Personal Data Protection Policy
As E4 METAL FURNITURE PAZARLAMA SANAYİ ve TİCARET LİMİTED ŞİRKETİ (“Company”), we attach utmost importance to the legal protection and processing of Personal Data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”), and we act with such care in all our planning and activities. As a company, we take all administrative and technical measures in compliance with the legislation regarding the protection and processing of Personal Data, which is the basis of privacy. With the Personal Data Protection and Processing Notice (“Notice”), we aim to comply with the applicable national and international legislation, especially the Personal Data Protection Law No. 6698 (“Law”) and the European Union General Data Protection Regulation (“GDPR”). You can find detailed information on the protection and processing of personal data under the GDPR at http://www.efordesing.com. The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life regulated in Article 20 of the Constitution, in the protection and processing of Personal Data in accordance with the purpose of the Law, and to comply with the obligations of our Company and the Law. to inform the Personal Data Owners about the procedures and principles to be complied with. In line with the purpose of the policy, it is aimed to ensure full compliance with the legislation and to protect the right to privacy and data security of Personal Data Owners in the protection and processing of Personal Data carried out by our Company. In order to prevent any unlawful access or leakage of data, we share our customers' data only with our trusted business partners at a minimum level and take security measures in accordance with the applicable legislation.
1. DEFINITIONS
• Explicit consent: It refers to the declaration of consent on a specific subject, based on information and freely declared by the data owners.
• Anonymization: It means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
• Relevant person/data owner: Refers to the real person whose personal data is processed.
• Personal data: It refers to any information relating to an identified or identifiable natural person.
• Special categories of personal data: It refers to data subject to a stricter protection regime within the scope of the Law, which may cause the Data Owner to be victimized or exposed to discrimination in cases such as their disclosure or loss.
• Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. means all kinds of operations performed on data such as classification or prevention of use.
• Data recording system: It refers to the recording system in which personal data is processed and structured according to certain criteria.
• Data controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
2. PROTECTION OF PERSONAL DATA
Our Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing and access of Personal Data, and to protect Personal Data in accordance with the Law. Our company observes all legal rights of Personal Data Owners with the implementation of the Policy and Law and takes all necessary measures to protect these rights.
Our company carries out and has the necessary inspections made in order to establish the data security described above and to ensure the regularity and continuity of the measures taken.
Our company takes all necessary technical and administrative measures according to the technological possibilities and application costs so that the relevant data controllers and data processors do not disclose the Personal Data they have to others in violation of the provisions of the Law and Policy and do not use them for purposes other than processing. In this context, informing and training activities about the Law and Policy are carried out with our Company employees.
In the event that the Personal Data processed by our Company is obtained by others through unlawful means, our Company carries out the necessary actions to notify the relevant Personal Data Owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this situation may be announced on the website of the KVK Board or by any other method deemed appropriate by the KVK Board.
Our company considers that Special Quality Personal Data are data that may cause the person concerned to be victimized or exposed to discrimination if learned by others, therefore, all necessary measures are taken sensitively to protect such personal data that are processed in accordance with the law.
3. PROCESSING AND TRANSFER OF PERSONAL DATA
Our company ensures that the processed Personal Data are suitable for the realization of the determined purposes and avoids the processing of Personal Data that is not related to the realization of the purpose or is not needed. Our company keeps the processed data limited to what is necessary for the realization of the purpose.
Personal Data is processed by our company in accordance with the procedures and principles stipulated in the Law and this Policy. Our company's Personal Data is processed in accordance with the relevant legislation and the requirements of the good faith and used within these limits. Our company clearly and precisely determines the purpose of data processing.
Our company complies with these periods if there is a period stipulated in the relevant legislation for data storage; otherwise, it retains Personal Data only for as long as is necessary for the purpose for which it was processed. The retention periods of the processed data are included in our policies. In the event that there is no valid reason for further storage of a Personal Data by our company or upon the application of the person whose data is collected, the said data is deleted, destroyed or anonymized.
Our company does not process Personal Data without the explicit consent of the data owner. Our company may process Personal Data without seeking the explicit consent of the data owner, in the presence of one of the following conditions. Our company may process the Personal Data of Personal Data Owners, even if there is no explicit consent, in cases expressly stipulated by the laws. Our company may process the Personal Data of Personal Data Owners if it is necessary to fulfill its legal obligations as a data controller.
Personal Data may be processed commercially by our company regarding the establishment or performance of a contract.
Our company may transfer the Personal Data of Personal Data Owners and Private Personal Data to third parties specified in this protocol in accordance with the Law, by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data.
⦁ If there is express consent of the Personal Data owner;
⦁ If there is a clear regulation in the law regarding the transfer of Personal Data,
⦁ If it is necessary for the protection of the life or bodily integrity of the Personal Data owner or someone else, and if the Personal Data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid,
⦁ If it is necessary to transfer the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
⦁ If Personal Data transfer is mandatory for our company to fulfill its legal obligation,
⦁ If the Personal Data has been made public by the Personal Data owner,
⦁ If the transfer of Personal Data is necessary for the establishment, use or protection of a right,
⦁ Personal Data may be transferred if it is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data owner.
Our company takes the necessary security measures in line with the purposes of Personal Data processing and transfers the Personal Data and Private Personal Data of the Personal Data Owners abroad.
4. CLASSIFICATION OF PERSONAL DATA, PURPOSE OF PROCESSING AND TRANSFER, PERSONS TO BE TRANSFERRED
4.1. Personal Data Types:
Identity (such as name, surname, mother and father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial no, tc identity number), communication (address no, e-mail address, contact address, registered electronic postal address (such as cap), phone number), location (location information of the place of residence), personnel (such as payroll information, disciplinary investigation, entry-exit document records, property declaration information, CV information, performance evaluation reports), legal action ( information in correspondence with judicial authorities, information in the case file), customer transaction (call center records, invoice, promissory note, check information, information in box office receipts, order information, request information), physical place security (entry and exit registration information of employees and visitors, camera records), finance (such as balance sheet information, financial performance information, credit and risk information, asset information), professional experience (diploma information, courses attended, vocational training information, certificate such as information, transcript information), marketing (shopping history information, survey, cookie records, information obtained through campaign work), visual and audio recordings (such as visual and audio recordings-camera recording-photo), costume and clothing (related to clothing and clothing). information), association membership (such as association membership information), foundation membership (such as foundation membership information), union membership (such as union membership information), health information (information about disability, blood group information, personal health information, device used and prosthesis) information), criminal conviction and security measures (such as information on criminal convictions, information on security measures), biometric data (such as palm information, fingerprint information, retina scan information, face recognition information) for the purposes specified in this protocol. .
Credentials
Data containing information about the identity of the person: name-surname, T.C. identity number, marital status, nationality information, mother-father name-surname, place of birth - date, gender and other identity information, driver's license, identity card and passport and related documents, tax number, SGK number, signature information, vehicle plate and other information.
Communication information
Phone number, address, e-mail address, fax number, IP address and other information.
Transaction Security Information
Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company while carrying out the Company's activities
Financial Information
Personal data, bank account number, branch code, bank card information, IBAN number, credit card information, financial profile, and personal data processed for information, documents and records showing all kinds of financial results arising in accordance with the employee-employer relationship established by the Company with the Relevant Person , credit rating, assets data, income information and other information.
Visual and Audio Information
Photo and camera recordings, audio recordings and any data including this data and other information
Personal Information
All kinds of personal data processed for obtaining information that will be the basis for the protection of personal rights of real persons who are in a working relationship with the Personal Data Owner
Location Information
Information that determines the location of the Relevant Person while the Company or Company group companies are using vehicles by the Relevant Person within the framework of the activities and operations of the Company or its group companies or the companies and institutions with which it cooperates; GPS location, travel data and other information
Family Members and Close Information
Family members of the Related Person (e.g. spouse, mother, father, child) in order to protect the legal and other interests of the Company or the Company's group companies or the companies and institutions with which it cooperates or in order to protect the legal and other interests of the Company and the Related Person. ), their relatives and other persons who can be reached in case of emergency, as defined above, their identity and contact information.
Physical Space Security Information
Personal data regarding the records and documents taken at the entrance to the physical space, during the stay in the physical space; camera records, fingerprint records and records taken at the security point and other data
Legal Transaction Information
Data processed within the scope of the determination of the legal receivables and rights of the Company, its follow-up and the performance of its debts and its legal obligations
Sensitive Personal Information
Data specified in accordance with Article 6 of the Law (health data, biometric data, religion and membership association information, etc.)
Request/Complaint Management Information
Personal data regarding the receipt and evaluation of the request or complaint directed to our company
⦁ Purposes of Processing Personal Data
Your personal data; Planning and implementing our human resources policies in the best way, planning and executing our commercial partnerships and strategies correctly, Ensuring the legal, commercial and physical security of our Company and our business partners, Ensuring the corporate functioning of our Company, Working to make the best use of the products and services offered by our Company. ; Suggesting the products and services offered by our company according to your demands, needs and wishes, ensuring the highest level of data security, creating databases, improving the services offered on our company's website, communicating with those who have submitted their requests and complaints to our company, It is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to the purposes of eliminating errors.
In addition to our Company's Websites, Execution of our Company's Emergency Management Processes, Execution of Information Security Processes, Execution of Employee Candidates / Interns / Employee Candidates Application Processes, Employee Satisfaction and Loyalty Processes, Fulfillment of Work Contract and Legislation Obligations for Employees, Subsidiary for Employees Execution of Rights and Benefits Processes, Execution of Audit / Ethical Activities, Execution of Training Activities, Execution of Access Authorities, Execution of Activities in Compliance with the Legislation, Execution of Finance and Accounting Affairs, Execution of Firm / Product / Services Loyalty Processes, Ensuring Physical Space Security, Execution of Appointment Processes, Law Follow-up and Execution of Jobs, Conducting Internal Audit / Investigation / Intelligence Activities, Execution of Communication Activities, Planning of Human Resources Processes, Execution / Audit of Business Activities, İş S Execution of Network / Safety Activities, Receiving and Evaluation of Suggestions for the Improvement of Business Processes, Execution of Business Continuity Activities, Execution of Logistics Activities, Execution of Goods / Services Purchasing Processes, Execution of Goods / Services After-Sales Support Services, Execution of Goods / Service Sales Processes, Goods / Execution of Service Production and Operation Processes, Execution of Customer Relationship Management Processes, Execution of Activities for Customer Satisfaction, Organization and Event Management, Execution of Marketing Analysis Studies, Performance Evaluation Processes, Execution of Advertising / Campaign / Promotion Processes, Execution of Risk Management Processes, Storage and Execution of Archive Activities, Execution of Social Responsibility and Civil Society Activities, Execution of Contract Processes, Execution of Sponsorship Activities, Strategic Planning Activities Execution of Requests / Complaints, Ensuring the Security of Movable Goods and Resources, Execution of Supply Chain Management Processes, Execution of Remuneration Policy, Execution of Marketing Processes of Products / Services, Ensuring the Security of Data Supervisor Operations, Foreign Personnel Work and Residence Permit Processes, Execution of Investment Processes, Talent / Personal data is obtained for the purpose of Carrying out Career Development Activities, Providing Information to Authorized Persons, Institutions and Organizations, Executing Management Activities, Creating and Tracking Visitor Records.
⦁ Purposes of Transfer of Personal Data
Your Personal Data, the best planning and implementation of our human resources policies, the correct planning and execution of our commercial partnerships and strategies, ensuring the legal, commercial and physical security of our company and our business partners, ensuring the corporate functioning of our company, making the best use of the products and services offered by our company. work for; Suggesting the products and services offered by our company according to your demands, needs and wishes, ensuring the highest level of data security, creating databases, improving the services offered on our company's website, communicating with those who have submitted their requests and complaints to our company, It is transferred within the scope of the conditions specified in Articles 8 and 9 of the Law, limited to the purposes of eliminating errors.
⦁ Persons to whom Personal Data will be Transferred
Your Personal Data; It can be transferred to our shareholders, business partners, suppliers, group companies, affiliates, companies and institutions with which we cooperate, companies from which we get outsourced services (security, health, work safety, law, etc.), authorized institutions and organizations in order to fulfill our contractual or legal obligations.
⦁ Deletion, Destruction or Anonymization of Personal Data
Without prejudice to the provisions in other laws regarding the deletion, destruction or anonymization of Personal Data, our Company will delete the Personal Data ex officio or upon the request of the data owner, in the event that the reasons for its processing disappear, although it has been processed in accordance with the provisions of this Law and other laws, destroy or anonymize.
With the deletion of personal data, this data is destroyed in a way that it cannot be used again in any way and cannot be restored. Accordingly, the data is deleted from the tools such as documents, files, CDs, floppy disks, hard disks in which they are registered, in a way that cannot be recycled.
Destruction of data, on the other hand, means the destruction of materials suitable for data storage such as documents, files, CDs, floppy disks, hard disks, in which the data is recorded, so that the information cannot be retrieved and used again.
By anonymizing the data, it is meant that the Personal Data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.
⦁ Retention Period of Personal Data
Our company stores Personal Data in accordance with the periods stipulated in the laws and other legislation. If there is no provision in the laws and other legislation regarding how long Personal Data should be kept, the Personal Data is processed until the purpose of processing the Personal Data is realized when the Personal Data is processed by our Company, and then it is deleted, destroyed or anonymized.
5. RIGHTS OF PERSONAL DATA SUBJECT
According to Article 11 of the Law, data owners have the following rights against the data controller.
⦁ Learning whether personal data about himself is processed.
⦁ If personal data about him has been processed, do not request information about it.
⦁ Learning the purpose of processing personal data and whether they are used in accordance with the purpose.
⦁ Knowing the third parties to whom personal data is transferred at home or abroad.
⦁ Requesting correction of personal data in case of incomplete or incorrect processing.
⦁ Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation.
⦁ Requesting notification of the transactions made as a result of requests for correction, deletion and destruction to third parties to whom personal data has been transferred.
⦁ Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems.
⦁ Requesting the compensation of the damage in case of loss due to unlawful processing of personal data.
We respond to data owners who want to exercise these rights within the limits set forth in the Law, within a maximum of thirty days, as stipulated in the Law. In order for third parties to apply on your behalf, there must be a special power of attorney issued by a notary public on behalf of the person who will apply.
Although your applications are processed free of charge as a rule, if a fee schedule is stipulated by the Personal Data Protection Board, a fee may be charged over this tariff. We can request information from the person concerned in order to determine whether the applicant is the Data Owner, and we can ask questions about the application to the Data Owner in order to clarify the issues stated in the application.
To exercise the above-mentioned rights, you can contact us through our contact information on our website.
6. EXCEPTIONAL CONDITIONS
⦁ Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
⦁ Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
⦁ Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
⦁ Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
In the event that personal data is processed by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings, the provisions of this Policy and the Law do not apply.
⦁ The processing of personal data is necessary for the prevention of crime or for criminal investigation.
⦁ Processing of personal data made public by the person concerned.
⦁ The processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
In cases where personal data processing is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters, Articles 10, 11 and 16 of the relevant law are not applicable.
7. DATA SECURITY
In order to ensure the security of your personal data, we take reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data.
In order to take administrative and technical measures in our company, Network security and application security are provided, Closed system network is used in personal data transfers via network, Key management is implemented, Security measures are taken within the scope of procurement, development and maintenance of information technology systems, Personal data stored in the cloud is secured, For employees There are disciplinary regulations that include data security provisions, Training and awareness studies are carried out periodically on data security for employees, An authorization matrix is created for employees, Access logs are kept regularly, Institutional policies on access, information security, use, storage and destruction are prepared and implemented , Data masking measures are applied when necessary, Confidentiality commitments are made, Employees who have a job change or quit their job are removed from their authority in this area, Current anti-virus systems are used, Firewall is used. Signed contracts contain data security provisions, Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format, Personal data security policies and procedures are determined, Personal data security problems are quickly reported, Personal data security monitoring Necessary security measures are taken regarding entry and exit to physical environments containing personal data, The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured, The security of environments containing personal data is ensured, Personal data is reduced as much as possible, Personal data is backed up and The security of the backed up personal data is also ensured, User account management and authorization control system are implemented and these are followed up, periodic and/or random audits are carried out and made, Log records user intervention o Existing risks and threats are determined, Protocols and procedures for special quality personal data security are determined and implemented, If sensitive personal data is to be sent via e-mail, it is sent in encrypted form and using KEP or corporate mail account, Secure encryption for sensitive personal data / cryptographic keys are used and managed by different units, Intrusion detection and prevention systems are used, Penetration testing is carried out, Cyber security measures are taken and their implementation is constantly monitored, Encryption is made, Data of special persons transferred in portable memory, CD, DVD media are encrypted and transferred, Data processing Service providers are periodically audited on data security, Data processing service providers are made aware of data security, Data loss prevention software is used.
⦁ We ensure data security by using software and hardware containing virus and similar anti-malware systems, firewalls and intrusion prevention systems.
⦁ We carry out access to personal data within the partnership with a controlled process within the framework of authorizations on the basis of unit/role/application and in accordance with the nature of the data.
⦁ In accordance with Article 12 of the Law, we ensure that the necessary audits are carried out in order to ensure the implementation of the provisions of the Law.
⦁ We ensure that internal policies and procedures and data processing activities comply with the Law.
⦁ We subject access to sensitive personal data to more stringent measures.
⦁ In case of external access to personal data for reasons such as outsourcing, we take commitments from the external service provider to ensure compliance with the Law.
⦁ We take the necessary actions to inform all our employees, especially those who have access to personal data, about their duties and responsibilities under the Law.
1. DEFINITIONS
• Explicit consent: It refers to the declaration of consent on a specific subject, based on information and freely declared by the data owners.
• Anonymization: It means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
• Relevant person/data owner: Refers to the real person whose personal data is processed.
• Personal data: It refers to any information relating to an identified or identifiable natural person.
• Special categories of personal data: It refers to data subject to a stricter protection regime within the scope of the Law, which may cause the Data Owner to be victimized or exposed to discrimination in cases such as their disclosure or loss.
• Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. means all kinds of operations performed on data such as classification or prevention of use.
• Data recording system: It refers to the recording system in which personal data is processed and structured according to certain criteria.
• Data controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
2. PROTECTION OF PERSONAL DATA
Our Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing and access of Personal Data, and to protect Personal Data in accordance with the Law. Our company observes all legal rights of Personal Data Owners with the implementation of the Policy and Law and takes all necessary measures to protect these rights.
Our company carries out and has the necessary inspections made in order to establish the data security described above and to ensure the regularity and continuity of the measures taken.
Our company takes all necessary technical and administrative measures according to the technological possibilities and application costs so that the relevant data controllers and data processors do not disclose the Personal Data they have to others in violation of the provisions of the Law and Policy and do not use them for purposes other than processing. In this context, informing and training activities about the Law and Policy are carried out with our Company employees.
In the event that the Personal Data processed by our Company is obtained by others through unlawful means, our Company carries out the necessary actions to notify the relevant Personal Data Owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this situation may be announced on the website of the KVK Board or by any other method deemed appropriate by the KVK Board.
Our company considers that Special Quality Personal Data are data that may cause the person concerned to be victimized or exposed to discrimination if learned by others, therefore, all necessary measures are taken sensitively to protect such personal data that are processed in accordance with the law.
3. PROCESSING AND TRANSFER OF PERSONAL DATA
Our company ensures that the processed Personal Data are suitable for the realization of the determined purposes and avoids the processing of Personal Data that is not related to the realization of the purpose or is not needed. Our company keeps the processed data limited to what is necessary for the realization of the purpose.
Personal Data is processed by our company in accordance with the procedures and principles stipulated in the Law and this Policy. Our company's Personal Data is processed in accordance with the relevant legislation and the requirements of the good faith and used within these limits. Our company clearly and precisely determines the purpose of data processing.
Our company complies with these periods if there is a period stipulated in the relevant legislation for data storage; otherwise, it retains Personal Data only for as long as is necessary for the purpose for which it was processed. The retention periods of the processed data are included in our policies. In the event that there is no valid reason for further storage of a Personal Data by our company or upon the application of the person whose data is collected, the said data is deleted, destroyed or anonymized.
Our company does not process Personal Data without the explicit consent of the data owner. Our company may process Personal Data without seeking the explicit consent of the data owner, in the presence of one of the following conditions. Our company may process the Personal Data of Personal Data Owners, even if there is no explicit consent, in cases expressly stipulated by the laws. Our company may process the Personal Data of Personal Data Owners if it is necessary to fulfill its legal obligations as a data controller.
Personal Data may be processed commercially by our company regarding the establishment or performance of a contract.
Our company may transfer the Personal Data of Personal Data Owners and Private Personal Data to third parties specified in this protocol in accordance with the Law, by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data.
⦁ If there is express consent of the Personal Data owner;
⦁ If there is a clear regulation in the law regarding the transfer of Personal Data,
⦁ If it is necessary for the protection of the life or bodily integrity of the Personal Data owner or someone else, and if the Personal Data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid,
⦁ If it is necessary to transfer the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
⦁ If Personal Data transfer is mandatory for our company to fulfill its legal obligation,
⦁ If the Personal Data has been made public by the Personal Data owner,
⦁ If the transfer of Personal Data is necessary for the establishment, use or protection of a right,
⦁ Personal Data may be transferred if it is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data owner.
Our company takes the necessary security measures in line with the purposes of Personal Data processing and transfers the Personal Data and Private Personal Data of the Personal Data Owners abroad.
4. CLASSIFICATION OF PERSONAL DATA, PURPOSE OF PROCESSING AND TRANSFER, PERSONS TO BE TRANSFERRED
4.1. Personal Data Types:
Identity (such as name, surname, mother and father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial no, tc identity number), communication (address no, e-mail address, contact address, registered electronic postal address (such as cap), phone number), location (location information of the place of residence), personnel (such as payroll information, disciplinary investigation, entry-exit document records, property declaration information, CV information, performance evaluation reports), legal action ( information in correspondence with judicial authorities, information in the case file), customer transaction (call center records, invoice, promissory note, check information, information in box office receipts, order information, request information), physical place security (entry and exit registration information of employees and visitors, camera records), finance (such as balance sheet information, financial performance information, credit and risk information, asset information), professional experience (diploma information, courses attended, vocational training information, certificate such as information, transcript information), marketing (shopping history information, survey, cookie records, information obtained through campaign work), visual and audio recordings (such as visual and audio recordings-camera recording-photo), costume and clothing (related to clothing and clothing). information), association membership (such as association membership information), foundation membership (such as foundation membership information), union membership (such as union membership information), health information (information about disability, blood group information, personal health information, device used and prosthesis) information), criminal conviction and security measures (such as information on criminal convictions, information on security measures), biometric data (such as palm information, fingerprint information, retina scan information, face recognition information) for the purposes specified in this protocol. .
Credentials
Data containing information about the identity of the person: name-surname, T.C. identity number, marital status, nationality information, mother-father name-surname, place of birth - date, gender and other identity information, driver's license, identity card and passport and related documents, tax number, SGK number, signature information, vehicle plate and other information.
Communication information
Phone number, address, e-mail address, fax number, IP address and other information.
Transaction Security Information
Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company while carrying out the Company's activities
Financial Information
Personal data, bank account number, branch code, bank card information, IBAN number, credit card information, financial profile, and personal data processed for information, documents and records showing all kinds of financial results arising in accordance with the employee-employer relationship established by the Company with the Relevant Person , credit rating, assets data, income information and other information.
Visual and Audio Information
Photo and camera recordings, audio recordings and any data including this data and other information
Personal Information
All kinds of personal data processed for obtaining information that will be the basis for the protection of personal rights of real persons who are in a working relationship with the Personal Data Owner
Location Information
Information that determines the location of the Relevant Person while the Company or Company group companies are using vehicles by the Relevant Person within the framework of the activities and operations of the Company or its group companies or the companies and institutions with which it cooperates; GPS location, travel data and other information
Family Members and Close Information
Family members of the Related Person (e.g. spouse, mother, father, child) in order to protect the legal and other interests of the Company or the Company's group companies or the companies and institutions with which it cooperates or in order to protect the legal and other interests of the Company and the Related Person. ), their relatives and other persons who can be reached in case of emergency, as defined above, their identity and contact information.
Physical Space Security Information
Personal data regarding the records and documents taken at the entrance to the physical space, during the stay in the physical space; camera records, fingerprint records and records taken at the security point and other data
Legal Transaction Information
Data processed within the scope of the determination of the legal receivables and rights of the Company, its follow-up and the performance of its debts and its legal obligations
Sensitive Personal Information
Data specified in accordance with Article 6 of the Law (health data, biometric data, religion and membership association information, etc.)
Request/Complaint Management Information
Personal data regarding the receipt and evaluation of the request or complaint directed to our company
⦁ Purposes of Processing Personal Data
Your personal data; Planning and implementing our human resources policies in the best way, planning and executing our commercial partnerships and strategies correctly, Ensuring the legal, commercial and physical security of our Company and our business partners, Ensuring the corporate functioning of our Company, Working to make the best use of the products and services offered by our Company. ; Suggesting the products and services offered by our company according to your demands, needs and wishes, ensuring the highest level of data security, creating databases, improving the services offered on our company's website, communicating with those who have submitted their requests and complaints to our company, It is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to the purposes of eliminating errors.
In addition to our Company's Websites, Execution of our Company's Emergency Management Processes, Execution of Information Security Processes, Execution of Employee Candidates / Interns / Employee Candidates Application Processes, Employee Satisfaction and Loyalty Processes, Fulfillment of Work Contract and Legislation Obligations for Employees, Subsidiary for Employees Execution of Rights and Benefits Processes, Execution of Audit / Ethical Activities, Execution of Training Activities, Execution of Access Authorities, Execution of Activities in Compliance with the Legislation, Execution of Finance and Accounting Affairs, Execution of Firm / Product / Services Loyalty Processes, Ensuring Physical Space Security, Execution of Appointment Processes, Law Follow-up and Execution of Jobs, Conducting Internal Audit / Investigation / Intelligence Activities, Execution of Communication Activities, Planning of Human Resources Processes, Execution / Audit of Business Activities, İş S Execution of Network / Safety Activities, Receiving and Evaluation of Suggestions for the Improvement of Business Processes, Execution of Business Continuity Activities, Execution of Logistics Activities, Execution of Goods / Services Purchasing Processes, Execution of Goods / Services After-Sales Support Services, Execution of Goods / Service Sales Processes, Goods / Execution of Service Production and Operation Processes, Execution of Customer Relationship Management Processes, Execution of Activities for Customer Satisfaction, Organization and Event Management, Execution of Marketing Analysis Studies, Performance Evaluation Processes, Execution of Advertising / Campaign / Promotion Processes, Execution of Risk Management Processes, Storage and Execution of Archive Activities, Execution of Social Responsibility and Civil Society Activities, Execution of Contract Processes, Execution of Sponsorship Activities, Strategic Planning Activities Execution of Requests / Complaints, Ensuring the Security of Movable Goods and Resources, Execution of Supply Chain Management Processes, Execution of Remuneration Policy, Execution of Marketing Processes of Products / Services, Ensuring the Security of Data Supervisor Operations, Foreign Personnel Work and Residence Permit Processes, Execution of Investment Processes, Talent / Personal data is obtained for the purpose of Carrying out Career Development Activities, Providing Information to Authorized Persons, Institutions and Organizations, Executing Management Activities, Creating and Tracking Visitor Records.
⦁ Purposes of Transfer of Personal Data
Your Personal Data, the best planning and implementation of our human resources policies, the correct planning and execution of our commercial partnerships and strategies, ensuring the legal, commercial and physical security of our company and our business partners, ensuring the corporate functioning of our company, making the best use of the products and services offered by our company. work for; Suggesting the products and services offered by our company according to your demands, needs and wishes, ensuring the highest level of data security, creating databases, improving the services offered on our company's website, communicating with those who have submitted their requests and complaints to our company, It is transferred within the scope of the conditions specified in Articles 8 and 9 of the Law, limited to the purposes of eliminating errors.
⦁ Persons to whom Personal Data will be Transferred
Your Personal Data; It can be transferred to our shareholders, business partners, suppliers, group companies, affiliates, companies and institutions with which we cooperate, companies from which we get outsourced services (security, health, work safety, law, etc.), authorized institutions and organizations in order to fulfill our contractual or legal obligations.
⦁ Deletion, Destruction or Anonymization of Personal Data
Without prejudice to the provisions in other laws regarding the deletion, destruction or anonymization of Personal Data, our Company will delete the Personal Data ex officio or upon the request of the data owner, in the event that the reasons for its processing disappear, although it has been processed in accordance with the provisions of this Law and other laws, destroy or anonymize.
With the deletion of personal data, this data is destroyed in a way that it cannot be used again in any way and cannot be restored. Accordingly, the data is deleted from the tools such as documents, files, CDs, floppy disks, hard disks in which they are registered, in a way that cannot be recycled.
Destruction of data, on the other hand, means the destruction of materials suitable for data storage such as documents, files, CDs, floppy disks, hard disks, in which the data is recorded, so that the information cannot be retrieved and used again.
By anonymizing the data, it is meant that the Personal Data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.
⦁ Retention Period of Personal Data
Our company stores Personal Data in accordance with the periods stipulated in the laws and other legislation. If there is no provision in the laws and other legislation regarding how long Personal Data should be kept, the Personal Data is processed until the purpose of processing the Personal Data is realized when the Personal Data is processed by our Company, and then it is deleted, destroyed or anonymized.
5. RIGHTS OF PERSONAL DATA SUBJECT
According to Article 11 of the Law, data owners have the following rights against the data controller.
⦁ Learning whether personal data about himself is processed.
⦁ If personal data about him has been processed, do not request information about it.
⦁ Learning the purpose of processing personal data and whether they are used in accordance with the purpose.
⦁ Knowing the third parties to whom personal data is transferred at home or abroad.
⦁ Requesting correction of personal data in case of incomplete or incorrect processing.
⦁ Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation.
⦁ Requesting notification of the transactions made as a result of requests for correction, deletion and destruction to third parties to whom personal data has been transferred.
⦁ Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems.
⦁ Requesting the compensation of the damage in case of loss due to unlawful processing of personal data.
We respond to data owners who want to exercise these rights within the limits set forth in the Law, within a maximum of thirty days, as stipulated in the Law. In order for third parties to apply on your behalf, there must be a special power of attorney issued by a notary public on behalf of the person who will apply.
Although your applications are processed free of charge as a rule, if a fee schedule is stipulated by the Personal Data Protection Board, a fee may be charged over this tariff. We can request information from the person concerned in order to determine whether the applicant is the Data Owner, and we can ask questions about the application to the Data Owner in order to clarify the issues stated in the application.
To exercise the above-mentioned rights, you can contact us through our contact information on our website.
6. EXCEPTIONAL CONDITIONS
⦁ Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
⦁ Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
⦁ Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
⦁ Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
In the event that personal data is processed by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings, the provisions of this Policy and the Law do not apply.
⦁ The processing of personal data is necessary for the prevention of crime or for criminal investigation.
⦁ Processing of personal data made public by the person concerned.
⦁ The processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
In cases where personal data processing is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters, Articles 10, 11 and 16 of the relevant law are not applicable.
7. DATA SECURITY
In order to ensure the security of your personal data, we take reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data.
In order to take administrative and technical measures in our company, Network security and application security are provided, Closed system network is used in personal data transfers via network, Key management is implemented, Security measures are taken within the scope of procurement, development and maintenance of information technology systems, Personal data stored in the cloud is secured, For employees There are disciplinary regulations that include data security provisions, Training and awareness studies are carried out periodically on data security for employees, An authorization matrix is created for employees, Access logs are kept regularly, Institutional policies on access, information security, use, storage and destruction are prepared and implemented , Data masking measures are applied when necessary, Confidentiality commitments are made, Employees who have a job change or quit their job are removed from their authority in this area, Current anti-virus systems are used, Firewall is used. Signed contracts contain data security provisions, Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format, Personal data security policies and procedures are determined, Personal data security problems are quickly reported, Personal data security monitoring Necessary security measures are taken regarding entry and exit to physical environments containing personal data, The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured, The security of environments containing personal data is ensured, Personal data is reduced as much as possible, Personal data is backed up and The security of the backed up personal data is also ensured, User account management and authorization control system are implemented and these are followed up, periodic and/or random audits are carried out and made, Log records user intervention o Existing risks and threats are determined, Protocols and procedures for special quality personal data security are determined and implemented, If sensitive personal data is to be sent via e-mail, it is sent in encrypted form and using KEP or corporate mail account, Secure encryption for sensitive personal data / cryptographic keys are used and managed by different units, Intrusion detection and prevention systems are used, Penetration testing is carried out, Cyber security measures are taken and their implementation is constantly monitored, Encryption is made, Data of special persons transferred in portable memory, CD, DVD media are encrypted and transferred, Data processing Service providers are periodically audited on data security, Data processing service providers are made aware of data security, Data loss prevention software is used.
⦁ We ensure data security by using software and hardware containing virus and similar anti-malware systems, firewalls and intrusion prevention systems.
⦁ We carry out access to personal data within the partnership with a controlled process within the framework of authorizations on the basis of unit/role/application and in accordance with the nature of the data.
⦁ In accordance with Article 12 of the Law, we ensure that the necessary audits are carried out in order to ensure the implementation of the provisions of the Law.
⦁ We ensure that internal policies and procedures and data processing activities comply with the Law.
⦁ We subject access to sensitive personal data to more stringent measures.
⦁ In case of external access to personal data for reasons such as outsourcing, we take commitments from the external service provider to ensure compliance with the Law.
⦁ We take the necessary actions to inform all our employees, especially those who have access to personal data, about their duties and responsibilities under the Law.