07.04.2016 07.04.2018 and entered into force on the date of the largest scale in history, all companies-regardless of the law on protection of personal data No. 6698 extra information according to the principles and procedures in the document is not taken and personal data protection has become a necessity and all departments within the company the importance of knowledge about this law.

A “Personal Data Protection Board” has been established, which has the authority to audit whether companies are complying with this law. For companies that do not comply with the procedures and principles of the Personal Data Protection Law No. 6698 (Legal Entity Responsible-all Management contained in the signature circulars), there are imprisonment and fines.The penalty for failure to comply with the law on recording, processing, transferring and destroying data may be imprisonment for 1-6 years, and a fine of US $ 5,000-US $ 1,000,000 for failure to fulfill the obligations specified in the law. Companies should complete their work on compliance with the law as soon as possible and receive training to raise corporate awareness.

As a consultancy , we support you within the scope of compliance with the law with expert information technology experts, lawyers and process analysts. 


1-in accordance with the law, process analysis of all departments within the company is carried out and data inventory is taken out.

2-Classification Of Personal Data

3-Alignment Of Data Processing Processes

4-Alignment Of Data Transfer Processes

5-Updating Contracts

6-creation /alignment of application , complaint, appeal processes

7-creation of explicit consent and Illumination texts 

8-establishment of KVKK Policy and Information Security Policy 

9-realization of data destruction as stipulated by law

10 - Organization of in-house KVKK awareness trainings 


The EU General Data Protection Regulation (GDPR) was developed to draft a harmonised set of data privacy laws aimed at protecting EU citizens across Europe. This regulation replaces Data Protection Directive 95/46/EC, and there are serious differences between it and this directive, such as:

Wider jurisdiction. The General Data Protection Regulation shall apply to all companies that process the personal data of anyone living within the borders of the European Union, regardless of the company's own position.

Penalties. All institutions and organizations, including controllers and handlers, that do not comply with the GDPR, may be fined up to 4% of their annual global turnover or 20 million euros (whichever is greater).

Approval must be clearly and easily understood and can be distinguished from other issues. In addition, getting approval back should be as easy as giving it.

Infringement notices: infringement notices will be mandatory and must be completed within 72 hours of the institution or organization becoming aware of the breach.

Privacy. The GDPR stipulates that the data protection function should be included from the beginning when designing systems, not implemented through subsequent insertion.

It demands the existence of a clear and precise policy on the processing and protection of data.

It requires that all personal data processing activities are necessarily restricted by affirmative procedures or instructions, and that awareness is provided and demonstrable by all data processing and data access persons.

All data platforms and their related protection plans are created, data transfer rules, protection rules and technical infrastructure compliance is documented and run in accordance with the policy.

The purpose of GDPR is to protect all EU citizens from privacy and data breaches in today's data-driven world. Although the basic principles of data privacy continue to comply with the previous directive, many changes to regulatory policies have been proposed; you can find information about the key points of data protection and their impact on Business below.

Regional scope (extraterrestrial applicability)

As the most fundamental aspect of the architecture of data privacy, the GDPR has established clear and clear rules for all companies that process data, regardless of the company's location. Along with the adopted law, the GDPR has had very broad powers and sanctions power in very large areas. According to the signed protocol agreements, almost all countries in the world have sanctions power.

The GDPR makes its applicability very clear-the processing of personal data by controllers and businesses in the EU, regardless of whether transactions occur in the EU or not, is sufficient to fall within the scope of the law. GDPR is also sufficient for the personal data of data subjects in the EU to provide goods or services to EU citizens, even if it is a company not established in the EU, where the activities are related to the following.

All businesses and individuals who violate GDPR rules can be fined up to 4% of annual global turnover or 20 million euros (whichever is greater). This is the highest fine that can be imposed for the most serious violations that do not have sufficient customer approval to process data or violate the confidentiality of the concept of privacy by design concepts. A gradual approach regarding monetary fines, for example, a company is obligated to protect the personal data in the register GDPR cat and it does not record 2% can be fined (Article 28), it is important to note that both of these rules are valid for both controllers businesses – cloud computing systems that host data in GDPR are not exempt from sanctions.

Differences between GDPR and KVKK

1-KVKK the articles obtained from GDPR during the EU alignment of the state of the Republic of Turkey are published in accordance with the standards of our country, and the GDPR is a more comprehensive study.

2-KVKK covers issues related to the protection of data and transfer of legal and natural persons operating in the Republic of Turkey abroad. GDPR data covers all companies and data processing persons operating in all EU countries and other countries.

3-the GDPR, which is set as the upper limit of TL 1,000,000, has set 4% of the company's turnover or 20,000,000 euros ( whichever is greater ) as a criminal sanction.

4-KVKK rules are subject to sanctions in accordance with the rules of our country, while GDPR rules the country has the right to intervene and impose penalties in accordance with the authority granted to them independently of the region.


Your phone number

Your message


Your phone number

Your message