Compliance isn't a bolt-on module — it's the foundation.

In most HR software, KVKK (Turkey's data protection law) and Occupational Health & Safety are a form added as an afterthought. In Folkena they form an audit-ready system: explicit consent, VERBİS, data-subject rights, occupational accident reporting, risk matrix and anonymous reporting, all built into the code down to the article number of the law.

Explicit consent scopes: 7 areas
Data-subject rights (Art. 11): 5 rights · 30 days
SGK occupational accident report: 3 business days
Legislation: 6698 · 6331 · 5510
KVKK explicit consent matrix · employee × scope, audit-ready
01

KVKK — explicit consent & VERBİS

A KVKK audit starts with two questions: was explicit consent obtained (Art. 5/2) and is the VERBİS registry up to date (Art. 16). Folkena manages both in a traceable way.

Employees grant their own consent and withdraw it whenever they wish; every action leaves a trail with the IP and a self-service flag. Seven separate scopes are managed individually:

  • Photo — use of the employee's image on ID badges, system profiles and the internal directory. (PHOTO)
  • Biometric data — access control and time & attendance via fingerprint / face recognition; as special-category data, written and specific consent is mandatory. (BIOMETRIC)
  • Health data — workplace physician examinations, reports and disability information; special-category data. (HEALTH)
  • Emergency contact — next-of-kin details and emergency reach-out records. (EMERGENCY_CONTACT)
  • Marketing / communications — consent for commercial messages beyond internal announcements. (MARKETING)
  • Candidate CV retention — keeping application data for a defined period after the hiring process. (CV_RETENTION)
  • Background check — verification for references / CV vetting. (BACKGROUND_CHECK)
VERBİS obligation: 250+ employees or ₺100M+ turnover
Legal basis: KVKK Art. 16
VERBİS freshness check: 1 year → alert
Privacy notice (Art. 10): single source, tenant setting
Consent matrix: employee × 7 scopes
Audit output: CSV (YES / NO / —)
Consent matrix · the first format an auditor asks for

For every active employee, the latest status of all seven scopes (granted / withdrawn / never obtained) is visible in a single table. The system separately flags employees who have never given any consent, the most critical risk in an audit. If the VERBİS registry number is missing or the last update is more than 365 days old, an automatic alert appears; the entire table is handed to the auditor as a CSV with one click.
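A sketch of how such a matrix can be derived from an append-only consent event log. This is an added example, not Folkena's code; the event tuple layout, the GRANT / WITHDRAW action names, the employee IDs and the mapping of granted / withdrawn / never obtained onto YES / NO / — are assumptions.

```python
import csv
import io
from datetime import date

SCOPES = ["PHOTO", "BIOMETRIC", "HEALTH", "EMERGENCY_CONTACT",
          "MARKETING", "CV_RETENTION", "BACKGROUND_CHECK"]

# Constructed sample events: (employee, scope, action, ISO timestamp).
# Deliberately out of order: the latest event must win, not the last row read.
EVENTS = [
    ("E001", "PHOTO", "GRANT", "2025-01-10T09:00:00"),
    ("E001", "BIOMETRIC", "WITHDRAW", "2025-06-02T14:30:00"),
    ("E001", "BIOMETRIC", "GRANT", "2025-01-10T09:01:00"),
    ("E002", "HEALTH", "GRANT", "2025-03-04T11:15:00"),
]

def build_matrix(employees, events):
    """Latest state per (employee, scope); unknown scopes are ignored."""
    matrix = {e: {s: "—" for s in SCOPES} for e in employees}
    for emp, scope, action, _ts in sorted(events, key=lambda ev: ev[3]):
        if emp in matrix and scope in matrix[emp]:
            # Anything that is not an explicit GRANT counts as no consent.
            matrix[emp][scope] = "YES" if action == "GRANT" else "NO"
    return matrix

def never_consented(matrix):
    """Employees with no consent event in any scope."""
    return sorted(e for e, row in matrix.items()
                  if all(v == "—" for v in row.values()))

def verbis_alerts(registry_no, last_update, today):
    alerts = []
    if not registry_no:
        alerts.append("VERBIS registry number missing")
    if last_update is None or (today - last_update).days > 365:
        alerts.append("VERBIS update missing or older than 365 days")
    return alerts

def to_csv(matrix):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["employee"] + SCOPES)
    for emp in sorted(matrix):
        writer.writerow([emp] + [matrix[emp][s] for s in SCOPES])
    return buf.getvalue()

if __name__ == "__main__":
    m = build_matrix(["E001", "E002", "E003"], EVENTS)
    print(to_csv(m), never_consented(m),
          verbis_alerts("", date(2024, 1, 1), date(2025, 6, 1)))
```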

02

Data-subject rights

KVKK Art. 11 grants employees five rights; Art. 13 obliges the data controller to respond within 30 days. Folkena receives the request from the employee portal, queues it and tracks the deadline.

Access

Reach the data

The employee learns whether their personal data is being processed and can request an export.

  • Data export
  • Who accessed it — access log
Rectification

Inaccurate data

The employee requests correction of incomplete or incorrectly processed data.

  • Rectify
  • Trail: oldValues → newValues
Erasure / objection

The remaining three rights

Erasure, objection to processing and restriction of processing are recorded as separate request types.

  • Erasure
  • Object
  • Restrict
  • SLA-bound asynchronous queue — once a request is created its age is counted day by day; open requests exceeding 30 days are flagged OVERDUE. (KVKK Art. 13)
  • Admin approve / reject — HR reviews the request and closes it with a resolution note; resolved requests move to RESOLVED, overdue ones appear in red on the dashboard.
  • Personal access log — the audit trail records who accessed the employee's data through the system — transparency and accountability.
03

Retention, destruction & masking

KVKK Art. 7 and the Data Destruction Regulation: data whose period has expired must be destroyed. Folkena applies the retention policy, lists expired records and performs role-based masking.

Employment / personnel records: 10 years
Payroll records: 10 years
Leave records: 5 years
Health records: 15 years
Withdrawn consent: 3 years
Periods: overridable from tenant settings
  • Expired-record list — personnel records that have passed their retention period after offboarding, plus expired withdrawn consents, are collected in a single list. (KVKK Art. 7)
  • Field-level masking — sensitive fields such as salary, IBAN and national ID number are masked by role; an unauthorized user never sees the full value.
  • Immutable audit trail — every action such as granting/withdrawing consent, resolving a request and updating VERBİS is written to the audit log and cannot be altered afterwards.
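Role-based field masking applied on the server before a record is serialized, with unknown roles denied by default. This is an added example, not Folkena's code; the role names, the field names and the choice of how many trailing characters stay visible are assumptions.

```python
SENSITIVE = {"salary", "iban", "national_id"}

# Hypothetical role names: the fields each role may read in clear text.
CLEAR_FIELDS = {
    "PAYROLL_ADMIN": {"salary", "iban", "national_id"},
    "HR_SPECIALIST": {"national_id"},
    "LINE_MANAGER": set(),
}

def mask_value(field, value):
    if field == "salary":
        return "*****"                 # fixed width hides the magnitude too
    s = str(value).replace(" ", "")
    keep = 4 if field == "iban" else 2
    if len(s) <= keep:                 # too short to show a suffix safely
        return "*" * len(s)
    return "*" * (len(s) - keep) + s[-keep:]

def view_record(record, role):
    """Return a copy of record as `role` may see it (default deny)."""
    allowed = CLEAR_FIELDS.get(role, set())   # unknown role: nothing in clear
    view = {}
    for field, value in record.items():
        if field in SENSITIVE and field not in allowed and value is not None:
            view[field] = mask_value(field, value)
        else:
            view[field] = value
    return view

# Constructed sample record; none of these values belong to a real person.
SAMPLE = {"name": "Test Employee", "salary": 55000,
          "iban": "TR00 0000 0000 0000 0000 0012 34",
          "national_id": "12345678901"}

if __name__ == "__main__":
    for role in ("PAYROLL_ADMIN", "HR_SPECIALIST", "LINE_MANAGER", "UNKNOWN"):
        print(role, view_record(SAMPLE, role))
```

Masking only in the front end would still ship the full value to the browser, so the check belongs where the response is built.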
An honest boundary · no automatic deletion

This list shows expired records; the system does not perform actual deletion on its own. To avoid a conflict between KVKK's destruction obligation and the retention obligations of the Labour Law / Tax Procedure Law / Social Security (SGK), the destruction decision requires human approval. Folkena prepares the workflow and the queue; an authorized person presses the button.

04

OHS — occupational accident reporting

Law 6331, Art. 14: an occupational accident must be reported to Social Security (SGK) within 3 business days. Folkena records the incident, validates the mandatory fields, automatically calculates the reporting deadline and turns overdue reports into alerts.

Incident type

4 categories

Recording and process branch by incident type.

  • Occupational accident
  • Near-miss
  • Occupational disease
  • Property damage
Severity

4 levels

Incident severity drives statistics and the mandatory-field rule.

  • Low · medium · high · fatal
  • Extra fields required for HIGH / FATAL
  • Annual lost-workday statistics
  • Mandatory-field validation under Law 6331 — witness statements, workplace physician report and corrective-action (CAPA) record number; for serious (HIGH) and fatal (FATAL) incidents the record cannot be completed without them. (Law 6331 Art. 14)
  • Automatic SGK reporting deadline — the 3-business-day window for occupational accidents and occupational diseases is calculated from the incident date; once reported, the date and the reporter are recorded.
  • Overdue-report alert — accidents past their deadline and still unreported appear in a separate list; an early warning against the risk of an administrative fine.
  • Annual statistics — monthly distribution, breakdown by type and severity, total lost workdays; output ready for OHS board reporting.
05

OHS board, risk & medical exams

Headcount threshold, risk score and examination schedule — all three are tracked with rules tied to the law, and delays warn you in advance.

OHS board

50+ employees

For a tenant above the threshold, board status is reported automatically.

  • Required / established? (Law 6331 Art. 22)
  • Meeting every 90 days
  • Late meeting → alert
Risk assessment

5×5 matrix

For each hazard, risk score = likelihood × severity (1–25).

  • Area, hazard, control measure
  • Priority order by score
  • Review date tracking
Medical exam

4 types

Pre-employment, periodic, return-to-work and special examination records.

  • Result: fit / restricted / unfit (Law 6331 Art. 15)
  • Upcoming-exam alert
  • Overdue-exam alert

In risk assessment, active records whose review date has passed are listed separately; for periodic exams, those with an approaching due date and those already overdue (along with how many days late) are reported separately — the risk of a Law 6331 Art. 15 breach and an administrative fine becomes visible early.

06

Anonymous reporting / whistleblower

From mobbing to corruption, from workplace safety to customer feedback — 10 channels. No sign-in required and — most importantly — identity is never recorded.

KVKK-compliant anonymity · privacy by design

On this channel, IP, user-agent and identity information are never recorded. The IP is used only as a rate-limit key to prevent abuse (3 submissions per hour) and is never written to the database or the audit log. Reporting requires no auth; an employee can speak up without fear. Anonymity isn't a setting — it's the architecture itself.

Ten categories — serving as both an ethics-violation channel and a constructive-suggestion channel:

  • Ethics violation — mobbing, harassment, corruption, workplace safety hazard, discrimination and other. (5 categories)
  • Constructive suggestion (Kaizen) — process improvement, product/service innovation, cost saving and customer experience. (5 categories)
  • Admin status management — an incoming record is managed through the flow received → under review → closed → action taken; the admin sees only the category, the text and the internal status — the reporter is never visible.
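One way to use the client IP as a rate-limit key without ever persisting it, as described in the anonymity note above. This is an added example, not Folkena's code; the in-memory buckets, the keyed hash, the function names and the record layout are assumptions, and the addresses are documentation-range samples.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

LIMIT, WINDOW = 3, 3600            # 3 submissions per hour, as stated on the page
KEY = os.urandom(32)               # per-process secret, lost on restart
BUCKETS = defaultdict(deque)       # in memory only, never written to disk
REPORTS = []                       # stand-in for the database table

def bucket_id(ip):
    # Keyed hash: the limiter never holds the raw address, even in memory.
    return hmac.new(KEY, ip.encode(), hashlib.sha256).hexdigest()

def allow(ip, now=None):
    now = time.time() if now is None else now
    window = BUCKETS[bucket_id(ip)]
    while window and now - window[0] >= WINDOW:
        window.popleft()           # drop submissions older than one hour
    if len(window) >= LIMIT:
        return False
    window.append(now)
    return True

def submit(ip, user_agent, category, text, now=None):
    """ip and user_agent arrive with the request and are deliberately dropped."""
    if not allow(ip, now):
        return None
    # The stored record holds only what the admin view shows.
    record = {"id": len(REPORTS) + 1, "category": category,
              "text": text, "status": "RECEIVED"}
    REPORTS.append(record)
    return record["id"]

if __name__ == "__main__":
    for i in range(4):             # constructed traffic: fourth call is refused
        print(submit("203.0.113.7", "sample-agent", "MOBBING", f"report {i}"))
    print(REPORTS)
```

The property only holds end to end if the web server or reverse-proxy access log for this route also omits the client address and user-agent.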
07

Approval queue & HR analytics

A manager's pending tasks in one inbox; the human-capital picture in numbers on a single dashboard.

Approval queue

One inbox

Leave, advance and document requests aren't scattered across modules; an instant answer to "how many pending tasks are there."

  • Leave · advance · document requests in one list
  • Bulk approval (one click)
  • Owner-check: you can't approve your own leave
HR analytics

Decision data

Dashboard metrics and charts from a single query; the whole HR board live.

  • Headcount, turnover / retention rate
  • Demographics, age pyramid, tenure distribution
  • Exit reasons, workforce cost
  • Severance liability scenario

The approval queue is a single-stage aggregator — it brings scattered requests together, it does not set up a multi-stage authorization chain. During bulk approval, each request is verified to belong to the tenant and approved leave is automatically deducted from the balance.
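The per-request checks that bulk approval implies, including a guard against deducting the same leave twice. This is an added example, not Folkena's code; the Request fields, the outcome strings and applying the owner check to every request type rather than leave alone are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Request:
    id: int
    tenant_id: str
    employee_id: str
    kind: str              # "LEAVE", "ADVANCE" or "DOCUMENT"
    days: int = 0
    status: str = "PENDING"

def bulk_approve(approver_tenant, approver_employee, request_ids, store, balances):
    """Check and approve each request on its own; return {request_id: outcome}."""
    results = {}
    for rid in request_ids:
        req = store.get(rid)
        # Same answer for "missing" and "other tenant", so the endpoint
        # cannot be used to probe which IDs exist in another tenant.
        if req is None or req.tenant_id != approver_tenant:
            results[rid] = "NOT_FOUND"
        elif req.employee_id == approver_employee:
            results[rid] = "REJECTED_OWN_REQUEST"
        elif req.status != "PENDING":
            # A replayed or double-clicked bulk call must not deduct twice.
            results[rid] = "ALREADY_DECIDED"
        else:
            req.status = "APPROVED"
            if req.kind == "LEAVE":
                balances[req.employee_id] -= req.days
            results[rid] = "APPROVED"
    return results

if __name__ == "__main__":
    # Constructed sample data: manager M1 in tenant T1 approves a mixed batch.
    store = {1: Request(1, "T1", "E1", "LEAVE", days=3),
             2: Request(2, "T2", "E9", "LEAVE", days=2),
             3: Request(3, "T1", "M1", "LEAVE", days=1)}
    balances = {"E1": 14, "E9": 10, "M1": 8}
    print(bulk_approve("T1", "M1", [1, 2, 3, 99], store, balances), balances)
```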

08

HR assistant

An assistant that understands natural Turkish questions and gives employees and managers instant answers — across 25 defined intents.

Personal questions

Employee-specific

"How much leave do I have?", "my latest payslip?", "my tenure?", "my shift this week?" — answered from their own data.

  • Leave balance, latest payslip
  • Tenure, shift, advance status
General legislation

Labour Law No. 4857

Article-backed information on topics such as annual leave, parental leave, overtime, probation and severance.

  • Annual leave (Art. 53–54)
  • Maternity / paternity, overtime (Art. 41)
  • Probation (Art. 15), notice (Art. 17)
Manager query

With HR authority

Company-wide questions are open only to authorized users.

  • Headcount, department distribution
  • Birthdays this month
  • Pending approvals
Honest positioning · your data never leaves

This assistant is rule-based; it does not call a language model (LLM). It matches recognized question patterns and produces the answer directly from your own data. This has two concrete benefits: employee data is never sent to any external service (privacy) and there is no token cost (predictable spend). We don't overstate the "AI" label — what it does is clear: fast, secure, transparent Q&A.

09

Compliance readiness check

A one-click answer to "is everything in place?" The system scans critical compliance points, scores them as OK / Warning / Error and tells you whether you're ready to go live.

  • KVKK privacy notice — not just a character count; it checks whether the text covers the data controller, processing purpose, transfers and the Art. 11 rights. (6698 Art. 10)
  • VERBİS registry — at 250+ employees it's an automatic error even if the obligation flag is unset; a warning if the registry number is blank or out of date. (KVKK Art. 16)
  • KEP & OHS hazard class — whether the KEP (registered e-mail) configuration and its password are encrypted at rest; the hazard class is checked for the annual training calculation.
  • Minimum wage & IBAN coverage — the 2026 gross minimum wage definition and employees' bank IBAN coverage (the bank-payment obligation under Law 6552) are checked.
  • Leave balance — whether a per-employee balance record has been created for this year; if missing, a "Run sync" prompt.
A branded PDF for the auditor

All checks turn into a single-page A4 PDF audit report: tenant details, tax number, the scope of legislation covered (KVKK, 4857, 6331, 6552), the checklist and a summary score. If there are no failures, it reads "Ready for pilot launch"; otherwise the gaps are listed. Delivered to the auditor or management in one click.

Don't leave compliance to chance.

In the demo, let's run the compliance health check on your own company — explicit consent, VERBİS, OHS and data-subject rights, all on a single dashboard.