Public Announcement by KVKK: Clarification on GDPR References in KVKK Disclosures
- A. F. Hanyaloglu

- Oct 6
Summary
On 8 November 2019, the Turkish Personal Data Protection Authority (the "Authority") published a public announcement reminding data controllers that they should not treat mere compliance with the EU’s GDPR as sufficient for compliance with data protection regulations in Turkey. While referencing GDPR in disclosures is permissible, the announcement emphasizes that meeting GDPR obligations does not relieve entities of their responsibilities under Turkey’s Law No. 6698 on the Protection of Personal Data ("KVKK"). This clarification is essential for firms handling Turkish personal data, especially multinational or cross-border operations.
What the Authority said
In its announcement, the Authority reaffirmed core requirements under the law and highlighted the following key points:
Data controllers (and their representatives, if any) must clearly identify themselves and disclose their contact information, the purposes of processing, categories of recipients, and legal bases—and do so in a transparent manner.
The KVKK specifically recalled that in disclosure/notice texts prepared to meet the "clarification" (aydınlatma) obligation, statements such as “this disclosure is compliant with GDPR” are not sufficient and do not substitute for compliance with the KVKK. In other words, referencing GDPR compliance does not exempt the data controller from fulfilling KVKK obligations.
The announcement underscores that the rules, policies, and statements included in clarification texts should explicitly affirm that those policies/practices first and foremost comply with the KVKK.
The Authority implicitly warns against over-relying on GDPR frameworks without verifying that all KVKK-specific requirements are fulfilled (e.g., local obligations in Turkey).
In its concluding remarks, the Authority notes that even if an entity claims GDPR compliance, it still must satisfy every requirement of Law No. 6698 and related secondary regulations. The announcement serves as a reminder that the existence of a GDPR-centric disclosure does not automatically meet Turkey’s legal standards.
Why this matters
This announcement is significant for a number of reasons. Below is a breakdown of its implications, especially for organizations doing business in or with Turkey.
1. Dual-compliance oversight is not optional — it is mandatory
Many international or digital businesses maintain a GDPR-based privacy and transparency framework, assuming that it covers them globally. That assumption is not safe in the Turkish context. The Authority is clearly signaling that GDPR alignment alone is insufficient — you must explicitly demonstrate compliance with the KVKK in addition to any GDPR obligations.
This is especially important for:
Foreign-based companies offering services in Turkey or processing data of Turkish individuals.
Turkish branches of multinational corporations that adopt a unified GDPR privacy policy.
Digital platforms (apps, web services, ad/analytic platforms) targeting Turkish users.
2. Disclosure (aydınlatma) texts should explicitly reference KVKK
When preparing your privacy notices / clarification texts, you should:
State that the policies comply with KVKK as a priority, not just “also with GDPR.”
Avoid misleading language implying that GDPR compliance automatically covers Turkish obligations.
Ensure that all sections (legal bases, data subject rights, transfer to third parties, retention periods, etc.) reflect KVKK standards (including any stricter or additional rules under Turkish law).
3. Risk of non-conformity and reputational or enforcement liability
If your disclosure materials fail to satisfy KVKK—even if they cite GDPR—you may be exposed to:
Enforcement actions by the Authority (e.g. warnings, fines).
Criticism or lack of trust from Turkish regulators or customers.
Weakness in internal compliance audits when Turkish law is reviewed.
4. This is a proactive signal from the regulator
This announcement is not tied to a particular enforcement case (at least publicly). Rather, it functions as a reminder and preventive warning: the Authority wants to preempt situations where entities misuse references to GDPR to try to bypass local obligations.
It also reflects a broader regulatory trend: jurisdictions often permit referencing “international standards” like GDPR, but they emphasize that local law must be satisfied alongside them. In other words, “GDPR + local rules” is the model, not “GDPR only.”
5. Consistency across Turkish and EU frameworks
For organizations that must comply with both GDPR and KVKK:
Don’t simply copy your GDPR notice and publish it in Turkey. Use it as a baseline, but adapt to Turkish law.
Wherever there is divergence (for instance, permitted legal bases, retention, or data transfer rules), make sure the Turkish version reflects the stricter or different requirement.
Document in your compliance records (audit trails, internal policies) that you have assessed both sets of requirements.
Key Takeaways
Referencing GDPR in clarification/disclosure texts is allowed, but cannot substitute for compliance with the KVKK.
Your disclosures must plainly affirm that your practices comply with KVKK first and foremost.
Entities that process data of Turkish individuals — whether domestic or international — must ensure that their privacy notices meet both GDPR and KVKK standards.
Misalignment or over-reliance on GDPR alone can expose you to regulatory risk in Turkey.
This announcement serves as a regulatory caution: compliance must be local as well as international.
