Skill

turkey-kvkk

Implements Turkey KVKK compliance: data controller obligations, VERBIS registration, data subject rights, cross-border transfers, Board decisions, fines.

security

npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Supporting Assets

assets/template.mdreferences/standards.mdreferences/workflows.mdscripts/process.py

SKILL.md

Similar Skills

github-deep-research

63.9k

Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.

2 files

bytedance-deer-flow-1

surprise-me

63.9k

Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.

bytedance-deer-flow-1

image-generation

63.9k

Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.

2 files

bytedance-deer-flow-1

Stats

Parent Repo Stars37

Parent Repo Forks4

Last CommitMar 16, 2026

Actions

View Source View Plugin View on GitHub View README

Turkey KVKK Compliance

Overview

The Kisisel Verilerin Korunmasi Kanunu (KVKK), Law No. 6698, is Turkey's comprehensive personal data protection law. It was published in the Official Gazette on 7 April 2016 and entered into force on the same date. The KVKK is modelled on the EU Data Protection Directive 95/46/EC and shares structural similarities with the GDPR, though there are significant differences in cross-border transfer mechanisms, consent requirements, and the role of the Personal Data Protection Authority (Kisisel Verileri Koruma Kurumu, KVKK Authority) and its decision-making body, the Personal Data Protection Board (Kurul).

Turkey applied for EU membership in 1987, and the KVKK was enacted partly to align with EU data protection standards. However, Turkey has not received an adequacy decision from the European Commission under GDPR Article 45, which creates complexity for EU-Turkey data flows.

Key Definitions

Turkish Term	English	GDPR Equivalent
Kisisel veri	Personal data	Personal data (Art. 4(1))
Ozel nitelikli kisisel veri	Special category personal data	Special category data (Art. 9)
Veri sorumlusu	Data controller	Controller (Art. 4(7))
Veri isleyen	Data processor	Processor (Art. 4(8))
Ilgili kisi	Data subject / Relevant person	Data subject
Acik riza	Explicit consent	Consent
VERBIS	Data Controllers Registry	No direct equivalent (registration system)

Lawful Bases for Processing (Article 5)

Processing of personal data is prohibited without the explicit consent of the data subject, except where:

Expressly provided by law — processing is clearly laid down in legislation
Necessary for protection of life or physical integrity — where the data subject or another person is physically or legally incapable of giving consent
Necessary for performance of a contract — directly related to establishing or performing a contract
Necessary for the controller to fulfil a legal obligation
Data made public by the data subject — manifestly made public
Necessary for establishment, exercise, or defence of a right
Necessary for legitimate interests of the controller — provided this does not violate fundamental rights and freedoms of the data subject

Special Category Data (Article 6)

Special category data includes: race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dressing, association/foundation/union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Processing requires either:

Explicit consent of the data subject, OR
Express authorisation by law (for categories other than health and sexual life)
For health and sexual life data: processing by persons or authorised institutions under secrecy obligations for purposes of public health, preventive medicine, medical diagnosis, treatment, care, or health service management

VERBIS — Data Controllers Registry

All data controllers meeting the registration threshold must register with VERBIS (Veri Sorumlulari Sicil Bilgi Sistemi). Registration requires disclosure of:

Identity and contact information of the data controller and representative
Purpose of data processing
Categories of data subjects and personal data
Recipients or categories of recipients
Personal data transferred abroad and transfer safeguards
Maximum retention periods
Security measures taken

Exemptions from VERBIS: The Board has exempted certain categories including data controllers processing data as required by law, data controllers with fewer than 50 employees and less than TRY 100 million annual turnover (provided core activity is not special category data processing), and notaries.

Cross-Border Transfers (Article 9)

Transfer of personal data abroad requires:

Explicit consent of the data subject, OR
One of the Article 5(2) or Article 6(3) conditions is met, AND one of:
- Transfer is to a country with adequate protection (as determined by the Board — as of 2026 the Board has not yet published a list of adequate countries)
- Data controllers in Turkey and abroad provide adequate protection in writing and the Board grants permission
- Binding corporate rules approved by the Board

2024 Amendment: The KVKK was amended in March 2024 to introduce new cross-border transfer mechanisms including standard contractual clauses and adequacy decisions aligned more closely with GDPR Chapter V, with transitional provisions extending to 1 September 2024.

Data Subject Rights (Article 11)

Data subjects have the right to:

Learn whether their personal data is being processed
Request information about processing if data has been processed
Learn the purpose of processing and whether data is used in accordance with its purpose
Know the third parties to whom personal data is transferred domestically or abroad
Request rectification of incomplete or inaccurate data
Request erasure or destruction of personal data under Article 7
Request notification of rectification/erasure to third parties
Object to a result that is against them produced by analysis of processed data exclusively through automated systems
Claim compensation for damages arising from unlawful processing

Enforcement and Penalties

The Personal Data Protection Board may impose administrative fines:

TRY 5,000 to 1,000,000 for failure to comply with the obligation to inform (Article 10)
TRY 15,000 to 1,000,000 for failure to comply with data security obligations (Article 12)
TRY 25,000 to 1,000,000 for failure to comply with Board decisions (Article 15)
TRY 20,000 to 1,000,000 for failure to register with VERBIS (Article 16)

Fine amounts are adjusted annually based on the revaluation rate.

Key Board Decisions

Decision 2019/78: Guidelines on explicit consent — consent must be freely given, informed, specific, and an unambiguous indication of will
Decision 2019/10: Data controller and data processor distinction — clarified responsibilities and contractual requirements
Decision 2020/915: Cookie consent requirements — prior consent required for non-essential cookies
Decision 2022/1: Cross-border transfer assessment criteria prior to the 2024 amendments

Integration Points

cross-border transfers: KVKK Article 9 transfer mechanisms interact with GDPR Chapter V for EU-Turkey flows
vendor-privacy-due-diligence: Data processor agreements must include Article 12 security obligations
breach-72h-notification: KVKK Article 12(5) requires notification to the Board "as soon as possible" (Board guideline suggests 72 hours)
data-inventory-mapping: VERBIS registration requires comprehensive processing inventory