What is a Data Subject?
A data subject (Turkish: ilgili kişi) is the identified or identifiable natural person whose personal data is processed by a controller or processor. Under Turkey’s KVKK (Law No. 6698) and the EU’s GDPR, the data subject is the holder of rights against organizations handling their information.
Who qualifies?
A data subject must be a natural person — legal entities (companies, associations, foundations) are not data subjects under KVKK or GDPR. Identifiability includes direct identifiers (name, national ID, email) and indirect identifiers (IP address, device fingerprint, cookie ID) that, alone or combined with other data, can single out an individual.
Core rights under KVKK Article 11
- To learn whether their data is being processed
- To request information about the processing
- To learn the purpose and verify proper use
- To know third parties to whom data has been transferred (domestic or foreign)
- To request correction of inaccurate data
- To request erasure or destruction
- To object to automated decisions producing adverse outcomes
- To claim compensation for damages from unlawful processing
Practical implications for founders
Every Turkish-facing product must publish an accessible privacy notice and operate a 30-day data subject request (DSR) workflow. KVKK enforcement consistently penalizes controllers who lack a documented DSR process. Set up a dedicated channel (privacy@yourdomain), ticketing, and 24/7 escalation for breach notifications. See the KVKK Tracker for recent enforcement examples.
The rights that attach to a data subject
A data subject is the identified or identifiable individual to whom personal data relates — and the whole architecture of data-protection law exists to protect that person. Both the GDPR and the KVKK grant the data subject a bundle of enforceable rights: to be informed about processing, to access their data, to have it corrected or erased, to object to certain processing, to restrict it, and (under the GDPR) to data portability. For organisations the practical consequence is operational: there must be a defined, time-bound process for receiving and answering data-subject requests, verifying the requester’s identity, and logging the response. Treating these rights as a paperwork exercise rather than a real workflow is a common source of complaints and regulatory findings.