Frequently Asked Questions
Do Turkish companies need to comply with both KVKK and GDPR?
KVKK applies to processing of personal data in Türkiye. GDPR additionally applies if you offer goods or services to people in the EU or monitor their behaviour. Most Turkish SaaS and e-commerce companies selling internationally need a programme that satisfies both regimes, which differ on legal bases, international transfers, and breach notification.
When is VERBİS registration mandatory?
Registration with the Data Controllers’ Registry (VERBİS) is required for controllers above the annual employee or turnover thresholds set by the KVKK Board, for those whose main activity involves special categories of data, and for foreign controllers processing personal data in Türkiye. Registration must be completed before processing begins.
What should we do in the first 72 hours after a data breach?
Contain the incident, preserve evidence and logs, and assess scope. Under KVKK the Board must be notified as soon as possible — interpreted as 72 hours — and affected individuals without undue delay; under GDPR the supervisory-authority deadline is 72 hours. Running parallel notification tracks with consistent wording is where a breach playbook pays off.