Quick answer: KVKK (Kişisel Verilerin Korunması Kanunu — Law No. 6698) is Turkey's data protection law, in force since April 7, 2016. It was modeled on the EU Data Protection Directive 95/46/EC and shares similarities with GDPR, but has significant differences in consent requirements, data transfer rules, and enforcement. With Turkey's EU accession ambitions, amendments are bringing KVKK closer to GDPR.
What Is KVKK?
KVKK is Turkey's comprehensive data protection law. It applies to all natural and legal persons that process personal data of individuals in Turkey — regardless of where the data controller is located. The law is enforced by the KVKK Board (Kişisel Verileri Koruma Kurulu), Turkey's data protection authority.
KVKK vs GDPR: Key Differences
| Aspect | Turkish KVKK | EU GDPR |
|---|---|---|
| In force since | April 2016 | May 2018 |
| Based on | EU Directive 95/46/EC | Replaces Directive 95/46/EC |
| Consent standard | Explicit consent is the primary legal basis | 6 legal bases (consent is just one option) |
| Legitimate interest | Not available as a standalone legal basis (only where processing is "mandatory for legitimate interest if not outweighing fundamental rights") | Available as a standalone legal basis (Art. 6(1)(f)) |
| Sensitive data categories | Includes race, ethnicity, political opinion, religion, health, biometrics, criminal records, appearance, association membership | Similar, but appearance and association membership are not explicitly listed |
| DPO requirement | Not required — but must register with VERBIS (Data Controllers Registry) | Mandatory for public bodies and large-scale processing |
| Data breach notification | Report to KVKK Board "as soon as possible" (practice: within 72 hours) | 72 hours to DPA |
| Cross-border transfers | Very restrictive — adequate country list + explicit consent OR Board approval | Adequacy + SCCs + BCRs + other mechanisms |
| Fines | TRY 50,000 – 5,000,000 (~€1,500 – €150,000) | Up to €20M or 4% of revenue |
| Right to be forgotten | Available (Art. 7) | Available (Art. 17) |
| Data portability | Not explicitly granted | Explicitly granted (Art. 20) |
| DPIA | Not explicitly required (but recommended by KVKK Board) | Mandatory for high-risk processing |
2024 Amendments: Moving Closer to GDPR
In March 2024, Turkey amended KVKK through Law No. 7499, introducing significant GDPR-aligned changes:
- New legal bases for processing: Added "legitimate interest" as a separate legal basis (similar to GDPR Art. 6(1)(f)), establishment/exercise of legal claims, and public interest
- Relaxed cross-border transfers: Introduced adequacy decisions, appropriate safeguards (contractual clauses), and binding corporate rules as transfer mechanisms — replacing the previous ultra-restrictive system
- Automated decision-making: New right to object to decisions made solely by automated means
KVKK Compliance Checklist
| # | Action | Priority |
|---|---|---|
| 1 | Register with VERBIS (Data Controllers Registry) if required by turnover/employee thresholds | Critical |
| 2 | Create a Turkish-language privacy policy (aydınlatma metni) compliant with Art. 10 | Critical |
| 3 | Implement explicit consent mechanisms for processing activities that rely on consent | Critical |
| 4 | Establish a data subject rights response process (applications must be answered within 30 days) | Critical |
| 5 | Create a personal data retention and destruction policy | High |
| 6 | Implement cookie consent for Turkish users (KVKK Board has issued guidance requiring consent) | High |
| 7 | Assess cross-border data transfers and implement appropriate safeguards under the 2024 amendments | High |
| 8 | Conduct a data inventory: map all personal data processing activities | High |
| 9 | Implement technical and administrative security measures (Art. 12) | High |
| 10 | Train employees on data protection obligations | Medium |
Website-Specific Requirements
- Aydınlatma metni (Privacy notice): Must be in Turkish, must identify the controller, purposes, recipients, legal basis, retention periods, and data subject rights. Must be displayed before any data collection
- Cookie consent: The KVKK Board has published cookie guidelines requiring consent for non-essential cookies, similar to EU practice. Must disclose cookie categories and purposes
- Explicit consent for marketing: Turkish Commercial Electronic Messages Law (6563) requires explicit opt-in consent for commercial emails, SMS, and push notifications — with a maximum 3-year validity
- Contact forms: Must include a privacy notice explaining how the data will be processed before the user submits
VERBIS Registration
VERBIS (Veri Sorumluları Sicili) is Turkey's mandatory data controller registry. Registration requirements depend on your organization's size:
| Category | VERBIS registration required? |
|---|---|
| Companies with 50+ employees or TRY 100M+ annual turnover | Yes (mandatory) |
| Companies processing sensitive data as core activity | Yes (mandatory) |
| Foreign data controllers processing Turkish data | Yes (mandatory) |
| Small companies below thresholds | Exempt (but must still comply with KVKK) |
Frequently Asked Questions
Does KVKK apply to my business if I'm based in the EU?
Yes, if you process personal data of individuals in Turkey — for example, if your website targets Turkish users, accepts Turkish customers, or monitors the behavior of people in Turkey. You must register with VERBIS as a foreign data controller.
Is Turkey considered "adequate" under GDPR?
No. Turkey does not have an EU adequacy decision. Transfers from the EU to Turkey require Standard Contractual Clauses (SCCs) or another GDPR transfer mechanism. The 2024 KVKK amendments were partly motivated by improving Turkey's chances of obtaining adequacy.
How do I check if my website complies with KVKK?
PrivacyChecker scans your website for compliance issues including cookie consent, privacy policy completeness, third-party data transfers, and security headers. While primarily focused on GDPR and CCPA, the checks cover core KVKK requirements as well — especially website-level privacy controls and consent mechanisms.