Turkey KVKK AI Compliance: VERBIS Registration, Article 6 Sensitive Data Consent, and Cross-Border Transfer Obligations
Turkey's Kişisel Verilerin Korunması Kanunu (KVKK, Law No. 6698) has been in force since April 7, 2016 — predating GDPR. KVKK creates several obligations specifically relevant to AI systems: Article 6 requires explicit consent for processing special category sensitive personal data (health, biometric, genetic, racial/ethnic, religious, political, and criminal data); Article 9 governs cross-border data transfers to overseas AI providers; Article 16 requires VERBIS registration of all processing activities before commencement; and Article 11(g) grants data subjects the right to object to automated processing producing outcomes against their interests. The KVKK Board enforces with administrative fines up to TRY 1.9 million (~$60K) per violation — a per-violation structure that can stack across multiple violations. VERBIS non-registration is among the most frequently fined violations and applies to foreign AI companies serving Turkish users from abroad.
KVKK vs GDPR: Key Structural Differences for AI Teams
KVKK is explicitly modeled on EU Directive 95/46/EC (the pre-GDPR framework) and incorporates elements of GDPR, but predates many GDPR developments. Key structural differences:
(1) No dedicated automated decision-making article: KVKK lacks an Article 22 equivalent. Instead, Article 11(g) grants data subjects the right to object to automated processing producing outcomes against their interests, which serves as the primary AI-specific protection.
(2) VERBIS registration: unlike GDPR, which requires only an internal ROPA, KVKK Article 16 requires external registration of processing activities with the state.
(3) Sensitive data definition: includes security measures and appearance/dress (religious context), categories not in GDPR.
(4) Cross-border transfer framework: KVKK Article 9 predates the GDPR SCCs regime; Turkey's mechanisms are evolving and as of May 2026 the adequacy country list is not yet comprehensive for most tech jurisdictions.
(5) Fine structure: per-violation flat TRY amounts rather than percentage of global turnover.
Despite these differences, the KVKK Board expressly states that GDPR compliance practices are generally consistent with KVKK: organizations compliant with GDPR Article 9 (sensitive data), Article 46/47 (cross-border transfer), and Article 22 (automated decisions) are largely KVKK-compliant as well, with the addition of VERBIS registration.
Article 11(g): The Right to Object to AI Decisions
KVKK Article 11 grants data subjects enumerated rights, including in paragraph (g): the right to object to a result that is against the person's interests through analysis of processed data exclusively by automated systems. This is the KVKK analogue to GDPR Article 22's automated decision rights, but structured as a reactive objection right rather than a proactive restriction. Implementation requirements:
(1) Establish a data subject rights intake channel in Turkish (or a language data subjects can understand).
(2) Define the internal workflow for receiving, verifying, and responding to Article 11(g) objections.
(3) Within 30 days of receiving an objection, either accept the objection (cease automated processing for that individual), reject the objection with documented compelling grounds, or escalate to human review with authority to override.
(4) Document each objection and the response in a rights fulfilment log.
For AI systems making consequential decisions (credit, employment, healthcare access, insurance): Article 11(g) means you need a human review override capability, not just an objection intake form. A supervisor who reviews the AI output and has technical authority to change it, not just to log the complaint, satisfies Article 11(g).
VERBIS: What to Register and When to Update
VERBIS (Veri Sorumluları Sicil Bilgi Sistemi, vbs.kvkk.gov.tr) is Turkey's mandatory data controller registry. Controllers with annual revenues above TRY 3 million or 50+ employees, all foreign controllers processing personal data of Turkish residents, and all public institutions must register. VERBIS registration must happen before processing commences; retroactive registration after the KVKK Board opens an investigation is an aggravating factor. Each processing activity must be registered with:
(1) the data controller's identity and contact information (or their Turkish representative);
(2) the purpose(s) of processing;
(3) the categories of data subjects;
(4) the categories of personal data processed;
(5) the intended domestic and overseas recipients;
(6) the maximum data retention period;
(7) whether data is transferred overseas and the transfer safeguards in place;
(8) the data security measures implemented.
For AI systems: each AI processing activity is a distinct VERBIS record; an inference engine, a training pipeline, and a scoring API are typically separate entries. When you add a new AI model or change the overseas provider (e.g., switching from one LLM API to another), update VERBIS within a reasonable time. KVKK Board auditors compare the VERBIS record against actual processing to find discrepancies.
Article 9: Cross-Border Transfer Compliance for AI APIs
KVKK Article 9 restricts transfer of personal data to foreign countries. The three-part framework:
(1) Adequate countries: the KVKK Board publishes a list of countries with adequate data protection. As of May 2026, this list is not finalized for most major tech jurisdictions; adequacy decisions are pending for the US, EU (post-Schrems II), and others.
(2) Binding undertaking between controllers and processors: the primary practical pathway; the foreign AI provider and the Turkish controller execute a binding undertaking that commits the overseas processor to the same protections as KVKK; this undertaking must be submitted to the KVKK Board for approval in practice or relied on contractually.
(3) Explicit consent for each specific transfer: data subjects must be told the destination country and associated risks; impractical for API-scale processing.
Practical approach for overseas AI APIs: review each major AI cloud provider's Turkey-specific data processing documentation (AWS, Google, Microsoft Azure, OpenAI have filed for KVKK approval); execute data processing addenda that reference KVKK compliance; log each overseas transfer relationship in VERBIS; and maintain records showing the legal mechanism used for each provider.
KVKK Board Enforcement Decisions and AI-Relevant Precedents
The KVKK Board has been issuing decisions since 2019 with increasing relevance to AI and automated systems. Key enforcement patterns:
VERBIS violations: these are the most common; companies discovered serving Turkish users without VERBIS registration receive immediate fines with no remediation window.
Article 6 consent failures: healthcare platforms, insurance companies, and fintech providers have been fined for processing sensitive personal data (health, financial, biometric) without explicit KVKK consent, including cases where GDPR consent was obtained but was not separately documented as KVKK explicit consent.
Cross-border transfer violations: companies using overseas AI cloud providers without documented transfer mechanisms have been fined; the KVKK Board treats overseas AI API calls as transfers requiring a compliant mechanism.
Breach notification failures: several companies have been fined for delayed or incomplete breach notifications; the Board expects notification "as soon as possible" and has interpreted this as 72 hours for AI-relevant breach events.
The KVKK Board publishes its decisions (in Turkish) on kvkk.gov.tr; reviewing recent Board decisions for your industry provides the most current picture of enforcement priorities and argumentation patterns.