PERSONAL DATA PROCESSING AND PROTECTION POLICY

According to Article 20, Paragraph 3 of the Constitution of the Republic of Turkey, “Everyone has the right to demand the protection of personal data concerning him/her. This right includes being informed about personal data concerning him/her, accessing these data, requesting their correction or deletion, and learning whether they are used in accordance with their purposes. Personal data may only be processed in cases foreseen by law or with the explicit consent of the person…”

The right to the Protection of Personal Data has also taken its place as a fundamental human right in Article 8 of the European Union Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union.

Article 4 of the KVKK lists the basic principles that must be followed for the processing of personal data. The principles in question are taken into consideration within the scope of all personal data processing activities carried out by XXX (“COMPANY” or Company) and are meticulously implemented. The basic principles followed by the company in data processing processes are as follows:

Processing in Accordance with Law and the Rule of Honesty: While fulfilling its obligation to process and protect personal data, the “COMPANY” acts in accordance with the general principles of law and the rule of honesty.

Processing Personal Data Accurately and Up-to-Date: The “COMPANY” is aware that providing accurate and up-to-date information about individuals in personal data is of great importance for the protection of individuals’ rights. It shows the utmost care expected from it in order to ensure that the personal data being processed is accurate and up-to-date.

Processing Personal Data for Specific, Clear and Legitimate Purposes: The KVKK requires data processing activities to be carried out for specific, clear and legitimate purposes. The “COMPANY” also carries out personal data processing activities within the framework of this principle, for specific, clear and legitimate purposes required by its activities.

Limited and Moderate Processing Related to the Purpose of Processing: “COMPANY” processes personal data within the limits sufficient to achieve the purposes determined within the scope of the activities it carries out. “COMPANY” acts in accordance with the principle of being limited and moderate by avoiding processing unnecessary personal data.

Storage for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose of Processing: Personal data being processed by “COMPANY” is stored for the period until the conditions for processing personal data cease to exist. When the said purposes cease to exist, the storage of the relevant personal data by “COMPANY” will be terminated. The Company transparently informs all relevant parties with the necessary documents regarding all data processing processes.

INTRODUCTION
The Law on the Protection of Personal Data No. 6698 (KVKK/Law) was published in the Official Gazette dated April 7, 2016, with the aim of protecting the fundamental rights and freedoms of individuals, primarily the right to privacy, in the processing of personal data belonging to real persons and regulating the obligations of real and legal persons processing personal data and the procedures and principles to be followed.

1. PURPOSE OF THE POLICY
The XXX Personal Data Processing and Protection Policy (Policy) has been prepared with the aim of disciplining the processing of personal data to be processed during the activities carried out in accordance with the legislation and protecting the fundamental rights and freedoms, primarily the right to privacy, as stipulated in the Constitution. While preparing the “Policy”, it was determined as a basic principle to first determine which data the working units within the “COMPANY” organization collect, why they collect it and why they transfer this data to third parties and to understand the Company’s personal data processing procedure. In addition, this Policy aims to determine the administrative and technical measures to be taken within and outside the “COMPANY” organization to protect data privacy, to explain these measures and to inform and enlighten individuals whose data is processed.

2. SCOPE OF THE POLICY
The scope of the “Policy” includes all real persons whose data is processed directly or indirectly due to the activities of the “COMPANY”.
This “Policy” includes customized information on the data processed within the scope of the transactions and activities in the “COMPANY” organization, the categorization of the data, data recipient groups, the legal reason and method of data collection, third party groups to whom the data is transferred, data processing periods, and data destruction periods.


3. DEFINITIONS
Explicit Consent: Refers to consent based on information and expressed with free will regarding a specific subject.
Cookie: Small files saved on users' computers or mobile devices that help store preferences and other information on the web pages they visit.
Relevant User: Persons who process personal data within the data controller organization or in accordance with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.
Destruction: Deletion, destruction or anonymization of personal data.
Contact Person: The natural person notified by the data controller during registration in the Registry for communication to be established with the Institution regarding the obligations of legal entities resident in Turkey and the legal entity data controller representative not resident in Turkey within the scope of the Law and secondary regulations to be issued based on this Law.
(The contact person is not authorized to represent the Data Controller. As the name suggests, it is the person assigned to only “liaise” with the data controller and the relevant persons and the Institution.)
KVKK: Personal Data Protection Law No. 6698 dated March 24, 2016, published in the Official Gazette No. 29677 dated April 7, 2016.
Recording Environment: Any environment containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.
Personal Data: Any information related to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
Anonymizing Personal Data: Making personal data in no way associable with an identified or identifiable natural person, even by matching it with other data.
Deleting Personal Data: Making personal data inaccessible and unusable by any means for the Relevant Users.
Destruction of Personal Data: Making personal data inaccessible, irretrievable and non-reusable by anyone.
Board: Personal Data Protection Board.
Institution: Personal Data Protection Institution.
Special Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, foundation or union membership, health, sexual life, criminal conviction and security measures of individuals, as well as biometric and genetic data.
Periodic Destruction: The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals in the event that all conditions sought for processing personal data are eliminated.
Policy: The personal data processing and protection policy established by the Data Controller.
VERBİS: It is a registration system in which real and legal persons processing personal data must register before starting to process personal data and enter information on a categorical basis regarding the personal data they are processing.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System: A recording system where personal data is structured and processed according to certain criteria.
Data Owner/Relevant Person: A natural person whose personal data is processed.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

4. COMPANY KVKK STRUCTURE
The data controller is XXX for personal data processing activities within the scope of this Policy.
Within the framework of the KVKK compliance program, our Company has organized a separate organization regarding the protection of personal data processes in order to guarantee the continuity of compliance with the KVKK, carried out the work and transactions in accordance with this and provided the necessary equipment. Within this framework, a “Personal Data Protection Commission” has been established within our Company and a Contact Person has been assigned.

4.1. Personal Data Protection Commission
In order to demonstrate our determination to ensure sustainable compliance with personal data protection legislation and to ensure the effectiveness of our personal data protection system, a KVKK Commission has been established within our Company. The KVKK Commission Chair and the KVKK Commission members are determined by the Board of Directors and carry out their duties.

4.2. Contact Person
In order to fulfill the obligation to appoint a contact person as stipulated by the legislation, a contact person who has received the necessary training and has the competence sought in KVKK has been assigned. The primary responsibility of the contact person is to ensure communication between the Board and the relevant persons and the data controller, as stipulated by the legislation, and the contact person does not have the authority to represent the data controller. The contact person will also work to ensure that the KVKK Commission fulfills its duties and responsibilities. The Contact Person is a natural member of the KVKK Commission within our organization and calls the KVKK Commission to a meeting when necessary.

5. PURPOSES OF PROCESSING YOUR PERSONAL DATA, PERSONAL DATA WE PROCESS, COLLECTION METHODS AND LEGAL REASONS
i. Purposes of Processing
Your personal data will be used in accordance with the limits stipulated in the KVKK and to fulfill the purposes specified in the legislation regarding the “COMPANY”. The purposes of processing are as follows;
a. Fulfilling the obligations regarding xxx activities and auditing stipulated by the XXX Law,
b. Establishing rights arising from xxx activities within the scope of XXX Legislation,
c. Carrying out the necessary work by the relevant units for you to benefit from the services offered by our Company,
ç. Contacting you for the purpose of promoting our Company and its activities through the communication channels you have shared with us,
d. Providing personnel in the areas the company needs, fulfilling rights and obligations within the scope of legislation regulating business life, primarily the Labor Law No. 4857, the Occupational Health and Safety Law No. 6331 and the Social Insurance and General Health Insurance Law No. 5510,
e. Carrying out activities such as paying salaries, providing travel allowances, making revolving fund payments, etc. regarding personnel, conducting internal correspondence,
f. Providing information and documents to authorized public institutions and organizations and judicial authorities within the scope of the cases specified in the laws,
g. Ensuring the functionality of the organization and event management processes (seminars, conferences, meetings, training, symposiums, etc.) in the company and announcing them to the public, ensuring the continuity of the website and social media accounts with up-to-date data in order to ensure the company's public awareness and maintain its up-to-dateness, managing promotion and advertising processes,
ğ. Keeping archives in accordance with the procedures specified in the legislation in order to carry out storage and archive activities and to create annual unit activity reports,
h. Creation and tracking of visitor records,
ı. Ensuring the security of the building, personnel and visitors,
i. Anonymization of data and use in statistical activities for research purposes,
j. Receiving and responding to applications of relevant persons to be made within the scope of KVKK.

ii. Your Personal Data We Process
Identity Information: Your name, surname, Turkish Republic identity number, mother's name, father's name, place and date of birth, personnel registration number, nationality information and other information provided to the Company with your explicit consent.
Contact Information: Your residence address, workplace address, telephone number and e-mail address, KEP address and, if any, your mobile phone number, fax number or other communication channels that you have provided with your consent so that we can reach you.
Your Work and Education Information: Your identity information, information about your employment status, your contact information, information about your education status (“University graduate, master's degree graduate, physics department graduate”) and your past graduation information, information about the courses/seminars you attended, your certificate information and national or international exam results.
Your Financial Information: Bank name and branch information, bank account number information, IBAN number information obtained for the payment of salaries and fringe benefits, refund of excessive and undue payments, realization of payments to be made from the revolving fund, and making payments for assignments outside the Company.
Visual/Auditory Information: In conferences, seminars, theater shows, exhibitions, debates and similar events organized by the Company; static or streaming images and/or sounds of the venue and participants of the event for the purposes of promoting, announcing and popularizing the event, and visual/auditory information provided by cameras installed at the Company headquarters, branches and representative offices to ensure security. The visual/auditory information obtained in the said events may be used on the Company's website, on social media platforms used by the Company and in works printed by the Company, in a manner that will not exceed the Company's activities and is limited to the purpose of the event. Or, it may be sent to third parties (printing house, publisher, institution, organization, etc.) to be printed/published with the permission and under the control of the Company. This method of use will not cover security camera footage, and before the relevant visual/auditory personal data is used (for example; at the beginning of the event), participants will be informed separately and their explicit consent will be obtained.
Special Personal Data: Special personal data regarding health, criminal convictions and security measures are processed for disabled individuals who are employed within the Company in order to fulfill the employment obligations arising from the legislation and/or for whom security measures have been implemented.
Although the Company does not have any other direct special personal data processing purpose other than these purposes, your religion, appearance-dress, philosophical belief, political opinion and health data that may be obtained indirectly within the scope of the data obtained from the identity document, photographs or static/flowing images within the scope of the events that you have submitted to the Company (for example, clothing, devices and prosthetics that can be understood from the photograph) and other special information that you have voluntarily specified in a document provided by the Company.
iii. Methods of Collecting Your Personal Data
Your personal data is collected through the member registration form, registration/application forms filled out over the internet, receipt and expense documents, image and audio recording devices used in events, security camera recordings and the communication channels in question in case of sending personal data to the COMPANY official e-mail address bilgi@xxx.tr or any e-mail address belonging to the Company using the extension “@xxx.tr”, to the KEP address xxx@hs01.kep.tr or to the fax address +90 xxxx.
Personal data is also collected by physically sending a document, physically filling out a document provided by the Company, calling the lines +90 xxxx or other extension numbers belonging to the Company.
Your personal data is also collected automatically through cookies used on the https://www.xxx.tr/tr address and its extensions. The cookies in question are only necessary for the visitor to use the site at full efficiency and are used to remember the visitor's preferences and do not provide any other personal data. You can access our cookie policy at aaa.xxx.tr.
iv. Legal Reasons for Processing Personal Data
The KVKK lists the conditions for processing personal data in the second paragraph of its 5th article. If the purposes for which personal data is processed by a data controller can be assessed within the framework of the personal data processing conditions listed in the KVKK, that data controller can process personal data in accordance with the law. In this context, personal data processing activities are carried out by the Company in cases where the Company's activity can be assessed within the scope of the personal data processing conditions regulated in the KVKK. The Company does not engage in any personal data processing activities that do not fall within the scope of the personal data processing conditions.
The personal data processing conditions included in the KVKK are as follows:

• The explicit consent of the relevant person,
• It is clearly provided for in the laws,
• It is mandatory for the protection of the life or physical integrity of the person who is unable to express his/her consent due to a de facto impossibility or whose consent is not legally valid, or of another person,
• The processing of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or performance of a contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• It is made public by the data owner,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
The basic processing condition for special personal data is also explicit consent, and the Company does not fundamentally aim to process special personal data. However, your special personal data that we need to process due to our activities, or for which you have given your explicit consent, are also processed within the framework of the legislation in a measured manner.
The conditions listed in the KVKK for the processing of special personal data are as follows:
• The explicit consent of the relevant person,
• It is clearly foreseen in the laws, for special personal data other than health and sexual life.

Personal data related to health and sexual life can only be processed for:
• Protection of public health,
• Preventive medicine,
• Medical diagnosis,
• Execution of treatment and care services,
• Planning and management of health services and their financing,
by persons or authorized institutions and organizations under the obligation of confidentiality, without seeking the relevant person's explicit consent.

6. TRANSFER OF PERSONAL DATA
Domestic transfer: As is known, in accordance with Article 8/2-a and b of the KVKK, personal data can be transferred domestically without obtaining explicit consent if it is processed within the scope of Article 5/2 and 6/3 of the KVKK. The transfer is made to third parties by the “COMPANY” in accordance with the relevant provisions, and if it does not fall within the scope of the said provisions, the explicit consent of the relevant persons is sought.
Transfer abroad: As a rule, the “COMPANY” does not make any overseas transfers. However, it is possible that the data and documents processed by the “COMPANY” are kept on computers located outside the Company, e-mails are sent and records are accessed from the said computers, and the systems and/or e-mail providers where this data is kept and transferred are located abroad. In addition, especially in overseas organizations, event arrangements, hotel accommodations, obtaining visas, purchasing airline tickets, conducting and planning overseas events, it may be necessary to transfer personal data abroad. In this case, the transfer will be made in accordance with the provisions of Article 9 of the KVKK.
Your personal data is shared with authorized public institutions and organizations, judicial authorities, enforcement authorities, security units, and suppliers, business partners and shareholders from whom contracted products and/or services are purchased, for the purposes specified in this Policy and through the means provided herein. The table showing the parties with whom the data is shared is below:

| Persons to Whom Data Can Be Transferred | Definition | Purpose |
|---|---|---|
| Business Partner | Parties with whom the company establishes a business partnership while conducting its commercial activities | Sharing of personal data limited to the purpose of ensuring that the purposes for which the business partnership was established are fulfilled |
| Shareholders | Shareholders authorized to design strategies and audit activities related to the company's commercial activities in accordance with the provisions of the relevant legislation | Sharing of personal data limited to the purpose of designing strategies and auditing activities related to the company's commercial activities |
| Company Authorities | Members of the board of directors and other authorized persons | Sharing of personal data limited to the design of strategies for the company's commercial activities, ensuring its highest level of management and auditing purposes |
| Legally Authorized Private Law Persons | Private law persons legally authorized to receive information and documents from the company | Sharing of data limited to the purpose requested by the relevant private law persons within their legal authority |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations legally authorized to receive information and documents from the company | Sharing of personal data limited to the purpose requested by the relevant public institutions and organizations |


7. RIGHTS OF THE RELEVANT PERSON
Within the scope of the KVKK, as the relevant person you have the right:
• To learn whether your Personal Data has been processed,
• To request information if your Personal Data has been processed,
• To learn the purpose of processing your Personal Data and whether they are used in accordance with their purpose,
• To know the third parties to whom your Personal Data has been transferred domestically or abroad,
• To request correction of your Personal Data if they are processed incompletely or incorrectly,
• To request the deletion or destruction of your Personal Data within the framework of the conditions stipulated in the KVKK legislation,
• To request that the operations regarding the destruction or correction of your Personal Data be notified to the third parties to whom the data has been transferred,
• To object to the emergence of a result against you by exclusively analyzing the processed data through automated systems,
• To request compensation for the damages you suffer due to the unlawful processing of your Personal Data.

How Can You Exercise Your Rights?
Data owners can submit requests regarding the rights listed above to our Company by filling out the application form published on www.xxx.com or obtained from the “COMPANY” center and using the following methods.
In the application procedure, the “COMPANY” carries out its transactions within the scope of the Communiqué on the Procedures and Principles of Application to the Data Controller. In this context, the application must be made in accordance with Article 5 of the said communiqué.

The form must be filled in completely and submitted by one of the following methods:
• By personally presenting a signed copy of the Application Form, together with a document that will provide identification, at XXX Address,
• By sending a signed copy of the fully completed Application Form, together with a document that will provide identification, to XXX Address via a notary,
• By signing the Application Form with the “secure electronic signature” defined in the Electronic Signature Law No. 5070 and sending it to kvkk@xxx.com.tr,
• By sending it to xxx@hs1.kep.tr via KEP from the Registered Electronic Mail (KEP) account,
• By filling out and signing this application form, scanning the signed form and uploading it to the computer, and sending it to kvkk@xxx.com.tr by e-mail (if this method is preferred, a document that will provide identification must also be attached to the e-mail),
• Or by other methods to be determined by the Board.

The application must include:
• Name, surname and signature,
• Turkish Republic identity number for citizens of the Republic of Turkey; nationality, passport number or identity number, if any, for foreigners,
• Residence or workplace address for notification,
• Email address, telephone and fax number for notification, if any,
• The subject of the request.
Information and documents related to the subject must be attached to the application.
In written applications, the date the document is notified to the data controller or its representative is the application date.
In applications made by other methods, the date the application reaches the data controller is the application date.
“COMPANY” will finalize the requests of the relevant persons regarding their rights listed above, which will be conveyed in writing or by other methods to be determined by the Board, as soon as possible and within thirty days at the latest after the date of transmission. Data owners’ applications may be charged within the scope of the tariffs published by the Board. In accordance with Article 7 of the relevant Communiqué, if the application of the relevant person is to be answered in writing, no fee will be charged for up to ten pages. A processing fee of 1 Turkish Lira may be charged for each page over ten pages. If the answer to the application is given on a recording medium such as a CD or flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium.
In order to respond to applications made by data owners, the “COMPANY” may request additional information and documents to verify the identity of the applicant, prevent the unlawful transmission of another person’s personal data to unrelated persons, and clarify the applicant’s request. If the information and documents in question are not shared, the data owner’s application may not be answered.
It is of great importance to confirm that the application was made by the “identity owner” and/or authorized person. Likewise, while the aim is to protect personal data, providing personal data to third parties due to failure to verify identity and performing transactions within the scope of the rights explained in Article 11 of the KVKK will harm the interests of the relevant person that need to be protected. For this reason, we hope that you will understand our sensitivity regarding identity verification processes and assist our Company.
“COMPANY” finalizes the requests as soon as possible and within 30 days at the latest. The evaluation result is notified to the relevant person in writing or electronically, and if the request is accepted, the necessary action is taken in accordance with the KVKK.
In cases where the applications of the relevant persons are rejected, the response is found insufficient or the application is not responded to in a timely manner, the relevant person may file a complaint with the Personal Data Protection Board within 30 days from the date on which the response is learned, in accordance with Article 14 of the KVKK.

8. LEGAL EXCEPTIONS IN THE PROCESSING OF PERSONAL DATA AND SPECIAL NATURED PERSONAL DATA AND EXPLICIT CONSENT EXPLANATION
It is desired that the “COMPANY” adopt the method of applying for the “explicit consent” of the relevant persons as a principle. Considering the processing purposes and conditions specified in this Policy, there is no need to obtain the consent of the relevant persons in terms of data processing conditions that fall within the scope of legal exceptions.
However, this situation should not be interpreted as the “COMPANY” not benefiting from the exception provisions under any circumstances and/or choosing to obtain explicit consent in all cases.

9. INFORMATION REGARDING PROCESSING OF PERSONAL DATA
9.1. Channels Where Personal Data Is Obtained
Our company obtains personal data primarily through the following channels:
• Organization, Event, Conference Participant-Guest,
• Employee Personal File Documents,
• Camera Recordings,
• SMS/E-Mail, Telephone,
• Website, Applications, Cookies and Similar Tracking Technologies,
• Fax,
• Mail, Cargo or Courier Services,
• Location Tracking Device,
• Fingerprint Reader,
• Other Physical and Electronic Environments.
Depending on technological developments, the “COMPANY” may add new channels to the personal data acquisition channels above or abandon the use of some of the existing channels. In such cases, in order to maintain transparency and accountability, the channels used will be correctly stated by updating the Policy.

9.2. Classification of Personal Data
Categorizing personal data is extremely important to ensure compliance with the legislation. Our legislation basically collects personal data under two categories as personal data and special personal data. We have categorized the categories in question according to data types.
The categories of personal data and special personal data of the “COMPANY” are shared in the table below:

| Personal Data Category | Description |
|---|---|
| Communication Data | All personal data that can be used for communication purposes with individuals will be evaluated under this category. (address no, e-mail address, contact address, registered electronic mail address (KEP), telephone number) |
| Special Personal Data | Race-Ethnic Origin, Health, Biometric Data, Criminal Conviction-Security Measures, Religion-Sect, Philosophical Belief, Union, Foundation, Association Memberships, Dress Code |


9.3. Classification of Related Persons
The classification of “COMPANY” regarding related persons is shown in the table below:

| Classes of Related Persons | Description |
|---|---|
| Customer | Represents real persons who benefit from the products and services offered by the Company. |
| Employee Candidate | Represents real persons who send a CV to the Company or apply for a job through other methods. |
| Third Parties | Represents real persons excluding the data subject categories listed above and the employees of the Company. |


10. STORAGE AND DESTRUCTION OF PERSONAL DATA
“COMPANY” stores the personal data of the data owners whose personal data it processes in electronic and physical environments by taking the necessary technical and administrative security measures.
“COMPANY”’s personal data storage period is calculated by taking into account the periods specified in the relevant legislation.
When the purposes for processing personal data come to an end and the processing conditions stipulated in the KVKK therefore no longer exist, the personal data will be destroyed by the “COMPANY”. Destruction is carried out ex officio in 6-month periods in accordance with the provisions of the relevant legislation, or upon requests from data owners that are found appropriate. In accordance with the legislation, the “COMPANY” will fulfill the relevant person’s requests for deletion and/or destruction within 30 days at the latest, unless another period is stipulated in the legislation, and inform the relevant person.
The minutes regarding the destruction of personal data will be kept by the “COMPANY” for a period of 3 years. The periods stipulated in special legislations are reserved, and in case the periods herein change due to changes made in the KVKK and relevant legislation, the current periods in question will be applied.
“COMPANY” uses deletion, anonymization or destruction techniques.
The processes regarding destruction are carried out and decided by the KVKK Commission.

11. OBLIGATION TO INFORM
In accordance with Article 10 of the KVKK, the “COMPANY” shall fulfill the obligation to inform stated in the KVKK by providing the following information to the relevant data owners during the collection of personal data:
• The identity of the data controller and its representative, if any,
• The purpose for which the personal data will be processed,
• To whom and for what purpose the processed personal data may be transferred,
• The method and legal reason for collecting personal data,
• Other rights listed in Article 11.
In order to fulfill its obligation to inform while carrying out its activities, the “COMPANY” prepares appropriate information texts and presents them to the relevant persons.

12. MEASURES REGARDING THE SECURITY OF PERSONAL DATA
The “COMPANY”, with the awareness of the responsibility of being a well-established company, shows all necessary reasonable care and attention regarding ensuring the confidentiality and security of the personal data it processes. In addition to the requirements of the relevant legislation, the “COMPANY” takes the necessary technical and administrative measures to ensure data confidentiality and security within the framework of Article 12 of the KVKK at a reasonable level. The aim of the said administrative and technical security measures is to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to preserve personal data at an appropriate security level.
In the event that personal data is processed by another real or legal person (data processor) on its behalf, the “COMPANY” will take the necessary measures to ensure that the above-mentioned measures are also taken by the relevant data processors.
In the event that personal data is unlawfully obtained by third parties, the “COMPANY” will notify the data owners, the Board and other relevant public institutions and organizations in accordance with the provisions of the relevant legislation.
While taking measures regarding the security of personal data, the Personal Data Security Guide (Technical and Administrative Measures) published by the Board and the Board decisions are taken into consideration.

Administrative Measures
• Establishing and operating an information security management system within the company,
• Signing commitments and confidentiality agreements with company personnel and relevant parties,
• Conducting risk analyses on business processes,
• Creating personal data inventories,
• Operating information security policies and procedures,
• Organizing and evaluating training on information security and personal data processing activities,
• Ensuring that computers and similar tools and equipment are used only by authorized persons, in order to prevent unauthorized access to them,
• Reviewing the activities with internal or independent audits.

Technical Measures
• Necessary measures are taken by revealing the risks, threats, weaknesses and vulnerabilities, if any, regarding the Company's information systems through penetration tests.
• As a result of real-time analyses with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
• Access to information systems and authorization of users are carried out through security policies via the access and authorization matrix and the corporate active directory.
• When software changes and/or updates are to be made on systems, trials are carried out in the test environment, if any, security gaps are detected and necessary measures are taken, and the final state of the change to be made is given after these processes. (It is mentioned in the decision, it must be done.)
• Necessary measures are taken for the physical security of the company's information systems equipment, software and data.
• In order to ensure information systems security against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, ensuring the physical security of the side switches that form the area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, systems that prevent malware, etc.) measures are taken.
• Risks to prevent unlawful processing of personal data are determined, technical measures appropriate to these risks are taken and technical controls are carried out regarding the measures taken.
• Access procedures are established within the Company and reporting and analysis studies are carried out regarding access to personal data.
• The Company takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
• In the event that personal data is obtained by others unlawfully, the Company has carried out appropriate preparations to notify the relevant person and the Board.
• Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up-to-date.
• Strong passwords are used in electronic environments where personal data is processed.
• Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
• Data backup programs are used to ensure the secure storage of personal data.
• Access to personal data stored in electronic or non-electronic environments is restricted according to access principles.
• Access to the company's website is encrypted with the SHA 256 Bit RSA algorithm using a secure protocol (HTTPS).
• A separate policy has been determined for the security of sensitive personal data. (To be written separately below)
• Training has been provided on the security of sensitive personal data for employees involved in sensitive personal data processing processes, confidentiality agreements have been made, and the authorizations of users with access to the data have been defined.
• Electronic environments where sensitive personal data is processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, necessary security tests are regularly performed and test results are recorded.
• Adequate security measures are taken for physical environments where sensitive personal data is processed, stored and/or accessed, physical security is ensured and unauthorized entry and exit are prevented.
• If sensitive personal data needs to be transferred via e-mail, it is transferred encrypted using a corporate e-mail address or KEP account. If it needs to be transferred via portable memory, CD, DVD, it is encrypted using cryptographic methods and the cryptographic key is kept in a different environment.
• If the transfer is made between servers in different physical environments, VPN is established between the servers or data transfer is carried out using the sFTP method.
• If it needs to be transferred via paper, necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document and the document is sent in a “confidential” format.

13. STORAGE OF RECORDS RELATED TO INTERNET SERVICES PROVIDED IN THE COMMON AREA
In order to ensure security and for the purposes specified in this Policy, the “COMPANY” may provide internet access to visitors who request it during their stay at the “COMPANY” premises. In order to provide this access, visitors are requested to provide their name, surname and TR ID number information. In addition, log records regarding internet access are recorded in accordance with the mandatory provisions of Law No. 5651 and the legislation regulated pursuant to this Law; these records are processed only upon request by authorized public institutions and organizations or in order to fulfill the relevant legal obligation in the audit processes to be carried out within the “COMPANY”.
Company employees who have access to the aforementioned records access these records only for use in requests from authorized public institutions and organizations or in audit processes and transfer them to legally authorized persons. The obligation to inform is fulfilled before the relevant processing activity.

14. PROCESSING OF PERSONAL DATA COLLECTED THROUGH COOKIES
Our company uses cookies to improve the operation and use of our web pages or mobile applications and tries to make the time you spend on our digital platforms more productive and enjoyable.
We also use some cookies to remember the preferences you make on our web sites and mobile applications, thus providing you with an improved and personalized experience according to your preferences. Your personal data is processed and transferred through cookies on our digital platforms.
Our company takes the necessary technical and administrative measures to ensure the security of personal data collected through cookies in accordance with Article 12 of the KVKK.
For detailed information, you can access our cookie policy by using the www.sirket.com link.

15. TRAINING AND SUPERVISION OF EMPLOYEES AND DATA PROCESSORS ON KVKK
The company provides its employees with the necessary awareness training in order to fulfill the obligations stipulated by the legislation within the scope of personal data protection law and to protect the rights of the relevant person. It is ensured that new employees who join the company also receive this training. Professional support is received in both internal and external training and supervision processes.
The company also carefully selects its data processors, presents the compliance of data processors with KVKK as a condition of its business processes and periodically inquires about the KVKK compliance status of data processors. In this context, the company signs the necessary contracts and commitments with data processors, monitors their implementation and terminates its contractual relationship with data processors that do not meet the conditions.

16. DATA CONTROLLER IDENTITY

Information regarding the identity of the data controller for all personal data processing activities within the scope of this policy is provided below.
Data Controller: COMPANY
Address:
Phone:
KEP:
Internet Site:


17. ENFORCEMENT
This Policy, prepared by the Company, entered into force on … and was presented to the public. In case of conflict between the current legislation, primarily the Law, and the regulations included in this Policy, the provisions of the legislation shall apply. The Company reserves the right to make changes to the Policy in line with legal regulations. You can access the current version of the Policy at the internet address (www.imajmetal.com.tr).