Recent developments in data protection legislation have caused much activity in Turkey, introducing completely new compliance obligations, carrying significant structural and operational implications for companies. Moroğlu Arseven’s strong privacy and data protection practice offers a comprehensive approach, assisting with a full range of issues in this context, from assistance with data breaches and crisis management, through to full scope compliance programs or the role data plays during corporate transactions.
Moroğlu Arseven’s significant expertise and formulaic approach to data and privacy issues provide clients with the systematic analysis and wide-lensed legal risk assessment which is now necessary for Turkey. The firm can tailor the depth and breadth of advice to suit client requirements, from day-to-day questions through to planning and executing a full-scope regulatory compliance project.
The firm works closely with clients of all sizes and complexities, providing strategic guidance for acquiring, structuring, managing, transferring, using, anonymising, destroying and protecting personal data, including special categories of data which receive additional layers of protection. The firm has developed a market reputation for providing clear, quality and concentrated legal advice within this rapidly evolving and expanding area of Turkish law.
Moroğlu Arseven’s team understands the technical aspects of data, including how it is collected, stored, transferred, audited and secured, along with each step’s technical limitations, practical nuances and international best practices. These additional layers of knowledge ensure efficient client communication and enable Moroğlu Arseven to effectively apply legal considerations to each client’s individual processes and technology infrastructure, particularly during time critical security breaches.
Moroğlu Arseven’s broad experience enables the firm to effectively support clients to plan and launch new technology products or services, as well as advise on industry-specific data and privacy rules, such as healthcare, banking, finance, telecommunications, leisure, marketing, retail and e-commerce.
Comprehensive data protection compliance projects
Moroğlu Arseven has significant experience supporting large multinational clients to develop and implement comprehensive, end-to-end data protection compliance programs, often addressing high volumes of data or complex structures. These projects take various forms to suit each client’s requirements, from extensive full-scope projects through to top-down document compliance services.
Given the relatively new legislative requirements, data protection compliance projects can lead to significant and wide-reaching implications for how a company operates in Turkey. Moroğlu Arseven is sensitive to these aspects and integrates advice from other practice areas into these projects, to ensure implementation is as smooth as possible in the circumstances.
Compliance projects typically involve assisting clients to prepare data inventories and conduct legal risk analysis, working closely with individual business units to understand the full scope of their data collection, data flow, data storage and other processing activities. The firm then produces comprehensive reports to identify important legal risk areas, along with recommendations for action. Finally, Moroğlu Arseven supports with implementing the compliance scheme. Common aspects include establishing internal and external policies, assigning data protection responsibilities, establishing relationships with the data subjects, introducing data control and audit mechanisms, as well as creating methods for data storage, retention, amendment and destruction. The firm has notable experience drafting tailored and boilerplate agreements, privacy policies, procedures, statements and consents for clients.
Data protection retainer services
Moroğlu Arseven assists a range of domestic and multinational clients with data protection retainer services, helping with issues as they arise in each client’s day-to-day operations. The firm’s support addresses questions about how to deal with the data and privacy aspects of specific business circumstances or commercial arrangements. Common issues include drafting privacy policies, layered notices and consents, assessing supply-chain security, staff training for data processing and security, as well as questions about online profiling, cookies, marketing, information governance and records management. We also regularly guide clients on developments arising from new legislation or based on decisions from the Data Protection Board.
The firm has notable experience advising on requests from data subjects. Our support includes dealing with complaints, access requests, rectification, anonymization, deletion and data porting, as well as issues arising from sensitive data categories, the right to be forgotten, privacy by design and automated data processing or profiling.
The firm also provides proactive updates as further rules and development are released, including topics such as registration, licensing, reporting and management of disputes or investigations.
Representation and regulatory relations
Moroğlu Arseven has notable experience assisting clients with regulatory relations for data protection and privacy issues in Turkey. The firm has a strong track record representing clients before the Turkish Data Protection Authority and Data Protection Board during registrations, as well as instances such as security or data breaches, or other types of applications and communications which client must undertake under the Turkish Data Protection Law.
Data transfers
Moroğlu Arseven assists clients with all aspects of cross-border data structuring and data transfers, along with assessing multi-jurisdiction liability risks. We regularly assist clients to negotiate and draft cross-border data transfer or processing agreements. The firm’s support includes dealing with previously un-mapped data processing structures, blacklisted countries, as well as complicated transnational corporate structures.
We often assist clients with local implementation of GDPR-related compliance issues. Our experience includes working closely with the head-offices of multinational clients, supporting these to understand the differences between the Turkish and EU data protection regimes. Such projects often involve leveraging and localizing GDPR-related documents in Turkey.
Data breaches and security incidents
Moroğlu Arseven guides clients through the stressful and complicated steps which companies must follow when a security breach occurs, with a strong focus on ensuring responses are pragmatic and proportionate. We also advise during pre-emptive projects to develop policies, incident response procedures and technical protocols to guard against or mitigate these incidents. Moroğlu Arseven supports clients which face external attacks, unintentional information disclosures, as well as intentional data leaks. The firm has a strong reputation for understanding technical information security requirements and procedures for cyber risk control, as well as providing effective crisis management support, which controls the narrative and limits its impact.
Our support includes all aspects of assessing an incident’s legal implications, making immediate follow-ups or taking remedial steps, understanding any PCI DSS obligations, dealing with breach notifications, coordinating forensic technical experts, navigating multi-country disclosure requirements, as well as engaging with potential regulatory investigations.
The firm offers an integrated approach in this context, drawing together cross-disciple teams to assist clients with a full spectrum of issues which can arise from these critical incidents. These range from criminal, employment, insurance and contractual liability, through to conducting internal investigations and assessing litigation alternatives for addressing any unauthorized use and disclosure of personal information by third-parties.
Employee privacy
Moroğlu Arseven assists with the full spectrum of privacy and personal data issues which arise within the employment relationship. Issues in this context include collecting, processing, storing and deleting personal data about employees and job applicants, drafting employment agreements and policies, introducing outsourcing arrangements, dealing with BYOD practices and policies, as well as carrying out data audits and reviewing existing HR or recruitment processes.
Our support includes all privacy aspects of electronic employee monitoring, including intercepting emails or calls, conducting background and criminal checks, as well as using CCTV systems and collecting biometric information. We also support employers to deal with subject access requests in the context of employment disputes.
Personal data security and privacy issues play essential roles during disciplinary processes and internal investigations into suspected wrongdoing by employees. Moroğlu Arseven assists employers to develop robust systems for receiving such tips, which balance many competing interests, while simultaneously protecting employee and whistle-blower privacy concerns.
Data protection within corporate transactions
Personal data and privacy issues play increasing roles during transactional decision-making, particularly where transaction parties are based in different countries and potentially subject to different regulatory regimes. Similarly, databases of personal information often form part of the key assets being transferred. Moroğlu Arseven applies a privacy by design approach, to ensure clients integrate data-related sensitivities into all deal phases, from due diligence, through to deal structuring and negotiating representation or warranties.
Moroğlu Arseven closely integrates data protection advice into transactional context, including mergers, acquisitions, joint ventures, strategic partnerships and outsourcing arrangements. For instance, selecting which data to disclose or anonymize, establishing data processing agreements for data rooms, as well as assessing a target company’s data storage systems, data transfer practices and technical security mechanisms. We also assist with data issues in the context of regulatory processes, such as obtaining competition clearance, as well as implementation-related issues such as database integration and transitional services agreements.