Data Privacy Law in Turkey: A KVKK Compliance Guide

By Av. Serkan Kara, Istanbul Bar No. 53770. Last updated: 14 June 2026.

Data privacy in Turkey is governed by the Personal Data Protection Law No. 6698 (KVKK), a regime built on the same principles as EU data-protection law and brought closer to the EU General Data Protection Regulation (GDPR) by the 2024 amendments made by Law No. 7499. The KVKK governs how data controllers collect, process, store, and transfer personal data, sets the lawful-processing conditions in Article 5 (and, for special categories of data, Article 6), regulates cross-border transfers in Article 9, and is enforced by the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) acting through its decision-making organ, the Personal Data Protection Board (Kurul). For cross-border companies, KVKK compliance now sits alongside GDPR exposure, the EU AI Act, and breach-notification duties, so the governing instruments must be read together rather than in isolation.

For foreign investors, general counsel, and cross-border companies, technology and data-privacy compliance in Turkey is no longer a single-statute exercise. The Personal Data Protection Law No. 6698 (KVKK) is the core domestic instrument, but real exposure also runs through the GDPR, the EU AI Act, and contractual obligations imposed by enterprise customers. This guide answers the questions clients actually ask, names the governing instruments, and explains how a documented compliance program reduces enforcement and transaction risk.

What law governs data privacy in Turkey?

Data privacy in Turkey is governed by the Personal Data Protection Law No. 6698 (KVKK), which entered into force in 2016 and is structurally aligned with EU data-protection law; the 2024 amendments moved its special-category and cross-border transfer rules closer to the GDPR. The KVKK applies to data controllers and processors who handle the personal data of natural persons, sets out lawful-processing conditions, defines data-subject rights, and creates the Personal Data Protection Authority as the supervisory body. Companies serving European customers also remain subject to the GDPR, so a single business often carries dual obligations.

The KVKK builds its framework on familiar principles: lawful, fair, and transparent processing; purpose limitation; data minimization; accuracy; storage limitation; and data security. These principles are not abstract. They are the standard against which the Authority measures whether processing was lawful and whether controls were adequate during an audit or after an incident.

What is the lawful basis for processing personal data under the KVKK?

Under Article 5 of the KVKK, personal data may be processed only with the explicit consent of the data subject or where one of the listed legal exceptions applies, such as processing necessary for the performance of a contract, compliance with a legal obligation of the controller, the controller's legitimate interests (provided the data subject's fundamental rights and freedoms are not harmed), or grounds expressly provided in law. Processing without consent and without a qualifying exception is unlawful, regardless of how well the data was technically secured.

In practice, the most common failure is not the absence of a lawful basis but the inability to prove one. Controllers should be able to show, for each processing activity, the specific basis relied on, the purpose, the data categories involved, the recipients, and the retention period. Special categories of data (Article 6: health, biometric, genetic, and similar data) carry stricter conditions of their own, so the basis for processing them should be documented separately from the Article 5 basis and conservatively.

How are cross-border data transfers regulated?

Article 9 of the KVKK governs the transfer of personal data abroad. As amended in 2024 by Law No. 7499, it is tiered: a transfer may rest on an adequacy decision of the Board for the receiving country, sector, or international organisation; failing that, on appropriate safeguards such as binding corporate rules, a standard contract in the form published by the Board (which must be notified to the Authority after signature), or a written undertaking approved by the Board; and only in the absence of both, on narrow incidental grounds such as the data subject's explicit consent to the specific transfer after being informed of the risks. Transfer files built on the pre-2024 formula of explicit consent or adequacy plus undertaking should be re-examined against the amended article. Where companies also fall under the GDPR, the parallel EU mechanisms, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or adequacy frameworks like the EU-U.S. Data Privacy Framework (DPF), govern the corresponding EU-origin data flows.

The recurring mistake is treating cloud architecture as automatically lawful. A transfer framework collapses if the subprocessor chain is incomplete, if global support teams can reach production data without controls, or if the company cannot answer who can access what data and when. The legal position must match the technical reality of where data sits and who touches it.

The table below covers the GDPR instruments for EU-origin data; the amended Article 9 of the KVKK provides parallel mechanisms (Board adequacy decisions, Board-published standard contracts, binding corporate rules) for Turkey-origin data, and the same limitations apply.

Transfer mechanism | Best suited for | Key limitation
Standard Contractual Clauses (SCCs) | Most cross-border flows; fast to deploy contractually | Paper only unless paired with verifiable technical and access controls
Binding Corporate Rules (BCRs) | Large multinational groups with mature governance | Significant investment and internal approval time required
Adequacy / DPF | Eligible recipients in covered jurisdictions | Does not cover onward transfers or excuse weak vendor diligence

What is VERBIS and who must register?

VERBIS (Veri Sorumluları Sicil Bilgi Sistemi) is the data controllers' registry maintained by the Authority under the KVKK, in which data controllers are required to register their processing activities before processing begins unless an exemption applies. Registration is not a one-time formality. It connects to the obligation to maintain an accurate processing inventory that reflects what data is held, why, on what lawful basis, to whom it is transferred, and for how long.

Whether a specific company is required to register, and any applicable thresholds or exemptions, are set by the Authority and may change, so confirm the registration obligation and any thresholds in force at the time you file. The practical takeaway is that a clean VERBIS position depends on the same data mapping that supports every other part of a compliance program.

What rights do individuals have, and how does the EU AI Act add to the picture?

Under the KVKK (Article 11), data subjects have rights including learning whether their data is processed, access to their data, rectification of inaccurate data, erasure or destruction in defined circumstances, and the right to object to an outcome against them produced exclusively through automated processing. Controllers must have a process to receive, assess, and answer these requests free of charge and at the latest within 30 days (Article 13), and must be able to evidence that the process works.

For companies that build or deploy AI, the EU AI Act adds a separate, risk-based regime that classifies systems and imposes governance obligations on higher-risk uses such as employment screening, credit and insurance assessment, and biometric identification. The practical question for cross-border businesses is not whether they use AI, but whether their systems are correctly classified and whether they can produce a coherent governance file, including risk management, human oversight, technical documentation, and logging, when a regulator or enterprise customer asks.

What are the penalties for KVKK violations?

The KVKK (Article 18) provides for administrative fines and other measures for breaches such as failure to inform data subjects, failure to ensure data security, failure to comply with Board decisions, or failure to register with VERBIS where required. The monetary ranges are set by law and revalued annually, so any fine range should be confirmed against the figures in force at the time of the conduct or filing rather than treated as a fixed current amount.

Enforcement outcomes are driven less by the existence of a breach than by the quality of the response. The decisive facts are usually whether the controller can prove a lawful purpose, minimization, and adequate controls with real documentation, and whether the operational team executed a breach response without producing contradictions or losing evidence.

How should companies handle a data breach and the notification clock?

Breach response is a process test, not a single decision. Under the GDPR, Article 33 requires notification to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Under the KVKK, Article 12(5) requires the controller to notify the Board and the affected data subjects "as soon as possible"; the Board has fixed the Board notification at 72 hours from awareness by decision, so the two clocks run in parallel for a company subject to both. The common failure is delay: companies wait for perfect certainty and miss the statutory window.

A defensible response in the first day means activating a single incident command, preserving evidence such as logs and snapshots before containment destroys them, identifying the affected data sets and jurisdictions, and maintaining one consistent narrative channel across regulators, customers, and insurers. Build the playbook before the incident, because the window is too short to design the process while the facts are still incomplete.
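The two first-day controls named above, preserving evidence before containment and keeping the 72-hour clock visible, can be scripted. The following is an added example, not part of the original guide and not a tool from the firm: it copies the named log files into a case directory, records a SHA-256 hash, size and original timestamp for each in a manifest (so a later re-hash proves the copies were not altered), and computes the notification deadline from the time of awareness. The file names, analyst identity and log content in `demo()` are constructed sample data.

```python
"""Evidence preservation and notification-clock helpers (added example, not the page's own tool)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# 72 hours as discussed in the text (GDPR Art. 33; KVKK Board practice). Confirm against the rule in force.
NOTIFICATION_WINDOW = timedelta(hours=72)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large log files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, case_dir, collected_by, aware_at):
    """Copy each source file into case_dir/evidence and write manifest.json.

    Run this BEFORE containment (log rotation, reimaging, credential resets)
    destroys the originals. copy2 keeps the original mtime on the copy.
    """
    case_dir = Path(case_dir)
    ev_dir = case_dir / "evidence"
    ev_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for idx, src in enumerate(map(Path, sources)):
        st = src.stat()
        dst = ev_dir / f"{idx:03d}_{src.name}"   # index prefix avoids basename collisions
        shutil.copy2(src, dst)
        items.append({
            "original_path": str(src),
            "stored_as": str(dst),
            "sha256": sha256_file(dst),
            "size_bytes": st.st_size,
            "original_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collected_by,
        })
    manifest = {
        "aware_at_utc": aware_at.isoformat(),
        "notify_authority_by_utc": (aware_at + NOTIFICATION_WINDOW).isoformat(),
        "items": items,
    }
    (case_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(case_dir):
    """Re-hash every stored copy; return the original paths whose copy no longer matches."""
    manifest = json.loads((Path(case_dir) / "manifest.json").read_text())
    return [i["original_path"] for i in manifest["items"]
            if sha256_file(Path(i["stored_as"])) != i["sha256"]]


def notification_status(aware_at, now):
    """Human-readable position on the 72-hour clock at time `now`."""
    remaining = aware_at + NOTIFICATION_WINDOW - now
    if remaining <= timedelta(0):
        return "overdue"
    return f"{int(remaining.total_seconds() // 3600)}h left"


def demo():
    """Constructed walk-through: one sample log, preserved, verified, then tampered with."""
    tmp = Path(tempfile.mkdtemp(prefix="kvkk_ir_"))
    log = tmp / "app.log"   # constructed sample log, not real data
    log.write_text("2026-06-14T09:12:03Z WARN export of customer table by svc-report from 203.0.113.7\n")
    aware = datetime(2026, 6, 14, 9, 30, tzinfo=timezone.utc)
    case = tmp / "case-001"
    manifest = preserve_evidence([log], case, "analyst@example.invalid", aware)
    clean = verify_manifest(case)
    Path(manifest["items"][0]["stored_as"]).write_text("edited\n")   # simulate tampering
    tampered = verify_manifest(case)
    return {
        "clean": clean,
        "tampered": tampered,
        "deadline": manifest["notify_authority_by_utc"],
        "status_day1": notification_status(aware, aware + timedelta(hours=24)),
        "status_late": notification_status(aware, aware + timedelta(hours=73)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the chain-of-custody record; keep it, and the copies, on storage the containment team cannot write to. The deadline field exists so that the incident commander sees the same clock as counsel rather than each side computing its own.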

Frequently asked questions

Does the KVKK apply to a foreign company with no office in Turkey?

The KVKK has no express territorial-scope article comparable to GDPR Article 3, but the Board has applied it to foreign-established controllers that process the personal data of individuals in Turkey, depending on the nature and location of the processing. A company without a local office should not assume it is outside scope; instead it should map where its data subjects are, what data is processed, and on what lawful basis, and obtain advice on its specific footprint under Law No. 6698.

Do SCCs automatically legalize cloud transfers under the GDPR?

No. Standard Contractual Clauses are a contractual mechanism, not a stamp that legalizes any transfer. They must align with technical reality and, where transfer risk is high, be supported by supplementary measures such as encryption, key management, and strict access control. If the subprocessor chain or access model is unclear, SCCs become paper only and will not survive a technical audit.

Is consent always required to process personal data in Turkey?

No. Article 5 of the KVKK lists legal exceptions that allow processing without explicit consent, such as performance of a contract or compliance with a legal obligation. Consent is one lawful basis among several, but where you rely on an exception you must be able to identify it precisely and document why it applies to that specific processing activity.

How does the EU AI Act affect a Turkish company?

The EU AI Act becomes relevant where a company places AI systems on the EU market, serves EU-based customers, or is required by contract to demonstrate AI compliance. Procurement pressure often forces governance earlier than formal deadlines, so the practical step is to inventory AI systems, classify them by risk, and assemble the documentation that enterprise buyers and regulators expect.

What is the single fastest compliance improvement for a mid-size company?

Build and maintain the core registers: a processing register, a transfer register, an AI system register where relevant, and a vendor register. Then enforce a simple procurement rule that no new vendor and no new AI feature goes live without a registry update and a transfer and lawful-basis check. These registers become the evidence layer you need to answer a regulator or customer quickly.
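The register gate described here, and the earlier points that a controller must be able to show basis, purpose, categories and retention for each activity and that a transfer framework collapses when the sub-processor chain is incomplete, can be enforced as a check that runs before a vendor or feature goes live. The following is an added example written for this guide, not a tool from the firm or from any regulator. The basis names, special-category list, transfer-mechanism names and the vendors in `sample()` are constructed assumptions standing in for the company's real registers and the Board's own lists.

```python
"""Register-as-code gate for new vendors and features (added example, not the page's own tool).

The reference sets below are constructed assumptions; the authoritative lists are the
KVKK itself, Board decisions and the company's maintained registers.
"""
from dataclasses import dataclass, field
from typing import Optional

VALID_BASES = {"explicit_consent", "contract", "legal_obligation",
               "legitimate_interest", "provided_by_law"}
SPECIAL_CATEGORIES = {"health", "biometric", "genetic"}
TRANSFER_MECHANISMS = {"adequacy_decision", "bcr", "standard_contract",
                       "board_approved_undertaking"}
DOMESTIC = "TR"   # processing inside Turkey needs no Article 9 mechanism


@dataclass
class Vendor:
    name: str
    country: str
    dpa_signed: bool
    subprocessors: list = field(default_factory=list)   # names of downstream vendors


@dataclass
class Activity:
    name: str
    purpose: str
    lawful_basis: str
    data_categories: set
    retention_days: int
    recipients: list                                    # vendor names receiving the data
    transfer_mechanism: Optional[str] = None
    special_category_basis: Optional[str] = None


def _chain(name, vendors, seen):
    """Walk the sub-processor chain depth-first, yielding (name, Vendor or None)."""
    if name in seen:
        return
    seen.add(name)
    v = vendors.get(name)
    yield name, v
    if v:
        for sub in v.subprocessors:
            yield from _chain(sub, vendors, seen)


def validate(a: Activity, vendors: dict) -> list:
    """Return findings for one processing activity; an empty list means the gate passes."""
    f = []
    if not a.purpose.strip():
        f.append(f"{a.name}: purpose not documented")
    if a.lawful_basis not in VALID_BASES:
        f.append(f"{a.name}: lawful basis '{a.lawful_basis}' not recognised")
    if a.retention_days <= 0:
        f.append(f"{a.name}: retention period not set")
    if a.data_categories & SPECIAL_CATEGORIES and not a.special_category_basis:
        f.append(f"{a.name}: special-category data without a documented Article 6 basis")
    if a.transfer_mechanism and a.transfer_mechanism not in TRANSFER_MECHANISMS:
        f.append(f"{a.name}: unknown transfer mechanism '{a.transfer_mechanism}'")
    seen = set()
    for r in a.recipients:
        for name, v in _chain(r, vendors, seen):
            if v is None:   # the chain names a party nobody has registered
                f.append(f"{a.name}: '{name}' in the sub-processor chain is not in the vendor register")
                continue
            if not v.dpa_signed:
                f.append(f"{a.name}: no data-processing agreement on file for '{name}'")
            if v.country != DOMESTIC and not a.transfer_mechanism:
                f.append(f"{a.name}: data reaches '{name}' in {v.country} with no transfer mechanism")
    return f


def sample():
    """Constructed registers: a domestic CRM, an EU cloud host whose support sub-processor was never registered."""
    vendors = {
        "crm-tr": Vendor("crm-tr", "TR", dpa_signed=True),
        "cloud-eu": Vendor("cloud-eu", "DE", dpa_signed=True, subprocessors=["support-us"]),
    }
    payroll = Activity("payroll", "salary payment", "contract", {"identity", "bank"}, 3650, ["crm-tr"])
    wellness_bad = Activity("wellness-app", "employee wellness programme", "legitimate_interest",
                            {"identity", "health"}, 0, ["cloud-eu"])
    wellness_fixed = Activity("wellness-app", "employee wellness programme", "explicit_consent",
                              {"identity", "health"}, 365, ["cloud-eu"],
                              transfer_mechanism="standard_contract",
                              special_category_basis="explicit_consent")
    return vendors, payroll, wellness_bad, wellness_fixed


if __name__ == "__main__":
    vendors, payroll, bad, fixed = sample()
    for act in (payroll, bad, fixed):
        print(act.name, "->", validate(act, vendors) or "PASS")
```

The third case is the instructive one: even after the special-category basis, retention and transfer mechanism are fixed, the gate still fails because `support-us` appears downstream of the cloud host and nobody added it to the vendor register. That is exactly the incomplete sub-processor chain the transfer section warns about, caught before go-live rather than during an audit.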

Talk to counsel before your next data project

Cross-border data privacy, AI governance, and crypto and technology questions intersect in ways that are difficult to manage statute by statute. If you need a documented, audit-ready program rather than a checklist, our technology, data privacy, and crypto law team advises foreign investors and cross-border companies on KVKK and GDPR compliance, transfer mechanisms, AI Act governance, and incident response. We also support related transactions through our corporate and commercial law practice when data assets are part of a deal.

For related reading, see our guides on intellectual property law, the legal aspects of international investments in Turkey, and AI legal analysis prompts for Turkey.

General information, not legal advice. Turkish law; verify your specific situation with qualified counsel.
