Global Privacy Policy & GDPR/KVKK
"Aydemir Law Firm is deeply committed to preserving the highest standards of data security, institutional confidentiality, and privacy rights. In absolute accordance with the KVKK, the GDPR, and the UK GDPR, we act as the independent Data Controller concerning all personal data collected."
Data Minimization
We limit personal data collection to the absolute technical and operational minimum required to facilitate professional representation.
Absolute Security
All data in transit is encrypted via TLS 1.3, and all data at rest is protected using AES-256 enterprise-grade security protocols.
1. Identity of the Data Controller
Aydemir Law Firm is deeply committed to preserving the highest standards of data security, institutional confidentiality, and privacy rights. In absolute accordance with the Turkish Personal Data Protection Law No. 6698 (“KVKK”), the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and, where applicable, the UK General Data Protection Regulation (“UK GDPR”) as retained by the Data Protection Act 2018, Aydemir Law Firm acts as the independent Data Controller concerning all personal data collected, stored, processed, or transmitted through the Website and its integrated communication networks.
- Data Controller: Aydemir Law Firm (Av. Abdussamet AYDEMİR)
- Registered Address: Istanbul, Republic of Turkey
- Data Protection Contact: info@aydlaw.com
2. Categories of Processed Data
We limit personal data collection to the absolute technical and operational minimum required to facilitate professional representation, secure digital browsing, client onboarding, and regulatory compliance. The Firm processes the following categories of personal data:
- Identity and Contact Information: Full name, physical corporate address, business telephone number, mobile telephone number, and professional email address voluntarily submitted via online inquiry forms, direct email correspondence, or telephone communications.
- Marketing and Communications Data: Your explicit preferences regarding receiving legal newsletters, legislative updates, case law alerts, operational bulletins, event invitations, webinar registrations, and communication channel selections.
- Technical and Telemetry Data: Internet Protocol (IP) addresses, login logs, session identifiers, browser type and version, browser plugins, language settings, time zone settings, operating system and platform, device identifiers, screen resolution, and network timestamps automatically captured via hosting security infrastructure during Website navigation.
- Usage Metrics: Navigational pathways, page response latencies, download errors, entry and exit page URLs, clickstream data, scroll depth, and digital interaction markers compiled through essential analytical tracking mechanisms.
- Correspondence Records: Records of all communications between the User and the Firm, including email correspondence, contact form submissions, telephone call logs, and meeting notes, to the extent necessary for the administration of the professional relationship.
3. Legal Bases and Processing Purposes
The processing of personal data is executed exclusively under the following established statutory legal frameworks:
- Pre-contractual Engagements & Performance of Contract (KVKK Art. 5(2)(c) / GDPR Art. 6(1)(b)): To process, evaluate, and respond to incoming legal inquiries, potential client assessments, engagement letter preparation, conflict-of-interest checks, and professional career applications.
- Legitimate Interests of the Controller (KVKK Art. 5(2)(f) / GDPR Art. 6(1)(f)): To maintain, secure, and monitor the Website infrastructure; prevent cyber-fraud; insulate data systems from malicious code; detect and prevent unauthorized access; structurally optimize user experiences; administer the Firm’s internal business operations; and ensure network and information security. The Firm has conducted and documented Data Protection Impact Assessments (DPIAs) where required and has determined that such processing does not disproportionately affect the rights and freedoms of Data Subjects.
- Compliance with Legal Obligations (KVKK Art. 5(2)(ç) / GDPR Art. 6(1)(c)): To fulfill mandatory commercial, tax, anti-money laundering, counter-terrorism financing, and professional statutory retention requirements, or to comply with binding disclosure mandates from law enforcement, competent judicial authorities, regulatory bodies (including MASAK, the Personal Data Protection Authority [KVKK Kurulu], and the Information and Communication Technologies Authority [BTK]), or other governmental entities.
- Explicit Consent (KVKK Art. 5(1) / GDPR Art. 6(1)(a)): Where processing is based on consent, such consent is obtained through clear, affirmative action (such as ticking a checkbox or clicking an opt-in button) and is documented. Consent may be withdrawn at any time without affecting the lawfulness of processing conducted prior to withdrawal.
4. Data Retention and Erasure
4.1. General Retention Principle: Personal data processed by the Firm shall not be retained for periods extending beyond what is strictly necessary to fulfill the specific operational purposes enumerated in Section 3, or as mandated by statutory limitation periods under Turkish, EU, and applicable international law.
4.2. Specific Retention Periods:
- Contact form submissions and general correspondence: three (3) years from the date of last communication.
- Client engagement records: ten (10) years from the termination of the engagement, in accordance with the Turkish Attorneyship Law No. 1136 and the Turkish Tax Procedure Law (VUK).
- Financial and tax records: five (5) years as mandated by VUK Art. 253.
- AML/KYC records: eight (8) years from the termination of the business relationship, in accordance with the Law on Prevention of Laundering Proceeds of Crime No. 5549.
4.3. Litigation Prospect Retention: Notwithstanding general deletion schedules, the Firm explicitly reserves the right to retain relevant personal data for an extended duration if there is a legitimate, reasonable expectation or prospect of litigation, an outstanding regulatory dispute, a formal complaint, or an ongoing investigation involving the Data Subject, strictly to facilitate the establishment, exercise, or defense of the Firm’s legal claims in accordance with GDPR Art. 17(3)(e) and KVKK Art. 7(2).
4.4. Deletion and Anonymization: Upon the natural expiration of the applicable retention period or the resolution of the legal necessity, the data will be completely deleted, destroyed, or irreversibly anonymized in accordance with the KVKK Board’s Data Deletion, Destruction, or Anonymization Regulation and the Firm’s internal Data Retention and Destruction Policy (VERİ SAKLAMA VE İMHA POLİTİKASI).
5. Authorized Disclosures and Cross-Border Transfers
Aydemir Law Firm strictly prohibits the commercial monetization, sale, leasing, rental, or unauthorized distribution of personal data to third-party marketing entities, data brokers, or advertising networks. Access to your data is restricted exclusively to authorized personnel, trusted partners, and vetted IT administrators operating under strict contractual confidentiality obligations. Data may be disclosed only to the following categories of recipients:
- Trusted Data Processors: Secure cloud storage networks, corporate hosting providers, email infrastructure services, IT maintenance and cybersecurity systems, and document management platforms acting under severe, contractually mandated confidentiality instructions and Data Processing Agreements (DPAs) compliant with GDPR Art. 28.
- Professional Advisers: External legal counsel, banking institutions, auditors, accountants, tax advisers, and insurers where necessary to facilitate professional advice, manage administrative risks, or comply with regulatory obligations.
- Regulatory and Judicial Authorities: Law enforcement agencies, courts of competent jurisdiction, regulatory bodies (including MASAK, the Personal Data Protection Authority, and tax authorities), where disclosure is mandated by law, court order, or binding legal process.
- Cross-Border Data Transfers: Due to the global architecture of enterprise cloud services, your data may be transferred to and processed in countries outside of Turkey and the European Economic Area (EEA). Such transfers are structurally fortified by: (a) explicit user consent obtained in accordance with KVKK Art. 9 and GDPR Art. 49; (b) an adequacy decision by the European Commission pursuant to GDPR Art. 45; (c) Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to GDPR Art. 46(2)(c); or (d) Binding Corporate Rules (BCRs) approved by competent supervisory authorities pursuant to GDPR Art. 47, guaranteeing an uncompromised chain of custody and a level of data protection essentially equivalent to that guaranteed within the EEA.
6. Data Security Measures
The Firm implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to: encryption of personal data in transit (TLS 1.2/1.3) and at rest (AES-256); pseudonymization of personal data where feasible; access controls and role-based authentication; regular security audits and penetration testing; incident response and breach notification procedures; employee training and awareness programs on data protection; and physical security measures for servers and office premises.
7. Automated Decision-Making and Profiling
The Firm does not engage in any automated decision-making, including profiling, that produces legal effects concerning the Data Subject or similarly significantly affects them, as contemplated by GDPR Art. 22. Should the Firm at any future date implement any form of automated processing, appropriate safeguards shall be put in place, including the right to obtain human intervention, to express a point of view, and to contest the decision.
8. Data Protection Impact Assessments
Where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, the Firm shall, prior to the processing, carry out a Data Protection Impact Assessment (DPIA) in accordance with GDPR Art. 35 and the KVKK Board’s guidelines. The Firm shall consult with the competent supervisory authority pursuant to GDPR Art. 36 where the DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.
9. Exhaustive Data Subject Rights and Enforcement
Under Chapter III of the GDPR (Articles 15–22) and Article 11 of the KVKK, you possess the following enforceable, statutory rights:
- Right of Access (GDPR Art. 15 / KVKK Art. 11(1)(b)–(c)): To obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and specified information about the processing.
- Right to Data Portability (GDPR Art. 20): To receive the personal data concerning you, which you have provided to the Firm, in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
- Right to Rectification (GDPR Art. 16 / KVKK Art. 11(1)(d)): To compel the immediate correction of inaccurate personal data and to have incomplete personal data completed.
- Right to Erasure (“Right to be Forgotten”) (GDPR Art. 17 / KVKK Art. 11(1)(e)–(f)): To demand the erasure of your personal data where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent, where you object to processing, where the data has been unlawfully processed, or where erasure is required to comply with a legal obligation.
- Right to Restriction of Processing (GDPR Art. 18 / KVKK Art. 11(1)(e)): To request the restriction of processing where the accuracy of the data is contested, where the processing is unlawful, where the Firm no longer needs the data but you require it for the establishment, exercise, or defense of legal claims, or where you have objected to processing pending verification.
- Right to Object (GDPR Art. 21 / KVKK Art. 11(1)(e)): To object at any time to the processing of your personal data which is based on legitimate interests, including profiling. The Firm shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
- Right to Withdraw Consent (GDPR Art. 7(3) / KVKK Art. 5(1)): To revoke previously granted processing consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.
- Right to Lodge a Complaint: You maintain the unassailable right to lodge a formal complaint with a competent data protection supervisory authority within your jurisdiction. In Turkey, the competent authority is the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK Kurumu). In the EU, the competent authority is the Data Protection Authority of the EU Member State in which you reside or work.
To formally exercise any of these data protection rights, the Data Subject must submit a verified, written request to our dedicated Data Protection Officer at: info@aydlaw.com. Validated applications will be evaluated and completed free of charge and strictly within thirty (30) calendar days from receipt. Where requests are manifestly unfounded or excessive, particularly if they are repetitive, the Firm may charge a reasonable fee based on administrative costs or refuse to act on the request.
Privacy & Data Team
For statutory requests or any questions regarding our data compliance architectures, please contact us.
info@aydlaw.com