The basic rule in personal data law is clear: personal data may not be processed unless there is explicit consent or a ground for lawfulness prescribed by law. In practice, the following question frequently arises in relation to data that has become public: if a person has made their data publicly available, can that data then be used freely for any purpose?
When the systematic structure of the Personal Data Protection Law No. 6698 (KVKK) and the Turkish Constitutional Court’s (Anayasa Mahkemesi) approach to the right to the protection of personal data are considered together, the answer to this question is no. The fact that a piece of data is public does not mean that it has completely lost its legal protection; it may only create a legal basis under which explicit consent may not be separately required for a data processing activity, subject to certain conditions.
What Does Article 5/2-d of the KVKK Say About Publicly Available Data?
Article 5 of the Personal Data Protection Law No. 6698 regulates the conditions for the processing of personal data. As a rule, personal data may not be processed without the explicit consent of the data subject. However, the same article also sets out certain exceptional grounds for lawfulness.
One of these grounds is the case of making data public, regulated under subparagraph d of paragraph 2 of Article 5 of the Law:
It has been made public by the data subject themselves.
This provision allows personal data that the data subject has made publicly available of their own volition to be processed under certain conditions. However, the critical point here is the relationship between the scope of making the data public and the purpose of processing.
The fact that a person makes their telephone number, email address, professional title or photograph visible on a particular platform does not mean that such data may be used in every context and for every purpose. Making data public must be assessed by taking into account the purpose for which, and the audience to which, the data subject has disclosed the data.
Making Data Public Does Not Grant Unlimited Processing Authority
Under personal data protection law, data processing activities do not become lawful merely because they are based on a ground for lawfulness. They must also comply with the general principles set out in Article 4 of the Law.
These principles are particularly important in relation to publicly available data:
- Compliance with the law and the rules of good faith,
- Processing for specified, explicit and legitimate purposes,
- Being relevant, limited and proportionate to the purposes for which they are processed,
- Being accurate and, where necessary, up to date,
- Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
Accordingly, even if data is public, the data controller may not collect, classify, transfer to third parties or use that data for different commercial purposes as it wishes. The principles of purpose limitation and proportionality define the boundaries of processing publicly available data.
The Constitutional Court’s Approach: Protection of Personal Data Is a Constitutional Right
The protection of personal data is assessed not only within the scope of the KVKK, but also within the framework of fundamental rights guaranteed under the Constitution. Under the relevant provisions of the Constitution, everyone has the right to request the protection of personal data concerning themselves.
The key approach that stands out in the Turkish Constitutional Court’s assessments regarding personal data is that it is not sufficient for a data processing activity merely to have a formal legal basis. The interference must be based on a legitimate aim, be necessary and remain proportionate.
In this respect, the concept of publicly available data must also be interpreted narrowly and in a purpose-bound manner. The fact that the data subject makes a piece of data visible cannot be interpreted as a complete waiver of the right to privacy and the protection of personal data. In particular, using the data for another purpose by detaching it from the context in which it was made public may give rise to a debate on lawfulness.
The Difference Between Publicly Available Data and Explicit Consent
The condition for processing publicly available data and explicit consent should not be confused with one another. Explicit consent is consent relating to a specific matter, based on information and expressed through free will. Making data public, on the other hand, is the data subject making their data publicly available through their own conduct.
There are important differences between these two legal bases:
| Criterion | Explicit Consent | Making Data Public |
|---|---|---|
| Legal basis | The data subject’s explicit declaration of will | The data subject themselves making the data public |
| Scope | Limited to the subject matter and purpose specified in the consent | Limited to the purpose of making the data public |
| Withdrawal | May be withdrawn at any time | The effect of publicity is assessed according to the specific case |
| Risk | The validity of the consent may be disputed | Exceeding the purpose may result in unlawfulness |
For this reason, data controllers should not content themselves with the defence that the data ‘was already publicly available’ when processing data on the basis of its public availability. The purpose for which the data was made public and whether the current processing activity is compatible with that purpose must also be examined separately.
Practical Checklist for Data Controllers
If the processing of publicly available personal data is planned, data controllers must conduct a careful assessment in each specific case. The risk is higher in particular for activities such as commercial communication, marketing, profiling, creating databases or transferring data to third parties.
In practice, it is important to answer the following questions:
- Was the data actually made public by the data subject?
- For what purpose and in what medium was the data made publicly available?
- Is the planned processing activity compatible with that purpose?
- Is the data to be processed necessary and proportionate for the purpose?
- Have the obligation to inform and other KVKK obligations been fulfilled?
- If the data is to be transferred, is there also a legal basis for such transfer?
The answers to these questions play a critical role in determining whether a processing activity carried out on the basis of publicly available data is lawful.
What Does This Mean in Practice?
Publicly available personal data is not entirely unprotected under the KVKK. The fact that data is visible does not make it processable without limit; the legal basis, purpose and proportionality must be assessed together.
- Publicly available data may be processed only in a manner compatible with the purpose for which it was made public.
- If there is no explicit consent, one of the grounds for lawfulness set out in Article 5 of the KVKK must exist.
- Article 5/2-d of the KVKK does not grant the data controller unlimited authority of use.
- The Constitutional Court’s approach addresses the protection of personal data from the perspective of a constitutional right.
- Data controllers must assess publicly available data processing in terms of purpose, proportionality and the obligation to inform.