Crime of Failing to Destroy Data

Legal Definition of the Crime

The Crime of Failing to Destroy Data is regulated under Article 138 of the Turkish Penal Code (TCK) within the chapter “Crimes Against Private Life and the Confidential Sphere of Life.” The relevant provision reads as follows:

TCK Article 138
(1) Those who are obliged to destroy data within the system despite the legally prescribed periods having expired and fail to fulfill their duty shall be sentenced to imprisonment from one to two years.

(2) (Added: 21/2/2014–6526/5) If the subject of the crime is data that must be eliminated or destroyed under the provisions of the Code of Criminal Procedure, the penalty to be imposed shall be increased by one fold.

The text of the law makes clear that personal data must be destroyed within the system once the legally prescribed periods have expired, and that those who fail to fulfill this obligation may be held liable for the crime of failing to destroy data under Article 138 of the TCK. In this article, we discuss the elements of the crime of failing to destroy data, which types of data are considered personal data, the necessary conditions for the formation of the crime, and its criminal consequences.

What is Personal Data?

The concept of personal data is addressed and defined in the Law on the Protection of Personal Data No. 6698 (KVKK) (Article 3/d). According to the relevant provision, any information relating to an identified or identifiable natural person constitutes personal data.

It should be noted that the concept of personal data refers to information that the individual does not disclose to unauthorized third parties and may share with others only upon their consent or within a limited circle. Information that is publicly known or easily accessible is not considered personal data. Examples of personal data include an individual’s bank information, residential address, fingerprint records, health information, religious beliefs, and similar data.

“…The term ‘personal data’ should be understood as any information relating to a person that is not disclosed to unauthorized third parties, shared only with others upon consent and within a limited circle, including but not limited to: population information (such as Turkish ID number, name, surname, place and date of birth, mother’s and father’s names), criminal records, residence, educational status, profession, bank account information, phone number, email address, blood type, marital status, fingerprints, DNA, biological samples such as hair, saliva, and nails, sexual and moral orientation, health information, ethnic origin, political, philosophical and religious views, and union affiliations — in short, any information that identifies or makes a person identifiable, distinguishes them from other individuals in society, and reveals their characteristics.” (Court of Cassation 12th Criminal Chamber, 2018/8295 E., 2019/6858 K., 29.05.2019)

Elements of the Crime

When evaluated together with both its objective and subjective elements, the crime of failing to destroy data has the following fundamental components:

1. Perpetrator: The crime of failing to destroy data is a specific offense, and the perpetrator is the person who, despite being obliged to destroy the data, fails to fulfill their duty.

2. Victim: In the context of this crime, the victim is the person or persons whose data has not been destroyed.

3. Act (Conduct) Element: Regarding Article 138 of the Turkish Penal Code, the act element is the negligent conduct of failing to destroy the data. The legislator has not required any specific outcome for the formation of the crime. Therefore, the crime is considered to have occurred once the negligent conduct described in the legal definition is carried out.

4. Legally Protected Interest: The crime of failing to destroy data is regulated under the chapter “Crimes Against Private Life and the Confidential Sphere of Life” in the Turkish Penal Code. The legally protected interest under this crime is the individual’s private life.

5. Mental Element: The crime can only be committed intentionally; it cannot be committed negligently under the law.

Aggravating Circumstances

The crime of failing to destroy data, regulated under Article 138 of the Turkish Penal Code, is accompanied by certain qualified circumstances that warrant a heavier penalty in specific cases. According to the relevant legal provision, if the subject of the crime is data that must be eliminated or destroyed in accordance with the provisions of the Code of Criminal Procedure, the penalty to be imposed shall be increased by one fold.

Complaint Period, Statute of Limitations, and Competent Court

The crime regulated under Article 138 of the Turkish Penal Code is not subject to a complaint, and the investigation is conducted ex officio by the public prosecutor. Although there is no complaint period for the investigation of the crime, the statute of limitations for filing a case is eight years. The competent court is the Criminal Court of First Instance.

Judicial Fine, Postponement of the Sentence, and Conditional Suspension of the Announcement of the Verdict

Pursuant to Article 138 of the Turkish Penal Code, those who are obliged to destroy data within the system despite the expiration of the legally prescribed periods and fail to fulfill their duty shall be sentenced to imprisonment from one to two years. Considering the minimum and maximum limits of the penalty, it is possible for the prison sentence to be converted into a judicial fine, for a conditional suspension of the announcement of the verdict (CSAV) to be ordered, or for the sentence to be postponed.

Court of Cassation Decisions

“…The crime of failing to destroy data under Article 138 of the Turkish Penal Code originally provided:

“(1) Those who are obliged to destroy data within the system despite the expiration of the legally prescribed periods and fail to fulfill their duty shall be sentenced to imprisonment from six months to one year.”

However, with the enactment of Law No. 6526, published in the Official Gazette No. 28933 on 06.03.2014, the provision was amended as follows:

“(1) Those who are obliged to destroy data within the system despite the expiration of the legally prescribed periods and fail to fulfill their duty shall be sentenced to imprisonment from one to two years.

(2) If the subject of the crime is data that must be eliminated or destroyed in accordance with the provisions of the Code of Criminal Procedure, the penalty to be imposed shall be increased by one fold.”

In the rationale of Article 138 of the Turkish Penal Code, it is stated: “With this provision, the failure to destroy data lawfully recorded, despite the expiration of the periods prescribed by law, is defined as an independent crime.” Accordingly, this article establishes that individuals obliged to destroy data within the system, despite the expiration of the legally prescribed periods, commit a crime if they fail to perform this duty.

“Destruction” refers to the permanent elimination of physical documents and the deletion of information in an information system in such a way that no copy remains. The crime of failing to destroy data can only be committed intentionally. Intent (mens rea) is the willful and conscious commission of an act recognized as a crime by law and the deliberate performance of the conduct producing its result. It is legally impossible for this crime to be committed negligently.

For the completion of the crime under Article 138 of the TCK, it is sufficient that personal data is not destroyed in violation of the obligation; no actual harm is required. Therefore, it is considered a crime of danger. Since there is no need to investigate the causal relationship between the act and the outcome, failing to destroy data constitutes an abstract danger offense. In other words, it is not further examined whether the negligent behavior poses a risk of harm to personal data.

Failing to destroy data is a specific crime, and the subject of this crime is personal data. The legally protected interest under Article 138 of the TCK is the individual’s private life. Additionally, if personal data stored in public institutions is not destroyed within the prescribed period, the reliability of public administration will also be compromised. Therefore, the reliability and functioning of public administration are also considered legally protected interests.

The conditions and periods for the destruction of information and evidence obtained through monitoring of communications via telecommunications (Article 137/3 of the Code of Criminal Procedure, CMK), recording of communications between the suspect and persons entitled to refuse testimony (Article 135/3 CMK), appointment of secret investigators (Article 139/6 CMK), and technical surveillance measures (Article 140/4 CMK) are regulated under the CMK. These measures are considered protective measures and are included in the Fourth Part of the CMK entitled “Protective Measures.”

Article 135/3 of the CMK provides: “The communications between the suspect or accused and persons entitled to refuse testimony shall not be recorded. If the recording is carried out and this becomes known, the recordings shall be immediately destroyed.” Testifying is generally obligatory; the exception is the right to refuse testimony. This right, based on Article 38/5 of the Constitution, derives from the principle that no one can be compelled to provide self-incriminating statements or statements incriminating close relatives.

In addition to the suspect’s right to remain silent, they also have the right to cooperate with the investigation and prosecution authorities to avoid criminal liability. Article 45 of the CMK regulates those who have an unlimited right to refuse testimony, while Article 46 regulates those who have a conditional right to refuse testimony in specific circumstances. The prohibition on recording communications between the suspect and individuals entitled to refuse testimony aims to prevent the use of evidence against the suspect.

In doctrine, it is stated that the content of such communications should be destroyed by the public prosecutor rather than the officer who records the communication between the suspect and the person entitled to refuse testimony…” (General Assembly of Criminal Chambers, 2025/94 E., 2025/227 K., 21.05.2025).

Lawyer. Gökhan AKGÜL & Lawyer. Yasemin ERAK