Turkey's Kişisel Verileri Koruma Kanunu (KVKK) (also known as the "Data Protection Law") is a relatively strong data protection law with similarities to the EU's General Data Protection Regulation (GDPR).
Passed in 2016, Turkey's KVKK more closely resembles the GDPR's predecessor, the Data Protection Directive, but contains some unique provisions not found in the EU GDPR (which applies across the entire European Economic Area, with an equivalent law in the UK).
This article will compare how these two laws apply across eight areas: Application, definitions, principles, transparency obligations, lawfulness, rights, "special category data," and enforcement.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. How Turkey KVKK and GDPR Laws Apply
- 2. Key Definitions and Concepts in Turkey KVKK vs GDPR
- 3. Principles of Data Processing in Turkey KVKK vs GDPR
- 4. Your Privacy Policy for Turkey KVKK vs GDPR
- 5. A Valid Legal Basis under Turkey KVKK vs GDPR
- 6. Facilitating Data Protection Rights under Turkey KVKK vs GDPR
- 7. Correctly Handle Special Category Data under Turkey KVKK vs GDPR
- 8. How are Turkey KVKK vs GDPR Laws Enforced
- 9. Summary
How Turkey KVKK and GDPR Laws Apply
Who is covered by each law? Here's Article 2 of the KVKK, which sets out the Turkish law's scope:
The GDPR's scope is set out across its own Article 2 ("material scope," meaning the types of activities covered by the law) and Article 3 ("territorial scope," meaning the location of organizations covered by the law).
Here's a table explaining how each law applies.
| Turkish KVKK, Article 2 | EU GDPR, Articles 2 and 3 | |
| Applies "extraterritorially" (to organizations based outside of Turkey or the EU, respectively) | Yes: Implied in Article 2, which makes no distinction between Turkish and non-Turkish organizations | Yes: If the organization offers goods or services in the EU, or monitors the behavior of people in the EU |
| Applies to "natural persons" (individuals, non-businesses) | Yes | Yes |
| Applies to non-profits, charities, and public bodies | Yes | Yes |
| Protects personal data about "legal persons" (corporations and other people or organizations with legal rights) | No | No |
| Covers "non-automated" processing of personal data (such as paper files) | Yes: If stored as part of a filing system | Yes: If stored as part of a filing system |
Article 28 of the KVKK also provides some circumstances where the law doesn't apply, including domestic activities, national security, and judicial proceedings. The GDPR allows for a similar range of exceptions.
Key Definitions and Concepts in Turkey KVKK vs GDPR
Turkey and all EU countries have signed the Council of Europe's Convention 108+ treaty, which clearly influences both laws. As such, both laws use similar language.
The following definitions come from Article 3 of the KVKK, and each has roughly the same meaning in the GDPR.
- Personal data: Any information relating to an identified or identifiable natural person
- Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system
- Data processor: The natural or legal person who processes personal data on behalf of the data controller upon its authorization
- Data subject: The natural person (living individual) whose personal data are processed
Principles of Data Processing in Turkey KVKK vs GDPR
Both the KVKK and the GDPR provide a set of principles that must be applied whenever you process personal data.
Here's the relevant section of Turkey's KVKK:
And here's the relevant part of the GDPR:
Here's a table setting out each law's principles:
|
Turkish KVKK Article 4 (2) "The following principles shall be complied within the processing of personal data:" |
EU GDPR Article 5 (1) "Personal data shall be:" |
| a) Lawfulness and fairness | a) Processed lawfully, fairly and in a transparent manner ("lawfulness, fairness, and transparency") |
| b) Being accurate and kept up to date where necessary | d) Accurate and, where necessary, kept up to date... ("accuracy") |
| c) Being processed for specified, explicit and legitimate purposes | b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes... ("purpose limitation") |
| ç) Being relevant, limited and proportionate to the purposes for which they are processed | c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation") |
| d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed | e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed... ("storage limitation") |
The GDPR provides two further principles that are not included in the KVKK:
- Integrity and confidentiality. This GDPR principle requires organizations to keep personal data secure. The KVKK dedicates Article 12 to security.
- Accountability. Data controllers must be able to demonstrate their compliance with the principles. This principle is implicit in the KVKK.
Your Privacy Policy for Turkey KVKK vs GDPR
Both the KVKK and the GDPR include transparency requirements. One of the ways to meet these requirements is by publishing a Privacy Policy (or "Privacy Notice").
To comply with either law, you should publish your Privacy Policy on your website, within your app (if you have one), and provide links to your Privacy Policy whenever you collect personal data.
Include a link to your Privacy Policy in your site's footer, like so:
For mobile apps, link your Privacy Policy to a "Settings" or "About" type of menu within the app itself, as seen here:
To comply with the requirement to display your Privacy Policy wherever you collect personal data, add a link to the following places (and similar types of places) on your site:
- Contact forms where users submit an email address and a message to you
- Account registration forms where users sign up for a personal account
- Checkout pages where shoppers finalize an order and send you financial information and a mailing address
See our feature article for more information: Where Should I Place My Privacy Policy?
Article 10 of the KVKK sets out the law's transparency requirements, known as "the obligation of the data controller to inform." Controllers must provide the following information to data subjects via a Privacy Policy:
- The identity of the data controller and of its representative, if any
- The purpose of processing personal data
- Any other organizations to whom the personal data may be transferred, and the purposes for any such transfer
- The method and legal basis of collection of personal data
- An explanation of the KVKK's data subject rights (we'll explore these rights below)
You must provide the above information to data subjects "at the time when personal data are obtained" (whether directly from the data subject or indirectly from a third party).
Here's how you can disclose the data controller and contact details:
Always disclose your purpose for collecting data and ensure it's accurate and up to date. Here's how you can inform users what your legal basis is, such as "legitimate interests" as seen in the example clause below. Let them know why you process personal data that you collect:
Be transparent about your data sharing and disclosing practices in a clause like this:
Disclose user rights and make sure users understand they have the ability to exercise them, as seen here:
The GDPR's transparency obligations are set out at Article 12 (which describes how to provide the information), Article 13 (for when you collect personal data directly from the data subject), and Article 14 (for when you obtain personal data indirectly).
Here's a summary of the information you'll need in your GDPR Privacy Policy, covering both Articles 13 and 14.
- The controller's identity and contact information, including for its EU representative and data protection officer (DPO) (if relevant)
- The types of personal data you process
- Your purposes for processing personal data
- Your legal bases for processing personal data, including an explanation of your legitimate interests, if relevant
- Your storage periods for different types of personal data
- Which other parties you share personal data with (their specific identities, or, if necessary what types of organizations they are)
- Your sources of personal data
- If you transfer personal data outside of the EU, the international data transfer safeguards you rely on for these transfers
- An explanation of the GDPR's data subject rights, including any relevant automated decision-making activities
- Contact details for the relevant data protection authority (DPA) if people wish to make a complaint
Note that the screenshot examples in the previous section will apply here as well, and demonstrate information that should be included in all Privacy Policies.
A Valid Legal Basis under Turkey KVKK vs GDPR
Both the GDPR and KVKK require controllers to have a legal justification for processing personal data, known as a "legal basis" (or lawful basis) under the GDPR and a "condition for processing" under the KVKK.
Here's Article 5 of the KVKK, which sets out the law's conditions for processing:
And here's the equivalent at Article 6 (1) of the GDPR:
Here's how these provisions compare:
| Turkish KVKK "condition" | EU GDPR "legal basis" | Notes |
| Explicit consent | Consent |
The KVKK treats "explicit consent" as the default condition. The GDPR treats all legal bases equally. The two laws offer similar "opt-in" consent definitions. |
| Provided by laws | Public task | These two conditions are comparable in that a controller may only rely on the GDPR's "public task" basis if authorized to do so under EU or national law. |
| Protection of life or physical integrity | Vital interests | At face value, these two conditions are effectively identical. |
| Contractual necessity | Contractual necessity | Despite different phrasing, these two conditions have near-identical meanings. |
| Legal obligation | Legal obligation | These conditions are identical across both laws. |
| Data made public by the data subject | No comparable legal basis | The GDPR does provide a "publicly available" legal basis and does not fundamentally distinguish public and non-public personal data. |
| Establishment, exercise, or protection of any right | No comparable legal basis | The GDPR does not provide such a legal basis but does provide exceptions where processing is necessary in relation to a legal claim. |
| Legitimate interests | Legitimate interests | These two conditions are comparable, except that the GDPR also allows the controller to take into account the legitimate interests of a third party as well as the controller. |
Facilitating Data Protection Rights under Turkey KVKK vs GDPR
Both the KVKK and the GDPR provide data subjects with certain rights over their personal data.
Here's how the KVKK's rights look in Article 11 (1):
The GDPR dedicates an entire chapter (Chapter 3) to data subject rights, comprising 11 articles across five sections.
Here's a comparison of some of the key rights under each law:
| Turkish KVKK Article 11 (1) | EU GDPR Chapter 3 |
|
Right to request information: Under the KVKK, data subjects can request information about whether, how, and why their personal data is processed, and the third parties with whom the data is shared. The official English KVKK translation does not appear to provide a right to access a copy of the personal data. However, this might be down to poor translation, as Article 11 (1) (a) and (b) appear to have the same meaning. |
Right of access: The GDPR also enables data subjects to request information about how their personal data is processed, but the right is more extensive than under the KVKK. The GDPR makes explicit reference to the right to receive a copy of personal data and also provides the related right to "data portability" that is not present in the KVKK. |
| Right to rectification: The KVKK enables data subjects to request the correction of "incomplete or inaccurate" personal data. | Right to rectification: The GDPR provides data subjects with a similar right. |
| Right to erasure: Data subjects may request the deletion of personal data if it is no longer needed for its intended purpose. | Right to erasure: The GDPR also provides a right to erasure but offers a broader range of reasons that data subjects may exercise this right. |
| Right to inform third parties about the exercise of rights: Data subjects have the right to request that the controller tell any relevant third parties about rectification or erasure requests so the third parties can also erase or rectify personal data if necessary. | Under the GDPR, controllers must carry this process out without the data subject explicitly requesting it. |
| Right to object to solely automated decision-making: Data subjects may object to "results" delivered without human intervention (e.g., via AI). | Rights concerning solely automated individual decision-making: The GDPR's rules on automated decision-making are more complex. In general, data subjects do not have to actively object to automated decision-making, but the rules only arise in relation to decisions of legal or similar importance. |
| Right to claim compensation: A data subject may bring a legal claim if they suffer damage due to a KVKK violation. | The GDPR enables data subjects to bring legal claims against controllers, but this is not characterized as a data subject right. |
As noted, the KVKK does not provide a right to data portability. The law also lacks other rights found under the GDPR, such as a broad "right to object" to certain processing activities and the "right to restrict" data processing.
Controllers may not normally charge a fee for facilitating a data subject rights request under either law, and the initial deadline for carrying out a request is similar under both laws (30 days under the KVKK, one month under the GDPR).
Correctly Handle Special Category Data under Turkey KVKK vs GDPR
Both the KVKK and the GDPR treat certain types of information as "special category data." Under both laws, there are stricter rules for processing special category data.
Article 6 (1) of the KVKK treats personal data that reveals the following information as "special category data:"
- Race
- Ethnic origin
- Political opinions
- Philosophical beliefs
- Religion
- Religious sect or other beliefs
- Appearance
- Memberships of associations, foundations, or trade unions
- Health
- Sexual life
- Criminal convictions and security measures
- Genetic and biometric data
The GDPR provides a similar list of types of "special category data" under Article 9 (1), except that the EU law:
- Does not explicitly include "religious sect or other belief" or "appearance" as "special category data." However, these types of information might be deemed special category data if they reveal information about a person's religion or race.
- Does not include "criminal conviction data" in its list of special category data. However, criminal conviction data is subject to special rules under Article 10 of the GDPR.
- Only treats genetic or biometric data as special category data if it is processed for the purpose of uniquely identifying an individual.
Whereas the GDPR provides ten legal bases for processing special category data, the KVKK requires controllers to obtain explicit consent before doing so. The exceptions are "health and sexual life" data, which may be processed by medical professionals without consent.
Explicit consent involves getting users to take a notable action to prove they consent to something, such as by checking a box next to an "I Agree" or "I Consent" statement, like so:
How are Turkey KVKK vs GDPR Laws Enforced
Both the KVKK and the GDPR are enforced by data protection authorities (DPAs) and via legal claims by data subjects.
KVKK enforcement is down to the Turkish DPA, the Kişisel Verileri Koruma Kurumu (which, like the law, is also initialized as "KVKK"), whereas each EU member state has at least one national DPA to enforce the GDPR.
Maximum fines under the KVKK can range from TKY 5,000 to 1 million (USD 186 to 37,300), while the GDPR's penalties can reach up to EUR 20 million (USD 21.4 million) or 4% of annual turnover.
A DPA may order corrective measures under both laws, including an order to stop processing personal data altogether.
Summary
While the GDPR is longer and more detailed than the KVKK, both laws provide a robust data protection framework and impose many obligations on organizations.
If your business has an effective GDPR compliance program, meeting the KVKK's requirements should not require too much additional work.
However, Turkish companies seeking to adjust to the EU's strict data protection standards might need to make more serious adjustments, particularly in the areas of transparency and data subject rights.
Make sure you have a compliant Privacy Policy displayed correctly, disclosing your valid legal basis for processing personal data. Be transparent about what rights data subjects have, and get consent when necessary before processing special categories of personal data.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.
