What is the KVKK Authority?
The Personal Data Protection Authority of Turkey (Turkish: Kişisel Verileri Koruma Kurumu, abbreviated KVK Kurumu or simply “the Authority”) is the independent body established by Law No. 6698 to enforce Turkish data protection law. Its decision-making organ is the KVK Board (KVK Kurulu), composed of 9 members.
Powers
- Investigate complaints from data subjects (free of charge)
- Conduct ex officio investigations
- Issue binding decisions, including order-to-comply
- Impose administrative fines (in 2026, ranging from low five-figure to multi-million TRY)
- Issue regulations and guidelines (cookies, biometrics, AI, breach notification, etc.)
- Manage the VERBİS data controller registry
- Approve binding corporate rules (BCR) and review standard contractual clauses for cross-border transfer
Decision process
A complaint to the Authority must first be made to the controller; if no response within 30 days (or response unsatisfactory), the data subject can apply to the Authority within 30 days of the controller’s response or 60 days from initial application. The Authority can issue interim measures pending full investigation.
Fines (2026)
The Authority’s administrative fines for various infractions are updated annually. Common fines: TRY 50,000–1,000,000 for incomplete privacy notice; TRY 100,000–2,000,000 for inadequate security; TRY 500,000–3,000,000 for unauthorized cross-border transfer. See KVKK Tracker for recent enforcement.
Relationship with the GDPR / EDPB
The Authority is not a member of the European Data Protection Board (EDPB) — Turkey is not in the EU — but maintains technical cooperation. The 2024 amendment (Law 7499) brought KVKK closer to GDPR on cross-border transfer mechanisms.