Turkey Data Privacy Laws: KVKK Compliance Guide (2026)

Turkey's data privacy laws center on a single statute that shapes how every organization operating in or targeting the Turkish market handles personal information. The Kişisel Verilerin Korunması Kanunu (Law on the Protection of Personal Data), known as the KVKK and formally designated Law No. 6698, entered into force on April 7, 2016. It was Turkey's first comprehensive data protection law, and it remains the governing framework today.
The law draws heavily on European data protection principles. Turkey's candidacy for European Union membership and its status as a signatory to the Council of Europe's Convention 108 both influenced the KVKK's design. However, the law has its own distinct features, enforcement structure, and penalty regime that set it apart from the EU's General Data Protection Regulation (GDPR).
The most significant update in the law's history came in March 2024, when the Turkish Grand National Assembly adopted Law No. 7499. These amendments, effective June 1, 2024, modernized the cross-border data transfer framework, expanded the legal bases for processing sensitive data, and introduced new penalty categories. Any organization doing business in Turkey must understand both the original law and these recent changes.
What the KVKK Covers and Who It Applies To
The KVKK applies to natural and legal persons who process the personal data of natural persons; the statute itself states no territorial limit. In practice the Board has applied it to Turkish companies, to foreign entities offering goods or services to individuals in Turkey, and to organizations that monitor the behavior of individuals within Turkey.

Personal data under the KVKK means any information relating to an identified or identifiable natural person. This definition is broad and covers names, identification numbers, email addresses, IP addresses, location data, and any other information that can directly or indirectly identify an individual.
The law applies to both automated processing and non-automated processing of personal data, provided the non-automated data forms part of a filing system. There is no revenue threshold or employee count that exempts organizations from the law's core obligations, though certain VERBIS registration thresholds do exist for domestic controllers.
Core Principles of Data Processing
Article 4 of the KVKK establishes the foundational principles that govern all personal data processing. These principles mirror those found in most modern data protection frameworks and serve as the baseline against which the KVKK Board evaluates compliance.
Data must be processed lawfully and fairly, meaning the processing must have a valid legal basis and must not deceive or mislead the data subject. All processing must be connected to a specific, explicit, and legitimate purpose, and controllers may not collect more data than is necessary for that stated purpose.
Accuracy is mandatory. Controllers must keep personal data up to date and correct inaccurate information when identified. Data may only be stored for as long as the purpose of processing requires. Once the purpose is fulfilled or the legal retention period expires, the data must be deleted, destroyed, or anonymized.
Legal Bases for Processing Personal Data
Article 5 of the KVKK sets out the conditions under which personal data may be lawfully processed. The primary basis is the explicit consent of the data subject. However, the KVKK recognizes several alternative legal grounds where consent is not required.
Processing without consent is permitted in the following cases:
- it is expressly prescribed by law;
- it is necessary to protect the life or physical integrity of a person who is unable to give consent, or whose consent is not legally valid;
- it is necessary for the conclusion or performance of a contract to which the data subject is a party, and concerns the personal data of the parties;
- it is necessary for the controller to comply with a legal obligation;
- the data has been made public by the data subject;
- it is necessary for the establishment, exercise or protection of a right;
- it is necessary for the legitimate interests of the controller, provided this does not harm the fundamental rights and freedoms of the data subject.
Notably, while the KVKK includes a legitimate interests basis, it is more restrictively interpreted than under the GDPR. The KVKK Board has historically placed greater emphasis on explicit consent as the preferred legal ground.
Special Categories of Personal Data
Article 6 of the KVKK defines special categories of personal data and imposes stricter processing conditions. These categories include race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health data, sexual life, criminal convictions and security measures, and biometric and genetic data.
Before the 2024 amendments, processing special category data generally required explicit consent unless the processing was mandated by law. The 2024 changes introduced expanded alternative legal grounds for processing sensitive data, bringing the KVKK closer to the GDPR's approach.
Under the amended Article 6, sensitive data may now be processed without explicit consent when necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of health services and financing. Processing by associations and foundations for their members is also permitted under specific conditions. All processing of special category data must still comply with adequate safeguard measures determined by the KVKK Board.
The KVKK Board and Enforcement Authority
The Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) is the independent regulator that enforces the KVKK. Its decision-making organ is the Personal Data Protection Board (Kişisel Verileri Koruma Kurulu), which has nine members: five elected by the Turkish Grand National Assembly and four appointed by the President of the Republic.
The Board holds broad powers. It issues binding decisions on data protection complaints, conducts investigations, imposes administrative fines, publishes guidelines and regulatory guidance, and approves or rejects cross-border data transfer mechanisms. The Board also maintains the Data Controllers Registry (VERBIS) and reviews adequacy decisions for international data transfers.
The Authority's administrative arm, the Presidency, manages daily operations, processes VERBIS registrations, supports the Board's investigative work, and handles public communications. Together, the Board and the Presidency form a regulatory structure that has become increasingly active in enforcement since 2023.
VERBIS: The Data Controllers Registry
One of the KVKK's distinctive features is the Veri Sorumluları Sicil Bilgi Sistemi, commonly known as VERBIS. This is a publicly accessible online registry in which data controllers subject to the registration obligation must register before they begin processing personal data in Turkey.
Registration requires the controller to disclose the categories of personal data processed, the purposes of processing, the categories of data subjects, the recipients or categories of recipients to whom data is disclosed, the anticipated time limits for erasure, and any cross-border data transfers. Any changes to this information must be updated within seven days.
Domestic data controllers are exempt from VERBIS registration if they employ fewer than 50 people and have an annual balance sheet total under 100 million TRY, provided their main business is not the processing of special category data. However, this exemption does not apply to foreign data controllers. Any foreign entity processing personal data in Turkey must register with VERBIS regardless of its size and must appoint a local representative who serves as the point of contact for the KVKK Authority and data subjects.
The KVKK Board began aggressively enforcing VERBIS registration requirements in 2024. In August 2024, the Board investigated 16,350 organizations for non-compliance and issued penalties totaling approximately 504 million TRY (roughly 14 million EUR). Both domestic and foreign controllers, including public institutions, faced sanctions.
Cross-Border Data Transfers: The 2024 Overhaul
The 2024 amendments to Article 9 represent the most substantial change in the KVKK's history. Before these amendments, a transfer abroad was lawful only with the data subject's explicit consent, to a country on a Board-published list of adequate countries (a list the Board never issued), or on the basis of a written undertaking approved case by case by the KVKK Board, a process that was slow and created significant uncertainty for businesses.
The new framework, effective June 1, 2024, introduces a tiered system modeled closely on the GDPR's approach to international transfers.
Adequacy Decisions
The KVKK Board may now issue formal adequacy decisions recognizing that a specific country, a sector within a country, or an international organization provides an adequate level of data protection. When an adequacy decision exists, data controllers may transfer personal data to that destination based on the standard legal grounds under Articles 5 and 6 of the KVKK, without additional authorization.
Standard Contractual Clauses
In the absence of an adequacy decision, controllers and processors may rely on standard contractual clauses (SCCs) published by the KVKK Board. These clauses must be signed by the transferring and receiving parties, and the signed contracts must be notified to the KVKK Authority within five business days. Failure to notify within this window is itself a finable offense, with penalties ranging from approximately 72,000 TRY to 1.4 million TRY in 2026.
Binding Corporate Rules
Multinational organizations may establish binding corporate rules (BCRs) as an alternative safeguard mechanism for intra-group transfers. These must be approved by the KVKK Board and demonstrate adequate protection standards across all group entities.
Occasional Transfers and Consent
As of September 1, 2024, explicit consent is no longer a valid mechanism for regular or repeated international data transfers. Consent may only serve as a legal basis for occasional, non-systematic transfers. This change encourages organizations to establish structural transfer mechanisms rather than relying on individual consent.
The 2024 amendments also explicitly authorize data processors, not just controllers, to engage in cross-border transfers, closing a gap in the original legislation.
Data Breach Notification
The KVKK imposes strict breach notification obligations on data controllers. When a personal data breach is discovered, the controller must notify the KVKK Board within 72 hours using the official Personal Data Breach Notification Form.
Turkey's breach notification requirement is notable for its breadth. Unlike the GDPR, which requires notification only when a breach is "likely to result in a risk to the rights and freedoms of natural persons," the KVKK requires notification for all breaches regardless of severity or risk level. There is no threshold assessment, meaning even minor breaches must be reported to the Board.
The notification must include the nature of the breach, the categories of personal data affected, the approximate number of data subjects affected, the potential consequences, and the measures taken or proposed to mitigate harm. If the controller cannot complete the notification within 72 hours, the reasons for the delay must be documented and submitted alongside the notification.
Controllers must also notify affected individuals without undue delay so they can take protective measures. The KVKK Board may additionally order the controller to publish the breach notification on its website or through other channels if the Board determines broader public notification is necessary. Publication of breach notices on the KVKK Authority's website is limited to 60 days.
Every data controller is expected to maintain a data breach response plan that is reviewed periodically. The plan should identify internal reporting chains, assign responsibility for notification decisions, and establish procedures for documenting and investigating breaches.
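As an added example (not from the KVKK text, the Authority's forms or any of the sources listed on this page), the following Python tracker implements the mechanics an incident-response team has to get right for a Board notification: it starts the 72-hour clock from a timezone-aware discovery time and reports the deadline in Turkish local time (UTC+3 year-round since 2016), checks that the five content items listed above are present, and demands a documented delay reason once the window has closed. It deliberately has no severity gate, because the KVKK has no risk threshold. The BreachRecord structure, the field names and the sample breach are assumptions constructed for the example.

```python
"""Added example: tracking the KVKK Board breach-notification deadline and the
content of the notification. Not from the KVKK or the Authority; the record
structure, field names and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Türkiye has stayed on UTC+3 year-round since 2016, so a fixed offset is enough.
TR_TZ = timezone(timedelta(hours=3), name="TRT")
BOARD_DEADLINE = timedelta(hours=72)  # "without delay, at the latest within 72 hours"

# The content items the notification must carry, as described above.
REQUIRED_FIELDS = ("nature", "data_categories", "approx_subjects",
                   "consequences", "measures")


@dataclass
class BreachRecord:
    """One breach as tracked by the IR team (assumed structure, not an official form)."""
    discovered_at: datetime          # timezone-aware; the 72-hour clock starts here
    nature: str = ""
    data_categories: tuple = ()
    approx_subjects: Optional[int] = None
    consequences: str = ""
    measures: str = ""
    delay_reason: str = ""           # mandatory only once the deadline has passed


def board_deadline(discovered_at: datetime) -> datetime:
    """Latest moment for the Board notification, expressed in Turkish local time."""
    if discovered_at.tzinfo is None:
        # A naive timestamp (e.g. copied from a UTC log) would silently shift
        # the deadline by hours; refuse rather than guess.
        raise ValueError("discovered_at must be timezone-aware")
    return (discovered_at + BOARD_DEADLINE).astimezone(TR_TZ)


def missing_fields(rec: BreachRecord) -> List[str]:
    """Required content items that are still empty, in form order."""
    missing = []
    for name in REQUIRED_FIELDS:
        value = getattr(rec, name)
        if value is None or value == "" or value == ():
            missing.append(name)
    return missing


def notification_status(rec: BreachRecord, now: datetime) -> dict:
    """Where the Board notification stands at `now`.

    Note what is absent: no severity or risk test. Under the KVKK every
    breach is notified, so the only questions are whether the content is
    complete and whether the 72-hour window has already closed (in which
    case a documented reason for the delay must accompany the notification).
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    deadline = board_deadline(rec.discovered_at)
    remaining = deadline - now.astimezone(TR_TZ)
    late = remaining < timedelta(0)
    missing = missing_fields(rec)
    if late and not rec.delay_reason:
        missing.append("delay_reason")
    return {
        "deadline_trt": deadline.isoformat(),
        "hours_remaining": round(remaining.total_seconds() / 3600, 1),
        "late": late,
        "missing": missing,
        "ready_to_submit": not missing,
    }


# Constructed sample: a breach discovered at 06:15 UTC (09:15 in Istanbul).
SAMPLE_BREACH = BreachRecord(
    discovered_at=datetime(2026, 3, 10, 6, 15, tzinfo=timezone.utc),
    nature="Misconfigured object storage bucket exposed customer export files",
    data_categories=("name", "email", "phone"),
    approx_subjects=4200,
    consequences="Possible phishing and spam targeting the listed contacts",
    measures="Bucket made private; access logs reviewed; credentials rotated",
)
SAMPLE_NOW = datetime(2026, 3, 11, 21, 15, tzinfo=TR_TZ)   # 36 hours left
LATE_NOW = datetime(2026, 3, 14, 10, 15, tzinfo=TR_TZ)     # 25 hours past

if __name__ == "__main__":
    print(notification_status(SAMPLE_BREACH, SAMPLE_NOW))
    print(notification_status(SAMPLE_BREACH, LATE_NOW))
```

The refusal of naive timestamps is the part most worth copying: discovery times usually come from log pipelines that store UTC, and a three-hour error in the wrong direction is the difference between a timely notification and one that needs a delay justification.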
Data Subject Rights
Article 11 of the KVKK gives each data subject the right to apply to the controller and:
- learn whether their personal data is being processed;
- request information about the processing if it has been processed;
- learn the purpose of processing and whether the data is used in line with that purpose;
- know the third parties, in Turkey or abroad, to whom the data is transferred;
- request correction of incomplete or inaccurate data;
- request erasure or destruction of data when the grounds for processing no longer exist;
- request that corrections and erasures be notified to the third parties to whom the data was transferred;
- object to a result that is adverse to them and produced exclusively by automated analysis of the processed data;
- claim compensation for damage caused by unlawful processing.
The 2024 amendments did not extend this list. The KVKK still has no data portability right, and its protection against automated decision-making is limited to the Article 11 right to object to an adverse result, which is narrower than GDPR Article 22.
To exercise these rights, the data subject must first apply in writing to the data controller, which must respond within 30 days. If the controller refuses the request, gives an insufficient response, or fails to respond within 30 days, the data subject may file a complaint with the KVKK Board within 30 days of learning of the controller's response, and in any event within 60 days of the original application date. The complaint is submitted through the KVKK Complaint Module, which has been operational since January 2020.
KVKK vs. GDPR: Key Similarities and Differences
The KVKK and GDPR share a common lineage in European data protection principles. Both laws require lawful bases for processing, mandate breach notification, grant data subject rights, and regulate cross-border transfers. Turkey's accession to Convention 108+ reinforces this alignment.
However, meaningful differences remain even after the 2024 amendments.
The GDPR applies to any entity processing data of EU residents regardless of where the entity is located, giving it a broader extraterritorial reach. The KVKK's extraterritorial application is less clearly defined and has been less tested in enforcement.
The GDPR provides six explicit legal bases for processing, including a well-developed legitimate interests framework. The KVKK lists similar bases but has historically favored explicit consent, and its legitimate interests ground is more narrowly interpreted.
Penalties diverge substantially. The GDPR allows fines up to 20 million EUR or 4% of global annual revenue, whichever is higher. The KVKK's maximum administrative fine for 2026 is approximately 17 million TRY (roughly 470,000 EUR at current exchange rates), orders of magnitude smaller than what the GDPR permits.
The KVKK requires VERBIS registration, a concept that has no direct equivalent in the GDPR. The GDPR instead requires Data Protection Impact Assessments (DPIAs) and the appointment of Data Protection Officers (DPOs) in certain cases, neither of which is formally required under the KVKK (VERBIS registration does require naming a contact person, but that role carries none of the DPO's independence or duties).
Finally, the KVKK's breach notification covers all breaches with no risk threshold, while the GDPR allows controllers to skip notification when a breach is unlikely to result in risk to individuals.
Penalties and Enforcement
The KVKK enforces compliance through both administrative fines and criminal penalties.
Administrative Fines (2026 Amounts)
Administrative fines are adjusted annually based on Turkey's revaluation rate. For 2026, the rate increased by 25.49% over 2025 amounts. The current fine ranges are:
- Failure to fulfill the obligation to inform data subjects: 85,000 TRY to 1.7 million TRY
- Failure to fulfill data security obligations: 256,000 TRY to 17 million TRY
- Failure to comply with Board decisions: 427,000 TRY to 17 million TRY
- Failure to register with or notify VERBIS: 342,000 TRY to 17 million TRY
- Failure to notify the Authority of standard contractual clauses for cross-border transfers: 72,000 TRY to 1.4 million TRY
Criminal Penalties
Article 17 of the KVKK refers violations to the Turkish Penal Code (Law No. 5237), which prescribes imprisonment for serious data protection offenses:
- Unlawful recording of personal data: 1 to 3 years imprisonment (higher for sensitive categories)
- Unlawful provision of personal data to others or acquisition of personal data: 2 to 4 years imprisonment
- Failure to delete or anonymize data when required: 1 to 2 years imprisonment
These criminal provisions apply to individuals, meaning company directors and officers may face personal criminal liability for data protection violations.
Notable Enforcement Actions
The KVKK Board has become increasingly aggressive in enforcement. In addition to the August 2024 mass enforcement action against VERBIS non-compliance (16,350 organizations, 504 million TRY in total fines), notable individual actions include fines of approximately 2.6 million TRY each against Meta and WhatsApp for failure to complete VERBIS registration, and a 2 million TRY fine against Twitch in 2024 for a data breach affecting over 35,000 Turkish users.
In 2025, the KVKK Authority signed a cooperation protocol with the Capital Markets Board, signaling expanded regulatory oversight of financial institutions and listed companies that process personal data.
Compliance Checklist for Organizations
Organizations subject to the KVKK should address the following areas to maintain compliance:
- Register with VERBIS before processing any personal data in Turkey (mandatory for foreign controllers regardless of size)
- Appoint a local representative if the organization is based outside Turkey
- Establish and document lawful bases for all personal data processing activities
- Implement technical and organizational measures to ensure data security
- Create a data breach response plan and ensure 72-hour notification capability
- Review cross-border data transfer mechanisms and transition away from consent-based transfers to SCCs, BCRs, or adequacy-based transfers
- Notify the KVKK Authority within five business days of executing standard contractual clauses
- Respond to data subject requests within 30 days
- Maintain data processing inventories and retention schedules
- Conduct regular audits and update VERBIS registration information within seven days of any change
Sources and References
- Personal Data Protection Law No. 6698 (KVKK), Official English Text (kvkk.gov.tr)
- KVKK, Purpose and Scope of the Personal Data Protection Law No. 6698 (kvkk.gov.tr)
- KVKK, Obligations Concerning Data Security (kvkk.gov.tr)
- KVKK, Board Decision No. 2019/10 on Personal Data Breach Notification (kvkk.gov.tr)
- KVKK, Conditions for Processing Special Categories of Personal Data (kvkk.gov.tr)
- KVKK, Rights of the Data Subject (kvkk.gov.tr)
- KVKK, Right to Lodge a Complaint with the Board (kvkk.gov.tr)
- KVKK, By-Law on Data Controllers Registry (VERBIS) (kvkk.gov.tr)
- KVKK, By-Law on Erasure, Destruction or Anonymization of Personal Data (kvkk.gov.tr)
- IAPP, The Long-Awaited Amendments in Turkish Data Protection Law (iapp.org)
- IAPP, Turkey's Data Protection Amendments for 2024: A Closer Look (iapp.org)
- CottGroup, Administrative Fine Amounts in KVKK for 2026 (cottgroup.com)
- Chambers and Partners, Data Protection and Privacy Law in Turkiye 2025 (chambers.com)
- IBA, Mandatory Data Protection Compliance in Turkey: VERBIS Registration and Enforcement Actions (ibanet.org)