Back to Articles
Data Protection··7 min read

Publicly Available Personal Data in Light of the Turkish Constitutional Court: Can It Be Processed for Any Purpose?

Personal data may be processed only where explicit consent or a ground for lawfulness prescribed by law exists. Under Article 5/2-d of the Personal Data Protection Law No. 6698 (KVKK), publicly available data does not give the data controller an unlimited scope of use; the purpose of making the data public and the principle of proportionality are decisive.

The basic rule in personal data law is clear: personal data may not be processed unless there is explicit consent or a ground for lawfulness prescribed by law. In practice, the following question frequently arises in relation to data that has become public: if a person has made their data publicly available, can that data then be used freely for any purpose?

When the systematic structure of the Personal Data Protection Law No. 6698 (KVKK) and the Turkish Constitutional Court’s (Anayasa Mahkemesi) approach to the right to the protection of personal data are considered together, the answer to this question is no. The fact that a piece of data is public does not mean that it has completely lost its legal protection; it may only create a legal basis under which explicit consent may not be separately required for a data processing activity, subject to certain conditions.

What Does Article 5/2-d of the KVKK Say About Publicly Available Data?

Article 5 of the Personal Data Protection Law No. 6698 regulates the conditions for the processing of personal data. As a rule, personal data may not be processed without the explicit consent of the data subject. However, the same article also sets out certain exceptional grounds for lawfulness.

One of these grounds is the case of making data public, regulated under subparagraph d of paragraph 2 of Article 5 of the Law:

It has been made public by the data subject themselves.

This provision allows personal data that the data subject has made publicly available of their own volition to be processed under certain conditions. However, the critical point here is the relationship between the scope of making the data public and the purpose of processing.

The fact that a person makes their telephone number, email address, professional title or photograph visible on a particular platform does not mean that such data may be used in every context and for every purpose. Making data public must be assessed by taking into account the purpose for which, and the audience to which, the data subject has disclosed the data.

Making Data Public Does Not Grant Unlimited Processing Authority

Under personal data protection law, data processing activities do not become lawful merely because they are based on a ground for lawfulness. They must also comply with the general principles set out in Article 4 of the Law.

These principles are particularly important in relation to publicly available data:

  • Compliance with the law and the rules of good faith,
  • Processing for specified, explicit and legitimate purposes,
  • Being relevant, limited and proportionate to the purposes for which they are processed,
  • Being accurate and, where necessary, up to date,
  • Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Accordingly, even if data is public, the data controller may not collect, classify, transfer to third parties or use that data for different commercial purposes as it wishes. The principles of purpose limitation and proportionality define the boundaries of processing publicly available data.

The Constitutional Court’s Approach: Protection of Personal Data Is a Constitutional Right

The protection of personal data is assessed not only within the scope of the KVKK, but also within the framework of fundamental rights guaranteed under the Constitution. Under the relevant provisions of the Constitution, everyone has the right to request the protection of personal data concerning themselves.

The key approach that stands out in the Turkish Constitutional Court’s assessments regarding personal data is that it is not sufficient for a data processing activity merely to have a formal legal basis. The interference must be based on a legitimate aim, be necessary and remain proportionate.

In this respect, the concept of publicly available data must also be interpreted narrowly and in a purpose-bound manner. The fact that the data subject makes a piece of data visible cannot be interpreted as a complete waiver of the right to privacy and the protection of personal data. In particular, using the data for another purpose by detaching it from the context in which it was made public may give rise to a debate on lawfulness.

The condition for processing publicly available data and explicit consent should not be confused with one another. Explicit consent is consent relating to a specific matter, based on information and expressed through free will. Making data public, on the other hand, is the data subject making their data publicly available through their own conduct.

There are important differences between these two legal bases:

CriterionExplicit ConsentMaking Data Public
Legal basisThe data subject’s explicit declaration of willThe data subject themselves making the data public
ScopeLimited to the subject matter and purpose specified in the consentLimited to the purpose of making the data public
WithdrawalMay be withdrawn at any timeThe effect of publicity is assessed according to the specific case
RiskThe validity of the consent may be disputedExceeding the purpose may result in unlawfulness

For this reason, data controllers should not content themselves with the defence that the data ‘was already publicly available’ when processing data on the basis of its public availability. The purpose for which the data was made public and whether the current processing activity is compatible with that purpose must also be examined separately.

Practical Checklist for Data Controllers

If the processing of publicly available personal data is planned, data controllers must conduct a careful assessment in each specific case. The risk is higher in particular for activities such as commercial communication, marketing, profiling, creating databases or transferring data to third parties.

In practice, it is important to answer the following questions:

  1. Was the data actually made public by the data subject?
  2. For what purpose and in what medium was the data made publicly available?
  3. Is the planned processing activity compatible with that purpose?
  4. Is the data to be processed necessary and proportionate for the purpose?
  5. Have the obligation to inform and other KVKK obligations been fulfilled?
  6. If the data is to be transferred, is there also a legal basis for such transfer?

The answers to these questions play a critical role in determining whether a processing activity carried out on the basis of publicly available data is lawful.

What Does This Mean in Practice?

Publicly available personal data is not entirely unprotected under the KVKK. The fact that data is visible does not make it processable without limit; the legal basis, purpose and proportionality must be assessed together.

  • Publicly available data may be processed only in a manner compatible with the purpose for which it was made public.
  • If there is no explicit consent, one of the grounds for lawfulness set out in Article 5 of the KVKK must exist.
  • Article 5/2-d of the KVKK does not grant the data controller unlimited authority of use.
  • The Constitutional Court’s approach addresses the protection of personal data from the perspective of a constitutional right.
  • Data controllers must assess publicly available data processing in terms of purpose, proportionality and the obligation to inform.

Share

Need legal advice on this topic?

Our expert team is here to help with your legal questions.

Contact Us

Related Articles

Data Protection

Biometric Data Cannot Be Used for Employee Time Tracking: the Personal Data Protection Board’s (KVK Kurulu) Principle Decision No. 2026/921

The Personal Data Protection Board’s (KVK Kurulu) Principle Decision No. 2026/921, published in the Official Gazette dated 02.06.2026, clearly establishes that biometric data should not be used for employee time tracking. For employers, this decision requires a reassessment of KVKK compliance processes concerning attendance monitoring through fingerprint, facial recognition, and similar systems.

Data Protection

Privacy Notices and Explicit Consent Texts Must Not Be Combined: What Does the Board’s Principle Decision Mean?

The Personal Data Protection Board (KVK Kurulu) has turned its individual decisions on violations arising from data controllers preparing privacy notices together with explicit consent texts into a principle decision. This decision shows that the obligation to inform and explicit consent must not be merged into the same text, and that data controllers need to review their compliance processes.

Data Protection

KVKK Practice and the Lawyer’s Role: A Legal Assessment of the Sinop Bar Association Seminar

The KVKK seminar to be organized by the Sinop Bar Association addresses the key practical topics in personal data protection law. Issues such as representation of data subjects, lawful data processing, unlawfully obtained evidence, and KVKK-related offences are of particular importance for legal practice.