• Burak Ozdagistanli

Turkish DPA: Compliance with GDPR Does Not Mean Compliance with Turkish Data Protection Law

On November 6, 2019 the Turkish Data Protection Authority ("DPA") published a statement on its website stating;

1- DPA reviewed privacy notices in several websites and notices that there are references to GDPR,

2- Privacy notices and relevant policies contain wording suggesting that the data controller is acting in line with the GDPR,

3- Such wording is not sufficient for compliance with Law on Protection of Personal Data ("KVKK") and

4- Privacy notices and relevant policies should firstly state that the controller is acting in line with the KVKK instead of GDPR.

Further, the DPA once again reminded the minimum content requirements for privacy policies which are

a- Identity of the data controller and its representative if any,

b- Purpose of processing,

c- Transfer of data to third parties and purpose of such transfer,

d- Method of data collection and legal basis for processing (by specifically stating any of the statutory justifications mentioned in Articles 5 and 6 of the KVKK)

d- Rights of the data subject under KVKK Article 11,

In light of the above, the Turkish DPA clearly states that compliance with the GDPR does not mean compliance with the KVKK, therefore specific compliance steps should be taken for KVKK.

39 views0 comments

Recent Posts

See All

Countdown For Compliance with Turkish Data Protection Law

Authors: Burak Özdagıstanli, Sümeyye Uçar, Bensu Özdemir Natural or legal persons who process personal data under the Law on Personal Data Protection with no. 6698 (“DPL”) must register to the Data Co


The protection period of the registered trademark is ten years from the application date, as regulated in the Industrial Property Law numbered 6769 (“SMK”), and as long as the trademark is registered,