İçeriğe geç
Biletora Logo
Blog

KVKK and Guest Data Security at Events: A Guide for Event Companies

Event KVKK compliance covers the lawful processing of a guest's personal data, such as name and phone, under Turkey's Law No. 6698. We cover explicit consent, retention periods, call-center recordings and the event company's responsibility.

Event KVKK compliance refers to collecting, processing, storing and protecting a guest's personal data, such as first name, last name and phone number, lawfully under Turkey's Law No. 6698 on the Protection of Personal Data (KVKK). At a wedding, engagement or corporate event, the contact details of hundreds of guests are processed; each of these is personal data in the KVKK sense and creates concrete obligations for the event company. This article summarizes, for event companies, how guest data should be processed correctly, the role of explicit consent, retention and deletion processes, and the legal framework for call-center recordings. Note: this content is for information only and is not legal advice; consulting a legal advisor for your corporate processes is recommended.

Why Is Guest Data Covered by KVKK?

A guest's name, phone number and attendance preference make a natural person identified or identifiable; therefore they are personal data under Law No. 6698. Preparing and distributing an event invitation and collecting the attendance response is, in KVKK terminology, a data processing activity. The company begins processing this data the moment it adds a name to the list.

An important distinction: who collects the data and for what purpose determines the liability. The event owner or the event company, as the party that determines the purpose and means of processing, is usually the data controller. A technology and operations supplier that distributes, calls or stores on the firm's behalf acts as a data processor within the scope of a contract. Clarifying this division of roles with a written agreement is a fundamental step in KVKK compliance.

Lawful Processing of Personal Data

KVKK ties the processing of personal data to specific legal grounds. Processing guest data, in most scenarios, relies either on the guest's explicit consent or on other processing conditions listed in the law. In practice, two main approaches stand out:

  • Explicit consent: The guest is clearly informed of the purpose for which their data will be processed, and their consent is obtained by free will. Consent must relate to a specific matter and be based on information.
  • Other processing conditions: In cases such as the establishment of a contract, legitimate interest or the guest's own request, consent may not be required if the conditions the law requires are met. This assessment must be made separately for each event.

Whatever ground is relied upon, KVKK's core principles apply: data must be processed lawfully and fairly, for specific and legitimate purposes, in a manner that is proportionate and relevant to the purpose. Collecting a guest's blood type or unnecessary special-category data for an event violates the principle of proportionality; a name and contact detail are sufficient for attendance management.

Duty to Inform and Explicit Consent

KVKK imposes a duty to inform the guest on the data controller. The guest must be told in advance by whom and for what purpose their data is processed, to whom it may be transferred, and what their rights are. The information notice can be presented at the start of the invitation flow or on the attendance form.

Informing and explicit consent are distinct concepts. Informing is a notification; explicit consent is the guest's approval. For example, if a guest's phone number is to be used for a purpose beyond attendance, such as marketing, a separate and explicit consent is required. Using data collected for attendance management in an unrelated campaign counts as processing beyond the purpose.

Retention Period and Deletion of Data

KVKK requires personal data to be stored only for as long as necessary for the purpose. An event guest list loses its purpose after the event takes place and the related operations are completed. When the processing purpose disappears, the data must be deleted, destroyed or anonymized.

Points an event company should watch in practice:

  • Retention policy: How long guest data will be kept should be defined in advance.
  • Deletion process: Cleaning the data from the system and backups when the period expires.
  • Access restriction: Only authorized team members should be able to reach the data.

Call-Center Recordings and KVKK

Calling guests by phone and recording conversations carries a separate KVKK dimension because voice data is processed. A voice recording is also personal data. Therefore, if calls are recorded, the guest must be informed and the relevant processing condition must be met. The purpose of the recordings, the retention period and access authorization must be defined.

When a professional call-center service is used, the party providing that service acts as a data processor on the firm's behalf. Making calls in the firm's name, keeping recordings secure and using them only for the defined purpose are part of KVKK compliance.

The Event Company's Responsibility

The event company sits at the center of the responsibility because it collects guest data and determines the processing purpose. The firm is obliged to ensure data security, prevent unauthorized access and make the necessary notifications in the event of a data breach. Paper lists, unprotected Excel files and guest data scattered across personal phones both carry leak risk and conflict with KVKK's data security principle.

This risk is reduced by processing data in a centralized, access-controlled and KVKK-compliant system. Biletora is designed as a platform that processes guest data within this framework: data is gathered in the company panel, distribution is done in the firm's name, call-center conversations are conducted under recording, and the entire process is handled under Law No. 6698. The company can manage access and storage from a single system instead of scattered tools.

Checklist for a KVKK-Compliant Event

Items an event company can review before the event:

  • Legal ground: Which processing condition does the guest data rely on?
  • Informing: Has the guest been informed how their data is processed?
  • Proportionality: Is only the necessary data (name, contact, attendance) being collected?
  • Security: Is the data held in an access-controlled system?
  • Retention: Is a post-event deletion process defined?
  • Supplier: Is there a written agreement with the data-processor supplier?

These items are concrete steps to protect guest trust and reduce legal risk. Event KVKK compliance is not merely a legal obligation; it is also the foundation of corporate trust in the eyes of clients and guests.

Frequently Asked Questions

Is a guest's name and phone number personal data under KVKK?+

Yes. A name, surname and phone number that make a natural person identified or identifiable are personal data under Law No. 6698. Collecting, distributing and storing this information for an event is a data processing activity and is subject to KVKK obligations.

Is explicit consent always required to process guest data?+

Not always. Processing can rely on explicit consent, but it can also rely on other conditions listed in the law, such as the establishment of a contract or legitimate interest. Which legal ground applies must be assessed separately for each event; a separate, explicit consent is required for any use beyond the original purpose.

How should call-center conversation recordings be handled under KVKK?+

A voice recording is also personal data. If calls are recorded, the guest must be informed, and the purpose of the recording, the retention period and access authorization must be defined. A call center working in the firm's name acts as a data processor under a contract and is obliged to keep the recordings secure.

How long should a guest list be kept after the event?+

KVKK requires data to be kept only for as long as necessary for the processing purpose. Once the event is completed and the operation ends, the purpose disappears; the data should then be deleted, destroyed or anonymized. A predefined retention and deletion policy is recommended for the company.