Rights of Data Subjects Under Turkish Personal Data Protection Law

Introduction

The rights of data subjects under Turkish Personal Data Protection Law are central to privacy protection, transparency, and accountability in Turkey. In a digital economy where companies collect and process large amounts of personal data through websites, mobile applications, e-commerce platforms, employment records, customer databases, healthcare systems, financial services, cookies, call centers, cloud software, artificial intelligence tools, and marketing technologies, individuals must have effective control over how their personal data is used.

Turkey’s main personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. The law protects natural persons whose personal data is processed and imposes obligations on natural or legal persons who process personal data wholly or partly by automated means, or by non-automated means forming part of a data filing system. Under Article 11 of KVKK, each person has specific rights against the data controller concerning the processing of their personal data.

These rights are not symbolic. They allow individuals to ask whether their personal data is processed, request information, learn the purpose of processing, know whether data is transferred domestically or abroad, request correction, request erasure or destruction, object to certain automated results, and claim compensation for damages arising from unlawful processing. For businesses, these rights create practical compliance duties: companies must establish internal procedures, respond within legal deadlines, verify identity, evaluate requests properly, and document their responses.

Who Is a Data Subject Under Turkish Law?

A data subject is the natural person whose personal data is processed. Turkish Personal Data Protection Law protects only natural persons, not legal entities as such. However, personal data relating to company representatives, employees, customers, shareholders, directors, authorized signatories, sole proprietors, contractors, or contact persons may fall within the scope of KVKK if the information relates to an identified or identifiable individual.

For example, the trade name of a company is not personal data by itself. However, the name, email address, phone number, signature, identity number, professional record, or correspondence of a company employee or authorized representative may constitute personal data. In practice, data subjects may include customers, employees, former employees, job applicants, patients, website visitors, mobile app users, subscribers, students, suppliers, business contacts, debtors, complainants, and users of digital platforms.

The concept of personal data is broad. It may include name, surname, identity number, passport number, address, phone number, email address, IP address, device ID, customer number, bank details, location data, health records, biometric identifiers, criminal record data, photographs, camera recordings, voice records, transaction history, and any other information relating to an identified or identifiable person.

Legal Basis of Data Subject Rights Under KVKK

The main provision governing data subject rights is Article 11 of KVKK. This article lists the rights that each person may exercise by applying to the data controller. These rights are connected with other provisions of the law, especially Article 10 on the obligation to inform, Article 12 on data security, Article 13 on requests to the data controller, Article 14 on complaints to the Board, and Article 7 on erasure, destruction, or anonymization.

The purpose of these rights is to make personal data processing transparent and controllable. Without data subject rights, individuals would not know whether their data is processed, why it is processed, where it is transferred, whether it is accurate, or how to challenge unlawful processing. These rights also support accountability because data controllers must be able to explain and justify their data processing activities.

Right to Learn Whether Personal Data Is Processed

The first right under Article 11 is the right to learn whether personal data is processed. This is the gateway right. A person may ask a company, institution, employer, hospital, website operator, platform provider, bank, insurance company, school, or service provider whether it processes personal data about them.

This right is important because individuals may not always know which organizations hold their data. A person may have filled out a website form years ago, applied for a job, used a mobile application, visited a clinic, joined a loyalty program, contacted a call center, or appeared in camera recordings. By exercising this right, the individual can determine whether the data controller has any personal data relating to them.

From a business perspective, this means that companies should be able to search their systems, identify relevant records, and respond accurately. If the company does not process the person’s data, it should say so. If it does process the data, it must evaluate the other parts of the request and provide appropriate information.

Right to Request Information About Processing

If personal data has been processed, the data subject has the right to request information about that processing. This may include information about data categories, processing purposes, legal basis, storage practices, transfer recipients, and other relevant details. Article 11 expressly grants the right to demand information if personal data has been processed.

This right is closely connected with the obligation to inform under Article 10. The data controller must already provide certain information at the time of collection, including the controller’s identity, processing purpose, recipients and transfer purposes, method and legal basis of collection, and Article 11 rights.

A data subject request, however, may arise later. For example, a customer may ask an e-commerce company what data it holds after closing an account. An employee may ask an employer what records are stored in the personnel file. A patient may ask a clinic what medical data is processed and transferred. A mobile app user may ask which device identifiers and analytics data are collected.

Right to Learn the Purpose of Processing and Whether Data Is Used Accordingly

Data subjects have the right to learn the purpose of processing and whether their personal data is used in compliance with that purpose. This right reflects one of the core principles of KVKK: personal data must be processed for specified, explicit, and legitimate purposes.

For example, a customer may provide an email address for order confirmation. If the company later uses that email address for unrelated marketing without a valid legal basis, the customer may question whether the data is being used in accordance with the original purpose. An employee may provide health information for occupational safety purposes, but the employer should not use that information for unrelated workplace evaluations. A website visitor may accept strictly necessary cookies, but that does not automatically authorize advertising tracking.

This right requires companies to define their processing purposes clearly. Vague purposes such as “business operations,” “future use,” “commercial activities,” or “improving services” may be insufficient if they do not explain the actual processing activity. The Communiqué on the Obligation to Inform requires processing purposes to be specified, explicit, and legitimate, and warns against general and ambiguous statements.

Right to Know Third Parties to Whom Personal Data Is Transferred

A data subject has the right to know the third parties to whom personal data is transferred domestically or abroad. This is particularly important in modern business because personal data is often shared with service providers, group companies, cloud platforms, payment providers, cargo companies, call centers, payroll providers, marketing agencies, analytics tools, hospitals, laboratories, public authorities, lawyers, accountants, and foreign software providers.

The right covers both domestic and international transfers. Therefore, a data subject may ask whether their personal data has been transferred to third parties in Turkey or abroad. A company should be able to identify at least recipient categories and purposes of transfer. For example, an e-commerce company may transfer delivery information to cargo companies, payment data to payment service providers, invoice data to accountants, and customer support data to call center providers.

This right is also important because cross-border data transfers are heavily regulated under KVKK. If personal data is transferred abroad, the data controller should have a valid legal basis and a lawful transfer mechanism. The data subject’s right to know foreign transfers strengthens transparency and allows individuals to challenge unlawful international data flows.

Right to Request Correction of Incomplete or Inaccurate Data

Article 11 gives data subjects the right to request correction of incomplete or inaccurate personal data. This right is closely connected with the accuracy principle under KVKK. Personal data must be accurate and kept up to date where necessary.

Correction may be important in many situations. A bank may have an incorrect phone number. An employer may have outdated address information. A hospital record may contain a spelling error. An e-commerce company may store an incorrect delivery address. A school may have inaccurate parent contact information. A platform may contain incorrect account details.

Inaccurate data can cause real harm. Wrong contact information may prevent a person from receiving important notices. Incorrect employment records may affect rights and benefits. Inaccurate financial or risk data may affect access to services. Incorrect health records may affect medical treatment. Therefore, data controllers should have a practical mechanism to verify and correct data.

Right to Request Erasure or Destruction of Personal Data

Data subjects have the right to request erasure or destruction of their personal data under the conditions referred to in Article 7. Article 7 provides that personal data must be erased, destroyed, or anonymized when the reasons requiring processing no longer exist, even if the data was originally processed lawfully.

This right does not mean that every deletion request must be accepted automatically. If the data controller has a continuing legal obligation or valid legal basis to retain the data, it may refuse deletion with justified grounds. For example, a company may need to retain invoices for tax purposes, employment records for statutory periods, medical records for healthcare obligations, or litigation documents for the establishment or protection of rights.

However, the controller cannot use legal retention duties as an excuse to keep all data indefinitely. Marketing records, inactive accounts, obsolete candidate files, expired consent-based data, unnecessary copies, and old tracking data may need to be deleted, destroyed, or anonymized when no valid purpose remains.

Right to Request Notification of Correction or Deletion to Third Parties

Article 11 also gives data subjects the right to request that operations carried out for correction, erasure, or destruction be notified to third parties to whom the personal data has been transferred.

This right is practically important. Suppose a company transfers inaccurate customer data to a logistics provider, group company, or marketing vendor. If the data is corrected only in the company’s own system, the incorrect data may continue to exist in third-party systems. Similarly, if a deletion request is accepted, the controller should assess whether third parties that received the data must also be notified.

Businesses should therefore keep transfer records. Without knowing which third parties received the data, the controller may not be able to fulfill this right properly. Vendor contracts should also include clauses requiring processors and recipients to assist with correction, deletion, and data subject request processes.

Right to Object to Automated Decisions

One of the most modern rights under KVKK is the right to object to a result that arises against the person from the analysis of processed data exclusively through automated systems. In other words, where a decision with adverse effect is produced without any meaningful human involvement, the data subject may object to it.

This right is increasingly important because businesses use algorithms, artificial intelligence, scoring systems, profiling tools, automated fraud detection, HR screening software, credit risk models, recommendation engines, and automated customer segmentation. If an automated system produces a result against the person, the individual may object.

Examples may include automated rejection of a loan application, automatic classification of a customer as high-risk, automated rejection of a job candidate, automated blocking of a user account, or automated pricing decisions that negatively affect the individual. Companies using automated systems should provide transparency, human review mechanisms, accuracy checks, and appeal processes where appropriate.

This right does not prohibit all automated processing. However, it requires controllers to take automated decision-making seriously, especially where the result has a negative legal, financial, employment, or service-related impact on the data subject.

Right to Claim Compensation for Unlawful Processing

Article 11 gives data subjects the right to claim compensation for damage arising from unlawful processing of personal data.

This right is important because personal data violations may cause material or moral harm. A person may suffer financial loss due to identity misuse, reputational harm due to disclosure of sensitive information, emotional distress due to exposure of health data, employment harm due to inaccurate records, or economic harm due to unlawful profiling.

The compensation right is separate from administrative complaints before the Personal Data Protection Board. The Board may impose administrative sanctions, but it does not award damages to the individual; Article 14 of KVKK expressly reserves the right of persons whose personality rights are infringed to claim compensation under the general provisions, which means before the competent civil courts. Businesses should therefore understand that KVKK non-compliance may create not only regulatory risk but also civil liability.

How Data Subjects Can Apply to the Data Controller

Article 13 of KVKK provides that data subjects must make requests relating to the implementation of the law to the data controller in writing or by other methods determined by the Board. The controller must conclude the request as soon as possible and at the latest within thirty days, depending on the nature of the request. The response is generally free of charge, but if the action requires additional cost, fees may be charged according to the tariff determined by the Board.

The Communiqué on the Principles and Procedures for the Request to Data Controller states that data subjects may submit requests in writing, through a registered electronic mail (KEP) address, with a secure electronic signature or mobile signature, from the email address previously notified to the data controller by the data subject and registered in the controller's system, or through software or an application developed for this purpose.

This means that businesses should clearly explain how data subjects can apply. A privacy notice or website should provide contact channels. Customer service teams, HR teams, legal departments, and platform support teams should know how to identify and escalate data subject requests.

What Should a Data Subject Request Include?

The Communiqué states that a request should include identifying and contact information and the subject of the request. It also sets out procedures for applications made by different methods.

In practice, the Communiqué requires the application to contain the applicant's name and surname (and signature, if the application is made in writing), the Turkish identity number for Turkish citizens, nationality and passport or identity number for foreigners, a residence or workplace address for notification, an email address, telephone and fax number where available, and the subject of the request. A request submitted through a representative should also be accompanied by documents proving the representative's authority, and the applicant should state which specific Article 11 right is being exercised.

Data controllers must verify identity carefully. If a company discloses personal data to a person who is not the actual data subject or authorized representative, this may itself create a data breach. At the same time, identity verification should not be excessive. The controller should request only information necessary to verify the applicant and process the request.

The Data Controller’s Response Obligation

The data controller must act on the request or reject it with justified grounds and communicate its response to the data subject in writing or electronically. If the request is accepted, the controller must fulfill it.

A good response should be clear, specific, and legally reasoned. If the controller accepts a correction request, it should say what has been corrected. If it rejects a deletion request because legal retention obligations continue, it should explain the relevant legal basis. If it cannot provide certain information because it would violate third-party rights or trade secrets, it should explain the reason carefully.

Generic responses such as “your data is processed in accordance with the law” are usually insufficient. The response should address the actual request. Businesses should keep records of incoming requests, identity verification steps, internal evaluations, response dates, and actions taken.

Complaint to the Personal Data Protection Board

If the data subject’s request is rejected, the response is found insufficient, or the request is not answered within the legal period, the data subject may lodge a complaint with the Personal Data Protection Board within thirty days after learning the response and, in any case, within sixty days from the request date. However, a complaint cannot be lodged before the data subject first applies to the data controller under Article 13.

This procedure is important. Data subjects must generally exhaust the request mechanism before complaining to the Board. For businesses, this means that the first response to the data subject is critical. A well-reasoned and lawful response may prevent escalation. A late, vague, or dismissive response may lead to a complaint.

The Board may examine the complaint and, where it finds non-compliance, may order the controller to remedy violations or impose administrative sanctions depending on the circumstances.

Relationship Between Data Subject Rights and the Obligation to Inform

Data subject rights are closely connected with the controller’s obligation to inform. Under the Communiqué on the Obligation to Inform, the obligation must be fulfilled in all cases of processing, whether processing is based on explicit consent or another legal basis. If the processing purpose changes, the obligation to inform must be fulfilled before the new processing activity. The notice must be clear, plain, and intelligible, and proof of fulfilling the obligation belongs to the controller.

If a data controller properly informs individuals, later requests may be easier to manage. Conversely, if privacy notices are vague, outdated, or inconsistent with actual processing, data subjects are more likely to complain. Privacy notices should accurately explain processing purposes, legal bases, recipient groups, transfer abroad status, and rights.

Data Subject Rights in Employment Relationships

Employees and job applicants frequently exercise data subject rights. They may request access to personnel files, information about camera recordings, correction of employment records, deletion of old candidate files, information about payroll data transfers, or details about automated HR evaluation systems.

Employers should handle these requests carefully. Some records may need to be retained due to labor law, tax law, social security law, occupational health and safety obligations, or legal claims. However, employers should not use these obligations as a blanket reason to reject every request.

Employee requests may also involve third-party data, trade secrets, investigation records, disciplinary files, or legal strategy. Employers should balance the employee’s rights with confidentiality, workplace security, and rights of others.

Data Subject Rights in E-Commerce and Digital Platforms

Customers and users of digital platforms may request deletion of accounts, correction of contact details, information about marketing data, withdrawal of consent, disclosure of transfer recipients, or objection to profiling. E-commerce companies should have strong request-handling procedures because customer requests often come through informal channels such as email, chat, call centers, support tickets, or social media.

A message saying “delete my account,” “stop using my phone number,” “remove my data,” “which companies did you share my data with,” or “why am I receiving ads” may be a KVKK request. Customer service teams should be trained to recognize and escalate these requests.

Data Subject Rights in Healthcare

Patients may request access to health data, correction of identity or contact information, information about transfers to public authorities or insurers, deletion of data where legally possible, or information about who accessed their records. Health data is a special category of personal data, so requests must be handled with strict confidentiality.

Healthcare providers must also consider medical record retention obligations. A patient may request deletion, but the provider may be legally required to retain certain medical records. In such cases, the provider should explain the legal basis for retention clearly and avoid deleting records that must be preserved for medical, legal, or administrative reasons.

Data Subject Rights and Cross-Border Transfers

Because Article 11 gives data subjects the right to know third parties to whom data has been transferred in Turkey or abroad, companies must be able to identify foreign data transfers.

This is especially important for businesses using foreign cloud providers, global HR systems, CRM platforms, analytics tools, advertising networks, payment processors, AI tools, or parent company databases. A company that does not map international transfers may be unable to respond properly to data subject requests.

Cross-border transfer documentation, privacy notices, VERBIS entries, and vendor contracts should all be consistent so that the company can respond accurately.

Practical Compliance Checklist for Businesses

A business subject to KVKK should create a structured data subject rights procedure. This procedure should include:

  1. Clear application channels.
  2. Identity verification rules.
  3. Internal escalation process.
  4. Request classification by Article 11 right.
  5. Department-level data search procedure.
  6. Legal review of exemptions or refusal grounds.
  7. Thirty-day response tracking.
  8. Standard response templates.
  9. Third-party notification process for correction or deletion.
  10. Documentation of all requests and responses.
  11. Training for customer service, HR, IT, legal, and marketing teams.
  12. Procedures for requests involving special categories of data.
  13. Procedures for requests involving automated decisions.
  14. Procedures for requests involving cross-border transfers.
  15. Periodic audit of request handling.

The most important point is consistency. A company should not respond differently to similar requests without legal reason. It should also ensure that its privacy notices, data inventory, VERBIS records, retention policies, and vendor contracts support its request-handling process.

Common Mistakes in Handling Data Subject Requests

One common mistake is ignoring informal requests. Data subjects do not always use legal terminology. A simple email asking “do you have my data?” may still be a valid request if it arrives through one of the application channels recognised by the Communiqué (for example, from the email address registered in the controller's system) and the applicant can be properly verified.

Another mistake is missing the thirty-day deadline. Companies should track deadlines carefully from the date of receipt.

A third mistake is giving generic responses. The controller must respond to the specific request, not merely state that it complies with KVKK.

A fourth mistake is over-disclosing data without verifying identity. This can create a separate privacy breach.

A fifth mistake is rejecting deletion requests without explaining the legal retention basis.

A sixth mistake is failing to notify third parties after correction or deletion where required.

A seventh mistake is not documenting the process. If the matter becomes a Board complaint, the controller should be able to prove how it handled the request.

Legal Consequences of Failing to Respect Data Subject Rights

Failure to properly respond to data subject rights may lead to complaints before the Personal Data Protection Board, administrative sanctions, orders to remedy unlawful practices, reputational damage, civil compensation claims, and loss of customer or employee trust. KVKK also provides administrative fines for various violations, including failure to fulfill the obligation to inform, failure to fulfill data security obligations, failure to comply with Board decisions, and breach of Registry obligations.

Data subject rights are often the starting point of regulatory disputes. Many Board investigations begin because a person applied to the controller, received no answer, received a late answer, or found the answer insufficient. Therefore, a strong internal request procedure is one of the most practical ways to reduce KVKK risk.

Conclusion

The rights of data subjects under Turkish Personal Data Protection Law are essential to the effective protection of privacy in Turkey. Article 11 of KVKK gives individuals the right to learn whether their personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request erasure or destruction, request notification of correction or deletion to third parties, object to adverse automated results, and claim compensation for unlawful processing.

These rights impose real operational duties on businesses. Data controllers must establish clear application channels, verify identity, search relevant systems, evaluate requests legally, respond within thirty days, justify refusals, notify third parties where required, and keep records of the process.

For companies operating in Turkey, data subject rights should not be treated as a formal appendix to privacy policies. They should be integrated into customer service, HR, IT, compliance, legal, marketing, healthcare, and platform operations. A company that can respond to data subject requests accurately and transparently demonstrates real KVKK compliance.

In a data-driven business environment, respecting data subject rights is not only a legal obligation. It is also a trust-building mechanism. Individuals are more likely to trust organizations that explain their data practices clearly, correct mistakes quickly, delete unnecessary data when required, respect objections, and respond responsibly to privacy concerns. For this reason, effective management of data subject rights is one of the strongest indicators of mature personal data protection compliance in Turkey.
