Turkey KVKK Compliance: A Guide for Global Businesses

Updated Jan 26, 2026

  • Mandatory Registration: Foreign data controllers targeting the Turkish market or monitoring Turkish residents must register with the VERBIS system before processing data.
  • 2024 Reform: Recent amendments to the KVKK have aligned Turkish cross-border data transfer rules more closely with the EU's GDPR, introducing Standard Contractual Clauses (SCCs).
  • Criminal Liability: Unlike the GDPR, non-compliance with the KVKK can lead to imprisonment for individuals under the Turkish Penal Code, in addition to heavy administrative fines.
  • Explicit Consent: While "explicit consent" is a primary legal basis, Turkish law provides specific exemptions where data can be processed without consent, such as for the performance of a contract or legal obligations.
  • Local Representation: Foreign companies must appoint a Turkish resident or a Turkish legal entity as a "Data Controller Representative" to facilitate communication with the Authority.

What are the main differences between EU GDPR and Turkish KVKK?

The Turkish Personal Data Protection Law (Law No. 6698), known as KVKK, is heavily inspired by the EU's Directive 95/46/EC but contains unique procedural requirements and harsher penalties. While both frameworks share principles like data minimization and transparency, the KVKK imposes specific registration obligations and distinct criminal sanctions that are not found in the GDPR.

International businesses often mistake GDPR compliance for automatic KVKK compliance, but several critical differences exist:

  • Registration (VERBIS): The GDPR does not require a central registry for all controllers. The KVKK requires mandatory registration for most companies through the Data Controllers Registry Information System (VERBIS).
  • Criminal Sanctions: The Turkish Penal Code (Articles 135-140) stipulates prison sentences ranging from one to four years for unlawful recording or distribution of personal data.
  • Data Subject Rights: While similar, the timelines for responding to data subject requests differ. Under KVKK, you must respond within 30 days, and the process is governed by specific Turkish communiqués.
  • Explicit Consent Definition: Turkish law is often stricter regarding "bundled consent." Consent must be freely given, specific, and informed, and it cannot be a mandatory condition for providing a service unless strictly necessary.

What is the VERBIS system and is registration mandatory for foreign companies?

A 4-step infographic showing the VERBIS registration process for foreign companies in Turkey

VERBIS (Veri Sorumluları Sicil Bilgi Sistemi) is the mandatory online registration system where data controllers must declare their data processing categories, purposes, recipient groups, and data security measures. Foreign data controllers that process the personal data of individuals located in Turkey must register with VERBIS through a designated representative.

Registration is not just a formality; it is a statutory requirement for transparency. Failure to register can result in significant administrative fines.

Entity Type | Threshold for Mandatory Registration
Local Turkish Companies | Annual turnover > 100 million TRY OR > 50 employees.
Foreign Data Controllers | Mandatory if they process data of individuals in Turkey (no turnover threshold).
Special Categories | Mandatory for those whose main business is processing sensitive data (e.g., healthcare providers).

The Registration Process for Foreign Firms:

  1. Appoint a Representative: You must formally appoint a Turkish citizen or a legal entity established in Turkey as your Data Controller Representative via a notarized and apostilled Power of Attorney.
  2. Create a Data Inventory: Before logging into VERBIS, you must map all data flows within your organization.
  3. Submit the Notification: The representative enters the data categories (e.g., identity, contact, financial) and purposes into the system. No actual personal data is uploaded, only the metadata of your processing activities.

How can businesses legally transfer personal data from Turkey to other countries?

Flowchart of legal options for transferring personal data from Turkey to other countries under KVKK

Following the landmark 2024 amendments to the KVKK, businesses can now transfer data out of Turkey using mechanisms similar to the GDPR, such as Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). Previously, transfers were highly restricted due to the lack of an "authorized countries" list, often requiring explicit consent for every transaction.

Under the updated Article 9 of the KVKK, cross-border transfers are permitted through the following "Appropriate Safeguards":

  1. Adequacy Decision: Transfers are free to countries or international organizations deemed by the Personal Data Protection Board to have an adequate level of protection.
  2. Standard Contractual Clauses (SCCs): In the absence of an adequacy decision, controllers can use SCCs provided by the Board. These must be signed and notified to the Board within five business days.
  3. Binding Corporate Rules (BCRs): For intra-group transfers, multinational corporations can submit BCRs for approval by the Authority.
  4. Written Undertaking: Controllers can sign a specific agreement and seek the Board's express permission for the transfer.

If none of these safeguards are in place, transfers may only occur based on explicit consent or under exceptional circumstances, such as the performance of a contract or for the protection of life.

When is explicit consent required versus legitimate interest under Turkish law?

Explicit consent is the default legal basis for processing personal data in Turkey, but it is not the only one. Article 5 of the KVKK lists several legal grounds that allow a business to process data without obtaining a signature or click-wrap agreement from the individual.

Processing Without Consent (Legal Grounds):

  • Explicitly Provided by Law: If a specific Turkish statute requires the data collection (e.g., Tax Procedure Law).
  • Performance of a Contract: Processing data necessary to fulfill a contract with the data subject (e.g., taking an address for a delivery).
  • Legal Obligation: To comply with a legal duty (e.g., reporting employee data to the Social Security Institution).
  • Legitimate Interests: Processing that is necessary for the company's legitimate interests, provided it does not harm the fundamental rights and freedoms of the individual.
  • Publicly Available Data: Data that has been made public by the individual themselves.

Processing Sensitive Data: Sensitive data (race, religion, health, biometrics) requires even stricter handling. Processing health and sexual life data without explicit consent is generally only permitted for authorized persons or institutions for purposes like medical diagnosis and healthcare management.

What are the penalties for non-compliance with the KVKK?

The Turkish Personal Data Protection Authority (KVKK Kurumu) actively audits companies and imposes significant administrative fines for violations. Because these fines are adjusted annually based on the revaluation rate, they represent a substantial financial risk for global enterprises.

Violation Type | Potential Administrative Fine (2024 estimates)
Failure to Notify/Register with VERBIS | Up to 9,463,213 TRY
Violation of Data Security Obligations | Up to 9,463,213 TRY
Failure to Inform Data Subjects | Up to 946,308 TRY
Failure to Fulfill Board Decisions | Up to 9,463,213 TRY

Criminal Consequences: Beyond fines, the Turkish Penal Code applies to individuals within the company.

  • Unlawful Data Recording: 1 to 3 years imprisonment.
  • Unlawful Data Transfer/Acquisition: 2 to 4 years imprisonment.
  • Failure to Destroy Data: 1 to 2 years imprisonment.

Common Misconceptions About KVKK

"We don't have an office in Turkey, so the law doesn't apply to us."

The KVKK has extraterritorial effect. If you offer goods or services to people in Turkey or monitor their behavior (e.g., via cookies or apps), you are subject to the law and must appoint a local representative.

"Explicit consent covers everything."

Explicit consent must be specific. "General" consent for "marketing and all other purposes" is often found invalid by the Turkish Authority. Furthermore, if you rely on consent for something that is actually a legal obligation, that consent may be considered "misleading" and therefore void.

"GDPR SCCs are sufficient for Turkey."

While the 2024 amendment introduced Turkish SCCs, you cannot simply use your existing EU SCCs. You must use the specific templates provided by the Turkish Personal Data Protection Authority and follow their notification procedures.

When to Hire a Lawyer

Navigating the KVKK requires a blend of technical IT knowledge and local legal expertise. You should consult a qualified Turkish data protection attorney if:

  • You are entering the Turkish market and need to register with VERBIS.
  • You are transferring customer or employee data from a Turkish subsidiary back to your global headquarters.
  • You have suffered a data breach and must notify the Turkish Authority within the 72-hour window.
  • You are drafting localized privacy policies and explicit consent forms to ensure they meet Turkish "bundled consent" standards.
  • You are involved in an investigation or audit by the Kişisel Verileri Koruma Kurumu.

Next Steps

  1. Audit Your Data: Identify what personal data you collect from Turkish residents and where it is stored.
  2. Appoint a Representative: If you are a foreign entity, formally designate your Turkish Data Controller Representative.
  3. Register on VERBIS: Complete your notification to the registry to avoid the most common source of administrative fines.
  4. Update Transfer Mechanisms: Review your cross-border data transfer agreements to ensure they utilize the new 2024 SCC templates.
  5. Train Local Staff: Ensure your Turkish team understands the 30-day response window for data subject access requests (DSARs).

Disclaimer:
The information provided on this page is for general informational purposes only and does not constitute legal advice. While we strive to ensure the accuracy and relevance of the content, legal information may change over time, and interpretations of the law can vary. You should always consult with a qualified legal professional for advice specific to your situation.

We disclaim all liability for actions taken or not taken based on the content of this page. If you believe any information is incorrect or outdated, please contact us, and we will review and update it where appropriate.