Skip to content
Placeholder image

YourDataControllerRepresentativeinTürkiye 

Operate safely in Türkiye protected by Prighter. We act as your local representative and provide you with an all-in-one solution for the Turkish Personal Data Protection Law (KVKK). Shield your business from regulatory risk and enjoy the positive impact from a trustworthy and efficient solution on your business.

Get Started Contact Us

Trusted by Customers all over the World

Do You Need a Data Controller Representative in Türkiye? 

Explore our FAQs to understand more about KVKK and if it is applicable to your business.

What is the Turkish Personal Data Protection LAW (KVKK)?

The Turkish Data Protection Law (KVKK), officially Law No. 6698 on the Protection of Personal Data, came into force in 2016 to align Turkey’s data protection framework with international standards, particularly the EU’s GDPR. Its primary aim is to safeguard the fundamental rights and freedoms of individuals, especially the right to privacy, by regulating the processing of personal data.

A key obligation under KVKK is the requirement to register with the Data Controllers Registry Information System, known as VERBIS. Most data controllers operating in Turkey—or processing personal data of individuals in Turkey—must register before they begin processing. VERBIS registration includes providing detailed information on data processing activities, including categories of data, legal basis, data transfers, and retention periods. Non-compliance with this requirement may result in administrative fines.

Another core obligation is the appointment of a representative for foreign data controllers without a legal entity in Turkey. This representative acts as the local point of contact for both the Turkish Data Protection Authority and data subjects. The representative must be registered in VERBIS and is responsible for fulfilling certain compliance duties on behalf of the foreign controller.

The KVKK also emphasizes data subject rights, including the right to be informed, to access, to request correction or deletion of personal data, and to object to data processing in certain situations. In the case of data breaches, data controllers must promptly notify the Turkish Data Protection Authority and, if necessary, affected individuals. Failure to report breaches can result in penalties and reputational harm.

Overall, KVKK requires organizations to adopt a proactive, transparent, and accountable approach to data protection.

Read More
Pricing Learn More

Champion Compliance

Stay ahead of Turkish data protection requirements with our KVKK Representative Service. As your appointed local contact, we ensure full compliance with Law No. 6698 — managing VERBIS registration, liaising with the Turkish Data Protection Authority, and handling data subject requests. Our expert team simplifies the regulatory process, so you can confidently operate in Turkey while focusing on your core business.

Featured image

Compliant Representation Service

By appointing Prighter you comply with the requirement for local representation in Türkiye and you make sure to have a competent and trustworthy point of contact. Meet the Turkish data protection requirements and benefit from a first-class service with Prighter.

VERBIS-Registration

We provide you with an easy way of making your data mapping ready for VERBIS and as your representative we take care of the initial VERBIS-registration as well as of any future update of the processing activities. Rely on our local expertise and experience in handling VERBIS registrations for companies around the world.

Comprehensive Compliance Setup

We make sure you meet the requirements of the KVKK with our established processes for the registration of the representative, the VERBIS registration and for the wording regarding the appointment of Prighter. We keep you safe so you can focus on your business.

Local Trustworthy Addressee

As your representative we serve as your primary point of contact for data protection matters in Türkiye. We handle communications with the Turkish Data Protection Authority and data subjects on your behalf and facilitate the management of these stakeholder interactions with our SaaS solutions.

Featured image

Authority Case Management

Appoint Prighter as your representative to establish a reliable communication channel with the Turkish Data Protection Authority (KVKK). Entrust our experienced local team, supported by our Authority Case Management system, to assist you with crucial regulatory interactions such as investigations or data breach notifications.

Data Subject Addressee

We act as your trusted addressee for data subjects in Türkiye, ensuring clear and compliant communication in line with KVKK requirements. With our proprietary Privacy Rights Manager, you can efficiently manage the full lifecycle of data subject requests—organized, secure, and fully traceable.

Automated interactions

Prighter combines legal know-how with intelligent software to automate your stakeholder interactions globally. Our solutions help you manage regulatory communication and data subject requests with ease. From Authority Case Management to the Privacy Rights Manager, every tool is designed to streamline processes, reduce manual effort, and ensure full compliance.

More than Compliance

Create value through compliance by turning regulatory requirements into business opportunities. Demonstrating your commitment to KVKK not only ensures legal alignment but also strengthens your brand, builds stakeholder trust, and positions you as a responsible, future-ready organization in the Turkish market.

Featured image

Reinforce Brand Trust

Building trust is key to standing out in today’s privacy-conscious market. Strengthen your brand in the Turkish market by showcasing your commitment to KVKK compliance. Leverage tools like the Prighter Certificate, Compliance Badge, and Trust Center to visibly reinforce your credibility and earn the confidence of customers, partners, and regulators alike.

The Trust Center

Build credibility with your Trust Center—a fully customizable, branded portal that highlights your compliance efforts. Verified in real time as your official representative, we make the Trust Center the go-to destination for authorities, data subjects, and partners to submit and track requests.

Work Smarter

Boost your efficiency with an intelligent compliance SaaS platform designed to automate routine tasks, minimize manual workload, and maintain regulatory alignment. Whether you're responding to data subject requests or handling an authority case, our scalable tools help you streamline every process—freeing you up to focus on your priorities.

Full-Service Solution

KVKK compliance is more than a one-time task—it requires consistent attention and the right tools. Our all-in-one solution equips you to manage every aspect of your data protection obligations efficiently and proactively, all in one place.

Featured image

Additional Services

Comprehensive support beyond representation. Our additional services—ranging from compliance consulting to training and audit support—are delivered by top-tier experts. Together with our trusted partners, we offer end-to-end solutions tailored to your KVKK needs, all in one place.

Knowledge Hub

We actively share our expertise to keep you informed about developments under the Turkish KVKK. From regulatory updates and case law to emerging trends in AI and digital governance, our knowledge-sharing approach ensures you stay ahead in a fast-evolving compliance landscape.

Professional Team

Our expert team brings together deep knowledge of Turkish data protection law and real-world compliance experience under KVKK. With a mix of skilled lawyers and experienced privacy professionals, we provide clear, practical guidance to help you meet regulatory obligations with confidence. Trust us to deliver reliable, business-focused support every step of the way.

Türkiye KVKK Representation icon

Türkiye KVKK Representation

Combine additional Representative services to receive discounts of up to 40%

Select your Size:

Add complementary products:

Privacy Representation

3 products

Digital Governance

3 products

Privacy Software

2 products

€170/month
Billed Annually €2,040
Save €228 /year

Price breakdown:

Türkiye KVKK Representation€170/month

Core Features

Representative for Türkiye
Qualified local team
Privacy Policy Wording on the Representation
Registration of the Representative(Setup)
VERBIS Registration(Setup)
Assistance with drafting the VERBIS registration(basic)

Marketing Features

Compliance Batch for your website
Dedicated Trust Center
Compliance certificate

Authority Features

Point of contact for the Turkish Data Protection Authorities
Unlimited Authority Requests
Authority Case Manager(basic)
Data Breach Notification(basic)

Data Subject Features

Addressee for Turkish data subjects
Unlimited Data Subject Requests
Privacy Rights Manager (PRM)(TR PRM)

Processor Features

Addressee for Turkish B2B clients (relevant for processors)
Data Processing Agreement(basic)
International Data Transfer(basic)

Knowledge

Knowledgehub Access
Regulatory Monitoring
KVKK Training

Subscription

Entities and Brands Covered(5)
Digital Governance management suite(5 seats)
Support Level(basic)

How It works

Resource Center

Our Resource Centre is designed to help businesses around the world to understand and navigate international privacy, AI, and digital governance compliance. Whether you're new to compliance, or you're an experienced privacy professional, you'll find helpful tips, fresh insights, and practical resources to help you level-up your approach to compliance.

Visit the full Resource Center

Showing articles for: Turkish KVKK

Showing 1-15 of 80 results
Auto-generated banner for NIS 2 Self Assessment
Self Assessment
NIS 2

NIS 2 Self Assessment

Take our self assessment today to check your status under the NIS 2!

Andreas Maetzler's profile pictureKatharina Jokic's profile picture
By Andreas Maetzler, Katharina Jokic
Auto-generated banner for What Does the European Commission’s GDPR Reform in 2025 Mean for Your Business?
Article
EU GDPR

What Does the European Commission’s GDPR Reform in 2025 Mean for Your Business?

For businesses operating across the EU — and those from outside who target the EU market — the package carries strategic significance for how data protection compliance is approached. This article explores what this means for you.

Auto-generated banner for Global Privacy and AI Journey: Korea, China, India & EU
Webinar
Chinese PIPLEU GDPRKorean PIPAAI Act

Global Privacy and AI Journey: Korea, China, India & EU

Learn about the new global challenges for privacy and how data protection interrelates with AI governance.

Auto-generated banner for Enforcement of the Digital Services Act is Coming. What Does It Mean for You?
Article
DSA

Enforcement of the Digital Services Act is Coming. What Does It Mean for You?

The EU is ramping up DSA enforcement, especially for VLOPs like X. With the 16 April 2025 reporting deadline ahead, businesses should act now to ensure compliance.

Andreas Maetzler's profile picture
By Andreas Maetzler
Auto-generated banner for NIS 2 Directive is Applicable as of Today: Time to Comply!
News
NIS 2

NIS 2 Directive is Applicable as of Today: Time to Comply!

As of today, 18 October 2024, the EU’s NIS2 Directive is officially applicable, marking a new era in cybersecurity for essential services across Europe.

Elif Merve Demir's profile picture
By Elif Merve Demir
News
Cyber Resilience ActCybersecurity Act

UK's Cyber Security Laws Set for update in 2025: What's Coming Next?

The UK plans to introduce the Cyber Security and Resilience Bill in 2025 to boost cyber defences and protect vital public services from growing digital threats.

Charlotte Mason's profile picture
By Charlotte Mason
News
EU GDPR

GDPR in Practice: Key Insights and Recommendations from the FRA's Latest Report

The European Union Agency for Fundamental Rights (FRA) recently published a comprehensive report on GDPR implementation, highlighting areas for improvement.

News
AI Act

The European Commission Established an AI Office to Advance EU Leadership in Reliable and Safe AI

Today, the establishment of the AI Office was announced by the European Commission. It was developed to reduce risks, maximize societal and economic benefits, and improve AI development, deployment, and use.

News
AI Act

European Council Officially Approves First-Ever Global AI Regulations

The AI Act will be officially published soon and will take effect two years after its publication. This timeframe is important for businesses to build full compliance with the new regulations.

Auto-generated banner for New Consent Requirement for Swiss Traffic: Google's Policy Expansion
News

New Consent Requirement for Swiss Traffic: Google's Policy Expansion

Starting July 31, 2024, Google is expanding its EU User Consent Policy to encompass users in Switzerland.

News

EU-Japan Agreement: Council Approves Data Flow Facilitation Protocol

The Council of EU has officially approved a protocol aimed at facilitating the flow of data between the EU and Japan. This protocol represents a step forward in securing closer economic ties and collaboration between these two regions.

News

Navigating Data Privacy: 'Consent or Pay' Models and the Path Forward

The recent Court of Justice of the European Union (CJEU) ruling on Meta's data processing practices has sparked uncertainty among many companies.

News
EU GDPR

GDPR Compliance in AI: Essential Tips from CNIL's Latest Guidance

The French Data Protection Authority (CNIL) released a set of recommendations which provide both legal and technical explanations between the GDPR and AI to ensure the protection of personal data while developing AI systems.

News

Landmark US Privacy Bill Unveiled: A Leap Forward for Digital Privacy Rights

Last week, two influential members of the U.S. Congress unveiled a draft bipartisan, bicameral federal privacy bill, in a crucial step forward for safeguarding individuals' privacy rights in the digital era.

Auto-generated banner for Data Breach Notifications Across Europe: EDPB's list published!
News

Data Breach Notifications Across Europe: EDPB's list published!

This significant update nearly went unnoticed as all attention was focused on the final text of the AI Act. The EDPB finally published the list detailing the notification processes of all relevant EEA data protection authorities (DPAs).

Turkish Data Protection Regulation (KVKK) FAQ

Does the KVKK apply to my company?

Is our organisation subject to KVKK?

KVKK applies to all organisations processing personal data of data subjects in Turkey. Insofar KVKK reaches out globally and regulates all processing activities related to Turkish individuals.

Exempted from the applicability of KVKK are only:

- household activities;

- official statistics with anonymised data;

- artistical, historical, literary or scientific purpose if national defence, national security, public security, public order, economic security are not violated;

- preventive, protective and intelligence activities by public bodies which are assigned by law to protect the above-mentioned public goods;

- processing by judicial or execution authorities with regard to investigation, prosecution, judicial and execution proceedings.

All other processing activities by foreign organisations are therefore subject to KVKK and need to comply with it, especially with the obligation to appoint a Data Controller Representative and to register with Data Controllers' Registry Information System (VERBIS).

Does our company need a Data Controller Representative in Turkey?

You are required to appoint a Data Controller Representative in Turkey if your organisation:

  • is acting as a Data Controller and not as a processor;
  • is processing personal data of individuals in Turkey; and
  • is not established in Turkey.

Is our company a Data Controller under KVKK?

An organisation qualifies as a data controller under KVKK if it determines the purposes and means of processing personal data and is responsible for the establishment and management of the technical infrastructure to process such data. In contrast, a processor under KVKK is an organisation which processes personal data on behalf of the data controller upon its authorisation. The concept is therefore identical with the GDPR and the decisive criteria is, if an organisation has the authority to decide over and define the processing activities.

Are we processing personal data of data subjects in Turkey?

Processing means any operation which is performed on personal data with at least partially automated means, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation, preventing the use thereof and much more. The term is therefore very broad and intends to include any handling of personal data. Are subject to such processing activities individuals in Turkey, your organisation falls under KVKK. Examples are:

  • having active business in Turkey with customers, users, students, patients, which are Turkish data subjects;
  • any attempt to target Turkish individuals with google ads or any other online marketing campaign;
  • monitoring Turkish individuals with cookies, behavioural advertisement, geo-localisation activities.

If your organisation qualifies as a controller and processes personal data of Turkish individuals, you are required to appoint a Data Controller Representative according to KVKK.

Are there any exemptions?

Besides those companies which process personal data only by non-automatic means, the following organisations are exempted from the obligation to appoint a representative:

  • Certain professions like notary publics, law and accounting firms;
  • Trade unions;
  • Political parties.

What is a VERBIS registration?

VERBIS is the Data Controllers' Registry Information System established on the basis of art 16 KVKK. Before processing personal data, a Data Controller must register in VERBIS.

How does the registration work?

For Foreign Data Controllers the registration can only be conducted by the representative. You first need to appoint a Data Controller Representative who then takes care of the registration.

The registration requires a list of processing activities similar to the records of processing activities under GDPR. The representative enters these processing activities in the VERBIS interface (verbis.kvkk.gov.tr) to complete the registration.

What is the deadline for the registration?

The deadline was extended several times but will end now on December 31st, 2021.

Fines in KVKK

Not appointing a Data Controller Representative although being required to do so, may trigger sanctions according to Art. 18 of the CCCTB. Non-compliance fines are increased every year and are now about 2 million Turkish Lira as of 2022. Be aware that the increase from 2021 to 2022 is as high as 36,20%.

How does the Prighter Turkey DCR work?

How to sign up for the Prighter Turkey DCR service?

As Turkish law contains formal requirements for signatures and the VERBIS registration an end-end digital process is not compliant. Therefore, the signup process is as follows:

  1. Complete the signup form with your company information and generate the Power of Attorney (PoA).
  2. Have the PoA duly signed, notarised and apostilled at the place of signature.
  3. Send us the scanned version of the PoA followed by the originals to our Turkish address via registered mail.
  4. We have the PoA notarised in Turkey and handle the VERBIS registration.

Who is the service provider for the Prighter Turkey DCR?

Prighter partners with IPTECH Legal Danışmanlık Ltd. Şti for the Prighter Turkey DCR service and Ozdagistanli Ekici Attorney Partnership for the legal advice according to Turkish law. The client relationship, support and payments are centralised and managed by Prighter Group.