Processing Children’s Personal Data Under Turkish Personal Data Protection Law

Introduction

Processing children’s personal data under Turkish Personal Data Protection Law requires a more careful and protective approach than ordinary personal data processing. Children use mobile applications, online games, social media platforms, education technologies, school portals, healthcare systems, sports club platforms, e-commerce services, digital learning tools, video platforms, messaging services, and artificial intelligence tools at increasingly young ages. As a result, companies, schools, healthcare providers, digital platforms, mobile app developers, gaming companies, advertising networks, and public or private institutions may process children’s personal data in many different contexts.

Turkey’s main data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK applies to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partly by automated means, or by non-automated means forming part of a data filing system. The law defines personal data broadly as any information relating to an identified or identifiable natural person, and it defines explicit consent as freely given, specific, and informed consent.

Although KVKK does not contain a separate comprehensive chapter dedicated only to children’s data, children are data subjects and benefit from all rights and protections under the law. In addition, the Turkish Personal Data Protection Authority has published child-focused guidance and educational materials, emphasizing that children are individuals with a right to personal data protection, that child data processing should be minimized, that child-friendly information texts should be prepared, and that technical and administrative safeguards should be handled with heightened sensitivity.

For this reason, businesses should not treat children’s data as ordinary customer, student, patient, or user data. The correct approach is to apply KVKK principles with stronger care, clearer transparency, stricter data minimization, safer default settings, age-appropriate explanations, parental or legal representative involvement where required, and a constant focus on the child’s best interests.

What Is Children’s Personal Data?

Children’s personal data means any information relating to an identified or identifiable child. This may include name, surname, Turkish identity number, passport number, school number, photo, video, voice recording, address, phone number, email address, parent or guardian information, school records, grades, attendance records, behavioral reports, health information, disability information, location data, device identifiers, IP address, username, game profile, social media account, biometric data, online behavior, search history, chat records, and platform activity.

Under international child rights standards published by the Republic of Türkiye Ministry of Foreign Affairs, a child generally means every human being below the age of eighteen unless majority is attained earlier under applicable law. The Convention on the Rights of the Child also provides that the best interests of the child shall be a primary consideration in all actions concerning children and that no child shall be subjected to arbitrary or unlawful interference with privacy, family, home, or correspondence.

In Turkish data protection practice, this means that data controllers should evaluate child data processing not only from a formal legal basis perspective but also from a child protection perspective. The question is not merely “Can we process this data?” The more appropriate question is: “Is this processing necessary, proportionate, transparent, safe, and compatible with the child’s best interests?”

Core KVKK Principles for Children’s Data

KVKK requires all personal data processing to comply with general principles. Personal data must be processed lawfully and fairly, be accurate and kept up to date where necessary, be processed for specified, explicit, and legitimate purposes, be relevant, limited, and proportionate to those purposes, and be retained only for the period required by law or by the processing purpose. These principles apply fully to children’s personal data.

For children’s data, these principles should be interpreted strictly. A school should not collect excessive family or psychological information without necessity. A mobile game should not request a child’s precise location if approximate region data or no location data would be sufficient. A digital learning platform should not use children’s learning behavior for unrelated advertising. A sports club should not publish children’s photos publicly without a proper legal basis and consent structure. An online platform should not activate behavioral advertising tools by default for children.

The Turkish Authority’s child-focused guidance for product and service developers expressly states that if children’s personal data must be processed, processing should be kept at the minimum level in accordance with data minimization. It also recommends child-specific disclosure texts appropriate to children’s perception level, supported by simple language and visuals where needed.

Legal Basis for Processing Children’s Data

A common misunderstanding is that every processing activity involving children requires explicit consent. Under KVKK, explicit consent is one legal basis, but personal data may also be processed without explicit consent where another legal basis under Article 5 applies. These include processing expressly provided by law, necessity for contract performance, necessity for compliance with a legal obligation, necessity for the establishment, exercise, or protection of a right, and legitimate interests of the controller provided that fundamental rights and freedoms are not harmed.

For example, a private school may process student identity and enrollment data to provide education services and comply with legal obligations. A pediatric clinic may process appointment and treatment data for healthcare services. An online education platform may process login credentials to provide access to purchased courses. A sports facility may process emergency contact information for safety purposes. These activities may not always require explicit consent if another valid legal basis exists.

However, consent may be required for optional or non-essential processing. Examples include marketing to children, publishing a child’s photo or video online, using child data for advertising profiling, transferring data to third-party commercial partners, using children’s behavioral data for unrelated analytics, or processing special categories of data where no statutory condition applies. In these cases, the controller must assess whether the child can validly consent or whether parental/legal representative consent is required under the circumstances.

Parental Consent and the Role of Legal Representatives

KVKK does not set a specific age threshold like “children under 13” or “children under 16” for digital consent. Therefore, businesses must consider Turkish civil law principles, the child’s maturity, the nature of the processing, whether the act creates legal consequences, and whether a parent or legal representative must be involved.

As a practical compliance approach, data controllers should obtain consent from the parent or legal representative where the processing is significant, high-risk, commercial, contractual, or involves sensitive data. For younger children, parental involvement will usually be necessary. For older children, the child’s own understanding and participation may also matter, especially where the processing affects personality rights, privacy, health, education, or digital identity.

The Turkish Authority’s guidance for product and service developers recommends using age verification systems and, where necessary, sending information and explicit consent approval texts to verified contact details of persons holding parental authority or guardianship.

Child-Friendly Privacy Notices

The obligation to inform is one of the most important KVKK duties. Under Article 10, data controllers must inform data subjects about the identity of the controller, processing purposes, transfer recipients and transfer purposes, method and legal basis of collection, and data subject rights. This duty applies regardless of whether processing is based on explicit consent or another legal basis.

When the data subject is a child, the privacy notice should be understandable for the child’s age and perception level. A complex legal notice written only for adults may not be sufficient where the product or service directly targets children. The Authority’s child guidance recommends preparing informative texts suitable for children’s perception level and, where needed, using simpler language supported by pictures and visual effects.

A good child-friendly privacy notice should explain what data is collected, why it is collected, who can see it, whether it will be shared, whether it will be used for advertising, how long it will be kept, how the child or parent can ask questions, and how rights can be exercised. For digital platforms, this notice should be layered: a simple child-facing explanation, a detailed parent-facing privacy notice, and a legally complete KVKK disclosure text.

Children’s Data in Schools and Education Platforms

Schools, private education institutions, tutoring centers, online learning platforms, student management systems, and educational technology providers process large amounts of children’s data. This may include enrollment records, identity data, parent contact details, grades, attendance, disciplinary records, psychological guidance information, exam results, learning analytics, photos, videos, health records, disability information, and online activity logs.

Educational institutions must be especially careful with special categories of personal data. In a Board decision concerning an educational institution, the Authority examined allegations that a child was subjected to a Cognitive Assessment System test without fulfilling the obligation to inform or obtaining necessary consent. The Board concluded that the school processed special category health data without the explicit consent of the child’s legal representative and without another applicable condition, and imposed an administrative fine while instructing the institution to bring its guidance services into compliance.

This decision is highly important for schools and educational service providers. Psychological tests, developmental assessments, health-related evaluations, disability records, and counseling documents may involve special category data. Schools should not assume that all student-related processing is automatically lawful because the child is enrolled. Each processing activity must have a legal basis, proper notice, proportional scope, limited access, and secure retention.

Children’s Health Data

Health data is a special category of personal data under KVKK Article 6. Children’s health data may include pediatric records, vaccination information, disability reports, psychological assessments, medication records, emergency medical information, diagnostic reports, therapy records, and hospital files. Processing such data requires strict legal basis analysis and heightened safeguards.

The Board has also considered child health data in a decision concerning the sharing of health data with a non-custodial parent by unauthorized hospital employees. The decision emphasized that healthcare personnel should access health data only to the extent necessary for the health service, that health information obtained during healthcare services cannot be disclosed except as permitted by law, and that access to patient files should be limited through authorization controls and trace records.

For hospitals, clinics, psychologists, school nurses, sports clubs, and digital health platforms, this means that child health data should be accessible only to authorized persons who need it for a lawful purpose. Parents, guardians, non-custodial parents, lawyers, school personnel, and third parties should not receive child health data without careful legal assessment.

Children’s Data in Social Media and Online Platforms

Children’s data on social media and online platforms is one of the most sensitive and current issues in Turkish privacy practice. Children may share photos, videos, messages, location, interests, friend networks, school information, gaming IDs, comments, and behavioral signals. Platforms may also process device identifiers, advertising IDs, watch history, search history, recommendation data, and profiling information.

On 20 February 2026, the Turkish Personal Data Protection Authority announced that the Board had initiated an ex officio investigation into TikTok, Instagram, Facebook, YouTube, X, and Discord regarding how children’s personal data is processed and what measures are taken to protect children from potential risks in the digital environment, expressly referring to the best interests of the child.

This development shows that digital platforms, social media companies, gaming services, and online communities should not treat child users as ordinary users. They should implement age-appropriate privacy settings, minimize tracking, restrict behavioral advertising, provide parental tools where appropriate, prevent excessive profiling, explain data processing clearly, and adopt child-protective default settings.

Age Verification and Data Minimization

Age verification is a difficult compliance issue. A platform may need to know whether a user is a child in order to provide child-appropriate protection. However, age verification itself may require collecting additional data, such as date of birth, identity information, parent contact details, or verification documents. This creates a privacy paradox: protecting children may require processing more data.

The correct approach is proportionality. A platform should choose the least intrusive age verification method that is effective for the risk level of the service. A low-risk educational game may not need identity document verification. A high-risk social platform or payment-related service may require stronger checks. Where parental consent is needed, the controller should verify the parent or guardian without collecting excessive documents.

The Authority’s guidance expressly recommends using age verification systems according to available technology and suggests that, where necessary, information and explicit consent approval texts may be sent to verified contact details of persons with parental authority or guardianship.

Marketing to Children

Marketing involving children is a high-risk area. Children may not fully understand advertising, profiling, influencer marketing, persuasive design, in-app purchases, personalized recommendations, or behavioral tracking. Therefore, using children’s data for marketing requires special care.

A Board decision concerning a marketing company involved an 8-year-old child receiving a promotional brochure by mail. The complaint alleged that the child’s name and home address were processed for commercial promotional purposes without parental consent. The Board’s summary records the facts and shows the Authority’s willingness to examine child data processing in direct marketing contexts.

Businesses should avoid sending promotional communications to children unless there is a clear lawful basis and appropriate parental involvement. Marketing databases should not contain children’s names, addresses, phone numbers, or behavioral profiles without careful legal review. Digital advertising aimed at children should be especially restricted, and behavioral profiling of children should be avoided unless a strong legal basis and protective safeguards exist.

Children’s Data in Online Games

Online games process children’s personal data through usernames, avatars, chat messages, in-game purchases, device IDs, location indicators, friend lists, voice chat, behavioral data, achievements, and sometimes payment information. Multiplayer games may also expose children to contact from unknown adults, profiling, targeted ads, and social pressure.

Gaming companies operating in Turkey should provide child-friendly notices, default privacy settings, parental controls where appropriate, safe chat features, reporting mechanisms, and limitations on behavioral advertising. They should not use children’s gameplay behavior for intrusive profiling or third-party marketing. In-game purchase systems should also be designed carefully because payment data and parental authorization issues may arise.

If a game uses voice chat, location-based features, biometric avatars, facial filters, or AI-based moderation, the controller should conduct a privacy risk review before deployment.

Children’s Data and Artificial Intelligence

AI systems may process children’s data in education, gaming, social media, healthcare, security, moderation, recommendation engines, and learning analytics. AI can create additional risks because it may infer sensitive information about a child’s abilities, mental state, interests, weaknesses, social relations, or behavior.

For example, an education platform may use AI to predict academic performance. A social platform may use recommendation algorithms to shape content exposure. A game may use behavior data to personalize offers. A healthcare app may use AI to analyze child symptoms. These systems should be designed with privacy, fairness, explainability, and child protection in mind.

If AI is used for decisions or recommendations that significantly affect children, human oversight should be included. Data used for AI training should be minimized, anonymized where possible, and not retained indefinitely. Children’s data should not be used to train unrelated commercial AI models without a clear legal basis and strong transparency.

Data Security Obligations for Children’s Data

KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure the protection of personal data. This obligation becomes more sensitive when children’s data is involved.

The Authority’s child guidance recommends adopting an approach in which technical and administrative measures are handled at the highest level when children’s personal data is processed.

Practical measures include role-based access control, encryption, strong authentication, logging, secure backups, staff training, child data confidentiality policies, vendor due diligence, access review, secure deletion, breach response procedures, and privacy-by-design controls. Schools should restrict access to student records. Healthcare providers should limit health data access. Digital platforms should protect accounts against takeover. Gaming companies should secure chat logs and payment data. Cloud providers processing children’s data should be contractually bound to strict security obligations.

Data Breach Notification Involving Children’s Data

If children’s personal data is obtained by unauthorized persons, the risk may be serious. A breach may expose home addresses, school names, photos, videos, health data, account credentials, chat logs, or location data. Such incidents may lead to identity misuse, bullying, stalking, fraud, reputational harm, or safety risks.

Under KVKK Article 12, if processed personal data is obtained by others unlawfully, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time.

Where children are affected, notification should be carefully drafted. It should be understandable for parents and, where appropriate, children. It should explain what happened, which data was affected, what risks may arise, what measures were taken, and what steps parents should take. If the breach involves school, health, location, or communication data, urgent protective measures may be necessary.

Retention and Deletion of Children’s Data

Children’s data should not be stored indefinitely. KVKK requires personal data to be processed only for the period required by law or by the purpose of processing, and personal data must be erased, destroyed, or anonymized when the reasons requiring processing no longer exist.

Retention periods should be shorter and more carefully justified for children’s data. Schools may need to retain certain education records due to legal obligations, but old counseling notes, photos, event videos, or online platform logs should not be retained without purpose. Online platforms should delete inactive child accounts after a reasonable period. Gaming companies should not keep children’s chat logs or behavioral profiles indefinitely. Healthcare providers may have statutory medical record retention duties, but access should remain strictly controlled.

If a parent or legal representative requests deletion, the controller should evaluate whether legal retention obligations continue. If no legal basis remains, the data should be erased, destroyed, or anonymized.

Data Subject Rights for Children

Children are data subjects under KVKK and have rights under Article 11. These include the right to learn whether personal data is processed, request information, learn processing purposes, know transfer recipients, request correction, request erasure or destruction under legal conditions, object to adverse results arising from automated systems, and claim compensation for unlawful processing.

In practice, these rights may be exercised by the child, parent, guardian, or legal representative depending on the child’s age, maturity, and the nature of the request. Controllers should establish procedures for verifying the authority of the parent or guardian, especially in cases of divorced parents, custody disputes, healthcare records, school records, or sensitive data.

The Authority’s guidance recommends developing appropriate policies and mechanisms that enable children to know and use their personal data protection rights.

Cross-Border Transfers of Children’s Data

Children’s data may be transferred abroad through cloud services, education platforms, mobile apps, gaming servers, social media tools, analytics providers, AI tools, foreign parent companies, and customer support systems. Cross-border transfers must comply with KVKK Article 9.

Following the 2024 amendments to Article 9, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision. If there is no adequacy decision, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board.

For children’s data, cross-border transfers require extra caution. A school using a foreign learning platform, a game using overseas servers, a social platform using foreign analytics, or a health app sending data to a foreign AI provider should map the transfer, identify the recipient, determine the legal basis, implement appropriate safeguards, and explain the transfer in the privacy notice.

Practical Compliance Checklist for Children’s Data

A company or institution processing children’s personal data in Turkey should follow these steps:

1. Identify whether the service targets children or is likely to be used by children.
2. Map all children’s personal data categories.
3. Determine whether special categories of data are processed.
4. Identify the legal basis for each processing purpose.
5. Obtain parental or legal representative consent where required.
6. Use age verification systems proportionate to the risk.
7. Prepare child-friendly privacy notices.
8. Provide parent-facing detailed notices.
9. Minimize data collection.
10. Avoid unnecessary location tracking.
11. Avoid behavioral advertising and intrusive profiling of children.
12. Use privacy-protective default settings.
13. Restrict access to children’s data internally.
14. Sign strong data processing agreements with vendors.
15. Map cross-border transfers.
16. Define retention and deletion periods.
17. Establish mechanisms for child and parent rights requests.
18. Train employees working with children’s data.
19. Prepare breach response procedures.
20. Conduct regular privacy risk reviews.

Common Mistakes in Processing Children’s Data

One common mistake is treating children as ordinary adult users. Another is using adult-level privacy notices that children cannot understand. A third mistake is collecting excessive data during registration, such as full address, precise location, parent income, unnecessary photos, or identity numbers.

A fourth mistake is using children’s data for marketing or profiling without proper consent and legal basis. A fifth mistake is publishing children’s photos or videos on websites and social media without a careful consent mechanism. A sixth mistake is giving broad staff access to student, patient, or platform records. A seventh mistake is using foreign digital tools without cross-border transfer analysis.

Another serious mistake is ignoring family law issues. In custody disputes, school or health data should not be disclosed to every person claiming to be a parent without verifying legal authority and considering the child’s best interests.

Conclusion

Processing children’s personal data under Turkish Personal Data Protection Law requires a protective, transparent, and risk-based compliance approach. KVKK applies to children as natural persons and protects their personal data through general principles, legal basis requirements, privacy notice obligations, data subject rights, data security duties, transfer rules, and deletion obligations. However, because children are more vulnerable than adults, these rules should be applied with heightened care.

The Turkish Personal Data Protection Authority’s child-focused guidance emphasizes that children are individuals with a right to personal data protection, that children’s data should be processed at the minimum level, that child-friendly disclosure texts should be prepared, that age verification systems should be used where appropriate, and that technical and administrative safeguards should be handled more sensitively.

For schools, healthcare providers, digital platforms, gaming companies, mobile app developers, social media services, advertisers, and online education providers, child data compliance should be treated as a core legal and ethical responsibility. A compliant structure should include lawful processing, parental involvement where required, child-friendly notices, data minimization, privacy-by-default settings, restricted access, secure vendors, careful retention, effective rights mechanisms, and strong breach response.

In Turkey, children’s data protection is also becoming a more visible regulatory priority. The Authority’s 2026 ex officio investigation into major social media platforms regarding children’s personal data demonstrates that child data processing in digital environments is under increasing scrutiny.

Businesses that process children’s personal data lawfully and responsibly protect not only themselves from regulatory risk but also children from long-term privacy, safety, reputational, and psychological harm. In a digital world where childhood increasingly unfolds online, child-centered data protection is not merely a compliance requirement; it is a fundamental part of responsible service design.