1. Controller
The controller responsible for processing personal data on this website pursuant to the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is:
Av. em. Prof. Dr. Funda Başaran Yavaşlar
Kurfürstendamm 235
10719 Berlin-Germany

Email: info@fundabasaran.de
Phone (DE): +49 30 5189 3613
Mobile/WhatsApp: +49 176 80646150

Türkiye (Istanbul) Office:
Büyükdere Cad., Kanyon Office Building
No. 185/271, 34394 Levent–Istanbul

A Data Protection Officer has not been appointed because the legal requirements under Art. 37 GDPR and § 38 BDSG are not met.

2. General Information on Data Processing
We process personal data only insofar as this is necessary for providing a functional website, for delivering our services, or where you have consented. Processing is carried out in accordance with the GDPR, the BDSG and applicable legal and professional regulations.

3. Processing When Visiting the Website (Server Log Files)
When you access our website, your browser automatically transmits certain information to our server, where it is stored temporarily in so-called log files. The following data may be collected:
• IP address of the requesting device
• Date and time of access
• Name and URL of the accessed file
• Referrer URL (website from which the request originates)
• Browser type and version
• Operating system
• Access status / HTTP status code
• Amount of data transferred

Purpose of processing:
• Ensuring a smooth connection to the website
• Guaranteeing system stability and security (IT security, fraud prevention)
• Administrative evaluation and optimisation of our online offering

Legal basis:Art. 6(1)(f) GDPR (legitimate interest in operating a secure and functional website).
Storage period: Log files are usually deleted within 14 days, unless longer storage is required for security reasons (e.g., to investigate misuse or fraud).

We process personal data strictly in accordance with the principle of data minimisation under Art. 5(1)(c) GDPR and only for the purposes required.

4. Cookies and Similar Technologies
Our website uses cookies. Cookies are small text files stored on your device.

4.1 Technically Necessary Cookies
We only use cookies that are technically required for the proper functioning of the website (e.g., session cookies storing form entries or language settings).
Legal basis: Art. 6(1)(f) GDPR in conjunction with § 25(2) TTDSG (legitimate interest in secure and user-friendly website functionality).

4.2 Optional Cookies / Third-Party Tools
If optional cookies or comparable technologies are used in the future (e.g., analytics, embedded services, external media), this will occur only with your explicit consent via a cookie consent banner.
Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG.
You may withdraw your consent at any time with future effect using the cookie settings on our website.

5. Contact (Contact Form, Email, Telephone)
If you contact us by contact form, email, telephone or post, the following data will be processed:
• Name
• Email address
• Telephone number (optional)
• Content of your message
• Any additional voluntary information you provide

Purpose:
• Responding to your enquiry
• Preparing, establishing or performing a legal or consulting mandate
• Documentation and compliance with statutory retention obligations

Legal bases:
• Art. 6(1)(b) GDPR (pre-contractual steps and contract performance, including potential mandates)
• Art. 6(1)(f) GDPR (legitimate interest in processing enquiries)
• Art. 6(1)(c) GDPR (compliance with legal obligations)
As an attorney, I am additionally bound by professional confidentiality obligations (§ 43a BRAO, § 203 German Criminal Code). All information obtained in the context of a mandate is treated strictly confidentially.

Storage period:
Enquiries without mandate relevance are deleted once processed, unless statutory retention obligations apply. If a mandate is established, statutory retention periods (generally 6–10 years) apply.

6. Anti-Money Laundering (AML) / Compliance with the German Money Laundering Act (GwG)
Where we provide legal services that fall within the scope of the German Money Laundering Act (GwG)—for example, advice related to company formations, acquisitions or real estate transactions—we are legally required to fulfil statutory due diligence obligations. These include in particular:
• Identification of the client and, where applicable, the beneficial owner (KYC)
• Collection and verification of identity documents (e.g., ID documents, commercial register excerpts)
• Risk assessment of the mandate
• Documentation and retention of the information collected

Purpose of processing:
• Compliance with statutory due diligence and retention obligations under the GwG
• Prevention of money laundering and terrorism financing
Legal bases:
• Art. 6(1)(c) GDPR in conjunction with statutory obligations under the GwG (in particular §§ 8 et seq. GwG)
• Art. 6(1)(f) GDPR (legitimate interest in complying with professional and regulatory obligations)

Data collected under the GwG is stored for the statutory retention period (generally five years) and subsequently deleted or anonymised unless longer retention is required by law or justified by overriding interests.

 

7. Registration for Events, Webinars and Updates
We occasionally offer events, webinars, information sessions and newsletters. For this purpose, the following personal data may be collected and processed:
• Name
• Email address
• Address and telephone number (where applicable)
• Company or firm information (if provided)
• Details relating to the event or webinar (e.g., preferred date, topic interests, participation preferences)
• Payment and billing information for paid events or webinars (e.g., bank account details, IBAN, transaction information, invoicing details)

Purpose of processing:
• Planning, organising, conducting and following up on events or webinars
• Sending invitations, access details, participation confirmations, materials or recordings
• Statistical evaluation to improve future offerings
• Maintaining professional, client and business contacts

Legal bases:
• Art. 6(1)(b) GDPR – performance of event or webinar arrangements
• Art. 6(1)(a) GDPR – consent (especially newsletters, voluntary information)
• Art. 6(1)(f) GDPR – legitimate interest in professional communication and public representation of the firm
Storage period:
Data is generally stored for up to three years after the last contact unless longer statutory retention obligations apply.
A double opt-in process is used for newsletters; consent can be withdrawn at any time with future effect.

8. Online Meetings (Videoconferencing)
For online meetings, we use videoconferencing services such as Microsoft Teams, Zoom or comparable providers. The following data may be processed:
• Basic data (name, email address)
• Access data (meeting ID, access link, technical connection information)
• Communication content (audio, video, screen sharing, chat messages)
• Metadata (date, time, duration, IP address, device information)

Purpose:
• Conducting client meetings and initial consultations
• Organising, moderating and documenting online communications
• Compliance with professional obligations
• Fulfilling contractual or legal obligations where required

Legal bases:
• Art. 6(1)(b) GDPR – contract and pre-contractual steps
• Art. 6(1)(f) GDPR – legitimate interest in efficient and location-independent communication

Transfer to the USA:
Where personal data is transferred to the United States during the use of such services, no equivalent level of data protection is ensured under US law. Processing may therefore take place only:
• on the basis of appropriate safeguards (e.g., EU Standard Contractual Clauses), or
• if these do not suffice, on the basis of your explicit consent pursuant to Art. 49(1)(a) GDPR.
You will be informed separately in such cases.

9. Hosting and Data Processing on Our Behalf
Our website is hosted by an external service provider. This provider processes personal data (e.g., log files, metadata) strictly according to our instructions.
A Data Processing Agreement (Art. 28 GDPR) has been concluded.
Hosting is carried out on servers located within the EU/EEA.

10. External Links and Social Media Profiles
Our website may contain links to external websites and our profiles on social media platforms (e.g., LinkedIn, Instagram, X, Facebook). These are simple external links.
A connection to the respective platform is established only when you click the link. At that point, the platform may process personal data (e.g., IP address, device data, visited page). We have no influence over this.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing modern communication channels).
Please refer to each platform’s privacy policy for details.

Use of WhatsApp
We offer the option of contacting us via WhatsApp for non-binding initial enquiries and organisational matters (e.g., scheduling). Mandate-related communication or the transmission of confidential information does not take place via WhatsApp due to professional confidentiality obligations (§ 43a BRAO, § 203 German Criminal Code).

WhatsApp may transfer personal data to third countries outside the European Union (in particular the United States). In those countries, a level of data protection equivalent to EU law is not guaranteed. By initiating contact with us via WhatsApp for the first time, you consent to this data transfer in accordance with Art. 49(1)(a) GDPR.

11. Transfer of Personal Data to Third Parties
Personal data is only transferred to third parties if:
• You have given explicit consent (Art. 6(1)(a) GDPR),
• the transfer is necessary for contract performance or pre-contractual measures (Art. 6(1)(b) GDPR),
• there is a legal obligation (Art. 6(1)(c) GDPR),
• the transfer is necessary for the establishment, exercise or defence of legal claims (Art. 6(1)(f) GDPR), or
• third parties act as processors pursuant to Art. 28 GDPR (e.g., hosting, email providers).
In the context of legal services, transfers to courts, authorities or opposing parties occur only when required for the mandate and permitted under professional law.

12. Data Transfers to Third Countries
Data is transferred to countries outside the European Union or the European Economic Area (third countries) only if:
• necessary for contractual performance (Art. 49(1)(b),(c) GDPR),
• you have expressly consented (Art. 49(1)(a) GDPR), or
• appropriate safeguards exist, such as an adequacy decision or EU Standard Contractual Clauses (Art. 45–46 GDPR).

No processing of personal data takes place at our office location in Türkiye. Should a transfer to Türkiye be required in an individual mandate, this will occur exclusively on the basis of Art. 49(1) GDPR (explicit consent or necessity for mandate performance). You will be informed separately in advance.

Please note that the use of certain communication platforms (e.g., WhatsApp, some social media services) may involve transfers to third countries; where relevant to a mandate or communication, you will be informed separately.

13. Rights of Data Subjects
You have the following rights regarding your personal data:
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR), effective for the future
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, please contact us using the details provided in Section 1.

14. Right to Lodge a Complaint with a Supervisory Authority
If you believe that your personal data is being processed in breach of the GDPR, you may lodge a complaint with a supervisory authority.

For the Berlin office, the competent authority is:
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59–61
10555 Berlin-Germany
Website: https://www.datenschutz-berlin.de/

15. Data Security
We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR to protect your personal data, including:
• SSL/TLS encryption
• Access control and authorisation management
• Regular data backups
• State-of-the-art security and anti-malware systems
• Logging of security-relevant access
• Incident response and data breach notification procedures (Art. 33–34 GDPR)

16. Updates to This Privacy Policy
This Privacy Policy is valid as of 7 December 2025.
Updates may be required due to changes in our website, services or legal requirements. The current version is always available on this website.