
Internet of Things (IoT) Data Privacy and KVKK Compliance
Considered one of the most disruptive and transformative technologies of the digital age, the Internet of Things (IoT) is redefining every field, from industrial processes to daily life, by merging the physical world with digital data streams. This network, composed of billions of devices equipped with sensors, software, and connectivity technologies, generates data at an unprecedented volume. Although regulations such as the Law on the Protection of Personal Data No. 6698 (KVKK) in Turkey and the General Data Protection Regulation (GDPR) on a global scale aim to bring this data flow under control, the inherent features of IoT technology, such as “continuous monitoring,” “invisibility,” and “ubiquity,” conflict with traditional legal norms.
This report examines IoT devices in depth, starting from their technical layers, and analyzes data collection methods, the legal characterization of these processes under the KVKK, the applicability of the “Privacy by Design” principle, and compliance issues encountered on a sectoral basis (healthcare, automotive, smart cities). Critical topics such as “obligation to inform in screenless devices,” “conditions for the validity of explicit consent,” “proportionality in processing biometric data,” and “encryption risks in the quantum age” are analyzed in light of Personal Data Protection Board (Board) decisions and international doctrine. The findings show that data controllers in the IoT ecosystem must develop not only a reactive compliance process but also a proactive data governance strategy integrated into the product life cycle.
1. Technical Architecture of IoT Technology and Data Processing Dynamics
A legal analysis must start from an understanding of how the technology works and how data flows through it. The Internet of Things rests on a multi-layered architecture that extends well beyond individual devices, and each layer carries different responsibilities and risks under the KVKK.
1.1. Multi-Layered IoT Structure and Data Collection Methods
Technical analyses of smart cities and industrial applications classify the IoT architecture into four main layers. This layering traces the transformation of data from its raw state into processed information.
1.1.1. Perception Layer
This layer is the first point of contact where data from the physical world is converted into digital signals. IoT devices and sensors start by collecting data from the environment. The nature of the collected data varies according to the device’s intended use, but the potential to meet the “identifiable person” criterion under the KVKK is high.
- Physical Variables: Environmental data such as temperature, humidity, pressure, weight, and air quality are collected. Although not considered personal data at first glance, temperature change data collected by a smart thermostat can reveal a household’s living habits, hours spent at home, and vacation periods.
- Visual and Auditory Data: Recording images and sound via cameras and microphones is one of the most common data collection methods in IoT. Security cameras, baby monitors, or voice assistants process biometric and visual data that allow for direct identification.
- Location and Movement: GPS modules, accelerometers, and gyroscopes instantly track the location, speed, and direction of movement of the device, and consequently, the user.
- Biometric and Health Data: Wearable technologies (smartwatches, fitness trackers) collect data such as pulse, oxygen saturation, and sleep patterns; security systems perform fingerprint, retina, and face scanning. These data have the status of “Special Categories of Personal Data” (Sensitive Data) under Article 6 of the KVKK.
1.1.2. Network Layer
This layer transmits the data collected by sensors to the center where it will be processed. At this stage, data leaves the device and travels to the cloud or to local servers over protocols such as WiFi, Bluetooth, Zigbee, NFC (Near Field Communication), infrared, 5G, and satellite links.
Legally, this is the layer where the “Data Security” obligations in Article 12 of the KVKK are tested most intensely. Whether the data is encrypted in transit, how secure the chosen protocol and medium are (e.g., transmission over a public WiFi network), and whether the link resists “Man-in-the-Middle” attacks determine the technical measures the data controller must take.
1.1.3. Device and Hardware Layer
This layer comprises the physical hardware that collects and transmits data: RFID tags, mobile devices, smart meters, and sensors. Their low processing capacity prevents traditional security software (antivirus, heavy encryption algorithms) from running on them, which leaves IoT devices vulnerable to cyber-attacks.
1.1.4. Application/Consciousness Layer
This is the top layer, where data is transformed into meaningful information, insight, and action. Cloud computing, big data analytics, machine learning, and artificial intelligence technologies come into play here. Raw data (e.g., instantaneous speed data from a vehicle) is processed in this layer and converted into a “Driver Behavior Profile.” Legal risks are at their most complex here, because “profiling” and automated decision-making can produce results that directly affect an individual’s economic and social life.
1.2. Sectoral Depth and Applications in Data Collection
IoT device data collection practices are shaped by sectoral needs and trigger different legal problems in each sector.
- Healthcare and Biometric Monitoring: Healthcare institutions use IoT technologies to facilitate access to patient files, monitor treatment data, and automatically upload biometric data to the cloud. While this improves patient care, it means moving the most intimate data to platforms with a high risk of cyber-attacks.
- Banking and Finance (FinTech): The finance sector is rapidly adopting IoT solutions to improve customer experience and increase accessibility. Examples include payments via wearable devices or offering location-based insurance quotes. However, this allows financial data (credit card information, spending habits) to be matched with location data to create a detailed economic profile.
- Industrial IoT (IIoT) and Manufacturing: In industry, real-time monitoring of processes and communication between smart machines and sensors (M2M) increase efficiency. However, according to Boston Consulting Group reports, 42% of companies in the manufacturing sector experience difficulties in managing IoT data. Data collected from machines also measures the performance, break times, and working speed of the operator using that machine, indirectly becoming “Employee Performance Data” and creating problems at the intersection of labor law and data protection law.
- Smart Cities and Environmental Analysis: Noise, air pollution, and traffic density are monitored in cities; earthquake and tsunami early warning systems are managed with IoT sensors. In the energy sector, consumption data is collected instantly via Advanced Metering Infrastructure (AMI). While the analysis of this data provides efficiency in city management, it increases concerns about the “Surveillance Society.”
2. Basic Legal Concepts and Relationships Under KVKK
Fitting the factual situation created by IoT technologies into the normative framework introduced by Law No. 6698 (KVKK) brings about some conceptual difficulties.
2.1. Determination of Data Controller and Data Processor Status
In traditional data processing procedures, the data controller (who determines the purposes and means of processing) is usually single and clear. However, in the IoT ecosystem, there is a multi-actor structure including the device manufacturer, software developer, cloud service provider, platform operator, and the end-user using the device.
According to Opinion 8/2014 of the EU Data Protection Working Party (Article 29 Working Party), IoT stakeholders are considered data controllers to the extent that they determine the purposes and means of collecting data.
- Device Manufacturers: If they pull the data collected by the device to their own servers and use it for product development or marketing purposes, they are data controllers.
- Platform Providers: Platforms like Apple HealthKit or Google Fit, which collect and manage data from different devices in a single center, are qualified as data controllers because they provide central management of data. Smartphones and tablets have become natural gateways for data coming from IoT devices to open up to the internet, and platforms controlling these gateways play a critical role.
- Data Processor: Cloud providers that only offer infrastructure for data storage but have no decision-making authority over the content or purpose of use of the data fall into this category.
An important difference between KVKK and GDPR emerges here. While both the data controller and the data processor can be held jointly and severally liable in case of a data breach under GDPR, this distinction is sharper in the KVKK liability regime, and the data controller is accepted as the primary addressee.
2.2. Distinction Between Personal Data and Special Categories of Personal Data
By nature, IoT devices have the potential to collect any kind of data that makes a person “identifiable.”
- Personal Data: IP addresses, MAC addresses, or Unique Device Identifiers (UDID) of devices are considered personal data because these devices can be matched with a specific user.
- Special Categories of Personal Data: Data listed in Article 6 of the KVKK: health, biometric data, clothing, association/foundation membership, etc. ECG data collected by smartwatches (Health), fingerprints used by smart locks (Biometric), or political speeches recorded by smart home assistants (Political Opinion) fall into this category. Such data may be processed only where explicitly provided for by law or with the explicit consent of the data subject. For health data, the conditions are even stricter; absent explicit consent, it may be processed only by persons bound by an obligation of secrecy (e.g., a workplace doctor). Automatic processing of such data by IoT devices is directly unlawful where consent has not been obtained.
3. Obligation to Inform and Explicit Consent: Implementation Issues
Two of the data controller’s most fundamental obligations, transparency (the obligation to inform) and establishing a legal basis (consent or another ground), face serious obstacles in IoT devices because of technical constraints.
3.1. Critical Differences Between Obligation to Inform and Explicit Consent
These two concepts, often confused in legal practice, need to be clarified in the context of IoT.
- Difference in Purpose: The clarification text (privacy notice) provides transparency by giving information about the data processing activity. Explicit consent implies that the informed person approves the processing of their data.
- Timing: Information must be provided before data processing begins. Explicit consent must be obtained if there are no other processing conditions in KVKK Art. 5 or Art. 6 (foreseen in laws, performance of a contract, etc.).
- Necessity: Information is mandatory in every case; explicit consent is only necessary if there is no other legal ground. Trying to obtain consent for every data processing creates “consent fatigue” and is legally incorrect.
3.2. The Issue of Informing in Screenless Devices and the Layered Solution
Many IoT devices (smart bulbs, sensors, simple wearables) do not have a screen. In this case, the problem arises of how to present a clarification text compliant with KVKK Art. 10 (identity, purpose, method, legal reason, rights) to the user. Manufacturers usually put papers with small fonts inside the box or direct users to a website; however, this may undermine the principle of informing the user before their data starts being processed.
Layered Notice Approach: To overcome this problem, KVKK Guidelines and international authorities recommend the “Layered Notice” method.
- First Layer (Summary and Attention-Grabbing): Short, understandable information appearing on the device, its packaging, or on the first screen during installation. For example, a QR code or a warning “This device collects your health data.” Printing QR codes on the device allows the user to access the current clarification text by scanning it at any time.
- Second Layer (Detailed): Full text accessed via QR code or mobile application. Here, data transfer to third parties, retention periods, and application rights are detailed.
- Oral Information: In some cases, it is possible to provide information orally (e.g., the smart assistant giving a voice warning at first startup), but the burden of proof lies with the data controller.
3.3. Validity of Explicit Consent and the “Free Will” Problem
In IoT applications, consent is usually obtained by checking a box “I have read and accept the Terms of Use and Privacy Policy” while downloading a mobile application. However, this method is controversial under KVKK.
- Blanket Consent: General, vague, and open-ended consents for the future are invalid. A consent like “I allow all my data to be processed” is unlawful.
- Prohibition of Bundling Consent: If giving consent for the processing of data irrelevant to the device’s basic function (e.g., sharing viewing history for marketing purposes) is made mandatory for a smart television to work, this consent is not given with “free will” and is invalid.
- Consent in Employment Relationships: Consents obtained for IoT devices provided by employers to employees (vehicle tracking, smart helmets) are generally considered invalid due to the hierarchical power imbalance between employee and employer. The Article 29 Working Party states that consent cannot be a legal basis in employment relationships, and data processing must be based on “legitimate interest” or “performance of a contract.”
3.4. Data Minimization Principle and Secondary Use Risk
Article 4 of the KVKK requires that data be “relevant, limited and proportionate to the purposes for which they are processed.” This is the “Data Minimization” principle. However, IoT and Big Data technologies inherently tend towards “maximum data collection.”
Secondary Use Threat: Suppose data collected from a vehicle is gathered for the primary purpose of traffic management. Selling the same data to insurance companies to set the driver’s risk premium, or to marketing companies to show ads for restaurants along the route, is “secondary use.” Research shows that such secondary uses are users’ biggest concern about IoT. The data controller must define the purpose of collection clearly and must not go beyond it.
Case Example: If an e-commerce company collects a customer’s date of birth but does not use it for a birthday discount or age analysis, this data collection activity violates the minimization principle. Similarly, a smart flashlight application accessing location data violates the proportionality principle.
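The thermostat example from section 1.1.1 and the minimization and secondary-use points above, worked through as an added example (this code is not part of the report): the raw minute-level stream reveals when the household is home, the purpose-bound minimizer aggregates on the device so that inference is no longer possible, and an export for a purpose that was never registered is refused. The sample readings, the 19 C presence threshold and the purpose names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_readings():
    """Constructed sample: 5-minute readings over two days. The setpoint is
    21 C while the household is home (07:00-09:00 and 18:00-23:00) and 16 C
    otherwise, which is exactly the pattern a raw stream exposes."""
    start = datetime(2024, 1, 8)
    readings = []
    for i in range(2 * 24 * 12):
        t = start + timedelta(minutes=5 * i)
        at_home = 7 <= t.hour < 9 or 18 <= t.hour < 23
        readings.append((t, 21.0 if at_home else 16.0))
    return readings


def infer_presence_hours(readings, threshold=19.0):
    """What any recipient of the stream can learn: the hours of the day in
    which someone is at home (any reading at or above the threshold)."""
    return sorted({t.hour for t, temp in readings if temp >= threshold})


def minimize_for_efficiency_report(readings):
    """Keep only what a heating-efficiency report needs: one daily mean
    temperature per day, timestamped at midnight. Nothing below day
    granularity leaves the device (KVKK Art. 4: 'limited and proportionate')."""
    by_day = defaultdict(list)
    for t, temp in readings:
        by_day[t.date()].append(temp)
    return [(datetime(d.year, d.month, d.day), round(sum(v) / len(v), 1))
            for d, v in sorted(by_day.items())]


# Registered purposes and the minimizer each one is permitted to use. A purpose
# that was never registered at collection time (for example an insurer asking
# for the raw stream later) has no entry, so the request is refused instead of
# being served: secondary use is blocked by construction.
PURPOSES = {"efficiency_report": minimize_for_efficiency_report}


def export(readings, purpose):
    """Release data only through the minimizer registered for the purpose."""
    if purpose not in PURPOSES:
        raise PermissionError("purpose not registered at collection: " + purpose)
    return PURPOSES[purpose](readings)


if __name__ == "__main__":
    raw = constructed_readings()
    print("raw stream reveals presence hours:", infer_presence_hours(raw))
    report = export(raw, "efficiency_report")
    print("exported for report:", report)
    print("presence hours from export:", infer_presence_hours(report))
```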
4. Privacy by Design and Security Measures
The traditional “security added later” approach remains insufficient in the IoT age. Data security and privacy must be part of the process from the product’s design phase.
4.1. Privacy by Design and Privacy by Default Principles
“Privacy by Design” implies designing a system in compliance with data protection principles while it is still in the development phase. “Privacy by Default” envisages that the system works with the highest level of privacy settings without the need for the user to make any adjustments.
- Legal Status: While GDPR Article 25 explicitly mandates these principles, these terms do not explicitly appear in the KVKK. However, KVKK Art. 12 (Data Security) and Art. 4 (General Principles) indicate that this approach is implicitly accepted in Turkish law. Board guidelines and academic opinions emphasize that adopting these principles is essential for compliance.
- Canada and EU Example: Although the concept of Privacy by Design originated in Canada, it is not a binding provision in Canadian law; the EU, by contrast, made it a legal requirement with the GDPR. A similar statutory provision, or jurisprudence built through Board decisions, is expected in Turkish law.
4.2. Security Vulnerabilities in IoT Devices and Quantum Threat
IoT devices are seen as the weakest link in the network with regard to cybersecurity. Their low processing power makes it difficult to run complex encryption algorithms.
- Basic Security Deficiencies: Many devices come with default passwords that are difficult or impossible to change, cannot receive security updates, and lack basic network protection protocols.
- Quantum Age Threats: Developing quantum computers will reach the capacity to break encryption algorithms accepted as secure today, such as RSA and ECC, within seconds. This creates a major risk for long-life IoT infrastructures (smart grids, dam gates, health implants). Data controllers need to put “Quantum-Resistant Cryptography” solutions on their agenda.
- Technical Measures: According to the KVKK “Personal Data Security Guide,” encryption, keeping access logs, using intrusion detection systems, and performing regular penetration tests are mandatory.
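The Privacy by Default principle of section 4.1 and the basic security deficiencies listed above, turned into a configuration audit as an added example (not code from the report or from any vendor): a shipped configuration is checked for a factory password, an unchangeable password, no update channel, unencrypted transport, optional sharing switched on, fields collected beyond the purpose, and no retention limit, with the weak configuration shown beside its privacy-by-default counterpart. The configuration keys, the factory-password list and the thermostat purpose fields are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class DeviceConfig:
    """Shipped configuration of a device (keys are assumptions of this example)."""
    admin_password: Optional[str]       # None: user must set one at first boot
    password_changeable: bool
    update_channel: Optional[str]       # where signed security updates come from
    transport: str                      # "tls" or "plain"
    optional_sharing_on: bool           # analytics/marketing sharing switched on?
    collected_fields: Set[str] = field(default_factory=set)
    retention_days: Optional[int] = None   # None means kept indefinitely


# Constructed list of factory credentials an audit treats as never changed.
FACTORY_PASSWORDS = {"admin", "password", "1234", "12345"}


def audit(cfg, purpose_fields):
    """Return the Privacy-by-Default / KVKK Art. 12 findings for a configuration.
    purpose_fields is the set of fields the device's stated purpose requires."""
    findings = []
    if cfg.admin_password in FACTORY_PASSWORDS:
        findings.append("factory default password still in use")
    if not cfg.password_changeable:
        findings.append("password cannot be changed by the user")
    if cfg.update_channel is None:
        findings.append("no channel for security updates")
    if cfg.transport != "tls":
        findings.append("data leaves the device unencrypted")
    if cfg.optional_sharing_on:
        findings.append("optional data sharing enabled without user action")
    extra = sorted(cfg.collected_fields - purpose_fields)
    if extra:
        findings.append("collects fields beyond the purpose: " + ", ".join(extra))
    if cfg.retention_days is None:
        findings.append("no retention limit")
    return findings


# Fields a heating thermostat needs for its own function (assumption).
THERMOSTAT_PURPOSE = {"temperature", "setpoint"}

# Weak shipped defaults of the kind the report describes ...
WEAK = DeviceConfig(
    admin_password="admin", password_changeable=False, update_channel=None,
    transport="plain", optional_sharing_on=True,
    collected_fields={"temperature", "setpoint", "location", "wifi_ssid"},
)

# ... and the same device configured privately by default.
PRIVATE_BY_DEFAULT = DeviceConfig(
    admin_password=None, password_changeable=True,
    update_channel="https://updates.example.invalid/firmware",  # placeholder URL
    transport="tls", optional_sharing_on=False,
    collected_fields={"temperature", "setpoint"}, retention_days=90,
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("private-by-default", PRIVATE_BY_DEFAULT)):
        print(name, audit(cfg, THERMOSTAT_PURPOSE))
```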
5. Sectoral Judicial Decisions and Board Jurisprudence
Decisions made by the Personal Data Protection Board are of vital importance in showing how abstract law articles are applied to concrete events.
5.1. Gyms and Biometric Data Violation (Precedent Decision)
The Board found it unlawful to take members’ palm prints or fingerprints at gym entrances and exits and imposed heavy administrative fines on relevant businesses (Decision No: 2020/167).
- Reasoning of the Decision: Biometric data is “Special Categories of Personal Data.” Processing a person’s most intimate data, biometric data, for a simple operation like gym entry control is contrary to the “Proportionality Principle.” Since alternative methods requiring less data exist, such as a membership card, a turnstile PIN, or a mobile QR code, processing biometric data is unlawful.
- Obligation to Destroy: The Board not only imposed a fine but also ordered the immediate destruction of all collected biometric data and notification to third parties (software firms, etc.) to whom data was transferred.
5.2. Announcement of Exam Results and Privacy
Hanging exam results in a university where everyone can see them or publishing them on the internet was considered a violation. The Board requested the establishment of a system where students can only see their own results with their TR ID number and password. This decision is also valid for IoT-based education systems or employee performance dashboards; data should be presented with personalized access, not publicly.
5.3. Vehicle Tracking Systems
Using GPS tracking systems in vehicles provided by the employer is lawful only under certain conditions:
- Informing: The driver must be explicitly informed that the vehicle is being monitored.
- Purpose: Monitoring must be based on a legitimate purpose such as the execution of the work, vehicle security, or fuel saving.
- Time Constraint: Monitoring the employee outside working hours or during times allowed for private use of the vehicle violates the privacy of private life.
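The three conditions above, applied at the point where a tracking device decides whether to keep a location sample, as an added example (not code from the report): a sample is stored only when the driver has been informed, the purpose is one of those named above, and the time falls inside working hours and outside any window of permitted private use; everything else is dropped at the device rather than stored and hidden. The policy values, weekday schedule and sample coordinates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Set, Tuple

# Legitimate purposes named in the report; anything else fails the gate.
ALLOWED_PURPOSES = {"execution_of_work", "vehicle_security", "fuel_saving"}


@dataclass
class TrackingPolicy:
    driver_informed: bool                 # documented notice given to the driver
    purpose: str
    work_days: Set[int]                   # weekday numbers, Monday == 0
    work_start: time
    work_end: time
    private_use: List[Tuple[datetime, datetime]]   # windows of permitted private use


@dataclass
class LocationSample:
    at: datetime
    lat: float
    lon: float


def record_decision(policy, sample):
    """Return (keep, reason). A sample is kept only when every condition of
    section 5.3 holds; the reason is logged, the dropped position is not."""
    if not policy.driver_informed:
        return False, "driver not informed"
    if policy.purpose not in ALLOWED_PURPOSES:
        return False, "no legitimate purpose"
    at = sample.at
    for start, end in policy.private_use:
        if start <= at < end:
            return False, "private use window"
    if at.weekday() not in policy.work_days:
        return False, "outside working days"
    if not (policy.work_start <= at.time() < policy.work_end):
        return False, "outside working hours"
    return True, "within working hours"


def filter_trip(policy, samples):
    """Persist only the samples that pass the gate."""
    return [s for s in samples if record_decision(policy, s)[0]]


# Constructed policy: Monday to Friday, 08:00-18:00, with a private-use window
# granted on Wednesday 10 January 2024 between 12:00 and 13:00.
EXAMPLE_POLICY = TrackingPolicy(
    driver_informed=True, purpose="execution_of_work",
    work_days={0, 1, 2, 3, 4}, work_start=time(8), work_end=time(18),
    private_use=[(datetime(2024, 1, 10, 12), datetime(2024, 1, 10, 13))],
)
# Same policy, but no notice was ever given to the driver.
UNINFORMED_POLICY = TrackingPolicy(
    driver_informed=False, purpose="execution_of_work",
    work_days={0, 1, 2, 3, 4}, work_start=time(8), work_end=time(18), private_use=[],
)
# Constructed samples from that Wednesday and the following Saturday.
EXAMPLE_TRIP = [
    LocationSample(datetime(2024, 1, 10, 9, 30), 41.01, 28.97),
    LocationSample(datetime(2024, 1, 10, 12, 30), 41.02, 28.98),
    LocationSample(datetime(2024, 1, 10, 20, 0), 41.03, 28.99),
    LocationSample(datetime(2024, 1, 13, 10, 0), 41.04, 29.00),
]

if __name__ == "__main__":
    for s in EXAMPLE_TRIP:
        print(s.at, record_decision(EXAMPLE_POLICY, s))
    print("stored:", len(filter_trip(EXAMPLE_POLICY, EXAMPLE_TRIP)), "of", len(EXAMPLE_TRIP))
```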
6. Comparative Compliance Analysis of KVKK and GDPR
For companies operating in the global IoT market, the differences between KVKK and GDPR are critical. Although the two regulations are based on similar foundations, they diverge in implementation details.
6.1. Data Transfer Abroad: The Biggest Obstacle
IoT data is usually kept on servers of global cloud providers (AWS, Google, Microsoft) located abroad.
- GDPR: Data transfer to countries with an adequacy decision is relatively easy via Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC).
- KVKK: The regime for transfer abroad is quite strict. If there is no explicit consent, it is checked whether there is adequate protection in the country where the transfer will be made (Safe Country list has not been announced yet). In this case, permission must be obtained from the Board or a letter of undertaking must be given. This bureaucratic process is a serious operational obstacle for cloud-based IoT services.
6.2. Administrative Fines and Liability
- GDPR: Foresees fines up to 4% of global turnover or 20 million Euros (whichever is higher).
- KVKK: Fines are determined over fixed amounts and increase with the revaluation rate every year (can reach millions of TL as of 2024). GDPR fines are much higher in terms of deterrence.
7. Future Projections and AI Commissions
The emergence of AIoT (Artificial Intelligence of Things) through the combination of Artificial Intelligence (AI) and IoT necessitates the evolution of legal regulations. The “Artificial Intelligence Science Commission” established within the Ministry of Justice carries out studies to determine the legal infrastructure of AI technologies and to minimize their risks. The work of this commission will be decisive for the transparency, accountability, and freedom from bias of the algorithms that will process IoT data in the future.
8. General Evaluation
The Internet of Things has become an indispensable part of modern life; however, this technology brings with it the risk of “surveillance capitalism.” In light of the findings presented in this report, the following strategic steps must be taken for KVKK compliance:
- Data Minimization Strategy: Companies should abandon the “collect as much as you can” mentality and adopt the principle of collecting only the minimum data necessary for the purpose.
- Standardization of Layered Notice: Clarification mechanisms integrated with QR codes and mobile apps for screenless devices must become the industry standard.
- Avoidance of Biometric Data: Systems processing biometric data (fingerprint, face recognition) should not be used unless mandatory and an alternative exists.
- Security by Design: Encryption, anonymization, and privacy settings should be integrated as default during the product development phase.
- User Control: Interfaces providing users with full control over their data (access, deletion, anonymization) should be offered.
Data privacy is not just a legal obligation but also a value that provides a competitive advantage by gaining user trust. The IoT ecosystem will only be sustainable when built upon this foundation of trust.