Everything You Need to Know About Turkey’s Personal Data Protection Law
Turkey’s Personal Data Protection Law No. 6698 or Kişisel Verileri Koruma Kanunu (KVKK) came into force on 7 April 2016, just weeks before the EU passed its groundbreaking General Data Protection Regulation (GDPR). It is the first law in Turkey that regulates the protection of personal data and the obligations entities and individuals dealing with personal data must comply with. Before its passing, data protection outside of a few specialized sectors was regulated through a single provision in the Turkish Constitution and several provisions of the Turkish Penal Code.
The Turkish Data Protection Authority (TDPA) was established as a financially and administratively independent supervisory authority in early 2017. Its role is to enforce the provisions of the KVKK and raise public awareness about personal data protection.
The KVKK was meant to bring Turkish legislation in line with the EU’s Directive 95/46/EC which at the time governed data protection in the European bloc. However, the Directive was repealed in favor of the GDPR shortly after the KVKK came into force. There are therefore notable differences between the KVKK and GDPR, not only because the KVKK is based on the GDPR’s predecessor, but also because the Turkish law comes with its own set of unique requirements for data protection. Let’s take a closer look!
Who does the KVKK apply to?
The KVKK applies to any data controllers and processors that collect data or process data collected from Turkey. This includes entities located within Turkey, but also any foreign natural or legal persons that are processing the personal information of Turkish data subjects.
What data is protected under the KVKK?
Personal data is defined as any information relating to an identified or identifiable natural person. The KVKK also includes stricter provisions for special categories of personal data that are especially sensitive such as personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information related to health, sex life, previous criminal convictions and security measures, and biometric and genetic data.
Registration to VERBIS
The biggest difference from the GDPR is the obligation data controllers face under the KVKK to enroll onto VERBIS, the TDPA’s Data Controllers’ Registry. VERBIS registration is free and mandatory for all data controllers before they begin processing the data of Turkish residents. Once registered, data controllers are expected to record the data processing activities they engage in.
To register with VERBIS and start processing personal data, organizations need to first appoint a data controller representative who must be a Turkish Legal Entity or a Turkish Natural Person. During registration, they will also be required to submit a Data Processing Inventory that identifies the categories of data subjects, the types of data they process, the purpose for it, their legal basis, and the technical and administrative measures that an organization is taking to comply with the KVKK.
Due to the complex nature of the VERBIS registration process, the deadline for it has been pushed back twice already, with the TDPA finally extending it to 30 June 2020 for all controllers, whether Turkish or Foreign. The only exception are Turkish controllers whose main business activity involves the processing of sensitive personal information and that have less than 50 employees and an annual balance sheet of less than TL 25 million (approximately $3.5 million). For them, the deadline is 30 September 2020.
There are several exemptions to VERBIS registration set out in the second paragraph of Article 28 of the KVKK. These are:
- Data controllers who have less than 50 employees and an annual balance sheet below TL 25 million (approximately $3.5 million), as long as their main activity does not require the processing of special categories of data;
- Data controllers who process data only by non-electronic means;
- Custom brokers and mediators;
- Public notaries, certified public accountants, and lawyers;
- Associations, foundations, and syndicates;
- Political parties.
Failure to register with VERBIS can result in administrative fines of up to approximately $230.000 or the restriction of the controller’s data processing activities.
International transfer of personal data is permitted with the explicit consent of the data subject if a country has a level of data protection in place that is deemed adequate by the TDPA or data controllers commit in writing to provide an adequate level of protection in a way previously approved by the TDPA. These conditions also apply to international data controllers processing personal data abroad.
While these provisions are similar to those of the GDPR, the KVKK also allows the TDPA to prohibit the cross-border transfer of data even if explicit consent of the data subject is obtained if it considers that the interests of Turkey or the data subject will be seriously harmed.
Data Breach Notifications and Response Plans
The TDPA made data breach notifications mandatory with Decision 2019/10 published on 25 February 2019. Data controllers are obligated to notify the TDPA about a data breach within 72 hours of becoming aware of it using the Data Breach Notification Form provided by the TDPA. Justifications for any delays must also be sent with the form. Affected data subjects must be notified of the breach as well, but a specific time frame for it is not specified.
Within the same decision, the TDPA also made it a requirement for data controllers to prepare a Data Breach Response Plan that must name the person that should be contacted in case of a data breach. This person will be the primary point of contact for the TDPA and be responsible for the assessment of the consequences of any breaches that may occur.
Data controllers who fail to comply with the requirements of the KVKK face administrative fines of up to approximately TL 1.5 million (roughly $230,000), depending on the gravity of the violation. Crimes concerning personal data meanwhile are governed under Articles 135-140 of Turkish Penal Code No. 5237.
The value of the fines is increased each year based on the re-evaluation values published in the Official Gazette with Tax Procedural Law Communiques. All numbers that appear in this article correspond to the 2019 re-evaluation.
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.