KVKK: The Complete Guide
Turkey's Law on the Protection of Personal Data (KVKK), enacted in April 2016, is the country's first comprehensive data protection law. While originally modeled on the EU's Data Protection Directive (95/46/EC) rather than the GDPR, subsequent amendments — particularly the March 2024 update to cross-border transfer provisions — have brought the KVKK closer to modern European standards. The law is enforced by the Personal Data Protection Authority (Kurum).
What the KVKK Covers
The KVKK requires explicit consent as the default legal basis for processing personal data. Processing without consent is permitted only in specific circumstances including legal obligation, protection of vital interests, contract performance, legitimate interests of the controller (provided data subject rights are not overridden), and data made public by the data subject.
Special categories of personal data — including race, ethnicity, political opinions, philosophical beliefs, religion, appearance, membership in associations, health, sexual life, criminal convictions, and biometric and genetic data — may be processed only with explicit consent or under specific statutory exceptions.
Data subjects have the right to know whether their data is processed, request information about the purpose of processing, know third-party recipients, request correction or deletion, object to automated decision-making results, and claim compensation for damages.
VERBIS Registration
A distinctive feature of the KVKK is the Data Controllers Registry (VERBIS). Data controllers meeting certain thresholds must register with VERBIS, disclosing information about their data processing activities, data categories, retention periods, and cross-border transfers. Failure to register carries significant administrative fines.
Cross-Border Transfers
The March 2024 amendments modernized the cross-border transfer regime. Transfers are now permitted to countries with an adequacy determination by the KVKK Board, or with appropriate safeguards such as binding corporate rules, standard contractual clauses, or written undertakings between public entities. This replaced the previous system that required Board approval for individual transfers.
Enforcement and Penalties
The KVKK Authority may impose administrative fines ranging from 5,000 to 1,000,000 Turkish Lira for various violations. The Authority has been actively enforcing the law, issuing decisions against both domestic and international organizations.
Practical Compliance Steps
- VERBIS registration — Register with the Data Controllers Registry if threshold requirements are met
- Consent management — Implement explicit consent mechanisms meeting KVKK requirements
- Disclosure notices — Provide data subjects with required information at the time of collection
- Special categories — Implement enhanced protections for sensitive personal data
- Cross-border assessment — Evaluate transfer mechanisms under the updated 2024 provisions
- Rights fulfillment — Build processes to respond to data subject requests within 30 days