Legal
Privacy Policy
Last updated 10 June 2026
1. Data controller
Turkkanlar Legal is the controller of the personal data processed through this website and through the client portal.
- Controller: Turkkanlar Legal — Sezen Türkkanlar
- Address: World Trade Center, Edificio Sur, Barcelona, Spain
- Email: info@turkkanlarlegal.com
The firm has not appointed a Data Protection Officer: law firms are not among the cases in which Article 34.1 of Organic Law 3/2018 (LOPDGDD) makes one mandatory. Privacy enquiries are handled directly by the firm at the email address above.
2. Regulatory framework and layered information
Personal data are processed in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and with Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).
We follow the layered-information model of Article 11 LOPDGDD: every form on this site that collects personal data shows a short first-layer notice (controller, purpose, rights), and this policy is the complete second layer containing all the information required by Articles 13 and 14 GDPR. Information on the cookies used by this site is set out in the Cookie Policy.
3. Purposes, legal bases and retention
We process personal data for the following purposes, on the following legal bases and for the following periods:
| Processing | Legal basis | Retention |
|---|---|---|
| Handling contact messages and consultation requests sent through the website | Art. 6.1.b GDPR — pre-contractual measures taken at your request | Until your enquiry is dealt with; then blocked (section 8) |
| Managing your immigration case through the client portal: case files, documents, intake forms, communications and notifications | Art. 6.1.b GDPR — performance of the legal-services engagement (hoja de encargo) | Duration of the engagement plus the limitation periods in section 8 |
| Compliance with statutory obligations: tax law and anti-money-laundering rules — Law 10/2010, under whose Article 2.1.ñ lawyers are obliged subjects for certain operations | Art. 6.1.c GDPR — legal obligation | The statutory periods listed in section 8 |
| Platform security: access logs, session management and abuse prevention | Art. 6.1.f GDPR — legitimate interest in securing the service | Short technical periods, then deletion |
We do not use your data for advertising, we do not sell them, and we do not carry out profiling or automated decision-making within the meaning of Article 22 GDPR: every stage of your case is decided and controlled by a lawyer, never by the platform.
4. Special categories and criminal-record data
Immigration files routinely include a criminal-record certificate (certificado de antecedentes penales), which Spanish residence procedures almost always require, and may include health data such as the medical certificates requested for certain visas.
Special categories of data (Article 9.1 GDPR, including health data) are processed under Article 9.2.f GDPR: processing necessary for the establishment, exercise or defence of legal claims, which covers the work of lawyers in judicial, administrative and extrajudicial proceedings. Data relating to criminal convictions and offences are processed under Article 10 LOPDGDD; Article 10.3 LOPDGDD expressly permits such processing when carried out by lawyers and procuradores for the purpose of collecting the information provided by their clients for the exercise of their functions.
Documents tagged as sensitive (criminal-record and medical certificates) receive the strictest storage treatment in the portal and are never named in notification emails — a notification will say that a document needs attention, never which one or what it contains.
Where a procedure involves a minor (for example, family-member applications), the consent threshold under Article 7 LOPDGDD is 14 years; below that age, the data are provided by the parents or guardians within the engagement.
5. Employee data provided by employers
When a business client opens a case for one of its employees, the firm obtains that employee’s data from the employer, not from the employee. In that case the duties of Article 14 GDPR apply: the employee receives, with the invitation to the client portal and in any event within one month, a notice identifying Turkkanlar Legal as controller, explaining the purpose of the processing and the rights available, and stating expressly that the source of the data is their employer.
Business clients warrant that they are entitled to share their employees’ data with the firm for this purpose (see the Terms of Use).
6. Recipients of your data
Your data are communicated only to the following recipients:
- The Spanish public authorities competent for each immigration procedure — among others the Unidad de Grandes Empresas y Colectivos Estratégicos (UGE), the Oficinas de Extranjería, Spanish consulates and the Dirección General de la Policía (for the TIE card). This disclosure is inherent in the engagement you entrust to us.
- Courts and public bodies, where a legal obligation requires it (Art. 6.1.c GDPR).
- Service providers acting as processors under contracts pursuant to Article 28 GDPR: our EU hosting provider; the firm’s own self-hosted database and document storage, which runs on infrastructure controlled by the firm — no third-party database processor is involved; self-hosted automation tooling; and our email service provider.
We never sell personal data and we never share them for advertising purposes.
7. Where your data is stored, and security
All personal data are stored on servers located in the European Union. No international transfers of data outside the EU/EEA take place (Chapter V, Articles 44–49 GDPR). If a transfer ever became necessary, it would only be carried out with the safeguards required by the GDPR — an adequacy decision or standard contractual clauses (Art. 46.2.c) — and this policy would be updated beforehand.
In accordance with Article 32 GDPR, the firm applies technical and organisational measures appropriate to the risk: encryption of data in transit and at rest, role-based access control, restricted access to case files, versioned document storage and audit logging, all on self-hosted infrastructure under the firm’s control.
8. Retention and blocking of data
Retention is governed by the following criteria:
- Client case files: the duration of the engagement plus the limitation periods of the legal actions that may arise from it.
- Civil liability: 5 years (Article 1964.2 of the Civil Code).
- Anti-money-laundering documentation: 10 years (Article 25 of Law 10/2010).
- Tax and accounting records: 4 to 6 years (Article 66 of the General Tax Law; Article 30 of the Commercial Code).
- Web enquiries: until the enquiry has been dealt with.
When a retention period ends, or when you request erasure that cannot yet be fully carried out because of a legal obligation, the data are blocked in accordance with Article 32 LOPDGDD: they are frozen, excluded from ordinary access and kept solely at the disposal of judges, courts and competent public authorities until the limitation periods expire, after which they are deleted. Deleting a portal account therefore means blocking, not immediate destruction, of the case data the firm must keep.
9. Your rights
You may exercise at any time the rights of access, rectification, erasure, restriction of processing, data portability and objection (Articles 15–21 GDPR; Articles 13–18 LOPDGDD), the right not to be subject to decisions based solely on automated processing (Article 22 GDPR — the platform takes none) and, where processing is based on consent, the right to withdraw it at any time without affecting prior processing (Article 7.3 GDPR).
To exercise them, write to info@turkkanlarlegal.com indicating the right you wish to exercise and attaching proof of identity. We will respond within one month (Article 12.3 GDPR). Portal users will also find a privacy-requests channel in their account settings.
Please note that, as a law firm, we may be obliged to keep certain data even after an erasure request, where retention is required for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Article 17.3.b and 17.3.e GDPR). In that case the data are blocked as described in section 8.
10. Complaints before the AEPD
If you consider that the processing of your data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority (Article 77 GDPR): Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es. We would appreciate the chance to address your concern first at the email address above, but contacting us is not a precondition for complaining to the AEPD.
11. Professional secrecy
Everything you entrust to the firm is additionally protected by the professional secrecy of the legal profession: Article 542.3 of the Organic Law on the Judiciary (LOPJ), Articles 21–23 of the General Statute of the Spanish Legal Profession (Royal Decree 135/2021) and Article 5 of the Code of Conduct of the Spanish Legal Profession (2019). Professional secrecy binds the firm’s lawyers, staff and systems and operates alongside — never instead of — the data-protection rules described in this policy.
12. Changes to this policy
Any change to this policy will be published on this page with a new “last updated” date. If a change materially affects how your data are processed, portal users will be notified before it takes effect. This policy is available in English, Spanish and Turkish; in case of divergence, the Spanish version prevails.
