by 
In a recent ruling, Turkey’s Constitutional Court clarified the scope of constitutional protection for personal data. On 20 March 2025, the Court issued an important decision (Application No. 2020/15944), confirming that the right to protection of personal data, set out in Article 20 of the Turkish Constitution as part of the right to respect for private life, also creates positive obligations for the State.
Although this safeguard was already recognised in principle, the decision makes it clear, that public authorities and courts must, in cases involving third-party interference, assess whether such interference complies with Article 20. These obligations go beyond shielding individuals from state action: they require the State to ensure protection against violations by private parties as well.
Summary of the Facts
The case before the Turkish Constitutional Court centred on a man’s claim that no effective criminal prosecution had been carried out in relation to his criminal complaint regarding the offence of unlawful disclosure or dissemination of personal data. He argued that a psychiatrist who had treated him years earlier passed on documents about his mental health to his mother without consent. He also said his family later used these documents to start guardianship proceedings, which left him deprived of his constitutional rights for almost two years.
During the criminal proceedings, the psychiatrist told the court that the applicant’s mother had reported her son missing and was worried for his safety. She had requested medical records to obtain a protection order. Believing the situation was urgent, the psychiatrist said he handed over a treatment document to prevent potential harm to the applicant or his family.
The İzmir 2nd Criminal Court of First Instance acquitted the psychiatrist finding no criminal intent. The İzmir Regional Court of Appeal upheld the acquittal.
What the Constitutional Court Said – Key Takeaways for Judicial Authorities
The Court held that the case should be considered under Article 20 of the Turkish Constitution, which guarantees the right to protect personal data, and emphasised that safeguarding private life falls within the State’s positive obligations. It underlined that these obligations extend not only to acts of public authorities but also to interferences by private individuals.
Accordingly, for the protection of personal data, judicial authorities must assess whether third-party conduct complies with constitutional guarantees. In doing so, and in line with the principles of a fair trial under the Turkish Constitution and Article 6 of the European Convention on Human Rights, courts must verify that any interference concerning personal data and private life pursues a legitimate aim, meets the test of proportionality, and that the proceedings fully take into account data protection considerations, with conclusions supported by relevant and sufficient reasoning.
Here, the Court found several major failings by the judicial authorities:
- They did not ask whether it was really necessary to hand over the medical document, rather than simply warning the applicant’s mother about potential self-harm risks.
- They did not consider whether the mother’s interests might have conflicted with her son’s.
- They failed to explain why documents from 2010 were given to the mother in 2016, six years later, and whether any urgent or exceptional reason justified this.
- Even if there had been an urgent reason, they did not explore whether there was another way to handle the situation without disclosing sensitive documents.
The Constitutional Court concluded that the lower courts had failed to weigh the applicant’s constitutional rights properly.
Conclusion
The Court’s decision gives judges in Turkey a clear guide on how to handle cases involving personal data. Whenever personal data is shared with third parties without the data subject’s consent, the key questions must be:
- Was it really necessary to share so much information?
- Was there no other way to deal with the situation?
- Could the same result have been achieved in a less intrusive way?
In conclusion, the Constitutional Court made it clear, that the constitutional right to the protection of personal data is not merely a theoretical safeguard, but a substantive right that must be actively upheld in judicial proceedings involving both public authorities and private individuals.
This approach aligns with the long-standing case law of the European Court of Human Rights, which says that states cannot simply refrain from interference but must take active measures to protect individuals’ rights against violations by private parties (e.g., I. v. Finland, K.U. v. Finland). With this decision, the Turkish Constitutional Court has demonstrated that it has embraced the ECHR standard and has expressly affirmed the doctrine of positive obligations under Article 20 of the Constitution.
