Skip to main content

Law on the Protection of Personal Data No. 6698 (Turkey)

Turkey's KVKK (Law No. 6698) regulates personal data processing, modeled on the EU's 1995 Directive and enforced by the Personal Data Protection Board. It requires lawful processing conditions, VERBIS registration, and, since 2024, GDPR-style transfer rules.

Jurisdiction
Turkey

Turkey's Law on the Protection of Personal Data No. 6698, known by its Turkish abbreviation KVKK (Kişisel Verilerin Korunması Kanunu), is the country's primary data protection law. It entered into force on April 7, 2016. The law was modeled largely on the EU's 1995 Data Protection Directive and is enforced by the Personal Data Protection Authority and its decision-making body, the Personal Data Protection Board. Amendments in 2024 brought parts of the law, particularly the rules on special categories of data and cross-border transfers, closer to the GDPR.

The KVKK sets out conditions for lawful processing and requires many data controllers to register with the national registry known as VERBIS.

Who It Applies To

The KVKK applies to natural and legal persons that process the personal data of individuals, whether wholly or partly by automated means or as part of a filing system. It applies to data controllers operating in Turkey and is generally understood to reach the processing of personal data of individuals in Turkey. Data controllers meeting certain criteria must register with VERBIS, the Data Controllers Registry.

Key Requirements

Personal data may be processed only with the explicit consent of the data subject or under one of the law's other lawful conditions, such as legal obligation, performance of a contract, legitimate interests, or where processing is necessary to protect life. Special categories of data, such as health, religion, and biometric data, have stricter conditions. Data subjects have rights to learn whether their data is processed, to access it, to request correction or deletion, and to object to results of automated analysis. Controllers must inform data subjects at the time of collection, take technical and organizational security measures, and register with VERBIS where required. Cross-border transfers were historically restrictive, but the 2024 amendments introduced GDPR-style mechanisms such as adequacy, standard contracts, and binding corporate rules.

Penalties for Non-Compliance

The Personal Data Protection Board can impose administrative fines for failures such as not fulfilling information obligations, not ensuring data security, not complying with Board decisions, and not registering with VERBIS. Fines are adjusted annually and can be substantial. Certain unlawful acts involving personal data can also carry criminal penalties under the Turkish Penal Code, including imprisonment.

How to Comply

Identify a lawful condition for each processing activity and obtain explicit consent where no other condition applies. Apply stricter rules to special categories of data. Provide information notices at collection and honor data subject requests. Implement technical and organizational security measures. Register with VERBIS if you meet the criteria. Review cross-border transfers under the updated 2024 framework and apply an appropriate transfer mechanism.