Privacy Policy

Ekolit Teknoloji Cihazları Dış Ticaret Limited Şirketi

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Protection of personal data is one of the top priorities of Ekolit Teknoloji Cihazlari Dış Ticaret Limited Şirketi (the “Company"). The most important part of this matter consists of the protection and processing of the personal data of our employee candidates, company shareholders, company officials, visitors and employees, shareholders and officials of the institutions we work with and third parties, governed by this Policy.

According to the Constitution of the Republic of Turkey,  everyone has the right to request the protection of his/her personal data. Regarding the protection of personal data, which is a right guaranteed by the Constitution, the Company pays due attention to the protection of the personal data of employee candidates, company shareholders, company officials, visitors; employees, shareholders and officials of the institutions they cooperate with, and any third parties, which are governed by this Policy and makes this a Company policy.

In this respect, the Company takes the necessary administrative and technical measures to protect the personal data processed within the scope of the legal legislation.

The primary principles adopted by the company in processing personal data in this Policy are as follows:

  • Processing personal data in accordance with the law and honesty rules,
  • Keeping personal data accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit and legitimate purposes,
  • Processing of personal data in connection with the purpose they are processed, in a limited and proportional manner,
  • Storing personal data for the period stipulated in the relevant legislation or necessary for the purpose of processing,
  • Informing and briefing the data owners,
  • Setting up the necessary system for personal data owners to exercise their rights,
  • Taking the necessary measures to protect personal data,
  • Comply with the relevant legislation and the regulations of the PPD Board when transferring personal data to third parties in line with the requirements of the processing purpose,
  • Pay due attention to the processing and protection of special category (sensitive) data.

ARTICLE 1: THE PURPOSE OF THE POLICY

The main purpose of the policy is to provide transparency and trust by informing the persons whose personal data are processed by our company especially our customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders, and officials of the institutions we cooperate with, and third parties, of the personal data processing activity carried out by the company in accordance with the law.

ARTICLE 2: CONTENT AND DEFINITIONS

This Policy concerns all personal data, which belongs to our employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, processed automatically or non-automatically, provided that it is a part of any data recording system.

With regard to the groups of personal data owners in the categories mentioned above, the application scope of this Policy may be the whole of the Policy or only part of it.

The definitions of the concepts contained in this policy text are as follows:

Recipient group                                         : Category of natural or legal persons to whom personal data have been transferred by the data controller.

Open consent                                             : Informed consent based on free will for any matter

Anonymization                      : Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by cross-referencing with other data.

Employee                                               : Company staff

Electronic media                              : Environments where personal data can be created, read, modified and written with electronic devices

Non-electronic media              : All written, printed, visual, etc. media that are outside of electronic media

Service provider                                : A natural or legal person that provides services within a certain agreement with the organization

Relevant person                                             : The real person whose personal data is processed

Relevant user                                     :Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data.

Destruction                                                   : Deletion, disposal, or anonymization of personal data

Law                                                : Law No. 6698 on the Protection of Personal Data

Recording media                                      : Any media where personal data is fully or partially automated or operable in non-automatic ways as part of any data recording system

Personal data                                         : All information related to an identified or identifiable real person.

Personal data processing inventory            : An inventory in which data officers detail the activities of processing personal data that they perform depending on their business processes by explaining the purposes and legal reasons for processing personal data, the category of data, the group of recipients transferred, and the group of persons subject to the data, the maximum period of storage of personal data created by them and required for the purposes for which they are processed, the personal data intended for transfer to foreign countries, and the measures taken to ensure data security

Processing of Personal Data                 : Provided that it is fully or partially automated or is part of any data recording system, all kinds of operations performed on the data such as obtaining, recording, storing, storing, modifying, rearranging, disclosing, transferring, inheriting, making available, classifying or preventing the use of personal data by non-automatic means.

Board                                                  : Personal Data Protection Board

Sensitive (special category) data                    : Any data on an individual’s race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data

Periodic disposal                                 : The deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all the conditions for processing personal data in the law are eliminated

Policy                                              : Personal Data Storage and Disposal Policy

Company                                                 :Ekolit Teknoloji Cihazları Dış Ticaret Limited Şirketi

Data processor                                       :Actual or legal entity that processes personal data on behalf of the data controller based on the authority of the data controller

Data registration system                              : Registration system, where personal data is processed by being structured based on specific criteria

Data controller                                 : The actual or legal entity responsible for the installation and management of the data registration system, and determines the purposes and properties of the personal data

Data Controllers' Registry  : An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in the application to the Registry and other related transactions related to the Registry.

VERBIS                                               : Data Controllers' Registry

Regulation                                        : Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017

ARTICLE 3: APPLICATION OF THE POLICY AND RELEVANT LEGISLATION

Relevant legal regulations in force on the processing and protection of personal data shall be applied as a priority. In the event of an inconsistency between the applicable legislation and the Policy, our Company agrees that the applicable legislation shall be applied.

The policy was created by the embodiment of rules set out by the applicable legislation in the Company's implementation.

ARTICLE 4: ENFORCEMENT OF THE POLICY

This Policy issued by our Company enters into force on the day it is published on our website. The effective date will be updated if the policy is amended.

The Policy is published on our company’s website and made available to the relevant persons upon the request of personal data owners.

ARTICLE:5 CONSIDERATIONS RELATED TO THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the LPPD,  our Company takes all necessary administrative, technical, and legal measures to prevent the unlawful processing of, or access to, the data, and to ensure the appropriate security of the data, and conducts all relevant and required inspections.

ARTICLE 6: ENSURING THE SECURITY OF PERSONAL DATA

6.1 Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

Our company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law.

 

 

  • Technical Measures Taken to Ensure the Legal Processing of Personal Data

The key technical measures taken by our company to ensure that personal data is processed according to the law are listed below:

  1. The personal data processing activities carried out by our Company are supervised by the technical systems established.
  2. The technical measures taken are periodically reported to the responsible person in accordance with the internal audit mechanism.
  3. Staff with technical knowledge is employed.
    • Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

The main administrative measures taken by our company to ensure that personal data is processed in accordance with the law are listed below:

  1. Employees are informed and trained on the law on the protection of personal data and the lawful processing of personal data.
  2. All activities carried out by our company are analyzed by all business units in detail. This analysis reveals the personal data processing activities specific to the commercial activities performed by the relevant business units.
  3. Personal data processing activities carried out by our company's business units and the requirements to be fulfilled in order to ensure that these activities comply with the personal data processing conditions set by Law No. 6698 shall be determined for each business unit and its activities.
  4. In order to ensure legal compliance requirements of our business units, awareness is raised for the relevant business units and implementation rules are determined. Necessary administrative measures are implemented through in-house policies and training in order to ensure supervision and continuity of implementation.
  5. Contracts and documents governing the legal relationship between our company and its employees include records that impose an obligation not to process, disclose or use personal data (with the exception of the company's instructions and those made by law), and awareness is created among employees in this regard and audits are carried out.

6.2 Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

Our company takes technical and administrative measures based on the nature of data, technological facilities, and the cost of implementation to prevent imprudent or unauthorized disclosure, access, transfer of, or any other unlawful access to personal data.

  • Technical Measures Taken to Prevent Unlawful Access to Personal Data

The key technical measures taken by our company to prevent personal data from accessing the law are listed below:

  1. Technical measures are being taken in accordance with the developments in technology, measures are periodically updated and renewed.
  2. In accordance with the legal compliance requirements determined on a business unit basis, technical solutions regarding access and authorization are implemented.
  3. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, the issues that pose a risk are re-evaluated and the necessary technological solution is produced.
  4. Software and hardware that include virus protection systems and firewalls are installed.
  5. Staff with technical knowledge is employed.

 

  • Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by our company to prevent unlawful access to personal data are listed below:

  1. Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
  2. Access to personal data and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements.
  3. Employees are informed that they cannot disclose the personal data that they have learned to others in violation of the provisions of the PPD Law, and that they cannot use such data for any purpose other than processing, and that this liability will continue after they leave office, and accordingly, they make the necessary commitments.
  4. In the contracts drawn up with the persons to whom personal data has been transferred in accordance with the law, the company has added provisions that the persons to whom personal data has been transferred shall take the necessary security measures to protect personal data and ensure compliance with these measures in their own organizations.

6.3 Storage of Personal Data in Secure Environments

Our company takes the necessary technical and administrative measures according to technological possibilities and implementation costs in order to keep personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.

  • Technical Measures Taken to Store Personal Data in Secure Environments

The main technical measures taken by our company for the storage of personal data in secure environments are listed below:

  1. In order to store personal data in secure environments, systems in accordance with technological developments are used.
  2. Personnel with the required technical expertise are employed.
  3. For storage spaces, technological security systems are built, and the technical measures implemented are reported to the appropriate person on a regular basis in accordance with the internal audit mechanism. The potentially dangerous concerns are re-evaluated, and the requisite technological remedy is developed.
  4. In order to ensure the safe storage of personal data, backup programs are used in accordance with the law.
    • Administrative Measures Taken to Store Personal Data in Secure Environments

The main administrative measures taken by our company for the storage of personal data in secure environments are listed below:

  1. Employees are trained to ensure that personal data is stored securely.
  2. In case that our Company obtains any outside service due to technical requirements for storage of personal data, in the contracts concluded with the relevant companies to which the personal data is transferred in accordance with the law, the provisions regarding that the persons to whom the personal data are transferred will take the necessary security measures for the protection of personal data and that these measures will be complied with in their own establishments.

6.4 Inspection of Measures Taken on the Protection of Personal Data

Pursuant to Article 12 of the LPPD, our Company conducts or has others perform the necessary inspections within its organization. These inspection results are reported to the relevant unit within the scope of the internal operation of the company, and necessary actions are taken to improve the measures taken.

6.5 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

If personal data processed in accordance with Article 12 of the LPPD is obtained by others in unlawful ways, our Company will ensure that this is reported to the relevant personal data owner and the PDP Board as soon as possible.

If deemed necessary by the PDP Board, this may be announced on the website of the PDP Board or by any other method.

ARTICLE: 7 RESPECTING THE RIGHTS OF THE DATA OWNER, CREATING THE CHANNELS TO COMMUNICATE THESE RIGHTS TO OUR COMPANY AND EVALUATION OF THE DATA OWNERS' REQUESTS

Our company manages the channels, internal processing, administrative and technical arrangements in accordance with Article 13 of LPPD to assess the rights of personal data owners and make the necessary information available to personal data owners.

If the owners of personal data submit their requests for the rights listed below to our Company in writing, our Company will finalize the request as soon as possible and for free within thirty days at the latest, depending on the nature of the request. However, if the transaction also requires a cost, the fee set by our Company at the tariff determined by the PDP Board will be charged. Personal data owners have the right to;

  1. Find out if their personal data has been processed,
  2. Request information about their personal data if it has been processed,
  3. Find out the purpose of processing personal data and whether they are used for their intended purpose,
  4. Be informed of the third parties to whom personal data is transferred at home or abroad,
  5. In case their personal data are processed incompletely or incorrectly, request correction thereof and request that the third parties to whom their personal data have been provided are notified about the corrections accordingly,
  6. Request deletion or destruction of personal data, and request notification of the third parties to whom personal data have been provided about the actions performed in this way if the reasons for processing no longer apply to the personal data, which in any event, has been processed in accordance with the PDP Law and other applicable law,
  7. Object to emergence of an outcome against their own interests upon analysis of the processed data exclusively by automatic systems,
  8. Request the compensation of the damage in case of loss due to unlawful processing of personal data.

More detailed information about the rights of data owners is provided in this Policy.

ARTICLE: 8 PROTECTION OF SENSITIVE PERSONAL DATA

Per the PDP Law, special importance is attached to certain personal data due to the risk of causing victimization or discrimination in case of unlawful processing.

This includes data on race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

The Company pays strict attention to protecting special category data, which is designated by the PDP Law as "sensitive" and processed in accordance with the law. In this respect, the technical and administrative measures taken by our Company for the protection of personal data are applied with due care in terms of such special category data, and the necessary controls are provided within the Company.

Detailed information about the processing of special category (sensitive) data is provided in this Policy.

ARTICLE:9 INCREASING AND SUPERVISING THE AWARENESS OF BUSINESS UNITS IN THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company ensures that the necessary training is organized for the business units in order to prevent the unlawful processing of personal data and illegal access to the data and to raise awareness to ensure the preservation of the data.

Systems are established to raise awareness of the protection of personal data among current employees of the Company’s business units and newly-recruited employees, and professional people are worked with if needed.

ARTICLE 10: INCREASING AND SUPERVISING THE AWARENESS OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company provides training and seminars for partners in preventing the processing of personal data against law, preventing access to data in violation of the law, and increasing awareness of data protection.

The training programs conducted for the company's partners are repeated periodically. Systems are established to raise awareness of the protection of personal data among current employees of the business partners and newly-recruited employees of the business units, and professional people are worked with if needed.

The results of the training programs, aimed at increasing the awareness of the Company’s business partners on the protection and processing of personal data, are reported to the Holding. Accordingly, our company evaluates the participation in the relevant training, seminars and information sessions and carries out the necessary supervision processes or has them done. Our company updates and renews its training in parallel with the update of the relevant legislation.

ARTICLE 11: CONSIDERATIONS ON THE PROCESSING OF PERSONAL DATA

In accordance with Article 20 of the Constitution and Article 4 of the LPPD, regarding the processing of personal data, our company carries out personal data processing activities in a limited and proportional manner, in accordance with the law and the rules of honesty, in an accurate and up-to-date manner when necessary, for specific, clear and legitimate purposes and in connection with the purpose. Our company preserves personal data as long as the law requires it, or as required by the purpose of personal data processing.

Our company, under Articles 20 of the Constitution and Articles 5 of LPPD, processes personal data based on one or more of the provisions provided under Article 5 of the LPPD for processing personal data.

In accordance with Articles 20 of the Constitution and 10 of the LPPD, our Company informs the data owners and provides the necessary information if requested by the owners of personal data.

Our company complies with the regulations for the processing of special category (sensitive) personal data in accordance with Article 6 of LPPD.

Our company complies with the regulations stipulated in the law on transferring personal data in accordance with Articles 8 and 9 of LPPD, defined by the PDP Board.

ARTICLE 12: PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES PROVIDED FOR IN THE LEGISLATION

12.1 Processing in Accordance with the Law and the Rule of Honesty

Our company acts in accordance with the principles established by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes into account the proportionality requirements in the processing of personal data and does not use personal data for reasons other than those required by the purpose.

12.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

Our company provides accurate and up-to-date personal data handling by taking into account the fundamental rights of its personal data owners and their legitimate interests. In this direction, it takes the necessary measures.

12.3 Processing for Specific, Explicit and Legitimate Purposes

Our company defines clearly and precisely its purpose of processing personal data, which is legitimate and consistent with the law. Our company processes personal data in connection with the service it provides and as much as required for these.

12.4 Being Connected, Limied and Proportonal With Respect to Purpose of Processing

Our company processes personal data in a manner that is suitable for the purposes set and avoids processing personal data that is not relevant to the execution of the purpose or that is not needed. For example, no personal data processing activities are carried out to meet the needs that are likely to arise later.

12.5 Storing for as Long as Required by the Relevant Legislation or for the Purpose of Their Processing

Our company stores personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation. If a period is determined, our company acts in accordance with this period, and if a period is not determined, personal data is stored for the period required for the purpose for which they are processed. In case of expiration of the period or elimination of the reasons requiring processing, personal data are deleted, destroyed or anonymized by our Company. Our Company does not store personal data in case of future use. Detailed information about this issue is provided in this Policy.

ARTICLE 13: PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO ONE OR MORE OF THE PERSONAL DATA PROCESSING TERMS SET FORTH IN ARTICLE 5 OF LPPD

Protection of personal data is a Constitutional right. Fundamental rights and freedoms, without touching their essence, can be limited only for the reasons specified in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in the cases stipulated by the law or by the express consent of the person. In this respect and in accordance with the Constitution, our company processes personal data only as stipulated by the law or with the express consent of the person. Detailed information about this issue is provided in this Policy.

ARTICLE 14: PROVIDING CLARIFICATION TO AND INFORMING OF THE PERSONAL DATA OWNER

Our company informs personal data owners during the acquisition of personal data, in accordance with Article 10 of the LPPD. In this context, clarifications are made about the identity of the Holding and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the rights of the personal data owner for legal reasons. Detailed information about this issue is provided in this Policy.

Article 20 of the Constitution states that everyone has the right to be informed about personal data related to them. Accordingly, Article 11 of the LPPD includes the right to “request information” among the rights of the personal data owner. In this context, our company provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the LPPD. Detailed information about this issue is provided in this Policy.

ARTICLE: 8 PROCESSING OF SPECIAL CATEGORY/SENSITIVE PERSONAL DATA

Our company strictly complies with the regulations stipulated in the LPPD in the processing of personal data determined as "special category (sensitive)" by the LPPD.

In Article 6 of the LPPD, a set of personal data that carries the risk of causing victimization or discrimination when processed unlawfully is determined as "special category (sensitive)". This includes data on race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

In accordance with the LPPD, our Company processes special category data in the following cases, provided that adequate measures are taken, as determined by the PDP Board:

  1. If the personal data owner has explicit consent, or
  2. If the personal data owner does not have explicit consent;
  • When prescribed by law, sensitive personal data other than data about the health and sexual life of the data owner,
  • Special categories of personal data regarding the health and sexual life of the personal data owner are only processed for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services, and financing, and only by persons or authorized institutions and organizations under the obligation to keep secrets.

ARTICLE 16: TRANSFER OF PERSONAL DATA

By adopting the required security measures in line with the personal data processing goals in accordance with the legislation, our company can transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, business partners, third real persons). In this respect, our company complies with the regulations set out in Article 8 of the LPPD. Detailed information about this issue is provided in this Policy.

16.1 Transfer of Personal Data

Our company may transfer personal data to third parties based on one or more of the personal data processing requirements established in Article 5 of the Law listed below, and in a restricted manner, in accordance with the reasonable and permissible personal data processing purposes:

  1. If the personal data owner has explicit consent;
  2. If there is a clear regulation in the law on the transfer of personal data,
  3. If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and if the personal data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not legally valid;
  4. If the personal data of the parties of an agreement must be transferred, with direct respect to the construction or execution of an agreement,
  5. If the transfer of personal data is mandatory for our company to fulfill its legal obligation,
  6. If the personal data is made public by the personal data owner,
  7. If the transfer of personal data is mandatory for the establishment, exercise, or protection of a right,
  8. If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not damage the fundamental rights and freedoms of the personal data owner.

16.2 Transfer of Special Category/Sensitive Personal Data

In the following cases, our company may transfer sensitive data of the personal data owner to third parties in accordance with the legitimate and lawful personal data processing purposes, by exercising due diligence, implementing the necessary security measures, and following the PDP Board's recommendations.

  1. If the personal data owner has explicit consent, or
  2. If the personal data owner does not have explicit consent;

 

  • Special category (sensitive) personal data other than the health and sexual life of the personal data owner (data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, criminal conviction and security measures, as well as biometric and genetic data) and in cases stipulated by the laws,

 

  • Special categories of personal data regarding the health and sexual life of the personal data owner are only processed for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services, and financing, and only by persons or authorized institutions and organizations under the obligation to keep secrets.

ARTICLE 17: TRANSFER OF PERSONAL DATA ABROAD

Our company may transfer the personal data and special category data of the data owner to third parties for the purposes of lawful personal data processing and by taking the necessary security measures. Personal data is transferred by our Company to foreign countries declared to have adequate protection (“Foreign Country with Sufficient Protection”) by the PDP Board and in the absence of sufficient protection, the personal data is transferred to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing (“Foreign Country of Data Controller Undertaking Adequate Protection”) and where the permission of the PDP Board is available. Accordingly, the Company complies with the regulations stipulated by Article 9 of the LPPD. Detailed information about this issue is provided in this Policy.

17.1 Transfer of Personal Data Abroad

Our company can transfer the personal data to Foreign Countries with Sufficient Protection or a Foreign Country of Data Controller Undertaking Adequate Protection, if there is the express consent of the personal data owner, in line with the legitimate and lawful personal data processing purposes, or if there is no explicit consent of the personal data owner but in the presence of one of the following conditions:

If there is a clear regulation in the law on the transfer of personal data,

  1. If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and if the personal data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not legally valid;

 

  1. If the personal data of the parties of an agreement must be transferred, with direct respect to the construction or execution of an agreement,

 

  1. If the transfer of personal data is mandatory for our company to fulfill its legal obligation,
  2. If the personal data is made public by the personal data owner,

 

  1. If the transfer of personal data is mandatory for the establishment, exercise, or protection of a right,

 

  1. If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not damage the fundamental rights and freedoms of the personal data owner.

16.2 Transfer of Special Category/Sensitive Personal Data Abroad

In accordance with the legitimate and lawful personal data processing purposes, our company may transfer the sensitive data of the personal data owner to a Foreign Country with Sufficient Protection or a Foreign Country of Data Controller Undertaking Adequate Protection by showing due diligence, taking the necessary security measures and taking the adequate precautions prescribed by the PDP Board, in the following cases.

  1. If the personal data owner has explicit consent, or
  2. If the personal data owner does not have explicit consent;

 

  • Special category (sensitive) personal data other than the health and sexual life of the personal data owner (data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, criminal conviction and security measures, as well as biometric and genetic data) and in cases stipulated by the laws,

 

  • Regarding special category (sensitive) data pertaining to the health and sexual life of the data owner, within the scope of processing by persons bound by an obligation of confidentiality or authorized institutions and organizations and only for the protection of public health, preventive medicine, medical diagnosis, treatment and healthcare services, and the planning and management of healthcare services and funding.

ARTICLE 18: CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND STORAGE PERIODS

Under the disclosure obligation in accordance with Article 10 of the LPPD, our company notifies the personal data owner of which personal data owner groups are processing their personal data, the purposes of processing the personal data of the personal data owner and the storage periods.

 

ARTICLE 19: CATEGORIZATION OF PERSONAL DATA

Pursuant to Article 10 of the LPPD, our company processes personal data in the following categories, limited to the periods covered by this Policy, by informing the relevant persons and in line with the legitimate and lawful personal data processing purposes of our Company and within the scope of and limited to one or more of the personal data processing conditions specified in Article 5 of the LPPD, and in a way that complies with the general principles set forth in the LPPD and all the obligations set forth in the LPPD, in particular the principles set forth in Article 4 of the LPPD regarding the processing of personal data. It is also stated in this Policy that the personal data processed in these categories are related to which data owners are regulated under this Policy.

IDENTIFICATION INFORMATION: All information, which is clearly belonging to an identified or identifiable natural person, partially or completely processed automatically or non-automatically as part of the data recording system, and which is contained in documents such as Driver's License, Identity Card, Residence, Passport, Attorney's ID, Marriage Certificate.

CONTACT INFORMATION: Information, which is processed partially or completely automatically or non-automatically as part of the data recording system, which clearly belongs to an identified or identifiable natural person; information such as phone number, address, and e-mail.

CUSTOMER INFORMATION: Information, which is clearly belonging to an identified or identifiable natural person, partially or completely processed automatically or non-automatically as a part of the data recording system, and which is obtained and produced about the person concerned as a result of our commercial activities and the operations carried out by our business units in this context.

PHYSICAL SPACE SAFETY INFORMATION: Information that clearly belongs to an identified or identifiable natural person and is included in the data recording system; such as personal data regarding the records and documents taken during the entrance to the physical space and during the stay in the physical space.

TRANSACTION SECURITY INFORMATION: Information that clearly belongs to an identified or identifiable natural person and is included in the data recording system; such as your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities.

RISK MANAGEMENT INFORMATION: Information that clearly belongs to an identified or identifiable natural person and is included in our data risk recording system; such as data that can be used and processed in accordance with the generally accepted legal, commercial practice and good faith in these fields so that we can manage technically and administratively.

FINANCIAL INFORMATION: Information clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; such as personal data processed regarding information, documents, and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner.

PERSONAL INFORMATION: Information clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; such as all kinds of personal data processed for the purpose of obtaining the information that will form the basis for the personal rights of our employees or real persons who have a working relationship with our Company.

EMPLOYEE CANDIDATE INFORMATION; Information clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; such as personal data processed regarding individuals who have applied to become an employee of our company or who have been evaluated as an employee candidate in line with the human resources needs of our company in accordance with the rules of commercial practice and honesty, or who have a working relationship with our Company.

EMPLOYEE TRANSACTION INFORMATION: Information that clearly belongs to an identified or identifiable natural person, which is processed partially or completely automatically or non-automatically as a part of the data recording system; such as personal data processed for all kinds of work-related transactions carried out by our employees or real persons who have a working relationship with our company.

WORK PERFORMANCE AND CAREER DEVELOPMENT INFORMATION: Information clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; such as data processed for the purpose of measuring the performance of our employees or real persons who have a working relationship with our Company, and for the planning and execution of their career development within the scope of our company's human resources policy.

BENEFITS AND INTERESTS INFORMATION: Information clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; such as your personal data processed for the planning of fringe benefits and interests that we offer and will offer to the employees or other real persons who have a working relationship with our Company, to determine the objective criteria for entitlement to these, and to follow up the progress payments.

LEGAL PROCESS AND COMPLIANCE INFORMATION: Information clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; such as your personal data that is processed within the scope of determination, follow-up and performance of our legal receivables and rights, and compliance with our legal obligations and our company's policies.

AUDIT AND INSPECTION INFORMATION: Information clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; such as your personal data that is processed within the scope of our company's legal obligations and compliance with company policies.

PRIVATE/SENSITIVE PERSONAL DATA: Data clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as a part of the data recording system and specified in Article 6 of Law No. 6698.

REQUEST/ COMPLAINT MANAGEMENT INFORMATION: Information clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; such as personal data regarding the receipt and evaluation of any request or complaint directed to our company.

ARTICLE 20: PURPOSES OF PROCESSING PERSONAL DATA

According to the categorization prepared by our Company, the main objectives for the processing of personal Data are shared below:

  1. Carrying out the necessary studies by our related business units for the realization of the commercial activities carried out by our company and performing the related business processes,
  2. Planning and execution of commercial and/or business strategies of our company,
  3. Performing the work required by our business units to benefit the relevant individuals from the products and services offered by our company and the execution of relevant processes.
  4. Planning and execution of our Company’s human resources policies and processes,
  5. Ensure the legal, technical and commercial safety of the persons in a business relationship with our Company.

The data processing purposes within the scope of the aforementioned higher-level purposes are as follows:

  1. Event Management
  2. Planning and Execution of Research and Development Activities
  3. Planning and Execution of Business Activities
  4. Planning and Execution of Corporate Communication Activities
  5. Planning and Execution of Information Security Processes
  6. Establishment and Management of Information Technology Infrastructure
  7. Planning and Execution of Business Partners and/or Suppliers' Authorizations to Access Information and Facilities
  8. Planning and Execution of Benefits and Interests to Supplier and/or Business Partner Employees
  9. Monitoring Financial and/or Accounting Affairs
  10. Planning and Execution of Logistics Activities
  11. Management of Relations with Business Partners and/or Suppliers
  12. Conducting Activities Aimed at Identifying the Financial Risks of Customers
  13. Planning and Execution of Customer Relationship Management Processes
  14. Monitoring Contract Processes and/or Legal Claims
  15. Monitoring Customer Requests and/or Complaints
  16. Planning Human Resources Processes
  17. Execution of Personnel Employment Processes
  18. Following up Legal Affairs
  19. Planning and Execution of the Operational Activities Necessary to Ensure that the Company's Activities are Carried Out in Accordance with the Company's Procedures and/or the Relevant Legislation
  20. Collecting the Entry and Exit Records of the Employees of Business Partners/Suppliers
  21. Creation and Tracking of Visitor Records
  22. Planning and Execution of the Company's Audit Activities
  23. Planning and/or Execution of Occupational Health and/or Safety Processes
  24. Ensuring that the data are accurate and up to date
  25. Management and/or Supervision of Relations with Affiliates
  26. Ensuring the Security of Company Premises and/or Facilities
  27. Ensuring the Security of the Company's Assets and/or Resources
  28. Planning and/or Execution of the Company's Financial Risk Processes

In order to treat personal data for purposes other than those listed above, our Company obtains the express consent of personal data owners. The following personal data processing activities are carried out by the relevant business units with the express consent of the data owners. Within this framework; in the absence of the aforementioned conditions, the purposes of personal data processing are applied with the express consent of the personal data owners;

  1. Planning and Execution of Business Partners and/or Suppliers' Authorizations to Access Information and Facilities
  2. Planning and Execution of Logistics Activities
  3. Monitoring Contract Processes and/or Legal Claims
  4. Planning Human Resources Processes
  5. Execution of Personnel Employment Processes
  6. Collecting the Entry and Exit Records of the Employees of Business Partners/Suppliers
  7. Planning and Execution of the Company's Audit Activities
  8. Planning and/or Execution of Occupational Health and/or Safety Processes
  • Management of Relations with Business Partners and/or Suppliers
  • Planning and/or Execution of Customer Satisfaction Activities
  • Planning and Execution of the Operational Activities Necessary to Ensure that the Company's Activities are Carried Out in Accordance with the Company's Procedures and/or the Relevant Legislation
  • Ensuring the Security of Company Premises and/or Facilities.

ARTICLE 21: PERIODS OF STORAGE OF PERSONAL DATA

Our company stores personal data for the period specified in these legislation, if provided in the relevant laws and regulations.

If a period of time is not regulated in the legislation regarding how long personal data should be kept, then personal data is processed in connection with the services our company provides while processing that data in accordance with our Company's practices and commercial practices, for the period that requires it to be processed. It is then deleted, destroyed, or anonymized. Detailed information about this issue is provided in this policy.

If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation and the company have come to an end, personal data can only be stored to provide evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. In the establishment of the periods herein, the time-out periods for asserting the aforementioned right as well as the examples in the requests made to our Company on the same issues before, despite the expiry of the statute of limitations, are essential in determining the retention periods. In this situation, the saved personal data is not accessible for any other reason, and access to the relevant personal data is granted only when it is required to use it in the relevant legal dispute. Personal data is deleted, destroyed, or anonymized after the expiration of the period mentioned herein.

ARTICLE 22: CATEGORIZATION OF THE OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY

Personal data of the following categories of personal data subjects are processed by our company, with the scope of application of this Policy being limited to our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders, and officials of the institutions we cooperate with, and third parties.

The activities of our employees on the protection and processing of personal data will be evaluated under the Policy of the Holding Employees on the Protection and Processing of Personal Data.

While the categories of people whose personal data are processed by our company fall within the above-mentioned scope, people who do not fall into these categories may nonetheless contact us under the LPPD. These people's requests will likewise be considered under the terms of this policy.

Below, the concepts of the customer, potential customer, visitor, employee candidate, shareholder and board member, natural persons in the institutions we cooperate with, and third parties related to these persons, which are all within the scope of this Policy, are explained.

ARTICLE 23: CATEGORIES AND THEIR DESCRIPTIONS

Visitor; Real persons who have entered the physical premises owned by our company for various purposes or visited our websites.

Third Parties; Third-party real people associated with these people to ensure the security of business transactions between our company and other parties, or to protect the rights of mentioned and to secure interests, or real people who do not fall under this policy and under the policy of protecting and processing personal data of company employees.

Employee Candidate; Natural persons who have applied for a job in our company by any means or have opened their resume information to our company.

Company Shareholder; real persons who are the shareholders of our company.

Company Official; a member of the company's board of directors and other authorized natural persons.

Employees, institutions, shareholders, and officials with whom we cooperate; Natural persons in institutions with which our company has any kind of business relationship (including, but not limited to, business partners, offices, suppliers, shareholders, and authorized personnel of these institutions).

ARTICLE 24: THIRD PARTIES WITH WHOM PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND PURPOSES FOR SUCH TRANSFER

In accordance with Article 10 of the LPPD, our Company notifies the personal data owners of the groups of persons to whom the personal data are transferred.

In accordance with Articles 8 and 9 of the LPPD, our company may transfer the personal data of the service recipients to the following categories of persons:

  1. Company's business partners,
  2. Company suppliers,
  3. Company subsidiaries,
  4. Shareholders of the Company,
  5. Legally Authorized public institutions and organizations,
  6. Legally authorized private legal persons.

The scope and data transfer purposes of the aforementioned persons being transferred are as follows;

  1. Limited to the purpose of ensuring that the objectives of the partnership are met,
  2. Limited to the purpose of ensuring that the services that our company outsources from the supplier and that are necessary to carry out the commercial activities of our company are provided to our company.
  3. Limited to the purpose of ensuring the execution of commercial activities that require the participation of our company in its subsidiaries.
  4. Limited to the purpose of designing and supervising the strategies and inspection activities of our company in accordance with the provisions of the legal legislation.
  5. In the event that legally authorized public institutions and organizations request information and documents from our company within the framework of legal legislation, limited to the purpose requested within our legal authorities.
  6. In case legally authorized private legal persons request information and documents from our company within the framework of legal legislation, limited to the purpose requested within our legal powers,

The transfers carried out by our company are carried out in accordance with the considerations set out in the policy.

Our company informs the personal data owner about the personal data it processes in accordance with Article 10 of the LPPD.

Even though the legal grounds for the processing of personal data by our company differ, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of Law No. 6698.

For the processing of personal data based on the explicit consent of the personal data owner, express consent is obtained from visitors and third parties.

The personal data of the data owner will be processed in accordance with the law if it is explicitly foreseen in the law.

In the event that the processing of personal data is necessary in order to protect the life or bodily integrity of the person or another person, who is unable to express his or her consent due to actual impossibility, or whose consent cannot be validated, personal data of the data owner can be processed.

It is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

If processing is mandatory for our company to fulfill its legal obligations as the data controller, the personal data of the data subject may be processed.

If the data subject’s personal data has been publicized by himself/herself, the relevant personal data may be processed.

If data processing is mandatory for the establishment, use or protection of a right, the personal data of the data subject may be processed.(invoice, etc.)

The data owner's personal data will be processed if it is necessary for our company's legitimate interests, as long as it does not infringe on the data owner's fundamental rights and freedoms (for the purpose of performing in-house calculations, etc.).

The personal data processing activities carried out by our Company at the entrances to the building facility and within the facility are carried out in accordance with the Constitution, the Law on Personal Data Protection (LPPD), and other relevant legislation.

Our Company carries out security camera surveillance activity at company buildings and facilities and performs personal data processing activities to monitor visitor entries and exits in order to ensure security

Personal data processing activities are carried out by our Company through the use of security cameras and recording of guest entrances and exits.

In this context, our Company acts in accordance with the Constitution, the Law on Personal Data Protection, and other relevant legislation. Our company’s aim is to improve the quality and reliability of the service we provide as part of our surveillance activities through security camera surveillance, to ensure the security of the company, our employees, and others, and to protect the interests of third parties in our services. In carrying out camera monitoring activities for security purposes by our company, we act in accordance with the regulations contained in the LPPD.

In order to ensure the security of the buildings and premises, our company operates surveillance cameras in accordance with the personal data processing requirements specified in the LPPD and for the purposes specified in the laws.

Our company announces the so-called monitoring activity in accordance with Article 10 of the LPPD.

In addition to the general information provided by our company, in accordance with the relevant regulations in the EU, our company provides notification about camera surveillance and monitoring activities by more than one method. In this way, it is aimed to prevent damage to the basic rights and freedoms of the personal data owner, to ensure transparency, and to inform the personal data owner.

In accordance with Article 4 of the LPPD, our Company processes personal data in a limited and proportional way in relation to the purpose for which they are processed.

The purpose of the Company’s continuing video camera surveillance activities is limited to the purposes stated in this Policy. In this direction, this should be implemented in a way that the surveillance areas of security cameras, the number of cameras, and the timing for surveillance are sufficient to achieve the purpose of security and limited to this purpose. Areas that may result in interference with the privacy of the person exceeding the security objectives (for example, toilets) are not subject to surveillance.

Our Company takes the necessary technical and administrative measures to ensure the security of the personal data collected by camera surveillance as per Article 12 of the LPPD.

Our company processes personal data in order to ensure security and for the purposes set forth in this Policy, such as monitoring visitor admissions and exits in company buildings and facilities.

On the websites owned by our company, the internet movements of the visitors within the site are recorded by technical means in order to ensure that the visitors of these sites perform their visits on the sites in accordance with the purposes of their visit and to show them customized content,

Even though the personal data has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the LPPD, in the event that the reasons requiring its processing are eliminated, personal data shall be deleted, destroyed or anonymized upon our company's own decision or upon the request of the personal data owner. Our company fulfills this relevant legal obligation through legal methods.

ARTICLE 25: METHODS OF DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

25.1 Methods of Deletion and Destruction of Personal Data

Our company, even though it has been processed in accordance with the provisions of the relevant law, may delete or destroy personal data upon its decision or upon the request of the personal data owner, if the reasons for processing no longer apply. The top-used deletion or disposal/destruction techniques used by our company are listed below:

 

  • Physical Destruction

Personal data can also be processed in non-automatic ways, provided that it is part of any data recording system. When deleting/destroying such data, a system is applied that the personal data will be physically destroyed in a way that cannot be used afterwards.

25.1.2 Securely Deleting from the Software

When deleting/destroying data processed through fully or partly automatic means and stored in digital media, methods are used to delete data from the relevant software in a way that will not be recoverable.

  • Secure Deletion by Expert

In some cases, the company may work with an expert to delete personal data on its behalf. In this case, personal data will be securely deleted/destroyed in a way that cannot be recovered by the expert in this respect.

25.2 Techniques for Anonymizing Personal Data

Anonymization of personal data means making personal data impossible to link to an identified or identifiable natural person, even by cross-referencing it against other data. Our company can anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law are eliminated.

In accordance with Article 28 of the LPPD, personal data that has been anonymized may be processed for such purposes as research, planning and statistics. Such processing is outside the scope of the LPPD and the explicit consent of the personal data owner will not be sought. Since the personal data processed by being anonymized will be outside the scope of LPPD and the rights regulated in the Policy shall not apply to such data.

The most commonly used anonymization techniques by our company are as follows;

  • Masking

Data masking is the method of anonymizing personal data by removing the basic identifier data of the personal data from the data set.

  • Aggregation

Many data are aggregated and personal data is changed so that it cannot be correlated with any single person using the data aggregation approach.

  • Data Derivation

The method of data derivation generates a more broad content from the content of personal data, ensuring that personal data cannot be linked to any individual.

  • Data Hashing

The values in the personal data set are intermingled when using the data hashing method, and the link between the values and persons is broken.

Our company informs the personal data owner of the rights of the personal data owner in accordance with Article 10 of the LPPD and guides the personal data owner on how to use these rights, and carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the LPPD in order to evaluate the rights of personal data owners and to provide necessary information to personal data owners.

ARTICLE 26: THE RIGHTS OF THE DATA OWNER AND THE EXERCISING OF THESE RIGHTS

26.1 Rights of the Personal Data Owner

Personal data owners have the following rights:

  1. Find out if personal data has been processed
  2. Request information about your personal data if it has been processed
  3. Find out the purpose of processing personal data and whether they are used for their intended purpose,
  4. Be informed of the third parties to whom personal data is transferred at home or abroad,
  5. In case their personal data are processed incompletely or incorrectly, request correction thereof and request that the third parties to whom their personal data have been provided are notified about the corrections accordingly,
  6. Request deletion or destruction of personal data, and request notification of the third parties to whom personal data have been provided about the actions performed in this way if the reasons for processing no longer apply to the personal data, which in any event, has been processed in accordance with the PDP Law and other applicable law,
  7. Object to emergence of an outcome against their own interests upon analysis of the processed data exclusively by automatic systems,
  8. Request the compensation of the damage in case of loss due to unlawful processing of personal data.

26.2 Cases where the Personal Data Owner Cannot Extend His or Her Rights

Since the following cases are excluded from the scope of LPPD in accordance with Article 28 of LPPD, personal data owners cannot claim the following rights in these matters:

  1. Processing of personal data for such purposes as research, planning and statistics by anonymizing the personal data as official statistics
  2. Processing personal data for the objectives of art, history, literature, or science, or as part of freedom of expression, as long as it does not compromise national defense, national security, public security, public order, economic security, privacy, or personal rights, or constitutes a crime.

 

  1. Processing of personal data by governmental institutions and organizations that are permitted and authorized by law in order to ensure national defense, national security, public safety, public order, or economic security.
  2. Processing of personal data by judicial authorities or enforcement authorities in connection with investigations, prosecutions, trials or executions

Pursuant to item 28/2 of LPPD, individual data owners may not be able to assert any of the other rights in cases listed below, excluding the right to request that damage be corrected:

  1. In case that the processing of personal data is necessary to prevent the commission of a crime or to investigate a crime.
  2. In case of processing of personal data made public by the personal data owner.
  3. When personal data processing is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  4. Processing of personal data by judicial authorities or enforcement authorities in connection with investigations, prosecutions, trials or executions

26.3 Exercising of the Rights of the Personal Data Owner

Personal data owners will be able to convey their requests regarding the aforementioned rights in this section to our Company, free of charge, using the following method:

  1. by applying personally to the address of İvedik OSB Mahallesi Melih Gökçek Bulvarı Eminel Business Center No:58 Yenimahalle/ANKARA, after filling out the form at alkalizerwater.com and signing it with wet signature,
  2. by courier or mail to the address of İvedik OSB Mahallesi Melih Gökçek Bulvarı Eminel Business Center No:58 Yenimahalle/ANKARA, after filling out the form on alkalizerwater.com and signing it with wet signature,
  3. by sending the secure electronically signed form to info@alkalizerwater.com, after filling out the form on alkalizerwater.com and signing with your "secure electronic signature" as stated in the Electronic Signature Law No. 5070.

It is not possible for third parties to make a request on behalf of personal data owners.

In order for any person other than the personal data owner to make a request, there must be a special power of attorney issued in the name of the person who will make the request.

Personal data owners shall fill in the above-referenced form of "Application Form regarding the Applications to the Data Controller by the Data Subject (Personal Data Owner) Pursuant to the Law on Protection of Personal Data No. 6698" as a request to exercise their rights.  This form also details the method of application.

26.4 The Right of the Personal Data Owner to File a Complaint with the PDP Board

Pursuant to Article 14 of the LPPD, in cases where the application of the personal data owner is rejected, the response given is insufficient or the application is not answered in due time, the data owner has the right to issue a complaint to the PDP Board within thirty days from the date the notification of the company's response, and in any case within sixty days from the date of application.

ITEM 27: COMPANY RESPONDING TO APPLICATIONS

27.1 The Procedure and Duration of Our Company's Responding to Applications

In case the personal data owner submits a request to our Company in accordance with the procedure set forth in the above section of this section, our company will conclude the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.

However, if the transaction also requires a cost, the fee set by our Company at the tariff determined by the PDP Board will be charged.

27.2 Information that Our Company May Request from the Applicant Personal Data Owner

Our company may request information from the subject to determine whether the applicant is a personal data owner or not.

In order to clarify the matters included in the application of the personal data owner, our company may ask the personal data owner about their application.

27.3 The Company’s Right to Reject an Application by the Personal Data Owner

Our company may reject the application of the applicant in the following cases by providing a reason:

  1. Processing of personal data for such purposes as research, planning and statistics by anonymizing the personal data as official statistics
  2. Processing personal data for art, history, literature or scientific purposes or
  • within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights or constitute a crime.
  • Processing of personal data by governmental institutions and organizations that are permitted and authorized by law in order to ensure national defense, national security, public safety, public order, or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities in connection with investigations, prosecutions, trials or executions
  • In case that the processing of personal data is necessary to prevent the commission of a crime or to investigate a crime.
  • In case of processing of personal data made public by the personal data owner.
  • When personal data processing is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  • In case the processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax, and financial issues
  • The possibility that the request of the personal data owner may interfere with the rights and freedoms of other persons
  • The fact that requests have been made that require disproportionate effort.
  • The fact that the requested information is to be publicly available information.

ARTICLE 28: THE RELATIONSHIP OF THE COMPANY'S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES           

The basic policies on the protection and processing of Personal Data, which are related to the principles laid down by the Company with this Policy, are stated. These policies are also to be linked to the basic policies of the Company in other areas to ensure harmonization between the processes that the Company operates with different policy principles for similar purposes.

The “Personal Data Protection Board” has been established within the Company in accordance with the decision of the Company's senior management to manage this policy and other policies related to this policy. The duties of this board are stated below.

  1. To prepare and put into effect the basic policies regarding the Protection and Processing of Personal Data, and submit them for the approval of senior management.
  2. To determine how to put rules on the protection and processing of personal data into effect and maintain control over them. To make in-house assignments and bring coordination issues to top management for approval in this context.
  3. To identify the issues that must be addressed in order to ensure compliance with the Personal Data Protection Law and other related regulations. To submit what needs to be done for upper management approval and keep track of and coordinate the implementation of the plan.
  4. To raise awareness regarding the protection and processing of personal data both inside the company and among the institutions with which it cooperates.
  5. To ensure that the necessary measures are taken by identifying the risks that may occur in the company's personal data processing activities and to submit improvement proposals for approval of senior management.
  6. To design training on the protection of personal data policies and to enforce their implementation.
  7. To resolve the applications of personal data owners at the highest level.
  8. To coordinate the execution of information and training activities in order to ensure that personal data owners are informed about their personal data processing activities and their legal rights.
  9. To prepare the changes in the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
  10. To follow the developments and regulations on the Protection of Personal Data and to advise senior management on what needs to be done within the Company in accordance with these developments and regulations.
  11. To coordinate relations with the Board and Institution of Personal Data Protection.
  12. To perform other duties assigned by the senior management of the company regarding the protection of personal data.

Some of the specified policies are intended for in-house use. It is aimed to reflect the principles of in-house policies to the public policies to the extent relevant, to inform the relevant parties in this framework, and to ensure transparency and accountability regarding the personal data processing activities carried out by the Company.

Yukarı
() Ürün
Eşya 0
Tutar $0.00