Turkey KVKK: Personal Data Protection Compliance
Turkey's Kişisel Verilerin Korunması Kanunu (KVKK — Personal Data Protection Law No. 6698) entered into force on April 7, 2016, making Turkey one of the first countries outside the EU to enact GDPR-aligned comprehensive data protection legislation. With Turkey's growing digital economy, significant population (85 million), and its role as a hub for businesses serving both European and Middle Eastern markets, KVKK compliance has become an increasingly important consideration for international organisations.
The KVKK is administered by the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK Authority or KVK Kurumu) and enforced by the Personal Data Protection Board (Kişisel Verileri Koruma Kurulu). The Board has actively issued guidance, investigated complaints, and imposed significant fines — with penalties reaching up to ₺19.8 million ($620,000 USD) per violation as of 2025.
Key Takeaways
- KVKK applies to natural and legal persons processing personal data of Turkish individuals, regardless of where the controller is established
- Seven processing conditions exist for general personal data; eight for sensitive personal data
- Sensitive personal data includes race, ethnic origin, political opinion, philosophical belief, religion, sect, union membership, health, sexual life, criminal convictions, biometric, and genetic data
- Data subjects have eight rights including access, correction, erasure, and objection to automated decisions
- Cross-border data transfers require either adequacy determination by the Board or explicit consent
- VERBİS registration (Data Controllers Registry) is mandatory for controllers meeting certain thresholds
- Data breach notification required without undue delay to the Board and within 72 hours for serious breaches
- Administrative fines up to ₺19.8 million; criminal liability under Turkish Criminal Code
KVKK Framework and Territorial Scope
Applicability
KVKK applies to:
- Natural and legal persons that process personal data fully or partly by automated means
- Natural and legal persons that process personal data by non-automated means if the data is part of a filing system
Extraterritorial reach: KVKK does not explicitly state extraterritorial application in the same clear terms as GDPR Article 3. However, the Board has taken the position that KVKK applies to overseas data controllers processing personal data of individuals in Turkey — reflected in enforcement actions against Facebook/Meta and other international companies. Controllers outside Turkey offering goods/services to Turkish individuals or processing Turkish individuals' data should assess KVKK obligations.
Exemptions: KVKK does not apply to:
- Processing of personal data by natural persons for purely personal activities
- Processing of personal data for criminal investigation and prosecution purposes
- Processing of anonymised personal data for statistical purposes
- Processing for arts and literature
- Processing for journalistic, academic, artistic, or literary purposes (with limitations)
- Processing within the scope of national defence, security, and public safety
Processing Conditions
Article 5 sets out conditions under which personal data can be processed. At least one condition must be met:
- Explicit consent of the data subject
- Explicitly provided for by law — processing expressly required or permitted by legislation
- Protection of life or physical integrity — where the data subject or third party cannot provide consent
- Contract necessity — processing necessary for the conclusion or performance of a contract
- Legal obligation — fulfilment of a legal obligation of the data controller
- Data subject has made the data public — the person has disclosed the data
- Establishment, exercise, or protection of a right — necessary for legal proceedings
Sensitive Personal Data Conditions (Article 6): Sensitive personal data may only be processed:
- With the explicit consent of the data subject
- Without consent, for specific categories only:
  - Health and sexual life data: only for protection of public health, preventive medicine, medical diagnosis, care/treatment services, and planning and management of health services, by or under the obligation of secrecy of persons in the health sector
  - Other sensitive data (race, ethnic origin, religion, union membership, etc.): processing permitted where explicitly provided by laws
Sensitive personal data includes: race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, trade union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Data Subject Rights
Article 11 grants data subjects the following rights — requests must be responded to within 30 days at no charge:
| Right | Description |
|---|---|
| Right to learn whether personal data is processed | Obtain confirmation of processing |
| Right to request information | Obtain information about purposes, categories, and recipients |
| Right to learn the purpose of processing | Whether data is used for its intended purpose |
| Right to know third parties | Identity of recipients of personal data |
| Right to request correction | Correct incomplete or incorrect data |
| Right to request deletion or destruction | Where processing conditions no longer exist |
| Right to request notification of correction/deletion to third parties | Notification of correction/deletion to recipients |
| Right to object to automated processing | Object to profiling or automated decisions |
| Right to claim damages | Claim compensation for damages arising from unlawful processing |
Exercising rights: Data subjects submit written requests (or via the method specified by the controller). Controllers must respond within 30 days. If the request is refused, the data subject can complain to the Board within 30 days.
VERBİS Registration
Article 16 requires data controllers to register with the Data Controllers Registry (VERBİS — Veri Sorumluları Sicili) before beginning to process personal data. Registration requires:
- Controller identity and contact information
- Processing purposes
- Transferred data groups and recipients
- Transfer purposes
- Data categories processed
- Security measures taken
- Retention periods
Exemptions from VERBİS registration (determined by Board decisions):
- Annual number of employees fewer than 50 AND annual financial statement total not exceeding 25 million Turkish Lira
- Processing only for the data subject's own benefit
- Processing for a limited purpose where sensitive data is not processed
Important: Even if exempt from VERBİS registration, all other KVKK obligations apply. VERBİS exemption only removes the registry requirement.
Overseas data controllers: The Board has determined that overseas data controllers subject to KVKK must also register in VERBİS if they are not within an exemption category.
Obligations of Data Controllers
Privacy Notice
Data controllers must inform data subjects at or before collection of:
- Identity of the controller and representative (if applicable)
- Processing purposes
- Recipients of personal data and transfer purposes
- Data collection method and legal basis
- Data subject rights under Article 11
Language: Must be in Turkish for operations serving Turkish individuals.
Data Controller Representative
While KVKK does not explicitly require a Turkish representative for overseas controllers in the same way as GDPR Article 27, the Board's enforcement practice has indicated that overseas controllers should designate a contact point in Turkey. A 2024 Board regulation on cross-border transfers is expected to formalise this requirement.
Data Minimisation and Purpose Limitation
Article 4 establishes core data processing principles:
- Compliance with law and good faith
- Accuracy and being up to date
- Processing for specific, clear, and legitimate purposes
- Relevance, restriction, and proportionality to the purpose
- Retention for the period stipulated by law or required by the purpose
Security Measures (Article 12)
Data controllers must take all necessary technical and administrative measures to prevent:
- Unlawful processing of personal data
- Unlawful access to personal data
- Loss, destruction, or alteration of personal data
The Board has issued specific technical guidelines. Key requirements include:
- Encryption of sensitive personal data in storage and transmission
- Access control and authentication management
- Audit logging
- Penetration testing (at least annually)
- Training for personnel
Cross-Border Data Transfer
Articles 9 and 9/A govern international data transfers. Key restrictions:
General prohibition: Personal data cannot be transferred abroad without the data subject's explicit consent, unless one of the following conditions is met:
- Adequate protection: The destination country has been determined by the Board to provide adequate protection; and one of the processing conditions is met
- Undertaking: The overseas recipient provides an undertaking in writing that adequate protection will be provided; and the Board has approved the transfer
- Standard Contractual Clauses: The 2024 KVKK amendments introduce SCCs modelled on GDPR's approach — transfers to non-adequate countries can use Board-approved standard contractual clauses
- Binding Corporate Rules: Approved BCRs for intragroup transfers
- Exceptional transfers: Where explicit consent cannot be obtained and the transfer is necessary for: legal proceedings, vital interests, exercising rights, performance of official duties
Countries with adequacy determination: The Board maintains a list; as of early 2026, it has approved a limited number of countries. The EU does not have a reciprocal adequacy arrangement with Turkey (despite KVKK's GDPR alignment), meaning EU→Turkey and Turkey→EU transfers require SCCs or explicit consent.
Practical reality for cloud services: Many businesses operating in Turkey use cloud services hosted outside Turkey. Under current KVKK requirements, they must obtain explicit consent for each individual's data transferred abroad or implement SCCs/BCRs for the transfer arrangement.
Breach Notification
The KVKK does not specify an explicit breach notification timeline in the original law. However, Board decisions and implementing guidance establish:
- Notification to Board: Without undue delay and at the latest within 72 hours of becoming aware of a personal data breach
- Notification to data subjects: If the breach is likely to affect the rights of data subjects — without undue delay
- Use the Board's notification form available on the kvkk.gov.tr portal
Notification content:
- Nature of the breach and categories/approximate number of affected individuals
- Categories and approximate number of affected records
- Contact details of the data protection contact person
- Likely consequences of the breach
- Measures taken or proposed
Board Enforcement and Penalties
The Personal Data Protection Board (Kişisel Verileri Koruma Kurulu) has seven members appointed by the President of Turkey. It has authority to:
- Investigate complaints
- Conduct ex officio investigations
- Issue binding decisions
- Impose administrative fines
- Issue compliance orders
Administrative fines (updated annually):
| Violation Type | Penalty Range (2025) |
|---|---|
| Failure to fulfil informing obligations | ₺39,337 – ₺1,966,874 |
| Failure to fulfil data security obligations | ₺98,344 – ₺9,834,375 |
| Failure to comply with Board decisions | ₺196,688 – ₺9,834,375 |
| Failure to register in VERBİS | ₺39,337 – ₺1,966,874 |
| Violation of cross-border transfer rules | Up to ₺19,668,750 |
Criminal penalties: Under Turkish Penal Code Articles 135–140, unlawful recording, provision to third parties, destruction, or use of personal data can result in imprisonment of 1–4 years. Misuse of sensitive data increases penalties.
Notable enforcement actions: The Board has issued significant decisions including fines against: WhatsApp (₺1.95 million for unlawful cross-border transfer via privacy policy changes), Trendyol (multiple actions for data security deficiencies), Meta/Facebook (₺3 million for WhatsApp data sharing), and various Turkish banks and telecom operators.
KVKK Compliance Checklist
- KVKK applicability determined (Turkey operations or Turkish individuals' data processed)
- VERBİS registration completed or exemption confirmed
- Personal data inventory completed including sensitive data identification
- Processing conditions documented for each activity
- Sensitive data processing conditions documented (explicit consent or specific exemption)
- Privacy notice prepared in Turkish with all required elements
- Data subject rights procedures documented (30-day response)
- Cross-border transfer assessment completed — mechanism in place (SCCs, consent, or adequacy)
- Security measures implemented: encryption, access control, audit logging
- Penetration test conducted and results documented
- Breach notification procedure documented (72-hour Board notification)
- Retention schedules documented and automated deletion configured
- Personnel training on KVKK obligations completed
- VERBİS entries kept current and up to date
Frequently Asked Questions
What is VERBİS and is registration mandatory for my business?
VERBİS (Veri Sorumluları Sicili) is Turkey's Data Controllers Registry — a public register of organisations that process personal data. Registration is mandatory for data controllers that do not qualify for a Board-determined exemption. Exempt categories include small organisations (fewer than 50 employees AND less than 25 million TL annual turnover) that do not process sensitive data. All other organisations processing personal data for commercial purposes must register before beginning processing. Failure to register is subject to administrative fines of up to ₺1.96 million.
How does KVKK compare to GDPR?
KVKK and GDPR are similar in structure and principles — both establish lawful bases, data subject rights, controller/processor frameworks, and data security obligations. Key differences: (1) KVKK's processing conditions differ in number and substance from GDPR's (7 vs GDPR's 6); (2) KVKK cross-border transfers are more restrictive — Turkey is not an EU-adequate country, so EU→Turkey and Turkey→EU transfers require SCCs or consent; (3) VERBİS registration has no direct GDPR equivalent; (4) KVKK criminal penalties are more extensive; (5) KVKK's enforcement approach has been more restrictive on international data flows.
Does my company need a local representative in Turkey?
KVKK does not have an explicit requirement analogous to GDPR Article 27 for a Turkish representative. However, the Board has taken enforcement actions against overseas companies, and practical compliance — including VERBİS registration and responding to Board investigations — requires Turkish-language communication and the ability to respond within Turkish legal processes. Many overseas companies appoint a Turkish law firm or compliance partner as their de facto representative. The 2024 KVKK amendments are expected to clarify representative requirements for overseas controllers.
What are the cross-border transfer options for Turkish businesses using AWS or Azure?
AWS and Azure have data centres in Turkey (AWS and Azure both have Istanbul regions). Using Turkey-region services avoids cross-border transfer issues. If you use non-Turkish cloud regions, you need a cross-border transfer mechanism. Currently, the primary options are: (1) explicit individual consent (operationally challenging for large-scale cloud use); (2) undertaking — the overseas recipient provides a written commitment to protect data, approved by the Board (Board approval process is long); (3) Board-approved SCCs introduced in 2024 amendments. Many businesses are waiting for Board guidance on SCC templates before migrating from consent-based approaches.
What types of violations attract the highest KVKK fines?
The highest administrative fines (up to ₺19.6 million) are for cross-border transfer violations. Data security obligation violations attract fines up to ₺9.8 million. Failure to comply with Board decisions also attracts high fines (up to ₺9.8 million). In practice, the Board has issued the largest fines for: unlawful cross-border transfers (particularly to social media platforms), data security breaches resulting from inadequate technical measures, and systematic non-compliance with notification obligations. Criminal sanctions (imprisonment under the Turkish Penal Code) are reserved for deliberate unlawful recording or provision of personal data.
Next Steps
Turkey's KVKK is a demanding compliance framework with active enforcement, specific technical standards, and complex cross-border transfer rules. As Turkish legislation continues to evolve through Board decisions and regulatory amendments, maintaining compliance requires ongoing monitoring.
ECOSIRE assists businesses operating in Turkey with KVKK compliance assessments, VERBİS registration support, technical implementation of data protection controls, and cross-border transfer mechanism selection.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Turkish data protection law is subject to ongoing change through Board decisions and legislative amendments. Consult qualified Turkish legal counsel for advice specific to your organisation.
Written by: ECOSIRE Team, Technical Writing