KVKK Privacy Guide: ang Iyong Data Protection Rights in Turkey
Understand your rights under KVKK (Turkish Personal Data Protection Law). Alamin kung paano request data deletion, file complaints, and exercise ang iyong privacy rights in Turkey.
KVKK Privacy Guide: ang Iyong Data Protection Rights in Turkey
Turkey's Kisisel Verilerin Korunmasi Kanunu (KVKK), or Personal Data Protection Law No. 6698, has been in effect since 2016. It is Turkey's equivalent of the EU's GDPR, and it gives you significant rights over your personal data. Yet most Turkish citizens have never exercised these rights — many do not even know they exist.
This guide breaks down what KVKK means for you, how to use it, and when to escalate to the authorities.
Ano KVKK Protects
KVKK covers all "personal data" — any information that can identify you directly or indirectly:
| Data Category | Examples |
|---|---|
| Identity | TC Kimlik Numarasi, name, date of birth, photo |
| Contact | Phone number, email, home address |
| Financial | Bank account, credit card, salary, tax records |
| Health | Medical records, prescriptions, blood type |
| Biometric | Fingerprint, facial recognition data |
| Digital | IP address, cookies, browsing history, location data |
| Professional | Employment history, education, performance reviews |
| Sensitive | Political opinions, religious beliefs, criminal record |
Sino Must Comply
Every organization that processes personal data of people in Turkey must comply with KVKK. This includes:
- Turkish companies of all sizes
- International companies operating in Turkey
- Government agencies
- Healthcare providers
- Educational institutions
- Banks and financial institutions
- Online platforms and apps
Your Rights Under KVKK (Article 11)
KVKK grants you specific, actionable rights. Here is what maaari kang do:
1. Right to Know (Bilgilendirilme Hakki)
You can ask any organization whether they process your personal data and demand to know what data they hold about you.
2. Right to Access (Erisim Hakki)
You can request a complete copy of all personal data an organization holds about you.
3. Right to Rectification (Duzeltme Hakki)
If your data is incorrect or incomplete, maaari kang demand that it be corrected.
4. Right to Deletion (Silme Hakki)
You can request that your personal data be deleted when:
- The original purpose for processing no longer exists
- You withdraw your consent
- The data was processed unlawfully
- A legal obligation requires deletion
5. Right to Object (Itiraz Hakki)
You can object to:
- Automated decision-making based on your data
- Profiling that affects you
- Processing for direct marketing purposes
6. Right to Data Portability
You can request your data in a structured, machine-readable format to transfer to another service.
7. Right to Compensation (Tazminat Hakki)
If you suffer damages due to unlawful processing of your data, maaari kang claim compensation.
Paano to Exercise Your KVKK Rights: Step by Step
Hakbang 1
The "data controller" (veri sorumlusu) is the organization that determines why and how your data is processed. This is usually the company you have a direct relationship with.
Hakbang 2
KVKK requires that requests be made in writing. You can:
- Send a physical letter (registered mail recommended, iadeli taahhutlu mektup)
- Send an email using your registered email address
- Use the company's KVKK application form (many companies publish these on their websites)
Your request must include:
- Your full name and TC Kimlik Numarasi
- Your address or email for the response
- A clear description of what you are requesting
- Your signature (physical or electronic)
Hakbang 3
| Timeline | Requirement |
|---|---|
| 30 days | Maximum time for the data controller to respond |
| Free | Responses must generally be free of charge |
| Written | The response must be in writing |
Hakbang 4
If the organization does not respond within 30 days, or if you are unsatisfied with the response, maaari kang file a complaint with the KVKK Board (Kisisel Verileri Koruma Kurulu).
Paano to File a KVKK Complaint
Filing with the KVKK Board
- Prerequisite: You must first apply to the data controller directly and either receive an unsatisfactory response or receive no response sa loob ng 30 days
- Deadline: File your complaint sa loob ng 30 days of receiving the response (or 60 days pagkatapos your initial request if no response was given)
- How to file: Through the KVKK website (kvkk.gov.tr) or by registered mail to the board's address
- Required documents: Copy of your original request, the response (if any), your identity information, and a clear explanation of your complaint
Ano the Board Can Do
The KVKK Board has real enforcement power:
| Action | Description |
|---|---|
| Order compliance | Direct the organization to fulfill your request |
| Administrative fines | Fine the organization (up to 1,966,862 TL as of 2026) |
| Data destruction order | Order the deletion of unlawfully processed data |
| Public announcement | Publish the violation publicly |
| Criminal referral | Refer cases to the prosecutor for criminal charges |
Practical KVKK Scenarios
Scenario 1: Unwanted Marketing
You keep receiving SMS promotions from a company you shopped at once. Under KVKK, maaari kang:
- Contact the company and demand they stop processing your data for marketing
- Request deletion of your phone number from their marketing database
- File a complaint with KVKK if they do not comply within 30 days
Scenario 2: Data Breach Notification
A company you use announces a data breach. Under KVKK, they are required to notify both the KVKK Board and affected individuals "as soon as possible." If you learn about a breach through the news rather than a direct notification, this itself may be a KVKK violation worth reporting.
Scenario 3: Excessive Data Collection
A mobile app asks for your TC Kimlik Numarasi when it has no legitimate reason (e.g., a food delivery app). You can:
- Refuse to provide the data
- Report the excessive data collection to KVKK
- Request deletion if you already provided it
Scenario 4: Employment Exit
When you leave a job, your former employer must delete personal data that is no longer needed for legal retention requirements. You can request an inventory of what data they still hold and demand deletion of anything unnecessary.
KVKK vs. GDPR: Key Differences
| Feature | KVKK | GDPR |
|---|---|---|
| Scope | Turkey only | EU/EEA + global reach |
| Consent | Explicit consent required for most processing | Explicit consent is one of six legal bases |
| DPO requirement | Not mandatory | Mandatory for certain organizations |
| Breach notification | "As soon as possible" (no fixed deadline) | 72 hours |
| Maximum fine | ~2 million TL | Up to 20 million EUR or 4% of global revenue |
| International transfer | Requires adequacy decision or explicit consent | Similar framework with adequacy decisions |
Pagprotekta sa ang Iyong Privacy Proactively
While KVKK gives you reactive rights, proactive privacy protection is even more important:
- Minimize data sharing: Only provide personal data when absolutely necessary
- Read privacy policies: Check what data is collected and how it is used bago signing up
- Use aliases: For services that do not need your real name, consider using alternatives
- Separate email addresses: Use different emails for different purposes (banking, shopping, newsletters)
- Share sensitive data securely: When you must share personal information like your TCKN or financial details, use encrypted channels
For situations where kailangan mong share sensitive personal data covered by KVKK — medical records, financial information, identity documents — use LOCK.PUB to create password-protected, expiring memos. This ensures your data does not persist in insecure channels and reduces the risk of unauthorized access.
Pagbuo ng a Data-Conscious Culture
Turkey's digital transformation is accelerating, and with it, the amount of personal data flowing through digital systems. Understanding your KVKK rights is not just about legal compliance — it is about taking control of your digital life.
When kailangan mong transmit personal information that falls under KVKK protection, always ask yourself: does this channel protect my data adequately? If the answer is no, tools like LOCK.PUB offer a simple way to add encryption and expiration to your sensitive communications.
Share this guide with friends and family. The more people exercise their KVKK rights, the stronger the culture of data protection becomes in Turkey.
Your personal data is yours. KVKK gives you the tools to protect it — use them.
Keywords
You might also like
Ukrainian Tax ID (ІПН) Identity Theft: Paano Protektahan ang Pinaka-Sensitibong Numero Mo
Paano inaabuso ng mga kriminal ang Ukrainian ІПН para sa identity theft.
VPN at Privacy Guide para sa mga Ukrainian: Wartime Digital Security Essentials
Praktikal na gabay sa VPN at digital privacy para sa mga Ukrainian.
Bangladesh NID Identity Theft: Paano Protektahan ang National ID Mo mula sa Fraud
Alamin kung paano ginagamit ng mga kriminal ang Bangladesh National ID Card (NID) para sa fraud, SIM registration, at pekeng loans. Praktikal na hakbang para protektahan ang identity mo.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free