Personal Data Protection and Processing Policy

SECTION ONE: INTRODUCTION
I.IMPORTANCE OF THE PROTECTION OF THE PERSONAL DATA

The protection of personal data is a constitutional right and is among the priorities of our Company. For this purpose, our Company has aimed to establish a system that is continuously updated, and this Policy has been established. Within the scope of the Personal Data Protection Law no 6698, this Policy is applied in order to fulfill the general clarification obligation and to establish the fundamental principles of the personal data processing rules of our Company, “Asya Nakliyat Tic. Ltd. Sti.”, at the address of Resitpasa Mah. Degirmentepe Aykan Sok. No: 18/2 Emrigan, 34467 Sariyer/Istanbul, and of its branches, in its capacity of Data Controller. Within this scope, the fundamental principles are regulated with regard to the protection of the personal data of our customers, potential customers, employees, employee candidates, interns and students, supplier’s/sub-employer’s employees and officials, company shareholders and company partners, visitors and other third persons whose data we process.
 
For the implementation of the issues specified in this Policy, the necessary procedures are regulated within the Company, clarification texts in compliance with the Personal Data Processing Inventory are established for each person category, personal data protection and confidentiality agreements are signed with the Company employees and third parties who have access to the personal data, the job definitions are revised, the necessary administrative and technical measures for the protection of the personal data are taken by Asya Nakliyat Tic. Ltd. Sti., and the necessary inspections are made or caused to be made within this scope. The subject of Personal Data Protection is also adopted by the senior management, and the personal data protection processes are managed by a special Committee (Asya Nakliyat PDP Committee) established for this matter.

II.PURPOSE OF THE POLICY

The main purpose of this Policy is to set out the personal data processing activity carried out by Asya Nakliyat Tic. Ltd. Sti. in compliance with the law and the principles for the protection of the personal data, and to ensure transparency by making clarifications to and informing the persons whose personal data is processed by our Company within this scope.
 

III.SCOPE

This Policy relates to all personal data of the persons whom we categorize under the titles of “our customers, potential customers, employees, employee candidates, interns and students, supplier’s/sub-employer’s employees and officials, company shareholders and company partners, visitors and other third persons whose data we process”, which we process by automatic methods, or by non-automatic methods on condition that the data is part of a data recording system.
 

IV.IMPLEMENTATION OF THE POLICY AND THE RELEVANT LEGISLATION

The relevant legal regulations in force on the processing and protection of the personal data apply primarily. In the case that there is an inconsistency between the legislation in force and the Policy, our Company agrees that the legislation in force applies.
 

V.ACCESS AND UPDATE

The Policy is published on the website of our Company, www.asyanakliyat.com, is made available to the relevant persons upon the request of the personal data owners, and is updated when necessary.
 

SECTION TWO: PROCESSING OF THE PERSONAL DATA

 

  1. Our Company can be engaged in personal data processing activity in a purpose-related, limited and prudent manner in line with specific, clear and legitimate purposes which are in compliance with the law and the honesty rules, which are accurate and which are up-to-date when necessary with regard to the processing of the personal data in compliance with the article 20 of the Constitution and the article 4 of the PDPL. Our Company keeps the personal data for the period stipulated in the laws or required by the purpose of the personal data processing.
  2. Our Company processes the personal data based on one or several of the terms in the article 5 of the PDPL with respect to the processing of the personal data in accordance with the article 20 of the Constitution and the article 5 of the PDPL.
  3. Our Company processes the personal data of the employees and the employee candidates based on the purposes of predisposition to the work and performance of the employment contract, save for the PDPL no 6698, in accordance with the article 419 of the Code of Obligations.
  4. Our Company makes clarification to the personal data owners, gives the necessary information in the event that the personal data owners request information and apply to use their rights arising from the law, and replies to the applications within the legal period of time in compliance with the article 20 of the Constitution and the article 10 of the PDPL.
  5. Our Company acts in compliance with the regulations stipulated in terms of the processing of the special quality personal data in accordance with the article 6 of the PDPL.
  6. Our Company complies with the rules stipulated in the law on the transfer of the personal data and makes application by taking into account the decisions taken and the communiques and the lists of safe countries published by the PDPL Board in compliance with the articles 8 and 9 of the PDPL.

 

I.PROCESSING OF THE PERSONAL DATA IN COMPLIANCE WITH THE PRINCIPLES AND RULES STIPULATED IN THE LEGISLATION

 

A.Principles for the Processing of the Personal Data

 

  1. Processing in compliance with the Law and the Honesty Rules

Our Company acts in compliance with the principles and the honesty rules imposed by the legal regulations in the processing of the personal data. Within this scope, our Company takes action by determining the legal bases which will require the processing of the personal data, takes into account the proportionality requirements, does not use the personal data for any purpose other than their intended use and does not carry out processing activity without the knowledge of the persons.

  2. Ensuring that the Personal Data is Accurate and, where necessary, Current

Our Company ensures that the personal data that it processes is accurate and current by taking into account the fundamental rights of the personal data owners and its legitimate interests and takes the necessary measures accordingly. Within this scope, efforts are made to keep the data regarding all person categories up-to-date. In particular, the customer and potential customer data is diligently updated and the persons are not sent e-mails and proposals for marketing and promotional purposes contrary to their consent.

  3. Processing for Certain, Clear and Legitimate Purposes

Our Company clearly and finally establishes the personal data processing purpose which is legitimate and complies with the law. Our Company processes the personal data in connection with and to the extent that it is necessary for the service that it provides. The purpose for processing the personal data is established by our Company before the processing activity and is entered into “the Personal Data Inventory” as well.

  4. Ensuring that the Personal Data is related to, restricted to and proportional to the purpose of processing

Our Company processes the personal data in a manner suitable for the achievement of the purposes established and avoids the processing of personal data which is not related to the achievement of the purpose or which is not required. Within this scope, the processes are continuously reviewed and efforts are made to realize the principle of “data minimisation”.

  5. Keeping for the period stipulated in the relevant legislation or required for the purpose of processing

Our Company keeps the personal data only for the period specified in the relevant legislation or necessary for the purpose of processing. Within this scope, our Company first of all determines whether any period for keeping the personal data is stipulated in the relevant legislation; if any period has been determined, acts in compliance with this period; takes into account the legal and penal timeout periods within this scope; and keeps the personal data for the period necessary for the purpose of processing. In the case of the expiration of the period or in the case that the reasons requiring the processing of the personal data disappear, the personal data is deleted, destroyed or anonymized in accordance with the “DISPOSAL” procedure of our Company within the scope of the BGYS (Information Security Management System).
 
 

B.Rules for the Processing of the General Quality Personal Data

The protection of the personal data is a right granted in the Constitution and the fundamental rights and freedoms, save for their essence, can be restricted only depending on the reasons specified in the relevant articles of the Constitution and only by law. In accordance with the third paragraph of the article 20 of the Constitution, the personal data will be able to be processed only in the cases stipulated in the law or with the explicit consent of the person. The personal data is processed by our Company without requiring the explicit consent of the relevant person only if the following requirements are met in the processing of the personal data;

  1. It is explicitly stipulated in the laws,
  2. It is strictly required for the protection of the life or physical body integrity of the person who may not disclose his consent due to actual impossibility or whose consent is not accepted as valid and applicable or someone else,
  3. Provided that it is directly related to the execution or performance of a contract, the processing of the personal data of the parties to the contract is strictly necessary,
  4. The personal data is obligatory for the Data Controller to be able to fulfill its legal liability,
  5. The personal data has been publicized by the relevant person,
  6. The data processing is mandatory for the establishment, use or protection of a right,
  7. The data processing is obligatory for the legitimate interests of the Data Controller without prejudice to the fundamental rights and freedoms of the personal data owner.

 
If the requirements above are not met, our Company applies for the explicit, freely given and informed consent of the relevant person. Especially in the field of Human Resources and employment affairs, taking into account the dependency relationship of the employee, the data processing is principally based on the reasons of compliance with the law other than consent, and the explicit consent is applied for only in the event that these reasons do not exist. In contrast, in activities such as marketing, the processing activity is performed on the basis of the consent of the relevant person. However, in all cases where the personal data is processed, the data processing activity based on “clarification to the employees” is performed.
 

C.Rules for the Processing of the Special Quality Personal Data

In the processing of the personal data designated as “special quality” by the PDPL, our Company acts in compliance with the regulations stipulated in the PDPL. In the article 6 of the PDPL, certain personal data which bears the risk of causing the unjust treatment of the persons or discrimination when processed contrary to the law is designated as “special quality”, and care and sensitivity must be shown in the processing of such data. This data is the data related to race, ethnic origin, political thought, philosophical belief, religion, communion or other beliefs, appearance, association, foundation or union membership, health, sexual life, conviction or security measures and the biometric and genetic data. The special quality personal data is processed by our Company in the following cases, provided that the necessary measures are taken, in compliance with the PDPL:

  1. The special quality personal data other than the health and sexual life of the personal data owner is processed in the cases stipulated in the laws or based on the explicit consent of the personal data owner, if any,
  2. The special quality personal data regarding the health and sexual life of the personal data owner, however, is processed by the persons or authorized institutions and organizations under the confidentiality obligation or with the explicit consent of the personal data owner only for the purpose of protecting the public health, executing the preventive medicine, medical diagnosis, treatment and care services and planning and managing the health services and their finance.
  3. Regardless of which reason it is based on, the general data processing principles are always taken into account and the compliance with these principles is ensured in the processing courses (PDPL a. 4; see above 2nd Section, I,1).

In relation to the protection of the special quality data, “the Personal Data Protection and Processing Policy” was put into force in our Company and the actions and the necessary measures are taken in accordance with the provisions of this policy in our business departments.
 

D.Making Clarification and Giving Information to the Relevant Persons whose Data is Processed

Our Company makes clarification to the personal data owners during the acquisition of the personal data in compliance with the article 10 of the PDPL. Within this scope, the relevant person whose data is processed is informed of the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason of collecting the personal data, and the rights of the relevant person whose personal data is processed. In the article 11 of the PDPL, “Information Request” is also listed among the rights of the relevant person whose personal data is processed. Within this scope, our Company gives the necessary information if the relevant person requests it, in compliance with the article 20 of the Constitution and the article 11 of the PDPL, and the action on this matter is taken with “the Application Form”, which is available in our Company and at our Website https://www.asyanakliyat.com/.
 

II.TRANSFER OF THE PERSONAL DATA

Our Company can transfer the personal data and the special quality personal data of the relevant person whose personal data is processed to third persons by taking the necessary security measures in line with the personal data processing purposes complying with the law. Our Company, accordingly, acts in compliance with the regulations stipulated in the article 8 of the PDPL.

A.Principles for the Transfer of the Personal Data

Our Company can transfer the personal data to third persons based on and limited to one or several of the personal data processing requirements set forth in the article 5 of the Law as listed below in line with the personal data processing purposes legitimate and complying with the law:
 
If the relevant person whose personal data is processed gives his explicit consent, based on this explicit consent or

  1. If there is an explicit regulation in the laws regarding that the personal data will be transferred,
  2. If it is compulsory for the protection of the life or physical body integrity of the personal data owner or any other person and if the personal data owner cannot disclose his consent due to actual impossibility or if his consent is not accepted as valid and applicable;
  3. If the transfer of the personal data of the parties to the contract is necessary, provided that it is directly related to the establishment or performance of a contract,
  4. If the personal data transfer is compulsory for our Company to fulfill its legal obligation,
  5. If the personal data has been publicized by the relevant person himself,
  6. If the personal data transfer is compulsory for the establishment, use or protection of any right,
  7. If the personal data transfer is compulsory for the legitimate interests of our Company, provided that it will not cause damage to the fundamental rights and freedoms of the relevant person whose personal data is processed.

 
Regardless of which reason it is based on, the general data processing principles are always taken into account and the compliance with these principles is ensured in the transferring courses (PDPL a. 4; see above 2nd Section, I,1).
 

B.Transfer of the Special Quality Personal Data

Our Company can transfer the special quality data of the relevant person whose personal data is processed to third persons in line with the personal data processing purposes legitimate and complying with the law by showing the necessary care, taking the necessary security measures and taking the sufficient measures stipulated by the PDPL Board.
 

  1. If the relevant person gives his explicit consent, based on this explicit consent or
  2. If the relevant person does not give his explicit consent;
    1. The special quality personal data other than the health and sexual life of the relevant person (data related to race, ethnic origin, political thought, philosophical belief, religion, communion or other beliefs, appearance, association, foundation or union membership, health, sexual life, conviction or security measures and biometric and genetic data) can be processed in the cases stipulated in the laws,
    2. The special quality personal data regarding the health and sexual life of the personal data owner, however, can be processed by the persons or authorized institutions and organizations under the confidentiality obligation or with the explicit consent of the personal data owner only for the purpose of protecting the public health, executing the preventive medicine, medical diagnosis, treatment and care services and planning and managing the health services and their finance.

 
Regardless of which reason it is based on, the general data processing principles are always taken into account and the compliance with these principles is ensured in the transferring courses (PDPL a. 4; see above 2nd Section, I,1).
 

C.Transfer of the Personal Data Abroad

Our Company can transfer the personal data and the special quality personal data that it processes to third persons by taking the necessary security measures in line with the personal data processing purposes complying with the law. The personal data is transferred by our Company to the countries which have ensured the compliance with the GDPR by the PDPL Board, the countries which are announced to have sufficient protection (“Foreign Country Having Sufficient Protection”) or, in the event that such countries do not have sufficient protection, the foreign countries for which the data controllers in Turkey and the relevant foreign country committed a sufficient protection in writing and for which the PDPL Law gives consent (“Foreign Country in which the Data Controller Committing the Sufficient Protection is Present”). Our Company, accordingly, acts in compliance with the regulations stipulated in the article 9 of the PDPL.
Our Company can transfer the personal data to the Foreign Countries Having Sufficient Protection or in which the Data Controller Committing the Sufficient Protection is Present and the countries which have ensured compliance with the GDPR if the relevant person whose personal data is processed gives his explicit consent or in case of the presence of any one of the following cases if the relevant person whose personal data is processed does not give his explicit consent in line with the personal data processing purposes legitimate and complying with the law:

  1. If there is an explicit regulation in the laws regarding that the personal data will be transferred,
  2. If it is compulsory for the protection of the life or physical body integrity of the personal data owner or any other person and if the personal data owner cannot disclose his consent due to actual impossibility or if his consent is not accepted as valid and applicable;
  3. If the transfer of the personal data of the parties to the contract is necessary, provided that it is directly related to the establishment or performance of a contract,
  4. If the personal data transfer is compulsory for our Company to fulfill its legal obligation,
  5. If the personal data has been publicized by the relevant person himself,
  6. If the personal data transfer is compulsory for the establishment, use or protection of any right,
  7. If the personal data transfer is compulsory for the legitimate interests of our Company, provided that it will not cause damage to the fundamental rights and freedoms of the relevant person whose personal data is processed.

 

D.Purposes for the Transfer of the Personal Data by our Company and Categories of the Persons to whom the Transfer is made

 

  1. Data Transfer Purposes

The data transfer is made for the purposes such as ensuring that the activities and establishment objectives of our Company are fulfilled, ensuring that the necessary services which our Company provides externally from the supplier and which are required for the fulfillment of the commercial activities of the Company are provided to our Company, ensuring that the human resources and employment policies of our Company are executed and ensuring that the obligations of our Company within the framework of occupational health and safety are fulfilled and the necessary measures are taken.
 

  2. Persons to whom the Data is transferred

Our Company can transfer the personal data to the person categories specified below in compliance with the articles 8 and 9 of the PDPL:
 

| Recipient category | Definition | Scope of data sharing |
| --- | --- | --- |
| Authorized Public Institutions | Public institutions and organizations authorized to obtain information and documents from our Company | Data sharing is made in accordance with the provisions of the relevant legislation. |
| Authorized Private Law Persons | Private law persons authorized to obtain information and documents from our Company | Limited data sharing is made for the purpose requested by the relevant private law persons within the scope of their legal authority. |
| Suppliers | Parties providing service to our Company or provided with service by our Company while our Company is executing its commercial activities | Limited data sharing is made for the purpose of ensuring that the necessary services which our Company provides externally from the supplier and which are required for the fulfillment of the commercial activities of the Company are provided to our Company. |
 

 
In the transfers made by our Company, the action is taken in compliance with the principles and rules issued in this Policy.
 

III.PERSONAL DATA CATEGORIZATIONS

The persons whose data is processed and, within this scope, the data processed are categorized as follows in our Company;
 

PERSON CATEGORIZATION

 

| Person category | Definition |
| --- | --- |
| Employee Candidate | Real persons who have made a job application to our Company by any means or who have opened their curriculum vitae and relevant information to our Company for examination |
| Employee | Real persons working in our Company |
| Potential Customer | Real persons who have requested to use our services or who are interested in using our services or who are considered to be interested in using our services in compliance with the commercial customs and honesty rules |
| Supplier’s Personnel | Real persons working in the corporations (such as, without limitation, business partnership, supplier) with which our Company is in all kinds of business relationships |
| Supplier’s Authorized Person | Real persons who are the shareholders and authorized persons of the corporations with which our Company is in a business relationship |
| Customer | Real persons who use or have used the services provided by our Company regardless of whether they have any contractual relationship with our Company |
| Visitor | Real persons who have entered into the physical premises owned by our Company for various purposes or who visit our websites |
| Other | Third party real persons who are related to the aforementioned persons in order to ensure the commercial transaction security between our Company and the aforementioned parties or to protect the rights of the mentioned persons and to provide an interest (for example, family members and relatives) |
 

 
 

DATA CATEGORIZATION

 

 
 
 
| Data category | Definition |
| --- | --- |
| Identity Data | Information available in documents such as Driving Licence, Birth Certificate, Residence Certificate, Passport, Attornership Identity and Marriage Certificate, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Contact Data | Information such as telephone number, address and e-mail, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Location Data | Information determining the location of the personal data owner during his use of our services, or of our employees and the employees of the corporations with which we are in cooperation while they are using the vehicles of our Company, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Personal Data | All kinds of personal data processed for obtaining the information that will form the basis of the formation of the personal rights of our employees or the real persons who are in an employment relationship with our Company, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Legal Transaction and Compliance Data | Your personal data processed within the scope of the determination and follow-up of our legal receivables and rights, the settlement of our debts, our legal obligations and the policies of our Company, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Customer Transaction Data | Information such as the records for the use of our services, the instructions necessary for the use of the services by the customer and the requests, which clearly belongs to a real person whose identity is definite or determinable and which is included in the data recording system |
| Physical Space Security Data | Personal data regarding the records and documents taken at the entry into the physical space and during the stay inside the physical space, which clearly belongs to a real person whose identity is definite or determinable and which is included in the data recording system |
| Transaction Security Data | Personal data processed for ensuring the technical, administrative, legal and commercial security while the activities are being carried out, which clearly belongs to a real person whose identity is definite or determinable and which is included in the data recording system |
| Risk Management Data | Personal data processed by the methods that are used in compliance with the generally accepted legal, commercial customs and honesty rule in these fields for us to be able to manage our commercial, technical and administrative risks, which clearly belongs to a real person whose identity is definite or determinable and which is included in the data recording system |
| Financial Data | Personal data processed with respect to the information, documents and records indicating all kinds of financial result created according to the type of the legal relationship which our Company has established with the personal data owner, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Performance and Career Development Data | Personal data processed for the purpose of measuring the performance of our employees or the real persons who are in an employment relationship with our Company and planning and executing their career development within the scope of the human resources policy of our Company, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Marketing Data | Personal data processed for customizing and marketing our services in line with the usage habits, taste and needs of the personal data owner and the report and evaluations created as a result of these processing outcomes, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Audio-Visual Data | Photographs and camera records (except for the records included within the scope of the Physical Space Security Information), sound records and data included in the documents which are the copies of the documents including personal data, which clearly belongs to a real person whose identity is definite or determinable and which is processed partially or wholly in an automatic manner or in a non-automatic manner as a part of the data recording system |
| Special Data (Health, Sexual Life) | Data regarding health and sexual life. Data related to race, ethnic origin, political thought, philosophical belief, religion, communion or other beliefs, appearance, association, foundation or union membership, health, sexual life, conviction or security measures and biometric and genetic data |
 

 
 
                                    

 

SECTION THREE: LEGAL BASES AND PURPOSES FOR THE PROCESSING OF THE PERSONAL DATA
I.LEGAL BASES FOR THE PROCESSING OF THE PERSONAL DATA
1.General Principles

Although the legal bases for the processing of the personal data by our Company differ, the action is taken in compliance with the general principles set forth in the article 4 of the Law no 6698 in all kinds of personal data processing activities. Accordingly; in all kinds of data processing activities, the following general principles are taken into account:
 

  1. Compliance with the law and the honesty rules,
  2. Being accurate and current when necessary,
  3. Being processed for certain, express and legitimate purposes,
  4. Being related to, limited to and proportional to the processing purpose,
  5. Being kept for the period stipulated in the relevant legislation or for the period required for the processing purpose.

 

2.Reasons for the Compliance with the Law

 

  1. Personal Data Owner’s giving his Explicit Consent

One of the processing requirements of the personal data is the explicit consent of the data owner. The explicit consent of the personal data owner should be clarified with respect to a specific subject, based on notification and with free will.
 

  1. Expressly Stipulated in the Laws

The personal data of the data owner can be processed in compliance with the law if expressly stipulated in the laws.
For instance, the notification of the identities of our employees to the competent authorities pursuant to the Identity Notification Legislation.
 

  1. Inability to obtain the Explicit Consent of the Relevant Person due to Physical Impossibility

The personal data of the data owner can be processed if the processing of the personal data is compulsory for protecting the life or physical body integrity of the person who cannot disclose his consent due to the physical impossibility or whose consent is not accepted as valid and applicable or any other person. For instance, sharing the blood type information of the employee who felt faint with the physician.
 

  4. Direct Relation with the Establishment or Performance of the Contract

It is possible to process the personal data if the processing of the personal data of the parties to the contract is necessary, provided that it is directly related to the establishment or performance of a contract. For instance, receiving a CV from the candidate for the establishment of the employment contract, obtaining an address for notification under the contract.
 

  5. Fulfillment of the Legal Obligation by the Company

The personal data of the data owner can be processed if the processing is compulsory for the fulfillment of its legal obligations by our Company as the data controller. For instance, processing the family information in order to have the Employee benefit from the Minimum Living Allowance.
 

  6. Publicization of the Personal Data by the Personal Data Owner

If the data owner has publicized his personal data by himself, the relevant personal data can be processed. For instance, if the customers of our Company submit their complaints, requests or suggestions in a platform open to the public on the internet, these customers are deemed to have publicized their relevant information. In this case, it is possible for the data to be processed by the authorized person of our Company, provided that it will be limited to the purpose of answering the complaints, requests or suggestions.
 

  7. Compulsory Data Processing for the Establishment or Protection of any right

If the data processing is compulsory for the establishment, use or protection of any right, the personal data of the data owner can be processed. For instance, keeping the data which has the characteristic of an evidence (sales contract, invoice) and using it at the time when it is necessary.
 

  8. Compulsory Data Processing for the Legitimate Interest of our Company

If the data processing is compulsory for the legitimate interests of our Company, provided that it will not cause damage to the fundamental rights and freedoms of the personal data owner, the personal data of the data owner can be processed. For instance, monitoring the critical points of the Company against theft or for occupational safety purpose with security camera.
 

3.Processing of the Special Quality Personal Data and Reasons for the Compliance with the Law

The special quality personal data can be processed by our Company only in the cases stipulated in the laws, provided that the sufficient measures to be determined by the PDPL Board will be taken if the personal data owner does not give his explicit consent. The special quality personal data regarding the health and sexual life of the personal data owner, however, can be processed by the persons or authorized institutions and organizations under the confidentiality obligations only for the purpose of protecting the public health, executing the preventive medicine, medical diagnosis, treatment and care services and planning and managing the health services and their finance. Regardless of which reason it is based on, the general data processing principles are always taken into account and the compliance with these principles is ensured in the processing courses (PDPL a. 4; see above 2nd Section, I,1).
 

II.PURPOSES FOR THE PROCESSING OF THE PERSONAL DATA

Our Company processes personal data as limited to the purposes and conditions included in the personal data processing requirements specified in the second paragraph of the article 5 and the third paragraph of the article 6 of the Personal Data Protection Law no 6698. Within the course of data processing, the aforementioned legal bases are taken into account and, if the other reasons for the compliance with the law are not available, the consent of the relevant person is requested. In this case, the general principles are inspected within the scope of the article 4 and principally it is required from the data processing activity to comply with the principles for the compliance with the law in general. The consent of the relevant person, however, is obtained “explicitly, based on notification and with free will”. The purposes for the processing of the personal data are specified also in “the Personal Data Inventory” of our Company.
 
The personal data is processed especially for the following purposes in the departments of our Company;

  1. For the fulfillment of the mutual obligations arising from the employment contract as the employer, the personal data of the employees should be processed. The personal data of the employees is processed and kept in compliance with the law and the honesty rules, accurately and currently when necessary, in line with the certain, express and legitimate purposes, as related to, limited to and proportional to the purpose. Within this scope, the explicit consent which will be requested from the employees in the cases where the data processing is compulsory for the execution of the processes of establishing, performing and terminating the employment contract in compliance with the law, the legitimate interests of the Company, provided that it will not be contrary to the fundamental rights and freedoms, the cases expressly stipulated in the law, the fulfillment of the legal obligations related to the employment of the employees, the establishment, use and protection of the right in the cases of legal proceedings, which is based on notification and which the employees will disclose with their own free will in line with the purposes necessary for the employment of the employees in compliance with the laws constitute the legal bases for the processing of the personal data.
  2. Within the scope of the activities required by the field of business of the Company, the legitimate interests of the employer require the processing of the personal data of the employees. The activity of processing the personal data of the employees can be performed due to the reasons such as preventing the misconducts, preventing the theft, ensuring the general security or the occupational health and safety. However, in this case, a great care is shown not to cause damage to the fundamental rights and freedoms of the employees.
  3. The majority of the personal data of the employees which is being processed is derived from the information given to the Company by the employees. Also, in certain cases, the personal data of the employees can be obtained by the Company from the internal resources such as the Company executives or the references of the employees or the data in the systems installed by the public institutions and organizations due to the requirements of the working life.
  4. The personal data of the employees which is being processed is composed of the application forms and references of the employees, the employment contracts and amendments thereof, the contact details of the employees, the information necessary for the payroll, the information regarding the family or relatives such as the persons to be contacted in case of emergencies, the information such as the training records, performance evaluation records, disciplinary records and camera records of the employees.
  5. In relation to the processing of the personal data of the employees, there are rules in many Company policies and procedures. On this matter, especially “the Personal Data Protection and Processing Policy” which is available at the website of the Company can be reviewed. Also, the mentioned document can be accessed from the intranet/QDMS system of the Company and it can be obtained from the Human Resources Department also in paper/hardcopy environment.
  6. The health information of the employees is included among the personal data processed. As a rule, the information regarding the health and sexual life of the employees is processed by the persons or authorized institutions and organizations under the confidentiality obligations for the purpose of protecting the public health, executing the preventive medicine, medical diagnosis, treatment and care services and planning and managing the health services and their finance. Within this scope, the health data of the employees and the relevant details are kept by the workplace doctor and the health department as a rule.
  7. In the event that the employee is a member of the union after being promoted to the “Employee” status (it is not requested in the employee candidate category), the union membership can also be processed in accordance with the express provisions of the law for the fulfillment of the requirements of the legal legislation. Apart from this, the data of the employees in relation to race, ethnic origin, political thought, philosophical belief, religion, communion or other beliefs, appearance and the biometric and genetic data of the employees are not included among the personal data processed unless expressly stipulated in the law, as a rule, and if an exceptional application will be made, the requirements are carefully evaluated before processing the personal data.
  8. The Company makes inspection and observations on the information communication means (telephone, mobile telephones, computers and internet). The Law no 5651 and the legitimate interests of our Company constitute the legal bases of the mentioned applications.
  9. The vehicle tracking system can be applied for the reasons of “security, management of the vehicles and the personnel in a more effective manner” in the vehicles of our Company. The mentioned activity is also based on the legitimate interests of our Company and performed, provided that it will not cause damage to the fundamental rights and freedoms of the employees.
  10. In line with the purpose of ensuring that the human resources policies of our Company are executed, the provision of the personnel suitable for the vacant positions in compliance with the human resources policies of our Company, the execution of the human resources operations in compliance with the human resources policies of our Company, the selection of the employee candidates, the management of the personal affairs, the determination of the training and career plans, the fulfillment of the obligations within the framework of the occupational health and safety and taking the necessary measures constitute the purposes for the processing of the personal data.
  11. Also the personal data of the supplier / sub-employer personnel can be processed by our Corporation. In the Law no 6331, the documents and information required to be controlled in relation to the employees who come from another workplace to the principal employer in relation to the occupational health and safety are specified. Likewise, in the Labor Law no 4857 and the Social Insurances and General Health Insurance Law no 5510, obligations are imposed to the principal employer in relation to the sub-employer workers and the temporary workers and, within this scope, the issues required to be controlled are specified. Accordingly, the processing of the personal data of the workers who work at our workplace as associated to the supplier and another employer is based on the legitimate interests of our enterprise, mainly the mentioned legal regulations.
  12. The personal data is processed in our Relevant Departments also for the purpose of:
  • executing the emergency management processes
  • executing the information security processes
  • executing the auditing/ethical activities
  • executing the training activities
  • executing the access authorizations
  • carrying out the activities in compliance with the legislation
  • carrying out the financing and accounting works
  • executing the company/services engagement processes
  • providing the security of the physical space
  • executing the assignment processes
  • following up and carrying out the legal affairs
  • carrying out the internal audit/investigation/intelligence activities
  • carrying out the communication activities
  • executing the service and operation processes
  • executing the customer relations processes
  • carrying out the activities for the customer satisfaction
  • organization and effectiveness management
  • carrying out the marketing analysis works
  • executing the performance evaluation processes
  • executing the advertising/campaign/promotion processes
  • executing the risk management processes
  • carrying out the keeping and archiving activities
  • carrying out the social responsibility and civil society activities
  • executing the contract processes
  • carrying out the sponsorship activities
  • carrying out the strategic planning activities
  • following up the requests / complaints
  • ensuring the security of the movable goods and resources
  • executing the supply chain management processes
  • executing the services marketing processes
  • ensuring the security of the data controller operations
  • procedures regarding the work and residence permits of the foreign personnel
  • executing the investment processes
  • giving information to the authorized persons, institutions and organizations
  • carrying out the management activities
  • establishing and following up the visitor records.
  • The activity of monitoring with camera at the workplace for the purposes of occupational health and safety, general security and product security is performed, provided that it will not cause damage to the fundamental rights and freedoms of our visitors, the persons whose data is processed within this scope and especially the employees, by taking into account the legitimate interests of the Company.

 

SECTION FOUR: RETENTION, DELETION, DESTRUCTION AND ANONYMIZATION OF THE PERSONAL DATA

 
If the reasons requiring the processing of the personal data disappear even though they have been processed in compliance with the provisions of the relevant law, the personal data is deleted, destroyed or anonymized based on our Company’s own decision or upon the request of the personal data owner as regulated in the article 138 of the Turkish Criminal Law and the article 7 of the PDPL.
 

I.RETENTION OF THE PERSONAL DATA AND RETENTION PERIODS

Our Company retains the personal data if stipulated in the relevant laws and the legislation for the period specified in the relevant legislation. If any period is not regulated in the legislation with respect to how long the personal data is required to be retained, the personal data is processed for the period requiring the processing of the personal data pursuant to the practices of our Company and the customs of its commercial life depending on the services that our Company renders while processing that data and can be retained in order to constitute an evidence in the legal disputes or for the purpose of claiming the relevant right or making the relevant defence depending on the personal data. The retention periods are determined by taking as basis the timeout periods for the mentioned right to be able to be claimed and the examples in the requests which had been previously made to our Company on the same matters despite the expiration of the timeout periods. In this case, the retained personal data is not accessed for any other purpose and the relevant personal data is accessed only when they are required to be used in the relevant legal dispute. In this case, after the expiration of the mentioned period, the personal data is deleted, destroyed or anonymized.
 
 

II.DELETION, DESTRUCTION AND ANONYMIZATION OF THE PERSONAL DATA

If the reasons requiring the processing of the personal data disappear even though they have been processed in compliance with the provisions of the relevant law, the personal data is deleted, destroyed or anonymized based on our Company’s own decision or upon the request of the personal data owner as regulated in the article 138 of the Turkish Criminal Law and the article 7 of the PDPL. Within this scope, our Company fulfills its relevant obligations by the methods clarified in this section.
 

A.Deletion of the Personal Data

 

  1. Procedure of deleting the Personal Data

Our Company can delete the personal data based on its own decision or upon the request of the personal data owner if the reasons requiring the processing of the personal data disappear even though they have been processed in compliance with the provisions of the relevant law. The deletion of the personal data is the procedure of making the personal data inaccessible and unreusable for the relevant users. All kinds of technical and administrative measures necessary for the deleted personal data to become inaccessible and unreusable for the relevant users are taken by our Company.
 

  2. Process of deleting the Personal Data

The process required to be followed in the procedure of deleting the personal data is as follows:

  • Determination of the personal data to be subject to the deletion procedure.
  • Determination of the relevant users for each personal data by using access authorization and control matrix or a similar system.
  • Determination of the authorizations and methods of the relevant users such as access, recovery, reuse etc.
  • Closure and elimination of the authorizations and methods of the relevant users such as access, recovery, reuse etc. within the scope of the personal data.

 

  3. Methods of deleting the Personal Data

As the personal data can be retained in various recording environments, they are deleted by the methods suitable for the recording environments.
 

B.Destruction of the Personal Data

 

  1. Procedure of destroying the Personal Data

Our Company can destroy the personal data based on its own decision or upon the request of the personal data owner if the reasons requiring the processing of the personal data disappear even though they have been processed in compliance with the provisions of the relevant law. The destruction of the personal data is the procedure of making the personal data inaccessible, unrecoverable and unreusable by any person. Our Company takes all kinds of necessary technical and administrative measures related to the destruction of the personal data.
 

  2. Methods of destroying the Personal Data

For the destruction of the personal data, all copies including the data are determined and the systems including the data are destroyed one by one.
 

C.Anonymization of the Personal Data

 

  1. Procedure of anonymizing the Personal Data

The anonymization of the personal data is to cause the personal data not to be able to be correlated with a real person whose identity is definite or determinable by any means even by matching with other data. Our Company can anonymize the personal data when the reasons requiring the processing of the personal data processed in compliance with the law disappear. The personal data is anonymized by causing it not to be able to be correlated with a real person whose identity is definite or determinable even by using the appropriate techniques in terms of the recording environment and the relevant area of activity such as recovery of the data and/or matching of the data with other data by the data controller or the receiver groups. Our Company takes all kinds of necessary technical and administrative measures for the anonymization of the personal data.
 
The personal data which is anonymized can be processed for the purposes such as research, planning and statistics in compliance with the article 28 of the PDPL. This type of processing is out of the scope of the PDPL and the explicit consent of the personal data owner shall not be required.
 

  2. Methods of anonymizing the Personal Data

Anonymization is the prevention of the identification of the relevant person or the loss of the characteristic of being distinguishable within a group or a crowd in such a manner that it cannot be correlated with a real person by removing or changing all direct and/or indirect identifiers within a data cluster. As a result of preventing or losing these characteristics, the data which does not point out a specific person is deemed to have been anonymized. The purpose of anonymization is to disconnect the relation between the data and the person who is identified by that data. All of the relation disconnection procedures carried out by the methods such as grouping, masking, derivation, generalization, randomization which are automatic or non-automatic and which are applied to the records available in the data recording system where the personal data is retained are called as the anonymization methods. As a result of the application of these methods, the data obtained should not be able to identify a specific person.
 
 
 
 

SECTION FIVE: RIGHTS OF THE RELEVANT PERSONS

 

I.SCOPE OF THE RIGHTS OF THE RELEVANT PERSONS AND USE OF THESE RIGHTS

 

A.Rights of the Relevant Persons

The persons whose personal data is processed by our Company have the rights set forth below:

  • Learning whether the personal data has been processed or not,
  • Requesting the relevant information if the personal data has been processed,
  • Learning the purpose of processing the personal data and whether the personal data is used as suitable for the purpose,
  • Knowing the third persons to whom the personal data has been transferred in the country or abroad,
  • Requesting the correction of the personal data if the personal data has been processed deficiently or incorrectly and requesting the notification of the procedure that is performed within this scope to the third persons to whom the personal data has been transferred,
  • Requesting the deletion or destruction of the personal data if the reasons requiring the processing of the personal data disappear although the personal data has been processed in compliance with the provisions of the PDPL and the other relevant laws and requesting the notification of the procedures performed within this scope to the third persons to whom the personal data has been transferred,
  • Objecting to the occurrence of a result against the person himself by analyzing the personal data exclusively via automatic systems,
  • Requesting the elimination of the damage if they are exposed to damage due to the processing of the personal data in contrary to the Law.

 

B.Use of the Rights by the Relevant Persons

It is necessary and sufficient for the Relevant Persons to forward their requests related to using their rights specified above to our Company by the following methods in accordance with the first paragraph of the article 13 of the PDPL;
 

 
Application Method: Application in person (Applicant comes in person and applies with a document certifying his Identity)
Address to which the application will be made: Resitpasa Mah. Degirmentepe Aykan Sok. No: 18/2 Emirgan, 34467 Sariyer Istanbul / Turkey
Information to be indicated in sending the Application: “Information Request Under the Personal Data Protection Law” shall be written on the envelope.

Application Method: Notification via notary public
Address to which the application will be made: Resitpasa Mah. Degirmentepe Aykan Sok. No: 18/2 Emirgan, 34467 Sariyer Istanbul / Turkey
Information to be indicated in sending the Application: “Information Request Under the Personal Data Protection Law” shall be written on the notification envelope.

Application Method: By Registered Electronic Mail (REM) by signing with “Secure Electronic Signature”
Address to which the application will be made: asyanakliyat@hs03.kep.tr
Information to be indicated in sending the Application: “Information Request Under the Personal Data Protection Law” shall be written to the subject section of the e-mail.
 

 
The application must include name, surname and, if the application is in writing, signature, T.R. Identity Number for the Turkish citizens, nationality, passport number or identity number, if any, for foreigners, residence or workplace address for notification, electronic mail address, if any, for notification, telephone number and fax number, and subject of the request. The relevant information and documents are also added to the application.
 
It is not possible for the third persons to make a request on behalf of the personal data owners. For any person other than the personal data owner to make a request, there should be available a special power of attorney issued by the personal data owner in the name of the person who will make an application with respect to the subject matter. In the application which you will make in order to use your rights that you have as the personal data owner and which are specified above and which includes your clarifications regarding the right that you request to use, the issue that you request should be clear and understandable, the subject that you request should be related to you or, if you are acting on behalf of any other person, you should be specifically authorized on this matter and your authorization should be certified, the application should include the identity and address information and the documents certifying your identity should be added to the application.
 
 
The application form regarding the data owners is available at the website of our Company.
 

C.Reply to the Applications

In the event that the personal data owner has forwarded his request in compliance with the procedure stipulated, our Company shall conclude the relevant request free of charge within the shortest period of time as per the nature of the request and within no later than thirty days. However, if the procedure requires a separate cost, the fee in the tariff determined by the PDPL Board shall be collected from the applicant by our Company. Our Company may request information from the relevant person in order to determine whether the person who applies is the personal data owner. Our Company may ask questions to the personal data owner in relation to his application in order to clarify the issues set forth in the application of the personal data owner. The applications are managed within our Company in accordance with “the Relevant Person Application Procedure” of our Company.
 

SECTION SIX: ENSURING THE SECURITY OF THE PERSONAL DATA

 

I.TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR ENSURING THE PROCESSING OF THE PERSONAL DATA IN COMPLIANCE WITH THE LAW

Our Company takes all necessary technical and administrative measures in order to ensure the processing of the personal data in compliance with the law. Within this scope,
 

  • Within the scope of our Company, the Data Inventory compatible with the VERBIS system is issued (Data Mapping) and the inspections regarding the compliance with the law and purpose are made herein.
  • For the obligation of our Company to make clarifications to the relevant persons to be able to be fulfilled completely and properly, “the Policy for the Clarification Principles in the Processing of the Personal Data” was put into force.
  • The employees are informed about the personal data protection law and the processing of the personal data in compliance with the law.
  • All activities carried out by our Company are analyzed in detail as specific to all business departments and as a result of this analysis, the personal data processing activities are revealed as specific to the activities performed by the relevant business departments.
  • The personal data processing activities carried out by the business departments of our Company and the requirements to be fulfilled for ensuring the compliance with the personal data processing conditions required by the Law no 6698 are determined as specific to each business department and the detail activity carried out by it.
  • The records imposing the obligation not to process, not to disclose and not to use the personal data, except for the exemptions introduced with the instructions of the Company and by the law, are included into the contracts and documents managing the legal relationship between our Company and the employees and the awareness of the employees on this matter is ensured and the inspections are carried out.
  • The records imposing the obligation not to process, not to disclose and not to use the personal data, except for the exemptions introduced with the instructions of the Company and by the law, are included into the contracts and documents managing the legal relationship between our Company and the third persons processing the data for whom our Company is responsible and “the Supplier Confidentiality Contract” was put into force on this matter.

 
 

II.TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN IN THE PROCESSING OF THE SPECIAL QUALITY PERSONAL DATA

With the PDPL, special importance is attached to certain personal data due to the risk of causing the unjust treatment of the persons or discrimination when they are processed contrary to the law. This data is the data related to race, ethnic origin, political thought, philosophical belief, religion, communion or other beliefs, appearance, association, foundation or union membership, health, sexual life, conviction or security measures and the biometric and genetic data.
Our Company acts with sensitivity in the protection of the special quality personal data designated as “special quality” with the PDPL and processed in compliance with the law. Within this scope, the technical and administrative measures taken by our Company for the protection of the personal data are applied carefully in terms of the special quality personal data and the necessary inspections are ensured. Within this scope;

  • With respect to the security and the processing principles of the special quality personal data, “the Personal Data Protection and Processing Policy” was prepared.
  • The employees who are involved within the courses of processing the special quality personal data are given regular trainings on the Law and the relevant regulations and the special quality personal data security, the confidentiality contracts are signed, the authorization scope and duration of the users who are authorized to access the data are clearly determined, the authorization controls are made, the authorizations of the employees whose duty is changed or who quit the job are immediately revoked and, within this scope, the inventory allocated to the employee by the data controller is withdrawn.
  • If the environments where the special quality personal data is processed, maintained and/or accessed are electronic environments, the data is maintained by using cryptographic methods. The cryptographic keys are kept in secure and different environments, the transaction records of all actions taken on the data are logged securely, the security updates for the environments where the data is available are followed up, the necessary security tests are performed and the test results are recorded.
  • In the event that the data is accessed via software, the user authorizations for this software are made, the security tests of this software are regularly performed and the test results are recorded. If the data is required to be accessed remotely, at least a two-step identity verification system is ensured.
  • If the environments where the special quality personal data is processed, maintained and/or accessed are physical environments, the sufficient security measures are taken (against electricity leakage, fire, flood, theft etc.) as per the nature of the environment where the special quality personal data is available and the unauthorized entries and exits are prevented by ensuring the physical security of these environments.
  • If the special quality personal data must be transferred by e-mail, it is transferred in encrypted form via the corporate e-mail address or by using a Registered Electronic Mail (REM) account.
  • If the special data must be transferred on media such as memory devices, CD or DVD, the data is encrypted by cryptographic methods and the cryptographic key is kept in a different environment.
  • If the special data is transferred between servers in different physical environments, the data transfer is made by establishing a VPN between the servers or by the sFTP method. If the special data must be transferred on paper, the necessary measures are taken against risks such as the documents being stolen, lost or seen by unauthorized persons, and the document is sent in the format of “classified documents”.
  • In addition to the aforementioned measures, the technical and administrative measures for ensuring the appropriate security level specified in the Personal Data Security Guide published at the website of the Personal Data Protection Board are also taken into account.

 

III.TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR PREVENTING THE ACCESS TO THE PERSONAL DATA CONTRARY TO THE LAW

Our Company takes technical and administrative measures to prevent the careless or unauthorized disclosure of, access to and transfer of the personal data, and any other access to the personal data contrary to the law.
 

A.Technical Measures taken for preventing the access to the Personal Data contrary to the law

The main technical measures taken by our Company in order to prevent access to the personal data contrary to the law are listed below:
 

  1. Ensuring the Cyber Security

To ensure the security of the personal data, cyber security products are used first of all, but the measures are not limited to this. Measures such as a firewall and a gateway are taken. Unused software and services are removed from the devices.
 

  2. Software Updates

By means of patch management and software updates, it is ensured that the software and hardware function properly, and it is regularly checked whether the security measures taken for the systems are sufficient.
 

  3. Access Restrictions

Access to the systems that include personal data is also restricted. Within this scope, the employees are granted access authorization to the extent necessary for the works and duties that they carry out and for their authorities and responsibilities, and access to the relevant systems is provided by user name and password. When these user names and passwords are created, combinations of upper-case and lower-case letters, numbers and symbols are preferred over number or letter sequences that are related to personal information and are easy to guess. Accordingly, the access authorization and control matrix is created.
 

  4. Encoding

In addition to the use of strong codes and passwords, access is restricted by methods such as limiting the number of password entry attempts, ensuring that the codes and passwords are changed at regular intervals, enabling the administrator account and admin authority only when necessary, and deleting the account or disabling the logins without delay for the employees whose relationship with the data controller has ended.
 

  5. Anti-Virus Software

For protection against malicious software, products such as anti-virus and anti-spam, which regularly scan the information system network and identify the threats, are also used, and the necessary files are regularly scanned while such products are kept up-to-date. If personal data will be obtained from different websites and/or mobile application channels, it is ensured that the connections are made by SSL or a more secure way.
 

  6. Follow-up of the Personal Data Security
    • It is checked which software and services run in the information networks,
    • It is determined whether there is any intrusion or any action that should not occur in the information networks,
    • The record of the actions of all users is regularly kept (such as log records),
    • The security problems are reported as quickly as possible,

and an official reporting procedure is established for the employees to notify the security gaps in the systems and services or the threats using these security gaps.

In undesired incidents such as a collapse of the information system, malicious software, denial-of-service attacks, incomplete or incorrect data entry, violations that compromise confidentiality and integrity, and misuse of the information system, the evidence is collected and kept in a secure manner.
 

  7. Ensuring the Security of the Environments Including Personal Data

If the personal data is retained in devices or on paper in the premises of the data controllers, physical security measures are taken against threats such as these devices and papers being stolen or lost. The physical environments where the personal data is available are protected against external risks (fire, flood etc.) by suitable methods, and the entries into / exits from these environments are taken under control.
 
If the personal data is in electronic environment, the access between the network components can be restricted or the separation of the components is ensured in order to prevent the personal data security violation.
 
Measures at the same level are also taken for the paper environments, electronic environments and devices (laptop computer, mobile phone, flash memories) which are outside of the Company premises and which include the personal data of the Company. The personal data to be transferred by electronic mail or mail is also sent carefully and by taking sufficient measures.

In the event that the employees access the information system network with their personal electronic devices, sufficient security measures are taken for these devices as well.

Access control authorization and/or encryption methods are applied against cases such as the loss or theft of devices containing personal data. Within this scope, the encryption key is kept in an environment that only the authorized persons can access, and unauthorized access is prevented.
 
The documents in paper environment including personal data are kept in the environments which are locked and which are accessible only to the authorized persons and the unauthorized access to the mentioned documents is prevented.
 

  8. Storage of the Personal Data in the Cloud

Cloud storage of the personal data may also be used when necessary. In this case, it should be evaluated by the Company whether the security measures taken by the cloud storage service provider are sufficient and appropriate. Within this scope, the measures specified in the guide and recommendations of the PDP Board are taken into account.
 

  9. Supply, Development and Maintenance of the Information Technologies Systems

While determining the needs related to the supply and development of the new systems or the improvement of the existing systems, the security requirements are taken into consideration by the Company.
 

  10. Back-up of the Personal Data

In cases where the personal data is damaged, destroyed, stolen or lost for any reason, the Company ensures that operations resume within the shortest period of time by using the backed-up data. The backed-up personal data is accessible only to the system manager and the data set back-ups are kept off the network.
 

B.Administrative Measures taken for preventing the access to the Personal Data contrary to the law

The main administrative measures taken by our Company in order to prevent access to the personal data contrary to the law are listed below:

  • The employees are informed and trained on the technical measures to be taken for preventing access to the personal data contrary to the law.
  • The employees are informed that they may not disclose to others, contrary to the provisions of the PDPL, the personal data that they have learned, that they may not use the personal data for any purpose other than its intended use and that this obligation continues after their employment ends; accordingly, the necessary commitments are obtained from them.
  • The Personal Data Security Policies and Procedures are established, the controls are regularly made within the scope of the policies and procedures, the controls made are documented and the issues requiring improvement are determined. Also, how to manage the risks and security violations that might arise for each personal data category is clearly determined.
  • Reducing the Personal Data as far as possible: The personal data should be accurate and current and should be maintained for the period stipulated in the relevant legislation or necessary for the processing purpose. It is evaluated whether data which is not accurate, which is not current or which does not serve any purpose is still needed, and the personal data which is not needed is deleted, destroyed or anonymized in accordance with the personal data retention and disposal policy.
  • Management of the Relations with the Data Processors: When the Company purchases service from data processors in order to meet its IT needs, it acts by making sure that these data processors provide at least the level of security that the Company itself ensures for the personal data. Within this scope, the protective regulations related to the protection of the personal data are included in the contracts signed with the data processors.

IV.RETENTION OF THE PERSONAL DATA IN SECURE ENVIRONMENTS

Our Company takes the necessary technical and administrative measures, according to the technological opportunities and the cost of implementation, in order to ensure that the personal data is retained in secure environments and to prevent the personal data from being destroyed, lost or modified for purposes contrary to the law.
 

A.Technical Measures taken for the Retention of the Personal Data in Secure Environments

The main technical measures taken by our Company for the retention of the personal data in secure environments are listed below:

  • For the retention of the personal data in secure environments, the systems suitable for the technological developments are used.
  • The technical security systems are established for the retention areas, the technical measures taken are periodically inspected by the inspection mechanism determined by our Company, the issues posing risk are reevaluated and the necessary technological solutions are generated.
  • All necessary infrastructures are used in compliance with the law for ensuring the retention of the personal data in a secure manner.

 

B.Administrative Measures taken for the Retention of the Personal Data in Secure Environments

The main administrative measures taken by our Company for the retention of the personal data in secure environments are listed below:

  • The employees are informed about ensuring that the personal data is retained in a secure manner.
  • In the event that any service is purchased from outside due to the technical requirements about the retention of the personal data by our Company, the contracts signed with the relevant companies to which the personal data is transferred in compliance with the law include the provisions regarding that the persons to whom the personal data is transferred will take the necessary security measures for the purpose of protecting the personal data and they will ensure that these measures are complied with in their own corporations and, on this matter, the action is taken in accordance with the provisions set forth in the Policy for “the Principles for the Protection of the Personal Data in the Relations with the Third Parties” of the Company.

 

V.TRAINING

 

  • Our Company gives the necessary trainings to its employees on the protection of the Personal Data within the scope of the Policy and the PDP Procedures and the PDPL Regulations.
  • In the trainings, the applications for the definition and protection of the Special Quality Personal Data are specifically mentioned.
  • If an employee of our Company accesses the Personal Data physically or in a computer environment, our Company gives the relevant employee training specific to this access (for instance, on the computer program accessed).

 

VI.INSPECTION

 

A.Increase and Inspection of the Awareness of the Business Departments on the Protection and Processing of the Personal Data

Our Company ensures that the necessary notifications are made to the business departments in order to increase awareness of preventing the processing of the personal data contrary to the law, preventing access to the data contrary to the law and ensuring the maintenance of the data.
 

B.Increase and Inspection of the Awareness of the Business Partners and the Suppliers on the Protection and Processing of the Personal Data

Our Company gives the necessary information to the business partners in order to increase awareness of preventing the processing of the personal data contrary to the law, preventing access to the data contrary to the law and ensuring the maintenance of the data.
 
 

C.Inspection of the Measures taken for the Protection of the Personal Data

Our Company is entitled to inspect, at any time, ex officio and without making any preliminary notification, whether all employees, departments and contractors of the Company act in compliance with this Policy and the PDP Regulations and, within this scope, carries out or causes to be carried out the routine inspections. The results of these inspections are evaluated within the scope of the internal functioning of the Company and the necessary activities are carried out for the improvement of the measures taken.
 

Measures to be taken in the case of the Disclosure of the Personal Data in an unauthorized manner:

Our Company operates a system which ensures that, if personal data processed in compliance with Article 12 of the PDPL is obtained by others by illegal means, the relevant personal data owner and the PDP Board are notified of this situation within the shortest period of time.