+90 212 244 9222


KVKK and GDPR Consultancy Services

By analyzing your risks due to legal incompliancy, we advise the required technical and administrative measures to have you process and store personal data fully compliant with the Law.

Click here for service details

How GDPR and KVKK Shall be Applied by Entities in Turkey?

  • If your company,

    • Provides service or goods to EU citizens that live outside the borders of EU or individuals living within the EU borders,
    • Monitors the behaviours of these individuals,
    • Transacts business with EU companies,
    • Provides services in one of the EU languages,
    • Owns, processes, stores or deletes the personal information of data subjects that live in EU,

    Then, it will be subjected to the GDPR.

  • If your company,

    • Owns,
    • Processes,
    • Stores,
    • Deletes

    personal information indirectly, directly, partially or in a whole;

    then it will be subjected to the PDPL.

  • Being subject to GDPR shall mean,

    • To receive a written approval from data subject according to the feature of each personal data to be processed,
    • To process, store, transfer, anonym, and delete personal data in line with the law,
    • To create a regulation that specify how to use each processed data,
    • To take technical measures and complete substructure for the security of the personal data and for processing them according to the GDPR,
    • To have a specific reason for processing each personal data and to make documentation,
    • To assign a Data Protection Officer for your company.

    Being subject to PDPL shall mean;

    • To process personal data in line with legislation,
    • To create a personal data inventory,
    • To complete technical substructure for sustaining data processing according to the legislation,
    • To prepare a personal data storage and destruction policy,
    • To assign a Data Protection Officer for your company,
    • To register in VERBIS (Data Controllers' Registry Information System).

Are you sure your company is not subject to GDPR?

You can contact us to figure out whether you are subject to Personal Data Protection Law (KVKK) or EU’s General Data Protection Regulation (GDPR).

Click here for details

Execution of Data Protection Laws

KVKK and GDPR impacts your entity’s operations significantly, both by legal and technical aspect.


It is safe to say that GDPR is the enhanced version of Turkish Data Protection Law (KVKK) and the KVKK is the first version of GDPR, released on 1995 under the name (Directive 95/46/EC). Since both regulations are the same in core concepts, it is more efficient for your operations to analyze the liabilities at first, then proceed with the compliancy measures. It will allow you to save both time and resources.

Within this scope, simply below the main concepts are summarized.

KVKK (Personal Data Protection Law)

GDPR (General Data Protection Regulation)

Key concepts on the KVKK are;

  • Required to be in accordance with the law and good faith rules.
  • To have the data accurate and updated, where and when necessary.
  • To process data for specified, clear and legitimate purposes.
  • To have data that are linked with the processing purpose, limited and restrained.
  • To store as necessary for the processing purpose or as considered in PDPL.
  • Appointing an officer (DPO) is not mandatory but recommended.

Key concepts on GDPR are;

  • To process data in line with lawfulness, fairness and transparency for the data subject.
  • To have the data be accurate and where necessary keep it up to date.
  • To process data for specified, explicit and legitimate purposes.
  • To process data as necessary, related with the purpose and restrained.
  • To store data for no longer than necessary for its processing purpose.
  • The controller shall be responsible for all principles.
  • To have a DPO for compliance process.


Not compliant with the regulation or the responsibilities related to the Law, what will happen now?

Both KVKK and GDPR aim the minimization of data and to have transparent data processing procedure along with security and confidentiality methods. Besides, sanctions of any discrepancies with the legal obligations are strictly serious.

Although both laws have the same core idea, they differ on the penalties. It is crucial to cover obligations in the law that you have responsibility of, linked with compliancy periods, not to face with any enforcement and administrative legal procedures.

Incompliancy Penalties for KVKK

  • Not registering to the VERBIS (Data Controllers' Registry Information System) between the related dates; between 20.000 TL – 1.000.000 TL,
  • Not fulfilling the obligation to provide acknowledgement on data transfer processes; between 5.000 TL – 100.000 TL,
  • Security incidents such as data breaches; between 15.000 TL – 1.000.000 TL,
  • In case the decisions made by the Board are not executed; 25.000 – 1.000.000 TL,

The given amounts are applied at the beginning of each calendar year by increasing the rate of revaluation determined and announced in accordance with the duplicated provisions of the Article 298 of the Tax Procedure Law No. 213 dated 4.1.1961 for that year.

In addition to these administrative fines mentioned in the Personal Data Protection Law, there are also jail sentences mentioned in the Turkish Criminal Code between 1 to 4 years.

according to the 2017 data, 41 data breach application are made to the PDPL Institution and 125.000-TL administrative fine is imposed as a result of these sanctions. In 2018, the amount of these data breach applications have increased to 395 and 233 of them are investigated by the Institution and replied. Moreover, the administrative fines to be imposed on 2018, are came up with 1.365.000-TL in total. Thus, the issue of personal data protection has been gaining more importance and the clock is ticking against the companies who have not completed the compliancy process yet.

Incompliancy Penalties for GDPR

In case of a probable data breach and/or incompliancy with the regulation, the sanctions to be imposed are very high when compared to KVKK.

The administrative penalty fine is determined as 4% of global revenue of the company that belong to the previous year or €20.000.000 Among these amounts, the highest one shall be imposed as a penalty fine.

Besides, the below mentioned ones shall also be imposed as a penalty:

  • Written warnings and notices,
  • Suspending data processing for a definite/indefinite period of time,
  • Demanding the processed data to be regulated, amended and/or limited,
  • Limiting the data transfer to any third-party country.

This website is using cookies.
In this website, we use cookies to develop your user experience, obtain efficient work and track statistical data. You are agreeing to our use of cookies by browsing our website. Please review Çerezler (Cookies) page for detailed information of how we manage the cookies. This choice is valid for 30 days until you delete the cookies in your web browser.
Hizmetlerimiz devam ediyor.

Due to the Covid-19 Coronavirus pandemic to secure the health of our employees our business operations are held remotely until further notification. CottGroup® will have its business processes carried out efficiently and smoothly thanks to our BCP plans and strong technological infrastructure. As always, our customers and business partners will be able to reach us via our phones and e-mails.