KVKK Compliance Consulting

End-to-end compliance services under Law No. 6698 on the Protection of Personal Data (KVKK) — from data inventory and VERBIS registration to privacy notices and technical safeguards. A programme that manages the legal, technical, and organisational dimensions in a single track.

KVKK consulting is a compliance service that helps data controllers systematically meet their obligations under Law No. 6698 on the Protection of Personal Data: building a personal data inventory, registering with VERBIS (Art. 16), fulfilling the obligation to inform (Art. 10), managing explicit consent (Art. 5), adopting retention and disposal policies, and implementing technical and administrative safeguards (Art. 12).

Beyond formal documents, we set up a compliance programme that is integrated into business processes, auditable, and sustainable. The work is conducted with reference to the KVKK Board guidelines and the ISO/IEC 27701 PIMS framework. Our legal team and technical team operate within the same project, under the same accountability.

Service Scope

The service is delivered through three core modules. Each module is tailored to the organisation's size, sector, and intensity of data processing. Modules can be procured together or independently as needed.

Legal Module

  • Privacy notices (Art. 10) — website, application forms, HR, call centre, CCTV recordings, contractual annexes
  • Explicit consent sets (Art. 5/1) — marketing, commercial electronic communications, processing of special-category data
  • Cookie policy, banner, and preference centre configuration
  • Data processor agreements and cross-border transfer undertakings (Art. 9)
  • Data subject request process and identity verification flow (Communique on the Procedures and Principles for Applications to the Data Controller)
  • Embedding KVKK clauses into supplier contracts

Technical Module

  • Access management (RBAC/ABAC), MFA, and session control
  • Logging, at-rest and in-transit encryption, and immutable backups
  • Data Loss Prevention (DLP) and data classification
  • Data breach response plan and notification readiness (Art. 12/5)
  • Integration of penetration testing and vulnerability management
  • Embedding Privacy by Design and Privacy by Default control sets into systems

Documentation Module

  • Personal Data Processing Inventory and process maps
  • Retention and Disposal Policy
  • VERBIS registration, updates, and annual review
  • Internal directives, procedures, and process definitions
  • Senior management reports and audit log sets

Outputs and Deliverables

At the end of the project, the organisation receives a concrete set of documents that can be used in audits and updated over time. The principal deliverables of a typical compliance project are listed below.

Legal Outputs

  • Privacy notices for the website, HR, customer, and supplier processes
  • Explicit consent statements and process-based consent management flows
  • Cookie policy and banner configuration
  • Data subject request form, response templates, and procedural document
  • Data processor agreement template and KVKK addendum for existing contracts
  • Cross-border transfer undertakings and standard contract examples

Technical Outputs

  • Risk assessment report and prioritised remediation roadmap
  • Technical safeguards implementation list and verification records
  • Data breach response plan and sample notification documents
  • Access authorisation matrix and review record template
  • Retention and disposal records and destruction log templates

Documentation Outputs

  • Personal Data Processing Inventory (Excel or GRC tool output)
  • Retention and Disposal Policy
  • Personal Data Protection and Processing Policy
  • Completed VERBIS registration and registry details
  • Training attendance records and awareness report
  • Senior management presentation file and KPI report

Implementation Process

A six-phase methodology completed in 4 to 10 weeks depending on the size of the organisation. Weekly status meetings are held with the client-side owners responsible for each phase.

  1. Discovery and Planning: Current-state analysis, scope definition, stakeholder map, deliverables list, and timeline. The project is formally launched with senior management sponsorship. Duration: 1 week.
  2. Data Inventory and Flow Mapping: Through departmental interviews, data categories, data subject groups, legal bases, retention periods, recipients, and transfers are identified. Duration: 2-3 weeks.
  3. Risk Assessment: A risk score is produced for existing controls, gaps, and breach scenarios using the ISO 27005 methodology; a prioritised roadmap is prepared. Duration: 1 week.
  4. Documentation: Privacy notices, explicit consent sets, policies, procedures, and contract annexes are drafted in a tailor-made way for the organisation and submitted for legal sign-off. Duration: 2 weeks.
  5. Implementation: Technical safeguards are rolled out, employee awareness training is delivered, and the data subject request process is embedded in the organisation's systems. Duration: 2-3 weeks.
  6. VERBIS and Sustainability: VERBIS registration is completed, the periodic audit calendar is established, KPIs are defined, and the management review process is initiated. Duration: 1 week.

Expected Client-Side Participation

Throughout the project, the client assigns a project owner (typically a Legal or Information Security manager) and departmental representatives. Departmental interviews are concentrated in Phase 2; each department is asked for an average of 2-3 hours of meetings. Weekly follow-up meetings are sufficient in the other phases.

Legislation and Administrative Fines

Law No. 6698 on the Protection of Personal Data was updated by Law No. 7499 published in the Official Gazette dated 12 March 2024, No. 32487. The provisions on the processing of special-category personal data (Art. 6) and cross-border transfer (Art. 9) have been brought closer to the EU GDPR framework in particular. As of May 2026, the applicable framework consists of Law No. 6698 + Amendment No. 7499, KVKK Board guidelines, ISO/IEC 27701:2019 PIMS, the ISO/IEC 27005:2022 risk methodology, and the EU GDPR (Regulation 2016/679). The amendments to the KVKK entered into force on 1 June 2024.

Administrative fines applied in case of non-compliance are set out in Article 18 of the Law. The table below summarises the principal obligations and the sanctions applied in case of non-compliance.

Obligation                                   | Relevant Article                  | Sanction
---------------------------------------------|-----------------------------------|---------------------------------------------------------------
Obligation to inform                         | Art. 10                           | Administrative fine (Art. 18): TRY 85,437 - 1,709,200 (2026)
Obligations regarding data security          | Art. 12                           | Administrative fine (Art. 18): TRY 256,357 - 17,092,242 (2026)
Failure to comply with Board decisions       | Art. 18/1-c                       | Administrative fine: TRY 427,263 - 17,092,242 (2026)
VERBIS registration and notification breach  | Art. 16                           | Administrative fine (Art. 18): TRY 341,809 - 17,092,242 (2026)
Unlawful processing of personal data         | TCK (Turkish Penal Code) Art. 135 | 1-3 years imprisonment
Failure to destroy data                      | TCK Art. 138                      | 1-2 years imprisonment

Current amounts: Administrative fine figures are updated annually based on the revaluation rate published in the Official Gazette. For 2026, the revaluation rate has been set at 25.49% (General Communique of the Tax Procedure Law published in the Official Gazette dated 27 November 2025, No. 33090). The figures above are the 2026 statutory lower and upper limits updated by this rate. For current amounts, the KVKK Administrative Fines page should be taken as the reference.

Training Service

The most fragile component of KVKK compliance is employee behaviour. No matter how well-written the policies and procedures are, it is how the employee handles data in their daily workflow that determines compliance performance. For this reason, training is positioned as an integral part of the consulting service.

Training Formats

  • Executive briefing: A 60-minute summary session for senior management and directors covering board-level responsibilities under KVKK, criminal-law risk in case of breach, and reporting obligations.
  • Employee awareness training: A 90-120 minute foundational training for all employees covering data subject rights, explicit consent, the obligation to inform, password security, phishing, and the data breach notification flow.
  • Department-specific applied training: Process-based case studies for departments handling intensive data processing such as HR, sales, the call centre, IT, and Legal.
  • E-learning package: A module that can be uploaded to the organisation's LMS and flagged as annual mandatory training; with certified completion records.
  • Phishing simulation: Measurements before and after training to report awareness effectiveness in quantitative form.
[Photos: In-House Employee Training (in-house KVKK training session); Industry Seminar (KVKK and data security seminar); Academic Awareness Seminar (KVKK awareness seminar at an academic institution)]

Sustainability and Annual Maintenance

KVKK compliance is not a one-off exercise but a continuously running programme. Board decisions issued in 2025 and 2026 and the administrative fine figures updated by the revaluation rate are tracked periodically and reported to clients. As the organisation grows, new processes are added, or the legislation changes, the inventory, policies, and technical safeguards must be updated. Following the initial compliance project, annual maintenance services are provided under the following headings.

  • Legislative monitoring: Board decisions, new guidelines, and legislative changes are reported with organisation-specific impact analysis.
  • Periodic internal audit: Semi-annual or annual audit cycle; on-site verification that the operation is in line with the documentation.
  • Inventory updates: New processes, new systems, and new data categories are added to the inventory.
  • Breach response drill: An annual tabletop exercise based on a breach scenario; the notification flow is tested under real conditions.
  • Supplier audit: Review of the contractual compliance and technical safeguards of data-processor suppliers.
  • Annual employee refresher training: A short reminder module for all employees and the communication of legislative changes.

Frequently Asked Questions

How long does the KVKK compliance process take?

It is completed in 4 to 10 weeks depending on the size of the organisation, the number of processes, and the intensity of data processing. The process consists of six phases: discovery, inventory, risk, documentation, implementation, and sustainability. The duration may be longer for multi-location organisations or those processing special-category data.

Who is required to register with VERBIS?

Under Article 16 of Law No. 6698, data controllers whose annual number of employees or annual financial balance sheet total exceeds the thresholds determined by the Board, data controllers established abroad, and organisations processing special-category personal data are required to register with VERBIS. Current thresholds and deadlines should be confirmed via Board announcements.

Which controls are applied as technical safeguards?

Under KVKK Art. 12 and the Board's Personal Data Security Guide, the following are applied: access management (RBAC/ABAC), MFA, session control, log management, at-rest and in-transit encryption, immutable backups, DLP, breach response plan, and regular penetration tests. The control set is tailored to the organisation's maturity and data category.

How is a data breach notification made?

Upon detection of a personal data breach, notification to the Authority is mandatory under Art. 12/5 of KVKK as soon as possible and within the timeframes set by the Board. The notification is made via the KVKK Board's Data Breach Notification Form. Affected data subjects must also be notified as soon as possible.

How is KVKK compliance achieved in cookie management?

Under the KVKK Board's Guide on Cookie Practices, explicit consent must be obtained for all cookies except those that are strictly necessary. The reject option must be presented with the same visibility as the accept option on the banner, a user preference centre must be provided, and pre-ticked consent boxes must not be used.

What are the conditions for cross-border data transfer?

Under Art. 9 as amended by Law No. 7499, cross-border data transfer may be carried out to countries with an adequacy decision, by means of standard contracts or binding corporate rules (BCRs), or, in certain occasional cases, on the basis of explicit consent. Standard contracts must be notified to the Board within five business days of signature.

What is the relationship between KVKK and ISO 27701?

ISO/IEC 27701 is the Personal Information Management System (PIMS) standard built on top of an ISO 27001 ISMS. It enables the technical and administrative safeguards required by KVKK to be implemented through a certifiable framework. This framework is used as a reference in consulting projects; if the organisation wishes, it may pursue certification once compliance is complete.

Through which channels is the obligation to inform fulfilled?

Under KVKK Art. 10, a privacy notice must be provided on every channel through which data is collected (website forms, contracts, the call centre, application forms, HR processes, CCTV recordings). To prevent users from consenting without reading the notice, the KVKK Board recommends a layered notice model.

What is the difference between explicit consent and legitimate interest?

Explicit consent (Art. 5/1) is informed and freely given consent for a specific topic and can be withdrawn at any time. Legitimate interest (Art. 5/2-f) allows processing for the legitimate interests of the data controller that do not harm fundamental rights and freedoms, and requires a balancing test (LIA). The legal basis must be selected on a per-process basis.

How is the KVKK consulting fee determined?

Pricing varies based on the number of employees, the number of locations, the data categories processed, the existence of cross-border transfers, sector-specific regulations (BRSA, CMB, CBRT, EMRA), and the scope of service. The initial discovery meeting is free of charge. For details, see the KVKK Consulting Fees page.

Official Sources

Legislation and Institutional Links

  • Law No. 6698 on the Protection of Personal Data (mevzuat.gov.tr)
  • KVKK Board Guidelines
  • VERBIS - Data Controllers Registry
  • Board Decision Summaries and Public Announcements
  • Current Administrative Fine Amounts

KVKK Compliance Preliminary Meeting - 30 minutes with Att. Irem Genc and Zehra Baranli

Let's clarify the data inventory, privacy notices and consent management, contract adjustments, and VERBIS scope together. At the end of the meeting, an organisation-specific roadmap and proposal timeline will be sent to you.