The purpose of this Personal Data Protection Policy (“Policy”) is to provide information about the personal data processing activities carried out by Erdem & Erdem Ortak Avukatlık Bürosu, Erdem & Erdem Danışmanlık A.Ş. and Erdem & Erdem B.V. (“Erdem & Erdem” or “E&E”) in accordance with the Law on Protection of Personal Data (“LPPD”) numbered 6698, the European Union General Data Protection Regulation (“GDPR”) and the relevant legislation and the systems adopted for the protection of personal data. In this respect, this policy aims to enlighten the persons whose personal data has been processed, especially our clients and business partners, employees, prospective employees, website visitors, Newsletter and Exlibris subscribers, suppliers, visitors as well as the employees, shareholders, and officials of the institutions that we are in collaboration with, and third parties.
1. Legal Reason for Personal Data Processing
Erdem & Erdem processes personal data only (i) explicit provision of law, (ii) in the event it is required for the security of the life or physical integrity of the data subject who cannot express its consent because of physical incapacity, or whose consent is not legitimized, either for the security of life or physical integrity of another person, (iii) in the event the processing of personal data of parties to a contract is required, provided that it is directly related to the execution or performance of this contract, (iv) in the event it is required for the performance of the legal obligations of Erdem & Erdem, (v) in the event it is already disclosed by the data subject, (vi) in the event the processing of data is required for the establishment of a right, its exercise, or its protection, (vii) in the event the processing of data is required for the legitimate interests of Erdem & Erdem, provided that the fundamental rights and freedoms of the related person are protected, or (viii) explicit consent of the data subject.
Personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, and dress, memberships of association, foundations or trade-unions, health, sexual orientation, criminal conviction, and security measures, and biometrics and genetics are special categories of personal data. the Processing and transfer of special categories of personal data may be affected with the express consent of the related person.
Personal data that is not related to health conditions or sexual orientation may be processed without obtaining the express consent of the related person if it is regulated by law. Personal data that is related to health conditions or sexual orientation may be processed without obtaining the express consent of the related person by real persons or competent institutions and organizations that are under a confidentiality obligation, purely and simply for the express purpose of the protection of public health, preventive medicine, medical diagnosis, the course of treatment and maintenance services, and the planning and management of health services.
2. Purpose and Method of Personal Data Processing
Erdem & Erdem obtains personal data in the categories of identity, communication, personal, legal transaction, customer transaction, physical space security, finance, professional experience, audio-visual records, health information, biometric data, and correspondence information by methods such as electronic mail, website, fax, telephone, mail, courier, hand delivery and undertakes to process them in accordance with the principles regarding the protection of personal data and the following purposes:
- Personal data of our clients and business partners are processed for implementing every type of advocacy and legal consultancy activities, conducting communication activities, managing client/business partner relations, conducting pre-contract negotiation and proposal processes, communication and activity management, reporting and analysis, managing finance and accounting processes, providing information on various legal developments, organizing meetings or legal training organized by E&E, fulfilling legal obligations, developing services and conducting feedback processes effectively, and ensuring information and physical space security.
- Personal data of employees and prospective employees are processed within the framework of human resources policies and performance of the employment contract, exercising rights and/or fulfilling obligations stipulated in all kinds of legislation such as labor, occupational health and safety, social security, tax, etc., carrying out promotion, information and corporate communication activities, maintaining and developing effective employee management, planning, management and execution of human resources processes, carrying out assignment processes, fulfilling personnel activities, performance evaluation, emergency management, ensuring information security, ensuring employee health and workplace safety.
- The personal data of employees, shareholders, and officials of our suppliers and the institutions with which we collaborate and of third parties are processed for the purposes of carrying out operational and commercial activities, for the fulfillment of communication activities and obligations deriving from contractual relationships, and for carrying out tax and declaration procedures before authorized institutions and organizations.
- Personal data relating to employees, shareholders, and officials of our suppliers and collaborating institutions and third parties are processed for the purposes of carrying out operational and commercial activities, fulfilling communication activities and obligations arising from the contractual relationship, and carrying out tax and declaration procedures before authorized institutions and organizations.
- Personal data of our website visitors are processed to maintain the basic functionality of our website, facilitate navigation and improve its efficiency/performance, and optimize our activities and services.
- Personal data of Erdem & Erdem Newsletter and Exlibris subscribers are processed for providing information on current developments regarding E&E, sharing Exlibris Magazine, sending announcements regarding current legal developments, notifying E&E events and training, and managing customer relations.
3. Transfer of Personal Data in Türkiye
In the presence of one of the reasons for compliance with the law specified in Article 1 of the Policy, personal data is transferred without the need for explicit consent. Otherwise, no transfer is made without the explicit consent of the person concerned.
Erdem & Erdem transfers personal data to its service providers and suppliers, business partners, clients, banks, law enforcement agencies, courts, notaries, Social Security Institution, relevant professional chambers, tax offices, and private and public institutions and organizations in Türkiye in the presence of the legal grounds set out in Article 1 and for the purposes set out in Article 2.
4. Transfer Abroad of Personal Data
4.1. Transfer Abroad Pursuant to the PDPL
Erdem & Erdem may process and transfer personal data abroad in the presence of the explicit consent of personal data owners. However, in the presence of one of the reasons for compliance with the law specified in Article 1 of this Policy and in the foreign country to which the personal data will be transferred (i) in the presence of adequate protection determined and announced by the Personal Data Protection Board (“Board”) or (ii) in the absence of adequate protection, in the event that the data controllers in Türkiye and the relevant foreign country undertake adequate protection in writing and the Board's permission is obtained, transfer may be made abroad without seeking the consent of the data subject.
Without prejudice to the provisions of international agreements, in cases where the interests of the State or the person concerned will be seriously damaged, it may only be transferred abroad with the permission of the Board by obtaining the opinion of the relevant public institution or organization.
Erdem & Erdem transfers the personal data it obtains to Erdem & Erdem B.V., its clients and/or business partners residing abroad, service providers with whom it has a contractual relationship, cloud and e-mail service providers residing abroad, authorized public institutions and organizations, and private law persons based on the legal reasons specified in Article 1 and for the purposes stated above.
4.2.Transfer Pursuant to the GDPR
Erdem & Erdem may transfer the personal data it obtains to countries outside the European Economic Area (“EEA”).
As a rule, in order for personal data to be lawfully transferred to countries outside the EEA, the country of transfer must be declared by the European Commission as a safe country providing an adequate level of protection. In the event that the recipient party is not among the countries providing an adequate level of protection, Erdem & Erdem may transfer data based on (i) binding company rules, (ii) standard contractual clauses published and/or approved by the European Commission.
In the absence of the above-mentioned transfer conditions, the transfer is made in accordance with the GDPR only in the presence of the following exceptional circumstances:
- Explicit consent of the data subject,
- In the even the data subject enters into a contractual relationship that requires the transfer of data abroad,
- The conclusion or execution of a contract between a controller and a third party for the benefit of the data subject,
- Public interest,
- For the purpose of establishing, exercising or defending legal claims,
- It is necessary for the protection of the vital interests of the data subject or third parties.
In cases where any of the above-mentioned conditions do not exist and the transfers cannot be based on an adequacy decision or appropriate assurances, the transfer is carried out in the event it is necessary for the legitimate interests of Erdem & Erdem, the transfer abroad will not be continuous and it concerns a limited number of data subjects.
Erdem & Erdem transfers personal data to Erdem & Erdem Ortak Avukatlık Bürosu and Erdem & Erdem Danışmanlık A.Ş. located in Türkiye, clients and/or business partners located outside the EEA, service providers with whom Erdem & Erdem & Erdem has a contractual relationship, providers located outside the EEA that provide cloud and e-mail services, authorized public institutions and organizations and private law persons based on the legal reasons listed in Article 1 and for the purposes stated above.
5. Measures for the Storage, Security and Protection of Personal Data
Erdem & Erdem takes all necessary technical and administrative measures to ensure the appropriate level of security to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure that personal data is kept in accordance with the law. In this context, Erdem & Erdem implements the following measures, including but not limited to those listed as examples:
- Processes and procedures regarding the processing of personal data are defined within the Quality Management System, periodically audited and compliance is ensured.
- Information and trainings are organized regularly in order to increase the awareness of Erdem & Erdem employees regarding the relevant legislation on the protection of personal data.
- A confidentiality commitment is signed with all parties involved in personal data processing and transfer processes.
- Printed versions of documents are stored in password-protected rooms and cabinets to ensure confidentiality.
- Personal data is kept separately; retention periods for this data are systematically monitored and destruction processes are carried out for personal data whose legal period or purpose of data processing has expired.
- Regular system reports are taken for information and infrastructure security, information systems are renewed and updated by following technological developments.
Erdem & Erdem is jointly responsible with other data processors in case personal data is processed by another natural or legal person on its behalf and for taking administrative and technical measures.
In the event of a data breach in any way, Erdem & Erdem notifies the necessary institutions, organizations and data subjects in accordance with the legislation under the LPPD and GDPR within 72 hours at the latest.
6. Rights of the Data Subject
Data subjects may exercise the following rights in accordance with LPPD regarding their personal data by applying to Erdem & Erdem:
- Ascertaining whether any personal data is processed or not,
- Requesting information related to the processing of personal data, if processed,
- Ascertaining the purpose of the processing of personal data, and whether or not the use of Personal Data complies with this purpose,
- Identifying third parties to whom the personal data is transferred within Türkiye and abroad,
- Requesting rectification if personal data is processed in an unsatisfactory or incorrect manner,
- Demanding deletion or destruction of personal data within the framework of Article 7 of the LPPD,
- Demanding the notification of adjustment, deletion, and destruction to third parties to whom the personal data had been transferred,
- Objection to the result of the analyzation (exclusively by means of automatic systems) of the processed personal data, and which is to the detriment of the person, and
- Claiming compensation for damages that he/she suffered due to the illegal processing of the personal data.
Under Chapter 3 of the GDPR, data subjects have the following rights:
- Requesting information related to the processing of personal data,
- Right of access to your processed personal data and the processing activity,
- Right to rectification of your personal data,
- Right to erasure of your personal data (“right to be forgotten”),
- Right to restriction of personal data processing,
- Requesting notification of the rectification or erasure of your personal data or the restriction of its processing to third parties to whom your personal data has been transferred,
- Requesting the transfer of your personal data to another data controller,
- Right to object,
- Not be the subject of a decision based exclusively on automated processing, including profiling, that has legal implications for you or similarly significantly affects you.
To exercise the above-mentioned rights, data subjects may submit their requests or the completed version of the application form below to Erdem & Erdem in writing by using one of the following communication methods together with the information that will ensure the identification of their identity:
a. by electronic mail to istanbul@erdem-erdem.av.tr or izmir@erdem-erdem.com or amsterdam@erdem-erdem.nl; or
b. Ferko Signature, Büyükdere Caddesi, No. 175, Kat. 3, 34394 Esentepe- Şişli, Istanbul by mail.
For the application to be answered faster, “Personal Data Information Request” should be written on the application envelope.
The applications submitted to Erdem & Erdem are responded to within thirty days from the date of receipt of the request, depending on the nature of the request. If the information and documents submitted to Erdem & Erdem are incomplete or incomprehensible, we will contact the applicant to clarify the application.
You can download the personal data subject application form here.
7. Amendments to the Personal Data Protection Policy
Erdem & Erdem may make changes in this policy when it is deemed necessary when data processing processes or legislation provisions change. Such amendments become effective upon the publication of the updated policy text on www.erdem-erdem.av.tr.