Clym Logo
TR flag

TR

Personal Data Protection Law (KVKK) Turkey

Overview

The Personal Data Protection Law of Turkey (Kışisel Verileri Koruma Kanunu - Law No. 6698) was adopted on March 24, 2016, and came into effect on April 7, 2016. Its main purpose is to safeguard personal data, emphasizing the right to privacy while setting obligations for entities processing such data. The law regulates the processing, transfer, and protection of personal data, establishing the roles and responsibilities of data controllers and processors.

Regulation Summary

  • Enacted: March 24, 2016
  • Effective: April 7, 2016

  • Natural and legal persons processing personal data wholly or partially through automated means or as part of a filing system.
  • Organizations based outside Turkey if they process the personal data of Turkish residents.

  • Personal data processed for personal or household activities.
  • Data used for official statistics, research, planning, and anonymized statistical purposes.
  • Processing for artistic, historical, or scientific purposes, provided fundamental rights are not violated.

  • Obtain explicit consent for processing personal data unless a legal exception applies.
  • Ensure data is processed lawfully, fairly, and transparently.
  • Limit processing to specified, explicit, and legitimate purposes.
  • Implement robust security measures to prevent unauthorized access, alteration, or destruction of personal data.
  • Notify breaches promptly to the Personal Data Protection Authority (KVKK) and affected individuals.
  • Register with the Data Controllers' Registry (VERBIS).

  • Obtain user consent for cookies and other tracking technologies.
  • Publish comprehensive privacy policies.
  • Facilitate the exercise of data subject rights, such as access and deletion.

  • Cross-Border Data Transfers: Allowed only to countries with adequate data protection or under agreements approved by KVKK.
  • Sensitive Data: Stricter safeguards apply to special categories of personal data, such as health and biometric data.
  • Data Retention: Limit data storage duration to what is necessary for the stated purpose and securely delete data thereafter.

  • Access: Request confirmation of whether data is being processed.
  • Correction: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion or anonymization of personal data.
  • Objection: Object to processing under certain conditions.

  • Regulatory Authority: The Personal Data Protection Authority (KVKK).
  • Penalties: Fines range from TRY 5,000 to TRY 1,000,000 (~USD $210 to $42,000) depending on the violation.