KVKK Compliance in Türkiye: Legal Guide for Companies and Foreign Investors
Personal data compliance in Türkiye is no longer a formal document exercise. Companies must understand what data they collect, why they process it, where they transfer it, how they secure it and how they respond when something goes wrong.

Personal data has become one of the most valuable and sensitive assets held by modern companies. Customer databases, employee files, supplier records, CCTV footage, website analytics, payment information, health data, marketing lists, call recordings, cloud systems and cross-border reporting flows all involve personal data.
In Türkiye, the processing of personal data is mainly regulated under the Law on the Protection of Personal Data, commonly known as the KVKK.
For many companies, KVKK compliance began as a documentation project: privacy notices, consent forms, policies and registry entries. That approach is no longer sufficient. Data protection compliance is now a board-level, operational and contractual issue.
A company must understand:
- what personal data it collects;
- why it collects that data;
- which legal basis applies;
- who has access to the data;
- where the data is stored;
- whether the data is transferred abroad;
- how long the data is retained;
- how data subjects are informed;
- how requests are handled;
- how vendors are controlled;
- what happens in case of a data breach.
This guide explains the key legal issues companies, investors and international businesses should consider when operating in Türkiye.
1. KVKK Compliance Is Not Only for Technology Companies
A common mistake is to assume that data protection law concerns only technology platforms, software companies or e-commerce businesses.
In practice, almost every company processes personal data.
A company may process personal data when it hires employees, keeps payroll records, collects customer information, sends marketing messages, records calls, uses CCTV, manages visitors, operates a website, uses cookies, works with vendors, stores contracts, processes invoices, keeps supplier contacts, uses cloud software, reports to a foreign parent company, manages job applications, conducts internal investigations or runs loyalty or membership programmes.
For this reason, KVKK compliance is relevant to manufacturing companies, law firms, clinics, hotels, schools, real estate developers, financial businesses, logistics companies, retailers, agencies, family businesses and foreign investors.
The question is not whether a company processes personal data. The question is whether it knows how and why it does so.
2. The First Step: Data Mapping
A company cannot comply with KVKK if it does not know its own data flows.
Before preparing documents, the company should map its personal data processing activities.
A practical data map should identify the categories of data subjects, the categories of personal data, the purposes of processing, the legal bases, the collection methods, the storage locations, internal access rights, third-party recipients, cross-border transfers, retention periods, security measures and deletion or anonymisation processes.
Data subjects may include employees, job applicants, customers, potential customers, suppliers, visitors, shareholders, directors, contractors, website users, patients or clients, event participants, family members of employees and emergency contacts.
The purpose of data mapping is not bureaucracy. It is to create visibility.
Without visibility, privacy notices may be inaccurate, consent forms may be unnecessary or defective, vendor contracts may be incomplete and breach response may become chaotic.
3. Privacy Notices and the Duty to Inform
One of the central obligations under Turkish data protection law is the duty to inform data subjects. This is usually fulfilled through privacy notices.
A privacy notice should explain, in a clear and accessible manner, the identity of the data controller, the purposes of processing, the legal basis of processing, the recipients or recipient groups, the method of collection, the rights of the data subject, and how data subjects may exercise their rights.
The Turkish Data Protection Authority emphasises that data subjects should be informed whenever their personal data is processed, even where processing is based on explicit consent or another legal ground.
A privacy notice should not be a generic document copied from another company. Different processing contexts usually require different notices — for example, an employee privacy notice, a job applicant notice, a customer notice, a website notice, a CCTV notice, a visitor notice, a supplier contact notice, a marketing notice and an event participant notice.
A company should also ensure that the privacy notice is presented at the correct time. A notice hidden in a website footer may not be sufficient for data collected in person, through employment processes or through a physical visitor system.
4. Explicit Consent Is Not Always the Correct Legal Basis
Many companies assume that they should obtain consent for every data processing activity. That is not always correct.
Under KVKK, explicit consent is one possible legal basis, but not the only one. Certain processing activities may be based on other legal grounds, depending on the circumstances.
Overusing consent can create problems. If a company says that processing is based on consent, but the data subject cannot realistically refuse, the consent may be challenged. This is particularly important in employment relationships, where the imbalance between employer and employee may affect the validity of consent.
The Authority defines explicit consent as consent relating to a specific subject, based on information and expressed with free will.
A company should therefore ask: is explicit consent really needed? Is there another legal basis? Is the consent specific? Is the data subject properly informed? Can the person refuse without negative consequences? Is consent recorded? Can consent be withdrawn? What happens after withdrawal?
Consent should not be used as a decorative signature line. It should be legally necessary, properly obtained and operationally respected.
5. VERBIS Registration and Data Inventory
Certain data controllers may be required to register with the Data Controllers Registry, commonly known as VERBIS.
VERBIS registration should be based on a personal data processing inventory. The Authority has stated that controllers subject to the registry obligation must prepare a personal data processing inventory and that VERBIS entries should be based on that inventory.
A weak VERBIS registration can create risk if it does not reflect real data processing activities.
Companies should review whether they are subject to registration, whether any exemption applies, whether the data inventory is complete, whether VERBIS entries match actual practice, whether changes have been updated, whether retention periods are realistic, whether recipient groups are accurately identified and whether cross-border transfer information is correct.
VERBIS should not be treated as a one-time form. Business changes may require updates. New software, new HR processes, new marketing practices, new vendors or international reporting flows can all affect the data inventory.
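The data-mapping and VERBIS sections above both come down to the same practical check: does every processing activity in the inventory document a legal basis, recipients, a retention period, a destination and mechanism for any transfer abroad, and safeguards for any special-category data? The following Python script is an added example written for this article, not material from the original page or from the Authority, and it runs exactly those consistency checks over an inventory kept as a list of records. The field names, the severity labels and the sample inventory are assumptions constructed for the example; the script flags documentation gaps and points that need legal review, it does not decide whether processing is lawful.

```python
"""Consistency checks over a personal data processing inventory.

Added example, not part of the original article. It does not assess
lawfulness; it flags inventory entries that lack the fields a data map or
VERBIS inventory should document, so gaps are visible before privacy notices
or registry entries are written from it. Field names and the sample inventory
are assumptions constructed for the example.
"""
from dataclasses import dataclass

# Special categories listed in KVKK Article 6 (used here only to require
# that safeguards are documented and a legal review is recorded).
SPECIAL_CATEGORIES = {
    "race", "ethnic_origin", "political_opinion", "philosophical_belief",
    "religion", "appearance_and_dress", "association_membership",
    "union_membership", "health", "sexual_life", "criminal_conviction",
    "biometric", "genetic",
}

REQUIRED_FIELDS = (
    "data_subjects", "data_categories", "purpose", "legal_basis",
    "storage_location", "recipients", "retention_period",
)


@dataclass
class Finding:
    activity: str
    severity: str  # "gap" = missing documentation, "review" = needs legal review
    message: str


def check_activity(a: dict) -> list[Finding]:
    aid = a.get("id", "<no id>")
    out = []
    for f in REQUIRED_FIELDS:
        if not a.get(f):
            out.append(Finding(aid, "gap", f"missing field: {f}"))
    # A transfer abroad must name where the data goes and under which mechanism.
    if a.get("transfers_abroad"):
        if not a.get("destination_countries"):
            out.append(Finding(aid, "gap", "transfer abroad without destination country"))
        if not a.get("transfer_mechanism"):
            out.append(Finding(aid, "gap", "transfer abroad without documented transfer mechanism"))
    # Special-category data needs documented safeguards and a recorded legal review.
    special = SPECIAL_CATEGORIES & set(a.get("data_categories", []))
    if special:
        if not a.get("special_category_safeguards"):
            out.append(Finding(aid, "gap", f"special categories {sorted(special)} without documented safeguards"))
        out.append(Finding(aid, "review", "special category data: confirm Article 6 basis"))
    # Consent-based processing needs a consent record; consent taken from
    # employees is flagged for review because of the power imbalance.
    if a.get("legal_basis") == "explicit_consent":
        if not a.get("consent_record"):
            out.append(Finding(aid, "gap", "explicit consent claimed but no consent record"))
        if "employees" in a.get("data_subjects", []):
            out.append(Finding(aid, "review", "explicit consent relied on for employee data"))
    if str(a.get("retention_period", "")).lower() in ("indefinite", "unlimited", "permanent"):
        out.append(Finding(aid, "review", "indefinite retention period"))
    return out


def check_inventory(inv: list[dict]) -> list[Finding]:
    findings = []
    ids = [a.get("id") for a in inv]
    for dup in {i for i in ids if ids.count(i) > 1}:
        findings.append(Finding(str(dup), "gap", "duplicate activity id"))
    for a in inv:
        findings.extend(check_activity(a))
    return findings


# Constructed sample inventory (not real company data).
SAMPLE_INVENTORY = [
    {"id": "HR-01", "data_subjects": ["employees"],
     "data_categories": ["identity", "payroll", "health"],
     "purpose": "personnel administration", "legal_basis": "explicit_consent",
     "storage_location": "HRIS (EU region)", "recipients": ["payroll provider"],
     "retention_period": "indefinite", "transfers_abroad": True,
     "destination_countries": ["DE"]},
    {"id": "MKT-02", "data_subjects": ["customers"], "data_categories": ["contact"],
     "purpose": "newsletter", "legal_basis": "explicit_consent",
     "consent_record": "CRM opt-in log", "storage_location": "CRM SaaS",
     "recipients": ["email service provider"], "retention_period": "until withdrawal",
     "transfers_abroad": False},
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f.activity:8} {f.severity:7} {f.message}")
```

Run against the sample, the HR activity produces six findings (no transfer mechanism, no consent record, undocumented safeguards for health data, plus three review items) while the newsletter activity produces none. The point is that an inventory which cannot pass checks like these cannot be the reliable source for privacy notices or VERBIS entries.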
6. Employee Data and Human Resources
Employment data is one of the most sensitive areas of KVKK compliance.
Employers process a wide range of personal data, including identity information, contact details, payroll data, bank account information, social security data, performance records, disciplinary records, health reports, criminal record documents in limited cases, leave records, emergency contact information, family information, biometric data in some workplaces, CCTV footage, access logs, and email and device usage data.
Employee data should be processed with particular care because of the power imbalance in the employment relationship.
Key issues include employee privacy notices, retention of employment records, access to personnel files, health data processing, monitoring of workplace devices, CCTV in the workplace, internal investigations, disciplinary processes, remote work tools, transfer of employee data to group companies, data sharing with payroll providers and deletion after termination.
Employers should avoid collecting excessive data simply because it may be useful later. Personal data should be limited to what is necessary, lawful and proportionate.
7. Sensitive Personal Data
Certain categories of personal data require higher protection. Under KVKK these special categories are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. Health data, biometric data, union membership and criminal record information are the categories companies most often encounter in practice.
Companies may encounter sensitive data in employment health reports, occupational safety processes, disability records, biometric entry systems, health services, insurance processes, employee benefit programmes, internal investigations, litigation files and diversity or inclusion initiatives.
Processing sensitive data without a proper legal basis and safeguards can create significant risk.
Companies should determine why sensitive data is collected, whether collection is necessary, who has access, whether special security measures are applied, whether the data is shared with third parties, whether the data is transferred abroad, how long it is retained and how it is deleted.
Sensitive data should never be treated as ordinary administrative information.
8. Marketing, CRM and Commercial Communications
Marketing is a common source of data protection risk.
Companies may collect and use personal data for newsletters, promotional emails, SMS campaigns, customer segmentation, CRM systems, retargeting, social media advertising, loyalty programmes, event invitations, lead generation, call centre follow-up and business development.
Marketing data should be reviewed together with consent, privacy notices, electronic commercial communication rules, cookie practices and CRM access rights.
Companies should consider how marketing contacts are collected, whether consent is required, whether opt-out mechanisms work, whether customer lists were lawfully obtained, whether purchased databases are used, whether group companies share marketing data, whether marketing vendors process data and whether records of consent are kept.
A business development team should not use informal contact lists without legal review. This is particularly relevant for companies operating across Türkiye, the EU, the UK or the Middle East, where different privacy and marketing rules may interact.
9. Website, Cookies and Analytics
A company website may collect more personal data than expected. Data may be collected through contact forms, newsletter forms, job application forms, cookies, analytics tools, embedded maps, chat widgets, social media pixels, appointment systems, downloadable content, IP logs and security tools.
A website should have appropriate privacy and cookie documentation.
Companies should ask: What cookies are used? Are analytics tools active? Are marketing pixels installed? Is data transferred outside Türkiye? Is user consent required for certain cookies? Is the cookie banner accurate? Does the privacy policy match actual tools? Are form submissions stored securely? Who receives website enquiries? Are third-party plugins compliant?
A website privacy policy should not simply state that data is protected. It should reflect the actual technical structure of the website.
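One concrete way to test whether a cookie notice matches the site is to list the third-party hosts the page actually loads and compare them with the third parties the notice declares. The Python script below is an added example written for this article, not code from the original page; it parses a saved copy of the HTML offline, collects the hosts behind external scripts, tracking pixels and embedded frames, including URLs inside inline loader snippets, and reports every host missing from the declared list. The sample HTML, the first-party hostname and the declared list are constructed for the example. It only sees what is in the static HTML, so cookies set server-side or tags injected at runtime by a tag manager still need a browser-based audit.

```python
"""Compare third-party hosts loaded by a page with those declared in its
cookie or privacy documentation.

Added example, not from the original article. Works offline on saved HTML:
collects hosts from <script src>, <img src> (pixels), <iframe src> and URLs
inside inline <script> text, then reports hosts absent from the declared list.
Sample HTML, first-party host and declared list are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ThirdPartyCollector(HTMLParser):
    # Attributes that make the browser fetch from another host.
    TAGS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.resources: list[tuple[str, str]] = []  # (how loaded, host)
        self._in_script = False

    def _record(self, kind: str, host: str) -> None:
        host = host.lower()
        if host and host != self.first_party:
            self.resources.append((kind, host))

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        attr = self.TAGS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        if url.startswith("//"):  # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname  # None for relative (first-party) paths
        if host:
            self._record(tag, host)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Pixel and analytics loaders are often inline snippets that build a
        # <script> element at runtime; catch the hosts they reference.
        if self._in_script:
            for m in HOST_RE.finditer(data):
                self._record("inline-script", m.group(1))


def third_party_hosts(html: str, first_party_host: str) -> dict[str, set[str]]:
    """Map each third-party host to the ways the page loads it."""
    p = ThirdPartyCollector(first_party_host)
    p.feed(html)
    p.close()
    out: dict[str, set[str]] = {}
    for kind, host in p.resources:
        out.setdefault(host, set()).add(kind)
    return out


def undeclared_hosts(html: str, first_party_host: str, declared) -> dict[str, set[str]]:
    """Third-party hosts actually loaded but absent from the declared list."""
    declared_l = {d.lower() for d in declared}
    return {h: k for h, k in third_party_hosts(html, first_party_host).items()
            if h not in declared_l}


# Constructed sample page (hosts are illustrative, not a real site).
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="//cdn.analytics.example/collect.js"></script>
<script>
  !function(f,b,e,v,n,t,s){}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
</script>
</head><body>
<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=0&ev=PageView">
<iframe src="https://www.google.com/maps/embed?pb=example"></iframe>
</body></html>"""

# What the (constructed) cookie notice says the site uses.
DECLARED = {"www.googletagmanager.com", "www.google.com"}

if __name__ == "__main__":
    for host, kinds in sorted(undeclared_hosts(SAMPLE_HTML, "www.example.com", DECLARED).items()):
        print(f"undeclared: {host:28} loaded via {', '.join(sorted(kinds))}")
```

On the sample, the tag manager and the maps embed are declared, while the analytics CDN, the pixel image and the inline-loaded pixel script are not; each undeclared host is an item for the legal and web teams to either document or remove.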
10. Vendor and Processor Management
Most companies do not process data alone. They use service providers such as payroll providers, accountants, IT vendors, cloud hosting companies, CRM platforms, marketing agencies, call centres, security companies, recruitment platforms, payment providers, logistics providers, software vendors and external consultants.
Each vendor relationship may create data protection obligations.
Companies should review what personal data is shared, why the vendor receives it, whether the vendor acts as processor or independent controller, whether a data processing agreement is needed, whether the vendor uses sub-processors, whether data is transferred abroad, what security measures are applied, how breach notification works and how data is returned or deleted after termination.
Vendor contracts should not be limited to price and service scope. Data protection clauses are now essential.
11. Cross-Border Data Transfers
Cross-border data transfer is one of the most important compliance issues for international companies in Türkiye.
Many companies transfer personal data abroad through foreign parent company reporting, global HR systems, cloud storage, CRM platforms, email hosting, accounting systems, international vendors, group company databases, technical support access, marketing tools and foreign servers.
The Turkish Data Protection Authority has published a guide on the cross-border transfer of personal data following legislative changes, and companies should review the applicable transfer mechanism carefully.
Companies should not assume that using a global software provider is automatically compliant.
They should identify what data leaves Türkiye, which country receives it, who receives it, what transfer mechanism applies, whether standard contracts are needed, whether notification to the Authority is required, whether sensitive data is involved, whether data subjects are informed and whether vendor contracts align with Turkish requirements.
For foreign investors, this is particularly important because group reporting and centralised systems are common.
12. Data Breaches and Incident Response
A data breach may involve unauthorised access, disclosure, loss, alteration, destruction or unlawful processing of personal data.
Examples include a ransomware attack, a lost laptop, an email sent to the wrong recipient, unauthorised access by an employee, a hacked customer database, a stolen HR file, a misconfigured cloud folder, a vendor breach, a phishing incident, exposed website form data and leaked medical or financial records.
A company should not wait for a breach to create an incident response plan.
A practical breach response plan should define who receives internal reports, who assesses the incident, who preserves evidence, who contacts IT and security providers, who decides whether notification is required, who communicates with affected individuals, who informs management, who manages legal privilege and documentation, who deals with media or reputation issues and how corrective measures are recorded.
In a breach, timing matters. The Personal Data Protection Board has stated that the Authority should be notified without delay and at the latest within 72 hours of the controller learning of the breach, and that affected data subjects should be informed within a reasonable time. Confusion in the first 24–48 hours can therefore consume most of that window and create legal and reputational damage.
13. Board and Management Responsibility
KVKK compliance should not be delegated entirely to junior staff or external consultants. Management should understand the company's risk profile.
Senior management should periodically ask: Do we know what personal data we process? Are our privacy notices accurate? Do we rely on consent correctly? Are we required to register with VERBIS? Is our data inventory updated? Do we transfer data abroad? Are vendors contractually controlled? Do we have a breach response plan? Are employees trained? Are retention periods applied? Do we delete data when no longer needed? Are HR and IT aligned with legal requirements?
Data protection is not only a legal compliance issue. It is a governance, risk and reputation issue.
14. M&A, Investment and Due Diligence
KVKK compliance is increasingly relevant in mergers, acquisitions and investment transactions.
A buyer or investor should review whether the target company has privacy notices, has obtained necessary consents, has a data inventory, is registered with VERBIS if required, has vendor agreements, transfers data abroad, has suffered data breaches, has received complaints, processes sensitive data, uses marketing databases, relies on customer data as a business asset, has employee monitoring practices, has cookie and website compliance documents, and has deletion and retention policies.
Data protection issues may affect valuation, warranties, indemnities, closing conditions, post-closing integration, customer database usability, vendor migration, IT restructuring and group reporting.
For companies whose commercial value depends on customer data, software platforms, health records, marketing databases or user accounts, KVKK due diligence can be critical.
15. Data Retention and Deletion
A common compliance weakness is keeping data indefinitely. Companies often retain documents because storage is cheap, deletion is inconvenient or no one knows who is responsible. However, excessive retention creates legal and security risk.
A data retention policy should define the retention period by data category, the legal basis for retention, the responsible department, the deletion method, the anonymisation method where relevant, archive rules, litigation hold exceptions, the backup deletion approach and a periodic review process.
Different data types require different retention logic. For example, employment records, accounting documents, CCTV footage, marketing consents, visitor logs, contracts and litigation files should not all be retained under one generic period.
Data retention is not only about deletion. It is about disciplined information governance.
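The retention logic described above can be made mechanical once the policy exists: each record category carries a period, a trigger event, and an outcome (delete or anonymise), and a litigation hold suspends the clock. The Python script below is an added example written for this article, not material from the original page; it evaluates records against such a policy and returns a decision per record for logging and review rather than executing any deletion. The retention periods, categories and sample records are placeholders constructed for the example and are not a statement of the periods Turkish law requires; those must come from the company's own legal analysis.

```python
"""Apply a category-based retention policy and decide, per record, whether to
retain, delete or anonymise it.

Added example, not part of the original article. Periods below are
placeholders showing the mechanics, not legally required periods. A legal
hold overrides expiry; decisions are returned, not executed, so they can be
logged and reviewed before any deletion job runs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    trigger: str   # record field holding the date the retention clock starts
    action: str    # "delete" or "anonymise" once the period has expired
    years: int = 0
    days: int = 0


# Hypothetical policy; every period here is illustrative only.
POLICY = {
    "employment_file":  Rule(trigger="employment_ended", action="delete", years=10),
    "customer_account": Rule(trigger="account_closed", action="anonymise", years=1),
    "cctv":             Rule(trigger="recorded", action="delete", days=30),
    "visitor_log":      Rule(trigger="visit_date", action="delete", days=90),
}


@dataclass
class Decision:
    record_id: str
    action: str            # "retain", "delete", "anonymise", "hold" or "review"
    reason: str
    due: Optional[date] = None


def add_years(d: date, years: int) -> date:
    """Anniversary date; 29 February falls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: dict, today: date, policy=POLICY) -> Decision:
    rid = record["id"]
    rule = policy.get(record.get("category"))
    if rule is None:
        # Unknown category: the policy has a gap, so a human must decide.
        return Decision(rid, "review", "no retention rule for category")
    if record.get("legal_hold"):
        return Decision(rid, "hold", "litigation hold in place; retention clock suspended")
    trigger = record.get(rule.trigger)
    if trigger is None:
        # e.g. an employment file for a current employee: the clock has not started.
        return Decision(rid, "retain", f"trigger event '{rule.trigger}' has not occurred")
    due = add_years(trigger, rule.years) + timedelta(days=rule.days)
    if today >= due:
        return Decision(rid, rule.action, "retention period expired", due)
    return Decision(rid, "retain", "within retention period", due)


def plan(records: list[dict], today: date, policy=POLICY) -> list[Decision]:
    return [evaluate(r, today, policy) for r in records]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": "EMP-1", "category": "employment_file", "employment_ended": date(2014, 6, 30)},
    {"id": "EMP-2", "category": "employment_file", "employment_ended": None},
    {"id": "EMP-3", "category": "employment_file", "employment_ended": date(2013, 1, 1), "legal_hold": True},
    {"id": "CCTV-1", "category": "cctv", "recorded": date(2025, 1, 1)},
    {"id": "CUST-1", "category": "customer_account", "account_closed": date(2023, 12, 31)},
    {"id": "X-1", "category": "old_export"},
]

if __name__ == "__main__":
    for d in plan(SAMPLE_RECORDS, date(2025, 1, 15)):
        print(f"{d.record_id:7} {d.action:9} due={d.due} {d.reason}")
```

The backup copies mentioned in the policy list above are deliberately outside this logic: a decision to delete a live record should trigger a separate, documented step for backups, and the "review" outcome for unmapped categories is what surfaces gaps in the policy itself.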
16. Internal Policies and Training
Documents alone do not create compliance. Employees must understand how to handle personal data in daily work.
Training should cover what personal data is, basic KVKK principles, confidentiality, email mistakes, secure document sharing, password and access controls, phishing awareness, HR data sensitivity, customer data handling, data subject requests, breach reporting, use of personal devices, remote work, vendor sharing, and social media and marketing data.
Policies should be practical, not merely formal. Useful internal policies may include a personal data protection policy, a data retention and deletion policy, an information security policy, a breach response procedure, an employee privacy policy, a CCTV policy, a clean desk policy, an acceptable use policy and a vendor management procedure.
A company with perfect policies but no training remains vulnerable.
17. Common Mistakes in KVKK Compliance
Common mistakes include copying privacy notices from another company; treating consent as a solution for everything; failing to map data flows; ignoring employee data; not updating VERBIS entries; using foreign cloud tools without transfer analysis; collecting excessive documents from employees or customers; retaining data indefinitely; failing to contractually control vendors; ignoring cookies and tracking tools; not training employees; having no breach response plan; failing to document data subject requests; treating KVKK as a one-time project; and involving legal counsel only after a complaint or breach.
Many compliance failures are not caused by bad faith. They are caused by lack of structure.
18. Practical KVKK Compliance Checklist
Companies operating in Türkiye should consider the following questions:
- Have we mapped our personal data processing activities?
- Do we know all categories of personal data we process?
- Are our privacy notices accurate and accessible?
- Do we rely on explicit consent only where appropriate?
- Are consent records properly kept?
- Are we required to register with VERBIS?
- Is our data inventory updated?
- Are employee data processes compliant?
- Do we process sensitive personal data?
- Are marketing and CRM practices reviewed?
- Are website cookies and analytics tools assessed?
- Do vendor contracts include data protection clauses?
- Do we transfer data abroad?
- Have cross-border transfer mechanisms been reviewed?
- Do we have a data breach response plan?
- Are employees trained?
- Are retention periods defined?
- Do we delete or anonymise data when required?
- Are data subject requests handled properly?
- Is management aware of the company's data protection risks?
- Is compliance reviewed after business or technology changes?
Frequently Asked Questions
What is KVKK?
KVKK is the common abbreviation for Türkiye's Law on the Protection of Personal Data. It regulates the processing of personal data and imposes obligations on data controllers and, in practice, many businesses operating in Türkiye.
Does every company need KVKK compliance?
Most companies process personal data and therefore need to consider KVKK obligations. The scope of compliance depends on the company's activities, size, data categories, systems, vendors and transfers.
Is a privacy notice enough?
No. A privacy notice is important, but it is only one part of compliance. Companies also need lawful processing grounds, data mapping, vendor controls, retention rules, security measures and breach response procedures.
Is explicit consent always required?
No. Explicit consent is one legal basis, but it is not always necessary or appropriate. Companies should identify the correct legal basis for each processing activity.
What is VERBIS?
VERBIS is the Data Controllers Registry. Certain data controllers may be required to register and maintain information based on their personal data processing inventory.
Can Turkish companies use foreign cloud services?
They may be able to, but cross-border data transfer rules must be reviewed. The company should identify what data is transferred, where it is transferred and which legal mechanism applies.
What should a company do after a data breach?
The company should immediately preserve evidence, assess the incident, involve legal and technical teams, determine notification obligations, take corrective measures and document all steps.
Is KVKK relevant in company acquisitions?
Yes. Data protection compliance can affect valuation, warranties, indemnities, customer database usability and post-closing integration.
Conclusion
KVKK compliance is not a formality. It is an operational discipline.
Companies in Türkiye must understand their data flows, inform individuals properly, rely on correct legal bases, protect personal data, manage vendors, assess international transfers and prepare for potential breaches.
A strong compliance structure does not prevent business. It makes business more reliable, auditable and resilient.
For international investors and Turkish companies alike, personal data protection should be integrated into corporate governance, contracts, employment processes, IT systems and risk management.
The companies that treat data protection as a living compliance programme will be better positioned than those that treat it as a folder of documents prepared once and forgotten.
How Terziolu & Partners Can Assist
Terziolu & Partners advises companies, investors, entrepreneurs and private clients on corporate, commercial, regulatory and cross-border matters involving Türkiye. Our work may include reviewing KVKK compliance structures; preparing privacy notices and internal policies; assessing data processing activities; advising on VERBIS and data inventory matters; reviewing employee data processes; advising on marketing and CRM compliance; reviewing vendor and data processing agreements; advising on cross-border data transfers; supporting data breach response; conducting data protection due diligence in transactions; and coordinating with IT, cybersecurity and international advisors where required.
Discuss a KVKK compliance, data protection or cross-border data transfer matter with our team.
This article is provided for general informational purposes only and does not constitute legal advice. Data protection obligations may vary depending on the company's activities, data categories, legal basis, sector, systems, vendors, transfer mechanisms, security measures, data subjects and timing of advice. No action should be taken or withheld solely on the basis of this publication. Specific legal and technical advice should be obtained before implementing any KVKK compliance, cross-border transfer, data processing, vendor management or breach response measure. Submission of an enquiry to Terziolu & Partners does not create a lawyer-client relationship unless and until the engagement is formally accepted in writing.