KVKK Compliance in Turkey: A Practical Guide for Foreign Companies

Introduction

Foreign companies doing business in Turkey increasingly face one critical legal question: Does Turkish Personal Data Protection Law apply to our operations? In many cases, the answer may be yes. A foreign company may not have a large office in Turkey, but it may still collect personal data from Turkish customers, employ staff in Turkey, cooperate with Turkish distributors, use Turkish call centers, run e-commerce operations targeting Turkish consumers, process payment information, monitor website visitors, or transfer data from Turkey to foreign servers.

Turkey’s main data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. The law entered into force after its publication in the Official Gazette on 7 April 2016, and its purpose is to protect fundamental rights and freedoms, particularly the right to privacy, in relation to the processing of personal data. It also imposes obligations, principles, and procedures on natural and legal persons processing personal data.

For foreign companies, KVKK compliance should not be treated as a minor administrative formality. It is a core legal risk area affecting customer relations, employment, marketing, technology infrastructure, cloud services, group company data transfers, due diligence, mergers and acquisitions, litigation risk, and regulatory investigations. A company that ignores Turkish data protection requirements may face administrative fines, complaints before the Turkish Personal Data Protection Authority, contractual disputes, reputational damage, and operational restrictions.

This practical guide explains the key KVKK compliance obligations for foreign companies operating in or dealing with Turkey.

What Is KVKK?

KVKK is Turkey’s primary personal data protection law. It regulates the processing of personal data and establishes obligations for data controllers and data processors. The law applies to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partly by automated means or by non-automated means forming part of a data filing system.

In practice, this means that KVKK may become relevant whenever a business collects, stores, uses, transfers, analyzes, deletes, archives, or otherwise handles information relating to identifiable individuals. Foreign companies should therefore assess KVKK compliance if they process personal data of customers, employees, job applicants, website users, patients, suppliers, representatives, shareholders, directors, agents, dealers, or business contacts in Turkey.

The law defines personal data as any information relating to an identified or identifiable natural person. It also defines processing very broadly, including collection, recording, storage, preservation, alteration, disclosure, transfer, retrieval, making available, categorization, and preventing use.

Therefore, personal data is not limited to names and identity numbers. It may include email addresses, phone numbers, passport details, Turkish identity numbers, IP addresses, device IDs, location data, license plates, photographs, CCTV images, call recordings, HR files, payroll information, customer complaints, transaction history, health data, biometric identifiers, and online behavior data.

Why Foreign Companies Should Take KVKK Compliance Seriously

Foreign companies often assume that Turkish data protection rules apply only to companies incorporated in Turkey. This assumption may be risky. A foreign company may become involved in KVKK compliance through many business models, including the following examples.

A foreign e-commerce platform selling goods or services to Turkish customers may collect names, addresses, phone numbers, payment details, delivery information, and customer support records. A global technology company may process Turkish users’ account data, analytics data, cookies, device data, or behavioral data. A multinational employer may process HR data of employees working in Turkey. A foreign healthcare provider, clinic, medical tourism agency, or insurance company may process sensitive health data. A foreign parent company may receive employee, customer, or supplier data from its Turkish subsidiary. A foreign cloud provider, CRM platform, HR software provider, or marketing automation company may act as a data processor for a Turkish data controller.

In each of these examples, KVKK should be assessed carefully. The practical question is not only whether the company is physically present in Turkey, but also whether it determines the purposes and means of processing personal data connected with Turkey, receives data from Turkey, or participates in data processing activities subject to Turkish law.

Data Controller and Data Processor Under KVKK

Understanding the distinction between a data controller and a data processor is essential for KVKK compliance.

A data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system. A data processor is a natural or legal person who processes personal data on behalf of the data controller based on authorization.

For example, a foreign company operating an online marketplace and deciding what customer data to collect, why to collect it, how long to store it, and with whom to share it will generally be considered a data controller. A cloud hosting provider storing data on behalf of that company may be a data processor. However, roles must be assessed case by case. A service provider may be a processor for one activity and a controller for another activity if it determines its own purposes and means for certain processing operations.

Foreign companies should clearly define their role in each data flow. This is particularly important in group company structures, outsourcing relationships, SaaS agreements, marketing operations, call center arrangements, payment systems, logistics services, and HR platforms.

Core Principles of KVKK Compliance

KVKK compliance begins with the general principles under Article 4. Personal data must be processed lawfully and fairly, must be accurate and kept up to date where necessary, must be processed for specified, explicit, and legitimate purposes, must be relevant, limited, and proportionate to those purposes, and must be stored only for the period required by law or by the purpose of processing.

These principles are not theoretical. They should shape every compliance decision. A foreign company should ask the following practical questions:

Does the company have a clear and lawful reason for collecting each category of data? Is the data collected limited to what is necessary? Are privacy notices accurate and transparent? Are outdated records corrected or deleted? Are retention periods defined? Are access rights limited to employees who genuinely need the data? Are data transfers documented? Are Turkish data subjects informed properly?

A company may have a valid legal basis for processing but still breach KVKK if the processing is excessive, unclear, indefinite, insecure, or incompatible with the original purpose. For this reason, foreign companies should not treat KVKK as a simple “consent form” issue. Compliance requires a structured data governance system.

Legal Bases for Processing Personal Data

One of the most common misunderstandings about KVKK is the belief that all processing requires explicit consent. Explicit consent is important, but it is not the only legal basis. Under Article 5, personal data may be processed without explicit consent where one of the statutory conditions exists. These include processing expressly provided by law, necessity for contract performance, necessity for compliance with a legal obligation, data made public by the data subject, necessity for the establishment, exercise, or protection of a right, and legitimate interests of the data controller provided that fundamental rights and freedoms of the data subject are not violated.

For foreign companies, this distinction is crucial. For example, processing customer address data for product delivery may be based on contract performance. Processing invoice records may be based on legal obligations. Processing employee payroll data may be based on employment, tax, and social security obligations. Processing litigation documents may be necessary for the establishment or protection of a right. Certain fraud prevention activities may potentially be based on legitimate interest, provided that a proportionality assessment is made.

Explicit consent should not be used automatically. If consent is unnecessarily used for processing that actually depends on legal obligation or contract performance, withdrawal of consent may create legal uncertainty. A proper KVKK compliance project should therefore map each processing activity and assign the correct legal basis.

Explicit Consent Under Turkish Data Protection Law

Explicit consent under KVKK must be freely given, specific, and informed. It should not be hidden inside general terms and conditions. It should not be bundled with unrelated permissions. It should not be obtained through vague wording or pre-ticked boxes. The data subject must understand what data will be processed, for which purpose, by whom, and with what possible consequences.

Foreign companies commonly need explicit consent in areas such as certain direct marketing practices, non-essential cookie tracking, processing activities that do not fall under another legal basis, and some exceptional cross-border transfer scenarios. However, consent must be managed carefully. The company should keep records showing when consent was obtained, what text was shown to the data subject, which processing activity was covered, and whether the consent was later withdrawn.

Consent is especially sensitive in employer-employee relationships. Because of the imbalance of power between employer and employee, employee consent may be challenged if it is not genuinely free. Therefore, employers should first assess whether processing can rely on legal obligation, employment law requirements, contract performance, or protection of rights before relying on consent.

Special Categories of Personal Data

KVKK provides stronger protection for special categories of personal data. These include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, biometric data, and genetic data.

Foreign companies should pay particular attention to special categories of data because these data can create higher risks for individuals and higher compliance exposure for businesses. Examples include health records processed by medical tourism companies, biometric entry systems used in workplaces, criminal record checks during recruitment, disability information processed for employment purposes, occupational health records, genetic data in clinical research, or health insurance records.

Following the 2024 amendments, Article 6 contains specific grounds under which special categories of personal data may be processed. These include explicit consent, express legal provision, necessity for protection of life or physical integrity, data made public by the data subject in line with the intention of disclosure, necessity for the establishment or protection of a right, certain public health and healthcare purposes by authorized persons or institutions, and employment, occupational health and safety, social security, social services, and social assistance obligations. Adequate measures determined by the Board must also be implemented.

Obligation to Inform Data Subjects

Foreign companies subject to KVKK must comply with the obligation to inform data subjects. At the time personal data is obtained, the data controller or its authorized person must inform data subjects about the identity of the controller and representative, if any; the purpose of processing; to whom and for what purposes the data may be transferred; the method and legal basis of collection; and the rights of the data subject.

This obligation is typically fulfilled through privacy notices. However, generic privacy policies are not enough. The privacy notice must accurately reflect the company’s actual processing operations.

For example, a foreign e-commerce company targeting Turkish customers may need separate explanations for account creation, order processing, payment, delivery, customer support, returns, fraud prevention, commercial communications, cookies, analytics, legal claims, and data retention. A foreign employer with Turkish employees may need employee privacy notices, candidate notices, workplace CCTV notices, remote work monitoring notices, and third-party transfer explanations. A foreign health-related business must be even more precise because health data is a special category of personal data.

Data Subject Rights Under KVKK

Data subjects have several rights under Article 11. They may request to learn whether their personal data is processed, obtain information if processing has occurred, learn the purpose of processing and whether data is used accordingly, know third parties to whom data is transferred domestically or abroad, request correction of incomplete or inaccurate data, request erasure or destruction under legal conditions, request notification of correction or deletion to third-party recipients, object to adverse results arising from analysis exclusively through automated systems, and claim compensation for damage caused by unlawful processing.

Foreign companies should establish an internal data subject request procedure. This procedure should identify how requests are received, how identity is verified, who reviews the request, how the legal assessment is made, how responses are drafted, and how deadlines are monitored. Customer support teams, HR teams, marketing teams, and local representatives should be trained to recognize data subject requests.

Ignoring or mishandling a data subject request may lead to complaints before the Turkish Personal Data Protection Authority. Even if the original processing activity is lawful, failure to respond properly may create regulatory risk.

Data Security Obligations

Article 12 requires the data controller to take all necessary technical and organizational measures to provide an appropriate level of security for preventing unlawful processing, preventing unlawful access, and ensuring the protection of personal data. Where data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for taking the relevant measures.

For foreign companies, data security is one of the most important KVKK compliance areas. Technical measures may include access controls, encryption, secure authentication, logging, backup systems, vulnerability management, firewall protection, malware protection, secure software development, network segmentation, data loss prevention, and incident response systems.

Organizational measures may include data protection policies, confidentiality undertakings, employee training, vendor due diligence, data processing agreements, internal audit systems, authorization matrices, disciplinary rules, clean desk policies, retention schedules, breach response plans, and periodic risk assessments.

Security should be proportionate to the nature of the data. A company processing health data, biometric data, financial information, children’s data, or large-scale customer databases must implement stronger safeguards than a company processing limited business contact data.

Data Breach Notification

If processed personal data is obtained by others through unlawful means, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time. The Board may also announce the breach on its official website or through another method where necessary.

Foreign companies should therefore have a breach response mechanism covering Turkey. This is especially important for multinational businesses that manage cybersecurity incidents globally. A global incident response team should not overlook Turkish notification obligations when affected individuals include persons in Turkey or when the relevant processing activity is subject to KVKK.

A practical breach response plan should include detection, containment, internal reporting, legal assessment, forensic analysis, evidence preservation, notification drafting, communication with Turkish counsel, communication with affected individuals, and remediation.

Erasure, Destruction, and Anonymization

KVKK does not allow companies to keep personal data indefinitely. Even where personal data has been processed lawfully, it must be erased, destroyed, or anonymized when the reasons requiring processing no longer exist. This may be done ex officio or upon request of the data subject.

Foreign companies should prepare data retention schedules for Turkish data. These schedules should consider Turkish tax law, commercial law, employment law, social security law, consumer law, healthcare law, banking and finance rules, limitation periods, litigation requirements, and sector-specific regulations.

A proper retention policy should answer practical questions: How long are customer records kept? How long are job applicant CVs retained? When are CCTV recordings deleted? How long are payroll records stored? How long are marketing consent logs retained? When are inactive accounts anonymized? Which systems contain backup copies? Who approves destruction?

VERBIS Registration for Foreign Companies

VERBIS is the Turkish Data Controllers’ Registry Information System. The By-Law on the Data Controllers Registry states that the registry is kept publicly available under the supervision of the Board, and it applies to natural and legal persons who determine the purposes and means of personal data processing and are responsible for the establishment and management of the data filing system.

The By-Law also states that data controllers are obliged to register with the registry before starting data processing, and data controllers not established in Turkey are obliged to register through their representatives before starting data processing, if they are under the registration obligation.

This is highly relevant for foreign companies. If a foreign company qualifies as a data controller and is not exempt from registration, it may need to appoint a representative in Turkey and complete VERBIS registration. VERBIS information is based on the personal data processing inventory and includes processing purposes, data categories, recipient groups, foreign transfer information, security measures, and retention periods.

Foreign companies should not assume that VERBIS is only a local Turkish company obligation. The registration analysis must be made according to the company’s processing activities, data categories, scale, sector, and applicable exemptions.

Cross-Border Data Transfers From Turkey

Cross-border data transfer is one of the most important topics for foreign companies. Many foreign businesses use servers, software, cloud platforms, CRM systems, HR tools, ticketing systems, analytics providers, payment processors, or group company databases located outside Turkey. These arrangements may involve the transfer of personal data abroad.

Article 9 of KVKK was amended in 2024. The Turkish Personal Data Protection Authority announced that Article 9, titled “Transfer of Personal Data Abroad,” was amended by Law No. 7499 and that English translations of the By-Law and standard contract texts were made available.

Under the amended Article 9, personal data may be transferred abroad by data controllers and data processors if one of the processing conditions under Articles 5 or 6 is met and there is an adequacy decision for the relevant country, sector, or international organization. Adequacy decisions are issued by the Board and published in the Official Gazette, and they are assessed at least every four years.

Where there is no adequacy decision, transfers may still be possible through appropriate safeguards, including binding corporate rules approved by the Board, standard contracts published by the Board, or written commitments approved by the Board. The standard contract must be notified to the Authority within five business days after signature.

The Authority has published four types of standard contracts: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.

This regime is particularly important for foreign companies receiving data from Turkey. A multinational group should map all data transfers from Turkish subsidiaries to foreign affiliates. A SaaS provider should determine whether it is a processor or controller and whether Turkish customer data is transferred abroad. A foreign parent company should review HR, finance, audit, compliance, and legal reporting flows.

Contracts With Processors and Business Partners

Foreign companies should carefully draft data processing agreements and data transfer clauses. A well-drafted agreement should define the roles of the parties, processing purposes, data categories, data subject groups, security measures, confidentiality obligations, sub-processor rules, audit rights, breach notification duties, retention and deletion obligations, transfer restrictions, assistance with data subject requests, and liability allocation.

For foreign service providers working with Turkish clients, it is commercially useful to provide KVKK-compatible documentation. Turkish business partners increasingly request data processing addendums, standard contract support for international transfers, security documentation, ISO certificates, breach notification commitments, and clear processor instructions.

For foreign companies using Turkish vendors, contracts should ensure that Turkish vendors process data only within defined instructions, maintain confidentiality, implement adequate security measures, assist with data subject requests, and notify incidents promptly.

KVKK Compliance Checklist for Foreign Companies

A practical KVKK compliance project for foreign companies should include the following steps.

First, conduct a data mapping exercise. Identify which personal data is collected from Turkey or about individuals in Turkey, where it is stored, who accesses it, why it is processed, and with whom it is shared.

Second, determine the company’s role as controller, processor, joint controller, or independent controller for each processing activity.

Third, identify the legal basis for each processing purpose. Avoid relying on explicit consent where contract performance, legal obligation, legitimate interest, or protection of rights is more appropriate.

Fourth, prepare Turkish privacy notices where necessary. Privacy notices should be accurate, specific, and aligned with actual processing.

Fifth, review special category data. Health, biometric, genetic, criminal conviction, union membership, and similar sensitive data require stricter legal and technical analysis.

Sixth, assess VERBIS registration. Foreign controllers not established in Turkey may need to register through a representative if they are subject to registration.

Seventh, map cross-border transfers. Identify all foreign servers, cloud systems, parent company databases, support teams, vendors, and onward transfers.

Eighth, implement Article 9 transfer mechanisms. Consider adequacy decisions, standard contracts, binding corporate rules, written undertakings, or exceptional transfer grounds depending on the structure.

Ninth, revise vendor contracts. Data processing agreements and transfer clauses should be consistent with KVKK.

Tenth, implement security measures. Technical and organizational measures should be documented and regularly reviewed.

Eleventh, create a data subject request procedure. Turkish data subjects must be able to exercise their rights effectively.

Twelfth, establish a breach response plan. The company should be ready to assess and notify breaches affecting Turkish data.

Thirteenth, define retention and deletion rules. Turkish personal data should not be stored indefinitely.

Fourteenth, train relevant teams. Legal, HR, marketing, IT, security, sales, and customer support teams should understand KVKK obligations.

Administrative Fines and Legal Risk

KVKK includes administrative fines for failures such as breach of the obligation to inform, breach of data security obligations, failure to comply with Board decisions, breach of VERBIS registration and notification obligations, and failure to notify standard contracts under Article 9/5. Article 18 also states that administrative fines imposed by the Board may be appealed before administrative courts.

The Authority has announced that administrative fines under Article 18 are increased for each calendar year according to the revaluation mechanism under Turkish law, and the official table covers the increased amounts for 2017–2026.

For foreign companies, financial penalties are not the only risk. A KVKK investigation may create reputational damage, disrupt business relationships, delay transactions, create disclosure obligations in M&A processes, affect public tenders, and cause customer trust issues. In serious cases, unlawful processing may also create civil compensation claims or criminal law implications under the Turkish Penal Code.

Sector-Specific KVKK Risks for Foreign Companies

Certain sectors face higher KVKK exposure.

E-commerce companies process customer identity, address, payment, order, marketing, and behavioral data. They should focus on privacy notices, marketing consents, cookies, retention, customer support recordings, and cross-border transfers.

Technology companies and SaaS providers should focus on processor-controller roles, server locations, sub-processors, standard contracts, cybersecurity, logging, and customer instructions.

Healthcare, medical tourism, and insurance businesses should pay special attention to health data, explicit legal grounds, confidentiality, medical records, transfer restrictions, and heightened security.

Employers and multinational groups should review employee files, payroll, performance monitoring, disciplinary records, workplace cameras, whistleblowing systems, global HR platforms, and intra-group transfers.

Fintech and payment-related companies should consider financial data, identity verification, fraud prevention, regulatory retention, biometric verification, and security controls.

Hotels, travel companies, and mobility platforms should assess identity data, passport data, location data, reservation data, camera recordings, and third-party transfers.

Conclusion

KVKK compliance in Turkey is a critical issue for foreign companies. Whether a company sells products to Turkish consumers, receives data from a Turkish subsidiary, uses Turkish vendors, operates a digital platform accessible in Turkey, provides cloud services, employs Turkish staff, or processes sensitive data relating to individuals in Turkey, Turkish Personal Data Protection Law may create significant obligations.

A strong compliance program should not be limited to template privacy notices. Foreign companies need a practical and defensible structure based on data mapping, legal basis analysis, transparent privacy notices, VERBIS assessment, cross-border transfer mechanisms, security measures, data processing agreements, retention policies, breach response planning, and employee training.

The 2024 amendments to the international transfer regime make compliance even more important for foreign companies receiving data from Turkey. Standard contracts, binding corporate rules, adequacy decisions, written undertakings, and exceptional transfer rules should be assessed carefully. Companies that process Turkish personal data without a clear legal basis, proper notice, secure infrastructure, or valid transfer mechanism may face regulatory, financial, contractual, and reputational risks.

For foreign companies, KVKK compliance is not only a legal requirement. It is also a business credibility issue. A company that demonstrates respect for Turkish privacy law strengthens customer trust, improves contractual reliability, reduces regulatory exposure, and builds a safer foundation for long-term operations in Turkey.
