KVKK Compliance Guide (Turkey)
ℹ️Compliance group:
opt-in — explicit consent required for sensitive personal data. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.Turkey's Kişisel Verilerin Korunması Kanunu (KVKK) — Law No. 6698 — came into force in April 2016 and is enforced by the Kişisel Verileri Koruma Kurumu (KVK Board / KVKK Authority). It is inspired by the EU GDPR's predecessor (Directive 95/46/EC) and has been progressively updated to align with modern GDPR requirements. Consenti supports KVKK via regulation: 'kvkk'.
⚠️Consenti provides Partial coverage for KVKK. The consent UI, audit log, and withdrawal are fully supported. Data localisation requirements (certain data must be stored in Turkey), cross-border transfer rules, and VERBİS (data controller registry) registration are infrastructure and legal obligations that fall outside Consenti's scope.
Official references
Key requirements
| Requirement | Detail |
|---|---|
| Consent model | Opt-in — informed, related to a specific matter, based on free will |
| Sensitive data | Explicit consent required (race, ethnicity, political opinion, religion, sect, health, sexual life, criminal record, biometrics, security measures) |
| Blanket consent | Not valid — consent must be specific per purpose |
| Withdrawal | Must be possible at any time; equivalent mechanism to giving consent |
| VERBİS registration | Data controllers above certain size thresholds must register in the data controller registry |
| Cross-border transfer | Requires either data subject consent or KVK Board authorisation (or country adequacy) |
| Enforcer | KVK Board (Kişisel Verileri Koruma Kurumu) |
KVKK vs. GDPR
| GDPR | KVKK | |
|---|---|---|
| Opt-in required | Yes | Yes |
| Lawful bases | 6 (Art. 6) | Similar list in Art. 5–6; consent is primary |
| Sensitive data | Art. 9 special categories | Art. 6 — broader list including security measures |
| DPO equivalent | DPO (mandatory for some) | No mandatory DPO requirement |
| Registry | No mandatory controller registry | VERBİS — mandatory for qualifying controllers |
| GPC | Optional | Not recognised |
Enabling KVKK mode
Frontend widget
ts
new ConsentiSetup({
core: {
regulation: 'kvkk',
},
})Profile configuration (dashboard)
json
{
"regulation": "kvkk",
"kvkk": {
"controllerName": "Acme Yazılım A.Ş.",
"contactEmail": "[email protected]",
"purposeDescription": "Web sitesini işletmek ve işlem e-postaları göndermek."
}
}Turkish law requires the data controller's identity and contact information to be disclosed. Setting kvkk.controllerName and kvkk.contactEmail renders these in the consent modal footer automatically.
Erasure
KVKK Article 7 grants data subjects the right to request deletion. Use:
http
DELETE /consenti/api/v1/consent/:visitorId