KVKK Consulting Services and Fees

Personal Data Protection Law (KVKK)

Technology has advanced rapidly and digital transformation is reshaping how organisations operate. That shift has brought new laws and enforcement obligations in the areas of privacy and security. Both public institutions and private-sector firms now reach thousands of people every day through digital channels, and the records captured can be processed quickly thanks to progress in information technology.

Digital transformation became even more central during the pandemic. Going digital has effectively become mandatory for organisations, which in turn has increased the privacy and security obligations they face. When KVKK (Turkey's Personal Data Protection Law, No. 6698) was published in the Official Gazette and entered into force on 7 April 2016, organisations began a period of technological restructuring. Organisations that did not previously have adequate privacy and security systems started focusing on this area.

As Sistem Patent A.S., we share the principles of international standards alignment and protection of personal privacy. Drawing on more than 20 years of consultancy experience in building and operating information-security systems, we develop solutions for KVKK compliance that fit each client's situation. Building on our ISO 27001 Information Security Management System consultancy experience and implementation practice, we also provide consultancy for KVKK. We aim to build a durable, dynamic, sustainable, and manageable personal data management system together with each client.

What KVKK Means for Organisations

KVKK applies to every organisation that processes personal data and carries specific obligations. For the collection, processing, storage, and safe custody of personal data, each organisation must define a lawful method and implement it.

Each organisation must carry out detailed work on compliance with the legislation on personal data protection, taking its own activities into account. The organisation's business processes must be reviewed, the required measures for personal data protection must be put in place, the appropriate privacy notices and disclosures must be prepared, and, where necessary, a personal data retention and disposal policy must be prepared in line with KVKK.

The Purpose of KVKK

KVKK regulates the obligations of the natural and legal persons who process personal data, with a view to the protection of personal privacy as one of the fundamental rights.

Who KVKK Covers

KVKK applies to natural and legal persons that process personal data (names, surnames, dates of birth, places of birth, phone numbers, and similar data) through a data filing system, whether fully or partly by automated means.

What Is Personal Data?

Personal data is any information that directly or indirectly identifies an individual.

Examples include name, surname, date of birth, place of birth, phone number, email address, national identification number, CV, photograph, fingerprints, family information, and health information. This list can be extended. Data that, if disclosed, could harm the data subject or lead to discrimination is classified as special category personal data.

Examples of special category personal data include race, ethnic origin, political opinions, philosophical beliefs, religion and sect, membership of associations, foundations or trade unions, health data, criminal convictions, and security measures.

Why Personal Data Protection Matters

Consider an organisation that has collected millions of gigabytes of personal data through automated systems since 2010: if that data reaches malicious actors, trust in the organisation collapses. Recent incidents where social media platforms did not adequately protect personal data landed on the public agenda. Personal data protection is not an extra burden: it is a baseline obligation for society.

Why Choose Sistem Patent Kalite for KVKK Consultancy

KVKK consultancy is one of the core consultancy and support services of Sistem Patent Kalite, which has more than 20 years in the sector as an established and continuously improving organisation. Our KVKK consultancy has 3 phases:

• Legal consultancy
• Process consultancy
• Technical consultancy

Legal consultancy: our consultants analyse all the organisation's processes against KVKK. Based on our analysis of the personal data the organisation processes day to day, the required measures are defined.

Process consultancy: in line with the measures defined by our consultants, processes are designed and documented. A detailed data-inventory report is produced, and the data is prepared for classification on that basis.

Process consultancy also covers the contents of the organisation's policies for retention and destruction of personal data, the review and bringing into line with KVKK of legal agreements and forms, and the preparation of explicit consent and privacy notices.

KVKK technical consultancy: as with ISO 27001, once all required documentation is in place the process moves to the technical phase, which verifies that the protection of personal data is independent of automation issues or user errors. This phase is fully technical and requires specialist knowledge.