Related Policies
PRIVACY AND PERSONAL DATA PROTECTION POLICY
GÜLSEREN ÖNGÜN LAW OFFICE “GÜLSEREN ÖNGÜN” attaches great importance to the protection of your personal data. This Privacy and Personal Data Protection Policy (“Policy”) explains, in accordance with the Turkish Personal Data Protection Law No. 6698 (“KVKK”), the EU General Data Protection Regulation (“GDPR”) and other applicable legislation, how we collect, use, share and otherwise process the personal data of visitors to our website, mobile applications and other online services (collectively referred to as the “Platform”), our clients, prospective clients, business partners, newsletter subscribers, event participants and other relevant persons.1. Data Controller and Contact Information
The data controller is GÜLSEREN ÖNGÜN LAW OFFICE
Address
: Gaziosmanpaşa Mah. Attar Sokak 11/6 Çankaya 06680 ANKARA/TURKEY
E-mail
Telephone
: +90 533 198 64 12
2. Categories of Personal Data Processed and Methods of Collection
When you use the Platform or contact us, the following categories of personal data may be collected by automatic or non-automatic means (e.g. forms, cookies, e-mail, telephone, mail, courier, hand delivery):Identity and Contact Data Name-surname, title, company name, e-mail address, telephone number, postal address,
Registration and Event Data : Newsletter subscriptions, event/seminar/webinar registrations, visual and audio recordings,
Device and Usage Data IP address, browser type, visit duration, pages visited, cookie information
Client Service Data : Information relating to third parties within client files, invoicing and payment details
Compliance Data : Identity documents provided for verification purposes,
Special Categories of Personal Data Processed only with your explicit consent or in exceptional cases permitted under Article 6/3 of the KVKK and Article 9/2 of the GDPR (e.g. establishment, exercise or defence of legal claims, public disclosure by you, legal obligation), and only to the extent strictly necessary.
3. Purposes and Legal Bases for Processing Personal Data
Your personal data are processed for the following purposes and on the legal bases set out in Articles 5 and 6 of the KVKK and Articles 6 and 9 of the GDPR:Purpose
Primary Legal Bases
Provision of legal consultancy and advocacy
services, planning and execution of human
resources processes, establishment,
performance and management of contractual
processes (including pre-contractual and post-
contractual stages), invoicing and collection
Performance of a contract (KVKK Art. 5/2-c, GDPR
Art. 6/1-b)
Conduct of client relationships, invoicing and
payment collection, and management of
operational processes with business partners
and suppliers.
Performance of a contract, legal obligation,
legitimate interest
Sending newsletters, invitations, legal updates and event announcements
Explicit consent or legitimate interest (provided it does not harm the fundamental rights and freedoms
of the data subject)
Ensuring the functionality, performance
improvement and security of the Platform
Legitimate interest, legal obligation
Compliance with legal obligations (e.g. tax,
Social Security Institution, anti-money
laundering, identity verification)
Legal obligation (KVKK Art. 5/2-a, ç, e)
Establishing evidence and protecting rights in
potential disputes
Legitimate interest, establishment/exercise/defence of
legal claims
Special categories of personal data (including racial or ethnic origin, political opinions, religious
beliefs, health, biometric data, etc.) are processed only with your explicit consent or in the exceptional
circumstances provided for in Article 6/3 of the KVKK and Article 9(2) of the GDPR (such as the
establishment, exercise or defence of legal claims, public health purposes, medical diagnosis, etc.).
4. With Whom and For What Purposes Your Personal Data May Be Shared
Your personal data may be shared, to the extent necessary for the above purposes and in compliance with Articles 8 and 9 of the KVKK and Articles 44–50 of the GDPR, with the following recipient categories:- Our business partners and collaborating law firms abroad,
- Cloud, e-mail, hosting and other technical infrastructure providers (domestic and foreign),
- Financial institutions (for payment and invoicing purposes),
- Competent public authorities, courts, notaries and enforcement offices,
- Acquirer or potential acquirer companies in mergers, acquisitions or asset sales,
- Regulatory authorities where required by law.
5. Retention Periods for Personal Data
Your personal data will be retained only for as long as required for the purposes of processing and in accordance with the statutory limitation and retention periods. Retention Periods (indicative):
Client and contractual data
; 10 years after the end of the client relationship/contract
Accounting and financial records
; 5 to 10 years,
HR and personnel files
; 10 years after termination of employment,
CCTV footage
maximum 30 days,
Website and internet logs
: 1 year.
Once the purpose ceases or the retention period expires, your personal data will be secureley deleted,
destroyed or anonymised.
6. Security of Personal Data
We implement appropriate technical and organisational measures (encryption, access restrictions, regular training, confidentiality undertakings, periodic audits, etc.) to prevent unauthorised processing of or access to your personal data and to ensure their proper storage. In the event of a personal data breach, notification will be made to the Personal Data Protection Authority and to the affected data subjects within 72 hours, as required by the KVKK and GDPR.7. Your Rights as a Data Subject (KVKK Art. 11 and GDPR Chapter III)
You may exercise the following rights at any time:- To learn whether your personal data are being processed,
- To request information about the processing activities,
- To learn the purposes of processing and whether the data are used in accordance with those purposes,
- To know the third parties to whom your data are transferred domestically or abroad,
- To request rectification of incomplete or inaccurate data,
- To request erasure or destruction (“right to be forgotten”),
- To request notification of rectification/erasure operations to third parties,
- To object to adverse outcomes resulting from automated processing,
- To claim compensation for damages caused by unlawful processing,
- To request data portability (transfer to another controller).
8. How to Exercise Your Rights
You may submit your requests through one of the following channels:- By notary or registered mail with return receipt to our address in Kazım Özalp Mah. Nenehatun Cad. 101/4 Çankaya 06680 ANKARA / TURKEY,
- Via Registered Electronic Mail (KEP) to gulseren.ongun@hs01.kep.tr ,
- From the e-mail address previously provided to us and registered in our systems to privacy@gulserenongun.com ,
- Using secure electronic methods containing a mobile signature, e-signature or other means of identity verification.
9. Cookies and Third-Party Links
The Platform uses cookies. You can access our Cookie Policy at http://gulserenongun.com/en/cookie-policy We are not responsible for the privacy practices of third-party (public authorities, bar associations, courts, etc.) websites linked from the Platform.10. Amendments to the Policy
This Policy may be revised due to changes in legislation or our data processing activities. The current version will always be available at http://gulserenongun.com/en/privacy-policy at will be published.For any questions or requests, please contact us at privacy@gulserenongun.com or using the contact details above.
Best regards,
GÜLSEREN ÖNGÜN LAW OFFICE
GÜLSEREN ÖNGÜN LAW OFFICE
Effective Date
: December 5, 2025
Last Updated
: December 5, 2025