1. The Objective of the Personal Data Protection Policy
The objective of the Personal Data Protection Policy is to provide information regarding the systems adopted for personal data processing, and the protection of personal data that are conducted by Erdem & Erdem Ortak Avukatlık Bürosu and Erdem Erdem Danışmanlık A.Ş. (“Erdem & Erdem”), in accordance with the Law on Protection of Personal Data (“LPPD”) numbered 6698 and related legislation. In this respect, this policy aims to enlighten the persons whose personal data has been processed and, in particular, our employees, prospective employees, suppliers and visitors, as well as the employees, shareholders and officials of the institutions that we are in collaboration with, and third parties.
2. The Scope of the Policy
This policy includes explanations regarding the content, categories, means of use, and the processing means of personal data, its maintenance conditions, the rights of data subjects, and precautions taken to protect personal data.
3. The Purpose of Processing of the Personal Data
Erdem & Erdem undertakes that it shall process all personal data pursuant to the principles that are determined within the scope of Article 4 of the LPPD, and in accordance with the purposes stated, below:
a) For our clients and business partners:
i. Implementing every type of advocacy and legal consultancy activities,
ii. Implementing or ensuring additional/complementary services (external and internal auditing, accounting, tax counseling, IT, translation etc.) for the performance of the above-mentioned activities,
iii. Supplying information with regard to various legal developments and providing scientific articles,
iv. Providing legal trainings organized by Erdem & Erdem, related documents and informing on future trainings that wil be made by Erdem & Erdem,
v. Conservation of the data that is obtained in this respect, in order to be able to preserve them for future processing.
b) For employees:
i. Exercising the rights vested in the laws and regulations, such as the labor law, social security law, and tax law, etc., and fulfilling the obligations arising from the latter of these,
ii. Taking out private health insurance,
iii. Adding Personal Data onto our web site for informational purposes,
iv. Resolution of disputes arising from the labor law,
v. Corporate planning,
vi. Ensuring the order, control, security, administration, and harmonization in the workplace,
vii. Archiving the data, such as camera recordings, video recordings, and photographs that are obtained from office events,
viii. Implementing our recruitment process.
4. Data Collection Method
Erdem & Erdem may collect Personal Data through the medium of verbal communication, e-mails, faxes, telephone, post, couriers, and deliveries by hand, etc.
5. Authorization of Processing and Transfer
The domestic processing of Personal Data and their transfer to third natural or legal parties may be affected by the express consent of the data subject. Pursuant to Article 5 of the LPPD, in the absence of express consent, personal data may be processed in the following circumstances:
a. Explicit provision of law,
b. In the event it is required for the security of the life or physical integrity of the data subject who cannot express its consent because of physical incapacity, or whose consent is not legitimized, either for the security of life or physical integrity of another person,
c. In the event the processing of personal data of parties to a contract is required, provided that it is directly related to the execution or performance of this contract,
d. In the event it is required for the performance of the legal obligations of Erdem & Erdem,
e. In the event it is already disclosed by the Data Subject,
f. In the event the processing of data is required for the establishment of a right, its exercise, or its protection,
g. In the event the processing of data is required for the legitimate interests of Erdem & Erdem, provided that the fundamental rights and freedoms of the related person are protected.
Personal Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, memberships of association, foundations or trade-unions, health, sexual orientation, criminal conviction and security measures, and biometrics and genetics are special categories of Personal Data. The Processing and Transfer of special categories of personal data may be affected with the express consent of the related person. In the absence of express consent:
a. Personal Data that is not related to health condition or sexual orientation may be processed without obtaining the express consent of the related person if it is regulated by law,
b. Personal Data that is related to health condition or sexual orientation may be processed without obtaining the express consent of the related person by real persons or competent institutions and organizations that are under a confidentiality obligation, purely and simply for the express purpose of the protection of public health, preventive medicine, medical diagnosis, the course of treatment and maintenance services, and the planning and management of health services.
The processing of Personal Data abroad and their transfer to third natural or legal parties may be affected by the express consent of the data subject. In the absence of express consent, Personal Data may be processed in the presence of one of the conditions stipulated under Articles 5/2 and 5/3 of the LPPD, and in the presence of the below-stated conditions:
a. Adequate protection is provided, as it is determined and announced by the Personal Data Protection Board (“Board”),
b. Data Controllers in Turkey and in the concerned foreign country undertake, in writing, to provide adequate protection, as well as the authorization of the Board, if sufficient protection does not exist in the foreign country.
Furthermore, provided that international agreement clauses are reserved, in the event serious harm is made to the interest of the country or to the related person, Personal Data may be transferred abroad, provided that the opinion of the related state institution or organization is obtained, and the Board authorizes the transfer.
6. Protection of Rights of the Data Subject
Data Subjects may make use of their below-stated rights by application to Erdem & Erdem:
a. Ascertaining whether any personal data is processed or not,
b. Requesting information related to the processing of personal data, if processed,
c. Ascertaining the purpose of the processing of personal data, and whether or not the use of Personal Data is in compliance with this purpose,
d. Identifying third parties to whom the personal data is transferred within the country and abroad,
e. Requesting rectification if personal data is processed in an unsatisfactory or incorrect manner,
f. Demanding deletion or destruction of personal data within the framework of Article 7 of the LPPD,
g. Demanding the notification of adjustment, deletion and destruction to third parties to whom the personal data had been transferred,
h. Objection to the result of the analyzation (exclusively by means of automatic systems) of the processed personal data, and which is to the detriment of the person, and
i. Claiming compensation for damages that he/she suffered due to the illegal processing of the personal data.
For the exercise of these rights as stated, above, it is required for Data Subjects to send their requests in written or through registered electronic mail address, secured electronic signature, mobile signature or through the electronic mail address which is notified before to Erdem & Erdem by the Data subject and registered in Erdem & Erdem’s system; or the requests may be also delivered through a software or application developed for the objective of application tothe electronic address of Erdem & Erdem, i.e. firstname.lastname@example.org or to it mail address at Ferko Signature, Büyükdere Caddesi, No. 175, Kat. 3, 34394 Esentepe - Şişli, İstanbul/ Turkey.
It is obligatory for the Data Subjects’s application to include, name, surname, signature (if the application is written), identity number for Turkish Republic Citizens, nationality, passport number and identity number (if applicable) for the foreigners, place of residence or work to be used in the notifications, electronic mail address to be declared (if applicable), telephone and fax numbers and the subject of request.
7. Precautions Related to Accurate and Updated Conservation, Security and Protection of Personal Data
Erdem & Erdem shall take all necessary technical and administrative precautions to ensure the accurate and updated conservation of Personal Data, to conserve Personal Data in secure media, and to avoid the disappearance, transformation and illegal use of Personal Data.
In the event that personal data is processed by a natural or legal persons on behalf of Erdem & Erdem, and in the matter of the precautions stated in this paragraph, Erdem & Erdem is jointly and severally liable together with the other data processors.
Erdem & Erdem and its employees can neither disclose personal data to third parties in violation of the LPPD, nor may it make use of this knowledge beyond the level of processing. This obligation continues after their resignation, as well.
If personal data by third parties is obtained in an illegal manner, Erdem & Erdem shall report this fact to the person concerned, and to the Board within 72 hours in order to be able to take the necessary precautions.
- Activities related to Personal Data processing are defined in the Quality Management System. The requirements for legal conformity, based on these activities, are developed by way of application rules and auditing methods.
- Briefings and Trainings are regularly organized for the purpose of increasing the awareness of Erdem & Erdem employees regarding the relevant legislation on the protection of Personal Data.
- The obligations of employees regarding the protection of Personal Data and its processing within the legal framework are stipulated in the confidentiality statement between the employee and Erdem & Erdem.
- In the event that service procurement is required from an external institution, the persons or the institution that processes Personal Data are informed of the “Confidentiality Undertaking for the Data Processor.” Through this means, the auditing of the data processing by the data processor institutions is ensured.
- For the purpose of ensuring confidentiality, the printed versions of the documents are retained in rooms and storage cupboards that are protected by passwords. The passwords of these rooms are available only to authorized persons.
- Personal data is kept separately, the retention period of this data is systematically tracked, and their destruction process is audited.
- Personal data is processed via Outlook and a special software, e. Document Management System.
- Regular system reports are obtained for network security. Technological developments are followed, and the information systems are renewed and updated.
- Internet security is ensured by firewall and by internet infrastructure. The interlocation secure network connection and the antivirus programs that are designated according to needs and necessities, are used.
8. Amendments to Personal Data Protection Policy
Erdem & Erdem may make amendments from time to time to this Policy that are required due to their activities, or that which are legally necessary. These amendments become valid by the publication of the amended Policy on www.erdem-erdem.av.tr Also, all clients, business associates and employees shall be notified by e-mail of any proposed amendments.