What Is KVKK?
KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698) is Turkey's personal data protection law, enacted on April 7, 2016. It regulates how personal data of individuals in Turkey is collected, processed, stored, and transferred. If your mobile app has users in Turkey, KVKK applies regardless of where your company is based.
Turkey has over 85 million people and high smartphone penetration. If your app is available on the Turkish App Store or Google Play Turkey, you need to understand KVKK.
How KVKK Compares to GDPR
KVKK was modeled after the EU's 1995 Data Protection Directive and shares many similarities with GDPR, but key differences exist:
| Feature | GDPR | KVKK |
|---|---|---|
| Lawful bases | 6 bases | 8 bases (adds "publicly available data" and "mandatory for rights claims") |
| Consent standard | Explicit, freely given | Explicit; must be separate from terms |
| Data Protection Authority | National DPAs per country | Single authority: KVKK Board |
| Breach notification | 72 hours to DPA | "As soon as possible" (no fixed hours) |
| Fines | Up to 4% of global revenue | Fixed ranges: TRY 50,000 to TRY 3,000,000 per violation |
| Cross-border transfer | SCCs, adequacy, BCRs | Board approval or adequate country list; consent as fallback |
The biggest practical difference: KVKK fines are fixed ranges in Turkish Lira rather than percentages of revenue.
Key Requirements for App Developers
1. Explicit Consent
KVKK requires explicit consent before processing personal data. This consent must be informed, freely given, specific to each purpose, and documented. Unlike GDPR, KVKK does not have a broad "legitimate interest" basis for analytics and marketing. Most app data processing relies on explicit consent.
2. Data Controller Registration (VERBIS)
Turkey operates VERBIS, a national data controller registry. Companies above certain thresholds must register and declare what data they process, retention periods, and cross-border transfers. Foreign companies with Turkish users may need to appoint a representative in Turkey.
3. Privacy Notice (Aydınlatma Metni)
KVKK requires a privacy notice covering the data controller's identity, collection purposes, legal basis, recipients, user rights, and retention periods. This must be shown during onboarding or before the consent prompt.
4. Cross-Border Data Transfer
This is where KVKK gets stricter. Transferring Turkish users' data outside Turkey requires:
- The destination country is on the Board's "adequate protection" list (very few qualify)
- The Board has granted specific approval
- The user has given explicit consent
- A binding commitment letter is filed with the Board
Most developers rely on explicit consent since the adequate country list is very limited.
5. Data Subject Rights
Turkish users can request access, rectification, and erasure of their data, and they have the right to complain to the Board. You must respond within 30 days.
Practical Compliance Steps
- Add a Turkish-language consent prompt meeting KVKK requirements
- Provide a Turkish-language privacy notice
- Implement data export and deletion features
- Get explicit consent for storing data outside Turkey
- Check VERBIS registration thresholds
- Keep consent records with timestamps
Enforcement
The KVKK Board actively investigates complaints and publishes decisions. They have fined both Turkish and international companies for missing consent mechanisms, unauthorized transfers, and VERBIS non-registration.