The concept of processing personal data is defined in the European Union directive (EU 95/46/EC) in ‘2/b’ as “any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; classification, storage, use, retrieval, distribution, erasure, destruction, collection, etc.”
In the General Data Protection Regulation (GDPR), it is defined in Article 4/2 as “any operation or set of operations performed upon personal data or a set of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; classification, storage, use, retrieval, distribution, restriction, erasure, destruction, collection, etc.” It appears that there is no fundamental difference between the definitions in the directive and the regulation, with only a few word changes that do not affect the essence of the regulation.
The concept of processing personal data is also explained in the Personal Data Protection Law (KVKK) in Article 3/E. The law states, “Processing of personal data: It refers to any operation performed on personal data, fully or partially by automatic means or as part of a data recording system, including collection, recording, storage, preservation, modification, restructuring, disclosure, transmission, acquisition, making available, classification, or preventing its use.”
In the legal definitions related to the processing of personal data, it is noted that the actions to be performed on personal data are determined by enumeration, but it is also regulated that similar activities to those listed will be considered within the scope of data processing. Similarly, the methods used for data processing are not limited. Data can be processed by computer and similar automated systems, as well as by individuals without automated systems, and actions like those listed will still result in the processing of personal data. For example, merely negotiating on personal data without recording it will also imply that the data has been processed.
The collection of personal data is one of the actions considered as data processing. How personal data is collected and for what purpose is not significant. Activities such as taking photographs of individuals through surveillance, recording a person’s GPS coordinates, or listening to phone calls to capture personal data fall within the scope of personal data processing. The action of recording collected personal data onto CDs, MP3s, DVDs, USB drives, etc., constitutes a separate processing method outside of mere collection. The preservation of recorded personal data is another distinct processing method. Actions like copying personal data, organizing image files, audio files, etc., are also separate processing methods. Modifying personal data is another separate processing method. The deletion and destruction of personal data that has been collected, stored, preserved, and subsequently grouped or altered is also a separate processing method. The transfer of personal data between individuals will also be considered data processing. Both the transferor and the transferee will be deemed to have processed the data. Especially in the context of data mining and big data, acquiring numerous data from different sources, classifying these data, analyzing and combining them to arrive at new conclusions will also be considered actions within the scope of data processing. The actions listed above do not exhaustively describe all actions related to data processing. In a broader sense, any operation or action performed on personal data will imply data processing. The law does not provide a consumer-style definition for the actions and operations referred to by the word “like.”
The concept of processing personal data has also been a subject of decisions by the European Court of Justice. In particular, uploading personal data to websites has been defined as processing personal data. Regardless of whether the data are personal data, systematic scanning of data on the internet by search engines and presenting them in lists has been characterized as the collection, recording, classification, disclosure, and making personal data available, thus constituting personal data processing. The fact that data has been made public in other channels beforehand does not bear any significance concerning the existence of data processing activities.[1]
[1] Mesut Serdar SEÇKİN, Avrupa Birliği Hukukuyla Mukayeseli Olarak 6698 sayılı Kişisel Verilerin Korunması Kanunu, Onikilevha,2018, p.40.
Attorney Yalçın Torun
© 2025 Torun Law Firm – All Rights Reserved.
This article is protected under the provisions of the Law on Intellectual and Artistic Works (No. 5846). The content, in whole or in part, may not be copied, reproduced, published, or shared on any other website without the prior written permission of the author and Torun Law Firm.
This material may only be shared by licensed attorneys, for professional purposes, without any modifications, and with full attribution to the author and the source.
Any unauthorized use may result in legal and criminal liability.