What is a Data Subject?
A data subject (Turkish: ilgili kişi) is the identified or identifiable natural person whose personal data is processed by a controller or processor. Under Turkey’s KVKK (Law No. 6698) and the EU’s GDPR, the data subject is the holder of rights against organizations handling their information.
Who qualifies?
A data subject must be a natural person — legal entities (companies, associations, foundations) are not data subjects under KVKK or GDPR. Identifiability includes direct identifiers (name, national ID, email) and indirect identifiers (IP address, device fingerprint, cookie ID) that, alone or combined with other data, can single out an individual.
Core rights under KVKK Article 11
- To learn whether their data is being processed
- To request information about the processing
- To learn the purpose and verify proper use
- To know third parties to whom data has been transferred (domestic or foreign)
- To request correction of inaccurate data
- To request erasure or destruction
- To object to automated decisions producing adverse outcomes
- To claim compensation for damages from unlawful processing
Practical implications for founders
Every Turkish-facing product must publish an accessible privacy notice and operate a 30-day data subject request (DSR) workflow. KVKK enforcement consistently penalizes controllers who lack a documented DSR process. Set up a dedicated channel (privacy@yourdomain), ticketing, and 7/24 escalation for breach notifications. See the KVKK Tracker for recent enforcement examples.