KVKK / GDPR Compliant POS Systems Guide 2026
What you need to do to make your POS and ERP systems KVKK / GDPR compliant, plus audit checklist.

Under Turkey's Personal Data Protection Law (KVKK / GDPR equivalent), every POS / ERP system that collects customer data has specific obligations. Penalties can reach 1.7M TL as of 2026.
**1. Disclosure Notice**: You must inform customers in writing / digitally what data is collected and the purpose of use. ERP12's customer registration screen displays an automatic disclosure notice.
**2. Explicit Consent**: For marketing use of data, separate explicit consent is required. Always obtain approval before adding customers to your SMS / email list.
**3. Data Encryption**: Sensitive data (national ID, card number) must be encrypted with AES-256. This is standard in ERP12.
**4. Breach Notification**: In case of a data breach, you must notify the KVKK Authority within 72 hours.
**5. Right to Erasure**: On customer request, their data must be deleted. ERP12 offers one-click anonymization.
**6. Data Processor Agreement**: You must sign a DPA with the service provider used for cloud backup.
Audit checklist: disclosure ✓, explicit consent ✓, encryption ✓, logging ✓, periodic backup ✓, employee training ✓.
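
For item 3, an added example (not ERP12's code or anything from the original guide) of field-level encryption for a customer record in Node.js. The AES-256-GCM mode, the record and field names, the stored layout and the in-process key are assumptions made for illustration; a production key would come from a KMS or HSM.

```javascript
const crypto = require('crypto');

// Assumption: demo key generated in-process. 32 bytes = AES-256.
const KEY = crypto.randomBytes(32);
// Hypothetical field names for the sensitive data the guide lists.
const SENSITIVE = ['nationalId', 'cardNumber'];

// Bind each ciphertext to its record and field so it cannot be copied
// into another customer's row or another column and still decrypt.
function aad(recordId, field) {
  return Buffer.from(`customer:${recordId}:${field}`, 'utf8');
}

function encryptField(key, recordId, field, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad(recordId, field));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored form: nonce (12) || auth tag (16) || ciphertext, base64-encoded
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(key, recordId, field, stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) throw new Error('stored value too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(aad(recordId, field));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the tag, the ciphertext or the record/field binding is wrong
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Encrypt only the sensitive fields; everything else stays searchable.
function protectRecord(key, record) {
  const out = { ...record };
  for (const f of SENSITIVE) {
    if (out[f] != null) out[f] = encryptField(key, record.id, f, String(out[f]));
  }
  return out;
}

// Constructed sample record (test values, not real customer data).
const sample = { id: 'c-1001', name: 'Test Customer',
                 nationalId: '10000000146', cardNumber: '4111111111111111' };
const stored = protectRecord(KEY, sample);
console.log(stored);
console.log(decryptField(KEY, 'c-1001', 'nationalId', stored.nationalId));
```

An audit of the encryption item can check the same properties: no plaintext identifiers at rest, a different ciphertext each time the same value is stored, and decryption failing when a value is altered or moved to another record.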

