Violation of privacy under the Turkish Penal Code (Türk Ceza Kanunu, TCK) is not a single offense but a cluster of specifically defined criminal acts set out in Articles 132 through 140 of the Code—covering the unlawful recording of conversations, the covert surveillance of private spaces, the interception of communications, the unauthorized disclosure of personal data, and the violation of the confidentiality of communication. Each of these offenses has its own specific elements, its own penalty range, and its own aggravating circumstances that increase the sentence when the offense is committed using technology, by persons in positions of trust, or against particular categories of victims. The significance of this legal framework extends well beyond criminal proceedings: privacy violations in Turkey trigger parallel civil remedies under the Turkish Civil Code for compensation of material and moral damages, enforcement action by the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, KVKK) for violations involving personal data, and in some contexts administrative remedies before the Information Technologies and Communication Authority (BTK) for digital privacy violations. A victim of privacy violation in Turkey therefore has multiple legal avenues available simultaneously—criminal complaint, civil lawsuit, KVKK complaint, and administrative complaint—and the strategic choice of which to pursue, in what sequence, and with what evidentiary foundation determines the outcome far more than the substantive strength of the underlying claim. The full text of the Turkish Penal Code is accessible at Mevzuat. This article provides a systematic, practice-oriented guide to the Turkish privacy violation legal framework—addressed to individuals whose privacy has been violated, to foreign nationals navigating the Turkish legal system following a privacy incident, and to businesses seeking to understand their exposure under Turkish criminal and data protection law.
Overview of TCK Articles 132–140
A lawyer in Turkey advising on the Turkish Penal Code privacy framework must explain that Articles 132 through 140 of the TCK collectively constitute what Turkish criminal law treats as the "offenses against privacy and confidentiality of communication"—a coherent chapter of the Code that addresses the modern reality of technology-enabled surveillance and data exposure through a series of distinct but related criminal offenses. Article 132 criminalizes the violation of the confidentiality of communication (haberleşmenin gizliliğini ihlal etme); Article 133 criminalizes the wiretapping and listening to communications between others (kişiler arasındaki konuşmaların dinlenmesi ve kayıt altına alınması); Article 134 criminalizes the violation of the privacy of private life (özel hayatın gizliliğini ihlal etme) including unlawful recording and disclosure of private activities; Article 135 criminalizes the unlawful recording of personal data (kişisel verilerin kaydedilmesi); Article 136 criminalizes the unlawful disclosure or transfer of personal data (verileri hukuka aykırı olarak verme veya ele geçirme); Article 137 establishes aggravated versions of these offenses for specific perpetrator categories; Article 138 addresses the failure to destroy data when legally required; Articles 139 and 140 address procedural requirements including the complaint prerequisite. Practice may vary by authority and year — check current guidance on the current text of these articles and on any recently enacted amendments from the Mevzuat portal.
An Istanbul Law Firm advising on the complaint prerequisite under Articles 139 and 140 must explain that several of the privacy offenses in this chapter—including Article 134 violations of private life and Article 133 communication interception between private individuals—are subject to the "şikayete bağlı suç" requirement, meaning they can only be prosecuted upon a formal complaint by the victim. The public prosecutor does not investigate these offenses ex officio—without the victim's complaint, no investigation begins. This creates a critical practical obligation for victims: the complaint must be filed within the applicable limitation period from the date the victim learns of the offense and the identity of the perpetrator. A victim who delays in filing the complaint beyond this period loses the right to criminal prosecution regardless of the strength of the evidence. Practice may vary by authority and year — check current guidance on the current complaint period applicable to each specific TCK privacy offense and on the specific articles that are subject to the complaint prerequisite versus those that are prosecuted ex officio.
A Turkish Law Firm advising on the interaction between the TCK privacy offenses and the KVKK personal data protection framework must explain that a single act can simultaneously constitute a criminal offense under the TCK and a data protection violation under the Personal Data Protection Law (KVKK, Law No. 6698). These are parallel legal systems with separate enforcement mechanisms—the criminal offense is pursued through the criminal justice system via the public prosecutor, while the KVKK violation is pursued through an administrative complaint to the Personal Data Protection Authority. A victim of unlawful recording or data disclosure does not have to choose between these remedies—both can be pursued simultaneously—but they serve different purposes: the criminal complaint seeks punishment of the perpetrator, while the KVKK complaint seeks administrative sanction against the data controller and may result in an order to delete the unlawfully held data. The KVKK framework is analyzed in detail in the resource on personal data protection law in Turkey. Practice may vary by authority and year — check current guidance on the current interaction between TCK criminal prosecution and KVKK administrative enforcement for specific categories of privacy violation.
Article 134: Violation of private life
A law firm in Istanbul advising on TCK Article 134 privacy must explain that Article 134 is the provision most directly applicable to the common situations that individuals identify as privacy violations in everyday life: the covert recording of a person's private activities using video or audio equipment without their consent, and the disclosure of such recordings to third parties or to the public. The Article creates two distinct offenses in its two paragraphs: the first paragraph criminalizes the act of recording private life activities without consent, and the second paragraph—which carries a higher penalty—criminalizes the disclosure or publication of such recordings or information about private life. A person who covertly records a private individual in their home, their hotel room, a private conversation, or any other private context without consent commits the first-paragraph offense; a person who then shares that recording with others, publishes it on social media, or distributes it commits the aggravated second-paragraph offense. Practice may vary by authority and year — check current guidance on the current penalty ranges under Article 134 paragraphs 1 and 2 and on the specific elements that Turkish courts currently require to be established for a conviction under each paragraph.
An English speaking lawyer in Turkey advising on the "private life" scope of Article 134 must explain that Turkish courts have interpreted the concept of private life (özel hayat) broadly in line with the constitutional right to privacy under Article 20 of the Turkish Constitution—but the protected sphere is not unlimited. Activities conducted in genuinely public spaces, disclosures that the individual has voluntarily made to the public, and recordings made by public authorities acting under legal authorization are generally outside the Article 134 prohibition. The key analytical question is whether the recorded activity occurred in a context where the person had a reasonable expectation of privacy—a standard that Turkish courts assess based on the specific circumstances of each case including the location, the relationship between the parties, and the nature of the recorded activity. A recording made in a person's home clearly engages Article 134; a photograph taken of a person walking on a public street generally does not—but the line between these extremes requires case-by-case assessment. Practice may vary by authority and year — check current guidance on the current Turkish court approach to defining the protected private life sphere under Article 134 and on any recently issued Court of Cassation decisions that have refined the boundaries of the offense.
A Turkish Law Firm advising on the image and video disclosure dimension—where a private individual's intimate images or videos are disclosed without consent (so-called non-consensual intimate image sharing or "revenge porn")—must explain that Turkey's legal framework addresses this through the combined application of Article 134 paragraph 2 (disclosure of private life recordings), potential Article 125 defamation provisions where the disclosure is accompanied by false imputations, and the KVKK framework where the images constitute personal data. Turkish courts have imposed custodial sentences in non-consensual intimate image sharing cases, and the victim can pursue both criminal prosecution and civil damages simultaneously. The emerging digital forensics dimension—obtaining the evidence needed to identify anonymous perpetrators who share intimate images through pseudonymous accounts—requires specific technical and legal strategies that are addressed in the privacy lawyer Turkey engagement section below. Practice may vary by authority and year — check current guidance on the current Turkish judicial approach to non-consensual intimate image sharing cases and on the specific evidentiary steps Turkish courts require before ordering platform disclosure of anonymous user identity data.
Article 133: Communication interception
A law firm in Istanbul advising on TCK Article 133 communication interception must explain that Article 133 criminalizes the interception of communications between other people—listening to, recording, or transmitting conversations between third parties without the consent of those involved in the communication. The key element distinguishing Article 133 from Article 134 is that Article 133 concerns communications between others, not the recording of one's own communications with another person. A person who records their own conversation with another person—even without the other person's knowledge—is generally not committing an Article 133 offense (though this may engage other legal provisions depending on context and use); a person who intercepts and records a conversation between two others commits the Article 133 offense. Practice may vary by authority and year — check current guidance on the current Turkish court interpretation of the Article 133 "between others" element and on how courts handle scenarios where the recording person is also a participant in the conversation.
An English speaking lawyer in Turkey advising on the phone recording law Turkey dimension must clarify a persistent misunderstanding: Turkish law does not contain a blanket prohibition on recording your own phone conversations. The act of one party to a conversation recording that conversation without the other party's knowledge is generally analyzed under different provisions—not Article 133—and the legality depends significantly on the purpose of the recording and how it is subsequently used. A recording of one's own conversation made purely for personal reference, never shared with third parties, and used only in legal proceedings to prove what was said occupies a very different legal position from the same recording shared on social media for reputational purposes. Turkish courts have addressed this distinction in numerous cases. Practice may vary by authority and year — check current guidance on the current Turkish court approach to self-party recordings and on the specific conditions under which such recordings are admissible as evidence in criminal and civil proceedings.
A Turkish Law Firm advising on the hidden camera law Turkey dimension under Article 133 and related provisions must explain that covert surveillance devices installed to intercept communications in a space where private communications occur—a home, an office, a meeting room—engage both Article 133 (interception of communications between others) and Article 134 (surveillance of private life activities), depending on the specific nature of what is captured. A hidden microphone installed in a marital home by one spouse to record the other spouse's private conversations with third parties, or a hidden camera installed in a shared workspace to record confidential business discussions, can engage multiple TCK provisions simultaneously. The sentence exposure in these cases is significant—multiple offense provisions can be applied concurrently. Practice may vary by authority and year — check current guidance on the current Turkish court approach to concurrent application of Articles 133 and 134 in hidden surveillance device cases and on the procedural steps for obtaining judicial authorization to search for and seize such devices.
Articles 135–136: Personal data offenses
A law firm in Istanbul advising on TCK Articles 135 and 136 personal data offenses must explain that these provisions criminalize two distinct acts in the personal data context: Article 135 criminalizes the unlawful recording of personal data (without a legal basis justifying the data processing), while Article 136 criminalizes the unlawful transfer, disclosure, or acquisition of personal data—including selling personal data, sharing it with unauthorized parties, or obtaining it through unlawful means. The definition of "personal data" in the TCK context is broad and aligns with the KVKK definition: any information relating to an identified or identifiable natural person, including name, contact details, financial information, health data, location data, and biometric data. Practice may vary by authority and year — check current guidance on the current TCK and KVKK definitions of personal data and on the specific data categories that Turkish courts and the KVKK currently treat as sensitive personal data subject to enhanced protection.
An English speaking lawyer in Turkey advising on Article 136 data disclosure violations in the employment context—where an employer or former employer unlawfully discloses an employee's personal data—must explain that this is one of the most frequently encountered personal data violation scenarios in Turkish practice. An employer who shares an employee's health records, financial information, or disciplinary history with third parties without legal basis commits an Article 136 offense in addition to potential KVKK violations. A former employer who provides a negative reference that discloses personal information about a former employee beyond what the reference requestor has a legitimate need to know may similarly engage these provisions. The employment law Turkey framework—covering employee data protection rights—is analyzed in the resource on termination of employment in Turkey. Practice may vary by authority and year — check current guidance on the current Turkish court and KVKK approach to employer personal data disclosure violations in the employment context.
A Turkish Law Firm advising on Article 138—the failure to destroy data when legally required—must explain that this provision creates a specific criminal obligation for data controllers who are required by law or court order to destroy personal data but who fail to do so. In practice, this most frequently arises in situations where: a KVKK decision or court order requires deletion of unlawfully processed data; a storage period specified in a retention policy or legal requirement has expired; or a data subject's valid erasure request under KVKK Article 7 has not been complied with. The Article 138 offense is particularly relevant for companies and organizations that hold large volumes of personal data and that may have systemic failures in their data deletion procedures. A data controller who cannot demonstrate timely compliance with a deletion obligation faces Article 138 exposure in addition to KVKK administrative sanctions. Practice may vary by authority and year — check current guidance on the current KVKK deletion obligation requirements and on the specific evidence of deletion that Turkish courts and the KVKK currently require to establish compliance with Article 138.
Article 137: Aggravated offenses
An English speaking lawyer in Turkey advising on TCK Article 137 aggravated privacy offenses must explain that Article 137 increases the penalties for the offenses in Articles 132 through 136 when they are committed in two specific aggravating circumstances: first, when the offense is committed by a public official (kamu görevlisi) who abuses their official position or authority to commit the violation; and second, when the offense is committed using the means or capabilities of an organization or company (belirli bir meslek grubuna veya korporasyona mensup kişiler). The public official aggravation is particularly significant in cases involving police officers who conduct unauthorized surveillance, civil servants who access and disclose personal data held in government databases, or healthcare workers who disclose patient data without authorization. Practice may vary by authority and year — check current guidance on the current Turkish court approach to the Article 137 public official aggravation and on the specific professional categories currently recognized as qualifying for the organizational means aggravation.
A Turkish Law Firm advising on the practical significance of the public official aggravation must explain that it addresses a category of privacy violation that is both particularly harmful—because public officials have access to sensitive data and coercive powers that ordinary individuals lack—and particularly difficult to detect and prosecute, because the abuse occurs within institutional structures that may not actively surface violations. A police officer who accesses the national identity database (MERNİS) to retrieve personal information about an individual for personal reasons rather than official duty, or a tax inspector who accesses taxpayer records without authorization, commits the Article 135 or 136 base offense aggravated by Article 137. Victims of public official privacy violations should file complaints with both the public prosecutor and the relevant disciplinary authority (the institution employing the official). Practice may vary by authority and year — check current guidance on the current complaint and investigation procedures for public official privacy violations and on the interaction between criminal prosecution and administrative disciplinary proceedings in these cases.
A law firm in Istanbul advising on corporate privacy violations—where an organization's system or database is used to commit privacy violations against individuals—must explain that the Article 137 organizational means aggravation engages corporate liability alongside individual criminal liability in certain cases. While Turkish criminal law generally does not impose criminal liability on legal entities (corporations are not criminally prosecuted as defendants in Turkish law), the individual employees, managers, or officers who commit privacy violations using corporate systems and authority face both the base offense penalty and the Article 137 aggravation. A company that systematically processes personal data in violation of TCK Article 135 or 136—for example, by operating a customer database for unauthorized secondary purposes—exposes its responsible managers to criminal liability under the aggravated provision. Practice may vary by authority and year — check current guidance on the current Turkish prosecutor's approach to identifying and charging individual corporate officers in systematic data violation cases and on the interaction between corporate KVKK liability and individual TCK criminal liability.
Surveillance and hidden cameras
An English speaking lawyer in Turkey advising on the surveillance law Turkey framework must explain that the installation of surveillance equipment—CCTV cameras, audio recording devices, GPS trackers, keyloggers, or other monitoring tools—is regulated both by the TCK privacy provisions and by specific sector regulations applicable to workplace monitoring, commercial premises, and public spaces. The general principle is that surveillance in private spaces without the knowledge and consent of the persons monitored constitutes a criminal offense; surveillance in semi-public commercial spaces (shops, hotel lobbies, parking areas) with appropriate disclosure and regulatory compliance may be lawful; and surveillance in truly public spaces is generally lawful for security purposes subject to proportionality requirements. The legal analysis of any specific surveillance installation requires assessing where on this spectrum the monitored space falls and whether the disclosure and consent requirements have been met. Practice may vary by authority and year — check current guidance on the current Turkish regulatory requirements for CCTV and surveillance installations in different types of premises and on the KVKK guidance on compliant workplace surveillance.
A Turkish Law Firm advising on workplace surveillance—one of the most practically significant and legally complex surveillance contexts—must explain that an employer's right to monitor employee activities in the workplace is constrained by both TCK privacy provisions and KVKK data protection obligations. Turkish courts and the KVKK have addressed the employer surveillance framework through a proportionality analysis: surveillance that is proportionate to a legitimate business purpose, conducted transparently with employee awareness, limited to work-related activities and spaces, and subject to appropriate data retention limits is generally lawful; surveillance that extends to private communications, break areas, restrooms, or personal device activity without disclosure is generally not. An employer who installs hidden cameras in employee personal spaces or who covertly monitors private communications faces TCK criminal liability in addition to KVKK administrative sanctions. The KVKK compliance framework for employers is analyzed in the resource on GDPR and KVKK compliance Turkey. Practice may vary by authority and year — check current guidance on the current KVKK guidance documents on employee monitoring and on the specific disclosure requirements applicable to different workplace surveillance technologies.
A law firm in Istanbul advising on the GPS tracking dimension—where a vehicle or person is tracked using a GPS device installed without consent—must explain that covert GPS tracking of another person constitutes a violation of their private life under Article 134 when the tracking is used to monitor their movements, associations, and activities in a private context. The installation of a GPS tracker on another person's vehicle without their knowledge or legal authorization is both a property violation (tampering with the vehicle) and a privacy violation under TCK Article 134. Turkish courts have addressed GPS tracking cases in the context of spousal surveillance and employment monitoring, generally finding that covert tracking of private individuals without court authorization constitutes a criminal privacy violation. Practice may vary by authority and year — check current guidance on the current Turkish court approach to GPS tracking privacy violation claims and on the specific evidence required to establish the unlawful nature of the tracking in different factual contexts.
Digital privacy violations
An English speaking lawyer in Turkey advising on digital privacy violations in Turkey must explain that the TCK privacy provisions apply fully to digital contexts—the medium through which a privacy violation occurs (digital versus analog) does not affect the criminal characterization. Hacking into someone's email account to read their private correspondence violates Article 132; installing spyware on someone's phone to intercept their communications violates Article 133; capturing and sharing someone's private social media content or intimate images shared in private digital channels violates Article 134; and obtaining and selling personal data from a digital database violates Article 136. The digital context often adds a separate layer of criminal exposure through the Computer Crime provisions of the TCK (Articles 243 and 244) for the unauthorized access component of the violation. Practice may vary by authority and year — check current guidance on the current Turkish court approach to concurrent application of TCK privacy provisions and computer crime provisions in digital privacy violation cases and on the specific technical evidence required to support a criminal complaint in these cases.
A Turkish Law Firm advising on social media privacy violations—where private information about an individual is disclosed without consent on social media platforms—must explain that the disclosure of private information through social media constitutes an Article 134 paragraph 2 offense where the information concerns the person's private life, and may additionally constitute criminal defamation (iftira or hakaret) under TCK Articles 125–131 where the disclosure involves false imputations. The victim of a social media privacy violation has the option of filing a criminal complaint identifying the perpetrator, applying to the Information Technologies and Communication Authority (BTK) for content blocking (erişim engeli) where the content constitutes a clear privacy violation, and filing a civil lawsuit for moral damages. The content blocking route through BTK is particularly useful where rapid removal of harmful content is the priority—the blocking decision can be obtained within 24 hours in urgent cases under the applicable internet law. Practice may vary by authority and year — check current guidance on the current BTK content blocking procedures for privacy-violating social media content and on the current processing times for urgent blocking applications.
A law firm in Istanbul advising on the data breach dimension—where personal data held by a company or public authority is exposed through a security breach—must explain that a data breach that exposes personal data constitutes a TCK Article 136 violation (unlawful exposure of personal data) where the breach results from negligent or deliberate failures in data security rather than from an external attack that the data controller could not reasonably have prevented. The KVKK requires data controllers to notify both the KVKK and affected data subjects of breaches within 72 hours of discovery—a compliance obligation that runs concurrently with any criminal exposure. A company that experiences a significant data breach and fails to comply with the KVKK notification obligation faces both administrative sanctions for the notification failure and potential criminal exposure for the underlying data exposure. The director liability data breach Turkey framework is analyzed in the resource on director liability for data breaches in Turkey. Practice may vary by authority and year — check current guidance on the current KVKK data breach notification requirements and on the criminal exposure framework for data controllers following significant breaches.
Criminal complaint process
A Turkish Law Firm advising on how to file a privacy criminal complaint Turkey must explain that the criminal complaint (suç duyurusu or şikayet dilekçesi) is filed with the Chief Public Prosecutor's Office (Cumhuriyet Başsavcılığı) in the district where the offense was committed or where the perpetrator resides. The complaint can be filed in person at the prosecutor's office, submitted by mail, or filed through an attorney. A well-prepared criminal complaint should: clearly identify the complainant and their contact information; describe the specific acts constituting the offense in chronological order; identify the perpetrator or perpetrators to the extent known; specify the TCK provisions allegedly violated; list the evidence available to support the complaint; and attach copies of that evidence. A poorly drafted complaint that omits key elements or that characterizes the offense incorrectly may result in a decision not to prosecute (kovuşturmaya yer olmadığına dair karar, KYOK) that the complainant then has to appeal. Practice may vary by authority and year — check current guidance on the current complaint filing procedures at the specific prosecutor's office with jurisdiction over your case and on any recently digitized complaint submission options.
An English speaking lawyer in Turkey advising on the evidence collection phase—what evidence to gather before filing the privacy criminal complaint—must explain that digital evidence in privacy violation cases is particularly vulnerable to deletion, modification, and loss, and that preserving evidence must be the first priority upon discovering a violation. Digital evidence that should be preserved immediately includes: screenshots of offending content with timestamps and URL information; screen recordings of dynamic content that may be removed; notarized digital evidence (noter tespit tutanağı) where the evidence is particularly important—a notary can attend and formally record the existence of digital content at a specific time, creating an official document that is difficult to challenge; and preserving physical devices (phones, computers, recording equipment) that may contain evidence of the violation. Evidence that has not been preserved before the complaint is filed may be permanently lost if the perpetrator deletes it in the meantime. Practice may vary by authority and year — check current guidance on the current Turkish court and prosecutor evidentiary standards for digital evidence in privacy violation cases and on the current procedure for notarized digital evidence preservation.
A law firm in Istanbul advising on the investigation phase after the complaint is filed must explain that the public prosecutor will conduct a preliminary investigation (ön soruşturma) to determine whether there is sufficient basis to initiate a formal investigation (soruşturma) and ultimately to decide whether to bring charges (iddianame düzenlemek) or issue a non-prosecution decision (KYOK). For privacy offenses subject to the complaint prerequisite, the prosecutor cannot act without the complaint but may request additional evidence and investigative steps from the police once the complaint is filed. A complainant who files a bare complaint without supporting evidence may receive a KYOK decision—not because the offense did not occur, but because the evidence does not establish sufficient grounds for prosecution. If a KYOK is issued, the complainant has 15 days to file an objection (itiraz) with the competent criminal court of peace (sulh ceza hakimliği). Practice may vary by authority and year — check current guidance on the current investigation procedures for TCK privacy offenses and on the current objection procedure and deadline applicable to KYOK decisions in the relevant jurisdiction.
Civil remedies for privacy violations
An English speaking lawyer in Turkey advising on civil remedies for privacy violations in Turkey must explain that the Turkish Civil Code (Medeni Kanun) and the Code of Obligations (Borçlar Kanunu) provide independent civil law remedies for privacy violations that operate in parallel with criminal proceedings—meaning that a victim can pursue both criminal prosecution and civil compensation simultaneously, or can pursue civil remedies alone without filing a criminal complaint. The civil remedy for privacy violation is grounded in the right to personality (kişilik hakkı) protected under Turkish Civil Code Article 24, which provides that any person whose personality rights are unlawfully threatened or violated can seek court orders to stop the violation, remove its effects, and compensate for the resulting damages. Practice may vary by authority and year — check current guidance on the current civil court procedure for privacy violation claims and on the specific courts with jurisdiction over different categories of civil privacy claims in Turkey.
A Turkish Law Firm advising on moral damages (manevi tazminat) in privacy violation cases must explain that Turkish courts consistently award moral damages for privacy violations that cause emotional distress, reputational harm, or other non-material injury to the victim. The amount of moral damages awarded depends on the severity of the violation, the extent of disclosure, the perpetrator's intent or fault, and the victim's personal circumstances—Turkish courts have significant discretion in setting the amount, and awards range widely depending on these factors. The calculation of moral damages in privacy cases is not a mechanical formula: the court weighs the nature of the privacy invasion, whether intimate or sensitive information was involved, the breadth of disclosure (one person versus thousands), and the lasting effects on the victim's personal and professional life. A victim seeking moral damages should document the personal impact of the violation as specifically as possible—concrete effects on employment, relationships, health, and daily life support a higher damages award than abstract claims of distress. Practice may vary by authority and year — check current guidance on the current Turkish court approach to moral damages calculation in privacy violation cases and on any recently issued Court of Cassation decisions that have set reference points for damages in specific categories of violation.
A law firm in Istanbul advising on urgent interim measures in privacy violation cases—court orders obtained before a full trial to stop an ongoing violation—must explain that the Turkish civil procedure framework provides for urgent interim injunctions (ihtiyati tedbir) that can be obtained quickly where the applicant can demonstrate the likelihood of the underlying right and the urgency of protection. A victim of an ongoing social media disclosure, for example, can apply to the civil court for an immediate injunction requiring the perpetrator to remove the offending content, pending the outcome of the full civil proceedings. The interim injunction application is decided on the papers—often within days—without the perpetrator's participation, providing rapid emergency relief. The commercial litigation Turkey framework—covering Turkish civil procedure including interim measures—is analyzed in the resource on commercial litigation Turkey. Practice may vary by authority and year — check current guidance on the current Turkish civil court interim injunction procedure for privacy cases and on the evidence and security deposit requirements applicable to urgent applications.
Privacy rights of foreign nationals
A Turkish Law Firm advising on the privacy rights Turkey framework for foreign nationals must explain that the TCK privacy protections apply to all individuals present in Turkey regardless of nationality—a foreign national whose privacy is violated in Turkey has the same right to file a criminal complaint and pursue civil remedies as a Turkish citizen. The nationality of the victim does not affect the applicability of the TCK or the civil remedies available. A foreign national who is the victim of covert recording, communication interception, or personal data disclosure in Turkey can file a complaint with the Turkish public prosecutor in the same manner as a Turkish citizen. Practice may vary by authority and year — check current guidance on any specific procedural requirements or documentation obligations applicable to foreign national complainants in Turkish criminal privacy proceedings—such as translation requirements for complaint documents or identification verification procedures.
An English speaking lawyer in Turkey advising on the cross-border privacy violation scenario—where the perpetrator is in Turkey but the victim is abroad, or where the violation occurs through online platforms with servers in foreign jurisdictions—must explain that Turkish jurisdiction over privacy offenses extends to violations that occur in Turkey even where the perpetrator or the victim is located outside Turkey, and Turkish courts have asserted jurisdiction over online privacy violations accessible in Turkey. A foreign national who is victimized by a Turkey-based perpetrator can file a complaint with Turkish authorities regardless of where they are physically located at the time of filing—through the Turkish consulate in their country of residence or directly by mail to the relevant prosecutor's office. Practice may vary by authority and year — check current guidance on the current Turkish prosecutor's approach to accepting and processing complaints filed by foreign nationals from abroad and on any specific documentation requirements for overseas complainants.
A law firm in Istanbul advising on the KVKK complaint route for foreign nationals whose personal data has been processed in violation of Turkish data protection law must explain that the KVKK accepts complaints from all natural persons whose personal data has been unlawfully processed by data controllers subject to Turkish jurisdiction—the complainant's nationality and country of residence are not eligibility conditions. A foreign national whose personal data is held and processed by a Turkish company, Turkish government authority, or any other data controller subject to KVKK jurisdiction can file a KVKK complaint. The KVKK complaint must first be made directly to the data controller (a prerequisite to KVKK application), and if the controller fails to respond or responds inadequately within 30 days, the complaint can be escalated to the KVKK. The KVKK's website at kvkk.gov.tr provides the current complaint form and guidance. Practice may vary by authority and year — check current guidance on the current KVKK complaint procedure and on any recently changed requirements for international complaints from non-resident data subjects.
Defenses and legitimate exceptions
An English speaking lawyer in Turkey advising on defenses to privacy violation charges must explain that not every recording, disclosure, or surveillance activity constitutes a criminal privacy offense—Turkish law recognizes a range of circumstances in which activities that would otherwise engage the TCK privacy provisions are lawful or exempt from criminal liability. The primary recognized exceptions include: lawful judicial authorization (a court-ordered wiretap conducted by law enforcement pursuant to a valid judicial warrant); consent of the person recorded or monitored (where genuine, informed consent to recording or disclosure has been given); the legitimate exercise of press freedom in the public interest (where journalists report on matters of genuine public concern using proportionate investigative techniques); and the use of recordings made by a party to a conversation in their own defense in legal proceedings where no other evidence is available. Practice may vary by authority and year — check current guidance on the current Turkish court approach to each of these exceptions and on the specific conditions that must be met for each exception to apply.
A Turkish Law Firm advising on the press freedom exception—a significant source of tension between privacy rights and journalism in Turkey—must explain that Turkish courts apply a proportionality test in cases where privacy violation is claimed against journalistic activities: the public interest value of the information disclosed, the public status of the person whose privacy is at issue (public figures have reduced privacy expectations in their public roles), and whether the journalistic means used were proportionate to the public interest served. A journalist who publishes a public official's clearly public conduct recorded in the performance of their official duties generally cannot be successfully prosecuted for privacy violation. A journalist who covertly records and publishes the private family life of a private individual without significant public interest justification faces a much weaker press freedom defense. The free speech in Turkey framework—covering the boundaries of constitutionally protected expression including journalistic expression—is analyzed in the resource on free speech in Turkey. Practice may vary by authority and year — check current guidance on the current Turkish constitutional court and Court of Cassation balance between privacy rights and press freedom in specific fact patterns.
A law firm in Istanbul advising on the consent defense must explain that genuine, informed consent to recording or disclosure is a complete defense to TCK privacy charges—but the consent must be real and uncoerced, must have been given before the recording or disclosure (not ratified after the fact), and must specifically cover the activity for which consent is claimed. A general consent to being photographed does not constitute consent to intimate recording; consent given under economic pressure or in an employment context may be challenged as not freely given; and consent given to one party for one purpose does not authorize disclosure to third parties for a different purpose. A person charged with a TCK privacy offense who relies on a consent defense must be able to produce evidence of the specific consent—typically a written consent document, a recording of the consent being given, or witness testimony. Practice may vary by authority and year — check current guidance on the current Turkish court evidentiary standards for establishing a consent defense in TCK privacy violation proceedings.
Practical steps for victims
A Turkish Law Firm advising on the immediate practical steps for a victim of a privacy violation in Turkey must explain that the first priority is evidence preservation—before anything else, capture and preserve every piece of evidence of the violation in a format that will be durable and credible in legal proceedings. This means: taking timestamped screenshots of all offending content with URL addresses visible; downloading and saving any recordings or images involved; documenting the time and manner in which you discovered the violation; recording the identity or apparent identity of the perpetrator if known; and if the violation involves a digital platform, preserving the URL, account details, and content in a notarized digital evidence record (noter tespit) for maximum evidentiary weight. The speed of evidence preservation is critical because digital content can be deleted rapidly once the perpetrator becomes aware of legal action. Practice may vary by authority and year — check current guidance on the current accepted standards for digital evidence preservation in Turkish criminal proceedings and on the current procedure for obtaining a notarized digital evidence record from a Turkish notary public.
An English speaking lawyer in Turkey advising on the strategic decision of which legal avenue to pursue first—criminal complaint, civil lawsuit, KVKK complaint, or BTK content removal application—must explain that this decision depends on the specific nature of the violation and the victim's primary objective. If the primary objective is rapid removal of harmful content from the internet, the BTK blocking application (erişim engeli talebi) is typically the fastest route—decisions can be obtained within 24 hours in urgent cases. If the primary objective is punishment of the perpetrator, the criminal complaint is the appropriate first step. If the primary objective is financial compensation, the civil lawsuit is the primary vehicle—and the civil lawsuit can be filed immediately without waiting for the outcome of any criminal proceedings. If the primary objective is deletion of unlawfully held personal data, the KVKK complaint route is the most targeted mechanism. In many cases, all four avenues should be pursued simultaneously to maximize the pressure on the perpetrator and the effectiveness of the legal response. Practice may vary by authority and year — check current guidance on the current processing times and practical outcomes achievable through each avenue in the specific jurisdiction and fact pattern applicable to your case.
A best lawyer in Turkey completing the practical guidance must address the privacy lawyer Turkey engagement question—when qualified Turkish legal counsel is essential versus when self-management is sufficient. For minor privacy violations with a known perpetrator, clearly preserved evidence, and a straightforward factual pattern, a self-represented criminal complaint may be sufficient to trigger an investigation. However, for violations involving intimate images, systematic data breaches, public official perpetrators, cross-border elements, anonymous perpetrators requiring platform disclosure orders, or any situation where the victim has suffered significant reputational or financial harm, qualified Turkish privacy and criminal law counsel is essential. The complexity of managing parallel criminal, civil, and administrative proceedings; obtaining urgent interim injunctions; navigating digital evidence authentication; and identifying anonymous online perpetrators through legal process all require specialist legal expertise that significantly affects outcomes. The Istanbul Bar Association at istanbulbarosu.org.tr provides resources for identifying qualified practitioners. Practice may vary by authority and year — check current guidance on the current TCK penalty ranges, complaint deadlines, and procedural requirements applicable to your specific privacy violation situation before taking any legal action.
Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.
He advises individuals and companies across Criminal Defense, Data Protection Law, Commercial and Corporate Law, and cross-border documentation matters where procedural accuracy and evidence discipline are decisive.
Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022). LinkedIn: Profile. Istanbul Bar Association: Official website.