
Turkey: The KVKK's guidance on recommendations for protecting privacy in mobile applications

On December 22, 2023, the Turkish Personal Data Protection Authority (KVKK) published the Guidelines on the Protection of Privacy in Mobile Applications (the Guidelines) to address the existing and potential risks regarding the protection of privacy in mobile applications and to provide general recommendations to data subjects and data controllers. Melis Mert, of BTS & Partners, provides an overview of the key takeaways and enforceability of the Guidelines. 


What is the enforceability of the Guidelines? 

The KVKK's guidelines are not legally binding; they set out the KVKK's approach to the matter at hand and its expectations of data controllers' processing activities. It should be noted, however, that in certain decisions the KVKK has referred to its guidelines when assessing a data controller's compliance with the Turkish Personal Data Protection Law No. 6698 (the Law), even though the Law provides no sanction for non-compliance with the guidelines themselves. Data controllers within the scope of these Guidelines should therefore review their processing activities carried out through mobile applications against the Guidelines and align with the best practices they describe.

What are the key takeaways?  

Territorial scope  

Currently, the Law does not contain an explicit extraterritorial application clause. In practice, foreign data controllers assess their position by considering whether their data processing operations are directed at data subjects located in Turkey.

The Guidelines set out several criteria for non-resident data controllers, similar to the European Data Protection Board's (EDPB) guidance on the territorial scope of the General Data Protection Regulation (GDPR). Where these criteria are met by a mobile application offered by a non-resident provider, the Law applies, which triggers obligations such as registration with the Data Controllers' Registry[1]. The criteria are:

  • offering goods and services with reference to Turkey;
  • making introductory statements indicating that the service is provided to persons in Turkey;
  • providing a Turkish language option and delivery options to Turkey in the provision of goods and services;
  • targeting persons in Turkey in the provision of goods and services or in behavioural advertising activities; and
  • online tracking through unique identifiers and geolocation activities for marketing purposes.

Data controller - data processor status 

In terms of personal data collected through mobile applications, the KVKK has underlined that there may be more than one data controller where the application integrates a third-party service (for instance, a third-party provider included in the application to perform two-factor authentication, or an advertising network embedded in the application).

Furthermore, in a scenario where the application provider and the application developer are separate entities, the application developer may be considered a data processor provided that, as per the contract between them, the application developer:  

  • undertakes only a technical role in personal data processing; and  
  • is ensured not to process personal data for its own purposes.  

In this context, the controller or processor status of each stakeholder in the development and rollout of a mobile application should be determined before any personal data processing takes place. Based on this determination, the contracts concluded between the parties should be reviewed and compliance with the Law ensured.

Conditions for the processing of personal data 

The KVKK has concluded that the explicit consent of the user must be obtained where processing is not necessary for the performance of the application's main function (e.g., an e-commerce application that, in addition to shopping, shows the nearest stores by accessing the user's location data: the location feature is not part of the main function and therefore requires explicit consent). For personal data that is not necessary for the application to function, it is crucial to ensure that:

  • the personal data is not processed where the data subject has not actively opted for the optional service offered by the application; and
  • the processing of the relevant personal data is genuinely not necessary for the performance of the application's main function.

Processing of special categories of personal data  

The Guidelines highlight that data stored by applications offering functions such as sleep tracking and step counting may qualify as health data (and in some cases items such as photos, messages, and user logins may also contain special categories of personal data). Unless such data is processed for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and nursing services, or the planning, management and financing of healthcare services, by persons under a confidentiality obligation, the explicit consent of the data subjects should be obtained before processing. In any case, the additional measures set out in the Data Protection Board's Decision No. 2018/10 of 31 January 2018 must be taken.

Measures for the security of personal data 

As per the Guidelines, privacy-enhancing settings must be switched on when a mobile application is used for the first time, without any further action by the user. In line with Opinion 02/2013 of the Article 29 Data Protection Working Party, the Guidelines recommend that multi-factor authentication be offered, that users be required to set strong passwords and change them regularly, that stored credentials be protected by moving to current hashing functions, and that methods such as CAPTCHA be preferred on pages requiring user input, in order to prevent unauthorised access to the devices on which the applications are used.
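"Switching to current hashing functions" is rarely a one-shot migration, because a controller holding legacy digests cannot recompute them without the cleartext. The usual approach is to verify against whichever scheme a record uses and re-hash it the moment a user logs in successfully. The following is an added example, not code from the KVKK Guidelines or from the article's author. It assumes a store that still holds unsalted MD5 digests (the legacy function to move away from) and uses Python's standard-library scrypt as the current function; the `scheme$fields` record format and the scrypt cost parameters are illustrative choices.

```python
import hashlib
import hmac
import secrets

# Assumed record format (not from the Guidelines): "<scheme>$<fields>".
LEGACY_SCHEME = "md5"      # unsalted MD5: the kind of function to migrate away from
CURRENT_SCHEME = "scrypt"  # salted, memory-hard; provided by hashlib.scrypt
# Illustrative scrypt cost parameters for interactive logins (about 16 MiB of memory).
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def hash_legacy(password):
    """Constructed legacy record: unsalted MD5 of the password. Never use for new data."""
    return "%s$%s" % (LEGACY_SCHEME, hashlib.md5(password.encode("utf-8")).hexdigest())


def hash_current(password, salt=None):
    """Current record: scrypt with a fresh 16-byte random salt per password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "%s$%s$%s" % (CURRENT_SCHEME, salt.hex(), digest.hex())


def is_current(stored):
    return stored.startswith(CURRENT_SCHEME + "$")


def verify(stored, password):
    """Check a password against either record type; comparisons are constant-time."""
    scheme, _, rest = stored.partition("$")
    pw = password.encode("utf-8")
    if scheme == CURRENT_SCHEME:
        salt_hex, _, digest_hex = rest.partition("$")
        actual = hashlib.scrypt(pw, salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
        return hmac.compare_digest(actual, bytes.fromhex(digest_hex))
    if scheme == LEGACY_SCHEME:
        actual = hashlib.md5(pw).hexdigest()
        return hmac.compare_digest(actual.encode("ascii"), rest.encode("ascii"))
    return False  # unknown or malformed scheme: fail closed


def login(store, username, password):
    """Authenticate; on success, upgrade a legacy record in place.

    The cleartext is only available during a successful login, so this is the
    one point at which the stored scheme can be changed without a password reset.
    """
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False
    if not is_current(stored):
        store[username] = hash_current(password)
    return True


def demo():
    # Constructed user store: one legacy record, one already on the current scheme.
    store = {"alice": hash_legacy("correct horse"), "bob": hash_current("battery staple")}
    results = []
    results.append(login(store, "alice", "wrong password"))  # False; record left as MD5
    results.append(login(store, "alice", "correct horse"))   # True; alice re-hashed to scrypt
    results.append(login(store, "alice", "correct horse"))   # True; now verified via scrypt
    results.append(login(store, "bob", "battery staple"))    # True; already current
    return results, store


if __name__ == "__main__":
    results, store = demo()
    print(results)
    print({user: record.split("$")[0] for user, record in store.items()})
```

Two points matter operationally: a failed login must never trigger a re-hash (otherwise an attacker's guess would overwrite the record), and legacy records that are never logged into remain weak, so a deadline after which they are invalidated and a reset is forced belongs in the migration plan.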

Lastly, for applications known to be widely used by children, the Guidelines stipulate that systems should be implemented to verify the age of users, and that processing activities concerning children be carried out under a separate policy and procedure.

Melis Mert Managing Associate – Attorney at Law 
BTS & Partners, Istanbul 

[1] Pursuant to Article 16 of the Law, natural and legal persons who process personal data are required to register with the Data Controllers' Registry before starting to process personal data. As a general rule, data controllers resident in Turkey, data controllers resident abroad, and data controllers that are public institutions and organisations are all required to register with the Data Controllers' Registry if they process personal data in Turkey.