RONA LEGALGlobal Law & Consultancy

Privacy Notice — KVKK & GDPR

Last Updated: 27 April 2026

This Privacy Notice describes how RoNa Legal Hukuk Bürosu ("RoNa Legal", "the Firm", "we") processes the personal data of visitors to our website (https://www.ronalegal.com) and recipients of our legal services. It is published in compliance with both the Turkish Personal Data Protection Law No. 6698 ("KVKK") Article 10 and the EU General Data Protection Regulation ("GDPR") Articles 13 and 14.

If you are an EU-based visitor, the GDPR provisions described below apply to you in addition to KVKK. Where the two regimes diverge in practice, we apply whichever standard is stricter.

1. Data Controller

Pursuant to KVKK Article 3/1(ı) and GDPR Article 4(7), the data controller is:

  • Name: RoNa Legal Hukuk Bürosu
  • Av. Rohat Kahraman — Kocaeli Bar Association Reg. No: 4440
  • Av. Nazlican Hilaloğulları — Kocaeli Bar Association Reg. No: 4623
  • Montenegro Office: TQ Plaza, Budva, Montenegro
  • Türkiye correspondence: postal address is published on our contact page
  • Phone (Türkiye): +90 530 277 0845
  • Phone (Montenegro): +382 68 609 165
  • Email: info@ronalegal.com
  • Website: https://www.ronalegal.com

2. Categories of Personal Data Processed

Pursuant to KVKK Article 3/1(d) and GDPR Article 4(1), we process the following categories of personal data:

  • Identity data: name, surname, title
  • Contact data: email address, telephone number
  • Inquiry content: messages submitted through the contact form; case-file information (only after engagement letter signed)
  • Cookies and traffic data: anonymized IP address, browser and device information, pages visited, time spent, referring URL
  • Marketing preference data: cookie consent, email subscription status (only with explicit consent)

3. How We Collect Personal Data

Personal data is collected through the following channels:

  • Contact and consultation request forms on this website
  • Email correspondence
  • Phone calls
  • Case files (after engagement letter signed, governed by the Turkish Attorney Act)
  • Cookie technology (detailed in our Cookie Policy)
  • Third-party integrations: Google Analytics 4, Microsoft Clarity (only with explicit consent)

4. Purposes of Processing

Personal data is processed solely for the following purposes, in accordance with KVKK Article 4(2) and GDPR Article 5(1):

  • Providing legal advisory and attorney services
  • Establishing, maintaining, and terminating the attorney-client relationship
  • Fulfilling legal obligations under the Attorney Act, Bar Association regulations, and other applicable law (tax filings, Bar reporting, registry obligations)
  • Measuring and improving website performance (only with the visitor's explicit consent)
  • Defending our legal rights when required by legal proceedings
  • Sending informational emails (only when subscribed via explicit opt-in; unsubscribe always available)

5. Lawful Bases for Processing

Pursuant to KVKK Articles 5–6 and GDPR Article 6, processing is based on one or more of the following lawful bases:

  • KVKK 5(1) and GDPR 6(1)(a) — Consent: marketing, cookie-based analytics, voluntary contact form submissions
  • KVKK 5(2)(c) and GDPR 6(1)(b) — Contract: processing required to deliver attorney services under an engagement letter
  • KVKK 5(2)(ç) and GDPR 6(1)(c) — Legal obligation: Attorney Act Article 35 (confidentiality), Article 36 (file retention), Code of Obligations No. 6098 (financial records), tax and Bar obligations
  • KVKK 5(2)(f) and GDPR 6(1)(f) — Legitimate interests: site security, fraud prevention, system administration (without overriding the data subject's fundamental rights and freedoms)

6. Transfers

6.1 Domestic Transfers

  • Union of Turkish Bar Associations and Kocaeli Bar — legal obligation
  • Independent counsel from whom we obtain ad-hoc advisory support — file-scope only, under non-disclosure agreement
  • Public authorities — only by court order or legal requirement
  • Tax advisors and accounting service providers — for tax and financial-record obligations

6.2 International Transfers

Our website infrastructure relies on cloud-based service providers. Pursuant to KVKK Article 9 and GDPR Chapter V, international transfers are governed by Standard Contractual Clauses (SCCs):

  • Vercel Inc. (USA) — hosting and CDN. SCCs and DPA executed
  • Sanity.io (USA/EU) — content management system. SCCs and DPA executed
  • Resend Inc. (USA) — transactional email. SCCs and DPA executed
  • Google LLC (USA) — Google Analytics 4. Consent Mode v2 ensures no processing without explicit consent. SCCs and DPA executed
  • Microsoft Corporation (USA) — Microsoft Clarity. SCCs and DPA executed. PII auto-masked
  • Upstash Inc. (USA/EU) — rate-limit cache. DPA executed

7. Retention Periods

Your data is retained for the following periods:

  • Client case files: 5 years from completion (Attorney Act Article 36)
  • Contact form submissions: 1 year (unless deletion requested)
  • Financial records: 5 years (Tax Procedure Law)
  • Google Analytics 4: 14 months (default setting)
  • Microsoft Clarity: auto-deleted after 13 months (platform default)
  • Cookie data: per-cookie retention specified in our Cookie Policy
  • Marketing subscription: 6 months after unsubscribe

8. Data Subject Rights

Pursuant to KVKK Article 11 and GDPR Articles 15-22, you have the following rights:

  • Right of access (KVKK 11(a), GDPR Article 15)
  • Right to be informed about processing (KVKK 11(b))
  • Right to know whether data is used for the stated purposes (KVKK 11(c))
  • Right to know recipients in domestic and international transfers (KVKK 11(ç))
  • Right to rectification (KVKK 11(d), GDPR Article 16)
  • Right to erasure / right to be forgotten under conditions in KVKK Article 7 (KVKK 11(e), GDPR Article 17)
  • Right to require notification of erasure to third-party recipients (KVKK 11(f))
  • Right to object to automated decision-making producing adverse effects (KVKK 11(g), GDPR Article 22)
  • Right to compensation for damages caused by unlawful processing (KVKK 11(ğ))
  • Right to restriction of processing (GDPR Article 18)
  • Right to data portability (GDPR Article 20)
  • Right to withdraw consent at any time (KVKK 5(1), GDPR Article 7(3))

9. How to Exercise Your Rights

Per the Notice on the Procedures and Principles of Application to the Data Controller, you may submit a request through the following channels:

  • Email: info@ronalegal.com — use "GDPR Request" or "KVKK Application" as the subject line
  • Postal: written address provided upon request

Pursuant to KVKK Article 13(2) and GDPR Article 12(3), we will respond to your request within 30 days at no cost. A reasonable fee may apply if the request is manifestly unfounded or excessive.

10. Right to Lodge a Complaint with a Supervisory Authority

If you are dissatisfied with our response or believe processing is unlawful, you may lodge a complaint with:

  • In Türkiye: Personal Data Protection Authority — https://www.kvkk.gov.tr
  • In the EU: the supervisory authority of your Member State of residence

11. Cookies

Our website uses technical, functional, and analytical cookies. For details please see our Cookie Policy: /en/legal/cookie-policy

12. Changes to This Privacy Notice

This Privacy Notice may be updated to reflect legal or business changes. Material changes will be announced on the homepage of our website and, where appropriate, communicated via email to subscribers.