An ordinary-looking email landed in an e-commerce company’s support inbox: “I want to see all the data you hold about me and have it deleted.” The support team treated it as a standard customer query and replied three weeks later. But this was a data-subject request with a legal clock already running, and the late, incomplete reply turned into a direct complaint to the regulator. The company’s problem wasn’t bad faith; it was not knowing when a request becomes “legal.”
KVKK grants everyone concrete rights over their own data: to request information, rectification and erasure, to object to processing, and more (art. 11). The main mechanism for exercising these rights is the data subject’s application to the data controller. Handling these requests professionally is both a legal obligation and a trust-building customer experience. In this piece, we build the process that runs when a request arrives.
What Is a Request, and When Does the “Clock” Start?
A data subject may apply to the controller in writing, or by other methods the Board sets, to exercise the rights in KVKK art. 11. The Communiqué on the Procedures and Principles for Application to the Data Controller (Official Gazette, 10 March 2018) frames this process. The critical point: a request may look like an ordinary customer question, but if its substance points to a right under art. 11, the legal clock starts then. That’s why your front line (support, sales) recognizing a request is the first and most important step.
The 30-Day Rule
The controller must conclude the request as quickly as possible and within 30 days at the latest, depending on its nature. The response is free unless it requires an additional cost. Where a written response is given, no fee may be charged for up to ten pages; for each page beyond ten, a limited processing fee may be charged under the Communiqué. Thirty days is a ceiling, not a target — closing simple requests far faster is the right move for both compliance and reputation.
Step-by-Step Request Handling
A solid process consists of these links:
- Recognition and logging — Record every request, regardless of channel, in a single register; time-stamp it. That record is what governs the deadline.
- Identity verification — Before responding, confirm the applicant is who they claim. Giving data to the wrong person is a data breach in itself. Verification must be reasonable and proportionate — don’t demand more data than necessary.
- Classifying the request — Is it information, rectification, erasure, objection? Each has a different answer.
- Assessment — Is the request well-founded? Does an exception (e.g., a statutory retention duty) apply?
- Response and documentation — Respond in writing and with reasons; keep the response and its basis. Documentation is the proof of accountability.
Must You Grant Every Request? Grounds for Refusal
No. Some requests may be lawfully refused or limited: a retention obligation under another law may block an erasure request; a request may be manifestly unfounded or excessively repetitive; or it may infringe others’ rights. What matters is to give reasons for the refusal and to document them. An unreasoned or late refusal is the most common cause of complaint.
If the Data Subject Complains: 30/60 Days
If the request is refused, the response is found inadequate, or no timely response is given, the data subject may complain to the Board. Under the calculation in Board decision 2019/9: the person may complain within thirty days of learning of the controller’s response, and in any case within sixty days of the application date. In other words, if you don’t manage the clock, the data subject will run the calendar for you.
Treat Requests as an Early-Warning System, Not a Threat
A rising number of erasure or information requests often signals a deeper issue — one a KVKK compliance audit would surface: over-collection, a trust-eroding marketing practice, or an unclear privacy notice. A well-run request process doesn’t only protect you from fines; it tells you what your customers are uncomfortable with. A ready process, a ready response template, and a trained front line — together these turn thirty days from a crisis into routine work.
Frequently Asked Questions
Within how many days must I respond?
Within 30 days at the latest; closing simple requests far faster is the right move for both compliance and reputation.
Must I grant every request?
No. A statutory retention duty, or manifestly unfounded or excessively repetitive requests, can be refused with reasons.
What if the data subject complains?
They may complain to the Board within 30 days of learning of your response, and in any case within 60 days of the application — if you don’t manage the clock, they will.
Sources
- Communiqué on the Procedures and Principles for Application to the Data Controller (OG 10.03.2018): https://www.resmigazete.gov.tr/eskiler/2018/03/20180310-6.htm
- KVKK — Board Decision 2019/9 on Calculating Application and Complaint Periods: https://www.kvkk.gov.tr/Icerik/5358/Kamuoyu-Duyurusu
- Law No. 6698 on the Protection of Personal Data (arts. 11, 13, 14): https://www.mevzuat.gov.tr/mevzuatmetin/1.5.6698.pdf
This article is for general information only and does not constitute legal advice. For a specific situation, please consult Vircon Legal.
Author
Mümtaz is the Managing Partner of Vircon Legal, which he founded in 2016. He advises founders, investors and operators on financing rounds, M&A, cross-border incorporations and regulated verticals — including crypto-asset infrastructure, fintech and games — bringing a former startup founder's perspective to every engagement.