The Law on the Protection of Personal Data No. 6698 (KVKK) is a legal framework aimed at protecting the fundamental rights of individuals and disciplining the processing of data. Koç University, in the capacity of “Data Controller,” is obliged to fully comply with the KVKK and all relevant legislation.
Any information relating to an identified or identifiable natural person is personal data. In addition to names and surnames; other identity information, financial information, personnel information, KU NetID, e-mail address, vehicle license plate, campus entry logs, and IP address fall into this scope. If a piece of data can be traced back to reveal “who that person is,” that data is accepted as personal data.
In accordance with KVKK, these are data that, if learned, could lead to discrimination against or victimization of the person concerned. The limited number of categories listed in the Law include; race, ethnic origin, political opinion, philosophical belief, religion, sect, clothing/attire, association/foundation/union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. The processing of such data is subject to much stricter conditions.

In accordance with university policies, anyone authorized to access data is obliged to comply with the following security rules:
- Confidentiality of Authentication Information: Do not share your user code (KU NetID) and password with anyone, including your manager or Information Technology staff. Do not write your password on papers and attach them to visible places (screen edges, desktops, etc.).
- Clean Desk and Clean Screen: Lock your computer session even if you leave your workspace for a short time. Do not leave documents and other physical materials containing sensitive data unprotected and open on desks or printers; keep them in locked drawers.
- Hardware and Software Security: Do not attempt to install unlicensed software or software from unknown sources on university computers. Ensure that operating system and antivirus updates are installed.
- Unauthorized Access and Sharing: Do not attempt to access data for which you are not authorized. Do not share data for which you are authorized (especially personal and special categories of personal data) with unauthorized third parties verbally, in writing, or via e-mail.
- Data Destruction: Shred hard-copy sensitive data that is no longer needed; do not throw it in the trash bin.
Data cannot be stored indefinitely. When the purpose for processing ceases to exist or the legal retention period expires, it is a legal requirement to securely delete, destroy, or anonymize the data in accordance with the “Koç University Storage and Retention Policy.”
Only secure cloud environments with which the University has a institutional license (OneDrive / Google Workspace) must be used for the storage and processing of personal data. It is prohibited to store “Restricted”(Hizmete Özel), “Confidential” (Gizli), and “Top Secret” (Çok Gizli) data on personal cloud accounts, sources of uncertain origin, or temporary file-sharing sites such as WeTransfer.”
When you notice an e-mail sent to the wrong person, a stolen laptop/phone, a password leak, or an unauthorized transaction in the system, you should contact IT without panic and without wasting time. Since it may be necessary to notify the institution within the legal period (72 hours), taking quick action is vital.

In terms of data security and management, data is divided into the following categories according to its sensitivity level:
- Public: Information that is open to the public and for which there is no harm in being known by everyone.
- Restricted: Data shared only within the University or, when necessary, with service providers under a signed Non-Disclosure Agreement (NDA), and not approved for external sharing. Unauthorized disclosure or loss of such data may result in reputational damage or non-compliance. (e.g., Project documents, information specific to a project shared with firms, internal meeting schedules, general announcements, telephone directories, employee lists, procedures, operational data, documents containing names, surnames, and IP addresses).
- Confidential: Data that, if shared with unauthorized persons or entities or lost, could seriously impact or disrupt national interests or security; or the operations, image, or revenues of the University. Additionally, data defined as “Special Categories of Personal Data” under the Law on the Protection of Personal Data No. 6698 also fall into this category. (e.g., Passwords, business plans, salary information, contracts, proposals, cost reports, sensitive design work, patient information, sales data, strategic plans, personnel records, credit card information, national and international research data).
- Top Secret: Data that must be known only by a limited number of individuals and, if shared with unauthorized persons or entities or lost, could seriously and adversely affect the existence and operations of the University, potentially leading to national or international risks, threats to national security or defense, or international disputes. (e.g., Software/drawings designed for use in national security or defense industry projects, investment plans and strategies, discoveries or methodologies that could cause major changes in the sector or alter competitive conditions).
Related Documents and Tools
You can access detailed procedures regarding our university’s information security standards, data destruction processes, user obligations, and the KVKK request system from the links below.
Information Technology Directorate Policies and Procedures
KVKK Track-it Application

Contact and Support
You can contact the Information Technology Service Desk for your questions, opinions, or security breach notifications.