Frequently asked questions

Answers to common questions about our services and the support we provide are available here. This section offers detailed information to help you understand how we can meet your needs.

Who needs to comply with KVKK in Türkiye?

Any company—local or foreign—that processes the personal data of people in Türkiye falls under the Turkish Personal Data Protection Law (KVKK). Depending on your size and activities, that can include registering in VERBİS (subject to statutory thresholds and exemptions) and putting compliant privacy practices in place. Non-compliance can lead to significant administrative fines.

I don’t have a Turkish entity. Do I still need to register?

Yes. Even without a Turkish company, if you process the personal data of people in Türkiye you’re generally required to register with VERBİS and appoint a Türkiye-based representative (similar to GDPR Art. 27). Kooch provides this Data Controller Representative (DCR) service to handle that obligation on your behalf.

What’s the difference between KVKK and GDPR?

KVKK is Türkiye’s data protection law. It shares GDPR’s core principles (both grow out of European data-protection law) but has its own local rules—registration obligations, consent, transfer mechanisms. GDPR-compliant companies usually still need adjustments to fully meet KVKK.

What services do you provide?

We offer five main packages:

- KVKK Startup Launchpad: Entry compliance (VERBİS, privacy notices, cookie banners).
- KVKK/GDPR Gap Analysis: Full compliance audit + roadmap.
- ISO 27001 Readiness: Documentation and ISMS build toward certification.
- Ongoing Compliance Management: Year-round managed data-protection support.
- Data Controller Representative (DCR): For foreign companies.

How long does compliance take?

- KVKK Launchpad (VERBİS + notices): ~2–4 weeks.
- Gap Analysis: ~4–6 weeks.
- ISO 27001 Readiness: 3–6 months depending on scope.
- DCR service: setup typically 2–4 weeks (apostille/sworn-translation turnaround), ongoing support afterward.

How much does it cost?

- Launchpad: $3K–$5K one-time + $3K/year for maintenance.
- Gap Analysis: $3K–$11K depending on complexity.
- ISO 27001 Readiness: $10K–$20K.
- Ongoing Compliance: $500–$1,500/month.
- DCR: from $3,000 year one (Basic, $1,800 renewal) to $4,500 (Professional, $3,250 renewal).

What happens if I don’t comply?

Under KVKK Article 18, administrative fines reach up to about TRY 17 million per violation for the most serious breaches, and the ceilings are revalued upward every year. Non-compliance can also stall deals—partners or investors may require proof of compliance—and damage reputation.

Do you provide bilingual documents?

Yes. All policies, notices, and agreements are delivered in both Turkish and English, ensuring compliance with regulators and clarity for international stakeholders.

Do you act as our DPO (Data Protection Officer)?

KVKK doesn’t impose a general DPO requirement, so there’s no statutory DPO role to fill. The equivalent ongoing support sits in our Ongoing Compliance Management package—oversight, regulator liaison, and DSAR support—comparable to a GDPR DPO. This is operational compliance support, not legal representation.

Is my company too small for these requirements?

Not necessarily. If you process the personal data of people in Türkiye (even for a small user base), you may still fall under KVKK obligations. We’ll assess your case and only recommend services you truly need.

How do you keep client data secure?

We apply strict internal controls: encrypted communications, least-privilege access, secure file transfer, and documented incident response. Client information is protected by confidentiality and data-processing terms in our agreements.