What’s KVKK and how does Turkish data law differ from GDPR for Magento stores?

KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698 — 2016) is Türkiye’s personal-data protection law. It’s similar to GDPR but not identical, enforced by the KVKK Kurumu (KVKK Authority):

• VERBİS registration — if you process personal data above the threshold, you must register as a Data Controller in VERBİS (Veri Sorumluları Sicili). This is not a GDPR equivalent — even if you’re GDPR-compliant for EU customers, you still need separate VERBİS registration to operate in Türkiye.
• Explicit consent (Açık Rıza) — KVKK Art. 5 requires explicit, freely-given, informed consent for processing — similar to GDPR but the bar is interpreted slightly differently.
• Cross-border data transfer — KVKK is more restrictive than GDPR. Sending TR customer data outside Türkiye requires explicit consent or a KVKK Authority approval of the destination country’s adequacy.
• Data-subject rights — right to access, rectification, erasure, similar to GDPR Art. 15–17. DSAR routing via aydinlatma@yourstore.com.tr typical.
• Aydınlatma Metni (Information Notice) — you must display an explicit KVKK information notice before collecting any data — not the same wording as a GDPR privacy policy.

Magento integration: KVKK-compliant cookie consent banner (Cookiebot or custom), Aydınlatma Metni on every form, DSAR endpoint, VERBİS-compliant data inventory.