For foreign investors looking at Turkish tech and digital businesses, “KVKK + GDPR Compliant Start-up: Before VC Investment” is no longer a nice-to-have slide at the end of the data room; it is part of core legal and reputational due diligence. A target that mishandles data, ignores explicit consent requirements or transfers personal data abroad without safeguards is not just a legal risk – it can damage a VC’s own brand with LPs and regulators.
This article gives a practical, legally focused checklist for foreign VCs reviewing a Turkish start-up under KVKK (Turkish Data Protection Law No. 6698) and GDPR standards.
1. Map the Legal Landscape: KVKK + GDPR Exposure
Before anything else, investors should ask:
- Is the start-up established in Türkiye and processing personal data of individuals in Türkiye? → KVKK clearly applies.
- Does it also target or monitor individuals in the EU/EEA or UK (for example, EU users of an app)? → GDPR (and possibly UK GDPR) may also apply extraterritorially.
The practical result: many Turkish start-ups need to be dual-compliant. In a term sheet or SPA, VCs should ensure the company represents that it complies with all applicable data protection laws, not just KVKK.
2. Transparency: Clear Information Notices
Under both KVKK and GDPR, the first pillar is aydınlatma – informing data subjects how their data is used.
Checklist for investors:
- Are there up-to-date privacy notices for:
  - Website/app users
  - Customers and leads
  - Business partners and suppliers
  - Employees and job applicants?
- Do notices clearly state:
  - Identity and contact details of the controller
  - Purposes and legal bases of processing
  - Categories of data and recipients
  - Retention periods
  - Rights of data subjects and how to exercise them
  - Information on cross-border transfers (if any)?
If the start-up has only a generic, outdated “privacy policy” copy-pasted from the internet, this is a red flag. Proper KVKK/GDPR-oriented information notices per data subject category are a minimum standard.
3. Explicit Consent vs Other Legal Bases
Foreign investors should understand how the target uses açık rıza (explicit consent):
- Is consent collected only where legally required (e.g. certain marketing activities, some special categories of data)?
- Or is the company over-relying on consent where contractual necessity, legal obligation or legitimate interest would be more appropriate?
Checklist questions:
- Are consent texts separate from general terms, plain and specific (no bundled, vague wording)?
- Is there a clear mechanism for withdrawing consent that is as easy as giving it?
- Is consent used in addition to, not instead of, a proper legal basis analysis?
An investor-friendly start-up will have a legal basis matrix: which categories of data are processed on which legal ground under KVKK/GDPR, and where explicit consent is truly needed.
4. Cross-Border Data Transfers (Yurtdışına Veri Aktarımı)
Many Turkish start-ups use global cloud providers, analytics tools and CRM platforms. This almost always means yurtdışına veri aktarımı (international data transfers).
For VC due diligence, check:
- To which countries is data transferred (EU, US, other third countries)?
- Under GDPR:
  - Are there Standard Contractual Clauses (SCCs) or other safeguards in place?
  - Has the start-up documented transfer impact assessments where needed?
- Under KVKK:
  - Does the company rely on explicit consent for transfer, or has it adopted undertakings approved by the Personal Data Protection Board / adequacy mechanisms where available?
If the start-up cannot clearly describe the legal basis for transfers beyond “our data is on foreign servers”, this is a compliance gap that should be addressed pre-closing or reflected in warranties and covenants.
5. Cookie Policies and Tracking Technologies
Modern B2C start-ups often live on cookies and SDKs – analytics, retargeting, attribution tools.
Checklist points:
- Is there a cookie policy separate from the general privacy notice?
- Does the website/app distinguish between:
  - Strictly necessary cookies
  - Analytics / performance cookies
  - Advertising / tracking cookies?
- Is there a cookie banner / consent management platform that:
  - Allows users to refuse non-essential cookies
  - Records and honours choices
  - Is consistent with both KVKK guidance and GDPR-style requirements?
A start-up that drops third-party marketing cookies on first visit with no real choice is exposed to complaints and authority scrutiny, especially when targeting EU users.
6. Employee Data: HR Files, Monitoring, Start-up Culture
Employee and candidate data is often forgotten in product-focused companies, but regulators do not ignore it.
For investors, important questions include:
- Are there employee privacy notices explaining how HR data is collected, used, stored and shared (including with group companies and service providers)?
- Does the company have clear rules on:
  - Email/internet monitoring
  - CCTV and access control
  - Background checks and reference checks
  - Sharing employee data with payroll, benefits and SaaS HR tools abroad?
- Are retention periods defined for HR files, CVs, performance records, and how are deletions handled?
Well-written policies here not only support KVKK/GDPR compliance but also show a mature governance culture, which matters for VCs.
7. Practical VC Takeaways
Before investing, foreign VCs should require the start-up to:
- Provide an overview of data flows (which data, which systems, which countries).
- Share its privacy notices, consent forms, cookie policy and employee data documents.
- Explain its legal basis strategy, cross-border transfer mechanisms and incident response plan.
A start-up that can confidently walk an investor through this KVKK + GDPR compliant checklist is not only legally safer; it is also a better candidate for scaling globally without nasty surprises from regulators or users.