About Personal Data Protection Authority (KVKK)

The Personal Data Protection Authority (KVKK) is a regulatory and supervisory institution established to monitor the lawful processing of personal data and to ensure protection of personal data in Türkiye. KVKK, which was established in Ankara, the capital of the Republic of Türkiye, in accordance with the Personal Data Protection Law No. 6698, which entered into force on 7 April 2016, is a public institution with administrative and financial autonomy authorized for the protection of personal data.

In the Authority, which consists of the Personal Data Protection Board and the Presidency, the decision body is the Board, and it performs and exercises duties and powers conferred on it under the Law and other legislation independently, under its own responsibility. The Board consists of nine members, including the President. The main duties of the board are to take necessary regulatory actions in matters falling within its scope of duty, to examine whether personal data are processed in accordance with the laws upon complaints or ex officio, and to impose sanctions when necessary. In addition, if it is determined that the breach is widespread, upon complaint or ex officio, the Board takes a resolution on this matter and publishes this resolution.

The Personal Data Protection Law pursues a balance between freedom and security, technology and privacy, the protection of the individual-data-based economy and the interests of those processing personal data and the fundamental rights of the persons whose data is processed. The Authority has issued several numerous guidelines for the sound implementation of the Law. Some of the guidelines have been published so far can be listed as; Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence, Guide to the Right to Be Forgotten, Guidelines on Considerations for the Processing of Biometric Data, Guidelines to Fulfilling the Obligation to Inform, Guidelines on Personal Data Security (Technical and Organizational Measures). In addition, the Authority has published "False Facts I and II" documents to raise public awareness and to clarify the issues that are determined to be frequently misapplied by data controllers.

The Authority aims to promote public awareness and ensure the best practices by maintaining communication within the sectors through “Wednesday Seminars” broadcast live online, “Awareness Meetings” held in different provinces of Türkiye and “A Little Awareness is Enough” podcast series, which started broadcasting on December 2021. Acting with the awareness of the need for developing a data protection culture specifically among the youth and children, the Authority has been a pioneer in conducting promotional activities such as the “Project to Raise Personal Data Protection Volunteers among University Youth” and a cartoon series called “Data Crew”.

Historical Process of the Law on Protection of Personal Data No. 6698

Türkiye is one of the first signatories Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108), which was opened for signature on January 28, 1981. With the Turkish Penal Code, which entered into force in 2005 in our country, types of crimes related to personal data were regulated, and although there are tools in our legislation that can ensure the protection of personal data, the right to protection of personal data has been recognized as a constitutional right and guaranteed by the constitutional amendment made in 2010. According to Article 20 of the Constitution of the Republic of Türkiye; everyone has the right to request the protection of his/her personal data.

Following the works on the Law No 6698, prepared by taking the Directive 95/46/EC as a basis within the scope of the EU harmonization process, the Law was published in the Official Gazette on April 7, 2016. Although the Law No. 6698 has been prepared on the basis of the Directive, the Authority still continues its activities for the compliance with GDPR

KVKK in the International Area

With the aim of creating a new platform for the sharing of relevant regulations and practices in the international arena, the Authority organized the “1st International Congress on Personal Data Protection” in November 2021 with the valuable contributions of the President Commissioners of Foreign Data Protection Authorities to discuss the “Developments in the World and Türkiye.”

KVKK meticulously follows and participates in the work of the working groups established within the GPA that offer pioneering reports/guidelines in the field of personal data protection, especially the subgroups of the International Enforcement Working Group. In addition, the Authority actively contributes to various international cooperation processes as a member of the Global Privacy Enforcement Network (GPEN) and Spring Conference. In 2021, the Authority was accepted to APPA with observer status and in this context, it participated in the 56th Forum organized online, hosted by the Office of the Information and Privacy Commissioner for British Columbia (OIPC), Canada.

The activities that our Authority is part of  in other international organizations are; “Digital Economy Task Force” working group under G20, Working Party on Measurement and Analysis of the Digital Economy (WPMADE) conducted by Committee on Digital Economy Policy (CDEP) under OECD, Working Party on Data Governance and Privacy in the Digital Economy (WPDGP) conducted by Committee on Digital Economy Policy (CDEP) under OECD, Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) Bureau Meetings, Digital Economy and Society Index (DESI) studies.   

In a time where the cross-border data flows accelerate with the developments in the technological field, it is of high importance to ensure the cooperation desired among data protection authorities and the protection of personal data in a common understanding. Acting with this awareness, our Authority will always be open to cooperation proposals, information sharing and exchange of views on the activities to be carried out in the field of data protection and privacy.

You can visit the website to have more detailed information about the Authority.