Data & Privacy · Turkey
Data & Privacy - Turkey
Türkiye has had a comprehensive personal data protection regime since Law No. 6698 (KVKK) entered into force in 2016, modelled closely on the EU GDPR. The law was substantially amended in 2024 (effective June 1, 2024; cross-border transfer rules effective September 1, 2024) to further align with GDPR by introducing SCCs, BCRs, broadened adequacy decisions, and new legal bases for special-category data. As of May 2026, Türkiye has not received an EU adequacy decision, so cross-border transfers to the EU must rely on SCCs, BCRs, or other safeguards.
Law No. 6698 on the Protection of Personal Data (KVKK), enacted April 7, 2016, is the primary comprehensive data protection statute, establishing principles of lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and security across all sectors.
The 8th Judicial Package published in the Official Gazette on March 12, 2024 amended KVKK to align with GDPR: it introduced Standard Contractual Clauses and Binding Corporate Rules for cross-border transfers, expanded adequacy decisions to cover sectors and international organisations (not just countries), and harmonised legal bases for processing special-category data including health data.
The Personal Data Protection Authority (KVKK/PDPA) is an independent public body with administrative and financial autonomy headquartered in Ankara. Its decision-making arm is the Personal Data Protection Board. Since 2017 the Authority has imposed TRY 1.265 billion in total administrative fines and processed over 56,896 data breach notifications.
Since September 1, 2024, transfers abroad require one of three mechanisms: (1) a KVKK Board adequacy decision (none issued yet as of May 2026), (2) appropriate safeguards such as SCCs or BCRs, or (3) narrow exceptional circumstances including explicit data-subject consent or contractual necessity. Explicit consent alone is no longer a routine transfer basis. The Authority issued Cross-Border Personal Data Transfer Guidelines on January 2, 2025 to clarify the new rules.
The European Commission has not granted Türkiye an EU GDPR adequacy decision; a December 2023 Commission assessment found Turkish law insufficiently aligned with GDPR. Türkiye is absent from the EU's list of adequate third countries as of May 2026.
Administrative fines are revalued annually; for 2026 (reflecting the 25.49% revaluation rate) they range from TRY 85,437 to TRY 17,092,242 per violation. Data controllers must register in the Data Controllers Registry (VERBIS) and comply with mandatory breach-notification obligations.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice. English version →