CFA INTERNATIONAL PERSONAL DATA PROCESSING POLICY
1. PURPOSE
This document aims to establish the Company's policies on the processing, storage, and protection of personal data in accordance with the law and the purpose of Law No. 6698 on the Protection of Personal Data, and to inform individuals whose personal data is processed by the Data Controller, including Company Partners, Company Partner Representatives, Company Officials, Company Employees, Employee Candidates, Interns, Visitors, Customers, Prospective Customers, Customer Representatives, Suppliers, Supplier Employees, Supplier Subcontractors, and their employees, as well as third parties, about the processes related to the protection of personal data, and to regulate the procedures and principles to be followed regarding the processing, storage, and protection of personal data.
The aim is to ensure that the Data Controller's activities of processing and protecting personal data fully comply with the legislation and that all rights which the legislation grants to personal data owners are protected.
2. SCOPE
This Policy covers real persons whose personal data is processed by the Data Controller by automatic or non-automatic means, including but not limited to Company Partners, Company Partner Representatives, Company Officials, Company Employees, Employee Candidates, Interns, Visitors, Customers, Prospective Customers, Customer Representatives, Suppliers, Supplier Employees, Supplier Subcontractors, and third parties. This Policy does not apply to legal entities or to data relating to legal entities.
The Data Controller informs Personal Data Owners about the Law through this Policy by publishing it on its website. In addition to the provisions of this policy, the Personal Data Processing and Protection Policy for Employees is also implemented for Data Controller employees. In case the data processed by the Data Controller does not fall within the scope of "Personal Data" as defined below or the processing of Personal Data carried out by the Data Controller is not in the ways specified in the Policy, this Policy will not be applicable. In this context, the real persons within the scope of this Policy are defined in the following descriptions. The Policy covers all activities of the Data Controller related to the processing of personal data, and all Data Controller employees and relevant third parties are required to comply with its requirements.
3. DEFINITIONS AND ABBREVIATIONS
Company / Our Company / Data Controller | CFA International |
---|---|
Personal Data / Data | Any kind of information related to an identified or identifiable real person. |
Special Categories of Personal Data / Data | Race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. |
4. POLICY TEXT
4.1 Processing and Transfer of Personal Data
4.1.1 General Principles for the Processing of Personal Data
The Personal Data processed by the Company are processed in accordance with the procedures and principles envisaged in the Law and in this Policy. The Company acts in accordance with the following principles when processing Personal Data:
aa. Personal Data are processed in accordance with the law and the rules of good faith.
bb. Personal Data are ensured to be accurate and up-to-date. In this context, issues such as the determination of the sources from which the data are obtained, verification of accuracy, and assessment of whether updating is necessary are carefully taken into account.
cc. Personal Data are processed for specific, clear, and legitimate purposes. Legitimacy implies that the Personal Data processed by the Company are related to the work or service provided by the Company, connected to the activities and processes carried out by the Company, and necessary for these.
dd. Personal Data processed are relevant to, limited to, and proportionate to the purpose for which they are processed.
ee. If there is a period stipulated by legislation for the retention of data, compliance with these periods is ensured. Otherwise, Personal Data are kept only for the period required for the purpose for which they were processed. If there is no valid reason for keeping Personal Data for a longer period, the data are deleted, destroyed, or anonymized.
4.1.2 Conditions for the Processing of Personal Data
The Company does not process personal data without the explicit consent of the data subject. However, if one of the following conditions is met, Personal Data may be processed without the explicit consent of the data subject:
i. The Company may process Personal Data of Data Subjects even if there is no explicit consent in cases explicitly stipulated by the laws. For example, no explicit consent is required for including the name of the relevant person on the invoice in accordance with Article 230 of the Tax Procedure Law.
ii. Where it is necessary to protect the life or physical integrity of the data subject or of another person, and the data subject is unable to give consent owing to actual impossibility or the consent is not legally valid, Personal Data may be processed without explicit consent, as explicitly prescribed by the Law. For example, where a person's consciousness is impaired or the person is mentally ill and their consent is therefore not valid, the Personal Data of the Data Subject may be processed during medical intervention to protect the life or bodily integrity of that person or of another person. In this context, data such as blood type, past illnesses and surgeries, and medications used may be processed through the relevant healthcare system.
iii. Personal Data belonging to the parties to a contract may be processed by the Company provided that the processing is directly related to the establishment or performance of that contract. For example, the account number of the payee may be obtained in order to make a payment under a contract.
iv. The Company, as the data controller, may process the Personal Data of Data Subjects if necessary to fulfill its legal obligations.
v. Personal Data that the Data Subjects have themselves made public, in other words disclosed to the public in any way, may be processed without explicit consent, since the legal interest that the consent requirement protects has ceased to exist in respect of such data.
vi. In cases where data processing is mandatory for the exercise or protection of a legitimate right by the Company, Personal Data of Data Subjects may be processed without seeking explicit consent.
vii. Where processing is mandatory for the legitimate interests of the Company, provided that this does not harm the fundamental rights and freedoms of the Data Subjects protected under the Law and this Policy, the Company may process the Personal Data of Data Subjects. The Company shows the necessary care in complying with the fundamental principles of Personal Data protection and in balancing its interests against those of the Data Subjects.
4.1.3 Conditions for Processing Special Categories of Personal Data
The Company does not process Special Categories of Personal Data without the explicit consent of the data subject. However, Special Categories of Personal Data other than those relating to health and sexual life may be processed without explicit consent in cases prescribed by the law. Personal Data relating to health and sexual life may be processed by the Company without the explicit consent of the data subject only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, and only by persons under an obligation of confidentiality or by authorized institutions and organizations. The Company takes the adequate measures prescribed by the Board when processing Special Categories of Personal Data.
In addition to the provisions in this Policy, the Company has established a separate policy regarding the security of Special Categories of Personal Data in a systematic, clearly defined, manageable, and sustainable manner. The Special Categories of Personal Data Security Policy is implemented in this regard.
4.1.4 Conditions for Transfer of Personal Data
Our Company may transfer Personal Data and Special Categories of Personal Data of Data Subjects to third parties in compliance with the Law, in line with the purposes of processing, by establishing the necessary confidentiality conditions and taking security measures. Our Company acts in accordance with the regulations stipulated in the Law when transferring Personal Data. In this context, our Company may transfer Personal Data to third parties on the basis of one or more of the processing conditions specified in Article 5 of the Law, in the presence of, and limited to, the following conditions:
- If the explicit consent of the Personal Data subject is available,
- If there is an explicit provision in the laws regarding the transfer of Personal Data,
- If it is necessary to protect the life or physical integrity of the Personal Data subject or someone else,
- If the Personal Data subject is unable to disclose his/her consent due to actual impossibility or if his/her consent is not legally valid,
- If it is necessary to transfer Personal Data for the establishment or performance of a contract directly related to the parties of a contract,
- If the transfer of Personal Data is mandatory for our Company to fulfill its legal obligation,
- If the Personal Data has been made public by the Personal Data subject,
- If the transfer of Personal Data is mandatory for the establishment, exercise, or protection of a right,
- If the transfer of Personal Data is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data subject.
4.1.4.1 Conditions for the Transfer of Personal Data Abroad
Our Company may transfer the Personal Data and Special Categories of Personal Data of Data Subjects to third parties abroad, in line with the purposes of processing and by taking the necessary security measures, with the explicit consent of the Data Subject or in the presence of one of the conditions set out in Section 4.1.4, where the recipient is in a foreign country that the Personal Data Protection Board (the "Board") has declared to provide adequate protection. Where adequate protection is not available in the recipient country, the transfer may be made only if the data controllers in Turkey and in the recipient country undertake adequate protection in writing and the Board grants permission for the transfer.
4.1.5 Conditions for the Transfer of Special Categories of Personal Data
The Company, by taking the necessary care and precautions and the adequate measures prescribed by the Board, and in accordance with the legitimate and lawful purposes of processing Personal Data, may transfer the Special Categories of Personal Data of the Data Subject to third parties under the following conditions:
(i) In the event of explicit consent of the Personal Data Subject, or
(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Subject;
a) Special Categories of Personal Data other than the health and sexual life of the Personal Data Subject (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing and apparel, association, foundation or union membership, criminal record, and security measures, and biometric and genetic data), in cases prescribed by the laws,
b) Special Categories of Personal Data related to the health and sexual life of the Personal Data Subject can only be transferred by individuals or institutions authorized to keep it confidential or authorized public institutions and organizations, for the purposes of protecting public health, carrying out preventive medicine, conducting medical diagnosis, treatment and care services, planning and managing health services and their financing, under the obligation to keep it confidential.
4.1.5.1 Conditions for the Transfer of Special Categories of Personal Data Abroad
The Company, by taking the necessary care and precautions and the adequate measures prescribed by the Board, and in accordance with the legitimate and lawful purposes of processing Personal Data, may transfer the Special Categories of Personal Data of the Data Subject to foreign countries where adequate protection is available, or where the data controllers in Turkey and in the recipient country undertake adequate protection in writing and the Board grants permission, under the following conditions:
(i) In the event of explicit consent of the Personal Data Subject, or
(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Subject;
a) Special Categories of Personal Data other than the health and sexual life of the Personal Data Subject (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing and apparel, association, foundation or union membership, criminal record, and security measures, and biometric and genetic data), in cases prescribed by the laws,
b) Special Categories of Personal Data related to the health and sexual life of the Personal Data Subject can only be transferred by individuals or institutions authorized to keep it confidential or authorized public institutions and organizations, for the purposes of protecting public health, carrying out preventive medicine, conducting medical diagnosis, treatment and care services, planning and managing health services and their financing, under the obligation to keep it confidential.
4.2 Classification of Personal Data, Purposes of Processing and Transfer, Persons to Whom They Will Be Transferred
4.2.1 Classification of Personal Data
In our Company, Personal Data belonging to data subjects are processed within the scope of this Policy and limited to the subjects it covers, for the Company's legitimate and lawful purposes, in accordance with the general principles set out in Article 4 of the Law, on the basis of one or more of the processing conditions specified in Article 5 of the Law (which permit processing without explicit consent where a condition other than consent applies), and provided that the data subjects are informed in accordance with Article 10 of the Law. This section also states which data subjects the personal data processed in each category relate to.
PERSONAL DATA CATEGORY | DESCRIPTION OF PERSONAL DATA CATEGORY |
---|---|
Identity Information | Data that is clearly about a specific or identifiable real person; processed partially or completely automatically or non-automatically as part of the data recording system; includes information about a person's identity such as name, last name, nationality, mother's name, father's name, mother's maiden name, place of birth, date of birth, gender, marital status; and documents such as driver's license, ID card, passport, tax number, social security number, signature information, vehicle license plates, etc. |
Contact Information | Data that is clearly about a specific or identifiable real person; processed partially or completely automatically or non-automatically as part of the data recording system; includes information such as address number, phone number, contact address, email address, registered electronic mail address (KEP), fax number, IP address, etc. |
Location Data | Data that is clearly about a specific or identifiable real person; processed partially or completely automatically or non-automatically as part of the data recording system; includes information about the location of the Personal Data Subject, such as the location of Company vehicles used by the data subject, identifiable location information in emergency calls, GPS location, travel data, etc. |
Employee Information | Data that is clearly about a specific or identifiable real person; processed partially or completely automatically or non-automatically as part of the data recording system; includes information processed to establish the basic information required for the rights of individuals in their working relationship with the Company, such as payroll information, disciplinary investigations, employment document records, asset declaration information, resume information, performance evaluation reports, SGK documents, inventory documents, passport information, photograph, bank information, leave forms, travel forms, expense forms, Occupational Health and Safety Certificates, insurance information, driver information, and similar personal data arising from the employment relationship. |
Legal Transaction Information | Data processed in the context of the Company's legal processes, determination, pursuit of receivables and rights, and legal obligations, such as information in correspondence with judicial authorities, incoming and outgoing documents, lawsuit files, etc. |
Customer Transaction Information | Data that is clearly about a specific or identifiable real person; processed partially or completely automatically or non-automatically as part of the data recording system; includes information obtained and produced about the relevant individual as a result of the commercial activities of the Company and the operations carried out by the Company's units, such as call center records, invoices, promissory notes, check information, order information, request information, offers, service numbers, etc. |
Physical Space Security Information | Personal data related to the entry and exit of a physical space, the records and documents taken during the stay in the physical space; includes personal data such as camera records, fingerprint records, and records taken in terms of security. |
Transaction Security Information | Personal data such as IP Address information processed for the technical, administrative, legal, and commercial security of the Personal Data Subject and the Company during the conduct of the Company's activities, Internet Site entry-exit information, password information, etc. |
Risk Management Information | Data processed for the management of all kinds of commercial, technical, administrative risks created depending on the type of the legal relationship established by the Company with the Personal Data Subject. |
Financial Information | Information, documents, and records showing all kinds of financial results created depending on the type of legal relationship established by the Company with the Personal Data Subject, such as bank account number, IBAN number, credit card information, financial profile, asset information, income information, etc. |
Professional Experience Information | Information processed according to the type of legal relationship established by the Company with the Personal Data Subject, such as diploma information, courses attended, in-service training information, certificates, candidate application forms, reference interview information, job interview information, transcript information, etc. |
Marketing Information | Information obtained and generated about the relevant individual as a result of the commercial activities and operations of the Company, such as shopping history information, surveys, cookie records, data obtained through campaign activities. |
Family Members and Close Information | Information about the family members (e.g., spouse, parents, children), relatives, and other persons who can be reached in emergencies, obtained within the framework of the operations carried out by the Company units or related to the products and services it offers, or to protect the legal and other interests of the Company and the Personal Data Subject. |
Visual/Audio Information | Information related to a specific or identifiable real person, such as photographs and camera records (excluding records falling under Physical Space Security Information), audio records, and data contained in documents that contain personal data. |
Clothing Information | Information about identifiable clothing obtained partially or completely automatically or non-automatically according to the type of legal relationship established by the Company with the Personal Data Subject, such as photographs, job interview information, candidate application forms. |
Association/Foundation/Union Membership Information | Information about identifiable association, foundation, and/or union membership obtained partially or completely automatically or non-automatically, such as photographs, job interview information, candidate application forms. |
Health Information | Health data of the Personal Data Subject and/or family members obtained within the framework of the operations carried out by the Company units or related to the products and services it offers, or to protect the legal and other interests of the Company and the Personal Data Subject, such as Health Reports, Disability Tax Exemption Certificates, insurance documents, military service status certificates, etc. |
Criminal Convictions and Security Measures Information | Data on criminal records of the Personal Data Subject obtained within the framework of the operations carried out by the Company units or in the working relationship with the Company, and data such as judicial fines and penalties, security measures, etc. |
Biometric and Genetic Data | Biometric and genetic data obtained within the framework of the operations carried out by the Company units or related to the products and services it offers, or to protect the legal and other interests of the Company and the Personal Data Subject, such as fingerprint records, iris records, etc. |
Data on Social and Economic Life | Data related to the social and economic life of the Personal Data Subject, obtained within the framework of the operations carried out by the Company units or related to the products and services it offers, or to protect the legal and other interests of the Company and the Personal Data Subject, such as records of charity activities, bank account information, etc. |
The types of Personal Data processed for the Data Subjects specified in the Policy are as follows:
PERSONAL DATA CATEGORY | DATA SUBJECTS RELATED TO THE RELEVANT PERSONAL DATA |
---|---|
Identity Information | Employee, Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees |
Contact Information | Employee, Employee Candidates, Interns, Customer, Prospective Customer, Customer Representative, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees, Third Parties |
Location Data | Employee, Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees |
Employee Information | Employee, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative |
Legal Transaction Information | Employee, Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees, Third Parties |
Customer Transaction Information | Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees, Third Parties |
Physical Space Security Information | Employee, Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees |
Transaction Security Information | Employee, Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees |
Risk Management Information | Employee, Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees |
Financial Information | Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor, Suppliers, Supplier Representatives/Employees |
Professional Experience Information | Employee, Employee Candidates, Interns |
Marketing Information | Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor |
Family Members and Close Information | Employee, Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor |
Visual/Audio Information | Customer, Prospective Customer, Customer Representative, Employee Candidates, Interns, Company Partner, Company Partner Representative, Company Representative, Visitor |
Clothing Information | Employee, Employee Candidates, Interns |
Association/Foundation/Union Membership Information | Employee, Employee Candidates, Interns |
Health Information | Employee, Employee Candidates, Interns, Customer, Prospective Customer, Customer Representative |
Criminal Convictions and Security Measures Information | Employee, Employee Candidates, Interns, Customer, Prospective Customer, Customer Representative |
Biometric and Genetic Data | Employee, Employee Candidates, Interns, Customer, Prospective Customer, Customer Representative |
Data on Social and Economic Life | Employee, Employee Candidates, Interns, Customer, Prospective Customer, Customer Representative |
4.3 Purposes of Processing and Transfer of Personal Data
Personal Data are processed by the Data Controller, in accordance with the law and the purpose of the Law and limited to the processing conditions specified in Articles 5 and 6 of the Law, for the following purposes:
- To plan and implement its policies in the best way,
- To plan, execute, and manage its commercial partnerships and strategies correctly,
- To ensure its own and its business partners' legal, commercial, and physical security,
- To ensure the operation of corporate processes, plan and execute management and communication activities,
- To enable Personal Data Owners to benefit from its products and services in the best way, and to offer and tailor those products and services according to their requests, needs, and wishes,
- To provide the highest level of data security,
- To establish databases,
- To improve the services offered on the website and eliminate errors on the website,
- To contact Personal Data Owners who submit their requests and complaints, and ensure the management of requests and complaints,
- Event management,
- Management of relationships with business partners or suppliers,
- Conducting personnel recruitment processes,
- Execution and follow-up of financial reporting and risk management transactions,
- Execution and follow-up of company legal affairs,
- Conducting activities for the protection of its reputation,
- Management of investor relations,
- Providing information to authorized institutions in accordance with the legislation,
- Creating and tracking visitor records.
Processing for the purposes listed above is carried out within the scope of the processing conditions specified in Articles 5 and 6 of the Law and is limited to those purposes. Where a processing activity carried out for these purposes does not meet any of the conditions provided in the Law, the Company obtains the data subject's explicit consent for that processing.
4.3.1 Persons to Whom Personal Data Will Be Transferred
Your Personal Data may be transferred, in accordance with the law and the purpose of the Law and within the framework of this Policy, to the categories of persons listed below for the following purposes:
Persons to Whom Data Transfer Can Be Made | Purpose of Data Transfer |
---|---|
Suppliers | To ensure the provision of services that the Company needs for its commercial activities, and to fulfill the purposes of the business partnership established with the supplier, such as carrying out projects by the Company alone or together with Group Companies in the course of the Company's commercial activities. |
Company Officials | It can be transferred for the purpose of designing strategies related to the commercial activities of the Company, ensuring the highest level of management, and for audit purposes in accordance with the relevant legislation provisions. |
Subsidiary Company | It can be transferred in accordance with the legislation provisions within the scope of the authority and responsibilities of the Subsidiary Company within the partnership relationship of the Company with the Subsidiary Company. |
Authorized Public Institutions and Organizations | It can be transferred for the purpose requested by the relevant public institutions and organizations within the legal authority. |
Related Private Law Persons | It can be transferred for the purpose requested by the relevant private law persons within the legal authority. |
Occupational Health and Safety Specialist | It can be transferred for the purpose requested by the Company's Occupational Health and Safety specialist within the legal authority in accordance with the legislation provisions. |
Company Internal Units | It can be transferred for the purpose of conducting the Company's business processes and activities, and performing its obligations. |
Independent Audit Firm | It can be transferred in accordance with the legal authority to independent audit firms with independent audit authority within the scope of the Company's legal obligations. |
5. METHOD AND LEGAL BASIS OF COLLECTING PERSONAL DATA, DELETION, DESTRUCTION, ANONYMIZATION, AND RETENTION PERIOD OF PERSONAL DATA
5.1 Method and Legal Basis of Collecting Personal Data
Within the purpose of the Law (Article 1) and its scope (Article 2), Personal Data are collected by the Company or by data processors acting on its behalf, by verbal, written, electronic, technical, and other means, from sources such as the call center, the Company website, and mobile applications, on the legal bases of legal obligations arising from the law, contracts, and request- and consent-based grounds, in order to fulfill the Company's legal responsibilities completely and correctly.
5.2 Deletion, Destruction, or Anonymization of Personal Data
Without prejudice to the provisions of other laws on the deletion, destruction, or anonymization of Personal Data, and even where the Company has processed Personal Data in accordance with the Law and other legal regulations, Personal Data are deleted, destroyed, or anonymized by the Company ex officio or upon the request of the data subject when the reasons requiring their processing cease to exist. Deletion of Personal Data means rendering the data inaccessible and unusable in any way for the relevant users. Destruction of Personal Data means rendering the data inaccessible, irretrievable, and unusable by anyone, including by destroying the storage media on which they are recorded, such as records, files, CDs, floppy disks, and hard disks. Anonymization of Personal Data means rendering the data impossible to associate with an identified or identifiable real person, even when matched with other data.
5.3 Retention Period of Personal Data
The Company keeps Personal Data for the period stipulated in the relevant legislation, if any. If there is no period specified in the legislation on how long personal data should be kept, Personal Data are processed for a period required by the Company's practices and commercial life in accordance with the activities carried out by the Company when processing that data, and then deleted, destroyed, or anonymized.
When the purpose of processing Personal Data has ended, and the end of the storage periods determined by the relevant legislation and the Company has been reached; Personal Data are only kept for the purpose of providing evidence in possible legal disputes or asserting or defending the related right depending on the legislation, even if the statutory periods of limitation for the right in question have passed, and the storage periods are determined based on examples from previous requests submitted to the Company on the same subjects. In this case, access to the stored personal data is provided only when necessary for the relevant legal dispute. After the end of the mentioned period, personal data are deleted, destroyed, or anonymized.
Detailed arrangements regarding the storage, deletion, destruction, and anonymization of Personal Data are included in the Personal Data Deletion, Destruction, and Anonymization Policy.
6. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA
The Company takes the necessary technical and administrative measures to prevent the unlawful processing of Personal Data, prevent unauthorized access to data, and ensure the preservation of data in accordance with Article 12 of the Law. In this context, necessary audits are conducted or outsourced.
6.1 Ensuring the Security of Personal Data
6.1.1 Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data
The Company takes technical and administrative measures in accordance with technological possibilities and application costs to ensure the lawful processing of Personal Data.
(i) Technical Measures Taken to Ensure the Lawful Processing of Personal Data
The main technical measures taken by the Company to ensure the lawful processing of Personal Data are as follows:
a. Personal Data processing activities within the Company are monitored with established technical systems.
b. Technical measures taken are periodically reported to the relevant authorities as part of the internal audit mechanism.
c. Knowledgeable personnel are employed in technical matters.
d. ISO 27001 Information Security Management System is implemented within our Company.
(ii) Administrative Measures Taken to Ensure the Lawful Processing of Personal Data
The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are as follows:
a. Employees are informed and trained on data protection laws and the lawful processing of Personal Data.
b. All activities carried out by the Company's business units are analyzed in detail, and based on this analysis, Personal Data processing activities specific to each business unit are determined.
c. The Personal Data processing activities that each business unit carries out, together with the specific detailed activities within them, are determined for every business unit in order to ensure compliance with the processing conditions required by the Law.
d. The contracts and documents governing the legal relationship between the Company and its employees include provisions specifying the obligation not to process, disclose, or use Personal Data except as required by the Law; employees are made aware of this obligation, and audits are conducted to verify that the obligations arising from the Law are fulfilled.
6.1.2 Technical and Administrative Measures Taken to Prevent Unauthorized Access to Personal Data
The Company takes technical and administrative measures based on the nature of the data to be protected, technological possibilities, and application costs in order to prevent the disclosure, access, transfer, or any other unlawful access to Personal Data.
(i) Technical Measures Taken to Prevent Unauthorized Access to Personal Data
The main technical measures taken by the Company to prevent unauthorized access to Personal Data are as follows:
a. Technical measures are taken in line with technological advancements, and these measures are periodically updated and renewed.
b. Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined at the business unit level.
c. Access permissions are restricted, and permissions are regularly reviewed.
d. Technical measures taken are reported periodically to the relevant authorities as part of the internal audit mechanism, and technological solutions are produced to address identified existing or potential risk factors.
e. Software and hardware, including virus protection systems and firewalls, are installed.
f. Knowledgeable personnel are employed in technical matters.
g. Regular security scans are conducted to detect security vulnerabilities in applications where Personal Data is collected. Identified vulnerabilities are addressed.
(ii) Administrative Measures Taken to Prevent Unauthorized Access to Personal Data
The main administrative measures taken by the Company to prevent unauthorized access to Personal Data are as follows:
a. Employees are trained on technical measures to prevent unauthorized access to Personal Data.
b. Access and authorization processes for Personal Data are designed and implemented within the Company in accordance with legal compliance requirements determined at the business unit level.
c. Employees are informed that they may not disclose Personal Data to others in violation of the provisions of the Law or use it for purposes other than processing, that this obligation continues even after they leave their position, and the necessary commitments are obtained from them in this regard.
d. Contracts concluded with third parties that store Personal Data on the Company's behalf due to technical requirements include provisions stating that the third parties to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure compliance with these measures within their organizations.
6.1.3 Storage of Personal Data in Secure Environments
The Company takes the necessary technical and administrative measures, considering technological possibilities and application costs, to store Personal Data in secure environments and prevent its unlawful destruction, loss, or alteration.
(i) Technical Measures Taken for the Secure Storage of Personal Data
The main technical measures taken by the Company for the secure storage of Personal Data are as follows:
a. Systems that are compatible with technological advancements are used to store Personal Data securely.
b. ISO 27001 Information Security Management System has been established, certified, and operated.
c. Specialists in technical matters are employed.
d. Technical security systems are established for storage areas, security tests and research are conducted to identify security vulnerabilities in information systems, and identified current or potential risk factors are addressed based on the results of these tests and research. Technical measures taken are reported periodically to the relevant authorities as part of the internal audit mechanism.
e. Backup programs are used in a lawful manner to ensure the secure storage of Personal Data.
f. Access to data storage areas is restricted to authorized personnel and limited to the purpose of storing Personal Data; access to these areas is logged, and inappropriate access or access attempts are reported immediately to the relevant authorities.
(ii) Administrative Measures Taken for the Secure Storage of Personal Data
The main administrative measures taken by the Company for the secure storage of Personal Data are as follows:
a. Employees are trained to ensure the secure storage of Personal Data.
b. Regular awareness training sessions are organized, and awareness emails are sent.
c. Legal and technical consultancy services are obtained to follow developments in information security, the privacy of private life, and the protection of personal data and to take necessary actions.
d. In case external services are obtained due to technical requirements for the storage of Personal Data, contracts are concluded with the relevant companies to ensure that Personal Data is transferred in accordance with the law, including provisions stating that the persons to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure compliance with these measures in their organizations.
6.1.4 Audit of Measures Taken for the Protection of Personal Data
The Company conducts the necessary internal audits, and external audits by independent certification bodies, in accordance with Article 12 of the Law, and takes the necessary measures to address the findings of these audits within the scope of the Company's internal procedures (e.g., Regulatory Preventive Action Records).
6.1.5 Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data
In case Personal Data processed in accordance with Article 12 of the Law is obtained by others through illegal means, the Company records this situation with the Information Security Violation Record, and also operates a system to ensure that it is reported to the relevant Personal Data Owner and the Data Protection Authority as soon as possible. If deemed necessary by the Data Protection Authority, this situation may be announced on the website of the Data Protection Authority or by another method.
6.2 Protection of the Legal Rights of Personal Data Owners
The Company respects all legal rights of Personal Data Owners and takes all necessary measures to protect these rights in the implementation of this Policy and the Law. Detailed information about the rights of Personal Data Owners is provided in Section 7 of this Policy.
6.3 Protection of Special Categories of Personal Data
The Company pays the utmost attention to the protection of special categories of Personal Data, which are defined as "sensitive" by the Law and are processed in accordance with the law. In this context, technical and administrative measures taken for data protection are applied with maximum care regarding Special Categories of Personal Data, and necessary audits are conducted within the Company on this subject.
7. RIGHTS OF THE DATA SUBJECT, EXERCISING RIGHTS, AND EVALUATION
7.1 Informing the Data Subject
The Company, in accordance with Article 10 of the Law, informs Data Subjects during the collection of Personal Data. In this context, if applicable, the Company provides information about the identity of the Company's representative, the purpose of processing Personal Data, to whom and for what purpose Personal Data may be transferred, the method of collecting Personal Data, and the legal basis for processing, as well as the rights of the Data Subject. Under this obligation to inform, the Company informs the relevant individuals both in writing through informational texts (e.g., GDPR Information Statement) and verbally through communication tools by relevant departments of the Company.
7.2 Rights of the Data Subject According to the Personal Data Protection Law
The Company, in accordance with Article 10 of the Law, informs Data Subjects of their rights, guides them on how to exercise these rights, and establishes the necessary internal procedures and administrative and technical arrangements for this purpose. In accordance with Article 11 of the Law, the Company informs the individuals whose Personal Data is processed that they have the right to:
- Learn whether their Personal Data is processed,
- If it is processed, request information about the processing,
- Learn the purpose of processing and whether the data are used for their intended purpose,
- Know the third parties in the country or abroad to whom Personal Data is transferred,
- Request the correction of Personal Data if it is incomplete or incorrect,
- Request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
- Request compensation for the damage suffered if Personal Data is processed in violation of the law,
- Object to a result arising against them from the analysis of the processed data exclusively through automated systems,
- Request compensation for damages in case Personal Data is processed unlawfully.
7.3 Cases Where the Data Subject Cannot Exercise Their Rights
In accordance with Article 28 of the Law, the following cases are excluded from the scope of the Law, so Data Subjects cannot exercise the rights listed in Section 7.2 of this Policy in these cases:
a. Processing of Personal Data by real persons entirely on their own or by family members living in the same household within the scope of activities related to themselves, provided that Personal Data is not disclosed to third parties and data security obligations are complied with.
b. Processing of Personal Data for research, planning, and statistical purposes by anonymizing them through official statistics.
c. Processing of Personal Data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights or does not constitute a crime.
d. Processing of Personal Data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities for the purpose of ensuring national defense, national security, public security, public order, or economic security.
e. Processing of Personal Data by judicial authorities or enforcement authorities in connection with investigation, prosecution, trial, or execution proceedings.
In accordance with Article 28/2 of the Law, in the following cases Data Subjects cannot exercise the rights listed in Section 7.2 of this Policy, except for the right to claim compensation for damages:
f. Necessity of processing Personal Data for the prevention of a crime or for the conduct of a criminal investigation.
g. Processing of Personal Data that has been made public by the Data Subject.
h. Necessity of processing Personal Data by public institutions and organizations authorized by law for the conduct of inspections or regulatory duties or for the initiation of a disciplinary investigation or prosecution.
i. Necessity of processing Personal Data for the protection of the economic and financial interests of the State in relation to budget, taxation, and financial matters.
7.4 Exercising the Rights of the Data Subject
Data Subjects can exercise the rights listed in Section 7.2 of this Policy by filling out and signing the Application Form, which can be reached from the Data Controller Request Form link, together with information and documents that identify them, and submitting it by one of the methods specified below or by another method determined by the DPA:
(i) Sending the completed application form through a notary to the address İsmetiye Mah. Sütcü İmam Sk. Karaca İş Merkezi No: 5/6 Battalgazi, Malatya,
(ii) Signing the completed application form with a secure electronic signature and sending the electronically signed form to [email protected],
(iii) Sending it to [email protected] from the Data Subject's registered email address.
In order for third parties to apply on behalf of the Data Subject, there must be a special power of attorney prepared by the Data Subject through a notary.
7.5 Company's Response to Applications and Duration
The Company concludes the requests included in the application, depending on the nature of the request, within the shortest time possible, not exceeding thirty days at the latest. However, if the process requires an additional cost, a fee can be charged according to the tariff determined by the DPA. The Company may accept or reject the request, explaining the reasons, and notifies the response in writing or electronically. If the request is accepted, the Company fulfills the request.
7.6 Right to Complain to the DPA by the Data Subject
In cases where the application is rejected, the response is found inadequate, or if no response is received within the deadline; the Data Subject has the right to complain to the DPA within thirty days from the date they learn about the response and in any case, within sixty days from the date of application.
8. MANAGEMENT ACTIVITIES UNDER THE COMPANY'S PERSONAL DATA PROCESSING AND PROTECTION POLICY
Our Company has appointed a Contact Person to handle communication for responding to requests made within the scope of the Law and to fulfill our Company's obligation to register with the Data Controllers Registry Information System (VERBIS). Within the Company, this Policy and its related and affiliated policies are carried out, within the scope of business processes, by the Regulation and Law, Quality and Process Management Units. In this context, these units perform the procedures necessary for the storage and processing of Data Subjects' Personal Data in compliance with the law, this Policy, and its related and affiliated policies.
9. UPDATES, COMPLIANCE, AND CHANGES
9.1 Update and Compliance
The Company reserves the right to make changes to this Policy and related and affiliated policies due to changes in the Law, decisions of the DPA, or developments in the sector or in the field of informatics. This policy and other relevant policies/regulations are reviewed annually and updated.
Changes made in this Policy are immediately incorporated into the text, and explanations regarding the changes are provided at the end of the Policy.