Who this page is for
This page is for foreign organisations that touch Turkish personal data, wherever they sit. You may be:
- A foreign company with Turkish customers, users or an e-commerce presence reaching Türkiye;
- An employer processing the data of staff in Türkiye;
- A group that already runs a GDPR programme and assumes it covers Türkiye — it does not, automatically;
- A controller facing a KVKK Board investigation, a complaint, or a data breach.
KVKK is close enough to the GDPR to feel familiar, and different enough to be a trap. The gaps — VERBİS registration, the post-2024 transfer rules, breach timing — are exactly where foreign companies get fined.
What KVKK is and who must comply
Turkish data protection is governed by the Personal Data Protection Law No. 6698 (Kişisel Verilerin Korunması Kanunu, KVKK), in force since 7 April 2016. It is enforced by the Personal Data Protection Authority and its decision-making body, the Board (Kurul), whose published decisions shape day-to-day practice.
The law applies to data controllers and processors handling the personal data of people in Türkiye, including foreign companies without a Turkish establishment where their processing reaches individuals in Türkiye.
When KVKK and the GDPR both apply
A common and costly assumption is that a GDPR programme automatically satisfies Türkiye. It does not. Many foreign businesses are caught by both regimes at once — the GDPR because they target the EU, KVKK because they process data of people in Türkiye. The principles rhyme, but the obligations differ on registration, lawful-basis nuances, transfer mechanics and notification deadlines. We map the overlap so you run one coherent programme that is compliant on both sides, rather than two that contradict each other. See our note on the impact of the GDPR on companies dealing with Türkiye.
Lawful processing and explicit consent (açık rıza)
Personal data may only be processed on a lawful basis. The conditions sit in Articles 5 and 6 of KVKK, with stricter rules for special categories of data (health, biometrics, religious belief and the like). Where you rely on consent, it must be explicit consent (açık rıza): informed, freely given and specific to a defined purpose — bundled or pre-ticked consent does not count. Separately, you must give data subjects an information notice (aydınlatma metni) explaining who you are, what you process and why.
VERBİS registration
Most data controllers must register with VERBİS (the Data Controllers' Registry) under Article 16 of KVKK before they start processing, and keep the entry current. Exemptions and thresholds — based on factors such as employee numbers and annual financial size — are set by the Board, and foreign controllers have their own registration route, usually through a Türkiye-based representative. Missing or neglecting VERBİS is one of the most frequently fined failures, precisely because it is visible and binary.
Cross-border data transfers after the 2024 reform
Sending Turkish personal data abroad — to a parent company, a cloud provider, a group system — is regulated, and the rules changed substantially with the 2024 reform (Law No. 7499) and its implementing Transfer Regulation of 10 July 2024. The regime now mirrors the GDPR's structure, with three routes:
| Route | When it applies |
|---|---|
| Adequacy decision | Transfer to a country (or sector) the Board has decided offers adequate protection |
| Appropriate safeguards | Standard contractual clauses (SCCs), binding corporate rules (BCRs) or other approved safeguards |
| Exceptions | Specific, limited case-by-case derogations (e.g. explicit consent, contractual necessity) |
Data-subject requests and your response duties
Individuals have rights under KVKK — to learn whether their data is processed, to access and correct it, to ask for deletion, and to object to certain processing. A controller that receives a request must respond within the statutory period and, where it refuses, give reasons. Unanswered or mishandled requests are a frequent route to a Board complaint. We build the request-handling procedure and templates so your team responds correctly and on time.
Data breaches: the 72-hour rule
If personal data is unlawfully accessed or disclosed, Article 12(5) of KVKK requires notification to the Board 'in the shortest time'. The Board's foundational Decision No. 2019/10 (24 January 2019) reads that as within 72 hours of becoming aware of the breach, with notification to affected individuals as well.
Investigations, fines and criminal exposure
Enforcement comes from two directions. The Board imposes administrative fines under Article 18 — for security failures (Art. 12), breach-notification failures, VERBİS non-registration and more. The lira amounts are revised upward every year, so the real exposure keeps rising; we advise on current figures rather than quoting a number that dates. Separately, unlawful recording, transferring or obtaining personal data is a crime under TCK Arts. 135-140, carrying imprisonment, so individuals inside the business can face personal criminal liability alongside the company's fine. We defend controllers in Board investigations and coordinate the criminal-law angle where it arises.
Handling it from abroad
You do not need a presence in Türkiye to become compliant. With a power of attorney — notarised and apostilled abroad and translated, or signed at a Turkish consulate — we register you on VERBİS, draft your Turkish-law policies and notices, put transfer mechanisms in place, and represent you before the Board. We act as your Türkiye-based contact point, so requests and notices do not fall through the cracks. This connects naturally to company formation and your commercial contracts, where data-processing clauses belong.
Common KVKK mistakes foreign companies make
The fines we see most often trace back to a short list: assuming a GDPR programme covers Türkiye; skipping or forgetting VERBİS; transferring data to a parent or cloud provider abroad without a lawful route (and without the five-day SCC notice); relying on bundled consent instead of the right lawful basis; missing the 72-hour breach window; and having no information notice (aydınlatma) in Turkish. Each is cheap to fix before an inspection and expensive after one. For the adjacent obligations, see Türkiye's new cybersecurity law and the emerging AI regulation landscape.
Why a Turkish data-protection lawyer
KVKK is interpreted through a growing body of Board decisions that are not always intuitive from the statute, and the 2024 transfer reform is still bedding in. A Turkish data-protection lawyer reads those decisions, knows what the Board actually expects in a VERBİS entry or a breach notice, and can defend you when an investigation opens — rather than leaving you to map an unfamiliar regime onto a GDPR template. We pair that with cross-disciplinary support on competition and corporate matters when they intersect.
How we make you KVKK-compliant
Data audit and gap assessment
We map what personal data you hold, where it flows and where it goes abroad, and measure it against KVKK (and the GDPR where it also applies) to find the gaps.
Obligation mapping
We set out exactly what KVKK requires of you — registration, notices, lawful bases, transfers, security — with a prioritised, fixed-fee plan.
VERBİS registration and policies
We register you on VERBİS and draft your Turkish-law information notices, consent texts, data-processing and retention policies.
Lawful transfer mechanisms
We put the right cross-border route in place — adequacy, SCCs or another safeguard — and file the five-day SCC notification with the Board.
Breach and request procedures
We build your 72-hour breach-response plan and data-subject-request workflow, with templates your team can actually use.
Board representation
If a complaint or investigation arises, we represent you before the KVKK Board and manage the response and any fine.
Ongoing compliance and training
We keep your programme current as the rules evolve and train your staff so compliance holds in practice.
KVKK & data protection in Türkiye — frequently asked questions
Does my GDPR compliance cover Türkiye?
No. KVKK (Law No. 6698) is a separate regime. It resembles the GDPR but differs on VERBİS registration, cross-border transfers and breach timing, so a GDPR programme does not automatically make you compliant in Türkiye. Many companies are subject to both at once.
What is KVKK?
The Personal Data Protection Law No. 6698, Türkiye's data protection law, in force since 7 April 2016 and enforced by the Personal Data Protection Authority and its Board (Kurul). It governs how personal data of people in Türkiye may be processed.
Does KVKK apply to a foreign company with no office in Türkiye?
It can. Where your processing reaches people in Türkiye — Turkish customers, users or staff — you can fall within KVKK even without a local establishment, and you generally register and act through a Türkiye-based representative.
What is VERBİS and do I have to register?
VERBİS is the Data Controllers' Registry under Article 16 of KVKK. Most controllers must register before processing and keep the entry current. Exemptions and thresholds are set by the Board, and foreign controllers have their own registration route. Non-registration is one of the most commonly fined failures.
Can I transfer Turkish personal data to my parent company abroad?
Yes, but only through a lawful route under the 2024 transfer regime: an adequacy decision, appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules, or a specific exception. Where you use SCCs, you must notify the signed clauses to the Board within five business days.
What changed in the 2024 KVKK amendment?
Law No. 7499 (March 2024) and the Transfer Regulation of 10 July 2024 overhauled cross-border transfers, replacing the old consent-heavy approach with a GDPR-style three-tier structure: adequacy, appropriate safeguards, and limited exceptions.
How quickly must I report a data breach?
Article 12(5) of KVKK requires notification 'in the shortest time'. The Board's Decision 2019/10 of 24 January 2019 reads this as within 72 hours of becoming aware of the breach, with affected individuals notified as well.
What is açık rıza (explicit consent)?
Consent that is informed, freely given and specific to a defined purpose. Bundled, pre-ticked or take-it-or-leave-it consent is not valid. Often another lawful basis under Articles 5-6 fits better, because consent can be withdrawn.
How large are KVKK fines?
Administrative fines are imposed under Article 18 for failures such as inadequate security, late breach notice and VERBİS non-registration. The lira amounts are revised upward each year, so we advise on the current figures rather than quoting a number that quickly dates.
Can someone go to prison over a data breach in Türkiye?
Unlawful recording, transferring or obtaining personal data is a criminal offence under Articles 135-140 of the Turkish Penal Code, carrying imprisonment. This criminal liability runs alongside the company's administrative fine and can attach to individuals.
What rights do data subjects have, and how fast must I respond?
Individuals can ask whether their data is processed, access and correct it, request deletion and object to certain processing. You must respond within the statutory period and give reasons for any refusal. Mishandled requests are a frequent route to a Board complaint.
Can you make us compliant if we are based abroad?
Yes. With a notarised, apostilled power of attorney we register you on VERBİS, draft your Turkish-law notices and policies, set up lawful transfers and represent you before the Board — acting as your Türkiye-based contact. Most foreign clients handle the whole programme remotely.