Personal Data Protection and GDPR Compliance Policy
Transparent Processing · Lawful Basis · Security Controls · Data Subject Rights
Atabaş Group is committed to processing personal data lawfully, fairly, securely and transparently. This policy explains how we collect, use, store, protect and manage personal data in connection with our business operations, website activities, commercial relationships and communications, in line with the General Data Protection Regulation, Regulation (EU) 2016/679, and applicable Turkish personal data protection rules, including Law No. 6698 on the Protection of Personal Data, KVKK, where relevant.
Quick Reference
- Policy Scope: Website visitors, customers, suppliers, partners, applicants, contacts
- Main Legal Framework: GDPR, KVKK, applicable commercial and tax rules
- Core Lawful Bases: Consent, contract, legal obligation, legitimate interests
- Main Data Categories: Identity, contact, business, technical, transaction, communication
- International Transfers: Restricted, documented and safeguarded where required
- Security Measures: Access controls, encryption, review, training, vendor controls
- Data Retention: Only for as long as necessary and legally required
- Data Rights: Access, rectification, erasure, restriction, objection, portability, consent withdrawal
- Contact Email: [email protected]
- Last Updated: 9 March 2026
A governance standard built on clarity and accountability
A strong data protection page should not read like a generic template. It should explain what is processed, why it is processed, on what legal basis, for how long, with what safeguards and with what rights available to individuals.
This policy is designed to provide a clear and practical explanation of Atabaş Group's personal data protection approach. It applies to personal data processed through our website, contact channels, commercial relations, supplier and customer workflows, recruitment interactions, service and support communications and related business administration processes. It also supports broader privacy governance by aligning operational practice with transparency, data minimization, purpose limitation, storage limitation, integrity and confidentiality principles.
Where local law imposes additional or stricter requirements, we interpret and apply this policy in a way that supports lawful and responsible processing. Nothing in this page is intended to reduce or override rights granted under applicable data protection legislation.
Responsible data protection is not only a legal obligation. It is a trust obligation that strengthens commercial credibility, corporate governance and digital integrity.
Scope of application, defined with precision
This section keeps the practical scope of the current page, then refines it into a more accurate corporate compliance format.
Individuals acting on behalf of buyers, importers, suppliers, distributors and business contacts who submit inquiries, communicate with us or participate in commercial transactions.
Individuals whose personal data appears in vendor onboarding records, contractual communications, compliance checks, logistics coordination and invoicing related processes.
Individuals who browse our website, submit contact requests, use product request forms, manage cookie preferences or interact with web based communication features.
Individuals who submit applications, professional profiles, business credentials or introductory documents in connection with employment or collaboration opportunities.
Company officers, signatories, beneficial owners, delivery contacts or authorised representatives whose information may be processed during contractual and compliance workflows.
Any person whose data is reasonably necessary for documented business administration, legal compliance, dispute management, website security or legitimate operational review.
Personal data categories, without over collection
Only data that is relevant to a legitimate business or legal purpose should be processed. This section expands the current page but stays within realistic and necessary categories.
| Data Category | Examples | Typical Context |
|---|---|---|
| Identity Data | Name, surname, title, company role, signature authority details where required | Commercial communication, contracts, verification, onboarding |
| Contact Data | Email address, phone number, mailing address, company contact details | Support, sales, logistics, relationship management |
| Business and Professional Data | Company name, trade role, tax or registration related information, business credentials | Supplier and customer management, due diligence, documentation |
| Transaction Data | Orders, quotations, invoice data, delivery records, payment related references | Commercial execution, accounting, legal retention |
| Communication Data | Emails, inquiry forms, complaint messages, meeting notes, service interactions | Relationship handling, record keeping, dispute prevention |
| Technical and Usage Data | IP address, browser type, device information, cookie selections, website logs | Website security, analytics, consent management, performance |
| Recruitment Data | CV details, career history, references, education and application correspondence | Candidate review and recruitment administration |
| Compliance and Verification Data | Screening results, documentary checks, authority verification, sanctions related review records | Risk management, legal compliance, controlled commercial onboarding |
Purpose limitation, set out clearly
Good privacy governance requires that purposes be specific enough to be understood, yet broad enough to reflect real corporate operations.
To manage inquiries, quotations, product request workflows, contracts, shipments, invoicing, customer support and related transaction administration.
To respond to messages, coordinate with buyers and suppliers, arrange meetings, follow up on requests and maintain professional business relations.
To comply with tax, accounting, commercial, customs, sanctions screening, dispute management and other lawful obligations that apply to our operations.
To protect our website, prevent misuse, maintain security logs, improve performance and manage consent choices for cookies and related technologies.
To keep business records, manage vendor relations, maintain document history, support audits and administer corporate operations responsibly.
To provide newsletters, insights, event notices or promotional communication when the applicable legal basis exists, including consent where required.
The legal grounds that support processing
This section translates the current legal basis list into a stronger policy structure aligned with GDPR Article 6 and comparable lawful basis principles under applicable law.
| Lawful Basis | How It Applies | Examples |
|---|---|---|
| Consent | Where an individual gives a clear, informed and voluntary permission | Optional marketing messages, certain cookie categories, voluntary subscription activity |
| Contractual Necessity | Where processing is needed to enter into, perform or manage a contract | Quotation handling, order execution, delivery coordination, payment administration |
| Legal Obligation | Where we must process data to comply with a legal duty | Accounting retention, tax records, regulatory responses, lawful authority requests |
| Legitimate Interests | Where processing is reasonably necessary for a legitimate business purpose and does not override individual rights | Corporate communication, website security, fraud prevention, document management, limited B2B relationship administration |
| Legal Claims and Defence | Where necessary to establish, exercise or defend legal rights | Dispute handling, evidence preservation, claim response |
How data may be disclosed, only when justified
Data sharing should be limited, purposeful and subject to legal or operational necessity. This section refines the current page into a more credible disclosure model.
Personal data may be shared with carefully selected service providers such as technology vendors, hosting providers, accountants, legal advisers, logistics providers, payment related service partners and similar business processors, but only where the disclosure is relevant and contractually controlled.
Where required by law, court order, regulatory obligation or legitimate legal process, data may be disclosed to competent authorities, auditors or enforcement bodies within the scope of the applicable legal requirement.
Where personal data is transferred outside the European Economic Area or outside the primary jurisdiction of collection, such transfers are handled only where there is an appropriate legal basis and adequate safeguards, such as adequacy decisions, standard contractual clauses, contractual protections, technical security controls or another lawful transfer mechanism recognised by applicable law.
Storage limitation with documented rationale
Retention periods should reflect legal necessity, operational relevance and defensible record keeping. This section improves the current page with more structured examples while avoiding rigid promises where context may vary.
| Record Type | Illustrative Retention Logic | Typical Basis |
|---|---|---|
| Contracts, invoices and transaction records | Retained for the period required by accounting, tax, audit and legal record keeping obligations, often up to 7 years or longer where claims require | Legal obligation, contractual necessity, legal defence |
| Inquiry and business correspondence | Retained only for as long as relevant to business relationship management, follow up or legal record needs | Legitimate interests, contractual necessity |
| Marketing communication records | Retained until consent is withdrawn, objection is raised or the record is no longer operationally necessary | Consent, legitimate interests where lawful |
| Website logs and security records | Retained for a limited period appropriate to security, troubleshooting, misuse prevention and legal needs | Legitimate interests, legal obligation where relevant |
| Recruitment records | Retained for the duration of the recruitment process and a limited follow up period unless a longer retention basis exists | Legitimate interests, pre contractual steps, consent where appropriate |
When personal data is no longer required, we aim to delete, anonymise or securely archive it in accordance with legal and operational requirements. Retention periods may vary where legal claims, audits, investigations or regulatory preservation duties apply.
Rights that individuals can exercise with confidence
This section preserves the rights already mentioned on the live page, then expresses them more clearly and with a stronger corporate compliance structure.
You may ask whether we process your personal data and request access to the relevant information, subject to lawful limitations.
You may request correction of inaccurate, outdated or incomplete personal data that relates to you.
You may request deletion of personal data where a legal basis for continued processing no longer exists, subject to lawful exceptions.
You may request that processing be limited in certain cases, for example while accuracy or objection issues are being assessed.
Where legally applicable, you may request transfer of certain personal data in a structured and commonly used format.
You may object to certain processing activities, especially direct marketing, and you may withdraw consent where consent is the relevant legal basis.
Protecting personal data through technical and organisational controls
A good policy should explain not only rights and legal bases, but also how protection is operationally maintained.
Consent based web preferences, with user control
The current page refers users to the cookie policy. This version keeps that structure while making the role of cookies clearer.
Our website may use cookies, local storage elements, analytics tools and similar technologies to support essential site functions, remember user preferences, measure performance and, where permitted, improve communication and user experience. Not all cookies serve the same purpose. Some are strictly necessary, while others rely on your consent depending on applicable law and configuration.
You may be able to accept, reject or customise certain categories of cookies through our consent interface. For more detailed information about cookie categories, retention logic and browser level controls, please refer to our dedicated Cookie Policy page.
Escalation paths and regulatory recourse
An effective GDPR page should explain what happens if a person has a concern, and where they may turn if they remain dissatisfied.
We encourage individuals to contact us directly so we can review the concern, verify the relevant processing context and respond in a practical and documented manner.
Where permitted by law, individuals may lodge a complaint with the competent supervisory or data protection authority in the jurisdiction that applies to their case.
How to contact us about privacy matters
This section keeps the verified contact points already visible on the live page and reorganises them into a more refined legal page format.
| Contact Channel | Details |
|---|---|
| Email | [email protected] |
| Main Phone | +90 532 065 99 52 |
| Office Phone | +90 216 422 24 74 |
| Address | Küplüce Mahallesi Atlas Çiçeği Sokak No: 26/1, Üsküdar, İstanbul, Türkiye |
| Additional Corporate Presence | Ümraniye and Beşiktaş, İstanbul, and selected international contact presence as published on the website |
When contacting us regarding privacy matters, please provide enough detail to identify the relevant relationship, communication or transaction context so that your request can be reviewed accurately.
Practical answers for data protection questions
FAQ structure improves readability, search relevance and AI interpretation without adding claims that go beyond the actual policy scope.
Does this policy apply only to website users?
No. It applies more broadly to personal data processed in connection with website use, commercial relations, supplier and customer communications, recruitment processes and related business administration activities.
Does Atabaş Group process personal data for marketing?
Marketing related processing may occur where a lawful basis exists, including consent where required. Individuals can object to direct marketing or withdraw consent where consent is the applicable basis.
Can data be transferred internationally?
Yes, where operationally necessary and legally permitted. Such transfers are assessed carefully and are expected to be supported by appropriate safeguards and security measures.
How long is personal data kept?
Retention depends on the nature of the record, the legal basis for processing and applicable legal obligations. We aim not to keep personal data longer than necessary for the relevant purpose.
How can I exercise my GDPR or privacy rights?
You can contact us using the details listed in this policy. We may ask for identity verification or supporting context before taking action on a request.
Will this policy be updated?
Yes. We may update this page to reflect legal, regulatory, operational or website related changes. The most recent version will be the version published on our website.
Need assistance with a privacy related request?
Contact Atabaş Group for questions regarding data protection, privacy rights and lawful processing
Last updated, 9 March 2026

