Do Your Safety Measures Meet KVKK Requirements?


Thanks to end-to-end KVKK compliance and data protection solutions offered by VeriSistem®, you can step into a more successful digital future by securing your processes regarding personal data.

New technologies have led to significant changes in our daily lives. These changes are reflected in new rules and laws on privacy and security. Today, both public institutions and the private sector have access to various information belonging to thousands of people within the scope of the business they perform. The information obtained can be processed and transmitted easily as a result of the rapid developments in information technologies.

By increasing the requirements of companies in terms of privacy and security, this transformation made digitalization inevitable. This necessity can also be seen by various organizations as a "technological restructuring" opportunity. Due to the Turkish Personal Data Protection Law (KVKK) introduced in 2016, organizations that do not have enough infrastructure and knowledge in the area of privacy and security have started to focus on this area.

Personal Data Protection is directly related to one of the fundamental human rights: the right to privacy. Before KVKK, the rules on Personal Data Protection were specified by the Turkish Criminal Code, the Constitution and other relevant legislation. Personal Data Protection Law No. 6698 is the most important legal regulation with the most severe sanctions.

What is KVKK?

Personal data rules and regulations defined for Türkiye



Turkish Personal Data Protection Law


Effective Date

April 07, 2016

Our consultancy services on the Turkish Personal Data Protection Law identify risks that may arise due to legal non-compliance and allow you to take the necessary technical and administrative measures for the processing and protection of all kinds of personal data in a lawful manner.

Legal responsibility and basic principles

Negligence and breach of the protection of personal data impose heavy legal and criminal liabilities on business organizations. For example, as of 2024, sanctions up to 946,308 TRY are applied in case of breach of the disclosure obligation; sanctions up to 9,463,213 TRY are applied in case of breach of the VERBIS registration obligation and notification. If personal data are not destroyed within the specified period, imprisonment of up to 2 years is imposed, and in case of unlawful action, imprisonment of up to 4 years. Similarly, in the case of compliance issues with GDPR, high penalty fines are imposed, up to 4% of the company's global turnover for the previous year or up to 20,000,000 EUR.

The basic principles for the processing of personal data should be followed in all kinds of data processing activities and such activities should be carried out in accordance with these principles:

Legal compliance with good faith and honesty

Being accurate and up to date

Processing for specific, clear and legitimate purposes

Being relevant, limited and proportionate to the purposes they are processed for

Data minimization & storing minimum data

Legal retention periods & purpose for processing data

In the process of compliance with the Personal Data Protection Law, first of all, awareness about privacy and security should be built, and data security should be made a part of corporate culture. Organizations exchange information on personal data in many areas from production to sales of products and services, from purchasing to financial processes. For example, the population of Istanbul was over 15 million in 2018. Personal data and sensitive personal data of all people living in Istanbul are processed for various purposes. This indicates the intensity of personal data and sensitive personal data.

What can you achieve with digital transformation and compliance process?

Heavy penal sanctions, cyber threats, and the unlimited and fast information needs of the information society have necessitated digital transformation. Organizations that complete their technical and administrative processes within the compliance period will have the following commercial advantages.

Business organizations that aim to complete compliance processes and protect data, and that have thus fulfilled the requirements by establishing privacy and security policies, procedures, and infrastructure developments, will achieve significant risk reduction.

Today, the most important part of customer satisfaction is digitalization. Fast and secure digital interaction of the clients with the organization enhances loyalty and trust to a great extent.

Fast and secure sharing of accurate information enhances the agility within the organization, employee commitment, faith, and trust.

Your data, which must be kept confidential, are generated through the exchange of information between you and your employees, their families, clients, suppliers, and any other third-party organizations. Digital transformation requires fundamental changes in the services you provide in all areas of your business and in operations of any kind. This new cultural formation will only be possible by radically changing the status quo that provides administrative and operational comfort in your organization.

Penalty fines imposed in case of KVKK breach

In case of breach of the disclosure obligation;

2016 (Amount Stipulated in the Law): 5,000 ₺ - 100,000 ₺
2024 (Current Amount): 47,303 ₺ - 946,308 ₺

In case of breach of Data Security obligations;

2016 (Amount Stipulated in the Law): 15,000 ₺ - 1,000,000 ₺
2024 (Current Amount): 141,934 ₺ - 9,463,213 ₺

In case of non-compliance with the decisions of the Board;

2016 (Amount Stipulated in the Law): 25,000 ₺ - 1,000,000 ₺
2024 (Current Amount): 236,557 ₺ - 9,463,213 ₺

In case of breach of VERBIS registration obligation and notification;

2016 (Amount Stipulated in the Law): 20,000 ₺ - 1,000,000 ₺
2024 (Current Amount): 189,245 ₺ - 9,463,213 ₺

Sanctions arising from the Turkish Criminal Code

In case of illegal processing of personal data

1 to 3 years of imprisonment; the penalty for sensitive personal data is increased by half

In case of providing or obtaining data illegally

2 to 4 years of imprisonment

In case of failure to destroy personal data within the period specified by law

1 to 2 years of imprisonment

At the center of the Turkish Personal Data Protection Law, there is an organizational discipline that consists of administrative and technical measures related to data protection in general. In order to place this discipline in every stage of the organization, the road map in the process of digitalization must be specified in detail.

Technical Measures

The technical measures proposed in the guidelines of the Turkish Personal Data Protection Authority are summed up as follows:

Authorization Matrix

Authorization Control

Access Logs

User Account Management

Network Security

Application Security


Penetration Test

Intrusion Detection and Prevention Systems (IDS & IPS)

Log Records

Data Masking

Data Loss Prevention (DLP) Software



Up-To-Date Anti-Virus Systems

Deletion, Destruction, or Anonymization

Key Management

Administrative Measures

The administrative measures proposed in the guidelines of the Turkish Personal Data Protection Authority are summed up as follows:

GAP Analysis

Awareness Training

Process Analysis

Preparation of Policies and Procedures

Preparation of Personal Data Processing Inventory

VERBIS Registration

Compliance with General Principles

Relationship Management with Data Processors

How does the KVKK compliance process progress?


Strategic planning, gap analysis, questionnaires


Awareness trainings


Preparation of data inventory and identifying responsibilities


Review and development of policies and procedures


Submission of compliance report


Governance, monitoring, auditing, and updates

Preparation Assessment - GAP Analysis

In order to complete a successful compliance process, we analyze the current situation of the organization in detail and prepare a roadmap covering all stages.

Scored assessment and graphical analysis for the assessment of the current situation

Audit checklist prepared as a result of assessment

Process checklist (which data are used, where and for what purpose they are used)

Examining your Binding Corporate Rules (BCR) that ensure the transfer and protection of the data you transfer abroad and improving necessary areas


Contents provided in this article serve informative purposes only. The article is confidential and property of CottGroup® and all of its affiliated legal entities. Quoting any of the contents without credit being given to the source is strictly prohibited. Regardless of all the precautions and care put into the preparation of this article, CottGroup® and its member companies cannot be held liable for the application or interpretation of the information provided. It is strictly advised to consult a professional for the application of the above-mentioned subject.

Please consult your client representative if you are a customer of CottGroup® or consult a relevant party or an expert prior to taking any action in regards to the above content.
