B/A LAW FIRM
PERSONAL DATA PROTECTION AND PRIVACY POLICY
INDEX
ABBREVIATIONS AND CONCEPTS
1. INTRODUCTION
2. PROVISIONS ON PERSONAL DATA PROTECTION
3. PROVISIONS ON PERSONAL DATA PROCESSING AND TRANSFERRING
4. CATEGORIZATION OF PERSONAL DATA PROCESSED BY THE DATA CONTROLLER, PURPOSE OF PROCESSING
5. THE RETENTION PERIODS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA AND STORAGE ENVIROMENTS
6. CATEGORIZATION OF DATA SUBJECTS, WHOSE PERSONAL DATA IS PROCESSED BY DATA CONTROLLER
7. PERSONAL DATA TRANSFER TO THIRD PARTIES BY THE DATA CONTROLLER AND THEIR PURPOSE OF TRANSFER
8. PERSONAL DATA PROCESSING CONDITIONS AND PROCESSING ACCORDING TO THE LAW
9. RIGHTS OF PERSONAL DATA SUBJECTS
10.THE RELATIONSHIP OF THE PERSONAL DATA PROTECTION AND PRIVACY POLICY WITH OTHER POLICIES
ABBREVIATIONS AND CONCEPTS
| KVKK/The Law | Law No. 6698 on the Protection of Personal Data published in the Official Gazette numbered 29677 dated April 7 2016 |
| GDPR | EU General Data Protection Regulation |
| The Constitution | Constitution of the Republic of Turkey dated 1982 and numbered 2709 |
| Data Processor | The person responsible for the technical storage, protection and backup of the data or the person who processes personal data outside the organization of the data controller and in accordance with the authorization and instruction received from the data controller. |
| Data Subject/Related Person | B/A Law Firm’s Related Persons; employees, clients, customers, business partners, shareholders, potential clients, employee candidates, interns, visitors, suppliers, employees of the institutions, third parties and other persons, including but not limited to those listed here, are real persons whose personal data are processed. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. In line with this Policy, B/A Law Firm will hereinafter be referred to as Data Controller. |
| Explicit Consent | Informed and freely given consent on a particular issue. |
| Disposal | Deletion, destruction or anonymization of personal data. |
| Storage/Recording | Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Sensitive Personal Data | Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of natural persons |
| Processing of personal data | All kinds of operations performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system |
| Anonymization | The anonymization of personal data in such a way that it cannot be accessed, retrieved and reused in any way. |
| Deletion | The deletion of personal data in such a way that it cannot be associate personal data with a specific or identifiable natural person in any way. |
| Destruction | The destruction of personal data in such a way that it cannot be accessed, retrieved and reused in any way. |
| Periodic Disposal | The ex officio execution of deletion, destruction or anonymization operations at recurring intervals. |
| Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data. |
| Personal Data Protection Board | Personal Data Protection Board |
| Personal Data Protection Authority | Personal Data Protection Authority |
| Policy | Data Controller’s Personal Data Protection and Processing Policy |
| Turkish Criminal Law | Turkish Criminal Law dated 2004 and numbered 5237. |
| Disclosure Obligation | It is the obligation of the Data Controller to inform the data subject within the scope of the rights in Article 11 of the KVKK law. |
| Data Controllers Registry Information System (VERBIS) | The data recording system where data controllers declare their information regarding data processing activities. |
1. INTRODUCTION
Objective
As a Data Controller, we are aware of our responsibility for the protection and legal assurance of personal data. We attach special importance to the security of your personal data.
The purpose of this policy is to regulate the procedures and principles to be followed by B/A Law Firm to ensure the processing and protection of personal data in accordance with the Personal Data Protection Law (the KVKK Law).
This policy is about ensuring full compliance with the legislation in the processing and protection of personal data carried out by the Data Controller and protecting all rights of personal data subjects.
Scope
This policy is implemented for the protection of personal data processed by B/A Law Firm within the scope of attorneyship and consultancy activities.
| Groups of Persons Whose Data are Processed under the Policy |
|---|
| Attorney at Law / Lawyer |
| Employee |
| Employee Candidate |
| Parties to Litigation, Enforcement, Arbitration, Mediation |
| Former Client |
| Subject of news |
| Shareholder/Partner |
| Client |
| Data Subjects whom the Client is the Data Controller |
| Potential Client |
| Legal Intern |
| Supplier Employee |
| Supplier Representative |
| Visitor |
Implementation of the Policy and Related Legislation
Within the scope of this Policy, the relevant legal regulations and data security principles in force in the national legislation regarding the processing and protection of personal data shall be applied primarily. In case of any incompatibility between the legislation in force and this Policy, the Data Controller agrees that the legislation in force shall apply.
2. PROVISIONS ON PERSONAL DATA PROTECTION
The Data Controller shall take appropriate technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to ensure that personal data is processed in accordance with the law, to prevent unlawful access, loss and destruction of this data, and to ensure that it is stored in secure environments.
The main technical measures taken in our firm are listed below:
| Technical Measures |
|---|
| Network security and application security are ensured |
| Closed system network is used for personal data transfers through the network |
| Key management is implemented |
| Necessary security measures are taken within the scope of procurement, development and maintenance of information technology systems |
| Security of personal data stored in the cloud is ensured |
| Access logs are kept regularly |
| Corporate policies on access, information security, use, storage and disposal have been prepared and implemented |
| Data masking measures are applied as needed |
| Up-to-date anti virus systems are used |
| Firewalls are used |
| Personal data is backed up and the security of the backed up personal data is also ensured |
| User account management and authorization control system is implemented and monitored |
| Log records are kept without user intervention |
| Intrusion detection and prevention systems are used |
| Cyber security measures have been taken and their implementation is constantly monitored |
| Encryption is used |
| Sensitive personal data transferred in portable memory, CD, DVD media are transferred by encrypting the data |
| Data loss prevention software is used |
The main administrative measures taken in our firm are listed below:
| Administrative Measures |
|---|
| Disciplinary arrangements are in place for employees that include data security provisions |
| Education and awareness activities on data security for employees are carried out regularly |
| Authorization matrix created for employees |
| Confidentiality agreements are made |
| Employees who change their position or leave their job are de-authorized |
| The signed contracts contain data security provisions |
| Personal data security policies and procedures are determined |
| Personal data security issues are quickly reported |
| Personal data security is monitored |
| Necessary security measures are taken for entering and exiting physical environments containing personal data |
| Physical environments containing personal data are secured against external risks (fire, flood, etc.) |
| Security of environments containing personal data is ensured |
| Personal data is reduced as much as possible |
| Internal periodic and/or random audits are conducted |
| Existing risks and threats are identified |
| Protocols and procedures for the security of sensitive personal data are determined |
| Data processing service providers are periodically audited on data security |
| Awareness of data processing service providers on data security is ensured |
Supervision of Measures Taken for the Protection of Personal Data
The Data Controller conducts the necessary audits within its own organization. The results of the audits conducted within the scope of the audit activities required to fulfill the obligations of the legal regulations constituting the protection of personal data are reported to the relevant unit of the Data Controller and necessary work is carried out to improve the measures taken.
Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
The Data Controller is obliged to protect the personal data against unauthorized access, unlawful processing, disclosure, loss and alteration. In the event that personal data is obtained and used by unauthorized persons, the data controller shall notify the relevant data subject and the Personal Data Protection Board as soon as possible.
Protection of Sensitive Personal Data
The KVKK Law attaches special importance to some special categories of personal data due to the risk of causing victimization or discrimination if processed unlawfully..
Sensitive personal data are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
The Data Controller is deeply committed to the protection of special categories of personal data processed in accordance with the law. In this regard, necessary audits are conducted and a Policy on Processing and Protection of Sensitive Personal Data is established by Data Controller.
Processing of Sensitive Personal Data
In the processing of personal data determined as "sensitive", the Data Controller diligently complies with the regulations stipulated in the KVKK Law.
Sensitive personal data are processed by the Data Controller as listed below:
If the personal data subject has explicit consent
or
in cases stipulated in the law, except for personal data of special nature other than the health and sexual life of the personal data subject.
Sensitive personal data relating to the health and sexual life of the personal data subject may only be processed by authorized persons, institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
Enhancing Awareness on Protection and Processing of Personal Data
The Data Controller ensures that necessary trainings are organized at the workplace to raise awareness in order to ensure the utmost protection of personal data.
The trainings are updated and renewed by the data controller in parallel with the changes in the relevant legislation.
3. PROVISIONS ON PERSONAL DATA PROCESSING AND TRANSFERRING
The Data Controller processes personal data in accordance with the law and integrity rules; accurate and updated when necessary; for specific, unambiguous and legitimate purposes; in a manner that is purposeful, limited and proportionate. It retains these data only for the period specified in the relevant legislation or required for the purpose for which they are processed.
Pursuant to Article 5 of the KVKK Law, the Data Controller processes personal data based on one or more of the conditions specified regarding the processing of personal data only in cases stipulated by law or with the explicit consent of the person.
The Data Controller shall inform the personal data subjects in accordance with Article 10 of the KVKK Law. Whilst fulfilling the disclosure obligation, the Data Controller acts in accordance with the Law No. 6698, the Communiqué on the Procedures and Principles to be followed in the Fulfillment of the Disclosure Obligation, the Board decisions published on the website of the Authority and the Guide to the Fulfillment of the Disclosure Obligation prepared by the Authority.
The Data Controller complies with the regulations stipulated for the processing of sensitive personal data in pursuant to Article 6 of the KVKK Law.
The Data Controller transfers personal data in accordance with Articles 8 and 9 of the KVKK Law.
Transfer of Personal Data
The Data Controller may transfer personal data to third parties by taking the necessary security measures in order to process personal data in accordance with the law.
Conditions for Transfer of Personal Data
In line with the legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below:
- If there is explicit consent of the personal data subject,
- If there is a specific regulation in the laws concerning the transfer of personal data,
- If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid,
- If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract
- If personal data transfer is mandatory for the Data Controller to fulfill its legal obligation,
- If the personal data has been made public by the personal data subject,
- If personal data transfer is mandatory for the establishment, exercise or protection of a right,
- If personal data transfer is mandatory for the legitimate interests of the Data Controller, on condition that it does not harm the fundamental rights and freedoms of the personal data subject
Transfer of Personal Data Abroad
Nowadays, communication through instant messaging or online channels is often practiced using platforms and applications originating from abroad. Hence, data can be transferred abroad over these platforms.
4. CATEGORIZATION OF PERSONAL DATA PROCESSED BY THE DATA CONTROLLER, PURPOSE OF PROCESSING
Personal data are processed by the Data Controller in accordance with the general principles and all obligations set out in the KVKK Law.
Categorization of Personal Data Processed by the Data Controller
The Data Controller processes your personal data in the below categories:
| Data Categorization |
|---|
| Identity |
| Transaction Security |
| Contact |
| Career Experience |
| Risk Management |
| Financial |
| Legal Procedures and Compliance |
| Audiovisual |
| Health Status |
| Workplace Personnel File |
| Client Transaction |
| Criminal Conviction and Security Measures |
| Employee Family Member and Relative |
Purposes of Processing Personal Data
The Data Controller processes your personal data for the below purposes:
| Purposes |
|---|
| Execution of Emergency Management Processes |
| Execution of Information Security Processes |
| Execution of Employee Candidates Job Application Processes |
| Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees |
| Execution of Side Benefits and Perquisites Processes for Employees |
| Execution of Audit / Ethics Activities |
| Education Activities |
| Execution of Access Authorizations |
| Execution of Activities in Compliance with the Legislation |
| Execution of Termination Procedures |
| Execution of Finance and Accounting Affairs |
| Ensuring Physical Space Security |
| Communication With Our Clients, Their Stakeholders, And Third Party Communication On Behalf Of Our Clients, Within The Context Of The Services Provided To Our Clients |
| Providing Legal Advisory And Advocacy Services To Our Clients, The Performance Of Our Other Contractual Obligations, And Reporting |
| Execution / Supervision of Business Activities |
| Execution of Work Health / Safety Activities |
| Receiving and Evaluating Suggestions for Improvement of Business Processes |
| Execution of Business Sustainability |
| Execution of Goods / Service Supply Processes |
| Execution of Advocacy Service Processes |
| Informing Clients of Legislative and Other Developments |
| Organization and Event Management |
| Storage and Archive Activities |
| Execution of Contract Processes |
| Monitoring of Requests / Complaints |
| Ensuring the Security of Movable Property and Resources |
| Execution of Wage Policy |
| Talent / Career Development Activities |
| Providing İnformation And Documentation Requested Under The Relevant Legislation By Judicial Or Administrative Authorities, İncluding Execution Offices, Law Enforcement Officers |
| Execution of Management Activities |
| Creating and Tracking Visitor Records |
In such a situation where the processing activity carried out for the above-mentioned purposes does not comply with any of the conditions stipulated under the KVKK Law, explicit consent will be obtained regarding the relevant processing process.
5. THE RETENTION PERIODS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA AND STORAGE ENVIROMENTS
The retention periods of the personal data processed by the Data Controller are listed below:
| Data Categories | Retention Periods |
|---|---|
| Identity |
|
| Transaction Security |
|
| Contact |
|
| Career Experience |
|
| Risk Management |
|
| Financial |
|
| Legal Procedures and Compliance |
|
| Audiovisual |
|
| Health Status |
|
| Workplace Personnel File |
|
| Client Transaction |
|
| Criminal Conviction and Security Measures |
|
| Employee Family Member and Relative |
|
If the legislation does not regulate the period for which personal data should be retained, Personal Data is processed for the period required to be processed in accordance with the practices of the Data Controller and the practices of the sector, depending on the activity performed by the Data Controller while processing that data, and then it is deleted, destroyed or anonymized. You can find detailed information on this subject in the Policy on Deletion, Destruction or Anonymization of Personal Data.
If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Data Controller have reached the end; personal data can only be stored in order to constitute evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. In the setting of the periods herein, retention periods are determined based on the statute of limitations for the assertion of the aforementioned right and the examples in the requests previously addressed to the Data Controller on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the case of the legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.
Personal data are securely stored by the Data Controller in the environments listed in the table below:
| Storage Environments |
|---|
| Business Server |
| Computer |
| Locked Archive Storage |
| Server |
| Email Server |
| Software Program |
| Cloud Storage/Backup |
| Flash Memory |
6. CATEGORIZATION OF DATA SUBJECTS, WHOSE PERSONAL DATA IS PROCESSED BY DATA CONTROLLER
The types of personal data of the data subjects are detailed in the table below.
| Personal Data Subject Category and Description | Category of Processed Personal Data of the Data Subject |
|---|---|
| Attorney at Law / Lawyer |
|
| Employee (Real persons who have an employment contract with the Data Controller) |
|
| Employee Candidate (Natural persons who have applied for a job or who have opened their CV and related information to the examination of the Data Controller) |
|
| Parties to Litigation, Enforcement, Arbitration, Mediation File |
|
| 3rd Parties in Litigation, Execution, Arbitration, Mediation File |
|
| Former Client |
|
| Subject of the news (The person about whom the news was reported) |
|
| Shareholder/Partner (Real persons who are shareholders of the Data Controller) |
|
| Client |
|
| Data Subjects for whom the Client is Data Controller (Other groups of people) |
|
| Potential Client |
|
| Legal Intern |
|
| Supplier Employee (Natural persons who are affiliated to the Data Controller with a supply contract and have an employment contract with the Supplier) |
|
| Supplier Representative (Natural persons who are authorized to represent the Supplier who are affiliated to the Data Controller with a supply contract) |
|
| Website Visitors (Natural persons who visit the websites owned by the Data Controller) |
|
7. PERSONAL DATA TRANSFER TO THIRD PARTIES BY THE DATA CONTROLLER AND THEIR PURPOSE OF TRANSFER
In pursuant to Articles 8 and 9 of the KVK Law, the Data Controller may transfer the personal data of the data subjects to domestic and abroad recipient groups within the scope of the purposes for transfer on the basis of the data category in the below :
| Data Category | Transfer Purpose | Recipient Groups | ||
|---|---|---|---|---|
| Domestic | Abroad | Domestic | Abroad | |
| Identity |
Administration Request
Legal Obligation
Provide Information
Court Order
Consulting
Audit Operations
Service Delivery for the Relevant Person
Monitoring the Legal Affairs and Transactions of the Data Controller
Operational Transactions
|
Communication
Service Delivery for the Relevant Person
|
Authorized Government Institutions and Organizations Clients
Natural Persons or Private Law Legal Entities
Suppliers
|
Natural Persons or Private Law Legal Entities
Suppliers
|
| Transaction Security |
Administration Request
Legal Obligation
|
-
|
Authorized Government Institutions and Organizations
|
-
|
| Contact |
Administration Request
Legal Obligation
Provide Information
Operational Transactions
|
Communication
Service Delivery for the Relevant Person
|
Authorized Government Institutions and Organizations
|
-
|
| Career Experience |
Provide Information
Legal Obligation
Administration Request
Court Order
Audit Operations
Service Delivery for the Relevant Person
Monitoring the Legal Affairs and Transactions of the Data Controller
Consulting
Operational Transactions
|
-
|
Authorized Government Institutions and Organizations
|
Natural Persons or Private Law Legal Entities
Suppliers
|
| Risk Management |
Provide Information
Legal Obligation
Administration Request
Court Order
Audit Operations
Service Delivery for the Relevant Person
Monitoring the Legal Affairs and Transactions
Consulting
Operational Transactions
|
-
|
Authorized Government Institutions and Organizations
|
-
|
| Financial |
Provide Information
Legal Obligation
Administration Request
Court Order
Consulting
Audit Operations
Service Delivery for the Relevant Person
Monitoring the Legal Affairs and Transactions
Consulting
Operational Transactions
|
-
|
Authorized Government Institutions and Organizations
|
-
|
| Legal Procedures and Compliance |
Administration Request
Legal Obligation
Service Delivery for the Relevant Person
Court Order
Consulting
|
-
|
Authorized Government Institutions and Organizations
|
-
|
|
Audiovisual
|
Administration Request
Legal Obligation
Service Delivery for the Relevant Person
Court Order
Consulting
|
-
|
Authorized Government Institutions and Organizations
|
-
|
| Health Status |
Administration Request
Legal Obligation
Court Order
|
-
|
Authorized Government Institutions and Organizations
|
-
|
| Workplace Personnel File |
Provide Information
Legal Obligation
Administration Request
Court Order
Audit Operations
Service Delivery for the Relevant Person
Monitoring the Legal Affairs and Transactions
Consulting
Operational Transactions
|
-
|
Authorized Government Institutions and Organizations
|
|
| Client Transaction |
Administration Request
Legal Obligation
Service Delivery for the Relevant Person
Court Order
Consulting
|
-
|
Authorized Government Institutions and Organizations
|
-
|
| Criminal Conviction and Security Measures |
Administration Request
Legal Obligation
Service Delivery for the Relevant Person
Court Order
Consulting
|
-
|
Authorized Government Institutions and Organizations
|
-
|
| Employee Family Member and Relative |
Administration Request
Legal Obligation
Court Order
|
-
|
Authorized Government Institutions and Organizations
|
-
|
8. PERSONAL DATA PROCESSING CONDITIONS AND PROCESSING ACCORDING TO THE LAW
The personal data of the data subject may be processed in accordance with the law if it is specifically stated in the law.
In cases where it is necessary to process personal data other than the conditions stated in the law, the explicit consent of the personal data subject will be obtained.
In the event that it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid, his/her personal data can be processed without seeking explicit consent.
If it is necessary to process personal data belonging to the parties to the contract, it is possible to process personal data provided that it is directly related to the establishment or performance of the contract.
The personal data of the data subject may be processed by the data controller if it is mandatory for the fulfillment of its legal obligations.
If the data subject has made his/her personal data public by himself/herself, the relevant personal data can now be processed.
Personal data of the personal data owner may be processed if data processing is mandatory for the establishment, exercise or protection of a right.
In circumstances where data processing is mandatory for the legitimate interests of the Data Controller, the data may be processed without prejudice to the fundamental rights and freedoms of the personal data subject.
9. RIGHTS OF PERSONAL DATA SUBJECTS
Rights of the Personal Data Subject
Personal data subjects have the below-mentioned rights:
- The right to be informed whether their personal data has been processed or to request information about whether their personal data has been processed;
- The right to be informed of the purposes of the data processing and whether their personal data has been used for the intended purposes;
- The right to be informed of the third parties to whom their personal data has been transferred either domestically or abroad;
- The right to request the rectification of incomplete or inaccurate data, if any; request the deletion, destruction of their personal data under the conditions laid down in the legislation; or request a notification from the third parties to whom their personal data has been transferred regarding the operations carried out with respect to their aforementioned request;
- The right to object to the processing of their personal data collected exclusively by automatic means that has led to an unfavorable consequence for them;
- The right to request compensation for any damages arising from the unlawful processing of their personal data.
Circumstances in which the Rights of the Personal Data Owner cannot be asserted
- Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.
- Processing of personal data within the scope of preventive, protective and investigative activities executed by law authorized public institutions and organizations in order to ensure national defense, national security, public security, public order or economic security.
- Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.Kişisel veri işlemenin suç işlenmesinin önlenmesi veya suç soruşturması için gerekli olması.
- Processing of personal data made public by the personal data subject himself/herself.
- Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized public institutions and organizations based on the authority granted by the law.
- Processing of personal data is necessary for the protection of the economic and financial interests of the State in the context of budgetary, tax and fiscal matters.
Use of Rights of the Personal Data Subject
Personal Data Owners can submit their requests regarding their rights to the Data Controller free of charge by filling out and signing the Application Form with the information and documents that will identify their identity by defined in below or by methods determined by the Personal Data Protection Board.
After filling in the form, which you can obtain from Cumhuriyet Bulvarı No:127/8 Konak İzmir address, or simply in our website, you can send a original signed copy of the form to the address of the Data Controller Cumhuriyet Bulvarı No:127/8 Konak İzmir by hand or through a notary public.
Personal Data Subject's Right to File a Complaint to the Personal Data Protection Board
Pursuant to Article 14 of the KVKK Law, the personal data subject may file a complaint to the Personal Data Protection Board within thirty days from the date of learning the response of the Data Controller and n such cases where the application is rejected, the response is found insufficient or the application is not responded in due time.
Procedure and Deadline for the Data Controller to Respond to Applications
The Data Controller will conclude the application free of charge within thirty days at the latest depending on the content of the request. However, if a fee is required by the Board, the Data Controller shall charge the applicant the fee in the tariff determined by the Personal Data Protection Board.
Request for Information from the Applicant Personal Data Subject
The Data Controller may request information in order to determine whether the applicant is the personal data subject. Also,the Data Controller may ask questions to the personal data subject about the application in order to clarify the issues in the application of the personal data subject.
10. THE RELATIONSHIP OF THE PERSONAL DATA PROTECTION AND PRIVACY POLICY WITH OTHER POLICIES
The Data Controller may prepare sub-policies for internal use regarding the protection and processing of personal data with respect to the principles set out in this Policy, also establishes other policies for certain groups of people, especially employees.
The principles of the Data Controller's sub-policies for internal use are aimed to be shared with publicly available policies to inform those concerned within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out.
Thank you for reading our KVKK Policy.