.
  • PRINCIPLES OF PERSONAL DATA PROCESSING
  • Processing of Personal Data in Compliance with Law and Good Faith Rules

The Company processes Personal Data in accordance with the law and honesty rules and on the basis of proportionality.

  • Taking Necessary Precautions To Keep Personal Data Accurate and Updated When Required

The Company takes all necessary measures to ensure that the Personal Data is complete, accurate and up-to-date, and updates the relevant Personal Data if the Data Subject requests a change in Personal Data within the scope of the KVKK Regulations.

  • Processing of Personal Data for Specific, Clear and Legitimate Purposes

Prior to the Processing of Personal Data, the Company determines the purpose for which Personal Data will be processed. In this context, the Data Subject is enlightened within the scope of the KVK Regulations and their Explicit Consent is obtained when necessary.

  • Being Connected, Limited and Measured for the Purpose of Processing Personal Data

The Company processes Personal Data only in exceptional cases within the scope of the KVK Regulations (Article 5.2 and 6.3 of the KVKK) or in accordance with the purpose within the scope of Open Consent received from the Data Subject (Article 5.1 and Article 6.2 of the KVKK) and in accordance with the principle of proportionality. The Data Controller processes Personal Data in a way that is suitable for the realization of the specified purposes and refrains from processing Personal Data that are not related or needed to achieve the purpose.

 

  • Storage of Personal Data for the Period Stipulated in the Relevant Legislation or Required for the Purpose of Processing
  • The Company maintains Personal Data as necessary for the purpose. In the event that the Company wishes to retain Personal Data for a period longer than stipulated in the KVK Regulations or required by the purpose of Personal Data Processing, the Company acts in accordance with the obligations specified in the KVK Regulations.
  • After the period required by the purpose of Personal Data Processing expires, Personal Data is Deleted or Made Anonymous. In this case, it is ensured that the third parties to whom the Company transfers the Personal Data are also Deleting, Destroying or Anonymizing the Personal Data.
  • The Company and persons authorized by the Company are responsible for the operation of the Deletion, Destruction and Anonymization processes. The Company establishes the necessary technical and administrative procedures in order to carry out studies within this scope.
  1. PROCESSING OF PERSONAL DATA

Personal Data can only be processed by the Company within the scope of the procedures and principles stated below.

  • Open Consent
  • Personal Data are processed after the notification to be made within the framework of fulfillment of the Obligation of Disclosure to Data Subjects and if the Data Subjects give Explicit Consent.
  • The Data Subject's Explicit Consent must be disclosed on a specific subject, based on information and with free will.
  • Within the framework of the Obligation of Disclosure, Data Subjects are informed about the purposes of the processing and transfer of their Personal Data, the recipient groups, the identity of the Data Controller, the method of collecting Personal Data, the legal reasons and the rights of the Data Subjects.
  • Explicit Consent of the Data Subject is obtained through methods in accordance with the KVK Regulations. Explicit Consent is retained by the Company for the period required within the scope of KVK Regulations in a provable manner.
  • Processing of Personal Data without Explicit Consent
  • In cases where it is stipulated to process Personal Data without express consent within the scope of KVK Regulations (Article 5.2 of KVKK), the Company may process Personal Data without obtaining the Explicit Consent of the Data Subject. In the event that Personal Data is processed in this way, the Company processes Personal Data within the limits set by the KVK Regulations. In this context:
  • In other words, if there is an explicit provision in the laws regarding the processing of Personal Data, Personal Data may be processed by the Company without Explicit Consent.
  • Personal Data may be processed by the Company without Explicit Consent if it is mandatory for the protection of the life or body integrity of the Data Subject himself or someone other than the Data Subject, who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid.
  • Provided that it is directly related to the establishment or performance of a contract to which the Data Subject is a party, if the processing of Personal Data belonging to the parties of the contract is required, Personal Data may be processed by the Company without the Explicit Consent of the Data Subjects.
  • If the Processing of Personal Data is mandatory for the Company to fulfill its legal obligation, Personal Data may be processed by the Company without the Explicit Consent of the Data Subjects.
  • Personal Data that has been made public in any way by the Data Subject may be processed by the Company without express consent.
  • If the Processing of Personal Data is mandatory for the establishment, use or protection of a right, Personal Data may be processed by the Company without express consent.
  • Provided that the fundamental rights and freedoms of the Data Subject are not harmed, Personal Data may be processed by the Company without Explicit Consent if data processing is mandatory for the legitimate interests of the Company.

VII. PROCESSING SPECIAL QUALITY PERSONAL DATA

  • Special Quality Personal Data can only be processed if the Data Subject has the Explicit Consent or if it is explicitly required by the law to process Special Quality Personal Data other than sexual life and personal health data.
  • Personal Data on health and sexual life can only be used by persons (e.g. Company physician) or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. can be processed by organizations without explicit consent.
  • While processing Special Qualified Personal Data, all kinds of administrative and technical measures determined and to be determined by the Board are taken, especially the measures included in the Board's Decision dated 31/01/2018 and numbered 2018/10.
  • For employees involved in the processing of Special Quality Personal Data,
  • He will regularly train on KVK Regulations and the security of Special Quality Personal Data.
  • Confidentiality agreements will be made.
  • It will clearly define the authorization scope and duration of users who are authorized to access Special Quality Personal Data.
  • It will periodically carry out authorization checks.
  • Employees who have a job change or leave their job will immediately remove their authority in this area and immediately take back the inventory allocated to the relevant employee.
  • In the event that Special Quality Personal Data is transferred to electronic media, regarding the electronic media where Special Quality Personal Data is processed, stored and / or accessed, the Company:
  • It will preserve Special Quality Personal Data using cryptographic methods.
  • It will keep cryptographic keys in a secure and different environment.
  • It will securely log transaction records of all transactions performed on Special Qualified Personal Data.
  • It will continuously monitor the security updates of the environments where Special Quality Personal Data is located, will regularly perform / have the necessary security tests, and record the test results.
  • If Special Qualified Personal Data is accessed through a software, it will make user authorizations of this software, will regularly perform / have the security tests of these software, and record the test results.
  • In case of remote access to Private Personal Data, it will provide at least a two-step authentication system.
  • In the event that Special Quality Personal Data is processed in a physical environment, regarding the physical environments where the Data is processed, stored and / or accessed, the Company:
  • It will ensure that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where Special Quality Personal Data is located.
  • By ensuring the physical security of these environments, it will prevent unauthorized entry and exit.
  • In case of transfer of Special Quality Personal Data, the Data Controller:
  • If it is necessary to transfer Special Quality Personal Data via e-mail, an encrypted corporate e-mail address or a Registered Electronic Mail (“KEP”) account will be used.
  • If it is necessary to transfer Private Personal Data via removable memory, CD, DVD, etc., it will encrypt it with cryptographic methods and keep the cryptographic key in a different environment.
  • If Special Quality Personal Data needs to be transferred between servers in different physical environments, it will transfer between servers by establishing VPN or SFTP method.
  • If it is necessary to transfer Special Quality Personal Data through paper media, it will take necessary precautions against risks such as theft, loss or being seen by unauthorized persons and send the document in the format of "documents with a confidentiality grade".
  • In addition to the above regulations, the Company, in particular the Personal Data Security Guideline published by the Board regarding the security of Personal Data, including Special Quality Data, and the Board regarding "Adequate Precautions to be Taken by Data Controllers in the Processing of Special Quality Personal Data" dated 31/01/2018 and It will act in accordance with the KVK Regulations, including the Decision No. 2018/10.

VIII.    KİŞİSEL VERİLERİN SAKLANMA SÜRESİ

Kişisel Veriler, Şirket bünyesinde ilgili yasal saklama süreleri müddetince bulundurulmakta olup, bu verilerle ilişkili faaliyetlerin ve işbu Politika’da da belirtilen amaçların gerçekleştirilmesi için gerekli süre boyunca saklanmaktadır. Kullanım amacı sonlanan ve yasal saklama süresi sona eren Kişisel Veriler ise, KVKK’nın 7’nci maddesi uyarınca Şirket tarafından silinmekte, yok edilmekte veya anonim hale getirilmektedir.

  1. VIII. STORAGE PERIOD OF PERSONAL DATA
  • When the legitimate purpose of the Processing of Personal Data disappears, the relevant Personal Data is Deleted, Destroyed or Anonymized.
  • The Company is responsible for the operation of the Deletion, Destruction and Anonymization processes and the necessary procedures are established by the Company in this context.
  • The Company does not store Personal Data in view of the possibility of future use.

X. TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES

 

The Company may transfer Personal Data to a third natural or legal person in Turkey and / or abroad in accordance with the KVK Regulations by taking the necessary measures in line with the purposes of Personal Data Processing. In this case, the Company ensures that the third parties to whom Personal Data has been transferred comply with this Policy and audits the compliance of third parties with the KVK Regulations before and during the transfer of Personal Data. In this context, necessary protective regulations are added to the contracts concluded with the third party.

Transfer of Personal Data to Third Parties Found in Turkey

  • Personal Data, KVKK 5.2 and adequate measures taken to record with without the express consent in cases exceptional set out in Article 6.3 or in other cases the data subject of the condition that it be open Consent (KVKK Article 5.1 and Article 6.2), transferred by the Company to third parties in Turkey .
  • Personal Data Transfer to Third Parties Abroad
  • Personal Data are the exceptional data specified in Article 5.2 and Article 6.3 of the KVKK may be transferred by the Company to third parties abroad without Explicit Consent or in other cases, provided that the Data Subject's Explicit Consent is obtained (Article 5.1 and Article 6.2 of the KVKK).
  • In the case that Personal Data is transferred without express consent in accordance with the KVK Regulations, one of the following conditions must be present in terms of the foreign country to which it will be transferred:
  • In the case that Personal Data is transferred without express consent in accordance with the KVK Regulations, one of the following conditions must be present in terms of the foreign country to which it will be transferred:
  • In case the foreign country where the transfer will take place is not included in the Board's list of safe countries, the Company and the data in the relevant country.Obtaining permission from the Board by making a written commitment in accordance with the principles determined by the Board that the responsible persons will provide adequate protection.

XI. COMPANY'S LIGHTING OBLIGATION

The Company enlightens the Data Subjects prior to the Processing of Personal Data in accordance with Article 10 of the KVKK. In this context, the Company fulfills its Disclosure Obligation during the acquisition of Personal Data. The notification to be made to Data Subjects within the scope of the Disclosure Obligation includes the following elements, respectively:

  • Identity of the Data Controller and its representative, if any,
  • For what purpose Personal Data will be processed,
  • To whom and for what purpose the processed Personal Data can be transferred,
  • The method and legal reason for collecting Personal Data,
  • Rights of Data Subjects enumerated in Article 11 of KVKK.
  • The Company provides the necessary information if the Data Subject requests information in accordance with Article 11 of the KVKK.

XII. RIGHTS OF DATA SUBJECTS

The Company responds to the following requests of the Data Subjects whose Personal Data is in their possession, in accordance with the KVK Regulations:

  • Learning whether Personal Data is Processed by the Company,
  • To request information regarding the processing of Personal Data,
  • Learning the purpose of processing Personal Data and whether they are used appropriately for their purpose,
  • To know the third parties to whom Personal Data is transferred domestically or abroad,
  • Requesting correction of Personal Data in case of incomplete or incorrect processing by the Company,
  • To request the Deletion or destruction of Personal Data by the Company in the event that the reasons requiring the Processing of Personal Data to be evaluated within the principles of purpose, duration and legitimacy,
  • In case of correction, deletion or destruction of Personal Data by the Company, requesting that these transactions be notified to third parties to whom Personal Data is transferred,
  • To object to this result in the event of a result against the Data Subject in the event that the processed Personal Data is analyzed exclusively through automated systems,
  • To request the compensation of the damage in case the Personal Data is processed illegally and the Data Subject is damaged for this reason.
  • Data Subjects want to use their rights and / or the Company's actions under this Policy when processing Personal Data.

Posta adresi:

E- posta adresi:

Kep adresi:

  • If Data Subjects submit their requests regarding their rights listed above to the Company in writing, the Company finalizes the request free of charge within thirty days at the latest, depending on the nature of the request. In the event that an additional cost arises regarding the finalization of the requests by the Data Controller, the charges in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller.

XIII. DATA MANAGEMENT AND SECURITY

The Company establishes the necessary organization to fulfill its obligations under the KVK Regulations, to ensure and supervise the implementation of the KVK Procedures required for the implementation of this Policy, and to make suggestions for their functioning.

  • The Company may determine authorized persons and / or receive the necessary support from our third party business partners within the scope of ensuring and auditing the implementation of this Policy and KVK Regulations.
  • Personal Data Processing activities are audited by the company with technical systems according to technological possibilities and implementation costs.
  • The Company informs and educates its employees within the scope of raising internal awareness regarding the protection and legal processing of Personal Data and periodically conducts the necessary audits for its employees.
  • Company employees can only access Personal Data within the authority defined to them and in accordance with the relevant KVK Procedure.
  • Access restrictions have been made and authorization restrictions have been defined within the company.
  • In the company, software and hardware including virus protection systems and firewalls are installed in accordance with technological developments in order to keep Personal Data in secure environments. Security scans are regularly carried out by technically qualified people to detect security vulnerabilities.
  • In the company, backup programs are used to prevent the loss or damage of Personal Data and adequate security measures are taken.
  • Necessary measures will be taken to protect the documents containing Personal Data in the company with encrypted (encrypted) systems. In this context, Personal Data will not be stored in common areas and on the desktop. Files and folders containing Personal Data, etc. documents will not be moved to desktop or public folder, information on company computers will be stored via USB, etc. It cannot be transferred to another device or taken out of the Company.
  • All of the Personal Data processed within the Company are considered as "Confidential Information" by the Company.
  • Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data will continue after the termination of the business relationship and a commitment has been received from Company employees to abide by these rules.

XIV. EDUCATION

The Company provides its employees with the necessary training in the scope of the Policy and the KVK Procedures and KVKK Regulations on the protection of Personal Data.

  • Particular attention is paid to the definition and protection of Special Qualified Personal Data in the trainings.
  • If the Company employee accesses Personal Data physically or in a computer environment, the Company provides training to the relevant employee on these accesses (eg computer program accessed).
  1. AUDIT

The Company has the right to inspect regularly and ex officio that all employees, departments and contractors of the Company act in compliance with this Policy and KVK Regulations and perform the necessary routine inspections within this scope. The company creates the KVK Procedure for these inspections and ensures the implementation of the mentioned procedure.

XVI. VIOLATIONS

Each employee of the company reports the work, transaction or action that he / she thinks is contrary to the procedures and principles specified in the KVK Regulations and this Policy to the Company as soon as possible. In this context, the Company creates an action plan in accordance with this Policy and KVK Procedures for the relevant violation.

  • As a result of the information made, the Company prepares the notification to be made to the Data Subject or the Authority regarding the violation, taking into account the provisions of the applicable legislation, especially the KVK Regulations.

XVII. CHANGES TO THE POLICY

This Policy may be changed from time to time by the Company with the approval of the Board of Partners

  • The Company shares the updated Policy text so that its changes can be reviewed with its employees via e-mail or makes it available to employees and Data Subjects via the following web address.

Relevant web addresses: https://emekcelikkapi.com/uploads//