Turkish KVKK Law Requirements

Key Provisions from Law No. 6698

Purpose (Article 1)

  • Protect fundamental rights and freedoms, particularly right to privacy
  • Set obligations, principles and procedures for data processing

Scope (Article 2)

  • Applies to natural persons whose personal data are processed
  • Applies to natural or legal persons processing data (wholly or partially automated)

Key Definitions (Article 3)

  • Explicit consent: Freely given, specific and informed consent
  • Personal data: Any information relating to identified or identifiable natural person
  • Data Controller: Natural or legal person who determines purposes and means of processing
  • Data Processor: Natural or legal person who processes data on behalf of controller
  • Processing: Collection, recording, storage, protection, alteration, disclosure, transfer, etc.

General Principles (Article 4)

Data processing must comply with:

  • Lawfulness and fairness
  • Being accurate and kept up to date
  • Being processed for specified, explicit and legitimate purposes
  • Being relevant, limited and proportionate
  • Being stored for required period only

Conditions for Processing (Article 5)

Personal data requires explicit consent UNLESS:

  • Expressly provided by laws
  • Necessary for protection of life/physical integrity
  • Necessary for contract establishment/performance
  • Necessary for legal compliance
  • Data made public by data subject
  • Necessary for establishment/exercise/protection of rights
  • Necessary for legitimate interests (without violating fundamental rights)

Special Categories of Personal Data (Article 6)

Prohibited unless specific conditions met:

  • Health data, sexual life, criminal convictions
  • Race, ethnic origin, political opinion, religious beliefs
  • Biometric and genetic data

Permitted when:

  • Explicit consent given
  • Explicitly provided by laws
  • Necessary for health protection/medical services
  • Made public by data subject
  • Necessary for legal obligations in employment/health/safety

Data Subject Rights (Article 11)

  • Right to be informed about data processing
  • Right to request access to personal data
  • Right to request rectification or erasure
  • Right to object to processing
  • Right to data portability

Obligations for Data Controllers

  • Provide clear information about data processing
  • Implement adequate security measures
  • Register with Data Controllers Registry (VERBIS) if required
  • Notify data breaches to authorities
  • Conduct Data Protection Impact Assessments when required