Support Centre



Law: Law on Protection of Personal Data No. 6698 ('the Law')

Regulator: Personal Data Protection Authority ('KVKK')

Summary: The Law outlines a similar framework to the European Data Protection Directive (Directive 95/46/EC). Secondary legislation in Turkey, in the form of regulations and communications, has been evolving in line with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law establishes the KVKK and the Board as the supervisory authorities responsible for its enforcement. The KVKK serves a mostly administrative role, while the Board is the decision-making organ within the KVKK. The KVKK was established as an independent regulatory authority with institutional and financial autonomy and is responsible for ensuring personal data protection and raising awareness in this respect.


In this report, OneTrust DataGuidance and Esin Attorney Partnership provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Law on Protection of Personal Data (LPPD). 

The report, which was last updated in April 2023, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the LPPD with the  GDPR. 

You can access the latest version of the report here.

On 5 August 2022, the Personal Data Protection Authority ('KVKK') published its Guide on Good Practices in the Banking Sector regarding the Protection of Personal Data1 ('the Guide'). Melis Mert, Managing Associate – Attorney at Law at BTS & Partners, discusses the provisions of the Guide and its enforceability.

Law on Protection of Personal Data No. 6698 ('the Law') introduced a significant number of responsibilities for domestic and foreign data controllers, among which the appointment of a data controller representative ('DCR'). Can Sözer, Berfu Öztoprak, and Ecenur Etiler, from Esin Attorney Partnership, discuss the role of DCRs and compare it to that of contact persons and data protection officers ('DPOs').

In Turkey, rules regarding commercial communications are governed under Law No. 6563 of 2014 on the Regulation of Electronic Commerce ('the E-Commerce Law') and the Regulation on Commercial Communications and Electronic Commercial Messages 2015 ('the Regulation on Commercial Communication'). In 2020, with the amendments made under the Regulation on Commercial Communication, Turkish legislators introduced the Commercial Electronic Message Management System ('İYS'). Can Sözer, Berfu Öztoprak, Ecem Elver, and Ecenur Etiler, from Esin Attorney Partnership, provides an overview of the İYS, including which data companies need to submit to it and details regarding the registration procedure.

On 16 June 2022, the Personal Data Protection Authority ('KVKK') published the draft guidelines on examination of loyalty programs within the scope of the Personal Data Protection Law No. 6698 ('the Law') on its official website for public consultation, with the KVKK accepting opinions on the draft guidelines from stakeholders up until 16 July 2022. Melis Mert and Büşra Haltaş, from BTS&Partners, provide a summary of the key points presented by the KVKK in the draft guidelines.

The increasing use of the internet has amplified the importance of online tools in our daily lives. This trend has assigned great significance to the use of cookies and introduced legal and technical regulations worldwide. İlay Yılmaz, Can Sözer, Berfu Öztoprak, and Aybüke Gündel Solak, from Esin Attorney Partnership, discuss cookies, principles for data processing through cookies, as well as different trends and frameworks regulating their use in Turkey.

On 12 December 2019, the Turkish Institute of Health Data Research and Artificial Intelligence Applications ('the Institute') was established under the Presidency of Turkish Health Institutes, one of the institutions of the Ministry of Health. Melis Mert and Miray Muratoğluc, from BTS & Partners, discuss the background to the Institute, as well as to the health and artificial intelligence ('AI') in Turkey.

On 11 January 2022, the Personal Data Protection Authority ('KVKK') published its draft guidelines on cookie applications1 ('the Draft Guidelines') for public consultation, which covers cookies placed on the devices of data subjects and relevant privacy-related obligations. Melis Mert and Kaan İlısu, from BTS & Partners, provide an overview of the Draft Guidelines for data controllers who process personal data via cookies and are subject to the Law.

Artificial intelligence ('AI') is a concept that is progressively becoming more important in our daily lives and in most industries. Although its most prominent aim is to make our lives easier, data privacy concerns surrounding AI raise questions for regulators and individuals. AI's swift emergence and development in most markets and industries demands a more rigorous approach to establishing guidelines for it. İlay Yılmaz, Can Sözer, Yigit Acar, and Ecenur Etiler, from Esin Attorney Partnership, discuss the emergence of various guidelines, ethical rules, and recommendations on AI practices from the EU and Turkey.

Five years after the enactment of the Law on Protection of Personal Data No. 6698 ('the Law'), the Personal Data Protection Authority ('KVKK') has introduced the new concept of a data protection officer ('DPO') with the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism1 ('the Communiqué'), which was published in the Official Gazette on 6 December 2021, and entered into force on the same date. Although the term 'DPO' is the same as the one recognised under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the Communiqué introduced a more basic and non-compulsory system for Turkish DPOs. Melis Mert and Miray Muratoğlu, from BTS & Partners, provide an overview of the new Turkish DPO role and the obligations and consequences of the Communiqué.