Building a KVKK-Compliant AI Chatbot for Turkish Businesses
Everything Turkish businesses need to know about deploying AI chatbots within KVKK (Turkey's data protection law) — consent flows, data storage, and audit-ready documentation.
Turkey's Kişisel Verileri Koruma Kanunu (KVKK, Law No. 6698 on the Protection of Personal Data) has been in force since 2016. The Personal Data Protection Board (Kişisel Verileri Koruma Kurulu) began active enforcement with meaningful fines from 2019 onward, and since 2023 enforcement on digital channels, including WhatsApp chatbots, website widgets, and AI systems, has increased significantly.
For Turkish businesses deploying AI chatbots, KVKK compliance is not optional, and "we were not sure what the rules were" is not a defense that reduces penalties. This guide gives you the specific requirements, the implementation checklist, and the documentation your business needs to be audit-ready.
KVKK Basics for AI Chatbots: What You Need to Know
KVKK applies whenever you collect, store, or process personal data from Turkish residents. A chatbot conversation that collects a customer's name and phone number — the minimum for any useful chatbot interaction — is a personal data processing activity under KVKK.
Key Definitions for Chatbot Context
- Data Controller (Veri Sorumlusu): Your business — the entity that determines the purposes and means of data processing. Your chatbot's operator.
- Data Processor (Veri İşleyen): Your chatbot platform provider (e.g., Cortex) — processes data on your behalf. You must have a Data Processing Agreement with them.
- Personal Data: Any information relating to an identified or identifiable person. Name, phone number, email, conversation content, IP address, device identifiers — all are personal data.
- Special Category Data (Özel Nitelikli Kişisel Veri): The categories KVKK Article 6 lists: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. A healthcare chatbot collecting any patient health information is processing special category data, which has stricter requirements under Article 6.
Legal Basis for Processing
Under KVKK Article 5, you must have a legal basis for every data processing activity. For AI chatbots, the relevant bases are:
| Legal Basis | When to Use It | Example |
|---|---|---|
| Explicit Consent (Açık Rıza) | Marketing messages, non-essential data collection | Sending promotional WhatsApp broadcasts |
| Contractual Necessity | Data needed to fulfill a service agreement | Collecting booking details to confirm a reservation |
| Legitimate Interest | Processing necessary for your legitimate interests, provided it does not harm the data subject's fundamental rights and freedoms (Article 5(2)(f)) | Logging conversations for service quality (with disclosure) |
| Legal Obligation | Required by Turkish law | Retaining invoice data for 5 years under Turkish tax law |
Critical point: explicit opt-in consent is the required basis for marketing communication via WhatsApp, under KVKK and also under Law No. 6563 on the Regulation of Electronic Commerce, whose rules on commercial electronic messages require the recipient's prior approval (recorded in the İleti Yönetim Sistemi, İYS). "The customer gave us their phone number at checkout" is not valid consent for WhatsApp marketing: you need a documented, specific opt-in to WhatsApp marketing.
Consent Requirements: What Valid Consent Looks Like
Under KVKK Article 3, which defines explicit consent as consent on a specific subject, based on information, and declared by free will, and under the related Personal Data Protection Board guidelines, valid consent must be:
- Freely given: Cannot be a condition of service. If refusing consent means the customer cannot receive the service, the consent is not valid.
- Specific: Consent for "communications" is not specific enough. Consent must specify: WhatsApp messages, from your business, regarding (e.g.) promotions and service updates.
- Informed: The customer must know what they are consenting to before consenting.
- Unambiguous: Pre-checked checkboxes are not valid consent. The customer must actively check a box or click a button.
- Withdrawable: The customer must be able to withdraw consent at any time, as easily as they gave it. Every WhatsApp marketing message must include an opt-out instruction.
KVKK-Compliant Opt-In Language (Model Text)
Below is a model consent statement that meets KVKK requirements for WhatsApp marketing:
"[İşletme Adı] tarafından WhatsApp üzerinden kampanya, duyuru ve hizmet bildirimleri almayı kabul ediyorum. Verilerimin [işletme adı] tarafından bu amaçla işleneceğini anlıyorum. İstediğim zaman 'STOP' yazarak bu izni geri çekebilirim."
(English: "I accept receiving campaigns, announcements, and service notifications from [Business Name] via WhatsApp. I understand that my data will be processed by [Business Name] for this purpose. I can withdraw this consent at any time by replying STOP.")
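The consent rules above translate directly into code. The following is an added example, not part of the original page and not Cortex's product: a small consent ledger that records purpose-specific opt-ins together with a hash of the exact wording shown, rejects pre-checked or inferred consent, withdraws consent when the customer replies STOP, and refuses to prepare a marketing message unless an active opt-in exists. The phone numbers, the `LEDGER_KEY`, and the Turkish opt-out footer are constructed for the example; in production the key would come from a secret store.

```python
"""Consent ledger enforcing KVKK opt-in rules (added example, not Cortex code)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

MARKETING = "whatsapp_marketing"   # the specific purpose consent is recorded for

# Assumed: in production this key comes from a secret store, not source code.
LEDGER_KEY = b"rotate-me-example-key"

# The exact consent wording shown to the customer; its hash is stored so you can
# later prove what they saw when they opted in.
CONSENT_TEXT_V1 = (
    "[İşletme Adı] tarafından WhatsApp üzerinden kampanya, duyuru ve hizmet "
    "bildirimleri almayı kabul ediyorum. Verilerimin [işletme adı] tarafından bu "
    "amaçla işleneceğini anlıyorum. İstediğim zaman 'STOP' yazarak bu izni geri "
    "çekebilirim."
)
OPT_OUT_FOOTER = "\n\nBu mesajları almak istemiyorsanız STOP yazın."  # constructed


def subject_key(phone: str) -> str:
    """Keyed hash of the E.164 number. Phone numbers are enumerable, so a plain
    SHA-256 would be trivially reversible; an HMAC with a secret key is not."""
    return hmac.new(LEDGER_KEY, phone.encode(), hashlib.sha256).hexdigest()


@dataclass
class Consent:
    purpose: str
    text_sha256: str
    source: str                  # where the opt-in was captured (form, booking, CRM)
    given_at: str
    withdrawn_at: str | None = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self, clock: Callable[[], datetime] | None = None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._consents: dict[str, list[Consent]] = {}
        self.audit: list[dict] = []   # append-only trail for inspections

    def _now(self) -> str:
        return self._clock().isoformat()

    def _log(self, event: str, subject: str, **extra) -> None:
        self.audit.append({"at": self._now(), "event": event, "subject": subject, **extra})

    def record_opt_in(self, phone: str, purpose: str, consent_text: str,
                      source: str, actively_confirmed: bool) -> None:
        """Store a consent only if it is unambiguous (an active tick or click)."""
        if not actively_confirmed:
            raise ValueError("pre-checked or inferred consent is not valid consent")
        subject = subject_key(phone)
        consent = Consent(purpose, hashlib.sha256(consent_text.encode()).hexdigest(),
                          source, self._now())
        self._consents.setdefault(subject, []).append(consent)
        self._log("consent_given", subject, purpose=purpose, source=source,
                  text_sha256=consent.text_sha256)

    def has_consent(self, phone: str, purpose: str) -> bool:
        """Consent is purpose-specific: a record for another purpose never counts."""
        return any(c.active() and c.purpose == purpose
                   for c in self._consents.get(subject_key(phone), []))

    def handle_inbound(self, phone: str, text: str) -> bool:
        """Process a customer reply; 'STOP' (any case, surrounding spaces ignored)
        withdraws marketing consent. Returns True if a withdrawal was applied."""
        if text.strip().upper() != "STOP":
            return False
        subject = subject_key(phone)
        withdrawn = 0
        for c in self._consents.get(subject, []):
            if c.active() and c.purpose == MARKETING:
                c.withdrawn_at = self._now()
                withdrawn += 1
        self._log("consent_withdrawn", subject, purpose=MARKETING, count=withdrawn)
        return withdrawn > 0

    def prepare_marketing(self, phone: str, body: str) -> str | None:
        """Gate every marketing send on an active opt-in and append the opt-out."""
        subject = subject_key(phone)
        if not self.has_consent(phone, MARKETING):
            self._log("marketing_blocked", subject, reason="no active consent")
            return None
        self._log("marketing_sent", subject)
        return body + OPT_OUT_FOOTER


def demo() -> dict:
    """Constructed scenario: one customer opted in on the website form, another
    only left a phone number at checkout (contractual basis, no marketing opt-in)."""
    ledger = ConsentLedger()
    opted_in, checkout_only = "+905551112233", "+905554445566"
    ledger.record_opt_in(opted_in, MARKETING, CONSENT_TEXT_V1, "website_form", True)
    result = {
        "first_send": ledger.prepare_marketing(opted_in, "Hafta sonu %20 indirim!"),
        "checkout_only_send": ledger.prepare_marketing(checkout_only, "Hafta sonu %20 indirim!"),
        "stop_applied": ledger.handle_inbound(opted_in, " stop "),
        "send_after_stop": ledger.prepare_marketing(opted_in, "Yeni kampanya!"),
        "prechecked_rejected": False,
    }
    try:
        ledger.record_opt_in(opted_in, MARKETING, CONSENT_TEXT_V1, "prechecked_box", False)
    except ValueError:
        result["prechecked_rejected"] = True
    result["events"] = [e["event"] for e in ledger.audit]
    return result
```

The audit list is what an inspector would ask for: when consent was given, from which source, against which wording (by hash), when it was withdrawn, and every send that was allowed or blocked. Storing a keyed hash of the number rather than the number itself keeps the ledger out of scope for most disclosure incidents while still letting the send path check consent.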
AI Disclosure Requirements
KVKK Article 11(g) gives data subjects the right to object to an outcome against them that is produced by analysing their data exclusively through automated systems, which is why a human escalation path matters. Beyond that KVKK obligation, Meta's WhatsApp Business Policy requires businesses not to deceive users about whether they are talking to a human or a bot.
Your chatbot's greeting message must include clear AI disclosure. Standard compliant language:
"Merhaba! Ben [işletme] yapay zeka asistanıyım. Size hızla yardımcı olmak için buradayım. İstediğiniz zaman insan temsilciyle görüşebilirsiniz."
(English: "Hello! I am [business]'s AI assistant. I am here to help you quickly. You can speak with a human representative at any time.")
Privacy Notice Requirements for Chatbot Users
Under KVKK Article 10, data subjects must be informed at the time of data collection. For chatbots, this means your privacy notice (Aydınlatma Metni) must be accessible at the start of the chatbot conversation. Best practice:
- Include a link to your full privacy notice in the chatbot greeting message
- The notice must cover at minimum what Article 10 requires: the identity of the data controller, the purpose of processing, to whom and for what purpose data may be transferred, the method and legal basis of collection, and the data subject's Article 11 rights; stating what the chatbot collects and how long it is kept is also good practice
- For WhatsApp: note that WhatsApp itself has separate data practices, and that you are responsible for the data you collect and process through the channel; because messages pass through WhatsApp's servers outside Turkey, this also involves a transfer of personal data abroad, which needs its own basis under KVKK Article 9
Data Processing Agreement with Your Platform Provider
Under KVKK Article 12, data controllers must take appropriate technical and organizational security measures, and must ensure data processors do the same. You need a written Data Processing Agreement (Veri İşleme Sözleşmesi) with your chatbot platform provider that specifies:
- What data the processor processes on your behalf
- The processor's security obligations
- Restrictions on the processor using your data for other purposes
- Sub-processor disclosure (if your platform uses third-party services)
- Data deletion obligations upon termination of the service
- Cooperation in the event of a data breach
Cortex provides a standard KVKK-compliant Data Processing Agreement to all customers operating in Turkey. Review and execute this agreement before going live — do not launch a chatbot that processes personal data without it.
Retention and Deletion Policy
KVKK requires that personal data is deleted, destroyed, or anonymized when the processing purpose ends or the retention period expires (Article 7). For chatbot data, you must define:
- How long you retain conversation logs (suggested starting points: 12 months for service logs, 24 months for lead records; each period must be justified by its purpose and written into your retention and destruction policy)
- How you will delete data when requested (right to erasure under Articles 7 and 11)
- How you ensure your platform provider also deletes data upon your instruction
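A retention policy only counts if something executes it. The following is an added example, not part of the original page and not Cortex's product: a scheduled purge that deletes or anonymizes expired records per data class (Article 7 permits anonymization in place of deletion), plus an erasure-request handler that removes what can be removed and records a reasoned refusal for data still held under a legal obligation, such as invoice data within its tax-law retention period. The 12-month, 24-month and 5-year periods are taken from the suggestions and example above; the record contents and subject identifiers are constructed.

```python
"""Retention purge and erasure requests for chatbot data (added example, not Cortex code)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    legal_basis: str           # KVKK Article 5 basis the data is held under
    keep_for: timedelta
    erasable_on_request: bool  # False where a legal obligation overrides erasure
    anonymize: bool = False    # Article 7: anonymize instead of delete on expiry


# Assumed policy values: 12/24 months are the article's suggestions, 5 years is
# the tax-law invoice example. Your own periods must be documented.
POLICY: dict[str, RetentionRule] = {
    "conversation_log": RetentionRule("legitimate_interest", timedelta(days=365), True, anonymize=True),
    "lead_record": RetentionRule("explicit_consent", timedelta(days=730), True),
    "invoice": RetentionRule("legal_obligation", timedelta(days=5 * 365), False),
}


@dataclass
class Record:
    record_id: str
    subject: str | None        # None once anonymized: no longer personal data
    kind: str
    created: date
    content: str


def expired(records: list[Record], today: date) -> list[Record]:
    """Records whose retention period has elapsed and must be deleted or anonymized."""
    return [r for r in records if today - r.created > POLICY[r.kind].keep_for]


def purge(records: list[Record], today: date) -> tuple[list[Record], list[dict]]:
    """Scheduled run: delete or anonymize expired records, emitting a destruction log.
    Anonymization only works if the fields you keep are themselves non-identifying,
    so the free-text content is dropped along with the subject reference."""
    kept, log = [], []
    for r in records:
        rule = POLICY[r.kind]
        if today - r.created <= rule.keep_for:
            kept.append(r)
            continue
        if rule.anonymize:
            kept.append(replace(r, subject=None, content=""))
            log.append({"record": r.record_id, "action": "anonymized", "on": today.isoformat()})
        else:
            log.append({"record": r.record_id, "action": "deleted", "on": today.isoformat()})
    return kept, log


def erasure_request(records: list[Record], subject: str, today: date) -> tuple[list[Record], list[dict]]:
    """Data subject asks for deletion: erase what can be erased and record a reasoned
    refusal for data still inside a legal-obligation retention period."""
    kept, log = [], []
    for r in records:
        if r.subject != subject:
            kept.append(r)
            continue
        rule = POLICY[r.kind]
        if rule.erasable_on_request or today - r.created > rule.keep_for:
            log.append({"record": r.record_id, "action": "deleted", "reason": "data subject request"})
        else:
            until = (r.created + rule.keep_for).isoformat()
            kept.append(r)
            log.append({"record": r.record_id, "action": "retained",
                        "reason": f"{rule.legal_basis}: retention until {until}"})
    return kept, log


def demo() -> dict:
    """Constructed dataset: customer subj-a has an old chat log, a lead record and
    an invoice; customer subj-b has a recent chat log."""
    today = date(2025, 6, 1)
    records = [
        Record("c1", "subj-a", "conversation_log", date(2024, 1, 15), "Merhaba, rezervasyon yapmak istiyorum"),
        Record("l1", "subj-a", "lead_record", date(2024, 9, 1), "Ayşe, +90555..."),
        Record("i1", "subj-a", "invoice", date(2023, 3, 1), "Fatura no 2023-0001"),
        Record("c2", "subj-b", "conversation_log", date(2025, 5, 20), "Çalışma saatleriniz?"),
    ]
    after_purge, purge_log = purge(records, today)
    after_erasure, erasure_log = erasure_request(after_purge, "subj-a", today)
    return {
        "expired_ids": sorted(r.record_id for r in expired(records, today)),
        "purge_actions": {e["record"]: e["action"] for e in purge_log},
        "erasure_actions": {e["record"]: e["action"] for e in erasure_log},
        "remaining_ids": sorted(r.record_id for r in after_erasure),
    }
```

Two outcomes in the demo are worth noticing. The invoice survives the erasure request with a logged reason and an end date, which is exactly the documentation you need when the customer, or the Board, asks why it was not deleted. The anonymized chat log also survives, because once the subject reference and free text are gone it is no longer personal data and the erasure request no longer reaches it. Both logs should go to the same append-only store as your other processing records, and the same instruction must be sent to your platform provider so its copies follow the same schedule.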
KVKK Compliance Implementation Checklist
Before launching your AI chatbot:
- KVKK-compliant opt-in mechanism in place (website, booking form, or CRM) for marketing communications
- AI disclosure in chatbot greeting message
- Privacy notice link accessible from chatbot interaction
- Data Processing Agreement executed with platform provider
- Retention periods defined and documented
- Data deletion process tested and documented
- Staff trained on handling KVKK data subject requests (access, correction, deletion)
- Incident response process in place for data breaches
- Registration with the Data Controllers Registry (VERBİS) if applicable: required if you have more than 50 employees or exceed the Board's annual balance-sheet threshold, and regardless of size if your main activity is processing special category data
Special Category Data: Healthcare and Other Sensitive Sectors
If your chatbot operates in healthcare, legal, financial services, or any sector involving sensitive personal data, additional requirements apply under KVKK Article 6:
- Explicit consent is the default basis for health, biometric, or other special category data processing; implied consent is never enough, and the exceptions Article 6 allows without consent (for example, health data processed for diagnosis and treatment by persons under a confidentiality obligation) are narrow and rarely cover a third-party chatbot
- Processing must serve a specific, documented legitimate purpose
- Data must be protected with enhanced security measures
- Healthcare chatbots: must not store clinical information without explicit patient consent to that specific purpose
How Cortex Supports KVKK Compliance
Cortex provides Turkish businesses with:
- Pre-built KVKK-compliant consent flow templates for all sectors
- AI disclosure language integrated into greeting templates
- Data Processing Agreement (standard and sector-specific versions)
- Data export and deletion tools for responding to data subject requests
- Audit log for all data access and processing activities
- Privacy notice template for chatbot data processing
Start your free trial at duzenal.com — KVKK compliance templates and Data Processing Agreement included. Or book a compliance-focused demo to see the consent flow and audit trail in action for your specific sector and use case.