KVKK § 10 "Disclosure Obligation" defines the requirement to inform the data subject before personal data processing. When choosing a cloud backup provider, examining the provider's Privacy Notice is the fastest compliance test — if the notice is incomplete, the provider is selling a KVKK-non-compliant product.
In this article we go through the 8 required sections distilled from the Authority's inspection checklist, the questions each addresses, and the corresponding parts of PratikYedek's notice.
1. Identity of the data controller (KVKK § 10/1-a)
The notice must include:
- Company legal name + title
- MERSIS number
- Trading address
- KVKK Authority registration number (VERBIS no)
"info@..." is not an identity; commercial registry information is.
In PratikYedek's notice: § 1 "Data Controller Information" — company details, MERSIS, VERBIS, KVKK contact person are explicitly listed.
2. Processing purpose (KVKK § 10/1-b)
"Backup" alone is not a sufficient purpose. The notice must be specific:
- Which data categories are backed up (financial statements, taxpayer info, employee records, etc.)
- In which scenarios the backup is used (ransomware recovery, accidental deletion, KVKK § 12 proof)
- What happens at the end of the retention period (auto-deletion, anonymization)
In PratikYedek's notice: § 3 "Processed Data Categories and Purpose" — 7 categories and each one's specific purpose are listed.
3. Third parties to whom data is transferred, and the purposes (KVKK § 10/1-c)
If the provider uses sub-processors, each must be named: which service (email delivery, SMS, error tracking, payments), which company, where hosted.
In PratikYedek's notice: § 5 "Third-Party Service Providers" — Mailcow (our own server), Twilio Turkey SMS, GlitchTip (our own server), PaynKolay/iyzico/PayTR payments, Bien/Uyumsoft/İzibiz/Foriba/CRSSoft e-document integrations. All explicitly listed.
4. Cross-border transfer (KVKK § 9)
If your data goes abroad, explicit consent or one of the § 9 exemptions is mandatory. If the provider's notice says "our data center is in [country]" without citing the § 9 basis, the transfer has no stated lawful basis.
In PratikYedek's notice: § 6 "Data Storage Location" — "All personal data is hosted within the borders of the Republic of Turkey, on KVKK § 9 compliant physical servers. No cross-border transfer occurs." Istanbul and Ankara data center addresses are listed.
5. Collection method and legal basis (KVKK § 10/1-d)
"Through the registration form" is insufficient. The legal basis (§ 5/2-a explicit consent, § 5/2-c contractual performance, § 5/2-ç legal obligation, § 5/2-f legitimate interest) must be specified field by field.
In PratikYedek's notice: § 7 "Legal Basis Table" — each data field has its own legal basis reference + example scenario.
6. Data subject's rights (KVKK § 11)
The notice must enumerate all 7 sub-paragraphs of § 11 (a-g) and state the rights exercise channel (email, physical application). "You may exercise your rights" alone is insufficient.
In PratikYedek's notice: § 9 "Data Subject Rights" — 7 sub-paragraphs listed individually + KVKK Data Subject Application Form PDF link + 30-day response commitment.
7. Retention period (KVKK § 7 erasure/anonymization)
The general rule is the 5-year period under VUK art. 242; special categories of personal data are treated differently (KVKK § 6), and so is financial data (BDDK regulations). The notice must therefore state the retention period per data category.
In PratikYedek's notice: § 8 "Retention and Disposal Periods" — 7 categories, each with legal basis + period. Anonymization procedure at end of retention is detailed.
8. Security measures (KVKK § 12)
The notice must list technical and administrative measures. "We take necessary measures" is insufficient; specific measures (encryption algorithm, key management, access control, audit log, training) must be listed.
In PratikYedek's notice: § 11 "Technical and Administrative Measures" — AES-256-GCM encryption, RBAC access, biannual penetration testing, employee KVKK training, audit log retention 5 years. All specifically listed.
Inspection checklist
Open your provider's Privacy Notice and check each of these 8 sections. Mark the missing ones. If more than three are missing, the provider is not KVKK-compliant. This puts you (as the customer in the data controller position) at risk during an inspection — the Authority may also penalize the customer under "sub-processor selection responsibility."
PratikYedek Privacy Notice v1.1: pratikyedek.com/legal/aydinlatma — SHA-256 stamped, version-tracked, in PDF and Markdown formats.
KVKK compliance in Early Access
Firms joining the Early Access program complete the following during onboarding:
- Sign DPA (Data Processor Agreement) v1.1
- Approve Privacy Notice v1.1 via e-signature
- Complete the KVKK compliance checklist (the 8 sections above + 12 additional controls) issued as inspection readiness documentation
