PURPOSE OF THE POLICY
The main purpose of this Policy is to determine the principles of the methods and processes for the protection of personal data by the Company. In this context, the steps to be followed and the rules to be complied with in all stages such as processing, storing, sharing and destroying personal data are addressed in detail in the Policy. The Company undertakes to comply fully with the relevant legislation and regulations by taking the necessary technical and administrative measures to ensure the security and confidentiality of personal data.
SCOPE OF THE POLICY
● The Policy covers and applies to all activities related to Personal Data processed by the Company.
● The Policy does not apply to data that does not constitute Personal Data.
● The Policy may be amended from time to time with the approval of the Board of Directors, if required by the PDPL regulations or if deemed necessary by the Data Controller, Representative or Committee.
DEFINITIONS
The definitions used in this Policy have the following meanings;
● "Explicit Consent" refers to the consent explicitly given by the Data Subject based on being informed about the processing of their Personal Data and with free will.
● "Anonymization" refers to the process of making Personal Data unidentifiable, even if matched with other data, in such a way that it cannot be associated with any identified or identifiable natural person.
● "Anonymized Data" refers to data that cannot be linked to any natural person in any way.
● "Personal Data" refers to any information relating to an identified or identifiable natural person (within the scope of this Policy, the term "Personal Data" will also include "Special Category Personal Data" as defined below, where appropriate).
● "Personal Data Processing" refers to any operation performed on Personal Data, whether by automated means or not, such as collection, recording, storage, maintenance, modification, reorganization, disclosure, transfer, acquisition, making available, classification or preventing the use of data, provided that it is part of a data recording system.
● "Committee" refers to the committee responsible for the implementation of this Policy and the procedures to be implemented in accordance with the Policy.
● "Board" refers to the Personal Data Protection Board.
● "Authority" refers to the Personal Data Protection Authority.
"PDPL" refers to the Law on Protection of Personal Data No. 6698.
● "Data Protection Regulations" refers to the Law on Protection of Personal Data No. 6698 and other relevant legislation on the protection of personal data, binding decisions, principle decisions, provisions, instructions given by regulatory and supervisory authorities, courts and other official bodies, applicable international agreements on data protection and all other legislation.
● "Data Protection Procedures" refers to the procedures approved by the Board of Directors and put into effect, which determine the obligations of the Company, employees, Committee and Data Controller Representative within the scope of this Policy.
● "Sensitive Personal Data" refers to data relating to individuals' race, ethnic origin, political opinions, philosophical beliefs, religious, denominational or other beliefs, dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
● "Deletion or Erasure" is the process of making Personal Data inaccessible and unusable for relevant users.
● "Data Inventory" refers to the inventory containing information on the Company's Personal Data Processing activities, such as Personal Data Processing processes and methods, Personal Data Processing purposes, data category, third parties to whom Personal Data is transferred, etc.
● "Data Processor" refers to a natural or legal person who processes Personal Data on behalf of the Data Controller, having been authorized by the Data Controller.
● "Data Subject" refers to all natural persons whose Personal Data is processed by the Company or on behalf of the Company.
● "Data Controller" refers to the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system.
● "Data Controller Representative" refers to the employee selected from within the Committee, who manages the Company's relations with the Institution and is appointed by a Board of Directors decision.
● "Destruction" is the process of destroying Personal Data, making it inaccessible, unrecoverable and unusable by anyone.
PRINCIPLES OF PERSONAL DATA PROCESSING
● Processing Personal Data in Accordance with Law and Principles of Fairness
The Company processes personal data in accordance with the law and principles of fairness, based on the principle of proportionality.
● Taking Necessary Measures to Ensure Personal Data is Accurate and Up-to-Date When Necessary
The Company takes all necessary measures to ensure that personal data is complete, accurate and up-to-date. If the data subject requests a change in their personal data, the relevant personal data is updated promptly. In this process, regular checks are carried out to ensure the accuracy and currency of the data, and necessary corrections are made.
● Processing Personal Data for Specific, Legitimate and Explicit Purposes
Before processing personal data, the Company determines the purpose for which the data will be processed. In this context, the Data Subject is informed within the scope of the Data Protection Regulations and, if necessary, their Explicit Consent is obtained.
● Processing Personal Data in a Manner Relevant to the Purpose, Limited and Proportionate
The Company processes personal data only for the purpose specified in the Data Protection Regulations, in exceptional cases (PDPL Article 5.2 and Article 6.3), or within the scope of Explicit Consent obtained from the Data Subject (PDPL Article 5.1 and Article 6.2), and in accordance with the principle of proportionality.
● Retention of Personal Data for as Long as Necessary and Deletion Afterwards
The Company retains Personal Data for as long as necessary in accordance with the purpose.
If the Company wishes to retain personal data for a longer period than that stipulated in the PDPL Regulations or required by the purpose of Personal Data Processing, it shall act in accordance with the obligations specified in the Data Protection Regulations.
Personal Data is Deleted, Destroyed or Anonymized after the period required by the purpose of Personal Data Processing. In this context, the Company ensures that third parties to whom it has transferred Personal Data also Delete, Destroy or Anonymize the Personal Data.
The Data Controller Representative and the Committee are responsible for the operation of the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is established by the Data Controller Representative and the Committee.
PROCESSING OF PERSONAL DATA
Personal Data may be processed by the Company only within the scope of the procedures and principles set out below.
● Explicit Consent
Personal Data is processed after informing the Data Subjects within the framework of fulfilling the Obligation to Inform and upon obtaining their Explicit Consent.
The Data Subjects are informed of their rights before obtaining Explicit Consent within the framework of the Obligation to Inform.
The Data Subject's Explicit Consent is obtained using methods compliant with the PDPL Regulations. Explicit Consents are kept by the Company in a verifiable manner for the period required under the PDPL Regulations.
The Data Controller Representative and the Committee are responsible for ensuring that the Obligation to Inform is fulfilled for all Personal Data Processing processes and, if necessary, for obtaining and maintaining Explicit Consent. All department employees who process Personal Data are obliged to comply with the instructions of the Data Controller Representative and the Committee, the Policy and the PDPL Procedures attached to this Policy.
● Processing Personal Data Without Obtaining Explicit Consent
In cases where the PDPL Regulations provide for the processing of Personal Data without obtaining Explicit Consent (PDPL Article 5.2 and Article 6.3), the Company may process Personal Data without obtaining the Data Subject's Explicit Consent.
In cases where Personal Data is processed in this way, the Company processes Personal Data within the limits set by the PDPL Regulations. In this context:
● Personal Data may be processed by the Company without Explicit Consent for the protection of the life or physical integrity of the Data Subject and/or a person other than the Data Subject who is unable to express their consent due to actual impossibility or whose consent is not legally valid.
● If the conditions for the establishment, implementation, performance or termination of a contract are met, Personal Data relating to the parties to the contract may be processed by the Company without the Explicit Consent of the Data Subjects.
● Personal Data may be processed by the Company without the Explicit Consent of the Data Subjects if the processing of Personal Data is necessary for the Company to fulfill its legal obligations.
● Personal Data made public by the Data Subject may be processed by the Company without obtaining Explicit Consent.
● Personal Data may be processed by the Company without obtaining Explicit Consent if the processing of Personal Data is the only possible way to establish, exercise or protect a right.
● Personal Data may be processed by the Company without Explicit Consent if the processing of data is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
PROCESSING OF SPECIAL CATEGORY PERSONAL DATA
Data relating to individuals' race, ethnic origin, political opinions, philosophical beliefs, religious, denominational or other beliefs, dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, is special category personal data.
Special category personal data;
● Explicitly stipulated in laws,
● Necessary for the protection of the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, or for the protection of the life or physical integrity of another person (for example, processing of blood type data for the purpose of protecting the life of a person who is unable to express their consent due to unconsciousness),
● Relating to data made public by the relevant person and in accordance with the will to make it public (for example, processing of blood type and allergy information shared in a publicly accessible area for use in accordance with the purpose of use in emergencies),
● Necessary for the establishment, exercise or protection of a right (for example, storage of health data relating to a former employee for the purpose of exercising the right of defense in potential lawsuits after the termination of the employment relationship),
● Necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health services by persons or authorized institutions and organizations subject to confidentiality obligations (for example, data processed by the Ministry of Health, all health institutions and the Social Security Institution for these purposes),
● Necessary for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services and social assistance (for example, processing of health data for the purpose of fulfilling the employer's obligation to employ disabled persons in accordance with the Labor Law No. 4857),
● By foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, in accordance with their establishment purposes and the legislation to which they are subject, limited to their areas of activity and not to be disclosed to third parties; processing of special category personal data relating to their current or former members and persons with whom they are regularly in contact (for example, processing of personal data of persons who make donations to these organizations in connection with and limited to the areas of activity of these organizations)
may be processed without obtaining explicit consent from the data subject.
The Company, taking into account the established practice of the Personal Data Protection Board ("PDPB"), processes special category personal data by obtaining the explicit consent of the data subject only if none of the conditions listed above are met.
When processing Special Category Personal Data, the measures determined by the Board are taken.
In every case where the processing of Special Category Personal Data is required, the Data Controller Representative is informed by the relevant employee.
If it is not clear whether a data is Special Category Personal Data, the relevant department obtains an opinion from the Data Controller Representative.
DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
When the legitimate purpose for processing Personal Data ceases to exist, the relevant Personal Data is Deleted, Destroyed or Anonymized. The Data Controller Representative and the Committee monitor the situations where Personal Data needs to be Deleted, Destroyed or Anonymized.
The Data Controller Representative and the Committee are responsible for the operation of the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is established by the Data Controller Representative and the Committee.
The Company does not store personal data with the possibility of using it in the future.
TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES
The Company may transfer personal data to natural and legal persons under private law, shareholders, business partners, subsidiaries and affiliated companies, suppliers, community companies, authorized public institutions and organizations in accordance with the PDPL Regulations. The Company ensures that third parties to whom it transfers personal data also comply with this Policy. In this context, necessary protective provisions are added to the contracts concluded with third parties. The clause to be added to the contracts concluded with all third parties to whom personal data is transferred is obtained from the Data Controller Representative. Each employee is obliged to follow the process set out in this Policy in the event of personal data transfer. If the third party to whom personal data is to be transferred requests changes to the clause provided by the Data Controller Representative, the employee immediately informs the Data Controller Representative.
● Transfer of Personal Data to Third Parties Located in Turkey
Personal Data may be transferred by the Company to third parties located in Turkey, subject to obtaining the Explicit Consent of the Data Subject (PDPL Article 5.1 and Article 6.2) or in exceptional cases specified in PDPL Article 5.2 and Article 6.3, without obtaining Explicit Consent.
The Company employees and the Data Controller Representative are jointly and severally liable for ensuring that the transfer of Personal Data to third parties located in Turkey complies with the PDPL Regulations.
●Transfer to Third Parties Located Abroad
Personal Data may be transferred by the Company to third parties located abroad, subject to obtaining the Explicit Consent of the Data Subject (PDPL Article 5.1 and Article 6.2) or in exceptional cases specified in PDPL Article 5.2 and Article 6.3, without obtaining Explicit Consent.
In cases where Personal Data is transferred without obtaining Explicit Consent in accordance with the PDPL Regulations, the following conditions must also be met with respect to the foreign country to which it will be transferred:
The foreign country to which Personal Data is transferred must be classified by the Board as a country with adequate protection (the Company follows the Board's current list),
If the foreign country to which the transfer will take place is not on the Board's list of safe countries, the Company and the Data Controllers in the relevant country must obtain permission from the Board by providing a written undertaking that adequate protection will be provided.
The Company employees and the Data Controller Representative are jointly and severally liable for ensuring that the transfer of Personal Data to third parties located abroad complies with the PDPL Regulations.
THE COMPANY'S OBLIGATION TO INFORM
The Company informs Data Subjects in accordance with Article 10 of the PDPL before processing Personal Data. In this context, the Company fulfills the Obligation to Inform during the collection of Personal Data. The notification to be made to Data Subjects within the scope of the Obligation to Inform includes the following elements in order:
● Identity of the Data Controller and, if any, its representative,
● The purpose for which Personal Data will be processed,
● To whom and for what purpose the processed Personal Data may be transferred,
● The method and legal basis for collecting Personal Data,
● The rights of Data Subjects. 10.2. The Company provides the necessary information in accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the PDPL if the Data Subject requests information.
If requested by Data Subjects, the Company informs the Data Subject of the Personal Data it processes.
The employee and the Data Controller Representative who follow the relevant process are jointly and severally liable for ensuring that the necessary Obligation to Inform is fulfilled before the processing of Personal Data. In this context, the necessary PDPL Procedure is established by the Data Controller Representative and the Committee for the purpose of reporting each new processing process to the Data Controller Representative.
If the Data Processor is a third party other than the Company, the third party must undertake in writing that it will comply with the above-mentioned obligations before starting to process Personal Data. The clause to be added to the contracts in cases where third parties transfer Personal Data to the Company is obtained from the Data Controller Representative. Each employee is obliged to follow the process set out in this Policy in the event of personal data transfer from a third party to the Company. If the third party transferring Personal Data requests changes to the clause provided by the Data Controller Representative, the employee immediately informs the Data Controller Representative.
RIGHTS OF DATA SUBJECTS
The Company responds to the following requests of Data Subjects whose Personal Data it holds in accordance with the PDPL Regulations:
● Learning whether Personal Data is processed by the Company,
● Requesting information regarding the processing of Personal Data, if any,
● Learning the purpose of processing Personal Data and whether it is used in accordance with its purpose,
● Knowing the third parties to whom Personal Data is transferred domestically or abroad,
● Requesting the correction of Personal Data if it is incomplete or incorrect by the Company,
● Requesting the Deletion, Destruction or Anonymization of Personal Data by the Company if the reasons requiring the processing of Personal Data cease to exist, including the purpose, duration and legitimacy principles,
● Objecting to the outcome if the processed Personal Data is analyzed exclusively by automated systems, resulting in an outcome against the Data Subject,
● Requesting compensation for damages if Personal Data is processed unlawfully and the Data Subject suffers damages as a result.
Data Subjects can submit their requests in person by written application to the address Çifte Havuzlar, Mahallesi, YTÜ-Davutpaşa Kampüsü No:151 A1 Blok Esenler/İstanbul, or by e-mail to [email protected], or by notary, if they wish to exercise their rights and/or if they believe that the Company did not act in accordance with this Policy when processing Personal Data.
DATA MANAGEMENT AND SECURITY
The Company appoints a Data Controller Representative and establishes a Committee to fulfill its obligations under the PDPL Regulations, to ensure and supervise the implementation of the necessary PDPL Procedures for the implementation of this Policy, and to make suggestions regarding their operation.
All employees involved in the relevant process are jointly and severally liable for the protection of Personal Data in accordance with this Policy and the PDPL Procedures.
The Company monitors Personal Data processing activities with technical systems according to technological capabilities and implementation costs.
Personnel with knowledge of technical matters related to Personal Data processing activities are employed.
Company employees are informed and trained on the protection and lawful processing of Personal Data.
The necessary PDPL Procedure is established to provide access to Personal Data for employees who need to access it, and the Data Controller Representative and the Committee are jointly and severally liable for its establishment and implementation.
Company employees can access Personal Data only within the scope of the authority defined for them and in accordance with the relevant PDPL Procedure. Any access and processing beyond the employee's authority is unlawful and constitutes a valid reason for termination of the employment contract.
If the employee suspects that the security of Personal Data is not sufficiently ensured or detects such a security breach, they immediately inform the Data Controller Representative.
A detailed PDPL Procedure regarding the security of Personal Data is established by the Data Controller Representative and the Committee.
Each person assigned a Company device is responsible for the security of the devices assigned to their use.
Each Company employee or person working within the Company is responsible for the security of physical files within their area of responsibility.
In the event that security measures required or to be additionally required for the security of Personal Data within the scope of the PDPL Regulations, all employees are obliged to comply with additional security measures and ensure their continuity.
The Company establishes software and hardware, including virus protection systems and firewalls, in accordance with technological developments to ensure that Personal Data is stored in secure environments.
The Company uses backup programs and takes adequate security measures to prevent the loss or damage of Personal Data.
Documents containing Personal Data are protected by encrypted (encrypted) systems at the Company. In this context, Personal Data is not stored in common areas or on desktops. Files, folders, etc. containing Personal Data are not moved to the desktop or shared folders, information on Company computers is not transferred to another device such as a USB, etc. without the prior written approval of the Data Controller Representative, and is not taken outside the Company.
The Committee, together with the Board of Directors, is responsible for taking technical and administrative measures to protect all Personal Data within the Company, continuously monitoring developments and administrative activities, preparing the necessary PDPL Procedures and submitting them to the Board of Directors for approval, announcing them within the Company after approval, ensuring compliance and supervision. In this context, the Committee and the Data Controller Representative organize the necessary trainings to raise the awareness of employees.
If a department within the Company processes Special Category Personal Data, this department is informed by the Committee about the importance, security and confidentiality of the Personal Data they process, and the relevant department acts in accordance with the Committee's instructions. Access to Special Category Personal Data is granted only to a limited number of employees, and their list and tracking is done by the Committee.
All Personal Data processed within the Company is considered "Confidential Information" by the Company.
Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data will continue even after the termination of their employment relationship, and commitments have been obtained from Company employees to comply with these rules.
TRAINING
The Company provides its employees with the necessary training on the protection of Personal Data within the scope of the PDPL Regulations, as well as the Policy and the PDPL Procedures attached to it. Trainings specifically address the definitions and protection practices of Special Category Personal Data.
If a Company employee accesses Personal Data physically or in a computer environment, the Company provides training to the relevant employee on these accesses (for example, the computer program accessed).
SUPERVISION
The Company has the right to conduct regular and spontaneous audits at any time without prior notice, to ensure that all employees, departments and contractors of the Company act in accordance with this Policy and the PDPL Regulations, The Company performs necessary routine audits within this scope.
The Committee and the Data Controller Representative establish Data Protection Procedure for these audits, submit it to the Board of Directors for approval, and ensure the implementation of the said procedure.
VIOLATIONS
Each employee of the Company reports to the Committee any work, transaction or action that they believe is contrary to the procedures and principles specified in the PDPL Regulations and this Policy. In this context, the Committee, in accordance with this Policy and the PDPL Procedures, prepares an action plan for the relevant violation.
As a result of the notifications made, the Committee prepares a notification to be made to the Data Subject or the Board, taking into account the provisions of the applicable legislation, primarily the PDPL Regulations, regarding the violation. The Data Controller Representative conducts the correspondence and communication with the Authority.
We submit this to your attention.
Sincerely.