Overview of the Decision
The Turkish Constitutional Court has issued a significant decision restricting the Personal Data Protection Board from imposing administrative fines based on unwritten statutory rules. In its decision dated January 27, 2026, the Court ruled that penalizing a company for using publicly available personal data contrary to its "purpose of publication" violates the constitutional principle of legality in crimes and punishments.
This decision directly impacts how foreign and local businesses, particularly those engaged in direct marketing and sales, interpret their obligations under the Personal Data Protection Law (Law No. 6698 or KVKK) when collecting data from public sources.
Background of the Dispute
The case involved Viennalife Emeklilik ve Hayat A.Ş., an insurance and pension company operating in Türkiye. The company obtained the name and phone number of an individual from a public service directory website. The company then contacted the individual to offer its commercial services.
The individual filed a complaint with the Personal Data Protection Authority, alleging that their personal data was processed without explicit consent. The company defended its actions by citing Article 5(2)(d) of the KVKK, which allows the processing of personal data without explicit consent if the data subject has made the data public.
The KVKK Board's Position
The KVKK Board rejected the company's defense. Relying on its own administrative "Application Guide", the Board argued that for data to be legally processed without consent under the "publicly available" exception, it must not be used outside the specific purpose for which the data subject made it public.
The Board concluded that the individual published their contact details to offer professional services, not to receive insurance marketing calls. Consequently, the Board ruled that the company failed to take necessary data security measures under Article 12(1)(a) of the KVKK and imposed an administrative fine of 100,000 TL under Article 18(1)(b). A lower court later reduced this fine to 17,828 TL due to calculation errors, but upheld the Board's legal reasoning.
The Constitutional Court's Legal Assessment
The company escalated the matter to the Constitutional Court, arguing a violation of the principle of legality. The Court ruled in favor of the company based on the following grounds:
- The Principle of Legality: Article 38 of the Turkish Constitution mandates that no one can be punished for an act that is not explicitly defined as an offense by law at the time it was committed. This principle requires clear, predictable statutory boundaries for any penal sanction, including administrative fines.
- Lack of Statutory Basis: Article 5 of the KVKK clearly states that data made public by the data subject can be processed without explicit consent. However, the law does not contain a provision penalizing the use of such data contrary to its initial "purpose of publication".
- Overreach by Administrative Guide: The restriction regarding the "purpose of publication" exists only in the KVKK Board's Application Guide, not in the formal statute. The Constitutional Court determined that imposing a fine by broadly interpreting a statutory provision through an administrative guide makes the law unpredictable.
The Court concluded that the administrative fine violated the Constitution and ordered a retrial to eliminate the consequences of this violation.
Frequently Asked Questions (FAQs)
Does this mean businesses can freely scrape and use all publicly available data in Türkiye?
No. The Constitutional Court's ruling is strictly focused on the principle of legality regarding administrative fines. The Court ruled that the KVKK Board cannot impose fines based on criteria (like "purpose of publication") that are not explicitly written in Law No. 6698. However, data controllers must still comply with the general principles of data processing under Article 4 of the KVKK, and systematic data scraping may still trigger other legal or regulatory risks.
Can the KVKK Board still fine companies for marketing calls?
Yes, if the processing violates explicit provisions of the KVKK or the Law on the Regulation of Electronic Commerce. If a person's data is not genuinely public or if the company processes data that requires explicit consent without obtaining it, the Board retains the authority to impose heavy administrative fines.
What is the practical impact of this decision on corporate compliance?
This decision provides a strong defense for businesses facing KVKK investigations related to the processing of publicly available data. It establishes that the KVKK Board cannot enforce penalties by expanding the text of the law through internal guidelines or broad interpretations. Companies should review any past or pending KVKK fines that rely heavily on the Board's Application Guide rather than explicit statutory language.
Will the KVKK Law be amended because of this ruling?
It is highly likely. To enforce the "purpose of publication" limitation in the future, the Turkish Parliament will need to amend Article 5 of Law No. 6698 to explicitly state that publicly available data can only be processed in accordance with the purpose for which it was made public. Until such an amendment is enacted, the Board's authority to fine companies on this specific ground is severely restricted.
Legal Representation and Compliance Support
Navigating data protection enforcement in Türkiye requires precise knowledge of administrative law, constitutional limits, and commercial realities. The regulatory environment is strict, and defending against administrative fines requires a highly technical legal approach.
If your company is facing a KVKK investigation, dealing with cross-border data transfer compliance, or requires an audit of local marketing practices, accurate legal structuring is mandatory.
