
What foreign nationals and businesses need to know about Turkish Law No. 6698, compliance obligations, data subject rights, VERBIS registration, and enforcement decisions
With rapid global digitalization, collecting, storing, and processing personal data has become an inseparable part of modern business operations. Whether you are a foreign company with employees or customers in Turkey, a multinational with a Turkish subsidiary, or an individual entrepreneur operating in the Turkish market, you are almost certainly processing personal data that falls within the scope of Turkish data protection law.
At Bayraktar Attorneys, we regularly advise foreign nationals and businesses on KVKK compliance, including data processing inventories, information notices, consent mechanisms, cross-border transfer arrangements, VERBIS registration, and representation before the Personal Data Protection Board. This guide sets out the full legal framework in practical terms.
Answer-first: KVKK stands for Kisisel Verilerin Korunmasi Kanunu, which is the Personal Data Protection Law No. 6698 of Turkey. Enacted on 7 April 2016, it governs the processing of personal data, protects individual privacy, and imposes compliance obligations on data controllers, with administrative fines currently reaching millions of Turkish Lira per violation. Any legal entity or individual processing personal data in Turkey, or targeting data subjects residing in Turkey from abroad, must achieve and maintain full compliance. |
KVKK establishes a precise set of defined terms that determine who is regulated, what is regulated, and on what legal grounds. These definitions are the starting point for any compliance analysis.
1.1. Personal Data
Under Article 3 of KVKK, personal data means any information relating to an identified or identifiable real person. This is a broad definition that covers obvious identifiers such as names, national identity numbers, and home addresses, as well as less obvious information such as IP addresses, cookie identifiers, location data, voice recordings, photographs, and behavioral profiles.
The identifiability test is key: if information can be combined with other data to identify a specific individual, even if that combination requires additional steps, it constitutes personal data under KVKK.
1.2. Special Categories of Personal Data
Article 6 of KVKK identifies a set of data categories that are subject to enhanced protection and stricter processing conditions. These are:
The processing of special categories of personal data is prohibited unless the data subject has given explicit consent, or specific statutory exceptions apply. Health and criminal data may only be processed, even with consent, by persons under a duty of confidentiality and for purposes specified by law.
Important Many foreign businesses process health data, biometric data, or trade union membership data as a routine part of their HR operations, without realizing that Turkish law subjects these categories to a much stricter regime than ordinary personal data. Processing special category data without a valid legal basis under Article 6 is one of the most common sources of significant KVKK fines. |
1.3. Data Controller vs. Data Processor
KVKK draws the same fundamental distinction as the EU GDPR between data controllers and data processors:
Data Controller (Veri Sorumlusu): the real person or legal entity that determines the purposes and means of processing personal data. The data controller bears the primary legal obligations under KVKK, including the duty to inform, the obligation to register with VERBIS where applicable, and the obligation to respond to data subject requests. Where a foreign company determines how and why personal data relating to Turkish residents is processed, that company is the data controller regardless of where it is incorporated.
Data Processor (Veri Isleten): a person or entity that processes personal data on behalf of the data controller, under the controller's instructions. Data processors in Turkey must comply with the security and confidentiality obligations imposed by KVKK, even though the primary accountability rests with the controller.
1.4. Data Subject (Ilgili Kisi)
The data subject is the identified or identifiable real person whose personal data is being processed. KVKK protects only natural persons. Corporate data, such as information about companies as legal entities, falls outside KVKK's protective scope, though contact details of individuals at companies (such as a named employee's work email) constitute personal data.
One of the most practically important aspects of KVKK compliance is understanding on what legal ground each processing activity rests. Article 5 of KVKK identifies the lawful bases for processing ordinary personal data (and Article 6 for special categories). Processing without a valid legal basis constitutes a violation regardless of whether any harm results.
Legal Basis | Description | Common Examples |
Explicit consent (Acik riza) | Freely given, specific, informed, and unambiguous consent by the data subject | Marketing communications, optional profile features, health data processing |
Contractual necessity | Processing necessary for the performance of a contract with the data subject, or to take pre-contractual steps at their request | Shipping address for order fulfillment, payroll processing for employees |
Legal obligation | Processing necessary to comply with a legal obligation on the controller | Tax record retention, mandatory workplace safety records, KYC under anti-money laundering law |
Protection of vital interests | Processing necessary to protect the vital interests of the data subject or another person where the data subject cannot give consent | Medical emergencies |
Legitimate interests (controllers) | Processing necessary for the legitimate interests of the controller or a third party, where not overridden by the data subject's interests or fundamental rights | Fraud prevention, network and information security, intra-group HR transfers |
Public interest or exercise of official authority | Processing carried out in the public interest or in the exercise of official authority | Government bodies and public institutions |
A common error among foreign businesses is to rely on explicit consent as a default legal basis for all processing activities. Consent is the appropriate basis only where none of the other statutory bases applies, and it carries significant obligations: it must be freely given (which means it cannot be a condition of accessing a service), specific, informed, and withdrawable at any time. Relying on bundled, pre-ticked, or coerced consent is a violation of KVKK.
Article 4 of KVKK establishes a set of overarching principles that apply to every act of data processing, regardless of the legal basis. These principles are not mere policy aspirations: the Board enforces them through administrative fines.
3.1. Lawfulness, Fairness, and Transparency
All processing must have a clear legal basis, must be fair to the data subject, and must be carried out transparently. Transparency requires that data subjects are informed about processing activities in clear, plain language, not hidden in lengthy terms and conditions that no one reads.
3.2. Purpose Limitation
Data may only be collected for specified, explicit, and legitimate purposes, and may not be subsequently processed in a manner incompatible with those purposes. This principle is frequently violated by businesses that collect data for one purpose (for example, delivery) and then use it for another (for example, marketing) without a separate legal basis.
3.3. Data Minimization
Only the personal data that is actually necessary for the stated processing purpose may be collected. Collecting additional data 'in case it is useful later' violates the minimization principle. The Board's decision in the e-Devlet password case discussed below is a clear enforcement example of this principle.
3.4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. Controllers must implement reasonable measures to ensure that inaccurate data is corrected or deleted without delay.
3.5. Storage Limitation
Data must be retained only for as long as is necessary for the stated purpose, or as required by applicable law. Once the purpose is fulfilled and no legal retention obligation remains, the data must be deleted, destroyed, or anonymized.
3.6. Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
Article 10 of KVKK requires data controllers to provide data subjects with a mandatory information notice (aydınlatma metni) at the time of data collection. This is one of the most universally applicable obligations under KVKK and one that many businesses, particularly smaller foreign businesses entering Turkey, fail to address properly.
4.1. Mandatory Content of the Information Notice
The information notice must contain, at minimum:
4.2. When Must the Notice Be Provided?
The information notice must be provided at the point of data collection. It cannot be provided after data has already been collected. For digital businesses, this means the notice must be accessible and presented before or at the moment the user provides their data, not buried in post-registration communications.
4.3. Distinction Between Information Notice and Consent
A critically important distinction that many businesses overlook is that the information notice (aydınlatma metni) is not the same as the consent declaration (acik riza beyanı). The obligation to inform applies regardless of whether the legal basis for processing is consent. Even where processing rests on contractual necessity or legal obligation, the data subject must still receive the information notice.
If your business requires consent for certain processing activities, the consent mechanism must be entirely separate from the information notice. Bundling the two, for example by having a single checkbox that constitutes both information and consent, is a common technical error that invalidates the consent and potentially the information obligation. |
Where processing relies on explicit consent as its legal basis, Article 3 and Article 5 of KVKK impose strict requirements on what constitutes valid consent. Consent that does not meet these requirements is null and processing based on it constitutes a violation.
5.1. Elements of Valid Explicit Consent
5.2. The Problem of Conditional Consent
One of the most common compliance failures we encounter is the conditioning of a service, product, or transaction on the data subject's consent to marketing or other non-essential processing. The Board has consistently held that consent given under these conditions lacks the element of free will and is therefore invalid. The mandatory credit card saving case discussed in Section 7 below is a direct illustration of this principle.
VERBIS (Veri Sorumluları Sicili Bilgi Sistemi) is the publicly accessible registry of data controllers maintained by the Personal Data Protection Authority. Data controllers that meet the defined thresholds are required to register their data processing activities with VERBIS before commencing those activities.
6.1. Who Must Register?
The obligation to register applies to data controllers that either meet the financial balance sheet or employee number thresholds defined in the Board's secondary regulations, or that process special categories of personal data. The Board has the authority to exempt certain categories of controllers from registration, which it has done for some smaller entities.
Critically, the registration obligation applies to foreign data controllers that process data of Turkish residents. A foreign company that has no physical presence in Turkey but targets Turkish customers online and processes their personal data must register with VERBIS and designate a representative based in Turkey.
6.2. What Must Be Registered?
VERBIS registration requires the data controller to document and publicly disclose:
From Our Practice We regularly assist foreign companies in completing their VERBIS registration, which requires a detailed mapping of data flows across the entire organization before registration can be completed. A business that has not conducted a thorough data processing audit will not have the information needed to complete VERBIS registration accurately. Inaccurate registration is itself a violation. We recommend beginning the audit process well in advance of the registration deadline. |
Article 11 of KVKK grants data subjects a comprehensive set of rights. Upon receiving a valid request from a data subject, the data controller must respond within 30 days. Failure to respond, or refusal to act on a valid request, exposes the controller to Board complaints and administrative sanctions.
Right | Description | Key Notes |
Right to learn whether data is processed | The data subject may ask whether the controller holds any personal data about them | Must be answered regardless of whether data is held |
Right to information | Where data is processed, the subject may request information about the nature, purposes, and sources of the processing | Effectively a subject access right |
Right to know the purpose | The subject may ask whether data is being used in conformity with the stated purpose | Ties to the purpose limitation principle |
Right to know third-party recipients | The subject may ask to whom their data has been transferred, domestically or abroad | Requires the controller to maintain accurate transfer records |
Right to rectification | The subject may request correction of inaccurate or incomplete data | Controller must notify third party recipients of the correction |
Right to erasure or destruction | Where the conditions for processing no longer exist, the subject may request deletion or destruction of their data | Controller must notify third party recipients |
Right to object to automated decisions | The subject may object to a decision made solely on the basis of automated processing that produces legal effects or similarly significant effects | Equivalent to GDPR Article 22 |
Right to claim damages | Where processing causes harm, the subject has the right to claim compensation | Civil claim route before courts |
7.1. How Data Subjects Submit Requests
Data subjects must submit their requests in writing to the data controller, either by written letter, electronically signed email, registered e-mail (KEP), or through secure electronic application channels designated by the controller. The controller must verify the identity of the applicant before responding.
7.2. The 30-Day Response Deadline
The data controller must conclude the request within 30 days of receipt. If the request requires additional time (for example, because the data involved is extensive), the controller may extend this period, but must notify the data subject. Responses are generally free of charge. Where the request is manifestly unfounded or excessive, a reasonable fee may be charged.
Where the data controller rejects the request, the data subject may file a complaint with the Personal Data Protection Board within 30 days of learning of the rejection, and in any event within 60 days of the original request.
The transfer of personal data outside Turkey is one of the most complex areas of KVKK compliance for foreign businesses. Article 9 of KVKK imposes strict requirements on cross-border transfers.
8.1. The Adequacy Decision Route
Personal data may be transferred to a foreign country if the Personal Data Protection Board has declared that country to provide an adequate level of protection. The Board periodically reviews and updates the list of countries deemed to provide adequate protection. Where a target country is on this list, transfer does not require additional justification.
8.2. Transfers Without an Adequacy Decision
Where the recipient country has not been declared adequate, cross-border transfer may only occur where one of the following conditions is met:
8.3. Binding Corporate Rules and Standard Contractual Clauses
In practice, many multinational businesses operating in Turkey use binding corporate rules or standard contractual clauses to legitimize intra-group and third-party cross-border transfers, mirroring the mechanisms used under GDPR. The Board has developed its own framework for standard contractual clauses that can be used for transfers where neither an adequacy decision nor a statutory exception applies.
Important Many foreign businesses assume that because their global headquarters is in an EU country, and GDPR applies to the entire group, their Turkish operations automatically comply with KVKK's cross-border transfer requirements. This is incorrect. KVKK is a separate legal regime with its own adequacy assessment and transfer mechanism requirements. A GDPR-compliant data transfer arrangement does not automatically satisfy KVKK. |
Article 12 of KVKK requires data controllers to take all necessary technical and administrative measures to ensure an appropriate level of security for personal data. This obligation applies to the data itself as well as to systems, processes, and personnel who interact with it.
9.1. Technical Measures
The Board has published guidelines identifying the technical measures expected of data controllers. These include:
9.2. Administrative Measures
Administrative security measures required by KVKK include:
9.3. Data Breach Notification
Article 12(5) of KVKK requires data controllers to notify the Personal Data Protection Board as soon as possible, and within 72 hours, of becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Where the breach is likely to result in high risk to the rights and freedoms of natural persons, affected data subjects must also be notified.
From Our Practice In our experience, data breach incidents involving Turkish operations are consistently handled better by companies that have established breach response plans and designated responsible personnel before an incident occurs. Companies without these structures in place regularly miss the 72-hour notification window, which itself constitutes a separate violation from the underlying breach. |
The true operational scope of KVKK is defined by the Board's enforcement decisions. The following cases illustrate the Board's approach to key compliance issues.
10.1. Workplace Prayer Room Surveillance
An employer installed security cameras in a workplace prayer room and subsequently used footage from those cameras in employment court proceedings, arguing that an employee had been abusing prayer time. The Board found that recording individuals in a religious space constitutes the processing of special category personal data relating to religious beliefs, and that using such recordings in litigation, without the employees' knowledge or consent and without a valid legal basis for special category data processing, constituted an unlawful processing of sensitive data. The employer was fined 300,000 TL.
The case illustrates a core principle: data collected for one purpose (workplace security) cannot be repurposed for another use (evidence in litigation) without a separate legal basis, and data captured in a context that reveals religious beliefs requires the heightened justification demanded by Article 6.
10.2. Courier Employee's Personal Use of Customer Data
Following a delivery, a courier employee used the recipient's phone number from the company's logistics database to send personal text messages for social purposes. The Board held the logistics company liable, not just the individual employee. The basis was that the company had failed to implement sufficient access controls over its systems, allowing an employee to retrieve and use customer contact information for purposes unrelated to the delivery transaction. The company's failure to restrict access constituted a failure of the technical and administrative security measures required by Article 12.
This case has a direct practical implication for any business with CRM systems, customer databases, or logistics platforms: role-based access controls must prevent employees from accessing data beyond what is necessary for their specific function.
10.3. Mandatory Credit Card Saving in E-Commerce
A major online marketplace redesigned its checkout interface to require users to save their credit card details to their account profile as a condition of completing a purchase. The Board found that because the purchase could technically be completed without saving the card for future use, requiring the user to save card details as a condition of the transaction invalidated the element of free will required for explicit consent. Saving payment credentials beyond the immediate transaction is a separate processing purpose that requires its own legal basis, and conditioning service access on consent to that additional processing is a KVKK violation. A fine of 500,000 TL was imposed.
10.4. Requiring e-Devlet Passwords for Credit Risk Assessment
A consumer finance company required customers to hand over their e-Devlet (national e-Government portal) login credentials as part of its credit risk assessment process. The Board found that an e-Devlet password provides access to a wide range of highly sensitive government-held data about the individual, including health records, asset information, and legal history, far beyond what is relevant to a credit risk assessment. This violated the data minimization principle under Article 4 and constituted a disproportionate processing of data that was far in excess of what was necessary for the stated purpose. A fine of 400,000 TL was imposed.
10.5. Key Themes From Board Enforcement
Across its enforcement decisions, the Board has consistently emphasized:
Many foreign businesses approach KVKK through the lens of GDPR, which is understandable given that the Turkish law drew extensively on the European framework. However, important structural differences mean that GDPR compliance does not automatically produce KVKK compliance.
Feature | KVKK (Turkey) | EU GDPR |
Enactment | Law No. 6698, 7 April 2016 | Regulation 2016/679, 25 May 2018 |
Territorial scope | Applies to processing of Turkish residents' data by controllers inside or outside Turkey | Applies to processing of EU residents' data by controllers inside or outside the EU |
Legal bases for processing | Article 5 (ordinary data) / Article 6 (special categories) | Article 6 (ordinary) / Article 9 (special categories) |
Data controller registry | VERBIS registration system (mandatory for eligible controllers) | No equivalent centralized public registry under GDPR |
Data Protection Officer | No DPO requirement under KVKK (but an internal responsible person is expected) | Mandatory DPO in certain circumstances (public bodies, large-scale monitoring, special category data) |
Cross-border transfers | Board adequacy decisions plus statutory exceptions; developing SCCs framework | Commission adequacy decisions, SCCs, BCRs, derogations |
Data portability right | No explicit data portability right in KVKK | Explicit right under GDPR Article 20 |
Maximum fines | Updated annually; currently reaching millions of TL per violation | Up to 4% of global annual turnover or EUR 20 million, whichever is higher |
Breach notification |
|
The following checklist covers the principal compliance steps for a foreign business with operations, employees, or customers in Turkey.
Yes. KVKK applies to any data controller that processes personal data of individuals residing in Turkey, regardless of where the controller is established. A foreign company that operates an e-commerce platform targeting Turkish consumers, or a foreign employer that processes data relating to Turkish remote employees, is subject to KVKK and must comply with its obligations, including VERBIS registration through a local representative where applicable.
KVKK fines are updated annually in line with the revaluation rate announced by the Turkish Revenue Administration. The maximum fine for a single violation is not expressed as a percentage of turnover (unlike GDPR) but as an absolute Turkish Lira amount that increases each year. The current maximum for the most serious violations, such as failure to comply with Board orders, reaches several million Turkish Lira. Multiple violations can result in multiple fines. Fines for failure to fulfill the obligation to inform, failure to implement security measures, and unlawful data transfers are each separately specified and separately assessed.
No. While KVKK and GDPR share many structural elements, including the same core principles, the same categories of data subjects, and similar data subject rights, there are important differences. KVKK does not include a right to data portability. KVKK imposes a unique VERBIS registration system with no GDPR equivalent. The cross-border transfer frameworks differ. The fine structure is different. Businesses that have achieved GDPR compliance have a significant head start on KVKK compliance, but a gap analysis is always necessary.
Article 5 of KVKK provides six legal bases for processing ordinary personal data: explicit consent, contractual necessity, legal obligation, protection of vital interests, public interest or official authority, and the legitimate interests of the controller. For special categories of data listed in Article 6, the bases are more restricted: explicit consent is the primary route, with limited statutory exceptions for health and criminal data processed by authorized persons under confidentiality obligations. Processing without a valid legal basis is a violation regardless of harm.
Employers may monitor corporate email accounts and devices only under strict conditions. The employer must publish a clear internal privacy notice informing employees that corporate communication tools are for business purposes and may be subject to monitoring. Any monitoring must be proportionate, necessary for a legitimate business purpose, and limited to business-related communications. Monitoring personal communications, even on corporate devices, is generally impermissible. The Board has made clear that workplace monitoring activities constitute personal data processing subject to all KVKK obligations.
Under Article 10, the information notice must include: the identity and contact details of the data controller; the purposes of processing; the legal basis for each purpose; to whom the data may be transferred and for what purposes; the method of data collection and its legal basis; and the data subject's rights under Article 11. The notice must be presented in clear, accessible language at the point of data collection, and must be separate from any consent mechanism.
If a data controller fails to respond within 30 days, or refuses to act on a valid Article 11 request, the data subject may file a complaint with the Personal Data Protection Board within 30 days of learning of the refusal, and in any event within 60 days of the original request. The Board may investigate the matter and, if it finds a violation, may order the controller to take corrective action and impose an administrative fine. The data subject may also pursue civil damages through the courts.
Yes. KVKK applies to both automated processing systems and non-automated filing systems, provided that personal data is stored in a structured filing system that allows access to data relating to a specific individual. Customer files, HR paper records, physical contracts containing personal information, and printed forms all fall within KVKK's scope if they form part of a structured data system.
KVKK is a mature, actively enforced data protection regime that applies broadly to any business, Turkish or foreign, that processes personal data relating to individuals in Turkey. The Personal Data Protection Board has demonstrated through its enforcement decisions that it takes violations seriously and is prepared to impose significant fines for failures of information, security, consent, and data minimization.
For foreign businesses entering the Turkish market, KVKK compliance is not an optional feature to be addressed later. The obligations to inform, to register with VERBIS where applicable, to secure data appropriately, and to respond to data subject requests apply from the moment personal data relating to Turkish residents is first processed.
At Bayraktar Attorneys, we advise foreign businesses on the full spectrum of KVKK compliance, from initial data mapping and information notices through to VERBIS registration, cross-border transfer mechanisms, breach response planning, and representation before the Board. If you have questions about your organization's KVKK obligations, please contact us directly.