Answers to common questions about our services and the support we provide are available here. This section offers detailed information to help you understand how we can meet your needs.
Any company—local or foreign—that processes personal data of Turkish residents must comply with the Turkish Personal Data Protection Law (KVKK). This includes registering in the VERBIS system and implementing compliant privacy practices. Non-compliance can lead to significant fines.
Yes. Even without a Turkish company, if you collect or process data of Turkish users, you are required to register with VERBIS through a Turkey-based representative (similar to GDPR Art. 27). Kooch offers this Data Protection Representative (DPR) service to handle this obligation on your behalf.
KVKK is Turkey’s data protection law, closely modeled on GDPR but with local differences (e.g., registration obligations, consent rules). Many companies that are already GDPR-compliant still need adjustments to fully comply with KVKK.
We offer four main packages:
- KVKK Startup Launchpad: Entry compliance (VERBIS, privacy notices, cookie banners).
- KVKK/GDPR Gap Analysis: Full compliance audit + roadmap.
- ISO 27001 Readiness: Documentation and ISMS build for certification.
- Ongoing Compliance Management: Year-round support and DPO-as-a-service.
- Data Protection Representative (DPR): for foreign companies.

- KVKK Launchpad (VERBIS + notices): ~2–4 weeks.
- Gap Analysis: ~4–6 weeks.
- ISO 27001 Readiness: 3–6 months depending on scope.
- DPR service: 1–2 weeks for setup, ongoing support afterward.

- Launchpad: $3K–$5K one-time + $3K/year for maintenance.
- Gap Analysis: $3K–$11K depending on complexity.
- ISO 27001 Readiness: $10K–$20K.
- Ongoing Compliance: $500–$1,500/month.
- DPR: $2,500–$4,000/year.
Penalties under KVKK include fines up to ~TRY 2M (~€60K) per violation. Non-compliance can also block business deals (partners or investors may require proof of compliance) and damage reputation.
Yes. All policies, notices, and agreements are delivered in both Turkish and English, ensuring compliance with regulators and clarity for international stakeholders.
For Turkish law, the equivalent role is covered by our Ongoing Compliance Management package. We provide continuous oversight, regulator liaison, and DSAR handling, similar to a DPO under GDPR.
Not necessarily. If you process Turkish personal data (even for a small user base), you may still fall under KVKK obligations. We’ll assess your case and only recommend services you truly need.
We apply strict internal controls: encrypted communications, least-privilege access, secure file transfer, and documented incident response. We also carry professional liability insurance, so our clients are protected.
