Personal data protection in Türkiye is governed by the Personal Data Protection Law No. 6698 (Kişisel Verilerin Korunması Kanunu, or KVKK), which took effect in 2016. The law is closely modelled on European standards and, following its March 2024 amendments, has moved further toward alignment with the EU General Data Protection Regulation (GDPR). For any company operating in or entering the Turkish market, KVKK compliance is now a baseline requirement rather than an afterthought — it shapes how you hire, sell, market, and run your IT systems from day one.
The framework at a glance
The KVKK is enforced by the Personal Data Protection Board (Kişisel Verileri Koruma Kurulu), the decision-making body of the Personal Data Protection Authority. The Board issues binding decisions, investigates complaints, publishes guidance and imposes administrative fines. Its published decisions matter in practice: unlike a purely private dispute, a Board finding against your company is often made public, so a compliance failure can become a reputational event as well as a financial one.
The law rests on a familiar set of definitions:
- Data controller — the natural or legal person who determines the purposes and means of processing. This reaches entities outside Türkiye whose processing affects individuals in the country.
- Data processor — a person who processes data on the controller’s behalf, under the controller’s authority.
- Processing — almost any operation performed on personal data, including collection, recording, storage, alteration, disclosure, transfer and erasure.
What this means for you
If you sell to Turkish consumers, employ people in Türkiye, or run a website or app that collects data from users in the country, you are almost certainly a data controller under the KVKK — even if your servers and headquarters are abroad. The practical consequence is that the first compliance question is rarely “does the law apply?” but “where are our gaps, and how exposed are we?”
Lawful grounds for processing
As a rule, personal data may only be processed with the explicit consent of the data subject. Consent must be freely given, specific and informed — a pre-ticked box or a blanket “I agree to everything” clause buried in terms of service will not hold up before the Board.
The KVKK then sets out specific exceptions where processing is lawful without consent, such as where it is:
- expressly permitted by law;
- necessary to perform or conclude a contract with the data subject;
- required to comply with a legal obligation of the controller;
- necessary to protect the life or physical integrity of a person who cannot give consent; or
- necessary for the controller’s legitimate interests, provided the data subject’s fundamental rights are not prejudiced.
Special categories of data — including health, biometric and genetic data, religious belief, ethnic origin, and criminal records — are subject to stricter conditions and, for most categories, require explicit consent or a specific statutory basis. These are the categories that most often generate complaints and fines, so processing them (for example, in HR files or health services) needs particular care.
A common and costly mistake is treating explicit consent as a catch-all. Consent that is bundled into a contract, made a condition of service, or impossible to withdraw is not valid consent — and relying on it can leave your entire processing operation unlawful.
Rights of the data subject
The KVKK grants individuals a robust set of rights. A data subject may:
- learn whether their personal data is being processed and request information about it;
- learn the purpose of processing and whether the data is used accordingly;
- know the third parties, in Türkiye or abroad, to whom data is transferred;
- request correction of inaccurate data and erasure or destruction where the grounds for processing no longer exist;
- object to outcomes produced solely by automated analysis; and
- claim compensation for damage caused by unlawful processing.
Controllers must respond to such requests within the statutory time limit (as soon as possible and at the latest within thirty days of the application), and unresolved applications can be escalated to the Board. In practice this means you need a working intake process — a monitored contact point, a template response, and an internal owner — before the first request arrives, not after.
VERBIS registration
Most controllers must enrol in VERBIS (Veri Sorumluları Sicili), the Data Controllers’ Registry, before processing begins. The registration describes, at a high level, what data you process, for what purposes, with whom you share it, and what security measures you apply. The Board grants a limited exemption to smaller controllers based on annual turnover and employee headcount, but that threshold is narrow and should be verified rather than assumed.
Foreign controllers without an establishment in Türkiye face an added step: they generally must appoint a data controller representative in the country and register through that representative. Skipping VERBIS is one of the more frequently penalised failures precisely because it is easy for the Board to detect — a controller either appears on the registry or does not.
Cross-border data transfers after the 2024 reform
Transfer of personal data abroad was historically the most restrictive part of the KVKK, and for years it was the single biggest headache for multinational groups running shared HR, CRM or cloud systems. The March 2024 amendments overhauled this regime. Data may now be transferred outside Türkiye through:
- an adequacy decision by the Board for the destination country;
- appropriate safeguards such as standard contractual clauses, binding corporate rules, or an undertaking approved by the Board; or
- specific exceptional grounds, including the data subject’s explicit informed consent, for occasional transfers.
Standard contractual clauses must be notified to the Authority within a set period after signing (five business days under the amended Article 9). This shift gives multinational groups practical, GDPR-style mechanisms that did not previously exist under Turkish law — but the mechanisms only protect you if the paperwork is actually in place and filed on time.
If your group moves Turkish employee or customer data to a parent company, a cloud provider, or a shared service centre abroad, the transfer needs a documented legal basis under the KVKK. Doing it on the strength of a global GDPR policy alone is not enough.
KVKK and GDPR side by side
For groups that already run a GDPR programme, the fastest way to scope the Turkish work is to see where the regimes diverge:
| Topic | GDPR | KVKK |
|---|---|---|
| Default lawful ground | Six co-equal legal bases | Explicit consent as the rule, with listed exceptions |
| Registry obligation | No general registry | VERBIS registration for most controllers |
| Foreign controllers | EU representative in some cases | Data controller representative + VERBIS registration |
| Cross-border transfers | Adequacy, SCCs, BCRs | Aligned since March 2024, but SCCs must be notified to the Authority |
| Enforcement | National supervisory authorities | KVKK Board, with fines updated annually for inflation |
The practical takeaway: a GDPR-compliant group usually needs a focused local layer — Turkish-language notices, VERBIS, and filed transfer documents — rather than a rebuilt programme.
Enforcement and penalties
Non-compliance carries real exposure. The Board can impose administrative fines, updated each year for inflation, for failures such as breaching data security obligations, ignoring Board decisions or neglecting VERBIS registration. Separately, the Turkish Penal Code criminalises the unlawful recording, disclosure and non-erasure of personal data, which can expose individuals within a company to personal liability. Affected individuals may also bring civil compensation claims for the damage they suffer.
Because many Board decisions are published, the practical cost of a serious failure often exceeds the headline fine: prospective partners, investors and customers can see it.
If the Board does open an investigation — typically after a data subject complaint or a reported breach — the quality of your written response matters enormously. Investigations are conducted largely on the file: the Board asks questions, sets deadlines, and decides on the documents you submit. Answering late, incompletely, or without the supporting records (consent logs, notices, security policies) is itself treated as a compliance signal. This is one of the areas where preparing before any incident pays off most directly.
What compliance looks like in practice
Companies operating in Türkiye should:
- map their processing activities and maintain accurate records;
- issue compliant privacy notices (aydınlatma metni) and, where required, collect valid explicit consent;
- complete and keep current their VERBIS entry;
- put data transfer mechanisms in place before moving data abroad;
- implement technical and organisational security measures and a breach-response plan; and
- train staff so that compliance is embedded rather than reactive.
We advise clients across the full lifecycle — from gap assessments and policy drafting to VERBIS filings, transfer agreements, breach notifications and representation before the Board. The pattern we see most often is a company that is broadly compliant with the GDPR assuming it is therefore compliant in Türkiye; it usually is not, because of VERBIS, the consent default, and local notification rules. Early, structured compliance is far less costly than responding to an investigation after the fact.
How we build KVKK compliance
1. Gap assessment: We map your data flows and measure current practice against the KVKK, flagging the highest-risk gaps first.
2. Notices and consents: We draft compliant privacy notices (aydınlatma metni) and valid explicit-consent mechanisms tailored to each processing activity.
3. VERBIS registration: We prepare and file your VERBIS entry, appointing a data controller representative first if you have no Turkish establishment.
4. Transfer mechanisms: We put standard contractual clauses, binding corporate rules or another lawful route in place before data leaves Türkiye, with timely notification to the Authority.
5. Ongoing compliance: We train staff, set up a data-subject request process and a breach-response plan, and keep documentation current as the Board's practice evolves.
Frequently asked questions
What is the KVKK and who does it apply to?
The KVKK is Türkiye's Personal Data Protection Law (Law No. 6698). It applies to any natural or legal person who processes the personal data of individuals in Türkiye, including data controllers established abroad whose processing affects people in Türkiye. In practice, if you have Turkish customers, employees or users, the law reaches you even without a Turkish office.
Does my company need to register with VERBIS?
Most data controllers must register with VERBIS, the Data Controllers' Registry, before they begin processing. Certain controllers are exempt based on headcount and annual turnover thresholds set by the KVKK Board, but the exemption is narrow and should be confirmed case by case. Foreign controllers without a Turkish establishment generally must appoint a data controller representative and still register.
Can I transfer personal data outside Türkiye?
Yes, but only through one of the legal routes set out in the KVKK. The March 2024 amendments introduced standard contractual clauses, binding corporate rules and other safeguards alongside the existing adequacy and explicit-consent routes, bringing the regime closer to the GDPR. Standard contractual clauses must be notified to the Authority within a set period after signing (five business days).
What penalties apply for breaching the KVKK?
The KVKK Board can impose administrative fines that are updated annually for inflation, and separate criminal liability exists under the Turkish Penal Code for unlawful recording, disclosure or failure to erase personal data. Data subjects may also claim compensation for damage they suffer, and Board decisions are frequently published, creating reputational exposure.
What are the main rights of a data subject under the KVKK?
Individuals can learn whether their data is processed, request information and access, learn the third parties data is shared with, ask for correction or erasure, object to results produced solely by automated analysis, and claim compensation for unlawful processing. Controllers must answer these requests within the statutory time limit, which is at the latest thirty days from the application.
How is the KVKK different from the EU GDPR?
The two regimes share the same structure and much of the same vocabulary, and the 2024 reform narrowed the gap on international transfers. But important differences remain: the KVKK still treats explicit consent as the default lawful ground, VERBIS registration has no direct GDPR equivalent, deadlines and fine levels differ, and enforcement practice reflects the Turkish Board's own published decisions. Compliance built only for the GDPR does not automatically satisfy the KVKK.