Network Access Information Text
Information Security Policy
Call Center Information Text
COMPANY Personal Data Processing and Protection Policy
COMPANY General Information Text
COMPANY Personal Data Storage and Destruction Policy
KVKK Application Form
Network Access Information Text
NETWORK ACCESS CLARIFICATION TEXT
This clarification text is written by Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. as the data controller within the scope of Article 6698 of the Personal Data Protection Law No. 10 and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation. Ltd. Ltd. Prepared by.
- Identity of the Data Controller
In accordance with the Personal Data Protection Law No. 6698 (“Law No. 6698”), your personal data; Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. as the data controller. Ltd. Ltd. ("Company") may be processed within the scope explained below.
Title: Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd.
Internet address : https://www.navbea.com/
E-mail address : info@navbea.com
Address: Teknopol Istanbul Ahmet Yesevi mah. Kerem St. No.9/1 Office No.10 34903 Istanbul / Turkey
Phone number : + 90 (216) 352 02 022.
- Purposes of Processing Personal Data
Your personal data is transferred to Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. as the data controller. Ltd. Ltd. It is processed within the scope of the provisions of the Personal Data Protection Law No. 6698 ("KVKK") and within the framework of this Information Text for Keeping Network Access Records within the Scope of Law No. 5651 ("Information Text").
Your personal data categories processed within the scope of providing you with internet access and fulfilling our legal obligations within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVKK and the purposes of processing such personal data are explained in detail below.
Personal Data Category | Personal Data Processing Purposes |
Identity Data | · Execution of Information Security Processes · Conducting Activities in Compliance with Legislation · Providing Information to Authorized Persons, Institutions and Organizations |
Transaction Security Data
| · Execution of Information Security Processes · Conducting Activities in Compliance with Legislation · Providing Information to Authorized Persons, Institutions and Organizations |
The Company respects your concerns regarding the protection of your privacy and personal data. In this context, the company processes your personal data in accordance with all legislative provisions regarding the protection of personal data, especially KVKK, ensures that your data is hosted securely and takes all necessary security measures against possible unlawful access. This Information Text explains the extent to which your personal data collected within the framework of your use of the company's internet connection is processed. You can find detailed information about the processing of your personal data by the Administration in the Personal Data Processing and Protection Policy available on the website.
- Collecting Method and Legal Reasons for Your Personal Data
Your personal data is collected by the company electronically through the guest internet network and other methods (channels) that may be added in the future, within the scope of legitimate interest personal data processing conditions (legal reasons) as clearly stipulated in the laws regulated in Articles 5 and 6 of the KVKK.
- Transfer of Your Personal Data
Within the company, your personal data can only be accessed to the extent necessary to fulfill their duties by our employees who have limited access to authorization for the purposes detailed above.
On the other hand, your collected personal data may be processed within the scope of personal data processing conditions (legal reasons) if it is clearly stipulated by law, legitimate interest and the establishment, exercise or protection of a right in accordance with Article 8 of the KVKK:
It may be transferred to our suppliers and our suppliers' employees for the purpose of supplying products and/or services in terms of carrying out the company's activities, and to legally authorized organizations and private individuals for the purposes of fulfilling the company's legal obligations and monitoring legal affairs.
- Rights of the Relevant Person
Natural persons whose personal data are processed within the company have the following rights in accordance with Article 11 of the Law:
- Learning whether personal data is processed or not,
- Request information if personal data is processed,
- Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- To request correction of personal data if it is incomplete or incorrectly processed, and to request notification of the transaction made within this scope to third parties to whom personal data have been transferred,
- Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and requesting that the transaction carried out in this context be notified to third parties to whom personal data has been transferred,
- Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
- Request compensation for damages in case of damage due to unlawful processing of personal data.
- The relevant person may submit requests regarding these rights to the Data Controller in accordance with the Communiqué on Application Procedures and Principles. The requests of the relevant person will be evaluated and decided free of charge as soon as possible and within thirty (30) days at the latest. If the evaluation and decision-making process requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be taken as basis. It is presented to the public with our respect.
Information Security Policy
INFORMATION SECURITY POLICY
Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd. Within the scope of the Information Security Management standard, information resources and information devices are important assets. All employees who use information assets and resources or provide information are obliged to protect their information assets.
The purpose of this Policy is to protect our Company's information assets against all internal, external, intentional or accidental threats, while ensuring the continuity of basic and supporting business activities.
In our company, all employees who use common information assets are expected to show the necessary sensitivity and to act in a way that respects corporate values. As a requirement of corporate values, confidentiality is given importance. Information is not shared unless the owner of the information requests it, unless authorization is given or unless legal requirements are met.
Our company, in line with ISO 27001:2013 Information Security Management System Standard and ISO 20000-1 Information Technologies Service Management System Standards;
- To provide secure access to its own and its stakeholders' information assets,
- To protect the availability, integrity and confidentiality of information,
- Evaluating and managing risks that may occur on its own and its stakeholders' information assets,
- To protect the reliability and brand image of the institution,
- To apply the necessary sanctions in case of information security violation,
- To provide information security requirements arising from national, international or sectoral regulations to which it is subject, to fulfill the requirements of the relevant legislation and standards, to meet its obligations arising from agreements, and corporate responsibilities towards internal and external stakeholders,
- To reduce the impact of information security threats on business/service continuity and ensure the continuity and sustainability of the business,
- To maintain and improve the level of information security with the established control infrastructure,
- To provide training that will improve competencies in order to increase information security awareness,
- To ensure compliance with the Personal Data Protection Law (KVKK) and the General Data Protection Law (GDPR), which is the European Union legislation,
- Establishing an organizational management structure by being sensitive to personal data security,
- Identifying possible risks with the Service Management System Management System (ISO 20000-1) and creating a risk management using methods such as risk acceptance, risk avoidance, risk reduction, risk control and risk transfer,
It undertakes to comply with the applicable legislation regarding the Service Management System and Information Technologies Management System.
Call Center Information Text
CALL CENTER INFORMATION TEXT ON THE PROTECTION OF PERSONAL DATA
This clarification text is written by Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. as the data controller within the scope of Article 6698 of the Personal Data Protection Law No. 10 and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation. Ltd. Ltd. Prepared by.
- Identity of the Data Controller
In accordance with the Personal Data Protection Law No. 6698 (“Law No. 6698”), your personal data; Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. as the data controller. Ltd. Ltd. ("Company") may be processed within the scope explained below.
Title: Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd.
Internet address : https://www.navbea.com/
E-mail address : info@navbea.com
Address: Teknopol Istanbul Ahmet Yesevi mah. Kerem St. No.9/1 Office No.10 34903 Istanbul / Turkey
Phone number : +90 (216) 352 02 02
- Purposes of Processing Personal Data
Your personal data is processed by our company within the framework of the responsibilities imposed on our company by the legislation; Provided that the basic principles of the Law are adhered to, personal data is processed by us or by natural/legal person data processors we appoint, in accordance with the processing conditions specified in Articles 5 and 6 of the Law. In this context, your personal data is processed in line with our processing purposes in the situations and conditions stated below:
- Addressing the caller correctly,
- Confirmation of the call and determination of the number of calls for statistical purposes,
- To be used as evidence in disputes that may arise in the future,
- Conducting audit/ethics activities,
- Conducting internal audit/investigation activities,
- Execution/supervision of business activities,
- Execution of customer relationship management processes,
- Managing performance evaluation processes,
- Follow-up of requests and complaints,
- Carrying out our company's information consultancy service provision process.
- Method of Personal Data Collection and Legal Reason
Your personal data is obtained by sharing the personal data of the data owner during the conversations with our call center and by recording the conversations.
Legal reasons for processing your personal data by the Company; These are the exceptions to the express consent specified in paragraphs a, c, ç, e and f of the second paragraph of Article 5 of the KVKK. Your personal data is processed for the specified legal reasons, in accordance with all applicable legislation and for the purposes specified in this information text.
- Transfer of Personal Data
Our company acts in accordance with the regulations stipulated in the KVKK regarding the transfer of personal data. Without prejudice to the exceptional cases in the legislation, personal data and sensitive data are not transferred to other real or legal persons by us without the explicit consent of the Data Owner.
In exceptional cases stipulated by KVKK and other legislation, utmost care is taken to comply with the forms and limitations stipulated in the legislation when transferring personal data to authorized administrative or judicial institutions or private organizations.
- Rights of the Relevant Person
Relevant persons have the following rights in accordance with Article 11 of the Law:
- Learning whether personal data is processed or not,
- Request information if personal data is processed,
- Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- To request correction of personal data if it is incomplete or incorrectly processed, and to request notification of the transaction made within this scope to third parties to whom personal data have been transferred,
- Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and requesting that the transaction carried out in this context be notified to third parties to whom personal data has been transferred,
- Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
- Request compensation for damages in case of damage due to unlawful processing of personal data.
The relevant person may submit requests regarding these rights to the Data Controller in accordance with the Communiqué on Application Procedures and Principles. In applications, name, surname and signature if the application is written, TR ID number for citizens of the Republic of Turkey, nationality, passport number/identification number for foreigners, residence or workplace address for notification, e-mail address for notification if any, telephone or fax number and request. It is mandatory to have a subject.
In your application containing your explanations regarding the right you have as a personal data owner and which you request to use in order to exercise your above-mentioned rights; The matter you are requesting must be clear and understandable, the matter you are requesting must be personally related to you, or if you are acting on behalf of someone else, you must be specifically authorized in this matter and your authority must be documented, the application must include identity and address information, and documents proving your identity must be attached to the application.
In order to exercise your rights pursuant to Article 11 of the KVKK, you must completely fill out the application form on our website and send a copy with a wet signature to our company's headquarters in person or through a notary.
The requests of the relevant person will be evaluated and decided free of charge as soon as possible and within thirty (30) days at the latest. If the evaluation and decision-making process requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be taken as basis.
COMPANY Personal Data Processing and Protection Policy
KODAR BİLİŞİM İLETİŞİM VE TANITIM HİZMETLERİ TİC. LTD. ŞTİ. PERSONAL DATA PROTECTION AND PROCESSING POLICY
PART 1
1.1 INTRODUCTION
Protection of personal data, Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd.'("Company"), and maximum effort is made to comply with all legislation in force in this regard. Within the framework of this Personal Data Protection and Processing Policy ("Policy"), the principles adopted in the execution of personal data processing activities carried out by our Company and the basic principles adopted in terms of compliance of our Company's data processing activities with the regulations in the Personal Data Protection Law No. 6698 ("Law") are explained. and thus, our Company provides the necessary transparency by informing personal data owners. Your personal data is processed within the scope of this Policy, with full awareness of our responsibility in this context.
1.2. PURPOSE
Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd. (“Company”), in line with the Personal Data Protection and Processing Policy, undertakes to comply with the principles and rules brought by the Constitution of the Republic of Turkey, the Personal Data Protection Law No. 6698 (KVKK) and other legislation regarding the protection of personal data and to protect the rights of relevant persons. For this purpose, a written personal data protection policy and system has been adopted to be implemented and developed.
The Personal Data Processing and Protection Policy sets out the principles to be adopted by the Company and taken into account in practice regarding the protection and processing of personal data.
The Policy aims to determine the framework and ensure coordination of compliance activities to be carried out specifically for the relevant Company in order to comply with the Personal Data Protection Law No. 6698 ("KVK") regarding the protection and processing of personal data as a Company. In this context, the aim is; Ensuring that the activities are carried out in accordance with the principles of legality, honesty and transparency, and that the company establishes and implements its own standards in the management of personal data; determining and supporting organizational goals and obligations, establishing control mechanisms in line with the acceptable risk level; It is to fulfill the obligations to which it is subject in accordance with international agreements in the field of personal data protection, the Constitution, laws, contracts and professional rules and to protect the interests of individuals in the best way possible.
WHAT IS THE SCOPE?
This policy covers the services provided within the Company. The policy provisions cover all information systems and sub-information, contracts, environmental and physical areas involved in the processing of personal data in the company's fields of activity and work areas, and the systems and regulations produced for all these. This policy covers all departments, directorates of the company, employees of companies providing all kinds of services, interns and contracted personnel. Any action that violates KVKK or this policy is evaluated within the scope of the relevant legislation and sanctions are applied accordingly.
The company's solution partners, public institutions and all third parties working with the company who have or may have access to personal data are invited to read and comply with this policy. Third parties must ensure the protection of personal data with a system that has at least as strong and sufficient standards as the company regarding the protection of personal data.
1.4. AIM
The Company's KVK Policy aims to establish the necessary systems and ensure compliance with the legislation in line with the aim of raising awareness about the legal processing and protection of personal data within the Company.
In this context, the Company's KVK Policy aims to provide guidance in terms of the implementation of the regulations set forth by the KVK Law and relevant legislation.
SECTION 2
2.1. DEFINITIONS AND ABBREVIATIONS
COMPANY: | Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd.
|
EXPRESS CONSENT: | Consent regarding a specific subject, based on information and expressed with free will. |
ANONYMOSIS: | It is the alteration of personal data in such a way that it loses its nature as personal data and this situation cannot be reversed. Ex: Masking, aggregation, data corruption, etc. Making personal data unable to be associated with a natural person using techniques. |
RELATED PERSON: | The real person whose personal data is processed. Ex: Customers, visitors, employees and employee candidates. |
PERSONAL DATA: | Any information regarding an identified and identifiable natural person. Therefore, processing of information regarding legal entities is not within the scope of the Law. For example: name-surname, TR ID number, e-mail, address, date of birth, credit card number, bank account number, etc. |
SPECIAL PERSONAL DATA: | Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special data. |
PROCESSING OF PERSONAL DATA: | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking. |
DATA CONTROLLER: | It refers to the natural or legal person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept (data recording system). |
DATA OWNER APPLICATION FORM: | The application form that the Relevant Person will use when applying for their rights stated in Article 11 of the KVK Law. |
CONSTITUTION: | Constitution of the Republic of Turkey, No. 9, dated 1982 November 17863, published in the Official Gazette No. 7, dated 1982 November 2709. |
KVK LAW: | Personal Data Protection Law No. 7, dated 2016 March 29677, published in the Official Gazette No. 24, dated 2016 April 6698. |
POLICY: | Company Personal Data Protection and Processing Policy |
NOTIFICATION ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE DISCLOSURE OBLIGATION: | Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation, which came into force after being published in the Official Gazette No. 10 dated 2018 March 30356. |
PERSONAL DATA STORAGE AND DESTRUCTION POLICY: | In accordance with the Regulation on Deletion, Destruction and Anonymization of Personal Data, the company determines the maximum period required for the purpose for which personal data is processed and the policy used as the basis for the deletion, destruction and anonymization process. |
PERIODIC DISPOSAL: | The deletion, destruction or anonymization process to be carried out at recurring intervals in case all the processing conditions of personal data specified in the law are eliminated. |
REGISTERED ELECTRONIC MAIL (REP): | It is a system that protects all kinds of commercial, legal correspondence and document sharing as you send it, determines exactly who the recipient is, ensures that the content is not changed, and turns the content into legally valid, safe and definitive evidence. |
DATA CONTROLLERS REGISTRY INFORMATION SYSTEM: | The information system created and managed by the Presidency, accessible over the internet, that data controllers will use in applying to the Registry and other related transactions related to the Registry. |
2.2. CLASSIFICATION OF PROCESSED PERSONAL DATA
Personal Data:
Personal data; It is all kinds of information regarding an identified or identifiable natural person.
Protection of personal data only concerns real persons, and information belonging to legal entities that does not contain information about real persons is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.
Personal Data Categories | Subheadings and Explanations |
ID | Documents such as driver's license, identity card and passport containing information such as name and surname, TR ID number, nationality information, mother's name-father's name, mother's maiden name, place of birth, date of birth, gender, as well as tax number, SSI number, signature information, vehicle license plate. etc. information. |
Contact | Contact information; telephone number, address, e-mail address, fax number, etc. are personal data. |
personnel | Payroll information, disciplinary investigation, employment entry-exit document records, CV information, performance evaluation reports, etc. |
Legal action | Correspondence information with Judicial Authorities, information in case files. |
Customer Transaction | Invoice, bill of exchange, check information, request information, order information, etc. data about customers. |
Physical Space Security | Entry and exit records and camera recordings of employees and visitors. |
Transaction Security | Website login and logout information, IP address information, password and password information. |
Finance | Balance sheet information, asset information. |
Professional Experience | Diploma information, courses attended, in-service training information, transcript information, certificates. |
Audiovisual Records | Visual and audio recordings |
Special Personal Data | Data specified in Article 6 of the KVKK (for example, health data including blood type, biometric data, religion and membership information, etc.). |
Special Personal Data:
Personal data of individuals regarding their race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union memberships, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are qualified personal data.
2.3. ENVIRONMENTS WHERE PERSONAL DATA IS FOUND
Electronic Media | Non-Electronic Media |
|
|
2.4.PURPOSES OF PROCESSING PERSONAL DATA:
As a company, we process personal data for purposes similar to, but not limited to, the following:
- Carrying out legal compliance processes,
- Operations management,
- Carrying out financial and financial affairs,
- Determining and implementing commercial and business strategies,
- Depending on the service contract; fulfillment of service obligations,
- Fulfilling employer responsibilities,
- Ensuring occupational safety, management, supervision and execution of work,
- Receiving and evaluating suggestions for improvement of business processes,
- Informing you about any changes that may occur in our terms of service,
- Preparation of all records and documents that will be the basis for the transaction in electronic (internet/mobile etc.) or physical environment,
- Providing information to public officials on matters related to public security upon request and in accordance with the legislation,
- Fulfilling legal obligations and exercising rights arising from current legislation,
- To be able to fulfill the legal obligation if requested by the relevant authority within the scope of judicial and administrative investigations and if it is necessary to respond,
- Carrying out business activities,
- Carrying out internal audit activities,
- Carrying out emergency management processes,
- Conducting communication activities,
- Carrying out accounting and financial affairs,
- Organization and event management,
- Execution of information security processes,
- Execution of company / product / service commitment processes,
- Ensuring physical space security,
- Carrying out assignment processes,
- Following and executing legal affairs,
- Fulfillment of legal obligations,
- Carrying out internal audit / investigation / intelligence activities,
- Conducting communication activities,
- Planning of human resources processes,
- Execution / supervision of business activities,
- Execution of occupational health / safety activities,
- Receiving and evaluating suggestions for improvement of business processes,
- Carrying out activities to ensure business continuity,
- Carrying out logistics activities,
- Ensuring quality standards,
- Keeping entrances and exits to the institution building under control and preventing unauthorized entries
- Carrying out goods/service purchasing processes,
- Carrying out after-sales support services for goods/services,
- Execution of goods/service sales processes,
- Carrying out goods/service production and operation processes,
- Execution of customer relationship management processes,
- Ensuring the security of financial resources.
- Carrying out activities aimed at customer satisfaction.
- Increasing reliability among customers,
- Organization and event management,
- Conducting marketing analysis studies,
- Conducting performance evaluation processes,
- Execution of advertising / campaign / promotion processes,
- Execution of risk management processes,
- Carrying out strategic planning activities,
- Carrying out social responsibility and civil society activities,
- Execution of contract processes,
- Follow-up of requests / complaints,
- Ensuring the security of movable goods and resources,
- Execution of supply chain management processes,
- Execution of supplier relations management processes,
- Execution of wage policy,
- Issuing product invoices,
- Execution of product policy,
- Carrying out the marketing processes of products / services,
- Work and residence permit procedures for foreign personnel,
- Carrying out talent / career development activities,
- Providing information to authorized persons, institutions and organizations,
- Carrying out management activities,
- Creating and tracking visitor records,
- Carrying out storage and archive activities.
SECTION 3
ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA:
3.1. Ensuring the Security of Personal Data:
In accordance with Article 12 of the Law, our company takes the necessary measures, depending on the nature of the data to be protected, to prevent unlawful disclosure, access, transfer of personal data or security deficiencies that may occur in other ways. In this context, our Company takes administrative measures and carries out inspections or has them carried out to ensure the necessary security level in accordance with the guides published by the Personal Data Protection Board ("Board").
All our employees, stakeholders, guests, visitors and relevant third parties throughout the Company are obliged to cooperate in the operation, activities, processes and implementation of the Company KVK Policy throughout the Company, and in preventing legal risks and imminent danger. All organs and departments of the Company are responsible for ensuring compliance with the Company KVK Policy.
All personnel and employees are obliged to ensure that the data processed by the company and under their responsibility is kept secure and not disclosed to third parties unless they sign a confidentiality agreement.
3.2. Protection of Special Personal Data
The law attaches special importance to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These data; Data regarding race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Our company acts sensitively in the protection of special personal data, which are determined as "special nature" by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company to protect personal data are carefully implemented in terms of special personal data and the necessary controls are provided within the Company. Detailed information regarding the processing of special categories of personal data can be found in Section 4.3 of this Policy. (“Processing of Special Personal Data”) section.
3.3. Increasing Awareness and Control of Business Units on the Protection and Processing of Personal Data
Our company organizes the necessary training for business units to raise awareness on preventing unlawful processing of personal data, unlawful access to personal data and ensuring the protection of personal data. Necessary systems are established to raise awareness of company employees about the protection of personal data, and we work with consultants if necessary. In this regard, our Company evaluates the participation in relevant trainings, seminars and information sessions and updates and renews its trainings in parallel with the updating of the relevant legislation.
3.4. Increasing Awareness and Control of Business Partners and/or Suppliers on the Protection and Processing of Personal Data:
The company ensures the preparation of necessary documents for business partners and/or suppliers in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the preservation of data. In addition, mutual awareness is ensured by signing confidentiality agreements.
PART 4
ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
One of the most important issues for the company is to comply with the general principles stipulated in the legislation in the processing of personal data. In this context, the Company acts in accordance with the principles listed below in the processing of personal data in accordance with the Constitution and the Personal Data Protection Law.
4.1. Processing of Personal Data in Accordance with the Principles Provided in the Legislation
4.1.1. Engaging in Personal Data Processing Activities in Compliance with Law and Honesty
The Company, in accordance with Article 4 of the KVK Law, regarding the processing of personal data; In accordance with the law and the rules of honesty; accurate and up to date when necessary; Pursuing specific, clear and legitimate purposes; engages in personal data processing in a limited and measured manner in connection with the purpose.
In this context, the Company takes into account the proportionality requirements in the processing of personal data and does not use personal data other than the purposes required.
4.1.2. Ensuring Personal Data is Accurate and Up-to-Date When Necessary
Necessary precautions are taken in data processing procedures to ensure that the processed data is accurate and up-to-date, and the Relevant Person is given the opportunity to update his data and correct any errors in the processed data, if any.
4.1.3. Processing for Specific, Clear and Legitimate Purposes
Personal data is processed in a limited and measured manner in connection with clearly and precisely determined purposes. Processing of personal data that is not relevant or does not need to be processed is avoided. For this reason, we do not process special personal data unless there is a legal requirement, or when we need to process it, explicit consent is obtained by providing clarification on the subject.
4.1.4. Being Related to the Purpose for Processing, Limited and Proportionate
Personal data is processed in a limited and measured manner in connection with clearly and precisely determined purposes. Processing of personal data that is not relevant or does not need to be processed is avoided. For this reason, we do not process special personal data unless there is a legal requirement, or when we need to process it, explicit consent is obtained by providing clarification on the subject.
4.1.5. Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed
The company complies with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVK Law; It retains the personal data it processes only for the period stipulated in the relevant legislation and laws or as required by the purpose of processing personal data.
In this context, the Company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the Relevant Person's application and with the specified destruction methods (deletion and/or destruction and/or anonymization).
Details are stated in the Personal Data Storage and Destruction Policy.
4.2. Conditions for Processing Personal Data
Except for the express consent of the personal data owner, the basis for personal data processing may be only one of the conditions specified below, or more than one condition may be the basis for the same personal data processing activity. If the data processed is personal data of special nature, the conditions set out in title 4.3 of this Policy (“Processing of Personal Data of a Special Category”) will apply.
I. Clearly Provided in Laws
If the personal data of the Relevant Person is clearly foreseen by the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, it can be said that this data processing condition exists.
- Failure to Obtain Explicit Consent of the Person Relevant Due to Actual Impossibility
If it is necessary to process the personal data of a person who is unable to express his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect his/her life or physical integrity or that of another person, the personal data of the Relevant Person may be processed.
iii. Directly Related to the Establishment or Performance of the Contract
This condition may be deemed to be fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or execution of a contract to which the Relevant Person is a party.
IV. Fulfillment of the Legal Obligations of the Data Controller
If processing is mandatory for the Company to fulfill its legal obligations, the personal data of the Relevant Person may be processed.
- Publicizing the Personal Data of the Personal Data Subject
If the Relevant Person has made his personal data public, the relevant personal data may be processed on a limited basis for the purpose of publicization.
VI. Data Processing is Necessary for the Establishment or Protection of a Right
If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the Relevant Person may be processed.
VII. Data Processing is Necessary for the Legitimate Interest of the Data Controller
Personal data of the Relevant Person may be processed if it is necessary to process data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Relevant Person.
4.3-Processing of Special Personal Data
The Company shows special sensitivity in the processing of special personal data, the protection of which is believed to be of more critical importance for the Relevant Person in various aspects. Special categories of personal data are processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods determined by the Board, and if the following conditions are met:
(i) Special personal data other than health and sexual lifeIt may be processed without the explicit consent of the data owner, if it is clearly provided for in the law, in other words, if there is a clear provision regarding the processing of personal data in the law governing the relevant activity. Otherwise, explicit consent of the data owner will be obtained in order to process such special personal data.
(ii) Special personal data regarding health and sexual lifemay be processed without explicit consent by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. Otherwise, explicit consent of the data owner will be obtained in order to process such special personal data.
4.3.1 Measures for the Protection of Special Personal Data
The Company, as the data controller, takes the following measures in the processing of Special Personal Data included in Article 6 of the Law, in accordance with the Board's decision dated 31.01.2018 and numbered 2018/10:
A- A systematic, clearly defined, manageable and sustainable separate policy has been determined for the security of sensitive personal data,
B-For Employees involved in the processing of special personal data;
- Regular training is provided on the law and related regulations and the security of Special Personal Data,
- Confidentiality agreements are made,
- The authorization scope and duration of users who have access to data are clearly defined,
- Authorization checks are carried out periodically,
- The authorizations of Employees who change their duties or leave their jobs in this area are immediately removed. In this context, the inventory allocated to it by the Data Controller is returned.
C- Environments where Special Personal Data are processed, stored and/or accessed are electronic media,
- Personal Data is stored using cryptographic methods,
- Transaction records of all movements performed on Personal Data are logged securely,
D-Environments where Special Personal Data are processed, stored and/or accessed are physical environments;
- Adequate security measures are taken depending on the nature of the environment where Special Personal Data is stored (against situations such as electricity leakage, fire, flood, theft, etc.), and unauthorized entries and exits are prevented by ensuring the physical security of these environments.
If E-Special Personal Data will be transferred,
- If Personal Data must be transferred via e-mail, it is transferred encrypted via a corporate e-mail address or using a Registered Electronic Mail (KEP) account,
- If it needs to be transferred via media such as Portable Memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment,
- If Personal Data must be transferred via paper, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in "Confidential" format.
In addition to the above-mentioned measures, technical and administrative measures are also taken into account to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority.
4.4. Disclosure of Personal Data Owner
The company informs personal data owners in accordance with Article 10 of the Law and secondary legislation. In this context, the Company informs the relevant persons about who personal data is processed by, as the data controller, and for what purposes, for what purposes it is shared with whom, by what methods it is collected, the legal reason and the rights of data owners within the scope of processing their personal data.
4.5. Transfer of Personal Data
The Company acts in accordance with the decisions and regulations stipulated in the KVKK and taken by the KVK Board regarding the transfer of personal data. Our company takes the necessary security measures in line with the legal personal data processing purposes and transfers the personal data and special personal data of the Relevant Person to third parties (official). and private authorities, third parties). In this regard, the Company acts in accordance with the regulations stipulated in Article 8 of the Law. In case there are groups of people with whom personal data is/might be shared, the relevant person is informed via a clarification text.
4.5.1 Transfer of Personal Data
Even if there is no explicit consent of the personal data owner, if one or more of the conditions stated below are present, personal data may be transferred to third parties by our Company by taking necessary care and taking all necessary security measures, including the methods prescribed by the Board.
- Relevant activities regarding the transfer of personal data are clearly foreseen by law,
- The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
- Transfer of personal data is mandatory for our Company to fulfill its legal obligations,
- Transfer of personal data by our Company in a limited way for the purpose of publicization, provided that it has been made public by the data owner,
- Transfer of personal data by the Company is mandatory for the establishment, exercise or protection of the rights of the Company or the data owner or third parties,
- It is mandatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,
- It is necessary for the person who is unable to express his consent due to actual impossibility or whose consent is not given legal validity, to protect his own life or physical integrity, or that of another person.
In addition to the above, personal data may be transferred to foreign countries declared by the Board to have adequate protection. (“Foreign Country with Adequate Protection”) It can be transferred if any of the above conditions are met.
In case there is not sufficient protection, in accordance with the data transfer conditions stipulated in the legislation, data controllers in Turkey and the relevant foreign country undertake to provide adequate protection in writing and to foreign countries where the Board has permission. (“Foreign Country Where the Data Controller Committed to Adequate Protection is Located”) can be transferred.
4.5.2.Transfer of Special Personal Data:
Our company may transfer the special personal data of the Relevant Person to third parties by taking the necessary administrative and technical measures in line with the data processing purposes. In this regard, the Company may transfer special personal data to third parties if one of the processing conditions specified in the above section and one of the conditions below are met.
(i) Special personal data other than health and sexual lifeIf it is clearly provided for in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, it may be processed without the explicit consent of the data owner. Otherwise, explicit consent of the data owner will be obtained.
(ii) Special personal data regarding health and sexual lifemay be processed without explicit consent by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing. Otherwise, explicit consent of the data owner will be obtained.
In addition to the above, personal data, To Foreign Countries with Adequate Protection It can be transferred if any of the above conditions are met. In case there is not sufficient protection, in accordance with the data transfer conditions stipulated in the legislation. To Foreign Countries Where There is a Data Controller Committed to Adequate Protection can be transferred.
PART 5
STORAGE AND DESTRUCTION OF PERSONAL DATA
Our company retains personal data for the period necessary for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation governing the relevant activity. In this context, our Company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the data owner's application and with the specified destruction methods (deletion and/or destruction and/or anonymization).
SECTION 6
RIGHTS OF PERSONAL DATA OWNERS AND THE USE OF THESE RIGHTS
6.1. Rights of Personal Data Owner
Within the scope of the disclosure obligation, the Relevant Person is informed by the company and systems and infrastructures for this notification are established. The technical and administrative arrangements necessary for the Relevant Person to exercise his rights regarding his personal data are made by our company.
On the personal data of the Relevant Person;
- Learning whether personal data is processed or not,
- If personal data has been processed, requesting information about it,
- Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- Requesting correction of personal data if it is incomplete or incorrectly processed,
- Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear,
- Requesting that the correction, deletion or destruction mentioned above be notified to third parties to whom personal data has been transferred,
- Objecting to an adverse result arising from the analysis of processed data exclusively through automatic systems,
- They have the right to demand compensation for the damage if they suffer damage due to unlawful processing of personal data.
6.2. Exercise of Personal Data Owner's Rights
Relevant Persons have the rights listed above, https://www.navbea.com/ They can use it by submitting it via the Relevant Person application form available at. Detailed information about filling out the form or sending it to the Company is included in this form.
6.3. Our Company's Response to Applications
Our company takes the necessary administrative and technical measures to finalize the applications made by the personal data owner in accordance with the Law and secondary legislation. If the personal data owner submits his request regarding the rights set out in section 6.1. (“Rights of the Personal Data Owner”) to our Company in accordance with the procedure, our Company will finalize the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. . However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
6.4. Situations Where the Relevant Person Cannot Assert His Rights
In accordance with the provision 28/2 of the KVKK, it will not be possible for the relevant persons to benefit from the rights specified in Article 11 of the Law, except for the right to demand compensation for damage in the following cases;
- Personal data processing is necessary for the prevention of crime or for criminal investigation,
- Processing of personal data made public by the person concerned.
- Personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
- The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
PART 7
SPECIAL SITUATIONS WHERE PERSONAL DATA IS PROCESSED
7.1. Camera Monitoring Activities Conducted at and Inside Company Buildings and Facilities
In order to ensure security in the company's buildings and facilities, camera monitoring activities are carried out in accordance with the Law on Private Security Services and relevant legislation. In order to ensure security in its buildings and facilities, the Company carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the Law.
In accordance with Article 10 of the Law, the Company informs the personal data owner through multiple methods regarding camera monitoring activities. In addition, in accordance with Article 4 of the Law, the Company processes personal data in a limited and measured manner in connection with the purpose for which they are processed.
The purpose of maintaining video camera monitoring by the Company is limited to the purposes listed in this Policy. In this regard, the monitoring areas of security cameras, their number and when they will be monitored are implemented in a way that is sufficient and limited to achieve the security purpose. Only a limited number of employees have access to live camera images and records recorded and preserved in digital environment. A limited number of people who have access to the records declare with a confidentiality agreement that they will protect the confidentiality of the data they access.
7.2.Monitoring of Guest Entrance and Exit at the Company Building and Facility Entrances and Inside
The Company carries out personal data processing activities to ensure security and to monitor guest entries and exits in the Company buildings and facilities for the purposes specified in this Policy. While the names and surnames of people who come to the Company's buildings as guests are obtained, or through texts posted in the Company or made accessible to guests in other ways, the personal data owners in question are clarified in this context.
The data obtained for the purpose of tracking guest entry and exit is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.
7.3.Website Visitors
Cookie records are used to improve the functioning and use of the company's official website. It is aimed to make the time spent on the company's official website more productive and enjoyable. In addition, some cookies are used to remember the preferences made on the website, thus providing users with an improved and personalized experience. Personal data is collected through cookies on the website, the collected data can be processed, transferred and stored. For detailed information about the cookies used on the website, visit the official website. https://www.navbea.com/yer You can review the Cookie Policy.
PART 8
OBLIGATIONS RELATED TO PERSONAL DATA PROCESSING ACTIVITIES
Our company must comply with the obligations stipulated by the KVK Law for data controllers. In this context, the main issues that we are obliged to comply with are listed below:
8.1. Registration and Notification Obligation to the Data Controllers Registry
Our Company is obliged to register with the Data Controllers Registry in accordance with Article 16 of the KVK Law and the procedures and principles of the Regulation on Data Controllers' Registry, and this obligation has been fulfilled by our Company.
8.2. Obligation to Inform the Data Owner
While the company collects personal data; First of all, the relevant persons are clearly informed and clarified in accordance with Article 10 of the KVKK and the Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Disclosure Obligation. In our clarification texts;
- Company name, full address and contact information,
- Information regarding the representative identity, if available,
- Personal data categories,
- The purpose for which personal data will be processed,
- To whom and for what purpose personal data can be transferred,
- Data collection method and legal reason,
- There are subheadings and contents such as the rights of the relevant person listed in Article 11 of the KVKK. In addition to the information above, application methods are also listed in our clarification text. Thanks to these methods, it is aimed to be transparent and accessible in the Protection of Personal Data.
As a company, care is taken to ensure that this Policy, which is available to the public, is clear, understandable and easily accessible.
In addition, the "Information Texts" regarding the Personal Data Protection Law for employees, prospective employees, visitors, customers and camera systems can be reviewed on the company's website.
8.3. Obligation to Ensure the Security of Personal Data
The Company is aware of the importance of ensuring the security of personal data and observing the fundamental rights and freedoms of data owners, in accordance with Article 12 of the KVK Law;
- To prevent unlawful processing of personal data,
- To prevent unlawful access to personal data and
- It is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to ensure the protection of personal data.
Being aware of the importance of ensuring security in every aspect within the company, the Company, in accordance with Article 12 of the KVK Law, aims to ensure the appropriate level of security to prevent the personal data it processes from being processed unlawfully, to prevent the data from being accessed unlawfully, and to ensure the preservation of data. Necessary technical and administrative measures are taken and necessary inspections are carried out in this context.
The Company takes the necessary technical and administrative measures, within technological possibilities, to ensure that personal data is processed in accordance with the law. In this context, the measures taken by our Company are as follows:
8.3.1. Administrative Measures
- Information Texts (Employee, Candidate Employee, Customer, Camera Systems) and Explicit Consent Texts have been prepared.
- There are disciplinary regulations that include data security provisions for employees.
- Training and awareness activities are carried out periodically for employees on data security.
- Department access permissions have been regulated.
- The department has been provided with training to protect some personal data.
- Confidentiality commitments are made.
- A disciplinary regulation has been prepared for employees who do not comply with security policies and procedures.
- The signed contracts contain data security provisions.
- Layered camera lighting texts are hung in the areas where the cameras are located.
- Awareness was created by informing employees about the technical and administrative risks associated with storing personal data.
- A personal data processing inventory has been prepared.
- Personal Data Protection Committee has been established.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Protocols and procedures for special quality personal data security have been determined and implemented.
- A list of personnel duties and titles has been prepared.
- Contracts have been made compatible with KVKK.
8.3.2. Technical Measures
- The company employs knowledgeable and experienced people to ensure data security and provides its personnel with necessary training on the protection of personal data.
- Necessary internal controls are carried out within the scope of the established systems.
- Network security and application security are provided.
- An authorization matrix has been created for employees.
- Access logs are kept regularly.
- Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
- Data masking is applied when necessary.
- The authorizations of employees who have a change in duty or quit their job in this field are removed.
- Current anti-virus systems are used.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- In-house periodic and/or random audits are conducted and made.
- Log records are kept without user intervention.
- Existing risks and threats have been identified.
- Personal data transferred in portable memory, CD and DVD media are encrypted and transferred.
- Data processing service providers are periodically audited on data security.
- Awareness of data processing service providers on data security is provided.
8.4. Obligation to Fulfill the Decisions Made by the KVK Board
The Company acts in accordance with the decisions made by the KVK Board, which operates to ensure that personal data is processed in accordance with fundamental rights and freedoms and is the executive body of the KVK Authority.
8.5. Obligation to Respond to Data Owner Applications
In accordance with Article 13 of the KVK Law, as the data controller, the Company concludes the requests of data owners regarding their personal data as soon as possible and within thirty (30) days at the latest, depending on the nature of the request. Data owners must make their requests regarding their personal data in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller.
8.6. Obligation to Delete, Destroy and Anonymise Personal Data:
If all the conditions for processing personal data specified in Articles 5 and 6 of the KVKK are eliminated, the personal data must be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person. In the deletion, destruction or anonymization of personal data, the general principles in Article 4 of the Law and Article 12. It is mandatory to act in accordance with the technical and administrative measures to be taken within the scope of the article, relevant legislative provisions, Board decisions and personal data storage and destruction policy. The data controller is obliged to explain the methods applied for the deletion, destruction and anonymization of personal data in the relevant policies and procedures. In accordance with Article 7 of the Regulation on Deletion, Destruction or Anonymization of Personal Data mentioned above, a Storage and Destruction Policy has also been created by the company.
8.6.1 Conditions for Deletion, Destruction and Anonymization of Personal Data:
In accordance with Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the "Regulation on Deletion, Destruction and Anonymization of Personal Data", although it has been processed in accordance with the provisions of the relevant law, in case the reasons requiring processing are eliminated, based on the company's own decision. or upon the request of the relevant person, personal data is deleted, destroyed or made anonymous. The company has created a policy on this issue in accordance with the provisions of the regulation, and in accordance with this policy, destruction is carried out according to the nature of the data. In accordance with this regulation, periodic destruction dates have been determined by the company, and a calendar has been created according to which periodic destruction will be carried out at various intervals with the beginning of the obligation.
PART 9
9.1. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In case of incompatibility between the current legislation and the Policy, our Company accepts that the current legislation will apply. The Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of Company practices.
9.2. ENFORCEMENT OF THE POLICY
The effective date of this Policy is 20/10/2023. This Policy is available on the Company's website. https://www.navbea.com/ It is published and made available to relevant persons upon the request of personal data owners.
9.3.DISTRIBUTION
The Policy is published on the Company website and announced to third parties and Company employees.
Information Security Officer Furkan Şen |
COMPANY General Information Text
CLARIFICATION TEXT ON THE PROTECTION OF PERSONAL DATA
This clarification text is written by Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. as the data controller within the scope of Article 6698 of the Personal Data Protection Law No. 10 and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation. Ltd. Ltd. Prepared by.
- Identity of the Data Controller
In accordance with the Personal Data Protection Law No. 6698 (“Law No. 6698”), your personal data; Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. as the data controller. Ltd. Ltd. ("Company") may be processed within the scope explained below.
Title: Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd.
Internet address : https://www.navbea.com/
E-mail address : info@navbea.com
Address: Teknopol Istanbul Ahmet Yesevi mah. Kerem St. No.9/1 Office No.10 34903 Istanbul / Turkey
Phone number : +90 (216) 352 02 02
- Purposes of Processing Personal Data
Within the scope of Article 10 of the KVKK and Article 5 of the Communiqué, personal data obtained within the scope of supply in accordance with the processing conditions specified in Article 4 of the KVKK can be processed for the following purposes:
- Carrying out legal compliance processes,
- Operations management,
- Carrying out financial and financial affairs,
- Determining and implementing commercial and business strategies,
- Depending on the service contract; fulfillment of service obligations,
- Fulfilling employer responsibilities,
- Ensuring occupational safety, management, supervision and execution of work,
- Receiving and evaluating suggestions for improvement of business processes,
- Informing you about any changes that may occur in our terms of service,
- Preparation of all records and documents that will be the basis for the transaction in electronic (internet/mobile etc.) or physical environment,
- Providing information to public officials on matters related to public security upon request and in accordance with the legislation,
- Fulfilling legal obligations and exercising rights arising from current legislation,
- To be able to fulfill the legal obligation if requested by the relevant authority within the scope of judicial and administrative investigations and if it is necessary to respond,
- Carrying out business activities,
- Carrying out internal audit activities,
- Carrying out emergency management processes,
- Conducting communication activities,
- Carrying out accounting and financial affairs,
- Organization and event management,
- Execution of information security processes,
- Execution of company / product / service commitment processes,
- Ensuring physical space security,
- Carrying out assignment processes,
- Following and executing legal affairs,
- Fulfillment of legal obligations,
- Carrying out internal audit / investigation / intelligence activities,
- Conducting communication activities,
- Planning of human resources processes,
- Execution / supervision of business activities,
- Execution of occupational health / safety activities,
- Receiving and evaluating suggestions for improvement of business processes,
- Carrying out activities to ensure business continuity,
- Carrying out logistics activities,
- Ensuring quality standards,
- Keeping entrances and exits to the institution building under control and preventing unauthorized entries
- Carrying out goods/service purchasing processes,
- Carrying out after-sales support services for goods/services,
- Execution of goods/service sales processes,
- Carrying out goods/service production and operation processes,
- Execution of customer relationship management processes,
- Ensuring the security of financial resources.
- Carrying out activities aimed at customer satisfaction.
- Increasing reliability among customers,
- Organization and event management,
- Conducting marketing analysis studies,
- Conducting performance evaluation processes,
- Execution of advertising / campaign / promotion processes,
- Execution of risk management processes,
- Carrying out strategic planning activities,
- Carrying out social responsibility and civil society activities,
- Execution of contract processes,
- Follow-up of requests / complaints,
- Ensuring the security of movable goods and resources,
- Execution of supply chain management processes,
- Execution of supplier relations management processes,
- Execution of wage policy,
- Issuing product invoices,
- Execution of product policy,
- Carrying out the marketing processes of products / services,
- Work and residence permit procedures for foreign personnel,
- Carrying out talent / career development activities,
- Providing information to authorized persons, institutions and organizations,
- Carrying out management activities,
- Creating and tracking visitor records,
- Carrying out storage and archive activities.
- Method of Personal Data Collection and Legal Reason
Your personal data;
- Various contracts you have signed with our Company and e-mails, faxes and letters you have sent to our Company,
- Verbal statement of the data owner,
- Website, social media, call center, e-mail, digital or printed survey, printed form, scanning of criminal records,
- Social networks that allow you to log in when registering or logging into our websites,
- Contact forms that you fill out to contact us on our websites or third party websites,
- Cookies used for online applications and those who want to access these applications, our mobile applications,
- Membership form that you fill out electronically or physically,
- Faxes and letters that process data on behalf of our company or support our company at any stage that requires the operation of the company,
- Our customer service channels, including our employees, digital marketing and call center,
- Social media channels, Google etc. use of search engines,
- Tenancy agreements and other agreements, campaigns, applications, forms, offers,
- SSI records are collected through the channels through which our Company communicates with you.
This personal data; "It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract" in subparagraph c) of the second paragraph of Article 5 of the KVKK, and "it is mandatory for the data controller to fulfill its legal obligation" in subparagraph (d). ” is processed based on the legal grounds stated in paragraph (f) that “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person”.
- Transfer of Personal Data
Your collected personal data; Personal data processing terms and conditions specified in Article 8 of the Law to our product or service providers, banks with which we have agreements within the scope of payment services, legally authorized public institutions and legally authorized private persons within the scope of the fulfillment of our legal obligations and as clearly stipulated in the law, in line with the realization of the above-mentioned Purposes. can be transferred within the framework of its purposes.
- Rights of the Relevant Person
Relevant persons have the following rights in accordance with Article 11 of the Law:
- Learning whether personal data is processed or not,
- Request information if personal data is processed,
- Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- To request correction of personal data if it is incomplete or incorrectly processed, and to request notification of the transaction made within this scope to third parties to whom personal data have been transferred,
- Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and requesting that the transaction carried out in this context be notified to third parties to whom personal data has been transferred,
- Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
- Request compensation for damages in case of damage due to unlawful processing of personal data.
The relevant person may submit requests regarding these rights to the Data Controller in accordance with the Communiqué on Application Procedures and Principles. In order to exercise your above-mentioned rights, you can personally hand-deliver your request with the necessary information that identifies you, send it through a notary or other methods determined by the Personal Data Protection Board.
The requests of the relevant person will be evaluated and decided free of charge as soon as possible and within thirty (30) days at the latest. If the evaluation and decision-making process requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be taken as basis.
Information Security Officer Furkan Şen |
COMPANY Personal Data Storage and Destruction Policy
KODAR BİLİŞİM İLETİŞİM VE TANITIM HİZMETLERİ TİC. LTD. ŞTİ. PERSONAL DATA STORAGE AND DESTRUCTION POLICY
PART 1
1.1 INTRODUCTION
Protection of personal data, Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd. ("Company"), and maximum effort is made to comply with all legislation in force in this regard. With this Personal Data Storage and Destruction Policy ("Policy"), the technical and administrative protection of personal data processed by our Company, and the destruction of personal data in accordance with the provisions of the Personal Data Protection Law ("Law") and other relevant legal regulations in case the conditions for processing personal data are eliminated. is provided.
1.2. PURPOSE
This Personal Data Storage and Destruction Policy ("Policy"), Personal Data Protection Law No. 6698 ("KVKK" or "Law") and the Personal Data that came into force by being published in the Official Gazette dated 28 October 2017, which constitutes the secondary regulation of the Law. It has been prepared by our Company, as the data controller, in order to fulfill our obligations in accordance with the Regulation on Deletion, Destruction or Anonymization (“Regulation”) and to inform data owners about the deletion, destruction and anonymization processes.
WHAT IS THE SCOPE?
Personal data belonging to company employees, employee candidates, all departments and directorates of the company, employees of companies providing all kinds of services, interns and contracted personnel, service providers, visitors and other third parties are within the scope of this Policy and all personal data owned or managed by the company are processed. It is applied to recording environments and activities related to personal data processing.
SECTION 2
2.1. DEFINITIONS AND ABBREVIATIONS
COMPANY: | Kodar Bilişim İletişim ve Tanıtım Hizmetleri Tic. Ltd. Ltd. |
EXPRESS CONSENT: | Consent regarding a specific subject, based on information and expressed with free will. |
ANONYMOSIS: | It is the alteration of personal data in such a way that it loses its nature as personal data and this situation cannot be reversed. Ex: Masking, aggregation, data corruption, etc. Making personal data unable to be associated with a natural person using techniques. |
PERSONAL DATA: | Any information regarding an identified and identifiable natural person. Therefore, processing of information regarding legal entities is not within the scope of the Law. For example: name-surname, TR ID number, e-mail, address, date of birth, credit card number, bank account number, etc. |
ELECTRONIC ENVIRONMENT: | Environments where personal data can be created, read, changed and written with electronic devices. |
NON-ELECTRONIC MEDIA: | All written, printed, visual, etc. except electronic media. other media |
SPECIAL PERSONAL DATA: | Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special data. |
PROCESSING OF PERSONAL DATA: | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking. |
DATA CONTROLLER: | It refers to the natural or legal person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept (data recording system). |
DATA OWNER APPLICATION FORM: | The application form that the Relevant Person will use when applying for their rights stated in Article 11 of the KVK Law. |
CONSTITUTION: | Constitution of the Republic of Turkey, No. 9, dated 1982 November 17863, published in the Official Gazette No. 7, dated 1982 November 2709. |
KVK LAW: | Personal Data Protection Law No. 7, dated 2016 March 29677, published in the Official Gazette No. 24, dated 2016 April 6698. |
POLICY: | Company Personal Data Storage and Destruction Policy |
NOTIFICATION ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE DISCLOSURE OBLIGATION: | Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation, which came into force after being published in the Official Gazette No. 10 dated 2018 March 30356. |
PERSONAL DATA STORAGE AND DESTRUCTION POLICY: | In accordance with the Regulation on Deletion, Destruction and Anonymization of Personal Data, the Company determines the maximum period required for the purpose for which personal data is processed and the policy used as the basis for the deletion, destruction and anonymization process. |
DESTRUCTION: | Deletion, destruction or anonymization of personal data. |
RELATED USER: | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data. |
RELATED PERSON: | The natural person whose personal data is processed. |
RECORDING MEDIA: | Any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system. |
PERIODIC DISPOSAL: | The deletion, destruction or anonymization process to be carried out at recurring intervals in case all the processing conditions of personal data specified in the law are eliminated. |
REGISTERED ELECTRONIC MAIL (REP): | It is a system that protects all kinds of commercial, legal correspondence and document sharing as you send it, determines exactly who the recipient is, ensures that the content is not changed, and turns the content into legally valid, safe and definitive evidence. |
DATA CONTROLLERS REGISTRY INFORMATION SYSTEM: | The information system created and managed by the Presidency, accessible over the internet, that data controllers will use in applying to the Registry and other related transactions related to the Registry. |
REGULATION: | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017. |
2.2. AUTHORITIES AND RESPONSIBILITIES
In fulfilling the requirements regarding the destruction of data specified by the Law, Regulation and Policy within the company, all employees, consultants, external service providers and anyone else who stores and processes personal data within the company are responsible for fulfilling these requirements.
Each business unit is obliged to store and protect the data it produces in its own business processes.
The "Data Controller Contact Person" is responsible for transactions such as notification or acceptance of notifications or correspondence made with the Personal Data Protection Board on behalf of the data controller and registration in the registry.
2.3. ENVIRONMENTS WHERE PERSONAL DATA IS FOUND
Personal data is stored securely by our Company in accordance with the law in the environments specified below.
Electronic Media | Non-Electronic Media |
|
|
SECTION 3
EXPLANATIONS ON STORAGE AND DISPOSAL
By our company; Personal data belonging to employees, employee candidates, visitors and employees of third parties, institutions or organizations with whom we have relations as service providers are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below.
3.1. EXPLANATIONS REGARDING STORAGE
In Article 3 of the Law, the concept of processing personal data is defined, in Article 4, it is stated that the personal data processed should be related to the purpose for which they are processed, limited and proportionate and should be kept for the period foreseen in the relevant legislation or for the period required for the purpose for which they are processed, and in Articles 5 and 6, it is stated that the processing conditions of personal data has been counted. Accordingly, within the framework of our Company's activities, personal data is stored for a period of time stipulated in the relevant legislation or appropriate for our processing purposes.
3.1.1. Legal Reasons Requiring Storage
Personal data processed within the framework of our company's activities are retained for the period stipulated in the relevant legislation. In this context, personal data;
- Personal Data Protection Law No. 6698,
- Turkish Code of Obligations No. 6098,
- Law No. 6502 on Consumer Protection,
- Banking Law No. 5411,
- Regulation on the Employment of Disabled Persons, Ex-Convicts and Terrorism Victims,
- Turkish Commercial Code No. 6102,
- Tax Procedure Law No. 213,
- Regulation on Internet Mass Use Providers,
- Enforcement and Bankruptcy Law No. 2004,
- Social Insurance and General Health Insurance Law No. 5510,
- Occupational Health and Safety Law No. 6331,
- Occupational Health and Safety Services Regulation,
- Labor Law No. 4857,
- Law No. 5651 on Regulating Publications Made on the Internet and Combating Crimes Committed Through These Publications,
- Law No. 6563 on the Regulation of Electronic Commerce,
- International Labor Law No. 6735,
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Extensions,
- Regulation on Archive Services, Other Regulations in Force According to These Laws
It is stored for the specified storage period.
3.1.2. Processing Purposes Requiring Storage
Our company stores the personal data it processes within the scope of its activities for the following purposes:
- Carrying out legal compliance processes,
- Operations management,
- Carrying out financial and financial affairs,
- Determining and implementing commercial and business strategies,
- Depending on the service contract; fulfillment of service obligations,
- Fulfilling employer responsibilities,
- Ensuring occupational safety, management, supervision and execution of work,
- Receiving and evaluating suggestions for improvement of business processes,
- Informing you about any changes that may occur in our terms of service,
- Preparation of all records and documents that will be the basis for the transaction in electronic (internet/mobile etc.) or physical environment,
- Providing information to public officials on matters related to public security upon request and in accordance with the legislation,
- Fulfilling legal obligations and exercising rights arising from current legislation,
- To be able to fulfill the legal obligation if requested by the relevant authority within the scope of judicial and administrative investigations and if it is necessary to respond,
- Carrying out business activities,
- Carrying out internal audit activities,
- Carrying out emergency management processes,
- Conducting communication activities,
- Carrying out accounting and financial affairs,
- Organization and event management,
- Execution of information security processes,
- Execution of company / product / service commitment processes,
- Ensuring physical space security,
- Carrying out assignment processes,
- Following and executing legal affairs,
- Fulfillment of legal obligations,
- Carrying out internal audit / investigation / intelligence activities,
- Conducting communication activities,
- Planning of human resources processes,
- Execution / supervision of business activities,
- Execution of occupational health / safety activities,
- Receiving and evaluating suggestions for improvement of business processes,
- Carrying out activities to ensure business continuity,
- Carrying out logistics activities,
- Ensuring quality standards,
- Keeping entrances and exits to the institution building under control and preventing unauthorized entries
- Carrying out goods/service purchasing processes,
- Carrying out after-sales support services for goods/services,
- Execution of goods/service sales processes,
- Carrying out goods/service production and operation processes,
- Execution of customer relationship management processes,
- Ensuring the security of financial resources.
- Carrying out activities aimed at customer satisfaction.
- Increasing reliability among customers,
- Organization and event management,
- Conducting marketing analysis studies,
- Conducting performance evaluation processes,
- Execution of advertising / campaign / promotion processes,
- Execution of risk management processes,
- Carrying out strategic planning activities,
- Carrying out social responsibility and civil society activities,
- Execution of contract processes,
- Follow-up of requests / complaints,
- Ensuring the security of movable goods and resources,
- Execution of supply chain management processes,
- Execution of supplier relations management processes,
- Execution of wage policy,
- Issuing product invoices,
- Execution of product policy,
- Carrying out the marketing processes of products / services,
- Work and residence permit procedures for foreign personnel,
- Carrying out talent / career development activities,
- Providing information to authorized persons, institutions and organizations,
- Carrying out management activities,
- Creating and tracking visitor records,
- Carrying out storage and archive activities.
3.2. REASONS REQUIRING DESTRUCTION
Personal data;
- Amendment or abolition of the relevant legislative provisions that constitute the basis for processing,
- The purpose that requires processing or storage is eliminated,
- In cases where processing of personal data is carried out only on the basis of explicit consent, the relevant person must withdraw his/her explicit consent,
- In accordance with Article 11 of the Law, the application made by the relevant person for the deletion and destruction of his personal data within the framework of his rights is accepted by the Institution,
- In cases where the company rejects the application made by the relevant person requesting the deletion, destruction or anonymization of personal data, finds the answer given insufficient, or does not respond within the time period stipulated in the Law; Complaining to the Board and this request being approved by the Board,
- The maximum period requiring personal data to be stored has passed and there are no conditions that justify storing personal data for a longer period of time.
In such cases, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by our Company upon the request of the relevant person.
PART 4
MEASURES TAKEN REGARDING THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, our Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and carries out the necessary inspections or has it done. Even though all technical and administrative measures have been taken, if the processed personal data is obtained by third parties through illegal means, our Company notifies the relevant persons and units as soon as possible.
4.1 Technical Measures
Within the scope of technical measures taken by our company:
- In order to ensure data security, it employs knowledgeable and experienced people and provides its staff with necessary training on the protection of personal data.
- Necessary internal controls are carried out within the scope of the established systems.
- Network security and application security are provided.
- An authorization matrix has been created for employees.
- Access authorizations are limited and authorizations are reviewed regularly.
- Access logs are kept regularly.
- By restricting access to the environments where Personal Data is kept, only authorized persons are allowed to access these data, limited to the purpose of storing personal data.
- Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
- Data masking is applied when necessary.
- The authorizations of employees who have a change in duty or quit their job in this field are removed.
- Current anti-virus systems are used.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- In-house periodic and/or random audits are conducted and made.
- Log records are kept without user intervention.
- Existing risks and threats have been identified.
- Personal data transferred in portable memory, CD and DVD media are encrypted and transferred.
- Data processing service providers are periodically audited on data security.
- Awareness of data processing service providers on data security is provided.
4.2 Administrative Measures
The administrative measures taken by our company regarding the personal data processed are as follows:
- Information Texts (Employee, Candidate Employee, Customer, Camera Systems, Covid-19 Pandemic Process) and Explicit Consent Texts have been prepared.
- There are disciplinary regulations that include data security provisions for employees.
- Training and awareness activities are carried out periodically for employees on data security.
- Access permissions have been regulated.
- Training on protecting personal data was provided on a unit basis.
- In order to ensure legal compliance requirements determined on a unit basis, awareness is created specifically for the relevant unit and implementation rules are determined; Necessary administrative measures are taken to ensure the control of these issues and the continuity of the application.
- Confidentiality commitments are made.
- A disciplinary regulation has been prepared for employees who do not comply with security policies and procedures.
- The signed contracts contain data security provisions.
- Layered camera lighting texts are hung in the areas where the cameras are located.
- Awareness was created by informing employees about the technical and administrative risks associated with storing personal data.
- All activities carried out by the company were analyzed in detail for all units, and as a result of this analysis, a personal data processing inventory was prepared for the activities carried out by the relevant units.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Protocols and procedures for special quality personal data security have been determined and implemented.
- Contracts have been made compatible with KVKK.
- If the processed personal data is obtained by others through illegal means, this situation is reported to the relevant person and the Board as soon as possible.
PART 5
PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed by our Company ex officio or upon the application of the relevant person, in accordance with the relevant legislation, using the techniques specified below.
5.1. Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. Our company may use one or more of the following methods as a method of deleting personal data:
Data Recording Environment | DESCRIPTION |
Personal Data on Servers | For personal data on the servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes them. |
Personal Data in Electronic Media | Among the personal data in the electronic environment, those whose period of storage has expired are made inaccessible and unusable for other employees (relevant users) except the database administrator. |
Personal Data in Physical Environment | Personal data kept in physical environment, for those whose period of storage has expired, are made inaccessible and unusable by all employees except the unit manager responsible for the document archive. In addition, blackening is also applied by drawing/painting/erasing the surface so that it cannot be read. |
Personal Data Contained in Portable Media | Among the personal data kept in flash-based storage media, those that have expired are stored in secure environments with encryption keys, by being encrypted by the system administrator and access authorization is given only to the system administrator. |
5.2. Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone using the following methods. Our company may use one or more of the following methods as a method of destroying personal data:
Data Recording Environment | DESCRIPTION |
Personal Data in Physical Environment | Personal data stored on paper that have expired are irreversibly destroyed in paper shredding machines. |
Personal Data Contained in Optical / Magnetic Media | Personal data contained in optical media and magnetic media whose storage period has expired are physically destroyed, such as melting, burning or pulverizing. In addition, the data on the magnetic media is rendered unreadable by passing it through a special device and exposing it to a high magnetic field. |
5.3. Anonymization of Personal Data
Anonymization of personal data means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
In order for personal data to be anonymized; Personal data must be returned by the data controller or third parties and/or made impossible to associate with an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording environment and relevant field of activity, such as matching the data with other data.
Our company may use one or more of the following methods to anonymize personal data:
Method | DESCRIPTION |
Masking | Data masking is the method of anonymizing personal data by removing the basic identifying information of personal data from the data set. |
Regional Hiding | In the regional hiding method, if a single data has a deterministic nature because it creates a very less visible combination, hiding the relevant data provides anonymization. |
Removing Records
| In the derecording method, the data line that contains a singularity is removed from the records and the stored data is made anonymous. |
Global Coding | With the data derivation method, a more general content is created from the content of personal data and it is ensured that personal data cannot be associated with any individual. For example; Specifying ages instead of dates of birth; stating the region of residence instead of full address. |
Adding Noise | The method of adding noise to the data, especially in a data set where numerical data is predominant, makes the data anonymous by adding some positive or negative deviations to the existing data at a determined rate. |
In accordance with Article 28 of the Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Law and the express consent of the personal data owner will not be required.
Our company can make ex officio decisions regarding the deletion, destruction or anonymization of personal data and can freely determine the method to be used according to the category it has chosen. In addition, within the scope of Article 13 of the Regulation, if the relevant person chooses one of the categories of deletion, destruction or anonymization of his/her personal data during the application, our Company will be free to choose the methods to be used in the relevant category.
PART 6
STORAGE AND DISPOSAL PERIOD
Our company stores personal data for the periods specified in 6.1 for the purpose for which they are processed. If a period of time is stipulated in the legislation for the storage of personal data in question, this period is observed. If there is no period stipulated in the legislation, personal data will be stored for the maximum period for keeping the personal data in the table in 6.1.
In case the obligation to delete, destroy or anonymise arises due to the expiration of these periods, our Company will delete, destroy or anonymize personal data in the first periodic destruction process following this date.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
6.1. Storage and Destruction Periods Table
PERSON GROUP WHOSE DATA IS PROCESSED | DATA CATEGORY | DATA STORAGE PERIOD |
Working | Identity, Communication, Location, Personnel, Legal Process, Physical Space Security, Process Security, Professional Experience, Audio-Visual Records, Duty and Title Data, Belief Information, Employee Relative Information. | It is kept for 10 (ten) years from the termination of the employment contract. |
Working | Health | It is kept for 15 (fifteen) years from the termination of the employment contract. (Occupational Health and Safety Services Regulation Article 7) |
Employee Candidate | Identity, Communication, Legal Process, Professional Experience, Audio-Visual Records, Position and Title Data. | 6 months from the date of job application, 10 years from the termination of the employment contract |
E-Commerce Information | E-Commerce Membership Information | 6563 year from the creation of the record in accordance with the Law on the Regulation of Electronic Commerce No. 1. |
Website Visitor | Transaction Security | 2 years from the creation of the record. |
Product/Service Recipient | Identity, Communication, Transaction Security, Customer Transaction | Each product/service purchased by the service recipient is stored for 146 (ten) years in accordance with Turkish Code of Obligations Article 82 and Turkish Commercial Code Article 10. |
Product/Service Recipient, Supplier, Employee, Intern | Physical Space Security | 3 Months from the Date of Recording in Ordinary Times, Statute of Limitations for Legal Cases |
Institutions/Companies (Suppliers) with which the company cooperates | Identity, Contact Information, Financial Information | It is kept for 146 years during and after the termination of the business/commercial relationship in accordance with the Turkish Code of Obligations Article 82 and the Turkish Commercial Code Article 10. |
PART 7
7.1.PERIODIC DESTRUCTION PERIOD
In accordance with Article 11 of the Regulation, our Company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in our Company every year in June and December.
7.2. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In case of incompatibility between the current legislation and the Policy, our Company accepts that the current legislation will apply.
7.3. PUBLISHING AND STORAGE OF THE POLICY
The effective date of this Policy is 20/10/2023. The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the Company's website.
7.4. UPDATED PERIOD OF THE POLICY
The policy is reviewed as needed and necessary sections are updated. If there is a change in the Policy, the effective date of the Policy and relevant articles will be updated accordingly.
Information Security Officer Furkan Şen |
KVKK Application Form
KVKK APPLICATION FORM
GENERAL INFORMATION
Personal data owners who are defined as relevant persons in the Personal Data Protection Law No. 6698 ("KVK Law") (hereinafter referred to as "Applicant") are granted the right to make certain requests regarding the processing of their personal data in Article 11 of the KVK Law. .
In accordance with the first paragraph of Article 13 of the KVK Law; Applications regarding these rights to our Company, which is the data controller, must be submitted to us in writing or by other methods determined by the Personal Data Protection Board ("Board").
In this context, applications to be made to our Company in "written" form, by printing this form;
- By personal application of the Applicant,
- through a notary,
- The “secure electronic signature” defined by the Applicant in the Electronic Signature Law No. 5070
It can be forwarded to us by signing with "signature" and sending it to the Company's registered e-mail address.
Below, information is given specific to written application channels on how written applications can be submitted to us.
Application Method | Address to apply | Information to be Included in the Application |
Application in Person (The applicant must come in person and apply with a document proving his/her identity) | Teknopol Istanbul Ahmet Yesevi mah. Kerem St. No.9/1 Office No.10 34903 Istanbul / Turkey | In the application; a) Name, surname and signature if the application is written, b) TR identity number for citizens of the Republic of Turkey, nationality, passport number or identification number, if any, for foreigners, c) Domicile or workplace address for notification, ç) If available, the e-mail address, telephone and fax number for notification, d) The subject of the request must be present. Information and documents regarding the subject are added to the application. “Information Request Within the Scope of the Personal Data Protection Law” will be written on the envelope. |
Notification via notary | Teknopol Istanbul Ahmet Yesevi mah. Kerem St. No.9/1 Office No.10 34903 Istanbul / Turkey | In the application; a) Name, surname and signature if the application is written, b) TR identity number for citizens of the Republic of Turkey, nationality, passport number or identification number, if any, for foreigners, c) Domicile or workplace address for notification, ç) If available, the e-mail address, telephone and fax number for notification, d) The subject of the request must be present. Information and documents regarding the subject are added to the application. “Information Request Within the Scope of the Personal Data Protection Law” will be written on the envelope. |
Via Registered Electronic Mail (KEP) by signing with “secure electronic signature” | ……………………cap | In the application; a) Name, surname and signature if the application is written, b) TR identity number for citizens of the Republic of Turkey, nationality, passport number or identification number, if any, for foreigners, c) Domicile or workplace address for notification, ç) If available, the e-mail address, telephone and fax number for notification, d) The subject of the request must be present. Information and documents regarding the subject are added to the application. “Personal Data Protection Law Information Request” will be written in the subject line of the e-mail. |
- Applicant Contact Information
Name and surname: | |
Turkish Identity Number: | |
Address: | |
Mobile phone: | |
E-mail address: |
- The Applicant's Relationship with Our Company (Customer, Business Partner, Employee Candidate, Former Employee, Third Party Company Employee, Shareholder/Partner, etc.)
☐ Customer | ☐ Business Partner/Solution Partner/Consultant |
☐ Visitor | ☐ Other (Explain…) |
The unit you are in contact with within our company: | |
Konu: |
☐ My Former Employee ☐ Years I worked: | ☐ Job Application/Resume Sharing ☐ Date I Made: |
☐ I am a Third Party Company Employee (Please specify the company you work for and the position information.) | ☐ Other |
Please specify your request under Article 11 of KVKK:
Request No. | Demand | Your choice (Please mark your request with an X) |
1. | I want to know whether your company processes my personal data/data.
Personal Data Protection Law m11/1(c) | |
2. | If your company processes personal data about me, I request information about these data processing activities.
Personal Data Protection Law m11/1(b) | |
3. | I would like to learn the purpose of processing my personal data by your company and whether it is used for its intended purpose.
Personal Data Protection Law m11/1(c) | |
4. | If my personal data is transferred by your company to third parties at home or abroad, I want to know about these third parties.
Personal Data Protection Law m11/1(ç) | |
5. | I think my personal data has been processed incompletely or incorrectly by your Company and I would like it to be corrected. (Indicate the personal data you want to be corrected in the "your choice" field, and send additional documents containing correct and complementary information regarding the personal data. (Copy of identity card, residence, etc.)
Personal Data Protection Law m11/1(d) | |
6. | Although my personal data has been processed in accordance with the provisions of KVKK and other relevant Laws, I think that the reasons requiring processing have disappeared, therefore I would like my personal data to be deleted or destroyed.
Personal Data Protection Law m11/1(e) | |
7. | I would like my personal data (Request No. 5), which I think has been processed incompletely or incorrectly, to be corrected by the third parties to whom it has been transferred by your Company. (Indicate the personal data you want to be corrected in the "your choice" field, and send additional documents containing correct and complementary information regarding the personal data. (Copy of identity card, residence, etc.)
Personal Data Protection Law m11/1(f) | |
8. | Although my personal data has been processed in accordance with the provisions of KVKK and other relevant Laws, I think that the reasons requiring processing have disappeared (Request No. 6), therefore I would like my personal data to be deleted or destroyed by the third parties to whom it has been transferred.
Personal Data Protection Law m11/1(f) | |
9. | I think that my personal data processed by your company is analyzed exclusively through automatic systems and as a result of this analysis, a result is against me. I would like to object to this result being against me. Please indicate the analysis result that you think is against you in the "Your Choice" field and also send the documents supporting your objection.
Personal Data Protection Law m11/1(g) | |
10. | I suffered a loss due to the unlawful processing of my personal data by your company. I demand compensation for this damage. Please indicate the issue that is against the law in the "Your Choice" field and also send the documents supporting your objection. (Court Decision, Board Decision, Documents showing the amount of material damage, etc.)
Personal Data Protection Law m11/1(ğ) | |
Additional remarks:
|
Please Select the Method of Notifying You of Our Response to Your Application.
- I want it sent to my address.
- I want it to be sent to my e-mail address. (We will be able to respond to you faster if you choose the e-mail method.)
- I want to receive it by hand. (In case of receipt by proxy, a notarized power of attorney or authorization document is required.)
This application form has been created to determine your relationship with our Company, to completely identify your personal data processed by our Company, if any, and to respond to your application correctly and within the legal period.
Our company reserves the right to request additional documents and information (copy of identity card or driver's license, etc.) for identification and authorization determination in order to prevent your personal data from being shared with third parties unlawfully and to ensure the security of your personal data.
I accept, declare and undertake that the information regarding your requests submitted within the scope of this application form is correct and up-to-date, otherwise I will be liable for any legal and/or criminal liability that may arise.
Applicant (Personal Data Owner)
Name and surname :
Application date :
Signature :