KVKK

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES OF PERSONAL DATA

 

SECTION 1

PURPOSE AND SCOPE OF THE POLICY

The Law on the Protection of Personal Data No. 6698 entered into force in 2016, after the protection of personal data became a constitutional right in 2010. It is a legal protection instrument that sets out the procedures and principles developed to preserve the principle of privacy during the processing of personal data and to avoid harm to fundamental rights and freedoms.

Data controllers that are obliged to register in the Data Controllers Registry in accordance with Article 16 of the Law No. 6698 (“KVKK” or “Law”) are obliged to prepare a personal data protection and processing policy in accordance with their personal data processing inventory.

This Personal Data Protection and Processing Policy has been prepared in order to determine the procedures and principles to be applied regarding the protection and processing of personal data in accordance with Law No.

DEFINITIONS

Registry is the registry of data controllers kept by the Presidency of the Personal Data Protection Authority.

Explicit Consent is consent on a specific subject, based on information and expressed with free will.

Data recording system is a recording system in which personal data is processed and structured according to certain criteria.

Subjects Defined by the Personal Data Protection Law and Regulation

The Data Controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Relevant User is the person who processes personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Recipient Group is the category of natural or legal person to whom personal data is transferred by the data controller.

The person concerned is the natural person whose personal data is processed.

Inventory is the inventory that data controllers create for the personal data processing activities they carry out as part of their business processes, by associating the purposes of and legal reason for processing personal data, the data category, the recipient group to which data is transferred and the data subject group, and in which they set out the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries, and the measures taken regarding data security.

Open data is anonymized data that is freely available to everyone on the internet, free of charge or at no more than the cost of preparation, is not subject to any intellectual property rights, can be freely used for any purpose, and is machine-readable and thus interoperable with other data and systems.

SECTION 2

 

PERSONAL DATA PROCESSING CONDITIONS

The processing of personal data is defined in Article 3 of the Law. Accordingly, as the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we consider any operation performed on personal data, wholly or partly by automated means, or by non-automated means provided that it is part of a data recording system, to be processing of personal data. This covers obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, acquiring, making available, classifying or preventing the use of the data.

The conditions for the processing of personal data are listed in Article 5 of the Law. We act in accordance with this article, and where at least one of the following conditions is present, our processing of personal data is lawful.

  • The explicit consent of the person concerned exists,
  • It is clearly stipulated in the law,
  • It is mandatory for the protection of the life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally recognized, or of another person,
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract,
  • It is mandatory for the data controller to fulfill its legal obligation,
  • The data has been made public by the person concerned,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The conditions for processing personal data, that is, the conditions for its compliance with the law, are listed exhaustively in the Law and cannot be extended.

As the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we process data by meeting the conditions listed above.

I. EXPLICIT CONSENT

As the Data Controller, BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ first evaluates whether one of the other data processing conditions can be relied upon for the data processing activity, and if none of these is available, it seeks the explicit consent of the data subject.

For example, as BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we process the health data of our employees with explicit consent.

 

 

II. EXPRESSLY STIPULATED IN LAW

One of the data processing conditions is that it is clearly stipulated in the law. A provision in the law regarding the processing of personal data will constitute a data processing condition. For example, the processing of data of customer company shareholders who purchase the product in sales contracts is within this scope.

III. ACTUAL IMPOSSIBILITY

The personal data of the person concerned may be processed if it is necessary for the protection of life or bodily integrity of the person or someone else, who is unable to express his or her consent due to actual impossibility or whose consent is not given legal validity.

IV. NECESSARY FOR THE FORMATION AND PERFORMANCE OF THE CONTRACT

Where it is necessary to process the personal data of the parties to a contract, and provided that this is directly related to the conclusion or performance of that contract, the data may be processed, limited to this purpose. For example, BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ’s processing of personal data regarding customer company employees and shareholders within the scope of logistics services is within this scope.

V. MANDATORY FOR THE DATA CONTROLLER TO FULFILL ITS LEGAL OBLIGATIONS

In cases where data processing is necessary for the data controller to fulfill its legal obligations, the personal data of the data subject may be processed.

An example of this situation is our obtaining and processing, as BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, data such as the employee’s bank account number, dependents, whether his/her spouse is working or not, and social insurance number.

As an employer, our submission of our employees’ information to the relevant public officials during a tax audit can also be considered within this scope.

VI. PERSONAL DATA HAS BEEN MADE PUBLIC BY THE PERSON CONCERNED

Personal data made public by the person concerned, in other words, disclosed to the public in any way, may be processed. An example of this situation is when a person publicly announces their contact information in order to be contacted in certain circumstances. Data can also be said to have been made public where employees’ workplace phone numbers and corporate e-mail addresses are shared openly on corporate websites for access by third parties. However, in order for personal data to be considered public, the person to whom it belongs must want it to be public. In other words, for data to be made public, there must be a will to make it public.

For these reasons, the mere fact that a person’s personal data is in a place where everyone can see it is not, in principle, regarded as making it public; rather, the data a person has shared is accepted as having been made public only for that purpose.

VII. PROCESSING OF PERSONAL DATA IS MANDATORY FOR THE ESTABLISHMENT OR EXERCISE OF A RIGHT

It is possible to process the personal data of the person concerned if it is necessary for the establishment, exercise or protection of a right. For example, the processing of data of BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ employees within the scope of occupational health and safety can be evaluated within this scope.

In addition, after the contracts we have concluded as the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ have expired, keeping documents such as invoices, contracts and sureties for these purposes until the end of the statute of limitations, against possible legal proceedings, is considered within this scope.

VIII. DATA PROCESSING IS MANDATORY FOR THE LEGITIMATE INTERESTS OF THE DATA CONTROLLER, PROVIDED THAT IT DOES NOT HARM THE FUNDAMENTAL RIGHTS AND FREEDOMS OF THE PERSON CONCERNED

Provided that it does not harm the fundamental rights and freedoms of the data subject, it is possible to process personal data if it is necessary for the legitimate interests of the data controller.

In some cases, data may be processed on the basis of the legitimate interest of the data controller. For example, provided that it does not harm the fundamental rights and freedoms of our employees, we consider the processing of our employees’ personal data as a basis for arranging their promotions, salary increases or social rights, or for distributing duties and roles in the restructuring of the enterprise, to be within the scope of the legitimate interest of the data controller.

In addition, monitoring with camera systems within the scope of legitimate interests to ensure the physical space security of the administrative building of BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ can be evaluated within this scope.

SECTION 3

BASIC PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

The Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ adopts the following basic principles within the scope of complying with the personal data protection legislation and maintaining compliance:

There are basic principles regarding the processing of personal data, which are accepted in international documents and reflected in the practices of many countries. In Article 4 of the Law, the procedures and principles regarding the processing of personal data are arranged in parallel with the Convention No. 108 and the European Union Directive No. 95/46/EC.

Accordingly, the general (basic) principles listed in the Law for the processing of personal data are as follows:

  • Compliance with the law and the rules of honesty,
  • Being accurate and up-to-date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being related to, limited to and proportionate to the purpose for which they are processed,
  • Being kept for the period required by the relevant legislation or for the purpose for which they are processed.

Principles regarding the processing of personal data should be at the core of all personal data processing activities, and all personal data processing activities should be carried out in accordance with these principles.

  1. Principle of Compliance with the Law and the Rules of Honesty

Compliance with the law and the rule of honesty means the obligation to act in accordance with the principles brought by laws and other legal regulations in the processing of personal data.

In accordance with the principle of honesty, as the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we always take into account the interests and reasonable expectations of the data subjects while trying to achieve our goals in data processing. In addition, in principle, we act in a way that prevents outcomes that the person concerned does not expect and should not have to expect. In accordance with the same principle, we also always act in line with our information and warning obligations as the Data Controller, so that the data processing activity in question is transparent for the data subject.

  2. The Principle of Being Accurate and Up-to-Date When Necessary

As the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we are aware that we have an active duty of care to ensure that personal data is accurate and up-to-date when necessary. Accordingly, we always keep the channels open to ensure that the information of the person concerned is correct and up-to-date.

  3. Principle of Processing for Specific, Explicit and Legitimate Purposes

The principle that the purposes of processing personal data be specific, legitimate and clear ensures that:

  • Personal data processing activities are clearly understandable by the person concerned,
  • The legal processing condition on which personal data processing activities are based is determined,
  • The personal data processing activity and the purpose of this activity are set out in enough detail to ensure specificity.

In this respect, as the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we show high sensitivity in complying with the principle of certainty and clarity in the legal transactions and texts in which the purposes of personal data processing are explained (explicit consent, clarification, answering the applications of the data subject, application to the data controller registry). When presenting these legal texts to the other party, we keep the use of technical-legal terminology to a minimum so that they can be easily understood by everyone.

Acting in accordance with this principle is also important in terms of compliance with the principle of honesty.

  4. The Principle of Being Related to, Limited to and Proportionate to the Purpose for Which They Are Processed

As the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we ensure that the processed data is suitable for the realization of the determined purposes, and we avoid processing personal data that is unnecessary or not related to the realization of the purpose. At this point, we process personal data at a minimum level in order to serve the determined purpose.

Similarly, data is not processed in order to meet needs that may arise later. In addition, the processed data is limited to the personal data necessary for the realization of the purpose. In principle, once sufficient data to achieve the purpose has been obtained, the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ avoids further data processing that is not necessary.

  5. The Principle of Retention for the Period Required for the Purpose of Processing or Stipulated in the Relevant Legislation

The Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ keeps personal data for the period required for the purpose for which they are processed, as a requirement of the “purpose-limitation principle”. As stated in Article 12 of the Law, the data controller must take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. As the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we are aware of our obligation to take administrative and technical measures.

In addition to the storage periods that we, as the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, determine in accordance with the purpose-limitation principle for the storage of personal data, there are also storage periods determined within the scope of the relevant legislation to which we are subject. Accordingly, if a period is stipulated in the legislation for the relevant personal data, we comply with that period; if no such period is stipulated, we store the data only for the period necessary for the purpose for which it was processed.

If there is no valid reason for further storage of data, that data will be deleted and destroyed. As mentioned above, personal data cannot be kept for future use or for any other reason.

In addition, when applying for registration in accordance with Article 16 of the Law, we, as the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, determined the maximum period required for the processing of personal data by considering Article 9 of the Regulation on the Registry of Data Controllers, and published the necessary periods in our legal texts.

 

SECTION 4

CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data are data that, if learned, may cause discrimination against or victimization of the person concerned. For this reason, as the Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, we are aware that such data must be protected much more strictly than other personal data when it is protected and processed. As a matter of fact, the Law attaches special importance to these data and introduces a different regulation regarding them. The Law considers these as sensitive personal data or sensitive data. Special categories of personal data may be processed with the explicit consent of the person concerned or in the limited cases listed in the Law.

 

 

PERSONAL DATA CATEGORIES

1-Identity (such as name, surname, mother and father name, date of birth, place of birth, marital status, identity card serial number, TR identity number, signature)

2-Contact (such as address number, e-mail address, contact address, registered e-mail address (KEP), telephone number)

3-Personnel (such as payroll information, disciplinary investigation, entry-exit document records, property declaration information, CV information, performance evaluation reports)

4-Legal Action (such as information in correspondence with judicial authorities, information in the case file)

5-Customer Transaction (such as invoice, promissory note, check information, complaint information, request information)

6-Physical Space Security (such as camera records)

7-Finance (such as credit card information, IBAN Information, assets information)

8-Professional Experience (such as diploma information, industry, courses attended, vocational information, in-service training information, certificates, transcript information)

9-Visual and Audio Recordings (such as visual and audio recordings)

10-Health Data (information about disability, past surgeries, personal health information, prescription, health report, information in the occupational health and safety file)

11-Criminal Conviction and Security Measures (such as information on criminal convictions, information on security measures)

SECTION 5

INFORMING OF PERSONAL DATA OWNERS BY BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ

The Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ carries out the necessary processes to ensure that the data owners are informed during the acquisition of personal data, in accordance with Article 10 of the Law and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Disclosure Obligation. In this context, the clarification texts presented to the data owners by BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ cover:

  1. The Data Controller,
  2. For what purpose the personal data of data subjects will be processed by BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ,
  3. To whom and for what purpose the processed personal data can be transferred,
  4. The method and legal reason for collecting personal data,
  5. The rights of the data owner:

– To learn whether personal data is processed or not,

– To request information about personal data if it has been processed,

– To learn the purpose of processing personal data and whether they are used in accordance with the purpose,

– To know the third parties to whom personal data is transferred in the country or abroad,

– To request correction of personal data in case of incomplete or incorrect processing and to request that the transaction be notified to third parties to whom the personal data has been transferred,

– To request the deletion or destruction of personal data within the framework of the stipulated conditions and to request the notification of the transaction to the third parties to whom the personal data has been transferred,

– To object to a result that arises against the person himself/herself through the analysis of the processed data exclusively by automated systems,

– To demand compensation for the damage in case of loss due to unlawful processing of personal data.

It is one of our basic principles to fulfill our obligation to inform the data owner completely and accurately, taking into account the necessary procedures and principles.

CONCLUSION OF REQUESTS OF PERSONAL DATA OWNERS BY BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ

Where data subjects submit requests regarding their personal data to the Data Controller company, in writing or by other methods determined by the KVK Board, in order to exercise any of the rights set out in Article 11 of the Law, BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ, in its capacity as data controller and in accordance with Article 13 of the Law, finalizes the requests submitted to it within 30 (thirty) days at the latest and informs the relevant person.

Data owners should make their requests regarding their personal data in line with the Communiqué on Application Procedures and Principles to the Data Controller.

Within the scope of ensuring data security, BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ may request information in order to determine whether the applicant is the owner of the personal data subject to the application. In addition, in order to ensure that the application of the personal data owner is concluded in accordance with the request, it may ask the personal data owner questions about the application.

SECTION 6

ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA BY BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ

BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ takes all kinds of necessary measures, depending on the nature of the data to be protected, in order to prevent the unlawful disclosure of, access to or transfer of personal data, or security deficiencies that may occur in other ways.

  1. Administrative Measures Taken by Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ to Ensure the Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data:

– BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ restricts access to the stored personal data to the personnel who need to access it as per their job description. In limiting access, whether the data is of special nature and its importance are also taken into account.

– In case the processed personal data is obtained by others unlawfully, this situation is notified to the relevant person and the Board as soon as possible.

– Regarding the sharing of personal data, a framework agreement on the protection of personal data and data security is signed with the persons with whom personal data is shared, or data security is ensured by provisions added to the existing agreement.

– It employs personnel who are knowledgeable and experienced in the processing of personal data, and the personnel are given the necessary training within the scope of personal data protection legislation and data security.

– It carries out, or has carried out, the necessary inspections in order to ensure the implementation of the provisions of the Law within its own legal entity. Confidentiality and security vulnerabilities that are identified as a result of audits are eliminated.

  2. Technical Measures Taken by Data Controller BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ to Ensure the Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data:

– Necessary internal controls are carried out within the scope of established systems.

– The technical infrastructure needed to prevent or monitor the leakage of data outside the institution is provided, and the relevant matrices are created.

 

SECTION 7

IDENTITY OF THE DATA CONTROLLER

BAŞARI TUTKUM BİLİŞİM PROJE VE LOJİSTİK ANONİM ŞİRKETİ is a “Data Controller” within the scope of the Law.
