// KVKK CONSULTING

Full compliance with Law No. 6698 (KVKK) — legal + technical controls together.

We bring your company into compliance with the Personal Data Protection Law (KVKK), implement the required administrative and technical safeguards, and build the infrastructure for responding to data subjects.

// WHY KRITERA

Legal + technical under one roof

KVKK compliance is not only paperwork; it is also a technical infrastructure matter. Kritera delivers both together.

01

Legal + Technical Synthesis

Privacy notices, explicit consent flows (legal) + data minimization, encryption, logging (technical) — not in separate silos but as one package.

02

VERBİS Registration + Annual Update

Data Controllers’ Registry (VERBİS) registration, category-purpose mapping, annual updates — with deadline tracking.

03

Breach Response Scenarios

A protocol for notifying the KVKK Board within 72 hours of a data breach under KVKK Art. 12, tested in tabletop exercises.

// PROCESS

Eight-phase KVKK compliance

WEEK 1-2

Current State Assessment

Which personal data is processed, in which systems, for what purpose — DATA INVENTORY. Data flow maps.

WEEK 2-3

Legal Gap Analysis

Privacy notices, consent flows, contracts — gaps versus KVKK Art. 10/11.

WEEK 3-4

Technical Gap Analysis

Access control, encryption, logging, backups, data minimization, anonymization — against KVKK Board decisions + Data Security Guide.

WEEK 4-6

Document Preparation

Privacy notices (web, application form, contract), explicit consent statements, Data Controller Policy & Procedures, data subject application form.

WEEK 6-7

Technical Control Implementation

Encryption (TDE, column-level), access logging, anonymization routines, pseudonymization processes.

WEEK 7-8

VERBİS Registration

Data categories, purposes, recipient groups, retention periods — registration or update in VERBİS.

WEEK 8

Staff Training

How to respond to data subject requests, how to report a breach — training module.

ONGOING

Annual Maintenance

Data inventory currency, impact of regulatory changes, audit readiness — annual 2-3 day refresh.

// PITFALLS

Five most common mistakes in KVKK compliance

Most frequent violations in KVKK Board enforcement decisions in 2023-2026:

“Template privacy notice”

An internet template doesn’t reflect your real data flows. Solution: Auditable notice derived from actual inventory.

Treating explicit consent as default

Asking for explicit consent for everything obscures other legal bases. Solution: KVKK Art. 5/2 grounds first, explicit consent as last resort.

No breach notification procedure

When a breach happens, the first question is “now what?”, and the 72-hour window is missed. Solution: Written, tested crisis management protocol.

VERBİS record not updated

Stale VERBİS after initial registration = misleading declaration. Solution: Mandatory annual review.

Slow data subject requests

Requests passing the 30-day response window = KVKK Board violation ruling. Solution: Automated tracking + backup decision-maker.

// CONTACT

Pre-assessment of your company’s KVKK compliance status

Free pre-assessment to discuss your current compliance level and next steps.