KVKK / GDPR Compliance

Audit isn't a day,
it's a system that runs daily.

Forms filled out the night before the regulator audit don't count as compliance. Compliance is a daily-running foundation of data inventory, consent management, subject-rights automation, breach response runbook and subprocessor contracts. We build, document and keep that foundation audit-ready.

KVKK fines reach 9.4M TL per infringement at 2024 rates; GDPR fines reach 4% of global annual turnover. "It probably won't happen" stopped working: dozens of Turkish companies have received seven-figure penalties in the past three years.

Compliance Checklist 12 / 12
Cookie banner
Privacy policy
DPA signed
VERBIS filed
RoPA current
Right to erasure
Retention schedule
Breach runbook
DPIA completed
Training log
Subprocessor list
EU transfer (SCC)
Data Subject Request DSR-#4821
1. Received 00:00
2. Verified 02:14
3. Located 05:32
4. Exported 08:11
5. Delivered 09:47

SLA target: 30 days — average 4 hours

Compliance Score: 94 (+56 pts)

Risk Score: 12 (−74)

Why most fail the audit

Five classic gaps. All five usually show up together.

After dozens of compliance projects, we see the same five gaps repeat in almost every company. Each one looks like a small detail in isolation; together, they make administrative penalties inevitable. None of the below is rhetorical — every item comes from real, published regulator decisions in Turkey and the EU.

01

Cookie banner that doesn't actually block

A banner sits on the page waiting for clicks, but Meta Pixel, GA4 and Hotjar are already firing on page load, and even "Reject" doesn't stop them. The "consent obtained" log is then recording consent that was never technically honoured. Regulators in Turkey and the EU treat the missing technical blocking as an infringement in its own right, separate from any defect in the banner text.

02

No VERBIS / RoPA

KVKK Art. 16 (the VERBIS registry and the processing inventory behind it) and GDPR Art. 30 (records of processing) require a written record of every processing activity: what data, what legal basis, which system, what retention, which recipients. Without that inventory the audit is over before it starts. Most companies either don't have one, or made one two years ago and never updated it.

03

Subprocessor DPAs unsigned

AWS, Google Workspace, HubSpot, Mailchimp, Stripe: every SaaS you use processes data on your behalf. GDPR Art. 28 requires a written contract with each processor, so using them without a signed Data Processing Addendum leaves the processing with no lawful footing. Nobody reads these contracts, so the gap stays hidden until something goes wrong.

04

No breach response plan

When an incident hits, the supervisory authority must be notified within 72 hours (GDPR Art. 33; the KVKK Board applies the same window). Without a plan, contact list, external-comms drafts and a log-collection procedure, those 72 hours evaporate. Late notification alone means tens of thousands of euros in extra fines, independent of the breach itself.

05

Undefined retention

Data is kept indefinitely and "how long do we hold it" has no answer. Both KVKK (Art. 4) and GDPR (Art. 5(1)(e)) impose storage limitation: delete once the purpose has ended. If 8-year-old customer data sits in your CRM, an incident exposes 8 years of data.
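A retention schedule only closes this gap if something actually runs it. The following is an added example, not code from this page or any vendor: a sweep that evaluates records against a RoPA-style schedule (legal basis, period, which timestamp the clock runs from), honours legal holds, deletes consent-based data as soon as consent is withdrawn, and refuses to auto-delete anything the inventory cannot answer for. The systems, purposes, periods and sample rows are illustrative assumptions.

```javascript
'use strict';
// Added example, not code from the page: a retention sweep driven by a RoPA-style schedule.
// The systems, purposes, periods and record fields below are illustrative assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Retention schedule keyed by processing activity, as a RoPA row would record it:
// legal basis, how long to keep, and which timestamp the clock runs from.
const SCHEDULE = {
  'crm:customer_profile': { basis: 'contract',         retainDays: 2 * 365,  clock: 'lastActivity' },
  'erp:invoice':          { basis: 'legal_obligation', retainDays: 10 * 365, clock: 'created' },
  'marketing:newsletter': { basis: 'consent',          retainDays: 365,      clock: 'lastActivity' },
};

// Classify every record: delete, keep, or flag for review because the inventory cannot answer for it.
function retentionSweep(records, now, schedule = SCHEDULE) {
  const result = { delete: [], keep: [], review: [] };
  for (const r of records) {
    const rule = schedule[r.activity];
    if (!rule) {                       // not in the RoPA: fix the inventory, never auto-delete
      result.review.push({ id: r.id, reason: 'activity not in retention schedule' });
      continue;
    }
    const start = Date.parse(r[rule.clock]);
    if (Number.isNaN(start)) {         // no usable timestamp: the clock cannot run
      result.review.push({ id: r.id, reason: `missing ${rule.clock} timestamp` });
      continue;
    }
    const expiresAt = start + rule.retainDays * DAY_MS;
    if (r.legalHold) {                 // litigation or regulator hold overrides expiry
      result.keep.push({ id: r.id, reason: 'legal hold', expiresAt });
    } else if (rule.basis === 'consent' && r.consentWithdrawn) {
      result.delete.push({ id: r.id, reason: 'consent withdrawn' });
    } else if (now >= expiresAt) {
      result.delete.push({ id: r.id, reason: 'retention period expired' });
    } else {
      result.keep.push({ id: r.id, reason: 'within retention', expiresAt });
    }
  }
  return result;
}

// Constructed sample inventory rows (not real data), evaluated at a fixed date.
const SAMPLE_NOW = Date.parse('2025-01-15T00:00:00Z');
const SAMPLE_RECORDS = [
  { id: 'c1', activity: 'crm:customer_profile', lastActivity: '2022-06-01T00:00:00Z' },
  { id: 'c2', activity: 'crm:customer_profile', lastActivity: '2024-06-01T00:00:00Z' },
  { id: 'i1', activity: 'erp:invoice', created: '2014-01-01T00:00:00Z' },
  { id: 'i2', activity: 'erp:invoice', created: '2014-01-01T00:00:00Z', legalHold: true },
  { id: 'n1', activity: 'marketing:newsletter', lastActivity: '2024-12-01T00:00:00Z', consentWithdrawn: true },
  { id: 'x1', activity: 'hr:candidate_cv', created: '2019-03-01T00:00:00Z' },
];

function sampleSweep() { return retentionSweep(SAMPLE_RECORDS, SAMPLE_NOW); }

console.log(JSON.stringify(sampleSweep(), null, 2));
```

The design point is the `review` bucket: a record whose activity is missing from the schedule is evidence that the RoPA is incomplete, and the right response is to fix the inventory, not to guess a period and delete. Run on the sample, the sweep deletes c1 (contract data past two years), i1 (invoice past ten years) and n1 (consent withdrawn), keeps c2 and the held invoice i2, and flags x1.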

What compliance looks like

Three visible outputs: consent flow, data map, falling penalty exposure.

Data Flow Map

Green = compliant flow, red = missing required DPA

CRM (HubSpot), Marketing (Mailchimp), Analytics (GA4, EU), Backup (AWS S3, EU), 3rd party (US): DPA missing
4 compliant flows, 2 to remediate

Potential Fine On Breach

Before (non-compliant):

€ 2,840,000

After (post-compliance):

€ 84,000

Insurable, documented, defensible floor.

−97% risk · 94/100 score · 72h SLA

Who it's for

Anyone processing personal data daily — that is, almost every company.

01

E-commerce — TR + EU

Selling to Turkish customers means KVKK; shipping to the EU means GDPR. Two regimes in one basket. Order, invoice, shipping, returns — each processed under different bases and must be documented.

02

SaaS / B2B platforms

You host your customers' customer data as a Processor. Each customer needs a DPA, subprocessor list, audit log, deletion/exit flow — and contracts usually commit to all of it.

03

Healthcare & clinics

Patient data is special-category; KVKK Art. 6 and GDPR Art. 9 demand stricter protection. Explicit consent, separate security controls, separate retention. Medical-device data, appointment systems, e-prescription: all in scope.

04

Banking & fintech

BDDK and PSD2 stack on top of KVKK/GDPR. KYC data, transaction history, card data (PCI DSS), open-banking sharing: each is its own program. Compliance is continuous, not monthly.

05

Education & EdTech

Child data needs its own consent flow: under GDPR Art. 8, consent for online services from a child below 16 (13 in member states that lowered it) requires parental authorisation, and KVKK's general consent and care duties apply to minors' data throughout. LMS data, exam results, behavioural analytics all need the extra child-data controls; COPPA is the US counterpart if US children are in scope.

06

Agencies & outsourced

You manage client marketing lists, CRMs, social accounts. That makes you a Processor; each client needs a separate DPA, IP/device access logs, end-user access rules.

07

API-driven B2B & integrations

Integration platforms touching client ERPs, accessing customer-of-customer data. Data minimisation, purpose limitation, log retention — a single webhook can be a privacy breach.

08

Marketplaces / two-sided KYC

Buyer and seller ID / IBAN / tax-ID data on both sides. Bilateral KYC, AML logging, tax sharing, breach response — a gap on either side makes the platform liable.

Services

Every piece of a compliance project — one single team.

Lawyer, DPO, engineer, process designer: instead of hunting four vendors, get ten capabilities from one team. The ten items below cover what it takes to set up, audit and sustain a compliance program.

01

Gap analysis

Current state mapped against every KVKK and GDPR article — what you have, what's missing, what to fix first.

02

RoPA / VERBIS records

Written record of all processing activities, KVKK Art. 16 + GDPR Art. 30 aligned, in a continuously updatable format.

03

DPA / Subprocessor contracts

Data Processing Agreements signed with all vendors (AWS, Google, Stripe, HubSpot etc.) and tracked.

04

CMP — Consent Management Platform

Cookiebot / OneTrust / Iubenda setup, GTM integration, trackers actually halted when refused.

05

Bilingual privacy notices

Two-language privacy notices for web, mobile, forms, call centre — bound to KVKK + GDPR articles, plain language.

06

Subject-request automation

Erasure, rectification and portability requests routed into one portal and fetched from all systems automatically — under SLA.

07

Breach response runbook

72-hour notification flow, contact list, log-collection procedure, external-comms drafts, regulator form templates.

08

DPO-as-a-Service

Appointed DPO role — official point of contact in audits, employee request channel, annual reporting.

09

Staff training

KVKK + GDPR fundamentals, phishing simulation, department-specific modules (HR, sales, engineering), attendance records.

10

Audit preparation

Pre-audit self-assessment, response prep for customer DPIAs, ISO 27701 and SOC 2 alignment.

Process

From zero to audit-ready, in six steps.

01

Audit

Scan of current systems, flows, contracts. First draft of the data inventory, mapping of gaps and weaknesses. Output: a 30–60 page gap analysis report.

02

Prioritisation

We place the gaps on a risk × impact matrix. Which gap fails you at audit, which is most expensive on breach — we resolve them in that order.

03

Policies & contracts

Privacy notices (TR/EN/DE), privacy policy, cookie policy, employee undertakings, DPA templates, subprocessor list — all written and signed off.

04

Technical controls

CMP integration, subject-request portal, log retention policy, encryption, access control, data minimisation — changes on the application side.

05

Training

General training for all staff plus deeper modules for HR, sales, engineering. Attendance records kept for audit.

06

Maintenance & monitoring

Monthly internal audit, quarterly policy refresh, annual external audit. Re-evaluation when a new vendor or process is added. This step is permanent.

Platforms we work with

Vendor choice depends on your need — we work with all of them.

Enterprise (OneTrust, BigID), mid-market (Cookiebot, Iubenda), startup-friendly (Vanta, Drata) and the Turkey-specific registry filing (VERBIS): we install what fits the requirement. We're vendor-agnostic, not vendor-resellers.

OneTrust, Cookiebot, Iubenda, Usercentrics, TrustArc, DataGrail, Vanta, Drata, Securiti.ai, BigID, Privado.ai, VERBİS, Atlassian Compliance

Cases

What a compliance project looks like in numbers.

E-commerce (TR + EU)

6 weeks

Passed VERBIS + GDPR audit — zero findings.

Four-language privacy notices, Cookiebot CMP, 22 subprocessor DPAs, subject-request portal — six weeks pre-audit.

B2B SaaS

−91%

Cookie consent complaints down 91%.

The old banner didn't stop trackers on refusal. CMP replaced, GTM triggers bound to consent. Complaints went from 47/month to 4.

Hospital chain

14 days

Subject access request answered in 14 days (was 45).

A DSR portal unifying patient data spread across multiple HIS + LIS + appointment systems. Four-hour extraction, 14-day delivery.

Fintech startup

94/100

Enterprise customer DPIAs answered with one click.

ISO 27701 prep + customer DPIA repository. Four of the six yearly customer audits answered with a single report.

Education platform

0

Zero regulator complaints in 12 months of operation.

Dual-consent flow with parents for under-18s, separate retention for child data, annual student-deletion routine. No parent complaint received.

Logistics company

72h → 14h

Breach response time cut from 72 to 14 hours.

Runbook, phone tree, automated log collection, external-comms drafts. On a small email leak, notification was complete in 14 hours, no extra fine.

FAQ

The eight questions we hear most.

Under KVKK, every data controller has a registration obligation in the Data Controllers Registry Information System (VERBIS). It applies to companies with more than 50 employees in a year or an annual balance sheet over 100M TL; some exemptions exist below that threshold, but anyone processing special-category data (health, criminal, biometric etc.) must register regardless. Registration is not one-off: it must be updated when processing purposes change. Failing to register attracts administrative fines of 100K-1.5M TL, indexed annually.

They share the same logic but are not identical. KVKK entered force in Turkey in 2016, GDPR in the EU in 2018. Many core principles overlap: purpose limitation, data minimisation, accountability. But GDPR is stricter on several points: cross-border transfers need a recognised mechanism such as SCCs, the DPO appointment threshold triggers more often, subject requests must be answered within one month (extendable only for complex cases), breach notification is 72 hours, and fines can reach 4% of global annual turnover. A Turkish company with EU presence or selling to EU residents must apply both. Our practical advice: design to GDPR, align to KVKK, never the reverse.

If you don't directly sell goods/services into the EU and don't monitor EU residents' behaviour, GDPR may not apply to you directly. But indirect scope is much wider: an EU visitor filling in a form, an EU supplier whose data you process, an EU-based employee — each touches GDPR. On top of that, your B2B customers may contractually require GDPR-grade compliance. Designing at GDPR level while complying with KVKK makes future customer DPIAs much easier. "We don't need it yet" usually costs more later.

Yes. KVKK Art. 5 (consent as the default legal basis) and, in the EU, ePrivacy Directive Art. 5(3) read with GDPR Art. 6 require informed consent before non-essential cookies are placed. Strictly necessary cookies (session, cart) are exempt; analytics, marketing and profiling cookies require active opt-in. A banner that loads cookies before "Accept" is clicked, a "Continue" link counted as consent, trackers that still fire on refusal: all are grounds for fines. Turkey saw dozens of brands fined in 2024 for exactly this. The correct setup: CMP + GTM consent mode + every tracker fired only behind the consent gate, plus a check after every deployment that clicking "Reject" really leaves the browser's network log free of tracker requests.
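What "behind the consent gate" means in code, for gap 01 above, the B2B SaaS case and this answer: the following is an added example, not code from this page or from any CMP vendor. It contrasts the broken banner (tags inline in the page head, the click only logged) with a gate that parks every tag until the visitor decides, pushes the matching Google Consent Mode v2 update, and discards refused categories so "Reject" actually blocks. Tracker names (ga4, meta_pixel, hotjar), the two categories and the category-to-key mapping are illustrative assumptions; the consent-mode key names themselves are Google's.

```javascript
'use strict';
// Added example, not code from the page or any CMP vendor: a consent gate that parks
// third-party tags until the visitor decides and drops them on "Reject". Tracker names,
// the two categories and the category-to-key mapping are illustrative assumptions.

// Google Consent Mode v2 storage keys, grouped by the banner category that governs them.
const CONSENT_MODE_KEYS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

function createConsentGate(dataLayer = []) {
  let decided = false;
  let granted = new Set();
  const pending = [];     // tags registered before the visitor has chosen
  const fired = [];       // audit trail of tags that actually loaded
  const consentLog = [];  // the record a "consent obtained" claim must rest on

  // Stand-in for the gtag() shim; on a real page this is the same function GTM reads.
  function gtag(...args) { dataLayer.push(args); }

  // Default state: everything denied. This call must precede every tag on the page.
  gtag('consent', 'default', Object.fromEntries(
    Object.values(CONSENT_MODE_KEYS).flat().map((k) => [k, 'denied'])));

  function run(tag) { tag.load(); fired.push(tag.name); }

  // Tags register here instead of being inlined in the page head.
  function register(name, category, load) {
    if (!(category in CONSENT_MODE_KEYS)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, load };
    if (!decided) pending.push(tag);              // page load: park, never fire
    else if (granted.has(category)) run(tag);     // registered after consent: fire now
    // decided and not granted: dropped, which is what "Reject" has to mean
  }

  function decide(grantedCategories) {
    decided = true;
    granted = new Set(grantedCategories);
    const update = {};
    for (const [cat, keys] of Object.entries(CONSENT_MODE_KEYS)) {
      for (const key of keys) update[key] = granted.has(cat) ? 'granted' : 'denied';
    }
    gtag('consent', 'update', update);
    consentLog.push({ at: new Date().toISOString(), granted: [...granted] });
    for (const tag of pending.splice(0)) {
      if (granted.has(tag.category)) run(tag);     // refused categories are discarded
    }
  }

  return {
    register,
    decide,
    acceptAll: () => decide(Object.keys(CONSENT_MODE_KEYS)),
    rejectAll: () => decide([]),
    fired: () => fired.slice(),
    consentLog: () => consentLog.slice(),
    dataLayer,
  };
}

// The broken pattern from gap 01: the banner records a click while tags load on page load.
function createNaiveBanner() {
  const fired = [];
  return {
    register: (name, _category, load) => { load(); fired.push(name); },  // fires immediately
    rejectAll: () => {},   // "Reject" changes nothing after the fact
    fired: () => fired.slice(),
  };
}

// Same three tags, registered at page load, then the visitor clicks "Reject".
function simulateReject(banner) {
  banner.register('ga4', 'analytics', () => {});
  banner.register('meta_pixel', 'marketing', () => {});
  banner.register('hotjar', 'analytics', () => {});
  banner.rejectAll();
  return banner.fired();
}

console.log('naive banner after Reject:', simulateReject(createNaiveBanner()));
console.log('consent gate after Reject:', simulateReject(createConsentGate()));
```

Two things carry over to a real deployment: the `consent default` push has to be the first script on the page, before GTM or any tag, or the tags see no denial; and the `fired` trail, not the banner click, is what you compare against the consent log when asked to prove that a refusal was honoured.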

Under GDPR a DPO is mandatory in three cases: being a public body, having core processing that is large-scale systematic monitoring, or core processing of large-scale special-category data. Outside these it is recommended but optional. KVKK requires a "contact person" — every company on VERBIS must register one with the regulator. The DPO or contact-person role can be filled in-house or taken as DPO-as-a-Service; we run the second model often. No conflict of interest, structural independence and direct reporting to top management are critical.

Within the EU/EEA, transfer is free. Outside it you need a transfer mechanism: a country with an adequacy decision (UK, Switzerland, Japan etc.), signed Standard Contractual Clauses (SCCs), or binding corporate rules within a group. For the US you can use vendors certified under the EU-US Data Privacy Framework (2023); for non-certified US vendors, SCCs plus a Transfer Impact Assessment (TIA) are required. From Turkey outward, KVKK Art. 9 applies: there is still no adequacy decision covering the EU, so transfer runs on a written undertaking plus Board approval, on the standard contracts or binding corporate rules added by the 2024 amendment (a signed standard contract must be notified to the Board), or on explicit consent, which after the amendment is only an exception for occasional transfers. Setting these up correctly is one of the most-missed items in audits.

Under GDPR, notification to the supervisory authority is mandatory within 72 hours of becoming aware (Art. 33); if the breach is likely to pose a high risk to subjects, they must also be told without undue delay (Art. 34). KVKK says "as soon as possible", which the Board has fixed at 72 hours in practice. Missing the deadline brings a separate fine from the breach itself, often around half of the main fine in published decisions. Our runbook: suspected breach → triage within 1h → scope confirmed within 4h → official text drafted within 24h → notification + subject communication within 72h. Without pre-prepared text, a contact list and a decision tree, you don't make the deadline.

KVKK fines are indexed annually for inflation. For 2024: failure to inform 47K-940K TL, failure to secure data 141K-9.4M TL, failure to comply with a regulator decision 235K-9.4M TL. GDPR has two tiers: minor infringements up to 2% of global annual turnover or €10M; major infringements up to 4% or €20M (whichever is higher). On top, customer churn, contract penalties and brand damage can be many multiples. British Airways was initially proposed at £183M for its 2019 breach, reduced to £20M — small companies don't survive that.

Next step

Not the night before audit — today.

In a 30-minute call we map your current compliance, your three most critical gaps and a 90-day roadmap. Free, no-obligation, under NDA.

Response time

< 24 h

Typical project

6-12 weeks

Confidentiality

NDA by default
