DATA PROTECTION AGREEMENT
Last Updated: 01 January 2026

This Data Protection Agreement (“Agreement”) governs the processing of personal data within the scope of professional legal services provided by Aigerim Sabit Bikmaz, Attorney-at-Law, in accordance with the Turkish Law on the Protection of Personal Data No. 6698 (“KVKK”), Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), where applicable, the Attorneyship Act No. 1136, as well as all relevant secondary legislation, binding decisions, guidelines, and established practice of the Turkish Personal Data Protection Authority.

This Agreement is an integral part of the attorney–client relationship and shall be interpreted in light of statutory duties arising from the legal profession, including attorney–client privilege, professional secrecy, and the independence of the legal profession.

1. Parties

This Agreement is entered into between:

Aigerim Sabit Bikmaz, Attorney-at-Law, registered with the Ankara Bar Association under registration number 41640, having her registered address at Mustafa Kemal Mahallesi Dumlupınar Bulvarı No: 274/2 D:75, Çankaya, Ankara, Türkiye, Tax Identification Number 11793190618, Maltepe Tax Office (hereinafter referred to as the “Attorney”)

and

The client receiving legal services, whether a natural or legal person (hereinafter referred to as the “Client”).

The Attorney and the Client shall hereinafter be referred to individually as a “Party” and collectively as the “Parties”.

2. Definitions

For the purposes of this Agreement, the following terms shall have the meanings set out below.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under Article 3 of the Law No. 6698 on the Protection of Personal Data and Article 4(1) of the General Data Protection Regulation.

“Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, as regulated under Article 6 of the General Data Protection Regulation and Article 6 of the Law No. 6698.

“Processing” or “Processing of Personal Data” means any operation or set of operations performed on personal data, whether or not by automated means, including but not limited to the collection, recording, storage, adaptation, alteration, disclosure, transfer, retrieval, restriction, erasure, or destruction of personal data, as defined under Article 3 of the Law No. 6698 and Article 4(2) of the General Data Protection Regulation.

“Data Controller” means the natural or legal person who determines the purposes and means of the processing of personal data, within the meaning of Article 3 of the Law No. 6698 and Article 4(7) of the General Data Protection Regulation.

“Data Processor” means the natural or legal person who processes personal data on behalf of the Data Controller and upon its documented instructions, within the meaning of Article 3 of the Law No. 6698 and Article 4(8) of the General Data Protection Regulation.

“Data Subject” means the natural person whose personal data is processed.

“Data Protection Legislation” means the Law No. 6698, the General Data Protection Regulation where applicable, all relevant secondary legislation, binding decisions and guidelines of the Turkish Personal Data Protection Authority, and any other applicable data protection laws and regulations.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, as defined under Article 12 of the Law No. 6698 and Article 4(12) of the General Data Protection Regulation.

“Legal Services” means all professional legal services provided by the Attorney to the Client, including but not limited to legal consultancy, litigation, arbitration, mediation, enforcement proceedings, regulatory advisory, compliance advisory, and all ancillary legal support services rendered within the scope of the legal mandate.

“Instructions” means the lawful, explicit, and documented instructions given by the Client to the Attorney, where applicable, regarding the processing of personal data, provided that such instructions do not conflict with mandatory provisions of law, the Attorney’s professional independence, statutory confidentiality obligations, or attorney–client privilege.

“Sub-Processor” means any third party engaged by the Attorney to process personal data on her behalf, solely to the extent objectively necessary for the provision of the Legal Services and subject to confidentiality and data protection obligations consistent with this Agreement.

3. Subject Matter

This Agreement regulates the processing of personal data carried out in connection with and strictly limited to the provision of Legal Services by the Attorney to the Client.

This Agreement shall also apply to the processing of personal data shared prior to the formal establishment of an attorney–client relationship, including data disclosed during preliminary consultations, initial communications, and inquiries, all of which shall be deemed confidential and protected by professional secrecy.

4. Qualification of the Parties

Depending on the nature of the Legal Services and the factual circumstances of the data processing activity, the Parties acknowledge that either Party may qualify as a Data Controller within the meaning of the applicable data protection legislation, or that the Attorney may act as a Data Processor on behalf of the Client where personal data is processed solely upon the Client’s lawful and documented instructions.

Nothing in this Agreement shall be construed as limiting, waiving, or otherwise affecting the Attorney’s statutory duties, professional secrecy obligations, or independence arising from attorney-at-law practice.

For the avoidance of doubt, in the context of the provision of legal services, the Attorney primarily acts as an independent Data Controller, determining the purposes and means of the processing of personal data in accordance with statutory duties arising from the Attorneyship Act No. 1136. The Attorney may act as a Data Processor only in exceptional and limited circumstances where personal data is processed solely on the basis of the Client’s lawful, explicit, and documented instructions, and only to the extent such processing does not conflict with mandatory legal provisions, professional secrecy, attorney–client privilege, or the Attorney’s professional independence.

5. Scope, Purpose and Duration of Processing

Personal data shall be processed exclusively for purposes that are specific, explicit, and legitimate, and which are directly connected to the performance of the Legal Services. The processing shall be limited to what is adequate, relevant, and necessary in light of the purposes pursued.

Personal data shall be retained for the duration required under applicable legislation, professional obligations arising from attorney-at-law practice, bar association regulations, and statutory limitation periods. In all cases, personal data shall be retained in strict compliance with Article 39 of the Attorneyship Act No. 1136, which mandates the retention of all files and records created within the scope of professional legal activities for a minimum period of three (3) years following the completion or finalization of the relevant legal work, including advisory, transactional, project-based, and non-contentious legal services.

6. Obligations Regarding Personal Data Processing

The Attorney undertakes to process personal data in full compliance with the Data Protection Legislation and to strictly observe attorney–client privilege, professional secrecy, and statutory confidentiality obligations.

The Attorney shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the nature of the Legal Services and the risks associated with the processing of personal data.

The Attorney shall ensure that any person authorized to process personal data is subject to a legally binding obligation of confidentiality.

Where acting as a Data Processor, the Attorney shall process personal data solely for the purposes inherent to the provision of Legal Services and in accordance with the Client’s lawful Instructions.

The Attorney shall provide assistance to the Client in responding to data subject requests, to the extent such assistance is required by law and compatible with professional secrecy.

The Attorney shall notify the Client without undue delay of any Personal Data Breach, to the extent such notification is required under the applicable Data Protection Legislation.

The exercise of data subject rights under the applicable data protection legislation shall be subject to the overriding obligations of professional secrecy, attorney–client privilege, and statutory confidentiality arising from the Attorneyship Act No. 1136. Where the fulfillment of a data subject request would require the disclosure of information protected by professional secrecy or legal privilege, the Attorney shall be entitled to lawfully restrict or refuse such request to the extent permitted by law.

7. Sub-Processing

The Attorney may engage Sub-Processors only where such engagement is objectively necessary for the provision of the Legal Services. All Sub-Processors shall be bound by confidentiality and data protection obligations equivalent to those set out in this Agreement. The Attorney shall remain responsible for the acts and omissions of Sub-Processors to the extent required by applicable law.

8. Transfer of Personal Data

Personal data may be transferred, where permitted or required by law, to courts, arbitral tribunals, judicial and administrative authorities, banks, financial institutions, insurers, auditors, and service providers involved in the performance of the Legal Services.

Any cross-border transfer of personal data shall be carried out in strict compliance with Article 9 of the Law No. 6698 and, where applicable, Chapter V of the General Data Protection Regulation, based on a valid legal ground and appropriate safeguards, and without prejudice to professional secrecy and attorney–client privilege obligations.

9. Retention, Deletion, and Anonymization

Personal data shall be retained for the periods mandated by applicable legislation and professional obligations. Upon expiration of such periods, personal data shall be securely deleted, destroyed, or anonymized in accordance with the Law No. 6698 and the guidelines of the Turkish Personal Data Protection Authority.

10. VERBİS Registration

The Parties acknowledge that attorneys-at-law are exempt from registration with the Data Controllers’ Registry (VERBİS) due to statutory confidentiality obligations and the nature of legal professional activities. This exemption does not relieve the Attorney from compliance with the substantive obligations set forth under the Law No. 6698.

11. Liability

Each Party shall remain responsible for compliance with data protection obligations within the scope of its own role as Data Controller or Data Processor. Neither Party shall be liable for breaches arising from the other Party’s unlawful acts, omissions, or instructions.

12. Contact

All requests, notices, or communications relating to the processing of personal data shall be addressed to the Attorney at the following email address and/or registered office address:

E-mail: abikmaz@gratanet.com
Registered office address: Mustafa Kemal Mahallesi Dumlupınar Bulvarı No: 274/2 D:75, Çankaya, Ankara, Türkiye.

13. Applicable Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the Republic of Türkiye. The courts of Türkiye shall have exclusive jurisdiction, unless mandatory provisions of law provide otherwise.

14. Incorporation and Legal Effect of the Annexes

The annexes attached to and forming part of this Agreement, including Annex 1 (Technical and Organizational Measures) and Annex 2 (Sub-Processors), are hereby expressly incorporated by reference into this Agreement and shall constitute an integral, inseparable, and legally binding part hereof.

The provisions contained in the Annexes shall have the same legal force and effect as the provisions of the main body of this Agreement and shall be interpreted and applied together therewith.

In the event of any inconsistency, discrepancy, or conflict between the provisions of this Agreement and the provisions of any Annex, the provisions of this Agreement shall prevail, unless the relevant Annex expressly provides otherwise with respect to the specific matter regulated therein.

Compliance with the Annexes constitutes a mandatory contractual obligation, and any material breach of the Annexes shall be deemed a breach of this Agreement.

DATA PROTECTION AGREEMENT
ANNEX 1
TECHNICAL AND ORGANIZATIONAL MEASURES

Pursuant to Article 12 of the Law No. 6698 on the Protection of Personal Data and Article 32 of Regulation (EU) 2016/679, the Attorney has implemented and shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

The measures implemented are proportionate to the scale of the Attorney’s professional activities and the sensitive nature of legal services, and include, without limitation, the following:

1. Physical Access Control

Measures designed to prevent unauthorized physical access to premises, facilities, and physical storage media where personal data is processed or stored:

- Access to office premises is restricted to authorized persons only.
- Physical case files containing personal data are stored in lockable cabinets or secured rooms.
- Documents containing personal data are not left unattended in open or publicly accessible areas.
- Office equipment and devices used for legal services are physically protected against theft, damage, power failures, and environmental risks.
- Visitors’ access to areas where personal data is processed is limited and supervised.

2. System Access Control

Measures designed to prevent unauthorized access to information systems used for processing personal data:

- All computers, mobile devices, and electronic systems used for Legal Services are protected by individual authentication mechanisms, including strong passwords.
- Access credentials are assigned on a personal basis and are not shared.
- Operating systems and software applications are kept up to date through regular security updates and patches.
- Reputable antivirus, firewall, and malware protection solutions are implemented and maintained.
- Access rights are revoked without delay where authorization is no longer required.

3. Data Access Control

Measures ensuring that personal data is accessible only to authorized persons and only to the extent necessary for the performance of Legal Services:

- Access to personal data is strictly limited to data that is necessary for the specific legal mandate.
- Where external professional support services are used, access is limited on a need-to-know basis.
- Personal data stored electronically is protected through encryption or equivalent security measures where technically feasible.
- Physical and electronic storage media are securely disposed of or destroyed when no longer required.

4. Transmission and Disclosure Control

Measures governing the secure transmission, transfer, and disclosure of personal data:

- Personal data is transmitted through secure and reliable communication channels.
- Encrypted email services or secure document-sharing platforms are used where appropriate, particularly for sensitive data.
- Public or unsecured networks are avoided when accessing or transmitting client data.
- The identity and authorization of recipients are verified prior to any disclosure of personal data.

5. Input Control and Traceability

Measures enabling verification of whether, when, and by whom personal data has been entered, modified, or deleted:

- Significant data processing activities related to legal matters are documented where appropriate.
- Electronic document management systems, where used, allow tracking of access and modification history.
- Procedures are implemented to ensure the accuracy, completeness, and integrity of personal data processed.

6. Availability and Integrity Control

Measures designed to protect personal data against accidental or unlawful destruction, loss, or unavailability:

- Regular backups of electronic personal data are performed.
- Backup copies are stored securely and protected against unauthorized access.
- Reasonable disaster recovery and business continuity measures are implemented, proportionate to the scale of operations.
- Measures are in place to restore access to personal data in a timely manner in the event of a technical or physical incident.

DATA PROTECTION AGREEMENT
ANNEX 2
SUB-PROCESSORS

For the purposes of providing professional legal services, the Attorney may engage third parties as sub-processors solely to the extent objectively necessary for the performance of the Legal Services. The categories of sub-processors and the scope of their processing activities are set out below.

1. Information Technology and Infrastructure Service Providers

Sub-processors providing information technology services, including but not limited to:

- secure cloud-based data storage services;
- professional email and communication service providers;
- data hosting, backup, and disaster recovery service providers;
- providers of encrypted document-sharing and collaboration platforms.

Such sub-processors process personal data exclusively for secure storage, transmission, and continuity of legal services.

2. Accounting, Tax, and Financial Service Providers

Sub-processors providing accounting and financial compliance services, including:

- certified public accountants and financial advisors;
- invoicing, bookkeeping, and tax compliance service providers.

Processing by such sub-processors is strictly limited to personal data necessary for compliance with statutory accounting and tax obligations.

3. Archiving, Document Management, and Destruction Services

Sub-processors engaged for:

- physical or electronic archiving of legal files;
- secure long-term storage of documents subject to legal retention obligations;
- professional shredding or destruction of physical documents and storage media.

Such processing is carried out in accordance with confidentiality obligations and applicable retention requirements.

4. Professional Support and Auxiliary Services

Sub-processors engaged on a case-by-case basis, including:

- sworn translators and interpreters;
- court messengers and enforcement support personnel;
- expert consultants appointed in connection with specific legal matters;
- information technology support providers offering maintenance and troubleshooting services.

Processing by such sub-processors is limited to the scope strictly necessary for the relevant legal mandate.

5. General Obligations Applicable to All Sub-Processors

- All sub-processors are selected with due professional care and diligence.
- Sub-processors are contractually bound by confidentiality and data protection obligations equivalent to those set out in the Agreement.
- Sub-processors may not engage further sub-processors without ensuring equivalent safeguards.
- The Attorney remains responsible for the acts and omissions of sub-processors to the extent required by applicable law.