RENGİN LAW

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. Purpose and Principle

At Rengin Law, the protection of personal data is regarded not only as a legal obligation, but also as a natural reflection of our respect for individual rights. In this regard, it is among our fundamental principles to ensure the security of personal data and to adopt a transparent and fair approach during data processing activities in accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”), Article 20 of the Constitution, the Turkish Code of Obligations, the Turkish Commercial Code and the Electronic Communications Law.

2. Definitions Table

Term | Definition
Explicit Consent | The declaration of will given by an individual, based on informed and free will, regarding a specific subject.
Personal Data | Any information relating to an identified or identifiable natural person (name, surname, Turkish ID number, e-mail, IP, audio recording, etc.).
Special Categories of Personal Data | Sensitive data that may lead to discrimination, such as health information, political opinion, religious belief, biometric data and information on criminal convictions.
Data Subject (Related Person) | The natural person whose personal data is processed (client, visitor, job applicant, etc.).
Data Processor | Any natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller | The natural or legal person who determines the purposes and means of processing personal data.
VERBİS | Data Controllers Registry Information System.
POLICY | This “Personal Data Protection and Processing Policy” which sets out the principles we have adopted regarding the processing and protection of personal data.
KVKK | Law No. 6698 on the Protection of Personal Data.

3. Scope

3.1 Categories of Individuals

This Policy covers the processing of personal data belonging to all natural persons who have a relationship with Rengin Law. Legal entities are excluded from the scope of this Policy. The table below lists the categories of individuals whose data are processed.

# | Category | Description
1 | Job Applicant | Individuals who apply for a job or submit their résumé.
2 | Intern | Individuals working within the office as part of practical legal training.
3 | Lawyer | Individuals who professionally provide legal services within our firm.
4 | Client & Consultant | Individuals who benefit from the legal services offered by our office.
14 | Potential Client | Individuals who may potentially benefit from the legal services we provide.
15 | Visitor | Individuals who visit our office or our digital platforms.
16 | Third Party | Individuals whose data are processed but who do not fall into the groups listed above.
17 | Relatives and Family Members | Spouses, children, parents and similar family members declared by employees or authorized persons.

3.2 Categories of Personal Data

Personal data processed by Rengin Law may be classified under the following categories:

# | Data Category | Example Data | Data Type
1 | Identity | Name and surname, parents’ names, mother’s maiden name, date and place of birth, marital status, ID card serial number, Turkish ID number, etc. | Personal Data
2 | Contact | Address, e-mail, correspondence address, Registered Electronic Mail (KEP), phone number, etc. | Personal Data
3 | Location | Location information, geographic location, etc. | Personal Data
4 | Employment | Payroll information, disciplinary investigation records, onboarding documents, asset declarations, résumés, performance evaluation reports, etc. | Personal Data
5 | Legal Transaction | Correspondence with judicial authorities, information found in case files, etc. | Personal Data
6 | Client Transaction | Call center records, invoices, promissory notes, checks, order information, branch transactions, request and complaint records, etc. | Personal Data
7 | Physical Premises Security | CCTV recordings, entry and exit logs, etc. | Personal Data
8 | Processing Security | Website login and logout records, password and credential information, user activity logs, etc. | Personal Data
9 | Financial | Balance sheet data, bank account information, credit and risk information, financial data, etc. | Personal Data
10 | Professional Experience | Diplomas, certificates, professional qualification documents, work history, education status, etc. | Personal Data
11 | Marketing | Survey responses, cookie data, participation in campaigns, customer preferences and interests, etc. | Personal Data
12 | Visual and Audio Records | Photographs, audio and video recordings, etc. | Personal Data
13 | Signature | Electronic signature, wet signature, etc. | Personal Data
14 | Health Data | Disability status, blood type, personal health information, details of medication and medical procedures, etc. | Special Category Data
15 | Criminal Convictions and Security | Information relating to criminal convictions, security investigations and security measures, etc. | Special Category Data

4. Our Data Processing Principles

At Rengin Law, personal data is processed solely for legally specified purposes and in a secure manner. In addition to complying with legal provisions, protecting corporate reputation and respecting individuals’ fundamental rights are also considered key responsibilities.

Rengin Law strictly adheres to the following principles when processing personal data:

  • Compliance with law and rules of good faith: Data processing activities are carried out in accordance with legal regulations and social ethical values.
  • Accuracy and up-to-dateness: Care is taken to ensure that the data processed is accurate and kept up-to-date when necessary.
  • Processing for specific and legitimate purposes: Data is processed only for clearly defined, lawful and legitimate purposes.
  • Limited and proportionate processing: Only the data necessary for the intended purpose is collected and used.
  • Storage limitation: Data is retained only for the period required by the purpose of processing and is then deleted, destroyed or anonymized.

4.1 Lawful Processing of Personal Data

4.1.1 Processing General Personal Data in Accordance with Legislation

All personal data processing activities carried out within Rengin Law must be based on at least one of the data processing conditions set out in Law No. 6698 and other applicable legislation. In this context, each department and responsible person must:

  • Evaluate the legal basis of the processes they carry out,
  • Ensure that personal data processing operations and practices are based on a legitimate legal ground,
  • Prevent any personal data processing activity that lacks a legal basis from being included in their processes.

Each department must periodically check the legal validity of the data processing operations within its area of activity and ensure compliance with current legislation.

4.1.2 Lawful Processing of Special Categories of Personal Data

Special categories of personal data require a higher degree of protection in terms of data security. Therefore, Rengin Law takes additional technical and administrative measures when processing such data.

In particular, the following principles are followed:

  • (a) For special categories of personal data other than health data (such as race, political opinion, religious belief, clothing, etc.), if the relevant legislation explicitly provides for data processing, the data may be processed without the explicit consent of the data subject. However, in the absence of a legal provision, explicit consent must be obtained.
  • (b) Health data may be processed only for legitimate and specific purposes such as protection of public health, preventive medicine, medical diagnosis, treatment and care, planning and management of health services and their financing. Such data may be processed without explicit consent only by health professionals or authorized institutions who are under a confidentiality obligation. In other cases, explicit consent must be obtained.

Even under the above-mentioned conditions, Rengin Law exercises utmost care in all special category data processing activities as follows:

  • Processing such data only for the purposes specified and in a limited manner,
  • Fully complying with the provisions of KVKK and other relevant legislation regarding the transfer of such data to third parties (domestically or abroad),
  • Acting in accordance with Article 6 of KVKK in the processing, transfer, storage and deletion of special categories of personal data,
  • Implementing all mandatory administrative (restriction of access, confidentiality undertakings, clear job descriptions, etc.) and technical (encryption, access controls, logging, etc.) security measures without exception.

Rengin Law, in processing such data, bases its approach not only on legal requirements, but also on respect for individuals’ fundamental rights and freedoms.

4.2 Obligations Regarding the Protection and Processing of Personal Data

4.2.1 Data Security

Data security is one of the top priorities of Rengin Law. In this context:

  • Technical and administrative measures are taken to prevent unauthorized access, data loss or data leakage.
  • KVKK awareness trainings are organized for employees.
  • Security vulnerabilities and breaches are detected immediately and reported within the legal time limits.

4.2.2 Clarification (Information)

In all personal data processing activities carried out by our office, the obligation to inform data subjects is fulfilled in accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”) and related regulations.

Accordingly, before or at the latest at the time the personal data is obtained, data subjects are informed about:

  • The identity of the data controller,
  • The purpose of processing the data,
  • The method of collection and the legal basis,
  • To whom and for what purpose the data may be transferred,
  • The rights of the data subject,

in accordance with the scope and content specified in Article 10 of KVKK.

All channels through which personal data may be collected by the office (physical forms, digital platforms, call centers, website, etc.) must be clearly identified and special clarification texts appropriate to these collection methods must be prepared. These texts must be structured to cover both legal requirements and the nature of the channel used, and must be kept up to date.

In addition, a list of all data collection tools and channels used by Rengin Law must be created, and this list must be reviewed and updated every 6 months (twice a year).

Rengin Law considers informing data subjects transparently, and supporting that information through concrete channels, a primary obligation.

4.2.4 Notification Obligation

Under Law No. 6698 on the Protection of Personal Data, individuals whose personal data are processed (data subjects) have the right to request information, correction and deletion, and to exercise their other rights, by applying to the data controller. In this context, Rengin Law is obliged to manage the requests of data subjects in a transparent, accessible and effective manner.

Accordingly, our office:

  • Determines various application channels (e-mail, postal mail, application form, etc.) through which data subjects can submit their requests and applications,
  • Defines all processes from receipt to finalization of such requests within the legal framework,
  • Fulfills its obligation to provide information and notification in this context.

Applications submitted by data subjects are evaluated as soon as possible depending on the nature and content of the request and are finalized within thirty (30) days in all circumstances. Responses are provided in a clear, plain and informative format, in language that the data subject can clearly understand.

Our office clearly informs the data subject that in cases where:

  • No response is received in due time,
  • The response received is found insufficient,
  • The application is completely rejected,

the data subject may file a complaint with the Personal Data Protection Board. In addition, internal information is provided regarding this right and awareness on this issue is raised among employees within the organization.

Rengin Law records all applications made regarding the exercise of data subjects’ rights and the responses given to these applications in a systematic manner.

By fulfilling all these obligations, Rengin Law ensures that data subjects can effectively exercise their legal rights and acts in accordance with the principle of transparency.

5. Data Transfer

Personal data may be shared with third parties in Turkey provided that the conditions stipulated in KVKK are met, in the following cases:

  • Where explicit consent has been obtained,
  • Where it is clearly provided for by law,
  • Where it is necessary to protect life or physical integrity,
  • Where it is necessary for the performance of a contract,
  • Where it is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed,
  • Where it is necessary for the establishment, exercise or protection of a right,
  • Where the data have been made public by the data subject himself/herself.

6. Rights of Data Subjects

Under Article 11 of KVKK, data subjects have the following rights:

  • To learn whether their personal data is processed,
  • To request information if their personal data has been processed,
  • To learn the purpose of processing their personal data and whether it is used in accordance with this purpose,
  • To know the third parties to whom personal data is transferred, whether domestically or abroad,
  • To request the correction of incomplete or inaccurate data,
  • To request the deletion or destruction of their personal data,
  • To request that these correction, deletion or destruction processes be notified to third parties to whom the data has been transferred,
  • To object to any result against them that arises from analysis of the processed data exclusively through automated systems,
  • To request compensation for damages in case they suffer damage due to unlawful processing of personal data.

7. Application and Communication Process

To exercise the rights listed above, you may apply by:

  • Submitting a written application with a wet-ink signed petition,
  • Submitting electronically signed application forms.

Your applications will be answered within 30 days at the latest. If the processing of your application requires an additional cost, a fee may be charged in accordance with the tariff determined by the Personal Data Protection Board.

8. Publication and Update of the Policy

This Policy entered into force on the date it was published by Rengin Law. Updates to the Policy may be made in line with legislative changes or operational requirements. The current versions are published at …. (website address).