Current Assessment Under the Law on the Protection of Personal Data No. 6698
Introduction
With the rise of digitalization, the protection of personal data has become one of the top priorities for both individuals and companies.
The Law on the Protection of Personal Data No. 6698, commonly referred to as the KVKK, serves as the primary legislation in this field and applies to all natural and legal persons processing data in Turkey.
Especially for companies, compliance with the Personal Data Protection Law (KVKK) is no longer merely a legal obligation but also a corporate responsibility, and it is of great importance in terms of public trust in the organization.
Who Is Responsible for the KVKK?
Under the Personal Data Protection Law No. 6698, any natural or legal person who processes personal data is considered a data controller.
In other words, whether you are a holding company or a small business, if you process the personal data of your customers, employees, or business partners, you are required to comply with this law.
The processing of personal data encompasses any operation or activity involving the collection, recording, storage, alteration, transfer, classification, or deletion of data pertaining to an individual.
“These operations can be performed manually or automatically and are considered ‘processing’ in the legal sense, regardless of whether the data is stored in a physical or digital format.”
For example, each of the following is considered the processing of personal data:
- A factory recording its employees’ first and last names and Turkish ID numbers,
- Collecting visitors’ entry information in writing,
- Retaining camera recordings.
Companies’ Key Obligations Under the Personal Data Protection Law
1. Duty to Inform (Article 10 of the Personal Data Protection Law)
During personal data processing activities, data controllers must inform data subjects of:
- What data they collect,
- For what purpose they process the data,
- With whom they share the data,
- On what legal basis they process the data.
This information must be communicated clearly and concisely.
Failure to comply with this obligation will result in the imposition of an administrative fine.
Particularly in sectors such as commerce, healthcare, education, and consulting, preparing privacy notices and presenting them to data subjects is critically important.
2. Data Security Obligation
Companies are responsible for protecting the personal data they process, through technical and administrative measures, against:
- Unauthorized access,
- Data loss,
- Leaks or misuse.
In this context, measures such as the following must be taken:
- Staff training,
- Antivirus systems,
- Secure servers,
- Access control,
- Encryption.
“While the protection of personal data is subject to regulatory oversight in this regard, it may also result in significant administrative fines or even criminal proceedings.”
3. VERBİS Registration Requirement
VERBİS is the system known as the Data Controller Registry, where data controllers are required to register and information regarding their data processing activities is recorded.
VERBİS registration is mandatory for the following businesses:
- Businesses with more than 50 employees,
- Businesses with an annual balance sheet total of more than 100 million TL,
- Responsible individuals and legal entities based abroad,
- Businesses whose primary activity involves the processing of special-category personal data (regardless of the number of employees or financial balance sheet criteria).
Businesses that fail to comply with the VERBİS requirement are subject to administrative fines.
In addition, failure to update this information or providing false information is subject to penalties.
4. Obligation to Comply with Board Decisions
Decisions made by the Personal Data Protection Board are binding on all data controllers.
Failure to comply with these decisions will also result in the company facing criminal liability.
For example, companies that send marketing-related text messages without obtaining explicit consent are subject to penalties under this provision.
Current Administrative Fines for 2025
The revaluation rate set for 2025 has been announced as 43.93%.
In line with this increase, the penalties to be imposed under the KVKK have been updated as follows:
| Type of Violation | Penalty Range |
|---|---|
| Disclosure Obligation | 68,083 – 1,362,021 TL |
| Failure to ensure data security | 204,285 – 13,620,402 TL |
| Acting in violation of the Board’s decisions | 340,476 – 13,620,402 TL |
| Failure to register with VERBİS | 272,380 – 13,620,402 TL |
“These penalties are increased every year and can have financially devastating consequences for many small and medium-sized businesses.”
What Should Companies Do?
The key steps companies must take to ensure compliance with the KVKK are as follows:
- Create a data inventory: identify what types of personal data you process and for what purposes you use them.
- Prepare the privacy notice and consent forms.
- Check whether you are required to register with VERBİS and sign up.
- Provide training on the Personal Data Protection Law (KVKK) for your staff.
- Take cybersecurity precautions.
- Post your privacy policy on your website.
- Minimize legal risks by seeking consulting support.
Conclusion: Adaptability Is No Longer a Luxury, but a Necessity
Compliance with the KVKK is of great importance not only to avoid penalties, but also to maintain customer trust, strengthen reputation, and minimize legal risks.
“It is a legal requirement for all businesses, regardless of size, to operate with an awareness of their data responsibilities.”
Best regards,
Attorney İdil Zeynep Yağlıca



