Personal Data Processing and Protection Policy
1.1. Introduction
As Nicesay Textile Marketing Industry and Trade Limited Company (“Company”), we attach utmost importance to the lawful processing and protection of personal data in accordance with the Personal Data Protection Law No. 6698 (“Law”) and act with this care in all our planning and activities. With this awareness, we present this Personal Data Processing and Protection Policy ("Policy") for your information in order to fulfill the obligation to inform within the scope of Article 10 of the Law and to inform you about all the administrative and technical measures we have taken within the scope of the processing and protection of personal data.
1.2. Purpose of the Policy
The main purpose of this Policy is to make statements about the systems for processing and protecting personal data in accordance with the law and the purpose of the Law, and to inform people whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Candidate Employees, Visitors, company and group company customers, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all rights of personal data owners arising from the legislation regarding personal data.
1.3. Scope of the Policy and Personal Data Owners
This Policy has been prepared for, and will be applied to, the persons whose personal data is processed by our Company through automatic means, or through non-automatic means provided that it is part of any data recording system, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties. This Policy will not be applied to legal entities or legal entity data in any way.
Our Company informs the Personal Data Owners in question about the Law by publishing this Policy on the website. Personal Data Processing Policy for Employees will be applied for our company's employees. This Policy will not be applied if the data is not included within the scope of "Personal Data" within the scope specified below or if the Personal Data processing activity carried out by our Company is not done in the ways specified above.
In this context, personal data owners within the scope of this Policy are as follows:
Company Stakeholder:
Stakeholders of the Company are natural persons.
Company Natural Person Business Partner:
They are natural persons with whom the Company has all kinds of business relations.
Stakeholder, Official, Employee of Company Business Partners:
All natural persons, including employees of natural and legal persons (such as business partners, suppliers), stakeholders and officials with whom the Company has all kinds of business relations.
Company Official:
Members of the board of directors of the Company and other authorized natural persons.
Employee Candidate:
They are natural persons who have applied for a job to the Company by any means or have made their CV and relevant information available for review by the Company.
Company Customer:
They are natural persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
Group Company Customer:
They are natural persons who use or have used the products and services offered by the Company Group Companies, regardless of whether they have any contractual relationship with the Group Companies of the Company.
Potential Customer:
They are natural persons who have requested or are interested in using the Company's products and services, or who have been assessed as having such an interest in accordance with commercial customs and the rule of good faith.
Visitor:
All natural persons who enter the physical premises owned by the Company for various purposes or visit the websites for any purpose.
Third Party:
Other natural persons who are not included in the scope of the Personal Data Protection and Processing Policy prepared for Company Employees and who are not included in any personal data owner category in this Policy.
1.4. Definitions
The concepts included in this Policy have the following meanings:
Companies/Our Companies:
Nicesay Textile Marketing Industry and Trade Limited Company
Personal Data/Data:
It is any information regarding an identified or identifiable natural person.
Specially Qualified Personal Data/Data:
Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Processing of Personal Data:
It is any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system.
Personal Data Owner/Relevant Person:
It refers to Company Stakeholders and Employees, Company Business Partners, Company Officials, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers, Third Parties and persons whose personal data is processed by the company.
Group Company:
It refers to the company/companies affiliated to the group to which the Company is affiliated.
Data Recording System:
It refers to the recording system in which personal data is structured and processed according to certain criteria.
Data Controller:
It is the natural or legal person who determines the purposes and methods of processing personal data and is responsible for establishing and managing the data recording system.
Data Processor:
It is a natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Explicit Consent:
It is consent regarding a certain subject, based on informed consent and expressed with free will.
Anonymization:
It is the process of making data that was previously associated with a person impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Law:
It refers to the Personal Data Protection Law No. 6698.
PDP Board:
It is the Personal Data Protection Board.
1.5. Enforcement of the Policy
This Policy, which was issued by the Company and entered into force on the date of its publication, is published on the Company's website (feudeelu.com) and is made available to relevant persons upon the request of Personal Data Owners.
CHAPTER TWO
2. PROCESSING AND TRANSFER OF PERSONAL DATA
2.1. General Principles in Processing Personal Data
Personal Data is processed by the Company in accordance with the procedures and principles put forth in the Law and this Policy. The Company acts with the following principles when processing Personal Data:
Personal Data is processed in accordance with the relevant legal rules and the requirements of the rule of good faith.
Personal Data is ensured to be accurate and up to date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully taken into account.
Personal Data is processed for specific, explicit and legitimate purposes. A legitimate purpose means that the Personal Data processed by the Company is related to and necessary for the work performed or the service offered by the company.
Personal Data is linked to the purposes determined by the Company, and the processing of Personal Data that is not relevant to or needed for achieving the purpose is avoided. The Company limits the data processed to what is necessary to achieve the purpose. In this context, the Personal Data processed is limited, proportionate and connected to the purpose for which it is processed.
If a period is stipulated in the relevant legislation for the storage of data, the Company complies with that period; otherwise, it retains Personal Data only for the period necessary for the purpose for which it is processed. If there is no valid reason to retain Personal Data any longer, the data in question will be deleted, destroyed or anonymized.
2.2. Conditions for Processing Personal Data
The Company does not process Personal Data without the explicit consent of the data owner. If one of the following conditions exists, Personal Data may be processed without the explicit consent of the data owner.
The Company may process the Personal Data of Personal Data Owners in cases clearly put forth by law, even without explicit consent. For example, in accordance with Article 230 of the Tax Procedure Law, the explicit consent of the relevant person will not be required to include the name of the relevant person on the invoice.
Personal Data may be processed without explicit consent in order to protect the life or physical integrity of individuals or another person who are unable to express their consent due to actual impossibility or whose consent cannot be validated. For example, in a situation where the person's consent is not valid due to unconsciousness or mental illness, the Personal Data Owner's Personal Data may be processed during medical intervention to protect life or physical integrity. In this context, data such as blood type, diseases and surgeries, and medicines used can be processed through the relevant health system.
Personal Data belonging to the parties to the contract may be processed, provided that it is directly related to the establishment or execution of a contract by the Company. For example, in accordance with a contract, the account number of the creditor party may be obtained for the payment of money.
The Company may process the Personal Data of Personal Data Owners if it is mandatory to fulfill its legal obligations as the data controller.
Personal Data that has been made public by the Personal Data Owners themselves, in other words, has been disclosed to the public in any way, may be processed by the Company because the legal interest to be protected has disappeared.
The Company may process the Personal Data of Personal Data Owners without seeking explicit consent, in cases where data processing is necessary for the exercise or protection of a legally legitimate right.
The Company may process the Personal Data of Personal Data Owners in cases where it is necessary to process Personal Data to ensure their legitimate interests, provided that it does not harm the fundamental rights and freedoms of Personal Data Owners protected under the Law and the Policy. The Company shows the necessary sensitivity in complying with the basic principles regarding the protection of Personal Data and observing the balance of interests of Personal Data Owners.
2.3. Conditions for Processing of Specially Qualified Personal Data
The Company does not process Specially Qualified Personal Data without the explicit consent of the person concerned. However, Personal Data other than health and sexual life may be processed without the explicit consent of the relevant person in cases stipulated by law. Personal Data regarding health and sexual life are processed by the Company only for the purposes of protecting public health, preventive medicine, medical diagnosis and carrying out treatment and care services, planning and management of health services and their financing, without seeking the express consent of the relevant person, under conditions where we are under a confidentiality obligation. The Company carries out the necessary procedures to take adequate measures determined by the Board in the processing of Specially Qualified Personal Data.
2.4. Conditions for Transfer of Personal Data
Our Company may transfer the Personal Data of Personal Data Owners and Specially Qualified Personal Data to third parties in accordance with the Law, by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Our company acts in accordance with the regulations stipulated in the Law when transferring Personal Data. In this context, our Company may transfer personal data to third parties, based and limited on one or more of the Personal Data processing conditions specified in Article 5 of the Law, listed below, in line with legitimate and lawful Personal Data processing purposes, provided that the fundamental rights and freedoms of the Personal Data owner are not harmed, and if it is necessary for the legitimate interests of our Company;
If the Personal Data owner has given explicit consent,
If there is an explicit regulation in the law regarding the transfer of Personal Data,
If it is necessary to protect the life or physical integrity of the Personal Data owner or someone else, and
If the Personal Data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not given legal validity,
If it is necessary to transfer the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
If Personal Data transfer is mandatory for our company to fulfill its legal obligations,
If Personal Data has been made public by the Personal Data owner,
If Personal Data transfer is mandatory for the establishment, exercise or protection of a right.
2.4.1. Conditions for Transferring Personal Data Abroad
Our Company may transfer the Personal Data and Specially Qualified Personal Data of Personal Data Owners to third parties abroad by taking the necessary security measures in line with the purposes of processing Personal Data. Personal Data may be transferred by our Company to foreign countries that have been declared to have adequate protection by the PDP Board, or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country have committed in writing to adequate protection and have the permission of the PDP Board.
2.5. Conditions for Transfer of Specially Qualified Personal Data
The Company may transfer the Specially Qualified Personal Data of the Personal Data Owner to third parties in the following cases, in line with legitimate and lawful Personal Data processing purposes, by showing due care, taking the necessary security measures and taking adequate precautions prescribed by the Personal Data Protection Board:
(i) In case of explicit consent of the Personal Data Owner, or
(ii) Without the explicit consent of the Personal Data Owner, in the presence of the following conditions:
Specially Qualified Personal Data except the Personal Data Owner's health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, criminal conviction and data regarding security measures and biometric and genetic data), in cases stipulated by law,
Specially Qualified Personal Data regarding the health and sexual life of the Personal Data Owner, only by persons or authorized institutions and organizations who are under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
2.5.1. Transfer of Specially Qualified Personal Data Abroad
The Company may transfer the Specially Qualified Personal Data of the Personal Data Owner to foreign countries where the data controller has adequate protection or undertakes adequate protection, in line with legitimate and lawful Personal Data processing purposes, by showing due care, taking the necessary security measures and taking adequate precautions prescribed by the Personal Data Protection Board:
(i) In case of explicit consent of the Personal Data Owner, or
(ii) Without the explicit consent of the Personal Data Owner, in the presence of the following conditions:
Specially Qualified Personal Data except the Personal Data Owner's health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, criminal conviction and data regarding security measures and biometric and genetic data), in cases stipulated by law,
Specially Qualified Personal Data regarding the health and sexual life of the Personal Data Owner, only by persons or authorized institutions and organizations who are under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
CHAPTER THREE
3. CLASSIFICATION OF PERSONAL DATA, PURPOSES OF PROCESSING AND TRANSFER, PERSONS TO WHICH THEY WILL BE TRANSFERRED
3.1. Classification of Personal Data
Personal data in the following categories are processed by the Company, by informing the relevant persons in accordance with Article 10 of the Law, in line with the Company's legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law, in accordance with the general principles specified in the Law, especially the principles specified in Article 4 regarding the processing of personal data, in compliance with all obligations set out in the Law and limited to the subjects within the scope of this Policy. This section also states which data owners regulated within the scope of this Policy the personal data processed in these categories are associated with.
PERSONAL DATA CATEGORIZATION
PERSONAL DATA CATEGORIZATION DESCRIPTION
Identity Information
It is data that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system, and contains information about the person's identity: name-surname, Turkish ID number, documents such as driver's license, identity card and passport containing information such as nationality, mother's name-father's name, place of birth, date of birth and gender, as well as tax number, SSI number, signature information, vehicle license plate and similar information.
Communication Information
It is data that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system, and contains information such as telephone number, address, e-mail address, fax number, IP address.
Location Data
Information that determines the location of the Personal Data Owner within the framework of operations carried out by the Company's business units, when using the products and services of group companies, or when employees of the institutions with whom it cooperates are using Company vehicles, which clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; GPS location, travel data, etc.
Transaction Security Information
Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company while carrying out the activities of the Company.
Family Members and Relative Information
Information about the Personal Data Owner's family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in emergency situations, within the framework of the operations carried out by the Company's business units, about the products and services offered by the group companies, or in order to protect the legal and other interests of the Company and the Personal Data Owner, which clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system.
Physical Location Security Information
Personal data regarding records and documents received upon entering the physical location and during the stay in the physical location, which clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; camera records, fingerprint records, records taken at security points, etc.
Financial Information
Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship the Company has established with the Personal Data Owner, and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information, which clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system.
Visual/Auditory Information
Photographs and camera records (except for records included within the scope of Physical Location Security Information), voice recordings and data contained in documents that are copies of documents containing personal data, which clearly belongs to an identified or identifiable natural person.
Personal Information
All kinds of personal data processed to obtain information that will be the basis for the formation of personal rights of natural persons who have working relationship with the Company, which clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system.
Legal Transaction Information
Data processed within the scope of the determination and pursuit of the Company's legal credits and rights, and the fulfillment of its debts and legal obligations.
Specially Qualified Personal Data
Data specified in Article 6 of the Law (e.g. health data including blood type, biometric data, religion and society membership information, etc.), which clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system.
Request/Complaint Management Information
Personal data regarding the receiving and evaluation of any requests or complaints directed to the Company, which clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system.
The type of Personal Data processed of the Personal Data Owners specified in Article (1.3.) of Section 1 of the Policy is stated in the table below:
PERSONAL DATA CATEGORIZATION
DATA OWNERS TO WHICH THE RELEVANT PERSONAL DATA IS RELATED
Identity Information
Company Stakeholders, Company Officials, Company Employees, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties.
Communication Information
Company Stakeholders, Company Officials, Company Employees, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Location Data
Company Stakeholders, Company Officials, Company Employees
Transaction Security Information
Company Stakeholders, Company Officials, Company Employees, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Family Members and Relative Information
Company Stakeholders, Company Officials, Company Employees, Company Business Partners
Physical Location Security Information
Company Stakeholders, Company Officials, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Financial Information
Company Stakeholders, Company Officials, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Visual/Auditory Information
Company Stakeholders, Company Officials, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties.
Personal Information
Company Stakeholders, Company Officials, Company Business Partners
Legal Transaction Information
Company Stakeholders, Company Officials, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Specially Qualified Personal Data
Company Stakeholders, Company Officials, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Request/Complaint Management Information
Company Stakeholders, Company Officials, Company Business Partners, Our Employee Candidates, Our Visitors, Company and Group Company Customers, Potential Customers and Third Parties
3.2. Purposes of Processing and Transfer of Personal Data
Personal Data is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, and in accordance with the law and the purpose of the Law, limited to the following purposes:
Planning and implementing the Company's human resources policies in the best possible way,
Correct planning, execution and management of commercial partnerships and strategies of the Company,
Ensuring the legal, commercial and physical security of the Company and its business partners,
Ensuring corporate functioning, planning and execution of management and communication activities of the Company,
Ensuring that Personal Data Owners benefit from the products and services of the Company in the best possible way and recommending these products and services by customizing them according to their demands, needs and wishes,
Ensuring data security of the Company at the highest level,
Creation of databases,
Improving the services offered on the website and eliminating errors that occur on the website,
Communicating with Personal Data Owners who submit their requests and complaints to the Company and ensuring request and complaint management,
Event management,
Management of relationships with business partners or suppliers,
Conducting personnel recruitment processes,
Supporting Group Companies in their personnel recruitment processes and compliance with relevant legislation,
Planning and execution of audit activities to ensure that the activities of the Group Companies are carried out in accordance with the relevant legislation,
Supporting the planning and execution processes of side rights and benefits to be provided to senior managers of the Company and the Group Companies,
Supporting Group Companies in conducting corporate and partnership law transactions,
Execution/monitoring of financial reporting and risk management transactions,
Execution/monitoring of company legal affairs,
Carrying out work to protect the Company’s reputation,
Managing investor relations,
Providing information regarding legislation to authorized institutions,
Creating and tracking visitor records.
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, the Company obtains your explicit consent for the relevant processing activity.
3.3. Persons to whom personal data will be transferred
Your Personal Data may be transferred to the following categories of persons managed by the Policy, in accordance with the law and the purpose of the Law, for the following purposes:
Persons to whom data can be transferred
Purpose of Data Transfer
Company Business Partners
Personal data may be transferred on a limited basis in order to carry out various projects while carrying out the Company's commercial activities alone or together with Group Companies, and to ensure that the purposes for which the business partnership was established, such as receiving services, are fulfilled.
Group Companies
Personal data may be transferred, limited to ensuring the execution of commercial activities that require the participation of companies affiliated to the group to which the Company is affiliated.
Company Stakeholders
Personal data may be transferred, limited to the purposes of the activities carried out by the Company within the scope of corporate law, event management and corporate communication processes, in accordance with the provisions of the relevant legislation.
Company Officials
Personal data may be transferred, limited to the purposes of designing strategies regarding the Company's commercial activities, ensuring its management at the highest level and auditing, in accordance with the provisions of the relevant legislation.
Legally Authorized Public Institutions and Organizations
Personal data may be transferred, limited to the purpose requested by the relevant public institutions and organizations within their legal authority.
Legally Authorized Private Legal Persons
Personal data may be transferred, limited to the purpose requested by the relevant private legal persons within their legal authority, in accordance with the provisions of the legislation.
CHAPTER FOUR
4. COLLECTION METHOD AND LEGAL REASON, DELETION, DESTRUCTION AND ANONYMIZATION AND STORAGE PERIOD OF PERSONAL DATA
4.1. Method and Legal Reason for Collecting Personal Data
In compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates the scope of the Law, Personal Data is collected in any verbal, written or electronic environment, through technical and other methods and through channels such as the call center, the Company website and the mobile application, in order to achieve the purposes set out in the Policy and to fulfill the responsibilities arising from the law completely and accurately, within the framework of legislation, contract, request and optional legal reasons, and is processed by the Company or by data processors appointed by the Company.
4.2. Deletion, Destruction or Anonymization of Personal Data
The Company deletes, destroys or anonymizes Personal Data ex officio or upon the request of the data owner if the reasons requiring its processing no longer exist, even though it has been processed in accordance with the provisions of this Law and other laws, without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data. Deleting Personal Data means destroying the data in such a way that it cannot be used again or recovered. Accordingly, Personal Data is irreversibly deleted from the documents, files, CDs, floppy disks and hard disks in which it is recorded. Destruction of Personal Data means the destruction of the materials suitable for storing data, such as the documents, files, CDs, floppy disks and hard disks in which the data is recorded, in such a way that the information cannot be retrieved or used again. Anonymization of data means making Personal Data impossible to associate with an identified or identifiable natural person, even if it is matched with other data. You can access our Storage and Disposal Policy here.
4.3. Storage Period of Personal Data
If the period is specified in the legislation, the Company stores Personal Data for the period specified in this legislation. If a period of time is not regulated in the legislation regarding how long personal data should be stored, Personal Data is processed for a period of time that requires processing in accordance with the Company's practices and commercial life customs, depending on the activity carried out by the Company while processing that data, and is then deleted, destroyed or anonymized.
If the purpose of processing personal data has expired and the storage periods determined by the relevant legislation and the Company have expired, personal data can only be stored in order to serve as evidence in possible legal disputes or to assert the relevant right based on personal data or to provide a defense. The storage period is determined based on the statute of limitations for asserting the mentioned right and on examples of requests previously made to the Company on the same issues even though the statute of limitations period had passed. In this case, the stored personal data is not accessed for any other purpose and the relevant personal data is accessed only when it needs to be used in the relevant legal dispute. After the mentioned period expires, personal data is deleted, destroyed or anonymized.
CHAPTER FIVE
5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the Personal Data the Company processes, to prevent unlawful access to the data and to ensure the preservation of the data, and in this context carries out the necessary inspections or has them carried out.
5.1. Ensuring the Security of Personal Data
5.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The Company takes technical and administrative measures according to technological possibilities and implementation costs to ensure that Personal Data is processed in accordance with the law.
(i) Technical Measures Taken to Ensure Lawful Processing of Personal Data
The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:
Personal Data processing activities carried out within the company are audited by established technical systems.
The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
Technically knowledgeable personnel are employed.
(ii) Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:
Employees are informed and trained about Personal Data protection law and the lawful processing of Personal Data.
All activities carried out by the Company are analyzed in detail on a specific basis for all business units, and as a result of this analysis, Personal Data processing activities are revealed on a specific basis for the activities carried out by the relevant business units.
The Personal Data processing activities carried out by the Company's business units and the requirements to be fulfilled to ensure that these activities comply with the Personal Data processing conditions put forth by the Law are determined on a specific basis for each business unit and the detailed activity the Company carries out.
In order to ensure legal compliance requirements determined on a business unit basis, awareness is created and implementation rules are determined for the relevant business units, and in order to ensure the control of these issues and the continuity of the implementation, the necessary administrative measures are implemented through company internal policies and training.
In addition to the Company's instructions and exceptions stipulated by law, records that impose the obligation not to process, disclose or use Personal Data are placed in the contracts and documents managing the legal relationship between the Company and its employees; employee awareness on this issue is created, and the obligations arising from the Law are fulfilled by carrying out inspections.
5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and implementation costs in order to prevent imprudent or unauthorized disclosure, access, transfer or any other unlawful access of Personal Data.
(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data
The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:
Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.
Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.
Access authorizations are limited and authorizations are reviewed regularly.
The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the issues that contain a risk are re-evaluated and the necessary technological solutions are produced.
Software and hardware including virus protection systems and firewalls are installed.
Technically knowledgeable personnel are employed.
Security scans are carried out regularly to detect security vulnerabilities in the applications where Personal Data is collected. The security vulnerabilities found are closed.
(ii) Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:
Employees are trained on the technical measures to be taken to prevent unlawful access to Personal Data.
Personal Data processing and authorization processes are designed and implemented within the Company in accordance with legal compliance requirements for processing Personal Data on a business unit basis.
Employees are informed that they cannot disclose the Personal Data they have learned to anyone else, contrary to the provisions of the Law, or use it for purposes other than processing, and that this obligation will continue after they resign from the Company, and the necessary commitments are taken from them in this regard.
Provisions are added to the contracts concluded by the Company with the persons to whom the Personal Data is lawfully transferred, stating that the persons to whom the Personal Data is transferred will take the necessary security measures to protect the Personal Data and ensure that these measures are complied with in their own organizations.
5.1.3. Storing Personal Data in Secure Environments
The Company takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, to store Personal Data in secure environments and to prevent Personal Data from being destroyed, lost or changed for unlawful purposes.
(i) Technical Measures Taken to Store Personal Data in Secure Environments
The main technical measures taken by the Company to store Personal Data in secure environments are listed below:
Systems compatible with technological developments are used to store Personal Data in secure environments.
Personnel specialized in technical matters are employed.
Technical security systems are established for storage spaces, security tests and research are carried out to detect security vulnerabilities on information systems, and existing or potential risks identified as a result of the tests and research are eliminated. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
Backup programs are used in accordance with the law to ensure that Personal Data is stored safely. By restricting access to the environments where Personal Data is kept, only authorized persons are allowed to access these data, limited to the purpose of storing personal data, and access to the data storage areas where Personal Data is stored is logged and inappropriate access or access attempts are instantly reported to the relevant units.
(ii) Administrative Measures Taken to Store Personal Data in Secure Environments
The main administrative measures taken by the Company to store Personal Data in secure environments are listed below:
Employees are trained to ensure that Personal Data is stored securely.
Legal and technical consultancy services are received to follow the developments in the field of information security, privacy of private life and protection of personal data and to take the necessary actions.
In case of outsourcing services due to technical requirements for the storage of Personal Data by the Company, the contracts concluded with the relevant companies to which the Personal Data is transferred in accordance with the law include provisions stating that the necessary security measures will be taken to protect the Personal Data of the persons to whom the Personal Data is transferred and that these measures will be ensured in their own organizations.
5.1.4. Audit of Measures Taken for the Protection of Personal Data
The Company carries out the necessary inspections within its own structure, or has them carried out, in accordance with Article 12 of the Law. These audit results are reported to the relevant department within the scope of the Company's internal functioning and the necessary activities are carried out to improve the measures taken.
5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
The Company operates a system that ensures that, if Personal Data processed in accordance with Article 12 of the Law is obtained by others through illegal ways, this situation is notified to the relevant Personal Data Owner and the PDP Board as soon as possible. If deemed necessary by the PDP Board, this situation may be announced on the PDP Board's website or by another method.
5.2. Protecting the Legal Rights of Personal Data Owners
The Company protects all legal rights of Personal Data Owners through the implementation of the Policy and the Law and takes all necessary measures to protect these rights. Detailed information about the rights of Personal Data Owners is provided in the sixth section of this Policy.
5.3. Protection of Specially Qualified Personal Data
The Law attaches special importance to certain Personal Data due to the risk of causing victimization and/or discrimination when processed unlawfully. These data include data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. The Company pays utmost attention to the protection of specially qualified personal data, which are determined as "specially qualified" by law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company to protect personal data are implemented with the utmost care in terms of Specially Qualified Personal Data, and the necessary controls are provided within the Company in this regard.
CHAPTER SIX
6. RIGHTS OF PERSONAL DATA OWNER, USE AND EVALUATION OF RIGHTS
6.1. Clarification of Personal Data Owner
In accordance with Article 10 of the Law, the Company informs Personal Data Owners during the acquisition of Personal Data. In this context, the Company clarifies the identity of the Company representative, if any, the purpose for which Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method and legal reason for collecting Personal Data, and the rights of the Personal Data Owner.
6.2. Rights of the Personal Data Owner in accordance with the Personal Data Protection Law
The Company notifies you of your rights in accordance with Article 10 of the Law, provides guidance on how to exercise these rights, and carries out the necessary internal functioning, administrative and technical arrangements for all these. The Company explains to the persons whose Personal Data is received, in accordance with Article 11 of the Law, that they have the right to:
Learn whether Personal Data is processed or not,
Request information regarding Personal Data if it has been processed,
Learn the purpose of processing Personal Data and whether they are used for their intended purpose,
Know the third parties to whom Personal Data is transferred domestically or abroad,
Request correction of Personal Data if it has been processed incompletely or incorrectly,
Request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
Request that the transactions carried out in accordance with paragraphs (d) and (e) of Article 11 of the Law be notified to third parties to whom personal data is transferred,
Object to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
Request compensation for the damage if they are damaged due to the unlawful processing of Personal Data.
6.3. Situations in which the Personal Data Owner Cannot Assert His/Her Rights
Since the following cases are excluded from the scope of the Law in accordance with Article 28 of the Law, Personal Data Owners cannot assert their rights listed in Article (6.2.) of this Policy in the following cases:
Processing of Personal Data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
Processing of Personal Data for purposes such as research, planning and statistics by anonymizing it with official statistics.
Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
Processing of Personal Data by judicial authorities or enforcement authorities regarding investigation, prosecution, judgment or enforcement proceedings.
In accordance with Article 28/2 of the Law, Personal Data Owners cannot assert their rights listed in Article (6.2.) of this Policy, except for the right to request compensation for damage, in the cases listed below:
Processing of Personal Data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the Personal Data Owner.
Processing of Personal Data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority given by the law.
Personal Data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.
6.4. Personal Data Owner's Exercise of His Rights
Personal Data Owners will be able to convey their requests to the Company regarding their rights listed in Article (6.2.) of this Policy, free of charge, by filling out and signing the Application Form, which can be accessed from the "Application Form" link, with information and documents that will identify their identities and by the methods specified below or other methods determined by the PDP Board.
(i) After filling out the application form, a copy with a wet signature must be delivered personally or through a notary to the address Güneşli Mh Mahmutbey Cd No:185.A Bağcılar İstanbul,
(ii) After filling out the application form and signing it with your "secure electronic signature" within the scope of the Electronic Signature Law No. 5070, sending the form with the secure electronic signature via registered e-mail to [email protected].
In order for third parties to request an application on behalf of personal data owners, the data owner must have a special power of attorney issued through a notary on behalf of the person making the application.
6.5. Procedure and Duration of the Company's Response to Applications
The Company finalizes the requests in the application free of charge as soon as possible, within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the PDP Board may be charged. The Company may accept the request or reject it by explaining the reason; it submits its answer in writing or electronically. If the request in the application is accepted, the Company fulfills the requirements of the request.
6.6. Personal Data Owner's Right to Complain to the PDP Board
In cases where the application is rejected, the response is found to be insufficient, or the application is not responded to in due time, the data owner has the right to complain to the PDP Board within thirty days from the date of learning the answer and, in any case, within sixty days from the date of application.
CHAPTER SEVEN
7. MANAGEMENT STRUCTURE ACCORDING TO THE COMPANY'S PERSONAL DATA PROCESSING AND PROTECTION POLICY
A Personal Data Committee has been established within the Company, in accordance with the decision of the Company's senior management, to manage this Policy and other policies connected to and related to this Policy. The Personal Data Committee is authorized and charged with taking the necessary actions to store and process the data of Personal Data Owners in accordance with the law, this Policy and other policies connected to and related to this Policy.
CHAPTER EIGHT
8. UPDATES, COMPATIBILITY AND CHANGES
8.1. Update and Compatibility
The Company reserves the right to make changes to this Policy and other policies related to this Policy due to changes made in the Law, in accordance with the decisions of the PDP Board or in line with developments in the sector or the field of informatics.
Changes made to this Policy are immediately incorporated into the text, and explanations regarding the changes are provided at the end of the Policy.
8.2. Changes
02/04/2018:
Personal Data Processing and Protection Policy has been published.
*There are no older changes.*