Introduction
Illegal recording, sharing and publication of private data in Turkey is a serious legal issue that may create criminal liability, civil compensation claims, data protection remedies and urgent online content removal procedures. In the digital age, private data can be recorded, copied, stored and published within seconds. A person’s private photographs, voice recordings, video footage, WhatsApp messages, e-mails, identity information, phone number, address, health data, bank details or social media content may be unlawfully obtained and shared through messaging applications, social media platforms, websites, cloud systems or online forums.
Turkish law protects private life and personal data through several legal mechanisms. The most important provisions are found in the Turkish Penal Code No. 5237, especially Article 134 on violation of privacy and Articles 135–136 on personal data crimes. The Personal Data Protection Law No. 6698, known as the KVKK, also provides administrative and civil data protection remedies. In online publication cases, Law No. 5651 may become relevant for blocking access to content that violates privacy. Digital evidence rules under the Criminal Procedure Code may also be important where phones, computers, servers or accounts must be examined.
This article explains illegal recording, sharing and publication of private data in Turkey from a practical legal perspective. It covers criminal liability, victim rights, digital evidence, content removal, compensation claims, data controller obligations and defence strategies.
1. What Is Private Data Under Turkish Law?
The term “private data” is not always used as a single statutory category. In practice, it may refer to information protected under privacy law, personal data protection law and criminal law. Private data may include personal photographs, videos, audio recordings, private messages, identity details, home address, phone number, e-mail address, family information, health records, financial data, location information, sexual life information, biometric data, private social media content and confidential professional communications.
Under the KVKK, personal data means information relating to an identified or identifiable natural person. The law’s purpose is to protect fundamental rights and freedoms, particularly privacy, in relation to the processing of personal data.
In criminal law, the analysis depends on the type of act. Recording someone’s personal data may fall under Article 135. Publishing or unlawfully acquiring personal data may fall under Article 136. Recording or publishing images, sounds or information relating to private life may fall under Article 134. Unauthorized access to an account or device may also trigger cybercrime provisions.
2. Violation of Privacy Under Turkish Penal Code Article 134
Article 134 of the Turkish Penal Code protects the confidentiality of private life. The offence may arise where a person unlawfully violates another person’s private life, records images or sounds relating to private life, or discloses such recordings. This provision is especially important in cases involving private photographs, intimate videos, hidden camera recordings, secretly recorded conversations, private messages and revenge publication.
For example, secretly recording a person in a private environment, sharing intimate images without consent, publishing private videos on social media, sending private photographs to third parties or exposing private messages may all create criminal liability depending on the facts. The protected value is not only the secrecy of the data but also the person’s dignity, autonomy and control over private life.
A critical point is that consent is limited. A person may consent to being photographed privately but not consent to public distribution. A person may send a private image to one person, but this does not authorize that person to publish it online. A private WhatsApp message sent in a confidential context cannot automatically be shared publicly without legal consequences.
3. Unlawful Recording of Personal Data: TCK Article 135
Article 135 of the Turkish Penal Code criminalizes unlawful recording of personal data. This offence may arise where a person records, stores or creates a database of personal data without a lawful basis. The provision also has particular importance for sensitive data, such as information relating to political, philosophical or religious views, racial origin, moral tendencies, health conditions or union connections. The official English text of the Turkish Penal Code states that unlawful recording of personal data is punishable and separately refers to sensitive categories of personal information.
Examples may include secretly collecting identity information, saving private customer records without authorization, recording health data unlawfully, storing private photographs or messages, creating lists of individuals with sensitive characteristics, or copying data from an employer, hospital, school, law office or platform without legal authority.
The offence is not limited to hackers. Employees, former employees, business partners, public officials, service providers, family members or third parties may commit personal data crimes if they unlawfully record protected information.
4. Unlawful Sharing, Publication or Acquisition of Data: TCK Article 136
Article 136 of the Turkish Penal Code is one of the most important provisions for private data publication cases. It punishes a person who unlawfully delivers personal data to another person, publishes it or acquires it through illegal means. The official English text provides imprisonment from one year to four years for unlawfully delivering, publishing or acquiring data.
This provision may apply in many modern situations:
Sharing someone’s phone number, address or identity number online.
Publishing screenshots containing private personal information.
Sending another person’s private data to a third party.
Obtaining customer lists from a company database.
Sharing private photographs or personal records through messaging groups.
Publishing personal data on websites or forums.
Acquiring leaked personal data from illegal databases.
Sending private messages or documents to embarrass someone.
Article 136 is especially important because it covers not only publication to the public but also delivery to another person. Sending someone’s personal data to even one unauthorized person may be legally relevant if the statutory conditions are met.
5. Qualified Forms: Public Officials and Professional Advantage
Article 137 of the Turkish Penal Code increases the punishment for personal data offences if they are committed by a public officer through the influence of public office or by exploiting the advantage of a profession or art.
This is highly relevant in professional contexts. Doctors, lawyers, bankers, accountants, teachers, IT personnel, public officers, human resources staff and customer service employees may access private data because of their work. If they abuse that access to record, share or publish private data unlawfully, the qualified form may be considered.
For example, a hospital employee who shares patient records, a bank employee who discloses financial information, a public officer who leaks registry data, or an IT employee who copies customer information may face heavier criminal consequences.
6. Failure to Destroy Personal Data: TCK Article 138
Article 138 punishes failure to destroy personal data after the legally prescribed period expires. The official English text of the Turkish Penal Code provides imprisonment from six months to one year for persons responsible for failing to destroy data within a defined system despite expiry of the legally prescribed period.
This provision is important for organizations that store personal data longer than necessary. Companies, associations, clinics, schools, employers and service providers should have retention and deletion policies. Keeping identity documents, CVs, customer records, camera recordings, health files or employee data indefinitely may create legal risk if there is no valid legal basis.
The KVKK also requires personal data to be erased, destroyed or anonymized when the reasons requiring processing no longer exist. Therefore, unlawful retention may create both criminal and administrative consequences.
7. Complaint Requirement in Personal Data Crimes
Article 139 of the Turkish Penal Code contains an important procedural rule. The official English text states that, except for recording of personal data, unlawful delivery or acquisition of data and destruction of data, investigation and prosecution for offences listed in the relevant section are bound to complaint.
This means that the complaint requirement must be analyzed carefully depending on the specific offence. Victims should not delay filing a criminal complaint. In many private data cases, delay may also cause loss of digital evidence, deletion of platform records, removal of content before preservation or difficulty identifying the perpetrator.
8. Illegal Recording of Conversations and Voice Data
Illegal recording of conversations is a common issue in Turkish practice. A person may record a phone call, meeting, argument, workplace conversation or private discussion without the knowledge or consent of the other party. Whether such recording creates criminal liability depends on the circumstances.
If the recording relates to private life, Article 134 may become relevant. If the recording captures personal data and is stored or shared unlawfully, Article 135 or Article 136 may also be considered. If the recording is used for blackmail, threats or defamation, additional offences may arise.
There may be exceptional legal debates where a person records a conversation solely to preserve evidence of an ongoing unlawful attack or to protect themselves where no other evidence is available. However, this is fact-sensitive and should not be treated as a general permission to secretly record others. The safest legal rule is that recording and sharing private conversations without consent creates serious criminal risk unless a clear legal justification exists.
9. Sharing Private Photographs and Videos
The unlawful sharing of private photographs and videos is one of the most harmful forms of privacy violation. It may occur after a relationship ends, during blackmail, through hacked accounts, by former friends or partners, or through stolen devices.
The legal consequences may include:
Violation of privacy under Article 134.
Unlawful publication of personal data under Article 136.
Blackmail if the content is used as leverage.
Threat if publication is threatened.
Unauthorized access if the content was obtained from an account or device.
Civil compensation for moral damages.
Content removal or access blocking if the material is online.
The fact that a person once voluntarily sent an image does not mean that the recipient may share it with others. Consent to private possession is not consent to publication.
10. Publication of Private Data on Social Media
Private data is often published through Instagram, X, Facebook, TikTok, Telegram, WhatsApp groups, forums, blogs and websites. The content may include identity cards, addresses, phone numbers, private messages, family information, photographs, workplace details, medical records, bank information or intimate content.
Victims should act quickly. They should preserve screenshots showing the URL, username, date, time and content. They should save original messages and links. If the content is public, a notarial determination or technical preservation method may strengthen the evidence. After evidence is preserved, the victim may seek criminal remedies and online removal mechanisms.
In urgent cases involving privacy, Law No. 5651 Article 9/A is particularly important. Current English translation materials describe Article 9/A as the mechanism for blocking access to content due to violation of privacy of private life and state that access blocking is implemented by blocking access to the specific content, such as a URL, picture or video.
11. Law No. 5651 and Online Content Removal
Law No. 5651 regulates internet publications and certain access blocking procedures in Turkey. For private data cases, Article 9/A concerning violation of privacy is the most relevant route. A person whose privacy is violated by internet content may request blocking of access to the relevant content under the procedure established by the law.
It is important to note that online content law in Turkey has changed and continues to evolve. Recent translation materials indicate that Article 9 on removal of content and access blocking has been abolished, while Article 9/A on privacy remains listed as a separate mechanism.
Therefore, the correct route must be selected according to the nature of the content. Where the issue is private life, private images, intimate videos, exposed identity data or private correspondence, privacy-based blocking may be urgent and necessary. Criminal prosecution may punish the perpetrator, but it may not remove content quickly enough to stop ongoing harm.
12. KVKK Remedies for Victims
The KVKK gives data subjects several rights. These include learning whether personal data is processed, requesting information about processing, learning the purpose of processing, knowing third parties to whom data has been transferred, requesting correction of incomplete or inaccurate data, requesting deletion or destruction under legal conditions and claiming compensation for damage arising from unlawful processing.
If private data is unlawfully processed by a company, platform, employer, hospital, school, clinic, association or other data controller, the victim may consider KVKK-based remedies in addition to criminal complaint. This is particularly relevant where the unlawful publication resulted from a data breach, negligent data handling, unauthorized employee access or failure to delete data.
The KVKK also states that crimes concerning personal data are subject to Articles 135 to 140 of the Turkish Penal Code. This confirms that data protection law and criminal law work together rather than separately.
13. Data Breach Notification by Companies
If private data processed by a data controller is obtained by others through unlawful means, the data controller may have notification obligations under the KVKK. The official KVKK framework requires notification to the data subject and the Personal Data Protection Board within the shortest time in such cases.
This is especially important where private data is published after a cyberattack, insider leak, phishing incident, ransomware attack or misdirected disclosure. A company that discovers such an incident should immediately assess whether personal data was affected, what categories of data were involved, how many people were affected, whether sensitive data was included and whether notification is required.
14. Criminal Complaint Strategy for Victims
A criminal complaint for illegal recording, sharing or publication of private data should be detailed and evidence-based. It should not simply state that “my private data was shared.” It should explain what data was recorded, how it was obtained, who shared it, where it was published, who saw it, what damage occurred and which evidence supports the complaint.
A strong complaint should include:
The victim’s identity information.
Description of the private data.
The platform, website, account or person involved.
The date and time of recording or publication.
Screenshots with URLs and timestamps.
Original messages, e-mails or files.
Witnesses who saw the publication.
Suspected persons and their motive.
Evidence of account hacking, if any.
Evidence of threats or blackmail, if any.
Request for platform logs, IP records and device examination.
Request for content removal or access blocking, if urgent.
Legal qualification under Articles 134, 135, 136, 137, 138, 243, 244 or other relevant provisions.
The complaint should be filed quickly because digital evidence may disappear. Social media posts may be deleted, accounts may change usernames, websites may go offline and platform logs may be retained only for limited periods.
15. Digital Evidence and CMK Article 134
Digital evidence is central in private data cases. Phones, computers, cloud accounts, social media accounts, servers, e-mails and messaging applications may contain the relevant evidence.
Article 134 of the Turkish Criminal Procedure Code regulates search, copying and seizure of computers, computer programs and computer records. The UNODC database describes Article 134 as covering the copying of data during seizure of computers or computer records. The Council of Europe’s Turkey cybercrime profile also identifies Article 134 as the procedural basis for search of computers, computer programs and records, copying and provisional seizure.
For victims, this means the criminal complaint should request proper forensic examination where necessary. For suspects, it means digital evidence must be collected lawfully. Unlawful searches, unsupported screenshots, incomplete logs, broken chain of custody or excessive examination of private devices may be challenged.
16. Compensation Claims for Illegal Publication of Private Data
Illegal recording or publication of private data may cause both material and moral damages. Material damages may include business loss, loss of employment opportunity, costs of content removal, cybersecurity expenses, legal expenses, therapy costs or financial loss caused by identity misuse.
Moral damages are often central. Publication of private data may cause humiliation, fear, anxiety, reputational harm, family problems, professional damage and psychological distress. Intimate image publication, exposure of health data, doxxing and publication of private correspondence may justify significant moral damage claims depending on the circumstances.
A civil compensation claim must prove unlawful act, damage and causal connection. A criminal investigation or conviction may strengthen the civil case, but the claimant should still document the harm carefully.
17. Illegal Publication by Employees or Former Employees
Private data publication often occurs in employment contexts. Employees may access customer records, patient files, personnel files, payroll information, camera recordings, internal correspondence or commercial databases. A former employee may copy data before resignation or dismissal and later share it.
Such conduct may create criminal liability under Articles 135–136, qualified forms under Article 137 if professional advantage is abused, cybercrime liability under Articles 243–244 and civil liability for breach of confidentiality.
Employers should maintain access controls, role-based permissions, log records, confidentiality agreements, data protection training and offboarding procedures. When an employee leaves, system access should be revoked immediately, shared passwords should be changed and suspicious downloads should be reviewed.
18. Defence Strategies in Private Data Cases
A person accused of illegal recording or publication of private data may face serious consequences. Defence strategy should focus on the exact statutory elements.
Possible defence arguments include:
The data is not private or personal data in the alleged context.
The accused did not record, publish, deliver or acquire the data.
The data was already lawfully public.
There was valid consent.
The publication was made within a lawful complaint or defence right.
There was no criminal intent.
The evidence was obtained unlawfully.
Screenshots are manipulated or incomplete.
The accused did not control the account that published the data.
The device was shared or compromised.
The correct legal classification is different.
The complaint was filed outside the legal period where applicable.
However, “the data was true” is not always a defence. Even true private data may be unlawfully published if there is no legal justification.
19. Practical Checklist for Victims
A victim of illegal recording, sharing or publication of private data in Turkey should take the following steps:
Preserve evidence before deletion.
Take screenshots showing URL, username, date and time.
Save original messages, e-mails and files.
Do not delete platform notifications.
Identify witnesses who saw the publication.
Request urgent removal from the platform where possible.
File a criminal complaint.
Request platform logs and IP records.
Consider Law No. 5651 Article 9/A privacy-based blocking if content is online.
Consider KVKK remedies if a data controller is involved.
Document psychological, reputational and financial harm.
Secure hacked accounts and change passwords.
Notify banks or institutions if identity data or financial data was exposed.
Seek civil compensation where appropriate.
Fast action is essential because private data can spread quickly and digital evidence can disappear.
20. Preventive Measures for Individuals and Companies
Individuals should avoid sharing sensitive private images or identity documents unnecessarily, use strong passwords, enable two-factor authentication, secure cloud accounts, avoid suspicious links, check privacy settings and act quickly if an account is compromised.
Companies should implement data minimization, access control, encryption, secure deletion policies, employee training, confidentiality agreements, incident response plans, vendor controls, log retention and KVKK compliance programs. Organizations processing sensitive data, such as healthcare providers, law firms, financial institutions and employers, should take stronger measures.
Preventing illegal publication is easier than repairing reputational and psychological damage after disclosure.
Conclusion
Illegal recording, sharing and publication of private data in Turkey may create serious criminal, civil and administrative consequences. Article 134 of the Turkish Penal Code protects private life. Article 135 punishes unlawful recording of personal data. Article 136 punishes unlawful delivery, publication or acquisition of personal data. Article 137 increases penalties where professional or public office advantages are abused. Article 138 addresses failure to destroy data after the legally required period.
The KVKK provides data protection rights and remedies, while Law No. 5651 Article 9/A may provide urgent access blocking for content violating privacy of private life. Digital evidence rules under CMK Article 134 are also critical where phones, computers or digital accounts must be examined.
For victims, the key steps are preserving evidence, filing a detailed criminal complaint, seeking urgent content removal and documenting damage. For companies, the key obligation is to prevent unlawful access, sharing and retention of personal data. For suspects, the defence must examine consent, intent, authenticity of evidence, lawful justification and correct legal classification.
In Turkey’s digital environment, private data is highly vulnerable. Once published, it may spread rapidly and cause lasting harm. Effective legal protection requires speed, precise evidence and a strategy combining criminal law, data protection law, internet law and compensation remedies.