IT & Artificial Intelligence Law
KVKK Compliance Guide: Data Protection Obligations in Turkey
Published 28 April 2026 · 5 min read
Att. Mustafa Akçakuş · Antalya Bar Association
The Personal Data Protection Law (KVKK) is the fundamental Turkish law regulating personal data processing activities. Its provisions largely parallel those of the EU GDPR, and it creates compliance obligations for every organisation that processes customer data, employee data, or business partner data. For businesses in Antalya operating in tourism, healthcare, real estate, education, and technology, KVKK is not merely ordinary legislation but a serious compliance topic that creates financial, legal, and reputational risk. This guide covers the fundamentals of KVKK compliance and the steps companies should take.
Scope of KVKK
KVKK covers all natural and legal persons processing personal data. Personal data is any information relating to an identified or identifiable natural person, for example:
- Name, surname,
- Turkish national ID / foreign national ID,
- Email, phone,
- IP address,
- Location information,
- Health data,
- Sexual orientation,
- Biometric data,
- Employee performance information,
- Customer preferences,
- Cookie information.
For special-category personal data (health, ethnic origin, religious belief, biometric, etc.), additional protection rules apply.
Data Controller and Processor
KVKK defines two basic roles:
- Data Controller: the person or organisation that determines the purposes and means of data processing and is responsible for establishing and managing the data registry system.
- Data Processor: the person or organisation that processes data on behalf of, and under the authority granted by, the data controller.
A company is generally the data controller; the cloud service provider or CRM software it uses is the data processor.
Core Compliance Obligations
1. Disclosure Obligation
The data controller must inform the data subject whose personal data is processed about:
- Identity of data controller,
- Purposes of data processing,
- To whom data may be transferred,
- Method and legal basis of data collection,
- Data subject's rights (access, deletion, correction, etc.).
This disclosure is generally published on the website as a Privacy Notice or Privacy Policy and presented to the data subject during application, contracting, or service procurement.
2. Explicit Consent
For some data processing activities, the data subject's explicit consent must be obtained. Explicit consent:
- Must relate to a specific matter,
- Must be informed,
- Must be freely given,
- Must be withdrawable.
Disclosure and explicit consent should not be confused. Disclosure is required in every case; explicit consent is sought only for specific transactions.
3. VERBİS Registration
Data controllers above a specific size must register at the Data Controllers Registry Information System (VERBİS). VERBİS is a publicly accessible registry that records:
- What types of data are processed,
- Whose data is processed,
- For what purposes,
- For what duration it is retained,
- With whom it is shared.
Administrative sanctions are imposed on data controllers that are required to register but fail to do so, or whose VERBİS records are incomplete.
4. Personal Data Storage and Disposal Policy
Data controllers required to register at VERBİS must prepare a Personal Data Storage and Disposal Policy. This policy:
- Contains personal data inventory,
- Sets how long each category of data is stored,
- Shows the method of disposal or anonymisation at the end of the storage period,
- Describes periodic audit mechanism.
5. Data Security Measures
Data controllers are obligated to:
- Take administrative and technical measures that prevent unauthorised access,
- Apply encryption, access control, and backup,
- Conclude confidentiality agreements with employees,
- Establish a data breach response plan.
6. Data Breach Notification
When a data breach (cyberattack, leak, etc.) occurs, the data controller:
- Must notify the Authority in the shortest time possible,
- Must inform the affected data subjects.
Late notification and late response lead to additional sanctions for each breach.
7. Responding to Data Subject Applications
The data subject has the right to:
- Learn whether their data is processed,
- Obtain information about the processed data,
- Request correction or deletion,
- Object to an outcome adverse to them that arises from analysis by automated systems.
The data controller is obligated to respond to these applications within the specified period.
Cross-Border Data Transfer
Cross-border transfer of personal data processed in Turkey is generally subject to restrictions. The available mechanisms include the data subject's explicit consent, transfer to a country on the list of countries the Turkish Data Protection Authority recognises as providing adequate protection, and binding corporate rules.
Transfers of customer data via cloud services or email services, or to foreign organisations, fall within this scope; non-compliance brings heavy sanctions.
Administrative Sanctions
For violations of KVKK, the Data Protection Authority is empowered to impose administrative fines. Fine amounts vary according to:
- The type of violation,
- The number of persons affected by the breach,
- The size of the data controller,
- Repetition,
and can reach serious levels. The Authority's published decisions are publicly accessible and create reputational damage for the companies concerned.
Practical Compliance Steps in Companies
The typical path followed for KVKK compliance:
- Data inventory creation: mapping all data flows in the company.
- Preparation of privacy notices and privacy policies.
- Designing explicit consent processes in the marketing, employee, and customer contexts.
- Preparation of the storage and disposal policy.
- Completion of VERBİS registration.
- Employee training.
- Updating contracts, particularly the KVKK clauses in contracts with data processors (CRM, cloud, IT services).
- Establishing a data breach response plan.
- Periodic audits and updates as needed.
Sector-Specific Topics
Tourism Businesses
Hotels and travel agencies process large amounts of personal data: passport information, health declarations, and payment data. Cross-border transfer and the storage of card information are particularly important.
Health Sector
Patient data is special-category data; stricter rules apply.
E-commerce
Cookie policy, user analytics tools, and targeted advertising tools require careful evaluation under KVKK.
Real Estate
Customer ID information, financial data, and title documents require long-term storage.
Legal Support
For businesses operating in Antalya to ensure KVKK compliance, MONA HUKUK provides comprehensive compliance service from data inventory creation to VERBİS registration, from privacy notice preparation to employee training. With our IT law expertise, we guarantee your company's compliance with both legislation and international standards.
Contact us at contact@monahukuk.com or call +90 (242) 606 14 32 to schedule a consultation in Antalya.