YourRegisteredData Controller Representative in Türkiye
Foreign companies processing personal data of Turkish residents are required to appoint a local representative under KVKK. Kooch is a registered Turkish legal entity that receives authority correspondence, forwards data subject requests, and maintains your VERBIS record — so your team doesn't have to navigate Turkish procedure alone.
* Representative-only and partner-supported options available for foreign law firms, privacy consultancies, and international compliance teams.
Why foreign companies need this servicea representative in Türkiye:
Türkiye's Personal Data Protection Law (KVKK, Law No. 6698) requires foreign data controllers who process personal data of Turkish residents to appoint a representative established in Türkiye. The representative is the local point of contact for the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) and for data subjects exercising their statutory rights. Unlike GDPR Article 27, there is no de minimis threshold for foreign controllers. If you process Turkish residents' personal data — through a website, an app, a service, or any other channel — you fall within scope and must appoint a representative before registering in VERBIS, Türkiye's Data Controllers' Registry.
2026 penalty exposure: Failure to register in VERBIS or maintain a valid representative can result in administrative fines of up to TRY 17,092,242 per violation following the November 2025 revaluation. The Personal Data Protection Authority imposed TRY 503 million in fines on non-compliant controllers in a single 2024 enforcement wave.
How the representative relationshipworks:
Once appointed, Kooch sits between your organization, the Personal Data Protection Authority, and data subjects in Türkiye. We're the local Turkish-registered entity on record — you remain the data controller and retain all decisions about how personal data is processed.
Setup infour steps:
A complete appointment typically takes two to six weeks, depending on apostille and translation timelines in your jurisdiction.
Step 1 — Appointment Resolution
Your board or authorized signatory issues a resolution appointing Kooch as your KVKK representative. We provide a template that meets Personal Data Protection Authority expectations, reviewed by our partnered Turkish privacy counsel.
Step 2 — Apostille & Sworn Translation
The resolution is apostilled in your jurisdiction (Hague Convention countries) or consularized (non-Hague countries), then translated into Turkish by a sworn translator. We coordinate the process and handle pass-through costs.
Step 3 — VERBIS Registration
We register your organization as a "Data Controller Residing Abroad" in VERBIS, the Personal Data Protection Authority's official registry, listing Kooch as your representative.
Step 4 — Privacy Notice Clause
You update your privacy notice to name Kooch as your Türkiye representative, with our Istanbul address and contact channel for Turkish data subjects. We provide the exact clause text.
What we handle as your representative:
Authority correspondence
We receive and acknowledge correspondence from the Personal Data Protection Authority within 24 business hours and coordinate your response with you and your legal counsel.
Data subject requests (DSARs)
Requests from data subjects in Türkiye reach Kooch first. We forward them to you within 1 business day and track the statutory 30-day response window.
VERBIS maintenance
We keep your VERBIS record current — updating processing purposes, data categories, retention periods, and cross-border transfer mechanisms as your operations evolve.
Cross-border transfer notifications
When you sign a Standard Contract under the post-2024 KVKK cross-border framework, we coordinate the 5-business-day notification to the Authority via the Data Transfer Module.
Breach coordination
In the event of a personal data breach, we coordinate the 72-hour notification to the Authority alongside your incident response team and legal counsel.
Annual review
Once per year, we review your VERBIS entries, processing inventory, and representative arrangement to confirm everything is current.
What wedo notdo:
Kooch is not a law firm. We are a Turkish-registered consultancy that performs the representative function and the operational compliance work around it. The following remain with your legal counsel — ours, yours, or both.
Legal opinions on whether KVKK applies to a specific processing activity
Drafting or negotiating Standard Contracts, Binding Corporate Rules, or undertaking letters
Representation before Turkish administrative courts
Determinations of lawful basis under KVKK Article 5 or 6
Health, genetic, biometric, or clinical-trial data processing advice (handled in partnership with specialist counsel)
Tax, employment, or commercial law matters
Serviceoptions:
One annual fee, two engagement levels for the representative function. Onboarding — including your Appointment Resolution, apostille coordination, sworn translation, VERBIS registration, and kick-off call — is included in your first-year fee. Minimum 12-month engagement term.
Who is legally required to appoint a DPR in Turkey?
All non-resident data controllers (companies without a physical presence in Turkey) that process the personal data of Turkish residents must appoint a Turkey-based representative.
What happens if we don't appoint a DPR?
You will be in violation of KVKK. This can result in fines and prevent you from legally completing your mandatory registration in the VERBIS data registry.
What kind of inquiries will you handle?
We will receive, track, and forward official correspondence from the KVKK Authority and Data Subject Access Requests (DSARs) from individuals in Turkey.
Is a Data Protection Representative (DPR) the same as a Data Protection Officer (DPO)?
No. A DPR is a mandatory local point of contact for foreign companies, similar in spirit to GDPR Article 27. A DPO is a broader role responsible for overseeing an organization's data protection strategy, which is not always mandatory.
.webp)
