Privacy Policy
Your privacy is important to us. This policy outlines how we collect, use, and protect your personal information.
LANSARIN GROUP PRIVACY POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
SECTION 1: INTRODUCTION, IDENTITY OF THE DATA CONTROLLER, AND DEFINITIONS
1.1. Introduction
LANSARİN ULUSLARARASI İDARİ DANIŞMANLIK VE TERCÜMANLIK TİCARET LİMİTED ŞİRKETİ and LANSARIN INTERNATIONAL LTD. (hereinafter collectively referred to as the “Lansarin Group”, the “Company”, “We”, or “Us”) are highly committed to protecting the security and privacy of your personal data. Accordingly, we handle all personal data belonging to our customers, potential customers, employees, employee candidates, interns, visitors, business partners, suppliers, and all other relevant third parties with the utmost care and in compliance with all applicable national and international legislation, including but not limited to the Republic of Turkey's Law on the Protection of Personal Data No. 6698 (“KVKK”), the European Union's General Data Protection Regulation 2016/679 (“GDPR”), and the United Kingdom's Data Protection Act 2018 (“UK GDPR”).
This Privacy Policy (the “Policy”) has been prepared to transparently explain what personal data we collect; the purposes and legal grounds for processing such data; to whom and for what reasons it is transferred; our data retention periods; the technical and administrative measures implemented to ensure data security; and your rights as a data subject concerning the personal data processed by the Lansarin Group.
1.2. Data Controller
Within the scope of our personal data processing activities, the companies listed below may act as separate or, depending on the circumstances, joint data controllers, based on the purpose and means of processing.
Data Controller in Turkey:
- Trade Name: LANSARİN ULUSLARARASI İDARİ DANIŞMANLIK VE TERCÜMANLIK TİCARET LİMİTED ŞİRKETİ
- Registered Address: Öğretmenevleri Mah. 922. Sok. No: 3/15 Konyaaltı/ANTALYA 07070 Turkey
- Telephone Number: +90 242 606 0004
- Email Address: kvkk@lansarin.com
- Registered Electronic Mail (KEP) Address: lansarin@hs01.kep.tr
- National Electronic Notification Address (UETS): 25828-19390-67798
Data Controller in the United Kingdom:
- Trade Name: LANSARIN INTERNATIONAL LTD
- Company Registration Number: 16332928 (England and Wales)
- Registered Address: 86-90 Paul Street EC2A 4NE London, United Kingdom
- Telephone Number: +44 20 4577 0145
Data Controller Contact Person:
- Name: Can Aleksander DANİLOV
- Email Address: can@lansarin.com
1.3. Definitions
For the purposes of this Policy, the following terms shall have the meanings ascribed to them below:
- Personal Data: Any information relating to an identified or identifiable natural person.
- Special Category Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning health or a natural person's sex life or sexual orientation; and data concerning criminal convictions and security measures.
- Data Subject: An identified or identifiable natural person whose personal data is processed (e.g., customer, employee, visitor).
- Processing of Personal Data: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Controller: The natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor: A natural or legal person which processes personal data on behalf of the controller.
- KVKK: The Law on the Protection of Personal Data No. 6698, published in the Official Gazette of the Republic of Turkey on April 7, 2016, No. 29677.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- The Board (Kurul): The Personal Data Protection Board of the Republic of Turkey.
- ICO (Information Commissioner's Office): The independent data protection authority in the United Kingdom.
SECTION 2: PRINCIPLES AND LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA
2.1. Our Principles for Processing Personal Data
The Lansarin Group undertakes to process your personal data in full compliance with the following fundamental principles, as set forth in Article 4 of the KVKK and Article 5 of the GDPR:
- a) Lawfulness, Fairness, and Transparency: We process your personal data lawfully, fairly, and in a transparent manner, in accordance with applicable legal regulations and general principles of law. We are diligent in fulfilling our obligation to inform data subjects.
- b) Accuracy: We take reasonable steps to ensure that the personal data we process is accurate and, where necessary, kept up to date. We diligently handle requests from data subjects to rectify or update their data.
- c) Purpose Limitation: We process your personal data only for specified, explicit, and legitimate purposes as outlined in this Policy and relevant privacy notices. We do not carry out processing activities beyond these stated purposes.
- d) Data Minimisation: We limit the personal data we collect to what is adequate, relevant, and necessary to achieve the specified purposes. We refrain from processing personal data that is not relevant or required.
- e) Storage Limitation: We retain your personal data for the period stipulated in the relevant legislation or for as long as necessary for the purpose for which it is processed. Upon the expiration of this period, we delete, destroy, or anonymise the data in accordance with the KVKK, GDPR, and other applicable laws.
- f) Integrity and Confidentiality: We ensure the integrity and confidentiality of your data by implementing appropriate technical and administrative security measures to protect it against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
2.2. Legal Bases for Processing Personal Data
Your personal data is processed based on one or more of the following legal grounds, in accordance with Article 5 of the KVKK and Article 6 of the GDPR:
- a) Consent of the Data Subject: Where no other legal basis applies, your personal data may be processed based on your freely given, specific, informed, and unambiguous consent for a particular purpose.
- b) Explicitly Provided for by Law: Where the processing activity is explicitly required by applicable laws (e.g., Turkish Tax Procedure Law, Turkish Commercial Code, Labour Law).
- c) Necessity for the Performance of a Contract: Where the processing of your personal data is necessary for the establishment or performance of a contract to which you are a party (e.g., processing contact and identity information to issue an invoice under a service agreement).
- d) Necessity for Compliance with a Legal Obligation: Where processing is necessary for our Company to comply with its legal obligations (e.g., responding to lawful requests from competent public authorities and institutions).
- e) Necessity for the Establishment, Exercise, or Defence of Legal Claims: Where processing is necessary for the establishment, exercise, or protection of the legal rights of our Company or data subjects (e.g., in the event of a legal dispute).
- f) Data Made Public by the Data Subject: Where you have manifestly made your personal data public yourself.
- g) Necessity to Protect Vital Interests: Where processing is necessary to protect the vital interests of the data subject or another person, particularly in urgent situations where a person is physically or legally incapable of giving consent.
- h) Necessity for Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by our Company, such as conducting our operations, improving service quality, or protecting our administrative or commercial interests, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject. A balancing test is conducted in such cases (e.g., using surveillance cameras to ensure workplace security).
2.3. Legal Bases for Processing Special Category Personal Data
Special category personal data is subject to stricter protective measures due to its sensitive nature. Such data is processed in accordance with Article 6 of the KVKK and Article 9 of the GDPR, only when one of the following conditions is met:
- a) Explicit Consent of the Data Subject: The primary legal basis for processing your special category data is your explicit consent.
- b) Cases Provided for by Law: Special category personal data other than health and sexual life (e.g., race, ethnic origin, political opinions) may be processed without explicit consent in cases stipulated by law.
- c) Processing of Data Concerning Health and Sexual Life: Your personal data concerning health and sexual life may be processed without your explicit consent only by persons under an obligation of secrecy or by authorised institutions and organisations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing (e.g., processing employee health data as part of occupational health and safety obligations).
- d) Other Conditions under GDPR and UK GDPR: Additionally, special category data may be processed under other exceptional circumstances specified in the GDPR and UK GDPR, such as when processing is necessary for carrying out obligations in the field of employment and social security law, or for the establishment, exercise, or defence of legal claims.
SECTION 3: CATEGORIES OF PERSONAL DATA PROCESSED, PURPOSES OF PROCESSING, AND DATA SUBJECT GROUPS
3.1. General Overview
To conduct its business activities, the Lansarin Group collects and processes personal data from the data subject groups defined below, for the specified purposes and within the data categories also outlined below. This section provides a detailed explanation of which data categories are collected, for what purposes, and from whom.
3.2. Data Subject Groups
The groups of data subjects whose personal data are processed within the scope of this Policy are as follows:
- Customer (Recipient of Products or Services): Natural persons who use or have used the products and services offered by our Company.
- Potential Customer: Natural persons who have shown interest in our products and services or have made an inquiry but are not yet customers.
- Employee: Personnel providing services within our Company under an employment contract.
- Employee Candidate: Natural persons who have applied for a job, shared their CV and related information with our Company, or have been interviewed.
- Intern: Students or recent graduates participating in internship programs within our Company.
- Visitor: Natural persons who visit our Company's physical premises (e.g., offices) or websites.
- Shareholder/Partner: Natural persons who are shareholders or partners of our Company.
- Supplier Employee / Representative: Employees or officials of entities from which our Company procures goods or services or with which it has a business relationship.
- Parent/Guardian/Legal Representative: Natural persons acting legally on behalf of minors or data subjects lacking legal capacity.
- Individual Featured in Communications: Natural persons who are the subject of news, bulletins, or promotional materials within the scope of our activities.
- Examination Candidate: Natural persons who participate in examinations organised or facilitated by our Company.
3.3. Detailed Breakdown of Data Categories, Purposes, and Data Subject Groups
3.3.1. Identity Information
- Scope: Information that identifies a person, such as full name, parents' names, mother's maiden name, date and place of birth, marital status, T.R. identity number, and national ID card serial/sequence number.
- Data Subject Groups: Employee, Employee Candidate, Shareholder/Partner, Potential Customer, Intern, Customer, Parent/Guardian/Legal Representative, Visitor, Individual Featured in Communications.
- Purposes of Processing: To conduct processes related to: Emergency Management, Information Security, Employee Candidate/Intern Selection and Placement, Employee Applications, Fulfilling Obligations from Employment Contracts and Legislation, Finance and Accounting, Physical Space Security, Legal Affairs, Communication Activities, Human Resources Planning, Execution/Auditing of Business Activities, Occupational Health and Safety, Customer Relationship Management, Advertising/Campaigns/Promotions, Risk Management, Storage and Archiving, Contracts, Request/Complaint Management, Remuneration Policy, Marketing of Products/Services, Work/Residence Permits for Foreign Personnel, Investments, Providing Information to Authorised Institutions, Management Activities, and Visitor Registration.
3.3.2. Contact Information
- Scope: Information that enables contact with the data subject, such as address, email address, registered electronic mail (KEP) address, and telephone number.
- Data Subject Groups: Employee, Employee Candidate, Shareholder/Partner, Potential Customer, Intern, Supplier Employee, Customer, Parent/Guardian/Legal Representative, Visitor, Individual Featured in Communications.
- Purposes of Processing: In addition to the purposes listed in the preceding section, this data is used for: Managing Access Authorisations, Company/Product/Service Loyalty, Assignments, Internal Audits/Investigations, Business Process Improvement, Business Continuity, Performance Evaluations, Social Responsibility, Strategic Planning, Ensuring Security of Data Controller Operations, and Talent/Career Development.
3.3.3. Location Information
- Scope: Real-time or historical location data of the data subject.
- Data Subject Groups: Employee, Employee Candidate, Shareholder/Partner, Potential Customer, Intern, Customer, Parent/Guardian/Legal Representative, Visitor, Individual Featured in Communications.
- Purposes of Processing: To conduct processes related to: Emergency Management, Information Security, Assignments, Legal Affairs, Communications, Human Resources, Customer Relations and Satisfaction, Advertising/Campaigns/Promotions, Risk Management, Contracts, Request/Complaint Management, Remuneration Policy, Marketing of Products/Services, Ensuring Security of Data Controller Operations, Work/Residence Permits for Foreign Personnel, Providing Information to Authorised Institutions, Management Activities, and Visitor Registration.
3.3.4. Personnel Information
- Scope: Information held within an employee's personnel file under the employment contract, such as payroll details, disciplinary investigation records, entry/exit documents, declarations of property, CV information, and performance evaluation reports.
- Data Subject Groups: Employee, Employee Candidate, Shareholder/Partner, Intern. (Also indirectly Parent/Guardian/Legal Representative, Customer, Individual Featured in Communications).
- Purposes of Processing: To manage processes for: Employee Candidate/Intern Selection and Placement, Employee Applications, Fulfilling Obligations from Employment Contracts and Legislation, Employee Fringe Benefits and Interests, Audit/Ethical Activities, Access Authorisations, Legal Affairs, Providing Information to Authorised Institutions, and Management Activities.
3.3.5. Legal Transaction Information
- Scope: Data pertaining to legal processes, such as correspondence with judicial and administrative authorities, and information from lawsuit and enforcement files.
- Data Subject Groups: Employee, Employee Candidate, Shareholder/Partner, Potential Customer, Intern, Examination Candidate, Supplier Employee/Representative, Customer, Parent/Guardian/Legal Representative, Visitor, Individual Featured in Communications.
- Purposes of Processing: Primarily for Ensuring Compliance of Activities with Legislation and the Follow-up and Execution of Legal Affairs, as well as managing all legal processes to which the Company is a party and fulfilling legal obligations.
3.3.6. Customer Transaction Information
- Scope: Data related to commercial transactions with the customer, such as call centre records, invoices, promissory notes, cheques, order details, and request information.
- Data Subject Groups: Customer, Potential Customer, Parent/Guardian/Legal Representative, Visitor, Individual Featured in Communications.
- Purposes of Processing: To manage: Sales and After-Sales Support Processes for Goods/Services, Finance and Accounting Affairs, Customer Relationship Management, Request/Complaint Management, Contract Processes, Risk Management, Advertising/Campaign/Promotion Activities, and Providing Information to Authorised Institutions.
3.3.7. Physical Space Security Information
- Scope: Entry and exit logs for Company premises and security camera (CCTV) recordings.
- Data Subject Groups: All individuals present on Company premises (e.g., Employees, Visitors, Customers, Supplier Employees).
- Purposes of Processing: To ensure Physical Space Security, Emergency Management, Information Security, Visitor Registration and Tracking, Internal Audits and Investigations, Execution of Legal Affairs, and Providing Information to Authorised Institutions upon request.
3.3.8. Transaction Security Information
- Scope: Digital footprints created when using the Company's IT systems, such as IP addresses, website access logs, and password/passphrase information.
- Data Subject Groups: All individuals who use the Company's IT systems or online platforms.
- Purposes of Processing: For the Execution of Information Security Processes, Ensuring the Security of Data Controller Operations, Ensuring Compliance of Activities with Legislation, Internal Audits/Investigations, Auditing of Business Activities, and for use as evidence in legal disputes.
3.3.9. Risk Management Information
- Scope: Information processed to manage the Company's commercial, technical, and administrative risks.
- Data Subject Groups: All individuals who may be relevant to the respective processes.
- Purposes of Processing: For the Execution of Risk Management Processes, Emergency Management, Follow-up of Legal Affairs, Finance and Accounting Operations, and Audit and Ethical Activities.
3.3.10. Professional Experience Information
- Scope: Information regarding a person's educational and career history, such as diplomas, courses attended, professional training, certificates, and transcripts.
- Data Subject Groups: Employee, Employee Candidate, Intern, Shareholder/Partner, and consultants from whom services are procured.
- Purposes of Processing: For Employee Candidate/Intern Selection and Placement, Planning of Human Resources Processes, Talent/Career Development Activities, Assignment Processes, and Performance Evaluations.
3.3.11. Special Category Personal Data This category of data is subject to a higher level of protection under KVKK and GDPR and is processed only in exceptional cases permitted by law or with the explicit consent of the data subject.
- Visual and Auditory Records: Includes photographs, video recordings, and audio recordings. Processed for purposes such as physical space security, event management, promotional and advertising activities, and the auditing of business processes.
- Racial and Ethnic Origin Information: Processed only on the basis of explicit consent or a legal obligation, where required for legal compliance (e.g., for foreign personnel work permits) or for social responsibility projects such as combating discrimination.
- Health Information: Data such as disability status, blood type, and health information necessary for emergency response. Processed primarily to fulfil Occupational Health and Safety obligations, provide emergency medical intervention, and make assignments suitable for employees' health conditions, under an obligation of secrecy.
- Information on Criminal Convictions and Security Measures: Information such as criminal records. Processed only where explicitly permitted and required by relevant legislation for purposes such as verifying trustworthiness for certain positions, with all necessary administrative and technical measures in place.
SECTION 4: TRANSFER OF PERSONAL DATA (DOMESTIC AND INTERNATIONAL)
4.1. General Principles
The Lansarin Group may transfer your personal data to third parties in full compliance with the principles set out in Section 2 and for the purposes detailed in Section 3 of this Policy. All transfers are conducted in accordance with the provisions of Article 8 (domestic transfers) and Article 9 (international transfers) of the KVKK, and Chapter V of the GDPR (transfers of personal data to third countries or international organisations). In all data transfers, we implement the necessary technical and administrative measures to ensure the security of the data.
4.2. Domestic Transfer of Personal Data
Where required by our processing purposes and permitted by applicable legislation, your personal data may be transferred to the following recipient groups located within the country:
- a) Authorised Public Institutions and Organisations: To fulfil our legal obligations, your personal data may be shared, limited to the scope of the request, with public institutions and organisations legally authorised to request information, such as courts, prosecutor's offices, ministries, the Social Security Institution (SGK), and tax offices. Such transfers are based on the legal grounds of being "explicitly provided for by law" and "compliance with a legal obligation of the data controller."
- b) Business Partners: Data may be transferred to our business partners with whom we collaborate to carry out our activities, develop joint projects, or receive services, to the extent necessary for the purpose of the partnership. These transfers are generally based on the legal grounds of "performance of a contract" or "our legitimate interests" and are secured through confidentiality agreements.
- c) Suppliers and Service Providers: We may share data with external service providers to sustain our operational activities, including but not limited to accounting and financial advisory firms, law firms, independent audit companies, information technology and cloud service providers, server and hosting companies, banks and financial institutions, travel agencies, and security companies. These parties generally act as "Data Processors," and the security and confidentiality of personal data are ensured through contracts executed with them.
- d) Group Companies: Data may be transferred between LANSARİN ULUSLARARASI İDARİ DANIŞMANLIK VE TERCÜMANLIK TİCARET LİMİTED ŞİRKETİ and LANSARIN INTERNATIONAL LTD. based on our legitimate interests for purposes such as the execution of administrative activities, centralised reporting, internal audits, efficient use of resources, and the operation of common systems and processes.
- e) Natural Persons or Private Legal Entities: In circumstances where it is necessary for the establishment, exercise, or defence of a legal claim, data may be transferred within legal limits to other natural or legal persons who are parties to the legal process.
4.3. International Transfer of Personal Data
Due to the international structure of the Lansarin Group, its global business partners, and certain IT infrastructures it utilises (e.g., cloud-based software, email servers), personal data may be transferred abroad. This includes transfers from our company in Turkey to our company in the United Kingdom and vice versa. International transfers of personal data are carried out only if one of the following legal safeguards is in place:
- a) Explicit Consent: In cases where other conditions cannot be met, based on the data subject's explicit consent, obtained after being informed of the potential risks associated with the transfer.
- b) Transfers to Countries with an Adequacy Decision: The transfer is made to a country that is on the list of "countries with an adequate level of protection" as declared by the Turkish Personal Data Protection Board ("the Board"). Under the GDPR, this includes transfers to countries for which an "adequacy decision" has been issued by the European Commission or the United Kingdom.
- c) Transfers Subject to Appropriate Safeguards: If the destination country does not have an adequate level of protection, the Lansarin Group undertakes to provide the appropriate safeguards required under the KVKK and GDPR. These safeguards may include:
- The execution of Standard Contractual Clauses (SCCs) approved by the European Commission or the ICO, or for transfers from Turkey, the signing of Undertakings (Taahhütname) approved by the Board between the parties.
- The existence of Binding Corporate Rules (BCRs) approved by the Board or the relevant European Data Protection Authority for intra-group data transfers.
- Other derogations specified by law (e.g., where the transfer is necessary for the performance of a contract or for important reasons of public interest).
In all international transfer processes, our primary priority is to ensure that your data is protected at a level at least equivalent to that in Turkey and the European Union.
SECTION 5: DATA RETENTION PERIODS AND DISPOSAL
5.1. General Principles of Data Retention
The Lansarin Group retains personal data in accordance with the principles of "data minimisation" and "storage limitation."
Accordingly, your personal data is retained:
- For the duration of any statutory retention period applicable to the relevant data category (e.g., under the Turkish Commercial Code, Tax Procedure Law, or Labour Law), or;
- If no statutory period is stipulated, for the period necessary to fulfil the purpose for which the data was processed.
The determination of retention periods takes into account legal obligations, statutes of limitation for potential legal disputes, and the purpose of the data processing. Once the processing purpose ceases to exist and/or the statutory retention periods expire, your personal data is disposed of using the methods described below.
5.2. Retention Periods by Data Category
The retention periods specified below are established as a general rule and may vary in the event of a legal obligation or an ongoing legal process.
- Identity Information: As a general rule, for 10 years from the end of the commercial relationship, to fulfil legal obligations and protect rights arising from the relationship.
- Contact Information: For marketing communications, until consent is withdrawn; for other purposes, for 10 years from the end of the relationship.
- Location Information: For the period required by the processing purpose, but not exceeding 10 years.
- Personnel Information: For employees, for 10 years from the termination of the employment contract, as required by legal obligations.
- Legal Transaction Information: For 10 years from the final conclusion of the legal process or dispute, taking into account statutory statutes of limitation.
- Customer Transaction Information: For 10 years from the date of the last transaction, as required by the Turkish Commercial Code and Tax Procedure Law.
- Physical Space Security Information: For a maximum of 1 year, unless a legal obligation or legitimate interest requires a longer period.
- Transaction Security Information: For 10 years, taking into account legal obligations (e.g., Turkish Law No. 5651).
- Risk Management Information: For 10 years from the completion of the risk management process.
- Professional Experience Information: For employees, for 10 years along with their personnel file. For unsuccessful employee candidates, if consent is obtained for consideration for future positions, for a reasonable period; otherwise, data is disposed of immediately upon the completion of the recruitment process.
- Visual and Auditory Records: As a general rule, for 10 years, although this may vary depending on the purpose of processing.
- Racial and Ethnic Origin Information: Disposed of immediately once the purpose of processing ceases; however, if there is a legal obligation (e.g., for a foreign employee's work permit file), it is retained for that period, up to a maximum of 10 years.
- Health Information: For employees, for 10 years as part of their personnel file, in accordance with legal obligations.
- Information on Criminal Convictions and Security Measures: Disposed of after a maximum of 1 year once the purpose of processing ceases or the legal obligation expires.
5.3. Disposal of Personal Data (Deletion, Destruction, or Anonymisation)
Personal data for which the retention period has expired is disposed of proactively in accordance with our Company's periodic disposal schedule (every 6 months) or upon the Data Subject's request, in line with the Turkish Regulation on the Deletion, Destruction, or Anonymisation of Personal Data. This disposal can be carried out using one of three methods:
- Deletion: The process of rendering personal data inaccessible and non-reusable for the relevant users (e.g., employees other than system administrators). This is achieved through methods such as executing a delete command for digital data or revoking access rights.
- Destruction: The process of rendering personal data inaccessible, irretrievable, and unusable by anyone. This is achieved by irreversibly destroying paper-based documents with shredders or by physically destroying the media on which digital data is stored (e.g., through melting, incinerating, or pulverising).
- Anonymisation: The process of modifying personal data in such a way that it can no longer be associated with an identified or identifiable natural person, even by matching it with other data.
The method of disposal to be used is determined by our Company based on the nature of the data, the medium in which it is stored, and its level of importance.
SECTION 6: DATA SECURITY MEASURES
6.1. Our Commitment to Data Security
As a Data Controller, the Lansarin Group undertakes, in accordance with Article 12 of the KVKK and Article 32 of the GDPR, to exercise the utmost care to ensure the security of the personal data it processes. In this context, we implement all necessary technical and administrative measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature of the processing, in order to:
- Prevent the unlawful processing of personal data,
- Prevent unlawful access to personal data,
- And ensure the preservation of personal data.
Our data security measures are regularly reviewed and updated in line with technological advancements.
6.2. Technical Measures
The primary technical measures we take to ensure the security of personal data within our IT infrastructure and technical processes are as follows:
- Cybersecurity: Network and application security are ensured through the use of up-to-date antivirus systems, firewalls, and intrusion detection and prevention systems. The implementation of these cybersecurity measures is continuously monitored.
- Encryption and Key Management: Sensitive data and data transfers are protected using secure encryption methods, and the management of these encryption keys is handled through secure protocols.
- Access and Authorisation Control: Access to personal data is restricted based on the "need-to-know" principle via a user account management and authorisation control system. Access logs are kept regularly and in a manner that prevents tampering.
- Data Integrity and Loss Prevention: Risks of data leakage and loss are minimised through measures such as data masking, data loss prevention (DLP) software, and the use of closed-system networks.
- Backup: Personal data is regularly backed up to prevent potential data loss, and the security of this backup data is ensured with the same level of diligence.
- Security Testing: Penetration tests are regularly conducted to verify the security of our systems.
- Cloud Security: The security of personal data stored in the cloud is ensured through contracts with service providers and the implementation of technological controls.
6.3. Administrative Measures
Our administrative measures, which enhance the effectiveness of technical controls and manage the human element, are as follows:
- Policies and Procedures: Corporate policies and procedures have been established and implemented for subjects such as personal data security, retention, and disposal.
- Authorisation Matrix and Segregation of Duties: A detailed authorisation matrix has been created for employees. The access rights of personnel who leave their position or change roles are immediately revoked.
- Training and Awareness: Regular training and awareness programs on personal data security and privacy are conducted for all employees.
- Contract Management: Data security and confidentiality clauses are included in all contracts with suppliers, business partners, and other data processors. We ensure these service providers are aware of data security requirements and periodically audit their practices.
- Confidentiality Agreements: Confidentiality agreements (or Non-Disclosure Agreements) are signed by all personnel who have access to personal data.
- Risk Analysis and Audit: Current risks and threats are regularly identified, and the compliance of our processes is verified through periodic and/or random internal audits.
- Reporting and Incident Management: A reporting system has been established for potential personal data security issues and breaches, ensuring a rapid response to such incidents.
- Data Minimisation: In accordance with the principle of "necessity," business processes are regularly reviewed to minimise the amount of personal data processed as much as possible.
6.4. Additional Measures for Special Category Personal Data
Due to the sensitive nature of special category personal data, the following additional measures are taken in line with the relevant decisions of the Turkish Personal Data Protection Board, in addition to the measures listed above:
- Separate protocols and procedures specifically for the security of special category personal data have been defined and implemented.
- Additional security controls are applied to the physical and electronic environments where this data is processed, stored, and/or accessed.
- If special category personal data is to be sent via email, it must be sent in an encrypted format and using a secure channel, such as a Registered Electronic Mail (KEP) or a corporate email account.
- For special category data transferred in paper format, a "classified document" status is used, and extra physical security measures are taken.
SECTION 7: RIGHTS OF THE DATA SUBJECT AND APPLICATION PROCEDURES
7.1. Your Rights under the KVKK and GDPR
Regarding the processing of your personal data, you have the right to apply to the Lansarin Group and exercise the following rights in accordance with Article 11 of the KVKK and the relevant articles of the GDPR:
- a) Right to Information and Access:
- To learn whether your personal data is being processed;
- If so, to request information regarding such processing;
- To learn the purpose of the processing and whether your data is used in line with that purpose;
- To know the third parties to whom your personal data is transferred, both domestically and abroad.
- b) Right to Rectification: To request the correction of your personal data if it is incomplete or has been processed incorrectly.
- c) Right to Erasure (Right to be Forgotten): To request the deletion, destruction, or anonymisation of your personal data when the reasons for its processing no longer exist.
- d) Right to Restriction of Processing: To request the restriction of the use of your data (except for storage) when you contest its accuracy or believe the processing is unlawful.
- e) Right to Notification to Third Parties: To request that any rectification, erasure, or destruction activities be notified to the third parties to whom your personal data has been transferred.
- f) Right to Object:
- To object to outcomes that adversely affect you which result from the analysis of your processed data exclusively through automated systems (e.g., automated credit scoring);
- To object, on grounds relating to your particular situation, to processing activities that we carry out based on our legitimate interests.
- g) Right to Data Portability: The right to receive your personal data, which you have provided to us and which is processed by automated means based on your consent or a contract, in a structured, commonly used, and machine-readable format, and the right to transmit that data to another data controller.
- h) Right to Withdraw Consent: If the processing of your personal data is based on your explicit consent, you have the right to withdraw your consent at any time (withdrawal will not affect the lawfulness of processing based on consent before its withdrawal).
- i) Right to Compensation: To request compensation for damages you have suffered due to the unlawful processing of your personal data.
7.2. Application Methods
To exercise your rights listed above, you may submit your requests, along with documents verifying your identity, using one of the following methods:
- By Written Application: You may apply in person with a signed petition or send it via a notary public to our addresses below:
- For Turkey: LANSARİN ULUSLARARASI İDARİ DANIŞMANLIK VE TERCÜMANLIK TİCARET LİMİTED ŞİRKETİ, Öğretmenevleri Mah. 922. Sok. No: 3/15 Konyaaltı/ANTALYA 07070 Turkey
- For the United Kingdom: LANSARIN INTERNATIONAL LTD, 86-90 Paul Street EC2A 4NE London, United Kingdom
- Via Registered Electronic Mail (KEP): For our company in Turkey, you may send an email to our KEP address: lansarin@hs01.kep.tr
- By Email:
- You may send an email to can@lansarin.com from the email address you have previously provided to our Company and which is registered in our systems.
- You may send an email signed with a secure electronic signature or mobile signature to can@lansarin.com.
Your application must clearly state your name, surname, T.R. identity number (for Turkish citizens) or nationality and passport number (for foreign nationals), your address of residence or place of business for notification purposes, your email address and telephone number (if available), and the subject of your request.
7.3. Responding to Applications
Your request will be concluded free of charge as soon as possible and, in any case, no later than thirty (30) days, depending on its nature. However, if the transaction requires an additional cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board. We reserve the right to request additional information or documents to verify your identity and prevent unauthorised applications.
7.4. Right to Lodge a Complaint
If your application is rejected, you find our response insufficient, or we do not respond in a timely manner, you have the right to lodge a complaint with the relevant data protection authority. This right can be exercised within 30 days from the date you receive our response, and in any event, within 60 days from the date of your initial application.
- For Turkey: The Personal Data Protection Authority (KVKK)
- For the United Kingdom: The Information Commissioner’s Office (ICO)
SECTION 8: POLICY AMENDMENTS AND EFFECTIVE DATE
8.1. Amendments to the Policy
The Lansarin Group reserves the right to amend this Privacy Policy in response to changes in legal regulations, technological developments, new business processes, or corporate needs.
All amendments to the Policy shall take immediate effect upon the publication of the updated text on our Company's official website. We will make reasonable efforts to inform data subjects of any material changes through email, notices on our website, or other effective communication channels.
Therefore, we recommend that you periodically review this Policy to stay informed about how your personal data is protected. The "Effective Date" and "Version" number at the top of the Policy will help you track the latest update.
8.2. Effective Date
This Privacy Policy shall enter into force on its date of publication, September 26, 2025, and will be made available to the public on all relevant platforms, including our Company's website. Upon the entry into force of this Policy, any previously published policies or statements on the same subject shall be superseded.
Third-Party Form Processing
Forms submitted on this website are delivered to us via the Web3Forms service (https://web3forms.com), which processes the submitted data solely to forward it to us by email and does not store it permanently.
This privacy policy is effective as of the date of publication and may be updated from time to time.