KVKK

• Applies to all personal data processing in Turkey
• Covers both natural and legal persons as data controllers
• Applies to automated and non-automated processing
• Extraterritorial application in certain cases
• Covers special categories of personal data with stricter requirements

• Right to know whether personal data is processed
• Right to request information about processing
• Right to know the purpose of processing
• Right to know third parties to whom data is transferred
• Right to request rectification of incomplete or inaccurate data
• Right to request erasure or destruction
• Right to object to processing results obtained through automated systems
• Right to claim compensation for damages

• Registration with VERBİS (Data Controllers Registry)
• Explicit consent for special category data
• Data breach notification to KVKK within 72 hours
• Appointment of a data controller representative
• Cross-border transfer restrictions and Board approval
• Data retention limitations and destruction obligations
• Privacy notice requirements (Aydınlatma Metni)
• Implementation of technical and administrative measures

KVKK provides for both administrative and criminal penalties for violations. Administrative fines are updated annually based on revaluation rates.

Cross-border transfers require explicit consent or adequate protection in the destination country. The KVKK Board maintains a list of countries with adequate protection (currently limited). Binding Corporate Rules (BCR) and undertaking letters can be used for transfers to countries without adequacy decisions.