Information Security Policy

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

CONCEPTS

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system; any operation performed on the data, such as blocking.
Personal Data Owner/Relevant Person: The natural person whose personal data is processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Qualified Personal Data: Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).
Deletion: The process of making personal data inaccessible and unusable in any way for the relevant users.
Annihilation: The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.
Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. With this method, personal data must be rendered unrelated to an identified or identifiable natural person even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal by the recipient or recipient groups and matching the data with other data.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

 

SECTION I.

INTRODUCTION

The purpose of this regulation is to protect the personal data of our customers, employee candidates, employees, people with whom we have business relations and visitors, and all other personal data within the scope of the Law on Protection of Personal Data No. 6698.

With this Policy, the principles to be adopted by our Company and to be taken into account at the point of implementation have been set forth in the processing, protection, deletion, destruction and anonymization of personal data.

AIM

The purpose of this Policy is to inform our target audience, whose personal data are processed, and to determine the policy for the protection and processing of personal data, regarding the personal data processing activity carried out by our Company in accordance with the law and the processes adopted for the protection of personal data.

SCOPE

This Policy relates to all personal data of real persons processed by our Company.

ENFORCEMENT OF THE POLICY

This policy, which has been issued and put into effect by us, is published on our Company’s website and is made available to personal data owners in this way.

 

SECTION II

1- PROCESSING PERSONAL DATA IN ACCORDANCE WITH RELATED LEGISLATION

In accordance with Article 4 of the KVKK, our Company observes the following principles in the processing of personal data:

1.1-Performing Personal Data Processing Activities in Compliance with Law and Integrity

In our company, the processes of processing personal data are carried out in accordance with legal regulations and honesty rules. In this context, our Company processes only as much personal data as necessary, in accordance with the purposes of data processing.

1.2-Ensuring Personal Data Are Accurate and Up-to-Date When Necessary

Our company takes the necessary measures to ensure that personal data is up-to-date and accurate, taking into account the fundamental rights and legitimate interests of personal data owners.

1.3-Processing for Specific, Clear and Legitimate Purposes

The purpose for which personal data will be processed by our company is set out before the personal data processing activity begins.

1.4-Being Relevant, Limited and Proportionate to the Purpose for which they are Processed

Our Company processes personal data to the extent required by the business, within the requirements of the activities it carries out and in line with the scope of the relevant legal regulations, and avoids processing irrelevant or unnecessary personal data.

1.5-Preservation for as long as required by the relevant legislation or for the purpose for which they are processed.

Our company preserves personal data only for the periods stipulated in the relevant legislation or for the purpose for which they are processed. In this context, if a period is determined for the storage of personal data in the relevant legislation, this period is complied with. If a period has not been determined, personal data are retained for the period necessary for the purpose for which they are processed. Personal data is deleted, destroyed or anonymized by our Company in the event that the period expires or the reasons for its processing disappear. Personal data is not stored by our Company for the possibility of future use. Detailed information on this subject is given in section 7 of this policy.

 

2- PROCESSING PERSONAL DATA

Our company processes personal data only in cases stipulated by law or with the explicit consent of the person.

Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below:

2.1- Explicit Consent of the Personal Data Owner

One of the conditions for the processing of personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be given on a specific subject, based on information and of free will.

2.2- Explicitly Provided in Laws

The personal data of the data owner can be processed in accordance with the law, if it is expressly stipulated in the law.

2.3- Failure to Obtain the Explicit Consent of the Related Person Due to Actual Impossibility

Personal data may be processed if this is necessary to protect the life or physical integrity of the data owner or another person, where the data owner is unable to express consent due to actual impossibility or their consent cannot be validated.

2.4- Directly Related to the Establishment or Performance of the Contract

Provided that it is directly related to the establishment or performance of a contract, the personal data of the parties to the contract may be processed if this is necessary.

2.5- Fulfillment of Legal Obligation

Our company may process the personal data of the data subject if the processing is necessary in order to fulfill its legal obligations as a data controller.

2.6- Making Personal Data Public by the Personal Data Owner

If the personal data of the data owner has been made public by him, it may be processed, limited to the purpose.

2.7- Mandatory Data Processing for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

2.8- Mandatory Data Processing for the Legitimate Interest of the Data Controller

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.

 

3- DISCLOSURE AND INFORMATION OF THE PERSONAL DATA OWNER

Our Company informs the personal data owner of the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of and legal reason for collecting personal data, and the rights of the personal data owner. (See the Illumination Text.)

4- PROCESSING OF SPECIAL QUALITY PERSONAL DATA

Our company acts in accordance with the regulations stipulated in the KVKK in the processing of personal data determined as “special quality” by KVKK.

These data are: data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Special categories of personal data are processed by our Company, taking the necessary precautions, in the following cases:

If the personal data owner has given explicit consent, or

If the personal data owner has not given explicit consent, in the cases stipulated by the laws.

Data on health and sexual life are only processed with the explicit consent of the data owner.

SECTION III.

PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSE OF PROCESSING AND STORAGE PERIOD

  • The personal data processed by our Company are listed below. However, which data will be processed for each personal data owner may vary depending on various factors such as the type and nature of the relationship between the personal data owner and our Company and the communication channels used.

PERSONAL DATA: EXPLANATION
Credentials: Data that contains information about the identity of the person; documents such as driver’s license, identity card and passport that contain information such as name-surname, TR identity number, nationality information, mother’s name-father’s name, place of birth, date of birth, gender, personnel registration number, signature information, etc.
Communication Information: Information such as phone number, address, e-mail address, KEP address, fax number, IP address.
Family Members and Relatives Information: Information about family members (e.g. spouse, children), relatives and other persons who can be reached in case of emergency, as reported to our Company by the personal data owner, within the framework of the operations carried out by the units of our Company.
Safety Information: Personal data regarding the records and documents taken at the entrance to the facilities of our Company and during the stay in these places; camera recordings and recordings taken at the security point, etc.
Financial Information: Personal data processed for all kinds of financial information, documents and records created according to the type of legal relationship our Company has established with the personal data owner, and data such as bank account number, IBAN number, income information.
Audio/Visual Information: Photographs, camera recordings.
Personal Information: All kinds of personal data processed in order to obtain the information that will form the basis of the personal rights of real persons who are in a working relationship with our Company.
Special Qualified Personal Data: Data specified in Article 6 of the KVK Law (e.g. health data including blood group, biometric data (fingerprint), body size, etc.).
Professional Knowledge: Data pertaining to diploma and certificate information of employee candidates, our employees and people who have a business relationship with our Company.

  • PERSONAL DATA OWNERS WHOSE DATA ARE PROCESSED BY OUR COMPANY

Our company’s customers, subsidiaries, visitors, employee candidates, employees, company shareholders, employees of companies with which we have business relations, employees of institutions with which we cooperate.

  • PURPOSE OF PROCESSING PERSONAL DATA

The personal data specified in Section III, item 1 of this Policy are processed by our Company for purposes such as:

  • Execution of the application processes of employee candidates
  • Execution of human resources processes
  • Fulfillment of legal obligations for employees
  • Conducting social responsibility and civil society activities
  • Execution of finance and accounting works
  • Conducting communication activities
  • Execution of the procurement of goods and services
  • Execution of the goods / services sales process
  • Execution of wage policy
  • Execution of fringe benefits and benefits processes for employees
  • Execution of storage and archive activities
  • Execution of emergency management processes
  • Conducting business activities
  • Conducting activities to ensure business continuity
  • Ensuring the security of movable property and resources
  • Providing information to authorized persons, institutions and organizations
  • Conducting educational activities
  • Carrying out the activities in compliance with the legislation
  • Providing physical space security
  • Carrying out internal audit activities
  • Execution of occupational health / safety activities
  • Execution of management activities
  • Execution of goods / services production and operation processes
  • Execution of goods / services after-sales support services
  • Execution of logistics activities
  • Execution of contract processes
  • Execution of risk management processes

and for legal reasons such as:

  • Fulfilling our legal obligations,
  • The necessity of processing the personal data of the parties based on the established business relationship,
  • Being prescribed by law, and
  • Provided that it does not harm the fundamental rights and freedoms of the person concerned, the protection of our Company’s legitimate interests, and with the express consent of the person concerned.

  • PERSONAL DATA STORAGE PERIOD

Our company keeps personal data for the period required by the relevant legislation or for the purpose for which they are processed.

If the legislation does not regulate how long personal data should be stored, personal data is processed for the period that processing requires under our Company’s practices and the practices of commercial life, depending on the activity carried out while processing that data.

If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation or our Company have also come to an end, personal data can only be stored to provide evidence in possible legal disputes, to assert a right related to the personal data, or to establish a defense. In setting these periods, retention periods are determined on the basis of the statute of limitations for asserting the aforementioned right and, where the statute of limitations has expired, the examples previously submitted to our Company on the same issues. In this case, the stored personal data cannot be accessed for any other purpose and access is provided only when it is necessary to use it in the relevant legal dispute. Here, too, personal data is deleted after the aforementioned period expires.

SECTION IV.

  • CAMERA MONITORING ACTIVITY AT OUR COMPANY’S BUILDING AND FACILITY ENTRANCES AND INSIDE

Within the scope of monitoring with security cameras, certain areas are subject to camera monitoring by our Company in order to protect the interests of the Company and other persons in ensuring their safety, limited to this Policy and in a way that does not interfere with a person’s privacy beyond the security purposes. Our Company acts in accordance with the KVKK in the camera surveillance activities carried out for security purposes. Information regarding camera monitoring is provided by publishing this Policy on the website and by posting signs, plates and the illumination text regarding the monitoring in the monitored areas.

The areas monitored, the number of security cameras and the monitoring times are kept to what is sufficient to achieve the security purpose and are limited to that purpose. Necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera monitoring. Detailed information about the retention period of personal data obtained by our Company through camera monitoring is given in article 3.4 of this Policy, entitled Personal Data Retention Periods.

Only a limited number of Company employees have access to live camera footage and to recordings stored in digital media. The limited number of people who have access to the records undertake, through a confidentiality agreement, to protect the confidentiality of the data they access.

  • MONITORING OF GUEST ENTRIES AND EXITS AT OUR COMPANY’S BUILDING AND FACILITY ENTRANCES AND INSIDE

Personal data processing is carried out by our Company to monitor guest entries and exits in our Company’s buildings and facilities, in order to ensure security and for the purposes specified in this Policy.

While obtaining the names and surnames of people who come to our Company’s premises as guests, personal data owners are informed in this context. The data obtained for the purpose of tracking guest entry-exit is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.

SECTION V.

TRANSFERRING PERSONAL DATA

Although the third parties to whom personal data can be transferred may vary depending on various factors such as the type and nature of the relationship between the data owner and our Company and the markets in which transactions are made, the third parties to whom the data can be transferred are generally as follows:

  • Authorized public institutions,
  • Private law legal entities, limited to the purpose requested within their legal authority,
  • Business partners of our Company in the country and / or abroad,
  • Customers and suppliers,
  • Our shareholders and our auditors.

SECTION VI.

MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

Our Company takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent illegal access to the data and to ensure the preservation of the data. In this context, it carries out the necessary inspections or has them carried out.

The actions and measures taken by our company to ensure “data security” pursuant to Article 12 of the KVKK are listed below.

Our Company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVKK, that they cannot use such data for purposes other than the purpose of processing, and that this obligation will continue after they leave their job; the necessary commitments are obtained from them accordingly.

Our company provides the necessary trainings to prevent illegal processing of personal data, to prevent illegal access to data, and to increase awareness to ensure data protection.

Our company takes the necessary technical and administrative measures according to technological possibilities and implementation costs in order to keep personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.

SECTION VII.

TERMS OF DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA

Although it has been processed in accordance with the provisions of the relevant law, as regulated in Article 7 of the KVKK, personal data is deleted, destroyed or anonymized for 3 months, pursuant to the decision of our Company, in the event that the reasons requiring processing are eliminated. In the event that all the conditions for processing personal data are no longer valid, our company also deletes, destroys or anonymizes the personal data subject to the request, upon the request of the person concerned. Our company finalizes the request of the person concerned within thirty days at the latest and informs the person concerned.

In accordance with Article 28 of KVKK, anonymized personal data may be processed for purposes such as research, planning and statistics. Since such transactions are outside the scope of KVKK, the explicit consent of the personal data owner is not sought.

 

 

SECTION VIII.

RIGHTS OF PERSONAL DATA OWNERS; METHOD OF USE AND ASSESSMENT OF THESE RIGHTS

Our Company maintains the necessary channels, internal operations, and administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide them with the necessary information.

Personal data owners have the right to:

  • Learn whether their personal data is processed,
  • Request information about it if personal data has been processed,
  • Learn the purpose of processing personal data and whether they are used in accordance with that purpose,
  • Know the third parties to whom personal data is transferred at home or abroad,
  • Request correction of personal data in case of incomplete or incorrect processing, and request notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  • Request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, even though it has been processed in accordance with the provisions of the KVKK and other relevant laws, and request notification of the transaction made within this scope to the third parties to whom the personal data has been transferred.

SECTION IX.

PERSONAL DATA PROTECTION AND PROCESSING POLICY MANAGEMENT STRUCTURE

Our company establishes the necessary management structure in order to fulfill the obligations in the KVK Law and to implement this Policy and to fulfill the following functions.

  • To prepare the basic policies and changes related to the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect,
  • To decide how to implement and control the policies regarding the Protection and Processing of Personal Data, and to make internal assignments and ensure coordination within this framework, to submit to the approval of the senior management,
  • To determine the issues that need to be done in order to ensure compliance with the Law on the Protection of Personal Data and the relevant legislation and to submit the necessary actions to the approval of the senior management; to monitor and coordinate its implementation,
  • To raise awareness within the Company and before the Company’s business partners on the Protection and Processing of Personal Data,
  • To determine the risks that may arise in the personal data processing activities of the company, to ensure that the necessary measures are taken, to submit the improvement suggestions to the approval of the senior management,
  • To design and implement trainings on the protection of personal data and the implementation of policies,
  • To answer the applications of personal data owners in due time,
  • To manage the relations with the Personal Data Protection Board and Institution.

While the management structure is being formed, a committee is established and the composition of this committee and the distribution of duties are determined by our Company’s senior management. In addition to the above-mentioned duties, the Committee and the responsible person(s) to be appointed may be assigned other duties and responsibilities depending on the needs of our Company and the nature of the activities it carries out.

SECTION X.

TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE SECURITY OF PERSONAL DATA

Our Company takes the necessary administrative and technical measures for the safe and legal storage of personal data. To this end:

  • There are disciplinary regulations for employees that include data security provisions
  • A personal data processing inventory is prepared and kept up to date
  • Contracts (between data controller and data processor)
  • Institutional policies (access, information security, use, data retention and destruction)
  • Business arrangement
  • Disciplinary regulation (add legal provisions)
  • Confidentiality commitments are made.
  • In-house periodic and/or random audits
  • Education and awareness activities
  • Ensuring the security of environments that provide personal data
  • Risk analyses are carried out and personal data is reduced as much as possible.
  • Network security and application security are provided,
  • Institutional policies on access information security, use, storage and destruction have been prepared and started to be implemented.
  • Current anti-virus systems are used.
  • Personal data security policies and procedures have been determined.
  • Personal data security is monitored.
  • The security of environments containing personal data is ensured.
  • Personal data is backed up and the security of the backed up personal data is also ensured.
  • Existing risks and threats have been identified.
  • Special categories of personal data must be sent in encrypted form and by using a KEP or corporate mail account.
  • Encryption is done.
  • A closed system network is used for personal data transfers via the network.
  • Firewalls are used.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks is ensured.
  • If it is determined that personal data processed or transferred by our Company is illegally in the hands of unauthorized persons, the situation will be reported to the KVK Board and the relevant data owner as soon as possible, within 72 hours.