KVKK compliance is not a binder of policies — it is the gap between what your documents say and what your systems actually do. Turkish data protection law applies to every company processing personal data in Türkiye, and since the 2024 amendment the cross-border transfer regime works through GDPR-style mechanisms: adequacy decisions, standard contractual clauses notified to the Board, and binding corporate rules. For technology companies selling internationally, KVKK and GDPR have to be handled as one programme.
This hub collects our KVKK resources: core definitions, the live decision tracker, audit and compliance services, and practical articles.
Core concepts
- KVKK and GDPR — how the two regimes differ and overlap
- Data controller vs data processor — who carries which obligation
- Explicit consent — and why it is the last resort, not the default
- DPO — the GDPR role and its Turkish near-equivalents
Live resources
- KVKK Decision Tracker — Turkish Data Protection Board decisions, categorised and searchable
Deeper reading
When you need counsel
We run KVKK programmes end to end — gap analysis, documentation wired into real data flows, transfer mechanisms under the 2024 regime, and incident response. See KVKK & GDPR Compliance, KVKK Audit, and the broader Privacy & Cybersecurity practice.