Personal data protection law is no longer an area limited solely to companies’ compliance obligations; it has a broad sphere of influence, extending from legal practice to criminal proceedings, employment relationships, and the assessment of evidence. The KVKK seminar to be held by the Sinop Bar Association on Friday, 31 October at 14:00 at the Sabahattin Ali Cultural Center is important in that it addresses this wide field of application from a professional perspective.
The seminar program includes the topics of KVKK practice, representation of data subjects, the lawyer’s role in personal data protection requests, lawful data processing, unlawfully obtained evidence, and KVKK-related offences. These topics are current and have practical consequences both for data controllers and for lawyers representing individuals in legal remedies and rights-enforcement processes.
Why Is KVKK Practice at the Center of Legal Practice?
Law No. 6698 on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu) (KVKK) regulates the basic principles concerning the processing of personal data, the obligations of data controllers, and the rights of data subjects. The Law is not merely a technical compliance instrument; it is also a legal framework that serves the protection of fundamental rights and freedoms.
The processing of personal data is inevitable in the legal profession. Client information, opposing party data, case files, medical reports, payroll records, communication records, and documents qualifying as evidence may be evaluated within this scope. For this reason, when processing personal data, lawyers must observe both professional secrecy and the duty of confidentiality, as well as the principles of the KVKK.
The key principles that stand out in KVKK practice are as follows:
- Processing in accordance with the law and the rules of good faith,
- Processing for specific, explicit, and legitimate purposes,
- Being relevant, limited, and proportionate to the purposes for which they are processed,
- Being accurate and, where necessary, up to date,
- Being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
These principles must be taken into account at every stage of legal practice, from file management to electronic communications, and from archiving to sharing information with third parties.
Representation of Data Subjects and the Lawyer’s Role in Application Processes
Under the KVKK, a natural person whose personal data is processed is defined as the data subject. The data subject has rights such as learning whether their data has been processed, requesting information if it has been processed, learning whether the data has been used in accordance with its purpose, and requesting its deletion, destruction, or rectification where the conditions are met.
The exercise of these rights often requires technical and legal assessment. For this reason, representation of data subjects is one of the lawyer’s most important roles in the field of personal data protection. In the application process, the lawyer ensures that the request is directed to the correct addressee, that the demand is clear and legally grounded, and that action is taken in compliance with the applicable time limits.
The main points that a lawyer should consider within the scope of representing a data subject are as follows:
- Determining which data controller the application should be addressed to,
- Clearly stating which data subject right the request is based on,
- Properly demonstrating the power of attorney and authority to represent,
- Formulating the personal data request in a proportionate and purpose-appropriate manner,
- Assessing the legal route to be followed if no response is given or if an insufficient response is provided.
Applications made with incomplete or generic statements in these processes may make it difficult to exercise the right effectively. Therefore, the lawyer’s role in personal data protection request processes is not merely one of representation; it also involves strategic legal assessment.
The Fine Line Between Lawful Data Processing and Unlawfully Obtained Evidence
There is a delicate balance between personal data protection law and the use of evidence in proceedings. The fact that a piece of information is important for resolving a dispute does not always mean that it was obtained lawfully or may be used lawfully. In particular, the rights to privacy, confidentiality of communications, and protection of personal data may be decisive in this assessment.
As a rule, for data processing to be lawful, one of the conditions stipulated in the relevant legislation must exist. Grounds such as explicit consent, express provision by law, necessity for the establishment or performance of a contract, fulfillment of a legal obligation, or the establishment, exercise, or protection of a right frequently arise in practice.
By contrast, obtaining or sharing personal data by unlawful means may make the admissibility of the evidence in proceedings controversial. In criminal proceedings in particular, the prohibition on unlawfully obtained evidence applies; in civil proceedings, the assessment is made within the framework of the rule of good faith and equity.
For lawyers, therefore, the following distinction is of critical importance:
| Issue | Legal Assessment |
|---|---|
| Obtaining the data | It must comply with the legislation, the purpose, and proportionality. |
| Submitting the data to the file | The right of defense and the protection of personal data must be balanced. |
| Sharing the data with third parties | It must be assessed in terms of authority, purpose, and necessary scope. |
| Retaining the data | The necessary retention period and security measures must be observed. |
This table shows that a separate assessment must be made in each specific case. The same data may be used lawfully in one file while qualifying as unlawfully obtained evidence in another situation.
KVKK-Related Offences and the Criminal Liability Dimension
The field of personal data protection is not limited to administrative sanctions. The Turkish Criminal Code (Türk Ceza Kanunu) contains provisions that may give rise to criminal liability for acts such as the unlawful recording, disclosure, dissemination, or failure to destroy personal data. For this reason, the topic of KVKK-related offences requires particular attention from individuals, institutions, and members of the profession alike.
In assessing criminal liability, factors such as the nature of the data, the method by which it was obtained, the purpose of sharing, the scope of sharing, and the perpetrator’s intent become important. The risk may be higher particularly in relation to special categories of personal data. Health information, data on criminal convictions, biometric data, and information relating to private life must be handled carefully within this framework.
To reduce criminal risks in legal practice:
- Personal data within the case file should be shared only with the necessary persons,
- Appropriate security measures should be taken for documents stored electronically,
- The manner in which documents received from the client or third parties were obtained should be questioned,
- In submitting evidence, a proportionality assessment should be made with respect to the parts containing personal data,
- Unnecessary data duplication and archiving habits should be avoided.
These measures form part of both the professional duty of care and compliance with personal data protection law.
What Does This Mean in Practice?
The fact that the Sinop Bar Association addresses KVKK practice, representation of data subjects, the lawyer’s role in personal data protection requests, lawful data processing, unlawfully obtained evidence, and KVKK-related offences within the same program reveals the multifaceted nature of the subject. The protection of personal data should now be evaluated not only together with compliance policies, but also together with litigation strategy and professional responsibility.
The main practical takeaways are as follows:
- Lawyers should take both KVKK principles and professional rules into account in personal data processing processes.
- Data subject applications may not produce effective results if they are not prepared within the correct legal framework.
- Personal data qualifying as evidence should be separately assessed in terms of lawful acquisition and proportionate use.
- Violations in the field of the KVKK may give rise not only to administrative liability, but also, in some cases, to criminal liability.
- Data security, file management, and archiving processes should be addressed systematically in legal practice.