Using Cloud Services in Turkey: KVKK Obligations Explained

Businesses operating in Turkey increasingly rely on cloud platforms — SaaS tools, remote storage, infrastructure services — to run their day-to-day operations. What many do not realise is that routing personal data through a cloud provider automatically engages Turkey's Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu / KVKK), and with it a set of concrete legal obligations that fall on both the business and the cloud provider. Getting this relationship right matters: the KVKK Board (Kişisel Verileri Koruma Kurulu) has consistently enforced these rules, and Danıştay (the Council of State) has upheld significant penalties against organisations that failed to manage third-party data processors properly.

How the Law Classifies a Cloud Provider

Under KVKK Article 3, every actor in a data processing chain has a specific role. The data controller (veri sorumlusu) is the entity that decides why and how personal data is processed — that is usually the business using the cloud service. The data processor (veri işleyen) is any real or legal person that processes data on the controller's behalf under the controller's authority.

A cloud provider fits squarely into the data processor category. Whether you are storing customer records on a remote server, running payroll through a SaaS platform, or hosting a CRM in the cloud, the cloud provider is processing personal data on your behalf. That classification carries direct legal consequences under KVKK Article 12.

Joint Responsibility: You Cannot Delegate Your Way Out

This is the rule that surprises most businesses. KVKK Article 12(2) states that when a data controller has its data processed by an external party, the controller and that party are jointly responsible for taking all necessary technical and administrative security measures.

In practice this means: if your cloud provider suffers a breach or fails to implement adequate security controls, your organisation can still be held liable — even if the failure was entirely on the provider's side. A contract that simply says "the provider is responsible for security" does not protect you. The law places shared responsibility on both parties regardless of what the service agreement says.

Danıştay's 10th Chamber has reinforced this principle in multiple recent decisions, confirming that a data controller's responsibility under KVKK continues in full when it uses third-party processors. Delegating the processing task does not transfer legal accountability.

What the Data Processing Agreement Must Cover

Before sending any personal data to a cloud provider, you need a written data processing agreement in place. While KVKK does not specify a standard form, the KVKK Board's guidance and the joint-responsibility principle under Article 12(2) mean the agreement should, at minimum:

• Define the scope and purpose of the processing
• Set out the technical and administrative security measures the provider must implement
• Give the controller the right to conduct or commission audits (as required by Article 12(3))
• Prohibit the provider from using the data for any purpose outside the agreed scope (Article 12(4))
• Require the provider to notify the controller immediately in the event of a data breach, so the controller can meet the notification obligation under Article 12(5)

KVKK Article 12(4) also binds the provider independently: data processors cannot disclose or use personal data for purposes beyond those instructed by the controller — and this obligation survives the end of the service relationship.

Cross-Border Transfers When Cloud Servers Sit Abroad

Many major cloud platforms store data in data centres outside Turkey. If your cloud provider processes personal data on servers located outside the country, this constitutes a cross-border personal data transfer under KVKK Article 9, and specific conditions apply.

The 2024 amendments to KVKK introduced a more structured transfer framework. Transfers are permitted when the destination country provides an adequate level of protection (as determined by the KVKK Board), or — where it does not — when the parties have signed appropriate standard contractual clauses or obtained explicit consent from data subjects in certain cases. Businesses relying on foreign cloud infrastructure should confirm which legal basis applies to their specific situation before data starts flowing.

For a deeper look at the transfer rules, see our article on cross-border personal data transfers for foreign-controlled companies.

VERBİS Registration and Cloud-Stored Data

If your organisation processes personal data — including via cloud services — and is not exempt under the thresholds set by the KVKK Board, you must register in VERBİS (Veri Sorumluları Sicil Bilgi Sistemi), Turkey's data controller registry. Your VERBİS record must accurately describe the processing activities, the categories of data involved, and the transfers, including to cloud-based storage. Incomplete or inaccurate entries can themselves trigger enforcement action.

See our dedicated guide on VERBİS registration obligations in Turkey.

Breach Notification When the Cloud Provider Is Involved

If a breach occurs on the cloud provider's infrastructure, the legal notification obligation falls on you as the data controller, not on the provider. Under KVKK Article 12(5), you must notify affected individuals and the KVKK Board as soon as possible after discovering a breach involving personal data. The Board may also choose to publish the incident on its website.

This is why your data processing agreement must require the provider to notify you immediately — without that contractual bridge, you risk missing the notification window. Our article on data breach notification under KVKK covers the full procedure.

Frequently Asked Questions

Q: Can we use any cloud provider we like for processing Turkish personal data?

You can use any provider that agrees to appropriate data processing terms, implements sufficient security measures, and — if servers sit outside Turkey — satisfies the cross-border transfer requirements under KVKK Article 9. Size or brand name alone is not a legal basis.

Q: Does our cloud provider also need to register in VERBİS?

VERBİS registration is required for data controllers, not data processors acting purely on instructions. If your cloud provider also determines the purposes of processing for its own business reasons (for example, using your data to train models), it may itself become a data controller and have its own registration obligation.

Q: What happens if our cloud provider has a security incident?

As data controller, you bear joint legal responsibility and must notify the KVKK Board and affected individuals as soon as you become aware. Contractual indemnity from the provider may help you recover costs, but it does not eliminate your regulatory exposure under KVKK.

Q: Is a verbal or email agreement with the cloud provider sufficient?

No. The joint-responsibility framework under Article 12(2) and the audit rights under Article 12(3) are practically unenforceable without a written agreement that clearly sets out the parties' obligations.

Q: We are a small company — do these rules still apply to us?

The KVKK's core obligations apply to all data controllers, regardless of size. Some exemptions exist for natural persons processing data for purely personal purposes and certain other narrow cases. If you are running a business that holds customer, employee, or supplier data, the rules almost certainly apply.

How Mona Hukuk Can Help

Our team advises businesses across Turkey — including international companies based in Antalya — on KVKK compliance, data processing agreements, and cloud governance frameworks. We review your current cloud contracts, identify gaps, and help you put the right legal structure in place before a regulatory inquiry arrives.

Contact us at contact@monahukuk.com or call +90 (242) 606 14 32 to schedule a consultation in Antalya.