Back to Articles
Data Protection··7 min read

KVKK Practice and the Lawyer’s Role: A Legal Assessment of the Sinop Bar Association Seminar

The KVKK seminar to be organized by the Sinop Bar Association addresses the key practical topics in personal data protection law. Issues such as representation of data subjects, lawful data processing, unlawfully obtained evidence, and KVKK-related offences are of particular importance for legal practice.

Personal data protection law is no longer an area limited solely to companies’ compliance obligations; it has a broad sphere of influence, extending from legal practice to criminal proceedings, employment relationships, and the assessment of evidence. The KVKK seminar to be held by the Sinop Bar Association on Friday, 31 October at 14:00 at the Sabahattin Ali Cultural Center is important in that it addresses this wide field of application from a professional perspective.

The seminar program includes the topics of KVKK practice, representation of data subjects, the lawyer’s role in personal data protection requests, lawful data processing, unlawfully obtained evidence, and KVKK-related offences. These topics are current and have practical consequences both for data controllers and for lawyers representing individuals in legal remedies and rights-enforcement processes.

Law No. 6698 on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu) (KVKK) regulates the basic principles concerning the processing of personal data, the obligations of data controllers, and the rights of data subjects. The Law is not merely a technical compliance instrument; it is also a legal framework that serves the protection of fundamental rights and freedoms.

The processing of personal data is inevitable in the legal profession. Client information, opposing party data, case files, medical reports, payroll records, communication records, and documents qualifying as evidence may be evaluated within this scope. For this reason, when processing personal data, lawyers must observe both professional secrecy and the duty of confidentiality, as well as the principles of the KVKK.

The key principles that stand out in KVKK practice are as follows:

  • Processing in accordance with the law and the rules of good faith,
  • Processing for specific, explicit, and legitimate purposes,
  • Being relevant, limited, and proportionate to the purposes for which they are processed,
  • Being accurate and, where necessary, up to date,
  • Being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

These principles must be taken into account at every stage of legal practice, from file management to electronic communications, and from archiving to sharing information with third parties.

Representation of Data Subjects and the Lawyer’s Role in Application Processes

Under the KVKK, a natural person whose personal data is processed is defined as the data subject. The data subject has rights such as learning whether their data has been processed, requesting information if it has been processed, learning whether the data has been used in accordance with its purpose, and requesting its deletion, destruction, or rectification where the conditions are met.

The exercise of these rights often requires technical and legal assessment. For this reason, representation of data subjects is one of the lawyer’s most important roles in the field of personal data protection. In the application process, the lawyer ensures that the request is directed to the correct addressee, that the demand is clear and legally grounded, and that action is taken in compliance with the applicable time limits.

The main points that a lawyer should consider within the scope of representing a data subject are as follows:

  1. Determining which data controller the application should be addressed to,
  2. Clearly stating which data subject right the request is based on,
  3. Properly demonstrating the power of attorney and authority to represent,
  4. Formulating the personal data request in a proportionate and purpose-appropriate manner,
  5. Assessing the legal route to be followed if no response is given or if an insufficient response is provided.

Applications made with incomplete or generic statements in these processes may make it difficult to exercise the right effectively. Therefore, the lawyer’s role in personal data protection request processes is not merely one of representation; it also involves strategic legal assessment.

The Fine Line Between Lawful Data Processing and Unlawfully Obtained Evidence

There is a delicate balance between personal data protection law and the use of evidence in proceedings. The fact that a piece of information is important for resolving a dispute does not always mean that it was obtained lawfully or may be used lawfully. In particular, the rights to privacy, confidentiality of communications, and protection of personal data may be decisive in this assessment.

As a rule, for data processing to be lawful, one of the conditions stipulated in the relevant legislation must exist. Grounds such as explicit consent, express provision by law, necessity for the establishment or performance of a contract, fulfillment of a legal obligation, or the establishment, exercise, or protection of a right frequently arise in practice.

By contrast, obtaining or sharing personal data by unlawful means may make the admissibility of the evidence in proceedings controversial. In criminal proceedings in particular, the prohibition on unlawfully obtained evidence applies; in civil proceedings, the assessment is made within the framework of the rule of good faith and equity.

For lawyers, therefore, the following distinction is of critical importance:

IssueLegal Assessment
Obtaining the dataIt must comply with the legislation, the purpose, and proportionality.
Submitting the data to the fileThe right of defense and the protection of personal data must be balanced.
Sharing the data with third partiesIt must be assessed in terms of authority, purpose, and necessary scope.
Retaining the dataThe necessary retention period and security measures must be observed.

This table shows that a separate assessment must be made in each specific case. The same data may be used lawfully in one file while qualifying as unlawfully obtained evidence in another situation.

The field of personal data protection is not limited to administrative sanctions. The Turkish Criminal Code (Türk Ceza Kanunu) contains provisions that may give rise to criminal liability for acts such as the unlawful recording, disclosure, dissemination, or failure to destroy personal data. For this reason, the topic of KVKK-related offences requires particular attention from individuals, institutions, and members of the profession alike.

In assessing criminal liability, factors such as the nature of the data, the method by which it was obtained, the purpose of sharing, the scope of sharing, and the perpetrator’s intent become important. The risk may be higher particularly in relation to special categories of personal data. Health information, data on criminal convictions, biometric data, and information relating to private life must be handled carefully within this framework.

To reduce criminal risks in legal practice:

  • Personal data within the case file should be shared only with the necessary persons,
  • Appropriate security measures should be taken for documents stored electronically,
  • The manner in which documents received from the client or third parties were obtained should be questioned,
  • In submitting evidence, a proportionality assessment should be made with respect to the parts containing personal data,
  • Unnecessary data duplication and archiving habits should be avoided.

These measures form part of both the professional duty of care and compliance with personal data protection law.

What Does This Mean in Practice?

The fact that the Sinop Bar Association addresses KVKK practice, representation of data subjects, the lawyer’s role in personal data protection requests, lawful data processing, unlawfully obtained evidence, and KVKK-related offences within the same program reveals the multifaceted nature of the subject. The protection of personal data should now be evaluated not only together with compliance policies, but also together with litigation strategy and professional responsibility.

The main practical takeaways are as follows:

  • Lawyers should take both KVKK principles and professional rules into account in personal data processing processes.
  • Data subject applications may not produce effective results if they are not prepared within the correct legal framework.
  • Personal data qualifying as evidence should be separately assessed in terms of lawful acquisition and proportionate use.
  • Violations in the field of the KVKK may give rise not only to administrative liability, but also, in some cases, to criminal liability.
  • Data security, file management, and archiving processes should be addressed systematically in legal practice.

Share

Need legal advice on this topic?

Our expert team is here to help with your legal questions.

Contact Us

Related Articles

Data Protection

Publicly Available Personal Data in Light of the Turkish Constitutional Court: Can It Be Processed for Any Purpose?

Personal data may be processed only where explicit consent or a ground for lawfulness prescribed by law exists. Under Article 5/2-d of the Personal Data Protection Law No. 6698 (KVKK), publicly available data does not give the data controller an unlimited scope of use; the purpose of making the data public and the principle of proportionality are decisive.

Data Protection

Biometric Data Cannot Be Used for Employee Time Tracking: the Personal Data Protection Board’s (KVK Kurulu) Principle Decision No. 2026/921

The Personal Data Protection Board’s (KVK Kurulu) Principle Decision No. 2026/921, published in the Official Gazette dated 02.06.2026, clearly establishes that biometric data should not be used for employee time tracking. For employers, this decision requires a reassessment of KVKK compliance processes concerning attendance monitoring through fingerprint, facial recognition, and similar systems.

Data Protection

Privacy Notices and Explicit Consent Texts Must Not Be Combined: What Does the Board’s Principle Decision Mean?

The Personal Data Protection Board (KVK Kurulu) has turned its individual decisions on violations arising from data controllers preparing privacy notices together with explicit consent texts into a principle decision. This decision shows that the obligation to inform and explicit consent must not be merged into the same text, and that data controllers need to review their compliance processes.