Practice Area
KVKK and Data Protection Law
Compliance programmes, VERBİS registration, notice and consent architecture, breach management and representation in Board investigations under Türkiye's KVKK and the GDPR.
Overview
We deliver end-to-end KVKK compliance programmes — from data-processing inventories and policy design to data controller / processor agreements and international transfer mechanisms.
We advise on high-risk areas such as cross-border transfers, consent management, cookies, employee and health data, and direct marketing, and manage breach notifications to the Turkish Data Protection Board.
What We Do
- KVKK compliance programmes and data-processing inventories
- VERBİS registration and updates
- Privacy notices, consent and cookie policies
- Cross-border data transfer mechanisms and BCRs
- Data breach notification and incident response
- Turkish Data Protection Board complaints, investigations and administrative fines
Our Approach
We design compliance not as a paper exercise but as an auditable, sustainable governance model embedded in day-to-day operations.
Frequently Asked Questions
- Who is required to register with VERBİS?
- Data controllers whose employee headcount or financial thresholds exceed statutory limits, or whose core activity is data processing, must register with VERBİS. Exemption decisions are periodically updated by the Board.
- What is the deadline to notify a data breach?
- Data controllers must notify the Board within 72 hours of becoming aware of a breach, and inform affected data subjects within a reasonable time.
- On what basis can data be transferred abroad?
- Under Article 9 of the KVKK, transfers may be made to countries with adequate protection, or via approved safeguards such as undertakings or BCRs with Board authorisation.