All You Need to Know About Turkey’s Personal Data Protection Law (KVKK)

Turkey’s Personal Data Protection Law No. 6698 or Kişisel Verileri Koruma Kanunu (KVKK) came into force on 7 April 2016, just weeks before the EU passed its groundbreaking General Data Protection Regulation (GDPR). The KVKK is the first law in Turkey that regulates personal data protection and outlines the legal obligations that entities and individuals dealing with personal data must comply with. Before the enactment of the KVKK, Turkey did not have a specific law on the protection of personal data. Data security and protection outside of a few specialized sectors was regulated through a single provision in the Turkish Constitution and several provisions of the Turkish Penal Code.

The Turkish Data Protection Authority (TDPA) was established as a financially and administratively independent supervisory authority in early 2017. Its role is to enforce the provisions of the KVKK and raise public awareness about personal data protection.

The KVKK was meant to bring Turkish legislation in line with the EU’s Directive 95/46/EC, which at the time governed data protection in the European bloc. However, the Directive was repealed in favor of the GDPR shortly after the KVKK in Turkey came into force. Therefore, there are notable differences between the KVKK and GDPR, not only because the Turkish data protection law is based on the GDPR’s predecessor but also because the data protection law of Turkey comes with its own set of unique requirements. Let’s take a closer look!

Who does the KVKK apply to?

The KVKK applies to any data controllers and data processors that collect data or process data collected from Turkey. This includes entities located within Turkey, but also any foreign natural or legal persons that are processing the personal information of Turkish data subjects.

What data is protected under the KVKK?

Personal data is defined as any information relating to an identified or identifiable natural person. Turkey’s data protection legislation also includes stricter provisions for special categories of personal data, such as sensitive personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations, or trade unions, health data, information related to sexual life, previous criminal convictions and security measures, and biometric and genetic data.

Registration to VERBIS

The biggest difference from the GDPR is the obligation data controllers face under the KVKK to enroll onto VERBIS, the TDPA’s Data Controllers Registry Information System. VERBIS registration is free and mandatory for all data controllers before they begin processing the data of Turkish residents. Once registered, data controllers are expected to record the data processing activities they engage in.

To register with VERBIS and start the processing of personal data, organizations need to first appoint a data controller representative who must be a Turkish Legal Entity or a Turkish Natural Person. During registration, they will also be required to submit a Data Processing Inventory that identifies the categories of data subjects, the types of data they process, its purpose, their legal basis, and the technical and administrative measures that an organization is taking to comply with the KVKK.

Due to the complex nature of the VERBIS registration process, the deadline for it has been pushed back twice already, with the TDPA finally extending it to 30 June 2020 for all controllers, whether Turkish or Foreign. The only exception are Turkish controllers whose main business activity involves processing sensitive personal information and having less than 50 employees and an annual balance sheet of less than TL 25 million (approximately $3.5 million). For them, the deadline is 30 September 2020.

There are several exemptions to VERBIS registration set out in the second paragraph of Article 28 of the KVKK. These are:

• Data controllers who have less than 50 employees and an annual balance sheet below TL 25 million (approximately $3.5 million), as long as their main activity does not require the processing of special categories of data;
• Data controllers who process data only by non-electronic means;
• Custom brokers and mediators;
• Public notaries, certified public accountants, and lawyers;
• Associations, foundations, and syndicates;
• Political parties.

Failure to register with VERBIS can result in administrative fines of up to approximately $230.000 or the restriction of the controller’s data processing activities.

Cross-border transfers

International transfer of personal data is permitted with the data subject’s explicit consent if a country has a level of data protection in place that is deemed adequate by the TDPA or data controllers commit in writing to provide an adequate level of protection in a way previously approved by the TDPA. These conditions also apply to international data controllers processing personal data abroad.

While these provisions are similar to those of the GDPR, the KVKK also allows the Personal Data Protection Authority to prohibit the cross-border transfer of data even if explicit consent of the data subject is obtained if it considers that the interests of Turkey or the data subject will be seriously harmed.

Data Breach Notifications and Response Plans

February 2019. Data controllers are obligated to notify the TDPA about a data breach within 72 hours of becoming aware of it using the Data Breach Notification Form provided by the TDPA. Justifications for any delays must also be sent with the form. Affected data subjects must be notified of the breach as well, but a specific time frame for it is not specified.

Within the same decision, the TDPA also made it a requirement for data controllers to prepare a Data Breach Response Plan that must name a contact person to be contacted in case of a data breach. This person will be the primary point of contact for the TDPA and be responsible for the assessment of the consequences of any breaches that may occur.

Penalties

Data controllers who fail to comply with the requirements of the KVKK face administrative fines of up to approximately TL 1.5 million (roughly $230,000), depending on the gravity of the violation. Crimes concerning personal data, meanwhile, are governed under Articles 135-140 of Turkish Penal Code No. 5237.

The value of the fines is increased each year based on the re-evaluation values published in the Official Gazette with Tax Procedural Law Communiques. All numbers that appear in this article correspond to the 2019 re-evaluation.