Introduction
Processing location data under Turkish Personal Data Protection Law is a high-risk privacy issue for mobile applications, delivery platforms, transportation companies, vehicle rental businesses, logistics operators, employers, fintech applications, tourism platforms, smart city projects, advertising networks, e-commerce companies, mobility services, and digital platforms.
Location data may show where a person lives, works, travels, shops, worships, receives healthcare, studies, spends leisure time, meets other people, or attends private events. Even where location data is not expressly listed as a “special category of personal data” under Law No. 6698 on the Protection of Personal Data, commonly known as KVKK, it may reveal very sensitive aspects of private life when processed continuously or combined with other datasets.
Under KVKK, personal data means any information relating to an identified or identifiable natural person, and processing includes collection, recording, storage, transfer, disclosure, use, classification, and similar operations. Location data may therefore fall within KVKK when it can be linked to an identified or identifiable person, such as a mobile app user, vehicle driver, employee, customer, courier, passenger, patient, student, or platform member. KVKK’s purpose is to protect fundamental rights and freedoms, particularly the right to privacy, and to regulate the obligations of those processing personal data.
For companies operating in Turkey, location data compliance requires more than obtaining a mobile operating system permission. A lawful system requires a proper legal basis, a clear privacy notice, proportionality, data minimization, limited retention, strong security measures, vendor controls, cross-border transfer analysis, and respect for data subject rights.
What Is Location Data?
Location data refers to information that identifies or indicates the geographical position, movement, route, proximity, or location history of an individual or a device connected to an individual. It may be collected through GPS, Wi-Fi networks, Bluetooth signals, cell tower data, IP addresses, vehicle tracking devices, mobile application permissions, smart watches, delivery systems, fleet management tools, access control systems, beacons, smart city sensors, connected vehicles, or platform check-ins.
Examples include real-time GPS coordinates, historical route logs, delivery addresses, ride history, check-in/check-out points, geofencing alerts, vehicle movement records, worksite entry-exit data, approximate city-level location, location derived from IP address, and location inferred from transaction or device activity.
Location data does not always have the same risk level. Approximate city-level location used for weather forecasts may be lower risk than continuous real-time GPS tracking. A single delivery address is different from a full movement history over several months. A one-time location permission for a nearby restaurant search is different from background location tracking for behavioral advertising.
The legal assessment must therefore consider the type of location data, frequency of collection, accuracy, purpose, retention period, recipient groups, whether profiling is involved, and whether the data reveals sensitive patterns.
Is Location Data Personal Data Under KVKK?
Location data is personal data when it relates to an identified or identifiable natural person. If a mobile app account, phone number, user ID, device ID, vehicle plate, employee ID, customer number, or login record can connect location information to a person, KVKK applies.
For example, a delivery company tracking the real-time route of a courier processes personal data. A ride-hailing app storing passenger pick-up and drop-off points processes personal data. An employer tracking company vehicle movements may process employee personal data if the vehicle is assigned to a specific worker. A retail app collecting users’ location for targeted advertising processes personal data if the location can be linked to identifiable users.
The Turkish Personal Data Protection Board has expressly warned that location data may reveal life habits. In Decision No. 2021/1303 concerning vehicle rental software and blacklisting practices, the Board noted that where rented vehicles are tracked, controllers must remember that processing location data may reveal the data subject’s life habits. The Board further stated that information about journeys, workplace, residence, and places visited may allow profiling and may reveal data that could include special category information such as religion, belief, or sexual life; therefore, collecting location data should be an exceptional practice.
This Board approach is highly important. It confirms that location data should not be treated as ordinary operational data. It may become intrusive, profiling-based, and privacy-sensitive depending on how it is collected and used.
Core KVKK Principles for Location Data
All location data processing must comply with Article 4 principles under KVKK. Personal data must be processed lawfully and fairly, accurately and up to date where necessary, for specified, explicit, and legitimate purposes, in a relevant, limited, and proportionate manner, and only for the period required by law or by the processing purpose.
These principles have direct consequences for location data. First, the purpose must be specific. A company should not say vaguely that location data is processed “for service improvement.” It should explain whether the purpose is delivery tracking, route optimization, fraud prevention, workplace safety, vehicle security, nearby service display, emergency assistance, or location-based advertising.
Second, data minimization is essential. If approximate location is enough, precise GPS coordinates should not be collected. If location is needed only while the app is in use, background tracking should not be activated. If the purpose is delivery, location should not be retained longer than necessary after delivery is completed.
Third, proportionality must be assessed. Continuous tracking is more intrusive than temporary tracking. Tracking employees outside working hours is more intrusive than tracking work vehicles during active duties. Tracking children, patients, or vulnerable individuals creates higher risk.
Legal Bases for Processing Location Data
Under KVKK Article 5, personal data may be processed with explicit consent or without explicit consent where one of the statutory legal bases applies. These include processing expressly provided by law, necessity for contract performance, necessity for compliance with a legal obligation, necessity for establishment, exercise or protection of a right, and legitimate interests of the controller provided that fundamental rights and freedoms are not harmed.
The correct legal basis depends on the location data use case. A delivery app may process courier location during delivery to perform the delivery service. A navigation application may process real-time location to provide routing. A ride-hailing platform may process passenger and driver location to match rides and complete the transport service. A logistics company may process vehicle location for fleet security and operational coordination.
However, explicit consent may be required where location processing is optional, unrelated to the core service, intrusive, or used for advertising or profiling. The Turkish Authority’s mobile application privacy recommendations state that if access to a user’s location is not necessary for a feature or function requested by the user, location data should not be collected for targeted advertising unless the user gives explicit consent. The same guidance indicates that users should be allowed to use the application even if they disable optional permissions such as microphone or location access where those permissions are not necessary for the app’s functionality.
Therefore, businesses should not rely on one broad consent text for all location processing. Each purpose must be assessed separately. Location needed for core service delivery is different from location used for marketing, analytics, profiling, or third-party advertising.
Operating System Permission Is Not Enough
A major compliance mistake is assuming that a mobile app’s operating system permission equals valid KVKK consent. When a user taps “Allow location access” on a phone, this only permits technical access at the device level. It does not automatically satisfy all KVKK requirements.
KVKK still requires a valid processing basis, clear information, purpose limitation, proportionality, and data security. If the processing relies on explicit consent, consent must be specific, informed, and freely given. A generic operating system pop-up does not usually explain all KVKK elements, such as controller identity, transfer recipients, legal basis, retention period, data subject rights, or use of third-party SDKs.
For this reason, mobile apps should provide a separate privacy notice and, where necessary, a separate consent mechanism before collecting location data for optional purposes. Just-in-time notices are particularly useful. For example, before enabling live location sharing, the app may explain why location is needed, whether it will be stored, who can see it, whether it will be shared with drivers or couriers, and how the user can disable it.
Privacy Notices for Location Data
Under KVKK Article 10, data controllers must inform data subjects at the time personal data is obtained about the controller’s identity, processing purposes, recipients and transfer purposes, collection method and legal basis, and Article 11 rights.
A location data privacy notice should be specific and practical. It should explain:
- Which location data is collected.
- Whether precise or approximate location is used.
- Whether location is collected in the background.
- Whether location is collected only while the app is open.
- Why location is processed.
- Whether location is stored or only used temporarily.
- How long location records are retained.
- Whether location is shared with drivers, couriers, business partners, advertisers, analytics providers, cloud vendors, or public authorities.
- Whether location is transferred abroad.
- How users can disable location permissions.
- How users can exercise KVKK rights.
For workplace or fleet tracking, the notice should be provided to employees before tracking begins. For customer-facing apps, the notice should be available during onboarding and at the point where location access is requested. For vehicle rental, transportation, and logistics services, the notice should be included in booking, contract, or app-based processes.
Location Data in Mobile Applications
Mobile applications are one of the most common sources of location data. Apps may collect location for navigation, ride-hailing, delivery, nearby store search, weather services, dating, emergency services, travel, banking security, fraud prevention, fitness tracking, or advertising.
KVKK compliance requires app developers to distinguish between necessary and optional location use. A map application may need live location for navigation. A food delivery app may need delivery address and courier location. A mobility app may need driver and rider coordinates during a ride. However, a shopping app may not need continuous background location for core service performance.
The Authority’s mobile application guidance emphasizes determining the processing condition for personal data processed through mobile applications and states that identifying the legal basis is a prerequisite for transparency. It also notes that personal data processed through mobile applications should have storage and destruction periods justified by clearly defined business needs or legal obligations and should not be retained longer than necessary.
Mobile apps should therefore implement privacy-by-design controls. These may include collecting location only when needed, using approximate location by default, disabling background tracking unless necessary, separating advertising consent from service permissions, providing easy settings to turn off location, and deleting unnecessary location logs.
Location-Based Advertising and Retargeting
Location-based advertising is high-risk because it uses where a person is or has been to influence marketing. A shopping mall app may send offers when a user enters a store. A restaurant platform may target users near a branch. A retail chain may analyze location history to infer shopping habits. An advertising SDK may combine location data with device identifiers and behavioral profiles.
This type of processing often requires explicit consent because it is not necessary for the core service and may involve profiling. The mobile application guidance expressly gives the example that where location access is not required for a user-requested feature, location data should not be collected for targeted advertising unless the user gives explicit consent.
Location-based advertising consent should not be bundled with general terms of use. The user should be able to use the main app without consenting to location-based marketing where location marketing is not essential. The consent should identify the advertising purpose, whether third-party advertising partners receive data, whether location is precise or approximate, and how consent may be withdrawn.
Employee Location Tracking
Employee location tracking is especially sensitive because of the power imbalance in employment relationships. Employers may track employees through company vehicles, delivery apps, route management tools, mobile devices, access cards, GPS devices, or field service software. Such tracking may be lawful where necessary for operational coordination, safety, fleet management, proof of service, emergency response, or protection of company assets.
However, the employer must apply strict proportionality. Tracking should generally be limited to working hours, work-related vehicles, and work-related duties. Continuous tracking outside working hours may violate employee privacy unless there is an exceptional and clearly justified reason. Tracking personal devices is particularly risky. If employees use personal phones for work, the employer should avoid collecting private location data outside the work context.
Employee privacy notices should explain what is tracked, why it is tracked, when tracking occurs, whether real-time or historical location is stored, who can access records, whether data may be used for disciplinary purposes, and how long it is retained.
Employers should also avoid relying solely on employee consent where tracking is mandatory. Because consent in employment may not always be freely given, the employer should identify a legal basis such as legitimate interest, contract necessity, legal obligation, or protection of rights, depending on the facts. Even then, proportionality remains essential.
Vehicle Tracking, Fleet Management, and Rental Cars
Vehicle tracking is common in logistics, delivery, public transport, construction, cargo, company cars, rental cars, and fleet management. GPS tracking may help prevent theft, manage routes, optimize fuel use, verify deliveries, respond to emergencies, and protect vehicles. However, GPS tracking may also reveal drivers’ daily habits, private visits, residence, workplace, health-related visits, or religious/social patterns.
The Board’s Decision No. 2021/1303 is especially relevant to vehicle tracking. The Board warned that tracking rented vehicles may reveal life habits and even data that could include special category information through profiling. It concluded that collecting location data should be exceptional.
For rental car companies, this means GPS tracking should not be treated as a default practice without a clear reason. Anti-theft tracking, recovery of missing vehicles, legal protection, or high-risk rental scenarios may be more defensible than continuous monitoring of every customer’s route for ordinary business convenience. Customers should be clearly informed before tracking begins, and location records should be retained only as long as necessary.
For company vehicles, employers should define whether private use is permitted. If private use is allowed, tracking outside working hours should be restricted or disabled where possible.
Location Data and Children
Location data relating to children is particularly sensitive. A child’s location may reveal school, home, extracurricular activities, health visits, family routines, and safety patterns. Apps used by children, school transportation services, wearable devices, child safety applications, education platforms, or games should avoid unnecessary location tracking.
Where location processing is necessary for safety, such as school bus tracking or emergency contact services, processing should be limited to the purpose. Parents and, where appropriate, children should receive clear information. Access should be limited to authorized persons. Location histories should not be retained indefinitely or used for marketing.
Location-based advertising to children should be avoided or treated with the highest level of caution.
Location Data and Special Category Inferences
Location data is not automatically special category data under KVKK. However, it may reveal special category information indirectly. Repeated visits to a hospital may indicate health status. Visits to a place of worship may indicate religious belief. Attendance at a political meeting may reveal political opinion. Visits to certain private places may reveal sexual life or social relationships.
The Board’s vehicle rental decision expressly recognized that location data may enable profiling and may reveal information including special category data.
This means that controllers should assess not only what data they directly collect, but also what can be inferred from location histories. The more precise, frequent, and long-term the location tracking, the higher the risk of sensitive inference.
Data Security for Location Data
KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. Where processing is carried out by another person on behalf of the controller, the controller is jointly responsible with that person for security measures.
Location data requires strong security because unauthorized access may create physical safety risks. If a stalker, abusive person, competitor, criminal actor, or unauthorized employee obtains real-time location information, the harm may be immediate and serious.
Practical security measures include encryption, role-based access, access logs, multi-factor authentication for admin panels, secure APIs, data minimization, pseudonymization where possible, limited retention, secure vendor access, employee training, and breach response procedures. The Turkish Authority’s data security guide explains technical and administrative measures that data controllers should take to prevent unlawful processing and unlawful access and to ensure secure retention of personal data.
Access to location data should be need-to-know. Marketing teams should not access real-time courier locations. HR should not access full vehicle histories unless necessary. Customer support should see only the location details needed to resolve a specific request.
Retention and Deletion of Location Data
Location data should not be retained indefinitely. KVKK requires personal data to be stored only for the period required by law or by the processing purpose. The By-Law on Erasure, Destruction or Anonymization states that personal data must be erased, destroyed, or anonymized when all processing conditions under Articles 5 and 6 no longer exist; disposal operations must comply with general principles and security obligations, and disposal records must be stored for at least three years unless other legal obligations apply.
Retention periods should be purpose-specific. Real-time delivery location may be needed only until delivery and complaint periods end. Fleet route data may be needed for operational records, accident investigation, or fuel analysis for a limited time. Security-related GPS data may be retained longer if connected to theft, damage, litigation, or insurance claims. Advertising location segments should be retained for short and clearly justified periods.
A company should define retention periods in its data inventory, privacy notice, and internal policies. Backups, logs, analytics exports, and vendor copies should also be covered.
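An added example, not part of the original article: a minimal Python ingestion gate that applies the minimization controls described under mobile applications (approximate location by default, no background fixes unless needed, advertising only with explicit consent) together with the purpose-specific retention described in this section. The purpose names, precision levels, and retention periods are assumptions chosen for illustration; the article prescribes no specific values.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PurposePolicy:
    precise: bool         # may full-precision coordinates be stored?
    background: bool      # may fixes collected in the background be accepted?
    needs_consent: bool   # optional purpose that requires explicit consent
    retention: timedelta  # how long a stored fix may be kept


# Hypothetical policy table: every value here is an illustrative assumption.
POLICIES = {
    "delivery_tracking": PurposePolicy(True, True, False, timedelta(days=30)),
    "nearby_search": PurposePolicy(False, False, False, timedelta(days=1)),
    "location_ads": PurposePolicy(False, False, True, timedelta(days=7)),
}


@dataclass(frozen=True)
class Fix:
    user_id: str
    lat: float
    lon: float
    purpose: str
    background: bool
    at: datetime


def coarsen(value, decimals=2):
    """Round a coordinate; two decimals is roughly a 1 km grid."""
    return round(value, decimals)


def admit(fix, consents):
    """Return the record that may be stored, or None if it must be dropped.

    consents maps user_id -> set of purposes with recorded explicit consent.
    """
    policy = POLICIES.get(fix.purpose)
    if policy is None:
        return None  # no specific, documented purpose: do not collect
    if policy.needs_consent and fix.purpose not in consents.get(fix.user_id, set()):
        return None  # an OS-level permission alone is not explicit consent
    if fix.background and not policy.background:
        return None  # background tracking is not needed for this purpose
    if not policy.precise:
        return replace(fix, lat=coarsen(fix.lat), lon=coarsen(fix.lon))
    return fix


def purge(store, now):
    """Drop fixes older than their purpose's retention period."""
    kept = [f for f in store if now - f.at <= POLICIES[f.purpose].retention]
    return kept, len(store) - len(kept)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    consents = {"u2": {"location_ads"}}
    incoming = [
        Fix("u1", 41.00823, 28.97836, "nearby_search", False, now),
        Fix("u1", 41.00823, 28.97836, "nearby_search", True, now),
        Fix("u1", 41.00823, 28.97836, "location_ads", False, now),
        Fix("u2", 41.00823, 28.97836, "location_ads", False, now),
        Fix("u3", 41.00823, 28.97836, "delivery_tracking", True,
            now - timedelta(days=45)),
    ]
    store = [r for r in (admit(f, consents) for f in incoming) if r is not None]
    store, removed = purge(store, now)
    for record in store:
        print(record.user_id, record.purpose, record.lat, record.lon)
    print("purged:", removed)
```

The same purge has to reach backups, analytics exports, and vendor copies, which this in-memory sketch does not model.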
Cross-Border Transfers of Location Data
Many location-based services rely on foreign cloud providers, global maps, analytics SDKs, advertising networks, mobility platforms, route optimization tools, or foreign technical support. These structures may involve cross-border transfers of personal data.
KVKK Article 9 was amended in 2024. Under the amended framework, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision. In the absence of an adequacy decision, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Authority within five business days after signature.
Companies processing location data should therefore identify where data is stored, whether maps or analytics providers receive location data, whether advertising partners receive coordinates or device IDs, whether technical support teams abroad can access data, and whether standard contracts or other safeguards are required.
Data Subject Rights
Data subjects have rights under KVKK Article 11, including the rights to learn whether personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request erasure or destruction under legal conditions, object to adverse results arising exclusively through automated systems, and claim compensation for unlawful processing.
In location data contexts, users may ask: “Why is my location tracked?”, “Who can see my route?”, “Was my location shared with advertisers?”, “Delete my location history,” “Stop tracking my vehicle,” or “Which foreign providers receive my location data?” Companies should have procedures to answer such requests within legal time limits.
For location data access requests, controllers must also protect third-party rights. A ride history may include a driver, passenger, address, or other individuals. A vehicle log may include multiple drivers. A delivery route may reveal customer addresses. Responses should be accurate but should not disclose third-party personal data unnecessarily.
Practical KVKK Compliance Checklist for Location Data
A company processing location data in Turkey should:
- Map all location data collection points.
- Identify whether precise, approximate, real-time, or historical location is processed.
- Determine the legal basis for each location processing purpose.
- Separate service-required location use from optional advertising or analytics use.
- Prepare clear privacy notices.
- Obtain explicit consent where required, especially for optional location-based advertising.
- Avoid background tracking unless strictly necessary.
- Use approximate location where precise location is not needed.
- Limit employee tracking to working hours and work-related purposes.
- Avoid tracking personal devices unless legally justified.
- Assess vehicle tracking under proportionality principles.
- Restrict internal access to location records.
- Secure APIs, dashboards, and admin panels.
- Define retention periods.
- Delete or anonymize location data when no longer needed.
- Review third-party SDKs, map tools, and analytics vendors.
- Map cross-border transfers.
- Include location data obligations in vendor contracts.
- Establish data subject request procedures.
- Conduct a privacy impact assessment for high-risk tracking.
Common Mistakes in Location Data Processing
One common mistake is collecting location continuously when location is needed only temporarily. Another is using background tracking for marketing without valid explicit consent. A third mistake is relying solely on phone operating system permissions instead of a proper KVKK notice and legal basis.
Employers often make the mistake of tracking employees outside working hours or through personal devices. Vehicle rental companies may treat GPS tracking as default practice without showing exceptional necessity. Apps may transfer location data to advertising SDKs or analytics providers without clear disclosure. Companies may also retain route histories indefinitely.
Another serious mistake is failing to recognize inference risk. Location data can reveal health, religion, lifestyle, family life, political activities, and other sensitive patterns even if the controller never directly asks for such information.
Conclusion
Processing location data under Turkish Personal Data Protection Law requires a careful, transparent, and risk-based compliance approach. Location data can be highly intrusive because it may reveal a person’s movements, habits, workplace, residence, health-related visits, social relationships, and private life. The Turkish Personal Data Protection Board has specifically warned that location tracking can reveal life habits and may even expose special-category inferences, and that collecting location data should be exceptional in relevant contexts.
For businesses, the key compliance principles are purpose limitation, data minimization, proportionality, transparency, security, limited retention, and lawful transfer. Mobile apps should avoid unnecessary location permissions. Employers should limit tracking to legitimate work purposes. Vehicle tracking should be justified and documented. Location-based advertising should generally rely on separate explicit consent where it is not necessary for the requested service. Cross-border transfers through cloud, SDK, map, and analytics providers must be assessed under Article 9.
A compliant location data program should include proper privacy notices, legal basis mapping, consent management, privacy-by-design settings, secure access controls, retention schedules, vendor contracts, data subject rights procedures, and privacy impact assessments for high-risk tracking. Companies that manage location data responsibly protect both individual privacy and their own legal position under Turkish data protection law.