Online Ödeme

Storage and Destruction Policy



1.1. Purpose

The purpose of this Policy; K&P LEGAL LAW FIRM The purpose of this policy; K&P Legal Law Firm/ Erdal KARDAS – Yelda TOPUZ KARDAS Partnership processed personal data protection of personal data for various purposes and from the channels written to the Law Firm, the identification of personal data in printed or electronic form and appropriate controls; the establishment of a secure environment to store this data and this data are carried out by the preparation of limited access to authorized persons and to be sure that Law Firm processed personal data deleted the maximum period required for the purpose for which they are processed, identification of the processes of destruction or anonymity and identification of the roles and responsibilities of the persons involved in these processes and the management of personal data breaches.

The business and transactions related to the storage and destruction of personal data are carried out in accordance with K&P Legal’s policy.

1.2. Scope

The scope of this policy; Law Firm employees, clients, employee candidates, service providers, customers, visitors and other third parties the personal data of the confidentiality, privacy to protect your personal data when it comes to the implementation of the necessary controls and precautions to be taken times the maximum storage of personal data personal data will be stored in accordance with the law, where personal data are processed taken technical and administrative measures to be disposed of all recording environments and constitute the activities with regard to the processing of personal data. In this context, the above-mentioned groups of personal data owners can be applied to the entirety of this Policy, as well as only some of its provisions.

1.3. Definitions

The definitions of the terms and abbreviations contained in this Policy are as follows:

Explicit ConsentFreely given, specific and informed consent
Recipient GroupsCategory of real or legal persons in which personal data is transferred by the data controller.
Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data
PresidencyBoard of Protection of Personal Data
Employee K&P Legal personnel
Law FirmK&P LEGAL LAW FIRM/ Erdal Kardas – Yelda Topuz Kardas Partnership
Electronic environmentEnvironments where personal data can be created, read, exchanged and written with electronic devices.
Non-Electronic EnvironmentAll written, printed, visual, etc. media that are excluded from electronic media.
Service ProviderA real or legal person providing services under a specific term of contract with K&P Legal.
Data SubjectThe natural person, whose personal data is processed
Related User Persons who process personal data within the data controller organization or in accordance with the authorization and instructions it receives from the data controller, excluding the person or unit responsible for technically storing, protecting and backing up data.
DestructionThe process of making personal data inaccessible, non-refundable and unusable by anyone in any way
Recording EnvironmentAny environment where personal data is completely or partially automated or processed by non-automated means, as part of any data recording system.
KEPRegistered Electronic Mail
Electronic Mail
Secure e-mail service with legal validity in case of dispute, where sender and receiver IDs are identified, shipping time and content cannot be changed.
Personal DataAll the information relating to an identified or identifiable natural person
Personal Data Processing
The personal data processing activities of data controllers based on their business processes; the purpose scanning for personal data and its legal reason, the category of data, the group of recipients transferred, and the maximum duration of the protection required for the purposes for which personal data is processed, the inventory they elaborate by describing the personal data envisaged to be transferred to countries and the measures taken regarding data security.
Processing of Personal
Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
BoardPersonal Data Protection Board
LawPersonal Data Protection Law
Committee on the
Protection of
Personal Data
A committee established to carry out administrative monitoring of processes established under the Personal Data Protection Law and sub-regulations appointed by K&P Legal.
Personal Data
Information on the race, ethnic origin, political opinion, philosophical beliefs, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic DestructionIn the event that all of the terms of the processing of personal data contained in the law are eliminated, the deletion, destruction and anonymity will be performed at repeated intervals as set out in the policy of retention and destruction of personal data.
PolicyK&P Legal Protection and Destruction of Processing Personal Data
ProcessorThe natural or legal person who processes personal data on behalf of the controller upon his authorization
Data Recording
Any recording system through which personal data are processed by structuring according to specific criteria
Data controllerK&P LEGAL LAW FIRM/ERDAL KARDAS – YELDA TOPUZ KARDAS PARTNERSHIP who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
VERBIS (Data Controllers Registry
Information System
Data controllers will use in the application of the Registry and other related transactions related to the Register, accessible over the internet, created and managed by the Presidency information system.
VERBISData Controllers Registry Information System
RegulationRegulation on the erasure, destruction or anonymizing of personal data.

Definitions not included in this Policy apply to the definitions in the Act.


All of K&P Legal’s units and employees responsible for technical and administrative units that are being taken by the proper implementation of the measures under the policy of staff training and awareness raising, monitoring and continuous control to prevent unlawful processing of personal data, personal data, and preventing access to lawful and unlawful storage of personal data personal data is processed for purposes of technical and administrative measures for ensuring data security in all environments responsible for the introduction of the units gives active support to the issues.


By K&P Legal, personal data belonging to employees, clients, employee candidates, visitors, customers and employees of third parties, organizations or organizations associated as service providers is stored and destroyed in accordance with the Law.

Article 3 of the Law defines the concept of the processing of personal data, the personal data processed in Article 4 is limited and measured in connection with the purpose for which they are processed, and the time required for the purpose for which they are intended or processed in the relevant legislation must be maintained, In articles 5 and 6, the terms of processing of personal data are counted.

In this context, K&P Legal processes personal data in accordance with articles 5/1, 5/2-a, 5/2-B, 5/2-c, 5/2-ç, 5/2-e, 5/2-F and 6/3 within the framework of its activities and stores it for the period stipulated in the relevant legislation or for the period appropriate to the processing purposes.

  • 5/1 Personal data shall not be processed without obtaining the explicit consent of the data subject.
  • 5/2-a It is expressly permitted by any law.
  • 5/2-b It is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent.
  • 5/2-c It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract.
  • 5/2-ç It is necessary for compliance with a legal obligation which the controller is subject to.
  • 5/2-e It is necessary for the institution, usage, or protection of a right.
  • 5/2-f It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
  • 6/3 Personal data indicated in paragraph 1, other than personal data relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.

3.1. Legal Reasons for Storage

The personal data processed within the framework of K&P Legal’s activities are kept for the period stipulated

in the relevant legislation;

  • 1136 Attorneyship Law No.
  • Turkish Code of Obligations No. 6098
  • Turkish Commercial Law No. 6102
  • Turkish Civil Code No. 4721
  • Personal Data Protection Law No. 6698
  • Consumer Protection Law No. 6502
  • Labor Law No. 4857
  • Occupational Health and Safety Act and related Regulations No. 6331 it is stored as long as the storage times stipulated in the framework.

3.2. Processing Purposes Requiring Storage

  • Employee Candidate / Intern / Student Selection and Placement Process Execution
  • Execution of The Application Process of Employee Candidates
  • Fulfillment of Obligations arising from Business Contracts and Legislation for Employees
  • Execution of Benefits and Benefits Processes for Employees
  • Conducting Educational Activities
  • Execution of Access Authorizations
  • Execution of Activities in Compliance with the Legislation
  • Execution of Finance and Accounting Affairs
  • Ensuring Physical Space Security
  • Execution of Legal Affairs
  • Execution of Communication Activities
  • Execution / Supervision of Business Activities
  • Execution of Occupational Health / Safety Activities
  • Conducting Business Continuity Ensuring Activities
  • Execution of Logistics Activities
  • Execution of Goods / Services Procurement Processes
  • Execution of Goods / Services After-Sales Support Services
  • Execution of Goods / Services Sales Processes
  • Execution of Good / Service Production and Operation Processes
  • Execution of Activities for Customer Satisfaction
  • Organization and Event Management
  • Execution of Risk Management Processes
  • Execution of Contract Processes
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Creation And Tracking of Visitor Records

3.3. Reasons For Destruction

Personal Data;

  • amending or replacing the provisions of the relevant legislation which constitute the basis for its processing,
  • elimination of the purpose requiring processing or hiding,
  • In cases where processing personal data is carried out solely on the condition of explicit consent, the data subject may withdraw his or her explict consent.
  • In accordance with Article 11 of the Law, K&P Legal accepts its application for the deletion and destruction of personal data within the framework of the rights of the data subject,
  • If K&P Legal rejects the application made to the data subject for the request to delete, destroy or anonymize his personal data, finds his answer insufficient, or does not respond within the time stipulated in the Act; To make a complaint to the Board and to make this request appropriate by the Board,
  • The maximum period requiring the storage of personal data has passed and there are no conditions that justify storing personal data for longer,

In their case, they are deleted, destroyed, or re-deleted, destroyed, or made anonymous by K&P Legal at the request of the data subject.


In accordance with Article 12 of the Law, K&P Legal shall ensure the appropriate level of security to prevent unlawful processing of the personal data it is processing, to prevent unlawful access to the data, and to ensure the protection of the data. In the event of unlawful disclosure of personal data, it shall act in accordance with the measures provided for in the Law.

4.1. Administrative Measures

  • K&P Legal trains and provides awareness of its employees in relation to the Law on The Protection of Personal Data.
  • Employees are informed that they cannot disclose or use the personal data they have learned in contravention of the provisions of the Act and that they will not be able to use it for any purpose other than for processing purposes and that this obligation will continue after their departure from office, and they are required to make the necessary commitments.
  • Disciplinary action is carried out if employees do not comply with safety policies.
  • In cases where personal data is subject to transfer, K&P Legal shall ensure that the contracts concluded with the persons to whom the personal data is transferred will be included with the records that the party to whom the personal data is transferred will fulfill its obligations to ensure data security.
  • Contracts with the relevant companies in which personal data is transferred in accordance with the law in the event of receiving an external service due to technical requirements for the storage of personal data; the provisions concerning that the persons to whom personal data is transferred will take the necessary security measures to protect personal data and that these measures will be complied with in their own organizations.
  • At regular intervals, supplier data processing control is implemented. “The process is operated through the “Supplier Evaluation Form”. “Tedarikçi Değerlendirme Formu” üzerinden süreç işletilmektedir.
  • Personal data processing inventory compliant with VERBIS system is issued by the K&P Legal and compliance audits are carried out here.
  • Personal data processing activities carried out by K&P Legal are examined in detail and periodically reviewed and updated as needed. In this context, steps to be taken to ensure compliance with the personal data processing requirements stipulated in the Law are determined.
  • As a result of the review, non-needed personal data is disposed of safely and securely in accordance with the “Personal Data Storage and Destruction Policy” and the regulation on the deletion, destruction or anonymisation of personal data.
  • K&P Legal determines the practices that must be implemented in order to comply with the Law, regulates the “Personal Data Retention and Destruction Policy” and periodically reviews it and updates it as needed. The risks that may arise from personal data breach incidents and how to manage security breaches are also clearly defined.

4.2. Technical Measures

  • K&P Legal complies with the Information Security Policies in the storage of personal data.
  • Technical measures are taken by K&P Legal regarding the protection of personal data to the extent possible by the technology and the measures taken are updated and improved in parallel with the developments.
  • In technical matters, expert personnel are employed.
  • Periodic inspections are carried out for the implementation of the measures taken.
  • Software and systems are installed to ensure security.
  • The authority to access personal data processed within K&P Legal is limited to the employees concerned for the purpose of processing.
  • Systems suitable for technological developments are used to store personal data in secure environments.
  • Technical security systems for hiding areas are established, technical measures taken are audited periodically, risk-generating issues are re-evaluated, and the necessary technological solution is produced.
  • All necessary infrastructures are used in accordance with the law to ensure that personal data is stored securely.
  • Adequate security measures are taken in the physical environments where sensitive personal data is processed, maintained and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
  • If sensitive personal data is required to be transferred via e-mail, it is encrypted by corporate e-mail address or by using a KEP account. Portable memory is encrypted using cryptographic methods and the cryptographic key is kept in different media if it needs to be transferred via media such as CDs and DVDs. If the transfer is performed between servers in different physical environments, data transfer is performed by establishing VPN between servers or using sFTP. If it is necessary to transfer through paper Media, necessary precautions are taken against risks such as theft, loss or sight of the document by unauthorized persons and the document is sent in a “confidential” format.

The main technical measures taken by K&P Legal to prevent unlawful access to personal data are listed below;

4.2.1. Ensuring Cyber Security

  • Firewall and gateway measures are primarily used to protect personal data-containing information technology systems from unauthorized access threats over the Internet.
  • In cases where personal data is provided through different websites and/or mobile application channels to ensure personal data security, connections are made with SSL.
  • Current anti-virus software is used. Traffic going to the internet or coming is scanned against viruses.
  • Software that is not approved by the Law Firm cannot be downloaded on Internet and these software cannot be installed on Law Firm’s systems.
  • Third parties may use the Law Firm’s Internet with the permission of Information Technology employees and the rules on this subject.
  • The services to be accessed by the user on the network are restricted and unlimited network access is prevented.
  • Network access is restricted by creating separate logical areas such as VPN and VLAN.
  • Devices used as firewalls are not used for any other purpose.
  • Critical updates to the Firewall configuration are made approved by the It Manager.
  • Keeping the current topology of network devices, configuration information is stored.

4.2.2. Software Updates

  • Removing unused software and services from devices is applied and vulnerabilities are prevented.
  • Patch management and software updates of the software, services and hardware used are regularly checked.
  • It is regularly checked for proper operation of software and hardware and whether security measures for systems are adequate.

4.2.3. Access Limitations

  • Access to systems containing personal data is limited.
  • An access authorization and control matrix is created to control inappropriate access or access attempts.
  • Employees are given access to the relevant systems through the use of user name and password, to the extent that it is necessary for their work and tasks and their authority and responsibilities.
  • Access rights of employees whose job description has changed or left the Law Firm are immediately removed.

4.2.4. Password

  • When creating a password, strong password combinations consisting of small capital letters, numbers, both digit and punctuation characters, symbols are preferred instead of numbers or sequences of letters that are associated with personal information and which can be easily guessed.
  • Passwords are changed at least every 6 (six) months.
  • The number of password login attempts is limited to 10 (ten).

4.2.5. Anti-virus Software

  • Anti-virus program is used to protect against malware and regularly scan the information system network and detect hazards.
  • PC connected to the antivirus server automatically update the latest versions from the server on the subnets where they are located.
  • Users who are not connected to the domain are kept up to date with different update rules of the anti-virus program.
  • Removable media (cd-rom, dvd-rom, bluetooth, flash drive, external disc) are always scanned against viruses.

4.2.6. Monitoring of Personal Data Security

  • Servers are regularly and controlled to update anti-virus databases.
  • Necessary measures are taken to ensure the uninterrupted and secure operation of database systems.
  • Unused services and applications are being closed.
  • Servers are located in physically protected system rooms.
  • All security-related events that occur in critical systems are logged.
  • Security logs related to events not related to the current application on the server, port scanning attacks, and unauthorized persons trying to access privileged accounts are evaluated by the system administrator and necessary precautions are taken, to the data controller.
  • Transactions of all users, log records are kept regularly.
  • Once a year, Vulnerability and Penetration tests are carried out and necessary precautions are taken by revealing risks, threats, weaknesses and vulnerabilities regarding information systems.
  • Risk analysis is carried out by the Law Firm or authorized companies in order to detect system deficiencies and take necessary measures in the K&P Legal’s computer network.
  • Evidence is securely collected in undesirable incidents such as the collapse of the information system, malicious software, decommissioning attack, incomplete or incorrect data entry, breaches of confidentiality and integrity, misuse of the information system, etc. stored.

4.2.7. Securing Enviroments Containing Personal Data

  • Physical security measures are taken against threats such as the theft or loss of personal data stored in a paper environment and personal data contained on devices.
  • Confidential information about personal data, which expires and is no longer needed, is destroyed by paper shredder, incineration, etc.
  • In the event of the destruction of server and network devices, the storage device is physically destroyed by taking precautions that the personal data contained in the storage device may not be read again.
  • When leaving the computer, precautions are taken to close the session or to activate screen savers that can be activated with the password.
  • Documents in a paper environment containing personal data, servers, and backup devices, CDs, DVDs and USB are kept in the system room and archive room with additional security measures for devices such as CDs, DVDs and USB.
  • System room and archive room entrances / exits are controlled. It is closed to unauthorized persons.
  • The entry of non-corporate visitors and unauthorized personnel into the secure areas is carried out under the supervision of authorized security officers.
  • Access control authorization and/or encryption methods are used in cases where devices containing personal data are lost or stolen.
  • The physical environment (System room, archive room) in which personal data is contained has external risks (fire, flood, etc.) are protected against by appropriate methods.
  • For protecting personal data, full disk encryption on devices or a file with personal data on the device is also encrypted.
  • Anti-virus programs are installed on computers and servers and cannot be deactivated for any reason.
  • Encryption is used to protect sensitive or critical information stored/transmitted.
  • Digital signatures or message verification codes are used to protect the reliability or integrity of sensitive or critical information stored/transmitted.
  • Cryptographic techniques are used to obtain evidence of the occurrence or absence of an event or activity.

4.2.8. Information Technology Systems Supply, Development and Maintenance

  • Safety requirements are taken into account when determining the requirements for the supply, development or improvement of existing systems.
  • Fails or a maintenance period for coming a manufacturer, dealer, service devices that contain your personal data to third parties such as maintenance and repair of the devices that are sent can be sent for before you to ensure the security of your personal data, stored in the data storage media of the device disassembled, only the defective part of the submission process is applied.
  • If external personnel have arrived for purposes such as maintenance and repair, necessary measures are taken to prevent them from copying personal data and moving it out of the institution. .

4.2.9. Backing Up Personal Data

  • In cases where personal data is damaged, destroyed, stolen or lost for any reason, it is activated as soon as possible by using backed up data.
  • Personal data backed up is only accessible to the system administrator.
  • A backup list is created that determines the systems to be backed up and the system to be backed up is carefully determined.
  • The backup list is periodically reviewed and updated because the information to be backed up may vary.
  • The backup process is set up on the backup program agent to be installed on the desired computer and made over the network.
  • The control of the healthy retrieval of the backup is controlled by providing the reserves.
  • The physical safety of all reserves is also ensured.

4.3. Personal Data Security Breach Incidents Management

In the event that the personal data processed is seized/disclosed by third parties by unlawful means, even though all administrative and technical measures have been taken within the scope of the personal data processing activity carried out by K&P Legal;

  • Employees are primarily responsible for working in the face of personal data security breach incidents in order to respond quickly and regularly to personal data security breach incidents. In such a case, the employee is primarily obliged to notify the address.
  • “Disciplinary Policy” is carried out by keeping a “Violation Notification Report” against employees who do not comply with the processes and requirements to be followed in the event that attitudes, behaviors and incidents that violate the rules and which are contrary to the provisions stated in the regulations published within the framework of the law.
  • In cases where support is required from the external units or firms related to the identified event, the primary responsibility for establishing and maintaining communication is the liaison person registered with VERBIS.
  • The contact person is obliged to notify the data subject and the board within 72 hours of the violation and incident notification.
  • K&P Legal is also obliged to notify the persons affected by such data breach within a reasonable period of time by appropriate means, such as if the contact address of the person is available directly or if it is not available via K&P Legal’s website.
  • In the event that the notification cannot be made within 72 hours, K&P Legal is obliged to inform the Board of the reasons for the delay along with the notification to be made to the Board on a justified basis.
  • The “Personal Data Infringement Notification Form” published by the Board shall be used in the notification to be made to the Board.
  • In cases where it is not possible to provide the information contained in the form at the same time, this information will be provided gradually without delay.
  • Information, effects and measures taken by K&P Legal regarding data breaches will be recorded and the Board will be prepared for its review.

4.4. Conducting Audit Activities related to The Protection of Personal Data

The operation of the technical and administrative measures taken by K&P Legal within the scope of the protection and security of personal data are monitored and the practices that will ensure the continuation of the operation are carried out. The results of the audit activities carried out within this scope are reported to the KVK Committee and the relevant department within K&P Legal. In line with the audit results, activities are carried out to improve and improve the measures taken for the protection of data.


At the end of the period stipulated in the relevant legislation or the retention period required for the purpose for which they are processed, personal data shall be destroyed by K&P Legal in accordance with the provisions of the relevant legislation and again upon the application of the relevant person by the following techniques.

5.1. Erasure of Personal Data

Personal data is deleted by the methods provided in Table-1.

Table 1: Erasure of Personal Data

Data Recording EnvironmentDescription
Personal Data on ServersFor those who require storage of personal data on servers, the Information Processing Department will remove the access authority of the relevant users and delete them.
Personal Data In Electronic MediaThose whose period of time requiring the storage of electronically contained personal data will be rendered inaccessible and reusable in any way to other employees (related users) except the Information Processing Department.
Personal data in the physical environment For those who require storage from personal data held in a physical environment, it is rendered inaccessible and reusable in any way to other employees except those responsible for the document archive. In addition, the blackout process is applied by scratching/painting/deleting it so that it is unreadable.
Personal Data in Portable MediaThose requiring storage of personal data held in flash-based storage environments are encrypted by the It Department and accessed only to the Information Processing Manager, and in secure environments with encryption keys stored.

5.2. Destruction of Personal Data

Personal data is destroyed by K&P Legal using the methods provided in Table-2.

Table 2: Destruction of Personal Data

Data Recording EnvironmentDescription
Personal data in the physical environment Those that require storage from personal data in a paper environment are irrevocably destroyed in paper clippers.
Personal Data in Optical/ Magnetic MediaThe process of physical destruction, such as melting, burning or powdering those who expire, which require storing from personal data in optical media and magnetic media, is applied. In addition, magnetic media is passed through a special device and exposed to a high-value magnetic field, making the data unreadable.

5.3. Anonymizing of Personal Data

Anonymization of personal data is the rendering of personal data to be innovated in any way to an identified or identifiable real person, even if it is matched with other data.
For personal data to be anonymized; personal data must be returned by the data controller or third parties and/or made unrelatable to a specific or identifiable real person, even through the use of appropriate techniques in terms of the recording environment and related area of activity, such as matching the data with other data.


In relation to the personal data being processed by K&P Legal within the scope of its activities;

  • Retention periods based on personal data related to all personal data within the scope of activities based on processes are stored in the Personal Data processing Inventory.
  • Retention times by data categories are recorded to VERBIS.
  • Process-based retention periods are included in the Personal Data Retention and Destruction Policy.

For personal data whose retention period has expired, deletion by themselves, destruction, or anonymizing is performed.


In accordance with Article 11 of the regulation, K&P Legal has set the period of periodic destruction as 6 months. December and June of each year, periodical destruction process is carried out in the institution.


Owners of personal data defined as the data subject in the law are entitled to make certain requests for the processing of their personal data in Article 11 of the Law.

In accordance with the first paragraph of Article 13 of the Law; K&P Legal responsible for the data must be forwarded to us in writing of applications for these rights or by other methods determined by the Board to the Data Controller in the Notification of The Application Procedures and Principles.

In this context, applications to be made K&P Legal- Erdal KARDAS Yelda TOPUZ KARDAS Partnership as “written”, by taking the output of the application form;

  • With the applicant’s personal application,
  • Through the notary,
  • by authenticating the return by registered mail,
  • Through the e-mail address (,

be forwarded to us.


This Policy here by will be updated by K&P Legal KVK Committee at least once a year and updated if necessary. K&P Leagal KVK Committee is authorized and responsible for the enactment, modification, execution and repeal of this policy.


This Policy has been approved by senior management and 01.01.2019 effective date.