GDPR and KVKK for Turkish Companies: Navigating Dual Compliance
EU GDPR can apply to a company based only in Turkey, and at the same time that company must follow Turkey's own data protection law, KVKK (Law No. 6698). If you sell to or track people in the EU, you face both regimes at once, which in practice means building to the stricter requirement on each point rather than to one law as a whole. This guide explains where GDPR and KVKK overlap, where they diverge, what the 12 March 2024 reform (Law No. 7499) changed for cross-border transfers, and the current 2026 fines, so a foreign-owned business in Turkey knows exactly what to do.
Why GDPR Reaches Turkish Companies
The EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) does not stop at Europe's borders. Its extraterritorial scope under Article 3 means a company established in Turkey can fall directly under GDPR even though Turkey is outside the EU.
A Turkish company is caught by GDPR in two main situations:
- Offering goods or services to people in the EU (Art. 3(2)(a)): for example an Istanbul-based e-commerce store, software platform, or hotel that markets to and serves EU customers. Pricing in euros, EU-language content and delivery to EU addresses are the factors regulators weigh; mere accessibility of a website from the EU is not enough on its own, but several of these factors together usually is.
- Monitoring the behaviour of people in the EU — such as tracking website visitors, profiling, or behavioural advertising aimed at EU users.
If either applies, GDPR obligations attach regardless of where your servers or staff sit. Many foreign-owned businesses that incorporate in Turkey are surprised to learn they answer to EU regulators alongside the Turkish authority.
Common triggers foreign founders miss
You can pull yourself under GDPR without meaning to. The usual triggers are:
- An EU-facing website in English, German or French with cookies, analytics or ad pixels that profile EU visitors.
- Marketing campaigns, newsletters or paid ads aimed at customers located in the EU.
- Employing or contracting EU-resident remote staff, especially where you monitor their activity (time tracking, device or productivity monitoring), which counts as monitoring behaviour under Article 3(2)(b).
- Handling EU customers' data on cloud or SaaS platforms, wherever those platforms are hosted. Server location does not bring you under GDPR or take you out of it; the EU customers' data does.
KVKK: Turkey's Own Data Protection Law (No. 6698)
Turkey's Law on the Protection of Personal Data No. 6698 (Kişisel Verilerin Korunması Kanunu, KVKK) entered into force in 2016 and was originally modelled on the EU's earlier 1995 Data Protection Directive (95/46/EC). It is enforced by the Turkish Data Protection Authority and its decision-making Board (the Kurul).
KVKK is not frozen at 1995 standards. The 12 March 2024 reform moved it toward GDPR, especially on cross-border transfers and sensitive data, so today the two regimes are closer than they were, but still not identical (more on that below).
Every company processing personal data in Turkey must observe the law's core principles, which mirror GDPR in substance:
- Lawfulness, fairness and transparency in processing.
- Processing only for specified, explicit and legitimate purposes.
- Data minimisation, accuracy, and limited retention.
- A lawful basis for each processing activity — either explicit consent or one of the statutory exceptions.
VERBİS registration and the contact person
Most data controllers operating in Turkey must register with VERBİS, the Data Controllers' Registry, and appoint a contact person (irtibat kişisi). Whether you are obliged to register depends on thresholds set by Board decisions, mainly your number of employees and your annual financial balance sheet figure, with some sector exemptions. You should check your specific position rather than assume you are in or out.
GDPR vs. KVKK: Key Differences That Trip Companies Up
Although the two regimes share DNA, the differences matter in practice. Treating KVKK as a straight copy of GDPR is a common and costly mistake. The table below shows where they line up and where they part ways.
| Issue | GDPR (EU) | KVKK (Turkey, Law No. 6698) |
|---|---|---|
| Lawful bases | Six bases, including a flexible legitimate-interests ground (Art. 6) | Explicit consent plus the statutory grounds in Art. 5, which include a legitimate-interests ground framed more narrowly (processing must be mandatory for the controller's legitimate interests); Art. 5 was not changed by the 2024 reform |
| Sensitive data | Art. 9 conditions for special categories | Art. 6, reshaped in 2024 — old health/sexual-life split removed, processing conditions broadened |
| Cross-border transfers | Adequacy / safeguards / derogations (Arts. 45–49) | Adequacy / safeguards (SCCs, BCRs) / exceptions (Art. 9), plus a 5-business-day SCC filing |
| Breach notification | To supervisory authority within 72 hours (Art. 33) | To the Board within 72 hours (Board Decision 2019/10) |
| Fines | Up to the higher of EUR 20m or 4% of global turnover (Art. 83) | Lira fines, re-indexed each January; up to ~17.09m TL for 2026 for security/VERBİS/Board-decision breaches |
Lawful bases for processing
GDPR offers six lawful bases, including a broadly worded legitimate-interests ground. KVKK Article 5 also lists statutory grounds alongside explicit consent, but its legitimate-interests ground requires that processing be mandatory for the controller's legitimate interests, so in practice companies have less room to rely on it and historically leaned heavily on explicit consent. The 2024 reform left Article 5 untouched (it amended Articles 6, 9 and 18), so a basis that works under GDPR still may not map cleanly onto KVKK.
Sensitive (special category) data
The 2024 reform materially changed KVKK Article 6. It removed the old split that treated health and sexual-life data differently from other sensitive categories, and it broadened the conditions under which special-category data (health, biometrics, religious belief, criminal records and more) can be processed, bringing the structure closer to GDPR Article 9. The treatment remains strict, so explicit consent or a specific statutory condition is still the safe route.
Cross-border transfers
This is the single biggest divergence and the area where foreign companies most often breach KVKK — covered in detail in the next section.
The 2024 KVKK Reform and Cross-Border Data Transfers
On 12 March 2024, Law No. 7499 (the so-called Eighth Judicial Package) was published in Official Gazette No. 32487 and amended KVKK, including Articles 6 and 9. The implementing Regulation on the cross-border transfer of personal data followed on 10 July 2024. Together they replaced the old, restrictive consent-based transfer model with a tiered framework that closely tracks GDPR's Chapter V.
Personal data may now be transferred abroad in one of three ways:
- Adequacy decision — transfer to a country, sector or international organisation that the Board has formally declared adequate.
- Appropriate safeguards — where no adequacy decision exists, transfer is allowed using one of: standard contractual clauses (SCCs) published by the Board, binding corporate rules (BCRs) approved by the Board for intra-group transfers, a written undertaking approved by the Board, or a Board-approved agreement between public bodies that does not amount to an international treaty.
- Exceptional cases — limited, occasional transfers based on explicit consent or specific statutory grounds (for example performance of a contract, or establishment and exercise of legal claims).
Which safeguard should a foreign-owned company pick?
There is no one-size answer, but a simple decision path helps:
- A single Turkish subsidiary sending HR or customer data to one EU parent or affiliate. The Board's SCCs are usually the practical choice — sign them, use the Turkish text unchanged, and file within five business days.
- A multinational group moving data across many entities and countries. BCRs can be worth the heavier approval effort, because once approved they cover the whole group instead of a web of separate contracts.
- A rare, one-off transfer (for example to pursue a legal claim abroad). An exceptional-case ground may apply, but do not lean on it for routine, ongoing flows.
The two-direction problem
Because the EU has not issued an adequacy decision for Turkey, transfers in the other direction — EU to Turkey under GDPR — still need their own safeguards, typically the EU Commission's SCCs. Many groups therefore run two parallel sets of contracts. The table makes the split concrete:
| Direction of data | Governing regime | What you need |
|---|---|---|
| Leaving Turkey (to the EU or elsewhere) | KVKK (Art. 9) | Board SCCs (Turkish text, unmodified) + notify the Authority within 5 business days; or BCRs |
| Entering Turkey from the EU | GDPR (Art. 46) | EU Commission SCCs (or BCRs) put in place by the EU sender |
For drafting and reviewing the agreements that sit behind these flows, see how we handle data-processing agreements and standard contractual clauses.
A Practical Compliance Roadmap
For a foreign-owned company operating in or from Turkey, a defensible dual-compliance programme usually includes the following steps:
- Map your data flows. Identify what personal data you collect, where it comes from (EU residents? Turkish residents?), where it is stored, and who it is shared with — including cloud providers and group companies abroad.
- Confirm which regimes apply. Assess GDPR's Article 3 extraterritorial reach alongside KVKK. Where both apply, build to the stricter standard.
- Fix your lawful bases and notices. Prepare KVKK-compliant clarification (aydınlatma) texts and, where needed, explicit consent forms, plus GDPR-compliant privacy notices for EU users.
- Register with VERBİS if you meet the thresholds, and keep the registry entry current.
- Put transfer mechanisms in place. Adopt the Board's SCCs or BCRs for outbound transfers from Turkey, file the five-business-day notification, and adopt EU SCCs for inbound transfers from the EU.
- Appoint accountable people. A VERBİS contact person in Turkey and, where GDPR requires, a Data Protection Officer or EU representative.
- Prepare for incidents. KVKK and GDPR both require breach notification within 72 hours, so maintain an incident-response procedure you can actually run under time pressure.
Cookies and website clarification (aydınlatma)
Websites are a frequent source of KVKK trouble. If your site uses cookies, analytics or tracking pixels, you generally need a clear cookie notice, the right legal basis for non-essential cookies, and a KVKK clarification text that tells visitors what you collect and why. For a business with an EU-facing site, the same banner has to satisfy GDPR's consent rules too, so design it once for the stricter standard.
Where a law firm typically adds value
An anxious founder rarely needs everything at once. In practice, outside counsel is most useful for: data-flow mapping, choosing and drafting the right transfer mechanism, filing the five-business-day SCC notification, completing or updating VERBİS, and preparing the dual KVKK and GDPR notices. This work also overlaps with company set-up: if you are setting up a foreign-owned company in Turkey, it is cheaper to bake data compliance in from day one than to retrofit it.
Data protection rarely sits alone. In an acquisition or joint venture, it is a core part of data-protection due diligence in Turkish M&A, and it sits beside other regulatory checks such as Turkish competition-law compliance and merger-control filing thresholds. For a tailored review of your obligations, book a dual-compliance assessment with our Istanbul team.
Penalties for Getting It Wrong (2026 Figures)
Non-compliance carries consequences under each regime independently. KVKK fines are maktu (fixed-band) penalties re-indexed every January; the figures below are the bands published for 2026 (revaluation rate 25.49%, Official Gazette of 27 November 2025, effective 1 January 2026).
| KVKK breach (2026 band) | Fine range |
|---|---|
| Clarification / information duty (aydınlatma) | 85,437 – 1,709,200 TL |
| Data-security measures (Art. 12) | 256,357 – 17,092,242 TL |
| VERBİS registration failure | 341,809 – 17,092,242 TL |
| Failure to notify a cross-border SCC | 90,308 – 1,806,377 TL |
- Under KVKK: administrative fines from the Board (re-indexed annually as above), corrective orders, and reputational harm. Serious unlawful processing or unlawful transfer of personal data can also engage the Turkish Penal Code (Law No. 5237, Articles 135–140), which cover unlawful recording, sharing or obtaining of personal data and failure to destroy it.
- Under GDPR: fines up to the higher of EUR 20 million or 4% of worldwide annual turnover (Art. 83), plus enforcement action by EU supervisory authorities and potential civil claims from data subjects.
Frequently asked questions
Does GDPR apply to a company based only in Turkey?
It can. Under Article 3 GDPR, a Turkish company that offers goods or services to people in the EU, or monitors the behaviour of people in the EU, falls within GDPR's scope even with no EU establishment. In that case it must comply with GDPR and Turkey's KVKK at the same time.
Is KVKK the same as GDPR?
No. KVKK (Law No. 6698) was originally modelled on EU data protection law and shares the same core principles, but the lawful bases, sensitive-data rules, transfer mechanisms and fine levels differ. The 2024 reform (Law No. 7499) narrowed the gap, especially on cross-border transfers and sensitive data, but the regimes are not identical.
What changed for cross-border data transfers in 2024?
Law No. 7499, published on 12 March 2024, and the implementing Regulation of 10 July 2024 replaced the old consent-based model with a tiered system: adequacy decisions, appropriate safeguards (standard contractual clauses, binding corporate rules, undertakings) and limited exceptional cases. The old consent route for ongoing transfers was permitted only until 1 September 2024. Transfers relying on the Board's standard contractual clauses must be notified to the Authority within five business days of signing.
Can I send personal data from the EU to my Turkish company?
The EU has not granted Turkey an adequacy decision, so transfers from the EU to Turkey under GDPR generally require their own safeguards, most commonly the EU Commission's standard contractual clauses. This is separate from the Turkish SCCs needed for outbound transfers from Turkey, so groups often maintain two parallel sets of contracts.
Do we have to register with VERBİS?
Many data controllers processing personal data in Turkey must register with VERBİS, the Data Controllers' Registry, and appoint a contact person. Whether your company meets the thresholds depends on factors such as employee numbers and your annual financial balance sheet figure, with some exemptions, so it should be checked for your specific situation.
What is the fine for not registering with VERBİS in Turkey?
For 2026, failing to register with VERBİS, registering with wrong information, or not updating it on time can draw an administrative fine of roughly 341,809 to 17,092,242 TL. These maktu bands are re-indexed every January, so confirm the current figure before relying on it.
How fast must we report a data breach in Turkey?
You must notify the KVKK Board within 72 hours of becoming aware of a personal data breach (Board Decision 2019/10), and affected individuals must also be informed within a reasonable time. GDPR sets the same 72-hour deadline to the supervisory authority under Article 33, so a company under both regimes should run a single incident-response process built to the stricter standard.