GDPR vs. KVKK: What Foreign Companies in Turkey Really Need to Comply With
If you ask most foreign headquarters whether their Turkish operations are “privacy compliant”, the answer is usually:
“We already comply with GDPR, so we’re fine in Turkey as well.”
Legally, that is not correct.
For foreign companies active in Turkey – through a subsidiary, branch, local distributor or even purely online services – two different regimes may apply at the same time:
- the EU General Data Protection Regulation (GDPR), and
- Türkiye’s Personal Data Protection Law No. 6698 (KVKK).
They share a common philosophy, but they are not identical, and KVKK has several very local, very practical obligations that GDPR alone will not cover.
This article explains, in business-oriented legal language, what foreign companies in Turkey realistically need to comply with, where GDPR and KVKK overlap, and where they diverge in ways that can cost you money, time and reputation if you ignore them.
1. Two Laws, Two Supervisors, One Company
GDPR in a nutshell (for non-EU companies)
GDPR applies not only to entities established in the EU, but also to non-EU controllers and processors that:
- offer goods or services to individuals in the EU, or
- monitor their behaviour within the EU (for example via tracking, profiling, analytics).
So a company headquartered in the US or the UK can still be fully subject to GDPR because of its EU-facing website, app or platform.
KVKK in a nutshell
KVKK is Türkiye’s own data protection law, inspired by the old EU Data Protection Directive but gradually moving closer to GDPR through amendments, especially in 2024 on sensitive data and cross-border transfers.
KVKK applies broadly to personal data processed in Türkiye and to controllers and processors that handle data relating to individuals in Türkiye, irrespective of nationality. The law is enforced by the Turkish Data Protection Authority (KVKK Authority / Board).
For foreign groups, this often leads to dual exposure:
- GDPR – because of EU users, customers or employees;
- KVKK – because of Turkish users, customers or employees, or processing carried out in Türkiye.
2. The Biggest Structural Difference: VERBIS vs. No Register
One of the clearest differences – and the one most often ignored by foreign companies – is registration.
KVKK: mandatory VERBIS registration
KVKK imposes a duty on many data controllers to register with the Data Controllers’ Registry (VERBIS) before or while processing personal data.
Key points for foreign companies:
- Foreign data controllers processing personal data related to Türkiye must, as a rule, register with VERBIS, regardless of employee or turnover thresholds.
- Registration is done via an online system and requires a data processing inventory (categories of data, purposes, recipient groups, retention periods, security measures, etc.).
- A Turkish-resident “contact person” (irtibat kişisi) must be appointed for communications with the Authority.
Although there are exemptions (for example for some small controllers or for specific sectors, and new exemptions have been introduced over time), foreign groups should never assume they are exempt without a concrete analysis of their activities and Board decisions.
GDPR: no equivalent central register (anymore)
GDPR does not generally require controllers to register with a central authority; instead, it focuses on internal records of processing (Article 30) and DPO appointments where necessary.
For a GDPR-compliant organisation coming into Türkiye, VERBIS is therefore an entirely new, additional obligation. If you are operating in Turkey and have never heard of VERBIS, that is your first red flag.
3. Territorial Reach: When Are You Actually Caught?
Under GDPR
You are caught by GDPR if:
- you have an establishment in the EU, and process personal data in that context, or
- you are established outside the EU but target EU data subjects (offering goods/services or monitoring).
It is perfectly possible for a Turkish company with no EU branch to be subject to GDPR simply because it markets aggressively to EU users and tracks them online.
Under KVKK
You are caught by KVKK if:
- you operate in Türkiye (subsidiary, branch, office, warehouse, etc.), or
- you are abroad but process personal data relating to individuals in Türkiye in such a way that the processing is effectively connected to Türkiye (for example by offering services clearly targeted at the Turkish market).
KVKK Authority practice shows that foreign data controllers can be investigated and fined, especially where they fail to register with VERBIS or to notify breaches that affect data subjects in Türkiye.
4. Lawful Bases, Consent Culture and Sensitive Data
Both GDPR and KVKK require a lawful basis for processing and give data subjects similar core rights (access, rectification, erasure, objection, etc.).
But the emphasis is different:
- GDPR offers a balanced menu of lawful bases: contract, legal obligation, vital interests, public task, legitimate interests and consent.
- KVKK historically relied more on explicit consent and a narrower list of alternative legal bases, especially for special categories of data. Recent amendments have expanded and clarified the legal grounds for processing sensitive data and for cross-border transfers, but practice is still more cautious and consent-driven than in many EU jurisdictions.
For foreign companies, this means:
- Privacy notices and HR documentation built for GDPR may over-rely on “legitimate interests” and under-document explicit consent where Turkish practice expects it (e.g. for certain marketing or biometric use cases).
- KVKK requires that data subjects can exercise rights primarily via a formal application to the controller; the controller must respond within 30 days, and only afterwards can the individual complain to the Authority.
In other words, GDPR-level documentation is a good starting point, but KVKK requires its own calibration of legal bases, consent texts and internal procedures.
5. Cross-Border Transfers: SCCs vs. KVKK’s New Transfer Regime
For global groups, the most sensitive area is often transfers of personal data abroad.
GDPR approach
GDPR permits transfers outside the EU/EEA if:
- there is an adequacy decision for the destination,
- the parties use appropriate safeguards (notably Standard Contractual Clauses (SCCs) or approved Binding Corporate Rules), or
- a specific derogation applies in exceptional cases.
Supervisory authorities increasingly expect transfer impact assessments and supplementary measures following the Schrems II case.
KVKK’s evolving approach
KVKK has historically used a more restrictive, consent-heavy transfer regime. However, amendments that entered into force in 2024 significantly restructured Article 9 and introduced a more systematised model more familiar to GDPR practitioners.
Today, the main KVKK tools include:
- Adequacy decisions: where the Board declares that a country, sector or international organisation provides sufficient protection (still limited but conceptually similar to GDPR adequacy).
- Standard contracts: controller-to-controller and controller-to-processor templates published by the Authority; once signed, they must be notified to the Authority within a short period (five business days).
- Binding corporate rules and other appropriate safeguards: subject to authorisation by the Authority.
For foreign companies in Turkey, this means:
- Your GDPR SCCs are not automatically sufficient under KVKK. They may need to be paralleled by KVKK-standard contracts or other mechanisms recognised by Turkish law.
- Transfer diagrams must be drawn from Türkiye outward, not only from the EU outward. A typical group will need to document both directions separately.
6. Roles, Governance and Breach Notification
DPO vs. Contact Person / Representative
GDPR introduces the Data Protection Officer (DPO) for certain controllers and processors, with a defined level of independence and direct reporting to senior management.
Under KVKK:
- A controller subject to VERBIS must appoint a “data controller representative” if located abroad and a contact person in Türkiye.
- These roles serve as the official interface with the Authority and for data subjects, but they are not the same as a GDPR DPO in terms of statutory independence or role description.
Foreign companies should decide:
- whether the global DPO will also act as the KVKK contact point, and
- what local supporting structure is needed within the Turkish entity.
Breach notification
Both regimes require rapid notification of personal data breaches:
- Under GDPR, controllers must notify the competent authority within 72 hours of becoming aware of a breach, where feasible.
- Under KVKK, the Board has explicitly set the same 72-hour notification deadline towards the Authority, and expects notification of affected data subjects “as soon as possible”.
Foreign data controllers based outside Türkiye are not exempt: if the breach affects data subjects resident in Türkiye or using services offered in Türkiye, the Authority expects proper notification.
If your incident response plan only lists “EU supervisory authorities” and forgets KVKK, you are missing a crucial element of compliance.
7. Sanctions and Enforcement Risk
GDPR is famous for its headline fines: up to the higher of 20 million EUR or 4% of worldwide annual turnover for serious infringements.
KVKK’s administrative fines are numerically lower in EUR terms but still material – in the millions of Turkish lira – and they come with additional risks:
- corrective orders (e.g. to stop processing, amend contracts, change practices),
- public announcements of decisions, and
- knock-on effects with other regulators or in civil litigation.
For a foreign company with a visible brand, a published decision by the KVKK Authority can be just as damaging as a GDPR investigation.
8. Practical Roadmap for Foreign Companies in Turkey
To move from theory to execution, foreign companies should treat GDPR and KVKK as two layers of the same privacy programme:
- Map your legal exposure
  - Identify where GDPR applies (EU establishments, EU-targeted services, monitoring of EU users).
  - Identify where KVKK applies (Turkish entities, processing in Türkiye, services clearly targeting Turkish data subjects).
- Check VERBIS obligations
  - Determine whether your group or local entity must register with VERBIS.
  - Prepare or update the data inventory and appoint the contact person / representative.
- Align lawful bases and notices
  - Review your legal bases for processing under KVKK, especially for HR data, marketing and biometrics.
  - Localise privacy notices into clear Turkish with KVKK-specific references and procedures for exercising rights.
- Rebuild your transfer strategy from Türkiye outward
  - Map all cross-border flows from Türkiye (HR systems, cloud providers, intra-group tools).
  - Decide whether to rely on adequacy, standard contracts, or BCRs/other safeguards under KVKK – in addition to your GDPR SCCs.
- Update governance and breach playbooks
  - Clarify how your global DPO function interacts with the KVKK contact person/representative.
  - Include KVKK Authority notification steps in your incident response plan, with the same 72-hour standard.
- Train local teams
  - Ensure that HR, marketing, IT and customer support in Türkiye understand:
    - KVKK terminology and timelines (30-day response to data subjects),
    - VERBIS updates and documentation duties,
    - the difference between “nice to have” GDPR standards and mandatory local rules.
9. Conclusion
For foreign companies active in Türkiye, the message is straightforward:
- GDPR compliance is necessary, but not sufficient.
- KVKK creates additional, local obligations – especially VERBIS registration, cross-border transfer tools, and formalised rights procedures – that must be implemented alongside GDPR.
- Treat Türkiye as a separate privacy jurisdiction, not just a branch of your EU compliance project.
Handled properly, a combined GDPR + KVKK programme does not have to be a burden. It becomes a competitive advantage: you can demonstrate to customers, employees, regulators and business partners that you take privacy seriously both in the EU and in Türkiye – on their own terms, under their own laws.