Protection of Children’s Personal Data in Turkish Law and International Legislation

With the advancements in electronic environments and the growing opportunities of the digital age, the need to protect children’s personal data has become more pressing. Children are vulnerable in digital environments, and measures must be taken to protect them against the risks they face. The Turkish Personal Data Protection Law No. 6698 (KVKK) falls short in terms of measures and provisions aimed at protecting children’s personal data. In this article, we will address the protection of children’s personal data within the scope of Turkish law and international legislation.
What is Personal Data?
The definition of personal data is provided in Article 3, paragraph (d) of the Turkish Personal Data Protection Law No. 6698, which states:
“Personal data: Any information relating to an identified or identifiable natural person.”
Examples of personal data include fingerprints, resumes, residential addresses, bank information, and transactions. Beyond these, personal attributes such as physical features, socio-economic characteristics, education, and familial details also constitute personal data. Personal data must be processed lawfully, in compliance with principles of honesty, and without violating fundamental rights and freedoms. Data controllers who process such personal data are obligated to fulfill their disclosure requirements under the Personal Data Protection Law.
What is the Concept of a Child in Turkish Law and International Legislation?
The concept of a child is defined in various pieces of Turkish legislation, such as the Turkish Civil Code No. 4721 and the Child Protection Law No. 5395. According to Turkish law, a child is an individual under the age of 18, that is, a person who has not reached legal age. Legal age in Turkish law is attained at 18 years.
International legislation, for example the United Nations Convention on the Rights of the Child (UNCRC) or the General Data Protection Regulation (GDPR), also defines the concept of a child. Article 1 of the UNCRC defines a child as:
“A child means every human being below the age of eighteen years unless under the law applicable to the child, majority is attained earlier.”
According to this definition, 18 years is the determining threshold for adulthood. Different regulations may specify varying ages for defining a child, but the concept generally revolves around age limitations.
Protection of Children’s Personal Data under the Turkish Personal Data Protection Law (KVKK)
The Personal Data Protection Law No. 6698 (KVKK) provides the framework for the protection and processing of individuals' personal data. Although it does not include specific provisions for children, children’s personal data are protected under general principles. However, the provisions remain inadequate for the unique needs of children’s data protection.
According to Turkish law, a child is defined as an individual under the age of 18. While children gain legal capacity at birth, they do not possess full legal capacity. Full legal capacity requires the individual to be of legal age, have the power of discernment, and not be under legal disability. Under the KVKK, explicit consent is required for the processing of personal data. However, as minors under 18 lack full legal capacity, they cannot provide such consent. This places a responsibility on parents or guardians to protect their children’s personal data. Parents must be informed and take necessary measures to ensure their children’s data are safeguarded while educating their children about these matters.
Article 4 of the KVKK stipulates certain principles for processing personal data. Personal data must be processed lawfully and in accordance with principles of honesty, be accurate and up-to-date when necessary, processed for specific, explicit, and legitimate purposes, and limited to what is necessary for the purposes for which they are processed. These principles also apply to the processing of children’s personal data. Additionally, the best interests of the child should always be considered when processing their personal data, given their greater need for protection compared to adults.
Processing of Children’s Personal Data in International Legislation
The UN Convention on the Rights of the Child (UNCRC) is the primary international treaty addressing children’s rights. Turkey is a party to this convention. The UNCRC comprehensively outlines children’s rights, including their development, right to life, and general well-being. According to the convention, every individual under the age of 18 is considered a child.
Article 3 of the UNCRC emphasizes the best interests of the child, stating:
“In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities, or legislative bodies, the best interests of the child shall be a primary consideration.”
This principle ensures that the protection of children’s personal data prioritizes their security and well-being.
The General Data Protection Regulation (GDPR) provides a more detailed framework for protecting children’s personal data compared to the UNCRC. Under the GDPR, the processing of children’s personal data requires the consent of a parent or guardian for children under the age of 16. Member states may lower this age limit to 13, but it cannot go below 13.
For instance, an 11-year-old sharing political opinions on social media requires parental consent. On the other hand, a 17-year-old does not need parental consent to share similar views.
Consent for Processing Children’s Data
For children under 16, parental or guardian consent is required for the processing of their data. This raises critical questions about whether parents should obtain consent from their children when sharing their data. When parents process their children’s data, the principle of balancing interests must be applied. If processing serves the child’s interests, it may be permissible; otherwise, it may be deemed unlawful.
Regarding the ability of children to consent to their data being processed, the GDPR allows children aged 16 and above to provide consent. Member states may lower this age limit to 13. For younger children, parental consent is mandatory, and the processing of their data must be communicated to them in a manner they can understand.
Conclusion
With the increasing accessibility of digital platforms and social media, children, who need more protection and support than adults, face significant risks regarding the processing of their personal data. While Turkish law does not contain specific provisions for protecting children’s personal data, international frameworks like the GDPR provide comprehensive and high-security standards that enable children to participate in the digital world safely. Raising parental awareness and implementing special regulations in Turkish law to prioritize the best interests of the child can ensure the safe digital participation of children.
 