KVKK & Compliance Consulting
If you process personal data in Türkiye — and any company with Turkish employees, customers or vendors does — KVKK applies. Compliance is not a binder on a shelf; it is a set of technical and organizational measures embedded in your IT.
Data Inventory
Personal data categories, processing purposes, lawful bases, retention, recipients.
VERBİS Registration
Obligation assessment, registration, ongoing maintenance.
72-hour Breach Response
Runbook for KVKK Kurumu notification window, incident-response retainer.
ISO 27001 Readiness
Gap analysis, policy suite, control implementation, audit preparation.
KVKK readiness — what we do
- Data inventory — map personal data categories, processing purposes, lawful bases, retention periods, recipients, cross-border transfers.
- VERBİS registration — assess obligation, prepare the form, register, maintain.
- Policy & procedure — disclosure text (aydınlatma metni), consent forms (açık rıza), data subject request handling, breach response plan.
- Technical measures — Microsoft Purview Sensitivity Labels, DLP, audit log retention, MFA, encryption, role-based access.
- Breach response — runbook for the 72-hour KVKK Kurumu notification window, incident-response retainer.
- Special categories — extra protection for health, criminal, biometric, genetic data.
ISO 27001 readiness
For organizations preparing for ISO 27001:2022 certification, we deliver gap analysis (against the 93 Annex A controls), Statement of Applicability, policy and procedure suite, risk register, internal audit, and management review documentation. Certification itself is issued by TÜRKAK-accredited bodies; we are the implementation partner, not the certifier.
Frequently Asked Questions
KVKK (Kişisel Verilerin Korunması Kanunu, Law 6698) is the Turkish data-protection law. It applies to any company processing personal data in Türkiye, including subsidiaries of foreign groups. It is broadly aligned with GDPR — data subject rights, lawful bases, technical and organizational measures, breach notification (within 72 hours to KVKK Kurumu), VERBİS registration for organizations exceeding thresholds.
VERBİS (Veri Sorumluları Sicili Bilgi Sistemi) registration is required for most organizations, with limited exemptions based on size, sector and personal-data volume. We help you assess obligation, prepare the data-processing inventory, complete the registration and maintain it.
KVKK and GDPR are conceptually similar: both are built on lawful basis, data subject rights and breach notification. KVKK includes explicit consent ("açık rıza") more prominently, has its own special category definitions, and operates under Türkiye-specific guidance. For multinational groups, the right approach is usually a unified GDPR baseline plus KVKK-specific adjustments.
We handle the consulting and implementation — gap analysis, policy and procedure documentation, control implementation, audit preparation. ISO 27001 certificates are issued only by TÜRKAK-accredited certification bodies (BSI, TÜV, Bureau Veritas, DNV etc.).
How Xen Bilişim delivers KVKK & Compliance Consulting
1. Discovery: Stakeholder interviews, current-state inventory, compliance review and risk mapping; deliverable: written discovery report.
2. Plan: Target architecture, SKU/licence selection, migration plan and SLA scope documented; quote signed.
3. Implement: Phased rollout with pilot → full deployment; user training and runbook delivered; KVKK/ISO compliance evidence collected.
4. Operate: Continuous monitoring, quarterly health-checks, incident response and roadmap reviews — under MSP retainer or project-end transfer.
Typical end-to-end timeline: 4-6 weeks (varies by scope).