ÖZTANIK BİLİŞİM İLETİŞİM TURİZM İNŞAAT LTD. ŞTİ.
CORPORATE PERSONAL DATA PROTECTION POLICY
Document Information | |
Document Name: | Personal Data Protection Policy |
Document Subject: | The purpose of the Personal Data Protection Policy is to plan the processes regarding the protection of personal data by Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti. and to determine the principles to be applied in this regard. |
Publish Date: | 18.01.2021 |
Version No: | 1 |
Reference / Reason: | Personal Data Protection Law No. 6698 and other legislation |
Approved By: | Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti. Board of Directors |
1. PURPOSE
The right of every individual to request the protection of their personal data is a sacred right arising from the Constitution. As Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti., we consider fulfilling the requirements of this right as one of our most valuable duties. Therefore, we attach importance to the processing and protection of your personal data in accordance with the law.
The Corporate Personal Data Protection Policy has been prepared to determine the principles we rely on and the procedures we apply when processing and protecting personal data, as a result of the importance we attach to the protection of personal data.
2. SCOPE
The Policy covers all kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of all personal data managed by Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti. by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system.
The Policy relates to all processed personal data of partners, officials, customers, employees, supplier officials and employees, and third parties of Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti.
Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti. may change the Policy for the purposes of compliance with the legislation and the decisions of the Personal Data Protection Authority and better protection of personal data.
3. DEFINITIONS
Abbreviation | Definition |
Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
Explicit Consent | Consent that is related to a specific issue, based on information and declared with free will. |
Anonymization | Making personal data impossible to link to an identified or identifiable natural person, even by matching with other data. |
Data Subject | The natural person whose personal data is processed. |
Concerned User | Persons who process personal data within the data controller organization or in accordance with the authority and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data. |
Destruction | Deletion, destruction or anonymization of personal data. |
Law/KVKK | Personal Data Protection Law No. 6698. |
Recording Medium | Any medium containing personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Data Inventory | The inventory where data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with personal data processing purposes and legal reason, data category, transferred recipient group and data subject person group, and explaining the maximum retention period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and measures taken regarding data security. |
Processing of Personal Data | Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means. |
Board | Personal Data Protection Board. |
Authority | Personal Data Protection Authority |
Special Categories of Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics. |
Periodic Destruction | Deletion, destruction or anonymization process to be performed ex officio at repetitive intervals specified in the personal data storage and destruction policy in case all of the conditions for processing personal data in the Law are eliminated. |
Policy | Personal Data Protection Policy |
Data Processor | The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
4. GENERAL PRINCIPLES
At the preparation stage of every workflow that requires new personal data processing, Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti. audits the compliance of the data to be processed with the following principles. Workflows found unsuitable are not implemented.
While processing personal data, Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti.:
(I) Complies with the law and rules of honesty.
(II) Ensures that personal data is accurate and up-to-date when necessary.
(III) Pays attention to the processing purpose being specific, explicit and legitimate.
(IV) Checks that the processed data is connected with the purpose of processing, limited to what is necessary for processing and proportionate.
(V) Retains data only for the period foreseen in the relevant legislation or required for the purpose of processing, and destroys it when the purpose of processing is eliminated.
5. MEASURES TAKEN FOR DATA SECURITY
Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti. takes all necessary technical and administrative measures to ensure the appropriate security level in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, (iii) ensure the preservation of personal data.
6.1. Technical Measures
(I) Network security and application security are ensured.
(II) Security measures within the scope of procurement, development and maintenance of information technology systems are taken.
(III) Access logs are kept regularly.
(IV) Current anti-virus systems are used.
(V) Firewalls are used.
(VI) Necessary security measures are taken regarding entries and exits to physical environments containing personal data.
(VII) The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
(VIII) The security of environments containing personal data is ensured.
(IX) Personal data is backed up and the security of backed up personal data is ensured.
(X) User account management and an authorization control system are implemented and tracked.
(XI) Log records are kept without user intervention.
(XII) Intrusion detection and prevention systems are used.
(XIII) Encryption is performed.
6.2. Administrative Measures
(I) Disciplinary regulations containing data security provisions for employees exist.
(II) Training and awareness activities regarding data security are carried out for employees at certain intervals.
(III) Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
(IV) Data masking is applied when necessary.
(V) Confidentiality undertakings are made.
(VI) An authorization matrix has been created for employees.
(VII) The authorizations in this field of employees who change duties or leave the job are removed.
(VIII) Signed contracts contain data security provisions.
(IX) Personal data security policies and procedures have been determined.
(X) Personal data security issues are reported quickly.
(XI) Personal data security is tracked.
(XII) Personal data is reduced as much as possible.
(XIII) In-house periodic and/or random audits are carried out and commissioned.
(XIV) Existing risks and threats have been identified.
(XV) Protocols and procedures regarding special categories of personal data security have been determined and implemented.
(XVI) If special categories of personal data are to be sent via e-mail, they are always sent encrypted and via KEP or a corporate e-mail account.
(XVII) Awareness of data processing service providers regarding data security is ensured.
7. RIGHTS OF THE DATA SUBJECT REGARDING PERSONAL DATA
The data subject may apply to Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti. and make requests on the following issues:
(I) To learn whether their personal data is processed,
(II) To request information if their personal data has been processed,
(III) To learn the purpose of processing their personal data and whether they are used in accordance with their purpose,
(IV) To learn the third parties to whom their personal data is transferred domestically or abroad,
(V) To request correction of their personal data if it is incomplete or incorrectly processed and to request notification of the transaction made in this scope to third parties to whom personal data is transferred,
(VI) To request the deletion, destruction or anonymization of their personal data if the reasons requiring processing are eliminated despite being processed in accordance with KVKK and other relevant law provisions, and to request notification of the transaction made in this scope to third parties to whom personal data is transferred,
(VII) To object to the emergence of a result against them by analyzing their processed data exclusively through automated systems,
(VIII) To request compensation for the damage in case they suffer damage due to unlawful processing of their personal data.
8. VIOLATION NOTIFICATIONS
Employees of Öztanık Bilişim İletişim Turizm İnşaat Ltd. Şti. report any work, action or fact that they think violates KVKK provisions and/or the Policy to Öztanık Bilişim Management. Following this violation notification, the Management convenes if it deems necessary and creates an action plan regarding the violation.
If the violation has occurred through personal data being obtained by others through illegal means, the Management notifies the relevant person and the Board of this situation within 72 hours, within the scope of the Board's decision dated 24.01.2019 and numbered 2019/10.
9. AMENDMENTS
Amendments to the Policy are prepared by the employees assigned by Öztanık Bilişim Management and submitted to the approval of Öztanık Bilişim Board of Directors. The updated Policy may be sent to employees via e-mail or published on the website.
10. EFFECTIVE DATE
This version of the Policy entered into force upon approval by the Board of Directors on 18.01.2021.