According to Gartner’s definition lead generation is the process of collecting a set of contacts from prospective buyers with a goal to nurture and qualify them as sales opportunities to grow the business.
Nowadays, lead generation is one of the most preferred method of marketing strategies of many companies. The main goal of this method is to bring potential customers and companies together. A lead can be any consumer who has directly or indirectly interest in buying a product or service.
The processing of this method is as follows; consumers submit personal information online via a website form, or on a telemarketing call. The relevant personal information shared by consumers is often defined as personal data in accordance with KVKK (“Law”). These information may sometimes include the identity of the consumer and sometimes more sensitive information.
The Law came into force on 7 April 2016 and regulates a number of processes that should be followed when receiving personal data from individuals and also imposes law enforcement on non-compliance.
Especially when the Turkish Data Protection Board’s decisions are reviewed, it is understood that companies should be more careful about the personal data processed within the scope of marketing activities.
Thus, the basic actions need to be taken in the context of lead generation marketing are indicated below;
-Legal Basis: İt is important to decide which legal basis the company is based on. This means that asking yourself whether the company need explicit consent directly from consumers, or can they rely on contractual agreements or legitimate interest?
-Determining the channels in which the personal data is collected: According to the Law legal obligations will vary for each marketing channel (telephone, SMS, email, post etc.) so it’s important to prepare customised procedures for each channel.
-Updating forms: Companies have to update all lead capture forms on their web site or other platforms. In these revised forms, it will be important to inform the customers in accordance with the Law and act in accordance with data minimisation principal 
-Establishing a registration and destruction system: İt is important that customers information is stored within a system and destructed during the determined retention period.
-Security of Personal Data: KVKK also means that companies need to make sure that they keep all the personal data securely. Encryption, SSL certificate is only one of these measures.
-Working with trusted third parties: Finally, if a third-party service provider is handling the company’s data for them, confirm that the provider is complying with the Law. Signing a data protection addendum and some other measures will be sufficient for the beginning.
In conclusion, the activities targeting customers within the scope of marketing have become an important topic in these days. Companies should start a compliance process and implement the above mentioned matters in detail to their processes.
 Turkish Personal Data Protection Law No:6698
 2016/679 ,General Data Protection Regulation, Article 5/1/ (c) “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”