
What is a Personal Data Inventory? 2026 Updated Guide


The personal data inventory is a fundamental document that details all personal data processing activities carried out by data controllers in accordance with their business processes. It was given legal recognition by Article 4/1-h of the Regulation on the Data Controllers Registry, published in the Official Gazette dated 30.12.2017.

In light of current legislation and the guidelines of the Personal Data Protection Authority (KVKK), the inventory is not simply a list of data, but a comprehensive analysis report that maps the institution's data processing. A data inventory details the processed data by associating it with the following elements:

  • Purposes and legal grounds for processing personal data.
  • Data categories and data subject groups.
  • The recipient or recipient groups to whom the information was transferred.
  • Maximum retention periods for personal data necessary for the purposes for which it is processed.
  • Personal data intended to be transferred to foreign countries.
  • Technical and administrative measures taken regarding data security.

Preparing an inventory means that the data controller examines each process carried out within the scope of its activities individually, analyzes all activities in these processes, and determines whether there is any unlawful data processing. In this respect, the inventory is a self-monitoring mechanism that the data controller performs on its own processes.

Sample personal data inventory published by the Personal Data Protection Authority.

Why Should a Personal Data Inventory Be Prepared?

The personal data inventory is not merely a "file that must be kept" for your organization; it is the heart of your KVKK compliance process. Preparing this document is both a legal obligation for data controllers and a foundation for the healthy functioning of operational processes.

The main purposes of inventory preparation and the benefits it provides to your organization can be summarized under the following headings:

  • Ensuring Compliance with the Law: It makes it easy to determine whether any data processing contrary to the Law exists in any of the data controller's business processes.
  • Self-Regulation Mechanism: It is a kind of "self-audit" report in which the organization checks its own processes for the compliance of its personal data processing activities with the legislation.
  • Transparency and Accountability: It guides the organization in ensuring full transparency in its data processing processes and acting in accordance with the principle of accountability. 
  • Data Security and Risk Management: In addition to the advantages provided by the processed data, it enables the analysis of data security risks and potential breaches. 

The inventory in fact serves as a "Compliance Foundation". All the other legal documents your organization is required to prepare draw on this inventory:

  • VERBIS Registration: The categorical information to be entered into the registry (VERBIS) can only be accurately prepared through a detailed inventory study. 
  • Information and Explicit Consent: The information provided to data subjects and the explicit consents obtained must be based on the purposes and legal grounds stated in the inventory. 
  • Storage and Disposal Policy: How long data will be stored and by which method it will be destroyed is designed with regard to the "maximum retention periods" in the inventory.
Information Texts, Explicit Consent Texts, Data Retention and Destruction Policy, and Data Controllers Registry registration must be prepared in accordance with the Data Inventory.

Differences Between Inventory and VERBİS: Why Isn't Registration in the Registry Enough?

One of the most common mistakes in practice is the belief that the obligation to prepare an inventory ends when registration with VERBİS (Data Controllers Registry Information System) is completed. However, although VERBİS and the Personal Data Processing Inventory are similar in terms of data, they are completely different in nature and scope.

According to the Authority's current guide, the main differences between these two concepts are as follows:

| Feature | VERBIS Registration | Personal Data Processing Inventory |
|---|---|---|
| Level of Detail | Information can only be entered on a categorical basis (in the form of headings). | This is a detailed report that includes the breakdown of documents across all business processes. |
| Accessibility | It is publicly available; anyone can view it if they wish. | It remains within the organization, is not publicly accessible, and is confidential. |
| Format and Shape | It is completed through a standard online system prepared by the institution. | There is no mandatory format; it can be kept in an Excel or database file. |
| Legal Function | It is a public disclosure obligation under Article 16 of the Law. | This is the fundamental basis upon which the data controller designs the entire compliance process (information dissemination, deletion, etc.). |

Why are both necessary? 

According to the regulation, the information to be disclosed to the Registry (VERBİS) must be prepared based on the Personal Data Processing Inventory. In other words, if you do not have an up-to-date and detailed inventory, you will not be able to prove the accuracy and legal validity of your VERBİS registration. Furthermore, it is a legal obligation to submit the inventory if requested by the Board.

Who is responsible for preparing the inventory?

The obligation to prepare a personal data processing inventory is not a general duty for all data controllers; it is a legal requirement based on specific criteria. According to the Regulation on the Data Controllers Registry, the scope of this obligation is defined as follows:

  • Registration Obligation: All natural and legal person data controllers who are obliged to register with the Data Controllers Registry (VERBİS) must prepare a Personal Data Processing Inventory.
  • Exceptions and Exemptions: Data controllers exempted from the registration obligation by the Board are not required to prepare an inventory. However, the scope of this exemption can vary depending on criteria such as ..., the annual number of employees and the total financial balance.

In summary, if your business is required to register with VERBİS, preparing a detailed data inventory is an unavoidable necessity, as it is the first and most important step towards legal compliance.

9-Step Guide to Creating a Data Inventory

The latest guidelines published by the Personal Data Protection Authority (KVKK) have linked the inventory preparation process to a specific methodology. For a successful inventory study, it is recommended to first form a competent team including representatives from departments such as legal, IT, and human resources.

Once the preparation team is formed, here are 9 key steps to follow:

  • Technical and Administrative Measures: To ensure data security, current security measures taken for each processing activity (e.g., authorization matrix, penetration testing, confidentiality agreements) must be recorded in the inventory.
  • Process or Activity-Based Detection: All business processes of the institution should be examined on a unit basis, and it should be determined individually in which activities documents containing personal data were obtained.
  • Determining Data Attributes: Each piece of processed data must be classified as either "personal data" or "special category personal data".
  • Determining the Legal Basis: It must be clarified which processing condition in Article 5 or 6 of the Law (e.g., being stipulated in laws, performance of a contract) the data processing activity is based on.
  • Determining the Purposes of Processing: A specific, clear, and legitimate processing purpose (e.g., processing payrolls, ensuring physical security) must be assigned to each piece of data.
  • Data Subject Group: It is necessary to determine who the data belongs to (employee, visitor, supplier representative, customer, etc.).
  • Determining the Storage Time: The maximum retention period necessary for the purposes for which the data is processed, or the period stipulated in the legislation, must be determined.
  • Identifying Recipient Groups: It must be documented to which third parties (public institutions, business partners, suppliers, etc.) the processed data is transferred.
  • Transfer to Foreign Countries: It must be checked whether data is transferred abroad, and an analysis of compliance with the conditions in Article 9 of the Law must be carried out.

Criteria to Consider When Determining Maximum Storage Times

The duration for which personal data will be stored is one of the most technical and error-prone sections of a data inventory. According to Article 4 of Law No. 6698, personal data can only be retained for the period stipulated in the relevant legislation or for the period necessary for the purpose for which it was processed. The destruction of data at the end of these periods is a legal obligation.

Where the legislation does not specify an explicit period, data controllers should take the following criteria into account when determining the retention period, according to the current guide of the Personal Data Protection Authority:

  • Industry Practices: The timeframes generally accepted, in the sector in which the data controller operates, for the processing purposes of the relevant data category are taken as a basis.
  • Continuation of the Legal Relationship: The duration of the legal relationship established with the data subject (e.g., employment contract or membership) is taken into consideration.
  • Legitimate Interest Period: The period during which the legitimate interest that the data controller will obtain as a result of processing the relevant data will be valid in accordance with the law and the principles of good faith is evaluated.
  • Risks, Costs, and Responsibilities: The potential risks of data storage and the duration for which legal responsibilities arising from this storage activity will continue are analyzed.
  • Accuracy and Timeliness: The maximum period to be determined will be assessed to ensure that the data is accurate and up-to-date when necessary.
  • Legal Obligations: It is checked whether the data controller is required by law to retain the data for a specific period.
  • Statute of Limitations Periods: The statutory limitation periods for asserting a right related to the personal data in question play a critical role in determining the retention period.

Personal data may be processed for different purposes in different business processes; in this case, it is possible to determine separate retention periods for each process. If there is more than one retention period for the same data category, as a general rule, the longest period stipulated in the legislation will be taken as the basis for notification.

Example Scenario: How to Include HR Processes in Inventory?

To make the personal data inventory concrete, let us examine the basic process that organizations carry out most frequently, using the examples in the current guide of the Personal Data Protection Authority. In the inventory, each activity must be matched with components such as department, data category, purpose, legal basis and retention period.

Scenario 1: Human Resources – Creating an Employee Personnel File

The "Creating a Personnel File" activity carried out by a business's HR department is recorded in the inventory as follows:

  • Department/Process: Human Resources / Creating Employee Personnel Files.
  • Data Category and Data: Identity Information (Name-Surname, Turkish Republic Identity Number), Contact Information (Phone Number).
  • Purpose of Processing: Fulfilling obligations arising from employment contracts and legislation for employees.
  • Legal Basis: Explicitly stipulated in the laws, and a legal obligation of the data controller.
  • Storage Time: Ten years from the date of leaving the job.
  • Recipient Groups: Social Security Institution (SGK) and other authorized public institutions and organizations.

As this example shows, data should not be left "categorical" when preparing the inventory; which data is processed for which purpose and for how long must be clearly documented. In addition, technical and administrative measures such as penetration tests, an access authorization matrix and confidentiality agreements must also be added to the relevant row for each activity.

Get legal protection for your inventory processes with an İzmir GDPR lawyer.

Preparing a Personal Data Processing Inventory is not merely a technical process of filling out a table; it is a comprehensive risk analysis requiring all of an organization's workflows to be subjected to legal scrutiny. It is a legal obligation for every data controller to create a living inventory structure tailored to their unique activities and processes. An inaccurate or incomplete inventory not only risks administrative fines but also undermines all other compliance documents, such as data protection notices and data destruction policies.

As Efes Hukuk Bürosu, we provide professional consultancy services in KVKK compliance processes to our clients, primarily those located in İzmir. Together with our expert team:

  • By conducting a detailed analysis of your business processes, we create your Personal Data Processing Inventory in compliance with the legislation.
  • We prepare legally valid Information Texts and Explicit Consent forms based on inventory data.
  • We manage your VERBİS registration processes in full compliance with the inventory.
  • We provide legal guidance in determining the necessary technical and administrative measures for data security.

The Personal Data Processing Inventory is a document kept within the data controller's organization and not publicly accessible; however, it is mandatory to submit it upon request by the Personal Data Protection Board. Therefore, keeping your inventory up-to-date and ready for audit at all times is of critical importance.

To receive legal advice on this matter, please contact us via the contact page.


Address: Nergis Neighborhood, Girne Boulevard No: 83, Floor 2, Apartment 2, Karşıyaka, İzmir

E-mail: info@efeshukuk.com

Phone: +90 534 415 52 56
