Introduction
Personal data protection in Turkish education institutions and private schools is one of the most sensitive areas of privacy compliance. Schools, private schools, kindergartens, nurseries, language courses, tutoring centers, universities, dormitories, online education platforms, educational technology companies, exam preparation centers, and school transportation providers process large volumes of personal data about students, parents, teachers, employees, visitors, and service providers.
Educational institutions do not process only ordinary commercial data. They often process children’s personal data, academic records, attendance records, disciplinary files, parent contact details, health information, psychological counseling records, CCTV footage, transportation data, online learning logs, exam results, photos, videos, payment records, and sometimes special categories of personal data such as health data, biometric data, disability information, or psychological assessment results.
In Turkey, the main legal framework is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK protects fundamental rights and freedoms, especially the right to privacy, and regulates the obligations of persons and institutions that process personal data. It applies to personal data processed wholly or partly by automated means or by non-automated means forming part of a data filing system.
For education institutions, KVKK compliance is not limited to publishing a general privacy policy on a school website. A compliant school must understand what data it collects, why it collects it, which legal basis applies, whether parental consent is required, whether special categories of data are processed, who may access student records, how long data will be retained, which vendors receive data, whether foreign education platforms are used, and how students and parents may exercise their rights.
Why Personal Data Protection Is Critical in Education
Education institutions process data in a relationship of trust. Parents entrust schools with information about their children’s identity, learning progress, health, behavior, family structure, emergency contacts, transportation arrangements, and social development. Students may also share highly personal information with teachers, counselors, psychologists, school nurses, coaches, and administrators.
The consequences of unlawful data processing in education can be serious. A data breach may expose a child’s address, school, family contact information, health status, disciplinary record, academic weakness, psychological assessment, or image. Unlawful disclosure may lead to bullying, discrimination, reputational harm, emotional distress, family conflict, or safety risks.
For this reason, schools should treat student data as high-risk data even when it is not always classified as “special category data.” The fact that the data belongs to a child or young person makes the processing more sensitive. The Turkish Personal Data Protection Authority’s child-focused guidance emphasizes that, where children’s personal data must be processed in products and services, processing should be kept to a minimum in accordance with the data minimization principle.
Personal Data Commonly Processed by Schools and Educational Institutions
Schools and education institutions may process many categories of personal data. These commonly include student identity data such as name, surname, date of birth, Turkish identity number, school number, nationality, photograph, class, grade level, and enrollment information. Parent and guardian data may include names, phone numbers, email addresses, addresses, occupation, custody information, emergency contacts, payment responsibility, and communication preferences.
Academic data may include grades, attendance, exam results, homework records, learning analytics, teacher evaluations, disciplinary records, awards, course selections, and classroom performance. Administrative data may include registration forms, tuition payments, invoices, scholarship information, transportation records, meal plan records, dormitory information, and extracurricular activity participation.
Schools may also process digital data such as student portal logs, online class attendance, IP addresses, device information, learning management system records, email accounts, cloud classroom files, video lesson recordings, exam platform data, and communication platform messages.
Certain data may be special category data under KVKK. Health reports, disability information, psychological assessment results, counseling notes, biometric attendance data, genetic information, and criminal conviction or security measure data are not ordinary school records. Special categories of personal data may be processed only under specific legal conditions and with adequate measures.
Data Controller Role of Schools
Most schools and private education institutions act as data controllers for student, parent, employee, and visitor data. A data controller determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system. Under KVKK, the controller must ensure lawful processing, proper privacy notices, data security, retention compliance, transfer rules, and response to data subject requests.
A private school will usually determine why student enrollment data is collected, how academic records are stored, who can access parent contact details, how counseling records are managed, whether CCTV is used, whether photos are published, and which software systems are used. Therefore, the school cannot shift all responsibility to software providers, outsourced IT companies, transportation providers, or cloud education platforms.
However, vendors may also play important roles. A learning management system provider, school bus tracking provider, online exam platform, cafeteria payment provider, cloud storage company, CCTV vendor, or school communication app may process personal data on behalf of the school. In such cases, data processing agreements and vendor controls are essential.
Legal Bases for Processing Student and Parent Data
Not every school data processing activity requires explicit consent. Under KVKK Article 5, personal data may be processed without explicit consent where one of the legal bases applies, such as processing expressly provided by law, necessity for contract performance, necessity for compliance with a legal obligation, necessity for establishment, exercise or protection of a right, or legitimate interests of the data controller provided that fundamental rights and freedoms are not harmed.
For example, a private school may process student and parent identity data to establish and perform the education contract. It may process payment and invoice data to comply with legal and accounting obligations. It may process attendance records to manage education services. It may process emergency contact information to protect the student’s safety. It may process disciplinary records where necessary for school administration and protection of rights.
However, explicit consent may be required for optional or high-risk processing activities. Examples include using student photos or videos in promotional materials, publishing images on social media, processing certain special category data where no statutory ground applies, using biometric access systems, sharing student data with third-party commercial partners, or using student behavioral data for unrelated marketing or profiling.
The legal basis must be determined separately for each processing purpose. A school should not use a single broad consent form for all student data. This is especially important because children and parents may feel pressured in the education relationship.
Privacy Notices for Students and Parents
The obligation to inform is one of the most important KVKK duties. At the time personal data is obtained, the data controller must inform data subjects about the controller’s identity, processing purposes, recipients and transfer purposes, collection method and legal basis, and Article 11 rights.
A school privacy notice should not be generic. It should explain enrollment, education services, academic assessment, attendance monitoring, parent communications, payment processing, student safety, guidance services, health and emergency processes, school transportation, extracurricular activities, CCTV, online education platforms, photo and video processing, data transfers, retention periods, and rights of students and parents.
Where the data subject is a child, the notice should be understandable. The Authority’s child-focused guidance recommends preparing informative texts suitable for children’s perception level, using clear and simple language and visual support where appropriate.
A strong structure may include two layers: a detailed parent-facing KVKK notice and a child-friendly explanation for students. For younger children, notices may use simple visuals or short explanations. For older students, schools should provide clear explanations about school portals, online classes, camera systems, exam platforms, and digital communication tools.
Parental Consent and Children’s Participation
KVKK does not provide a single specific age threshold for all children’s consent. Therefore, schools must consider Turkish civil law principles, the child’s age and maturity, the nature of the processing, and whether parental or legal representative involvement is required.
For routine education-related processing, the school may rely on contract performance, legal obligation, or legitimate interests depending on the activity. But for optional processing, such as publishing a student’s photo on social media, using student images in advertising, or conducting certain psychological assessments, parental consent or legal representative approval may be necessary.
At the same time, children should not be treated as passive objects. Older students may have their own privacy expectations and personal rights. Even where parental consent is obtained, the school should consider whether the processing respects the student’s dignity, privacy, safety, and best interests.
Special Category Data in Education: Health, Disability, Psychological Records, and Biometric Data
Education institutions often process special category data, sometimes without realizing it. A student’s allergy report, medication information, disability record, psychological counseling note, cognitive assessment, ADHD-related evaluation, anxiety disorder record, special education report, or biometric attendance data may fall into sensitive categories.
The Personal Data Protection Board’s Decision No. 2020/255 is particularly important for schools. In that case, an education institution processed children’s special category personal data through a Cognitive Assessment System test. The Board evaluated the processing of children’s special category data and imposed sanctions because the necessary explicit consent of the legal representative had not been obtained and the processing did not satisfy the legal conditions.
This decision is a warning for private schools, guidance services, psychological counselors, and education consultants. Academic support and guidance activities may appear educational, but if they produce health, psychological, developmental, or cognitive data, they may involve special category personal data. Schools should not conduct psychological tests, counseling evaluations, behavioral assessments, or health-related screenings without a specific legal basis, proper notice, and adequate safeguards.
Guidance and Counseling Services
School guidance services are especially sensitive. Counselors may process information about a student’s mental health, family life, social relationships, academic difficulties, bullying experiences, emotional state, disciplinary issues, anxiety, attention problems, or developmental needs. Such information should be accessible only to authorized personnel who need it for legitimate educational or protective purposes.
Counseling records should not be freely accessible to all teachers, administrators, parents, or service providers. The school should define who can access counseling files, when information may be shared with parents, when confidentiality must be preserved, and how records will be retained.
If a school uses third-party psychological testing tools or outsourced counseling services, contracts should clearly regulate confidentiality, legal basis, data security, retention, and deletion. Results should not be used for labeling, discrimination, marketing, or unrelated school decisions.
Student Photos, Videos, Websites, and Social Media
Many schools publish photos and videos from ceremonies, competitions, classroom activities, sports events, theater performances, trips, graduation programs, and social responsibility projects. These materials may promote the school, inform parents, or celebrate student achievements. However, student photos and videos are personal data, and online publication may create long-term privacy risks.
Publishing a child’s image on a website or social media platform is not the same as using it internally. Online publication may make the image accessible to unknown third parties, searchable, downloadable, reusable, and difficult to delete. Schools should therefore obtain specific consent from parents or legal representatives where required and should also consider the student’s own wishes, especially for older students.
Consent should not be hidden in a general enrollment contract. It should explain where images may be published, for what purpose, whether social media platforms are involved, whether the content may remain online after graduation, and how consent can be withdrawn. Schools should also provide alternatives for students who do not consent so that they are not excluded from activities.
CCTV and Camera Recording in Schools
CCTV may be used in schools for security, student safety, incident investigation, entrance control, and protection of property. However, camera recording is personal data processing. It must comply with KVKK principles, including lawfulness, purpose limitation, proportionality, transparency, retention limitation, and data security.
Cameras may be justified in school entrances, corridors, gardens, gates, parking areas, and common security-sensitive spaces. However, cameras should not be placed in toilets, changing rooms, medical rooms, counseling rooms, dormitory rooms, or other private areas. Classroom camera recording should be approached with particular caution because it may create continuous surveillance of students and teachers.
The Personal Data Protection Board has examined camera and audio recording in educational institutions. In Decision No. 2023/1461, the Board considered a complaint involving image and sound recording through a camera in an education institution. This shows that camera and audio surveillance in schools can attract regulatory scrutiny, especially where explicit consent, notification, or proportionality is disputed.
Audio recording is more intrusive than ordinary video. Schools should avoid audio recording unless there is a clear legal basis and strict necessity. In most cases, ordinary security purposes can be achieved without recording conversations.
Online Education Platforms and Education Technology
Online education has expanded the amount of student data processed by schools. Learning management systems, video conferencing tools, online exam platforms, homework portals, classroom apps, digital libraries, AI tutoring systems, and communication platforms may process student names, grades, attendance, homework, screen activity, camera images, voice data, chat records, IP addresses, device information, and behavioral data.
Schools must evaluate each platform before use. Important questions include: Who is the data controller? Who is the processor? Where is the data stored? Does the platform use foreign cloud infrastructure? Are classes recorded? Are chats retained? Does the platform use data for advertising or product improvement? Does it process children’s data? Can data be deleted after the school relationship ends?
If a platform is foreign or stores data abroad, cross-border transfer rules under KVKK Article 9 may apply. After the 2024 amendments, personal data may be transferred abroad through adequacy decisions or appropriate safeguards such as standard contracts, binding corporate rules, or approved written commitments, depending on the transfer structure.
Artificial Intelligence in Education
AI tools are increasingly used in education for adaptive learning, automated grading, plagiarism detection, exam monitoring, behavioral analytics, language learning, tutoring, student risk prediction, and administrative support. These systems may process large volumes of student data and may produce significant effects on students.
AI-based education tools should be assessed carefully. Schools should determine whether AI processing is necessary, whether students and parents are informed, whether special category data is processed, whether automated decisions affect students, whether human review is available, and whether the tool transfers data abroad.
Student data should not be used to train unrelated commercial AI models without a clear legal basis and transparent disclosure. AI systems should not label students, predict psychological traits, or make important educational decisions without human oversight and a strong legal framework.
School Transportation, Cafeteria, Dormitory, and Extracurricular Data
Schools often process data through additional services. Transportation providers may process student names, addresses, routes, parent phone numbers, pick-up/drop-off times, vehicle GPS data, and attendance. Cafeteria systems may process meal plans, dietary preferences, allergies, payment records, and consumption data. Dormitories may process accommodation records, entry-exit logs, visitor records, health data, and disciplinary notes. Sports and club activities may process health forms, photos, competition records, travel permissions, and emergency contacts.
These data flows should be included in the school’s data inventory. Vendors such as transportation companies, catering companies, dormitory operators, sports clubs, app providers, and payment vendors should be contractually controlled. The school should ensure that vendors do not use student data for unrelated purposes.
Data Security in Schools
KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. If data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for security measures.
For schools, practical security measures include role-based access to student information systems, strong passwords, multi-factor authentication for administrative accounts, secure storage of health and counseling records, encrypted backups, limited access to CCTV footage, staff confidentiality undertakings, secure disposal of printed records, locked archives, vendor due diligence, and data protection training.
Teachers should not keep student grades, reports, or parent contact lists on unsecured personal devices or in public cloud accounts. WhatsApp groups should be managed carefully because they may expose phone numbers, photos, student information, or parent communications. Staff should be trained not to share student data through unauthorized channels.
Retention and Deletion of Student Data
Schools must retain certain records for legal, educational, administrative, tax, accounting, and dispute-related purposes. However, data cannot be retained indefinitely without a lawful basis. KVKK Article 7 requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist. The By-Law on Erasure, Destruction or Anonymization sets procedures for deletion, destruction, and anonymization of personal data.
Retention periods should be defined for enrollment records, academic files, attendance, disciplinary records, health forms, counseling notes, CCTV footage, online platform data, parent communications, payment records, transportation logs, cafeteria data, and alumni records.
Not all school data should be kept forever. For example, CCTV footage should usually be retained for a short period unless an incident occurs. Unsuccessful admission application files should not be kept indefinitely. Health forms for temporary activities should be deleted after the purpose ends unless a legal reason remains. Marketing consent records may need to be retained for proof, but marketing contact lists should be updated and cleaned regularly.
Data Subject Rights of Students and Parents
Students and parents have rights under KVKK Article 11. These include the right to learn whether personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request erasure or destruction under legal conditions, object to adverse results arising exclusively through automated systems, and claim compensation for unlawful processing.
Schools should create a clear procedure for these requests. A parent may ask for correction of contact information, deletion of a photo, information about an online education platform, access to data shared with a vendor, or deletion of outdated health records. A student may object to publication of their image or request information about digital learning records.
The school must verify the identity and authority of the requester. Custody disputes, divorced parents, guardianship issues, and student maturity must be considered carefully. Not every adult claiming to be related to a child should receive student data automatically.
Data Breach Notification in Education
A data breach in a school can be highly damaging. Examples include leaked student lists, hacked school portals, exposed grades, unauthorized access to counseling records, lost health forms, ransomware attacks, misdirected parent emails, leaked CCTV footage, or unauthorized publication of student photos.
Under KVKK Article 12, if processed personal data is obtained by others unlawfully, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time.
Schools should prepare a breach response plan. The plan should identify who investigates the incident, who contacts IT vendors, who preserves evidence, who assesses notification duties, who communicates with parents, and what immediate protective measures are needed. If children’s data or special category data is involved, the school should treat the incident as high priority.
VERBIS and Data Inventory
Private schools and education institutions should assess whether they are required to register with VERBIS, the Data Controllers’ Registry Information System. Under KVKK Article 16, data controllers must register before starting processing unless an exemption applies. Registry applications include controller identity, processing purposes, data subject groups, data categories, recipient groups, personal data envisaged to be transferred abroad, security measures, and maximum storage periods.
Even if a school is exempt from VERBIS registration, it should still maintain a data inventory. Exemption from registration does not remove other KVKK obligations. A data inventory helps the school manage privacy notices, retention periods, vendor transfers, cross-border transfers, and data subject requests.
Practical KVKK Compliance Checklist for Schools
A Turkish education institution or private school should:
- Prepare a personal data processing inventory.
- Identify all student, parent, teacher, employee, visitor, and vendor data.
- Determine legal bases for each processing purpose.
- Prepare privacy notices for students, parents, employees, candidates, visitors, and website users.
- Use child-friendly explanations where appropriate.
- Separate privacy notices from explicit consent forms.
- Obtain specific consent for student photos, videos, promotional use, and optional processing where required.
- Review psychological testing, counseling records, and health data under Article 6.
- Restrict access to special category data.
- Review CCTV placement and avoid private areas.
- Avoid audio recording unless strictly necessary.
- Assess online education platforms and cloud tools.
- Map cross-border transfers.
- Sign data processing agreements with vendors.
- Define retention and deletion periods.
- Establish student and parent rights request procedures.
- Train teachers, administrators, counselors, nurses, security personnel, and IT staff.
- Prepare a data breach response plan.
- Review VERBIS obligations.
- Audit compliance periodically.
Common Mistakes in School Data Protection
One common mistake is using a single broad enrollment contract as if it covers all data processing. Enrollment may justify certain educational processing, but it does not automatically authorize promotional image use, psychological testing, biometric systems, or unrelated marketing.
Another mistake is publishing student photos and videos online without specific consent. A third mistake is giving too many employees access to student records. A fourth mistake is storing health reports and counseling notes without strict access controls. A fifth mistake is using foreign online education platforms without transfer analysis. A sixth mistake is retaining old student data indefinitely.
Schools also frequently underestimate informal data sharing. Teacher WhatsApp groups, parent messaging groups, printed class lists, unlocked offices, shared spreadsheets, and personal email accounts can all create KVKK risk.
Conclusion
Personal data protection in Turkish education institutions and private schools requires a careful, child-centered, and risk-based compliance approach. Schools process extensive personal data about students, parents, teachers, employees, and visitors. Much of this data is sensitive in practice, and some of it may qualify as special category data under KVKK.
The most important compliance areas include lawful processing, privacy notices, parental consent, children’s rights, special category data, guidance and counseling records, student photos and videos, CCTV, online education platforms, AI tools, transportation and cafeteria data, vendor contracts, cross-border transfers, data security, retention, breach response, and VERBIS assessment.
The Turkish Personal Data Protection Board’s 2020/255 decision concerning a school’s processing of children’s special category data through cognitive assessment testing shows that education institutions may face serious consequences when they process sensitive student data without proper legal basis and safeguards.
For schools, KVKK compliance should not be treated as a formal legal document exercise. It must be integrated into daily school operations: registration, teaching, counseling, communication, security, technology, health services, extracurricular activities, transportation, and parent relations. A school that protects personal data properly protects not only itself from legal risk but also the dignity, safety, and future privacy of its students.