İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi
PERSONAL DATA PROTECTION AND PROCESSING POLICY
Approved by the Directors Board.
ABBREVIATIONS AND CONCEPTS
KVKK/Law |
Personal Data Protection Law No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677 |
GDPR |
EU (European Union) General Data Protection Regulation |
Constitution |
The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863 |
Data Processor |
Except for the person or unit responsible for technical storage, protection and backup of the data, the person who processes personal data outside the organization of the data controller and in line with the authorization and instruction received from the data controller. |
Data Owner/Data Subject |
Natural persons whose personal data are processed, such as employees, customers, business partners, shareholders, officials, potential customers, candidate employees, interns, visitors, suppliers, employees of the institutions with which the Company is affiliated, and third parties and other persons, including but not limited to those listed herein. |
Data Controller |
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. For the purposes of this Policy, İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi will hereinafter be referred to as the Data Controller. |
Open Consent |
Consent on a specific issue, based on information and freely given. |
Disposal |
Deletion, disposal or anonymization of personal data. |
Storage/Recording Environment |
Any environment in which personal data processed by fully or partially automated or non-automated means, provided that it is part of any data recording system. |
Personal Data |
Any information relating to an identified or identifiable natural person. |
Sensitive Personal Data |
Personal data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
Processing of Personal Data |
Any operation performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
Anonymization of Personal Data |
Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
Deletion of Personal Data |
The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
Disposal of Personal Data |
The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
Periodic Disposal |
Deletion, destruction or anonymization to be carried out ex officio at recurring intervals in the event that all of the conditions for processing personal data specified in the Law are eliminated. |
Regulation |
Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017 and numbered 30224 and entered into force as of January 1, 2018. |
PDP Board / Board |
Personal Data Protection Board |
PDP Authority |
Personal Data Protection Authority |
Policy |
Data Controller Personal Data Protection and Processing Policy |
Turkish Penal Code |
Turkish Penal Code dated September 26, 2004 and numbered 5237; published in the Official Gazette dated October 12, 2004 and numbered 25611. |
Obligation to Inform |
The data controller shall inform the relevant persons about the identity of the Data Controller, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the data subject listed in Article 11 of the KVKK. |
Data Controllers Registry Information System (VERBIS) |
It is a data registry system created by the Board Presidency under the supervision of the Board, where data controllers register and declare information about their data processing activities. |
1. INTRODUCTION
1.1. Objective
As the Data Controller, we are aware of our responsibility for the protection of personal data, which is regulated as a constitutional right, and taking it under legal guarantee, and we give importance to the safe use of your personal data.
The purpose of this policy is to regulate the methods and principles to be followed by İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi to ensure that it processes and protects personal data in accordance with the Law on the Protection of Personal Data (KVKK) published in the Official Gazette dated April 7, 2016 and numbered 29677.
In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by the Data Controller and to protect all rights of personal data owners arising from the legislation on personal data.
1.2. Scope
This policy applies to the activities carried out by İzbaş İzmir Serbest Bölgesi Kurucu ve İşleticisi Anonim Şirketi for the processing and protection of all personal data.
This policy covers natural persons whose personal data are processed by the Data Controller through automatic or non-automatic means, provided that they are part of any data recording system. This Policy does not apply to legal entities and legal entity data in any way.
Groups of Persons Whose Data are Processed under the Policy |
Employee |
Product or Service Recipient |
Supplier Officer |
Shareholder/Partner |
Visitor |
Supplier Employee |
Potential Product or Service Buyer |
Parent / Guardian / Representative |
Subject of the news |
Employee Candidate |
Intern |
Public Official |
Rapporteur |
Occupational Health and Safety Specialist |
Doctor |
Workplace Physician |
Website Visitors |
The entire scope of application of this Policy will cover all of the personal data owners in the above-mentioned categories of the relevant group of persons; some of its provisions may only be directed to certain groups of relevant persons.
This policy is implemented by the Data Controller in the activities carried out for the processing and protection of all personal data, together with the relevant detailed data procedures.
1.3. Implementation of the Policy and Related Legislation
Within the scope of this Policy, the relevant legal regulations and data security principles in force in the national legislation on the processing and protection of personal data will primarily apply. In case of incompatibility between the legislation in force and the Policy, the Data Controller agrees that the legislation in force will be applied.
2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the KVKK, the Data Controller takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to carry out or have the necessary audits carried out within this scope.
2.1. Ensuring the Security of Personal Data
2.1.1. Technical and Administrative Measures Taken to Ensure the Processing of Personal Data in Accordance with the Law, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments
Subject to the confidentiality of personal data, the Data Controller takes technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to ensure the appropriate level of security in order to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent its loss and destruction, to ensure its storage and preservation in secure environments.
2.1.1.1. Technical Measures Taken to Ensure the Processing of Personal Data in Accordance with the Law, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments
The main technical measures taken by the Data Controller, subject to personal data confidentiality, to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent loss and destruction, to ensure the appropriate level of security in order to ensure storage and preservation in secure environments are listed below:
Technical Measures |
Network security and application security are ensured |
Access logs are kept regularly |
Corporate policies on access, information security, use, storage and disposal have been prepared and implemented |
Up-to-date anti-virus systems are used |
Firewalls are used |
Personal data is backed up and the security of the backed up personal data is also ensured |
User account management and authorization control system is implemented and monitored |
Data loss prevention software is used |
Log records are kept without user intervention |
If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using KEP or corporate mail account |
Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units |
Intrusion detection and prevention systems are used |
2.1.1.2. Administrative Measures Taken to Ensure the Lawful Processing of Personal Data, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments
The main administrative measures taken by the Data Controller, subject to personal data confidentiality, to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent loss and destruction, to ensure the appropriate level of security in order to ensure that it is stored and stored in secure environments are listed below:
Administrative Measures |
Disciplinary arrangements are in place for employees that include data security provisions |
Training and awareness activities on data security for employees are carried out at regular intervals |
Authorization matrix has been created for employees |
Confidentiality commitments are made |
Employees who change their position or leave their job are de-authorized in this area |
The signed contracts contain data security provisions |
Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format |
Personal data security policies and procedures have been determined |
Personal data security issues are quickly reported |
Personal data security is monitored |
Necessary security measures are taken for entering and exiting physical environments containing personal data |
Physical environments containing personal data are secured against external risks (fire, flood, etc.) |
Security of environments containing personal data is ensured |
Personal data is minimized as much as possible |
Existing risks and threats have been identified |
Protocols and procedures for the security of sensitive personal data have been determined and implemented |
Awareness of data processing service providers on data security is ensured |
2.1.2. Supervision of Measures Taken for the Protection of Personal Data
In accordance with Article 12 of the KVK Law, the Data Controller conducts or has the necessary audits carried out within its own organization. The results of the measure audit carried out within the scope of the audit activities required to fulfill the obligations of the legal regulations that constitute the personal data protection planning are reported to the relevant department within the scope of the internal functioning of the Data Controller and necessary activities are carried out to improve the measures taken.
2.1.3. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
The Data Controller has the obligation to protect the personal data it processes against unauthorized access, illegal processing, disclosure, loss and alteration. In the event that the personal data processed in accordance with Article 12 of the KVKK is obtained and used by unauthorized others through unlawful means, it carries out the system that ensures that this situation is notified to the relevant personal data owner and the PDP Board as soon as possible.
2.2. Observing the Rights of the Data Subject; Creating Channels to Communicate These Rights to the Data Controller and Evaluating the Requests of Data Subjects
The Data Controller carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
If personal data owners submit their requests regarding their rights listed below in writing to us, the Data Controller, will finalize the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the rate schedule determined by the PDP Board will be charged to the applicant data owner.
Personal data owners;
Learn whether personal data is being processed,
Request information if their personal data has been processed,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose
To know the third parties to whom personal data are transferred domestically or abroad,
To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or disposal of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
In case of damage due to unlawful processing of personal data, it has the right to demand the compensation of the damage.
2.3. Protection of Sensitive Personal Data
KVKK shows great importance to certain sensitive personal data due to the risk of causing victimization or discrimination in case of unlawful processing.
These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
The Data Controller acts sensitively in the protection of special categories of personal data, which are determined as "special categories" by the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by the Data Controller for the protection of personal data are carefully implemented in terms of special categories of personal data and necessary audits are provided within the Data Controller and a Policy on Processing and Protection of Special Categories of Personal Data is also established.
2.4. Awareness Raising and Audit of Business Units on Protection and Processing of Personal Data
The Data Controller ensures that the necessary trainings are organized for the business units in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.
Necessary systems are established to ensure that the existing employees of the business units of the Data Controller and the employees who are newly included in the business unit are aware of the protection of personal data, and if necessary, professional persons are hired.
The results of the trainings conducted to increase the awareness of the business units of the Data Controller on the protection and processing of personal data are reported to the Data Controller. In this direction, the Data Controller evaluates the participation in the relevant trainings, seminars and information sessions and conducts or has the necessary audits carried out. As the Data Controller, the trainings carried out by us are updated and renewed in parallel with the updating of the relevant legislation.
3. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
The Data Controller, in accordance with Article 20 of the Constitution and Article 4 of the KVKK, in the processing of personal data; in accordance with the law and good faith; accurate and up-to-date when necessary; pursuing specific, clear and legitimate purposes; personal data processing activities in a purpose-related, limited and measured manner.
The Data Controller retains personal data for the period stipulated by law or required by the purpose of personal data processing.
Pursuant to Article 20 of the Constitution and Article 5 of the KVKK, the Data Controller processes personal data based on one or more of the conditions in Article 5 of the KVKK regarding the processing of personal data.
In accordance with Article 20 of the Constitution and Article 10 of the KVKK, the Data Controller informs the personal data subjects and provides the necessary information in case the personal data subjects request information.
In accordance with Article 6 of the KVKK, the Data Controller acts in accordance with the regulations stipulated for the processing of special categories of personal data.
In accordance with Articles 8 and 9 of the KVKK, the Data Controller acts in accordance with the regulations stipulated in the law and set forth by the PDP Board regarding the transfer of personal data.
3.1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation
3.1.1. Processing in accordance with the Law and Good Faith
The Data Controller acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, the Data Controller takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than its purpose.
3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Data Controller; It ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. It takes necessary measures in this direction.
3.1.3. Processing for Specific, Explicit and Legitimate Purposes
The Data Controller clearly and precisely determines the legitimate and lawful purpose of personal data processing. The Data Controller processes personal data in connection with and to the extent necessary for the services it provides. The purpose for which personal data will be processed by the Data Controller is determined before the personal data processing activity begins.
3.1.4. Being relevant, limited and proportionate to the purpose for which they are processed
The Data Controller processes personal data in a manner that is conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.
3.1.5. Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
The Data Controller retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, the Data Controller first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it acts in accordance with this period, and if a period of time is not determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, disposed of or anonymized by the Data Controller at the end of the period or in the event that the reasons requiring their processing disappear. Personal data are not stored by the Data Controller with the possibility of future use.
3.2. Processing of Personal Data Based on and Limited to One or More of the Personal Data Processing Conditions Stated in Article 5 of the KVKK
Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons specified in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution; the Data Controller processes personal data only in cases stipulated by law or with the explicit consent of the person.
3.3. Informing the Personal Data Owner
In accordance with Article 10 of the Data Controller and KVKK, we inform personal data owners during the acquisition of personal data. In this context, we inform about the identity of the Data Controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner.
Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, "requesting information" is also listed among the rights of the personal data owner in Article 11 of the KVKK. In this context, the Data Controller provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVKK.
While fulfilling the disclosure obligation, the Data Controller acts in accordance with the Law No. 6698, the Communiqué on the Procedures and Principles to be followed in the Fulfillment of the Disclosure Obligation, the Board decisions published on the website of the Authority and the Guide to the Fulfillment of the Disclosure Obligation prepared by the Authority.
3.4. Processing of Special Categories of Personal Data
In the processing of personal data determined as "special quality" by the KVKK, the Data Controller acts in strict compliance with the regulations stipulated in the KVKK.
In Article 6 of the KVKK, some personal data that have the risk of causing victimization or discrimination when processed unlawfully are determined as "special categories". These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
In accordance with the KVKK, special categories of personal data are processed by the Data Controller in the following cases, provided that adequate measures to be determined by the PDP Board are taken:
If the personal data subject has explicit consent
or
If the personal data subject does not have explicit consent;
Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal data owner are processed only by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
A separate policy for the processing of special categories of personal data is established by the Data Controller.
3.5. Transfer of Personal Data
The Data Controller may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the lawful personal data processing purposes. In this direction, the Data Controller acts in accordance with the regulations stipulated in Article 8 of the KVKK.
3.5.1. Conditions for Transfer of Personal Data
In line with legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below:
If there is explicit consent of the personal data owner.
If there is a clear regulation in the laws regarding the transfer of personal data.
If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid.
If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
If personal data transfer is mandatory for the Data Controller to fulfill its legal obligation.
If the personal data has been made public by the personal data subject.
If personal data transfer is mandatory for the establishment, exercise or protection of a right.
If personal data transfer is mandatory for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
3.5.2. Transfer of Sensitive Personal Data
The Data Controller may transfer the personal data of the personal data owner to third parties in the following cases in line with the legitimate and lawful personal data processing purposes by taking the necessary care, taking the necessary security measures and adequate measures stipulated by the PDP Board.
If the personal data subject has explicit consent
or
If the personal data subject does not have explicit consent
Sensitive personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and apparel, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data) other than the health and sexual life of the personal data owner, in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal data owner are transferred only to persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
3.6. Transfer of Personal Data Abroad
The Data Controller may transfer the personal data and sensitive personal data of the personal data owner to third parties abroad by taking the necessary security measures in line with the lawful personal data processing purposes.
As a result of the widespread use of company applications that provide information services today, communication through instant messaging or online communication channels is established through platforms and applications of foreign origin. Therefore, it is possible to transfer data abroad through these platforms.
Personal data are transferred by the Data Controller to foreign countries declared to have adequate protection by the PDP Board or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PDP Board has permission ("Foreign Country Where the Data Controller Undertakes Adequate Protection"). In this direction, the Data Controller acts in accordance with the regulations stipulated in Article 9 of the KVKK.
3.6.1. Conditions for Transferring Personal Data Abroad
In line with the legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the presence of one of the following cases if the personal data owner has explicit consent or if the personal data owner does not have explicit consent:
3.6.2. Transfer of Sensitive Personal Data Abroad
If the personal data subject has explicit consent
or
If the personal data subject does not have explicit consent;
Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal data owner can only be transferred within the scope of processing by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY THE DATA CONTROLLER
In accordance with Article 10 of the KVKK, the Data Controller informs the personal data owner of which personal data owner groups' personal data are processed, the purposes of processing the personal data of the personal data owner and the retention periods within the scope of the disclosure obligation.
4.1. Categorization of Personal Data
The following categories of personal data are processed by the Data Controller by informing the relevant persons in accordance with Article 10 of the KVKK, in line with the legitimate and lawful personal data processing purposes of the Data Controller, based on one or more of the personal data processing conditions specified in Article 5 of the KVKK and limited to the subjects within the scope of this Policy by complying with the general principles specified in the KVKK, especially the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the KVKK.
Category of Personal Data |
Description |
Identity Data |
Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; containing information about the identity of the person; (documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality information, mother's name-father's name, place of birth, date of birth, gender, and information such as tax number, Social Security number, signature information, vehicle license plate, etc.) |
Communication Data |
Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; (information such as telephone number, address, e-mail address, fax number, IP address) |
Financial Data |
Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; (Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Data Controller with the personal data owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information) |
Professional Experience Data |
Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; data containing information about the identity of the person; (Data processed according to the type of legal relationship established by the Data Controller with the Personal Data Owner; data such as diploma information, courses attended, vocational training information, certificates, candidate application forms, reference interview information, job interview information, transcript information). |
Criminal Conviction and Security Measures Data |
Data belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, (data such as the criminal record of the Personal Data Owner obtained within the framework of the operations carried out by the business units of the Data Controller or in order to carry out the business processes of natural persons in a working relationship with the Data Controller or to protect the legal and other interests of the Data Controller and the Personal Data Owner) |
Location Data |
Information that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (information that determines the location of the personal data owner within the framework of the operations carried out by the business units, during the use of products and services or while using the vehicles of the employees, GPS location, travel data, etc.). |
Audio/Visual Data |
Data that clearly belongs to an identified or identifiable natural person (photographs and camera recordings (except for recordings within the scope of Physical Space Security Information), voice recordings and data contained in documents that are copies of documents containing personal data) |
Personnel Information |
All kinds of personal data that clearly belong to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed to obtain information that will be the basis for the formation of the employee’s rights of natural persons who are in a working relationship with the Data Controller |
Health Data |
Personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (health data such as health report, disability tax exemption certificates, insurance certificates, military service status certificates of the Personal Data Owner and / or family members obtained within the framework of the operations carried out by the business units of the Data Controller, in relation to the products and services offered or in order to carry out the business processes of natural persons in a working relationship with the Data Controller or to protect the legal and other interests of the Data Controller and the Personal Data Owner) |
Legal Process Data |
Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed within the scope of the Data Controller's legal processes, determination of receivables and rights, follow-up and fulfillment of debts and legal obligations, information in correspondence with judicial authorities, incoming and outgoing documents, information such as case files. |
Venue Security Data |
Personal data relating to records and documents taken at the entrance to the physical space, during the stay in the physical space, camera recordings, records taken at the security point, etc., which are clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system. |
Risk Management Data |
Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed for the management of all kinds of commercial, technical, administrative risks created according to the type of legal relationship established by the Data Controller with the Personal Data Owner. |
Customer Transaction Data |
Information such as call center records, invoice, promissory note check information, order information, request information, request information, offer, service number obtained and produced about the relevant person as a result of the commercial activities of the Data Controller and the operations carried out by the business units, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system. |
Marketing Data |
Data obtained through shopping history information, surveys, cookie records, campaigns, which are clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, obtained and produced about the relevant person as a result of the commercial activities of the Data Controller and the operations carried out by the business units. |
Process Security Information |
Personal data such as IP Address information, Website login and exit information, password and password information, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Data Controller while carrying out the activities of the Data Controller. |
Vehicle Information |
Data such as Vehicle License Plate, Vehicle License Plate, Embezzled Vehicle Information, Vehicle License Plate, Vehicle License Plate, Vehicle License Plate, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system. |
Family Member and Relative Data |
Information on family members who clearly belong to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system |
4.2. Purposes of Processing Personal Data
The Data Controller processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the KVKK. These purposes and conditions are listed below:
It is clearly stipulated in the Laws that the Data Controller is engaged in the relevant activity regarding the processing of your personal data
The processing of your personal data by the Data Controller is directly related and necessary for the establishment or performance of a contract
Processing of your personal data is mandatory for the Data Controller to fulfill its legal obligation
Provided that your personal data has been made public by you; processing by the Data Controller in a limited manner for the purpose of publicization by you
Processing of your personal data by the Data Controller is mandatory for the establishment, use or protection of the rights of the Data Controller or you or third parties
It is mandatory to carry out personal data processing activities for the legitimate interests of the Data Controller, provided that it does not harm your fundamental rights and freedoms
Processing of personal data by the Data Controller is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his consent due to actual or legal invalidity
It is stipulated in the laws for personal data of special nature other than the health and sexual life of the personal data owner
In terms of personal data of special nature related to the health and sexual life of the personal data owner, it is processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
In this context, the Data Controller processes your personal data for the following purposes:
Purposes of Processing |
Monitoring and Execution of Legal Affairs |
Execution of Storage and Archive Activities |
Execution of Contract Processes |
Providing Information to Authorized Persons, Institutions and Organizations |
Execution of Management Activities |
Execution of Activities in Compliance with the Legislation |
Execution of Assignment Processes |
Execution / Supervision of Business Activities |
Execution of Emergency Management Processes |
Ensuring Physical Space Security |
Ensuring the Security of Movable Property and Resources |
Execution of Activities for Customer Satisfaction |
Execution of Communication Activities |
Execution of Supply Chain Management Processes |
Execution of Risk Management Processes |
Execution of Finance and Accounting Affairs |
Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees |
Execution of Fringe Benefits and Benefits Processes for Employees |
Creating and Tracking Visitor Records |
Execution of Business Continuity Ensuring Activities |
Planning Human Resources Processes |
Execution of Occupational Health / Safety Activities |
Execution of Logistics Activities |
Execution of Customer Relationship Management Processes |
Conducting Audit / Ethics Activities |
Receiving and Evaluating Suggestions for Improvement of Business Processes |
Tracking Requests / Complaints |
Execution of Goods / Service Procurement Processes |
Execution of Goods / Services Production and Operation Processes |
Conducting Internal Audit / Investigation / Intelligence Activities |
Execution of Goods / Service Sales Processes |
Execution of Wage Policy |
Execution of Goods / Services After Sales Support Services |
Conducting Training Activities |
Execution of Employee Satisfaction and Loyalty Processes |
Execution of Employee Candidate Application Processes |
Execution of Employee Candidate / Intern / Student Selection and Placement Processes |
Execution of Termination Procedures |
Execution of Performance Evaluation Processes |
Execution of Human Resources Processes |
Ensuring the Security of Data Controller Operations |
Execution of Access Authorizations |
Organization and Event Management |
Foreign Personnel Work and Residence Permit Procedures |
Execution of Information Security Processes |
Execution of Company / Product / Service Loyalty Processes |
Conducting Marketing Analysis Studies |
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the KVKK, your explicit consent is obtained by the Data Controller regarding the relevant processing process.
4.3. Retention of Personal Data
4.3.1. Retention Periods of Personal Data
If stipulated in the relevant laws and regulations, the Data Controller retains personal data for the period specified in these regulations. The retention periods determined by the Data Controller are stated below:
Categories of Personal Data |
Retention Period |
Identification Data |
10 years from the end of the purpose of data processing 1 year from the end of the purpose of data processing 15 years from the termination of the employment contract 10 years from the termination of the legal relationship Storage capacity up to 10 Years from the end of the activity 2 years from the end of the processing purpose 10 Years from the Termination of the Legal Relationship 10 Years from the Expiry of the Purpose of Processing 15 Years from the Termination of the Employment Relationship 10 Years from the Termination of Operations 15 Years from the Termination of Employment 10 Years After Termination of the Purpose of Processing 1 year from the end of the processing purpose 6 months from the end of the pandemic 10 years from the end of the processing purpose 5 years from the end of the processing purpose 2 Years |
Communication Data |
10 years from the end of the purpose of data processing 10 years from the termination of the legal relationship 15 years from the termination of the employment contract 10 Years from the end of the activity 10 Years from the Expiry of the Purpose of Processing 15 Years from the Termination of the Employment Relationship 10 Years from the Termination of the Legal Relationship 10 Years from the Termination of Operations 1 year from the end of the processing purpose 15 Years from the Termination of Employment 10 years from the end of the processing purpose 5 years from the end of the processing purpose 2 years from the end of the processing purpose 1 Year |
Vehicle Data |
10 years from the end of the purpose of data processing 10 Years from the end of the activity 15 years from the termination of the employment contract 15 Years from the Termination of Employment |
Financial Data |
10 years from the end of the purpose of data processing 10 years from the termination of the legal relationship 15 years from the termination of the employment contract 10 Years from the end of the activity 10 Years from the Termination of the Legal Relationship 10 Years from the Termination of Operations 15 Years from the Termination of Employment |
Professional Experience Data |
10 years from the end of the purpose of data processing 15 years from the termination of the employment contract 10 Years from the end of the activity 1 year from the end of the processing purpose 1 Year |
Criminal Conviction and Security Measure Data |
10 years from the end of the purpose of data processing 10 years from the termination of the legal relationship 1 year from the end of the processing purpose 15 years from the termination of the employment contract |
Location Data |
10 years from the end of the purpose of data processing 15 years from the termination of the employment contract 15 Years from the Termination of Employment 5 years from the end of the processing purpose |
Audio and Visual Recording Data |
10 years from the end of the purpose of data processing 15 years from the termination of the employment contract Storage capacity up to 10 Years from the Expiry of the Processing Purpose 10 Years from the end of the activity |
Personnel Data |
10 years from the end of the purpose of data processing 15 years from the termination of the employment contract 10 years from the termination of the legal relationship 15 Years from the Termination of Employment 10 Years from the Termination of the Legal Relationship 1 year from the end of the processing purpose 1 Year |
Health Data |
10 years from the end of the purpose of data processing 10 Years from the end of the activity 15 years from the termination of the employment contract 1 year from the end of the processing purpose 6 months from the end of the pandemic 15 Years from the Termination of the Employment Relationship |
Legal Process Data |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship |
Venue Security Data |
Storage capacity up to 45 days 15 years from the termination of the employment contract |
Risk Management |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the Termination of Operations 10 years from the end of the purpose of data processing |
Customer Transaction Data |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the Termination of Operations 10 Years from the Termination of the Legal Relationship 10 years from the end of the processing purpose 2 years from the end of the processing purpose 10 years from the end of the purpose of data processing |
Employee Relatives Data |
15 years from the termination of the employment contract |
Marketing |
10 years from the end of the processing purpose 5 years from the end of the processing purpose 2 years from the end of the processing purpose 10 years from the end of the purpose of data processing |
Process Security |
2 years from the end of the processing purpose 5 years from the end of the processing purpose 10 years from the end of the purpose of data processing 2 Years |
If a period of time is not regulated in the legislation regarding how long personal data should be stored, Personal Data is processed for the period required to be processed in accordance with the practices and customs of the commercial life of the Data Controller, depending on the activity carried out by the Data Controller while processing that data, and then deleted, destroyed or anonymized. You can find detailed information on this subject in the Policy on Deletion, Destruction or Anonymization of Personal Data of the Data Controller.
If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Data Controller have come to an end; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the aforementioned right and the examples in the requests previously addressed to the Data Controller on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.
4.3.2. Responsibility and Distribution of Duties in the Storage of Personal Data
All units and employees of the Data Controller actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law by properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, training and raising awareness of the unit employees, monitoring and continuous supervision.
4.3.3. Storage Environments
Personal data belonging to data subjects are securely stored by the Data Controller in the environments listed in the table below in accordance with the relevant legislation, especially the provisions of the KVKK:
Storage Environments |
Computer |
Locked Archive Cabinet |
Company Server |
Locked Cabinet |
Hard Disk |
Archive Cabinet |
Domestic Email Server |
Server |
Archive Room |
Excel Program |
Software Program - Domestic |
Paper |
Notebook |
Flash Memory |
Domestic Server |
Encrypted File |
Access Restricted File |
5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED BY THE DATA CONTROLLER
The table below details the categories of personal data subjects mentioned above and the types of personal data processed by the persons within these categories.
Personal Data Owner Category and Description |
Categories of Processed Personal Data of the Data Subject |
Employee (Real persons who have an employment contract with the Data Controller) |
Identity Communication Location Personel Legal Process Venue Security Audio and Visual Recordings Criminal Conviction and Security Measures Vehicle Information Health Information Risk Management Finance Professional Experience Employee's Family Member and Relative Information Process Security Marketing |
Product or Service Recipient (Natural persons whose personal data are obtained through the business relations of the Data Controller within the scope of the operations carried out by the business units of the Data Controller, regardless of whether they have any contractual relationship with the Data Controller) |
Identity Communication Vehicle Information Finance Legal Process Venue Security Customer Transaction Risk Management |
Supplier Employee Supplier Employee (Real persons authorized to represent the Data Controller who are bound to the Data Controller by a supply contract) |
Identity Communication Finance Professional Experience Criminal Conviction and Security Measures Personel Health Legal Process Risk Management Visual/Audio Records Customer Transaction Venue Security |
Shareholder/Partner (Real persons who are shareholders of the Data Controller) |
Identity Visual/Audio Records Communication Venue Security Legal Process Risk Management Finance Professional Experience |
Visitor (Real persons who have entered the physical premises owned by the Data Controller for various purposes or who visit our websites) |
Identity Venue Security Visual/Audio Records Health Process Security |
Supplier Employee (Natural persons who are bound to the Data Controller by a supply contract and have an employment contract with the Data Controller) |
Venue Security Identity Communication Professional Experience Health Visual/Audio Records Finance Location Process Security Marketing |
Potential Product or Service Buyer (Natural persons whose personal data are obtained through the business relations of the Data Controller within the scope of the operations carried out by the business units of the Data Controller as a basis for the future legal relationship with the Data Controller) |
Venue Security Identity Communication Visual/Audio Records Health Customer Transaction Marketing Location Process Security |
Parent / Guardian / Representative (Person(s) authorized to act on behalf of the natural or legal person who has a legal relationship with the Data Controller) |
Identity Communication Finance Legal Process |
Subject of the news (The person about whom the news was reported) |
Identity Communication Visual/Audio Records |
Employee Candidate (Natural persons who have applied for a job to the Data Controller by any means or who have opened their CV and related information to the examination of the Data Controller) |
Identity Communication Personel Professional Experience Criminal Conviction and Security Measures Legal Process Visual/Audio Records Health Venue Security |
Intern (Real persons who are in an internship relationship with the Data Controller) |
Identity Communication Personel Professional Experience Health |
Public Official (Other groups of people) |
Identity Communication |
Rapporteur (Other groups of people) |
Identity Visual/Audio Records |
Occupational Health and Safety Specialist (Other groups of people) |
Identity Communication Professional Experience |
Doctor (Other groups of people) |
Identity Professional Experience |
Workplace Physician (Other groups of people) |
Identity Professional Experience |
Website Visitors (Other groups of people) |
Process Security Marketing |
6. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY THE DATA CONTROLLER AND THE PURPOSES OF TRANSFER
In accordance with Article 10 of the KVKK, the Data Controller informs the personal data owner about the groups of persons to whom personal data are transferred.
The Data Controller may transfer the personal data of the data owners managed by the Policy in accordance with Articles 8 and 9 of the KVKK to domestic and foreign recipient groups within the scope of the transfer reasons based on the data category listed below:
Category of Data |
Reason of Transfer |
Recipient |
||
Domestic |
Abroad |
Domestic |
Abroad |
|
Identity |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Supplier Natural Persons or Private Law Legal Entities |
Suppliers Natural Persons or Private Law Legal Entities |
Communication |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Supplier Natural Persons or Private Law Legal Entities |
Suppliers Natural Persons or Private Law Legal Entities |
Vehicle Data |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations |
|
Finance |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Suppliers Natural Persons or Private Law Legal Entities |
Suppliers |
Professional Experience |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Suppliers Natural Persons or Private Law Legal Entities |
|
Criminal Records |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Suppliers |
|
Location |
Legal Obligation |
|
Authorized Public Institutions and Organizations |
|
Visual/Audio Records |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Natural Persons or Private Law Legal Entities |
|
Personel |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Supplier |
|
Health |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Supplier |
|
Legal Process |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Supplier |
|
Venue Security |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Supplier |
|
Risk Management |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Supplier Natural Persons or Private Law Legal Entities |
|
Customer Transaction |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations Supplier Natural Persons or Private Law Legal Entities |
Suppliers |
Employee Relative Info |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations |
|
Marketing |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations |
|
Process Security |
Legal Obligation Court Order |
|
Authorized Public Institutions and Organizations |
|
The definition and scope of the recipient groups to which the above-mentioned transfers are made are set out in the table below.
Persons to whom data can be transferred |
Definition of Persons to Whom Data Can Be Transferred |
Authorized Public Institutions and Organizations |
Public institutions and organizations authorized to receive information and documents from the Data Controller in accordance with the provisions of the relevant legislation. (All ministries, judicial, administrative institutions and organizations under the Presidency, especially the Ministry of Justice, the Constitutional Court, the Court of Cassation, the Council of State, the Regional Courts of Appeal, Local Courts and other courts of the Republic of Turkey, all departments and levels of the Turkish Grand National Assembly, other administrative and financial accident institutions, Governorships, District Governorships, Security Directorates, Consulates of the relevant country, Population and Citizenship Courts, all departments and degrees of the departments and institutions of the Turkish Grand National Assembly, other administrative and financial accident institutions, Governorships, District Governorships, Security Directorates, Consulates of the relevant country, Population and Citizenship Affairs Directorates, Tax Offices, all central and provincial organizations and units of the Ministry of Finance, Customs Directorates and Chief Directorates, SSI, General Directorate of Free Zones of the Undersecretariat of Foreign Trade, Free Zones, All Public Banks and all other authorized public institutions and organizations) |
Suppliers |
Defines the parties that provide services to the Data Controller on a contractual basis in accordance with the orders and instructions of the Data Controller while carrying out the commercial activities of the Data Controller |
Real Persons or Private Law Legal Entities |
Private law persons or real persons authorized to receive information and documents from the Data Controller in accordance with the provisions of the relevant legislation |
7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW
The Data Controller informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVKK.
7.1. Processing of Personal Data and Sensitive Personal Data
7.1.1. Processing of Personal Data
The explicit consent of the personal data owner is only one of the legal grounds that make it possible to process personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is personal data of special nature; the conditions stated below under the heading 7.1.2. under this section are applied.
Although the legal grounds for the processing of personal data by the Data Controller may vary, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of the KVKK.
7.1.1.1.1. Explicit Consent of the Personal Data Owner
One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be related to a specific subject, based on information and free will.
For personal data processing activities other than the purpose of processing for the reasons for obtaining personal data, at least one of the conditions in 7.1.1.1.2 - 7.1.1.8 of this title is sought; If one of these conditions is not present, these personal data processing activities are carried out by the Data Controller based on the explicit consent of the personal data owner for these processing activities.
For the processing of personal data based on the explicit consent of the personal data owner, the explicit consent of the personal data owners is obtained through the relevant methods.
7.1.1.2. Explicitly Stipulated in Laws
The personal data of the data subject may be processed in accordance with the law if it is clearly stipulated in the law.
7.1.1.3. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility
The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.
7.1.1.4. Directly Related to the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.
7.1.1.5. Fulfillment of the Legal Obligation by the Data Controller
The personal data of the data subject may be processed if the processing is mandatory for the Data Controller to fulfill its legal obligations as a data controller.
7.1.1.6. Publicization of Personal Data by the Personal Data Owner
In the event that the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed.
7.1.1.7. Data Processing is Mandatory for the Establishment or Protection of a Right
Personal data of the personal data owner may be processed if data processing is mandatory for the establishment, exercise or protection of a right.
7.1.1.8. Data Processing is Mandatory for the Legitimate Interest of the Data Controller
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, data may be processed if it is mandatory for the legitimate interests of the Data Controller.
7.1.2. Processing of Special Categories of Personal Data
if the personal data owner does not have explicit consent, provided that adequate measures to be determined by the PDP Board are taken, special categories of personal data are processed by the Data Controller in the following cases:
Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal data subject can only be collected by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
7.2. Building, Facility Entrances and Personal Data Processing Activities Conducted within the Building Facility
Personal data processing activities carried out by the Data Controller at the entrances of the building facility and within the facility are carried out in accordance with the Constitution, the KVKK and other relevant legislation.
In order to ensure security by the Data Controller, personal data processing activities are carried out for the monitoring of guest entrances and exits with security cameras in the buildings and facilities of the Data Controller.
Personal data processing activity is carried out by the Data Controller through the use of security cameras and recording of guest entrances and exits.
Cameras are divided into two as indoor and outdoor cameras. Indoor cameras are positioned at an angle that will not directly attract our employees or visitors, except for sinks, rooms, changing cabins and room interiors. The locations of the cameras have been carefully determined to ensure that the monitoring activity is kept to a minimum and limited to the purpose of monitoring.
7.2.1. Data Controller Camera Surveillance Activities Carried Out at Building, Facility Entrances and Inside
In this section, explanations will be made regarding the camera surveillance system of the Data Controller and information will be provided on how personal data, confidentiality and fundamental rights of the person are protected.
Within the scope of security camera surveillance activity, the Data Controller aims to protect the interests of the Data Controller and other persons to ensure the security of the Data Controller and other persons.
7.2.2. Execution of Monitoring Activities with Security Cameras in accordance with KVK Law
The Data Controller acts in accordance with the regulations in the KVKK in carrying out camera surveillance activities for security purposes. In order to ensure security in its buildings and facilities, the Data Controller carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the KVKK.
7.2.3. Announcement of Camera Monitoring Activity
The personal data owner is informed by the Data Controller in accordance with Article 10 of the KVKK. The Data Controller notifies with more than one method regarding the camera surveillance activity of the clarification made regarding general issues. Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data owner and to ensure transparency and enlightenment of the personal data owner.
For the camera surveillance activity by the Data Controller; this Policy is published on the Data Controller's website (online policy regulation) and a notification letter regarding the monitoring is posted at the entrances of the areas where the monitoring is carried out (on-site disclosure).
7.2.4. Purpose of and Limitation to the Purpose of Camera Surveillance
In accordance with Article 4 of the KVK Law, the Data Controller processes personal data in a limited and measured manner in connection with the purpose for which they are processed.
The purpose of video camera surveillance by the Data Controller is limited to the purposes listed in this Policy. In this direction, the monitoring areas, number and time of monitoring of security cameras are sufficient to achieve the security purpose and are limited to this purpose. Areas that may result in interference with the privacy of the person in a way that exceeds the security purposes (for example, toilets) are not subject to monitoring.
7.2.5. Ensuring the Security of the Data Obtained
Necessary technical and administrative measures are taken by the Data Controller to ensure the security of personal data obtained as a result of camera surveillance activity in accordance with Article 12 of the KVKK.
7.2.6. Retention Period of Personal Data Obtained through Camera Surveillance Activity
Detailed information on the Data Controller's retention period for personal data obtained through camera surveillance is provided in Article 4.3 of this Policy titled Retention Periods of Personal Data.
If it is understood that the video recordings obtained from the security camera constitute evidence in a criminal investigation before the deletion period, if it constitutes evidence in a criminal investigation, it is kept until it is submitted to the judicial authority.
Video recordings obtained from security cameras are kept for 10 years if it is understood that they constitute evidence in a legal dispute before the deletion period.
7.2.7. Who has access to the information obtained as a result of monitoring and to whom this information is transferred
Only a limited number of Data Controller employees have access to the records recorded and stored in digital media with live camera images. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
8. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Although the Data Controller has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVKK, personal data shall be deleted, destroyed or anonymized upon the Data Controller's own decision or upon the request of the personal data owner, if the reasons requiring its processing disappear.
In this context:
Expiration or nullity of the contract on the basis of processing,
Withdrawal of consent in processing activities based on explicit consent,
Data Subject's application for deletion-destruction-anonymization and acceptance of this application,
The decision that the request to be made by the Personal Data Protection Board should be met as a result of the Data Owner's application and the rejection of this application,
Expiration of the retention period,
Periodic destruction operations carried out within the Data Controller,
As a result, the Data Controller deletes, destroys or anonymizes the Personal Data collected.
In terms of Deletion, Destruction or Anonymization of Personal Data, the Data Controller creates a separate policy in detail within the scope of the Regulation on Deletion, Destruction or Anonymization of Personal Data.
9. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR THE EXERCISE AND EVALUATION OF THESE RIGHTS
9.1. Rights of the Data Subject and Exercising These Rights
9.1.1. Rights of the Personal Data Subject
Personal data subjects have the following rights:
Learn whether personal data is being processed
Request information if their personal data has been processed,
To learn the purpose of processing personal data and whether they are used for their intended purpose,
To know the third parties to whom personal data are transferred domestically or abroad,
To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
Although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
9.1.2. Cases Where the Personal Data Owner Cannot Assert His/Her Rights
Pursuant to Article 28 of the KVK Law, personal data owners cannot assert the rights of personal data owners listed in 9.1.1. in these matters, since the following cases are excluded from the scope of the KVK Law:
Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.
Pursuant to Article 28/2 of the KVKK; In the cases listed below, personal data owners cannot assert their other rights listed in 9.1.1. except for the right to demand compensation for the damage:
Processing of personal data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the personal data owner himself/herself.
Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
9.1.3. Exercising the Rights of the Personal Data Owner
Personal Data Owners may submit their requests regarding their rights listed under Title 9.1.1. of this section to the Data Controller free of charge by filling out and signing the Application Form with the information and documents that will identify their identity and by the methods specified below or by other methods determined by the Personal Data Protection Board:
www.izbas.net a copy of which is available at or İzmir Serbest Bölgesi Panaz Mevkii Maltepe Köyü Menemen/İZMİR After filling out the form, which you can obtain from the address of the Data Controller, you can send a wet signed copy to the same address of the Data Controller personally or through a notary public.
In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.
9.1.4. Personal Data Owner's Right to File a Complaint to the PDP Board
Pursuant to Article 14 of the KVK Law, the personal data owner may file a complaint to the KVK Board within thirty days from the date of learning the response of the Data Controller and in any case within sixty days from the date of application in case the application is rejected, the response is found insufficient or the application is not responded in due time.
9.2. Response of the Data Controller to the Applications
9.2.1. Procedure and Duration of the Data Controller's Response to Applications
In the event that the personal data owner submits his/her request to the Data Controller in accordance with the procedure in section 9.1.3. of this section, the Data Controller will finalize the relevant request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the PDP Board, the fee in the tariff determined by the PDP Board will be charged by the Data Controller from the applicant.
9.2.2. Information that the Data Controller may request from the Applicant Personal Data Subject
The Data Controller may request information from the relevant person in order to determine whether the applicant is the personal data owner. In order to clarify the issues in the application of the personal data owner, the Data Controller may ask questions to the personal data owner about the application.
9.2.3 Data Controller's Right to Reject the Personal Data Subject's Application
The Data Controller may reject the application of the applicant in the following cases by explaining the reason:
Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures.
Processing of personal data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the personal data owner himself/herself.
Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
The request of the personal data owner is likely to prevent the rights and freedoms of other persons
Requests have been made that require disproportionate effort.
The requested information is publicly available.
10. THE RELATIONSHIP OF THE DATA CONTROLLER'S POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA WITH OTHER POLICIES
The Data Controller may also establish sub-policies for internal use regarding the protection and processing of personal data related to the principles set forth in this Policy, as well as other policies for certain groups of persons, especially employees.
The principles of the Data Controller's sub-policies for internal use are reflected in publicly available policies to the extent relevant, and it is aimed to inform those concerned within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by the Data Controller.
Thank you for reviewing our PDP Policy
İzbaş İzmir Serbest Bölge Kurucu ve İşleticisi Anonim Şirketi
İzmir Serbest Bölgesi Panaz Mevkii Maltepe Köyü Menemen/İZMİR
+90 (232) 842 63 11
info@izbas.net
www.izbas.net
İZBAŞ's professional team is ready to give you all the information you need to invest in İzmir Free Zone.
Click here to fill in the formİZBAŞ İZMİR SERBEST BÖLGE KURUCU VE İŞLETİCİ A. Ş. © 2022 | ALL RIGHTS RESERVED.