OUR POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA UNDER THE LAW NO 6698
PURPOSE AND EFFECTIVENESS OF THE POLICY
Within the scope of the Personal Data Protection Law No. 6698, it specifies the procedures and principles regarding the processing of personal data by natural or legal persons for the establishment and management of the data system, which is classified as a "data controller" and which determines the purposes and means of processing personal data. While personal data is defined in the law as “any information relating to an identified or identifiable natural person”; The processing of personal data is the acquisition, recording, storage, preservation, modification, rearrangement, disclosure, transfer, takeover, making available of personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. It is defined as “any kind of operation performed on data such as classification or prevention of use”. In the Law No. 6698, along with other regulations, data controllers are obliged to inform the data owners whose personal data will be processed. In Article 10 of the relevant law, the data controller or the person authorized by him during the acquisition of personal data, to the relevant persons; It is obliged to inform about the identity of the data controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights listed in Article 11.
The purpose of this document is to inform / enlighten the data owners that they are processing their personal data as the data controller in the light of the above-mentioned items.
The subject of this document is our company's customers, partners, officials and employees, potential customers and stakeholders of our business partners, officials, employees and employee candidates, former employees, interns, retirees, visitors, company officials and partners, business partner and supplier candidates and other A policy text is issued to our employees, who are third parties, in accordance with the relevant Law on the processing of personal data.
THE SCOPE OF THE RELEVANT LAW AND OUR COMPANY'S RIGHTS AND OBLIGATIONS ARISING FROM THE LAW
GENERAL PRINCIPLES ON THE PROCESSING OF PERSONAL DATA
Pursuant to Article 4 of the relevant Law, personal data can only be processed in accordance with the procedures and principles stipulated in this Law and other laws. In this context, data controllers are obliged to comply with the law and the rules of honesty in the processing of personal data, To be accurate and up-to-date when necessary, To be processed for specific, clear and legitimate purposes, To be connected, limited and restrained for the purpose for which they are processed, For as long as required by the relevant legislation or for the purpose for which they are processed. obliged to comply with the principles of preservation.
PURPOSE OF PROCESSING AND SHARING PERSONAL DATA
PURPOSE OF PROCESSING PERSONAL DATA
Within the scope of the law, personal data cannot be processed without the explicit consent of the data owner. However, within the scope of Articles 5 and 6 of the Law, certain situations in which data can be processed without express consent have been determined in terms of personal data and sensitive personal data. Personal data pursuant to Article 5,
The data processing is clearly stipulated in the law, The processing of the relevant data is mandatory for the protection of the life or physical integrity of the person who is unable to express his consent due to actual impossibility or whose consent is not legally recognized, Provided that it is directly related to the establishment or performance of a contract, It is necessary to process personal data, Data processing is mandatory for the data controller to fulfill his legal obligation, Personal data is made public by the person concerned, Data processing is mandatory for the establishment, exercise or protection of a right, Provided that it does not harm the fundamental rights and freedoms of the data subject, In cases where data processing is mandatory for the legitimate interests of the data controller, it can be processed even if the data owner does not have prior explicit consent (provided that the necessary clarification has been made).
On the other hand, the Law includes biometric data regarding the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures. and genetic data as "special quality" or "sensitive" personal data and stipulated more severe conditions for their processing.
Accordingly, special categories of personal data can only be processed under the following conditions, except in cases where explicit consent is obtained from the data owner:
Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data of individuals may be processed in the cases stipulated by the laws.
Personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
PURPOSE REGARDING THE SHARING OF PERSONAL DATA
In accordance with data processing, the sharing (transfer) of personal data with a third party is also subject to the explicit consent of the data owner. However, data transfer can also be carried out under the conditions where data processing is allowed according to Article 8 of the Law, and in this regard, in the presence of the above-mentioned conditions, personal data or personal data of special nature can be transferred even without the consent of the data owner.
Regarding the transfer of personal data to third parties, the law makes the transfer abroad subject to special conditions.
Accordingly, personal data;
In case of explicit consent of the data owner, or in cases where there is no explicit consent of the data owner, but one or more of the other conditions mentioned above are met; o If there is sufficient protection in the country where the data is transferred and o If there is not enough protection in the country where the data is transferred, it can be transferred abroad provided that the data controller undertakes in writing with the data controller in the relevant foreign country and obtains the permission of the Personal Data Protection Board.
SITUATIONS OUT OF THE SCOPE OF THE LAW
In accordance with Article 28 of the Law, the relevant Law will not be applied in the following cases:
- Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
- Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
- Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
PROCESSING OF PERSONAL DATA BY OUR COMPANY
CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY
Personal data is processed by our company under the following classes:
Identity Information: Information contained in documents such as driver's license, identity card, residence, passport, attorney ID, marriage certificate (e.g. TCKN, passport number, identity card serial no., name-surname, photo, place of birth, date of birth, age, place of registration, copy of proof of identity card)
Contact Information: Information used to contact the person (e.g. e-mail address, telephone number, mobile phone number, address)
Location data: Data to identify the location of the data subject
Customer Information: Information about customers who benefit from our products and services (eg customer number, occupation information, etc.)
Customer Transaction Information: Information regarding any transaction performed by customers using our products and services (e.g. requests and instructions, rental periods, etc.)
Physical Space Security Information: Personal data regarding the records and documents taken at the entrance to the physical space, during the stay in the physical space (e.g. entry-exit records, visit and visitor information, camera recordings, etc.)
Transaction Security Information: Personal data processed in order to ensure the technical, administrative, legal and commercial security of our company and related parties
Risk Management Information: Personal data processed in order to manage the commercial, technical and administrative risks of our company (eg IP address, Mac ID, etc. records)
Financial Information: Personal data within the scope of information, documents and records showing all kinds of financial results created according to the type of legal relationship with the personal data owner (For example: information showing the financial result of the transactions made by the data owner, loan amount, card information, loan payments, interest to be paid amount and ratio, debit balance, credit balance, etc.)
Personal data that is the basis for the personal rights of the employees (any information and document that must be entered in the personnel file by law)
Employee Candidate Information: Personal data used in the application evaluation process (e.g. CV, interview notes, personality test results, etc.)
Personal Information: The company's cooperation Employee Transaction Information: Personal data related to all kinds of work-related transactions carried out by the cooperation employees of the Company (eg, entry-exit records, business trips, information about meetings attended, security query, e-mail traffic monitoring information, vehicle usage information, company card spending) information)
Employee Performance and Career Development Information: Personal data processed for the purpose of measuring the performance of the Company's cooperation employees and planning and carrying out their career development within the scope of human resources policies
Marketing Information: Data to be used by our company in marketing activities (eg reports and evaluations showing personal tastes and habits of the person collected for marketing purposes, target information, cookie records, data enrichment activities)
Benefits and Benefits Information: Personal data processed for the follow-up of the company's fringe benefits and benefits offered to supplier employees and for cooperation employees to benefit from them.
Visual and Audio Data: Visual and audio recordings associated with the personal data owner
Request / Complaint Management Information: Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to our company (eg, requests and complaints against the Company, records and reports regarding them)
Audit and Inspection Information: Personal data processed within the scope of our company's compliance with its legal obligations and company policies (eg audit and inspection reports, relevant interview records and similar records)
Legal Transaction and Compliance Information: Personal data processed for the purpose of determination and follow-up of legal claims and rights, and performance of debts and legal obligations (e.g. data contained in documents such as court and administrative authority decisions)
Sensitive Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data
PURPOSE OF PROCESSING PERSONAL DATA BY OUR COMPANY
- Our company processes personal data in the above-mentioned categories for the following purposes.
- Planning and execution of fringe benefits and benefits for employees
- Planning and/or execution of corporate communication for employees and/or corporate social responsibility and/or non-governmental organizations activities in which employees participate
- Planning and execution of employees' access rights to information
- Monitoring and/or supervision of employees' business activities
- Planning, auditing and execution of information security processes
- Creation and management of information technology infrastructure
- Follow-up of finance and/or accounting works
- Compensation Management
- Follow-up of legal affairs
- Planning and execution of corporate communication activities
- Planning and execution of corporate governance activities
- Planning of human resources processes
- Execution of personnel procurement processes
- Planning and/or execution of efficiency/efficiency and/or appropriateness analyzes of business activities
- Planning and execution of business activities
- Planning and execution of information access authorizations of business partners and/or suppliers
- Management of relations with business partners and/or suppliers
- Planning and/or execution of occupational health and/or safety processes
- Planning and/or execution of business continuity activities
- Planning and execution of logistics activities
- Planning and execution of customer relationship management processes
- Planning and/or execution of customer satisfaction activities
- Follow-up of customer requests and/or complaints
- Fulfillment of obligations arising from employment contracts and/or legislation for company employees
- Planning and execution of company audit activities
- Planning and execution of external training activities
- Planning and execution of the necessary operational activities to ensure that the company's activities are carried out in accordance with company procedures and / or relevant legislation
- Planning and/or execution of in-company training activities
- Planning and execution of in-house orientation activities
- Ensuring the security of company operations
- Ensuring the security of company premises and/or facilities
- Planning and/or execution of the processes of creating and/or increasing loyalty to the products and/or services offered by the company
- Planning and/or execution of the company's production and/or operational risk processes
- Realization of corporate and partnership law transactions
- Follow-up of contract processes and/or legal requests
- Execution of strategic planning activities
- Planning and execution of supply chain management processes
- Ensuring that data is accurate and up-to-date
- Providing information to authorized institutions based on legislation
- Creation and tracking of visitor records
- Planning and execution of production and/or operation processes
- Planning and execution of market research activities for sales and marketing of products and services
- Planning and execution of marketing processes of products and / or services
- Planning and execution of sales processes of products and / or services
TRANSFER OF PERSONAL DATA BY OUR COMPANY AND THE CATEGORIZATION OF THE PARTIES TO THE DATA TRANSFER
Personal data may be transferred by our company to our Company officials, affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations and private institutions for the above-mentioned purposes.
PROCESSING OF PERSONAL DATA BY OUR COMPANY
Our company, as the data controller, informs the data owners in line with Article 10 of the relevant Law before obtaining their personal data from the data owners, within the scope of the obligations arising from the Law. If any data processing process carried out by our company does not meet the conditions specified in the Law and detailed above, explicit consent is obtained from the data owners and the related processes are carried out within the framework of the aforementioned explicit consent. Within the scope of the law, express consent is defined as “consent related to a certain subject, based on information and expressed with free will”, and accordingly, our Company obtains their explicit consent after informing the data owners in accordance with Article 10 of the Law. Although no period has been determined for the storage of personal data within the scope of the law, it is essential to keep personal data for as long as required by the relevant legislation or for the purpose for which they are processed, in accordance with general principles. Our company makes an evaluation based on the legislation in force regarding each data processing process and the purpose of the process, in order to determine the retention periods in accordance with the said principle. Accordingly, our Company keeps personal data at least for the period required by its legal obligations and until the relevant statute of limitations expires. Circus Our company anonymizes, deletes or destroys personal data in accordance with the Law when the purpose of processing the relevant personal data disappears within the scope of any process, including the expiration of the aforementioned periods. Within the scope of the law, anonymization is defined as “making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching them with other data”. Our Company's anonymization activities are carried out in accordance with the current legislation.
PERSONAL DATA SECURITY
In order to ensure the security of personal data, our company takes technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data. In this context, at least the following actions are taken by our Company:
- Taking software and hardware security measures in accordance with the processed personal data
- Carrying out the inspections stipulated under the law
- Ensuring compliance of the Company and employees with the Law through in-company trainings, policies and procedures
- Ensuring and recording access to information on the basis of necessity with in-house authorizations
- Follow-up of personal data processing activities on a process basis
- Obtaining contractual commitments regarding the protection and security of personal data in relations with suppliers
LAW RIGHTS OF DATA OWNERS
RIGHTS OF DATA OWNERS
According to Article 11 of the Law, personal data owners;
- To learn whether personal data about himself is processed,
- If personal data about him/her has been processed, requesting information about it,
- To learn the purpose of processing personal data and whether they are used in accordance with the purpose,
- To know the third parties to whom personal data is transferred in the country or abroad,
- Requesting correction of personal data in case of incomplete or incorrect processing,
- Requesting the deletion or destruction of personal data in the event that the reasons requiring processing disappear, although it has been processed in accordance with the provisions of the law and other relevant laws,
- Requesting notification of the transactions made as a result of the correction, deletion and destruction requests to the third parties to whom the personal data has been transferred,
- Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
- It has the right to demand the compensation of the damage in case of loss due to the unlawful processing of personal data.
Paragraph 2 of Article 28 of the Law regulates that in certain circumstances, the data owner cannot make a claim from the data controller other than the compensation of his losses. According to this,
- The processing of personal data is necessary for the prevention of crime or for criminal investigation,
- Processing of personal data made public by the person concerned,
- The processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority granted by the law,
- In cases where the processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters, the above-mentioned rights cannot be used for the relevant data.
USE OF RIGHTS
Data owners will be able to use the Application Form to exercise the above-mentioned rights. Applications can be submitted to Şerifali mah. Pole socket. Workhub Plaza no:40 ÜMRANİYE/İSTANBUL or by sending an e-mail registered to firstname.lastname@example.org by signing with a secure electronic signature regulated under the Electronic Signature Law No. 5070, or by sending an e-mail address previously notified to our Company and registered in our Company's system. can be done via e-mail. If a method other than the aforementioned methods is foreseen by the Personal Data Protection Board, applications can also be submitted by this method. Requests of data subjects transmitted by one of the methods mentioned above are evaluated and answered by our Company within a maximum of thirty days. Our company reserves the right to request additional information and documents from the applicant, especially in order to evaluate whether the applicant is the relevant data owner. As a rule, data subject applications are evaluated by our Company free of charge. However, if a fee has been determined by the Personal Data Protection Board regarding the request of the data owner, our Company will have the right to demand payment over this fee.