Personal Data Protection Law
Embedding data processing procedures into daily operations, breach intervention, and management of Authority processes constitute one of the most intensive practice areas of our office.
Personal data processing is now intertwined with virtually all business processes of contemporary enterprises. With the comprehensive amendments made to Law No. 6698 in 2024, this field has become a rapidly evolving discipline that technical and legal teams must manage jointly. Our office provides consulting to domestic and international clients in designing and implementing end-to-end data protection compliance.
We assist our clients in conducting personal data inventories, formulating internal policies and procedures, designing duty to inform notices and explicit consent architecture, managing VERBIS registration processes, and preparing data protection addenda (DPA) in commercial relationships. In operations requiring international transfers, we establish the standard contractual clauses or binding corporate rules (BCR) architecture—mandated by the 2024 reform—and manage Authority notification procedures. In cases of data breaches, we conduct notifications to the Authority and affected individuals, internal investigations, and—where necessary—coordinate judicial proceedings. In investigations initiated by the Authority ex officio or upon complaint, we stand by our clients in preparing statements of defense, oral argument, and administrative litigation against Authority decisions.
Our practice concentrates in data-intensive sectors: technology companies, marketplace and e-commerce operators, fintech and payment institutions, health technologies, digital media, and advertising. Data protection due diligence in company mergers, structuring intra-group transfer frameworks in multi-subsidiary arrangements, and processes involving multiple regulators (KVKK-Banking Regulation and Supervision Authority-Competition Authority; sector-specific authorities such as the Banking Regulation and Supervision Authority or Ministry of Health) represent typical contexts in which we work collaboratively.
Data protection compliance is not merely a textual exercise on paper. We establish inventories, policies, and procedures as a governance framework that aligns with actual business workflows and remains auditable and updatable. As legislation, Authority guidance, and practice change rapidly, we work with our clients on a quarterly rather than annual rhythm; following material legislative amendments, regulatory changes, or Authority decisions, we review and update the compliance framework jointly with our clients.