Av. Serhat Koçblog, English_1, IT&IP_Law

  1. INTRODUCTION

The protection of personal data represents one of the broadest and most critical aspects of personality rights in the digital era. With the widespread use of the Internet and modern technologies, new forms of intrusion into private life have emerged. Individuals, as free beings, do not wish to live under constant surveillance, with personal information collected, stored, or processed without consent. Personal data privacy and protection are recognized as an integral part of the right to respect for private and family life under Article 8 of the European Convention on Human Rights (ECHR).

Personal data may include a person’s name, surname, age, gender, place of birth, religion, national identification number, sexual life, mobile number, marital status, family, occupation, income, debts, address, medical records, personal preferences, and similar information. Personal data is defined as any information relating to an identified or identifiable natural person. These data may be collected in various ways, and unauthorized disclosure constitutes a violation of the individual’s personality rights. Email addresses are also recognized as personal data in modern law, and illegal collection constitutes a violation of privacy rights.

When personal data is transmitted online or published on the Internet, it becomes accessible to countless people worldwide, potentially causing irreparable harm to the individual’s private life. Consequently, legal frameworks have evolved to protect such rights.

  1. INTERNATIONAL AND EUROPEAN FRAMEWORKS

2.1. Council of Europe Convention 108 (1981/1985)

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), adopted in 1981 and effective from 1985, provides a foundation for personal data protection in Europe. Amendments in 1999 modernized its scope, and it has influenced national legislation globally.

2.2. OECD Guidelines

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1981) encourage member countries to adopt principles protecting personal information in cross-border data transfers.

2.3. United Nations Guidelines

The UN Guidelines on Computerized Personal Data Files (1990) provide international principles for safeguarding individuals’ data in computerized systems.

2.4. European Union: GDPR

The General Data Protection Regulation (GDPR, Regulation 2016/679), effective from May 25, 2018, harmonized data protection across the EU. The GDPR establishes robust principles for processing personal data, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. Individuals are granted rights to access, correct, erase, restrict processing, and object to processing of their personal data.

The EU Directive 95/46/EC, preceding GDPR, laid the foundation for the collection, processing, and free movement of personal data, emphasizing the protection of fundamental rights and freedoms.

  1. TURKISH LEGAL FRAMEWORK

3.1. Constitution

Turkey’s Constitution guarantees the protection of private life under Article 20, the confidentiality of communications under Article 22, and fundamental rights under Article 40.

3.2. Turkish Penal Code (TCK)

The TCK regulates personal data-related offenses in the context of cybercrime:

  • Article 132:Violation of the confidentiality of communication.
  • Article 134:Infringement of private life privacy.
  • Article 135:Recording personal data unlawfully.
  • Article 136:Unauthorized disclosure or acquisition of personal data.
  • Article 138:Failure to delete personal data according to legal obligations.

Other cybercrime-related provisions (TCK Articles 243–246) address crimes committed via information systems, including theft, fraud, and obscenity.

3.3. Law on the Protection of Personal Data (KVKK 6698)

Turkey enacted Law No. 6698 on the Protection of Personal Data (KVKK) in 2016, aligning partly with EU standards. Key provisions include:

  • Consent requirement for processing personal data (Article 5).
  • Obligations for data controllers (Articles 12–16).
  • Mandatory data breach notifications.
  • Rights of data subjects (access, correction, deletion, objection).

Since 2020, several amendments have clarified the scope of processing sensitive data, cross-border transfers, and administrative fines, reflecting evolving global standards.

3.4. Integration with International Standards

KVKK references international instruments such as Convention 108+ and aligns with GDPR principles regarding sensitive data, accountability, and transparency.

  1. IMPORTANT JUDICIAL DECISIONS

4.1. European Court of Human Rights: Klass v. Germany (1978)

The Klass case established that public authorities’ surveillance and interception of communications constitute potential violations of the right to respect for private life, unless appropriate legal safeguards exist.

4.2. Other Jurisprudence

  • Cases concerning online data exposure highlight that publishing personal information on the Internet without consent can cause irreparable harm, triggering remedies under both domestic and international law.
  • Turkish courts increasingly reference KVKK and GDPR principles when addressing privacy violations in cyberspace.
  1. SPECIFIC CYBERCRIME OFFENSES RELATED TO PRIVACY

Cybercrime affecting private life is categorized as follows:

5.1. Violation of Communication Privacy (TCK 132)

  • Punishable acts include intercepting, recording, or disclosing communications without consent.
  • Publishing the content through press or online platforms aggravates the penalty.

5.2. Violation of Private Life Privacy (TCK 134)

  • Includes unlawful recording or disclosure of visual/audio content relating to private life.
  • Penalties are increased if media or online platforms are used.

5.3. Recording Personal Data Unlawfully (TCK 135)

  • Covers sensitive personal data including political, philosophical, religious, racial, sexual, health, and union-related information.
  • Illegal storage or collection, whether physical or digital, is penalized.

5.4. Unauthorized Disclosure or Acquisition (TCK 136–137)

  • Transmitting personal data unlawfully constitutes a punishable offense, including identity theft.
  • Aggravated circumstances include abuse of authority or professional position.

5.5. Failure to Delete Personal Data (TCK 138)

  • Data controllers’ failure to remove data beyond legal retention periods is punishable.
  • Protects both individual rights and institutional reliability.
  1. THE SCOPE OF “PRIVATE LIFE” IN CYBER LAW

Private life encompasses:

  • Identity-related information:records, security files, population data.
  • Sexual life and conduct:including orientation and intimate matters.
  • Physical and mental integrity:medical, psychiatric, or forensic data.
  • Private spaces and correspondence:homes, vehicles, letters, electronic communications.

Violations of these rights, particularly online, are treated as serious offenses under Turkish law and international human rights principles.

  1. DATA TRANSMISSION AND ONLINE RISKS

Publishing personal data online can cause irreversible harm, including identity theft, reputational damage, or financial loss. Legal frameworks emphasize:

  • Consent and transparency:only lawful processing is allowed.
  • Data security measures:encryption, access control, and breach notification.
  • Cross-border compliance:adherence to GDPR or other international standards when transmitting data abroad.
  1. CONCLUSION

The rapid expansion of digital technologies necessitates strong legal frameworks to protect personal data. Turkey’s KVKK, aligned with GDPR and international standards, provides a foundation for safeguarding individual rights. Criminal provisions under the TCK address cyber offenses targeting private life, while international and European instruments offer guidance for harmonized protection. Judicial decisions, including the Klass ruling, reinforce the principle that privacy is a fundamental right requiring robust safeguards against unlawful intrusion.

REFERENCES

  • European Convention on Human Rights, 1950.
  • Klass v. Germany, 1978, European Court of Human Rights.
  • Council of Europe, Convention 108 (1981, amended 1999).
  • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1981.
  • United Nations Guidelines on Computerized Personal Data Files, 1990.
  • General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
  • Directive 95/46/EC of the European Parliament and Council, 1995.
  • Law No. 6698 on the Protection of Personal Data (KVKK), Turkey, 2016, amended 2020.
  • Turkish Penal Code (TCK) No. 5237, 2004.
  • Turkish Constitution, Articles 20, 22, 40.
  • Articles 132–138, TCK: Cyber-related offenses.