Personal Data Protection Law

PART ONE

Purpose and Enforcement of the Policy

The Law on Protection of Personal Data No. 6698 (“Law”), which entered into force on 07.04.2016, sets out the procedures and principles regarding the processing of data by those classified as “data controller”, that is, those who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system.

This document (“Policy”) has been prepared in order to enlighten the real persons whose personal data our Company processes as the data controller within the scope of the above-mentioned article.

Within the scope of the Law, personal data is defined as “any information relating to an identified or identifiable natural person”; processing refers to “any kind of operation performed on the data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automated means or by non-automatic means provided that it is a part of any data recording system”.

The Law, among other regulations, obliges data controllers to inform the data owners whose personal data will be processed during the collection of personal data. According to Article 10 of the Law, data controllers should inform data owners about:

  • The identity of the data controller and its representative, if any,
  • The purpose for which personal data will be processed,
  • To whom and for what purpose the processed personal data can be transferred,
  • The method and legal reason for collecting personal data,
  • The other rights listed in Article 11 of the Law.

The subject of this Policy is our Company's customers, corporate customers' shareholders, officials and employees, potential customers, shareholders, officials and employees of our business partners and suppliers, and our candidates, former employees and interns in our Company, retirees of our Company, our visitors, company officials and shareholders, business partner and our supplier candidates and other third parties. Matters regarding the processing of personal data of our employees are regulated within the scope of a separate policy text presented to the employees in accordance with the Law.

PART TWO

Scope of the Law and Our Company's Rights and Obligations arising from the Law

  • 1. General Principles on the Processing of Personal Data
    In accordance with Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, apart from fulfilling the obligation of disclosure specified in the First Section:
    • Compliance with the law and integrity.
    • Being accurate and, when needed, up to date.
    • Processing for specific, explicit and legitimate purposes.
    • Being relevant, limited and restrained with respect to the purpose for which they are processed.
    • Preservation for as long as required by the relevant legislation or for the purpose for which they are processed.
  • 2. Purposes of Processing and Sharing Personal Data under the Law
    • a. Purposes of Processing Personal Data
      Our company does not process Personal Data without the explicit consent of the data owner. However, our company may process Personal Data without seeking the explicit consent of the data owner in the presence of one of the following conditions. Within the scope of Articles 5 and 6 of the Law, certain situations in which data can be processed without express consent have been determined for personal data and special quality personal data.
      • Personal data pursuant to Article,
      • The data processing is clearly stipulated in the law,
      • The processing of the relevant data is obligatory for the protection of the life or bodily integrity of the person or anyone else, who is unable to express his or her consent due to actual impossibility or whose consent is not given legal validity,
      • Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract,
      • Compulsory data processing in order for the data controller to fulfill its legal obligations,
      • The personal data has been made public by the person concerned,
      • Compulsory data processing for the establishment, exercise or protection of a right,
      • Provided that it does not harm the fundamental rights and freedoms of the data subject, in cases where data processing is necessary for the legitimate interests of the data controller, it can be processed even if there is no prior explicit consent of the data owner (provided that the necessary clarification has been made).
      • On the other hand, the Law has defined data on people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, their clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data, as “special quality” or “sensitive” personal data and stipulated more severe conditions for their processing. Accordingly, special categories of personal data can only be processed under the following conditions, except in cases where express consent is obtained from the data owner:
      • The data regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data of individuals can be processed in cases stipulated by the laws.
      • Personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
    • b. Purposes of Sharing Personal Data

      In accordance with data processing, the sharing (transfer) of personal data with a third party is also subject to the explicit consent of the relevant data owner. However, data transfer can also be carried out under the conditions where data processing is allowed according to Article 8 of the Law, and in this regard, in the presence of the conditions specified in Section 2.2.a above, personal data or sensitive personal data can be transferred even without the consent of the data owner.

      The Law ties the transfer of personal data abroad to special conditions. Accordingly, personal data can be transferred abroad:

      • In case of explicit consent of the data owner, or
      • In cases where there is no explicit consent of the data owner but one or more of the other conditions mentioned above are met;
      • In case there is sufficient protection in the country to which the data is transferred or, where there is not sufficient protection in that country, provided that the data controller and the data controller in the relevant foreign country give a written undertaking and the permission of the Personal Data Protection Board is obtained.
  • 3. Circumstances Outside the Scope of the Law
    According to Article 28 of the Law, the Law will not be applied in the following cases:
  • Processing personal data for purposes such as research, planning and statistics by anonymizing them through official statistics.
  • Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  • Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

PART THREE

Processing of Personal Data by Our Company

1. Classification of Personal Data Processed by Our Company

Data Category: Personal Data Categorization Disclosure
Credential: Information contained in documents such as driver's license, identity card, residence, passport, attorney ID, marriage certificate (eg TCKN, passport no., identity card serial no., name-surname, photo, place of birth, date of birth, age, place of registration, proof of identity card sample)
Contact Info: Information used to contact the person (eg e-mail address, phone number, mobile phone number, address)
Location Data: Data to identify the location of the data subject (eg location data obtained while driving)
Customer Information: Information about customers who benefit from our products and services (eg customer number, occupation information, etc.)
Customer Transaction Information: Information regarding any transaction performed by customers who benefit from our products and services (eg requests and instructions, order and basket information, etc.)
Physical Space Security Information: Personal data regarding the records and documents taken at the entrance to the physical space and during the stay in the physical space (eg entry-exit logs, visit information, camera recordings, etc.)
Transaction Security Information: Personal data processed in order to ensure the technical, administrative, legal and commercial security of our company and related parties (eg information such as website password and password indicating that the person is authorized to match the transaction associated with the personal data owner and that person and to perform that transaction)
Risk Management Information: Personal data processed in order to manage our company's commercial, technical and administrative risks (eg IP address, Mac ID, etc. records)
Financial Information: Personal data within the scope of information, documents and records showing all kinds of financial results created according to the type of legal relationship with the personal data owner (For example: information showing the financial result of the transactions made by the data owner, loan amount, card information, loan payments, interest to be paid amount and ratio, debit balance, credit balance etc.)
Specific Information: All kinds of personal data processed to obtain information that will be the basis for the protection of personal rights of real persons who are in a working relationship with the Personal Data Owner (all kinds of information and documents that must be entered in the personnel file by law)
Candidate Information: Personal data used in the application evaluation process (eg, CV, interview notes, personality test results, etc.)
Running Process Info: Personal data regarding all kinds of work-related transactions performed by the supplier employees of the Company (eg entry-exit records, business travels, information about meetings attended, security inquiries, e-mail traffic monitoring information, vehicle usage information, company card spending information)
Employee Performance and Career Development: Personal data whose information is processed for the purpose of measuring the performance of the company's supplier employees and planning and carrying out their career development within the scope of human resources policies (eg performance evaluation reports, interview results, career development trainings)
Side Rights and Benefits Information: Personal data processed for the follow-up of the fringe benefits and benefits offered to the supplier employees of the Company and for the supplier employees to benefit from them (eg private health insurance, vehicle allocation)
Marketing Information: Data to be used by our company in marketing activities (eg, the habits of the person collected for marketing purposes, reports and evaluations showing their tastes, targeting information, data enrichment activities)
Legal Action and Compliance Information: Personal data processed for the purpose of identification and follow-up of legal claims and rights and fulfillment of debt and legal obligations (eg data contained in documents such as court and administrative authority decisions)
Audit & Inspection Information: Personal data processed within the scope of our company's compliance with its legal obligations and company policies (eg audit and inspection reports, related interview records and similar records)
Private Personal Data: Data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Request/Complaint Management Information: Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to our company.
Visual and Audio Data: Visual and audio records associated with the personal data owner (eg photos, camera recordings and audio recordings)

2. Purposes of Processing Personal Data by Our Company

Our company processes personal data within the scope specified above for the following purposes:

  • Planning, auditing and execution of information security processes
  • Creating and managing information technology infrastructure
  • Planning and execution of fringe benefits and benefits for employees
  • Corporate communication for employees and/or planning and/or execution of corporate social responsibility and/or non-governmental organizations activities in which employees participate
  • Planning and execution of employees' access to information
  • Monitoring and/or supervision of employees' business activities
  • Finance and/or accounting affairs
  • Follow-up of legal affairs
  • Planning of human resources processes
  • Planning and/or executing activities to perform effectiveness/efficiency and/or appropriateness analyses of business activities
  • Planning and execution of business activities
  • Planning and executing information access authorizations of business partners and/or suppliers
  • Management of relations with business partners and/or suppliers
  • Planning and/or execution of occupational health and/or safety processes
  • Planning and/or execution of business continuity activities
  • Planning and execution of corporate communication and management activities
  • Planning and execution of logistics activities
  • Planning and execution of customer relationship management processes
  • Planning and/or execution of customer satisfaction activities
  • Follow-up of customer requests and/or complaints
  • Execution of personnel procurement processes
  • Fulfilling obligations arising from employment contracts and/or legislation for company employees
  • Planning and execution of company audit activities
  • Planning and execution of external training activities
  • Planning and executing the necessary operational activities to ensure that the company's activities are carried out in accordance with company procedures and/or relevant legislation
  • Planning and/or execution of in-company training activities
  • Ensuring the security of company operations
  • Ensuring the security of company premises and/or facilities
  • Planning and/or executing the processes of creating and/or increasing loyalty to the products and/or services offered by the company
  • Planning and/or execution of the company's production and/or operational risk processes
  • Company and partnership law transactions
  • Follow-up of contract processes and/or legal requests
  • Execution of strategic planning activities
  • Planning and execution of supply chain management processes
  • Wage management
  • Planning and execution of production and/or operation processes
  • Planning and execution of market research activities for sales and marketing of products and services
  • Planning and execution of marketing processes of products and/or services
  • Planning and execution of sales processes of products and/or services
  • Ensuring data is accurate and up-to-date
  • Giving information to authorized institutions based on legislation
  • Creating and tracking visitor records

3. Transfer of Personal Data by Our Company and Classification of Data Transferred Parties

Personal data may be transferred by our Company to our Company officials, affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations and private institutions for the above-mentioned purposes.

4. Procedure for Processing Personal Data by Our Company

Our company, as a data controller, informs the data owners in line with Article 10 of the Law before obtaining their personal data from the data owners, within the scope of its obligations arising from the Law. If any data processing process carried out by our company does not meet the conditions specified in the Law and detailed in Sections 2.2.a and b above, explicit consent is obtained from the data owners and the related processes are carried out within the framework of the aforementioned express consent.

Explicit consent within the scope of the Law is defined as "consent related to a certain subject, based on information and expressed with free will", and accordingly, our Company obtains the explicit consent of the data owners after informing them in accordance with Article 10 of the Law.

Although no period has been determined for the storage of personal data within the scope of the law, it is essential to keep personal data for as long as required by the relevant legislation or for the purpose for which they are processed, in accordance with general principles. Our company makes an evaluation based on the legislation in force regarding each data processing process and the purpose of the process, in order to determine the retention periods in accordance with the said principle. Accordingly, our Company keeps personal data at least for the period required by its legal obligations, and in any case, until the relevant statute of limitations expires.

Our company anonymizes, deletes or destroys personal data in accordance with the Law, when the purpose of processing the relevant personal data disappears within the scope of any process, including the expiration of the aforementioned periods. Within the scope of the law, anonymization is defined as “making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching them with other data”. Our Company's anonymization activities are carried out in accordance with the current legislation.

5. Personal Data Security

    In order to ensure the security of personal data, our company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data. In this context, at least the following actions are taken by our Company:
  • Taking software and hardware security measures appropriate to the processed personal data
  • Performing the audits foreseen under the law
  • Ensuring compliance of the Company and employees with the Law through in-company trainings, policies and procedures
  • Providing and recording access to information on the basis of necessity with in-company authorizations
  • Process-based follow-up of personal data processing activities
  • Taking contractual commitments regarding the protection and security of personal data in relations with suppliers

PART FOUR

Rights of Data Owners Arising from Law

    1. Rights of Data Owners
  According to Article 11 of the Law, personal data owners have the right to:
  • Learn whether personal data about himself/herself is processed,
  • Request information on personal data related to him/her,
  • Learn the purpose of processing personal data and whether they are used in accordance with its purpose,
  • Know the third parties to whom personal data is transferred at home or abroad,
  • Request correction of personal data in case of incomplete or incorrect processing,
  • Demand the deletion or destruction of personal data in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of the Law and other relevant laws,
  • Request notification of the transactions made as a result of requests for correction, deletion and destruction to third parties to whom personal data has been transferred,
  • Object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
  • Demand the compensation of the damage in case of loss due to unlawful processing of personal data.

Paragraph 2 of Article 28 of the Law regulates that in certain circumstances, the data owner cannot make a claim from the data controller other than the compensation of his losses. According to this, the above-mentioned rights cannot be exercised for the relevant data in cases where:

  • Personal data processing is necessary for the prevention of crime or for criminal investigation,
  • Personal data made public by the person concerned is processed,
  • Personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law,
  • Personal data processing is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters.

    2. Exercise of Rights
  • Data owners will be able to use e-mail communication to exercise the above-mentioned rights.
  • Applications must be submitted to Asmalı Mescit Mah. Olivia Geçidi street No:5 D:3 Beyoğlu Istanbul, or they can be made with a secure electronic signature issued under the Electronic Signature Law No. 5070, by sending a registered e-mail to info@kesifzone.com, or by e-mail sent from the e-mail address previously notified to our Company and registered in our Company's system. If a method other than the aforementioned methods is foreseen by the Personal Data Protection Board, applications can also be submitted by this method.
  • The requests of data subjects transmitted by one of the above-mentioned methods are evaluated and answered by our Company within a maximum of thirty days. Our company reserves the right to request additional information and documents from the applicant, especially in order to evaluate whether the applicant is the relevant data owner.
  • As a rule, data subject applications are evaluated by our Company free of charge. However, if a fee has been determined by the Personal Data Protection Board regarding the request of the data owner, our Company will have the right to demand payment over this fee.