Founder
November 7, 2025
19 min read
The twenty-first century has placed the "right to be forgotten" (RTBF)—one of the most fundamental legal challenges born from the internet's infinite memory capacity—at the center of the legal and societal agenda. This new-generation human right creates an inevitable tension between the individual's demand to shape their future free from the burdens of their digital past, and academia's foundational commitment to the integrity, accessibility, and preservation of scientific records for future generations. The primary objective of this report is to answer this complex question: How can academic institutions, as guardians of knowledge, reconcile these two conflicting fundamental imperatives within the constantly evolving Turkish legal system? The landmark decisions in this area by the Yargıtay (Court of Cassation) and the Anayasa Mahkemesi (Constitutional Court) stand out as the primary catalysts that have ignited this urgent discussion. Therefore, the future of academic archives depends on how this delicate balance is struck between the indelibility of digital memory and the protection of individual autonomy.
This chapter lays the necessary legal and conceptual groundwork for understanding the complexity of the subject. The definition of the right to be forgotten, its legal bases, and its relationship with other fundamental rights are examined in-depth, specific to the Turkish legal system.
Creating a comprehensive definition of the right to be forgotten requires synthesizing various sources. The most frequently cited definition in Turkish law was provided by the Yargıtay General Assembly of the Civil Chambers (Yargıtay Hukuk Genel Kurulu - HGK): "the right to demand that negative events experienced in the past, which are located in digital memory, be forgotten after a certain time, and that personal data one does not wish others to know be deleted and its dissemination prevented, unless there is an overriding public interest." This definition is supported by academic definitions that emphasize the individual's control over their own digital footprint and personal data. Essentially, this right grants the individual control over where, how, and until when their personal data can be used.
The most critical point distinguishing the right to be forgotten from other legal claims is the nature of the information that constitutes the subject of the right. This right targets information that was lawfully published and accurate, but which has become outdated, irrelevant, or causes disproportionate harm to the individual over time. This characteristic definitively separates the right to be forgotten from requests for the removal of illegal or defamatory content, as such claims are resolved through different legal channels. The right to be forgotten aims to eliminate the negative impact created in an individual's life by the passage of time on data that originally existed on a legitimate basis.
The modern origins of the right to be forgotten are rooted in European Union (EU) law. Specifically, the "right to erasure" stipulated in Article 17 of the EU General Data Protection Regulation (GDPR) and the 2014 landmark Google Spain decision by the Court of Justice of the European Union (CJEU, or ABAD) ensured the global recognition of this right. This international background is vital for understanding the intellectual currents that have shaped the approach and jurisprudence developed by Turkish courts on the subject.
Unlike the GDPR, the Turkish legal system does not have a standalone statutory provision explicitly titled the "right to be forgotten." This right is a legal construct developed by judicial jurisprudence (içtihat) rather than by the legislator. This situation makes court decisions the primary reference point for determining the boundaries and application conditions of the right. The absence of a clear text, such as Article 17 of the GDPR, creates legal uncertainty for institutions. Compliance becomes a matter of interpreting an ever-evolving body of case law rather than following a clear checklist. This makes risk assessment and policy-making significantly more challenging for institutions in Turkey compared to their European counterparts, increasing the need for specialized legal counsel and robust internal deliberation processes.
Turkish courts have derived the right to be forgotten from a series of fundamental rights enshrined in the Constitution. These rights form the constitutional basis for the right to be forgotten:
Article 20: Privacy of Private Life and Protection of Personal Data: This article is considered the primary foundation of the right.
Article 17: The Right to Protect and Develop One's Material and Spiritual Existence: The protection of an individual's dignity and reputation is evaluated under this article.
Article 5: Fundamental Aims and Duties of the State: The state's duty to prepare the necessary conditions for the development of the individual's material and spiritual existence lays the groundwork for viewing the right to be forgotten as a positive obligation.
Law No. 6698 on the Protection of Personal Data (KVKK): The KVKK provides the primary mechanism for implementing the right to be forgotten. Specifically, Article 7 ("Deletion, destruction or anonymization of personal data") and Article 11 ("Rights of the data subject") grant individuals the right to request the deletion of their data if the purpose for processing it no longer exists. These provisions form the legal infrastructure for right to be forgotten requests.
Law No. 5651: This law, which regulates publications on the internet, can be used as a tool, particularly through Articles 9 and 9/A concerning content removal and blocking of access. However, while the scope of Law No. 5651 is generally limited to clear rights violations, such as the privacy of private life, the scope of the right to be forgotten is broader and can also encompass content that is lawful.
The right to be forgotten is not an absolute right. This right must be balanced against other fundamental rights and freedoms, such as freedom of expression, freedom of the press, and the public's right to access information. The duty of the legal system is to establish a fair balance between these conflicting rights.
At the center of this balancing act lies the criterion of "overriding public interest" (üstün kamu yararı). The right to be forgotten can only be asserted if the individual's interest in being forgotten outweighs the public's interest in remembering. This is a flexible test that requires each concrete case to be evaluated within its own circumstances.
One of the most important legal defense mechanisms for the academic world is the exceptions found in legal regulations. Both the KVKK and the GDPR permit the continued processing of personal data for historical, statistical, or scientific purposes, provided that appropriate safeguards are in place. However, this exception does not grant academic institutions absolute immunity. The Yargıtay HGK decision, which will be examined in Chapter II, narrows the scope of this exception and questions the "scientific purpose" defense. The legal defense of an academic archive cannot be limited to merely stating, "this is a scientific publication." The defense must be structured as: "this specific personal data is indispensable for the scientific and historical value of this publication." This significantly shifts the burden of proof onto the institution.
In practice, the courts and the Personal Data Protection Board (KVKK) have developed a series of criteria to establish this balance. These criteria serve as a guide in the evaluation of each request:
The public profile of the data subject: Whether the person is a politician, celebrity, or public figure.
The nature and content of the information: Such as a criminal conviction, a value judgment, or a factual reality.
The timeliness of the information: How much time has passed since the event.
Its contribution to public debate or general interest.
Its historical, scientific, or statistical value.
The harm caused to the individual by its continued accessibility.
This chapter moves from theory to practice, analyzing two fundamental court decisions that define the modern application of the right to be forgotten in Turkey. These decisions substantialize the legal framework that academic institutions are obligated to comply with.
The case was based on an individual's request for the removal of news from a national newspaper's internet archive concerning a fine he received for drug use 14 years prior. The applicant claimed that the easy accessibility of this old news via the internet hindered his efforts to rebuild his life and damaged his reputation.
The Constitutional Court ruled that the permanent and easy access to this old news through a simple name search violated the applicant's "right to the protection of honor and reputation" (şeref ve itibarın korunması hakkı), which is guaranteed under Article 17 of the Constitution. The decisive factors in the decision were the long time elapsed, the fact that the subject had lost its timeliness in terms of public interest, the nature of the crime, and the disproportionate negative impact of the news's continued accessibility on the individual's life.
The most critical outcome of this decision is the approach adopted by the AYM. The Court explicitly stated that the goal was not to rewrite history by completely deleting the archive. Instead, it emphasized that less intrusive and proportionate methods that balance the conflicting rights must be applied. The methods suggested by the Court include:
De-indexing from search engines (preventing the result from appearing in searches for the person's name).
Anonymizing the news (removing the name and other identifying information from the text).
Blocking access to a specific part of the content.
This decision sets a powerful precedent for all long-term digital archives, including academic archives. It demonstrates that providing permanent and easily searchable public access to sensitive personal data is legally vulnerable, even if the information is accurate and was lawfully published.
This lawsuit was filed after the name of a sexual assault victim was published without a pseudonym in a multi-volume legal commentary book (a scientific work). The plaintiff argued that the disclosure of her name in this manner violated her personality rights and undermined her right to be forgotten.
The Yargıtay HGK ruled in favor of the victim and ordered the name to be removed from the book. The court's reasoning was a turning point for the legal world: It concluded that the publication of the victim's real name and identity provided no additional contribution to the scientific or academic value of the work. According to the Yargıtay, the use of the name constituted a disproportionate interference with the victim's private life and right to be forgotten, as the scientific purpose of the work could have just as well been achieved by using initials or other anonymization techniques.
This decision establishes a "scientific value" or "necessity" test for the use of personal data in academic and scientific publications. The court peers behind the veil of "academic freedom" to question whether a specific piece of personal data is truly necessary for the integrity and purpose of the work.
These two decisions do not exist in isolation but rather form a coherent compliance framework. The Yargıtay HGK decision provides the substantive test (Is the personal data scientifically necessary?), while the AYM decision offers the procedural remedy (If not, use less intrusive methods like anonymization or de-indexing instead of total destruction). This demonstrates that a university's compliance policy must be a two-step process: First, the scientific necessity of the personal data in a contested publication must be evaluated; second, if the necessity is weak, the least intrusive of the AYM's remedies must be applied.
This combined approach offers institutions a clear and actionable strategy. Furthermore, a recurring theme, especially in the AYM decision and KVKK guidance, is that the primary action is often not to delete the source content, but to break the link between the individual's name and that content in search results (de-indexing). This is a fundamentally different approach from content removal. The original document (e.g., thesis, article) can remain intact on the university's server, while the obligation is to prevent it from being easily discovered via a public search engine using the person's name. This has profound architectural implications for academic archives and shows that compliance can be achieved by manipulating metadata, using robots.txt files, or negotiating with search engines, rather than altering the archive record itself. This approach also preserves the "intact" archival copy for legitimate, non-public research access.
This chapter applies the legal principles from Chapters I and II to the concrete operational realities of academic institutions. It examines the challenges and obligations created by the right to be forgotten across a wide spectrum, from scientific publications to student records.
This constitutes one of the highest-risk areas. Theses, which often contain sensitive personal data from interviews, case studies, or ethnographic research, are now globally accessible through platforms like the YÖK Ulusal Tez Merkezi (YÖK National Thesis Center). The Yargıtay HGK's landmark decision is directly applicable to this area. The mass digitization and opening of access to older theses, written before modern data protection ethics standards became widespread, has created a huge and unassessed legal liability. The owners of unanonymized personal data in these theses have the right to demand the removal of their data based on the Yargıtay decision. This represents a potential "ticking time bomb" ("saatli bomba") for YÖK and universities, implying a massive retroactive screening and remediation burden.
National platforms like DergiPark and universities' own institutional repositories host vast collections of publications spanning decades. These platforms are considered "data controllers" (veri sorumlusu) or "data processors" (veri işleyen) under the KVKK and bear legal responsibility as such. The obligation to retroactively review decades of publications for unnecessary personal data imposes a significant operational and financial burden on these institutions.
YÖK's policies play a central role here. YÖK's mandating of international author identifiers like ORCID and its warning against uploading signed jury approval pages indicate a growing awareness of data protection. However, the fundamental problem regarding personal data contained within the text of the thesis itself still persists as a major legal gap and risk area.
Universities are "data controllers" (veri sorumlusu) under the KVKK, processing and storing massive amounts of personal data. This status imposes serious legal obligations on them regarding data protection. This dual role of universities (as both knowledge producers and data controllers) creates a conflict of interest. As a research institution, its goal is to preserve and disseminate information, advocating for the permanence of archives. However, as a data controller under the KVKK, its obligation is to comply with the principle of data minimization, limit the retention period, and fulfill deletion requests. For example, when a former student with a disciplinary penalty requests the deletion of their data, the university's role as data controller (protecting the individual) conflicts with its role as archivist (protecting the integrity of the institutional record). This internal conflict requires a sophisticated, high-level policy that clearly defines which records are part of the permanent "academic/historical archive" (with a high justification for retention) and which are merely administrative records subject to routine destruction schedules.
The analysis must cover various types of institutional data:
Student Records: Data such as transcripts, course registrations, and grades are mandatory for administrative purposes. However, the retention period and purpose for this data must be questioned under the KVKK's principles of data minimization and purpose limitation.
Disciplinary Records: Records of academic misconduct or other violations are extremely sensitive and fit directly into the "negative events in the past" definition that the right to be forgotten aims to address.
Alumni Information: The legal basis for indefinitely retaining data kept for alumni relations and fundraising activities must be carefully examined within the framework of KVKK principles.
This report argues that universities must abandon the "keep everything forever" mentality and develop formal, legally defensible data retention and destruction policies, as required by the KVKK. These policies must define the legitimate retention period for each data type and ensure the secure destruction of data at the end of that period.
The right to be forgotten poses a profound challenge for research that follows individuals over time (longitudinal) or uses identifiable data from human participants. A research participant's request to delete their data years later can fundamentally undermine the integrity, replicability, and scientific validity of a study.
Traditional "informed consent" forms may no longer be sufficient. Consent processes must become more dynamic and include clear information about the limits of the right to be forgotten in the research context. It must be clearly explained to participants why their data needs to be retained for scientific validity and under what conditions deletion requests may be refused.
This final and action-oriented chapter presents a roadmap for universities to navigate this complex legal landscape. The goal is to both ensure legal compliance and protect the academic mission.
Universities must establish a clear and public process for submitting right to be forgotten requests, compliant with the KVKK's data subject application procedures. This process should include a designated contact point (e.g., a KVKK compliance office), standard application forms, and clear timelines.
Rather than having requests related to academic publications handled by a single administrator, it is recommended that a special committee be established to evaluate such requests. This committee should include the university's legal counsel, a library/archive manager, a data protection officer, and faculty experts from the relevant field. The committee's task would be to apply the two-step test derived from high court decisions (scientific necessity + proportionality) to each request.
A classification system should be established to manage incoming requests effectively:
Category 1 (Simple Administrative Data): Requests such as deleting outdated alumni contact information. These can be handled through routine procedures.
Category 2 (Sensitive Institutional Records): Requests concerning records like disciplinary actions. These require careful legal review within the framework of the institution's data retention policies.
Category 3 (Academic/Archival Content): Requests for modifications to theses or journal articles. These requests trigger the full multidisciplinary committee review.
This section provides practical and technical details on how to implement the "less intrusive" methods suggested by the AYM.
Anonymization: The process of irreversibly stripping identifiers from data so that it can no longer be re-associated with an individual. This is the strongest form of protection, and anonymized data is no longer considered "personal data" under the KVKK.
Pseudonymization: The replacement of identity identifiers with a consistent pseudonym or code, where the key linking to the true identity is stored separately and securely. This method is extremely valuable for preserving the integrity of longitudinal research data, as it allows data from the same individual to be linked without revealing their identity.
Masking/Redaction (Maskeleme/Karartma): The process of hiding or "blacking out" (redacting) specific data points within a document (e.g., a T.C. identity number, a name) while leaving the rest of the content visible. This is a direct implementation of the solution specified in the Yargıtay HGK decision.
This is the report's central strategic recommendation. It is proposed to transition from a single, open-access archive model to a multi-layered model:
Tier 1 (Public Access): The default layer. All content here is either fully anonymized or has passed a strict "scientific necessity" test for the personal data it contains. This layer is fully indexed by public search engines.
Tier 2 (Authenticated Access): Access is granted to verified researchers, students, and faculty who log in with university credentials. This layer may contain pseudonymized or partially masked data required for research. It must be configured to prevent indexing by public search engines.
Tier 3 (Restricted/Archival Access): The intact, original, and unmodified copy of the document. Access is highly restricted and requires a formal application demonstrating a legitimate research need. Access is granted on a case-by-case basis by the review committee. This model minimizes public exposure while preserving the original record for historical integrity.
Synthesizing the findings of this report, the conclusion is that the "right to be forgotten" is not an existential threat to academic archives, but rather a catalyst for their necessary evolution. This right compels institutions to confront the realities of the digital age and modernize their data management practices.
Academic institutions can successfully navigate this new legal reality by proactively adopting robust legal policies (such as a review committee), sophisticated architectural solutions (such as tiered access), and modern data protection techniques (such as anonymization and pseudonymization). This approach not only mitigates legal risks but also strengthens institutional reputation by respecting the rights of research participants and students.
The future of the academic archive lies in the transition from the "open by default" paradigm to the "principled access" paradigm. This new model aims to strike a balance that simultaneously honors both the rights of the individual and academia's enduring mission to preserve and create knowledge. Ultimately, the right to be forgotten is not the end of academic legacy, but an opportunity for it to be reshaped toward a more just, responsible, and sustainable future.
