How to Prepare a Privacy Notice: Mandatory Elements

The privacy notice is a fundamental document every organization processing personal data must present to data subjects. Article 10 of KVKK clearly sets out what information this text must contain. In this article we cover the mandatory elements of the privacy notice, a correct structure and common mistakes.

This content is for general information only and does not constitute legal advice.

What is the disclosure obligation?

The data controller is obliged to inform the data subject at the time of collecting personal data. This obligation applies whether or not the data subject consents; the privacy notice and explicit consent are separate concepts. The notice is an act of informing; explicit consent is a separate approval obtained for specific operations.

Mandatory elements (KVKK Art. 10)

A privacy notice must contain at least the following:

• The identity of the data controller (and its representative, if any).
• The purposes for which the personal data will be processed.
• To whom and for what purpose the processed data may be transferred.
• The method and legal basis of collecting the personal data.
• The data subject's rights listed in KVKK Art. 11 (access, correction, erasure, objection, etc.).

All of these elements must be present, in complete and understandable language.

What does a correct structure look like?

A good privacy notice:

1. Uses clear, plain language. It uses language the data subject can understand rather than legal jargon.
2. Is consistent with the processing activity. The purposes and data categories in the text must match your real processing and your data inventory exactly.
3. Is accessible. It is presented to the data subject at the point of collection (form, website, contract).
4. Is kept current. When purposes or transfers change, the text is updated too.

Common mistakes

• Using a template as-is. Copying another organization's text does not reflect your processing activity and creates non-compliance.
• Confusing notice with consent. Combining the two into a single checkbox is wrong; they must be presented separately.
• Not stating transfers. The parties data is shared with must appear in the text.
• Not updating. When the process changes but the text stays fixed, inconsistency arises.

Managing the process

Keeping privacy notices consistent with your inventory and recording which version was presented to whom is hard to do manually. Kivuz KVKK is a KVKK compliance software that manages this process from text generation to versioning. The notice is part of the broader KVKK compliance process; to see the whole, request a demo.