Home  /  KVKK vs GDPR

KVKK vs GDPR: what foreign companies must know about Turkey

For privacy teams who already know the GDPR, this is the fast route to what is the same, what is different, and where the differences will catch you out.

Turkey's Personal Data Protection Law (Law No. 6698, the KVKK) was modelled in part on European data protection principles, so much of it will feel familiar. The danger for a foreign company lies in assuming it is simply a Turkish copy of the GDPR. On the point that matters most to you — the local representative requirement — the two laws diverge sharply.

The difference that matters most

Under the GDPR, Article 27 requires many controllers outside the European Union to appoint an EU representative, but it exempts occasional, low-risk, small-scale processing. Turkey has a comparable requirement for foreign controllers, but no equivalent exemption. A company established outside Turkey that processes the personal data of people in Turkey must appoint a representative and register with VERBIS regardless of scale.

Do not assume your EU representative covers Turkey. The Turkish requirement is separate, arises under a separate law, and is not satisfied by an Article 27 appointment in the European Union. If you are caught by Article 27, you should assume you are caught in Turkey too — and without the small-scale relief.

Side by side

TopicGDPR (EU)KVKK (Turkey)
Local representativeArticle 27, with a small-scale exemptionRequired for foreign controllers, with no size exemption
Public registrationNo general public registryRegistration in the VERBIS registry
Data subject request deadlineOne month, extendableThirty days
Breach notification to the regulatorWithout undue delay, within 72 hours where feasibleWithin 72 hours of becoming aware
Cross-border transfersAdequacy, safeguards such as SCCs, or derogationsReformed in 2024 to a comparable tiered mechanism, including standard contracts
Administrative finesPercentage-of-turnover ceilingsFixed monetary ranges, revalued each year

The table simplifies a detailed picture. The direction of travel, however, is clear: the obligations rhyme with the GDPR, but the procedures, the deadlines, and above all the representative requirement follow Turkish rules that must be met on their own terms.

Deadlines you should note

Two timelines commonly surprise companies used to the GDPR. Requests from data subjects must generally be answered within thirty days. Personal data breaches must be notified to the Authority within seventy-two hours of the controller becoming aware of them, with affected individuals informed as soon as reasonably possible. A representative that can act quickly on your behalf is valuable precisely at these moments.

Cross-border transfers after the 2024 reform

Turkey reformed its cross-border transfer regime in 2024, moving to a tiered mechanism that will look familiar to GDPR practitioners: transfers may rest on adequacy, on appropriate safeguards such as standard contractual clauses, or on specific derogations. The detail differs from the European model, including procedural steps that apply once a standard contract is signed. If your data leaves Turkey, this is an area to plan deliberately rather than by analogy to the GDPR.

We publish the full English text of the law, the implementing regulations, and translated decisions of the Authority on our knowledge hub, dataprotectionturkey.com. Few providers in this market can point to that depth, and no software platform can.

What this means in practice

If your organisation already complies with the GDPR, you have done most of the underlying work. What remains is to meet Turkey's specific requirements: appoint a representative, register with VERBIS, and align your processes with Turkish deadlines. That is precisely the engagement we handle, end to end, as a recognised Turkish law firm.

Bring your GDPR programme into line with Turkey

We appoint as your representative, register you, and advise where the two laws part ways.

Request a quote