POLICY RELATING TO PROTECTION AND PROCESSING OF PERSONAL DATA
The Law on the Protection of Personal Data No. 6698 (Law) regulates the principles relating to processing and protection of personal data which have to be observed in order to protect fundamental rights and freedoms, in particular right of privacy.
Our company is aware of the principles and its liabilities which have to be fulfilled in accordance with the Law. The confidentiality and protection of personal data are of great importance for our company. It is one of our priorities to fulfill the requirements in comply with the Law and to follow a policy relating to protection and processing of personal data in accordance with international standards.
Accordingly, the general principles and procedures relating to protection and processing of personal data are stated in our “Policy Relating to Protection and Processing of Personal Data” (Policy) in accordance with the Law and are implemented in our company.
I. OUR AIM:
In order to raise awareness of protection of personal data in our company, taking necessary measures, establishing the relevant procedures and ensuring the compliance of the internal operations with the Law are our aims.
Our Policy shall guide our company, the representatives of our company, our employees, our business partners and our visitors with regard to the implementation of the procedures and principles regulated by the Law.
II. DETERMINATION OF THE LIABILITIES:
In order to ensure compliance with the Law and with our Policy, to fulfill our obligations in accordance with the same, to take necessary measures, to implement the instructions, procedures and training activities, responsible persons from different departments of our company have been assigned. It is the task of these responsible persons to point the way to others and to be guides relating to the implementation of the Law and our Policy. Compliance with the Law and our Policy is observed and monitored by these responsible persons in all departments of our company.
III. GENERAL PRINCIPLES OF OUR POLICY:
1. GENERAL PRINCIPLES:
The following general principles apply for the processing of personal data in accordance with the Law:
a. PROCESSING PERSONAL DATA LAWFULLY AND IN GOOD FAITH:
Relating to processing personal data, our company acts in compliance with the laws, secondary legislation, the decisions of the Data Protection Authority and with the principals regulated by other relevant regulations.
In accordance with the principles of good faith, processing personal data is limited to the purpose of processing data, the reasonable expectations of the data owner are taken into consideration and the data owner is informed before about all kinds of processing related to his / her personal data. If required by law, the explicit consent of the data owner relating to the processing of his / her personal data are obtained.
b. PROVIDING THE ACCURACY AND WHERE NECESSARY THE ACTUALITY OF THE PERSONAL DATA:
Providing the accuracy and the actuality of personal data is necessary for the protection of fundamental rights and freedoms of the data owner.
In order to ensure the accuracy and the actuality of personal data, the correctness of the sources of personal data is tested and necessary measures are taken for that. Data owner is given the right to request for adjustment or deletion of his / her personal data which are not correct or actual.
c. PROCESSING PERSONAL DATA WITH SPECIFIC, EXPLICIT AND LEGITIMATE PURPOSES:
Personal data are processed for specific, explicit and legitimate purposes. Within this framework, our company determines the purposes for which personal data are processed by the “inventory relating to processing of personal data” which is required by law. Before processing personal data we inform the data owner about the processing purposes and, where required, we ask for the explicit consent of the data owner. Personal data are only processed within the scope of given information and explicit consent of the data owner.
d. RELEVANCE WITH, LIMITATION TO AND PROPORTIONALITY TO THE PURPOSES FOR WHICH THE PERSONAL DATA ARE PROCESSED:
“Limitation to the purpose” is one of the most important principles relating to protection of personal data. Processing personal data has to be relevant with, limited to and proportionate to the purpose for which the personal data are processed.
In this respect, our company avoids processing personal data which are not related to the purpose of processing or are not needed. Personal data are not processed for purposes which are not present and which are expected to occur afterwards. Minimizing of personal data processing is essential in our company.
e. RETAINING PERSONAL DATA FOR THE PERIOD DETERMINED BY THE RELEVANT LEGAL REGULATION OR FOR THE TIME DEEMED NECESSARY FOR THE PURPOSE OF PROCESSING:
Personal data are retained only for the period determined by the relevant legal regulation and for the time required for the purpose for which the personal data are processed.
2. CONDITIONS FOR PROCESSING PERSONAL DATA:
Our company complies with the data processing requirements set out in the Articles 5 and 6 of the Law and the general principles while processing personal data. Accordingly relating to processing of personal data it is determined whether the explicit consent of the data owner or one of the other data processing requirements (where the data owners explicit consent is not
required) is given. Personal data are not processed in cases where the processing requirements set out in Articles 5 and 6 of the Law are not met.
3. TRANSFERRING PERSONAL DATA TO THIRD PARTIES:
While processing personal data in accordance with Article 8 and 9 of the Law personal data are transferred to third parties in Turkey and abroad only in cases where the explicit consent of the data owner and / or the other conditions are given and by taking the sufficient protection measures.
In order to prevent the access to personal data by unauthorized third parties, all necessary measures are taken.
4. INFORMING THE PERSONAL DATA OWNER:
To be informed about the processing of his / her personal data, is the most natural right of the data owner.
Relating to the processing of personal data, as a data controller our company informs the owner of the personal data (e.g. employees, candidates, visitors, customers) about the below mentioned issues in accordance with Article 10 of the Law and the relevant secondary legislations;
- The purposes for which personal data are processed,
- To whom and for what purpose the personal data may be transferred,
- The method and the legal reasons for collection of personal data and
- Rights of the personal data owner regulated in Article 11 of the Law.
While fulfilling its information obligations, our company considers all circumstances of the particular case.
5. PROVIDING DATA SAFETY:
In order to;
- Prevent unlawful processing of personal data,
- Prevent unlawful access to personal data,
- Ensure the retention of personal data and
- Ensure the appropriate level of security
all necessary technical and administrative measures are taken in accordance with Article 12 of the Law. While doing this our company is aware of the importance of ensuring the security of personal data and observing the fundamental rights and freedoms of the data owners.
6. ERASURE, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA:
Despite being processed under the provisions of the Law and other related legislation, personal data have to be erased, destructed or anonymized by the data controller, ex officio or upon demand by the data owner, upon disappearance of reasons which require the process in accordance with Article 7 of the Law.
In order to fulfill these obligations necessary procedures and a separate policy has been prepared in our company.
In this respect, upon disappearance of reasons which require the process and in cases where the personal data are not needed any more, the personal data are immediately destroyed / deleted in our company. In addition, in certain periods, personal data which have to be destroyed / deleted, their users, users' access methods are determined, the necessary destruction operations are carried out and the access to personal data are eliminated in accordance with the Law and the relevant legislation.
7. REQUESTS OF DATA OWNER TO OUR COMPANY:
As a data controller, according to the Article 13 of the Law and the relevant secondary legislation the requests and applications of the data owner are finalized by our company as soon as possible, latest within thirty (30) days.
Data owner shall send requests relating to his / her rights in writing to following e-mail address: [email protected]. Any costs that may occur during the evaluation of your application will be reflected to the applicant within the limits and measures specified in the law.
Data owner has following rights:
- Learn whether his / her personal data are processed or not,
- Request information if his / her personal data are processed,
- Learn the purpose of processing of his / her personal data and whether these data are used for intended purposes,
- Knowing the third parties to whom his / her personal data are transferred at home or abroad;
- Request the rectification of incomplete or inaccurate data, if any, and request notification of the operations carried out to third parties to whom his / her personal data have been transferred,
- Despite being processed under the provisions of the Law and other related legislation, in case of disappearance of reasons which require the process of personal data, request the erasure or destruction of his / her personal data and request notification of the operations carried out to third parties to whom his / her personal data have been transferred,
- Object to the processing, exclusively by automatic means, of his / her personal data, which leads to an unfavourable consequence for the data owner,
- Request compensation for the damage arising from the unlawful processing of his / her personal data.