KVKK § 10 — Eight mandatory fields in the Privacy Notice
Article 10 of the KVKK (Turkey's data protection law) governs the data controller's duty to inform. Your Privacy Notice must contain eight mandatory fields, and these are what the Personal Data Protection Authority (KVKK Kurul) will check first during an audit.
PratikYedek summary: Use this page as a checklist both when drafting your own Privacy Notice and when preparing the Privacy Notice that PratikYedek provides to you for an audit.
Why eight fields?
KVKK § 10/1 and § 10/2 together with the Authority's Communiqué on Procedures and Principles for the Fulfilment of the Obligation to Inform (Official Gazette 10 March 2018, no. 2018/10) require the following eight fields:
| # | Field | Question answered |
|---|---|---|
| 1 | Identity of the data controller | Who is processing my data? |
| 2 | Representative (if applicable) | If the controller is abroad, who represents them in Turkey? |
| 3 | Purpose of processing | What is my data used for? |
| 4 | Transfers: to whom, for what purpose | Will my data be shared with third parties? |
| 5 | Collection method | Where did my data come from? |
| 6 | Legal basis (§ 5 + § 6) | Under which legal ground is it processed? |
| 7 | KVKK § 11 rights | What rights do I have? |
| 8 | Application channel | How do I exercise my rights? |
Field-by-field detail
1. Identity of the data controller
What to write:
- Full legal name (LLC / JSC / sole proprietor / CPA)
- MERSIS number (if any)
- Address (tax office address is sufficient)
- KVKK contact email and phone
Common mistake: Writing only "our company". The Authority requires the full legal name.
2. Data controller's representative
Not mandatory for entities established in Turkey. However, entities established abroad must designate a representative in Turkey (KVKK § 11/A).
For PratikYedek: The company is established in Turkey; no representative. A sentence such as "As the data controller is established in Turkey, no representative has been designated" is sufficient in the Privacy Notice.
3. Purpose of processing
What to write:
- Specific, measurable purposes (not generic "business development")
- A data category for each purpose
- List form if there are multiple purposes
Example (PratikYedek):
- Performance of a contract — account creation, billing, backup storage
- Legal obligation — tax records (Tax Procedure Law 10-year retention), commercial books (Commercial Code Art. 82)
- Legitimate interest — error monitoring (self-hosted Sentry/GlitchTip), security logs
- Explicit consent — Early Access programme, marketing communications
4. Transfers: to whom, for what purpose
What to write:
- Domestic transfer recipients (banks, courier, payment provider, sub-processors)
- For cross-border transfers, country + safe country list status + KVKK § 9 basis
- Standard wording for "legally authorised public authorities" (KVKK Authority, Tax Office, prosecutor)
For PratikYedek specifically:
- No cross-border transfer (self-hosted GlitchTip in Turkey)
- BYOS (Google Drive / OneDrive) with explicit consent — opt-in for individual plans
- BYOS prohibited for tax advisors → all data within Turkish borders
5. Collection method
What to write:
- Automated or non-automated?
- Channel: web form, mobile app, email, phone, third party?
Example (PratikYedek): "Collected through automated and non-automated means via the registration form on our website, mobile application, customer support communication, and the desktop/mobile client on your device."
6. Legal basis (KVKK § 5 + § 6)
This is the field most commonly missed. Each data category requires its own legal basis.
- § 5/1 — Explicit consent: Marketing, non-essential cookies, Early Access participation
- § 5/2-a — Legal obligation: Financial records (Tax Procedure Law), commercial records (Commercial Code)
- § 5/2-c — Performance of contract: Account, billing, backup storage
- § 5/2-f — Legitimate interest: Error monitoring, security logs, IP logging
§ 6 special category data: Health, biometric, religion, sexual orientation etc. require explicit consent (apart from § 6/3 exceptions).
7. KVKK § 11 rights
The seven rights of the data subject must be listed:
- To learn whether their data is being processed
- To request information if processed
- To learn whether the data is used in line with its purpose
- To learn the third parties to whom the data is transferred at home and abroad
- To request correction of incomplete or incorrect data
- To request deletion or destruction under § 7
- To request compensation for damages
The 30-day response time (KVKK § 13/2) must be stated next to the rights.
8. Application channel
What to write:
- Written application address (post)
- Email signed with a secure electronic signature
- Registered electronic mail (KEP) address
- For registered users in the system: in-panel application link
PratikYedek application channels:
- Email: kvkk@pratikyedek.com
- KEP: pratikyedek@hs03.kep.tr (opens after launch)
- Panel: Account → KVKK → Rights Request (for signed-in users)
- Post: full address in the Privacy Notice
Pre-audit checklist
If you can mark each of the 12 questions below as YES, your Privacy Notice is § 10-compliant:
- [ ] Full legal name of the data controller (LLC / JSC / sole proprietor) written?
- [ ] MERSIS number, KVKK contact email and address present?
- [ ] Processing purposes written as a list (not just "business need")?
- [ ] Legal basis (KVKK § 5/2 sub-clause) given for each purpose?
- [ ] Domestic / cross-border transfer list (if any) explicit?
- [ ] Collection method (channel + automated/manual) stated?
- [ ] All 7 rights under § 11 listed?
- [ ] 30-day application response window stated?
- [ ] Application channels (post, email, KEP) given?
- [ ] Cookie policy (if a website exists) included?
- [ ] Version and update date written?
- [ ] SHA-256 stamp or equivalent integrity proof present (for the PratikYedek notice)?
How was the PratikYedek Privacy Notice produced?
PratikYedek Privacy Notice v1.1 was drafted to cover all eight § 10 fields. The SHA-256 stamp of the notice is published with every version; version history and change log are accessible from your panel.
Practical use for tax advisors: You can submit this Privacy Notice as a supplementary document for your advisory audit. Either download and place it in your file, or generate a share link directly from the PratikYedek panel.
→ Full text: pratikyedek.com/en/legal/privacy-notice
→ Rights request form: pratikyedek.com/en/legal/kvkk-rights-request
→ Data deletion: /en/kvkk/deletion-request
What's next?
→ How to request data deletion
→ Is the data kept within Turkey?

