Guide to Turkey Personal Data Protection Law (KVKK)

By Safna November 5, 2025

Expert reviewed

Turkey's Personal Data Protection Law (PDPL), or Kişisel Verilerin Korunması Kanunu (KVKK), enacted as Law No. 6698 in 2016, regulates the processing of personal data in the country. It aligns national practice with the EU’s General Data Protection Regulation (GDPR).

The law defines data subject rights, sets out obligations for controllers and processors, and establishes enforcement mechanisms.

Amendments in 2024 introduced a structured framework for cross-border data transfers, including adequacy decisions, standard contractual clauses (SCCs), and binding corporate rules (BCRs), further aligning the PDPL with the GDPR.

What is Turkey KVKK or PDPL?

KVKK (Kişisel Verilerin Korunması Kanunu), or Law No. 6698, is Turkey’s personal data protection law. It regulates the processing of personal data by both public and private entities, including those outside Turkey that handle data of Turkish residents.

The law defines key roles and establishes business obligations, including:

  • Lawful data processing
  • Maintaining data accuracy
  • Providing information regarding data processing
  • Ensuring data security
  • Cross-border data transfer controls
  • Registering with the VERBIS registry
  • Special rules that apply to sensitive data categories 

Enforcement is carried out by the Turkey Personal Data Protection Authority (DPA). It investigates breaches, issues corrective orders, and imposes administrative fines ranging from TRY 68,083 to 13,620,402.

In cases of unlawful data recording, sharing, or retention, criminal sanctions, including imprisonment, may apply.

While the law resembles the GDPR, it is not identical. There are minor distinctions regarding data subject rights, data protection principles, and other related aspects.

Who does the Turkey KVKK law apply to?

The KVKK has broad applicability, covering all organisations that process the personal data of Turkish residents. 

This includes processing done by fully or partially automated means, as well as non-automated means, provided the data is part of a data recording system. 

Consequently, organisations located outside Turkey must also comply with KVKK if they process Turkish personal data.

Key Definitions under Turkey KVKK

Data controller

A person or organisation that decides the purpose and method of processing personal data and manages the data recording system.

Data processor

A person or organisation that processes personal data on behalf of the data controller, based on given instructions.

Personal data

Any information that identifies or can be used to identify a specific person.

Principles of data protection under KVKK

Under Article 4 of Law No. 6698 (KVKK), personal data must be processed in compliance with both the law and the principles outlined below. These principles apply to all stages of data processing and form the foundation of lawful data handling in Turkey:

  • Lawfulness and fairness: Data must be processed in accordance with the law and general principles of good faith.
  • Accuracy: Personal data must be accurate, complete, and kept up to date where necessary.
  • Purpose limitation: Data should only be processed for clear and lawful purposes known to the data subject.
  • Data minimisation: Processing must be relevant, limited, and proportionate to the intended purpose.
  • Storage limitation: Data should be retained only for as long as required by law or the purpose of processing.

These principles ensure that personal data is handled responsibly and transparently, supporting both individual rights and business accountability.

Consent requirements under Turkey KVKK

Turkey’s Personal Data Protection Law (KVKK) requires explicit consent for processing personal data, especially sensitive data or in the absence of other legal bases.

Explicit consent is also required for data sharing, unless another legal basis applies. Individuals must be informed of any potential risks.

What qualifies as explicit consent?

As defined in Article 3, explicit consent must be:

  • Specific: Clearly tied to a defined purpose
  • Informed: Based on clear, accessible information
  • Freely given: Provided voluntarily through an affirmative action

Blanket or vague consents (e.g., “all data processing activities”) are invalid.

How should businesses collect it?

Consent can be collected electronically or in writing. It must be verifiable, and the burden of proof rests with the data controller.

Can consent be withdrawn?

Yes. Individuals can withdraw consent at any time. Processing must stop as soon as the withdrawal is received.

Key consent obligations for businesses:

  • Request consent separately for each purpose
  • Avoid pre-checked boxes or implied consent
  • Keep records of consent
  • Respect the scope and limits set by the data subject

What are the business obligations under the Turkey KVKK?

Legal bases of processing

Consent is the primary legal ground for data processing under the Turkish data protection law.

Other lawful bases where consent is not required include:

  • Compliance with laws
  • To protect vital interests
  • Performance of a contract
  • To fulfil a legal obligation
  • Data is publicly available 
  • Mandatory for the protection of rights
  • Legitimate interest

Transparency / privacy policy requirements

Businesses must provide the following information to the users during the collection of information:

  • Identification of the data controller and its representative, if applicable
  • The purposes of data processing
  • With whom the data will be shared, if applicable
  • Legal basis for processing personal data
  • Data subject rights

Consent requirements

Businesses must comply with the Turkey KVKK requirement to obtain explicit, freely given, and specific consent from users. This is similar to the opt-in requirements under GDPR.

Although Turkey has not published formal guidance on internet cookies or other tracking technologies, websites may still need to obtain prior consent for the use of any non-essential cookies under the KVKK.

Data security

Controllers must take all necessary technical and administrative measures to protect personal data. This includes:

  • Preventing unlawful processing and access to data
  • Ensuring data integrity and confidentiality
  • Conducting regular compliance audits
  • Maintaining confidentiality, even after leaving the role
  • Reporting breaches promptly to affected individuals and the KVKK Board

If processing is carried out by another party, both the controller and processor are jointly responsible for data security.

Breach notification

Data controllers must notify the authority and concerned individuals of any breaches within 72 hours of knowledge.

Cross-border transfers

Transferring personal data to other countries is allowed but only under certain rules. First, there must be a valid reason for processing the data, like a legal obligation, a contract, or the person’s clear consent. 

Second, the country receiving the data must have enough data protection in place. This is called an adequacy decision and is determined by the Data Protection Board. 

If there is no adequacy decision, data can still be transferred if certain safeguards are used. These include binding corporate rules (BCRs) within a group of companies, standard contracts (SCCs) approved by the Board, or written commitments that guarantee data protection.

In situations where there’s no adequacy decision and no safeguard in place, data can only be transferred under specific, exceptional conditions such as consent or contractual necessity.

Sensitive data protection

Under Turkey KVKK, sensitive personal data includes information such as race, religion, health, sexual life, biometric data, political views, and union or association membership. 

This type of data is generally prohibited from being processed unless:

  • The person gives explicit consent, or
  • There is a legal basis, such as:
    • Required by law
    • Needed to protect someone’s life or rights
    • Public health or medical purposes
    • Employment or social security obligations
    • Data was made public by the individual
    • Related to nonprofit group members and used internally

Businesses must also implement additional security measures defined by the KVKK Board when handling sensitive data.

Data Controllers Registry (VERBIS) requirement

Data controllers must register with the Data Controllers Registry Information System (VERBIS) before starting to process personal data, unless exempted by the KVKK Board. 

Exemptions may apply based on factors like the type, amount, or legal basis of the data processed.

The registration must include key details such as the data controller’s identity, purpose of processing, data categories, recipient groups, international transfers, security measures, and data retention periods.

Any changes to the registered information must be reported promptly.

What are the data subject rights under Turkey KVKK?

Individuals have the right to request information and take action regarding their personal data held by a data controller. These rights include:

  • Finding out if their personal data is being processed
  • Accessing details about how and why their data is used
  • Knowing if their data is shared with third parties, locally or internationally
  • Requesting correction of inaccurate or incomplete data
  • Requesting deletion or destruction of data when legal conditions are met
  • Asking for third parties to be informed of any corrections or deletions
  • Objecting to outcomes based on automated data processing
  • Seeking compensation for damages caused by unlawful data use

These rights ensure individuals can manage their personal data and hold organisations accountable.

How is Turkey KVKK enforced?

The enforcement of Turkey Personal Data Protection Law (KVKK) is managed by the Personal Data Protection Authority, known in Turkish as Kişisel Verileri Koruma Kurumu.

It is an independent public authority with administrative and financial autonomy, headquartered in Ankara.

The Authority carries out its functions through two main bodies:

  • The Personal Data Protection Board (Kişisel Verileri Koruma Kurulu): the decision-making and enforcement body, responsible for issuing decisions, investigating complaints, imposing fines, and ensuring compliance with the law.
  • The Presidency: the administrative arm that manages day-to-day operations, maintains the Data Controllers Registry (VERBIS), and supports the Board’s activities.

The Board can issue administrative fines for non-compliance with KVKK:

  • Failure to inform individuals (privacy notice issues): TRY 68,083 – 1,362,021
  • Failure to ensure data security: TRY 204,285 – 13,620,402
  • Failure to comply with Board instructions: TRY 340,476 – 13,620,402
  • Failure to comply with cross-border notification requirements: TRY 71,965 – 1,439,300
  • Failure to register with VERBIS: TRY 272,380 – 13,620,402

Non-compliance fines under the KVKK are updated every year.

Differences between GDPR and KVKK

Applicability
  • Turkey KVKK: Applies to natural or legal persons processing data by automated means or non-automated means within a data recording system.
  • EU GDPR: Organisations or individuals processing personal data of people in the EU, regardless of where the processing takes place.

Effective date
  • Turkey KVKK: April 7, 2016
  • EU GDPR: May 25, 2018

Data subject rights
  • Turkey KVKK:
    • Right to information
    • Right to rectification
    • Right to deletion
    • Right to request controllers to inform third parties
    • Right to object to automated decisions
    • Right to claim compensation
  • EU GDPR:
    • Right to information
    • Right to access
    • Right to rectification
    • Right to deletion
    • Right to object
    • Right to restrict processing
    • Rights related to automated decision-making

Opt-in / opt-out consent
  • Turkey KVKK: Opt-in
  • EU GDPR: Opt-in

Principles of processing
  • Turkey KVKK:
    • Lawfulness and rules of honesty
    • Accuracy
    • Purpose limitation
    • Data minimisation
    • Storage limitation
  • EU GDPR:
    • Lawfulness, fairness, and transparency
    • Accuracy
    • Purpose limitation
    • Data minimisation
    • Storage limitation
    • Integrity and confidentiality
    • Accountability

Enforcement agency
  • Turkey KVKK: Kişisel Verileri Koruma Kurumu
  • EU GDPR: Supervisory Authorities

Penalty
  • Turkey KVKK: Fine up to TRY 13,620,402
  • EU GDPR: Fines up to €20 million

FAQ on Turkey KVKK

What is KVKK in Turkey?

Kişisel Verilerin Korunması Kanunu (KVKK) is the Personal Data Protection Law of Turkey. Enacted in 2016, it aligned with the EU Data Protection Directive, which was the EU’s primary data protection framework prior to GDPR.

In 2024, the law was amended to expand compliance requirements, such as cross-border data transfers. While similar to GDPR, KVKK includes some specific adjustments.

Does Turkey KVKK require consent for processing personal data?

Yes. When processing personal data, organisations must obtain user consent that is specific, informed, and freely given. Alternatively, data may be processed on the basis of a contract, vital interests, legal obligations, legitimate interests, or the protection of rights.

Safna

Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, zest, and an ongoing soft spot for Christmas movies.
