KVKK was enacted by the parliament in 2016 and it covers all data processors (companies, public institutions, professional organizations and individuals) who process personal data since 2018.

The law basically imposes administrative and technical obligations on data processors. Administrative measures include disclosure texts, obtaining explicit consent, risk analysis and non disclosure agreement; technical measures include access management, use of antivirus, backup, data loss prevention, penetration testing, use of firewall, and data destruction. A guide has also been published by the Council to explain the methods for administrative and technical measures. The law has also established a lot of rules on data processing, data storage, data sharing and data transfer to abroad.

In addition, public institutions and organizations and individuals who have certain conditions (such as special data processing, number of personnel, annual balance sheet) are obliged to register in the data registry called VERBIS.

In recent years, harsh penalties have been imposed by the Council for non-compliance with the obligations imposed by the Law and for data breaches. Penalties can be given from 9.834,00 TL to 1.966,000,00 TL in 2021, depending on the type of liability. In addition, disciplinary investigations can be made for civil servent, and a trial can be initiated with imprisonment for all persons who cause a data breach in accordance with the Turkish Penal Code, depending on the type of data breach.

Within the scope of KVKK Consultancy Service, analyzes are made for the technical measures included in the Law (such as Risk Analysis, GAP Analysis), data mapping (Personal Data Inventory), and Technical Compliance Report is written to report the current situation of the organization and what needs to be done according to the legislation. Similarly, in administrative processes, the personal data included in the data map are examined, and clarification, explicit consent and contract requirements for data transfer and confidentiality are determined, the necessary documents are prepared, and the Legal Compliance Report and what needs to be done according to the legislation are reported.