Ⅰ. INTRODUCTION
With the acceleration of digitalisation, social media platforms have become one of the most common actors processing individuals' personal data. Users often lack sufficient information about the scope and consequences of data processing when sharing their personal information on these platforms. The Personal Data Protection Law No. 6698 ("PDPL"), which came into force in Turkey in 2016, aims to protect the fundamental rights and freedoms of individuals in the processing of their personal data and imposes various obligations on data controllers. In this context, the activities of social media platforms in Turkey are evaluated within the framework of the provisions of the PDPL; this is of particular importance in terms of both safeguarding the digital rights of users and monitoring the data processing processes of platforms.
Ⅱ. SOCIAL MEDIA AND THE PDPL
Social media platforms are considered "data controllers" under the PDPL. As such, they are obligated to act in accordance with the law when collecting, processing, storing, and, when necessary, deleting or anonymising the personal data of users in Turkey.
Pursuant to Article 10 of the PDPL, data controllers are required to inform the relevant individuals, i.e., users, when personal data is collected. The information provided in this context must include the identity of the data controller, the purposes for which personal data will be processed, with whom and for what purposes it may be shared, the method of data collection, the legal grounds for processing, and the rights of the data subjects.
Users have various rights under Article 11 of the PDPL. These rights include the right to learn whether their personal data is being processed, to request information about the processing if it is being processed, to question whether the data is being used in a manner proportionate to the purpose of processing, and to learn to whom the data is being transferred. In addition, users may request the correction of incomplete or inaccurate data, as well as the deletion or destruction of data processed in violation of the PDPL. They also have the right to request that these requests be communicated to third parties to whom the data has been transferred.
In addition, the right to object in cases where the analysis of personal data by automated systems results in adverse consequences for the individual, and the right to claim compensation for damages arising from the unlawful processing of personal data are also recognised.
The relationship between the PDPL and social media platforms is shaped by the obligation of these actors operating in the digital environment to comply with local legislation in Turkey. In particular, the obligation of social media providers to have a representative in Turkey and the requirement to ensure transparency regarding user data, as introduced by Law No. 7253, are directly linked to the data security and privacy principles set forth in the PDPL. The processing of extensive personal data, such as user profile information and location data, by social media companies subjects these platforms to the obligation to take technical and administrative security measures as stipulated in the PDPL. Failure to comply with these obligations results in various sanctions, such as the obligation to report data breaches and the supervisory authority of the Personal Data Protection Board ("Board").
Ⅲ. RESPONSIBILITIES OF SOCIAL MEDIA PLATFORMS
According to the PDPL, a "data controller" is a natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. By virtue of this definition, social media platforms acquire the status of data controller when they engage in activities such as collecting, analysing, sharing, or storing their users' data, regardless of whether they are based in Turkey. Platforms such as Facebook, Instagram, and TikTok are subject to the obligations set forth in the PDPL in their personal data processing activities, even where that processing is based on the explicit consent of users. These obligations include the obligation to provide information, take data security measures, respond to requests from data subjects, and notify the Board and data subjects in the event of a data breach.
Social media platforms determine the purposes and means of processing the data they collect from their users as part of the services they offer, which makes them independent data controllers rather than mere data processors. For example, profiling user data for advertising targeting, sharing it with other service providers, or using it in algorithmic content recommendations falls directly within the scope of the data controller's responsibility. In this context, social media companies also have additional obligations, particularly with regard to users in Turkey, such as appointing a local representative, creating a data inventory, and registering with the Data Controllers Register ("VERBİS"). Otherwise, administrative fines, suspension of activities, and bandwidth reduction may be imposed within the scope of the Board's authority. Therefore, the data controller identity of social media platforms places them in a direct and comprehensive relationship with the data protection regime in Turkey.
The PDPL imposes important obligations on all data controllers, including social media platforms, regarding the security of personal data. Under Article 12 of the PDPL, data controllers are obliged to fulfil three fundamental objectives:
- Prevent the unlawful processing of personal data,
- Prevent unlawful access to personal data,
- Ensure the secure storage of personal data.
To achieve these objectives, data controllers are required to take all necessary technical and administrative measures. If personal data is processed by another natural or legal person on behalf of the data controller, the data controller is jointly responsible with these persons for taking the measures. In addition, data controllers are also obliged to carry out, or have carried out, the necessary audits to ensure that the provisions of the PDPL are implemented in their institutions or organisations. Social media companies and their employees may not disclose personal data they have obtained in a manner contrary to the provisions of the PDPL or use it for purposes other than those specified.
In the event of a breach such as the unauthorised acquisition of personal data, the data controller is obliged to notify both the relevant person and the Board as soon as possible. The Board may, where it deems appropriate, make such breaches public.
Article 13 of the PDPL grants individuals whose personal data is processed the right to exercise their rights by directly contacting the data controller. This application may be made in writing or by other methods determined by the Board. The data controller is required to resolve the applications submitted to them as soon as possible and within a maximum of thirty days. If the processing of the application incurs additional costs, fees may only be charged in accordance with the tariff determined by the Board. However, if the application is due to an error on the part of the data controller, the fee shall be refunded.
The data controller may accept or reject the application, stating the reasons for the rejection. The necessary actions shall be taken immediately in accordance with the accepted requests, and the results shall be communicated to the relevant person in writing or electronically.
Ⅳ. RESPONSIBILITY VIOLATIONS
The most common liability violations of social media platforms under the PDPL include:
- Processing personal data without explicit consent,
- Failure to provide sufficient information to data subjects,
- Failure to provide the necessary safeguards for the transfer of data abroad,
- Inadequate data security measures,
and so on. In the Board's 2019 decisions, it was seen that Facebook was subject to serious administrative sanctions for failing to provide sufficient transparency in the sharing of user data with third-party applications and for data security vulnerabilities (PDPL Decision No: 2019/269 – "Personal Data Protection Board Decision No. 2019/269 dated 18.09.2019 regarding Facebook"). Similarly, TikTok was found to have violated its obligation to provide information regarding the processing of personal data of child users and to have failed to take special measures when processing the data of underage users (PDPL Decision No. 2023/134 – "Summary of the Personal Data Protection Board's Decision No. 2023/134 on TikTok Pte Ltd."). The Board determined that the social media company TikTok Pte Ltd. failed to take the necessary technical and administrative measures, particularly regarding the processing of children's personal data, and did not comply with the disclosure obligation and the conditions for obtaining explicit consent, and therefore decided to impose an administrative fine of 1,750,000.-TRY.
Such violations are not limited to administrative fines; they also lead to compensation claims due to the violation of data subjects' rights and reputational damage to platforms. Pursuant to Article 18 of the PDPL, administrative fines ranging from 50,000.-TRY to 2,000,000.-TRY may be imposed depending on the nature of the violation. In addition, social media companies acting as data controllers may also be subject to legal and criminal liability under the Turkish Code of Obligations No. 6098 and the Turkish Penal Code No. 5237 for the unlawful disclosure, loss, or misuse of personal data.
In other words, social media platforms that violate the obligations under the PDPL are not only subject to administrative penalties but also to legal and criminal consequences. This transforms the data protection regime from merely a compliance issue into a direct responsibility and risk management issue for the platform.
Ⅴ. CONCLUSION
Social media platforms act as data controllers under the PDPL in their processing of user data, which entails numerous legal responsibilities, from the obligation to provide information to ensuring data security, from exercising rights to obtaining explicit consent. Even if they are not based in Turkey, these platforms that process Turkish users' data are subject to the provisions of the PDPL and are open to inspection and sanctions. Especially when it comes to sensitive data such as children's personal data, the platforms' obligations increase further, and in case of violations, administrative fines as well as legal and criminal liabilities may arise. Decisions issued by the Board in recent years highlight the seriousness of these obligations and their impact on implementation, thereby strengthening data protection awareness among social media platforms. Therefore, both users acting consciously and platforms developing transparent and legally compliant data processing policies are of vital importance for the effectiveness of the data security regime envisaged by the PDPL.