PERSONAL DATA PROTECTION LAW (KVKK)
1. Date of Enactment and Purpose of the Law
The Personal Data Protection Law (KVKK) was published in the Official Gazette No. 29677 on April 7, 2016, and entered into force. The main purpose of this law is to ensure the confidentiality of individuals’ personal data and to protect their fundamental rights and freedoms in the processing of such data. (KVKK Art. 1)
In addition, Turkey’s efforts to comply with the European Union’s Data Protection Directive 95/46/EC (replaced by the GDPR) have also influenced the preparation of the KVKK.
2. Consequences of the Enactment of the Law
With the entry into force of the KVKK:
- Personal data can no longer be processed randomly or without control.
- Certain rules have been introduced for data processing activities for all natural and legal persons.
- The Data Controllers Registry Information System (VERBİS) was established, making registration mandatory for data controllers.
- The relevant persons, i.e. individuals whose data is processed, are granted rights such as notification, access, correction, and deletion.
- Administrative fines and legal proceedings were introduced for cases of violations.
3. What is Personal Data?
According to the KVKK, personal data is any information belonging to an identified or identifiable natural person. This information includes, for example:
- First name – last name
- Turkish ID number
- Phone number
- IP address
- Photo
- Location information
In short, all data that directly or indirectly identifies a person is personal data.

4. What is Special Category Personal Data?
Special categories of personal data are data that are more sensitive and require special protection, as they could lead to discrimination against individuals. According to the law, these include:
- Race, ethnic origin
- Political thought
- Religion, denomination, belief
- Clothing
- Health information
- Sexual life
- Criminal convictions and security measures
- Biometric and genetic data
As a rule, the processing of special categories of personal data is prohibited. However, processing is possible in the cases listed in Article 6/3 of the KVKK. Special categories of personal data that require particular attention here are sexual life and health information. This is because the processing of these special categories of personal data is not possible even in the cases provided for by law.
5. Who Does the Law Apply to?
The KVKK applies to all individuals and legal entities that process personal data. For example:
- Public institutions
- Companies
- Lawyers, doctors
- Website owners
- Associations and foundations
Therefore, any institution or individual that collects, stores, or transfers the personal data of any individual is required to comply with this law. It also concerns the natural persons whose personal data is processed, as their rights are regulated in Article 11 of the KVKK.
6. Obligations of the Data Controller
The data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. Their responsibilities are as follows:
- Informing the relevant persons
- Obtaining explicit consent (except in cases specified by law, such as practical impossibilities)
- Processing personal data in accordance with the law
- Keeping data up to date and accurate
- Ensuring security (against cyber attacks and data breaches)
- Registering with VERBİS (for those who meet certain criteria)
7. Rights of the Data Subject
Individuals whose personal data is processed (data subjects) have many rights under the KVKK.
These are:
- Finding out whether their data has been processed
- Requesting information if it has been processed
- Finding out whether it is being used for its intended purpose
- Learning about the third parties to whom it is transferred, within or outside the country
- Requesting correction or deletion of their data
- Objecting to analysis by automated systems
- Claiming compensation if they have suffered damage

8. When the Data Controller is a Legal Entity
When the data controller is a legal entity (e.g., a company):
- Responsibility lies with the legal entity, but in practice, the authorized persons carrying out the transactions bear responsibility.
- It is recommended that a person be appointed to manage KVKK compliance processes within the company (usually a “data protection officer”).
- Legal entities may face administrative sanctions for any kind of violation.
IMPORTANT! In the event of a breach, the imposition of an administrative fine on the data controller does not preclude the right of the data subject to compensation under the general provisions.
9. What is Explicit Consent?
Explicit consent is a statement of approval that is specific to a particular subject, based on information, and freely given.
For example, a company must obtain explicit consent from a customer in order to collect their birthday information and send them promotional messages.
10. Situations Where Explicit Consent Is Not Required
In some cases, personal data may be processed without explicit consent. These include:
- If expressly provided for by law
- If the data of a person who is unable to give consent due to actual impossibility needs to be processed for vital reasons
- If it is directly related to the establishment or performance of a contract
- If it is necessary for the data controller to fulfill its legal obligations
- If the person concerned has made the data public themselves
- If necessary for the establishment, exercise, or defense of legal claims
- If it is necessary for the legitimate interests of the data controller (provided that it does not harm the fundamental rights and freedoms of the data subject)
11. How are KVKK disputes resolved?
Remedies for alleged violations of the KVKK:
- First, an application must be made to the data controller. (The data controller may accept or reject this application. The response to the application must be communicated in writing or electronically.)
- Subsequently, a complaint may be filed with the Personal Data Protection Authority (KVKK) (Application period: 30 days if the data controller rejects the application; 60 days if the data controller fails to respond to the application or in any case).
- An action for annulment may be brought before the administrative court against the decisions of the Board.
- In addition, if there is damage, a compensation lawsuit may be filed under the Turkish Code of Obligations.
IMPORTANT! In order to file a complaint with the Personal Data Protection Authority, the application process with the data controller must be exhausted. Otherwise, no application can be made to the Personal Data Protection Authority.
IMPORTANT! Pursuant to Article 17 of the KVKK, crimes related to personal data are governed by Articles 135–140 of Chapter 9, titled “Crimes Against Private Life and the Private Sphere,” of the Turkish Penal Code No. 5237.
What is the Personal Data Protection Law (KVKK)? 2025 Updated Information

