+90 212 244 9222

What is KVKK - GDPR?

The Law on the Protection of Personal Data (KVKK)

With this Law, which has been regulated in consideration of international documents, Turkish Constitution, Turkish Laws, comparative law practices and the needs of our country in our age, it is aimed to protect the fundamental rights and freedoms of individuals, especially the privacy of personal life, by processing personal data in contemporary standards. In this context, the Law regulates the conditions of processing personal data, the basic principles to be adopted regarding the protection of personal data, the obligations of natural and legal persons who process personal data, and the procedures and principles they will comply with.

EU General Data Protection Regulation (GDPR)

In order to make the regulations regarding the protection of personal data in the member states of the European Union compliant, The Personal Data Processing and Free Movement Directive No. 95/46/EC was abolished in line with the new requirements regarding the protection of personal data and this regulation is put into effect in 2018. In order to ensure the data security of the residents of the European Union, the main purpose of the regulation is to provide them an effective approach to privacy and security with the reshaping of organizations in terms of compliance.

Protection of Personal Data

Even though the concepts of fundamental rights and freedoms, personal data, privacy and security have been in our lives since the understanding of human rights emerged, these concepts have become even more important in our daily lives at the recent times when developments regarding technology and the implementation of fundamental rights and freedoms are experienced. The Law on the Protection of Personal Data (KVKK), which is of the equivalence of GDPR in Turkey, gives us information and guides us on how to protect our personal data, along with our fundamental rights and freedoms.

Compliance Process: KVKK & GDPR Consultancy

KVKK has been put into effect in 2016 and all organizations were given a deadline until the end of April 2018 to review their personal data processes and complete their compliance with the Law to have readiness.

Regardless of their organizational structures or the number of employees, all organizations in Turkey should have completed their KVKK compliance process by 2018. The completion of compliance process means that any kind of personal data of the parties kept by an organization which belong to its employees, employee candidates, suppliers, stakeholders etc., in order words, any data which are subject to the processes that define us to be arranged in accordance with the conditions stipulated by the law and executed within the framework of these conditions.

Even if your organization is located within the borders of Turkey and provides services in Turkey, it will not be enough for you to be in compliance with the data protection processes in Turkey and KVKK, solely. You may also be subject to the data protection practices of EU, that is, GDPR. In this case, your compliance process to be implemented within your organization and the sustainability of which is to be followed, must cover both KVKK and GDPR. In today's world, your compliance process to be implemented should become a routine business process rather than an audit activity and personal data protection processes should be adopted as a corporate culture.

GDPR Compliance

In the Article 3 of the GDPR titled Regional Scope, it is regulated that natural or legal persons may be subject to the GDPR, even if they are not located within the borders of the European Union. In other words, it is elaborated in this article that it is possible for people who process personal data to be subject to both KVKK and GDPR. If an organization established in Turkey process data of EU residents by any means of communication with a person resident in EU or a different method (by selling products and / or services to EU residents, using one of the languages used in the EU countries in their online systems), in this case, the organization will be subject to GDPR regarding these persons; and with regard to the data processing activities carried out in Turkey, the organization will be subject to KVKK. That is, the organization will be obliged to fulfill the requirements of both laws.

Didn’t we have our personal data protected, before 2016?

Before KVKK came into force in 2016, there was a sanction for the unlawful acquisition, transmission and non-destruction of personal data in the Turkish Penal Code dated 12.10.2004. On 12.09.2012, with a paragraph added to the Article 20 of the Constitution, the protection of personal data has become a constitutional right. In 2016, based on the 1995 version of GDPR, the "data processing" processes that can be defined as any kind of transaction on the data were elaborated, and the terms in our lives were filled with the Constitution, Laws and International Conventions.

Data Inventory & VERBİS Registration

In the first phase, the internal organizational chart should be prepared and what personal data is processed in the departments / units within the organization should be specified by category (identity, communication, location, health, etc.). Afterwards, a data inventory should be prepared, and the following information should be included in the inventory.

  • Which personal data are processed in the specified categories (ID: Name, Surname, TR Identity Number etc.)
  • Natural person whose data is processed (customer, employee, supplier, stakeholder, third parties)
  • Purpose and legal reason of data processing
  • What types of personal data are processed; sensitive personal data (health, race, religion, gender) or personal data (name, contact information)
  • How long the processed data will be stored / Retention period
  • Administrative and technical measures taken regarding the personal data processed
  • Whether data are transferred abroad or not

In the light of the data inventory prepared, a declaration should be made to the data controllers' registry through VERBIS. It should not be forgotten that; VERBIS and Personal Data Inventory should contain parallel information and be up to date.


Fulfilling the requirements of KVKK, should not be understood as a one-time audit and the consultancy you will receive within this scope and fulfilling VERBIS registration. Even if you fulfill some of your legal obligations in this way, it is necessary to ensure continuity for compliance with the Law and ensure that the information declared is up to date.

KVKK has entered our lives in 2016 and is still a law that requires us to adapt new practices to our processes with updates. One of the directives of this law is to ensure that all our activities are always sustained in accordance with the provisions of KVKK, that our record in VERBIS, our Personal Data Inventory and other documents prepared during the compliance process are always kept up to date. Besides, that audits should be carried out periodically to ensure sustainability is another point stated in KVKK.

At this point, the audit, consultancy and sustainability services offered by CottGroup® will determine whether your processes comply with the law; and after completing the compliance process, by monitoring whether the sustainability is ensured or not, it will provide a guarantee of protection from administrative and legal sanctions that you may face.

You can access legal regulations on the protection of personal data and current decisions published by the Turkish Personal Data Protection Board through our page on KVKK legislations.

In addition, in order to find out details of the consultancy we can provide you as CottGroup® in your compliance process and the scope of sustainability services we offer to our customers after completion of the compliance process, you can visit our page on consulting services.

KVKK & GDPR Consulting Services - CottGroup

KVKK and GDPR Consultancy Services

By analyzing your risks due to legal incompliancy, we advise the required technical and administrative measures to have you process and store personal data fully compliant with the Law.

Click here for service details

How GDPR and KVKK Shall be Applied by Entities in Turkey?

  • If your company,

    • Provides service or goods to EU citizens that live outside the borders of EU or individuals living within the EU borders,
    • Monitors the behaviours of these individuals,
    • Transacts business with EU companies,
    • Provides services in one of the EU languages,
    • Owns, processes, stores or deletes the personal information of data subjects that live in EU,

    Then, it will be subjected to the GDPR.

  • If your company,

    • Owns,
    • Processes,
    • Stores,
    • Deletes

    personal information indirectly, directly, partially or in a whole;

    then it will be subjected to the PDPL.

  • Being subject to GDPR shall mean,

    • To receive a written approval from data subject according to the feature of each personal data to be processed,
    • To process, store, transfer, anonym, and delete personal data in line with the law,
    • To create a regulation that specify how to use each processed data,
    • To take technical measures and complete substructure for the security of the personal data and for processing them according to the GDPR,
    • To have a specific reason for processing each personal data and to make documentation,
    • To have the Binding Corporate Rules (BCR) in place regarding the personal data transfer processes to abroad,
    • To assign a Data Protection Officer for your company.

    Being subject to PDPL shall mean;

    • To process personal data in line with legislation,
    • To create a personal data inventory,
    • To complete technical substructure for sustaining data processing according to the legislation,
    • To prepare a personal data storage and destruction policy,
    • To assign a Data Protection Officer for your company,
    • To have the Binding Corporate Rules (BCR) in place regarding the transfer of personal data to abroad and for the protection of the personal data,
    • To register in VERBIS (Data Controllers' Registry Information System).

Are you sure your company is not subject to GDPR?

You can contact us to figure out whether you are subject to Personal Data Protection Law (KVKK) or EU’s General Data Protection Regulation (GDPR).

Click here for details

Execution of Data Protection Laws

KVKK and GDPR impacts your entity’s operations significantly, both by legal and technical aspect.


Not compliant with the regulation or the responsibilities related to the Law, what will happen now?

Both KVKK and GDPR aim the minimization of data and to have transparent data processing procedure along with security and confidentiality methods. Besides, sanctions of any discrepancies with the legal obligations are strictly serious.

Although both laws have the same core idea, they differ on the penalties. It is crucial to cover obligations in the law that you have responsibility of, linked with compliancy periods, not to face with any enforcement and administrative legal procedures.

Incompliancy Penalties for KVKK to be Applied in 2020

  • Not registering at VERBIS (Data Controllers' Registry Information System) between the related dates; between 36.053 TL - 1.802.641 TL,
  • Not fulfilling the disclosure requirement on data transfer processes; between 9.013 TL - 180.264 TL,
  • Security incidents such as data breaches; between 27.040 TL - 1.802.641 TL,
  • In case the decisions made by the Board are not executed; 45.066 TL – 1.802.641 TL,

The given amounts are applied at the beginning of each calendar year by increasing the rate of revaluation determined and announced in accordance with the duplicated provisions of the Article 298 of the Tax Procedure Law No. 213 dated 4.1.1961 for that year.

In addition to these administrative fines mentioned in the Personal Data Protection Law, there are also jail sentences mentioned in the Turkish Criminal Code between 1 to 4 years.

according to the 2017 data, 41 data breach application are made to the PDPL Institution and 125.000-TL administrative fine is imposed as a result of these sanctions. In 2018, the amount of these data breach applications have increased to 395 and 233 of them are investigated by the Institution and replied. Moreover, the administrative fines to be imposed on 2018, are came up with 1.365.000-TL in total. Thus, the issue of personal data protection has been gaining more importance and the clock is ticking against the companies who have not completed the compliancy process yet.

Incompliancy Penalties for GDPR

In case of a probable data breach and/or incompliancy with the regulation, the sanctions to be imposed are very high when compared to KVKK.

The administrative penalty fine is determined as 4% of global revenue of the company that belong to the previous year or €20.000.000 Among these amounts, the highest one shall be imposed as a penalty fine.

Besides, the below mentioned ones shall also be imposed as a penalty:

  • Written warnings and notices,
  • Suspending data processing for a definite/indefinite period of time,
  • Demanding the processed data to be regulated, amended and/or limited,
  • Limiting the data transfer to any third-party country.


It is safe to say that GDPR is the enhanced version of Turkish Data Protection Law (KVKK) and the KVKK is the first version of GDPR, released on 1995 under the name (Directive 95/46/EC). Since both regulations are the same in core concepts, it is more efficient for your operations to analyze the liabilities at first, then proceed with the compliancy measures. It will allow you to save both time and resources.

Within this scope, simply below the main concepts are summarized.

KVKK (Personal Data Protection Law)

GDPR (General Data Protection Regulation)

Key concepts on the KVKK are;

  • Required to be in accordance with the law and good faith rules.
  • To have the data accurate and updated, where and when necessary.
  • To process data for specified, clear and legitimate purposes.
  • To have data that are linked with the processing purpose, limited and restrained.
  • To store as necessary for the processing purpose or as considered in PDPL.
  • Appointing an officer (DPO) is not mandatory but recommended.

Key concepts on GDPR are;

  • To process data in line with lawfulness, fairness and transparency for the data subject.
  • To have the data be accurate and where necessary keep it up to date.
  • To process data for specified, explicit and legitimate purposes.
  • To process data as necessary, related with the purpose and restrained.
  • To store data for no longer than necessary for its processing purpose.
  • The controller shall be responsible for all principles.
  • To have a DPO for compliance process.

This website is using cookies.
In this website, we use cookies to develop your user experience, obtain efficient work and track statistical data. You are agreeing to our use of cookies by browsing our website. Please review Çerezler (Cookies) page for detailed information of how we manage the cookies. This choice is valid for 30 days until you delete the cookies in your web browser.
Hizmetlerimiz devam ediyor.

Due to the Covid-19 Coronavirus pandemic to secure the health of our employees our business operations are held remotely until further notification. CottGroup® will have its business processes carried out efficiently and smoothly thanks to our BCP plans and strong technological infrastructure. As always, our customers and business partners will be able to reach us via our phones and e-mails.