KVKK Compliance
Configure your forms for Türkiye's Personal Data Protection Law.
What is the KVKK?
The KVKK (Kişisel Verilerin Korunması Kanunu — Personal Data Protection Law), also known as Law No. 6698, is Türkiye's comprehensive data protection legislation. It entered into force on April 7, 2016, making it one of the earlier modern data protection laws outside the EU.
The law was modeled on the EU Data Protection Directive (95/46/EC), the predecessor to the GDPR. While it shares many structural similarities with European data protection frameworks, the KVKK has its own distinct requirements — particularly around cross-border data transfers and registration obligations.
The law is enforced by the Personal Data Protection Authority (Kişisel Verilerin Korunması Kurumu), commonly referred to by the same acronym — KVKK. The Authority has the power to investigate complaints, conduct audits, and impose administrative fines.
The KVKK applies to:
- Any processing of personal data within Türkiye — regardless of whether the data controller is based in Türkiye or abroad.
- Any processing of data belonging to individuals in Türkiye — even if the processing takes place outside the country.
If your web form collects data from people in Türkiye — whether you operate from Türkiye or not — the KVKK likely applies to you.
The consent model
The KVKK requires explicit consent for processing personal data, unless one of the limited legal exceptions applies. The recognized legal bases are:
- Explicit consent of the data subject.
- Clearly stipulated in law — processing required by legislation.
- Protection of vital interests — when the data subject is physically or legally unable to give consent.
- Contract performance — processing necessary to fulfill a contract to which the data subject is a party.
- Legal obligation — processing necessary for the data controller to comply with a legal duty.
- Publicly available data — data the individual has made manifestly public.
- Legitimate interest — processing necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights of the data subject.
For web forms collecting contact information, feedback, or inquiries, consent is the most practical legal basis. While you might argue contract performance or legitimate interest in some cases, relying on explicit consent is the safest approach and the one the KVKK Authority expects in most online data collection scenarios.
Consent under the KVKK must be:
- Informed — the individual must be told what data is collected, why, and how it will be used before giving consent.
- Specific — consent must relate to a defined purpose. Blanket consent for undefined future uses is not valid.
- Freely given — consent cannot be coerced or made a precondition for accessing an unrelated service.
For web forms, this means you need a clear consent checkbox with a message that describes the purpose. For example:
I consent to the processing of my personal data submitted through this form for the purpose of responding to my inquiry, in accordance with the KVKK (Law No. 6698).
What the KVKK preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Required | The KVKK requires explicit consent before processing personal data. The checkbox serves as the consent mechanism for web forms. |
| IP anonymization | Yes | IP addresses are personal data under the KVKK. Anonymizing them (zeroing the last octet) minimizes the data you collect, supporting the data minimization principle. |
| User-agent storage | Enabled | Browser information is retained for troubleshooting and security purposes. It is not singled out for special treatment under the KVKK. |
| Data retention | 365 days | The KVKK requires deletion once the purpose for processing has been fulfilled. One year is a reasonable default; adjust to match your actual retention need. |
| Privacy policy URL | Required | The KVKK mandates a "clarification text" (aydınlatma metni) informing individuals about data processing. Linking your privacy policy provides this transparency. |
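The settings in the table, applied server-side to a single submission. This is an added example, not FormBlade's code or API: the names `KVKK_PRESET`, `anonymize_ip`, `accept_submission` and `purge_expired` are hypothetical, and the IPv6 handling (keeping only the /48 prefix) is an assumption, since the table only describes zeroing the last octet of an IPv4 address.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical mirror of the preset table above (not FormBlade's schema).
KVKK_PRESET = {"consent_required": True, "anonymize_ip": True,
               "store_user_agent": True, "retention_days": 365,
               "privacy_policy_required": True}

def anonymize_ip(raw):
    """Zero the last octet of an IPv4 address (203.0.113.77 -> 203.0.113.0)."""
    addr = ipaddress.ip_address(raw)          # raises ValueError on garbage input
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped               # ::ffff:a.b.c.d is really IPv4
    prefix = 24 if addr.version == 4 else 48  # /48 for IPv6 is an assumption
    net = ipaddress.ip_network(f"{str(addr)}/{prefix}", strict=False)
    return str(net.network_address)

def accept_submission(form, fields, consent, ip, user_agent, now, preset=KVKK_PRESET):
    """Return the record to store, or raise ValueError if the preset forbids it."""
    if preset["privacy_policy_required"] and not form.get("privacy_policy_url"):
        raise ValueError("form has no privacy policy URL (clarification text)")
    # Consent must be an explicit True; a missing or unticked box is a refusal.
    if preset["consent_required"] and consent is not True:
        raise ValueError("consent checkbox not ticked")
    return {
        "fields": fields,
        "consent_at": now,                    # evidence of when consent was given
        "ip": anonymize_ip(ip) if preset["anonymize_ip"] else ip,
        "user_agent": user_agent if preset["store_user_agent"] else None,
        "purge_after": now + timedelta(days=preset["retention_days"]),
    }

def purge_expired(records, now):
    """Keep only records whose retention period has not yet elapsed."""
    return [r for r in records if r["purge_after"] > now]

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, made-up form).
    form = {"privacy_policy_url": "https://example.com/privacy"}
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    rec = accept_submission(form, {"email": "a@example.com"}, True,
                            "203.0.113.77", "Mozilla/5.0", t0)
    print(rec["ip"], rec["purge_after"].date())
    print(len(purge_expired([rec], t0 + timedelta(days=366))))
```

The raw address is never written to the record, so a later export or breach exposes only the truncated form.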
Set up the KVKK preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select KVKK (Türkiye) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to the Compliance tab.
- Select KVKK (Türkiye) from the preset buttons or region dropdown.
- Click Save.
VERBIS registration
One of the KVKK's distinctive requirements is the Data Controllers Registry, known as VERBIS (Veri Sorumluları Sicili). Data controllers who process personal data must register with VERBIS before they begin processing.
Registration requires you to declare:
- Your identity and contact information as the data controller.
- The purposes for which you process personal data.
- The categories of data subjects and personal data you process.
- The recipients to whom you disclose personal data.
- Whether you transfer personal data abroad, and if so, to which countries.
- The technical and administrative security measures you have in place.
- Your maximum data retention periods.
Some exemptions from VERBIS registration exist:
- Data controllers with fewer than 50 employees and annual turnover under 25 million TL, provided they do not process sensitive data as their core activity.
- Non-resident data controllers who process limited categories of data.
If you are based outside Türkiye but process Turkish individuals' data at scale through your web forms, you may need to appoint a data controller representative in Türkiye and register with VERBIS. Consult with a legal advisor to determine whether exemptions apply to your situation.
Cross-border data transfers — strict rules
Cross-border data transfers have historically been the most restrictive aspect of the KVKK. Until recent amendments, transferring personal data outside Türkiye required either:
- Explicit consent from the data subject for each transfer, or
- Transfer to a country that the KVKK Board has deemed to provide adequate protection.
The adequacy list was extremely slow to develop — for years, no countries were formally declared adequate, creating significant practical difficulties for businesses operating internationally.
The 2024 amendments to the KVKK introduced additional transfer mechanisms more closely aligned with the GDPR:
- Standard contractual clauses (SCCs) — pre-approved contractual terms between the data exporter and importer.
- Binding corporate rules (BCRs) — for intra-group transfers within multinational organizations.
- Adequacy decisions — the Board is expected to issue more adequacy decisions going forward.
The EU is generally considered to provide adequate protection for personal data, given its strong data protection framework under the GDPR. FormBlade servers are located in the EU, which supports the legal basis for transferring Turkish users' data to our infrastructure.
Data subject rights
The KVKK grants individuals a comprehensive set of rights regarding their personal data. As a data controller, you must be prepared to respond to these requests within 30 days:
- Right to know — learn whether their personal data is being processed.
- Right to access — request information about what data has been collected and how it is used.
- Right to learn the purpose — understand why their data is being processed and whether it is being used in accordance with its intended purpose.
- Right to know third parties — learn the identity of domestic or foreign third parties to whom their data has been transferred.
- Right to correction — request correction of inaccurate or incomplete personal data.
- Right to deletion — request erasure or destruction of their personal data when the conditions for processing no longer exist.
- Right to notification — request that corrections, deletions, or destructions be communicated to third parties to whom the data has been transferred.
- Right to object — object to a decision made exclusively through automated processing that produces a legal effect or similarly significant impact.
- Right to compensation — claim compensation for damages arising from unlawful processing of their personal data.
To handle data subject requests through FormBlade:
- Search for the individual's submissions in the dashboard using their email address or name.
- Export or delete submissions as requested.
- Confirm the action to the individual within the 30-day deadline.
Penalties
The KVKK imposes both administrative fines and criminal penalties, making it more severe than many other data protection laws in this regard.
Administrative fines
- Failure to fulfill the clarification obligation (not providing proper notice to data subjects): 50,000 to 1,000,000 TL.
- Data security breaches (failure to implement adequate technical and administrative measures): up to 1,800,000 TL.
- Non-compliance with KVKK Board decisions: 25,000 to 1,000,000 TL.
- VERBIS registration violations (failure to register or providing inaccurate information): 50,000 to 1,000,000 TL.
These amounts are updated annually based on the revaluation rate. The KVKK Board has the discretion to set the fine amount within the specified range based on the severity and nature of the violation.
Criminal penalties
The KVKK references the Turkish Penal Code for criminal liability:
- Unlawful processing of personal data: 1 to 3 years imprisonment.
- Failure to delete data when required: 1 to 2 years imprisonment.
Criminal penalties are pursued through the regular criminal justice system, separate from the administrative process. While criminal prosecution is relatively rare, the possibility adds significant weight to compliance obligations.
Practical recommendations
To ensure your forms are fully compliant with the KVKK, follow these steps, starting with the preset itself:
- Apply the KVKK preset now. The consent, anonymization, and retention settings align with the law's core requirements and will work regardless of future regulatory updates.
- Prepare a clarification text (aydınlatma metni). The KVKK requires you to inform data subjects about data processing before collecting their data. Draft a clear notice that covers: your identity as the data controller, the purpose of processing, who the data may be shared with, the legal basis for collection, and the individual's rights. Link this from your form's privacy policy URL field.
- Set a realistic retention period. The KVKK requires deletion once the processing purpose has been fulfilled. If you only need form submissions for 90 days, do not store them for 365. Use FormBlade's automatic retention purge to handle deletion.
- Evaluate VERBIS registration. If you are based in Türkiye or process Turkish individuals' data at significant scale, check whether you need to register with VERBIS. The exemptions are narrow.
- Document cross-border transfers. Note in your privacy policy that form data is processed on EU servers by FormBlade (ZNX Ltd). If relying on consent for the transfer, ensure the consent checkbox text mentions this.
- Plan for data subject requests. Have a process in place to respond to access, correction, and deletion requests within 30 days. Use the dashboard's search and export features to fulfill these requests.
- Avoid collecting sensitive data unless necessary. Special categories of personal data (health, religion, political opinion, biometrics, etc.) require additional safeguards and explicit consent. Keep your form fields to the minimum necessary for your purpose.
- Monitor regulatory developments. The 2024 amendments are still being implemented, and the KVKK Board continues to issue decisions and guidance. Follow updates at kvkk.gov.tr.