
KVKK Compliance Checklist for Turkish E-commerce Stores (2026)

A practical 12-point KVKK checklist for Turkish online stores: VERBİS registration, consent flows, data-processing register, retention periods, and what regulators actually inspect.

Enes Ozkan

TL;DR. KVKK is Turkey's GDPR-equivalent. If you collect any customer data — name, address, email, phone — you must comply. The 12 must-haves: published privacy + cookie policies, VERBİS registration if you process data on more than 50 customers per year, a documented data-processing register, explicit consent flows at signup and checkout (boxes not pre-checked), a working delete-my-data path, retention periods, KVKK-compliant supplier contracts, breach notification within 72 hours, security baseline, employee training, regular audits, and a published Data Controller Representative if you serve EU customers.

KVKK (Kişisel Verilerin Korunması Kanunu) has been law since 2016, but enforcement has tightened materially in 2024–2026. Penalties start at 12,000 TRY per violation and run into the millions for systematic failures. This is not a theoretical risk — KVK Kurumu publishes its enforcement actions, and the modal violator is an e-commerce site that did exactly what most e-commerce sites still do.

What KVKK requires (the short version)

KVKK regulates "personal data" — anything that identifies a person directly or indirectly. For an e-commerce site this means name, address, email, phone, IP address, billing details, browsing history, and order data. The law gives the data subject (your customer) seven rights: to know, to access, to rectify, to delete, to object, to data portability, and to be informed of automated decision-making.

Your obligations as a "Data Controller" (Veri Sorumlusu):

  • Publish a privacy policy and cookie policy that are specific to your business — not template boilerplate.
  • Collect personal data only for explicit, lawful purposes and only as much as you actually need.
  • Get explicit consent for each distinct processing purpose (marketing email is a different purpose than fulfilling an order).
  • Register with VERBİS if you process data on more than 50 customers per year (effectively every real e-commerce business).
  • Maintain a documented data-processing register.
  • Notify KVK Kurumu and affected users within 72 hours of a data breach.
  • Apply technical and organizational security measures appropriate to the risk.

The 12-point operational checklist

1. Privacy policy and cookie policy on every page

A footer link on every public page leading to a Turkish-language privacy policy that names: what data you collect, the legal basis (consent, contract, legitimate interest), retention periods, third-party processors, data subject rights, and a contact email for KVKK requests.

2. VERBİS registration

VERBİS (Veri Sorumluları Sicil Bilgi Sistemi) is the national registry of data controllers. If you process personal data on more than 50 customers per year, you must register and publish your processing categories. Registration is free; non-registration is a 50,000+ TRY fine.

3. Documented data-processing register

A spreadsheet or document listing every kind of data you collect, every system that stores it, every third party that touches it, and how long you retain it. KVK Kurumu requests this register during audits — having it ready cuts an audit from days to hours.

4. Explicit, opt-in consent at signup

Pre-checked consent boxes are not consent under KVKK. Each distinct processing purpose needs its own opt-in. Fulfilling an order does not require marketing consent; collecting marketing consent at checkout requires a separate, unchecked box.

5. Explicit consent at checkout (separate from order)

The "I have read and accept the Distance Sales Agreement" checkbox is fine for order fulfillment. Marketing email and SMS need their own opt-ins. Profiling consent (using behavior to recommend products) is a third opt-in.
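Items 4 and 5 together describe one rule: one opt-in per purpose, nothing inferred from the order checkbox, and no pre-checked boxes. The following is an added example (not code from the post or from any platform it mentions) of a server-side consent record that enforces this, plus a small lint that flags pre-checked opt-in boxes in a form template; the purpose names, the form field names and the HTML fragment are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# KVKK consent is purpose-specific: one record per purpose, never one catch-all box.
# "order" rests on the Distance Sales Agreement (contract basis); the other three are
# opt-in purposes that default to "not granted" unless their own box was ticked.
OPT_IN_PURPOSES = ("marketing_email", "marketing_sms", "profiling")  # assumed names

@dataclass
class ConsentRecord:
    customer_id: str
    granted: dict = field(default_factory=dict)   # purpose -> bool
    recorded_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def consents_from_checkout(customer_id: str, form: dict) -> ConsentRecord:
    """Build a per-purpose consent record from submitted checkout fields.

    `form` maps checkbox names to submitted values ("on" when ticked). An unticked
    HTML checkbox is absent from the submission, so absence means NOT granted, and
    accepting the sales agreement never implies any marketing consent.
    """
    if form.get("distance_sales_agreement") != "on":
        raise ValueError("order cannot proceed without the Distance Sales Agreement")
    rec = ConsentRecord(customer_id=customer_id)
    rec.granted["order"] = True
    for purpose in OPT_IN_PURPOSES:
        rec.granted[purpose] = form.get(purpose) == "on"
    return rec

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)

def precheck_violations(html: str) -> list:
    """Return names of opt-in consent boxes that a template renders pre-checked."""
    names = []
    for tag in INPUT_TAG.findall(html):
        if 'type="checkbox"' not in tag or not re.search(r"\schecked(?=[\s/>=])", tag):
            continue
        m = re.search(r'name="([^"]+)"', tag)
        if m and m.group(1) in OPT_IN_PURPOSES:
            names.append(m.group(1))
    return names

# Constructed checkout fragment (not a real template): the email box is pre-checked.
SAMPLE_FORM = """
<input type="checkbox" name="distance_sales_agreement" required> I accept the Distance Sales Agreement
<input type="checkbox" name="marketing_email" checked> Send me campaign emails
<input type="checkbox" name="marketing_sms"> Send me campaign SMS
<input type="checkbox" name="profiling"> Personalise recommendations from my browsing
"""
```

Run the lint over every checkout and signup template in CI; a non-empty result is exactly the "pre-checked consent" finding regulators look for first.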

6. Working delete-my-data path

Either an in-account "delete my account" button or a clearly published email address that goes to a person who can actually delete records. KVKK requires response within 30 days of a data subject request. The failure mode regulators see most often: the email goes to a no-longer-checked inbox.

7. Retention periods written down

You can't keep data forever. Common retention windows that work for e-commerce:

Data                          Retention
Order records (legal/tax)     10 years (Turkish Commerce Code)
Customer accounts (active)    While active + 3 years post-last-purchase
Marketing consent             While granted; revocable any time
Cart abandonment data         30 days
IP / browsing logs            1 year max

Document these. Implement them. KVK Kurumu inspects the gap between policy and practice.
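"Implement them" means a scheduled job that actually applies the table above. This added example (not the post's code) encodes those windows as a retention sweep over a constructed record set; the record schema, the 365-day year and the field names are assumptions, the windows themselves come from the table.

```python
from datetime import datetime, timedelta, timezone

# Retention windows from the table, in days (365-day years are an assumption).
YEAR = 365
RETENTION = {
    "order":   10 * YEAR,   # Turkish Commerce Code
    "account":  3 * YEAR,   # counted from the last purchase, only once the account is inactive
    "cart":     30,         # abandoned cart data
    "ip_log":    1 * YEAR,  # 1 year max
    # "consent" is not time-boxed: kept while granted, deleted once revoked
}

def is_expired(record: dict, now: datetime) -> bool:
    """Decide whether one record is past its retention window.

    Hypothetical schema: every record has "kind" and "id";
      order / cart / ip_log carry "created_at",
      account carries "active" (bool) and "last_purchase_at",
      consent carries "granted" (bool).
    """
    kind = record["kind"]
    if kind == "consent":
        return not record["granted"]          # while granted: keep; revoked: delete
    if kind == "account":
        if record["active"]:
            return False                      # while active: keep
        anchor = record["last_purchase_at"]   # + 3 years post-last-purchase
    else:
        anchor = record["created_at"]
    return now - anchor > timedelta(days=RETENTION[kind])

def retention_sweep(records: list, now: datetime) -> list:
    """Return the ids of records that must be deleted (or anonymised) now."""
    return [r["id"] for r in records if is_expired(r, now)]

# Constructed sample data for a dry run, not real store records.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "o1", "kind": "order",   "created_at": NOW - timedelta(days=9 * YEAR)},
    {"id": "o2", "kind": "order",   "created_at": NOW - timedelta(days=11 * YEAR)},
    {"id": "a1", "kind": "account", "active": True,  "last_purchase_at": NOW - timedelta(days=5 * YEAR)},
    {"id": "a2", "kind": "account", "active": False, "last_purchase_at": NOW - timedelta(days=4 * YEAR)},
    {"id": "c1", "kind": "cart",    "created_at": NOW - timedelta(days=31)},
    {"id": "l1", "kind": "ip_log",  "created_at": NOW - timedelta(days=200)},
    {"id": "m1", "kind": "consent", "granted": False},
]

if __name__ == "__main__":
    print(retention_sweep(SAMPLE, NOW))   # → ['o2', 'a2', 'c1', 'm1']
```

Log each sweep's output; that log is the evidence of "practice matching policy" that an inspection asks for.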

8. KVKK clauses in supplier contracts

Every third party that touches customer data — email service (SendGrid, Postmark), SMS gateway (Netgsm, iletimerkezi), CRM, analytics, payment processor — needs a written data-processing agreement that meets KVKK Article 12. Templates exist; signing them is the work.

9. Breach notification protocol

A documented, rehearsed plan for what happens when a breach is detected. The 72-hour clock starts when anyone in the company becomes aware. Communications template, internal escalation list, KVK Kurumu contact form, customer email template — prepared in advance, not drafted under pressure.

10. Security baseline

The law expects "appropriate" measures, not perfect security. Minimum: HTTPS site-wide, password hashing (bcrypt or stronger), encrypted database backups, role-based access for staff, no shared admin credentials, MFA on production systems. Document the baseline; review yearly.

11. Employee training

Every staff member with access to customer data needs annual KVKK training and signs an acknowledgment. The training does not have to be elaborate — a 30-minute briefing and a PDF — but it has to be documented.

12. Annual audit and update

Once a year, walk the register, verify retention is being applied, sample data subject responses, review supplier contracts for new vendors, refresh training. An external KVKK consultant (~10,000–25,000 TRY/year for a small store) speeds this up but is not required.

What regulators actually inspect

KVK Kurumu does not run random audits. They show up after a complaint or a publicized breach. The pattern of their case writeups is consistent:

  • The complaint triggers a request for the data-processing register.
  • They check whether the consent flows were opt-in or pre-checked.
  • They ask for the breach notification log (and find none).
  • They audit retention against your policy.
  • They issue a fine sized to the violation tier and the company's revenue.

The cheapest defense is having items 1–7 above actually implemented before a complaint arrives. Items 8–12 reduce the fine when a complaint does arrive.

Common mistakes

  • Translating the GDPR template directly. KVKK and GDPR are similar but not identical. VERBİS registration and the Distance Sales Agreement obligations don't exist in GDPR.
  • One catch-all consent box. "I accept all terms" does not satisfy KVKK consent specificity.
  • Storing data on overseas servers without notification. Cross-border transfer requires either explicit consent for the transfer or a KVK Kurumu-recognized adequacy decision (these are rare).
  • Treating cookies as functional-only. Marketing pixels (Meta, Google Ads, TikTok) are processing personal data and require explicit consent.
  • Letting the founder do the DPO work part-time and forgetting it. The ratio of "we have a DPO" to "the DPO does anything" is alarming.

Penalties timeline

Violation tier                                   Fine range (TRY)
Failure to inform / deficient privacy policy     12,000 – 250,000
Failure to obtain consent                        25,000 – 500,000
Failure to register with VERBİS                  50,000 – 1,000,000
Failure to take security measures                25,000 – 1,000,000
Failure to comply with KVK Kurumu order          50,000 – 1,000,000
Cross-border transfer violation                  50,000 – 1,000,000

These are per-incident or per-failure. A single e-commerce site that has done none of items 1–7 is realistically looking at 200,000–500,000 TRY of accumulated exposure.

FAQ

Do I need a Data Protection Officer? Only if you process data of more than 50 customers per year, do high-volume sensitive-category data processing, or are designated as a public institution. For most SMB e-commerce stores, no — but you still need a person who is responsible for KVKK and is the contact for data subject requests.

Are cookie banners legally required? For non-essential cookies (analytics, marketing pixels) yes. For strictly functional cookies (cart, login session) no. Use a cookie banner with explicit accept/reject options — pre-acceptance is a violation.

What if my store sells to EU customers? You're also subject to GDPR. The good news is that KVKK compliance covers ~80% of GDPR obligations. The remaining 20% includes appointing an EU representative and ensuring lawful basis for cross-border transfer.

How long does VERBİS registration take? 1–3 business days online. The registration itself is free; the time goes into preparing the data-processing categories you'll declare.

Can I get a one-time KVKK template package? Yes — Turkish KVKK consultants sell template kits for ~5,000–10,000 TRY one-time. They're a fine starting point. The mistake is treating the templates as the work; the actual compliance is in implementation.
KVKK template flows are pre-wired into FaStart: the privacy policy, cookie banner, consent checkboxes, and data-export endpoints ship as part of the platform. Free plan covers it from day one.