Personal Data Protection Law
CHAPTER ONE
Purpose and Enforcement of the Policy
The Law on the Protection of Personal Data No. 6698 ("Law"), which entered into force on 07.04.2016, sets out the procedures and principles regarding the processing of personal data by real or legal persons who are classified as "data controllers" of personal data and determine the purposes and means of processing personal data, and are responsible for the establishment and management of the data recording system.
This document ("Policy") has been prepared in order to inform the real persons whose personal data our Company processes as a data controller within the scope of the above-mentioned article.
Within the scope of the Law, personal data is defined as "any information relating to an identified or identifiable natural person"; processing, on the other hand, means "all kinds of operations performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of personal data, by fully or partially automatic means or, provided that it is a part of any data recording system, by non-automatic means".
Among other regulations, the Law imposes an obligation on data controllers to inform the data owners whose personal data will be processed at the time the personal data is acquired. According to Article 10 of the Law, data controllers must inform data owners about:
The identity of the data controller and its representative, if any,
For what purpose personal data will be processed,
To whom and for what purpose the processed personal data can be transferred,
The method and legal reason for collecting personal data,
The other rights listed in Article 11 of the Law.
The subjects of this Policy are our Company's customers, shareholders, officers and employees of corporate customers, potential customers, shareholders, officials and employees of our business partners and suppliers, our employee candidates, former employees and interns in our Company and people who have retired from our Company, our visitors, company officials and shareholders, business partner and supplier candidates and other third parties. The issues regarding the processing of personal data related to our employees are regulated within the scope of a separate policy text submitted to the employees in accordance with the Law.
CHAPTER TWO
The Scope of the Law and the Rights and Obligations of Our Company Arising from the Law
Pursuant to Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, except for the fulfillment of the disclosure obligation specified in Part One:
Compliance with the law and honesty rules.
Being accurate and up-to-date when necessary.
Processing for specific, explicit, and legitimate purposes.
Being relevant, limited and proportionate to the purpose for which they are processed.
To be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
- Personal Data Processing and Sharing Purposes within the Scope of the Law
- Purposes Regarding the Processing of Personal Data
Our company does not process Personal Data without the explicit consent of the data owner. In the presence of one of the following conditions, our company may process Personal Data without seeking the explicit consent of the data owner. Articles 5 and 6 of the Law set out a number of situations in which personal data and sensitive personal data can be processed without explicit consent.
In accordance with the article, personal data may be processed even without the prior explicit consent of the data owner (provided that the necessary clarification has been made) if:
Data processing is clearly stipulated in the laws,
It is mandatory to process the relevant data for the protection of the life or bodily integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid,
Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract,
Data processing is mandatory for the data controller to fulfill its legal obligation,
Personal data has been made public by the person concerned,
Data processing is mandatory for the establishment, exercise or protection of a right,
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
On the other hand, the Law defines data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data as personal data "of a sensitive nature" or "sensitive" personal data and stipulates more severe conditions for their processing. Accordingly, sensitive personal data can only be processed under the following conditions, except in cases where explicit consent has been obtained from the data owner:
Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data of individuals may be processed in cases stipulated by law.
Personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
As with data processing, the sharing (transfer) of personal data with a third party is also subject to the explicit consent of the relevant data owner. However, according to Article 8 of the Law, data transfer can also be carried out under the conditions where data processing is allowed; accordingly, in the presence of the conditions specified in Section 2.2.a above, personal data or sensitive personal data can be transferred even if the data owner does not consent.
With regard to the transfer of personal data to third parties, the Law has made the transfer of personal data abroad subject to special conditions. Accordingly, personal data can be transferred abroad:
In case of the explicit consent of the data owner, or
In cases where there is no explicit consent of the data owner, but one or more of the other conditions mentioned above are met, if there is sufficient protection in the country to which the data is transferred or, where there is no adequate protection in that country, provided that the data controller undertakes adequate protection in writing together with the data controller in the relevant foreign country and the permission of the Personal Data Protection Board is obtained.
Pursuant to Article 28 of the Law, the Law will not apply in the following cases:
Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and the obligations regarding data security are complied with.
Processing of personal data for purposes such as research, planning and statistics by anonymizing them through official statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Processing of Personal Data by Our Company
| Data Category | Personal Data Categorization Description |
| --- | --- |
| Credential | Information contained in documents such as driver's license, identity card, residence, passport, attorney ID, marriage certificate (e.g. TCKN, passport number, identity card serial number, name-surname, photograph, place of birth, date of birth, age, place of registration, copy of identity card) |
| Contact Information | Information used to contact the individual (e.g. e-mail address, telephone number, mobile phone number, address) |
| Location Data | Data used to determine the location of the data subject (e.g. location data obtained during vehicle use) |
| Customer Information | Information about customers who benefit from our products and services (e.g. customer number, profession information, etc.) |
| Customer Transaction Information | Information on all kinds of transactions carried out by customers who benefit from our products and services (e.g. requests and instructions, order and basket information, etc.) |
| Physical Space Safety Information | Personal data (e.g. entry and exit logs, visit information, camera recordings, etc.) regarding the records and documents taken during the entrance to the physical space and during the stay in the physical space |
| Transaction Security Information | Personal data processed in order to ensure the technical, administrative, legal and commercial security of our company and related parties (e.g. information such as website password and password showing that the person is authorized to match that person with the transaction associated with the personal data owner and to perform that transaction) |
| Risk Management Information | Personal data processed in order to manage the commercial, technical and administrative risks of our company (e.g. IP address, Mac ID, etc. records) |
| Financial Information | Personal data within the scope of information, documents and records showing all kinds of financial results created according to the type of existing legal relationship with the personal data owner (e.g. information showing the financial result of the transactions made by the data owner, loan amount, card information, loan payments, interest amount and rate to be paid, debt balance, receivable balance, etc.) |
| Personal Information | All kinds of personal data processed for the purpose of obtaining information that will be the basis for the protection of the personal rights of real persons who have a working relationship with the Personal Data Owner (all kinds of information and documents that are required to be entered into the personnel file by law) |
| Employee Candidate Information | Personal data used in the application evaluation process (e.g. resume, interview notes, personality test results, etc.) belonging to data owners who share their information to apply for a job at our company |
| Employee Process Information | Personal data related to all kinds of work-related transactions performed by the Company's supplier employees (e.g. entry-exit records, business trips, information about the meetings attended, security query, e-mail traffic monitoring information, vehicle usage information, company card expenditure information) |
| Employee Performance and Career Development Information | Personal data processed for the purpose of measuring the performance of the Company's supplier employees and planning and executing career development within the scope of human resources policies (e.g. performance evaluation reports, interview results, trainings for career development) |
| Benefits and Benefits Information | Personal data processed for the purpose of tracking the side rights and benefits offered to the Company's supplier employees and benefiting the supplier employees from them (e.g. private health insurance, vehicle allocation) |
| Marketing Information | Data to be used by our company in marketing activities (e.g. reports and evaluations showing the habits and tastes of the person collected for marketing purposes, targeting information, data enrichment activities) |
| Legal Process and Compliance Information | Personal data processed for the purpose of determining and following up legal receivables and rights and fulfilling debts and legal obligations (e.g. data contained in documents such as court and administrative authority decisions) |
| Audit & Inspection Information | Personal data processed within the scope of our company's legal obligations and compliance with company policies (e.g. audit and inspection reports, relevant interview records and similar records) |
| Specially-Qualified Personal Data | Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
| Request/Complaint Management Information | Personal data regarding the receipt and evaluation of any request or complaint directed to our company |
| Visual and Audio Data | Visual and audio recordings associated with the personal data owner (e.g. photographs, camera recordings and audio recordings) |

Within the scope mentioned above, our company processes personal data for the following purposes:
Planning, auditing and execution of information security processes
Creation and management of information technology infrastructure
Planning and execution of fringe benefits and benefits for employees
Planning and/or execution of corporate communication and/or corporate social responsibility and/or non-governmental organizations activities in which employees participate
Planning and execution of employees' access to information authorizations
Follow-up and/or supervision of employees' work activities
Follow-up of financial and/or accounting affairs
Follow-up of legal affairs
Planning of human resources processes
Carrying out effectiveness/efficiency and/or appropriateness analyses of business activities, planning and/or execution of activities
Planning and execution of business activities
Planning and execution of business partners and/or suppliers' access to information authorizations
Management of relationships with business partners and/or suppliers
Planning and/or execution of occupational health and/or safety processes
Planning and/or execution of activities to ensure business continuity
Planning and execution of corporate communication and management activities
Planning and execution of logistics activities
Planning and execution of customer relationship management processes
Planning and/or execution of customer satisfaction activities
Follow-up of customer requests and/or complaints
Execution of personnel procurement processes
Fulfillment of obligations arising from employment contract and/or legislation for company employees
Planning and execution of company audit activities
Planning and execution of external training activities
Planning and execution of the operational activities necessary to ensure that the company's activities are carried out in accordance with the company's procedures and/or relevant legislation
Planning and/or execution of in-house training activities
Ensuring the security of company operations
Ensuring the security of company premises and/or facilities
Planning and/or executing the processes of creating and/or increasing loyalty to the products and/or services offered by the company
Planning and/or execution of the company's production and/or operational risk processes
Execution of corporate and partnership law transactions
Follow-up of contract processes and/or legal requests
Execution of strategic planning activities
Planning and execution of supply chain management processes
Wage management
Planning and execution of production and/or operation processes
Planning and execution of market research activities for the sale and marketing of products and services
Planning and execution of marketing processes of products and/or services
Planning and execution of sales processes of products and/or services
Ensuring that the data is accurate and up-to-date
Providing information to authorized institutions based on legislation
Creation and follow-up of visitor records
- Transfer of Personal Data by Our Company and Classification of the Parties to which Data Transfer is Made
Personal data may be transferred by our Company to our Company officials, affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations and private institutions for the above-mentioned purposes.
Our company, as a data controller, informs the data owners in accordance with Article 10 of the Law before obtaining their personal data from them, within the scope of its obligations arising from the Law. If any data processing process carried out by our company does not meet the conditions specified in the Law and detailed in Sections 2.2.a and b above, explicit consent is obtained from the data owners and the relevant processes are carried out within the framework of the aforementioned explicit consent.
Within the scope of the Law, explicit consent is defined as "consent on a specific subject, based on information and expressed with free will"; accordingly, our Company obtains the explicit consent of the data owners after informing them in accordance with Article 10 of the Law.
Although no period has been determined for the storage of personal data within the scope of the law, in accordance with the general principles, it is essential to keep personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In order to determine the retention periods in accordance with this principle, our company makes an evaluation based on the legislation in force regarding each data processing process and the purpose of the process. Accordingly, our Company retains personal data at least for the period required by its legal obligations and in any case until the relevant statute of limitations expires.
Our company anonymizes, deletes or destroys personal data in accordance with the Law when the purpose of processing the relevant personal data within the scope of any process ceases to exist, including upon the expiry of the aforementioned periods. Within the scope of the Law, anonymization is defined as "making personal data unable to be associated with an identified or identifiable natural person in any way, even by matching it with other data", and our Company's anonymization activities are carried out in accordance with the current legislation.
In order to ensure the security of personal data, our company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data. In this context, at least the following actions are taken by our Company:
Taking software and hardware security measures in accordance with the processed personal data
Carrying out the audits stipulated within the scope of the law
Ensuring compliance of the Company and employees with the Law through in-house trainings, policies and procedures
Providing and recording access to information on the basis of necessity with in-house authorizations
Follow-up of personal data processing activities on a process basis
Obtaining contractual commitments regarding the protection and security of personal data in relations with suppliers
CHAPTER FOUR
Rights of Data Owners Arising from the Law
- Rights of Data Subjects
According to Article 11 of the Law, personal data owners have the right to:
Learn whether personal data about them is processed,
Request information about it if personal data about them has been processed,
Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
Know the third parties to whom personal data is transferred in the country or abroad,
Request correction of personal data in case of incomplete or incorrect processing,
Request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the law and other relevant laws,
Request notification of the transactions made as a result of correction, deletion and destruction requests to third parties to whom personal data has been transferred,
Object to the occurrence of a result against themselves through the analysis of the processed data exclusively through automated systems,
Demand compensation for the damage in case of damage due to unlawful processing of personal data.
Paragraph 2 of Article 28 of the Law regulates that in certain cases, the data owner cannot make a claim other than compensation for damages from the data controller. Accordingly:
The processing of personal data is necessary for the prevention of crime or criminal investigation,
Processing of personal data made public by the person concerned,
Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority granted by the law,
Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial issues,
In such cases, the above-mentioned rights will not be exercised for the relevant data.
- Exercise of Rights
Data owners will be able to use the Application Form to exercise the above-mentioned rights.
Applications, together with the documents that will identify the relevant data owner, can be made by delivering a wet-signed copy of the form to the address .......................................................................................... by hand, through a notary public or by other methods specified in the Law; by signing the form with a secure electronic signature issued within the scope of the Electronic Signature Law No. 5070 and sending it by registered e-mail to the address ............................................; or by e-mail to be sent from the e-mail address previously notified to our Company and registered in our Company's system. If a method other than the aforementioned methods is stipulated by the Personal Data Protection Board, applications can also be submitted by this method.
Data owner requests submitted through one of the above-mentioned methods are evaluated and answered by our Company within a maximum of thirty days. Our company reserves the right to request additional information and documents from the applicant, especially for the purpose of evaluating whether the applicant is the relevant data owner.
As a rule, data owner applications are evaluated free of charge by our Company. However, if a fee has been determined by the Personal Data Protection Board for the request of the data owner, our Company will have the right to demand payment over this fee.
