turkey-kvkk
Turkey KVKK Compliance
Overview
The Kisisel Verilerin Korunmasi Kanunu (KVKK), Law No. 6698, is Turkey's comprehensive personal data protection law. It was published in the Official Gazette on 7 April 2016 and entered into force on the same date. The KVKK is modelled on the EU Data Protection Directive 95/46/EC and shares structural similarities with the GDPR, though there are significant differences in cross-border transfer mechanisms, consent requirements, and the role of the Personal Data Protection Authority (Kisisel Verileri Koruma Kurumu, KVKK Authority) and its decision-making body, the Personal Data Protection Board (Kurul).
Turkey applied for EU membership in 1987, and the KVKK was enacted partly to align with EU data protection standards. However, Turkey has not received an adequacy decision from the European Commission under GDPR Article 45, which creates complexity for EU-Turkey data flows.
Key Definitions
| Turkish Term | English | GDPR Equivalent |
|---|---|---|
| Kisisel veri | Personal data | Personal data (Art. 4(1)) |
| Ozel nitelikli kisisel veri | Special category personal data | Special category data (Art. 9) |
| Veri sorumlusu | Data controller | Controller (Art. 4(7)) |
| Veri isleyen | Data processor | Processor (Art. 4(8)) |
| Ilgili kisi | Data subject / Relevant person | Data subject |
| Acik riza | Explicit consent | Consent |
| VERBIS | Data Controllers Registry | No direct equivalent (registration system) |