Introduction
Processing special categories of personal data in Turkey is one of the most sensitive and legally demanding areas of Turkish data protection law. Businesses, employers, hospitals, clinics, insurance companies, financial institutions, schools, technology companies, human resources departments, and foreign investors operating in Turkey may process sensitive data without fully understanding the legal consequences. Under Turkish Personal Data Protection Law, commonly known as KVKK, special categories of personal data are subject to stricter rules than ordinary personal data because their misuse may cause discrimination, social exclusion, reputational harm, financial damage, employment-related consequences, and serious interference with private life.
Law No. 6698 on the Protection of Personal Data applies to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partly by automated means, or by non-automated means forming part of a data filing system. The purpose of the law is to protect fundamental rights and freedoms, especially the right to privacy, and to regulate the obligations of persons processing personal data.
For companies, processing sensitive data requires more than a standard privacy notice. It requires a clear legal basis, strict proportionality, data minimization, security measures, retention rules, confidentiality controls, access limitations, and in many cases a more detailed compliance assessment. This article explains how special categories of personal data are regulated in Turkey, when they may be processed, what precautions must be taken, and how businesses can reduce KVKK compliance risks.
What Are Special Categories of Personal Data Under KVKK?
Under Article 6 of KVKK, special categories of personal data include personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, biometric data, and genetic data. These data categories are legally sensitive because their unlawful processing may have particularly serious consequences for the data subject.
Examples of special categories of personal data include medical reports, disability information, blood test results, vaccination records, biometric fingerprints, facial recognition templates, criminal record certificates, union membership information, religious belief information, genetic test results, occupational health reports, psychological assessment records, and data relating to sexual life.
Special category data may arise in many ordinary business contexts. An employer may collect health reports, criminal record certificates, disability information, biometric access data, or occupational health records. A hospital may process diagnosis and treatment data. A school may process health and disability data of students. A fintech company may use biometric verification. A hotel or travel company may process passport and health-related information in limited cases. A law firm may process criminal, health, or family-related sensitive data in litigation files.
Because these data are high-risk, companies should not process them casually or collect them “just in case.” Every processing activity must be connected to a specific, lawful, legitimate, limited, and proportionate purpose.
Why Special Categories Require Stronger Protection
Special category data is more sensitive than ordinary contact or identity data. If an email address is unlawfully disclosed, the individual may face inconvenience or spam. If a medical diagnosis, biometric template, criminal record, religious belief, or union membership record is unlawfully disclosed, the harm may be far more serious. It may affect employment opportunities, insurance access, social reputation, family life, professional status, physical safety, or personal dignity.
This is why KVKK treats special categories of data differently. Article 6 states that processing special categories of personal data is prohibited as a rule, but permitted only under specific conditions. The law also requires that adequate measures determined by the Personal Data Protection Board be implemented when processing special categories of personal data.
For businesses, this means that sensitive data processing must be exceptional, justified, and controlled. A company should be able to explain why the data is necessary, which legal basis applies, who can access it, how long it will be stored, how it is secured, whether it is transferred to third parties, and when it will be deleted or anonymized.
Legal Bases for Processing Special Categories of Personal Data
Following the 2024 amendment to Article 6 of KVKK, special categories of personal data may be processed only under the conditions listed in the law. The amended Article 6 provides that processing is permitted in the following cases: the data subject has given explicit consent; processing is explicitly provided by laws; processing is necessary for the protection of life or physical integrity where consent cannot be obtained or is not legally valid; the data has been made public by the data subject and processing is consistent with the intention of disclosure; processing is necessary for the establishment, exercise, or protection of a right; processing is necessary for public health, preventive medicine, medical diagnosis, treatment and care services, and healthcare planning, management and financing, by persons under confidentiality obligations or competent institutions; processing is necessary for legal obligations in employment, occupational health and safety, social security, social services and social assistance; or the data relates to current or former members and affiliates of certain non-profit organizations within limited conditions.
This structure is important because explicit consent is not the only legal basis for processing special categories of personal data. In many cases, processing may be based on a statutory obligation, employment law requirement, healthcare-related legal basis, or the establishment and protection of legal rights. However, the applicable ground must be carefully selected and documented.
For example, an employer may process certain health data where necessary to comply with occupational health and safety obligations. A hospital may process health data for diagnosis and treatment through persons subject to confidentiality obligations. A company may process a medical report or criminal complaint document if necessary for the establishment, exercise, or protection of a legal right. A court file may contain special category data because it is relevant to a legal dispute.
However, where no statutory ground applies, explicit consent may be required. Even then, consent must be specific, informed, freely given, and properly documented.
Explicit Consent for Sensitive Data Processing
Explicit consent under KVKK must relate to a specific matter, be based on information, and be declared with free will. In the context of special categories of personal data, this standard should be applied even more strictly. A broad consent form stating that “all sensitive personal data may be processed for all business purposes” is not a safe compliance method.
A valid explicit consent text should explain which special category data will be processed, for what purpose, by whom, whether it will be transferred, whether it will be stored abroad, how long it will be retained, and how the data subject may withdraw consent. Consent should not be hidden inside employment contracts, membership forms, general terms and conditions, or privacy notices.
It is also important to distinguish between the obligation to inform and explicit consent. Under Article 10 of KVKK, data controllers must inform data subjects about the identity of the controller, processing purposes, recipients and transfer purposes, method and legal basis of collection, and data subject rights. A privacy notice informs the data subject; it does not automatically create consent. Where explicit consent is required, it should be obtained separately from the privacy notice.
Health Data Processing in Turkey
Health data is one of the most common and sensitive categories of personal data. It may include diagnosis information, laboratory results, prescriptions, medical reports, disability information, occupational health records, hospital admission records, health insurance claim files, vaccination records, psychological assessments, and medical imaging results.
Under Article 6, health-related special category data may be processed where necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of healthcare services by persons subject to legal confidentiality obligations or competent public institutions and organizations.
This rule is especially important for hospitals, clinics, doctors, dentists, laboratories, pharmacies, health tourism agencies, insurance companies, and employers. However, not every organization may process health data under the healthcare exception. The identity and legal status of the person processing the data, the purpose of processing, confidentiality duties, and sector-specific rules must be considered.
Employers should be particularly careful. A workplace may need certain health data for occupational health and safety purposes, sick leave management, disability accommodation, or legal obligations. However, employers should not collect excessive medical details beyond what is necessary. For example, it may be legitimate to process a fitness-for-work report in certain cases, but collecting full medical history without necessity may violate proportionality.
Biometric Data Processing in Turkey
Biometric data is expressly listed as a special category of personal data under Article 6. Biometric data may include fingerprints, facial recognition templates, iris scans, palm vein patterns, voice recognition templates, and other biological or behavioral characteristics used for identification or authentication.
Biometric data processing creates high legal risk because biometric identifiers are unique, permanent, and difficult to change if compromised. If a password is leaked, it can be replaced. If a biometric template is compromised, the harm may be long-term and difficult to remedy.
The Turkish Personal Data Protection Authority’s biometric data guidance emphasizes that biometric data controllers must comply with personal data security obligations and must take the measures specified in the Board’s decision on adequate precautions for special categories of personal data. The guidance also states that technical and organizational measures should correspond to the nature of the data and the possible risks posed to the data subject.
For employers, biometric access systems require particular caution. A fingerprint entry system may be challenged if less intrusive methods, such as ID cards, passwords, turnstile cards, or mobile verification, can achieve the same purpose. The key legal questions are necessity, proportionality, alternative methods, security safeguards, retention period, access limitation, and whether the data subject has a genuine choice.
Criminal Conviction and Security Measure Data
Criminal conviction and security measure data are also special categories of personal data under KVKK. Employers frequently request criminal record certificates from candidates or employees, but this practice should not be treated as routine for every position. The employer must determine whether the request is legally required, necessary for the nature of the job, or justified by a specific legal basis.
A criminal record request may be more defensible for positions involving children, vulnerable persons, financial responsibility, security-sensitive roles, regulated sectors, or legal compliance obligations. However, requesting criminal records from all candidates without distinction may violate the principles of necessity, proportionality, and data minimization.
The Board’s 2022/172 decision concerning a foreign-based data controller’s liaison office in Turkey is a useful example. The complaint involved requests for criminal records, health reports, lung film reports, blood group certificates, marriage certificate copies, and family members’ identity card copies during recruitment. The complaint alleged lack of explicit consent, contradiction with Article 4 principles, failure to comply with adequate measures for special categories, possible transfer abroad, and failure to respond within the legal period.
This decision is important for foreign employers and liaison offices because it shows that recruitment-stage sensitive data requests are scrutinized under KVKK. Employers should collect only data that is necessary for the specific position and legal purpose.
Employment, Occupational Health and Safety, and Social Security
The 2024 amendment to Article 6 expressly permits processing special categories of personal data where necessary for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.
This ground is highly relevant for employers. Employee data processing may include occupational health reports, disability documentation, workplace accident records, sick leave documents, maternity-related records, union membership information in limited contexts, and social security-related documents.
However, the existence of an employment relationship does not give the employer unlimited authority to process sensitive data. The employer must still comply with general principles such as lawfulness, fairness, purpose limitation, accuracy, proportionality, and storage limitation. Article 4 requires personal data to be processed for specified, explicit, and legitimate purposes, to be relevant, limited, and proportionate, and to be stored only for the period laid down by relevant legislation or required by the processing purpose.
In practice, employers should prepare separate HR privacy notices, candidate privacy notices, workplace health data procedures, occupational health and safety data policies, disciplinary data rules, camera recording policies, and retention schedules. Access to health and criminal record data should be strictly limited to authorized personnel.
Special Category Data in Litigation and Legal Claims
Special categories of personal data often appear in legal disputes. Court files may include medical reports, criminal records, psychological evaluations, employment health records, disability reports, family law documents, or evidence relating to union membership, religion, or personal life.
Article 6 permits processing where necessary for the establishment, exercise, or protection of any right. This ground is particularly important for lawyers, companies defending claims, insurers, employers, and parties involved in litigation or enforcement proceedings.
For example, an employer defending a workplace accident claim may need to process health reports. An insurance company assessing a bodily injury claim may process medical records. A lawyer handling a criminal complaint or compensation case may process sensitive evidence. A company investigating fraud may process documents containing criminal allegation data.
Nevertheless, even rights-based processing must be limited to what is necessary for the claim or defense. Sensitive data should not be shared with unrelated employees, vendors, or business units. Litigation files should be protected through confidentiality, access control, secure storage, and retention policies.
Transfer of Special Categories of Personal Data
Domestic transfer of personal data is regulated by Article 8. Personal data cannot be transferred without explicit consent unless one of the legal conditions applies. For special categories of data, transfer without explicit consent may be possible where Article 6 conditions exist, provided that sufficient measures are taken.
This means that transferring sensitive data to payroll providers, occupational health providers, lawyers, auditors, insurance companies, public institutions, laboratories, or group companies must be assessed carefully. The transfer must have a legal basis, a clear purpose, and sufficient security measures.
Cross-border transfers require additional analysis. Article 9, as amended in 2024, allows personal data to be transferred abroad by controllers and processors if one of the processing conditions under Articles 5 or 6 is met and there is an adequacy decision. In the absence of an adequacy decision, transfers may be made if enforceable rights and effective legal remedies are available in the recipient country and one of the appropriate safeguards is ensured, such as binding corporate rules, a standard contract, or a written commitment approved by the Board.
For special categories of personal data, standard contracts and transfer documentation must also address additional measures for sensitive data. The amended Article 9 expressly refers to standard contracts containing information such as data categories, transfer purposes, recipients, technical and organizational measures, and additional measures for special categories of personal data.
Data Security and Adequate Measures
Processing special categories of personal data requires stronger data security. Article 12 obliges data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. If processing is carried out by another person on behalf of the controller, the controller is jointly responsible for ensuring these measures.
The Authority states that appropriate data security measures should be determined according to each controller’s structure, activities, and risks, and that a single model cannot be imposed on every controller. In determining appropriate measures, the nature of the work, the personal data protected, and the company’s size and turnover are relevant. The Authority also emphasizes that adequate measures determined by the Board must be taken when processing special categories of personal data.
In practice, adequate measures for special category data should include strict access control, role-based authorization, encryption, secure transmission, logging, confidentiality undertakings, employee training, disciplinary rules, secure physical archives, separate storage for sensitive data, periodic audits, data minimization, anonymization where possible, secure deletion, vendor due diligence, and breach response procedures.
For digital systems, companies should consider multi-factor authentication, database encryption, data masking, vulnerability testing, backup security, endpoint protection, secure API controls, and monitoring of unauthorized access. For physical files, locked cabinets, access logs, secure rooms, and limited key control may be necessary.
Data Breach Risks Involving Sensitive Data
If personal data is obtained by others unlawfully, the data controller must notify the data subject and the Board within the shortest time. The Board may announce the breach on its official website or by other means where necessary.
A breach involving special categories of personal data is likely to be treated as more serious than a breach involving ordinary data. Disclosure of health records, biometric templates, criminal records, or union membership information may cause substantial harm. Therefore, companies processing sensitive data should have a breach response plan specifically addressing high-risk data incidents.
A practical breach response plan should define internal escalation procedures, forensic investigation steps, containment measures, legal assessment, notification criteria, communication with affected data subjects, communication with the Authority, evidence preservation, vendor coordination, and remedial actions.
Retention, Erasure, Destruction, and Anonymization
Special categories of personal data should not be retained indefinitely. Article 7 provides that personal data processed in accordance with the law must be erased, destroyed, or anonymized by the controller, ex officio or upon request, when the reasons requiring processing no longer exist.
Retention periods for sensitive data should be determined carefully. A hospital may have statutory medical record retention obligations. An employer may need to retain occupational health and safety records for legally required periods. A company involved in litigation may retain sensitive evidence until limitation periods and legal proceedings are completed. However, once the legal or operational reason ends, the data should be deleted, destroyed, or anonymized.
Biometric data deserves special attention. The Authority’s biometric guidance states that the maximum processing period should be determined and that all variants of biometric features, including raw and derived records, must be processed only for the required time; the reasons for retention should be explained in the personal data retention and destruction policy.
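The adequate measures described under "Data Security and Adequate Measures" (role-based authorization, access logging, separate handling of sensitive data) and the retention rules in this section (a finite retention period, and erasure of all raw and derived biometric variants once the processing reason ends) can be made concrete in code. The following Python example is added here as an illustration; it is not code from the Authority, the Board or any product. The store, the role matrix, the record ids, the retention periods and the legal-basis strings are all hypothetical, and the sample records are constructed for a fictitious employee.

```python
"""Hypothetical controls for KVKK special-category records: role-gated reads,
audit logging that never contains the sensitive value, and two Article 7
erasure paths (retention clock and "processing reason ended")."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Subset of the Article 6 categories handled by this hypothetical store.
SPECIAL_CATEGORIES = {"health", "biometric", "criminal_record", "union_membership"}

# Hypothetical role matrix: access is granted per category, never to "HR" as a whole.
ROLE_ACCESS = {
    "occupational_physician": {"health"},
    "access_control_admin": {"biometric"},
    "hr_compliance": {"criminal_record", "union_membership"},
}


@dataclass
class SensitiveRecord:
    subject_id: str
    category: str
    variant: str           # "raw", "template" or "document"; all variants share one fate
    value: str
    legal_basis: str       # the documented Article 6 ground, stored next to the data
    collected_at: datetime
    retention_days: int    # finite by design: indefinite retention is not an option


@dataclass
class AuditEvent:
    at: datetime
    actor: str
    role: str
    action: str
    record_id: str
    category: str
    outcome: str           # the sensitive value itself is never written to the log


class SensitiveDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, SensitiveRecord] = {}
        self.audit_log: List[AuditEvent] = []

    def store(self, record_id: str, record: SensitiveRecord) -> None:
        """Refuse special-category data that lacks a legal basis or a retention period."""
        if record.category not in SPECIAL_CATEGORIES:
            raise ValueError(f"{record.category!r} is not handled as a special category here")
        if not record.legal_basis.strip():
            raise ValueError("a documented Article 6 legal basis is required")
        if record.retention_days <= 0:
            raise ValueError("a finite retention period is required")
        self._records[record_id] = record

    def read(self, record_id: str, actor: str, role: str, now: datetime) -> str:
        """Role-based read: every attempt, granted or denied, leaves an audit entry."""
        record = self._records[record_id]
        allowed = record.category in ROLE_ACCESS.get(role, set())
        self.audit_log.append(AuditEvent(now, actor, role, "read", record_id,
                                         record.category, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {record.category} data")
        return record.value

    def _erase(self, record_id: str, now: datetime, reason: str) -> None:
        record = self._records.pop(record_id)
        self.audit_log.append(AuditEvent(now, "system", "retention_job", "erase",
                                         record_id, record.category, reason))

    def purge_expired(self, now: datetime) -> List[str]:
        """Article 7 by the clock: erase every record whose retention period has run out."""
        expired = sorted(rid for rid, r in self._records.items()
                         if r.collected_at + timedelta(days=r.retention_days) <= now)
        for rid in expired:
            self._erase(rid, now, "retention period expired")
        return expired

    def erase_all_variants(self, subject_id: str, category: str, now: datetime) -> List[str]:
        """Article 7 by event: the reason ended, so raw and derived variants go together."""
        matching = sorted(rid for rid, r in self._records.items()
                          if r.subject_id == subject_id and r.category == category)
        for rid in matching:
            self._erase(rid, now, "processing reason ended")
        return matching

    def count(self) -> int:
        return len(self._records)


T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)


def build_demo_store() -> SensitiveDataStore:
    """Constructed sample records for one fictitious employee (not real data)."""
    store = SensitiveDataStore()
    store.store("h1", SensitiveRecord("emp-001", "health", "document", "fit-for-work report (constructed)",
                                      "Art. 6: employment / occupational health and safety obligation", T0, 365))
    store.store("b-raw", SensitiveRecord("emp-001", "biometric", "raw", "raw fingerprint sample (constructed)",
                                         "Art. 6: explicit consent", T0, 7))
    store.store("b-tpl", SensitiveRecord("emp-001", "biometric", "template", "fingerprint template (constructed)",
                                         "Art. 6: explicit consent", T0, 365))
    return store


def run_demo():
    """Physician reads the health report; the raw sample expires; then the biometric
    purpose ends (e.g. the employee leaves) and the template is erased with it."""
    s = build_demo_store()
    value = s.read("h1", "dr.demir", "occupational_physician", T0)
    later = T0 + timedelta(days=8)
    expired = s.purge_expired(later)
    ended = s.erase_all_variants("emp-001", "biometric", later)
    return value, expired, ended, len(s.audit_log), s.count()


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the audit log records who touched which category and with what outcome, but never the value itself, so the log can be reviewed widely without becoming a second copy of the sensitive data; and that the biometric template is not tied to its own retention clock alone, because the guidance quoted above treats raw and derived variants as one processing activity that ends together.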
Data Subject Rights
Data subjects have the right to learn whether their personal data is processed, request information about processing, learn the purpose of processing and whether data is used in accordance with that purpose, know third parties to whom data is transferred domestically or abroad, request correction of incomplete or inaccurate data, request erasure or destruction under legal conditions, request notification of correction or deletion to third-party recipients, object to adverse results created solely by automated analysis, and claim compensation for damage arising from unlawful processing.
When special categories of data are involved, companies should handle data subject requests with particular care. A request for access to health data, biometric records, criminal record data, or employment-related sensitive files may require identity verification, confidentiality controls, legal review, and secure communication. The controller must respond to data subject requests as soon as possible and at the latest within thirty days.
Practical Compliance Checklist for Businesses
A business processing special categories of personal data in Turkey should follow a structured compliance program.
First, identify all sensitive data categories. Determine whether the company processes health data, biometric data, criminal record data, union membership data, disability data, genetic data, religious belief data, or other special category data.
Second, define the purpose of each processing activity. Sensitive data should never be collected without a clear and legitimate purpose.
Third, determine the legal basis under Article 6. Do not assume that explicit consent is always required, and do not assume that the employment relationship or commercial relationship automatically permits processing.
Fourth, prepare accurate privacy notices. Data subjects should understand which sensitive data is processed, why, by whom, for how long, and whether it is transferred.
Fifth, obtain explicit consent only where necessary. Consent should be separate, specific, informed, and freely given.
Sixth, limit access. Only authorized persons should access special category data.
Seventh, implement technical and organizational measures. Sensitive data requires stronger protection than ordinary data.
Eighth, review transfers. Domestic and international transfers of special categories must have a legal basis and adequate safeguards.
Ninth, prepare retention and destruction rules. Sensitive data should be deleted, destroyed, or anonymized when no longer necessary.
Tenth, train employees. HR, IT, legal, healthcare, security, and management teams should understand sensitive data risks.
Eleventh, audit vendors. Processors handling sensitive data should be contractually bound and technically capable of protecting the data.
Twelfth, prepare breach response procedures. Sensitive data breaches require fast and careful handling.
Common Mistakes in Processing Special Categories of Data
One common mistake is collecting excessive sensitive data during recruitment. Employers should not request medical reports, criminal records, family members’ identity documents, or other sensitive documents unless necessary and legally justified.
Another mistake is relying on broad consent clauses. Consent for special category data must be specific and informed. Blanket consent is legally weak.
A third mistake is using biometric systems without necessity. If less intrusive alternatives exist, biometric processing may be disproportionate.
A fourth mistake is storing sensitive data in ordinary shared folders or email inboxes without access controls.
A fifth mistake is failing to update privacy notices when sensitive data processing changes.
A sixth mistake is transferring sensitive data abroad through cloud systems without assessing Article 9 transfer requirements.
A seventh mistake is keeping health, biometric, or criminal record data longer than necessary.
A final mistake is failing to document the legal basis, security measures, and retention period for each category of sensitive data.
Conclusion
Processing special categories of personal data in Turkey requires a higher level of legal and technical care than ordinary personal data processing. Health data, biometric data, criminal conviction records, genetic data, union membership information, religious belief data, and similar sensitive information can create serious risks for individuals if misused or disclosed.
Under KVKK Article 6, processing special categories of personal data is prohibited as a rule but permitted under specific legal conditions. The 2024 amendments provide a clearer and broader legal framework for processing sensitive data in areas such as employment, occupational health and safety, healthcare services, protection of rights, public health, and non-profit organization activities. However, these legal bases do not remove the need for proportionality, transparency, confidentiality, and adequate security measures.
Businesses operating in Turkey should build a sensitive data compliance framework based on data mapping, legal basis analysis, privacy notices, explicit consent where necessary, strict access controls, security measures, transfer assessments, retention rules, employee training, and periodic audits.
A company that processes special categories of personal data lawfully and securely not only reduces regulatory risk but also strengthens trust with employees, customers, patients, users, business partners, and public authorities. In a business environment where privacy and digital security are increasingly important, careful handling of sensitive data is a core part of responsible corporate governance and KVKK compliance in Turkey.