The Personal Data Protection Law No. 6698 (GDPR) entered into force in Turkish Law on April 7, 2016. Companies in Turkey that are subject to the Personal Data Protection Law (GDPR) include all institutions and businesses that process or supervise personal data. The GDPR regulates the general principles and rules regarding the processing of personal data and encompasses all organizations that are obliged to comply with these rules.

Companies and organizations subject to the Personal Data Protection Law must adhere to the following conditions:


Principles of Processing Personal Data: According to the GDPR, personal data must be collected lawfully, in accordance with the principles of fairness, in a clear and concise manner. Data should only be processed for specific, explicit, and legitimate purposes. Processed data must be accurate and up-to-date. Additionally, personal data should only be retained for a specific duration.

Rights of Data Subjects: The GDPR protects the rights of data subjects (data subjects). These rights include information, access, rectification, erasure, objection, and data portability.

Duties and Responsibilities of Data Controllers: Data controllers are responsible for the protection of personal data and are obliged to conduct data processing activities in compliance with the GDPR. They may also have an obligation to register with the Data Controllers Registry (VERBİS).

Data Security: The security of personal data is of utmost importance. According to the GDPR, measures must be taken to prevent unauthorized access, alteration, disclosure, or loss of personal data.

Data Breach Notification: According to the GDPR, data controllers are required to immediately and no later than 72 hours after a data breach, notify data subjects and the Personal Data Protection Authority (KVKK).

Consent of the Data Subject: Generally, the explicit consent of the data subject is required to process personal data. The GDPR regulates how consent should be obtained and documented.

The Personal Data Protection Law generally applies to all companies and organizations involved in the processing, storage, and protection of personal data. Every business must take necessary measures to comply with the GDPR and establish data protection policies. Furthermore, businesses should monitor data processing activities in accordance with GDPR provisions and report to the Personal Data Protection Authority (KVKK) when necessary. Non-compliance with the GDPR can result in serious sanctions, making it crucial to be cautious in this regard.


GDPR Consultancy assists companies in managing their compliance process with the GDPR and may include the following main headings:

Legal Consultancy: Addresses the legal aspects of the GDPR compliance process. This ensures that companies understand their obligations under the GDPR and the procedures and principles they must adhere to. Bringing contracts and documents in line with the GDPR is also part of this scope.

Process Consultancy: Involves making data processing processes compliant with the GDPR. This includes creating a personal data inventory and reviewing and adapting data processing procedures. Ensuring that processes are GDPR-compliant helps minimize the risk of data breaches.

Data Security Consultancy: Involves taking technical measures necessary for the secure storage and processing of personal data. This may include data encryption, secure network configuration, data backups, and data security software.

Awareness Training: Ensures that employees within the company are educated about GDPR compliance. These trainings help employees understand and implement data protection policies and procedures.

Data Breach Management: According to the GDPR, the necessary steps must be taken in case of a data breach. Consultancy services can help prepare for potential data breaches and provide guidance on how to respond correctly in case of a data breach.

Data Subject Rights and Requests: The GDPR protects the rights of data subjects. Consultancy services provide guidance on how to handle and respond to requests from data subjects in accordance with these rights.


GDPR consultancy can be tailored to the specific needs of each company. Complying with data protection regulations is critical both in terms of fulfilling legal obligations and gaining the trust of customers and employees.”