Turkey's Personal Data Protection Law (Law No. 6698, the KVKK) was modelled in part on European data protection principles, so much of it will feel familiar. The danger for a foreign company lies in assuming it is simply a Turkish copy of the GDPR. On the point that matters most to you — the local representative requirement — the two laws diverge sharply.
The difference that matters most
Under the GDPR, Article 27 requires many controllers outside the European Union to appoint an EU representative, but it exempts occasional, low-risk, small-scale processing. Turkey has a comparable requirement for foreign controllers, but no equivalent exemption. A company established outside Turkey that processes the personal data of people in Turkey must appoint a representative and register with VERBIS regardless of scale.
Do not assume your EU representative covers Turkey. The Turkish requirement is separate, arises under a separate law, and is not satisfied by an Article 27 appointment in the European Union. If you are caught by Article 27, you should assume you are caught in Turkey too — and without the small-scale relief.
Side by side
| Topic | GDPR (EU) | KVKK (Turkey) |
|---|---|---|
| Local representative | Article 27, with a small-scale exemption | Required for foreign controllers, with no size exemption |
| Public registration | No general public registry | Registration in the VERBIS registry |
| Data subject request deadline | One month, extendable | Thirty days |
| Breach notification to the regulator | Without undue delay, within 72 hours where feasible | Within 72 hours of becoming aware |
| Cross-border transfers | Adequacy, safeguards such as SCCs, or derogations | Reformed in 2024 to a comparable tiered mechanism, including standard contracts |
| Administrative fines | Percentage-of-turnover ceilings | Fixed monetary ranges, revalued each year |
The table simplifies a detailed picture. The direction of travel, however, is clear: the obligations rhyme with the GDPR, but the procedures, the deadlines, and above all the representative requirement follow Turkish rules that must be met on their own terms.
Deadlines you should note
Two timelines commonly surprise companies used to the GDPR. Requests from data subjects must generally be answered within thirty days. Personal data breaches must be notified to the Authority within seventy-two hours of the controller becoming aware of them, with affected individuals informed as soon as reasonably possible. A representative that can act quickly on your behalf is valuable precisely at these moments.
Cross-border transfers after the 2024 reform
Turkey reformed its cross-border transfer regime in 2024, moving to a tiered mechanism that will look familiar to GDPR practitioners: transfers may rest on adequacy, on appropriate safeguards such as standard contractual clauses, or on specific derogations. The detail differs from the European model, including procedural steps that apply once a standard contract is signed. If your data leaves Turkey, this is an area to plan deliberately rather than by analogy to the GDPR.
We publish the full English text of the law, the implementing regulations, and translated decisions of the Authority on our knowledge hub, dataprotectionturkey.com. Few providers in this market can point to that depth, and no software platform can.
What this means in practice
If your organisation already complies with the GDPR, you have done most of the underlying work. What remains is to meet Turkey's specific requirements: appoint a representative, register with VERBIS, and align your processes with Turkish deadlines. That is precisely the engagement we handle, end to end, as a recognised Turkish law firm.
Bring your GDPR programme into line with Turkey
We appoint as your representative, register you, and advise where the two laws part ways.