1. The Purpose:
The Company undertakes to act under this Policy and the procedures to be applied under the Policy in terms of Personal Data within its organization.
2. The Scope:
This Policy covers all activities regarding the Personal Data that the Company processes and is applied to such activities.
This Policy applies to personal data belonging to Company employees, employee candidates, service providers, visitors, and other third parties. It is applied in all recording media and activities for the processing of personal data, where personal data is owned or managed by the Company.
This Policy does not apply to data that does not qualify as Personal Data.
“Explicit Consent” refers to consent that relates to a particular subject, is based on information, and is expressed by free will.
“Anonymization” means rendering personal data such that it cannot be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.
“Disclosure obligation” refers to the obligation of the data officer or authorized person to provide information to the data subject in accordance with Article 10 of the KVKK during the acquisition of personal data.
“Personal Data” means any information relating to an identified or identifiable natural person (under this Policy, “Personal Data” shall include, to the extent appropriate, the “special qualified personal data” defined below).
“Personal Data Processing” means all kinds of processes performed on the data, such as obtaining Personal Data through fully or partially automated methods, or through non-automated methods provided that the method is a part of any data recording system, as well as recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying such data or preventing the use of it.
“Committee” refers to the committee that is responsible for the fulfillment of this Policy and the KVKK Procedures to be implemented in accordance with the Policy.
"Board" means the Personal Data Protection Board.
“KVKK” means the Law on Protection of Personal Data No. 6698.
“KVK Regulations” refers to the Law on Protection of Personal Data No. 6698 together with other relevant legislation on the protection of personal data; binding decisions, policy decisions, provisions, and conditions issued by regulatory and supervisory authorities, courts, and other official authorities; and applicable international agreements and any other data protection legislation.
“KVK Procedures” refers to the procedures that determine the obligations of the Company, employees, and Committee to comply with this Policy.
“Sensitive Personal Data” refers to the data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions, security measures, biometric and genetic data.
“Deletion” means making Personal Data inaccessible and unusable for the relevant users in any way.
“Data Processor” means the natural or legal person who processes personal data on behalf of the data controller upon its authorization.
“Data Subject” means any natural person whose Personal Data is processed by or on behalf of the Company.
“Data Controller” refers to the natural or legal person who determines the purposes and means of Processing Personal Data and is responsible for the establishment and management of the data recording system.
“Destruction” refers to the process of making Personal Data inaccessible, unrecoverable, and unusable by anyone in any way.
4. The protection of personal data
4.1 Processing of Personal Data in Compliance with the Law and the Good Faith
The Company processes personal data in accordance with the law and the rules of honesty, and based on the principle of proportionality.
4.2 Taking Necessary Measures to Keep Personal Data Accurate and Up-to-Date When Necessary
The company takes all necessary measures to ensure that the personal data is complete, accurate and up-to-date, and updates the relevant personal data if the data subject requests changes in the personal data under the KVKK regulations.
4.3 Processing of personal data for specific, clear, and legitimate purposes
Before the processing of personal data, the company determines for what purpose the personal data will be processed.
In this context, the Data Subject is informed within the scope of the KVK Regulations, and Explicit Consent is obtained when necessary.
4.4 Processing personal data in connection with the purpose for which they are processed, in a limited and measured manner
The Company processes Personal Data only in the exceptional cases under the KVK Regulations (Articles 5.2 and 6.3 of the KVKK) or for the purpose covered by the Explicit Consent obtained from the Data Subject (Article 5.1 and Article 6.2 of the KVKK), and in accordance with the principle of proportionality.
The Data Controller processes Personal Data in a way that contributes to the realization of the determined purposes, and abstains from processing Personal Data that is not related to, or not needed for, the fulfillment of the purpose.
4.5 Keeping personal data for the period required by the relevant legislation or for the purpose for which they are processed
The company retains personal data as necessary for the purpose. If the company wishes to retain personal data for a period longer than the period stipulated in the KVK regulations or required for processing personal data, the Company shall comply with the obligations specified in the KVK regulations.
After the period required for processing personal data has expired, personal data is deleted or anonymized. In this case, third parties to which the company transfers personal data also delete, destroy, or anonymize personal data.
The Committee is responsible for the operation of the processes of deletion, destruction, and anonymization. In this context, the necessary technical and administrative procedure is established by the Committee.
4.6 PROCESSING OF PERSONAL DATA - Explicit Consent
Personal data is processed after the data subjects have been informed within the framework of the obligation to inform, and if the data subjects give explicit consent.
Data Subjects are informed of their rights before Explicit Consent is obtained within the framework of the Disclosure Obligation.
The explicit consent of the data subject is obtained by methods in accordance with the KVK Regulations. Explicit consent is retained by the Company in a demonstrable form for the period required under the KVK Regulations. The Committee is obliged to ensure that the Disclosure Obligation is fulfilled in all Personal Data Processing processes, that Explicit Consent is obtained when necessary, and that the Explicit Consent is retained. All department employees that process Personal Data are obliged to comply with the instructions of the Committee, this Policy, and the KVK Procedures annexed to this Policy.
4.7 Processing Of Personal Data Without Explicit Consent
In cases where the processing of personal data without explicit consent is permitted under the KVK Regulations (Article 5.2 of KVKK), the Company may process personal data without the explicit consent of the data subject. If personal data is processed in this way, the Company processes personal data within the limits set out by the KVK Regulations.
In this context: if there is a clear provision in the law regarding the processing of personal data, personal data may be processed by the Company without explicit consent. Personal data may be processed by the Company without explicit consent where this is required to protect the life or bodily integrity of the data subject, who is unable to disclose his or her consent due to actual impossibility or whose consent is not granted legal validity, or of someone other than the data subject.
Provided that it is directly related to the formation or performance of a contract, personal data of the parties to the contract may be processed by the Company without the explicit consent of the data subject if such processing is required.
If the processing of personal data is mandatory for the company to fulfill its legal obligation, personal data may be processed by the company without the explicit consent of the data subjects.
Personal data that has been publicly disclosed in any way by the data subject may be processed by the company without explicit consent.
If the processing of personal data is mandatory for the establishment, use, or protection of a right, personal data may be processed by the company without explicit consent.
Personal data may be processed by the company without express consent if data processing is mandatory for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the data subject.
I. Processing of personal data of special nature
4.8 Personal data of special nature
Personal data of special nature can only be processed if the data subject has given explicit consent or, for personal data of special nature other than sexual life and personal health data, if the processing is explicitly required by law.
Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person (e.g. company physicians) or authorized public institutions and organizations that have confidentiality obligations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
While processing personal data of special nature, the measures determined by the Company are taken.
The Company will regularly provide training on the KVK Regulations and the security of personal data of special nature for the employees involved in the processing of personal data of special nature. Confidentiality agreements will be made.
The company will clearly define the scope and duration of authorization of users who are authorized to access personal data of special nature.
The company will periodically perform authorization checks.
Employees who have a job change or quit their job will immediately be removed from the authorization list in this area, and the inventory allocated to the relevant employee will immediately be taken back.
In the case of electronic media: concerning the electronic media where personal data of special nature is processed, stored, and/or obtained, the Company:
will keep cryptographic keys secure and in different environments.
will securely log the transaction records of all movements performed on personal data of special nature.
will constantly monitor the security updates of the environments in which personal data of special nature is stored, regularly perform or commission the necessary security tests, and record the test results.
If personal data of special nature is accessed through software, the Company will define user authorizations for this software, regularly perform or commission security tests of this software, and record the test results.
In case of remote access to personal data of special nature, it will provide at least a two-step verification system.
In case personal data of special nature is processed, stored, and/or accessed in the physical environment, the Company:
will ensure that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the nature of the environment in which personal data of special nature is located.
will prevent unauthorized entry and exit by ensuring the physical security of these environments.
In case of transfer of personal data of special nature, the Data Controller:
If it is necessary to transfer personal data of special nature via e-mail, an encrypted corporate e-mail address or a Registered Electronic Mail (“REM”) address will be used.
If it is necessary to transfer personal data of special nature via media such as portable memory, CD, or DVD, it will encrypt the data with cryptographic methods and keep the cryptographic key in a different environment.
If personal data of special nature needs to be transferred between servers in different physical environments, it will transfer the data between servers by setting up a VPN or using the SFTP method.
If it is necessary to transfer personal data of special nature in written form, it will take the necessary precautions against risks such as theft, loss, or viewing of the documents by unauthorized persons, and will send the document in the form of "classified documents".
In addition to the foregoing regulations, the Company will comply with the KVK Regulations, particularly the Personal Data Security Guide, published by the Board regarding the security of Personal Data, including personal data of special nature.
The Committee is notified by the relevant employee in any circumstance that requires the processing of personal data of special nature.
If it is not clear whether a piece of data is personal data of special nature or not, the relevant department takes the opinion of the Committee.
1. Storage Period Of The Personal Data
Personal Data is kept within the Company for the relevant legal retention periods and for the period necessary for the fulfillment of the activities related to this data and the purposes defined in this Policy. Personal Data whose intended purpose has expired and whose legal storage period has expired is deleted, destroyed, or anonymized by the Company in accordance with Article 7 of the KVKK.
4.9 Erasure, destruction or anonymizing of personal data
When the legitimate purpose for the Processing of Personal Data ceases, the relevant Personal Data is Erased, Destroyed, or Anonymized. Circumstances where Personal Data should be Erased, Destroyed, or Anonymized are followed up by the Committee.
The Committee is responsible for the operation of the Erasure, Destruction, and Anonymization processes. In this context, the necessary procedure is established by the Committee.
The Company does not store Personal Data on the grounds that it might be used in the future.
All Erasure, Destruction, and Anonymization activities that the Company will execute on Personal Data will be carried out under the principles defined in the Personal Data Storage, Destruction, and Anonymization Policy.
4.1 TRANSFERRING PERSONAL DATA AND PROCESSING PERSONAL DATA BY THIRD PARTIES
The Company may transfer Personal Data to a third natural or legal person in Turkey and/or abroad under the KVK Regulations, by taking the necessary measures for Personal Data Processing. In this case, the Company ensures that the third parties to which it transfers Personal Data also comply with this Policy. In this context, the necessary protective provisions are added to the contracts concluded with the third party. The article to be added to the contracts concluded with third parties to whom all kinds of Personal Data are transferred is obtained from the Committee.
Each employee is required to go through the process in this Policy in case of Personal Data transfer. If the third party to whom Personal Data is transferred demands a change in the article drawn up by the Committee, the employee promptly notifies the Committee of the situation.
Transferring Personal Data to Third Parties in Turkey
Personal Data may be transferred by the Company to third parties in Turkey without explicit consent in the rare cases specified in Article 5.2 and Article 6.3 of the KVKK, provided that adequate measures are taken, or in other cases, provided that the explicit consent of the data subject is obtained (Article 5.1 and Article 6.2 of the KVKK).
Company employees and the Company are mutually responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the KVK Regulations.
4.11 Transfer of Personal Data to Third Parties Located Abroad
Personal Data may be transferred by the Company to third parties abroad, in extraordinary cases identified in Article 5.2 and Article 6.3 of the KVKK without Explicit Consent or in other cases, provided that the Explicit Consent of the Data Subject is obtained (Article 5.1 and Article 6.2 of the KVKK).
In case the Personal Data is transferred without explicit consent under the KVK Regulations, one of the following conditions must additionally be met with respect to the foreign country to which the data will be transferred:
The foreign country to which the Personal Data is transferred should be among the countries declared by the Board to have sufficient protection (for the list, please follow the current list of the Board),
If the foreign country where the transfer will take place is not included in the safe countries list of the Board, the Company and the Data Controllers in the relevant country should make a written commitment that sufficient protection will be provided and obtain permission from the Board.
Company employees and the Company are mutually responsible for ensuring that the transfer of Personal Data to third parties abroad complies with the KVK Regulations.
4.12 CLARIFICATION OBLIGATION OF THE COMPANY
The Company informs the Data Subjects before the Processing of Personal Data under Article 10 of the KVKK. In this context, the Company fulfills its Clarification Obligation during the acquisition of Personal Data. The notification to be made to Data Subjects within the scope of the Clarification Obligation includes the following elements, respectively: the identity of the Data Controller and his representative, if any; for what purpose the Personal Data will be processed; to whom and for what purpose the processed Personal Data can be transferred; the method and legal reason for collecting Personal Data; and the rights of the Data Subjects listed in Article 11 of the KVKK. The Company provides the necessary information in case the Data Subject requests information under Article 20 of the Constitution of the Republic of Turkey and Article 11 of the KVKK.
If requested by the Data Subjects under the KVKK Regulations, the Company notifies the Data Subject of the Personal Data processed concerning him or her.
The employee and the Company, following the relevant process, are mutually responsible for ensuring that the required Clarification Obligation is fulfilled before the Processing of Personal Data. In this context, the necessary KVK Procedure is created by the Committee, to report each new data processing process to the Committee.
In case the Data Processor is a third party other than the Company, a written contract must be concluded with the third party before the Personal Data Processing starts, stating that the third party will act under the obligations stated above. In cases where third parties transfer Personal Data to the Company, the clause to be added to the contracts is obtained from the Committee. Each employee is obliged to go through the process in this Policy in case Personal Data is transferred to the Company by a third party. In case the third party transferring Personal Data requests a change in the article drawn up by the Committee, the employee promptly notifies the Committee of the situation.
4.13 The Rights of Data Subject
The Company responds to the below-mentioned requests of the Data Subjects, whose Personal Data it holds, under the KVK Regulations:
To learn whether Personal Data is processed by the Company,
To request information about the processing of Personal Data,
To learn the purpose of processing Personal Data and whether it is used in accordance with its purpose,
To know the third parties to whom Personal Data is transferred, in the country or abroad,
To request the correction of the Personal Data in case it has been processed incompletely or inaccurately by the Company,
To request the erasure or destruction of the Personal Data by the Company in case the reasons requiring the processing of Personal Data disappear, to be evaluated within the principles of purpose, duration and legitimacy,
To request notification to third parties in case of correction, deletion or destruction of the Personal Data by the Company,
To object to a result against the Data Subject in case the processed Personal Data is analyzed solely through automated systems,
To request compensation for the damage in case the Personal Data is processed illegally and the Data Subject suffers damage for this reason.
In case the Data Subjects submit their requests regarding their rights listed above to the Company in writing, the Company will conclude the request free of charge within thirty days at the latest, depending on the type of the request. If a separate cost arises for the conclusion of the requests by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller.
4.14 Obligations concerning data security
The Company establishes a Committee to fulfill its obligations under the KVK Regulations, to ensure and supervise the implementation of the KVK Procedures necessary for the implementation of this Policy, and to make suggestions for their operation. All employees involved in the relevant process are jointly and severally responsible for the protection of Personal Data under this Policy and KVK Procedures. Personal Data Processing activities are audited by the Company with technical systems according to technological possibilities and application cost.
Personnel competent in technical matters related to Personal Data Processing activities are employed.
Company employees are informed and trained for the protection and legal processing of Personal Data. The necessary KVK Procedure is created to ensure that the employees who need access to Personal Data in the Company have access to the Personal Data in question.
Company employees can access Personal Data only within the authorization defined for them and under the relevant KVK Procedure. Any access and processing done by the employee beyond his/her authority is against the law and is a reason for termination of the employment contract with just cause.
If the company suspects that the security of the Personal Data of the employee is not adequately provided or if it detects such a security gap, it immediately notifies the Committee of the situation.
Detailed KVK Procedure for the security of Personal Data is created by the Committee.
Each person assigned a Company device is responsible for the security of the devices allocated to his/her own use. Each Company employee or person working within the Company is responsible for the security of the physical files within their area of responsibility.
If there are security measures requested or to be requested additionally for the security of Personal Data within the scope of KVK Regulations, all employees are obliged to comply with additional security measures and to ensure the continuity of these security measures.
Software and hardware, including virus protection systems and firewalls, are installed in line with technological developments to store Personal Data in secure environments.
Backup programs are used and adequate security measures are taken to prevent the loss or damage of Personal Data in the Company.
Necessary measures will be taken to protect the documents containing Personal Data in the Company with encrypted systems. In this context, Personal Data will not be stored in common areas or on the desktop. Documents such as files and folders containing Personal Data will not be moved to the desktop or a public folder. Information on Company computers cannot be transferred to another device via USB, etc., or taken out of the Company. The Committee, together with the Board of Managers, is obliged to take technical and administrative measures for the protection of all Personal Data in the Company, to constantly monitor the developments and administrative activities, to prepare the necessary KVK Procedures, to announce them within the Company, and to ensure and supervise compliance with them. In this context, the Committee, with the approval of the Board of Managers, organizes the necessary training to increase the awareness of the employees.
If a department within the Company processes Sensitive Personal Data, this department will be informed by the Committee about the importance, security, and confidentiality of the Personal Data it processes, and the relevant department will act in accordance with the Committee's instructions. Only a limited number of employees will be authorized to access Sensitive Personal Data, and their list and follow-up will be maintained by the Committee. All of the Personal Data processed within the Company is considered "Confidential Information" by the Company. Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data will continue after the termination of the business relationship, and a commitment has been received from the Company employees to comply with these rules.
The Company provides its employees with the necessary training on the protection of Personal Data within the scope of the Policy and the KVK Procedures in its annex and the KVKK Regulations.
Particular attention is paid to the definitions and protection of Special Quality Personal Data in the training sessions.
If the Company employee accesses Personal Data physically or on a computer, the Company provides training to the relevant employee regarding these accesses (for example, the accessed computer program).
The Company has the right to audit, regularly and ex officio, without any prior notice, that all employees, departments, and contractors of the Company act in compliance with this Policy and the KVK Regulations, and performs the necessary routine audits in this context. The Committee creates a KVK Procedure regarding these audits, submits it for the approval of the Board of Managers, and ensures the implementation of the procedure in question.
4.17 STATES OF BREACH
Every employee of the Company reports to the Committee any work, transaction, or action that he/she considers to be contrary to the procedures and principles outlined in the KVK Regulations and this Policy. In this context, the Committee creates an action plan for the relevant violation in accordance with this Policy and the KVK Procedures.
As a result of the notifications, the Committee prepares the notification to be made to the Data Subject or the Institution regarding the violation, taking into account the provisions of the applicable legislation on the subject, especially the KVK Regulations. In this case, the Data Controller Contact Person carries out the correspondence and communication with the Institution.
4.18 CHANGES TO THE POLICY
This Policy can be changed by the Company with the approval of the General Manager.
The Company shares the updated Policy text with its employees via e-mail so that the changes it has made on the Policy can be reviewed, or makes it available to the employees and Data Subjects via the web address.
4.19 EFFECTIVE DATE OF THE POLICY
This version of the Policy was approved by the General Manager of the Company on 18/12/2018 and entered into force.