Join the Webinar | Strong Protection Against Cyber Threats

KVKK Consultancy

What is Personal Data?


Personal data includes data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic information. data.

What is the Processing of Personal Data?


Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. It is any operation performed on data, such as blocking.


Personal Data Protection Law



The purpose of the Personal Data Protection Law No. 6698 is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations of real and legal persons processing personal data and the procedures and principles to be followed.

Law; It will also include data sent to an institution or organization, in addition to data stored in cloud environments or software.

Some articles included in the Personal Data Protection Law;

  • You must inform the owner of the data for what purpose you will use the personal information you wish to receive, how long you will store it, under what conditions, where you will keep it and when you will delete it, and undertake that you will not use this data for any other purpose, and you must fulfill this commitment.
  • Personal data cannot be transferred abroad without the explicit consent of the relevant person.

Data controller;

  • To prevent unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • It must take all necessary technical and administrative measures to ensure the appropriate level of security to ensure the preservation of personal data.

If the rules in the law are not followed, people may face fines or imprisonment. Violating personal data will result in a prison sentence of 1-3 years, obtaining data through violation will result in a prison sentence of up to 2-4 years, and an administrative fine of 5,000-1,000,000₺ will be imposed depending on the items not fulfilled.

Click on the link to access the original text of the Personal Data Protection Law:

In order for the Personal Data Protection Law to be fully implemented, some structures need to be improved.

  • Enterprise Architecture
  • Technological Approaches
  • Legal Approaches


Enterprise Architecture

Corporate architecture is the business methodology that manages these systems by creating the target, structure and operating order of the institution and providing technological information about the systems used. It is the discipline that enables the institution to accelerate its decision-making process, create an environment in accordance with standards, create a competitive advantage, in short, reorganize the institution according to its own needs.

Major enterprise architecture framework;

  • TOGAF / The Open Group
  • Zachman Framework / Zachman International
  • The Federal Enterprise Architecture Framework (FEAF) / Federal Government of the US


Technological Approaches

With KVKK, there are solutions that can be provided in the field of security of the data that companies hold on their customers (such as account and password control, security level monitoring, classification, sorting, data protection, preventing data leaks).


Approaches to Law

A long-term implementation text is prepared to ensure compliance with legal rules (legal definitions, obligations of data controllers, definition of rights of personal data owners, etc.) in the institution.

Frequently Asked Questions About KVKK Consultancy

We Have Collected Personal Data Related to Our Marketing Databases for Several Years. What is the impact of KVKK on this situation?

One of the biggest problems that arise with the introduction of KVKK is the field of consent, and especially for marketing. In accordance with KVKK, consent must be freely given and explicit. Current legislation allows approval with an "opt-out" checkbox. However, the new regulation requires approval through an "elected"; therefore, the data subject ticks a box to agree to receive marketing materials. For this reason, organizations should review their databases for appropriate approval. One of the problems with reapproval is the response rate to these requests, which may have been historically low. Failure to respond to such requests means that consent has not been obtained and you cannot reach them again. In practice, many organizations see the new regulation as an opportunity to “clean up” their marketing databases and ensure that they target those who are genuinely interested in getting their marketing information.

How Can We Completely Delete Data?

You may think that the data is deleted when you press the delete key on your computer. However, erasing digital data is not easy. However, you can create a data deletion policy together with your IT department or outsourced IT service provider, ensuring that the data to be deleted is kept in an archive with strict access restrictions, so that the archived data is considered "dead data" because direct access is not possible.

We Have a Constantly Working Camera System. Are These Images Considered Personal Data? Do I Have to Provide a Copy of the Image in Request for These Images?

Yes, camera footage of data subjects is personal data under current and new regulations. If the data request is received and your organization still holds images of the data subject, you must provide them to the requesting party. In practice, camera recordings are kept for a short time, normally 30 days; therefore, if the request is made after this time, you are not obligated to provide it.