What is personal data?
Personal data (Turkish: kişisel veri) is any information relating to an identified or identifiable natural person. Under KVKK Article 3 and GDPR Article 4, the definition is broad on purpose — it covers data that, alone or combined with other data, can identify a person.
Examples of personal data
- Direct identifiers: name, surname, national ID (TCKN), email, phone, photograph
- Online identifiers: IP address, cookie ID, device ID, advertising ID, MAC address
- Location data: GPS coordinates, cell tower data, Wi-Fi fingerprinting
- Genetic and biometric data (special category — see below)
- Economic identity: bank account, IBAN, payment history, credit score
- Online behavior: browsing history, search queries, social media posts
- Pseudonymized data IS still personal data — only fully anonymized data falls outside KVKK
Personal data vs sensitive (special category) data
KVKK Article 6 carves out special category personal data (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association/foundation/union membership, health, sexual life, criminal convictions, biometric and genetic data) which requires explicit consent and additional safeguards.
Practical implications
Treat all user data as personal data by default. Build a data inventory mapping what you collect, where it lives, and who has access. Especially for AI products — your training data may contain PII you need to strip before model fine-tuning. See the KVKK Tracker for recent AI-related Authority guidance.