IP, Contracts & Privacy

KVKK / GDPR Compliance Pack

Türkiye's KVKK Law No. 6698 (post-March 2024 amendments) and the EU GDPR, covered with a single, coherent compliance pack. Privacy policies, internal records, VERBIS registration, processor DPAs, and a cross-border transfer mechanism.

  • KVKK Law 6698
  • GDPR
  • VERBIS
  • Post-2024 cross-border

What it is

Turkish data-protection law (KVKK, Law No. 6698) sits alongside the EU GDPR in scope and substance. Any studio that collects player data, accounts, in-app purchase records, support tickets, telemetry, crash reports, or marketing engagement falls under KVKK in Türkiye and under GDPR wherever it offers services to EU users or monitors their behaviour. We deliver one pack that covers both regimes: public-facing policies, internal records, registration with the Data Controllers Registry (VERBIS) where the threshold is met, processor DPAs, cross-border transfer documentation aligned with the post-March 2024 KVKK amendments, and a breach-response SOP that does not depend on you reading the statute mid-incident.

Four layers, one pack

The pieces that make a compliance file actually work.

A privacy policy on its own is not compliance. The four layers below have to agree with each other, so the public-facing claim, the internal record, the regulator registration, and the processor contract all tell the same story.

01

Public-facing

The documents your players and customers read. Privacy policy, terms of service, cookie policy, age-gate where the audience includes minors. Bilingual EN / TR, KVKK and GDPR aligned.

  • Privacy policy
  • Terms of service
  • Cookie policy and banner config
  • Age-gate language

02

Internal records

The records the regulator asks for during inspection and the buyer asks for during DD. Lawful-basis register per activity, retention schedule, data-subject request workflow with response templates.

  • Data-processing inventory
  • Lawful-basis register
  • Retention and erasure policy
  • DSAR workflow + templates

03

VERBIS

Registration in the Data Controllers Registry where the threshold is met: more than 50 employees, ₺100M+ turnover, or foreign data controllers regardless of size. The entry mirrors your internal inventory.

  • Threshold assessment
  • VERBIS entry preparation
  • Submission and confirmation
  • Annual review

04

Processor DPAs and cross-border

Data Processing Agreements with each processor (cloud, analytics, support, payments). Cross-border transfer mechanism under the post-March 2024 KVKK regime (adequacy, SCC, BCR). EU representative where you target EU users.

  • DPA template + signed copies
  • Cross-border transfer documentation
  • EU Article 27 representative
  • Breach response SOP

Cross-border transfers, post-March 2024

The KVKK amendment that finally aligned Türkiye with the GDPR transfer regime.

The March 2024 amendments to Article 9 of KVKK replaced the old commitment-letter system with a transfer framework that mirrors GDPR concepts: adequacy decisions by the KVKK Board, Standard Contractual Clauses, Binding Corporate Rules, and narrow derogations. For a studio sending player data to AWS, Firebase, Zendesk, or your foreign HQ, this is the regime that governs every flow. We pick the right mechanism for each processor and execute it.

Adequacy

Transfers to jurisdictions the KVKK Board has whitelisted.

SCC

Standard Contractual Clauses approved by the Board, country-specific.

BCR

Binding Corporate Rules for intra-group transfers across a corporate family.

How we do it

From data flow mapping to breach SOP, in one engagement.

Three to four weeks for a full pack on engagement. Annual refresh stays current with regulatory change.

  1. Data flow mapping

    We map what personal data you collect (accounts, IAP records, IP and device identifiers, support tickets, telemetry, marketing engagement), where it lives (your cloud, processor systems, HQ), and who touches it (employees, processors, sub-processors). The map drives every other deliverable.

  2. Public-facing policy drafting

    Privacy policy, terms of service, and cookie policy drafted bilingually (English and Turkish) and aligned to both KVKK and GDPR. Cookie banner configuration that follows the KVKK Board cookie guidance (strictly-necessary vs consent-required categorisation). Age-gate language where the audience may include minors.

  3. Internal documentation

    Internal data-processing inventory (KVKK Article 16 register and GDPR Article 30 records of processing). Retention and erasure policy with category-level periods. Data-subject request workflow covering access, correction, erasure, objection, and the 30-day KVKK response window.

  4. Cross-border transfer mechanism

    Under the March 2024 KVKK amendments, cross-border transfers are now structured around adequacy decisions, Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), and limited derogations, harmonised with GDPR concepts. We document the lawful transfer basis for each flow (HQ reporting, cloud hosting, analytics, support tools) and execute the relevant SCC or undertaking.

  5. VERBIS registration

    Registration in the Data Controllers Registry (Veri Sorumluları Sicili) where the threshold is met: more than 50 employees, annual turnover above ₺100M, or foreign data controllers regardless of size. The VERBIS entry lists data categories, lawful bases, recipients, retention periods, and security measures.

  6. Processor DPAs and EU representative

    Data Processing Agreements signed with each processor (cloud, analytics, crash reporting, email, support, payments). EU representative arrangement under GDPR Article 27 where the studio offers services to EU users without an EU establishment.

  7. Breach response SOP

    Incident-response playbook with the 72-hour KVKK Board notification window, the GDPR Article 33 supervisory authority notification, and the data-subject notification trigger. Pre-drafted notification templates so the legal work happens before the breach, not during.

What's included

The whole pack, plus the annual refresh.

  • Privacy policy, terms of service, and cookie policy (English / Turkish, KVKK and GDPR aligned)
  • Cookie banner configuration aligned with the KVKK Board cookie guidance
  • Internal data-processing inventory (KVKK Article 16 + GDPR Article 30)
  • Lawful-basis register for each processing activity
  • Retention and erasure policy with category-level periods
  • Data-subject request workflow and response templates
  • Cross-border transfer documentation (adequacy, SCC, or BCR)
  • VERBIS registration where the threshold is met
  • Data Processing Agreement template and signed copies with key processors
  • EU representative arrangement under GDPR Article 27 where required
  • Breach response SOP with 72-hour notification templates
  • One refresh per year while on retainer to keep up with regulatory change

Key facts

The statutes that shape the pack.

KVKK (Law No. 6698)
Türkiye's data-protection statute, effective from 7 April 2016. Amended substantially in March 2024 to harmonise cross-border transfer mechanisms and introduce a legitimate-interests lawful basis. Administered by the Personal Data Protection Authority (KVKK Kurumu) and the Personal Data Protection Board.
Lawful bases (Article 5)
Explicit consent, performance of a contract, compliance with a legal obligation, protection of life, data made public by the data subject, establishment or protection of rights, legitimate interest (added 2024), and processing required by law. Sensitive personal data (Article 6) has a tighter list.
VERBIS thresholds
Registration with the Data Controllers Registry is required if the controller has more than 50 employees, OR annual turnover above ₺100M, OR is a foreign data controller (regardless of size). Specific exemptions apply for low-risk processors and certain sectors.
Cross-border transfers post-March 2024
The amended Article 9 brings KVKK into line with GDPR concepts: adequacy decisions by the KVKK Board, Standard Contractual Clauses, Binding Corporate Rules, and derogations for specific situations (consent, contract, public interest, legal claims). The old commitment-letter regime is being phased out.
When GDPR applies on top of KVKK
GDPR applies to a Turkish studio if it offers goods or services to EU data subjects, or monitors their behaviour. Both regimes apply in parallel. The pack is built so the public-facing policy and the internal records satisfy both without duplication.
Data subject rights
Under KVKK Article 11: access, information, correction, deletion, objection to automated decisions, and compensation. GDPR Articles 15 to 22 cover access, rectification, erasure, restriction, portability, objection, and automated-decision rights. The response window is 30 days under KVKK and one month under GDPR.
Administrative fines
KVKK fines are revised annually and can reach several million Turkish lira per violation. GDPR fines run up to the higher of EUR 20 million or 4% of global annual turnover. Failure to register with VERBIS, unlawful cross-border transfers, and failure to notify breaches are common high-fine categories.
Cookies and electronic communications
The KVKK Board's June 2022 cookie guidance distinguishes strictly-necessary cookies (no consent needed) from analytics, advertising, and personalisation cookies (require informed, specific consent). Banner solutions are configured to match.

Bundled in

  • Starter: No
  • Builder: No
  • Enterprise: No
  • Add-on available

Pricing

USD 2,400 for the full pack on engagement. Annual refresh included while on retainer; standalone annual refresh USD 600.

Ready to map your setup?

Free 30-minute discovery call. We'll match the right services to your stage and come back with a fixed-fee proposal.