These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

Turkey Data Protection Checklist

Comprehensive compliance guide for Turkish Data Protection Law (Law No. 6698)

Key Provisions

Articles 1–2: Purpose & Scope

Article 1: Purpose – Protect fundamental rights and freedoms, especially privacy, during personal data processing.

Article 2: Scope – Applies to data controllers/processors in Turkey; excludes purely personal or household activity.

Article 3: Definitions

Explicit Consent: Consent that is freely given, specific, and informed.

Anonymization: Making personal data unidentifiable even when combined with other data.

Data subject: The person whose personal data is being processed.

Personal Data: Any information that can identify a natural person.

Processing of personal data: Any action done to personal data, like collecting, storing, or sharing it.

Data processor: A person or entity that processes data on behalf of the data controller.

Data controller: The person or entity that decides why and how personal data is processed.

Article 4: General Principles

Personal data must be processed lawfully and in good faith, accurately, for specified and legitimate purposes, with data minimization and limited retention.

Article 5: Conditions for Processing Personal Data

Personal data cannot be processed without explicit consent, except where processing is necessary for a legal obligation, contract performance, vital interests, public interest, or legitimate interests, or where the data subject has made the data public.

Article 6: Conditions for Processing of Special Categories of Personal Data

Special categories (race, health, sexual life, biometrics, etc.) require explicit consent. Health and sexual-life data may be processed without consent by medical professionals or public health bodies, under Board-approved safeguards.

Article 7: Erasure, Destruction or Anonymization of Personal Data

Data controllers must erase, destroy or anonymize personal data ex officio or upon request when processing purposes no longer apply; procedures are set by by-law.

Articles 8–9: Transfer of Personal Data

Article 8 (Domestic Transfer) – Consent required, unless covered by Article 5 or Article 6 exceptions.

Article 9 (Cross-Border Transfer) – Consent required; data may be transferred without consent if the recipient country has "adequate protection" or via written commitment and Board authorization.

Article 10: Obligation of Data Controller to Inform

At data collection, controllers must inform data subjects of controller identity, processing purposes, recipients, legal basis, and rights under Article 11.

Article 11: Rights of the Data Subject

Data subjects may request confirmation of processing; access; purpose; recipients; correction; deletion under Article 7; notification of third parties; objection to automated decisions; and compensation.

Article 12: Obligations Concerning Data Security

Controllers must implement technical and organizational measures (encryption, access controls, audits, training) to prevent unlawful processing or access. They must notify data subjects and the Board of breaches "as soon as possible."

Articles 17–18: Crimes and Misdemeanours

Article 17 (Crimes) – Penal provisions under Turkish Penal Code (Articles 135–140) apply to unlawful data processing.

Article 18 (Misdemeanours) – Administrative fines: 5,000–100,000 TL for failure to inform (Art. 10); 15,000–1,000,000 TL for security lapses (Art. 12); 25,000–1,000,000 TL for non-compliance with Board decisions (Art. 15); 20,000–1,000,000 TL for registry offences (Art. 16).

Article 28: Exemptions

Exempts purely personal/household processing, national security, judicial proceedings, and artistic/research purposes (with certain partial exceptions for informing, data rights, and registry).

Articles 19–22: Personal Data Protection Authority and Board

Article 19 – Establishes the Personal Data Protection Authority (KVKK).

Article 20 – Authority's duties (legislative monitoring, research, international cooperation).

Article 21 – Board composition and independence.

Article 22 – Board's powers (examinations, sanctions, regulatory acts).

Compliance Checklist

Articles 5–6: Conditions for Processing (Consent)

For Controllers

  • Obtain explicit consent for personal data and special categories
  • Document and justify any non-consent processing basis (Art. 5)

For Processors

  • Process data only under controller's instructions
  • Do not use special categories beyond agreed scope

Article 7: Erasure, Destruction or Anonymization

For Controllers

  • Define and enforce retention periods aligned with processing purposes
  • Erase/anonymize data once purposes expire

For Processors

Securely delete or anonymize data per controller instructions.

Articles 8–9: Transfer of Personal Data

For Controllers

Obtain consent for domestic and cross-border transfers. Ensure recipient country adequacy or Board approval.

For Processors

  • Transfer data only to authorized jurisdictions
  • Use encryption for transfers

Article 10: Obligation to Inform

For Controllers

Maintain clear, up-to-date privacy notices covering processing purposes, recipients, and rights.

For Processors

Support controllers in fulfilling disclosure obligations.

Article 11: Rights of the Data Subject

For Controllers

Establish processes for data access, correction, deletion (Art. 7), and objection.

For Processors

Respond to data subject requests within 30 days.

Article 12: Data Security Obligations

For Controllers

Implement encryption, access controls, breach response plans, regular audits, and staff training.

For Processors

Immediately report any breaches to the controller.

Article 16: Data Controllers' Registry

For Controllers

Register with VERBIS before processing; update entries for changes.

For Processors

Provide controllers with accurate registration information.

Article 18: Misdemeanours

For Controllers

Monitor and remediate compliance gaps to avoid fines (5,000–1,000,000 TL).

For Processors

Cooperate with audits and investigations to demonstrate due diligence.
