KVKK (Kişisel Verilerin Korunması Kanunu) — Law No. 6698 — is Türkiye’s personal data protection regime, enacted on April 7, 2016. The law is administered by the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK) through its decision-making body, the Personal Data Protection Board (Kurul). KVKK is structurally aligned with the European Union’s GDPR, though with material differences in its cross-border transfer rules, lawful-basis architecture, and administrative-fine framework.

The law applies to any natural or legal person — domestic or foreign — that processes personal data of individuals located in Türkiye, regardless of where the controller is established. Companies operating SaaS platforms, mobile applications, e-commerce sites, advertising networks, or any service that receives user data from Türkiye fall within its scope.

Core compliance obligations include: (i) registration of data-processing activities with VERBİS (the controller registry, mandatory for organizations exceeding statutory thresholds); (ii) lawful basis identification under Article 5 (explicit consent or one of seven enumerated bases); (iii) transparent privacy notices satisfying Article 10 disclosure requirements; (iv) appointment of a data protection officer where required; (v) implementation of technical and administrative security measures proportionate to processing risk; (vi) breach notification within 72 hours to the Board and affected data subjects; and (vii) cross-border transfer compliance under Article 9 (substantially rewritten by Law No. 7499 in 2024 to align with GDPR’s SCC/BCR framework).

The Board issues binding decisions through three channels: Kurul Kararları (full decisions), Karar Özetleri (decision summaries), and İlke Kararları (principle decisions of general application). Administrative fines can reach significant amounts — recent decisions have imposed fines exceeding TRY 30 million on single controllers — and the Board has issued material decisions on cookie consent (2022), data breach reporting standards (2024), advertising-driven SMS messaging, biometric-data processing, and employee monitoring.

Vircon Legal advises Turkish and international clients on full-stack KVKK compliance: regulatory mapping, VERBİS registration, privacy notice architecture, data-processing agreement (DPA) negotiation, breach response protocols, cross-border transfer routing, and Board investigation defense. We also maintain a live KVKK Tracker indexing 100+ Board decisions and principle rulings.

Relationship to the GDPR, the Authority, and the 2024 amendments

The KVKK was modelled on the EU framework that preceded the GDPR, so its core concepts — controller, processor, lawful basis, data-subject rights — will look familiar to anyone versed in European data protection. The two are not identical, however, and compliance built for one does not automatically satisfy the other. Enforcement sits with the Personal Data Protection Authority and its decision-making Board (Kurul), which issues binding decisions and administrative fines. A significant 2024 reform brought the KVKK closer to the GDPR in two areas in particular: it broadened the lawful bases for processing special-category (sensitive) data, and it overhauled the cross-border transfer regime to introduce adequacy decisions and standard contractual clauses. Controllers operating in Türkiye must also remember the local-specific VERBİS registration duty, which has no direct GDPR equivalent.