POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA UNDER THE LAW NO 6698
Chapter 1. Purpose and Enforcement of the Policy
The Law on Protection of Personal Data No. 6698 (“Law”) entered into force on 7 April 2016. The Law establishes the procedures and principles for the processing of personal data by real or legal persons who are classified as “data controllers”, that is, who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data logging system.
Under the Law, personal data is defined as “any information relating to a specific or identifiable real person”; processing is defined as “obtaining, recording, storing, preserving, maintaining, modifying, reorganizing, disclosing, transferring, taking over, making available or classifying personal data, or preventing it from being used, or any other action on the data, whether by completely or partially automatic means or by non-automatic means as part of a data logging system”.
The Law, among other provisions, imposes an obligation on data controllers to inform the data owners whose personal data will be processed, at the time the personal data is acquired. According to Article 10 of the Law, data controllers:
• Should inform them of the identity of the data controller and its representative, if any,
• Should inform them of the purpose for which personal data will be processed,
• Should inform them to whom and for what purpose the processed personal data can be transferred,
• Should inform them of the method and legal reason for collecting personal data,
• Should inform them about the other rights listed in Article 11 of the Law.
This document (“KVKK Policy”) has been written to inform the real persons whose personal data our COMPANY processes as the data controller, within the scope of the above-mentioned article. This Policy covers our COMPANY's officials and employees, our customers, our business partners, and suppliers' shareholders, officials and employees, our employee candidates, former employees and interns, people who have retired from our COMPANY, our visitors, business partner and supplier candidates, and other third parties. Matters regarding the processing of personal data of our employees are regulated in a separate policy text presented to the employees in accordance with the Law.
Chapter 2. Scope of the Law and Our COMPANY's Rights and Obligations arising from the Law
I. General Principles Regarding the Processing of Personal Data
Pursuant to Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, apart from the obligation to inform stated in Chapter 1 above, data controllers are obliged to comply with the following general principles regarding the processing of personal data:
• Compliance with the law and the rules of honesty.
• Being accurate and up-to-date when needed.
• Processing for specific, explicit, and legitimate purposes.
• Being relevant, limited, and proportionate to the purpose for which they are processed.
• To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
II. Purposes of Personal Data Processing and Sharing Under the Law
a. Purposes Regarding the Processing of Personal Data
Under the Law, as a rule, personal data cannot be processed without the express consent of the data owner. However, in Articles 5 and 6 the Law identifies a number of situations in which personal data and special categories of personal data can be processed without explicit consent.
Pursuant to Article 5, personal data may be processed even if the prior explicit consent of the data owner is not obtained (provided that the data owner has been duly informed) in the following cases:
• Data processing is clearly envisaged in the law,
• It is necessary to process the relevant data in order to protect the life or bodily integrity of the person or of anyone else, where the person is unable to express his or her consent due to actual impossibility or his or her consent is not legally valid,
• It is necessary to process the personal data of the parties to a contract, provided that the processing is directly related to the establishment or performance of the contract,
• Data processing is mandatory for the data controller to fulfill its legal obligations,
• The personal data has been made public by the person concerned,
• Data processing is mandatory for the establishment, exercise, or protection of a right,
• Data processing is required for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
On the other hand, the Law defines data on people's race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, attire and clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data as “special quality” or “sensitive” personal data and sets stricter conditions for processing them. Accordingly, except in cases where express consent is obtained from the data owner, special categories of personal data can only be processed under the following conditions:
• Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, attire and clothing, membership of associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data of individuals may be processed in the cases stipulated by the laws.
• Personal data on health and sexual life may only be processed by persons or authorized institutions under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.
b. Purposes of Sharing Personal Data
As with data processing, the sharing (transfer) of personal data with a third party is subject to the express consent of the relevant data owner. However, according to Article 8 of the Law, data transfer can also be carried out under the conditions in which data processing is allowed; accordingly, where the conditions specified in Section 2.II.a above are present, personal data or special quality personal data can be transferred even without the consent of the data owner.
Regarding the transfer of personal data to third parties, the Law makes transfer abroad subject to special conditions. Accordingly, personal data can be transferred abroad, subject to the appropriate conditions:
• In case of explicit consent of the data subject, or,
• In cases where there is no explicit consent of the data owner, but one or more of the other conditions mentioned above are met: if there is sufficient protection in the country to which the data is transferred; or, if there is not sufficient protection in that country, provided that the data controller and the data controller in the relevant foreign country give a written undertaking and the permission of the Personal Data Protection Board is obtained.
III. Circumstances Outside the Scope of the Law
In accordance with Article 28 of the Law, the Law will not be applied in the following cases:
• Processing of personal data by real persons in the context of activities relating to themselves or to family members living in the same residence, provided that the data is not given to third parties and that the obligations regarding data security are complied with.
• Processing of personal data for purposes such as research, planning, and statistics by anonymizing them through official statistics.
• Processing personal data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy, or personal rights or constitute a crime,
• Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
• Processing of personal data by judicial authorities or execution authorities in relation to the investigation, prosecution, trial, or execution proceedings.
Chapter 3. Processing Personal Data by OUR COMPANY
I. Categorization of Personal Data Processed by OUR COMPANY
Personal data is processed by OUR COMPANY under the categories defined below:
| Data Category | Personal Data Category Description |
|---|---|
| Identity Information | Information contained in documents such as a driver's license, identity card, residence document, passport, attorney's license or marriage certificate (e.g. TCKN, passport no., ID card serial no., first name, last name, photo, place of birth, date of birth, age, place of population registration, identity register copy) |
| Communication Information | Information used to communicate with the person (e.g. email address, phone number, mobile phone number, address) |
| Location Data | Data that identifies the location of the data owner (e.g. location data obtained during vehicle use) |
| Customer Information | Information on customers who benefit from our products and services (e.g. customer number, occupation information, etc.) |
| Customer Transaction Information | Information on any transaction performed by customers who benefit from our products and services (e.g. requests and instructions, order and basket information, etc.) |
| Physical Location Safety Information | Personal data regarding the records and documents taken on entry to the physical space and during the stay in the physical space (e.g. entry-exit logs, visit information, camera recordings, etc.) |
| Transaction Security Information | Personal data processed in order to ensure the technical, administrative, legal, and commercial security of our COMPANY and the related parties (e.g. information such as a website password and code that allows a transaction to be matched with the personal data owner and shows that the person is authorized to perform that transaction) |
| Risk Management Information | Personal data processed in order to manage the commercial, technical and administrative risks of our COMPANY (e.g. records such as IP address, MAC ID, etc.) |
| Financial Information | Personal data within the scope of information, documents, and records showing all kinds of financial results created according to the type of current legal relationship with the personal data owner (e.g. information showing the financial result of the transactions made by the data owner, loan amount, card information, loan payments, interest amount and rate to be paid, debit balance, credit balance, etc.) |
| Personal Information | Personal data that is the basis for the personal rights of the employees of our COMPANY (all kinds of information and documents that are legally required to be entered in the personnel file) |
| Employee Candidate Information | Personal data of data owners who share their information in order to apply for a job with our COMPANY, used in the application evaluation process (e.g. CV, interview notes, personality test results, etc.) |
| Employee Process Information | Personal data related to all kinds of work-related transactions carried out by our COMPANY employees (e.g. entry-exit records, business trips, information about meetings attended, security inquiries, e-mail traffic monitoring information, vehicle usage information, company card spending information) |
| Employee Performance and Career Development Information | Personal data processed for the purpose of measuring the performance of our COMPANY employees and planning and carrying out their career development within the scope of human resources policies (e.g. performance evaluation reports, interview results, career development trainings) |
| Fringe Benefits and Interests Information | Personal data processed to follow up on the fringe benefits and interests offered to our COMPANY employees and to enable supplier employees to benefit from them (e.g. private health insurance, vehicle allocation) |
| Marketing Information | Data to be used by OUR COMPANY in marketing activities (e.g. reports and evaluations showing the habits and tastes of the person collected for marketing purposes, targeting information, cookie records, data enrichment activities) |
| Legal Process and Compliance Information | Personal data processed for the purpose of determining and monitoring legal receivables and rights and performing debts and legal obligations (e.g. data contained in documents such as court and administrative authority decisions) |
| Audit and Inspection Information | Personal data processed within the scope of our COMPANY's compliance with its legal obligations and policies (e.g. audit and inspection reports, relevant interview records, and similar records) |
| Special Qualified Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and apparel, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
| Request/Complaint Management Information | Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to OUR COMPANY (e.g. requests and complaints, records and reports related to them) |
| Visual and Audio Data | Audio-visual recordings (e.g. photographs, camera recordings, and audio recordings) associated with the personal data subject |
II. Purposes of Processing Personal Data by OUR COMPANY
OUR COMPANY processes personal data within the scope specified above for the following purposes:
• Planning, monitoring, and processing of information security processes
• Building and managing the information technology infrastructure
• Planning and execution of fringe benefits and interests for employees
• Planning and/or execution of corporate communication for employees and/or corporate social responsibility and/or non-governmental organizations activities in which employees participate
• Monitoring and/or supervision of employees' business activities
• Follow-up of finance and/or accounting
• Follow-up of legal affairs
• Planning of human resources processes
• Planning and/or execution of effectiveness/efficiency and/or relevance analyses of its activities
• Planning and execution of activities
• Planning and execution of information access authorizations of business partners and/or suppliers
• Management of relations with business partners and/or suppliers
• Planning and/or execution of occupational health and/or safety processes
• Planning and/or execution of business continuity activities
• Planning and execution of corporate communication activities
• Planning and execution of corporate governance activities
• Planning and execution of logistics activities
• Planning and execution of customer relationship management processes
• Planning and/or execution of customer satisfaction activities
• Follow-up of customer requests and/or complaints
• Execution of personnel procurement processes
• Fulfilment of obligations arising from employment contracts and/or legislation for the employees of our COMPANY
• Planning and execution of audit activities of our COMPANY
• Planning and execution of training activities abroad
• Planning and execution of the necessary operational activities to ensure that our COMPANY's activities and procedures and/or their execution are in accordance with the relevant legislation
• Planning and/or execution of training activities within our COMPANY
• Planning and execution of orientation activities within our COMPANY
• Ensuring the security of our COMPANY's field of activity and/or facilities
• Planning and/or execution of the processes of creating and/or increasing loyalty to the services offered by OUR COMPANY
• Follow-up of contract processes and/or legal requests
• Execution of strategic planning activities
• Planning and execution of supply chain management processes
• Compensation Management
• Ensuring data is accurate and up-to-date
• Giving information to authorized institutions based on legislation
• Creating and tracking visitor records
III. Transfer of Personal Data by OUR COMPANY and Categorization of the Parties to Whom Data Is Transferred
Personal data will be transferred by OUR COMPANY to our authorities, affiliates, business partners, suppliers, legally authorized public institutions and organizations, and private institutions for the above-mentioned purposes.
IV. Procedure of Processing Personal Data by OUR COMPANY
OUR COMPANY, as a data controller, informs the data owners in line with Article 10 of the Law before obtaining their personal data, within the scope of the obligations arising from the Law. If any data processing process carried out by OUR COMPANY does not meet the conditions specified in the Law and detailed in Section 2.II.a and b above, explicit consent is obtained from the data owners and the related processes are carried out within the framework of that explicit consent.
Under the Law, explicit consent is defined as “consent based on a specific matter, informed and disclosed by free will”; therefore OUR COMPANY obtains explicit consent from data owners after informing them in accordance with Article 10 of the Law.
Although no period has been determined for the storage of personal data within the scope of the law, it is essential to keep personal data for as long as required by the relevant legislation or for the purpose for which they are processed, in accordance with general principles. OUR COMPANY makes an evaluation based on the legislation in force regarding each data processing process and the purpose of the process, in order to determine the retention periods in accordance with the said principle. Accordingly, OUR COMPANY keeps personal data at least for the period required by its legal obligations and in any case, until the relevant statute of limitations expires.
OUR COMPANY anonymizes, deletes, or destroys personal data in accordance with the Law when the purpose of processing the relevant personal data ceases to exist within the scope of any process, including on expiration of the aforementioned periods. Under the Law, anonymization is defined as “making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching them with other data”. Our COMPANY's anonymization activities are carried out in accordance with the current legislation.
V. Security of Personal Data
In order to ensure the security of personal data, OUR COMPANY takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion, or damage to data. In this context, at least the following actions are taken by us:
• Taking software and hardware security measures appropriate to the processed personal data
• Implementing the controls stipulated under the Law
• Ensuring compliance of employees with the Law through internal training and procedures
• Granting and recording access to information on a need basis through internal authorizations
• Following up personal data processing activities on a process basis
• Acquiring contractual commitments to protect and ensure the safety of personal data in relationships with suppliers
Chapter 4. Legal Rights of Data Owners
I. The Rights of Data Owners
According to Article 11 of the Law, the owner of personal data has the following rights:
• Learning whether personal data about himself/herself is processed,
• If personal data about him/her has been processed, requesting information about it,
• Learning the purpose of processing personal data and whether they are used in accordance with that purpose,
• Knowing the third parties to whom personal data is transferred domestically or abroad,
• Requesting correction of personal data in case of incomplete or incorrect processing,
• Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the Law and other relevant laws,
• Requesting notification of the transactions made as a result of rectification, deletion, and destruction requests to third parties to whom personal data has been transferred,
• Objecting to the emergence of a result against the person himself/herself through analysis of the processed data exclusively by automated systems,
• Demanding compensation for damage suffered due to unlawful processing of personal data.
Paragraph 2 of Article 28 of the Law regulates that in certain circumstances, the data owner cannot make a claim from the data controller other than the compensation of damages. Accordingly, the above-mentioned rights cannot be exercised for the relevant data in the following cases:
• Personal data processing is necessary for the prevention of crime or for criminal investigation,
• Personal data made public by the person concerned is processed,
• Personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations in the nature of a public institution, based on the authority given by the law,
• Personal data processing is necessary for the protection of the economic and financial interests of the State with regard to budget, tax, and financial matters.
II. Use of Rights
Data owners will be able to use the Application Form to use the rights mentioned above.
Applications must be made with a wet-signed copy of the form, together with the documents establishing the identity of the relevant data owner, delivered by hand, through a notary public, or by the other methods specified in the Law to the address –ŞİRKETİMİZ YILMAZLAR MAKİNA VE OTOM ULAŞ. TAR. SANVE TİC.LTD. ŞTİ. Organize Sanayi Bölgesi/Odunpazarı 24. Caddesi No:2, 26100 Organize Sanayi Bölgesi/Eskişehir Turkey–, or sent to email@example.com from the e-mail address previously notified to our COMPANY and registered in our COMPANY system. If a method other than the aforementioned methods is foreseen by the Personal Data Protection Board, applications can also be submitted by that method.
Data owner requests submitted by one of the methods mentioned above are evaluated and answered by OUR COMPANY within a maximum of thirty days. OUR COMPANY reserves the right to request additional information and documentation from the applicant, especially in order to assess whether the applicant is the owner of the relevant data.
As a rule, data owner applications are evaluated free of charge by OUR COMPANY. However, if a fee has been set by the Personal Data Protection Board regarding the request of the data owner, our COMPANY will be entitled to request payment at this rate.