Turkey Data Privacy Laws: KVKK, Law 7499 & 2024 Cross-Border Transfer Reform

Turkey's primary data privacy statute, Law No. 6698 (KVKK), governs personal data protection for all individuals located in Turkey. Law No. 7499, effective June 1, 2024, overhauled cross-border transfer rules and replaced the old consent-and-approval model with a three-tier framework of adequacy decisions, standard contractual clauses, and limited derogations.

Turkey's data privacy regime is built on a statute, a constitutional right, and an independent supervisory authority that has grown steadily more assertive since 2023. Understanding it requires grasping both the original 2016 law and the major 2024 reforms that fundamentally changed how personal data may be sent outside the country.

Quick Answer: Turkey's Data Protection Framework

Turkey's primary data protection law is the Kisisel Verilerin Korunmasi Kanunu, abbreviated KVKK and formally designated Law No. 6698. It entered force on April 7, 2016, and was Turkey's first comprehensive data protection statute.

The supervising body is the Personal Data Protection Authority (Kisisel Verileri Koruma Kurumu). Its nine-member decision-making arm, the Personal Data Protection Board (Kisisel Verileri Koruma Kurulu), issues binding decisions, conducts investigations, imposes fines, and publishes regulatory guidance.

In March 2024, the Turkish Grand National Assembly passed Law No. 7499, published in the Official Gazette on March 12, 2024 (No. 32487). The KVKK-related provisions took effect June 1, 2024, with a transitional compliance period running until September 1, 2024. This legislation was the most substantial amendment to the KVKK since its enactment.

Constitutional Basis: Article 20 and the 2010 Amendment

Turkey's data protection framework has an explicit constitutional foundation. The original Constitution of the Republic of Turkey, adopted in 1982, protected privacy in general terms under Article 20's provisions on the secrecy of private life. In 2010, a significant constitutional amendment added paragraph 3 to Article 20, published in Official Gazette No. 27580 on May 13, 2010.

Article 20(3) provides that everyone has the right to protection of their personal data. The provision expressly grants the right to be informed about personal data, to access that data, to request its correction or deletion, and to learn whether it has been used in accordance with a lawful purpose. It also states that personal data may be processed only in cases prescribed by law or with the explicit consent of the person concerned.

The 2010 amendment specifically required the legislature to enact a dedicated statute on the protection of personal data. That constitutional mandate produced the KVKK six years later, in 2016. The constitutional grounding distinguishes Turkey from many countries where data protection rests solely on ordinary legislation and places privacy and data protection in the highest tier of Turkish law.

Turkey is also a signatory to the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), which reinforces the constitutional and statutory framework with international law obligations.

The KVKK: Scope and Coverage

The KVKK applies to any natural or legal person who processes the personal data of individuals located in Turkey. This includes Turkish companies, foreign entities offering goods or services to Turkish residents, and organizations that monitor the behavior of individuals in Turkey.

Personal data under the KVKK means any information relating to an identified or identifiable natural person. The definition is broad and covers names, identification numbers, email addresses, IP addresses, location data, and any other information that can directly or indirectly identify an individual.

The law applies to both automated processing and non-automated processing, provided the non-automated data forms part of a filing system. There is no revenue threshold or employee count that triggers or exempts organizations from the core obligations, though VERBIS registration thresholds do exist for domestic controllers.

Core Principles of Data Processing

Article 4 of the KVKK establishes the foundational principles governing all personal data processing. These principles are similar to those in most modern data protection frameworks.

Data must be processed lawfully and fairly. Processing must have a valid legal basis and must not deceive or mislead the data subject. All processing must be connected to a specific, explicit, and legitimate purpose. Controllers may not collect more data than is necessary for the stated purpose.

Accuracy is mandatory. Controllers must keep data up to date and correct inaccuracies when identified. Data may only be stored for as long as the purpose of processing requires. Once that purpose is fulfilled or the legal retention period expires, the data must be deleted, destroyed, or anonymized.

Legal Bases for Processing

Article 5 of the KVKK sets out the conditions under which personal data may be lawfully processed. The primary basis is explicit consent. However, several alternative grounds allow processing without consent.

Processing without consent is permitted when it is expressly prescribed by law, when it is necessary for the protection of life or physical integrity of a person unable to give consent, when it is necessary for the performance of a contract to which the data subject is party, when it is necessary for the controller to fulfill a legal obligation, when the data has been made public by the data subject, when processing is necessary for establishing or protecting a legal right, and when processing is necessary for the legitimate interests of the controller provided those interests do not violate the fundamental rights of the data subject.

The KVKK's legitimate interests ground is interpreted more narrowly than under the GDPR. The KVKK Board has historically emphasized explicit consent as the preferred legal ground, and organizations relying on legitimate interests carry a heavier justification burden.

Special Categories of Personal Data

Article 6 of the KVKK defines special categories of personal data and imposes stricter processing conditions. These categories include race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations or trade unions, health data, sexual life, criminal convictions and security measures, and biometric and genetic data.

Before Law No. 7499, the KVKK drew a further internal distinction between health and sexual life data on one side and all other sensitive categories on the other, applying different legal conditions to each group. The 2024 amendment abolished that internal distinction. All special-category data is now subject to a unified set of legal grounds.

Under the amended Article 6, sensitive data may be processed without explicit consent when expressly permitted by law, when necessary to protect the life or physical integrity of a person unable to give consent, when data has been made public by the subject, when processing is necessary for establishing or exercising a legal right, when necessary to fulfill employment or occupational health and safety obligations, or when processed by associations and foundations for their own members' purposes without disclosure to third parties.

The amendment also broadened the medical and public health exception, permitting processing by health professionals for preventive medicine, medical diagnosis, treatment and care services, and the planning and financing of health services, provided adequate confidentiality and technical safeguards are maintained.

All processing of special-category data continues to require compliance with additional safeguard measures that the KVKK Board has the authority to specify.

The KVKK Board and the Personal Data Protection Authority

The Personal Data Protection Authority (KVKK Authority) is the independent supervisory body. Its nine-member Board consists of five members elected by the Turkish Grand National Assembly and four appointed by the President of the Republic. Board members serve six-year terms and are expected to act independently.

The Board's enforcement powers are broad. It investigates complaints, conducts ex officio investigations, issues binding decisions requiring remediation, imposes administrative fines, publishes guidelines and regulatory guidance, approves or rejects cross-border data transfer mechanisms, and maintains the VERBIS registry.

The Authority's Presidency handles day-to-day administration, processes VERBIS registrations, supports investigative work, and manages public communications including publication of breach notifications on the Authority's website.

Since 2023, the Board has accelerated enforcement. It has issued guidance on emerging technology topics including chatbots, deepfakes, and AI systems, and has expanded scrutiny of digital platforms and financial institutions.

VERBIS: The Data Controllers Registry

One of the KVKK's most distinctive features is the Veri Sorumlulari Sicil Bilgi Sistemi, known as VERBIS. This publicly accessible online registry requires data controllers to register before beginning to process personal data in Turkey.

Registration requires the controller to disclose the categories of personal data processed, the purposes of processing, the categories of data subjects, the recipients to whom data is disclosed, the anticipated retention periods, and any cross-border data transfers. Any changes to this information must be updated within seven days.

Domestic Registration Thresholds

For controllers established in Turkey, registration is required if they employ 50 or more people or have an annual balance sheet total of 100 million TRY or more. An exemption applies to smaller organizations, but only if their main activity is not the processing of special-category data. Controllers whose main business involves processing sensitive data must register if they have 10 or more employees or an annual balance sheet of at least 10 million TRY.

These thresholds were revised by an amendment published in September 2025 that took effect on October 1, 2025. The revision adjusted both the employee and financial thresholds and clarified the special-category processing criterion for smaller controllers.

Foreign Controllers

The domestic thresholds do not apply to foreign data controllers. Any foreign entity that processes the personal data of individuals in Turkey must register with VERBIS regardless of its size, workforce, or annual revenue. Foreign controllers must also appoint a local representative who is resident in Turkey. The representative serves as the primary point of contact for the KVKK Authority and for data subjects seeking to exercise their rights.

VERBIS Enforcement

The KVKK Board began aggressively enforcing VERBIS registration in 2024. In August 2024, the Board investigated 16,350 organizations for non-compliance and issued penalties totaling approximately 504 million TRY (roughly 14 million EUR). Both domestic and foreign controllers, including public institutions, faced sanctions. Meta and WhatsApp each received fines of approximately 2.6 million TRY for incomplete VERBIS registration.

The 2024 Amendment: Law No. 7499

Law No. 7499 was enacted as a broad multi-sector reform bill. Its KVKK provisions amended Articles 6, 9, and 18 of Law No. 6698, with the changes taking force on June 1, 2024 and a transition period ending September 1, 2024.

The amendment was driven by two goals: modernizing Turkey's cross-border transfer framework to align with GDPR Chapter V, and expanding the legal bases for sensitive data processing. Both were areas where the original 2016 law had created practical difficulties for businesses and friction with EU partners.

Cross-Border Data Transfers: The New Three-Tier Framework

The 2024 amendments to Article 9 represent the most consequential change in the KVKK's history. Before Law No. 7499, international data transfers required either the explicit consent of the data subject or a case-by-case undertaking approved by the KVKK Board. That process was slow, created uncertainty, and made systematic cross-border data flows difficult to manage. The new framework replaced it with a hierarchy of three mechanisms.

Tier 1: Adequacy Decisions

The KVKK Board may issue formal adequacy decisions recognizing that a specific country, a sector within a country, or an international organization provides a level of data protection essentially equivalent to the KVKK. When such a decision is in place, personal data may be transferred to that destination using the ordinary legal grounds under Articles 5 and 6, without additional authorization or contractual mechanisms.

A notable feature of the Turkish adequacy regime is that it can apply at a sectoral level. A specific industry within a country may receive an adequacy designation even if the country overall has not been found adequate. Adequacy decisions are subject to periodic review at least every four years.

As of early 2026, the KVKK Board had not yet published a finalized list of adequate countries or sectors. The designation landscape continues to develop, and organizations cannot yet rely on an adequacy decision for most transfer destinations.

Tier 2: Appropriate Safeguards

When no adequacy decision exists, controllers may rely on one of three safeguard mechanisms.

Standard contractual clauses (SCCs) are pre-approved template contracts published by the KVKK Board. They come in distinct modules covering controller-to-controller and controller-to-processor transfers. The clauses must be adopted without modification. Supplementary annexes may be added to address operational details such as data categories, purposes, and security measures, but the core clause text cannot be altered.

Once executed, the parties must notify the KVKK Authority through the Authority's electronic Veri Aktarim Modulu (Data Transfer Module) within five business days of signing. The day of signature is day zero; notification must be completed by the close of the fifth business day following execution. By end of 2024, approximately 1,345 standard contracts had been notified through the module during the June-to-December period, indicating that organizations moved quickly to adopt the new mechanism.

Notification does not constitute Board approval. The transfer's legality derives from correct adoption of the Board-approved clause text. Notification is an administrative filing that supports Authority monitoring.

Binding corporate rules (BCRs) allow multinational organizations to establish intra-group transfer frameworks. BCRs must be submitted to the KVKK Board for approval and must demonstrate that adequate protection standards are maintained across all participating group entities, including commitments on data security, transparency, and data subject rights enforcement.

Written undertakings are a third option. A data controller or processor may draft a customized written agreement with the foreign recipient that commits both parties to adequate protection standards. Unlike SCCs, written undertakings are not based on a pre-approved Board template. They must be submitted to the Board for individual authorization before transfers begin. This mechanism provides flexibility for atypical transfer relationships but requires more lead time than SCCs.

Tier 3: Exceptional Derogations

When neither an adequacy decision nor a safeguard mechanism is available or practical, certain limited derogations permit transfers in specific circumstances. These include transfers based on the explicit informed consent of the data subject, transfers necessary for the performance of a contract between the data subject and the controller, transfers that are vital to protect the data subject's life or physical integrity when consent cannot be obtained, and transfers necessary for the establishment or exercise of legal rights.

As of September 1, 2024, explicit consent can no longer serve as a basis for regular or repeated international transfers. Consent in the derogation sense covers only occasional, non-systematic transfers. This eliminates the practice of using rolling blanket consent as a substitute for structural mechanisms.

The 2024 amendments also explicitly authorize data processors, and not only controllers, to engage in cross-border transfers, closing a gap in the original legislation.

The Cross-Border Transfer Regulation and Guideline

The KVKK published the Regulation on the Procedures and Principles Regarding Cross-Border Transfer of Personal Data on July 10, 2024, providing the operational detail behind the new Article 9 framework. In January 2025, the Authority issued accompanying guidelines clarifying the hierarchy of mechanisms and the procedural requirements for each. The guidelines instruct controllers to assess the protection level in the destination country, document that assessment, and select the applicable mechanism based on the outcome.

VERBIS and Cross-Border Transfers

Organizations engaged in cross-border data transfers must reflect those transfers in their VERBIS registration. The categories of foreign recipients, the countries involved, and the transfer mechanism used must all be disclosed. Any change to a transfer arrangement must be updated in VERBIS within seven days.

Data Breach Notification

The KVKK imposes strict breach notification obligations. When a personal data breach is discovered, the data controller must notify the KVKK Board within 72 hours using the official Personal Data Breach Notification Form. The 72-hour clock begins when the controller's management becomes aware of the breach, not merely when the IT department first detects it.

Turkey's notification requirement is notably broader than the GDPR's. The GDPR requires notification only when a breach is likely to result in risk to the rights and freedoms of natural persons. The KVKK imposes no such risk threshold. All breaches must be reported to the Board regardless of severity or the likelihood of harm to individuals.

The notification must describe the nature of the breach, the categories and approximate number of personal data records affected, the approximate number of data subjects involved, the potential consequences, and the measures taken or proposed to address the breach. If the controller cannot complete the notification within 72 hours, the reasons for the delay must be documented and included with the notification.

Controllers must also notify affected data subjects without undue delay so they can take protective measures. The Board may additionally order the controller to publish a breach notification on its website or through other channels when it determines broader public notification is warranted.

From December 25, 2025, breach notifications published on the KVKK Authority's website are removed after a maximum of 60 days. This change was introduced by Board Decision No. 2025/2451, replacing the previous practice of indefinite retention. Controllers who can demonstrate that all affected individuals were directly notified earlier may have notices removed sooner.

Every data controller subject to the KVKK is expected to maintain a tested breach response plan that identifies internal reporting chains, assigns notification responsibility, and establishes procedures for documenting and investigating incidents.

Data Subject Rights

Article 11 of the KVKK grants individuals a comprehensive set of rights regarding their personal data. The 2024 amendments strengthened several of these rights, bringing them closer to GDPR standards.

Data subjects may learn whether their personal data is being processed. If it is, they may request information about the nature of the processing. They may learn the purpose of processing and whether data is used in accordance with its stated purpose. They may identify the third parties, whether domestic or foreign, to whom their data has been disclosed. They may request correction of incomplete or inaccurate data. They may request deletion or destruction of their data when the grounds for processing no longer exist or the retention period has expired.

Data subjects may request that the controller notify third parties of any corrections or deletions made. They may object to a result produced exclusively through automated processing when that result affects them adversely. They may also claim compensation for damages caused by unlawful processing.

Following the 2024 amendments, data portability rights were reinforced in practice, giving individuals a stronger ability to receive and transfer their data. Protections against automated decision-making were also enhanced.

To exercise these rights, the data subject must first submit a written application to the data controller. The controller must respond within 30 days. If the controller refuses, gives an inadequate response, or fails to respond, the data subject may file a complaint with the KVKK Board within 30 days of learning of the response, or within 60 days of the original request. Complaints are submitted through the KVKK Complaint Module.

KVKK vs. GDPR: Key Similarities and Differences

The KVKK and the EU's General Data Protection Regulation share a common lineage in European data protection tradition. Turkey's Convention 108 membership and its EU accession candidacy both shaped the KVKK's design. However, meaningful differences remain even after the 2024 reforms.

Territorial reach. The GDPR applies to any entity processing data of EU residents regardless of where the entity is based. The KVKK applies to foreign entities targeting Turkish residents, but its extraterritorial enforcement has been less developed in practice.

Legal bases. Both laws recognize explicit consent, contract performance, legal obligations, vital interests, and legitimate interests. The KVKK's legitimate interests ground is more narrowly interpreted, and the Board has historically preferred explicit consent.

Penalty levels. The GDPR allows fines up to 20 million EUR or 4% of global annual revenue. The KVKK's 2026 maximum administrative fine is approximately 17 million TRY, which at current exchange rates is roughly 460,000 to 490,000 EUR. The KVKK supplements administrative fines with criminal penalties through the Turkish Penal Code, including imprisonment for individuals.

VERBIS vs. DPOs and DPIAs. The KVKK requires VERBIS registration, which has no direct GDPR equivalent. The GDPR requires Data Protection Impact Assessments and Data Protection Officers in certain high-risk or large-scale processing contexts. Neither DPOs nor DPIAs are formally mandated by the KVKK, though many practitioners recommend them as best practice.

Breach notification threshold. The GDPR uses a risk-based threshold. The KVKK requires notification for all breaches without any threshold.

Adequacy for transfers. Both laws use a tiered transfer framework culminating in adequacy decisions, SCCs, and BCRs. Turkey's framework was modeled on GDPR Chapter V after the 2024 reform. However, Turkey has not yet issued any adequacy decisions, leaving SCCs as the primary practical mechanism for most international transfers.

Penalties and Enforcement

Administrative Fines for 2026

Administrative fines under the KVKK are adjusted annually by Turkey's statutory revaluation rate. For 2026, the revaluation rate is 25.49%, applied on top of 2025 figures pursuant to Official Gazette No. 33090 (November 27, 2025). The exact 2026 fine ranges are:

• Failure to inform data subjects: 85,437 TRY minimum to 1,709,200 TRY maximum
• Failure to fulfill data security obligations: 256,357 TRY minimum to 17,092,242 TRY maximum
• Failure to comply with Board decisions: 427,263 TRY minimum to 17,092,242 TRY maximum
• Failure to register with or notify VERBIS: 341,809 TRY minimum to 17,092,242 TRY maximum
• Failure to notify the Authority of standard contractual clauses for cross-border transfers: 90,308 TRY minimum to 1,806,377 TRY maximum

The last category was added by the 2024 amendment as a dedicated enforcement tool for the SCC notification requirement.

Administrative fines were previously appealable to criminal courts of peace. Law No. 7499 changed this: fines are now appealable to administrative courts, a procedural shift that aligns with the administrative law character of the KVKK regime.

Criminal Penalties

Article 17 of the KVKK refers serious violations to the Turkish Penal Code (Law No. 5237), which prescribes imprisonment for data protection offenses:

• Unlawful recording of personal data: 1 to 3 years imprisonment; elevated sentences apply for sensitive categories
• Unlawful provision of personal data to others, or acquisition of data by unlawful means: 2 to 4 years imprisonment
• Failure to delete or anonymize data when legally required: 1 to 2 years imprisonment

These provisions apply to natural persons, meaning company directors and officers may face personal criminal liability for data protection violations.

Notable Enforcement Actions

Total KVKK Board fines in 2024 exceeded 552 million TRY. The largest single wave was the August 2024 VERBIS non-compliance action against 16,350 organizations, resulting in penalties of approximately 504 million TRY. Both domestic and foreign controllers, including public institutions, were included.

Notable individual actions include fines of approximately 2.6 million TRY each against Meta and WhatsApp for incomplete VERBIS registration. Twitch received a 2 million TRY fine in 2024 for a data breach affecting more than 35,000 Turkish users.

In 2025, the KVKK Authority signed a cooperation protocol with the Capital Markets Board (Sermaye Piyasasi Kurulu). This signals expanded joint oversight of financial institutions and publicly listed companies that process personal data, and foreshadows coordinated investigations and cross-agency enforcement in the financial sector.

Emerging Topics: AI, Chatbots, and Deepfakes

The KVKK Authority has begun issuing substantive guidance on emerging technology topics. In 2024, the Authority published information notes on chatbots including ChatGPT, deepfakes, and the legal bases for various categories of AI-driven data processing. This guidance does not yet take the form of binding regulations but signals the direction of future enforcement.

The Board's position is that AI systems which process personal data are subject to the full KVKK framework, including the requirements for lawful processing basis, data minimization, transparency, and data subject rights. Organizations deploying AI tools that process personal data of Turkish residents should document the legal basis, prepare data subject information disclosures, and assess whether data transfers to foreign AI providers comply with the cross-border transfer regime.

The Authority has also flagged the intersection of data protection and competition law, noting that investigations into large technology platforms increasingly have both dimensions, following the pattern of the META investigation and similar actions in the EU.

Compliance Checklist for Organizations

Organizations subject to the KVKK should address the following areas to build and maintain compliance.

Register with VERBIS before processing any personal data in Turkey. Foreign controllers must register regardless of size and must appoint a Turkish-resident representative. Domestic controllers below the general thresholds must still register if their main activity involves special-category data processing.

Establish and document a lawful basis for every personal data processing activity. Explicit consent should not be the default choice where another ground is more appropriate and stable.

Map all cross-border data transfers and identify the applicable transfer mechanism. If using SCCs, execute them without modification and notify the KVKK through the Veri Aktarim Modulu within five business days. If using written undertakings, obtain Board authorization before transfers begin.

Implement technical and organizational data security measures. Maintain internal audit schedules and document compliance measures periodically.

Prepare and test a data breach response plan that supports 72-hour notification to the Board for all breaches regardless of severity. Review the plan at least annually.

Respond to data subject applications within 30 days. Maintain a process for receiving, authenticating, and processing applications.

Update VERBIS registration within seven days of any change to processing activities, data categories, recipients, or transfer arrangements.

Review AI and automated processing activities against KVKK requirements. Prepare transparency disclosures for processing involving chatbots or AI-driven tools that handle personal data of Turkish residents.

See Also

For recording law, wiretapping, and Turkish Penal Code consent rules, see Turkey Recording Laws.