Data Protection and Privacy in Turkish Law: Key Rules under Law No. 6698

The fundamental legislation regulating privacy and protection of personal data in Turkey is the Personal Data Protection Law No. 6698 (KVKK). Under this law:

• Data Subject: The natural person whose personal data is processed.

• Personal Data: Any information relating to an identified or identifiable natural person.

• Processing of Personal Data: Any operation performed on personal data.

• Data Processor: A natural or legal entity who processes personal data on behalf of the data controller, based on authorization.

• Data Controller: The person or entity determining the purposes and means of processing personal data and responsible for establishing and managing the data recording system.

Obligations of Companies under KVKK

Companies act as data controllers and/or data processors and must comply with the following obligations:

• The data controller is responsible for fulfilling the information/notice requirement (privacy notice).

• The data controller is responsible for ensuring data security.

• The data controller must comply with the decisions of the Personal Data Protection Authority (KVKK Authority).

• The data controller must complete registration and notification to the Data Controllers’ Registry (VERBIS).

• In case of cross-border data transfers, both the data controller and the data processor are responsible for notifying the Authority of the standard contractual clauses used.

These rules form the backbone of data privacy compliance in Turkey and align, in many respects, with the principles of EU GDPR.

AKL

Your Legal Guide in Turkey