Moroglu Arseven Avukatlik Ortakligi
What law(s) specifically govern personal data / information?
In Türkiye, the protection of personal data is regulated under the Law No. 6698 on the Protection of Personal Data ("DP Law") and its secondary legislation.
Within the scope of the implementation of the DP Law, the following secondary regulations have been enacted:
Before the DP Law was enacted, data protection was governed by the Constitution of the Republic of Türkiye (“Constitution”), as well as general and sectoral laws and regulations.
Below, you can find the general laws on personal data protection.
Below, you can find the sector-specific regulations on personal data protection.
What are the key data protection principles in this jurisdiction?
Pursuant to Article 4 of the DP Law, the general principles for the processing of personal data are as follows:
- Lawfulness and fairness – Processing must comply with the law and the principle of good faith.
- Accuracy and up-to-dateness – Data must be accurate and updated when necessary.
- Specified, explicit, and legitimate purposes – Data must be processed for clearly defined and lawful purposes.
- Relevance, limitation, and proportionality – Processing must be relevant, limited, and proportionate to the intended purpose.
- Storage limitation – Data must be retained only for the duration prescribed by relevant legislation or necessary for the purposes for which it is processed.
What is the supervisory authority / regulator in charge of data protection?
In order to ensure proper implementation of the data protection rules, the Personal Data Protection Authority (“Authority”) was established as an independent regulatory authority, with organisational and financial autonomy, charged with ensuring fulfilment by market players of all provisions of the DP Law. The Authority is composed of the Personal Data Protection Board (“Board”).
The Board is the Authority’s decision-making body, consisting of nine members, five of whom are appointed by the Grand National Assembly of Türkiye and the remaining four by the President of the Republic. The Board has been active in Türkiye since January 2017.
Is there a requirement to register with a supervisory authority / regulator?
With the Board’s Decision No. 2020/482 and Board’s Decision No. 2023/1154, data controllers who are natural or legal persons with fewer than 50 employees and an annual financial balance sheet total of less than TRY 100 million, and whose primary activity does not involve processing special category personal data, are exempt from the obligation to register with VERBİS.
In addition, the Board held that the following categories of data controllers are exempt from having to register with VERBİS:
- data controllers processing personal data through non-automatic means, provided the processing is part of a data filing system;
- public notaries;
- associations (only for personal data processed in accordance with their area of activity);
- foundations;
- unions;
- political parties;
- lawyers;
- public accountants and sworn-in public accountants;
- customs brokers and authorized customs brokers; and
- mediators.
In addition, a data controller is exempt from the registration obligation where:
- processing of personal data is necessary for the prevention of crime or criminal investigation;
- processing is carried out on personal data that is made public by the data subject;
- processing is necessary for the performance of monitoring and regulating duties of the authorized public authorities and professional organizations with public institution status and for the disciplinary investigation and prosecution; or
- processing is necessary to protect the economic and financial interests of the State in relation to budget, tax, and financial matters.
Notably, overseas data controllers processing data from Türkiye must register with VERBİS without exception.
Is there a requirement to notify the supervisory authority / regulator?
Registration to VERBİS may be completed online via the official VERBİS platform.
Pursuant to the DP Law, local data controllers that exceed the statutory thresholds are required to register with VERBİS, which is an online system where data controllers must record their data processing activities. The applicable thresholds are:
- employing more than 50 employees;
- having an annual balance sheet total exceeding TRY 100 million; or
- being an overseas data controller that processes Türkiye-originated personal data (regardless of employee headcount or balance sheet size).
Outlined below are the key steps for VERBİS registration applicable to overseas data controllers:
- Creation of a VERBİS User Account
To create a VERBİS user account, the application form available on the VERBİS platform must be completed and submitted to the Board. Following the submission, the username and password will be sent to the data controller’s designated corporate e-mail address.
- Appointment of a Contact Person
Data controllers are required to appoint a contact person responsible for communications with the Board. The appointed contact person must be notified through VERBİS, and all notifications concerning VERBİS will be carried out via the e-government account of such contact person.
Once appointed, the contact person will upload the data inventory, as described below, and finalize the VERBİS registration.
- Preparation of a Data Inventory for Türkiye-Originated Processing Activities
Data controllers must prepare a data inventory and upload it to VERBİS. For overseas data controllers, the inventory should only cover data processing activities involving Türkiye-originated personal data, as registration is limited to these processes.
Please note that the registration process for overseas data controllers is more complex, as it requires the appointment of both a data controller representative (a Turkish legal entity or natural person) and a contact person (a Turkish natural person). The data controller representative will complete the VERBİS application form and formally appoint the contact person. Each legal entity must notify one contact person to VERBİS, and a contact person may only serve in that role for a single legal entity.
In addition, if cross-border data transfers are carried out based on the SCCs published by the Board, the execution of such clauses must be notified to the Board within five business days. This notification can be submitted online through the Standard Contractual Clauses Notification Module made available by the Authority.
What are the key data subject rights under the data protection laws of this jurisdiction?
As per Article 11 of the DP Law, data subjects are entitled to request the following from data controllers:
- information about whether their personal data has been processed;
- if their personal data has been processed, information about such data and the processing;
- information about the purpose of the data processing and whether the data was used for that purpose;
- information about the identities of the natural or legal persons to whom the data was transferred;
- correction, erasure, or removal of the personal data;
- that the data controller advises the recipient about correction, erasure, or removal of the personal data if data is transferred;
- that no result detrimental to them arises from the analysis of their data exclusively through automated systems; and
- compensation where a data subject suffers any damage due to the illegal processing of their data.
Is there a requirement to appoint a data protection officer (or equivalent)?
As explained above, data controllers that are required to register with VERBİS must appoint a contact person who will be responsible for managing communications with the Board through the e-government system. The authority of the contact person is strictly limited to correspondence and does not extend to decision-making or operational responsibilities in relation to personal data processing. Turkish legislation does not introduce a Data Protection Officer (“DPO”) appointment obligation.
For data controllers located in Türkiye, appointing a contact person is the only mandatory assignment within the scope of VERBİS obligations.
However, data controllers located outside Türkiye must fulfil an additional requirement. As detailed under the heading "Is it possible to register with / notify the supervisory authority / regulator online?", overseas data controllers are obliged to appoint both (i) a data controller representative in Türkiye (who must be a Turkish legal entity or a Turkish natural person) and (ii) a contact person.
In this structure, the data controller representative acts as the official liaison before the Board for fulfilling statutory obligations, while the contact person performs the technical communication functions via the e-government platform.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
A Data Protection Impact Assessment (“DPIA”) is not explicitly mandated under the DP Law. However, as stated in the Genetic Data Guide published by the Authority, data controllers handling genetic data under the DP Law are required to conduct a DPIA due to the sensitive nature of the data and the potential risks to individuals. The DPIA, similar to Article 35 of the General Data Protection Regulation (“GDPR”), is used to assess data processing activities that may involve high risks, particularly those involving new technologies, with the aim of preventing breaches and mitigating risks to data subjects.
Additionally, for cross-border data transfers, the transferor must conduct an analysis (such as a transfer impact assessment) to ensure that the data subject has the ability to exercise their rights and seek effective legal remedies in the recipient country.
Does this jurisdiction have any specific data breach notification requirements?
Yes. Board’s Decision No. 2019/10, dated 24.01.2019, establishes specific requirements for data breach notifications. According to this decision, data controllers and processors must notify the Authority within 72 hours of becoming aware of a personal data breach. The notification must include details of the breach, the affected data subjects, the potential risks, and the mitigation measures taken.
If the breach is likely to result in a high risk to individuals’ rights and freedoms, the affected data subjects must also be informed as soon as possible, using appropriate communication methods, to enable them to take protective steps. Failure to comply with the 72-hour notification obligation may lead to administrative sanctions, underscoring the importance of an effective incident response mechanism.
The essential requirements set out under the Decision are as follows:
- Data controllers must notify the Board within 72 hours of becoming aware of a breach and must promptly inform the affected data subjects after identifying them.
- Where notification to the Board cannot be made within 72 hours for justified reasons, the data controller must submit the notification together with the reasons for the delay.
- Notifications must be submitted online, via the Authority’s official website, using the standard Data Breach Notification Form published by the Board.
- If all required information cannot be provided at the time of the initial notification, the data controller may submit the missing information to the Board in stages, without undue delay.
- The data controller must document all details regarding the breach—including its effects and the measures taken—and make this information available to the Board upon request.
- Where a breach occurs within the processing activities of a data processor, the processor must immediately notify the data controller.
- Overseas data controllers are required to notify the Board if the breach (i) affects data subjects residing in Türkiye and (ii) relates to products or services offered to data subjects in Türkiye.
- Data controllers must maintain a formal data breach response plan and review it periodically. This plan should clearly identify internal reporting lines, individuals responsible for assessing the breach, and those in charge of executing notification obligations under the DP Law.
What restrictions apply to the international transfer of personal data / information?
Yes. On 12 March 2024, amendments were made to the cross-border data transfer provisions in the DP Law, which came into effect on 1 September 2024. The revisions align the DP Law with GDPR, introducing a three-stage process for legal cross-border data transfers:
- Adequacy Decisions: Cross-border data transfer is lawful if an adequacy decision has been given by the Board for (a) a country, (b) an international organization, or (c) a sector within a country. There has been no public announcement regarding the expected timing of such decisions. Therefore, this method is not currently applicable.
- Transfer with Adequate Safeguards: In the absence of an adequacy decision, the appropriate safeguard mechanisms for cross-border data transfers can be applied. Provided that data subjects have the opportunity to exercise their rights and seek effective legal remedies in the destination country, data controllers and processors may transfer personal data abroad if any of the following safeguards is provided by the parties:
  - The existence of an agreement between public and international authorities that is not an international treaty, and the Board authorizes the transfer
  - The existence of Binding Corporate Rules (“BCRs”) approved by the Board containing provisions on the protection of personal data
  - The existence of SCCs containing the matters announced by the Board. The data controller or data processor must notify the Board within 5 business days of the execution of the SCCs
  - The existence of a written undertaking letter containing provisions to ensure adequate protection, and authorization of the transfer by the Board
- Transfer Conditions for Exceptional Cases: Cross-border data transfers may be permitted under specific circumstances. These methods are intended for exceptional cases and are not applicable to regular or systematic transfers. These circumstances are as follows:
  - Obtaining explicit consent
  - Necessity for the performance of a contract with the data subject or for the implementation of pre-contractual measures
  - Necessity for the establishment, exercise, or protection of a right
  - Necessity for the protection of the vital interests of the data subject or another natural person
  - Necessity for compliance with a legal obligation
  - Necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the data is disclosed
  - Necessity for the purposes of legitimate interests pursued by the data controller or by a third party to whom the data is disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subject, particularly if the data subject is a child.
In practice, signing SCCs is a preferred method for regular data transfer processes. This is because obtaining approval for BCRs or commitment letters from the Board can be time-consuming. Since 2020, only 9 data controllers have had their commitment applications approved. Additionally, BCRs have a limited scope as they can only be signed between group companies. Since exceptional conditions apply only to non-regular data transfers, they offer a limited solution and may not be suitable for all data transfer processes.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
In line with the principle of territoriality applicable under the Turkish Law, the DP Law shall apply to all natural and legal persons who process Turkish-originated data, regardless of whether they are located in Türkiye or overseas.
What rules specifically deal with marketing?
In Türkiye, marketing activities involving personal data and the transmission of commercial electronic messages are governed by different regulatory frameworks.
From a data protection perspective, the processing of personal data for marketing purposes, including profiling, segmentation, targeted advertising or online behavioural advertising, is subject to the DP Law. As a general rule, personal data may be used for direct marketing purposes only with the data subject’s consent, unless another lawful basis is applicable. In practice, most marketing activities require explicit consent under the DP Law, especially where behavioural tracking or profiling is carried out.
Separately, the sending of commercial electronic messages such as promotional e-mails, SMS, calls, WhatsApp messages or app notifications is regulated under the e-Commerce Law and the Regulation on Commercial Communication and Commercial Electronic Messages (“e-Communication Regulation”). Under this regime, service providers must obtain the recipient’s prior consent before sending any commercial electronic message, except for certain limited exemptions such as transactional messages that do not contain a commercial purpose or specific B2B communications.
Accordingly, although both regimes rely on a consent requirement, they address different processes. Consent under the DP Law concerns the use of personal data for marketing activities. Consent under the e-commerce legislation concerns the act of sending commercial electronic messages.
For further details on the rules applicable to electronic marketing communications, please refer to the answer to the question titled “Does your jurisdiction have any rules specially dealing with electronic marketing (for example, by email, text, WhatsApp message, online ads etc)?”.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes. Prior consent is not required for sending commercial electronic messages to merchants. However, if a merchant exercises the right to opt out, no further commercial electronic messages may be sent unless the merchant subsequently provides an opt-in consent.
With regard to personal data processing, the DP Law does not differentiate between business-to-business and business-to-consumer marketing activities. Therefore, the same data protection requirements, including the need for an appropriate legal basis such as explicit consent for marketing purposes, apply regardless of whether the recipient is an individual consumer or a merchant.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Yes. Electronic commercial communication is regulated under the e-Communication Regulation.
As per the e-Communication Regulation, the recipient’s consent is required for sending electronic commercial messages.
The Regulation Amending the Regulation on Commercial Communication and Electronic Commercial Messages sets forth the establishment of a central and singular platform, with the purpose of conducting transactions that involve obtaining prior consent from recipients in order to send electronic commercial messages. On 4 January 2020, the Official Gazette (30998) published information on the recipient’s right of rejection and complaint procedures.
The Commercial Electronic Messages Management System (“MMS”) Registry was established to conduct the transactions involved in obtaining prior consent from recipients in order to send electronic commercial messages. Honouring the recipient’s right of rejection and the complaint procedures is mandatory for real or legal persons aiming to send commercial messages. Electronic messages cannot be sent to recipients whose approvals are not recorded in the MMS.
What rules specifically deal with cookies?
No specific rules apply to cookies. General rules for marketing and data protection apply.
Additionally, the Guide on Cookie Practices has been published to ensure the processing of personal data through cookies complies with the DP Law.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Non-compliance with certain obligations under the DP Law may trigger administrative sanctions pursuant to Article 18. The applicable minimum and maximum penalty amounts are updated annually in line with the revaluation rate; the figures below apply for the year 2025.
Here are the key figures for 2025:
- Violation of the obligation to inform may result in an administrative fine between TRY 47,303 – TRY 946,308 (2026 expected range: TRY 85,437 – TRY 1,709,200).
- Violation of obligations related to data security may result in an administrative fine between TRY 141,934 – TRY 9,463,213 (2026 expected range: TRY 256,357 – TRY 17,092,242).
- Failure to comply with the decisions of the Personal Data Protection Board may result in an administrative fine between TRY 236,557 – TRY 9,463,213 (2026 expected range: TRY 427,263 – TRY 17,092,242).
- Violation of the obligation to register with and notify VERBİS may result in an administrative fine between TRY 189,245 – TRY 9,463,213 (2026 expected range: TRY 341,809 – TRY 17,092,242).
- Failure to fulfil the obligation to notify SCCs may result in an administrative fine between TRY 50,000 – TRY 1,000,000 (2026 expected range: TRY 90,308 – TRY 1,806,177).
Also, under Turkish Criminal Law:
- Unlawful recording of personal data is punishable by imprisonment for 1 to 3 years. If the personal data unlawfully recorded relates to race, ethnic origin, political or philosophical views, sexual orientation, health or trade-union membership, the offence is punishable by imprisonment for up to 4 to 5 years.
- Illegally obtaining, transferring, and disseminating personal data is punishable by imprisonment for 2 to 4 years. However, if committed (i) by a public official in misuse of power, or (ii) by an individual misusing benefits or privileges of a profession or trade, then it is punishable by up to 6 years imprisonment.
- Failure to destroy personal data after expiration of the applicable statutory retention period is punishable by imprisonment for 1 to 2 years. However, where such failure is due to the nature of the data, within the purview of Turkish criminal law, then it is punishable by up to 4 years imprisonment.
Under the E-Commerce Law and the administrative fine ranges applicable for 2025, sending unsolicited commercial electronic messages may result in an administrative fine of up to approximately TRY 34,210. If the message is sent to multiple recipients, the fine may be increased by up to ten times.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?
Yes. Under the DP Law, there are several jurisdiction-specific obligations that may apply to entities located outside Türkiye but processing the personal data of individuals in Türkiye.
First, as noted under the section on registration requirements, foreign data controllers are required to appoint a data controller representative in Türkiye and complete the registration and notification obligations with VERBİS. This obligation applies irrespective of whether the data processing activities are conducted within Türkiye or abroad.
Second, before any processing activity begins, a privacy notice compliant with Article 10 of the DP Law must be provided to data subjects in Türkiye. Notices prepared under other jurisdictions (such as GDPR) are typically insufficient, as Turkish law prescribes specific content requirements and relies on different legal bases for processing.
Third, data controllers must implement the technical and administrative measures explicitly required under the DP Law and the Personal Data Security Guide published by the Authority. These requirements can differ from or exceed the standards adopted in other jurisdictions.
Finally, with respect to cross-border data transfers, no specific mechanism currently exists for foreign data controllers directly subject to the DP Law. While the SCCs published by the Board enable international transfers from Türkiye abroad, these clauses are designed primarily for Turkish data controllers and processors. In practice, where a multinational processes the personal data of individuals in Türkiye, SCCs can still be executed between the foreign entity and a Turkish counterparty to ensure an adequate safeguard mechanism for outbound transfers.
What upcoming data protection developments should multinational organisations be aware of?
In recent years, technological developments, particularly in artificial intelligence, machine learning and cybersecurity, have begun to reshape regulatory expectations in Türkiye. The DP Law is increasingly interpreted and updated in a way that reflects these advancements, with the Authority placing greater emphasis on algorithmic transparency, risks arising from automated decision-making, cybersecurity resilience and robust data governance practices.
Forthcoming legislative initiatives in the fields of artificial intelligence and cybersecurity are also expected to influence data protection compliance, as they will introduce clearer standards on risk management, security measures and accountability. These developments demonstrate a broader policy trend toward strengthening data security, addressing AI-driven processing risks and enhancing organisational responsibility.
Although the core structure of the DP Law remains in place, ongoing regulatory work points to a more technology-responsive and risk-based framework. As these reforms progress, organisations processing personal data in Türkiye, whether located within the country or abroad, will be required to align their governance mechanisms, technical measures and AI-related practices with evolving expectations regarding transparency, fairness and cybersecurity maturity.