1- PURPOSE AND SCOPE OF THE POLICY:
Our company attaches great importance to the procession and protection of the personal data pursuant to its basic principles. Our company's policy has been intended to harmonize the operations being carried out by company with the Personal Data Protection Law No. 6698.
Our company's policy has been constituted in order to determine the methods and processes required in compliance with the regulations applicable to the protection of the personal data in accordance with our main purpose. It is hereby intended to inform our employees, employee candidates, company managers, guests, as well as the employees/managers of our business associates, and third persons - the persons, whose personal data are processed either automatically, or unautomatically, provided that they are to be a part of any data recording system, by our company - in this respect.
- The terms being referred in this policy of our company have the following meanings:
- Explicit Consent: Means a consent relating to a certain subject which is based on information and taken at one's free will;
- Anonymization: Means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data;
- Concerned Official. Means the natural person, whose personal data is processed.
- Personal Data: Means any and all information relating to an identified or identifiable natural person.
- Personal Health Data: Means any and all health information relating to an identified or identifiable natural person, as being stipulated under the 'Regulation on the Procession and Maintaining the Privacy of Personal Health Data', published on Issue No.29863 of the Official Gazette, dated 20.10.2016.
- Processing of Personal Data: Means all kinds of processes performed on personal data, including obtaining, recording, storing, keeping, changing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use thereof in whole or in part, automatically or in non-automatic ways, provided that they are to be a part of any data recording system.
- Board: Means to be the Personal Data Protection Board
- Agency: Means to be the Personal Data Protection Agency
- Commitee: Means to be the committee in charge of the fulfillment of the procedures to be applied in compliance with the policy.
- LPPD: Means to be the Personal Data Protection Law No. 6698.
- Data Processor: Means to be the natural person or legal entity that processes personal data on behalf of the data controller on the basis of the authority vested by the latter.
- Data Controller Representative: Means to be the person that maintains the relations between the company and the Agency, who is elected among the committee, and appointed by virtue of a board resolution.
- Data Inventory: Means to be the inventory that contains the information, including the processes and methods, and the purposes of personal data procession, as well as the data categories, and third persons to whom the personal data are transferred, etc., intended to the personal data procession operations of the company.
- Data Recording System: Means to be the recording system in which the personal data is registered upon being structured according to certain criteria.
- Data Controller: Means to be a natural or legal person, who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the data registry system.
3- PROCESSION OF PERSONAL DATA IN ACCORDANCE WITH THE PERSONAL DATA PROTECTION LAW:
It is mandatory under PDPL to comply with the following general principles with regards to the procession of personal data.
- Compliance with the Law and the Rules of Good Faith:
Personal data procession is carried out on the basis of law and god faith, and pursuant to the conditions required by the purpose thereof.
- Ensuring that Personal Data are Accurate and Up-to-Date when needed:
Our company carries out any and all works necessary for keeping the personal data complete, accurate, and up-to-date, and develops respective systems by taking the basic rights of the data subjects, and its own legitimate benefits into consideration. In case the person concerned demands any change regarding his/her personal data, respective personal data are updated by us.
- Procession for Specific, Clear and Legitimate Purposes:
Legally legitimate purposes of personal data procession are clearly indicated by our company prior to commencing the respective personal data procession. In this regard, the person concerned is informed of the Personal Data Protection (PDP) regulations, and his/her explicit consents are sought in cases required by law.
- Data being in Connection, Limited, and Consistent with the Purpose of their Procession:
Our company processes personal data in relation with and limited to the indicated purpose, and in a way not to exceed the frame of the same purpose. Data procession is not carried out on the basis of conditions that are likely to happen.
- Storage of Data for a Period Stipulated by the Respective Legislation, or the Purpose of Procession:
Company keeps the personal data to the extent according to the respective purpose thereof. In cases when it is necessary to keep the personal data for a period longer than either the period stipulated under the respective regulations, or the period required by the respective personal data procession purpose, our company is to keep such personal data by way of acting in compliance with the obligations stipulated under the respective regulations.
Following the expiration of the period required by the personal data procession purpose, respective personal data are either deleted, or anonymized by our company. It is further ensured that, such personal data are to be either deleted, or anonymized by the third persons to whom they are transferred.
Committee is responsible from carrying out the aforementioned deletion and anonymization processes. The procedure required in this respect is created by the Committee.
4- SUITABILITY TO THE PERSONAL DATA PROCESSION CONDITIONS:
Our company carries out the personal data procession activities in compliance with the data procession conditions stipulated under the Article 5 of Personal Data Protection Law (PDPL). Personal data may be processed only within the scope of the methods and principles indicated below:
- Explicit Consent of the Personal Data Subject:
Personal data may be processed following the fulfillment of the obligation of disclosing respective information to the person concerned, and upon receiving the explicit consent of the person concerned in this respect. Prior to obtain the explicit consent within the frame of the obligation of disclosing information, the persons concerned are notified of their rights, explicit consents thereof are obtained by the methods in compliance with the respective regulations, and such data are kept within the required period.
Employees of all the departments processing the personal data are obliged to abide by the Committee’s instructions and by this policy as well.
Processing of Personal Data is Possible by the Following Manners without Seeking for the Explicit Consent Condition:
- In Case where Personal Data Processing Activities are Clearly Stipulated under the Laws:
- In cases where regulations intended to personal data procession are stipulated under the laws, our company is to carry out personal data procession in connection with the respective regulations.
- Failure Obtaining the Explicit Consent of the Data Subject due to Actual Impossibilities, and Imperativeness of Personal Data Procession under the Current Circumstances:
- In case the personal data subject is unable to disclose her/his consent due to actual impossibilities, or the data processing in question is imperative for saving the life or body integrity of the data subject him/herself, or of another person, our company may process the personal data in question.
Personal Data Processing in Connection with the Creation or Execution of a Contract:
As long as the conditions of being in direct connection with the creation, implementation, execution, or termination of a contract are fulfilled, the personal data belonging to the parties of the contract in question may be processed by our company without seeking for the explicit consents of the persons concerned.
Necessity of Data Procession for Our Company so as to Fulfill Its Legal Obligations as Being the Data Controller:
In cases where our company is burdened with legal obligations, our company may process personal data without seeking for the explicit consents of the persons concerned in order to fulfill such obligations.
When Personal Data are Publicized by the Person Concerned:
The personal data of the person concerned, which have been disclosed to the public by any way whatsoever, may be processed by our company in compliance with the purpose of such disclosure.
When Data Processing is Mandatory to Establish, Exercise or Protect a Right:
In cases deemed mandatory with the intent of constituting, exercising, or protecting a right, our company is to carry out data procession activities responsibly in compliance with the respective mandate. Personal data being processed within this frame may be processed by the Company within the knowledge of the Data Controller Representative without seeking for explicit consent.
In Case It is Mandatory to Process Data for Legitimate Interests of the Data Controller, provided that Fundamental Rights and Freedoms of the Person Concerned are not Prejudiced:
Our company may process data in cases where its legitimate interests necessitate, provided that the basic rights and freedoms are not to be harmed in this respect..
5- SUITABILITY TO THE PROCESSION OF PERSONAL DATA WITH SPECIAL CHARACTERISTICS:
Our company processes the personal data with special characteristics, which are referred under PDPL in limited numbers, in compliance with the regulations stipulated under the law. A number of personal data, illegal procession of which may cause discriminations or victimizations, are defined as “personal data with special characteristics”.
These data are referred to in the law as the data relating to a person's racial or ethnic origin, political opinion, religious beliefs, sect, or other beliefs, dressing, membership to an association, foundation, or to a trade union, health, sexual life, criminal record, and security measures, as well as his/her genetic data. Personal data with special characteristics may be processed by our company under the following two conditions:
- Explicit consent of the personal data subject is received; or
- Explicit consent of the personal data subject is not received;
• Personal data other than health and sexual life are allowed to be processed without the explicit consent of the person concerned in the cases provided for by law.
• However, data relating to health and sexual life may only be processed by persons obliged to keep secret or authorized agencies and administrations for purposes such as preserving public health, rendering services such as preventive medicine, medical diagnosis, treatment and care giving, planning and management of health services and financing of such services.
The measures to be determined respectively by the Committee shall be taken by our company while processing personal data with special characteristics. On each and every occasion that requires the procession of the personal data with special characteristics, Data Controller Representative is notified by the employee concerned. In case it is not possible to determine whether the data are with special characteristics, the respective opinion of the Committee is sought by the department concerned.
6- ACTIVITIES BEING CARRIED OUT AT THE ENTRANCES AND INSIDE THE BUILDINGS AND FACILITIES WITHIN THE SCOPE OF PERSONAL DATA PROCESSION;
Camera Surveillance Activity:
Camera surveillance is applied at the buildings and facilities. The notification on how to keep the personal data and basic rights protected in this respect is to be made by our company.
Camera surveillance, which is applied in compliance with the Law on the Private Security Services, and with the respective regulations as well, is intended to protect the company and third parties.
Monitoring the Departures of the Guests:
The personal data, which consist of the name-surname information being obtained by the security personnel at the entrance to our buildings and facilities are registered for the sole purpose of keeping the track of the entries and departures.
Information regarding such data, which are entered in the data recording system at the physical environment, is disclosed to our guests by means of the texts being issued to their access within the scope of the respective disclosure obligation.
7- DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA:
Personal data are either deleted, or anonymized, when the legitimate purpose of their registration ceases. Company does not keep the personal data on the likelihood to use them in the future.
The conditions, which require the deletion or anonymization of the personal data, are followed up by the Committee appointed by the company that has been defined as the “data controller” within the scope of the law. The procedure required in this respect is created by our company.
8- TRANSFER OF PERSONAL DATA AND PROCESSION OF PERSONAL DATA BY 3. PARTIES:
Our company acts in compliance with the principles stipulated under Art. 8 and 9 of PDPL in respect of the transfer of the personal data.
Our company is entitled to transfer personal data to any third-party natural person or legal entity in compliance with the respective regulations. On such occasions, the company further causes the third-party transferees of the personal data abide by this policy. Respective protective regulations to be provided by our company are inserted in the contracts entered into with such third-parties in this regard. In case any change is to be demanded by the person, whose personal data are transferred, the Data Controller Representative is promptly notified of the situation by the employee concerned. Such a demand of change is assessed by the committee, and data are updated respectively.
Transfer of Personal Data to Third Parties Domiciled in Turkey:
- Personal data may not be processed without explicit consent of the person concerned.
- Personal data may be transferred to third-parties domiciled at home without seeking for explicit consent in cases where explicit consent is not sought as stipulated under the Art. 5/2 and 6/3 of PDPL.
Committee, as well as the company employees that perform such transfers are responsible from the performance of personal data transfers to the third-parties domiciled at home in compliance with the respective regulations.
Transfer of Personal Data to Third Parties Domiciled Abroad:
- Personal data may not be transferred to third-parties domiciled abroad without explicit consent of the person concerned.
- Personal data may be transferred to third-parties domiciled abroad without seeking for explicit consent in cases where explicit consent is not sought as stipulated under the Art. 5/2 and 6/3 of PDPL.
The availability of such conditions is sought regarding the country where the personal data transfer is to be made to the foreign third-parties domiciled therein:
1- Applicability of adequate protection in the foreign country in question Countries with adequate protection are identified and announced by the Board.
2- In case adequate protection is not applicable in the foreign country in question (not being included in the list of the safe countries to be determined by the Board), our company and the data controller domiciled in that country undertakes in writing to maintain adequate protection, while the permit of the Board is further sought.
Committee, as well as the company employees that perform such transfers are responsible from the performance of personal data transfers to the third-parties domiciled abroad in compliance with the respective regulations.
9- TRANSFER OF PERSONAL HEALTH DATA:
Personal health data may not be transferred by the company without having them anonymized. However transfer to public institutions and organization is permissible within the frame of maintaining the protection of the public health, and preventive medicine, medical diagnosis, treatment, and care services as well, planning and management of the health services and their financing, and in cases where it is stipulated explicitly under the laws.
In case the personal health data are to be transferred without being anonymized, the company notifies the Committee respectively, and the Committee takes any and all of the measures necessary for the fulfillment of the obligations within he frame of the regulations stipulated regarding the transfer of the personal health data.
Committee is responsible from ensuring the transfers of personal health data to third-parties are carried out in compliance with the respective regulations.
10- SCOPE OF THE RESPONSIBILITY PERTAINING TO THE TRANSFER OF PERSONAL DATA:
As being the data controller in accordance with the respective articles of the PDPL, the company is responsible from the procession of the personal data, and their transfers to third-parties. In case any breach of law occurs, despite the measures taken by the data controller in compliance with the respective regulations, Committee is to ascertain the cause of such a breach. In case the company is to be imposed with any sanction due to the breach in question, our right to recourse to the company employee, who has committed the breach, is reserved. It is therefore the responsibility of each and every company employee to ensure that the personal data procession and transfer activities are carried out in compliance with the law.
11- GROUPS OF PEOPLE TO WHOM PERSONAL DATA TRANSFER IS MADE BY OUR COMPANY:
Provided that such transfers are to be carried out limited to the purpose demanded legally by the persons concerned, and in compliance with the conditions of data transfer to third-parties stipulated under the PDPL, data transfer is permissible to business partners, suppliers, authorized public institutions and organizations, as well as to the authorized special law persons with the intent of carrying on the business activities.
12- DISCLOSURE TO THE PERSONAL DATA SUBJECTS:
The identity details of our company as being the data controller, the purposes for which we process the personal data, the persons to whom we may transfer the personal data we process, as well as the purposes of such transfers, the method by which we collect personal data, as well as the legal causes thereof are all indicated in the disclosure text we submitted to the data subjects. The application form we issue for the demands of the data subjects, on the other hand, consists of the channels of access to our company for claiming any demand.
We refer to the rights of the data subject also in our policy within the scope of our disclosure obligation of ours as the data controller stipulated under Art.10 of PDPL. Upon applying to our company, data subjects are entitled;
- To find out whether their personal data has been processed,
- To request respective information if their personal data have been processed,
- To find out the reason for processing of their personal data and whether this has been used properly for that purpose,
- To be informed of the domestic or international third parties to which the personal data has been transferred,
- To request the correction of personal data that has been processed insufficiently or incorrectly,
- To demand the deletion or destruction of the personal data upon the cease of the grounds on which they are processed in consideration of the principles of purpose, period, and legitimacy,
- To request that the third parties to whom personal data have been transferred be notified of the actions regarding the correction, deletion or destruction of personal data,
- To object to an adverse result following the analysis of the processed data by automatic systems exclusively; and,
- To demand indemnification of loss if they suffer loss due to the illegal procession of their personal data.
Such applications to be submitted to our company shall be concluded free of charge in no longer than thirty days, depending on the nature of the request as being stipulated under Art. 13/2 of PDPL. In the instance which the procedure requires an additional expense, the fee indicated in the price list determined by the Board may be received.
Our company may demand information from the applicant, and address questions to him/her upon his/her application in order to ascertain whether the said person is the subject of the data in question.
Conditions Excluded from the Scope of the Rights of the Personal Data Subjects in Accordance with the Regulations of PDPL:
The conditions to which the provisions of law may not be applicable are stipulated under Art.28 of PDPL. The conditions under which the personal data subjects may not lay claim to their rights are stipulated as follows:
- Procession of the personal data for research, planning, and statistical purposes, by the manner of anonymization via official statistics,
- Procession of the personal data within the scope of artistic, historical, literal, or scientific purposes, provided that such a procession is not to violate national defense, national security, public security, public order, economic security, confidentiality of private life, or personal rights, or not to cause any crime,
- Procession of the personal data within the scope of the preventive, protective, and intelligence activities being conducted by the legally authorized public institutions and organizations with the intent of maintaining national defense, national security, public security, public order, or economic security,
- Procession of the personal data by the judicial or execution authorities in respect of investigation, proceeding, trial, or execution processes.
The conditions under which the personal data subjects may not lay claim to their rights, except laying claim for damage recovery, on the other hand, are stipulated under Art. 28/2 of PDPL:
- Personal Data processing is necessary for the prevention of crime or for a criminal investigation,
- Personal data that have been publicized by the Related Person him/herself have been processed,,
- The processing of the personal data is necessary for the execution of inspection or regulation duties or disciplinary investigation or inquiry by the authorized and competent public authorities and entities, or professional institutions that are in the nature of a public institution based on the authorities granted to them by the laws,
- Personal Data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.
13- CATEGORIZATION OF PERSONAL DATA BEING PROCESSED BY OUR COMPANY:
The categories of data that are clearly belonging to a natural person who is identified or identifiable, and that are completely or partially processed either automatically, or unautomatically as part of a data recording system are given as follows;
- Identity Information The data consisting of the identity details of the person. Such documents including driving license, birth certificate, passport that contains such information as TR ID#, nationality, father’s/mother’s names, POB/DOB, and such information including Tax ID#, SSI (Soc. Sec. Inst.)#, signature details, license plate, etc. as well
- Contact Details Such information as the phone number, address, e-mail address, IP address, etc.
- Location Data GPS location, travel data, which determine the location of the vehicles and devices being used while performing our business activities
- Information on Family Members and Relatives The information regarding the family members, and relatives of the personal data subjects, as well as the third-parties who may be contacted under emergency conditions with the intent of protecting the legal benefits of our company, and those of the data subjects in question
- Physical Location Security Information Personal data regarding the records registered, and documents received at the time of entry to the physical location and during the stay thereat, as well as the camera records, fingerprint records, and the records taken at the security checkpoint
- Process Security Information The personal data being processed for the technical, administrative, legal, and commercial security of the data subject and the company in the course of our company’s business operations
- Risk Management Information The personal data being processed while the methods required for the management of commercial, technical, and administrative risks are in use
- Audiovisual Information Photograph and camera records (excluding the security information of the physical location), voice records, as well as the data contained in the documents with the quality of copies of the documents containing personal data
- Personal Information All sorts of personal data intended for obtaining the information required for the accrual of the personal rights of natural persons in employment relation with the company
- Employee Candidate Information The personal data being processed in respect of the individuals, who are either considered as employee candidates, or in employment relation with our company in line with the human resources needs of our company
- Personal Data with Special Characteristics Personal data referred to in Art.6 of PDPL (health data, including blood group, biometric data, religion, and information regarding the affiliated associations)
Demand/Complaint Management Information sonal data regarding the receipt and assessment of any and all sorts of demands or complaints addressed to our company
Categorization of the Data Transferes:
- Customers of the Company Disregarding any contractual relation they have entered with our company, the natural persons, personal data of whom are processed within the scope of the operations being carried out by our business units
- Guests of the Company Natural persons who have entered to the physical settlement we own, or visited our websites for various purposes.
- Employee Candidates of the Company
- Suppliers of the Company The parties rendering services in compliance with the company’s orders and instructions, and on contractual basis, in the course of the business operations
- Our Business Partners The parties, with whom the company has established business partnerships in the course of its business operations
- Legally Authorized Public Institutions and Organizations The public institutions and organizations which are authorized to collect the information and documents of the company by virtue of the provisions of the respective regulations
- Legally Authorized Legal Entities of Private Law The legal entities of private law, who are authorized to collect the information and documents of the company by virtue of the provisions of the respective regulations
14- DATA MANAGEMENT AND SECURITY:
The company establishes the Committee in order to fulfill its obligations falling within the scope of the law, to ensure and check the implementation of the regulations required for the implementation of the policy, to deliver opinions regarding the functionality thereof, and appoints one of the Committee members as the Data Controller Representative.
All employees involved in the process are jointly responsible from personal data protection.
Personal data protection activities are checked by technical systems in consideration of technological facilities and application costs, and personnel knowledgeable in technical issues are employed in our company.
Employees of the company are informed and trained on the Law on the protection of personal data, and processing of personal data in accordance with the law.
Any regulation necessary is made in order to provide access to the personal data for the employees in the company that should have access to such data. Committee is responsible from the development and implementation of the regulations.
Company’s employees are entitled to access to the personal data only within the authority that is defined for them, and in accordance with the provisions of the respective law. Any access and procession that breaches the authority of the employee is deemed illegal, and constitutes the ground for the rightful termination of his/her employment contract.
In case an employee is of the opinion that the personal data protection is not maintained adequately, or has detected a security gap in this respect, the company promptly notifies the Data Controller Representative accordingly.
Each and every person, who is allocated with a company device, is responsible from the security of this device.
In case there are security measures being required / to be required additionally for personal data protection within the scope of the respective regulations, all the employees become obliged to abide by such additional security measures, and to maintain the continuity of them.
Software and hardware consisting of virus protection systems and firewalls are used in order to ensure the storage of personal data within the company in secure environments.
Back-up programs are used, and security measures of adequate level are applied in the company in order to secure the personal data from any loss or damage.
Documents that contain personal data are protected by encrypted systems in the company. In this context, personal data are not allowed to be kept at common spaces and desktops. It is not allowed to move the documents that contain personal data, such as files, folders, etc. to the desktop, or to the common folder, and to transfer the information stored in the Company computers to another device, such as USB, etc., or outside the Company without the prior written consent of the Data Controller Representative.
In case a department in the company processes personal data with special characteristics, the said department is notified by the Committee regarding the importance, security, and confidentiality of the data it processes, and the said department acts in accordance with the respective instructions of the Committee. The authority to access to personal data with special characteristics is vested only to a limited group of employees, and the Committee keeps the list and track of such employees.
The whole of the personal data being processed in the company are deemed as “Confidential Information” by the Company.
The company’s employees have been notified of the fact that, their obligations regarding the security and confidentiality of the personal data shall last also after the termination of their employment relations, and their commitments have been received for abiding by the respective rules.
In case the personal data are to be seized illegally by unauthorized persons within the scope of the personal data procession activities in progress, PDP (Personal Data Protection) Board, and the data subjects concerned shall promptly be notified of this situation.
15- COMMITTEE IN CHARGE OF PROTECTION AND PROCESSION OF PERSONAL DATA:
The committee in charge of the fulfillment of the procedures to be applied in compliance with the policy is elected and established by the Board of Directors. The established Committee shall elect a Data Controller Representative among the natural person members thereof. Duties of the Committee:
- To cause the creation of the policies, procedures and instructions, to make effort for the fulfillment of such works in the company,
- To decide for in-company application and audit, to distribute duties, and to maintain coordination,
- To raise awareness in the company,
- To identify the risks, and to ensure that necessary measures are taken,
- To design trainings regarding the instructions, and to cause the execution thereof,
- To resolve on the applications of the personal data subjects,
- To coordinate the relationship between the PDP Board and Agency,
- To fulfill the other duties that may be given by the company management in this respect.
Committee is responsible from taking any measure necessary for the procession and protection of the personal data. It is further obliged to take any technical and administrative measure necessary for the protection of all the personal data being kept within the company, as well as to monitor the respective developments and administrative activities together with the Board of Directors, to draw up the necessary PDP policy, and submit to the approval of the Board of Directors, and upon receipt of the said approval, to announce it throughout the Company, and to maintain and monitor the compliance thereto..
16- EFECTIVE DATE
This Policy becomes effective as of the date it is approved by the Board of Directors.
The regulations stipulated under the Policy are revised once a year, and in case of necessity to make change therein, respective change is made upon receiving the approval of the Board of Directors.