ATT. MEVLÜT ELMALI & ATT. KEREM USTAOĞLU – AY-YILDIZ LAW FIRM POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
This Policy sets out the principles that Att. Mevlüt Elmalı & Att. Kerem Ustaoğlu – AY-YILDIZ Law Firm (hereinafter referred to as the "Law Firm") shall adopt and take into account in the processing and protection of personal data. This Policy identifies the matters to be observed by the Law Firm and establishes the fundamental principles governing compliance with the requirements set forth in the Turkish Personal Data Protection Law No. 6698 (the "PDPL").
Pursuant to the Constitution of the Republic of Türkiye, everyone has the right to request the protection of personal data concerning themselves. As a constitutional right, the protection of personal data is treated with the utmost care by the Law Firm, which, through this Policy, ensures the protection of the personal data of participants, employee candidates, office representatives, visitors, employees and representatives of collaborating parties, and third parties, and has adopted this commitment as an institutional policy.
The primary purpose of this Policy is to provide explanations regarding the personal data processing activities carried out lawfully by the Law Firm, as well as the systems adopted for the protection of personal data. In this context, its aim is to ensure transparency by informing the individuals whose personal data are processed by the Law Firm, including, but not limited to, our employees, employee candidates, representatives, visitors, clients, employees and representatives of the institutions with which we cooperate, and third parties. This Policy has been prepared with the objective of ensuring that all compliance activities carried out by the Law Firm to comply with the PDPL are managed at the highest level.
This Policy applies to all personal data of our employees, employee candidates, institutional representatives, the employees and representatives of the institutions with which we cooperate, and third parties, processed by fully or partially automated means or by non-automated means provided that they form part of a data recording system.
This section briefly explains the special terms, concepts, and abbreviations used in the Policy.
Att. Mevlüt Elmalı & Att. Kerem Ustaoğlu – AY-YILDIZ Law Firm: The Law and Consultancy Firm.
Explicit Consent: Consent related to a specific matter, given based on being informed and limited to a particular purpose of data processing.
Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person, even by matching them with other data.
Employee: An employee of the Law Firm.
Service Provider: A natural or legal person, or an employee thereof, from whom the Law Firm receives services and/or to whom the Law Firm provides services.
Data Subject (Relevant Person): The natural person whose personal data are processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data — such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of such data — by fully or partially automated means or by non-automated means, provided that such non-automated processing forms part of a data recording system.
the Board: The Personal Data Protection Board.
Personal Data Protection Law (PDPL): Turkish Personal Data Protection Law No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677.
Special Categories of Personal Data (Sensitive Personal Data): Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
the Policy: The Policy on the Protection and Processing of Personal Data of Att. Mevlüt Elmalı & Att. Kerem Ustaoğlu – AY-YILDIZ Law Firm.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, and who is obliged to register with the Data Controllers' Registry.
1.5.1) Data Controller
Under the PDPL, any operation performed on personal data — such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of such data — by fully or partially automated means or by non-automated means, provided that they form part of a data recording system, constitutes the processing of personal data. The Law Firm, in its capacity as Data Controller, is responsible for determining the purposes and means of processing the personal data recorded in its database and for establishing and managing the data recording system.
1.5.2) Data Processor
Natural or legal persons who process personal data on behalf of the Law Firm based on the authority granted by the Law Firm shall be deemed data processors. Where personal data are processed on behalf of the Law Firm by another natural or legal person, the Law Firm, as Data Controller, and such data processors shall be jointly responsible for taking the necessary measures. As the Data Controller, the Law Firm periodically audits the compliance of data processors with this Policy in order to ensure that the trust placed in it by the data subjects sharing personal data with it is upheld to the same standard by its business partners and service providers.
Under the PDPL, the Law Firm has legal obligations regarding the protection and processing of personal data. These obligations are as follows:
1.6.1) Duty to Inform
When collecting personal data, the Law Firm is obliged to inform the data subject and, in this respect, to provide the data subject with information on the following matters:
Within the scope of its duty to inform, the Law Firm shall inform data subjects about the processing of their personal data through various means. In addition, the Law Firm places particular importance on ensuring that its publicly available policies are comprehensible to data subjects. The information referred to above is provided on the Law Firm's website. The methods to be used for informing data subjects have been determined by way of internal policies.
1.6.2) Duty to Respond to Applications from Data Subjects
Data subjects may exercise their rights under the PDPL concerning their own personal data by submitting an application in writing or by such other methods as may be determined by the Board. In this respect, the Law Firm takes the necessary administrative and technical measures to fulfil its obligations under Article 13 of the PDPL and to give effect to the rights of data subjects.
1.6.3) Duty to Ensure the Security of Personal Data
The Law Firm takes the necessary technical and administrative measures to provide an appropriate level of security in order to prevent the unlawful processing of, and unlawful access to, the personal data it processes and to ensure their preservation. Should the Board subsequently issue detailed regulations concerning data security obligations, the Law Firm will exert reasonable effort to comply with such obligations and to provide the maximum level of security. The Law Firm designs systems for carrying out or having carried out the necessary audits regarding the operation of the technical and administrative measures it adopts. The results of such audits are reviewed by the responsible units within the Law Firm, and the necessary actions are taken. If the personal data processed are obtained by others through unlawful means, the Law Firm is obliged to notify the affected data subject and, where required by law, the Board as soon as possible. The necessary organizational structure has been established for this purpose. Whenever a situation constituting a security risk is identified by the Law Firm, measures to eliminate such risk are taken without delay.
1.6.3.1) Adoption of Technical and Administrative Measures to Ensure the Lawful Processing of Data
The following measures are taken by the Law Firm to ensure the lawful processing of personal data:
The employees of the Law Firm are informed and trained on the lawful processing of personal data and on the sanctions applicable to unlawful data processing.
Regular audits are carried out to raise awareness among employees, and the necessary administrative measures are implemented through the Law Firm's internal policies and training programs.
Provisions concerning the confidentiality of the personal data shared and the manner in which such data are to be processed and stored are included in the contracts and documents that govern the legal relationships between the Law Firm and its employees and business partners.
Access to personal data is restricted to those employees who need such access for the purpose of processing. Employees' access to personal data that they do not use in the course of their duties is restricted.
1.6.3.2) Adoption of Technical and Administrative Measures to Prevent Unlawful Access to Personal Data
The following measures are taken by the Law Firm to prevent unlawful access to personal data:
1.6.4) Duty of Notification
Pursuant to Article 11 of the PDPL, the rights of the data subject from whom personal data are obtained regarding the protection of such personal data are as set out in Section 10 of this Policy. Pursuant to Article 13 of the PDPL, the Law Firm is obliged to evaluate the requests submitted concerning these rights and to inform the relevant data subjects, and such notifications shall be made within the timeframe stipulated by applicable law. Such requests must be submitted to the Law Firm in writing by the data subjects or by such other methods as may be determined by the Board. The Law Firm shall, without contravening any decision of the Board on this matter, endeavour to provide data subjects with additional means of submitting their applications.
The relevant legal provisions in force concerning the processing and protection of personal data shall have priority in application. In the event of any inconsistency between the applicable legislation and this Policy, the Law Firm acknowledges that the applicable legislation shall prevail. This Policy has been drawn up by giving concrete effect, within the scope of the Law Firm's operations, to the rules set forth by the applicable legislation.
Should this Policy prepared by the Law Firm be renewed in whole or in part, the effective date of the Policy shall be updated accordingly.
The PDPL defines personal data as any information relating to an identified or identifiable natural person. In this context, the person's data must be specific or capable of being determined (i.e., such that, when combined with other information, the person can be identified). Information such as a person's name, surname, date and place of birth, identity number, social security number, telephone number, address, images, payment information, health information, and similar information falls within the definition of personal data.
Special categories of personal data are those which, if disclosed, may cause the relevant person to suffer harm or discrimination, and are listed in the first paragraph of Article 6 of the PDPL as follows: data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The processing of special categories of personal data without the explicit consent of the data subject is prohibited, save in cases expressly authorized by law. Accordingly, such personal data shall not be processed by the Law Firm except in cases permitted by the PDPL, or shall be processed with the explicit consent of the data subject in accordance with the conditions set out in Article 6 of the PDPL.
This Policy serves as a guide as to how the Law Firm shall concretely implement the rules set forth by the PDPL and related legislation. Taking this Policy as a guide, the Law Firm shall analyse the personal data processing activities carried out within its organization, determine the actions required to comply with this Policy, and adopt all necessary technical and administrative measures. Once the determined actions have been implemented, continued compliance with the Policy shall be maintained through internal audit mechanisms. To ensure compliance with this Policy within the Law Firm, activities to raise awareness among employees shall be carried out, and the necessary onboarding processes shall be followed for new employees. In order to ensure compliance with the PDPL, personal data are processed by the Law Firm in accordance with the general principles and provisions set forth by the legislation. Accordingly, this section addresses the principles and conditions that must be observed by the Law Firm in all personal data processing activities. The principles to be taken into account during the processing of personal data are examined below under separate headings.
3.1) Processing of Personal Data in Compliance with the Law and the Principle of Good Faith
The Law Firm acts in accordance with the law and the principle of good faith in its personal data processing activities. In this respect, the Law Firm applies the principles of proportionality and necessity in the processing of personal data, processing only such personal data as are required and to the extent commensurate with the purposes of processing.
3.2) Ensuring that Personal Data are Accurate and, Where Necessary, Up to Date
The Law Firm ensures that the personal data it processes are accurate and up to date and takes the necessary measures to that end. For instance, the Law Firm develops systems that enable data subjects to correct and update their personal data.
3.3) Processing for Specified, Explicit, and Legitimate Purposes
The Law Firm processes personal data for specified, explicit, and lawful purposes. In this respect, the Law Firm determines the purposes for which personal data will be processed and communicates such purposes to data subjects before their personal data are processed. Personal data are not processed for purposes other than those specified. The data processing purposes determined by the Law Firm are legitimate and lawful.
3.4) Being Relevant to, Limited to, and Proportionate to the Purposes of Processing
The Law Firm processes personal data in a manner suitable for the fulfilment of the specified purposes and refrains from processing personal data that are not related to or not necessary for the fulfilment of such purposes. For example, no personal data processing activity is carried out for the fulfilment of a new purpose that arises after the personal data have been obtained.
3.5) Retention for the Period Provided for in the Applicable Legislation or Required for the Purposes for Which the Data are Processed
The Law Firm retains personal data solely for the periods stipulated by law or, where the retention period is not so stipulated, only for the period required for the purposes for which the data are processed. In this respect, if the applicable legislation prescribes a specific period for the retention of personal data, that period shall be observed. If no period has been prescribed, personal data are retained for the period necessary for the purposes for which they are processed.
4.1) Categorization of Personal Data
Within the Law Firm, upon informing data subjects in accordance with Article 10 of the PDPL, and based on and limited to one or more of the personal data processing conditions set forth in Article 5 of the PDPL, the personal data in the categories listed below are processed for the legitimate and lawful personal data processing purposes of the Law Firm — in compliance with the general principles set forth in the PDPL, in particular the principles set out in Article 4 concerning the processing of personal data, and in compliance with all obligations regulated under the PDPL — and within the retention periods set out in this Policy:
Identity Information: All information contained in documents such as a driver's licence, national identity card, residence certificate, passport, attorney's identity card, and marriage certificate, which clearly relates to an identified or identifiable natural person and is processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Contact Information: Information such as telephone number, address, and e-mail, which clearly relates to an identified or identifiable natural person and is processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Participant Information: Information obtained and generated in respect of the relevant person as a result of our service activities and the operations carried out by our business units within such framework, which clearly relates to an identified or identifiable natural person and is processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Information Regarding Family Members and Relatives: Information about the family members and relatives of the data subject, clearly relating to an identified or identifiable natural person and contained in the data recording system, processed in connection with the products and services we provide or for the purpose of protecting the legal interests of the Law Firm and the data subject.
Participant Transaction Information: Information such as the records relating to the use of our products and services and the instructions and requests of the person necessary for the use of such products and services, which clearly relates to an identified or identifiable natural person and is contained in the data recording system.
Physical Premises Security Information: Personal data relating to the records and documents obtained upon entry into and during presence within the physical premises, which clearly relate to an identified or identifiable natural person and are contained in the data recording system.
Transaction Security Information: Personal data processed in order to ensure our technical, administrative, legal, and commercial security while carrying out our activities, which clearly relate to an identified or identifiable natural person and are contained in the data recording system.
Risk Management Information: Personal data processed by means of methods used in accordance with generally accepted legal and commercial customs and the principle of good faith to enable us to manage our technical and administrative risks, which clearly relate to an identified or identifiable natural person and are contained in the data recording system.
Financial Information: Personal data processed in respect of information, documents, and records reflecting all types of financial results generated according to the type of legal relationship established between the Law Firm and the data subject, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Personnel Information: All types of personal data processed with the aim of obtaining information that will form the basis for the personnel rights of our employees or of the natural persons who have an employment relationship with the Law Firm, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Employee Candidate Information: Personal data processed in respect of individuals who have applied to be an employee of the Law Firm, or who have been evaluated as an employee candidate in accordance with commercial customs, the principle of good faith, and the Law Firm's human resources needs, or who otherwise have a working relationship with the Law Firm, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Employee Transaction Information: Personal data processed in respect of all work-related transactions carried out by our employees or by natural persons having a working relationship with the Law Firm, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Employee Performance and Career Development Information: Personal data processed for the purpose of measuring the performance and planning and carrying out the career development of our employees or of natural persons having a working relationship with the Law Firm within the scope of the Law Firm's human resources policy, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Fringe Benefits and Interests Information: Personal data processed for the purpose of planning the fringe benefits and interests we provide or will provide to employees or to other natural persons having a working relationship with the Law Firm, determining the objective criteria concerning entitlement thereto, and monitoring the accrual of such entitlements, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Legal Proceedings and Compliance Information: Personal data processed within the scope of the identification and pursuit of legal claims and rights, the discharge of debts and our legal obligations, salary attachment information, attachment notices, court writs, statements taken within the scope of investigations, court records, mediation records, instructions and releases, as well as compliance with the Law Firm's policies — clearly relating to an identified or identifiable natural person and processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Audit and Inspection Information: Personal data processed in the framework of the information and data required for Ministry inspections, as well as the Law Firm's legal obligations and its compliance with the Law Firm's policies, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Special Categories of Personal Data: The data specified in Article 6 of Law No. 6698, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Request/Complaint Management Information: Personal data relating to the receipt and evaluation of any request or complaint submitted to the Law Firm, including information received via social media accounts, e-mail, telephone, written applications, and the WhatsApp line, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Location Information: The location information of the places where employees are present while using the Law Firm's vehicles, which clearly relates to an identified or identifiable natural person and is processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Professional Experience: All types of certificate information — such as diploma information, registry information, school information, courses attended, in-service training information, title, work completion certificates, all types of training received for career development, retirement, foreign language skills, operator's certificates, and driving credentials — clearly relating to an identified or identifiable natural person and processed by partially or fully automated means, or by non-automated means as part of a data recording system.
Visual and Audio Data: Visual and audio recordings such as photographs, videos, and the like, which clearly relate to an identified or identifiable natural person and are processed by partially or fully automated means, or by non-automated means as part of a data recording system.
4.2) Retention of Personal Data
The Law Firm takes the necessary technical and administrative measures — commensurate with technological possibilities and the cost of implementation — to ensure that personal data are stored in secure environments and to prevent their unlawful destruction, loss, or alteration.
4.3) Retention Periods for CCTV Footage
The Law Firm retains and processes CCTV footage obtained through security cameras located within the boundaries of the premises, in administrative and social facility areas, and in common-use areas for a period of thirty (30) days. The Law Firm takes the necessary technical and administrative measures — commensurate with technological possibilities and the cost of implementation — to ensure that such image records are stored in secure environments and to prevent their unlawful destruction, loss, or alteration.
4.4) Technical Measures Adopted for the Retention of Personal Data in Secure Environments
The principal technical measures adopted by the Law Firm to ensure the storage of personal data in secure environments are as follows:
4.4.1) Administrative Measures Adopted for the Retention of Personal Data in Secure Environments
The principal administrative measures adopted by the Law Firm to ensure the storage of personal data in secure environments are as follows:
4.5) Retention Periods for Personal Data
Where a period is prescribed by the relevant laws and legislation, the Law Firm retains personal data for the period specified in the applicable legislation. Where no period has been prescribed by legislation regarding how long personal data are to be retained, personal data are processed for the period required by the Law Firm's practices and by the customs of commercial life, in connection with the services provided by the Law Firm at the time such data are processed. Such periods are specified separately for each item of personal data in the Law Firm's inventory, and once the periods have expired, the personal data are erased, destroyed, or anonymized. Detailed information on this matter is provided in Section 8 of this Policy. Once the purpose of processing has ended and the retention periods determined by the applicable legislation and by the Law Firm have expired, personal data may be retained solely for the purpose of serving as evidence in potential legal disputes, or for asserting a right connected to the personal data, or for establishing a defence. The determination of the applicable retention periods in this context takes into account the statutory limitation periods for asserting such rights and, notwithstanding the expiration of such limitation periods, the examples set by requests previously submitted to the Law Firm on the same matters. In such cases, the retained personal data are not accessed for any other purpose, and access to such personal data is provided only when their use in the relevant legal dispute is necessary. Once the period referred to herein has ended, the personal data are likewise erased, destroyed, or anonymized.
As a rule, personal data are processed based on one or more of the personal data processing conditions set forth in Article 5 of the PDPL.
The PDPL provides that special measures may be introduced for the processing of special categories of personal data. Accordingly, the measures determined by the Board are taken when processing special categories of personal data. The necessary organizational systems have been designed to comply with the arrangements provided for in Articles 8 and 9 of the PDPL concerning the transfer of personal data to third parties within Türkiye or abroad. The necessary security measures are taken during such transfers of personal data in line with the purposes of processing.
5.1. Purposes for Which the Law Firm Processes Personal Data
The Law Firm processes personal data for the purposes and under the conditions set forth in Articles 5 and 6 of the PDPL concerning the processing of personal data and special categories of personal data. These purposes and conditions are as follows:
Where a processing activity carried out on the basis of the aforementioned conditions and purposes does not meet any of the conditions set forth under the PDPL, the Law Firm shall request the explicit consent of the data subject in respect of the relevant processing activity.
Within this framework, the Law Firm processes your personal data for the following purposes: