Frequently asked questions

Answers to common questions about our services and the support we provide are available here. This section offers detailed information to help you understand how we can meet your needs.

Who needs to comply with KVKK in Turkey?

Any company—local or foreign—that processes personal data of Turkish residents must comply with the Turkish Personal Data Protection Law (KVKK). This includes registering in the VERBIS system and implementing compliant privacy practices. Non-compliance can lead to significant fines.

I don’t have a Turkish entity. Do I still need to register?

Yes. Even without a Turkish company, if you collect or process data of Turkish users, you are required to register with VERBIS through a Turkey-based representative (similar to GDPR Art. 27). Kooch offers this Data Protection Representative (DPR) service to handle this obligation on your behalf.

What’s the difference between KVKK and GDPR?

KVKK is Turkey’s data protection law, closely modeled on GDPR but with local differences (e.g., registration obligations, consent rules). Many companies that are already GDPR-compliant still need adjustments to fully comply with KVKK.

What services do you provide?

We offer four main packages:

- KVKK Startup Launchpad: Entry compliance (VERBIS, privacy notices, cookie banners).
- KVKK/GDPR Gap Analysis: Full compliance audit + roadmap.
- ISO 27001 Readiness: Documentation and ISMS build for certification.
- Ongoing Compliance Management: Year-round support and DPO-as-a-service.
- Data Protection Representative (DPR): for foreign companies.

How long does compliance take?

- KVKK Launchpad (VERBIS + notices): ~2–4 weeks.
- Gap Analysis: ~4–6 weeks.
- ISO 27001 Readiness: 3–6 months depending on scope.
- DPR service: 1–2 weeks for setup, ongoing support afterward.

How much does it cost?

- Launchpad: $3K–$5K one-time + $3K/year for maintenance.
- Gap Analysis: $3K–$11K depending on complexity.
- ISO 27001 Readiness: $10K–$20K.
- Ongoing Compliance: $500–$1,500/month.
- DPR: $2,500–$4,000/year.

What happens if I don’t comply?

Penalties under KVKK include fines up to ~TRY 2M (~€60K) per violation. Non-compliance can also block business deals (partners or investors may require proof of compliance) and damage reputation.

Do you provide bilingual documents?

Yes. All policies, notices, and agreements are delivered in both Turkish and English, ensuring compliance with regulators and clarity for international stakeholders.

Do you act as our DPO (Data Protection Officer)?

For Turkish law, the equivalent role is covered by our Ongoing Compliance Management package. We provide continuous oversight, regulator liaison, and DSAR handling, similar to a DPO under GDPR.

Is my company too small for these requirements?

Not necessarily. If you process Turkish personal data (even for a small user base), you may still fall under KVKK obligations. We’ll assess your case and only recommend services you truly need.

How do you keep client data secure?

We apply strict internal controls: encrypted communications, least-privilege access, secure file transfer, and documented incident response. We also carry professional liability insurance, so our clients are protected.