Ankara KVKK and Data Protection Consulting: VERBIS, Policies and Audit
For companies operating in Ankara, KVKK compliance is now mandatory. Who needs a VERBIS registration, which policies and documents must be prepared, how to build a data inventory, how to manage employee notices and explicit consent, the 72-hour breach rule and administrative fines. A step-by-step, sourced KVKK compliance and audit guide for Ankara-based businesses.
Quick answer: Every company operating in Ankara that processes personal data is within the scope of Law No. 6698 on the Protection of Personal Data (KVKK). Compliance is not a single document but a process: first a personal data inventory is built showing which data you process, why and where you store it; data controllers exceeding certain criteria register with VERBIS (the Data Controllers Registry Information System); a privacy notice, explicit consent, a retention and destruction policy, data security measures and a breach response plan are prepared. When a breach occurs, the Board is expected to be notified as soon as possible, within 72 hours. The administrative fines for KVKK violations are high, so compliance is both a legal obligation and risk management. For an Ankara-based business, this process is completed by setting up on-site inventory, a document set and technical measures together.
KVKK compliance is still treated by many Ankara businesses as "we added a privacy notice, we are done." But compliance is much more than a text on paper: it is the full management of how data is collected, where it is stored, who accesses it and how it is protected. We explained the general framework of KVKK compliance and the VERBIS steps in KVKK compliance consulting, VERBIS, policies, audit; this article addresses the process step by step, especially for businesses operating in Ankara. We addressed the technical side, that is, whether the systems are actually secure, in information security consulting, ISO 27001 and KVKK.
Whom KVKK covers
Law No. 6698 covers anyone who processes personal data. Personal data is any information relating to an identified or identifiable natural person: name, phone, email, ID number, location, even an IP address. If a company collects such data of its customers, employees or suppliers, it is within the scope of KVKK. That means almost every business, from a hospital in Ankara to an e-commerce site, from an accounting office to a software company.
There are two basic roles. The data controller is the person/entity that decides why and how the data will be processed. The data processor is the party that processes the data on behalf of the controller, for example a cloud service or a payroll firm. Most of the responsibility lies with the controller, but the contracts made with the processor are also part of compliance.
Step 1: Personal data inventory
The foundation of compliance is knowing what you process. The personal data processing inventory is a map showing which personal data the company processes, for what purpose, on what legal basis, where it stores it, with whom it shares it and how long it keeps it. Without this inventory, VERBIS registration cannot be done correctly, policies will not reflect reality, and what was lost in a breach cannot be known.
Building the inventory is illuminating for most businesses: most companies realize they keep far more personal data than they thought, from employee files to old customer databases, from WhatsApp messages to shared Excel files.
Step 2: VERBIS registration
VERBIS is the official system where data controllers register with the Board. Not every company is required to register with VERBIS; the Board determines the registration obligation based on criteria such as the number of employees, the annual financial balance sheet and the nature of the data processed (such as processing special categories of data). It is important to correctly determine whether you have a registration obligation, because failing to register when required is subject to administrative sanction. For the current criteria and process, KVKK's official VERBIS portal should be taken as the basis.
VERBIS registration is not a one-time form filling; it requires an accurate declaration consistent with the inventory and is updated as data processing activities change.
Step 3: Policy and document set
KVKK compliance requires a mutually consistent document set:
- Privacy notice: The text that informs the person, at the moment you collect the data, which of their data you process and why, with whom you share it and their rights. It must be present at every contact point such as the website, application form and contract.
- Explicit consent: Where processing rests on explicit consent rather than on another legal basis, the person's freely given, informed and unambiguous consent is required. Consent cannot be imposed as a condition of service and must be revocable.
- Retention and destruction policy: How long the data will be kept and how it will be securely deleted when the period expires. Secure destruction of data is a technical matter; careless deletion is not enough.
- Data security policy: Technical and administrative measures such as access control, encryption, backup and logging.
- Breach response plan: Who does what when a breach occurs, how it will be detected and notified.
These documents must be prepared according to the company's actual inventory and processes, not with copy-paste templates; otherwise inconsistencies will surface in an audit.
Step 4: Technical and administrative measures
KVKK requires real security, not just paper. The law obliges the data controller to take appropriate technical and administrative measures to protect personal data. This includes limiting access rights, encrypting data, strong authentication, regular backups, logging and keeping systems up to date. The way to find out whether these measures are actually adequate is to test the systems; a penetration test (pentest) finds vulnerabilities before a real attacker does. We addressed this in Ankara cyber security, pentest and KVKK.
Step 5: Data breach and 72 hours
Despite every measure, a breach can occur: a database leaks, a device is stolen, ransomware locks the systems. In such a case, KVKK expects the data controller to notify the Board as soon as possible, within 72 hours; notification to the affected persons may also be required. Proper management of a breach is critical both to fulfill the legal obligation and to limit the damage. We explained the breach notification process and preparation in KVKK data breach notification, 72 hours. Determining technically what the breach was, what leaked and how is the work of digital forensics; at this point the examination must be done while preserving the chain of custody.
Administrative fines and why it matters
Violations of KVKK lead to serious administrative fines: failing to fulfill the notice obligation, not taking data security measures, violating the VERBIS obligation and not complying with Board decisions are each penalized separately and the amounts are updated every year. But the fine is only one face of the risk: a data breach also threatens customer trust, commercial reputation and business continuity. So KVKK compliance is, more than a formality, risk management and an investment in trust.
DSET's approach in Ankara
At DSET we treat KVKK compliance not as a paper document set but as a process where the inventory, policies and real technical security are built together. First an on-site data inventory is built, the VERBIS obligation is correctly determined, a company-specific document set is prepared, technical measures are tested and a breach response plan is set up. Being Ankara-based is an advantage for on-site inventory and audit.
Frequently Asked Questions
Is every company required to register with VERBIS? No. The registration obligation is determined by the number of employees, the financial balance sheet and the nature of the data processed. It is important to correctly determine whether you are obliged; the current criteria are on KVKK's official VERBIS portal.
Is KVKK compliance just adding a privacy notice? No. The privacy notice is one part of the process; compliance requires the data inventory, VERBIS, the policy set, technical measures and a breach plan together.
Within what time must I notify a data breach? KVKK expects the breach to be notified to the Board as soon as possible, within 72 hours; notification to affected persons may also be required.
What happens if I do not comply with KVKK? Administrative fines are applied for violations such as notice, data security, VERBIS and non-compliance with Board decisions, and the amounts are updated every year; there is also reputation and business-continuity risk.
Sources
- KVKK, Personal Data Protection Authority (official): https://www.kvkk.gov.tr/
- VERBIS, Data Controllers Registry Information System (official): https://verbis.kvkk.gov.tr/
- Law No. 6698 on the Protection of Personal Data (mevzuat.gov.tr): https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6698&MevzuatTur=1&MevzuatTertip=5
- DSET, KVKK compliance consulting: /blog/kvkk-uyum-danismanligi-verbis-politikalar-denetim
For KVKK compliance, VERBIS registration and data protection audit in Ankara, contact DSET.