Attorney Bilal Alyar | Istanbul Bar Association, Reg. No: 54965 | Last Updated: March 2026
Turkey’s Personal Data Protection Law (KVKK — Kişisel Verilerin Korunması Kanunu, Law No. 6698), enacted in April 2016, established a comprehensive data protection framework modeled on the EU’s 1995 Data Protection Directive, with subsequent amendments moving it closer to GDPR alignment. The Personal Data Protection Authority (KVKK Kurumu) serves as the independent supervisory body, with powers to investigate, audit, and impose significant fines. For businesses operating in Turkey — whether Turkish companies, foreign subsidiaries, or international companies targeting Turkish users — KVKK compliance is a legal obligation with penalties reaching up to 9,834,659 TRY per violation (2026 ceiling). This guide by Attorney Bilal Alyar provides a detailed analysis of data protection requirements in Turkey and their relationship with the EU’s GDPR.
KVKK Overview: Key Principles
KVKK applies to all processing of personal data by data controllers (veri sorumlusu) and data processors (veri işleyen) operating in Turkey, regardless of where the data subject is located. The law establishes six core principles for data processing: lawfulness, fairness, and transparency; purpose limitation (data collected for specified, explicit purposes); data minimization; accuracy and currency of data; storage limitation (retained only as long as necessary); and integrity and security. These mirror GDPR’s Article 5 principles closely, though KVKK uses slightly different terminology.
KVKK categorizes personal data into two tiers: General personal data (name, email, phone, address, financial data) can be processed with explicit consent or under one of the eight lawful bases specified in Article 5(2): legal obligation compliance, necessity for contract performance, vital interests, legitimate interests of the controller, data made public by the subject, necessity for legal claims, and explicit legal authorization. Special categories of data (health, biometric, genetic, race/ethnicity, political opinions, religion, criminal records, union membership) receive heightened protection under Article 6 — processing requires explicit consent or specific statutory authorization, with additional technical safeguards mandated by the KVKK Board.
KVKK vs. GDPR: Key Differences
While KVKK and GDPR share the same DNA, several important differences affect multinational compliance strategies:
Lawful bases: KVKK Article 5(2) lists 8 lawful bases for processing; GDPR Article 6(1) lists 6. Notably, KVKK includes “data made manifestly public by the data subject” as a standalone basis, while GDPR treats this as a factor within legitimate interests.
Consent mechanism: KVKK requires “explicit consent” (açık rıza): informed, specific to the purpose, and freely given. GDPR accepts both explicit and implied consent depending on context. In practice, KVKK’s consent requirements are stricter for many processing activities.
DPO requirement: KVKK does not mandate a Data Protection Officer (DPO) in the same way GDPR does. Instead, KVKK requires registration on the VERBIS system and appointment of a “contact person” for the KVKK Authority.
Fines: KVKK fines are significant but lower than GDPR’s: a maximum of approximately $500,000 per violation vs. GDPR’s €20 million / 4% of global turnover.
Cross-border transfers: KVKK Article 9 restricts international data transfers to countries with “adequate protection” as determined by the KVKK Board. Unlike GDPR, Turkey does not yet have a Standard Contractual Clauses (SCC) mechanism, though this is under development. The KVKK Board has published a “safe countries” list and allows transfers with explicit consent or binding corporate rules.
Data breach notification: KVKK requires notification to the Authority “as soon as possible”, interpreted as 72 hours in practice, aligning with GDPR Article 33. Notification to data subjects is required “as soon as possible” without a specific hour threshold.
Right to be forgotten: Both frameworks include this right, but KVKK’s implementation through Board decisions has been more conservative than the CJEU’s Google Spain jurisprudence.
Data Controller Obligations
Every data controller operating in Turkey must implement a comprehensive compliance program including:
Clarification notice (aydınlatma yükümlülüğü): Under Article 10, data subjects must be informed about the controller’s identity, processing purposes, recipients, data collection method and legal basis, and their rights, before or at the time of data collection. This notice must be layered, clear, and accessible.
Data inventory: Controllers must maintain a detailed inventory of all personal data processing activities, including data categories, purposes, retention periods, recipients, and security measures.
Retention and destruction policy: A formal policy governing data retention periods and secure destruction methods is mandatory under the Regulation on Deletion, Destruction, or Anonymization of Personal Data.
Technical and organizational measures: Appropriate security measures must be implemented based on the nature of the data and the risks involved, including encryption, access controls, logging, regular security testing, and employee training. The KVKK Board has published detailed guidance on minimum technical measures.
VERBIS Registration
The Data Controllers Registry Information System (VERBİS) is Turkey’s mandatory data controller registration platform, similar to the UK’s ICO registration. All data controllers processing personal data in Turkey must register on VERBİS, disclosing: data categories processed, processing purposes, data subject groups, recipients/transfers, retention periods, and security measures. Exemptions exist for controllers with fewer than 50 employees AND annual turnover below 25 million TRY, provided they do not process special category data as their core activity. Registration is free but must be renewed annually. Failure to register carries fines of 39,337 TRY to 1,966,932 TRY (2026 figures).
Cross-Border Data Transfer Rules
International data transfers are one of the most complex areas of KVKK compliance. Under Article 9, personal data can only be transferred outside Turkey if:
(1) the recipient country has been deemed to have “adequate protection” by the KVKK Board (as of 2026, no country has received full adequacy; the Board has published partial adequacy findings for certain sectors);
(2) the data subject has given explicit consent after being informed that the recipient country may not provide adequate protection;
(3) a binding corporate rules (BCR) mechanism approved by the Board is in place; or
(4) one of the exemptions in Article 5(2) or Article 6(3) applies AND the transfer is specifically approved by the Board.
For multinational companies, this means that routine data transfers (employee data to headquarters, cloud storage on foreign servers, use of foreign SaaS platforms) require careful legal structuring.
KVKK Enforcement and Penalties
The KVKK Authority has become increasingly active in enforcement. Administrative penalties include:
Failure to implement adequate security measures: 29,503 TRY to 1,966,932 TRY
Failure to comply with Board decisions: 49,172 TRY to 1,966,932 TRY
VERBIS registration violations: 39,337 TRY to 1,966,932 TRY
Failure to fulfill the clarification obligation: 9,834 TRY to 196,693 TRY
These amounts are adjusted annually for inflation. Criminal penalties under the Turkish Criminal Code (TCK) also apply:
Article 135 (unlawful recording of personal data): 1-3 years imprisonment
Article 136 (unlawful transfer or acquisition of personal data): 2-4 years
Article 138 (failure to destroy data): 1-2 years
The KVKK Board has imposed fines on major technology companies, banks, telecommunications operators, and e-commerce platforms, with published decisions providing guidance on the Authority’s enforcement approach.
Compliance Checklist for Foreign Companies
Foreign companies targeting Turkish users or processing data of Turkish residents should:
(1) Determine whether KVKK applies: if you collect data from Turkish individuals or have a physical presence in Turkey, it likely does.
(2) Appoint a KVKK representative in Turkey or designate a contact person.
(3) Register on VERBİS if thresholds are met.
(4) Publish a Turkish-language privacy notice (aydınlatma metni) compliant with Article 10.
(5) Implement a consent management platform that captures explicit consent per KVKK requirements.
(6) Review all international data transfers and establish compliant transfer mechanisms.
(7) Adopt a data retention and destruction policy.
(8) Conduct a data protection impact assessment for high-risk processing activities.
(9) Train employees on KVKK obligations.
(10) Establish a data breach response plan with 72-hour notification capability.
For companies forming in Turkey, KVKK compliance should be built into the operational framework from day one. Crypto and fintech companies face additional data protection requirements due to the sensitive financial data they process.
Frequently Asked Questions
Does KVKK apply to foreign companies without a Turkish entity?
Yes, if you process personal data of individuals in Turkey — for example, through a website or app targeting Turkish users. The KVKK Authority has asserted extraterritorial jurisdiction in enforcement actions against foreign technology companies. However, practical enforcement against companies with no Turkish presence is limited to blocking access and diplomatic channels.
Can I use US cloud providers (AWS, Google Cloud, Azure)?
Using foreign cloud providers involves cross-border data transfer under Article 9. You need a compliant transfer mechanism — typically explicit consent or a Board-approved BCR. Many companies address this by selecting cloud regions within Turkey (Azure Turkey, AWS Turkey planned) or by implementing encryption where the keys remain under Turkish control.
What is the relationship between KVKK and sector-specific regulations?
KVKK provides the general framework, but sector-specific rules add additional requirements: BDDK regulations for banking data, SPK rules for capital markets, MASAK requirements for financial intelligence, and the Electronic Communications Law for telecom data. Companies in regulated sectors must comply with both KVKK and their sector-specific obligations, with the stricter standard prevailing.
How does KVKK affect cookie consent?
KVKK requires explicit consent for cookies that process personal data (tracking, analytics, advertising cookies). Essential/technical cookies may be processed under the legitimate interest basis. Turkey does not have a separate e-Privacy regulation like the EU, so KVKK is the primary legal basis for cookie consent. A cookie consent management platform displaying a clear opt-in mechanism (not just an “accept” banner) is recommended.
Can KVKK fines be appealed?
Yes. Administrative fines imposed by the KVKK Board can be challenged before the administrative courts (İdare Mahkemesi) within 60 days of notification. Criminal penalties under TCK are handled through the criminal court system. Success rates on appeal vary — the courts generally defer to the Board’s technical expertise but may reduce fines where procedural deficiencies are identified.
Do I need a KVKK audit?
While not legally mandatory, a KVKK compliance audit is strongly recommended, particularly for companies processing large volumes of personal data, handling special category data, or conducting cross-border transfers. The audit should cover: data mapping, consent mechanisms, security measures, retention policies, VERBIS registration accuracy, and incident response preparedness. Contact our office at +90 545 199 25 25 for a compliance assessment.
KVKK Enforcement: Real-World Cases and Penalties
The KVKK Authority (Kişisel Verileri Koruma Kurumu) has become increasingly active in enforcement. Notable decisions:
Technology companies: Multiple penalties against social media platforms and search engines for unauthorized data collection, insufficient data subject consent mechanisms, failure to comply with data deletion requests, and cross-border data transfer without adequate safeguards.
Banks and financial institutions: Penalties for sharing customer data with third-party marketing companies without explicit consent, data breaches resulting from inadequate security measures, and failure to implement proper data access controls.
E-commerce platforms: Penalties for cookie tracking without consent, email marketing to non-consenting recipients, and sharing customer purchase data with advertisers.
Healthcare providers: Penalties for sharing patient data between affiliated hospitals without proper consent, insufficient security for electronic health records, and data breaches exposing sensitive health information.
The Authority publishes summarized decisions on its website (kvkk.gov.tr); these provide essential guidance on how the law is interpreted and enforced.
Data Protection Impact Assessment (DPIA)
While not explicitly mandatory under KVKK (unlike GDPR Article 35), the KVKK Authority has recommended DPIAs for high-risk processing activities.
When to conduct a DPIA: introducing new technologies that process personal data at scale; systematic monitoring of public areas (CCTV, facial recognition); processing special category data (health, biometric, genetic) on a large scale; automated decision-making with significant effects on individuals; and cross-border data transfers to countries without adequate protection.
The DPIA should cover: a description of the processing activity and its purposes; an assessment of necessity and proportionality; identification and assessment of risks to data subjects; and measures to address those risks (technical and organizational).
For companies establishing in Turkey with significant data processing activities, conducting a DPIA as part of the initial compliance setup is strongly recommended.
Data Breach Response: The 72-Hour Window
KVKK requires notification of data breaches to the Authority “as soon as possible”, interpreted in practice as 72 hours (aligned with GDPR Article 33). The response process:
Detection and Assessment (Hours 0-24): Identify the breach (unauthorized access, data leak, system compromise), assess the scope (what data, how many records, which data subjects), contain the breach (isolate affected systems, revoke compromised credentials), and preserve evidence for forensic analysis.
Notification to Authority (Hours 24-72): File a breach notification through the KVKK online portal including the nature of the breach, the categories and approximate number of affected data subjects, the categories and approximate number of affected personal data records, the possible consequences, and the measures taken or proposed.
Notification to Data Subjects (as soon as possible): If the breach is likely to result in high risk to data subjects, they must be notified directly. The notification should be in clear, plain language explaining what happened, what data was affected, what the potential consequences are, what the controller is doing, and what data subjects can do to protect themselves.
Post-Breach: Conduct a root cause analysis, implement corrective measures, update the breach register (mandatory under KVKK), and revise security measures to prevent recurrence.
Failure to notify: administrative fine of 29,503 to 1,966,932 TRY (2026 figures).
Practical KVKK Compliance for Foreign Companies
Foreign companies targeting Turkish users or processing data of Turkish residents should implement a phased compliance program:
Phase 1 (Assessment, Month 1): Determine whether KVKK applies to your activities (does your website target Turkish users? Do you collect data from persons in Turkey?). Map all personal data processing activities involving Turkish data. Identify the lawful basis for each processing activity (consent, contract, legal obligation, etc.).
Phase 2 (Documentation, Months 2-3): Prepare a Turkish-language privacy notice (aydınlatma metni) compliant with Article 10. Implement a consent mechanism that captures explicit consent per KVKK requirements. Draft data processing agreements with any third-party processors. Prepare a data retention and destruction policy. Register on VERBİS if thresholds are met.
Phase 3 (Technical Measures, Months 3-4): Implement encryption for personal data at rest and in transit, access controls (role-based, least privilege), logging and monitoring of data access, regular backup and recovery testing, and vulnerability scanning and patch management.
Phase 4 (Ongoing Compliance): Employee training (initial + annual refresher), regular compliance audits, data breach response plan testing, VERBİS annual update, and monitoring of KVKK Authority decisions for new guidance.
For crypto and fintech companies, additional sector-specific data protection requirements from SPK, BDDK, and MASAK must also be addressed.
Frequently Asked Questions
Does KVKK apply to my foreign website?
If your website targets Turkish users (Turkish language option, TRY pricing, Turkish delivery), collects personal data from persons in Turkey (through forms, cookies, analytics), or offers goods/services to persons in Turkey, then KVKK likely applies. The Authority has asserted extraterritorial jurisdiction in several enforcement actions. However, practical enforcement against companies with no Turkish presence is limited to blocking access to the website and to diplomatic channels through international cooperation.
What is the relationship between KVKK and MASAK?
MASAK’s AML/KYC requirements involve extensive personal data processing. The intersection: customer identity data collected for MASAK compliance is processed under the “legal obligation” lawful basis (KVKK Article 5/2(ç)) — no consent required. However, this data cannot be used for other purposes (marketing, profiling) without separate consent. Special category data (criminal records checked for PEP screening) requires specific authorization. Data retention: MASAK requires 8 years; KVKK requires deletion when no longer necessary — the MASAK 8-year requirement overrides the KVKK deletion principle for AML-related data.
Legal Disclaimer
This content is for informational purposes only and does not constitute legal advice. Each legal matter involves unique circumstances. For a binding legal assessment, please consult an attorney.
Need Legal Assistance in Turkey?
Contact Attorney Bilal Alyar for a professional consultation.
Cevizli, Enderun Sk. No:10C D:58, 34865 Kartal/Istanbul
Istanbul Bar Association | Reg. No: 54965