Law No.6698 on ProtectIon of Personal Data


The data protection/privacy law of Turkey, namely Law No.6698  on Protection of Personal Data (“KVKK”), which was accepted in 2016 and enacted for all data controllers in 2018, brings many obligations that requires compliance and non-compliance can be fined up to 1 Million Turkish Liras.

KVKK is based on EU Directive 95/46/EC (“Directive”) on protection of individuals with regard to the processing of personal data and on the free movement of such data. Although KVKK is mainly based on the Directive, it is not identical, and it differs from the Directive in certain points.

The main difference between the Directive and KVKK is that Directive focuses on the act of processing personal data rather than the parties to such processing; whereas the Law mainly provides rights and imposes obligations on the parties of a data processing act. All definitions in KVKK already exist in the General Data Protection Regulation (“GDPR”). However, the definitions such as restriction of processing, profiling, pseudonymisation, personal data breach, genetic data, biometric data, data concerning health, representative, enterprise, group of undertakings, binding corporate rules, relevant and reasoned objection, information society service do not exist in KVKK.