KVKK + GDPR Compliance Checklist

CHECKLIST · 30 ITEMS · 25 MIN

KVKK + GDPR Compliance Checklist

A 30-item dual-regime data-protection compliance checklist — scope-applicability, legal basis-notice, cross-border transfer (Schrems II), operational compliance. Post-2024 KVKK reform + 72-hour breach + 30-day DSR.

Unlock the checklist

Enter your email and join the Vircon Substack list to access this checklist. Your entries are stored only in your browser.

Join the Vircon Substack list to receive new content.

0 / 30 Saved

SECTION 1 8 ITEMSScope and Applicability SECTION 2 8 ITEMSLegal Basis and Notice SECTION 3 8 ITEMSCross-Border Transfer SECTION 4 6 ITEMSOperational Compliance

SECTION 1 · 8 ITEMS

Scope and Applicability

Where each regime applies. Dual application is more common than founders realize — TR company with EU customers triggers both KVKK and GDPR.

01KVKK territorial and material scopeKVKK Art. 2 applies to data controllers and processors regardless of where they are established, when processing affects data subjects in Turkey or processing is carried out by Turkey-established entities.

02GDPR territorial scope (Article 3)GDPR applies to EU-established controllers/processors, and to non-EU operators that (a) offer goods or services to EU data subjects, or (b) monitor EU data subjects’ behavior.

03Dual application — Turkish company with EU customersSelling SaaS to EU customers, running EU-targeted ad campaigns, or processing EU job-applicant data pulls Turkish companies into GDPR. Both KVKK and GDPR apply in parallel.

04Child-data special considerationsGDPR Art. 8: children under 16 (national derogation to 13) need parental consent for information society services. KVKK has no specific child-data threshold but treats child data with heightened sensitivity.

05Special-category data triggersHealth, biometric, genetic, racial, political, religious, sexual orientation, criminal record. Triggers KVKK Art. 6 (explicit consent or narrow exceptions) and GDPR Art. 9 (10 exception grounds).

06Data controller vs processor analysisWho decides the means and purposes? Controller-processor analysis frames contractual structure (DPA), allocation of obligations, and breach-notification responsibility.

07Joint controller arrangementGDPR Art. 26 requires joint controllers to publish essence of the arrangement. KVKK is silent but Authority guidance treats co-controllers as joint-and-several liable.

08Intra-group data transfersGroup company transfers are NOT exempt under either regime. Each transfer needs lawful basis + safeguards. Document via intra-group DPA or binding corporate rules (BCR).

SECTION 2 · 8 ITEMS

Legal Basis and Notice

Lawfulness of processing and transparency obligations. Most enforcement actions stem from wrong basis selection or inadequate notice.

09Legal basis selection: KVKK Art. 5/6 vs GDPR Art. 6/9KVKK has 7 personal-data bases + 4 special-category bases. GDPR has 6 + 10. Mapping matters because what’s allowed under KVKK ‘legitimate interest’ (m.5/2-f) may fail GDPR Art. 6(1)(f) balancing.

10Explicit consent mechanicsGranular per-purpose, freely given, informed, specific, withdrawable. Pre-ticked boxes invalid (both regimes). Withdrawal mechanism must be equally accessible to consent grant.

11Contract necessity basisBoth regimes allow processing necessary for contract performance — but ‘necessary’ is narrowly interpreted. Marketing, analytics, profiling rarely qualify.

12Legitimate interest balancing test (LIA)Document the three-step test: (a) legitimate interest identified, (b) processing necessary, (c) balancing weighs in controller’s favor. KVKK Kurul Karar 2018/63 sets parameters.

13KVKK aydınlatma metni and GDPR Art. 13/14 noticeBoth require pre-collection notification. Content overlaps but isn’t identical — GDPR adds international transfer specifics, data-retention period, profiling logic.

14Layered privacy notice designShort-form notice at collection + long-form available via link. Improves engagement and compliance simultaneously. JIT (just-in-time) notices for sensitive operations.

15Child consent and parental verificationGDPR Art. 8 + national age (16 EU default, 13 in UK/IT). Parental consent verification mechanism documented. KVKK no specific age but Authority guidance applies.

16DPIA triggers — when impact assessment is mandatoryKVKK Kurul Karar 2018/10 lists scenarios. GDPR Art. 35 + EDPB list 9 criteria. Both require DPIA before high-risk processing — biometrics, profiling, large-scale special category.

SECTION 3 · 8 ITEMS

Cross-Border Transfer

Where data leaves Turkey or the EU. Schrems II reshaped this entirely — government-access risk now front-and-center.

17KVKK Art. 9 transfer mechanisms post-2024 reformAdequacy list (KVKK Karar 2024/1568) + SCC-equivalent (taahhütname/undertaking) + binding corporate rules + explicit consent + narrow derogations. Sufficient-protection list updated periodically.

18KVKK SCC (Standart Sözleşme) executionKVKK published SCCs in 2024 Karar 2024/1568. Annex I (controller-controller), Annex II (controller-processor), Annex III (processor-processor). Notification to Authority within 5 days.

19GDPR Chapter V transfer mechanismsAdequacy decision + SCC + BCR + Codes of Conduct + Certification + Article 49 derogations. Each requires Transfer Impact Assessment (TIA) under Schrems II.

20Schrems II and Transfer Impact Assessment (TIA)Pre-transfer assessment: destination country’s surveillance laws, judicial remedies, supplementary measures (encryption, pseudonymization, contractual).

21US transfer specifics (DPF, SCC, supplementary measures)EU-US Data Privacy Framework (active since 2023) provides adequacy for participating US companies. Non-DPF transfers require SCC + TIA + supplementary technical measures.

22Cloud and SaaS vendor transfer chain mappingAWS, Azure, GCP, M365 — each has multiple sub-processor layers. Map the transfer chain comprehensive. Vendor’s standard DPA may not cover the actual flow.

23Onward transfer and government access riskImported data may be onward-transferred to third countries. Schrems II requires assessing destination AND any onward-transfer destinations. US FISA 702 / CLOUD Act risk-rated separately.

24Supplementary measures — encryption, pseudonymizationTechnical (comprehensive encryption with keys held by EU/TR data exporter), organizational (split processing), contractual (transparency, challenge rights). Documented and verified.

SECTION 4 · 6 ITEMS

Operational Compliance

Day-to-day controls that make the policy real. Paper compliance without operational reality is the most common enforcement trigger.

25DPO appointment — mandatory triggersKVKK does not mandate DPO but Authority guidance recommends it. GDPR Art. 37 mandates DPO for public authorities, large-scale systematic monitoring, large-scale special-category processing.

26VERBIS registration + GDPR Article 30 recordsVERBIS (KVKK Art. 16) public registration for thresholded controllers. GDPR Art. 30 internal record of processing activities. Both must be current — updates within 7 days (KVKK) and proactively (GDPR).

27Data breach 72-hour notificationKVKK 72-hour notification to Authority + data subjects (Communique on Notification of Data Breaches). GDPR Art. 33 (72-hour to supervisory authority) + Art. 34 (high-risk breaches to data subjects). Use parallel notification track.

28Data subject request workflowKVKK Art. 13 — 30 days to respond. GDPR Art. 12 — 30 days extendable to 90 days for complex requests. Use one intake portal mapping to both regimes’ response obligations.

29Vendor/processor management (DPA + Article 28)Each processor must have DPA covering: instructions, confidentiality, security, sub-processor authorization, audit rights, return/deletion at termination. Procurement gating required.

30Incident response runbook + periodic auditTabletop exercises quarterly. External audit (Article 32 GDPR / KVKK Communique on Security) annual. Maintain audit trail for 5+ years under both regimes.

Decision Matrix — Is Our Dual-Regime Compliance Sound?

How your checked items distribute shows your compliance maturity:

Section 1 7+/8: Which regimes apply is clear. Dual application correctly identified.
Section 2 7+/8: Legal basis mapping and notices complete.
Section 3 7+/8: Cross-border transfers safeguarded. Schrems II analysis documented.
Section 4 4+/6: Operational controls live. Audit-ready.
Section 2-3 weak: Enforcement risk high — fast remediation via KVKK Authority decisions + EDPB guidance.
Cross-border map missing: Cloud vendor transfer chain must be mapped comprehensive. Without SCC + TIA, transfer is exposed.
No 72-hour runbook: Breach response capacity absent — tabletop exercise required.
All four sections above threshold: KVKK + GDPR compliance at upper range. Maintain with annual external audit and continuous updates.

Legal notice. This document is for informational purposes only and does not constitute legal advice. KVKK, GDPR, KVKK Authority decisions, EDPB guidelines and other legislation referenced are general references; applying them to your company requires evaluation by a lawyer experienced in data protection. Vircon Legal: [email protected]

SISTER CHECKLISTS

Book a free 30-minute intro call

Once you've worked through this checklist, pick a time below for a personalized risk review and prioritization of any remaining items.

KVKK + GDPR Compliance Checklist

Unlock the checklist

Scope and Applicability

Legal Basis and Notice

Cross-Border Transfer

Operational Compliance

Decision Matrix — Is Our Dual-Regime Compliance Sound?

You may also like

Book a free 30-minute intro call