The draft on the Law on the Protection of Personal Data was referred to the Presidency of the Turkish Grand National Assembly on January 18, 2016. The KVKK was adopted and enacted by the General Assembly of the Turkish Grand National Assembly on March 24, 2016 and entered into force by being published in the Official Gazette dated April 7, 2016 and No 29677. On April 7, 2018, the validation period of the Law was completed and became active. As of this date, the KVKK has given businesses a number of responsibilities to be complied with.

The purpose of publishing the Law is defined as "to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations and rules to be complied with by natural and legal persons who process personal data."

For this purpose, businesses should take actions for all personal data they process as specified by the Law, enlighten the relevant persons, make declarations in certain criteria, obtain explicit consent when necessary, carry out documented studies, take administrative measures and organize their technical infrastructure, destroy their periodically expired personal data, respond to incoming personal data requests in a timely manner and take action.

Perceptions that are believed to be most correct in the industry but are actually wrong;

  • • We are a public institution. Public institutions are not penalized.
  • • Since I am not within the scope of the Data Information System, the terms of the Law do not cover me.
  • • I take my own inventory. I can run these processes without support
  • • We've got plenty of time. We'll do it when the time comes.
  • • As long as there is no complaint, the KVK Institution does not bother me.

etc. misperceptions are encountered.

It should be taken into account that there are Administrative, Technical and Legal processes in the process of compliance with the Law. It seems that the adaptation studies carried out by considering unilaterally were done incorrectly.

Data Information System (VERBIS)

Since the Law has just come into force in Turkey, what is the personal data of the institutions, for what purpose it is processed, how it is stored, how long it is stored, with whom it is shared, is there any transfer abroad?  When analyzing these criteria, there were deviations. The KVK Institution has implemented the Data Information System (Verbis) and has stated that the enterprises should perform their analysis completely and that the individuals should process and protect the data in line with this statement. Some sectors were deemed exempt from Verbis. For example; Association, Foundation, Lawyer, Financial Advisors, Notaries etc.

For institutions that are not exempt from Verbis;

  • • Those whose annual balance sheet information is more than 25 Million TL
  • • Those with more than 50 employees
  • • Those with the main activity or the majority of the personal data it processes are special categories of personal data

as determined. These enterprises are required to submit their declarations until the deadlines specified by the Law.

Verbis periods;

Data Controllers

Starting Date of Registry Liability

Ending Date of Registry Liability

Real and legal person data controllers with more than 50 employees per year or with an annual financial balance of more than 25 million TL



Natural and legal person data controllers residing abroad



Real and legal person data controllers with less than 50 employees and an annual financial balance of less than 25 million TL and whose main field of activity is processing special personal data



Public institutions and organizations' data controllers



Administrative and Technical Measures;

The law requires enterprises to take the following administrative and technical measures related to personal data security. In the event of a violation, businesses expect large penalties for the lack of administrative and technical measures.

Administrative Measures;

  • • Preparation of Personal Data Processing Inventory
  • • Corporate Policies (Access, Information Security, Use, Storage and Destruction etc.)
  • • Agreements
  • • Privacy Contracts
  • • In-house Periodic and/or Random Audits
  • • Risk Analysis
  • • Employment Contract, Disciplinary Regulation (Adding Legal Provisions)
  • • Corporate Communication (Crisis Management, Informing the Board and Relevant Person, Reputation Management, etc.)
  • • Training and Awareness Activities (Information Security and Law)
  • • Notification to Data Controllers Registry Information System (VERBIS)

Technical Measures;

  • • Authority Matrix
  • • Authority Control
  • • Access Logs
  • • User Account Management
  • • Network Security
  • • Application Security
  • • Encryption
  • • Penetration Test
  • • Attack Detection and Prevention Systems
  • • Log Records
  • • Data Masking
  • • Data Loss Prevention Software
  • • Backup
  • • Firewalls
  • • Updated Anti-Virus Systems
  • • Deletion, Destruction, or Anonymization
  • • Key Management

Documented Studies:

Businesses mostly use the method of preparing the documents specified and mentioned in the guidelines, guidelines and regulations published in the Law in the studies of compliance with the KVKK. Although this actually seems right, it is a missing study. It is important to prepare additional documents that the institution can store by looking at the structure of the institution, the standards it has, its processes, the environments where the personal data they process are available, etc.

The basic documents required to be made within the scope of the law;

  • • Personal Data Disclosures
  • • Explicit Consent
  • • Personal Data Protection Policies
  • • Personal Data Storage and Destruction Policies
  • • Personal Data Request Methods
  • • Personal Data Inventory

It is important that it is not limited to the documents mentioned above. It is important to evaluate the compatibility of the contents of the documents from a legal point of view. There may be legal sanctions as a result of incorrect or incomplete documents.

Service Steps for KVKK Project

Thanks to its expert employees and units with sectoral experience, UITSEC examines the KVKK compliance processes in every aspect and ensures the trouble-free operation of the compliance processes of the enterprises with the Law. The technical, administrative and legal processes required by the Law for compliance are examined by expert personnel and the studies carried out are presented to the enterprises as a whole.

The following steps are followed in businesses;

  • • Identifying roles and responsibilities
  • • Determination of business strategies and objectives
  • • Preparation of personal data inventory. In the inventory preparation process;
    • o Determination of business processes
    • o Identification of relevant persons
    • o Detection of received data
    • o Determining the purposes of collecting personal data
    • o Determining the methods of obtaining personal data
    • o Identifying the parties to whom personal data is shared
    • o Determining the methods of sharing personal data
    • o Determining the storage periods of personal data
    • o Determining the international sharing of personal data
    • o Determining the sharing environments of personal data for the institution
    • o Legal references of personal data
    • • Managing the registration process with Verbis
    • • Preparation of policies on data security
    • • Fulfillment of lighting obligations and determination of distribution methods
    • • Determination of contact person communication methods
    • • Determination of express consent
    • • Review of existing documents and recommendations for improvement
    • • Creation of personal data access authorization matrix
    • • Examination of existing authorities and briefings
    • • Personal data risk analysis
    • • Examination of administrative measures
    • • Examination of technical measures
    • • Giving trainings
    • • Performing internal audits, reporting and correcting findings
    • • Review of contracts from a legal perspective
    • • Establishment of procedures such as destruction, management etc. related to the use of personal data
    • • Determination of monitoring, measurement, analysis and evaluation criteria