POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
SECTION 1: GENERAL INFORMATION ON THE POLICY
1. Introduction
As Özak Yenigün Ziylan Adi Ortaklığı (the “Company”), acting in the
capacity of the "Data Controller" within the scope of the Law no. 6698 on
the Protection of Personal Data (the “Law”), our priority is that the
personal data of the natural persons associated with our Company,
including without limitation our customers, potential customers,
suppliers, visitors, website users, company shareholders, and officials,
the employees, shareholders, and officials of the institutions that we
collaborate with, and our employees and prospective employees, are
processed in compliance with the Law and secondary legislation, and that
the relevant persons, as the personal data owners, can exercise their
rights efficiently. During
the performance of our operations, we carry out procedures relating to
processing, storage, and transfer of personal data of all personal data
owners associated with our Company in line with this Policy on the
Protection and Processing of Personal Data (the “Policy”)
thereof. The essential principle of this Policy and our Company relating to
processing of personal data is to protect such personal data and the
fundamental rights and liberties of natural persons whose personal data are
collected as well as taking all necessary administrative and technical
measures/actions in order to protect such personal data.
2. Objective of the Policy
The primary objective of this Policy is to set out the methods to be
followed with regards to processing, storage, transfer, and deletion, or
anonymization of personal data transferred to us by personal data owners
during our business, social responsibility, and similar activities by our
Company acting in the capacity of the "data controller" under the Law
within the framework of the principles as provided in the Law thereof.
Within this scope, we aim to ensure transparency by providing necessary
information to personal data owners, including, in particular, our
customers, potential customers, prospective employees, company
shareholders, company officials, visitors as well as the employees,
shareholders, and officials of institutions that we collaborate with and
other third parties, whose personal data are processed by Özak Yenigün
Ziylan Adi Ortaklığı thereof.
3. Scope of the Policy
This Policy is applicable to personal data of all personal data owners,
including without limitation, our employees, prospective employees,
shareholders/partners, visitors, business associates, customers, potential
customers, suppliers, affiliates, website users/visitors, etc. in other
words, all personal data owners who are associated with our Company during
the performance of our activities. This Policy is not applicable to any
data relating to legal entities.
In case of any conflict between the applicable legislation on processing
and protection of personal data and this Policy, the provisions of the
applicable legislation in force shall be applicable thereof.
4. Effective Date of the Policy
This Policy has entered into force to be effective as of June 1st, 2020
upon approval of the Company. The previous version of this Policy as
formerly published on the website was abolished as of the effective date of
this Policy thereof.
In case any change to this Policy is required, the relevant provisions
shall be revised accordingly.
The details of such changes to this Policy are provided under Section 11 of
this Policy.
SECTION 2: CLASSIFICATION OF PERSONAL DATA
1. Personal Data
Personal data as a term include all kinds of information on an identified
or identifiable natural person. In this Policy, personal data as a term
shall also include sensitive personal data in line with the applicable
legislation thereof.
2. Sensitive Personal Data
Sensitive personal data consist of a natural person's racial or ethnic
origin, political opinions, philosophical beliefs, religion, sect, or other
beliefs, physical appearance and attire, association, foundation, or trade
union membership, data concerning health, data concerning sex life or
sexual orientation, criminal conviction, data concerning security measures
as well as biometric data and genetic data of such natural persons.
SECTION 3: DATA SUBJECT GROUPS AND DATA CATEGORIES
1. Personal Data Categorization
Personal data in the following categories are processed by the Company by
providing information to the data subjects as per article 10 of the Law
thereof. This section includes information about which personal data are
processed under such categories in relation to the data subject groups as
defined in this Policy and what types of personal data of the data subjects
are processed under such categories thereof. Such personal data include
those explicitly evident that they belong to an identified or identifiable
natural person as processed, in part or in whole, by automatic systems, or
otherwise by non-automatic systems provided that such personal data are
part of a data recording system as follows:
| PERSONAL DATA CATEGORIZATION | INFORMATION ON PERSONAL DATA CATEGORIZATION |
| --- | --- |
| Identity Information | All kinds of information as contained in documents such as the driver's license, ID card, certificate of residence, passport, attorney's ID card, (birth) certificate, and marriage certificate, etc. is defined as identity information. Personal data as processed by the Company of its prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with. |
| Contact Information | Phone number, address, e-mail address, etc. are defined as contact information. Personal data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with. |
| Geolocation Data | Data identifying the geographical location of our employees as personal data subjects when driving Company vehicles are defined as geolocation data. Personal data as processed by the Company of the company employees. |
| Customer Data | Data obtained and/or generated about the data subject as a result of our business activities and operations as carried out by our business units within this scope. Customer data as processed by the Company; |
| Information on Family Members and Relatives | Information on family members and relatives of the personal data owner as processed for the purpose of protection of the legitimate interests of the Company and the personal data owner. Information on the family members of our employees as processed by the Company thereof. |
| Customer Transaction Information | Such information consists of records relating to the use of our products and services as well as any necessary instructions and requests as provided by the customer as required for the use of such products and services. Customer data as processed by the Company. |
| Physical Site Security Information | Personal data relating to the records and documents as obtained during entry to a physical site and during visiting such a physical site. Information as processed by the Company about our visitors, company officials, customers as well as the employees of the institutions that we collaborate with. |
| Process Security Information | Personal data as processed for the purpose of ensuring our technical, administrative, legal, and commercial security during the performance of our business activities. Information as processed by the Company about our visitors, third parties, company officials as well as employees, shareholders, and officials of the institutions that we collaborate with. |
| Risk Management Information | Personal data processed by such methods as implemented in line with generally accepted legal, customs of trade, and good faith principles in this regard for the purpose of the management of our commercial, technical, and administrative risks thereof. Data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as those of the employees, shareholders, and officials of the institutions that the Company collaborates with. |
| Financial Information | Personal data as processed in relation to any information, documentation, and records indicating any kind of financial results generated based on the type of legal relationship as established by and between the Company and the personal data owner thereof. Data as processed by the Company of its customers, employees, company shareholders, company officials as well as the employees, shareholders, and officials of the institutions that the Company collaborates with. |
| Personnel Information | Any kind of personal data as processed to obtain information on the basis of constituting personal benefits of our employees or natural persons having an employee-employer relationship with the Company. Personal data as processed by the Company about our employees as well as the employees of the institutions that we collaborate with. |
| Prospective Employee Information | Personal data as processed in relation to the individuals who have submitted a job application to become an employee of the Company, or evaluated as a prospective employee in line with the human resources needs of the Company as per the customs of trade and good faith principles, or those having an employee-employer relationship with the Company thereof. Information on prospective employees as processed by the Company. |
| Employee Operation Information | Personal data processed in relation to all kinds of processes as performed by our employees or those having an employee-employer relationship with the Company regarding the business activities of the Company thereof. Information as processed by the Company about our employees as well as the employees of the institutions and vendors that we collaborate with. |
| Employee Performance and Career Development Information | Personal data as processed for the purpose of measurement of the performance of our employees or those having an employee-employer relationship with the Company as well as planning and management of their career development in line with the Human Resources Policy of the Company thereof. Personal data as processed by the Company of the company employees. |
| Fringe Benefits and Other Employee Benefits Information | Personal data as processed for the purpose of planning of fringe benefits and other employee benefits presented or to be presented in the future to our employees or those having an employee-employer relationship with the Company, determination of the objective eligibility criteria for such benefits as well as following up such entitlement thereof. Personal data as processed by the Company of the company employees. |
| Legal Proceedings and Legal Compliance Information | Personal data as processed for the purpose of determination and follow-up of our legal claims and rights as well as the fulfillment of our obligations in addition to compliance to our legal obligations and corporate policies thereof. Personal data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with, and those of the third parties. |
| Audit and Supervision Information | Personal data as processed within the scope of compliance to legal obligations and corporate policies of the Company. Personal data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with, and those of the third parties. |
| Sensitive Personal Data | Personal data as defined in article 6 of the Law thereof. Personal data as processed by the Company of our prospective employees, employees, company shareholders, company officials as well as the employees of the institutions that we collaborate with. |
| Health Information | Personal data such as information concerning disability status, blood type, personal health information as processed for the purpose of the fulfillment of our legal obligations as well as providing fringe benefits to our employees thereof. The Company processes the health information of its employees. |
| Audio-Visual Records | Audio-visual records may be captured during the performance of our business processes and operations. Such data consist of those related to our employees and visitors. |
| Marketing Information | Such information consists of personal data as processed for ensuring marketing by customization of our products and services in line with usage patterns, interests, and requirements of the personal data owner as well as any reports and assessments generated as a result of the outcomes of processing of such information thereof. Information as processed by the Company about its customers and potential customers. |
| Biometric Data | Such data consist of palm print data, fingerprint data, retinal scanning data, facial recognition data, etc. Such data as processed by the Company consist of data of the employees. |
| Request/Complaint Management Information | Personal data relating to the receipt and evaluation of any kind of requests or complaints submitted to the Company. Personal data as processed by the Company of its customers, potential customers, prospective employees, company shareholders, company officials, visitors as well as the employees, shareholders, and officials of the institutions that the Company collaborates with, and those of the third parties. |
SECTION 4: PROCESSING OF PERSONAL DATA
1. General Principles for Processing of Personal Data
Personal data are processed by the Company in compliance with the
procedures and principles as provided under the Law and this Policy.
The Company acts in line with the following principles when processing
such personal data:
- Compliance to applicable law and good faith principles;
- Ensuring that such personal data are accurate and up-to-date as
  required;
- Processing of personal data for specific, explicit, and legitimate
  purposes;
- Processing of personal data in relation to, limited and
  proportional to the intended purpose for processing; and
- Storage of personal data for a period as provided in applicable
  legislation or as required for the intended purpose for processing
  of such personal data.
2. Conditions for Processing of Personal Data
The Company does not process personal data without the explicit consent of
the personal data owner thereof. However, such personal data may be
processed without any requirement for explicit consent of the personal data
owner in case of any of the following conditions:
- Such processing of personal data is explicitly provided under
  applicable law;
- Processing of such personal data is required for the protection of
  life or physical integrity of the data subject or any other person
  in such cases where such data subject is unable to provide its
  explicit consent due to actual impossibility or where such explicit
  consent is not deemed to be legally valid thereof.
- Processing of personal data of the contracting parties is required,
  provided that such personal data are directly related to the
  establishment or execution of an agreement:
  For instance, the bank account information of the payee may be received
  for the purpose of the payment of the amounts under an agreement
  executed by and between the parties thereof.
- Processing of such personal data is required for the data
  controller to fulfill its legal obligations thereof.
- Such personal data have been made public by the data subject
  itself:
  In other words, personal information as previously disclosed to the
  public may be processed without the explicit consent of the personal
  data owner as the legal interest for the protection of such personal
  data is no longer applicable.
- Processing of such personal data is required for allocation, use,
  or protection of any claims or rights thereof.
- Processing of such personal data is required for the legitimate
  interests of the data controller provided that such processing of
  personal data shall not cause any harm to the fundamental rights
  and liberties of the data subject thereof.
3. Conditions for Processing of Sensitive Personal Data
The Company does not process Sensitive Personal Data without an explicit
consent of the data subject thereof. The Company shall carry out necessary
processes in order to take adequate measures as determined by the Personal
Data Protection Board for processing of such Sensitive Personal Data.
4. Our Intended Purposes for Processing of Personal Data
Personal Data as collected by the Company are processed for the following
purposes within the scope of the conditions for processing of personal data
as provided in articles 5 and 6 of the Law. In case the operation of
processing of personal data for the following purposes fails to meet any of
the conditions as provided under the Law, then the Company obtains the
explicit consent of the personal data owner in relation to such processing
of personal data thereof.
· Performance of emergency procedures;
· Performance of information and/or data security procedures;
· Management of access authorizations;
· Ensuring security of the premises;
· Performance of communication operations;
· Performance of storage and archiving operations;
· Performance of internal audit, investigation, and intelligence
operations;
· Performance of risk management procedures;
· Ensuring the security of movable property and resources;
· Management of organization activities and events;
· Performance of management activities;
· Performance of business and administrative activities;
· Providing support services to customers and reporting within the scope of
the relevant contract and applicable service standards;
· Formation, updating, and development of the services to be provided to
our customers by determining the interests and requirements of our
customers thereof;
· Ensuring the fulfillment of our legal obligations as required or
obligated by statutory regulations;
· Providing campaigns, surveys, and promotions;
· Contacting persons having a business relationship with the Company;
· Performing advertisement and marketing operations;
· Compliance management;
· Vendor / supplier management, program and services;
· Statutory reporting;
· Optimal planning and implementation of human resources policies;
· Correct planning, performance, and management of business partnerships
and strategies;
· Ensuring legal, commercial, and physical security of the Company and its
business associates;
· Ensuring corporate operation as well as planning and execution of
management and communication activities;
· Ensuring the highest level of data security;
· Creation of databases;
· Development of web services and debugging on the corporate website;
· Contacting Personal Data owners who have submitted their requests and
complaints to the Company as well as ensuring the management of such
requests and complaints thereof;
· Efficiency management;
· Performance of staff recruitment procedures;
· Providing the Group Companies with support relating to staff recruitment
and compliance to applicable legislation;
· Planning and performance of audit and supervision activities in order to
ensure the performance of the operations of the Group Companies in
compliance with the applicable legislation;
· Providing the Group Companies with support relating to the performance of
the operations under corporations law and legislation;
· Performance and follow-up of financial reporting and risk management
processes;
· Performance and follow-up of operations under corporate law;
· Performance of operations for maintaining corporate reputation;
· Creation and follow-up of visitor records;
· Planning and performance of the activities relating to business
operations and business continuity;
· Follow-up of financial and/or accounting operations;
· Providing competent authorities with information in relation to
applicable legislation and preparation for audits to be conducted by such
competent authorities;
· Planning and performance of corporate communication activities;
· Planning and performance of operational procedures;
· Planning and performance of the authorized staff of the business
associates and/or suppliers to access information;
· Planning and performance of customer relationship management procedures;
· Follow-up of customer requests and/or complaints;
· Follow-up of contracting procedures and/or legal claims;
· Planning and performance of marketing survey activities for sales and
marketing of the services;
· Performance of sales and after-sale operations as well as purchasing
operations;
· Planning and/or performance of procedures for creating and/or increasing
customer engagement to the products and/or services as provided by the
Company;
· For the purposes of ensuring the performance of corporate human resources
policies and evaluation of job applications in compliance with corporate
human resources policies;
· Fulfillment of the obligations and taking necessary actions within the
scope of occupational health and safety procedures;
· Fulfillment of the obligations on behalf of the company employees arising
out of the contract of employment and/or applicable legislation thereof;
· Performance of the procedures relating to commencement and termination of
the employment of the personnel;
· Evaluation of wages and performance procedures as well as management of
salaries and payrolls;
· Planning and/or performance of in-company training activities;
· For the purpose of ensuring the legal and commercial security of the
Company and persons having a business relationship with the Company;
· Planning and performance of necessary operational activities in order
to ensure that the Company operations are carried out in compliance
with corporate procedures and/or applicable legislation;
· Ensuring the security of Company premises and/or buildings and
facilities;
· Ensuring the security of Company assets (i.e. fixtures and fittings etc.)
and/or resources;
· For the purpose of determination and implementation of corporate
commercial and business strategies;
· Performance of social responsibility activities conducted by the Company;
· Planning and performance of customs operations procedures;
· Completion of quality procedures.
SECTION 5: TRANSFER OF PERSONAL DATA
1. Conditions for Transferring Personal Data
As a corporation, we act in compliance with the decisions and regulations
as provided under the Law and taken by the Board regarding the transfer of
Personal Data and we take any necessary actions thereof. Provided that the
exceptional circumstances as contained in the applicable legislation are
reserved, the Company does not transfer personal data and sensitive
personal data to any natural persons or legal entities without the explicit
consent of the Data Subject thereof. However, personal data may be
transferred:
· In such cases as described in article 2 of Section 4 in this Policy, or
· For sensitive personal data, in such cases as described in article 2 of
Section 4 in this Policy, or
· Sensitive personal data concerning the health and sex life or sexual
orientation of the Data Subject may only be transferred to the natural
persons or authorized institutions and organizations under confidentiality
obligation for the purposes of protection of public health, preventive
healthcare, medical diagnosis, treatment and healthcare services, planning
and management of healthcare services as well as their financing
without any requirement for an explicit consent thereof.
Media used by the Company for the transfer of such personal data consist of
methods such as corporate intranet, electronic mail, printed copy, MS Excel
worksheet, VPN, and secure file transfer.
2. Conditions for International Transfer of Personal Data
As a rule, personal data may not be transferred abroad without the explicit
consent of the Data Subject thereof. However, in case of any of the
exceptional circumstances as defined in article 2 of Section 4 in this
Policy and in case such third parties abroad are:
· Located in any of the countries as listed by the Board to ensure adequate
protection of personal data, or
· In cases where such third parties are not located in any of the countries
ensuring adequate data protection, then on the condition that the data
controllers in Turkey and in the relevant countries abroad provide a
written commitment to ensure adequate data protection and also provided
that the Board grants permission thereof,
then such personal data may be transferred abroad without an explicit
consent thereof.
3. Our Intended Purposes for Transferring Personal Data and
Third-Parties to Whom Personal Data Are Transferred
For the purposes as provided in Article 4 of this Policy, Personal data may
be transferred to:
· Business associates and business contacts;
· Affiliates and group companies;
  - Özak Global Holding A.Ş.
  - Akyön Tesis Yönetim Hizmetleri A.Ş.
  - Aktay Otel İşletmeleri A.Ş.
  - Akyön Özel Güvenlik ve Koruma Hizmetleri A.Ş.
  - Kamer İnşaat Ticaret ve Sanayi A.Ş.
  - İnt-Er Yapı İnşaat Turizm San. ve Tic. A.Ş.
  - Kübrateks Tekstil San. ve Dış. Tic. A.Ş.
  - Özak Gayrimenkul Yatırım Ortaklığı A.Ş.
  - Özak Tekstil Konfeksiyon Turizm San. ve Tic. A.Ş.
· Legally authorized public institutions and organizations;
· Legally authorized private persons/entities;
· Domestic and foreign server service providers of the Company; and
provided that all necessary technical and administrative measures are taken
in line with the principles and rules as described in this Policy.
4. Personal Data Stipulated to be Transferred to Foreign Countries
Due to the ongoing activities of the Company abroad, personal data limited to
contact details may be transferred abroad based on the explicit consent of
the personal data owners to be limited by the scope of such explicit
consent and provided that it is also limited to the circumstances as
required by the operational procedure with our foreign business associates
located abroad.
SECTION 6: METHOD FOR COLLECTION OF PERSONAL DATA AND THE LEGAL BASIS
1. Method for Collection of Personal Data and the Legal Basis
Personal Data are collected by the Company by technical and procedural
methods employed through various means such as our website, e-mails,
application forms, request forms, secure electronic transactions, printed
forms, log sheets, and physical channels, or in verbal, written, or digital
environment, through automatic systems, in part or in whole, or through
non-automatic systems provided that such personal data are part of a data
recording system to be processed for the purposes of providing our business
services to our customers within the framework of legitimate reasons
arising out of and enforceable based on the applicable legislation,
contracts, claims, customs of trade, and good faith principles as
applicable in terms of the performance of our business operations in this
regard as well as the fulfillment of legal obligations of the Company,
fulfillment of the requirements of the business relationship established
with our customers and establishment, exercising, and protection of mutual
rights in this regard, and protection of the legitimate interests of the
Company provided that the fundamental rights and liberties of the personal
data owners having a business relationship with the Company are protected
thereof. Within this context, characteristic methods for Collection of
Personal Data, intended purposes for collection of personal data, and
activities carried out in this regard are as follows:
a) Security Camera Surveillance Activity At the Building and Facility
Entrances and Inside the Buildings and Facilities
Within the scope of security camera surveillance activity, the Company aims
to improve the quality of services provided, to ensure the reliability of
such services, to ensure the security of the Company, its customers, and
others, and to protect the interests of the customers relating to the
services provided to such customers thereof.
· Legal Basis for Camera Surveillance Activity
Camera surveillance activity as undertaken by the Company is carried out in
compliance with the Law on Private Security Services and applicable
legislation thereof.
· Providing Information on Camera Surveillance Activity
As per article 10 of the Law on the Protection of Personal Data, the
Company provides the personal data owner with necessary information
thereof.
With regards to camera surveillance activity, the Company published this
Policy on its website (online Policy amendment) and a warning sign
about camera surveillance was placed at the entrances of the locations
subject to surveillance (providing on-site information).
· Intended Purpose for Camera Surveillance Activity and Such Activity
Being Limited to the Purpose
The intended purpose for camera surveillance activity as carried out by the
Company is limited to the purposes as provided in this Policy. Areas where
surveillance would be too invasive for the privacy of individuals beyond
the intended purposes for security (e.g. restrooms, prayer rooms, etc.) are
not subject to camera surveillance activity.
· Ensuring Security of Captured Personal Data
In compliance with article 12 of the Law on the Protection of Personal
Data, all reasonable technical and administrative measures as provided in
this Policy are taken with a view to instating the security of the captured
personal data by the Company as a result of camera surveillance activity.
· Parties Authorized to Access the Captured Personal Data by Camera
Surveillance Activity and Parties to Whom Such Personal Data Are
Transferred
Only a limited number of Company employees have access to the security
camera footage as captured and stored in digital environment. On the other
hand, in-company security staff and administrative affairs personnel may
view live feed as received from the security camera systems. Others are not
allowed to access such footage.
b) Supervision of Visitor Entry-Exit Procedures At Building and
Facility Entrances and Inside the Buildings and Facilities
The Company processes personal data for the supervision of visitors' entry
and exit procedures in the Company buildings and facilities in order to
ensure the security and for the purposes as defined in this Policy.
Names and last names as well as vehicle plate numbers of the persons who
are visiting the Company premises as a guest are obtained and such persons
as the personal data owners are duly informed by texts placed in various
locations in the Company premises or otherwise made available to the guests
thereof.
c) Website Visitors
The Company uses technical methods (e.g. cookies, etc.) to log online
website activities of the visitors of the websites as owned by the Company
in order to ensure that the visitors of such websites navigate the websites
in line with the intended purposes of visiting such websites, provide the
visitors with customized content, and carry out online advertisement
activities thereof. Visitors of our website are provided with our "Cookies
Policy" and comprehensive information is provided to such visitors in line
with our obligation to provide required information to our visitors
thereof.
d) Mobile Applications of the Company
The Company develops mobile applications used by our customers by
downloading such applications to their mobile devices with an aim to
facilitate the provision of services as provided by the Company to our
customers. Explicit consent of the customers is obtained by providing
comprehensive information within the scope of our obligation to provide
required information to our customers using our mobile applications just
before they enter any personal information thereof.
SECTION 7: DELETION, DISPOSAL, AND ANONYMIZATION OF PERSONAL DATA
1. Deletion, Disposal, or Anonymization of Personal Data
The Company undertakes deletion, disposal, or anonymization of Personal
Data, either ex officio or upon request by the personal data owner, in case
the conditions for processing of such personal data are no longer
applicable provided that applicable provisions as contained in other laws
and legislation relating to deletion, disposal, or anonymization of
Personal Data shall be reserved. Upon deletion of Personal Data, such data
are destroyed in such a manner to prevent them being reused or recovered.
Data disposal processes are carried out by documenting such disposal
process in a formal report in periodic disposal periods as determined by
the Company thereof.
2. Term for Storage and Disposal of Personal Data
The Company stores Personal Data during the period as provided in
applicable legislation provided that storage of Personal Data is stipulated
in such applicable legislation. In case such legislation does not set out
the storage period of personal data, then Personal Data is processed for a
period as required by the Company procedures and customs of trade in
relation to the operations performed during processing of such personal
data, and then personal data are subject to deletion, disposal or
anonymization thereof.
In case the purpose for processing of personal data is no longer applicable
and the storage period as provided in applicable legislation and/or as
determined by the Company has also expired, then such personal data may
only be stored to constitute evidence for any potential legal disputes or
claim for the rights associated with such personal data or defend such
rights thereof. In such cases, the Company determines the storage periods
of personal data by taking into consideration the statute of limitation
periods for claiming for such rights as well as previous examples contained
in the requests as received by the Company on similar cases regardless of
whether the statute of limitation periods have expired thereof. In that
case, such stored personal data may not be accessed for any other purpose
and the relevant personal data may only be accessed when they are required
to be used to resolve such legal disputes thereof. Upon expiration of the
storage period as defined in this paragraph, such personal data are subject
to deletion, disposal, or anonymization thereof.
SECTION 8: ACTIONS TAKEN FOR THE SECURITY OF PERSONAL DATA
The Company takes all necessary technical and administrative measures, and
performs all necessary controls or has them performed, in order to ensure
an adequate level of security to prevent unlawful processing of and
unlawful access to Personal Data as processed by the Company, and to ensure
the protection of such data, in compliance with article 12 of the Law.
1. Technical Measures Taken for Personal Data Security
Provided that such measures are limited to those for ensuring the security
and protection of personal data:
· Network security and application security are ensured;
· Closed computer network system is used in personal data transfers through
the network;
· Necessary security measures with regards to the procurement, development,
and maintenance of information technology systems are taken;
· In-company technical organization is implemented for the purposes of
processing and storage of personal data in compliance with the applicable
legislation thereof;
· Data masking is applied as a measure whenever deemed required;
· Technical infrastructure is established in order to ensure the security
of the databases on which personal data are intended to be stored;
· Established technical infrastructure procedures are subject to follow-ups
and controls;
· Reporting procedures for the technical measures taken as well as control
processes are determined;
· Technical measures are periodically updated and revised;
· Associated risks are reviewed and necessary technological solutions are
created;
· Up-to-date anti-virus protection systems, firewall, and similar software
or hardware security products are used and security systems in line with
technological developments are installed;
· Applications through which personal data are collected are subject to
periodic security scans and any identified security breaches are eliminated
thereof;
· Backup programs are used in compliance with applicable law in order to
ensure the secure storage of personal data;
· Access to data storage media and/or data is strictly limited to the
access of the authorized personnel and limited to the purpose for storage
of personal data, and any unauthorized access or attempted access is
instantly reported to the authorized personnel by keeping log entries for
access to data storage spaces where such personal data are stored;
· Logs are subject to periodic review;
· Expert technical staff is employed;
· User account management and authorization control systems are in place
and subject to follow-up;
· Logs are kept in such a manner to prevent any user intervention;
· In case sensitive personal data are required to be transferred by e-mail,
such sensitive personal data are always sent by encryption and via KEP
address (registered e-mail address) or by using a corporate e-mail account;
· Secure encryption and/or cryptographic keys are used for sensitive
personal data and managed by different units;
· Cyber-attack detection and prevention systems are in place;
· Penetration test is performed;
· Cybersecurity measures have been taken and their implementation is subject
to continuous supervision;
· Encryption is ensured.
2. Administrative Measures Taken for Personal Data Security
Provided that such measures are limited to those for the protection of
personal data:
· Corporate policies and procedures are created for access to personal data
by those, including employees of our group companies and affiliates, data
security, data usage, storage, and disposal, and policies for using tools
and equipment associated with the use of databases and applications
containing personal data are issued and implemented thereof;
· Employees are duly informed and trained on protection and processing of
personal data in compliance with applicable law;
· Data security training and awareness activities for employees are
organized on a regular basis;
· Within the scope of the agreements with our employees and/or corporate
policies as published, actions to be taken in case of any unlawful
processing of personal data by our company employees are determined;
· Agreements and procedures as executed with our employees contain
provisions imposing obligations to prevent unlawful processing, disclosure,
and use of personal data in such an unlawful manner thereof, and relevant
awareness and control activities are carried out in this regard;
· Company employees are subject to disciplinary actions relating to data
security;
· Our employees are informed about the fact that their obligations not to
disclose to others any personal data they have in possession in any manner
as contrary to the provisions of the Law and not to process such personal
data for any purpose other than the intended purpose for processing of such
personal data shall continue to be applicable to them even after they have
left their job and such employees provide a written commitment not to
disclose or process such personal information thereof;
· Corporate policies on access, data security, use, storage, and disposal
of personal data are issued and implemented;
· The agreements as executed by and between the Company and the parties, to
whom personal data are transferred in compliance with applicable law,
contain provisions ensuring that the parties, to whom personal data are
transferred, shall take the necessary security measures for the protection
of such personal data and ensure compliance with such measures in their own
institutions thereof;
· The scope of access to personal data by our company employees is
determined based on the roles and responsibilities/functions of such
employees, and their authorities to access such personal data are limited
accordingly whereas their authorities are periodically reviewed, an
authorization matrix is designated, and the authorizations of the employees
who leave their job or are subject to reassignment are removed thereof;
· Recent developments on the data security, right of privacy, and
protection of personal data are followed and necessary legal and technical
consultancy services are procured in order to take any necessary actions
thereof;
· Compliance of collaborated data processors and other data controllers to
the Law and secondary legislation is investigated, necessary instructions
are provided, and their awareness on compliance is ensured;
· Any issues about personal data security are duly reported without delay;
· Personal data security is subject to follow-up;
· Personal data volume is reduced as much as possible;
· Personal data are subject to backup and the security of such personal
data subject to backup is also ensured;
· Internal periodic and/or random controls are performed and/or caused to be
performed;
· Current risks and threats are identified;
· Protocols and procedures for the security of sensitive personal data have
been determined and implemented;
· Necessary security measures are taken for entry to and exit from the
environments/media containing personal data;
· The environments containing personal data are protected against external
risks (e.g. fire, flood, etc.);
· Awareness of service providers who process personal data is ensured for
data security;
· Technical staff is employed accordingly; and
· The system ensuring timely reporting to the relevant personal data owner
and the Personal Data Protection Board in case of any unlawful access to
such personal data by unauthorized parties has been established and
implemented.
3. Physical Actions Taken for Personal Data Security
· Occupation-based physical access measures are taken at the locations
where personal data are stored;
· Documents as well as archiving/storage equipment containing personal data
are stored in locked cabinets;
· Card pass systems are used in working spaces;
· Working spaces are monitored by closed-circuit camera system (CCTV)
without intrusion to the privacy of the employees;
· Documents and storage equipment containing personal data are securely
disposed of, and are subject to backup to prevent data loss in line with
the rules and principles as provided under the Law on the Protection of
Personal Data and this Policy thereof.
4. Procedure to be Followed for Unauthorized Disclosure of Personal
Data
Pursuant to article 12 of the Law, the Company notifies the relevant data
owner and the Board as soon as possible and within 72 hours at the latest
from the determination of the unlawful access by third parties of the
processed Personal Data.
5. Auditing the Actions Taken for the Protection of Personal Data
Pursuant to article 12 of the Law on the Protection of Personal Data, the
Company performs internal audits or has them performed every 6 months as
required thereof. The audit results are reported to the relevant department
within the scope of the internal procedures of the Company and the
necessary actions are taken in order to improve the measures taken thereof.
6. Raising Awareness and Supervision of the Employees on Protection and
Processing of Personal Data
The Company ensures organization of necessary training to be provided to
its current employees and new employees recently recruited in any business
unit, in order to raise awareness on prevention of unlawful processing of
and unlawful access to personal data as well as ensuring protection of such
personal data thereof. The current employees of the Company are provided
with awareness training every 4 months thereof.
SECTION 9: RIGHTS OF THE PERSONAL DATA OWNER
1. Providing Clarification to the Personal Data Owner
During the collection of Personal Data as per article 10 of the Law, the
Company provides clarification/information to the personal data owner about
the identity of the Company representative, if any, intended purposes for
processing of Personal Data, to whom and for what purposes such Personal
Data as processed may be transferred, the method for collection of Personal
Data and legal basis thereof as well as the rights of the Personal Data
Owner thereof.
2. Rights of the Personal Data Owner
Pursuant to article 11 of the Law, the Company provides information to the
personal data owners about their rights as follows:
· Learning about whether such personal data are processed;
· Requesting for information if such personal data have been processed;
· Learning about the purpose for processing of personal data and whether
such personal data are used in line with their intended purposes thereof;
· Being informed about domestic or foreign third parties to whom such
personal data are transferred;
· Requesting for correction of any incomplete or inaccurate information in
case such personal data as processed contain any incomplete or inaccurate
information thereof;
· Requesting for deletion or disposal of personal data within the scope of
the conditions as provided in article 7 of the Law thereof;
· Requesting for notification of the processes carried out pursuant to
items (d) and (e) of Article 11 of the Law to the third parties to whom
such personal data have been transferred;
· Raising an objection in case of any result against the personal data
owner arising out of the analysis of the processed data exclusively through
automatic systems; and
· Requesting for compensation of damages in case the personal data owner
incurs damages and/or loss due to unlawful processing of its personal data
thereof.
3. Exercising of the Rights by the Personal Data Owner
Personal data owners may submit to the Company their requests for
exercising their rights as defined in this Policy through our website at
www.buyukyali.com by the methods as described in our website, by completing
the "Application Form" and complying with the conditions as provided in the
"Application Form" thereof.
4. Petition Right of the Personal Data Owner to the Personal Data
Protection Board
If the application as submitted by the personal data owner is rejected by
the Company, or the personal data owner considers that the response
provided was not satisfactory, or the Company fails to provide a response
in due time, the personal data owner shall be entitled to submit an
official complaint to the Board within thirty (30) days from the receipt of
the response and in any case, within sixty (60) days from the date of
application thereof.
5. Data Controller's Right to Reject the Application of the Personal Data
Owner
The Company is entitled to reject the application as submitted by the
personal data owner in case certain conditions are met as described in this
Policy. Conditions where the Company as the Data Controller is entitled to
exercise its right to reject the application of the personal data owner are
as follows:
Regarding the personal data subject to the application submitted by the
relevant personal data owner;
· In case such personal data are processed for purposes such as research,
planning, and statistics, etc. after anonymization of such personal data
through official statistics;
· In case such personal data are processed for the purposes such as art,
history, literature, or science or within the context of freedom of
expression provided that such processing of personal data shall not violate
or constitute any crime against national defense, national security, public
safety, public order, economic security, right of privacy, or personal
rights thereof;
· In case such personal data are processed within the scope of preventive,
protective, and intelligence actions as conducted by the competent public
institutions and organizations as designated and authorized by law to
ensure national defense, national security, public safety, public order, or
economic security;
· In case such personal data are processed by judicial or execution
authorities in relation to investigation, prosecution, litigation, or
execution;
· In case processing of personal data is required for prevention of
committing a crime or for criminal investigation;
· Processing of personal data as previously made public by the personal
data owner;
· In case processing of personal data is required for the performance of
supervisory or regulatory functions as well as disciplinary investigation
or prosecution by the competent public institutions and organizations as
well as public professional organizations as designated and authorized by
law;
· In case processing of personal data is required for the protection of the
economic and financial interests of the State in relation to budgetary,
taxation, and financial matters;
· In case the request of the relevant personal data owner may potentially
hinder the rights and liberties of others;
· In case of requests requiring disproportionate efforts; and
· In case the requested information is publicly available information, then
the Company as the Data Controller may exercise its right to reject the
application thereof.
SECTION 10: PERSONNEL RESPONSIBLE FOR ENSURING COMPLIANCE TO THIS
POLICY
As per the resolution of the Company senior management, the Personal Data
Committee was formed within the Company for the management of this Policy
as well as other policies arising out of and in relation to this Policy
thereof. The Personal Data Committee shall be authorized and be responsible
for the performance of all necessary procedures for storage and processing
of the personal data of Personal Data Owners in compliance with the
applicable law, this Policy as well as other policies arising out of and in
relation to this Policy thereof. The main responsibilities of the Personal
Data Committee are as follows:
· Drafting basic policies on Protection and Processing of Personal Data,
and submitting such policies to the senior management for approval of the
same for implementation;
· Deciding on the performance and procedures for implementation and control
of the policies on Protection and Processing of Personal Data, ensuring
internal assignment and coordination within this scope, and submission of
the same to the senior management for approval thereof;
· Determination of the actions required to ensure compliance to the Law on
the Protection of Personal Data and applicable legislation, and submission
of such required actions to the senior management for approval as well as
ensuring supervision and coordination of the implementation of such actions
thereof;
· Raising awareness about the Protection and Processing of Personal Data
within the Company as well as in other institutions that the Company
collaborates with;
· Determination of any potential risks relating to the processing of
personal data by the Company and ensuring that all necessary actions are
taken as well as submission of proposals for improvement to the senior
management for their approval;
· Designation and ensuring implementation of training activities for the
protection of personal data as well as for the implementation of the
policies thereof;
· Providing the ultimate and final resolution of the applications as
submitted by personal data owners;
· Coordination of informing and training activities to ensure that personal
data owners are duly informed about the operations regarding the processing
of personal data as well as about their legal rights thereof;
· Drafting amendments to basic policies on Protection and Processing of
Personal Data, and submitting such policies to the senior management for
approval of the same for implementation;
· Following the developments and regulations on the Protection of Personal
Data, providing the senior management with recommendations on the actions
as required to be taken within the Company in line with such developments
and regulations thereof;
· Coordination of the relationship between the Committee and the Personal
Data Protection Board thereof; and
· Performance of other functions to be assigned by the senior management of
the Company on the protection of personal data.
SECTION 11: REVISIONS AND CHANGES
The Company reserves the right to make changes to this Policy and other
policies arising out of and in relation to this Policy in line with any
amendment to the Law and secondary legislation as well as any resolutions
of the Committee and/or any developments in the industry or informatics
thereof. Any changes to this Policy are immediately incorporated into the
text and any comments relating to such changes are provided in this
section.
June 1st, 2020: This Policy on the Processing and Protection of
Personal Data entered into force upon approval by the Company thereof.