• Burak Ozdagistanli

Turkish DPA: Compliance with GDPR Does Not Mean Compliance with Turkish Data Protection Law

On November 6, 2019 the Turkish Data Protection Authority ("DPA") published a statement on its website stating;


1- DPA reviewed privacy notices in several websites and notices that there are references to GDPR,

2- Privacy notices and relevant policies contain wording suggesting that the data controller is acting in line with the GDPR,

3- Such wording is not sufficient for compliance with Law on Protection of Personal Data ("KVKK") and

4- Privacy notices and relevant policies should firstly state that the controller is acting in line with the KVKK instead of GDPR.


Further, the DPA once again reminded the minimum content requirements for privacy policies which are

a- Identity of the data controller and its representative if any,

b- Purpose of processing,

c- Transfer of data to third parties and purpose of such transfer,

d- Method of data collection and legal basis for processing (by specifically stating any of the statutory justifications mentioned in Articles 5 and 6 of the KVKK)

d- Rights of the data subject under KVKK Article 11,


In light of the above, the Turkish DPA clearly states that compliance with the GDPR does not mean compliance with the KVKK, therefore specific compliance steps should be taken for KVKK.

41 views0 comments

Recent Posts

See All

Authors: Hatice Ekici Tağa, Burak Özdağıstanli, Sümeyye Uçar, Öykü Su Sabancı Gambling is defined as “games that are performed for profit and in which profit and loss depend on luck” in the Turkish Pe

Authors: Burak Özdagıstanli, Sümeyye Uçar, Öykü Su Sabancı The ongoing covid-19 pandemic dominated legal developments in 2021 as restrictions were maintained in order to mitigate its impact. In additi

Authors: Burak Özdagıstanli, Sümeyye Uçar, Bensu Özdemir Natural or legal persons who process personal data under the Law on Personal Data Protection with no. 6698 (“DPL”) must register to the Data Co