Data & Privacy · Turkey
Data protection & privacy laws in Turkey (2026)
Turkey shaded by its data & privacy status
Türkiye has had a comprehensive personal data protection regime since Law No. 6698 (KVKK) entered into force in 2016, modelled closely on the EU GDPR. The law was substantially amended in 2024 (effective June 1, 2024; cross-border transfer rules effective September 1, 2024) to further align with GDPR by introducing SCCs, BCRs, broadened adequacy decisions, and new legal bases for special-category data. As of May 2026, Türkiye has not received an EU adequacy decision, so cross-border transfers to the EU must rely on SCCs, BCRs, or other safeguards.
Key points
Law No. 6698 on the Protection of Personal Data (KVKK), enacted April 7, 2016, is the primary comprehensive data protection statute, establishing principles of lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and security across all sectors.
The 8th Judicial Package published in the Official Gazette on March 12, 2024 amended KVKK to align with GDPR: it introduced Standard Contractual Clauses and Binding Corporate Rules for cross-border transfers, expanded adequacy decisions to cover sectors and international organisations (not just countries), and harmonised legal bases for processing special-category data including health data.
The Personal Data Protection Authority (KVKK/PDPA) is an independent public body with administrative and financial autonomy headquartered in Ankara. Its decision-making arm is the Personal Data Protection Board. Since 2017 the Authority has imposed TRY 1.265 billion in total administrative fines and processed over 56,896 data breach notifications.
Since September 1, 2024, transfers abroad require one of three mechanisms: (1) a KVKK Board adequacy decision (none issued yet as of May 2026), (2) appropriate safeguards such as SCCs or BCRs, or (3) narrow exceptional circumstances including explicit data-subject consent or contractual necessity. Explicit consent alone is no longer a routine transfer basis. The Authority issued Cross-Border Personal Data Transfer Guidelines on January 2, 2025 to clarify the new rules.
The European Commission has not granted Türkiye an EU GDPR adequacy decision; a December 2023 Commission assessment found Turkish law insufficiently aligned with GDPR. Türkiye is absent from the EU's list of adequate third countries as of May 2026.
Administrative fines are revalued annually; for 2026 (reflecting the 25.49% revaluation rate) they range from TRY 85,437 to TRY 17,092,242 per violation. Data controllers must register in the Data Controllers Registry (VERBIS) and comply with mandatory breach-notification obligations.
Timeline - major decisions & events
Annual inflation-linked revaluation pushed the maximum per-violation fine to TRY 17,092,242 — the highest since the law's enactment — with the full fine band for data-security failures now running TRY 256,000–17,092,242, reflecting Turkey's standard statutory revaluation mechanism.
GoTrust Privacy Platform ↗The Personal Data Protection Board approved a data-sharing arrangement between the Directorate General of Migration Management and UNHCR — the first formal authorization under the June 2024 cross-border transfer regime — establishing the template for international data flows with intergovernmental organizations.
Prighter ↗The KVKK Authority concluded a nationwide audit of data-controller registry compliance and imposed cumulative fines of approximately TRY 504 million on domestic and foreign organizations — including public bodies — for failure to register with or notify VERBİS, marking a decisive shift from guidance to active enforcement.
International Bar Association ↗Implementing rules for the overhauled Article 9 of Law 6698 were published in Official Gazette No. 32598, detailing adequacy decisions, standard contractual clauses (SCCs), and binding corporate rules (BCRs), and requiring controllers to notify the Board within five business days of executing SCCs.
CottGroup ↗The most significant reform of Law 6698 since enactment took effect, replacing the consent-only cross-border transfer rule with a GDPR-aligned three-tier mechanism (adequacy decision → SCCs/BCRs → Board authorisation) and introducing expanded lawful bases for processing special-category data.
Esin Attorney Partnership ↗The Board imposed TRY 1.95 million on WhatsApp for conditioning continued app access on acceptance of a 2021 policy update that bundled data-sharing with Meta, ruling that tying service to explicit consent violates KVKK's requirement that consent be freely given.
DataGuidance ↗In Decision No. 2019/104 the Board fined Facebook TRY 1.65 million — the first major fine against a global tech platform under KVKK — for failing to implement adequate technical safeguards that allowed third-party apps to access ~300,000 Turkish users' photos via an API bug, and for delayed notification to the Authority.
Tasnim News Agency ↗The secondary legislation establishing the mandatory online Data Controllers Registry (VERBİS) took effect, requiring data controllers above prescribed thresholds to register before processing personal data — creating Turkey's central compliance infrastructure and the basis for subsequent enforcement sweeps.
Personal Data Protection Authority (KVKK) ↗After all nine Board members were appointed, Turkey's independent supervisory authority (Kişisel Verileri Koruma Kurumu) began accepting complaints, opening investigations, and publishing guidance — completing the institutional enforcement framework required by Law No. 6698.
Personal Data Protection Authority (KVKK) ↗Turkey's first comprehensive data-protection statute was published in the Official Gazette, establishing data-subject rights, lawful bases for processing, obligations on controllers and processors, and the independent Personal Data Protection Board — modelled on EU Directive 95/46/EC and enacted weeks before the EU finalised GDPR.
Personal Data Protection Authority (KVKK) ↗Turkey - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →