KVKK for AI Agents · concept · an Avalanche AI example wiki verified 2026-07-08 · live

KVKK in Brief — for AI Builders

Türkiye's data protection regime rests on Law No. 6698 on the Protection of Personal Data (KVKK), in force since 2016, supervised by the Kişisel Verileri Koruma Kurumu (the Authority) and its decision-making board, the Kurul. It is GDPR-adjacent in structure but not identical — assuming GDPR compliance transfers one-to-one is the most common mistake foreign AI vendors make.

The two roles your architecture must assign

Getting this split explicit in contracts matters because obligations (security measures, breach notification, registration) attach differently to each role.

Core principles (Art. 4)

Processing must be lawful and fair, accurate and current where necessary, for specified, explicit and legitimate purposes, relevant and limited to the purpose (data minimization), and retained no longer than needed. Every one of these has a direct architectural consequence for agents — see Deployment Patterns — KVKK-Aware Agent Architecture.

Lawful bases (Art. 5)

Processing requires açık rıza (explicit consent) unless one of the statutory exceptions applies — including: expressly provided by law; necessary for a contract; the controller's legal obligation; data made public by the subject; establishment or protection of a legal claim; and the controller's legitimate interest provided fundamental rights are not harmed. Special categories (health, biometrics, religion, etc., Art. 6) carry stricter rules.

A practical consequence: consent is the fallback, not the default design. Well-scoped agent use cases usually stand on contract necessity or legitimate interest — but that analysis must be documented per use case.

The obligations that follow the agent

---

Educational reference maintained by Avalanche AI — not legal advice. Verify against current official texts at kvkk.gov.tr before relying on it.