Founder
February 28, 2026
24 min read
The technological possibilities brought by the digital age have transformed educational processes while giving rise to a new generation of violations that strain the traditional codes of the legal system. This report examines the scenario in which a secondary-school student, without authorisation, takes photographs of teachers from the school’s official website, uses Deepfake (deep synthesis) technology to turn them into inappropriate, obscene or reputation-damaging images, and shares this content on digital platforms outside the school.
The report treats the subject not as mere “student mischief” but as a multi-layered legal case. The analysis is built on three main pillars: (1) Administrative Law and the Discipline Regime—the impact of the student’s off-campus conduct on school order and the limits of disciplinary authority; (2) Criminal Law—the multiple offence structure under the Turkish Criminal Code (TCK) and the status of a child drawn into crime (SSÇ); (3) Personal Data Protection Law (KVKK)—biometric data security and the liability of the school administration arising from “service fault.”
The case analysis concludes that, although the act was committed off school premises, the school’s disciplinary authority is full because the conduct directly targets the delivery of the education service and the reputation of a public official; that the conduct presents a structure aggravated under the TCK rules on cumulative offences; and that, most critically, the school administration has been at fault as “data controller” by publishing teachers’ photographs without the necessary cybersecurity measures.
Understanding the nature of the technology used as the instrument of the offence is essential to grounding the legal analysis. Deepfake is derived from the combination of “deep learning” and “fake” and uses an artificial intelligence architecture called Generative Adversarial Networks (GAN). This technology analyses the face, gestures and expressions of a person in an existing image or video and integrates the target person’s face onto another body or situation.
The origins of Deepfake technology date back to 1997, when researchers in computer graphics developed a system capable of generating facial animation from audio output. In 2001 significant progress was made in face matching and tracking, and the use of statistical models for matching shapes and images became widespread. By 2016–2017, deepfake content could be produced on consumer-level computers, and the accessibility of the technology increased.
The deepfake creation process essentially consists of three stages: In the first stage, a large dataset is collected from images and video recordings of the target person. In the second stage, artificial neural networks are trained on the collected data. During this training, face recognition technology is used to identify basic facial features (eyes, nose, mouth) and a three-dimensional model is created using facial mapping. In the final stage, the algorithm uses this model to generate realistic images or videos that mimic the target person’s movements. The most widely used methods for creating deepfakes today are autoencoder-based systems and generative adversarial networks (GAN), which can analyse image sets and produce new images of similar quality.
In our case, the student’s conduct legally differs from a simple “Photoshop” montage. In traditional montages the forgery can be detected with the naked eye, whereas Deepfake technology is built on “persuasiveness.” This increases the scale of the effect (harm) damaging the victim teacher’s reputation and deepens the mental element (intent) of the offence under the TCK. Moreover, producing a Deepfake requires extraction of the target person’s facial biometrics (facial map), which places the conduct directly in the Biometric Data Processing category and triggers a KVKK violation.
The use of deepfake technology in the education environment poses a serious problem, especially in the context of cyberbullying. According to research, in 2019 roughly 96% of deepfake content on the internet was obscene. As of 2023, the purposes for which the technology is used have diversified; its use for revenge, hatred, reputation damage and cyberbullying has increased significantly. Students in educational institutions producing inappropriate content by manipulating teachers’ images is one of the most serious examples of this technology’s use in the education environment.
Explore a comprehensive guide on data privacy, algorithmic bias, and institutional responsibilities regarding AI use in Turkish education, highly relevant to deepfake discussions.
The scenario under review involves three main legal subjects and conflicting rights:
Perpetrator (Student): Having overstepped the bounds of freedom of expression, used the technology as a tool of “cyberbullying” and “digital violence.” As a minor, must be assessed under the Child Protection Law (ÇKK).
Victim (Teacher): Rights to privacy, protection of honour and dignity, and protection of personal data have been violated. Being a public official at the same time alters the nature of the offence.
Administration (School Management): Is both the body conducting the disciplinary investigation and the party that failed to ensure data security (with a suspicion of service fault).
The Legal Framework for Distance Education in Turkish LawPublicationsNovember 27, 2025👤Sercan Koç
The main doubt school managements face in such cases is that the conduct occurred “outside school hours” and “outside school premises” (at home, on a personal computer). The settled case law of administrative law and legislative provisions resolve this doubt through the theory of “Continuity of the Education Service and School Order.”
Whereas the traditional understanding of discipline law treated the school walls as the limit of authority, with digitalisation Danıştay and the administrative courts have adopted the “sphere of impact” criterion.
For conduct to be subject to disciplinary sanction it need not have been committed on school premises; it is enough that its consequences impair school order, the peace of education or the teacher–student relationship. According to the settled decisions of the 8th Chamber of the Danıştay, if posts on social media target school staff or damage the institution’s corporate identity, the administration’s disciplinary authority arises.
In our case, the content produced by the student undermines the teachers’ authority and humiliates them in the eyes of students. Because the spread of these images among other students would make discipline in the classroom impossible, there is a direct and strong causal link between the conduct and the disruption of school order.
Legislation has brought ICT-related offences under the discipline provisions and expressly confers the corresponding authority on the school administration. Article 164 of the Secondary Education Institutions Regulation (or its current equivalent in the prevailing classification) classifies disciplinary offences by severity.
The student’s conduct falls within the category of acts requiring the strictest sanctions under the regulation:
The regulation assigns the following sanctions to such conduct: Insulting or behaving disrespectfully towards managers and teachers by means of ICT (Article 164/2-k, amended paragraphs) entails short-term removal from school. Creating or disseminating via ICT or social media content that is contrary to morality or promotes violence (Article 164/2-ç, Amended: RG-1/7/2015-29403) entails exclusion from formal education; sharing persons’ photographs or videos without their consent (Article 158/l) entails school transfer.
Because the “creating inappropriate imagery with Deepfake” conduct in the case directly falls under “creating and disseminating content contrary to morality,” the primary sanction the school administration must apply is “Exclusion from formal education.” This results not only in the student’s removal from that school but in removal from the formal education system and referral to the Open Education High School (Açık Öğretim Lisesi).
When reviewing disciplinary sanctions, administrative courts look at procedure before substance. In a complex case such as Deepfake, the school management must fully complete the following steps:
Evidence identification and record: From the moment the incident is learned of, the existence of the content must be recorded in a formal report. However, if the content is “obscene” (child pornography etc.), the school administration must not keep these images on their personal phones; the URLs of the images must be entered in the record, and where possible recourse should be had to notarially certified E-Tespit rather than screenshots.
Appointment of investigator (muhakkik): The school principal must appoint a deputy principal or teacher as “muhakkik” to examine the matter with an impartial eye.
Exercise of the right of defence: Under Article 129 of the Constitution, no disciplinary sanction may be imposed without hearing the defence. The offence alleged against the student (Deepfake production and dissemination) must be set out in clear terms, and at least 7 days must be given for the preparation of the defence.
Psychological assessment (guidance report): Under the regulation, before the discipline board convenes, a report must obligatorily be obtained from the School Guidance Service on the student’s general situation and the reasons that led to the offence. Absence of this report is a ground for annulment before the courts.
Board decision and approval: The “exclusion from formal education” sanction is proposed by the School Student Awards and Discipline Board, but the decision becomes final upon approval by the Provincial/District Student Discipline Board. The school principal alone cannot impose this sanction.
Follow industry developments from Genesis Hukuk and receive priority information on industry analyses from expert attorneys in the education sector.
While the school discipline process is an administrative sanction, the gravity of the conduct makes the intervention of the judicial authorities (the Public Prosecutor’s Office) necessary. Under Article 279 TCK, school administrators as public officials are obliged to report offences they learn of in the course of their duties. Failure to report is itself an offence on the part of the administrator.
The perpetrator’s conduct gives rise to concurrence of offences in the TCK scheme—several offences committed by a single act (Fikri İçtima—Art. 44 TCK).
According to the settled case law of the 12th Criminal Chamber of the Court of Cassation (Yargıtay), recording a person’s image without their consent or using it after alteration by technological means (Deepfake) constitutes the offence of violation of privacy.
“Fake” defence: The student’s defence that “this image is not real, it’s obviously a montage” is legally invalid. The Court of Cassation treats within this scope even fabricated images that intrude into the person’s private sphere and show them in an undesired situation.
Aggravated form (TCK 134/2): Publication (disclosure) of the images on the internet requires aggravation of the penalty compared to the basic form. The penalty is 2 to 5 years’ imprisonment.
Teachers’ facial photographs are biometric data that identify them.
Formation of the offence: The student’s downloading these photographs from the school website (even if access was lawful), processing this data for a different purpose (other than the purpose of data processing) and disseminating it by turning it into a Deepfake video constitutes the offence of “unlawful dissemination of data” under TCK 136.
Court of Cassation approach: Using photographs shared publicly on social media (Facebook, Instagram, etc.) without the data subject’s consent and using them on another medium is held to be an offence. “Public access” on the school site does not give the student a right to “process and manipulate.”
The most serious aspect of the case is that the images produced are “inappropriate.” If this inappropriateness is of a pornographic nature, TCK 226 applies.
Fabricated obscenity: TCK 226 punishes not only real images but obscene products produced by “text, sound or image.” Deepfake pornography falls under this article.
Use of children (TCK 226/3): If the student has superimposed the teacher’s face onto a child’s body in the video or other students appear in the video, the offence is transformed into “producing obscene products using children.” The penalty for this offence is 5 to 10 years’ imprisonment; it is not subject to complaint and is not within the scope of reconciliation.
Even if the images are not obscene, if they show the teacher in a ridiculous, degrading or humiliating situation (e.g. drunk, committing a crime, etc.), the offence of “insult by means of an image” is committed.
Offence against public official: Because the victim is a teacher, the offence is deemed to have been committed “against a public official on account of his or her duties” under TCK 125/3-a. In that case the offence ceases to be subject to complaint and the prosecutor’s office investigates ex officio.
Public nature: Dissemination over the internet under TCK 125/4 fulfils the “public nature” element and the penalty is increased by one sixth.
One of the most serious forms of use of deepfake technology in the education environment is the use of obscene content as a tool of threat and blackmail. If the student uses obscene deepfake content produced with the teacher’s image for the purpose of threatening or blackmailing the teacher, the offence of threat under Article 106 TCK or of blackmail under Article 107 TCK is committed.
Obscene deepfake content is often used in the education environment to manipulate the teacher–student relationship, to force the teacher to remain silent or to exhibit certain behaviour. In that case the obscene nature of the content is treated as an aggravating element of the threat or blackmail.
Deepfake technology can also be used in the education environment for students to falsely accuse teachers of offences. If the student, by manipulating the teacher’s image, produces fake videos showing the teacher committing an offence and submits them to the competent authorities, the offence of defamation under Article 267/2 TCK or the act of fabrication of offence under Article 271 TCK is committed.
In such cases, because of the realism of deepfake content, the risk of misleading the investigation authorities is high. The student’s fabricating evidence or traces of an offence that was not committed so as to trigger an investigation constitutes the act of fabrication of offence.
Gaining unauthorised access to educational institutions’ information systems to obtain teachers’ photographs, or damaging those systems so as to steal data, constitutes the offences of “unauthorised access to an information system” under Article 243 TCK and “damaging an information system” under Article 244 TCK.
Typical examples are the student’s unauthorised access to the school’s information system and stealing teachers’ photographs or destroying data in the system. Obtaining the data needed for Deepfake production by such means may be treated as an aggravating circumstance.
Where Deepfake technology is used for criminal purposes, the manufacture, import, dispatch, transport, acceptance, storage, sale, offering for sale, purchase, transfer to others or possession of software containing this technology constitutes the offence of “possession of prohibited programs” under Article 245/A TCK.
In the education environment, the student’s possessing or using such software for the purpose of producing deepfakes falls within this offence. In particular, use of the technology for producing obscene content or for threat/blackmail suffices for the offence to be committed.
Offences committed through the use of deepfake in the education environment generally result in several offences being committed by a single act. Under the Fikri İçtima rule (Article 44 TCK), if the perpetrator by a single act causes several different offences to be committed, he or she is punished for the offence carrying the most severe penalty.
For example, if the student produces obscene deepfake using the teacher’s image and uses it as a tool of threat, both the offence of obscenity (TCK Art. 226) and the offence of threat (TCK Art. 106) are committed. In that case the Fikri İçtima rule is applied and the perpetrator is punished for the offence carrying the most severe penalty.
Where the same offence is committed more than once against the same person at different times, the repeated offence provisions (Article 43/1 TCK) apply. Offences one of which constitutes an element or aggravating circumstance of the other and which are therefore deemed a single act are composite offences (Article 42 TCK). In such offences the concurrence provisions are not applied.
A secondary-school student (age group 15–18) is subject to the provisions of the Child Protection Law (ÇKK) No. 5395.
Procedure of investigation: The taking of statements is done only by the public prosecutor in person; the police may not take statements.
Social inquiry report (SİR): At the trial stage, a social inquiry report analysing the child’s family structure and the reasons that led to the offence must be obtained.
Reduction for minority: Under Article 31/3 TCK, a one-third reduction in the penalty is applied for children in the 15–18 age group.
Deferral of announcement of judgment (HAGB): If the student has no criminal record and the penalty (after reductions) falls below 2 years, the court may give an HAGB decision and place the child under supervised release.
Dive deeper into managing special categories of personal data in Turkish schools, covering risks, security, and compliance strategies under KVKK, directly relevant to biometric data issues.
The dimension of the case that is often overlooked but directly subjects the school management to financial and legal liability is the violations of the Personal Data Protection Law (KVKK) No. 6698. Here it is not only the student but the school management too that is in the dock.
Article 6 of the KVKK defines biometric data as “personal data of a special nature.” Although a passport-style photograph alone may not be treated as biometric data, the Personal Data Protection Board’s decision No. 2020/167 (Sports Hall Entries and Exits) is of precedential value. The Board accepts that technical processing of data for authentication or unique identification purposes constitutes processing of biometric data.
Deepfake technology analyses the face in the photograph (facial mapping) and extracts unique data such as inter-pupillary distance and nose structure. Therefore, use of the photograph on the school site for Deepfake purposes is an activity of processing biometric data. The school management is the party supplying this data as “raw material.”
In the use of Deepfake technology, persons’ voices and images are not used directly; only the data derived from them for facial mapping are used. That the biometric data used in facial mapping are of a personal data nature is beyond dispute. However, when assessing whether each deepfake content produced using these data constitutes personal data, it must be considered whether the content contains information relating to an identified or identifiable natural person.
In the education context, although the teachers’ photographs published on the school website are disclosed data, use of these data to create deepfake is contrary to the data subject’s (teacher’s) will as to disclosure. The teacher, in consenting to publication of their photograph on the website, could not have foreseen that the image would be manipulated to produce inappropriate content. This is contrary to the “purpose limitation” principle laid down in Article 5 KVKK.
The school management is “data controller” within the meaning of the KVKK. Article 12 of the Law imposes on the data controller the obligation to take all technical and organisational measures “to prevent personal data from being processed unlawfully” and “to prevent unlawful access to data.”
The administration’s faults in the case analysis:
Breach of the proportionality principle (KVKK Art. 4): Is publication of teachers’ photographs on the website “necessary”? While the teacher’s name on the site is sufficient for parent information, open publication of the facial photograph (and in quality suitable for Deepfake) is contrary to the “data minimisation” principle.
Insufficiency of technical measures: The school management did not take measures to prevent downloading of the photographs (right-click disable, transparent overlay) or to make manipulation harder (watermark, low resolution).
Issue of explicit consent: Was “informed explicit consent” obtained from the teachers for publication of their photographs on the website? In MEB schools this consent is usually obtained by standard forms, but the consent text does not include the phrase “security of your photograph may not be guaranteed,” which may vitiate the consent.
Conclusion: The school management has violated Article 12 KVKK by failing to take the necessary cybersecurity measures and by making disproportionate data disclosure. Although the Board cannot impose an administrative fine on the school (or the Ministry to which it is attached) because it is a public body, it notifies the relevant unit for the application of disciplinary provisions and makes the situation public.
For compensation of the harm to the victim teachers, our legal system provides two channels: a full jurisdiction claim against the administration and a compensation claim against the student/parents.
Under the principles of administrative law, the administration (school/MEB) is obliged to protect its personnel and to ensure the security of the service it provides.
Service fault thesis: The victim teachers may argue in a claim before the Administrative Court: “The administration, by putting my photograph on the internet without protection, provided the technological infrastructure for this attack. If the administration had placed my photograph only on a password-protected parent panel or had not placed it at all, the student would not have been able to access this data.”
Danıştay approach: The Danıştay holds the administration at fault for harm arising from security vulnerabilities in the administration’s information systems. In that case the court may order the administration to pay moral compensation to the teacher. The administration subsequently recovers the compensation paid from the at-fault student’s parents or from the negligent school principal.
Teachers may bring a tort compensation claim against the student and parents before the Civil Court of First Instance.
Liability of the head of household (TMK Art. 369): Under the Turkish Civil Code (TMK), the head of the family (parent) is liable for harm caused by the minor. If the parent cannot prove that they fulfilled the “duty of supervision” (which is very difficult where the offence was committed from a home computer), they are held liable for compensation.
Amount of compensation: The court determines moral compensation taking into account the speed of spread of the incident, the teacher’s standing in society, the distress suffered and the nature of the images (the amount increases if they are obscene).
The economic gains obtained by the student in the course of producing and disseminating deepfake content must also be considered within the scope of compensation. If the student has obtained advertising revenue or increased follower count by sharing the deepfake content they produced on social media platforms (YouTube, TikTok, Instagram, etc.), the transfer of these gains to the victim teacher comes into question.
The provisions on negotiorum gestio in Article 530 of the Turkish Code of Obligations (TBK) find application here. There is no contractual link between the student and the teacher, nor did the student intend to perform a legal act in the teacher’s name and for their benefit. On the contrary, the student acted without the teacher’s knowledge and consent and to the teacher’s detriment. Therefore the economic gains obtained by the student as a result of their conduct (e.g. advertising revenue from the published content, increase in follower count, platform payments, etc.) must be transferred to the teacher.
This is assessed within the concept of “unauthorised negotiorum gestio”: the student used, without the teacher’s consent, gains obtained by violating the teacher’s personality rights. The court may request information from the platform providers for the identification and transfer of these gains and may examine the student’s financial records.
While legal proceedings continue, the most urgent action is to remove the images from the internet. Law No. 5651 provides rapid mechanisms in this regard.
Because deepfake content is of the nature of “violation of personality rights,” victim teachers may apply directly to the Criminal Court of Peace (Sulh Ceza Hakimliği).
Speed: The court rules on the application within 24 hours at most, without a hearing.
Implementation: The decision is sent to the Access Providers Association (ESB) and access is blocked within 4 hours. If the content is on a social media platform (X, Instagram), the court decision is also served on those platforms.
Digital content can be deleted instantly. Simple screenshots taken by the school management or the teacher may be rejected as evidence in court on the ground that they are “manipulable.”
Therefore before the content is deleted, the existence of the content at the relevant URL must be turned into legally valid evidence with a timestamp using the “E-Tespit” service of the Union of Notaries of Turkey.
The use of Deepfake technology as evidence in discipline procedures in educational institutions carries serious risks. Deepfake content prepared so well that it cannot be distinguished from the real thing may be used as misleading evidence in the school administration’s discipline decisions or in the investigations of the judicial authorities. In educational institutions there is a risk that students produce deepfake content to falsely accuse teachers of offences or to manipulate discipline procedures and present it as evidence.
Against these risks, school administrations must exercise care in evidence-gathering. Although deepfake detection tools (Sensity AI, Deepware, etc.) exist, they are not of a professional nature and do not always yield reliable results, so educational institutions must show extra diligence in evidence-gathering. In particular, verification of the authenticity of image or video evidence presented to discipline boards has become even more important with the spread of deepfake technology.
Even after time has passed since the incident, applications should be made to search engines (Google, Yandex) for cleaning of indexes within the scope of the right to be forgotten, so that when the teacher’s name is searched these reports or images do not appear.
This case is a hybrid scenario in which technology advances faster than the law but the basic principles of law (fault, harm, causation) still apply. The secondary-school student’s conduct is a serious offence: in discipline law it triggers “expulsion from school,” in criminal law imprisonment (with the age reduction), and in private law substantial compensation. The most important finding, however, is that the school management’s “digital negligence” also gives rise to legal liability in this process.
Roadmap for institutions:
Website management: Teachers’ photographs should be removed from the public area; only a name list or institutional contact information should remain. If photographs are to be published, technical measures to prevent downloading (right-click disable, transparent layer) and measures to make manipulation harder (watermark, low resolution) should be taken. Legal basis: KVKK Art. 4 (proportionality principle), KVKK Art. 12 (technical measures).
Crisis management: E-Tespit should be carried out at the time of the incident; content should be stored in a secure digital environment, not on administrators’ phones. Deepfake detection tools (Sensity AI, Deepware, etc.) may be used, but it should be borne in mind that these tools are not of a professional nature and may not always give reliable results. Legal basis: TCK Art. 226 (instrument of offence).
Platform cooperation: Where obscene or reputation-damaging deepfake content is disseminated on social media platforms (YouTube, TikTok, Instagram, X/Twitter), the platform providers should be approached for removal of the content. Applications may also be made to search engines such as Google and Microsoft for removal of obscene content from search results. Legal basis: Law No. 5651, Arts. 6, 8, 8A.
Evidence verification: The authenticity of image or video evidence presented in discipline procedures must be verified. In view of the spread of deepfake technology, the risk of students producing deepfake content to falsely accuse teachers of offences should be taken into account. Legal basis: Criminal procedure law—principle of free evaluation of evidence.
Discipline procedure: The "off school premises" defence should not be relied on; with reference to Danıştay decisions, action should be taken on the ground of "disruption of institutional order." Legal basis: MEB Secondary Ed. Reg., Article 164.
Education: Mandatory seminars on "Digital Footprint" and "Legal Consequences of Cyberbullying" should be given to students. Information should be provided on the legal consequences of deepfake technology and the criminal sanctions for its use in the education environment. Legal basis: Preventive law.
In conclusion, school management must not forget that it may be not only in the position of “judge” imposing disciplinary sanction but also in the position of “defendant” that failed to protect data. The fight against Deepfake begins not with punishing the student but with protecting the data (the photograph) at source.
Get legal guidance on education law and digital risks. Genesis Hukuk
