IYS and KVKK: Consent Management for Data Privacy

IYS and KVKK: Consent Management for Data Privacy

IYS (Message Management System...

07.07.2026 13:22

Makdos

9 min. reading

IYS and KVKK compliance is more than a consent form. It defines how businesses obtain explicit consent and process individuals’ personal data. It also helps them keep consent records updated and protect customer trust. For SMEs, e-commerce companies, corporate brands, and agencies, consent management is now a core part of responsible marketing. A campaign list is not only a marketing asset. It is also a record of data processing activities, communication preferences, opt-in history, withdrawal rights, and security responsibilities. This guide explains how IYS and KVKK work together in Turkey. It also shows how businesses should collect, update, and manage permission records. It also explains why panel or API integration matters. Makdos IYS helps businesses manage commercial communication permissions reliably, securely, and at scale. This content is for informational purposes only and does not constitute legal advice.

IYS and KVKK consent management workflow

What IYS Is and Why It Matters for KVKK Compliance

IYS, short for İleti Yönetim Sistemi, is Turkey’s centralized Message Management System for commercial electronic communication permissions. It allows recipients to see, manage, approve, or reject commercial messages from brands through a single structure.

The Turkish Ministry of Trade describes IYS as a central system for managing communication consents. Businesses can collect and manage communication consents through this system. Service providers also gain legal security by keeping proof of consent.

KVKK is Turkey’s data protection framework. International teams often refer to it as Turkey’s Law on the Protection of Personal Data, or KVKK. Its official Turkish legal name is Kişisel Verileri Koruma Kanunu.

In marketing, KVKK matters because sending commercial messages usually requires businesses to process personal data. This may include phone numbers, email addresses, names, customer IDs, permission timestamps, and communication preferences.

In practice, IYS and KVKK address two connected layers. IYS focuses on managing message permissions in practice. It tracks who approved, who rejected, which channel the customer allowed, and when the permission status changed.

KVKK focuses on protecting personal data. It also covers the lawful basis for processing, transparency, retention, security, and the rights of each data subject.

Collecting contact details does not automatically permit every marketing campaign. The business must define the categories of personal data it collects and explain why it processes that data. It must also record and update each user’s communication permission correctly.

How Consent Management Works Under IYS and KVKK

A compliant permission process begins before the first campaign is sent. The business should clearly tell the recipient which brand will contact them, through which channel, for what purpose, and how they can withdraw permission.

The original Turkish Makdos article emphasizes the same process. Consent must be specific to the communication channel and purpose. Recipients must also be able to opt out from the start.

Collecting Valid Consent

To obtain explicit consent, the user must take a clear and voluntary action. A pre-selected checkbox, vague language, or a bundled acceptance statement can create risk.

In these cases, users may not clearly understand what they are approving. For example, a customer may give permission for email only. In that case, the business should not use that permission for SMS or phone calls.

The Turkish Data Protection Authority has also emphasized that privacy notices and explicit consent texts should remain separate. Combining them into a single document can make the process confusing for users. When personal data processing depends on explicit consent, businesses should keep the privacy notice and consent statement separate. Each one should have a clear heading and its own declaration.

A practical consent form should therefore answer four questions:

  • Which legal entities are collecting or using the data?
  • Which communication channels does IYS cover?
  • Which categories of personal data will the business use?
  • What are the purposes of processing?

This structure helps data controllers avoid vague permission records. It also gives recipients a clear opportunity to make an informed decision. 

A privacy notice is not the same as consent. The privacy notice explains how the business handles personal data. Consent is the user’s voluntary approval for a specific processing activity, such as marketing communication.

Recording and Updating Permissions in IYS

After permission is collected outside IYS, it must be transferred into the IYS structure within the applicable legal timeline. The original Makdos article makes this point clearly. Businesses should register permissions in IYS before treating consent collection as complete. Unregistered permissions can create compliance risks and affect campaign delivery.

This is where many businesses struggle operationally. Customer permissions can change across website forms, IYS, CRM systems, and email unsubscribe links. Without proper synchronization, the business may continue sending messages to someone who has already withdrawn permission.

A strong IYS and KVKK process should therefore include:

  • Consent collection at the original source,
  • IYS registration,
  • CRM or marketing automation synchronization,
  • Opt-out processing,
  • Log retention,
  • Periodic data review,
  • Secure deletion or anonymization when the processing purpose ends.

This approach helps the business manage personal data in a controlled way. It also keeps permission records from ending up in separate spreadsheets, forms, CRM fields, and campaign tools. 

Panel or API: Choosing the Right IYS Integration Model

Businesses usually manage IYS permissions through either a panel-based process or an API-based integration. The right choice depends on permission volume, technical resources, and the number of brands. It also depends on how quickly permission statuses change.

For a small business with limited daily updates, panel usage can be enough. A team can upload lists, review approvals, and update rejections manually. However, as the number of recipients grows, manual management becomes harder to audit. Human error, delayed updates, duplicate records, and missed opt-outs can create legal and reputational risk.

API integration is a better fit when customer permissions come from multiple sources. Customer permissions may come from checkout pages, forms, apps, CRM systems, call centers, landing pages, and email tools. The source article explains that API and webhook flows help automate consent additions, rejections, and status updates across systems.

Panel vs API for IYS Consent Sync 

Panel vs API for IYS Consent Sync

The technical goal is not only to “send data to IYS.” It is also to maintain one consistent permission status across all systems that use Turkish customer data. 

Data Security, Retention, and Deletion Responsibilities

Consent data is personal data. This data may include contact details, permission records, source information, transaction history, and campaign preferences. In some industries, businesses should also be careful not to collect sensitive personal data unnecessarily in marketing forms.

Under KVKK, businesses must treat data security as more than software security. Data controllers must protect personal data from unlawful processing, unauthorized access, and loss. It also highlights the need for appropriate technical and administrative measures.

For IYS and KVKK alignment, this means businesses should control:

  • Who can access permission records,
  • How consent logs are stored,
  • Whether exported files are encrypted,
  • How API credentials are protected,
  • Which systems receive customer permission data,
  • Whether data transfers are necessary and documented,
  • How long records are retained,
  • How deletion, destruction, or anonymization is handled.

Retention is especially important. A business may need to preserve consent evidence for compliance purposes. However, it should not retain personal data indefinitely without a valid reason. KVKK-related deletion and anonymization rules require organizations to manage data retention and destruction with defined policies, technical measures, and auditability.

This is also where teams with international operations should compare KVKK with the General Data Protection Regulation. While the legal systems differ, both frameworks encourage transparency, data minimization, purpose limitation, security, and accountability. Strong GDPR privacy-by-design practices create a solid compliance foundation. This can also support consent management aligned with KVKK.

Having IYS does not mean the business transfers all data security responsibilities. Your business may still be responsible for several areas. These include CRM data, campaign lists, exported files, access rights, vendor usage, and internal approval workflows.

Practical Scenarios for SMEs, E-Commerce Teams, Agencies, and Enterprise Brands

Different business types face different consent management risks. The legal obligation may be similar across organizations. However, the operational design should match each organization’s scale and complexity. 

SMEs: Start With Clean Permission Sources

For SMEs, the first priority should be clarity. Do not collect permissions through unclear forms, outdated Excel sheets, or verbal approvals that your team cannot verify later. A small business can build a strong foundation by identifying where it collects permissions. Each source should also include a clear privacy notice, consent statement, and opt-out mechanism.

A panel-based IYS setup may be enough at first. However, even small teams should document who updates records, how often they check them, and where they store backup data.

E-Commerce Firms: Connect Consent to the Customer Journey

E-commerce brands collect customer data across many touchpoints. These may include account registration, checkout, newsletter forms, discount pop-ups, loyalty programs, abandoned cart tools, and support interactions. Your team should review each touchpoint separately.

A checkout form, for example, should not hide marketing consent inside terms and conditions. Your team should separate transactional messages from promotional messages. A shipping update may be necessary for service delivery, while a campaign SMS requires a different permission logic.

For e-commerce teams, API-based IYS integration is often more reliable. Permission changes can happen frequently, and businesses may keep customer records across multiple systems.

Agencies: Build Repeatable Client Governance

Agencies that manage campaigns for multiple brands need a repeatable consent governance model. They should not assume they can use a client’s list simply because the client delivered it for a campaign. Before sending commercial communication, the agency should review the client’s IYS records. It should also confirm that channel permissions are accurate and documentation is sufficient.

Agencies should also define their role carefully. Depending on the relationship, they may act as a processor, service provider, or operational partner. That role affects how they should handle access rights, logs, data transfers, and deletion requests.

Enterprise Brands: Standardize Across Departments

Enterprise brands often collect permissions across multiple departments. These may include marketing, sales, customer support, retail branches, dealer networks, mobile apps, and call centers. Without central governance, one department may update a recipient’s opt-out status. However, another department may continue sending messages from a separate tool.

Larger organizations should manage IYS and KVKK compliance as a cross-functional process. This process should involve legal, IT, marketing, security, and customer experience teams.

Common Mistakes That Create Compliance Risk

The most common mistakes are usually operational rather than technical. A business may have a privacy policy, an IYS account, and a campaign tool. However, the business may still face compliance gaps. Disconnected systems and unclear consent language create compliance risk.

Common risk areas include:

  • Using one consent checkbox for multiple unrelated purposes,
  • Treating email permission as SMS or call permission,
  • Failing to update CRM records after an IYS rejection,
  • Sending campaigns from old exported lists,
  • Allowing too many employees to access permission data,
  • Keeping old records without a retention policy,
  • Not separating privacy notice and consent language,
  • Failing to log when, where, and how consent was collected,
  • Using another company’s consent text without adapting it to real processing activities.

Privacy and consent texts must be clear, accurate, and specific to the data controller’s activities.

A permission record is only reliable when your team can explain its source, scope, purpose, and validity.

How Makdos Supports IYS and KVKK-Aligned Consent Management

Makdos IYS helps businesses manage message permissions with a more structured and technically reliable process. Companies do not have to rely only on manual uploads, disconnected CRM notes, or spreadsheet-based tracking. With Makdos IYS Integration, they can centralize permission management and reduce day-to-day operational friction. 

Makdos provides several features and services for IYS integration. These include API integration support, webhook support, an administration panel, and consulting during the implementation process. These capabilities are especially useful for businesses that need to connect IYS with their internal systems. This may include their own applications, CRM tools, customer databases, or marketing systems.

For companies with higher security expectations, Makdos can also support the wider infrastructure layer around permission management. Access-controlled hosting, firewall planning, secure admin workflows, and reliable server architecture all support safer data handling. Together, they help businesses protect consent records and marketing systems more effectively.

Makdos Firewall and Security 

If your business runs landing pages, campaign forms, or customer portals, the hosting environment also matters. A secure and stable website infrastructure helps reduce technical interruptions during consent collection. It also supports a better user experience during opt-in and opt-out flows. 

Makdos’s value is not limited to a single technical connection. The main benefit is operational. It helps businesses move from fragmented consent handling to a clearer, more manageable, and more auditable permission process.

For SMEs, this can mean simpler onboarding. For e-commerce teams, it can mean smoother synchronization. For agencies, it can mean more repeatable client processes. For enterprise brands, it can mean fewer gaps between legal requirements and daily campaign execution.

Conclusion: Build Consent as a Controlled Business Process

IYS and KVKK compliance should not be treated as a one-time setup. It is an ongoing business process that connects legal transparency, permission collection, data security, system integration, customer trust, and campaign performance.

A reliable consent structure helps your business clearly understand who it can contact. It also shows which channel your business can use, for what purpose, and based on which permission record. It also helps reduce several risks. These include unauthorized communication, outdated lists, weak audit records, and unnecessary storage of personal data.

The next step is to review your current permission sources and identify where your business stores the records. Then, check whether your systems synchronize IYS updates and strengthen the systems that handle customer communication data. Your business may want to manage this process through a structured integration.

In that case, Makdos IYS offers a practical path forward. It helps organize permissions, support technical workflows, and improve compliance readiness without making consent management a manual burden. 

👉 Makdos IYS Services 

Frequently Asked Questions

A First in Türkiye
The first hosting mobile application

Makdos Technology App Store ApplicationMakdos Technology Play Store Application
Makdos Technology Mobile Application Image
WhatsApp