Skip to content
Biscotti CMP
FeaturesPricing🔍 Cookie Check♿ Accessibility📦 DownloadsDocumentationBlog
Login
Home›Blog

Doing Business in Turkey? What You Need to Know About the KVKK and VERBIS

July 7, 2026 · 15 min read

Doing Business in Turkey? What You Need to Know About the KVKK and VERBIS

Quick Answer: Turkey's primary data protection law, KVKK (Law No. 6698), applies to any organization, domestic or foreign, that processes personal data of individuals in Turkey. VERBIS is the mandatory data controller registry under KVKK. Most mid-to-large organizations must register with VERBIS or face administrative fines. As of 2026, the registration process is accessible via Turkey's e-Devlet platform, and exemption thresholds for small businesses have been clarified.


Key Takeaways

  • KVKK (Kişisel Verilerin Korunması Kanunu) is Turkey's data protection law, enacted in 2016 and modeled partly on GDPR principles, but with distinct local requirements.
  • VERBIS is the online registry where data controllers must declare their data processing activities before processing begins.
  • Foreign companies processing data of Turkish residents are subject to KVKK, regardless of where the company is based.
  • As of January 12, 2026, small-scale data controllers with fewer than 10 employees and an annual balance sheet below 10 million TL are exempt from VERBIS registration if their primary activity involves special category data. [4]
  • The VERBIS registration deadline was extended to June 5, 2026 for organizations qualifying based on 2025 financial statements. [1]
  • As of July 1, 2026, VERBIS services are fully integrated with Turkey's e-Devlet (e-Government) platform. [3]
  • Non-compliance penalties under Article 18 of KVKK can reach significant administrative fines, and the KVKK authority actively enforces them.
  • Consent under KVKK must be freely given, specific, informed, and unambiguous, a Consent Management Platform (CMP) is a practical tool for web-based compliance.

What Is KVKK? Turkey's Data Protection Law Explained

KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698) is Turkey's comprehensive personal data protection statute, enacted on April 7, 2016. It governs how personal data is collected, stored, processed, transferred, and deleted by data controllers and processors operating in Turkey.

The law established the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, also abbreviated KVKK), the independent supervisory body responsible for enforcement, guidance, and the VERBIS registry.

Core principles under KVKK include:

  • Lawfulness, fairness, and transparency
  • Purpose limitation (data collected for specified, explicit purposes only)
  • Data minimization
  • Accuracy and keeping data current
  • Storage limitation (data retained no longer than necessary)
  • Integrity and confidentiality

Any entity that determines the purposes and means of processing personal data qualifies as a "data controller" under KVKK and bears the primary compliance obligations.


KVKK vs. GDPR: Key Differences and Compliance Overlap

KVKK shares structural DNA with the EU's GDPR, but the two frameworks diverge in several operationally significant ways. Organizations already GDPR-compliant should not assume automatic KVKK compliance.

Dimension KVKK (Turkey) GDPR (EU)
Enacted 2016 2018 (enforcement)
Supervisory body KVKK Authority National DPAs per member state
Data registry VERBIS (mandatory for most) No equivalent mandatory registry
Data transfers abroad Requires explicit consent or adequacy Adequacy decisions or SCCs
DPO requirement No formal DPO mandate Mandatory in certain cases
Breach notification 72 hours to authority 72 hours to authority

Key divergence: KVKK requires data controllers to register with VERBIS and declare their processing activities proactively. GDPR has no equivalent public registry obligation. Additionally, KVKK's cross-border data transfer rules are more restrictive in practice, requiring either the data subject's explicit consent or a formal adequacy decision, and Turkey has not been granted EU adequacy status.

"GDPR compliance is a useful foundation, but doing business in Turkey requires a separate KVKK compliance layer, particularly around VERBIS registration and cross-border transfer rules."


What Is VERBIS and How Does It Work?

VERBIS (Veri Sorumluları Sicil Bilgi Sistemi) is the online registry maintained by the KVKK Authority where data controllers must register and declare their personal data processing activities before processing begins. Think of it as a public-facing inventory of who processes what data, for what purpose, and under what retention policy.

How VERBIS works in practice:

  1. The data controller creates an account on the VERBIS portal (now accessible via Turkey's e-Devlet platform as of July 1, 2026). [3]
  2. The controller declares each category of personal data processed, the purpose of processing, the legal basis, data categories, recipient groups, and retention periods.
  3. Declarations are submitted and become part of the public registry.
  4. Any changes to processing activities must be updated in VERBIS promptly.
  5. Failure to register or update triggers penalties under Article 18 of KVKK. [5]

On July 1, 2026, the KVKK Authority also released updated versions of the "Sorularla VERBİS" guidance document and the official VERBİS Kılavuzu (user guide) to help data controllers navigate registration obligations. [2]


Do Foreign Companies Need KVKK Compliance?

Yes. KVKK applies to any data controller that processes personal data of individuals located in Turkey, regardless of where the controller is incorporated or based. A German SaaS company with Turkish customers, a US e-commerce platform shipping to Turkey, or a UK marketing agency running campaigns targeting Turkish consumers, all fall within KVKK's scope.

Practical implications for foreign companies:

  • Must appoint a local representative in Turkey if they lack a physical presence (though the law's implementation on this point continues to evolve, consult local legal counsel).
  • Must comply with VERBIS registration requirements unless a specific exemption applies.
  • Cross-border data transfers out of Turkey require either explicit data subject consent or a formal adequacy mechanism, neither of which is straightforward for most non-EU destinations.

Common mistake: Foreign companies assuming that GDPR compliance or a generic privacy policy covers their Turkish user base. KVKK requires jurisdiction-specific disclosures, consent mechanisms, and registry declarations.


VERBIS Registration Requirements: Who Must Register and How

Most data controllers above the small-business exemption threshold are required to register with VERBIS. The obligation applies to both private sector entities and public institutions. [6]

Registration is required if the data controller:

  • Has 50 or more employees (full-time equivalent), OR
  • Has an annual financial balance sheet total exceeding 25 million TL, OR
  • Processes special categories of personal data (health, biometric, criminal records, etc.) regardless of size, unless the small-scale exemption applies (see below).

For startups and growing companies: The threshold is based on annual employee count and balance sheet figures. A startup that crosses the 50-employee mark or the balance sheet threshold in a given year becomes obligated to register. Registration must be completed before processing begins under the new threshold, not retroactively at year-end.

Step-by-step VERBIS registration process:

  1. Log in to the VERBIS portal via e-Devlet (e-Government gateway) using a KEP (registered electronic mail) address or authorized signatory credentials. [3]
  2. Complete the data controller profile (company name, legal form, contact details, authorized representative).
  3. Create a "processing activity" entry for each distinct category of personal data processed.
  4. For each activity, declare: data category, purpose, legal basis, data subject group, recipients, and retention period.
  5. Submit and receive a VERBIS registration number.
  6. Update the registry whenever processing activities change materially.

KVKK Exemptions: Small Businesses and What Data Is Not Covered

Not every organization must register with VERBIS. On January 12, 2026, the KVKK Authority clarified the exemption criteria for small-scale data controllers. [4]

Exemption applies when ALL three conditions are met:

  • Fewer than 10 employees
  • Annual balance sheet total below 10 million TL
  • Primary activity involves processing special categories of personal data (the exemption was specifically designed for small healthcare providers, clinics, and similar entities)

Legal analysis published by CMS Law notes that this exemption is narrower than it may initially appear, it is not a blanket small-business carve-out but specifically targets entities whose core business involves sensitive data categories. [7] Erdem & Erdem further clarified the application principles of these new exemptions. [8]

Data categories not covered by KVKK:

  • Anonymized data (where re-identification is impossible)
  • Data processed purely for personal or household purposes (no commercial activity)
  • Data processed by judicial authorities for criminal proceedings (governed by separate legislation)

Edge case: Pseudonymized data is still considered personal data under KVKK if the controller retains the means to re-identify individuals. Do not treat pseudonymization as equivalent to anonymization for compliance purposes.


KVKK Consent Requirements for Customer Data

Under KVKK, valid consent must be freely given, specific, informed, and unambiguous. Consent cannot be bundled with terms of service acceptance, and pre-ticked boxes do not constitute valid consent.

Consent must be:

  • Freely given: No coercion or conditioning of service access on consent
  • Specific: Tied to a defined purpose, not blanket authorization
  • Informed: Data subject must know who is collecting data and why
  • Unambiguous: Requires an affirmative action (click, signature, checkbox)

For websites and digital platforms, implementing a compliant Consent Management Platform is the most practical approach. Biscotti CMP is designed to help website owners and enterprises manage consent collection in a manner aligned with KVKK and other data protection frameworks, providing audit trails and granular consent records.

Explicit consent is additionally required for special categories of personal data (health, biometric, genetic, criminal records, etc.) and for cross-border data transfers where no adequacy mechanism exists.


KVKK Penalties and Fines for Non-Compliance

KVKK enforcement is not theoretical. The KVKK Authority has issued fines against both domestic and foreign entities. Penalties are governed by Article 18 of the law.

Administrative fine categories under Article 18:

  • Failure to fulfill disclosure obligations: 9,027 TL to 180,536 TL (approximate 2024 bracket; amounts are updated annually for inflation)
  • Failure to ensure data security: 45,135 TL to 9,027,000 TL
  • Failure to comply with KVKK Authority decisions: 45,135 TL to 9,027,000 TL
  • Failure to register with VERBIS or failure to update VERBIS: 39,337 TL to 1,966,862 TL

Note: Fine amounts are indexed annually and the figures above reflect published 2024 brackets. Verify current figures with the KVKK Authority or Turkish legal counsel for 2026 enforcement actions.

Criminal liability for certain violations (unlawful processing, failure to delete data) can result in imprisonment under the Turkish Penal Code, a dimension absent from GDPR's enforcement toolkit.


KVKK Data Breach Notification Rules

Under KVKK, data controllers must notify the KVKK Authority within 72 hours of becoming aware of a personal data breach. If the breach is likely to adversely affect data subjects, those individuals must also be notified promptly.

Breach notification checklist:

  • Identify and contain the breach
  • Assess the scope and likely impact on data subjects
  • Notify the KVKK Authority within 72 hours via the official notification form
  • Document the breach internally (what happened, what data was affected, remediation steps)
  • Notify affected data subjects if there is a high risk of harm

Failure to notify within the required timeframe is itself a sanctionable violation under Article 18.


Common KVKK Compliance Mistakes Businesses Make

1. Treating VERBIS as a one-time task. VERBIS entries must be updated whenever processing activities change. Acquiring a new CRM, launching a new marketing campaign with different data categories, or onboarding a new data processor all potentially require VERBIS updates.

2. Relying on GDPR consent for Turkish users. KVKK consent requirements have local nuances. A consent banner optimized for GDPR may not capture the specific disclosures required under KVKK.

3. Ignoring cross-border transfer rules. Sending Turkish customer data to a US-based analytics platform or cloud provider without a valid transfer mechanism is a common and frequently penalized violation.

4. Assuming small-business exemption without verification. The January 2026 clarification made clear that the exemption is conditional on all three criteria being met simultaneously. [4]

5. No data retention policy. KVKK requires data to be deleted, destroyed, or anonymized when the purpose for processing no longer exists. Many businesses collect data indefinitely without a documented retention schedule.


FAQ

Q: Is KVKK mandatory for all businesses operating in Turkey? Yes, any entity that processes personal data of individuals in Turkey is subject to KVKK, regardless of company size or nationality. VERBIS registration is mandatory for most entities above the small-business exemption threshold.

Q: What is the VERBIS registration deadline in 2026? The KVKK Authority extended the VERBIS registration deadline to June 5, 2026 for organizations qualifying based on their 2025 financial statements. [1] Organizations that already met prior thresholds should already be registered.

Q: Can a foreign company be fined under KVKK? Yes. The KVKK Authority has jurisdiction over any data controller processing Turkish residents' data, including foreign companies. Enforcement against foreign entities is an evolving area, but the legal exposure is real.

Q: Is there an alternative to VERBIS for declaring data processing activities? No. VERBIS is the sole mandatory registry under KVKK. There is no alternative mechanism for fulfilling the data controller registration obligation.

Q: How long does VERBIS registration take? With the e-Devlet integration as of July 1, 2026, the technical process can be completed in a few hours for straightforward cases. [3] However, the preparatory work, mapping all data processing activities, identifying legal bases, and documenting retention periods, typically takes weeks for mid-sized organizations.

Q: Does KVKK require a Data Protection Officer (DPO)? KVKK does not mandate a formal DPO role equivalent to GDPR's requirement. However, the KVKK Authority recommends that data controllers designate a responsible person internally to manage compliance.

Q: What constitutes special category personal data under KVKK? Special categories include: race, ethnic origin, political opinion, philosophical belief, religion, sect, health data, sexual life, criminal convictions, biometric data, and genetic data. Processing these categories requires explicit consent or a specific legal basis.

Q: How does KVKK handle cookie consent on websites? Cookies that collect personal data (analytics, advertising identifiers) require valid consent under KVKK. A compliant CMP such as Biscotti CMP can help website owners capture, store, and manage cookie consent in line with KVKK obligations.

Q: Are public institutions required to register with VERBIS? Yes. Public institutions and organizations are required to register with VERBIS. The registration period for public entities began April 1, 2019, with a completion deadline of June 30, 2020. [6]

Q: What happens if a company updates its processing activities but does not update VERBIS? Failure to update VERBIS to reflect current processing activities is treated as a compliance violation and can result in administrative fines under Article 18 of KVKK. [5]


Conclusion: Actionable Next Steps for KVKK and VERBIS Compliance

Doing business in Turkey requires a structured, jurisdiction-specific approach to data protection. KVKK is actively enforced, VERBIS registration is not optional for most organizations, and the January 2026 exemption clarifications have narrowed, not expanded, the carve-outs for small businesses. [4]

Immediate actions for organizations operating in Turkey:

  1. Conduct a data mapping exercise. Identify every category of personal data processed, its purpose, legal basis, and recipient.
  2. Determine VERBIS obligation. Apply the employee count and balance sheet thresholds to confirm whether registration is required. If in doubt, register.
  3. Register or update VERBIS. Use the e-Devlet-integrated VERBIS portal to complete or update your data controller registration. [3]
  4. Audit consent mechanisms. Ensure website consent banners and data collection forms meet KVKK's specific requirements. Consider deploying Biscotti CMP (www.biscotti-cmp.com) for structured, auditable consent management.
  5. Review cross-border transfer arrangements. Identify all third-party processors and cloud services receiving Turkish personal data and assess the legal basis for each transfer.
  6. Establish a breach response protocol. Document the 72-hour notification procedure and assign internal responsibility.
  7. Engage local legal counsel. KVKK interpretation continues to evolve, and a Turkish data protection attorney can provide jurisdiction-specific guidance that no general compliance framework can substitute.

The compliance landscape for doing business in Turkey is maturing rapidly. Organizations that treat KVKK as a checkbox exercise rather than an ongoing program will find themselves exposed as enforcement intensifies.


References

[1] Verbis Kayit Suresi Uzatildi - https://kvkkrehberi.com/verbis-kayit-suresi-uzatildi/?utm_source=openai

[2] Sorularla Veri Sorumlulari Sicil Bilgi Sistemi Verbis Ve Veri Sorumlulari Sicil Bilgi Sistemi Verbis Kilavuzu Guncellendi - https://www.kvkk.gov.tr/Icerik/8426/Sorularla-Veri-Sorumlulari-Sicil-Bilgi-Sistemi-VERBIS-ve-Veri-Sorumlulari-Sicil-Bilgi-Sistemi-VERBIS-Kilavuzu-Guncellendi?utm_source=openai

[3] Verbis Hizmetleri Artik E Devlet Kapisinda - https://www.kvkk.gov.tr/Icerik/5429/VERBIS-Hizmetleri-Artik-e-Devlet-Kapisinda?utm_source=openai

[4] VERBİS Değişikliklerine İlişkin 12.01.2026 Tarihli Kamuoyu Duyurusu - https://www.teb.org.tr/news/10991/VERB%C4%B0S-De%C4%9Fi%C5%9Fikliklerine-%C4%B0li%C5%9Fkin-12012026-Tarihli-Kamuoyu-Duyurusu?utm_source=openai

[5] Verbis E Kayitlar Devam Ediyor - https://www.kvkk.gov.tr/Icerik/5490/VERBIS-e-Kayitlar-Devam-Ediyor-?utm_source=openai

[6] Verbiskayit - https://www.kvkk.gov.tr/Icerik/5404/VerbisKayit?utm_source=openai

[7] Expanded Verbis Exemptions For Small Scale Data Controllers - https://cms.law/en/tur/legal-updates/expanded-verbis-exemptions-for-small-scale-data-controllers?utm_source=openai

[8] Verbis Kayit Yukumlulugune Iliskin Yeni Istisnalarin Uygulama Esaslari Aciklandi - https://www.erdem-erdem.av.tr/bilgi-bankasi/verbis-kayit-yukumlulugune-iliskin-yeni-istisnalarin-uygulama-esaslari-aciklandi?utm_source=openai


← Back to blog
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

🏢 About UsFeaturesPricingDocumentation🔍 Cookie Check📦 Downloads📚 Privacy & Consent Knowledge Base📝 Blog📖 Cookie Consent & Privacy Glossary🌍 Jurisdictions♿ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
© 2026 Biscotti – A service of Campcruisers GmbH🍪 Change cookie settings