……ERKAY KANTAR ………………………………..
THE POLICY FOR PROTECTING AND PROCESSING PERSONAL DATA
As …ERKAY KANTAR…….. (“The Company”), we meticulously store the personal data of our valued business partners, service providers and all data subjects who have been in contact with us. We have taken all necessary technical and administrative measures to fulfill, properly and completely, the liabilities regulated by the Law on Protection of Personal Data No. 6698 (“LPPD”) regarding the protection of personal data, and the necessary policies to ensure that employees act in accordance with said measures and liabilities have been put in place in all of our departments. We share with you below our Policy for Protecting and Processing Personal Data put into effect at our company.
In this context, we would like to assure you that we shall comply with the relevant legislation and the aforementioned company policy with regard to the personal data shared with us, and to kindly remind you that any personal data that may be shared with you should also be stored in a manner that meets high data security standards and, for the same reason, should not be shared with third parties without any legal grounds. All suggestions and opinions shared with us are considered to be greatly important and shall be evaluated.
1. Purpose of the Policy for Protecting and Processing Personal Data
3. Policy’s Application and Modification
4. Policy’s Scope and Amendment
5. Basic Rules Regarding the Processing of Personal Data
6. Rights of the Data Subject Regarding the Processing of Personal Data
7. Principle of Maximum Efficiency
8. Deletion, Destruction and Anonymization of Personal Data
9. Data Accuracy and Up to Dateness
10. Confidentiality and Data Security
11. Purposes of Personal Data Processing
12. Personal Data of Clients, Business Partners, Potential Business Partners, Service Providers and Solution Partners
13. Data Transactions Made Due to the Branch’s Legal Liability or to Explicit Legal Stipulations
14. Processing Sensitive Personal Data
15. Personal Data of Our Employees
16. Transferring of Personal Data
17. Processing Security
19. Notification of Breaches
1. Purpose of the Policy for Protecting and Processing Personal Data
With the Policy for Protecting and Processing Personal Data herein (“Policy”), the intention is for all regulations, measures and requirements deemed important in accordance with the LPPD Compliance Process to be adopted within the Company. Within this scope, this Policy has the qualifications to guide each individual within the Company on how to perceptibly implement the rules put forth by the LPPD and relevant legislation, as well as to inform our employees, business partners, service providers and all data subjects who have come into contact with us and left their personal data with us regarding our policies for the LPPD.
In this respect, the Company carries out the necessary adjustments in order to comply with this Policy and periodically operates its internal audit mechanisms regarding compliance in order to ensure the continuity of compliance. All relevant regulations and internal audit mechanisms are prepared by the Company in accordance with the principles set forth under the LPPD and relevant legislation; the Company has drawn up various directives and instructions and brought them into force as internal regulations within the scope of the protection of personal data. The aforesaid regulations are the Policy for the Protection and Processing of Sensitive Personal Data and the Policy for the Storage and Destruction of Personal Data.
Explicit Consent: Consent given regarding a certain subject, based upon information and declared with free will.
Data subject: A real person whose personal data is processed.
Destruction: Deleting, destroying or anonymizing personal data.
The LPPD: The Law on the Protection of Personal Data, No: 6698.
Personal data: Any information relating to an identified or identifiable natural person.
Anonymization of Personal Data: Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Processing of personal data: Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
Deletion of personal data: The process of rendering the personal data inaccessible or unusable, under any circumstance, for the data subjects.
Destruction of personal data: The process of rendering the personal data inaccessible, irretrievable and unusable, under any circumstance, for everyone.
Board: The Personal Data Protection Board.
Policy: Policy for Protecting and Processing Personal Data.
Company: …ERKAY KANTAR ……………………..
Data controller: Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
2. Policy’s Application and Modification
The Company has the right to modify the Policy and other internal regulations and documents organized in accordance with the Policy, provided that it is in compliance with the LPPD and the personal data is protected better in accordance with the Constitution and personal rights.
3. Policy’s Scope and Modification
This Policy herein aims to protect all personal data of our business partners, service providers, employees and customers, or employees of the companies working with us, or any other persons, processed through automatic means or, provided that they are a part of any data recording system, non-automatic means, and includes provisions to ensure the said objectives. In this vein, the Company takes all necessary administrative and technical measures for the processing and protection of personal data, in line with the principles set forth in the LPPD and other legislation; necessary training is conducted with the purpose of raising the awareness of the Company's employees; internal audit mechanisms are established and maintained; relevant compliance processes are maintained; and necessary notifications and warnings are made to the Company's employees or applicants and interns or intern applicants within the LPPD. This Policy determines the content and application procedures of these measures and actions. In this context, it has to be stated that the Company undertakes to comply with all the liabilities and obligations set forth by the LPPD.
4. Fundamental Rules Regarding the Processing of Personal Data
The Company processes personal data within the framework of the following principles and rules;
a) Lawful and in good faith: The Company investigates the source of the personal data that it collects itself or receives from third parties and attaches importance to lawful acquisition of these in good faith.
b) Accurate and up-to-date, when necessary: The Company attaches importance to all the personal data it holds being accurate, up to date and free of any false information, and to immediately conducting the necessary updates when changes in the personal data are notified to it.
c) Processing for specific, explicit and legitimate purposes: The Company shall only process personal data by acquiring explicit written consent of the data subjects via consent forms in which the specific purpose and duration is indicated except for the situations listed in Article 5 of the LPPD, limited to the purposes set forth under the Policy. It does not process, use, or have third parties use the data other than for its own operational purpose.
d) Proportionate, relevant and limited to the processing purposes: The Company uses personal data only to the extent that it is relevant and limited to the purpose for which they are processed and in proportion to what is necessary for its service.
e) Stored only for the period provisioned by relevant legislation or necessary for the processing purpose: The Company stores the personal data it processes in accordance with the time periods provided by the legislation for Labor Law, Work Health and Safety Law, Social Security Law, Turkish Commercial Law and other legislation, and limited to the periods set forth in the Policy for the Storage and Destruction of Personal Data. However, when the abovementioned purposes or reasons which make the storage lawful cease to exist, the Company deletes, destroys or anonymizes the personal data. Personal data is subjected to the necessary processes in accordance with the procedures and rules set forth under the Policy for the Storage and Destruction of Personal Data.
5. Rights of the Data Subject Regarding the Processing of Personal Data
The Company attaches importance to the rights of the data subjects within the framework of compliance with the LPPD. Accordingly, in accordance with Article 11 of the LPPD, the data subjects shall have the following rights with regard to the personal data processed by the Company. Using the application form prepared by the Company and provided upon the request of the data subject, the data subjects shall have the right to request:
a) To learn whether their personal data is processed or not,
b) Relevant information in case their personal data has been processed,
c) To learn the purpose for which their personal data has been processed and whether the personal data has been used in accordance with said purposes,
d) To learn the third parties, domestic or abroad, to whom their personal data has been transferred,
e) Correction of their personal data in the event that they have been processed inadequately or incorrectly,
f) The deletion or destruction of their personal data within the framework provided by the LPPD,
g) The notification of the transactions carried out in accordance with subparagraphs (d) and (e) to the third parties to whom personal data has been transferred,
h) Objection to the results detrimental to themselves arising from the analysis of the processed personal data exclusively via automatic systems,
i) Compensation for the damages that have occurred due to unlawful processing of personal data.
Applications that are received by our Company via the methods specified in our application form shall be responded to within 30 (thirty) days of the date that they reach our Company in accordance with Article 13, paragraph 2 of the LPPD and the reply shall be delivered to the data subject in writing or via electronic media.
For applications submitted to our Company in this manner, the Company shall act in compliance with the provisions of the Directive on the Methods to be Followed for the Applications Submitted Regarding Personal Data.
6. The Principle of Maximum Efficiency
In accordance with the maximum efficiency principle, the personal data processed by the Company shall be processed only to the extent it is necessary and adequate. Accordingly, only the personal data listed under the Policy shall be collected by us for the reasons stipulated in Article 5 of the LPPD, and unnecessary personal data shall be neither collected nor processed nor stored. Most of the personal data processed by the Company is transferred to the Company’s information systems; unnecessary data is not saved to the system within the scope of the Policy for the Storage and Disposal of Personal Data and is deleted, destroyed or anonymized. Such data may be used for statistical purposes.
7. Deletion, Destruction and Anonymization of Personal Data
Personal data is deleted, destroyed or anonymized, automatically or upon the request of the data subject, upon the expiration of legally required durations, the finalization of judicial processes, or when the Company's reasons for lawfulness under Articles 5 and 6 of the LPPD cease to exist, in line with the Policy for the Storage and Disposal of Personal Data. The durations after which personal data is disposed of and the methods for doing so are indicated in the Policy for the Storage and Disposal of Personal Data.
8. Data Accuracy and Up to Datedness
The personal data stored in the Company’s systems is, as a rule, saved upon the declaration of the data subjects and in the manner of their declaration, and is processed automatically or, provided that it is a part of any data recording system, via non-automatic methods. The Company is not liable to investigate the accuracy of the data declared by its employees, business partners, customers, service providers, the customers of companies with which the Company is working as solution partners and/or other data subjects who have come into contact with the Company. The personal data declared by the data subjects is considered accurate and up to date by the Company. The principle of personal data being accurate and up to date is one of the principles adopted by the Company, and our Company shall update the personal data it has processed in the light of the official documents it receives or upon the request of the data subject. We would like to state that notifications made by data subjects to data controllers regarding changes in their personal data are important within the scope of providing compliance with the LPPD and keeping data up to date.
9. Confidentiality and Data Security
The Company processes personal data in accordance with the principle of confidentiality and the right to privacy set forth under the Constitution as one of the fundamental rights and freedoms, and abides by the said principle and right in every stage of the data processing activity.
In light of said rule, only authorized persons within the Company may access the personal data within the Company. All necessary technical and administrative measures are taken by the Company in order to protect the collected personal data, to prevent it from being accessed by unauthorized persons and to prevent the data subjects from suffering. Within this scope, it is ensured that the software is in compliance with the standards, that the third parties with whom work relationships are established are chosen carefully and that this Policy and other internal regulations are abided by within the Company. Data protection agreements or protocols are established, within the scope of the confidentiality principle, between the Company and the solution partners, business partners and service providers with whom reciprocal personal data transfers are made, or with any real persons and legal entities to whom data is transferred, regardless of the circumstances.
10. Purposes of Personal Data Processing
The Company may only process personal data with the data subject’s explicit consent or the existence of the lawfulness reasons according to Article 5 of the LPPD as stated below:
a) Explicitly stated by the laws.
b) Mandatory in order to save the life or bodily integrity of a person who cannot declare consent because of physical impossibility or whose consent is not legally recognized, or of another person.
c) Necessary to process the personal data of the parties to an agreement, provided that it is directly related to the establishment or execution of that agreement.
d) Mandatory in order for the data controller to fulfill legal obligations.
e) Made public by the data subject himself/herself.
f) Mandatory for the establishment, use or protection of a right.
g) Mandatory for the legitimate interests of the data controller, provided that no harm comes to the fundamental rights and freedoms of the data subject.
Accordingly, personal data which are collected by The Company or transferred to The Company are stored for purposes such as;
– Protecting lawful legitimate interests of the real and legal persons that the company is in business relationship with, determining the strategies of the company,
– Determining the deficits in order to develop the company’s business model,
– Examining and resolving the requests and complaints of the data subjects,
– Affixing cameras inside and within the environment of the Company, providing security,
– Advertising of the company’s projects and works, publishing of various interviews and photographs in websites and bulletin,
– The company participating in fairs in relation to its works and collecting the contact information of various persons,
– Requests which the company may face or information which it may need because of all the reasons indicated above
and may be processed within the lawfulness reasons that are indicated above or the explicit consent obtained from the data subject when needed.
11. Personal Data of Business Partners, Potential Business Partners, Service Providers and Solution Partners
The Company collects and processes certain personal data of business partners, service providers and solution partners within the purposes indicated in Article 11 above. The aforesaid personal data is processed only in line with the purpose of the agreement, provided that said personal data is directly relevant to the establishment or execution of the agreements. Personal data is processed in accordance with the necessities of the execution of the agreement and the requirements of the service and is updated when necessary by contacting the data subject.
12. Data Transactions Conducted Due to The Branch’s Legal Liability or Explicit Legal Requirements
Personal data may be processed without acquiring additional consent if the processing is clearly set forth under the relevant legislation or is for the purpose of fulfilling a legal obligation as specified under the legislation. The kind and scope of data processing shall be necessary for the legal data processing activity and shall be in accordance with the relevant legal provisions.
13. Processing Sensitive Personal Data
As the data subject’s data regarding race, ethnic origin, political opinion, philosophical belief, religious sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, penal conviction and security measures, and their biometric and genetic data, are considered to be sensitive personal data within the scope of the LPPD, the Company acts in accordance with the necessary procedures and principles set forth by the LPPD. The Company further takes all adequate and necessary measures as specified by the Personal Data Protection Board. The matters relating to processing and protection of sensitive personal data are specified separately in detail in the Policy for the Processing and Protection of Sensitive Personal Data.
14. Transfer of Personal Data, Domestic and Abroad
Personal data, within the scope of the abovementioned purposes and when necessary for The Company to fulfill its legal obligations, may be shared with our business partners, suppliers, training and fair organizers, private and public institutions and official authorities.
Personal data is shared in accordance with the regulations set forth under the Articles 8 and 9 of the LPPD and all necessary technical and administrative measures are taken during and following the sharing process in order to ensure data security.
In accordance with Article 8 of the LPPD, personal data may be transferred with the explicit consent of the data subject or without an explicit consent, in the existence of one of the situations mentioned above in Article 11 titled ‘Purposes of Personal Data Processing’.
In accordance with Article 9 of the LPPD, along with the abovementioned circumstances, the foreign country to which personal data is to be transferred shall have adequate protection. The countries with adequate protection are determined by the Personal Data Protection Board.
Accordingly, some documents and information may be shared with …………….company when necessary; we ensure that high security measures are taken for the protection of these documents, which contain personal data.
15. Transaction Security
All necessary technical and administrative measures are taken by The Company in order to protect the collected personal data and to prevent unauthorized persons from accessing such data and to protect data subjects from suffering. Within this scope, it is ensured that the software is in compliance with the standards, the third parties with whom business relationships are established are chosen carefully and that this Policy and other internal regulations are abided by within the company.
The Company conducts the necessary internal and external audits regarding the protection of personal data and establishes necessary audit mechanisms for the protection of personal data.
17. Notification of the Breaches
The Company, when a breach in relation to personal data is notified to it, immediately takes action in order to remedy such breach. In the event of the Company causing a breach through its fault within the scope of the LPPD and the relevant legislation, the Company minimizes the damage to the data subject and compensates the damage. In the event that it is determined that personal data has been acquired by unauthorized persons from the outside, the Company notifies the Personal Data Protection Board of the situation within 72 hours after this situation is noticed.