Turkey’s Law on the Protection of Personal Data (KVKK) no 6698 requires organizations to obtain consent before processing personal data, including cookies and other tracking technologies. Is your website ready for compliance?
The Law on the Protection of Personal Data (KVKK) sets out rules for the collection, processing, storage, and transfer of personal data. Modeled partly onr the EU’s GDPR, the KVKK aims to protect individuals’ fundamental rights to privacy while allowing lawful business use of data.
Organizations must obtain explicit consent before processing personal data unless a lawful basis applies (such as legal obligations, performance of a contract, or legitimate interest as defined under KVKK). Organizations must provide clear notices explaining why data is collected, how it will be used, and how long it will be stored. Cross-border transfers of personal data are subject to strict controls and may require the approval of the KVKK Authority or the data subject’s explicit consent.
To check compliance with KVKK, your organization should:
Conduct a data review:
Review how your organization collects, processes, and stores personal data.
Implement consent management:
Ensure that your cookie banner, privacy policy, and consent mechanisms are clear and compliant.
Keep records:
Maintain recordkeeping and complete regular audits
Train staff:
Educate employees about KVKK and its implications
Complete vendor checks:
Ensure partners and third-party tools such as analytics or marketing platforms are compliant.
All organizations—public, private, non-profit, and foreign companies—that process the personal data of individuals in Turkey must comply with KVKK. This includes local businesses, online platforms, and international service providers targeting Turkish users.
Under the KVKK, individuals (data subjects) in Turkey are granted the following rights:
To know what personal data is being collected, for what purposes, and with whom it is shared.
To learn whether their personal data is processed and to request access to it.
To request corrections of incomplete or inaccurate personal data.
To request deletion of personal data if the purposes of processing are no longer valid or consent is withdrawn.
To request limitation of processing in certain circumstances.
To object to the processing of personal data, including for marketing or profiling purposes.
To request transfer of personal data to another controller, where technically feasible.
To seek compensation for damages caused by unlawful data processing
Cookies and similar tracking technologies are considered a form of personal data processing under KVKK when they identify or can be linked to an individual. Essential cookies required for website functionality may not require consent, but analytics, advertising, and personalization cookies generally do. Websites must provide a cookie policy and obtain explicit opt-in consent for non-essential cookies.
The KVKK Authority can impose significant penalties for non-compliance. Administrative fines may reach up to TRY 2,000,000 (indexed and subject to annual updates) depending on the nature of the violation. The Authority may also order suspension of data processing activities, deletion of unlawfully processed data, and corrective actions. Non-compliance risks not only financial penalties but also reputational damage.
To check your compliance with the KVKK Turkey, businesses should:
Audit:
Audit their data to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Implement consent banners and check they are working correctly, make it easy and transparent for users to withdraw consent at any time, and keep consent logs
Check on partners and third parties:
Review third-party data-sharing practices
Train employees:
Make sure staff understand and comply with KVKK
The KVKK regulates the processing of personal data by natural persons or legal entities in Turkey. It aims to protect the fundamental rights and freedoms of individuals, particularly the right to privacy, when their data is collected, stored, used, or transferred.
Personal data refers to any information relating to an identified or identifiable natural person. This includes details such as name, surname, identification number, address, phone number, email, financial information, or any other data that can directly or indirectly reveal someone’s identity.
Sensitive personal data includes information on race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, association/union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Processing this category of data requires stricter safeguards and legal bases.
The Personal Data Protection Authority (KVKK Kurumu) is the independent regulatory and supervisory authority responsible for overseeing compliance with the law.
The KVKK does not apply to the processing of personal data by individuals for purely personal or household activities, provided that the data is not shared with third parties or used for professional or commercial purposes.
More detailed information, guidelines, and resources are available on the official website of the Turkish Personal Data Protection Authority (KVKK).
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
