Client: Eren Holding — one of Türkiye’s largest diversified conglomerates, spanning premium retail brands (Lacoste, Burberry, Gant, Nautica, Superstep) and heavy-industry operations including port terminals, cement plants and paper (kraft/crepe) production facilities.
Vircon Legal Role: A group-wide personal data protection (KVKK) and compliance program — built on field work, training and on-site implementation rather than paperwork alone.
Background
Eren Holding operates across two very different worlds: consumer-facing retail, where large volumes of customer and e-commerce personal data are processed every day, and capital-intensive industry — ports, cement and paper plants — with large blue-collar workforces, heavy visitor and contractor flows, and customs-driven data obligations. Establishing a single, defensible KVKK posture across both required far more than a template policy.
Challenge
Retail and industrial operations carry fundamentally different data-protection risk profiles. The retail brands needed customer-facing transparency — website and e-commerce privacy notices, cookie and consent flows, and marketing permissions. The industrial sites needed workforce- and operations-focused controls, and surfaced a real tension between customs legislation (which requires collecting and retaining certain personal data at ports and in cross-border logistics) and KVKK’s data-minimisation and storage-limitation principles. The program also had to reach a large blue-collar workforce, for whom standard office-style training simply does not work.
Solution
Vircon Legal ran a hands-on, site-by-site compliance program rather than a desk exercise. We carried out field studies at retail and production sites, delivered tailored training — including dedicated blue-collar training designed for the shop floor — and supported the on-site implementation of the resulting controls. We drafted and revised the group’s website and e-commerce privacy texts, and worked through the conflicts between customs-mandated data handling and KVKK, designing retention and lawful-basis positions that satisfy both regimes. We also managed the personal-data transfer process in the group’s acquisition of Intersport, structuring the lawful transfer of customer and employee data as part of the transaction.
Impact
The group moved to a consistent, operational KVKK compliance posture across both retail and heavy industry: policies that are genuinely applied on the ground, a trained workforce spanning white- and blue-collar roles, compliant customer-facing data flows, and a defensible resolution of the customs/KVKK tension.
Related
For more on the practice areas relevant to this engagement, see Compliance, Data & Privacy (KVKK + GDPR) and KVKK Audit.