Processing and Protection of Personal Data

As Proses Consulting, we transparently explain the purpose for which we collect your personal data, how we protect it, and what rights you hold.

Last Updated
01 June 2026
Version
2.6

This Policy has been prepared to set out the fundamental principles regarding how all personal data processed within Proses Consulting is processed, retained, transferred and protected within the framework of the Personal Data Protection Law No. 6698, the relevant secondary legislation and the decisions of the Personal Data Protection Board. The Policy applies to our employees, job candidates, customers, suppliers, visitors and other third parties.

1. Purpose and Scope

The purpose of this Policy is to ensure that the personal data processing activities carried out by Proses Consulting are conducted in accordance with the Law, the relevant legislation and universally accepted data protection principles. The Policy covers all business processes, personal data processed automatically or semi-automatically, and physical files kept as part of the data recording system.

2. Definitions

  • Explicit Consent: Consent on a specific subject, based on information and expressed with free will
  • Anonymisation: Rendering data unable to be associated with an identified or identifiable natural person, even if matched with other data
  • Data Subject: The natural person whose personal data is processed
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, religious belief, health and sexual life, together with biometric and genetic data
  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller
  • Data Controller: The person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

3. Processing Principles

Proses Consulting processes personal data in accordance with the principles listed in Article 4 of the KVKK:

  • Being in compliance with the law and the rules of good faith
  • Being accurate and, where necessary, up to date
  • Being processed for specific, explicit and legitimate purposes
  • Being relevant, limited and proportionate to the purposes for which they are processed
  • Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed

4. Categories of Data Subjects

Category Description
Customer Officials of organisations receiving services and natural persons who make contact
Potential Customer Persons who submit a quote request or make contact
Employee Staff employed under an employment contract
Job Candidate Persons who apply for a job
Suppliers and Business Partners Natural persons or officials of legal entities with whom there is a contractual relationship
Visitor Persons who visit our physical offices or our website

5. Processing Conditions

Personal data is processed where at least one of the following conditions listed in Article 5 of the KVKK exists:

  • The explicit consent of the data subject is present
  • It is expressly stipulated in laws
  • The protection of the life or physical integrity of a person who is unable to express consent due to actual impossibility
  • It is directly related to the establishment or performance of a contract
  • It is necessary for the data controller to fulfil its legal obligation
  • It has been made public by the data subject themselves
  • It is necessary for the establishment, exercise or protection of a right
  • It is necessary for the legitimate interest of the data controller (provided that it does not harm the fundamental rights and freedoms of the data subject)

Special categories of personal data are processed pursuant to Article 6 of the KVKK only in cases stipulated by laws or with the explicit consent of the data subject.

6. Data Retention and Destruction

Personal data is retained for the period necessary for the purpose for which it is processed and in accordance with the minimum periods stipulated by the relevant legislation. At the end of the retention period, the data is deleted, destroyed or anonymised within the scope of the Regulation on the Deletion, Destruction or Anonymisation of Personal Data.

Our retention periods are determined taking into account the nature of business processes, legal obligations and statutory limitation periods, and are detailed in our Retention and Destruction Policy.

7. Data Security Measures

The following technical and administrative measures are taken in order to prevent the unlawful processing of personal data, prevent unlawful access to the data and ensure the preservation of the data:

7.1. Technical Measures

  • Infrastructure compliant with the ISO 27001 Information Security Management System standards
  • Firewall, antivirus and intrusion detection systems
  • Database encryption and hashing mechanisms
  • Authorisation and role-based access control
  • Secure backup and disaster recovery processes
  • Penetration tests and regular security audits
  • Keeping and regularly reviewing log records

7.2. Administrative Measures

  • Regular KVKK and information security training for employees
  • Signing of confidentiality agreements
  • Keeping the data inventory and data flow maps up to date
  • Data processing agreements with suppliers and business partners
  • Breach management and notification procedures
  • Regular review of policies and procedures

8. Data Transfer

Personal data may be transferred to third parties at home and abroad in accordance with Articles 8 and 9 of the KVKK, only to the extent necessary to achieve the processing purpose. Transfer abroad is carried out to countries that provide adequate protection or on condition that the undertakings permitted by the Board are signed.

9. Rights of the Data Subject and Application

The procedures and principles for data subjects to exercise the rights listed in Article 11 of the KVKK are set out in our Disclosure Text and in the Communiqué on the Procedures and Principles for Application to the Data Controller. Applications may be sent to info@prosesdanismanlik.com.tr or in writing to our office address.

10. Breach Notification

In the event that personal data is unlawfully obtained by others, notification is made to the data subject and the Personal Data Protection Board as soon as possible. Notifications are carried out in accordance with the procedures and periods determined by the KVKK Board.

11. Entry into Force and Update of the Policy

This Policy enters into force on the date it is published on our website. It is updated where deemed necessary in line with legislative changes, updates in our business processes or Board decisions, and changes are announced through the same channel.