Turkey’s New Data Privacy Law and Compliance of Companies

Turkey’s New Data Privacy Law and Compliance of Companies

Personal Data Protection Law (KVKK), the Turkish counterpart of the European General Data Protection Regulation, passed in 2016 but came into full effect throughout 2019. Data Privacy

Under KVKK, personal data is any data that can identify a person directly or indirectly. In this respect, data such as name surname, birthdate, birth place, phone number, license plate, social security number, identity number, credit card number, passport number, resume, photo, e-mail, video and voice records, fingerprints, hobbies, preferences, interacted people, group memberships, family info, health records etc. are all considered personal data.

Collection, processing, storage, transfer and deletion of all personal data are subject to KVKK, and people or entities that handle personal data are called “Data Controller” under KVKK.

As per KVKK, being a data controller comes with several obligations and responsibilities. The most major ones are as follows:


As per KVKK, data controllers must register to the official data registry system. However, companies that do not have processing special personal data in their main field of operations AND have less than 50 employees AND less than total annual balance sheet of 25 million TL are exempted from this obligation. The same exemption applies to certain professions such as lawyer, certified public accounts and others.

Companies that are obliged to register are also obliged to prepare and submit a data inventory that states the types of data, types of people from whom the data are collected, types of collection methods, purposes of collection and types of precautions taken.

Finally, companies that are obliged to register are also obliged to prepare and submit corporate policies on storing and terminating personal data and publish those policies on their website.


As per KVKK, a data controller must get the data owner’s explicit consent for handling his/her data before collecting the data. Exceptions to this rule are:

a) Explicit consent taken from the consumer

b) Legal requirement

c) Medical emergency

d) Formation of contract

e) Data controller’s legal obligation

f) Data made public by the owner

g) Establishing, exercising or preserving a right

h) Justified interests of the data controller


As per KVKK, regardless of whether there is explicit consent or another legal ground for collecting data, a data controller must inform the data owner on which data are being collected, on which grounds, by which methods, for which purposes, for which time period and with whom the data will be shared. These privacy information notices need to be as specific and detailed as possible.


When the legal grounds on which the personal data is kept cease to exist, whether the said ground is consent, formation of contract or legal obligation of the data controller, the data must be irrevocably deleted, permanently destroyed or made anonymous in a way that you cannot associate them with an identified or identifiable data owner even if you were to match those data to other data.

In order to comply with this obligation, data controllers must incorporate policies to manually and/or automatically delete the data when the legal time period for storing the data ends.


The KVKK mandates all data controllers to take all necessary technical and administrative security measures against data leak, unlawful data processing and unauthorized access. The law does not present an exhaustive list of these measures; the data controller must identify the risks, determine the necessary measures to be taken to eliminate or minimize these risks and then duly take these measures.

While these are the most basic obligations and responsibilities of data controllers, there are many other legal obligations, such as the rules to comply with when transferring data to third parties, data breach policies, consumer complaint and request policies, corporate privacy policies and general principles of data collection. Data privacy laws are important both in terms of individual freedoms and of companies’ legal obligations. Companies that violate data privacy laws may be fined by the KVKK authority for up to more than a million TL. This is why data privacy compliance should be managed by professionals who are experienced in this specific area.

Antalya Lawyer and Antalya Attorney Baris Erkan Celebi and his Antalya Law Firm handle companies’ complete data compliance, advise them on data privacy laws, assist them to incorporate the necessary administrative and security measures, draft corporate data privacy policies and confidentiality agreements, prepare employee training manuals and give compliance presentation to company executives.