Expertise
Data Protection & IT Law
Personal data protection is now on the agenda of businesses of every size. Turkish Data Protection Law No. 6698 (KVKK) imposes concrete obligations on data controllers while granting strong rights to data subjects. The spread of information technology has likewise made legal support around online offences a distinct specialisation.
KVKK Compliance for Companies
Compliance is not a one-off paperwork exercise; it is a continuous process spanning data inventories, privacy notices, retention-destruction policies and staff training.
- Preparing the personal data processing inventory
- Drafting privacy notices and explicit consent mechanisms
- Assessing VERBIS registration obligations
- Data processing and transfer agreements
- Managing the 72-hour breach notification to the Authority
Rights of Data Subjects
Everyone has the right to learn whether their data is processed, to have inaccurate data corrected and, where conditions are met, deleted. An application to the data controller is generally the first step; if unanswered within thirty days, a complaint may be lodged with the Data Protection Board.
Cybercrime and Online Violations
Unlawful access to information systems, misuse of bank and credit cards, defamation and blackmail via social media and unlawful acquisition of personal data are the most common offences in practice. Content removal and access-blocking requests are also part of our services in this field.
This content is provided for general legal information only and does not constitute legal advice on any specific matter.
Frequently Asked Questions
Data Protection & IT Law
The registration obligation depends on headcount, annual balance sheet and the nature of the data processed. Different thresholds apply to businesses whose core activity involves sensitive data; your situation should be assessed individually.
Depending on the circumstances, removal or delisting from search results may be requested under the right to be forgotten. The balance between freedom of expression and personality rights is assessed case by case.
Determine the scope immediately, take technical measures and notify the Board within 72 hours of becoming aware. Whether affected individuals must also be notified is assessed separately.
Do you need legal support in this area?
We can schedule a preliminary consultation to assess your situation.