TLDR:

KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698) is Turkey’s comprehensive personal data protection law, in force since 2016 and significantly amended in 2024 to align more closely with GDPR. It establishes principles, individual rights, controller obligations, transfer rules, and enforcement by the Kişisel Verileri Koruma Kurulu (KVKK Board).

Core Obligations

KVKK imposes obligations including: a lawful basis requirement for all personal data processing (explicit consent or one of the legal grounds in Article 5), enhanced protections for special categories (Article 6: health, biometrics, criminal record, etc.), data subject rights (Article 11: information, access, rectification, erasure, restriction, objection, automated decision-making), transparency obligations (aydınlatma metni / privacy notice), data security measures proportionate to risk, breach notification to the Board within 72 hours and to affected individuals, and Data Protection Officer obligations for certain controllers.

VERBIS Registration

Many controllers must register with VERBIS (Veri Sorumluları Sicil Bilgi Sistemi), Turkey’s national registry of data controllers. Registration thresholds depend on employee count, financial criteria, and whether the controller is public or private—with thresholds periodically extended. Registered controllers must maintain a “Kişisel Veri İşleme Envanteri” (personal data processing inventory) documenting processing activities, retention periods, and data categories. The 2024 amendments extended VERBIS compliance deadlines for additional entity categories.

Penalties and Recent Developments

Penalties for KVKK violations are significant: administrative fines up to 3 million TL per violation (adjusted annually for inflation, materially higher in current values), with separate fines for failing to register with VERBIS, for technical and organizational measure failures, and for breach notification failures. The 2024 amendments significantly expanded transfer regime rules (introducing standard contractual clauses, binding corporate rules, and adequacy assessments), aligning more closely with GDPR. For founders operating in Türkiye, KVKK compliance should be designed alongside any GDPR program: the frameworks are similar but contain specific differences in consent, transfer, and registration that require Türkiye-specific attention.