What Companies Should Do in the KVKK (Law on the Protection of Personal Data) Compliance Process

According to the Law on the Protection of Personal Data (KVKK) No. 6698, personal data is defined as any information relating to an identified or identifiable natural person. Many people have access to their personal data within the scope of commercial activities of companies. In terms of these data, the legal entity of the company is the data controller within the scope of KVKK. The data controller is the person who determines the purposes and means of processing the data and is responsible for the establishment and management of the data recording system. In this context, it must fulfill its responsibilities arising from the Law. Below are general explanations on how companies will complete the KVKK compliance process and what needs to be done within the scope of KVKK and related legislation.

Companies process the data of people in 3 different categories as data controllers. These are;

  • Company employees and job applicants,
  • Customers,
  • Business partners, suppliers and consultants.

Companies are obliged to protect the data of individuals belonging to these three groups. The scope of this protection is possible by processing, storing, sharing, deleting and anonymizing personal data in accordance with the Law. Likewise, it is important to take protection measures against cyber attacks by establishing the necessary technological infrastructure for the environments where data is processed and stored.

The processing of personal data is only possible with the prior consent of the person concerned. Although there are exceptions to this rule, express consent is usually required. It is necessary to prepare some documents and work on this subject. These are;

1) Preparation of the Clarification Text

It is a text that includes for what purpose the information is obtained, where the data is stored, who can access this data, and to whom the data can be transferred. Data policy and data destruction policies should also be included in this text. The company should prepare a clarification text for the following people;

  • employees(workers) or job applicants
  • customers
  • public opinion and third parties

After the disclosure text is shared, the Explicit Consent of the people must be obtained. Explicit consent must be obtained before the data is processed. Explicit consent can be obtained in written form or online. Companies that collect data through their websites are required to make arrangements in a way that allows the relevant persons to allow the processing of personal data online, after reading the Clarification Text on the site.



2) Preparation of Privacy and Cookie Policies

Companies with websites must have privacy and cookie policies on their websites.

3) Preparation of Non-disclosure Agreements

Non-disclosure agreements should be made with companies with which we do business, such as business partners, suppliers, financial advisors, call centers.

4) Establishment of Internal Cyber Security Policies

Data controllers have an obligation to take the necessary security measures regarding the data they process. It should carry out activities to establish and control the necessary technological infrastructure against cyber attacks. Otherwise, it is possible to face criminal and legal sanctions. Companies have obligations arising from the Law to ensure the confidentiality of the data of their employees and customers, to prevent unauthorized access to this data by others, and to establish the necessary technical infrastructure for this. Even if the employer receives services from another workplace or company for data security, this does not remove the company’s own responsibility.

5) Obligations Regarding Commercial Electronic Messages

In order for companies to use the contact information they have obtained about their customers to send commercial electronic messages to these people later on, the express consent of the relevant parties is required within the scope of KVKK. With the Regulation Amending the Regulation on Commercial Communications and Commercial Electronic Messages published in the Official Gazette dated 04.01.2020 and numbered 30998, companies that wish to send commercial electronic messages are obliged to register with the Message Management System (IYS). IYS is a national database system where companies can store and manage commercial message permissions such as calls, messages and e-mails, view, remove and store permissions granted by recipients.

  • The obligations of companies regarding IYS are listed below;
  • The explicit consent of the customers regarding data processing must be obtained online through the IYS. If the company has obtained the explicit consent of the customer through its own means, not through the system, it must record the consent statement it has received in the IYS within 3 working days, provided that the burden of proof rests with itself.
  • Approvals that are not recorded in the IYS are deemed invalid and commercial electronic messages cannot be sent to customers whose approval is not received. The deadline for the registration of existing approvals to the IYS is set for May 31, 2021, and the approvals not transferred to the system until this date will be deemed invalid and commercial electronic messages will not be sent to these recipients.
  • In accordance with the relevant regulation, companies are obliged to keep the approval records of commercial electronic messages sent to the electronic communication addresses of the recipients for 3 years from the date of the validity of the approval, and other records related to commercial electronic messages from the date of registration To promote and market its goods and services, to promote its business or to increase recognition with content such as celebrations and wishes..


6) Obligations on Data Transfer Abroad

In the sharing of personal data of the persons concerned abroad, the first one must obtain the explicit consent of the worker regarding this sharing within the scope of KVKK.  Secondly, companies are under the obligation to investigate whether the country to which they will share personal data can provide adequate protection for this data and not to share data in cases where it determines that it cannot.

The Personal Data Protection Board announces which countries provide adequate protection. If data is to be transferred to a country that is not among these countries, it should be decided by taking into account international agreements, the principle of reciprocity and the measures undertaken by the data controller to be transferred. Especially for multinational companies, sharing personal data with the headquarters or subsidiary abroad without complying with the above obligations may be a reason for liability within the scope of KVKK.

7) Classification of Processed Personal Data and Preparation of Data Inventory and Notification to VERBIS (Data Controllers to the Registry Information System)

It is mandatory for companies to register with VERBIS as Data Controller. Companies do not have to upload all the data they process to VERBIS. They are only obliged to report general information about the data they process. In order to make this notification, a categorized inventory of all the data processed by the company should be made and the types should be determined, information should be given for what purpose and for how long it was processed and stored, and other issues such as to whom the data can be transferred should be notified. The information that needs to be registered in VERBIS is given below;

  • Identity and address information of the data controller and its representative, if any,
  • The purpose of processing personal data to be determined in accordance with the purpose of use,
  • The maximum time required according to the purpose for which personal data is processed,
  • Information about the data subject groups and the data categories of these persons,
  • Recipient groups to whom personal data can be transferred,
  • Personal data to be transferred to foreign countries,
  • Measures taken to ensure personal data security.

8) Notification of Data Breach

In case the processed personal data is obtained by others illegally, the data controller is obliged to notify the Personal Data Protection Authority within 72 hours at the latest. A personal data breach notification can be made by clicking on the Personal Data Breach Notification tab on the website of the Personal Data Protection Authority, www.kvkk.gov.tr. If the data controller detects the relevant persons whose data has been breached, these persons must be notified as soon as possible.


Failure to comply with the obligations imposed on companies under the Personal Data Protection Law entails serious legal and criminal liability. For this reason, it is a necessity for companies to harmonize their activities with KVKK.

Companies that are data controllers should make their operational processes, commercial messages, personnel contracts, sales and other related agreements compatible with the KVKK, prepare the necessary texts and take the necessary measures to obtain explicit consent from the relevant parties.

KVKK harmonization studies are processes that require expertise. In order to avoid legal problems and grievances in the future, it is recommended to get help from a lawyer who is expert in the field of personal data protection in preparing data inventories, making necessary notifications, and preparing texts related to KVKK legislation. You can request KVKK Harmonization services from the Solmaz Law and Consultancy Team.

Best Regards.

NOTE: For more information on this topic, you can check out our newsletter on “The Relationship of Personal Data Protection Law with Employment Contracts and Areas of Interaction” or contact us.


Verbis Kvkk



Law on the Protection of Personal Data