• Burak Ozdagistanli

Turkish DPA: Compliance with GDPR Does Not Mean Compliance with Turkish Data Protection Law

On November 6, 2019 the Turkish Data Protection Authority ("DPA") published a statement on its website stating;


1- DPA reviewed privacy notices in several websites and notices that there are references to GDPR,

2- Privacy notices and relevant policies contain wording suggesting that the data controller is acting in line with the GDPR,

3- Such wording is not sufficient for compliance with Law on Protection of Personal Data ("KVKK") and

4- Privacy notices and relevant policies should firstly state that the controller is acting in line with the KVKK instead of GDPR.


Further, the DPA once again reminded the minimum content requirements for privacy policies which are

a- Identity of the data controller and its representative if any,

b- Purpose of processing,

c- Transfer of data to third parties and purpose of such transfer,

d- Method of data collection and legal basis for processing (by specifically stating any of the statutory justifications mentioned in Articles 5 and 6 of the KVKK)

d- Rights of the data subject under KVKK Article 11,


In light of the above, the Turkish DPA clearly states that compliance with the GDPR does not mean compliance with the KVKK, therefore specific compliance steps should be taken for KVKK.

43 views0 comments

Recent Posts

See All

For many years, the allocation and transactions of ".tr" domain names have been carried out by the Middle East Technical University (“METU”) through the Nic.TR system. With the Regulation on Internet

Turkish legislation provides that the revocation of a registered trademark is a consequence of the legal issues that occurred concerning the trademark owner. Trademark revocation initiates in case of