Personal Data Protection Law - KVKK

Let’s take the first step together and achieve KVVK compliance together. We are here every step of the way.

+ 0
0 %
Success Rate

What is KVKK? How is the KVKK compliance process carried out?

Personal Data Protection Law - KVKK

Within the scope of Law No. 6698 on the Protection of Personal Data, we carry out KVKK compliance processes for all persons and organizations that are obliged to store data and register to the VERBIS system.

The main source of the Law on the Protection of Personal Data within the scope of the KVKK compliance process for companies is the Law No. 6698 on the Protection of Personal Data, which entered into force after being published in the Official Gazette dated April 7, 2016.

The Law firstly defines the concept of personal data. Accordingly, in relation to the question of what KVKK means, personal data refers to all kinds of information relating to an identified or identifiable natural person. Companies access the personal data of many people as a result of their commercial activities. According to the Law, the legal entity of the company is the data controller in relation to this data. Data controller is defined as the person who determines the purposes and means of data processing and is responsible for the establishment and management of the data recording system. In this context, the responsibilities arising from the Law must be fulfilled. It is useful to share some basic information on how companies will carry out the KVKK compliance process in line with the KVKK and related legislation, on KVKK consultancy and what needs to be done:

Data controller companies process the data of 3 different categories of persons in the capacity of data controller. These are;

  • Company personnel and job applicants,
  • Customers,
  • Business partners, suppliers and consultants.

Within the scope of the KVKK compliance process for companies, companies are under the obligation to protect the data of the persons in these three groups through the persons providing KVKK consultancy services. The content of this protection is basically; processing, storing, sharing, deleting and anonymizing personal data in accordance with the Law. However, it is also important to establish the necessary technical infrastructure for the platforms where personal data is processed and stored and to take measures against possible cyber-attacks.

The processing of personal data is only possible with the explicit prior consent of the person whose data is to be processed. Although there are exceptions to this rule, explicit consent is generally required. In this regard, some documents should be prepared and studies should be carried out.

Disclosure text refers to the text that includes the purpose for which the information is obtained, in which environments the data is stored, who has access to this data, and to whom the data can be transferred. Data policy and data destruction policies must also be included in this text. The company is required to prepare a disclosure text for the following persons;

  • Staff or job applicants
  • Customers
  • The public and third parties

After the disclosure text is shared, the condition of obtaining the explicit consent of the persons must be fulfilled. Explicit consent must be obtained before the data is processed. Explicit consent can be obtained both in writing and online. Companies that collect data using websites must make the necessary arrangements to allow the data subjects to consent to the processing of personal data online after ensuring that the disclosure text is read on the site where the data is collected.

Companies with active websites must have privacy and cookie policies on their websites.

Business partners, suppliers, accountants, call centers, etc. It is necessary to conclude a confidentiality agreement with the support of a KVKK consultancy lawyer.

Data controllers have the obligation to implement a number of necessary protection measures regarding the data they process. The technological infrastructure needed against cyber-attacks should be established and auditing activities should be carried out. Otherwise, it is possible to face criminal and legal sanctions. Companies have obligations arising from the Law such as establishing the confidentiality of the data of their employees and customers, preventing unauthorized access to such data by others, and establishing the necessary technical infrastructure for this purpose. Even if the employer receives services from another workplace or company in order to ensure data security, this does not eliminate the company’s own responsibility.

In order for companies to use the contact information they have obtained regarding their customers to send commercial electronic messages to these persons, the explicit consent of the persons concerned must be obtained in accordance with the LPPD. The provisions of the Regulation Amending the Regulation on Commercial Communication and Commercial Electronic Messages have made it obligatory for companies wishing to send commercial electronic messages to register with the Message Management System. IYS is a national database where companies can maintain and manage their commercial message permissions such as calls, messages and e-mails, and where recipients can view, remove and store their permissions.

Obligations of Companies Regarding the Message Management System

The explicit consent of customers regarding data processing must be obtained online through IYS. If the company has obtained the explicit consent of the customer not through the system but through its own means, it must record the consent statement it has received within three business days in the Message Management System, with the burden of proof belonging to it.

Consents not recorded in the Message Management System are deemed invalid. It is against the Law to send commercial electronic messages to customers whose consent has not been obtained. The deadline for registering the consents already in the IYS is May 31, 2021. Consents not registered in the system before this date will be deemed invalid and sending commercial electronic messages to these recipients will be in violation of the Law.

Pursuant to the Regulation, companies are obliged to keep the consent records related to commercial electronic messages sent to the electronic communication addresses of recipients in order to promote and market their products and services or to increase their awareness with content such as congratulations and wishes for three years from the date the consent ceases to be valid, and other records related to commercial electronic messages for three years from the date of recording.

The first condition for the transfer of personal data abroad is to obtain the explicit consent of the data subject. Apart from this, it is necessary to investigate whether the country where the personal data will be shared can provide adequate protection for this data and if it is determined that it cannot, data sharing should not be carried out.

The Personal Data Protection Board notifies the countries that provide adequate protection for data sharing. If data will be shared with a country that is not included in this list, a decision should be made by evaluating international agreements, the principle of reciprocity and the protection measures undertaken by the data controller to be shared. In particular, sharing personal data of multinational companies with the headquarters or subsidiary abroad in violation of these obligations may result in liability in accordance with the LPPD.

Companies are obliged to register with VERBIS under the name of data controller. Companies are not obliged to upload all the data they process to VERBIS. Their obligation in this regard is only to notify general information about the data they process. In order to make this notification, a categorized inventory of all data recorded by the company should be made and their types should be determined, information regarding the purpose and duration of data processing and data retention should be provided, and a notification should be made regarding other issues such as to whom the data can be transferred. In case of any hesitation on the subject, support can be obtained from the relevant lawyers within the KVKK consultancy law firm. The information that must be recorded in VERBIS is as follows:

Identity and address information of the data controller and its representative, if any,
The purpose of processing to be determined within the scope of the reason for the use of personal data,
The time that may be needed according to the reason for processing personal data,
Information on the communities of data subjects and the categories of data relating to them,
The recipient communities to which personal data may be transferred,
Personal data to be shared with foreign countries,
Measures implemented to ensure personal data protection

In the event that the personal data processed within the scope of the KVKK compliance process regarding the companies are unlawfully obtained by others, the data controller is obliged to notify the Personal Data Protection Authority within 72 hours. This notification can be made through the website of the Authority. In the event that the data controller identifies the data subjects whose data has been breached, it must also notify them as soon as possible.

Personal Data Protection Law - KVKK

Play Video
"We are with you whenever you need us"
Av. Orhan Oğuzhan Ensari

Three Steps to Winning a Case

For Speed and Success in Your Legal Processes

We are ready to advise and manage your legal disputes with our reliable and professional team.



Our fundamental principle is to protect the rights and interests of our clients under all circumstances.



We are at your side with all our experience and know-how for the fast and correct conclusion of the lawsuit and other processes.



We strive to resolve legal disputes as quickly as possible, saving our clients’ time and budget.

You can contact us by filling out the form below.

Thoughts About Us

Client Testimonials

Why us?

Discover What We Do Better

We carry out KVKK processes with our references and professional team consisting of organizations in different sectors.

Important things to know

Field Related Questions and Answers

Legal entities that process data in line with their activities are required to register with the Data Controllers Registry (VERBIS).

We carry out the entire process with our experienced lawyers and IT experts.

Failure to register with the Registry within the prescribed period may result in an administrative fine of up to TL 1,000,000.

After or before completing your KVKK compliance process, we provide training at your workplace and carry out legal consultancy activities after the process.

Our Experienced Fields

Our Services

We Will Be There When You Need Us

Let us carry out your consultancy, execution and litigation processes together.

You can contact us by filling out the form below.