What is special category personal data?
Special category personal data (Turkish: özel nitelikli kişisel veri; international counterpart: sensitive personal data) is a sub-category of personal data requiring heightened protection. Under KVKK Article 6, processing is prohibited by default unless an enumerated exception applies plus explicit consent or specific legal authority.
Categories listed in KVKK Article 6
- Race, ethnic origin
- Political opinion
- Philosophical belief, religion, sect, or other beliefs
- Appearance and dress
- Membership in associations, foundations, or unions
- Health and sexual life
- Criminal convictions and security measures
- Biometric and genetic data
Processing requirements
Article 6(2) and (3) allow processing only with (a) explicit consent of the data subject; OR (b) where expressly permitted by law (for health/sexual data: only by persons under confidentiality duty, e.g., doctors); OR for non-health/sexual categories: where necessary for the protection of vital interests, performance of an employment contract, or other specifically enumerated grounds.
Additional technical and organizational measures
The KVKK Authority issued specific guidelines requiring encryption, access logging, isolated environments, and special authorization workflows for special category data. Two-factor authentication for any user accessing this data is essentially mandatory. Read the Authority’s official decisions.
Practical implications for tech founders
HealthTech, EdTech (especially with under-18 users), HRTech (health screenings, background checks), facial recognition products, biometric authentication apps all process special category data. Budget for security audits and explicit consent UX before launch. See KVKK Tracker for past Authority fines on biometric and health data mishandling.