GDPR — EU Data Protection
For data subjects who are European Union citizens or resident in the EU, Doğanay Siber Emniyet Teknolojileri ("DSET") applies the following policies as part of its General Data Protection Regulation (GDPR) compliance. This text is a supplement to the KVKK Disclosure Notice.
1. Data Controller
DSET — Doğanay Siber Emniyet Teknolojileri
Hacettepe Teknokent, Beytepe — Çankaya, Ankara, Türkiye
Email: [email protected] · Phone: +90 536 662 38 09
Although DSET does not have a Data Protection Officer (DPO) resident in the EU, the data protection officer can be reached directly via [email protected].
2. Legal Bases (Article 6)
- 6(1)(a) — Explicit consent (e.g. newsletter sign-up)
- 6(1)(b) — Performance of a contract (service agreement)
- 6(1)(c) — Legal obligation (tax, commercial registration)
- 6(1)(f) — Legitimate interest (information security, fraud prevention)
3. Special Categories (Article 9)
Special categories of personal data, such as health data, criminal-offence data or biometric data that may be encountered during digital forensics services, are processed only with the explicit consent of the data subject or under a judicial order. Such data is held in separate, encrypted storage and destroyed at the end of the service.
4. Rights of the Data Subject (Chapter III)
| Article | Right | Period |
|---|---|---|
| 15 | Right of access | 30 days |
| 16 | Right to rectification | 30 days |
| 17 | Right to erasure / to be forgotten | 30 days |
| 18 | Right to restriction of processing | 30 days |
| 20 | Data portability — in a structured format | 30 days |
| 21 | Right to object | At first processing |
| 22 | Right not to be subject to automated decision-making | — |
5. Data Transfers (Chapter V)
DSET does not carry out data transfers within the scope of GDPR Articles 44-49. All data processing operations take place within the borders of Türkiye. As Türkiye does not have an official adequacy decision from the EU Commission, transfers for EU data subjects are based on explicit consent or fall under the Article 49 derogations.
6. Data Breach Notifications (Article 33-34)
When a personal data breach is detected:
- the relevant supervisory authority is notified within 72 hours (KVKK)
- if it poses a high risk to data subjects, they are notified directly
- it is documented in the breach register
7. Children's Data (Article 8)
DSET services are not marketed directly to individuals under 18. When children's data is detected it is deleted immediately.
8. Right to Lodge a Complaint
If you are not satisfied with DSET's data processing practices:
- you may apply to the relevant EU Supervisory Authority
- for Türkiye: the Personal Data Protection Authority (KVKK)
- you can find the appropriate authority via the EDPB: edpb.europa.eu