Founder
November 27, 2025
The purpose of this report is to comprehensively analyze the legal limits educational institutions in Turkey must adhere to when processing "special categories of personal data" pursuant to the Law No. 6698 on the Protection of Personal Data (KVKK), the risks they may encounter, and the best practices they must adopt. In an era where digitalization has become an integral part of educational processes, schools are collecting and processing an increasing amount of sensitive data regarding students, parents, and staff. Ranging from health records to guidance counselor notes, from biometric data to union memberships, this information carries the potential to cause serious victimization and discrimination if misused or if it falls into the hands of unauthorized persons. Therefore, it is of vital importance for educational institutions, acting as data controllers, to fully understand their legal obligations and to take administrative and technical measures compliant with these obligations, both to protect themselves from legal sanctions and to maintain the trust relationship established with their stakeholders. This report aims to provide a strategic roadmap for educational institutions acting as data controllers by building a bridge between legal legislation, Personal Data Protection Board (Board) decisions, and practical applications.
Law No. 6698 (KVKK) divides personal data into two main categories: general and special. Article 6 of the Law defines special categories of personal data as sensitive information that, if learned, could lead to discrimination against or victimization of the data subject, and determines these data through a method of limited enumeration (numerus clausus). In accordance with this principle, data other than those listed in the law cannot be accepted as special categories of personal data through interpretation.
According to KVKK Article 6, special categories of personal data are:
Race,
Ethnic origin,
Political opinion,
Philosophical belief,
Religion, sect, or other beliefs,
Appearance and dress,
Membership of associations, foundations, or trade unions,
Health,
Sexual life,
Criminal convictions and security measures,
Biometric and genetic data.
Keeping this list limited by law serves not as a "safe harbor" for data controllers, but rather as a "high-risk map" indicating where legal risk is concentrated. If an educational institution's data processing inventory contains data falling into any of these categories, this situation should automatically label the relevant processing activity as "high risk" and mandate the implementation of much stricter security measures. Therefore, this classification is not merely a legal definition but also a proactive risk management tool for institutions.
All personal data processing activities, including those involving special categories of personal data, must comply with the basic principles regulated in Article 4 of the KVKK. The sensitivity of this data further increases the importance of compliance with these principles.
Lawfulness and fairness: It is essential that the data processing activity is transparent and based on a valid legal ground.
Accuracy and currency: Mechanisms must be established to ensure the accuracy and currency of data that may change over time, especially the health status of students.
Specific, explicit, and legitimate purposes: The concrete purpose for which the data is collected (e.g., providing infirmary services, providing guidance support, fulfilling a legal obligation) must be clearly determined, and the data must not be used outside of these purposes.
Relevance, limitation, and proportionality (data minimization): This principle is one of the most frequently violated principles in special category data processing activities. No more special category data than necessary to achieve the determined purpose should be collected. For example, to provide guidance services to a student, only the psychological or medical information relevant to the counseling process should be obtained, not their entire medical history.
Limited retention: When the purpose of data processing ceases to exist (e.g., the student graduates), the relevant special categories of personal data must be destroyed unless there is a legal obligation to retain them.
According to Paragraph 2 of Article 6 of the KVKK, the processing of special categories of personal data is prohibited as a rule. The primary legal basis that eliminates this prohibition is obtaining the "explicit consent" of the data subject. However, for consent to be deemed legally valid, it must carry three essential elements simultaneously:
Relating to a specific subject: General and vaguely scoped consents such as "I allow the processing of all special categories of data collected about me at school" are invalid. Consent must be directed towards a specific subject, such as "processing of my health data within the scope of infirmary services" or "keeping my interview notes in case I receive psychological counseling services."
Based on information: Before requesting consent, the educational institution acting as the data controller must fully fulfill its obligation to inform pursuant to KVKK Article 10. The parent, student, or staff member must consent only after fully understanding which data will be processed, for what purpose, to whom it may be transferred, how long it will be stored, and what their rights are.
Given with free will: Consent must not be imposed as a precondition for the provision of a service. This element is critical, especially in relationships where there is an imbalance of power, such as school-parent or school-staff relationships. If a perception is created that refusing consent will lead to a negative consequence for the student or employee (e.g., being deprived of a specific educational service), the consent given cannot be accepted as based on free will.
In the education sector, "explicit consent" is much more fragile than it appears as a legal basis and should generally be considered a last resort. Institutions tend to take the easy route of seeking consent for every activity instead of investigating other processing conditions such as "being expressly provided for by the laws" or "fulfillment of a legal obligation." However, due to the aforementioned power imbalance, the legal validity of such consents is often dubious. As the Board has emphasized in various decisions, resorting to explicit consent when another data processing condition exists constitutes a violation of the law, as it may be misleading to the data subject and constitute an abuse of right.
The KVKK stipulates certain exceptions for the processing of special categories of data, which must be interpreted narrowly. The Law regulates these exceptions by making a distinction between "health and sexual life" data and others:
Special categories other than health and sexual life: These data may be processed without the explicit consent of the data subject only if "expressly provided for by the laws." For example, processing a teacher's union membership information for the purpose of deducting union dues from their salary, as required by the relevant labor and social security laws, falls within this scope.
Health and sexual life data: These data are subject to even stricter protection. Their processing without explicit consent is possible only for the following purposes and by the following persons: "for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services and financing, by persons under the obligation of secrecy or authorized institutions and organizations." A typical example of this exception is a doctor or nurse working in the school infirmary, who is under an obligation of secrecy, processing a student's health data in an emergency.
Educational institutions process a wide variety of special categories of personal data due to the nature of their activities. The lawfulness of these activities depends on identifying the correct legal basis and adhering to basic principles, particularly the principle of proportionality.
Health Data: Student health files kept in school infirmaries (chronic illnesses, allergies, medications used), vaccination records, blood type information taken for use in emergencies, and health reports requested for participation in sports activities. Purpose: To protect the student's health, perform emergency medical interventions, and provide preventive medicine services.
Guidance and Psychological Counseling (PDR) Data: Notes regarding individual or group interviews with students, results of applied psychological tests (e.g., intelligence, aptitude, or personality tests), and information regarding the student's family, social, or emotional state. Purpose: To support the student's holistic development and assist in academic and career planning.
Religious Belief Data: Petitions submitted by students or their parents requesting exemption from the mandatory Religious Culture and Moral Knowledge course, which indirectly reveal religious belief. Purpose: To ensure the exercise of a constitutional right.
Union Membership Data: Union membership information of teachers and other staff. Purpose: To fulfill legal and contractual obligations such as deducting membership dues from salaries.
Biometric Data: Data collected through fingerprint or facial recognition systems used at school entrances/exits, cafeterias, or library services. Purpose: To ensure security or facilitate service tracking.
Although special category data processing activities in educational institutions often start with well-intentioned purposes such as security or student development, they can easily become unlawful due to disregarding the principles of "proportionality" and "purpose limitation."
For example, a school installing a fingerprint recognition system to increase security might seem to be acting on a legitimate purpose. However, KVKK Article 4 mandates that data processing be "proportionate." Is it truly necessary to collect the fingerprints, a non-revocable and high-risk form of biometric data, of every student and staff member to ensure security? Or could less intrusive methods such as student ID cards, passcodes, or staff supervision serve the same purpose? The fact that the Board ruled in its Decision No. 2020/404, concerning an employer, that collecting fingerprints when alternative methods exist violates the principle of proportionality shows that this approach applies to educational institutions as well. Consequently, the school's legitimate purpose turns into an unlawful data processing activity because of the disproportionate method chosen. This pattern of error can be repeated in many areas, from PDR services to the collection of health data.
Special categories of personal data processed in educational institutions are subject to strict legal limitations under the Law on Protection of Personal Data (KVKK). Lawful processing of this data mandates adherence to the principles of limitation to the designated purpose and proportionality.
Health Data regarding students and staff is processed for two main purposes. First is to provide emergency response and treatment services in the infirmary, and this activity can be carried out without explicit consent by medical personnel under an obligation of secrecy pursuant to Article 6/3. However, this data must be accessible only to authorized medical personnel, and sharing it with third parties generally requires explicit consent. Second, health reports requested for participation in sports teams are processed by obtaining explicit consent under Article 6/2. The most important point to consider here is that, due to the proportionality principle, the report should contain only the information necessary for the relevant sports activity, and unnecessary health data should not be requested.
Guidance and Psychological Counseling (PDR) Data (psychological counseling and test applications) are also collected from students with explicit consent within the framework of Article 6/2. For this consent to be valid, it is of vital importance to provide detailed and transparent information regarding the nature of the test, the purpose of using the results, and with whom they may be shared (See Board Decision 2020/255).
Requests for exemption from religious classes, which indirectly reveal the student or parent's Religious Information, can be processed within the scope of fulfilling the data controller's legal obligation under Article 5/2-ç. Proportionality is essential in this process as well; more information than necessary for the request (e.g., worship habits) should not be requested, only the minimum data required to process the exemption should be collected.
Regarding staff, Union Membership information is processed for the purpose of dues deduction based on being expressly provided for by laws (Labor Law and related legislation) pursuant to Article 6/3. This sensitive information should only be shared with authorized persons in the payroll and accounting department and must not be used for purposes such as performance evaluation.
Processing Biometric Data (fingerprint entry-exit control), which is a particularly high-risk area, is legally possible with explicit consent under Article 6/2, yet it remains high risk. The Personal Data Protection Board's established jurisprudence may find biometric data processing contrary to the proportionality principle when less intrusive methods (such as card systems) exist, deeming it unlawful even if explicit consent is obtained. This clearly demonstrates that educational institutions must achieve their security goals with less risky alternatives.
Article 12 of the KVKK imposes an obligation on data controllers to take "all necessary technical and administrative measures" to ensure the security of personal data under their responsibility. However, for special categories of personal data, the Board has gone beyond this general obligation and separately determined in detail the "adequate measures" to be taken, via its decision dated 31/01/2018 and numbered 2018/10. Educational institutions are obliged to fully implement the administrative and technical measures specified in this decision.
Creation of Policies and Procedures: A separate and written policy regulating the processing, security, and destruction processes of special categories of personal data must be created.
Training and Awareness: Regular training regarding legal regulations, institutional policies, and data security must be provided to personnel processing this sensitive data (infirmary staff, PDR specialists, human resources, IT staff), and awareness activities must be conducted. Signing confidentiality agreements with this staff is also an important measure. The fact that the Board accepted the failure to provide adequate KVKK training to staff as a direct data security violation in a decision regarding a hospital shows how critical this measure is.
Authorization Matrix and Access Control: Authorizations to access special categories of personal data must be clearly defined and limited based on the "need-to-know" principle. A classroom teacher should not be authorized to access PDR notes or detailed health records of a student they are responsible for. Access authorizations must be reviewed regularly.
Physical Security: The physical security of environments where printed documents containing special categories of data (health files, PDR forms, etc.) are located (infirmary, PDR room, archives) must be ensured; these areas must be kept under lock and key, and unauthorized entry/exit must be prevented.
Encryption (Cryptography): Electronic environments (servers, databases, laptops) where special categories of personal data are stored must be encrypted using strong cryptographic methods.
Secure and Immutable Logging: Transaction records (logs) of all actions performed on this data (access, viewing, modification, deletion) must be kept securely in a way that prevents unauthorized intervention.
Network Security and Prevention of Unauthorized Access: Systems hosting the data must be protected against external threats with up-to-date firewalls and intrusion detection/prevention systems.
Secure Data Transfer: Special categories of data must not be transferred via insecure channels like plain email. If transfer is necessary, the data must be encrypted, or secure communication protocols such as VPN or SFTP must be used.
Two-Factor Authentication: If remote access to this data is possible, the use of a two-factor authentication system is mandatory to increase security.
Penetration Tests and Regular Audits: The security of IT systems where data is held must be regularly checked with penetration tests, and detected vulnerabilities must be remediated.
Secure Destruction: Special categories of data whose retention period has expired or whose purpose for processing has ceased must be destroyed in a way that makes them irretrievable in digital environments (secure deletion software, degaussing, etc.) and unreadable in physical environments using paper shredders.
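Two of the measures above, the need-to-know authorization matrix and secure, immutable logging, are shown together in the following added example, written for this page and not taken from the report, the Board's decision, or any KVKK tool. The roles, category labels, and sample records are constructed; tamper evidence comes from hash-chaining each access-log entry to the previous one, so an edited or deleted entry breaks the chain.

```python
"""Need-to-know access check over special-category records, with a
hash-chained access log. Added illustration; role and category names
are assumed, not taken from any regulation or product."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed need-to-know matrix, following the report: infirmary staff see
# health files, PDR specialists see counseling notes, payroll sees union
# membership, and a classroom teacher sees none of these.
NEED_TO_KNOW = {
    "infirmary_nurse": {"health"},
    "pdr_counselor": {"pdr_notes"},
    "payroll": {"union_membership"},
    "classroom_teacher": set(),
}

GENESIS = "0" * 64  # previous-hash value for the first log entry


@dataclass
class Record:
    record_id: str
    subject: str
    category: str                        # "health", "pdr_notes", ...
    purpose_ended: Optional[date] = None  # e.g. graduation date; None = active


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, role, record_id, action, decision, when: date):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"actor": actor, "role": role, "record": record_id,
                "action": action, "decision": decision,
                "when": when.isoformat(), "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry fails."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(actor, role, record: Record, action, log: AuditLog, today: date):
    """Decide an access request and log it, whatever the outcome."""
    expired = record.purpose_ended is not None and today > record.purpose_ended
    if expired:
        # Purpose has ceased (e.g. graduated student): data is due for
        # destruction, not for further use.
        decision = "DENY_RETENTION_EXPIRED"
    elif record.category in NEED_TO_KNOW.get(role, set()):
        decision = "ALLOW"
    else:
        decision = "DENY_NEED_TO_KNOW"
    log.append(actor, role, record.record_id, action, decision, today)
    return decision


if __name__ == "__main__":
    # Constructed sample data, not real records.
    log = AuditLog()
    today = date(2025, 1, 10)
    print(authorize("nurse1", "infirmary_nurse",
                    Record("r1", "student-A", "health"), "view", log, today))
    print(authorize("teacher1", "classroom_teacher",
                    Record("r2", "student-A", "pdr_notes"), "view", log, today))
    print(log.verify())
```

Every request, allowed or denied, lands in the log, which is what makes later review of unauthorized attempts possible.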
The KVKK grants extensive rights to natural persons whose data is processed (students, parents, staff) against the data controller. These rights aim to ensure transparency in data processing procedures and enable individuals to control their own data. By applying to the school acting as the data controller, data subjects have the right to:
Learn whether their personal data is processed,
Request information if their personal data has been processed,
Learn the purpose of processing and whether they are used in accordance with this purpose,
Know the third parties to whom their data is transferred domestically or abroad,
Request rectification of their data if it is incomplete or inaccurately processed,
Request the deletion or destruction of their personal data within the framework of the conditions stipulated in KVKK Article 7,
Request notification of the operations made as per rectification, deletion, or destruction to third parties to whom personal data has been transferred,
Object to the occurrence of a result against themselves by analyzing the processed data exclusively through automated systems,
Demand compensation for damages in case they suffer damage due to the unlawful processing of their personal data.
The process for data subjects to exercise these rights has a two-stage structure:
Application to the data controller: The data subject must first submit their request to the school acting as the data controller in writing or through other methods determined by the Board (registered electronic mail, secure electronic signature, etc.). This application is a mandatory remedy that must be exhausted before resorting to the complaint procedure. The school is obliged to conclude the application free of charge as soon as possible and within 30 days at the latest, depending on the nature of the request. The school may accept the request or reject it with reasons, and shall notify the data subject of its answer in writing or electronically.
Complaint to the Board: The data subject may file a complaint with the Personal Data Protection Board if the school rejects the application, if the answer given is found insufficient, or if the school fails to answer within 30 days. The right to complain must be exercised within 30 days from the date of learning the school's answer and in any case within 60 days from the date of application. These are preclusive (forfeiture) periods; if they are exceeded, the Board will not examine the complaint.
For educational institutions, managing data subject applications is not only a legal obligation but also an early warning system preventing a potential crisis. A simple request for information that is not managed duly and in a timely manner may lead a parent or staff member to file a complaint with the Board. A complaint submitted to the Board may not remain limited to that specific request but may lead to an audit of the institution's general KVKK compliance level, privacy notices, consent forms, and data security measures. This carries the risk of a matter that could be easily resolved initially evolving into a comprehensive audit process that could result in serious administrative fines.
The decisions rendered by the Board regarding the education sector are of critical importance in terms of demonstrating how the theoretical provisions of the law are interpreted in practice. These decisions clearly reveal the error patterns schools must avoid and what they should focus on during compliance processes.
Facts: A private educational institution administered the CAS (Cognitive Assessment System) test, which measures cognitive abilities, to students without providing due notification (a privacy notice, "aydınlatma metni") to parents and without obtaining valid explicit consent.
Evaluation: The Board determined that the data obtained as a result of this test constituted special categories of personal data as it contained evaluations regarding the student's intelligence level and personality traits. The school's defense that it conducted this activity within the framework of the Ministry of National Education Guidance Services Regulation was found insufficient. The Board pointed out that referring to a general regulation does not eliminate the specific and clear notification obligation required by the KVKK. Consequently, it was decided that the school violated its notification obligation under KVKK Article 10 and its obligations regarding data security under Article 12.
Lesson Learned: Educational institutions must abandon the "we got the signature, no problem" mentality. Board decisions show a focus on substance (quality of notification, necessity of processing, proportionality) rather than form (existence of a consent text). Even if consent is obtained from a parent or staff member for a data processing activity, if transparent and understandable information regarding what this consent means, how the data will be used, and the rights of the data subject has not been provided, the processing will be deemed unlawful.
Facts: A school continued to use the photograph of a graduated student in the school's promotional brochures and on its website, relying on permission obtained from the parent during the student's enrollment.
Evaluation: The Board accepted that the school had obtained a wet-ink signed explicit consent from the parent for "social media sharing" during enrollment and therefore the initial use of the photo was lawful. However, the Board emphasized that with the student's graduation, the legal relationship between the student and the school, and thus the purpose of data processing, ceased to exist. Therefore, it ruled that this data, which no longer had a legitimate purpose for processing, must be destroyed or at least anonymized (e.g., blurred) in a way that the student cannot be recognized. Furthermore, the Board instructed that the notification and consent texts used by the school be rearranged in a "granular" (detailed) manner to offer separate options for each sharing channel (brochure, website, social media, etc.).
Lesson Learned: Explicit consents obtained do not have indefinite validity. When the purpose of data processing ceases to exist, the consent effectively loses its validity, and the data must be destroyed within the framework of retention and destruction policies. Additionally, instead of "blanket consents" such as "I allow all sharing," detailed consent mechanisms that allow the data subject to choose which type of sharing will be done on which medium must be established.
Violations of the KVKK are not limited to administrative fines. Depending on the nature of the act, crimes regulated in Law No. 5237 Turkish Penal Code (TCK) may also arise. Specifically, the acts of unlawfully giving, disseminating, or seizing personal data constitute a crime requiring a prison sentence of 2 to 4 years under TCK Article 136. The commission of this crime by a public official (public school teacher or administrator) by abusing the authority conferred by their duty, or by utilizing the convenience provided by a certain profession and art (private school staff), is regulated as an aggravating circumstance that increases the penalty under TCK Article 137.
Turkey's personal data protection legislation, the KVKK, is largely based on the European Union's former Directive 95/46/EC. However, there are significant differences between it and the currently effective General Data Protection Regulation (GDPR).
The definition of "special categories of personal data" in the KVKK largely overlaps with the definition of "special categories of personal data" in Article 9 of the GDPR. Both regulations include data such as race, ethnic origin, political opinion, health, and sexual life within this scope. However, the KVKK's inclusion of "appearance and dress" (kılık ve kıyafet) information as special category data is a difference specific to Turkish law.
In terms of scope, while the GDPR is a much more detailed and comprehensive regulation consisting of 99 articles and 53,000 words, the KVKK consists of 32 articles and approximately 5,500 words. Therefore, the GDPR offers a broader spectrum in terms of terminology and field of application.
The common point in both regulations is that special categories of personal data generally cannot be processed without explicit consent. This principle is clearly set forth in KVKK Article 6 and GDPR Article 9. However, both regulations foresee certain exceptions (e.g., protection of public health, proceedings conducted by judicial authorities). Therefore, the "prohibition and exceptions" approach constitutes the basic processing rule in both systems.
One of the most fundamental philosophical differences between GDPR and KVKK is the principle of "accountability" and its reflection, the obligation of Data Protection Impact Assessment (DPIA). GDPR expects data controllers not only to comply with the rules but also to actively prove that they are compliant.
Article 35 of the GDPR mandates that the data controller compulsorily conduct a DPIA before starting high-risk data processing activities, such as the large-scale processing of special categories of data. A DPIA is a proactive process that systematically analyzes the potential risks of the planned processing activity on the rights and freedoms of individuals, identifies measures to mitigate these risks, and documents them.
In the KVKK, there is no explicit and mandatory DPIA mechanism like in the GDPR. However, the obligation to "take all necessary technical and administrative measures" in KVKK Article 12 and the Board's risk-based approach necessitate a similar risk analysis in practice. Especially when special categories of data are concerned, whether the data controller evaluated possible risks beforehand and took proportionate measures against these risks is audited.
The fact that GDPR makes accountability an explicit and fundamental principle creates a much heavier and documented compliance obligation compared to KVKK. In KVKK, this principle is implicit.
Another significant difference emerges in the dimension of sanctions. Under the KVKK, administrative fines (up to approximately 10 million TL as of 2024) are foreseen, and prison sentences under the Turkish Penal Code may also be in question depending on the nature of the act.
The GDPR, on the other hand, foresees administrative fines of up to 4% of global turnover or up to 20 million Euros (whichever is higher). These high amounts make the GDPR a much more deterrent regulation, especially for international and large-scale companies.
The analyses conducted throughout this report clarify the legal limits educational institutions must adhere to when processing special categories of personal data and the key risks they may encounter.
Special categories of data can only be processed in exceptional cases narrowly defined in the law or with a valid "explicit consent" where all elements are present. Every processing activity must strictly adhere to basic principles such as "purpose limitation," "data minimization," and "proportionality." Data security must be ensured at the highest level within the framework of "adequate measures" determined by the Board.
Invalid Consent: Consents being deemed legally invalid due to insufficient notification or power imbalance between parties.
Broad Interpretation of Exceptions: Arbitrary use of exceptions like "expressly provided for by laws" or "public health" without a concrete legal basis.
Insufficient Security Measures: Incomplete or non-implementation of administrative and technical measures mandated by the Board (especially encryption, access control, regular training).
Exceeding Retention Periods: Failure to destroy data belonging to persons whose purpose of processing has ceased, such as graduated students or staff who left the job.
Inability to Manage Data Subject Applications: Failure to comply with legal deadlines and failure to provide duly reasoned responses to applications, leading to this situation turning into a complaint and audit before the Board.
It is recommended that educational institutions adopt a systematic approach comprising the following steps to ensure full compliance with the KVKK and effectively manage their risks:
Upper management must take ownership of the issue, allocate necessary resources, and appoint a Personal Data Protection Committee or Officer to manage KVKK processes within the institution.
Creating a detailed data processing inventory where all special categories of personal data processed within the institution (where, why, how, and for how long they are processed) are identified.
Clarifying the legal basis (consent or exception) for each processing activity in the inventory and analyzing potential risks with an approach similar to the DPIA in GDPR.
Preparing or revising privacy notices (aydınlatma metinleri), explicit consent forms, policies, and procedures in accordance with the KVKK and Board decisions. Designing consent forms in a "granular" manner to offer separate options for each purpose and sharing channel.
Fully implementing all administrative and technical measures detailed in Chapter 4 and mandated by the Board.
Training all staff, especially units processing sensitive data, on KVKK and data security at regular intervals.
Establishing written procedures with clear responsibilities and process steps to manage data subject applications and potential data breaches.
Checking the effectiveness of the established system regularly through internal or external audits and adopting a continuous improvement approach by remediating detected deficiencies.
For educational institutions, the processing of special categories of personal data is, beyond being a legal obligation, an ethical responsibility owed to students, parents, and staff. Compliance with KVKK does not merely mean avoiding administrative fines and legal sanctions; it is also a fundamental necessity for protecting the institution's reputation and establishing a transparent and trust-based relationship with its stakeholders.
Success in this complex and dynamic field lies not in seeking solutions as problems arise with a reactive approach, but in adopting a proactive and risk-oriented data management culture. This report is designed to provide comprehensive guidance to educational institutions on the path to creating this culture.