Do Your Safety Measures Meet KVKK Requirements?


Thanks to end-to-end compliance and data protection solutions offered by VeriSistem®, you can step into a more successful digital future by securing your processes regarding personal data.

New technologies have led to significant changes in our daily lives. These changes are reflected in new rules and laws on privacy and security. Today, both public institutions and the private sector have access to various information belonging to thousands of people in the course of their business. The information obtained can be processed and transmitted easily as a result of the rapid developments in information technologies.

By increasing the requirements of companies in terms of privacy and security, this transformation made digitalization inevitable. This necessity can also be seen by various organizations as a "technological restructuring" opportunity. Due to the Turkish Personal Data Protection Law (KVKK), which was introduced in 2016, organizations that do not have enough infrastructure and knowledge in the area of privacy and security have started to focus on this area.

Personal data protection is directly related to the right to privacy, which is one of the fundamental human rights. Before KVKK, the rules on personal data protection were specified in the Turkish Criminal Code, the Constitution and other relevant legislation. Personal Data Protection Law No. 6698 is the most important legal regulation with the most severe sanctions.

What is KVKK?

Personal data rules and regulations defined for Turkey



Turkish Personal Data Protection Law


Effective Date

April 07, 2016


Our consultancy services on the Turkish Personal Data Protection Law identify risks that may arise due to legal non-compliance and enable you to take the necessary technical and administrative measures for the processing and protection of all kinds of personal data in accordance with the law.

Legal responsibility and basic principles

Negligence and breach of the protection of personal data impose heavy legal and criminal liabilities on business organizations. For example, as of 2019, sanctions of up to 100.000 TL are applied in case of breach of the disclosure obligation, and sanctions of up to 1.000.000 TL shall be applied in case of breach of the VERBIS registration and notification obligation. If personal data are not destroyed within the specified period, imprisonment of up to 2 years shall be imposed, and in case of unlawful action, imprisonment of up to 4 years. Similarly, in the case of compliance issues with GDPR, high penalty fines are imposed, up to 4% of the company's global turnover for the previous year or up to 20,000,000 EUR.

The basic principles for the processing of personal data should be included in all kinds of data processing activities and such activities should be carried out in accordance with these principles:

Legal compliance with good faith and honesty

Being accurate and up to date

Processing for specific, clear and legitimate purposes

Being relevant, limited and proportionate to the purpose for which they are processed

Data minimization & storing minimum data

Legal retention periods & purpose for processing data

In the process of compliance with the Personal Data Protection Law, first of all, awareness should be created about privacy and security and data security should be made a part of corporate culture. Organizations exchange information on personal data in many areas from production to sales of products and services, from purchasing to financial processes. For example, the population of Istanbul was over 15 million in 2018. Personal data and sensitive personal data of all people living in Istanbul are processed for various purposes. This indicates the intensity of personal data and sensitive personal data.

What can you achieve with digital transformation and compliance process?

Heavy penal sanctions, cyber threats, and the unlimited and fast information needs of the information society necessitate digital transformation. Organizations that complete their technical and administrative processes within the compliance period will have the following commercial advantages.

Business organizations that complete the necessary compliance processes and protect their data by establishing the policies, procedures and infrastructure of privacy and security processes will significantly reduce risks.

Today, the most important part of customer satisfaction is digitalization. Fast and secure digital interaction of the clients with the organization enhances loyalty and trust to a great extent.

Fast and secure sharing of accurate information enhances agility within the organization and strengthens employee commitment through faith and trust.

Your data, which must be kept confidential, are generated through the exchange of information between you and your employees, their families, clients, suppliers and any other third-party organizations. Digital transformation requires fundamental changes in the services you provide in all areas of your business and in operations of any kind. This new cultural formation will only be possible by radically changing the status quo that provides administrative and operational comfort in your organization.

Penalty fines imposed in case of KVKK breach

In case of breach of the disclosure obligation:

2016 (amount stipulated in the law): 5.000 ₺ - 100.000 ₺
2021 (current amount): 9.834 ₺ - 196.686 ₺

In case of breach of data security obligations:

2016 (amount stipulated in the law): 15.000 ₺ - 1.000.000 ₺
2021 (current amount): 29.503 ₺ - 1.966.862 ₺

In case of non-compliance with the decisions of the Board:

2016 (amount stipulated in the law): 25.000 ₺ - 1.000.000 ₺
2021 (current amount): 49.172 ₺ - 1.966.862 ₺

In case of breach of the VERBIS registration and notification obligation:

2016 (amount stipulated in the law): 20.000 ₺ - 1.000.000 ₺
2021 (current amount): 39.337 ₺ - 1.966.862 ₺

Sanctions arising from the Turkish Criminal Code

In case of illegal processing of personal data

Prison sentence of 1 to 3 years; the penalty for sensitive personal data is increased by half

In case of providing or obtaining data illegally

Prison sentence of 2 to 4 years

In case personal data are not purged within the period specified by law

Prison sentence of 1 to 2 years

At the center of the Turkish Personal Data Protection Law, there is an organizational discipline that consists of administrative and technical measures related to data protection in general. In order to place this discipline in every stage of the organization, the road map in the process of digitalization must be specified in detail.

How does the compliance process progress?


Strategic planning, gap analysis, questionnaires


Awareness trainings


Preparation of data inventory and determination of responsibilities


Review and development of policies and procedures


Submission of compliance report


Governance, monitoring, auditing and updates

Preparation Assessment - GAP Analysis

In order to complete a successful compliance process, we analyze the current situation of the organization in detail and prepare a roadmap covering all stages.

Scored assessment and graphical analysis for the assessment of the current situation

Audit checklist prepared as a result of assessment

Process checklist (which data are used; where and for what purpose they are used)

Examining your Binding Corporate Rules (BCR) that ensure the transfer and protection of the data you transfer abroad and improving necessary areas


The contents provided in this article serve informative purposes only. The article is confidential and the property of CottGroup® and all of its affiliated legal entities. Quoting any of the contents without credit being given to the source is strictly prohibited. Regardless of all the precautions taken and the importance placed on the preparation of this article, CottGroup® and its member companies cannot be held liable for the application or interpretation of the information provided. It is strictly advised to consult a professional for the application of the above-mentioned subject.

Please consult your client representative if you are a customer of CottGroup® or consult a relevant party or an expert prior to taking any action in regards to the above content.
