Do Your Safety MeasuresMeet KVKK Requirements?


Thanks to end-to-end compliance and data protection solutions offered by Verisistem®, you can step into a more successful digital future by securing your personal data processes.

New technologies have led to significant changes in our daily lives. The reflections of these changes appear as new rules and laws on privacy and security. Today, both public institutions and private sector have access to various information belonging to thousands of people within the scope of the performed business. This information obtained can be processed and transmitted easily as a result of the rapid developments in information technologies.

By increasing the requirements of companies in terms of privacy and security, this transformation made digitalization compulsory. This necessity can also be seen by various organizations as a "technological restructuring" opportunity. Due to the Personal Data Protection Law (KVKK), which has introduced in 2016, organizations that do not have enough infrastructure and knowledge in the area of privacy and security have started to focus on this area.

Personal Data Protection is directly related to the right of privacy, which is one of the fundamental human rights. Before KVKK, the rules on the Personal Data Protection were to specify with Turkish Penal Code, Constitution and other environmental legislation. Personal Data Protection Law No. 6698 is the most important legal regulation with the most severe sanctions.

What is KVKK?

Personal data rules that defined for Turkey



Personal Data Protection Law


Effective Date

April 07, 2016

KVKK Başlangıç Tarihi

Our consultancy services on Personal Data Protection Law identify risks that may arise due to legal non-compliance and provide you to take the necessary technical and administrative measures for the processing and protection of all kinds of personal data in accordance with the law.

Legal Responsibility and Basic Principles

Negligence and breach of the protection of personal data imposes heavy legal and criminal responsibilities on businesses. For example, as of 2019, sanctions up to 100.000 TL are applied in case of breach of the disclosure requirement; sanctions up to 1.000.000 TL shall be applied in case of breach of the obligation of VERBIS registration and notification. If the personal data is not destroyed within the specified period, imprisonment of up to 2 years and in case of unlawful action shall be sentenced to up to 4 years. Similarly, in the case of compliance issues with GDPR, high fines are imposed, up to 4% of the company's global turnover for the previous year or up to € 20,000,000.

The basic principles for the processing of personal data should be included in all kinds of data processing activities and such activities should be carried out in accordance with these principles:

Legal compliance with good faith

Being accurate and current

Processing for specific, clear and legitimate purposes

Being connected, limited and restrained related to the purpose they are processed

Data minimization & storing minimum data

Legal retention periods & purpose for processing data

In the process of compliance with the Personal Data Protection Law, first of all, awareness should be created about privacy and security and data security should be made a part of corporate culture. Companies exchange information on personal data in many areas from production to sales of products and services, from purchasing to financial processes. For example, the population of Istanbul was over 15 million in 2018. Personal data and sensitive personal data of all people living in Istanbul are processed for various purposes. This indicates the intensity of personal data and sensitive data of a special nature.

What can you achieve with digital transformation and compliance process?

Heavy penal sanctions, cyber threats, unlimited and fast information needs of the information society necessitate digital transformation. Institutions that have completed their technical and administrative processes within the compliance period, will have the following commercial advantages.

To complete the necessary compliance processes and protect their data, businesses that have completed requirements by making the policies, procedures and infrastructure of privacy and security processes will significantly reduce risks.

Nowadays, the most important part of customer satisfaction is digitalization. Customers' fast and secure digital interaction with the organization greatly enhances loyalty and trust.

Fast and secure sharing of accurate information enhances the agility within the organization, employee commitment with faith and trust.

Your data, which must be kept confidential, is generated through the exchange of information between you and your employees, their families, customers, suppliers and any other third-party organization. Digital transformation requires substantial changes to the services you provide in all areas of your business and any operations. This new cultural formation will be possible by radically changing the status quo that provides administrative and operational comfort in your company.

Penalty fines in case of KVKK breach

In case disclosure obligation is contradicted;

2016 (Amount in the Law) :
5.000 ₺ - 100.000 ₺
2016 (Kanunda)
2020 (Current Amount) :
9.013 ₺ - 180.264 ₺

In case of breach on Data Security obligations;

2016 (Amount in the Law) :
15.000 ₺ - 1.000.000 ₺
2020 (Current Amount) :
27.040 ₺ - 1.802.641 ₺

In case of contradiction with the decisions of the Board;

2016 (Amount in the Law) :
25.000 ₺ - 1.000.000 ₺
2020 (Current Amount) :
45.066 ₺ - 1.802.641 ₺

In case of breach of the obligation of VERBIS registration and notification;

2016 (Amount in the Law) :
20.000 ₺ - 1.000.000 ₺
2020 (Current Amount) :
36.053 ₺ - 1.802.641 ₺

Sanctions arising from the Turkish Penal Code

In case of illegal processing of personal data

1 up to 3 years sentence to prison, the penalty for sensitive data is increased by half

In case of providing or obtaining data illegally

2 up to 4 years sentence to prison

In case of non-purging of personal data within the period specified by law

1 up to 2 years sentence to prison

At the heart of the Personal Data Protection Law, there is an organizational discipline of administrative and technical measures to protect data in general. In order to place this discipline in every stage of the organization, the roadmap in the process of digitization must be determined in detail.

How does the compliance process progress?


Strategic planning, gap analysis, questionnaires


Awareness trainings


Preparation of data inventory and determination of responsibilities


Review and development of policies and procedures


Submission of compliance report


Governance, monitoring, auditing and updates

Preparation Assessment - GAP Analysis

In order to complete a successful compliance process, we analyze the current situation of the organization in detail and prepare a roadmap covering all stages.

Scored assessment and graphical analysis for the assessment of the current situation

Audit checklist prepared as a result of assessment

Process checklist (which data is used; where and for what purpose it is used)

Check and revise the Binding Corporate Rules (BCR) in relation with abroad transfer and protection measures of the personal data