KVKK Privacy Guide: Your Data Protection Rights in Turkey
Understand your rights under KVKK (Turkish Personal Data Protection Law). Learn how to request data deletion, file complaints, and exercise your privacy rights in Turkey.
Turkey's Kisisel Verilerin Korunmasi Kanunu (KVKK), or Personal Data Protection Law No. 6698, has been in effect since 2016. It is Turkey's equivalent of the EU's GDPR, and it gives you significant rights over your personal data. Yet most Turkish citizens have never exercised these rights — many do not even know they exist.
This guide breaks down what KVKK means for you, how to use it, and when to escalate to the authorities.
What KVKK Protects
KVKK covers all "personal data" — any information that can identify you directly or indirectly:
| Data Category | Examples |
|---|---|
| Identity | TC Kimlik Numarasi, name, date of birth, photo |
| Contact | Phone number, email, home address |
| Financial | Bank account, credit card, salary, tax records |
| Health | Medical records, prescriptions, blood type |
| Biometric | Fingerprint, facial recognition data |
| Digital | IP address, cookies, browsing history, location data |
| Professional | Employment history, education, performance reviews |
| Sensitive | Political opinions, religious beliefs, criminal record |
Who Must Comply
Every organization that processes personal data of people in Turkey must comply with KVKK. This includes:
- Turkish companies of all sizes
- International companies operating in Turkey
- Government agencies
- Healthcare providers
- Educational institutions
- Banks and financial institutions
- Online platforms and apps
Your Rights Under KVKK (Article 11)
KVKK grants you specific, actionable rights. Here is what you can do:
1. Right to Know (Bilgilendirilme Hakki)
You can ask any organization whether they process your personal data and demand to know what data they hold about you.
2. Right to Access (Erisim Hakki)
You can request a complete copy of all personal data an organization holds about you.
3. Right to Rectification (Duzeltme Hakki)
If your data is incorrect or incomplete, you can demand that it be corrected.
4. Right to Deletion (Silme Hakki)
You can request that your personal data be deleted when:
- The original purpose for processing no longer exists
- You withdraw your consent
- The data was processed unlawfully
- A legal obligation requires deletion
5. Right to Object (Itiraz Hakki)
You can object to:
- Automated decision-making based on your data
- Profiling that affects you
- Processing for direct marketing purposes
6. Right to Data Portability
You can request your data in a structured, machine-readable format to transfer to another service.
7. Right to Compensation (Tazminat Hakki)
If you suffer damages due to unlawful processing of your data, you can claim compensation.
How to Exercise Your KVKK Rights: Step by Step
Step 1: Identify the Data Controller
The "data controller" (veri sorumlusu) is the organization that determines why and how your data is processed. This is usually the company you have a direct relationship with.
Step 2: Submit a Written Request
KVKK requires that requests be made in writing. You can:
- Send a physical letter (registered mail, iadeli taahhutlu mektup, is recommended)
- Send an email using your registered email address
- Use the company's KVKK application form (many companies publish these on their websites)
Your request must include:
- Your full name and TC Kimlik Numarasi
- Your address or email for the response
- A clear description of what you are requesting
- Your signature (physical or electronic)
Step 3: Wait for a Response
| Aspect | Requirement |
|---|---|
| 30 days | Maximum time for the data controller to respond |
| Free | Responses must generally be free of charge |
| Written | The response must be in writing |
Step 4: Escalate If Needed
If the organization does not respond within 30 days, or if you are unsatisfied with the response, you can file a complaint with the KVKK Board (Kisisel Verileri Koruma Kurulu).
How to File a KVKK Complaint
Filing with the KVKK Board
- Prerequisite: You must first apply to the data controller directly and either receive an unsatisfactory response or receive no response within 30 days
- Deadline: File your complaint within 30 days of receiving the response (or 60 days after your initial request if no response was given)
- How to file: Through the KVKK website (kvkk.gov.tr) or by registered mail to the board's address
- Required documents: Copy of your original request, the response (if any), your identity information, and a clear explanation of your complaint
What the Board Can Do
The KVKK Board has real enforcement power:
| Action | Description |
|---|---|
| Order compliance | Direct the organization to fulfill your request |
| Administrative fines | Fine the organization (up to 1,966,862 TL as of 2026) |
| Data destruction order | Order the deletion of unlawfully processed data |
| Public announcement | Publish the violation publicly |
| Criminal referral | Refer cases to the prosecutor for criminal charges |
Practical KVKK Scenarios
Scenario 1: Unwanted Marketing
You keep receiving SMS promotions from a company you shopped at once. Under KVKK, you can:
- Contact the company and demand they stop processing your data for marketing
- Request deletion of your phone number from their marketing database
- File a complaint with KVKK if they do not comply within 30 days
Scenario 2: Data Breach Notification
A company you use announces a data breach. Under KVKK, they are required to notify both the KVKK Board and affected individuals "as soon as possible." If you learn about a breach through the news rather than a direct notification, this itself may be a KVKK violation worth reporting.
Scenario 3: Excessive Data Collection
A mobile app asks for your TC Kimlik Numarasi when it has no legitimate reason (e.g., a food delivery app). You can:
- Refuse to provide the data
- Report the excessive data collection to KVKK
- Request deletion if you already provided it
Scenario 4: Employment Exit
When you leave a job, your former employer must delete personal data that is no longer needed for legal retention requirements. You can request an inventory of what data they still hold and demand deletion of anything unnecessary.
KVKK vs. GDPR: Key Differences
| Feature | KVKK | GDPR |
|---|---|---|
| Scope | Turkey only | EU/EEA + global reach |
| Consent | Explicit consent required for most processing | Explicit consent is one of six legal bases |
| DPO requirement | Not mandatory | Mandatory for certain organizations |
| Breach notification | "As soon as possible" (no fixed deadline) | 72 hours |
| Maximum fine | ~2 million TL | Up to 20 million EUR or 4% of global revenue |
| International transfer | Requires adequacy decision or explicit consent | Similar framework with adequacy decisions |
Protecting Your Privacy Proactively
While KVKK gives you reactive rights, proactive privacy protection is even more important:
- Minimize data sharing: Only provide personal data when absolutely necessary
- Read privacy policies: Check what data is collected and how it is used before signing up
- Use aliases: For services that do not need your real name, consider using alternatives
- Separate email addresses: Use different emails for different purposes (banking, shopping, newsletters)
- Share sensitive data securely: When you must share personal information like your TCKN or financial details, use encrypted channels
For situations where you need to share sensitive personal data covered by KVKK — medical records, financial information, identity documents — use LOCK.PUB to create password-protected, expiring memos. This ensures your data does not persist in insecure channels and reduces the risk of unauthorized access.
Building a Data-Conscious Culture
Turkey's digital transformation is accelerating, and with it, the amount of personal data flowing through digital systems. Understanding your KVKK rights is not just about legal compliance — it is about taking control of your digital life.
When you need to transmit personal information that falls under KVKK protection, always ask yourself: does this channel protect my data adequately? If the answer is no, tools like LOCK.PUB offer a simple way to add encryption and expiration to your sensitive communications.
Share this guide with friends and family. The more people exercise their KVKK rights, the stronger the culture of data protection becomes in Turkey.
Your personal data is yours. KVKK gives you the tools to protect it — use them.