Privacy Notices Under Turkish Personal Data Protection Law: How to Draft a Compliant Disclosure Text

Introduction

Privacy notices are one of the most important compliance documents under Turkish Personal Data Protection Law. In Turkey, a privacy notice is commonly referred to as an “Aydınlatma Metni” or disclosure text, and it is the main document through which a data controller informs individuals about how their personal data is collected, processed, transferred, stored, and protected.

Under Law No. 6698 on the Protection of Personal Data, commonly known as KVKK, data controllers have a legal obligation to inform data subjects at the time personal data is obtained. This obligation is regulated under Article 10 of KVKK and further detailed by the Communiqué on the Principles and Procedures to Be Followed in Fulfilment of the Obligation to Inform. The law requires the data controller to inform data subjects about the identity of the controller, processing purposes, transfer recipients and purposes, collection method and legal basis, and the rights of the data subject under Article 11.

For businesses operating in Turkey, a privacy notice is not a decorative legal text placed at the bottom of a website. It is a core compliance document. It directly affects the lawfulness of personal data processing, the validity of explicit consent mechanisms, data subject request management, VERBIS consistency, cross-border transfer transparency, and regulatory risk. A company with a generic, vague, outdated, or misleading privacy notice may face complaints before the Turkish Personal Data Protection Authority, administrative fines, customer distrust, employee disputes, and reputational damage.

This guide explains how to draft a compliant privacy notice under Turkish Personal Data Protection Law and what businesses should consider when preparing disclosure texts for customers, employees, website visitors, mobile app users, patients, suppliers, candidates, and digital platform users.

What Is a Privacy Notice Under Turkish Law?

A privacy notice is a disclosure document prepared by the data controller to inform the data subject about personal data processing activities. It is not the same as a privacy policy, data protection policy, cookie policy, consent form, terms of use, or data processing agreement. Although these documents may be related, each has a different legal function.

A privacy notice is directed to the data subject and explains how their personal data is processed. A privacy policy may be an internal or general governance document explaining the controller’s broader data protection approach. A cookie policy explains cookies and tracking technologies. An explicit consent form records the data subject’s consent where consent is required. A data processing agreement regulates controller-processor relationships. A compliant KVKK structure should not merge these documents in a confusing way.

The Turkish Personal Data Protection Authority has expressly warned that general privacy policies or data processing policies should not be used as privacy notices if they are not limited to the specific processing activity. The Authority has also identified deficiencies where disclosure texts are not easily accessible, are presented late, fail to include Article 10 elements, confuse processing purpose with legal basis, or combine explicit consent and informing under the same text or platform.

Legal Basis of the Obligation to Inform

The legal basis of the privacy notice obligation is Article 10 of KVKK. According to Article 10, at the time personal data is obtained, the data controller or the person authorized by it must inform the data subject about five minimum elements: the identity of the data controller and its representative, if any; the purpose of processing personal data; to whom and for which purposes processed personal data may be transferred; the method and legal basis of collection; and the rights of the data subject under Article 11.

The Communiqué on the Obligation to Inform further clarifies how this obligation must be fulfilled. It states that the obligation applies whether processing is based on explicit consent or another processing condition under the law. It also states that if the processing purpose changes, the data subject must be informed about the new purpose before the new processing activity begins.

This is a crucial point. A company cannot avoid preparing a privacy notice by claiming that it has obtained explicit consent. The obligation to inform exists independently. Similarly, a company cannot rely on a privacy notice as if it were explicit consent. Informing and consent are separate legal concepts.

Privacy Notice vs Explicit Consent

One of the most common mistakes in KVKK practice is confusing privacy notices with explicit consent. A privacy notice informs the data subject; explicit consent records a freely given, specific, and informed approval for a particular processing activity. Where personal data processing is based on explicit consent, the procedures for informing and obtaining consent must be performed separately.

For example, an e-commerce website may provide a privacy notice explaining how customer data is processed for membership, order processing, payment, delivery, invoicing, customer support, marketing, and legal obligations. This notice does not automatically mean the customer has consented to receiving promotional SMS messages or to being tracked by advertising cookies. If consent is needed for marketing or tracking, that consent must be obtained separately and clearly.

Similarly, an employer may provide an employee privacy notice explaining payroll, personnel file management, occupational health and safety records, workplace camera systems, and disciplinary records. This notice does not automatically authorize optional uses such as publishing employee photos on social media or using biometric attendance systems where explicit consent and proportionality analysis may be required.

A compliant structure should therefore keep the privacy notice, the explicit consent form, the commercial electronic message consent, the cookie consent, and the contractual terms as separate documents.

Minimum Elements of a Compliant KVKK Privacy Notice

A privacy notice under Turkish law must include at least the elements listed in Article 10 of KVKK. However, merely listing these headings is not enough. Each section must be drafted in a clear, specific, and accurate manner.

Identity of the Data Controller

The privacy notice must identify the data controller. This should include the full legal name of the company, registered address, and contact details. If the controller has a representative, that representative should also be mentioned. This is especially important for foreign data controllers not established in Turkey.

The identity section should not be vague. For example, phrases such as “our company,” “the platform,” or “the service provider” may be insufficient if the legal entity is not clearly identified. Data subjects should understand who is legally responsible for processing their data.

Purpose of Processing Personal Data

The privacy notice must explain the purpose of processing. These purposes must be specific, explicit, and legitimate. The Communiqué states that general and ambiguous statements should be avoided and that statements creating the impression of processing for other possible future purposes should not be used.

Weak examples include “business operations,” “commercial activities,” “future services,” “improving customer experience,” or “all legal purposes.” Stronger examples include “creating customer membership accounts,” “processing online orders,” “issuing invoices,” “delivering purchased products,” “responding to customer support requests,” “managing job applications,” “conducting payroll operations,” or “ensuring workplace security through CCTV.”

Each purpose should be connected with actual processing activities. If the company processes personal data for different purposes, the notice should not compress all of them into a single vague paragraph.

Recipients and Transfer Purposes

The privacy notice must explain to whom and for what purposes personal data may be transferred. Recipient groups may include cargo companies, payment service providers, banks, accountants, lawyers, auditors, public authorities, software providers, cloud service providers, call centers, marketing agencies, group companies, business partners, or authorized institutions.

The transfer section should not merely say “your data may be shared with third parties.” That statement is too broad. The notice should identify recipient groups and transfer purposes. For example, a company may state that delivery information is transferred to cargo companies for shipment, invoice information is transferred to accountants for legal accounting obligations, and dispute-related documents are transferred to lawyers for the establishment or protection of legal rights.

If personal data may be transferred abroad, this should also be disclosed. After the 2024 changes to KVKK Article 9, cross-border transfer compliance has become more structured, and transparency in privacy notices is particularly important.

Method and Legal Basis of Collection

The notice must explain how personal data is collected and on which legal basis it is processed. The Communiqué clarifies that “legal basis” means the processing condition under Articles 5 and 6 of KVKK and that it must be explicitly provided when fulfilling the obligation to inform.

Collection methods may include website forms, mobile applications, cookies, call centers, email correspondence, physical forms, contracts, job application portals, camera systems, customer support tickets, public databases, third-party platforms, or automatic system logs.

Legal bases may include explicit consent, processing expressly provided by law, contract performance, legal obligation, legitimate interest, establishment or protection of a right, or special category data processing conditions under Article 6. The notice should not confuse “purpose” with “legal basis.” For example, “processing customer orders” is a purpose; “performance of a contract” is a legal basis.

Rights of the Data Subject

The privacy notice must refer to the data subject’s Article 11 rights. These include the right to learn whether personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request erasure or destruction under legal conditions, request notification of correction or deletion to third parties, object to adverse results created exclusively through automated systems, and claim compensation for unlawful processing.

A privacy notice should also explain how the data subject can exercise these rights. The Communiqué on requests to data controllers provides application methods such as written application, registered electronic mail, secure electronic signature, mobile signature, the email address previously recorded in the controller’s system, or software/application designed for this purpose.

When Must the Privacy Notice Be Provided?

The general rule is that the privacy notice must be provided at the time personal data is obtained. If personal data is collected through an online form, the notice should be accessible before or during submission. If collected through an employment process, the candidate or employee should be informed at the appropriate stage. If collected by call center, oral or recorded notification methods may be used. If collected by CCTV, layered notice methods may be appropriate.

Where personal data is not obtained directly from the data subject, the Communiqué provides specific timing rules. The obligation to inform must be fulfilled within a reasonable time after obtaining the data, at the first communication if the data will be used to communicate with the data subject, or at the time of the first transfer at the latest if the data will be transferred.

This rule is important for lead lists, referrals, business contact databases, recruitment agencies, third-party platforms, acquired customer databases, and publicly sourced data. A company cannot assume that because it did not collect data directly from the individual, it has no obligation to inform.

How Should a Privacy Notice Be Written?

A compliant privacy notice should be clear, plain, intelligible, specific, and accessible. The Communiqué requires the notice to use intelligible, clear, and plain language, and the Authority has warned against general, ambiguous, incomplete, misleading, or false information.

The language should match the audience. A privacy notice for employees may use workplace terminology. A notice for patients should be understandable for non-lawyers. A notice for children or young users should be simpler. A notice for foreign patients or international customers may need to be provided in a language they can understand.

The notice should avoid excessive legal jargon. It should be structured with headings, short paragraphs, and activity-specific explanations. In digital environments, a layered approach may be useful: the first layer gives key information, while the second layer provides detailed explanations. However, the Authority has warned that layered notices should not merely direct users to general privacy policies without providing basic information at the first stage.

Drafting Privacy Notices for Different Data Subject Groups

A single privacy notice rarely fits all processing activities. A company may need multiple notices depending on its business model.

Customer Privacy Notice

A customer privacy notice should explain account creation, order processing, payment, delivery, invoicing, customer support, returns, complaints, marketing, loyalty programs, legal obligations, fraud prevention, retention, and data transfers. E-commerce companies, marketplaces, hotels, clinics, SaaS platforms, and service providers should tailor this notice to real data flows.

Employee Privacy Notice

An employee privacy notice should cover recruitment, employment contract management, personnel files, payroll, social security, tax obligations, occupational health and safety, workplace security, performance management, disciplinary processes, employee benefits, camera systems, IT monitoring, and HR data transfers. Employers should be particularly careful when processing health data, criminal record data, biometric data, or union-related information.

Candidate Privacy Notice

A candidate notice should explain how CVs, application forms, interview notes, references, test results, contact information, and recruitment platform data are processed. It should also state how long unsuccessful candidate data will be retained and whether it may be used for future vacancies.

Website Visitor and Cookie Notice

A website privacy notice should address IP addresses, cookies, analytics, contact forms, newsletter subscriptions, server logs, advertising technologies, and third-party tools. Cookie notices should be separate or clearly layered, especially where non-essential cookies, advertising cookies, or tracking pixels are used.

Patient Privacy Notice

Healthcare providers should prepare detailed patient notices covering appointment booking, diagnosis, treatment, laboratory services, imaging, prescriptions, patient files, billing, insurance, public authority reporting, medical tourism, data security, and retention. Health data is a special category of personal data, so the legal basis and safeguards must be carefully stated.

Mobile Application Privacy Notice

Mobile apps should explain app permissions, device identifiers, location data, push notifications, analytics SDKs, advertising tools, user-generated content, account data, payment data, cross-border transfers, and account deletion rights.

Privacy Notices and VERBIS Consistency

If the data controller is obliged to register with the Data Controllers’ Registry, the information provided to data subjects under the obligation to inform must conform to the information in the Registry. The Communiqué expressly states that privacy notice information must be consistent with Registry information where registration is required.

This creates a practical compliance requirement. Privacy notices, VERBIS entries, data inventories, retention policies, explicit consent texts, cookie policies, vendor contracts, and cross-border transfer documents should be aligned. If VERBIS states that data is transferred abroad but the privacy notice does not mention foreign transfers, the inconsistency may create regulatory risk. If a privacy notice refers to recipient groups not listed in the inventory, the company should review its records.

Privacy Notices and Data Subject Requests

A privacy notice should include a clear procedure for exercising Article 11 rights. It should identify application channels and explain that data subjects may apply to the controller regarding their rights. Under Article 13, the data controller must conclude requests as soon as possible and at the latest within thirty days.

The Communiqué on requests to data controllers also states that controllers must take necessary organizational and technical measures to conclude requests effectively and in accordance with lawfulness and fairness.

In practice, this means that a privacy notice should not merely list rights. It should provide an email address, KEP address, physical address, application form link, or in-app request channel. Customer service, HR, IT, and legal teams should be trained to recognize and escalate requests.

Common Mistakes in KVKK Privacy Notices

One common mistake is using a generic privacy policy as a disclosure text. A privacy policy may describe broad corporate practices, but a KVKK disclosure text must be connected to specific processing activities.

Another mistake is combining explicit consent and informing in the same text. The Authority has specifically identified this as a compliance deficiency.

A third mistake is failing to state the legal basis. Many notices explain purposes but do not identify whether processing is based on contract performance, legal obligation, legitimate interest, explicit consent, or another Article 5 or Article 6 condition.

A fourth mistake is using vague purposes such as “improving services” or “conducting business operations” without explaining what data is processed for which concrete activity.

A fifth mistake is failing to disclose transfers. Many companies use cloud services, payment providers, CRM tools, email marketing systems, cargo companies, call centers, and analytics tools but do not mention recipient groups.

A sixth mistake is using notices that are difficult to access. A notice hidden in a long contract, unavailable at the time of collection, or accessible only after data submission may not satisfy the obligation.

A seventh mistake is failing to update notices when processing changes. If a company introduces a mobile app, biometric access, foreign cloud provider, AI tool, or new marketing platform, the privacy notice may need revision.

Administrative Fine Risk

Failure to fulfill the obligation to inform may result in administrative fines under Article 18 of KVKK. Administrative fine amounts are updated annually, and 2026 amounts reported for breach of the disclosure obligation range from TRY 85,437 to TRY 1,709,200.

This risk should not be underestimated. The obligation to inform is one of the most visible compliance areas because data subjects can easily identify missing or defective notices. A customer can complain about a website form with no disclosure text. An employee can challenge an HR form that combines consent and disclosure. A patient can object to a clinic that uses photos without proper notice and consent. A website user can complain about tracking technologies that are not disclosed.

A strong privacy notice is therefore not only a legal requirement but also a first line of defense.

Practical Checklist for Drafting a Compliant KVKK Privacy Notice

A compliant privacy notice should be prepared through a structured process:

  1. Identify the data controller and representative, if any.
  2. Identify the relevant data subject group.
  3. Map the personal data categories processed.
  4. Define each processing purpose specifically.
  5. Identify the legal basis for each processing purpose.
  6. Identify collection methods.
  7. Identify recipient groups and transfer purposes.
  8. Identify whether data is transferred abroad.
  9. Include Article 11 rights.
  10. Provide clear application channels.
  11. Use plain and accessible language.
  12. Avoid general and ambiguous purposes.
  13. Separate explicit consent from the privacy notice.
  14. Ensure consistency with VERBIS and the data inventory.
  15. Review special category data separately.
  16. Update the notice when processing changes.
  17. Keep evidence that the notice was provided.
  18. Make the notice easily accessible.
  19. Use layered notices where appropriate.
  20. Review notices periodically.

Sample Structure of a KVKK Privacy Notice

A practical disclosure text may be structured as follows:

Title: Privacy Notice on the Processing of Personal Data

1. Data Controller
Identify the legal entity, address, contact details, and representative if any.

2. Categories of Personal Data Processed
List categories such as identity, contact, customer transaction, financial, visual/audio, health, biometric, digital log, location, or marketing data.

3. Purposes of Processing
Explain each purpose clearly and separately.

4. Legal Basis of Processing
Match processing purposes with Article 5 or Article 6 legal bases.

5. Collection Methods
Explain whether data is collected through forms, website, mobile app, call center, email, contracts, camera systems, cookies, or third parties.

6. Transfers and Recipient Groups
Explain recipient groups and transfer purposes.

7. Cross-Border Transfers
Explain whether personal data may be transferred abroad and why.

8. Data Subject Rights
List Article 11 rights.

9. Application Method
Explain how data subjects may apply to exercise their rights.

This structure should be adapted to the specific processing activity. A patient notice, employee notice, cookie notice, and customer notice should not be identical.

Sector-Specific Drafting Considerations

E-commerce companies should focus on account creation, order processing, delivery, payment, returns, marketing, cookies, customer support, and foreign software providers.

Employers should focus on personnel files, payroll, occupational safety, health data, camera systems, IT monitoring, disciplinary records, and HR transfers.

Healthcare providers should focus on special category health data, medical confidentiality, diagnosis and treatment, insurance, public authority reporting, patient rights, and data retention.

Fintech companies should focus on identity verification, fraud prevention, transaction monitoring, legal obligations, device data, financial data, and strong security measures.

SaaS providers should distinguish between controller activities and processor activities. Their privacy notices should not confuse customer-uploaded data processed on behalf of clients with their own account, billing, analytics, and support data.

AI companies should explain whether prompts, uploaded files, logs, outputs, and feedback are stored or used for model improvement. Automated decision-making and profiling should be addressed where relevant.

Conclusion

Privacy notices under Turkish Personal Data Protection Law are a core element of KVKK compliance. Article 10 requires data controllers to inform data subjects at the time personal data is obtained about the controller’s identity, processing purposes, transfer recipients and purposes, collection method and legal basis, and Article 11 rights. The Communiqué on the Obligation to Inform further requires clear, plain, specific, accurate, and accessible notices, and it emphasizes that the obligation applies regardless of whether processing is based on explicit consent or another legal basis.

A compliant disclosure text should not be generic, hidden, misleading, or merged with explicit consent. It should be tailored to the relevant processing activity and data subject group. It should clearly explain what data is processed, why it is processed, how it is collected, on which legal basis it is processed, to whom it is transferred, and how data subjects may exercise their rights.

For companies operating in Turkey, privacy notices should be treated as living compliance documents. They must be updated when business processes, technologies, vendors, transfers, legal bases, or processing purposes change. They must also remain consistent with VERBIS records, data inventories, retention policies, cookie practices, explicit consent forms, and vendor contracts.

A well-drafted privacy notice protects both the data subject and the data controller. It supports transparency, reduces complaint risk, strengthens legal defensibility, improves customer and employee trust, and demonstrates a mature approach to Turkish data protection compliance.
