KVKK, GDPR, EAA, KAİK, Google Consent Mode v2 and Circular No. 2025/10: which one affects you, what is the scope, what should you do? Practical guides, penalty details and direct solution paths.
Every company operating in Türkiye is affected by at least one, and those selling into the EU market by more than one.
Law No. 6698 (Türkiye)
The personal data protection law mandatory for all companies operating in Türkiye. Cookie usage requires disclosure and explicit consent. KVKK Board administrative fines are updated annually by the revaluation rate.
Regulation (EU) 2016/679
Covers all companies targeting the EU market, including Turkish firms. It jointly governs cookie consent, the ePrivacy Directive and Schrems II data transfer rules. The maximum fine is 20M€ or 4 percent of global turnover.
Directive 2019/882 (28 June 2025)
Mandatory for all companies offering B2C digital services in the EU. WCAG 2.1 AA compliance and an official accessibility statement are required. E-commerce, mobile apps and SaaS products targeting the EU are within scope.
Presidential Circular 2019/12, DDO KAİK Guide
The public information systems accessibility guide published by the Presidential Digital Transformation Office. Public institutions and private firms bidding on public tenders must comply with the WCAG criteria.
Mandatory for the EU and UK since March 2024
Mandatory for EU and UK traffic for all advertisers using Google Ads and GA4. It manages data flow based on consent status; without it, conversion data cannot be sent and personalized ads cannot be run.
Presidential Circular (2025)
Contains the latest regulations on accessibility and personal data management in public digital services. It sets out the priorities and implementation timeline for public institutions and firms that partner in public services.
Quickly check which obligations apply to you based on your company profile.
| Company Profile | KVKK | GDPR | EAA | KAİK | GCM v2 |
|---|---|---|---|---|---|
| E-commerce in Türkiye (TR sales only) | ✓ | - | - | - | Recommended |
| E-commerce targeting the EU (Trendyol Europe etc.) | ✓ | ✓ | ✓ | - | ✓ |
| Public institution in Türkiye (municipality, ministry) | ✓ | - | - | ✓ | - |
| Private software firm bidding on public tenders | ✓ | - | - | ✓ | - |
| News and publishing site (TR and EU) | ✓ | ✓ | ✓ | - | ✓ |
| SaaS B2B (TR customers only) | ✓ | - | - | - | Recommended |
| SaaS B2B (has EU customers) | ✓ | ✓ | - | - | ✓ |
| Mobile app B2C (EU market) | ✓ | ✓ | ✓ | - | ✓ |
Compare the regulations by supervisory authority, maximum sanction and subject matter.
| Regulation | Max. Sanction | Supervisory Authority | Effective Date | Subject |
|---|---|---|---|---|
| KVKK | Updated annually (kvkk.gov.tr) | KVKK Board | 07.04.2016 | Personal data and cookies |
| GDPR | 20M€ or 4 percent of turnover | Member state data authorities | 25.05.2018 | Personal data and cookies |
| EAA | Varies by member state | Member state accessibility boards | 28.06.2025 | Digital accessibility |
| KAİK | Exclusion from tenders | Presidential DDO and the Court of Accounts | Circular 2019/12 | Public site accessibility |
| GCM v2 | Loss of advertising and analytics data | Google (automatic) | 03.2024 (EU and UK) | Advertising consent signal |
| 2025/10 | Tender and audit sanction | Presidential DDO | 2025 | Public digital compliance |
Manage all your compliance needs from KVKK to GCM v2 from a single panel. Start free, no credit card required.