Consenti

KVKK Compliance Guide (Turkey)

ℹ️Compliance group: opt-in — explicit consent required for sensitive personal data. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.

Turkey's Kişisel Verilerin Korunması Kanunu (KVKK) — Law No. 6698 — came into force in April 2016 and is enforced by the Kişisel Verileri Koruma Kurumu (KVK Board / KVKK Authority). It is inspired by the EU GDPR's predecessor (Directive 95/46/EC) and has been progressively updated to align with modern GDPR requirements. Consenti supports KVKK via regulation: 'kvkk'.

⚠️Consenti provides Partial coverage for KVKK. The consent UI, audit log, and withdrawal are fully supported. Data localisation requirements (certain data must be stored in Turkey), cross-border transfer rules, and VERBİS (data controller registry) registration are infrastructure and legal obligations that fall outside Consenti's scope.

Official references

Key requirements

RequirementDetail
Consent modelOpt-in — informed, related to a specific matter, based on free will
Sensitive dataExplicit consent required (race, ethnicity, political opinion, religion, sect, health, sexual life, criminal record, biometrics, security measures)
Blanket consentNot valid — consent must be specific per purpose
WithdrawalMust be possible at any time; equivalent mechanism to giving consent
VERBİS registrationData controllers above certain size thresholds must register in the data controller registry
Cross-border transferRequires either data subject consent or KVK Board authorisation (or country adequacy)
EnforcerKVK Board (Kişisel Verileri Koruma Kurumu)

KVKK vs. GDPR

GDPRKVKK
Opt-in requiredYesYes
Lawful bases6 (Art. 6)Similar list in Art. 5–6; consent is primary
Sensitive dataArt. 9 special categoriesArt. 6 — broader list including security measures
DPO equivalentDPO (mandatory for some)No mandatory DPO requirement
RegistryNo mandatory controller registryVERBİS — mandatory for qualifying controllers
GPCOptionalNot recognised

Enabling KVKK mode

Frontend widget

ts
new ConsentiSetup({
  core: {
    regulation: 'kvkk',
  },
})

Profile configuration (dashboard)

json
{
  "regulation": "kvkk",
  "kvkk": {
    "controllerName": "Acme Yazılım A.Ş.",
    "contactEmail": "[email protected]",
    "purposeDescription": "Web sitesini işletmek ve işlem e-postaları göndermek."
  }
}

Turkish law requires the data controller's identity and contact information to be disclosed. Setting kvkk.controllerName and kvkk.contactEmail renders these in the consent modal footer automatically.

Erasure

KVKK Article 7 grants data subjects the right to request deletion. Use:

http
DELETE /consenti/api/v1/consent/:visitorId