On December 16, 2019, our Managing Partner Erdem Mümtaz Hacıpaşaoğlu joined Av. Ahmet Çobanoğlu as a speaker at the briefing seminar organized by the Kırklareli Chamber of Commerce and Industry on the Personal Data Protection Law (KVKK). The session was directed at member companies adjusting to the obligations of the KVKK and its secondary legislation.
The central thesis of the session was clear: KVKK compliance is not a one-time documentation exercise — it is an ongoing operational discipline that touches IT, HR, marketing and customer-facing teams, and the companies that build it into how they actually run, rather than how they look on paper, are the ones that survive an inspection.
The KVKK landscape
The speakers walked through the general principles of personal data protection law, the sanctions regime, the personal data concept, the preparation of a data inventory and data classification, the administrative, criminal and civil liability of data controllers and processors, data processing principles, cross-border data transfers, and the VERBİS (Veri Sorumluları Sicil Bilgi Sistemi) registration process.
From law to operational practice
Mümtaz noted that the value of a KVKK compliance program lies in operational maturity, not in the thickness of a binder: data flows have to be mapped, retention has to be enforced in production systems, processors and sub-processors have to be governed by contract, and incident response has to be rehearsed, not just written down.
