PERSONAL DATA PROCESSING AND PROTECTION POLICY
1. INTRODUCTION
Constitution of the Republic of Türkiye
ARTICLE 20 - Everyone has the right to demand respect for their private and family life. The confidentiality of private life and family life is inviolable. (Additional paragraph: 12/9/2010-5982/2 art.) Everyone has the right to request the protection of personal data regarding him/her. This right also includes being informed about personal data about oneself, accessing this data, requesting its correction or deletion, and learning whether it is used for its purposes. Personal data can only be processed in cases stipulated by law or with the express consent of the person. The principles and procedures regarding the protection of personal data are regulated by law.
11th Development Plan of the Presidency of the Republic of Türkiye
Article 479. Regulations regarding the protection of personal data will be updated in line with the innovations brought by technology and new approaches adopted on international platforms, and technological development in this field will be encouraged.
479.1. Personal Data Protection Law No. 6698 will be updated taking into account the EU's General Data Protection Regulation. The articles are included.
The Personal Data Protection Law (“KVKK”), prepared within the framework of compliance with the European Union criteria, came into force after being published in the Official Gazette dated 07.04.2016. KVKK contains regulations largely in the same direction as the European Union's directive 95/46/EC, and with the entry into force of KVKK, the protection of individuals' personal data has been brought under a comprehensive regulation.
With the above-mentioned Constitutional provisions, the Development Plan and the Personal Data Protection Law, regulations have been made regarding the protection of personal data of the person and the exercise of the rights specified in Article 11 of the Law. Their content includes the definition and classification of personal data, processing of personal data, the obligation to inform, explicit consent and exceptions, determination of the obligations of real and legal persons processing personal data, establishment of the Personal Data Protection Authority, complaint application procedures and sanctions.
Regulating the internal functioning of our company within the scope of KVKK, secondary regulations, decisions and regulations of the Personal Data Protection Board, final court decisions and other relevant legislation, within the framework of the principles of service quality, respect for individuals' rights, transparency and honesty adopted by our company, and in line with the new regulations envisaged by the KVKK, is among our company's priority topics. For this reason, this Policy has been prepared and put into effect in order to allow personal data owners to benefit from the rights brought by KVKK and to ensure compliance with the Law.
2. PURPOSE AND SCOPE
The policy aims to ensure that the regulations to be introduced by the company within the framework of the basic principles explained above for compliance with KVKK are effectively implemented within the company, by our company's employees and business partners. In line with the basic regulations envisaged by the Policy, all kinds of administrative and technical measures will be taken in terms of the processing and protection of personal data within the company's operation, the necessary internal procedures will be established, all necessary training will be carried out to raise awareness, all necessary measures will be taken for employees and business partners to comply with KVKK processes, and the necessary technological infrastructure and administrative and legal system will be established.
The policy regulates the basic principles to be observed in all these processes and the issues that our company is obliged to direct the company's internal functioning within the scope of the regulations introduced by KVKK. The internal procedures to be established within the framework of KVKK and relevant legislation will regulate the compliance activities that our company will carry out regarding the protection of personal data. All employees of our company are obliged to act in accordance with the regulations introduced by this Policy, KVKK and all other relevant legislation while performing their duties.
In case of non-compliance with the Policy and the relevant legislative provisions, in addition to the criminal and legal liability stipulated by the legislative provisions, sanctions within the Company, depending on the nature of the incident, up to the termination of the employment contract for justified reasons, will be applied within the framework of the legislation regulating business life.
3. DEFINITIONS
Company: It refers to Estefit Medical Health Beauty and Life Center Construction Tourism Textile Education Services Industry and Trade Limited Company.
Explicit consent: It refers to consent regarding a specific subject, based on information and expressed with free will. The records that the relevant person has been informed and enlightened will be kept and protected in accordance with the company's internal procedures.
Anonymization: It refers to making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Related person: It refers to the real person whose personal data is processed. The processing and protection of personal data and special personal data of our company's real or legal person customers, legal entity business partners, shareholders, managers or employees, company consultants, consultants, solution partners, guests and our company stakeholders will be handled by our company within the scope of KVKK and this Policy.
Personal data: It refers to all kinds of information regarding an identified or identifiable natural person. All information that makes a person identifiable is regulated as personal data. Information such as Republic of Turkey identity number, name-surname, e-mail address, telephone number, address, date of birth, bank account number can be given as examples of personal data. This data has been classified within our company, and issues such as how each category of data can be processed, by whom, for what purpose and for how long are regulated with the Personal Data Processing Inventory.
Special Personal Data: It refers to data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Processing of personal data: It refers to any action performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system.
Processing data: It refers to the real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. Which personnel are authorized to access and process personal data within the meaning of KVKK, to what extent, for what purpose and for how long these personnel can access the data, and the operations they can perform on the data are determined on a departmental basis with in-company procedures.
Data controller: It refers to the real or legal person who determines the purposes and methods of processing personal data and is responsible for establishing and managing the data recording system. Within the scope of KVKK, our Company will have the title of data controller and has been registered in the VERBIS system. During registration, this Commission will be responsible for the monitoring and coordination of all work and transactions within the scope of KVKK and Personal Data Protection Board regulations in order to carry out the transactions to be carried out as the Data Controller.
Data Control Officer: He is the person responsible for recording the Company Contact Person information in the Data Controllers Registry Information System (VERBİS) and changing it when necessary.
Contact Person: The person registered in the Data Controllers Registry Information System (VERBİS) by the Data Controller. The Contact Person is the person responsible for correspondence with the Board, recording the Company Data Inventory to VERBIS, and data subject request management.
4. EXECUTION OF THE POLICY AND RESPONSIBILITIES
The Company, as the Data Controller, is responsible for organizing and implementing all internal operations and processes of this Policy. The data controller within the Company will be authorized and responsible for the regulations, procedures and training activities to be prepared in line with this Policy. All employees, solution partners, suppliers, guests and all relevant third parties throughout our company are obliged to cooperate with the Data Controller in preventing legal responsibilities, risks and dangers that may arise in accordance with the provisions of the relevant legislation, as well as compliance with the Policy. All personnel related to all departments of the Company are obliged to act in accordance with the Policy and ensure compliance with the provisions of the Policy.
This Policy will be announced to all personnel within the company who can access personal data, and will also be accessible at all times by being uploaded to common information processing systems. Additionally, this Policy has been published on the Company website (www.estefit.com.tr). Any changes to the Policy will be reflected in the information processing system and on the website, so that data owners can be informed by accessing the principles stipulated in the Policy.
In case of a conflict between the Policy and the applicable legislative provisions, the Company accepts that the legislative provisions will be applied in its capacity as Data Controller. The Audit Commission is obliged to manage the processes of updating the Policy in accordance with the legislative provisions in case of a conflict of this nature.
5. PERSONAL DATA PROCESSING PRINCIPLES
5.1. General Principles in Processing Personal Data
The Company accepts that it will process the personal data within the scope of this Policy in accordance with the following principles, pursuant to Article 4 of the KVKK.
5.1.1. Compliance with the law and the rule of honesty
The Company, in its capacity as Data Controller and as a prudent merchant, accepts that it will carry out personal data processing activities in accordance with the principles brought by the laws and other legal regulations that are in force and will come into force, especially the Constitution and KVKK.
5.1.2. Accuracy and up-to-dateness when necessary
In its personal data processing activities, the Company takes all necessary measures to ensure the accuracy and up-to-dateness of personal data to the extent permitted by the processing method. Administrative and technical mechanisms established by the company will be operated to correct inaccurate or outdated personal data and check its accuracy, in line with the requests notified by the relevant person to the company as the Data Controller and the situations that the company deems necessary.
5.1.3. Processing for specific, clear and legitimate purposes
Personal data is processed by the Company in accordance with the law, limited to the requirements of the relevant legislation and the services offered or to be offered, and the purpose of processing personal data is clearly and precisely determined before the data is processed.
5.1.4. Processing data in a limited and measured manner in connection with the purpose for which they are processed
Personal data is processed by the Company in connection with and limited to the purposes for which it is processed and to the extent necessary to achieve this purpose. In this context, it is essential to avoid processing personal data that is not related to the purpose of processing the data and is not needed.
5.1.5. Processing until the period stipulated by the legislation or required by the purpose of processing.
Personal data is retained in line with the periods stipulated by the relevant legislation provisions or for the period required by the purpose of processing the data. At the end of the period stipulated by the legislation provisions or the period required by the purpose of processing the data, personal data is deleted, destroyed or anonymized by the company. Necessary administrative and technical measures will be taken to prevent data from being retained beyond the required period.
6. CONDITIONS FOR PROCESSING PERSONAL DATA
Article 5 of the KVKK regulates the conditions for processing personal data. The processing of personal data by the company is carried out in accordance with the following conditions specified in the KVKK.
6.1. Explicit Consent of the Relevant Person
The main rule in the processing of personal data is that the relevant person has given explicit consent for the processing of his/her data. The Company will carry out data processing activities for the transactions covered by the consent, in line with the explicit consent that the relevant person gives, after being informed about the purpose for which the data will be processed, in a clear manner that does not leave any room for hesitation, as stipulated by the KVKK.
Pursuant to KVKK, even if there is no explicit consent of the relevant persons, in cases where it is necessary to process personal data in accordance with the legislation, data processing activities will be considered lawful, provided that other necessary criteria are met. In this context, where
- Turkish Commercial Code No. 6102
- Turkish Code of Obligations No. 6098
- Public Procurement Law No. 4734
- Labor Law No. 4857
- Social Insurance and General Health Insurance Law No. 5510
- Occupational Health and Safety Law No. 6331
- Trade Unions and Collective Labor Agreement Law No. 6356
and other relevant legislative provisions stipulate the processing of personal data, personal data will be processed by the company within the limits set by the legislative provisions.
6.2. Processing Is Mandatory to Protect the Life or Physical Integrity of the Relevant Person or Another Person, Where the Relevant Person Cannot Express His Consent Due to Actual Impossibility or His Consent Cannot Be Granted Legal Validity
Pursuant to KVKK, in cases where the relevant person cannot express his consent due to actual impossibility or his consent cannot be given legal validity, it is possible to process personal data if the processing is necessary to protect the life or physical integrity of the relevant person or someone else. The company will process personal data in the cases stipulated by this regulation.
6.3. It is Mandatory to Process Personal Data of the Parties to a Contract, Provided That It is Directly Related to the Establishment and Performance of a Contract
Personal data of the parties to the contract will be processed by the company, provided that it is directly related to the establishment and execution of the contract.
6.4. It is mandatory for the Data Controller to fulfill its legal obligations
In order for the company, which has the title of Data Controller in accordance with KVKK, to fulfill its obligations arising from the legislative provisions, personal data will be processed by the company, subject to the limits of such obligation.
6.5. Processing of Personal Data Made Public by the Relevant Person
If the relevant person makes his/her personal data public, such personal data will be processed by the Company in proportion to the purposes for which it is made public.
6.6. Processing of Data Necessary for the Establishment, Exercise or Protection of a Right
Personal data will be processed by the company to the extent necessary for the establishment, exercise or protection of a right.
6.7. Processing of Personal Data for the Legitimate Interests of the Data Controller
Personal data may be processed in line with the legitimate interests of the company acting as the Data Controller, provided that the fundamental rights and freedoms of the relevant person are not harmed. However, the expression of the company's legitimate interests cannot in any way contradict the principles determined by the KVKK, the purpose of processing personal data, and cannot interfere with the essence of the right guaranteed by the Constitution.
7. CONDITIONS FOR PROCESSING SPECIAL PERSONAL DATA
Article 6 of the KVKK regulates the processing conditions of special personal data. In line with the said article, data regarding individuals' ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data have the status of special personal data. All business processes and documents within the company were examined and data in this status was determined and classified. The processing of special personal data by the Company is carried out in accordance with the following conditions specified in the KVKK.
7.1. Processing of Special Personal Data in Case of Explicit Consent of the Relevant Person
In accordance with KVKK, as a rule, it is prohibited to process special personal data without the explicit consent of the relevant person. In this context, as a primary principle, the company will ensure that the express consent of the relevant persons is obtained in order to process special personal data. Data processing activities will be carried out in line with the scope of the consent of the relevant person regarding the processing of special categories of personal data. The provisions stipulated in the KVKK regarding the processing of special personal data without explicit consent are reserved.
7.2. Processing of Special Personal Data Due to Legislation Provisions, Despite the Lack of Explicit Consent of the Relevant Person
In cases where it is foreseen by the legislation that special personal data can be processed, special personal data of the relevant person, other than data on health and sexual life, may be processed in accordance with the provision of KVKK. In this case, the data processing activities to be carried out by the company will be limited to the requirements of the underlying legislation. In legal processes such as lawsuits arising from contracts and enforcement proceedings, the submission of special personal data to legal processes, provided that they are related and limited to the essence of the relevant legal process, the inclusion in legal processes of special personal data collected by the courts ex officio or by parties or third parties, and the storage of personal data for the period required for legal processes are considered as processing of personal data due to legislation.
7.3. Processing of Special Personal Data Related to Health and Sexual Life, Subject to the Obligation of Confidentiality, for the Purposes of Execution of Preventive Medicine, Medical Diagnosis, Treatment and Care Services, Planning and Management of Health Services and Financing
In accordance with KVKK, the processing of special personal data regarding the health and sexual life of individuals is subject to the condition of their explicit consent. In cases where there is no explicit consent, it has been regulated that the personal data in question can be processed by the persons under the obligation to keep confidentiality, only for the purpose of carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. In cases where the Company is under a confidentiality obligation in line with the provisions of the legislation, special personal data regarding the health and sexual lives of the relevant persons may be processed to the extent required by the provisions of this legislation.
7.4. Precautions to be Taken in the Processing of Special Personal Data
In order to process special personal data, it is mandatory to take measures to be determined by the Data Protection Board in accordance with KVKK. The Company will process sensitive personal data in line with the measures to be determined by the Board.
8. TRANSFER OF PERSONAL DATA
Article 8 of KVKK regulates the transfer of personal data to third parties within the country. As a general rule, personal data should not be transferred to third parties without the explicit consent of the person concerned. Compliance with the following criteria will be ensured in the processes regarding the transfer of personal data. It is the company's responsibility to comply with all legislative provisions regarding the transfer of personal data and to adapt the transfer processes in accordance with the legislation provisions that are in force or will come into force, and these processes will be monitored and coordinated by the Data Controller.
8.1. Transfer of Personal Data Domestically
8.1.1. The relevant person has given explicit consent for the transfer of personal data
In accordance with Article 8 of the KVKK, the main rule for the transfer of personal data to third parties is the explicit consent of the relevant person. Personal data will be transferred by the Company by carefully determining which personal data the relevant person has consented to be transferred to third parties within the country and by recording the groups of persons to whom it is transferred in the data inventory.
8.1.2. Transfer of personal data, even if there is no explicit consent of the relevant person, provided that the conditions for processing personal data are met.
In cases where the relevant person has not given explicit consent for the transfer of personal data within the country, it is possible to transfer personal data to third parties under the conditions explained in articles 6.2., 6.3., 6.4., 6.5., 6.6., 6.7. and 6.8. of this Policy regarding the conditions for processing personal data and regulated by the 2nd paragraph of Article 5 of the KVKK.
8.1.3. Transfer of personal data, even if there is no explicit consent of the relevant person, provided that the relevant conditions for the transfer of special personal data are met and required by the legislation.
Transfer of special personal data, other than health and sexual life, to third parties is possible even if there is no explicit consent, as the processing of data is foreseen in the legislation. In this case, the company may transfer sensitive personal data to third parties by determining that the conditions set out in Article 7 of this Policy are met. Third parties to whom sensitive personal data will be transferred must also take such precautions.
8.2. Transfer of Personal Data Abroad
8.2.1. The relevant person must have given explicit consent for the transfer of personal data abroad
In accordance with Article 9 of the KVKK, as a main rule, personal data cannot be transferred abroad without the explicit consent of the relevant person. For this reason, the company will be required to obtain the express consent of the relevant person for the transfer of personal data abroad. Personal data will be transferred by the Company by carefully determining which personal data the relevant person has consented to be transferred to third parties abroad and by taking into account the safe country list to be published by the Data Protection Board.
8.2.2. Transfer of personal data, even if there is no explicit consent of the relevant person, provided that the conditions for processing personal data are met.
In cases where the relevant person has not given explicit consent for the transfer of personal data abroad, transfer of personal data to third parties abroad under the conditions explained in articles 6.2., 6.3., 6.4., 6.5., 6.6., 6.7. and 6.8. of this Policy regarding the conditions for processing personal data and regulated by the 2nd paragraph of Article 5 of the KVKK is possible by taking into account the safe country list to be published by the Data Protection Board. In accordance with Article 9 of the KVKK, in order to transfer personal data abroad, there must be adequate protection in the country to which the data will be transferred. The safe country list to be announced by the Board will be followed by the Audit Commission and included in the company's internal processes. Until the safe country list is published by the Board, if it is necessary to transfer personal data abroad, personal data will be transferred abroad by the company, provided that the company, as the Data Controller, and the third party to whom the data will be transferred in the destination country undertake adequate protection and are given permission by the Board. After the announcement of the safe country list by the Board, if there is not sufficient protection in the country to which the data will be transferred, personal data will be transferred abroad, provided that the Company, as the Data Controller, and the third party to whom the data will be transferred in the destination country undertake adequate protection and have the permission of the Board.
9. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
Even if personal data has been processed in accordance with KVKK and other legislative provisions and this Policy, it must be deleted, destroyed or anonymized by the company itself when the reasons requiring the processing of data are eliminated or upon the request of the relevant person. The Company will establish an administrative and technical structure suitable to fulfill all legislative provisions that are in force or will come into force regarding the deletion, destruction or anonymization of data.
10. OBLIGATIONS OF THE COMPANY AS DATA CONTROLLER
10.1. Obligation to Inform
During the acquisition of personal data, the company must inform the personal data owner about the following issues in line with Article 10 of the KVKK:
- Identity of the data controller and his representative, if any,
- For what purpose personal data will be processed,
- To whom and for what purpose personal data can be transferred,
- Method and legal reasons for collecting personal data,
- The rights of the personal data owner as explained in Article 11 of the KVKK.
In order for the Company to fulfill its obligation in accordance with the law, business processes and data collection channels have been reviewed, the identified issues have been classified and transferred to the inventory, necessary arrangements have been made and communication channels have been established for data owners to exercise their right to apply regarding their personal data.
10.2. Obligation to Ensure the Security of Personal Data
10.2.1. Obligation to prevent unlawful processing of personal data
In addition to processing personal data in accordance with the provisions of KVKK and other legislation and the principles and conditions regulated by this Policy, the company is also obliged to take all kinds of technical and administrative measures to prevent the processing of personal data in violation of the said obligations. In this context, the Company has established systems to prevent the unlawful processing of personal data, has identified the relevant personnel and established procedures to supervise and control these systems. The company will also update the system by keeping track of any updates that may occur for both technical and legal reasons. If personal data processed in accordance with KVKK is obtained by others through illegal means, our company will ensure that this situation is notified to the relevant personal data owner and the KVK Board as soon as possible.
10.2.2. Technical measures to be taken for the legal processing of personal data
Personal data processing activities carried out by company departments were analyzed and a "Personal Data Inventory" was prepared in this context. The necessary administrative structure, hardware and software infrastructure has been established to monitor and control all processes from collection to deletion of personal data. The Audit Commission is responsible for monitoring, updating, auditing and reporting these structures.
10.2.3. Administrative measures to be taken for the lawful processing of personal data
In order to inform all its personnel about KVKK and the lawful processing of personal data, the Company will prepare this Policy and the documents that will be required thereafter and deliver them to each employee, organize the necessary training activities and keep the training participation documents in their personnel files.
In all documents that regulate the relationship between it and its personnel and contain personal data, the Company has added records stating that the obligations stipulated by the KVKK for the lawful processing of personal data must be complied with, that personal data should not be disclosed, that personal data should not be used unlawfully, that the confidentiality obligation regarding personal data continues even after the termination of the employment contract with the company, and that the failure of the personnel to comply with these obligations requires the imposition of sanctions that may lead to the termination of the employment contract.
The Company limits access to personal data within the scope of the personal data inventory to be created and the data matrices created, in line with the purpose of processing and to the relevant personnel. It is not possible for all of the company personnel to access all of the personal data processed by the company as the Data Controller, and transactions will be carried out within the framework of access authorizations arranged according to departments.
All activities of the Company were analyzed and department-specific personal data processing activities were determined. The Company has made policies, procedures and other internal regulations to supervise whether the operations of the departments are carried out in a way that fulfills the obligations based on KVKK and this Policy and to ensure the continuity of these practices. The updates will be notified to the employee using all communication channels. With the publication of the update, the new procedure and Policies come into force, and there is no requirement for them to be communicated to the employee in order for them to be binding. The audits to be carried out and the coordination of the documents to be issued for the departments to operate in accordance with KVKK will be carried out together with the department managers and the Audit Commission.
10.2.4. Obligation to prevent unlawful access to personal data
10.2.4.1. Technical measures to be taken to access and preserve personal data in accordance with the law
-
The company will take measures in accordance with technical developments, periodically update and renew the measures taken depending on the speed of development of the technique, and have the reliability of the system tested through penetration tests and other methods. The Company will make all necessary efforts to comply with these new requirements if the Data Protection Board makes regulations regarding such penetration tests and other security measures or refers to technical standards.
-
The technical measures taken will be reported periodically to the relevant party and the Audit Commission in accordance with the internal audit mechanism. Risk-posing issues will be re-evaluated and necessary technical solutions will be produced.
- The company will install relevant security software and hardware, including virus protection systems and firewalls, on all systems used during its activities and authorized to access personal data. In order to access personal data in accordance with the law, access authorizations must be defined in line with the criteria to be issued on a department-role basis, the access and authorization of user accounts regarding the systems where personal data will be accessed should be restricted, and the devices that can access the systems should be limited. The processes of arranging separate procedures and carrying out inspections for each department in terms of technical measures will be carried out by the Audit Commission and department managers.
- The company will ensure that the necessary software and hardware are installed to prevent external infiltration into the systems where personal data is stored and to monitor possible risks, have penetration tests carried out, and ensure that the same security measures are taken in terms of backups to prevent data loss. It will also make the necessary agreements with the third-party real and/or legal persons it works with within the scope of disaster planning, to ensure that the security measures introduced by this Policy are taken and that the data are stored in accordance with KVKK.
10.2.4.2. Administrative measures to be taken to access and preserve personal data in accordance with the law
- All Company personnel will be trained on the technical measures to be taken to prevent unlawful access to personal data.
- In line with the personal data inventory to be created, the Company will limit access to personal data to relevant employees in line with the purpose of processing. Access by all Company personnel to all of the personal data processed by the Company as Data Controller should be prevented, and access authorizations should be regulated taking into account the purpose of data processing.
- The Company shall add, to all kinds of documents regulating the relationship between it and its personnel, records stating that the obligations stipulated by the KVKK must be complied with in order to process personal data in accordance with the law, that personal data must not be disclosed, that personal data must not be used unlawfully, and that the obligation of confidentiality regarding personal data continues even after the termination of the employment contract with the Company.
- The company will prepare the procedure and all necessary documents regarding access rights to personal data and deliver them to its employees.
10.2.5. Audit of the measures taken to protect personal data
In terms of the technical and administrative measures it will take, the company must establish systems to carry out the necessary inspections regarding the operation of the measures and to have them carried out. The company should design the necessary processes to increase the awareness and control of departments, business partners and suppliers regarding the protection and processing of personal data. In accordance with Article 12 of the KVKK, the Company is responsible for ensuring that the third parties to whom it transfers personal data fulfill their obligations to process and maintain the data in accordance with the law and to access the data in accordance with the provisions of this Policy and KVKK. For this reason, when transferring data to third parties, the company must obtain, in contracts and all kinds of regulations, commitments that include meeting these conditions and granting the company the authority to perform audits. The company must also specifically inform all its employees about the responsibilities arising from the transfer of personal data to third parties.
11. RIGHTS OF THE RELATED PERSON
In accordance with Article 11 of the KVKK, the relevant person has the following rights against the company as the Data Controller:
- To find out whether personal data has been processed and to request information if personal data has been processed,
- To learn the purpose of processing and whether it is used in accordance with the purpose,
- To know the persons to whom personal data is transferred,
- To request correction in case of incomplete or incorrect processing and to request the deletion of personal data if the conditions are met and to request that these requests be forwarded to third parties,
- To object to the emergence of a result against oneself by analyzing the processed data exclusively through automatic systems,
- To claim damages in case of loss due to illegal processing.
In case personal data owners submit their requests regarding the rights listed above to the company in writing or by other methods to be determined by the Board, in accordance with Article 13 of the KVKK, the company must finalize the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. If the request requires an additional cost, the fee at the tariff determined by the Board may be charged. If it is understood that the application is due to the company's error, the fee received will be refunded to the relevant person.
While the relevant application is being finalized by the company, information will be provided in a simple language that the person can understand and this information will be sent to the relevant person in writing or electronically. Depending on the nature of the request, the company may accept the application of the relevant person or reject it by explaining the reason. If the application is accepted, the requirements of the request will be fulfilled by the Company without delay. In cases where the personal data owner's application is rejected, the answer given is insufficient, or the application is not responded to in time, necessary warnings will be made and awareness will be raised within the Company about the right to complain to the Board within 30 days.
12. EFFECTIVENESS AND UPDATES
The changes to be made in the policy and the necessary work to put these changes into effect are carried out in accordance with the Personal Data Protection Commission Decisions. The policy will normally be reviewed annually. However, our Company has the right to review, update, change or eliminate this Policy and create a new Policy in a shorter period of time if deemed necessary. The authority to decide on the repeal of the Policy belongs to the Company's Board of Directors.