5. APPLICATION PRINCIPLES
5.1. DATA PROCESSING PRINCIPLES
The company will comply with the personal data protection legislation and data protection principles. The data processing principles adopted by the company include:
- Processing personal data only if it is clearly necessary for legitimate corporate purposes,
- Processing as much personal data as necessary for these purposes and not processing more than necessary (providing data minimization),
- To give clear information to individuals about who and how their personal data is used,
- Processing only relevant and appropriate personal data,
- Processing personal data fairly and lawfully,
- To keep an inventory of personal data categories processed by the Company,
- Keeping personal data accurate and up-to-date when necessary,
- To store personal data only for as long as required by legal regulations, the Company's legal obligations or legitimate corporate interests,
- To store personal data in a way that does not allow access to the identity information of Data Owners for more than a time reasonably necessary for the purposes for which personal data is processed,
- Continue to protect data privacy at the beginning of any project or activity. phase and then service life as a key factor throughout (Privacy Enforcement Policy),
- Respecting the rights of individuals regarding their personal data, including the right of access,
- To transfer personal data abroad only in accordance with the express consent of the persons or in case of adequate protection,
- To implement the exceptions allowed in accordance with the legislation,
- To establish and implement the personal data protection system for the implementation of the policy,
- Iç, which is party to the personal data protection system when necessary; and external stakeholders and to what extent they are involved in the Company's personal data protection system,
- Identifying employees who have special powers and responsibilities regarding the personal data protection system.
All personal data processing activities must be carried out in accordance with the following data protection principles. The company's policies and procedures aim to ensure compliance with these principles:
- Compliance with the law and the rules of honesty
- Being accurate and up to date when necessary
- Processing for specific, clear and legitimate purposes
- Related, limited and reputable for the purpose for which they are processed; don't be
- The purpose for which they are processed or processed in the relevant legislation; Storage for the required time.
In this direction, the Company includes disclosure and privacy statements regarding the personal data processing activities it carries out, in the data collection channels and in the relevant forms. Areas where notifications containing clear and understandable information about whom and for what purposes are processed by the company are to be included and announced by the KVK Committee. is determined by. These notices include the following:
- Identity and contact information of the Company as the data controller,
- Types of personal data processed,
- Purposes of processing personal data,
- Methods of collecting personal data,
- Based on which legal reason personal data is processed,
- Data owner's rights,
- Third where data can be shared; parties.
In the personal data inventory, the reasons/purposes for the processing of personal data are determined and the personal data is used for another legal reason or for the stated purpose without the explicit consent of the data owner. cannot be used outside. In the event that conditions arise that require the use of personal data for purposes other than those specified in the personal data inventory, this situation is notified to the KVK Committee by the relevant employee/unit/department. The KVK Committee checks the suitability of the new purpose and, if necessary, ensures that the data owner is informed about the new purpose and new data processing activity.
Personal data; It must be processed to a relevant and limited extent appropriate for the purposes for which it is processed, and must be accurate and up-to-date. The accuracy and up-to-dateness of the data kept for a long time should be reviewed. The company is responsible for educating all employees on the correct and up-to-date collection and storage of data.
The KVK Committee should be informed about all data collection channels.
The accuracy and up-to-dateness of the data kept regarding the employees is the responsibility of the relevant employee.
Customers/customers/relationships and other relevant persons should inform the Company to update the processed personal data.
Personal data should be processed in such a way that the data subject can be identified only if necessary for the purpose of data processing.
Backup of personal data, etc. Due to the requirements, safe destruction methods determined by the Board regarding personal data are applied in order to protect the rights and freedoms of individuals in case of storage beyond the specified period or in case of data security weakness.
When personal data needs to be processed for more than the specified time in accordance with the procedure in which the storage and destruction process is defined, the written approval of the KVK Committee is obtained.
All Company units that process Personal Data are responsible for complying with the above-mentioned principles as well as the measures enforcing the applicable data protection laws, and must be able to prove that they comply.
5.2. RISK ASSESSMENT
The company identifies the risks associated with the processing of personal data types. Certain types of data processing activity; If it is likely to pose a high risk to personal rights and freedoms in line with its structure, context and purpose, the Company should manage potential risks by conducting an impact analysis prior to its data processing activity. With a single value for multiple data processing activities with similar risksdownload is bearable.
After the impact analysis, if it is understood that the Company is about to start a data processing activity that may pose a high risk to personal rights and freedoms, the approval of the KVK Committee is sought on this issue. If the KVK Committee deems it necessary, it receives an opinion from the Board on the subject.
5.3. OBTAINING EXPRESS CONSENT
The company is a written/oral; accepts the consent expressed by declaration or clear confirming action as express consent. Explicit consents are obtained in writing or systematically in a way that is suitable for proof. Explicit consent can be withdrawn by the data owner at any time.
In case the data processing activity based on explicit consent will be continuous or repeated, the express consents obtained are checked. The up-to-dateness and correctness of these express consents is the responsibility of the relevant unit. Explicit consent forms or other relevant proof tools regarding the data processing activity based on explicit consent are kept by the relevant unit.
5.4. DATA SECURITY
All employees are responsible for keeping the data processed by the Company under their responsibility securely and thirdly, unless they sign a confidentiality agreement. is responsible for ensuring that it is not disclosed to the party.
Personal data should only be accessed by those who need it.
The events that threaten the security of personal data, as soon as they are determined definitively by the KVK Committee, and in any case, as soon as possible after the event is learned; It is notified to the Board and the relevant person within 72 hours.
5.5. DATA SHARING
Personal data can only be used in accordance with the law and equity; can be shared with people. Accordingly, in order for personal data to be shared, one of the following conditions must be met:
- Obtaining the explicit consent of the data owner,
- Clarity in laws,
- The person who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid, must be compulsory for the protection of his or someone else's life or bodily integrity,
- Provided that it is directly related to the establishment or performance of a contract to which the Company is or will be a party, it is necessary to process the personal data of the parties to the contract,
- Legal liability of the company; it must be mandatory in order to fulfill it,
- The person concerned has been made public by himself,
- Data processing is mandatory for the establishment, use or protection of the rights of the Company,
- Compulsory data processing for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Personal data can be transferred abroad only on the condition that the above conditions are met and there is adequate protection in the destination country or the explicit consent of the data owner is obtained for this transfer.
In the transfer of personal data abroad, the list of countries with adequate protection determined by the Board is taken into account.
When it comes to the transfer of personal data abroad, the KVK Committee provides the necessary permissions and notifications to the Board in accordance with the Law and relevant legislation.
Registering in writing with the requirements of all transactions regarding the sharing of personal datashould be taken under. These records are audited periodically by the KVK Committee.
In case of a regular data sharing relationship without a legal basis or legal obligation, a KVK Commitment is made with the party in question specifying the terms of data sharing.p>
5.6. MANAGEMENT OF RECORDS
Personal data cannot be kept longer than necessary for the purposes of processing. Classification of records containing personal data and their respective retention periods, Procedure for Recording, Storing and Destroying Personal Data; determined in accordance with.
Personal data that has expired or needs to be destroyed upon the rightful request of the data owner is anonymized or deleted or destroyed in accordance with the procedure in which the storage and destruction process is defined.
5.7. RIGHTS OF DATA OWNERS
Data owners have the following rights regarding data processing activities and records at the Company:
- Learning whether your personal data is processed or not,
- Request information about personal data if it has been processed,
- Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
- Third, where personal data is transferred at home or abroad; know people,
- In case of incomplete or incorrect processing of personal data, requesting their correction,
- To request the deletion or destruction of personal data that does not have a legal justification or basis for processing in accordance with KVKK or this policy,
- Correction or deletion made at the request of the third party to which personal data is transferred; requesting people to be notified,
- Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
- Demanding the compensation of the damage in case of loss due to unlawful processing of personal data.
Application Procedure of the Data Owner
Data owners may apply to the Company for their requests regarding their rights listed above in accordance with the application procedures set forth in the Communiqué on Application Procedures and Principles to the Data Controller.
In this case, the Company shall respond to the request as soon as possible and as quickly as possible, depending on its nature. It will conclude free of charge within 30 (thirty) days. However, if the transaction requires an additional cost, the Company may demand the fee in the tariff determined by the Board. Procedures for receiving, transmitting and finalizing requests, Procedure for Receiving, Evaluating and Responding to Data Owner Applications; performed in accordance with.
The right of access and contact information of the data owners are included in the notifications and the web address so that the data owners can manage their requests.
All employees of the company are responsible for guiding data owners regarding the correct application method for data subject access requests addressed to them, regardless of their job description; ;r. Company employees should be informed by the KVK Committee on how to act on requests from data owners.
Applications within this scope;
- With the personal application of the Data Owner
- Can be done through a notary.
6. RELEASE AND PUBLIC KEEPING UPDATED
This Policy entered into force on 01.09.2022; The Law will be re-evaluated by the KVK Committee at the beginning of each year in line with the relevant secondary legislation, Board Decisions and Company business processes and will be updated if necessary.
RECEIVE, EVALUATION AND RESPONSE OF DATA SUBJECT APPLICATIONS PROCEDUREÜRÜ
Version : 1
&Date of issue : 01.09.2022
The Procedure for Receiving, Evaluating and Responding to These Data Owner Applications; (“Procedure”), for information purposes by data owners |unvan|’NE (“The Company”) has been prepared in order to determine the procedures and principles regarding the business and transactions regarding the receipt, evaluation and response of the applications made.
Work and procedures regarding the receipt, evaluation and response of applications made by data owners regarding personal data are carried out in accordance with this Procedure prepared by the Company in this direction.
Law on Protection of Personal Data No. 6698
Personal Data Protection Board
Real person whose personal data is processed
As long as it is within the scope of the law, all kinds of real persons with an identified or identifiable natural person; info
2. RECEIVING THE APPLICATION
2.1. Form of Application
Data Owners shall submit their applications to the Company contact person in writing in accordance with Article 13 of the Law, in order to obtain information about the personal data collected by the Company and to exercise their rights specified in Article 11 of the Law.
Accordingly, applications to be made by Data Owners can be made in writing as follows:
2.2. Contents of the Application
In order to evaluate the requests of the Data Owner, it will first be determined whether the Data Owner is the owner of the personal data processed by the Company. In this regard, in applications to be made to our Company within the scope of the Law, the identity information of the Data Owner must be stated clearly and fairly.
In contingent requests, the Data Owner must provide the necessary information on how this condition is fulfilled and submit the documents to prove this claim to the Company.
Applications not received through the means specified in this Procedure, if the identity of the Data Owner has been determined and the information and/or documents required for the application within the scope of the Law have been provided by the Company, applications made through such means may be evaluated. Otherwise, the applications will be rejected due to irregularity.
Applications that do not meet the qualifications specified in this article will be evaluated and the Data Owner will be contacted until the requested information is obtained; however, if the requested information and/or documents are not provided by the Data Owner, the Data Owner's application will be rejected due to irregularity.
3. OTHER SITUATIONS
3.1. Application Made by Proxy or Legal Representative
Applications to be made to the Company within the scope of the law can also be made by the representative or legal representative of the Data Owner upon submission of the official document to prove it.
3.2. Application Fee
According to the law, it is envisaged that the Data Controller will conclude the request forwarded to him free of charge. However, it has been stated that if the transaction also requires a cost, it may be possible to charge a fee in line with the principles to be determined by the Board. In this context, if finalizing the applications to the Company requires any additional costs, the Company may charge a fee from the Data Owner.
4. APPLICATION EVALUATION PROCESS
If it is determined that there is incomplete information and/or documents in the applications made by the Data Owner, this matter will be notified to the Data Owner. If the requested information and/or documents are not provided by the Data Owner, the Data Owner's application will be rejected due to irregularity.
The third In cases where it is not possible to respond to the Data Owner's application without sharing the personal data of the persons, the Company will do the following: step-by-step evaluation process will be applied:
- Third of the application; It will be evaluated whether it is possible to reply without sharing the personal data of the person (for example, deleting or blackening the personal data of the third person).
- Üç" It will be determined whether the person gives explicit consent to the sharing of personal data.
- Üç" If the person's express consent will not be obtained, it will be evaluated whether the personal data in question can be shared without express consent.
The third In case it is not possible to finalize the application without sharing the data of the person; First of all, it will be applied to obtain explicit consent from the Data Owner, whose personal data has to be shared. "Third" If the person does not consent to the sharing of their data, The application will be answered by extracting the information of the person completely.
Third, whose personal data will be shared; if the person cannot be reached, the third; The Company will show maximum care and sensitivity regarding the sharing of information containing personal data. In this way, if necessary, the third; Personal data of individuals may also be shared.
5. EVALUATION OF APPLICATIONS
The requests of the Data Owner are handled by the Company as soon as possible and as soon as possible; It will be evaluated and finalized within thirty (30) days.
Applications made to the Company, maximum three times; (3) will be forwarded to the relevant department of the Company within the day; Research to be carried out by the department to which the application is directed will be concluded within a maximum of one (1) week.
6. ANSWERING APPLICATIONS
Applications made by the Data Owner to the Company are answered by the contact person appointed at the Company, and the following information is included in the responses to the applications:
- Applicant Making the Request
- Information and Documents Provided as a result of Requests
- Talbin Date of purchase
- If extra information and documents related to the request are requested; the date of these requests and the date of receipt of the relevant replies
- Transactions regarding the request
- Company Responses to Requests
- Request Response Date
- Authorized Signature
The event records, documents and results related to the relevant application are stored in the electronic directory created on this subject. A copy of the written shipment record is also stored in the archive.
7. RELEASE AND PUBLIC KEEPING UPDATED
This Procedure entered into force on 01.09.2022; The Law will be re-evaluated by the KVK Committee at the beginning of each year in line with the relevant secondary legislation, Board Decisions and Company business processes and will be updated if necessary.