INTERNET PLATFORM LIGHTING TEXT
1. ID of DATA SPEAKER
Our CompanyLaw
2. COLLECTION, PROCESSING AND PROCESSING PURPOSE OF PERSONAL DATA
Your personal data listed below are collected electronically and are processed for the purposes listed below:
- Your identity and contact information that you will include in your application by using the "e-mail list" and/or "contact" form on our website,
- Your digital trace data and cookie data will also be processed if you visit or browse our website.
Your personal data; It is processed for the purposes of providing our company's services, performing after-sales services, increasing customer satisfaction, evaluating and responding to complaints and suggestions, making statistical analyzes, fulfilling legal and regulatory requirements, providing necessary information in line with the requests and inspections of official authorities, and ensuring data security.
On the other hand, if you give your explicit consent, your identity and contact data will also be processed for promotional, e-mail newsletter sending and marketing purposes.
3. TRANSFERRING PERSONAL DATA
Your personal data, within the scope of the Law and other legislation and for the purposes described in article 2 of this Clarification Text, depending on the reason that requires it to be transferred and limited for this reason; Within the scope of the law and related regulations; It can be transferred to supervisory and regulatory public institutions and organizations (BTK, TurkStat, courts, banks, etc.), auditors, companies that provide software and hardware support services, and legally authorized private individuals such as lawyers.
4. YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
The rights of real persons whose personal data are processed are listed in Article 11 of the Law. If you, as a personal data owner, submit your requests regarding your rights listed in the relevant article of the Law, in accordance with the application procedures stipulated in the Communiqué on Application Procedures and Principles to the Data Controller, by providing your identity confirmation to the official address of our company, in person or through a notary public, as soon as possible, depending on the nature of your request, and will be finalized free of charge within thirty (30) days at the latest. However, if the transaction requires an additional cost, it may request the fee in the tariff determined by the Personal Data Protection Board.
EXPRESS CONSENT TO THE PROCESSING OF PERSONAL DATA
Lighting Text
Commercial Message Approval
Also, in accordance with the Law No. 6563 on the Regulation of Electronic Commerce, via the channels I have marked below ; I consent to you contacting me for commercial communication, newsletter sending and advertising and promotional purposes regarding products and services.
SMS
Call
POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Version : 1
Date of Edit: 01.09.2022
1. PURPOSE
CompanyPolicy
The purpose of the policy is to establish rules for the internal management of personal data, to determine objectives and obligations, to establish control mechanisms in line with a reasonable risk level, to fulfill legal obligations in the field of personal data protection and to protect the interests of individuals in the best possible way.
2. SCOPE
Policy provisions cover company employees, sub-employees and interns who provide support services to all units of the Company, especially the Board of Directors. Any action that violates the Personal Data Protection Law No. 6698 or this Policy is evaluated within the scope of the relevant legislation and sanctions are applied accordingly. All third parties that work with this Policy are invited to read and abide by this Policy.
3. DEFINITIONS
Explicit consent: | Consent on a specific subject, based on information and expressed with free will, |
Anonymization: | Indicates that personal data cannot be associated with an identified or identifiable natural person in any way, even by matching with other data. |
Contact Person: | The natural person notified by the Data Controller during registration to the Registry for the communication to be established with the Institution regarding the obligations of the data controller, |
Law: | 6698 Personal Data Protection Law No. |
Personal data: | Any information relating to an identified or identifiable natural person, |
Personal Data Inventory: | Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security, |
Processing of personal data: | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or classifying personal data by fully or partially automated or non-automatic means provided that it is part of any data recording system. any operation performed on the data, such as preventing its use, |
Corporation: | Personal Data Protection Authority, |
Board: | Personal Data Protection Board, |
KVK Committee: | The structure consisting of real person or persons appointed by the data controller, who performs the administrative follow-up and coordination of the processes established within the scope of the Law, |
KVK Commitment: | Document determining the legal obligations of third parties with whom data is shared, |
Register: | Institution the registry of data controllers held by |
Data Processor: | The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller, |
Data controller: | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, |
expresses. |
|
4. RESPONSIBILITIES
The Company has the title of Data Controller in accordance with the Law. Everyone who is a company employee is responsible for the development and promotion of good practices in the processing of personal data within the Company and other obligations.
All employees of the Company who process personal data are responsible for complying with the Personal Data Protection legislation.
The Company is responsible for realizing the necessary notifications and trainings so that all its employees know their responsibilities in the field of personal data protection and have the necessary awareness.
4.1. KVK Committee:
The members of the KVK Committee are appointed by the Board of Directors, taking into account that they receive regular training and experience in the Law and secondary legislation and its applications, and report directly to the Board of Directors. The KVK Committee was established as the committee responsible for managing the personal data protection system, ensuring and documenting compliance with the Law and other relevant legislation, and is responsible to the Board of Directors in these matters.
4.2. KVK Committee Duties and Responsibilities:
- The KVK Committee, the Board of Directors, the protection of personal data
- The KVK Committee is responsible for ensuring that the Company policies and procedures are up-to-date, data processing audits and trainings are carried out in accordance with the planned schedule, and that they are in compliance with the relevant legislation.
- KVK The KVK Committee acts together with the relevant employees in all matters related to the protection of personal data.
- The KVK Committee checks that the data processed through the personal data inventory, which is updated every year, is appropriate and relevant.
- The KVK Committee will conduct internal audits/external audits on an annual basis. It checks that all data processing methods are appropriate and relevant.
- The KVK Committee determines the procedure in which the data processing activity is stopped and the storage and destruction process of the processed data is defined in terms of personal data that it determines to be inappropriate or unrelated or excessive in terms of processing purposes. is responsible for its safe disposal in accordance with.
- The KVK Committee is obliged to instruct the relevant unit to evaluate the type, storage period and amount of the processed data through the data inventory, and to review the accuracy or timeliness of certain data.
5. APPLICATION PRINCIPLES
5.1. DATA PROCESSING PRINCIPLES
The company will comply with personal data protection legislation and data protection principles. The data processing principles adopted by the Company include:
- Processing personal data only if it is clearly necessary for legitimate corporate purposes,
- Processing as much personal data as necessary for these purposes and not processing more than necessary (data minimization),
- Providing clear information to individuals about who and how their personal data is used,
- Processing only relevant and appropriate personal data,
- Processing personal data fairly and in accordance with the law,
- li>Keeping an inventory of personal data categories processed by the Company,
- Keeping personal data accurate and up-to-date when necessary,
- Personal data only for the period required by legal regulations, the Company's legal obligations or legitimate corporate interests
- To store personal data in a way that does not allow access to the identity information of Data Owners longer than is reasonably necessary for the purposes for which the personal data is processed,
- Data privacy, h as a key factor in the initial phase of any project or activity and subsequently throughout its service life (Privacy Enforcement Policy),
- Respecting the rights of individuals regarding their personal data, including the right of access,
- Transferring personal data abroad only in accordance with the express consent of the individuals or in case of adequate protection,
- To implement the exceptions allowed in accordance with the legislation,
- Establish and implement the personal data protection system for the implementation of the policy,
- When necessary, the internal and external stakeholders who are party to the personal data protection system and their personal data of the Company To determine to what extent they are involved in the data protection system,
- Identify employees with special powers and responsibilities regarding the personal data protection system.
All personal data processing activities comply with the following data protection principles should be done as The Company's policies and procedures aim to ensure compliance with these principles:
- Compliance with the law and integrity
- To be accurate and up-to-date when necessary
- Processing for specific, clear and legitimate purposes
- To be relevant, limited and proportionate to the purpose for which they are processed
- As stipulated in the relevant legislation or processed being kept for the period necessary for the purpose.
In this direction, the Company includes disclosure and privacy statements regarding the personal data processing activities it carries out, in the data collection channels and in the relevant forms. The areas where the notifications containing clear and understandable information about who and for what purposes are processed by the company are determined by taking the opinion of the KVK Committee. These notices include the following:
- Identity and contact information of the Company as data controller,
- Types of personal data processed,
- Purposes of processing personal data,
- Collection methods of personal data
- The legal grounds on which personal data is processed,
- Rights of the data owner,
- Third parties to whom the data can be shared.
In the personal data inventory, the reasons/purposes for the processing of personal data are determined and personal data cannot be used for other than the stated purpose without any other legal reason or the explicit consent of the data owner. If conditions arise that require the use of a personal data for purposes other than those specified in the personal data inventory, this situation is reported to the KVK Committee by the relevant employee/unit/direction. The KVK Committee checks the suitability of the new purpose and, if necessary, ensures that the data owner is informed about the new purpose and new data processing activity.
Personal data; It must be processed to a limited extent, relevant and appropriate for the purposes for which it is processed, and must be accurate and up-to-date. The accuracy and up-to-dateness of data kept for a long time should be reviewed. The company is responsible for educating all employees on the correct and up-to-date collection and storage of data.
The KVK Committee should be informed about all data collection channels.
The accuracy and up-to-dateness of the data held regarding the employees It is the responsibility of the relevant employee.
Employees/customers/institutions and other relevant persons should inform the Company to update the processed personal data.
Personal data should be processed in such a way that the data subject can be identified only if necessary for the purpose of data processing.
Backup of personal data, etc. In order to protect the rights and freedoms of individuals, in case of data security weakness or to be kept beyond the specified period due to the requirements, secure destruction methods determined by the Board are applied. If a longer period is required, the written approval of the KVK Committee is obtained.
All Company units that process Personal Data are responsible for complying with both the principles set forth above and the measures enforcing applicable data protection laws, and must be able to prove that they comply.
5.2. RISK ASSESSMENT
The company determines the risks associated with the processing of personal data types. Certain types of data processing activities; If it is likely to pose a high risk to personal rights and freedoms in line with its structure, context and purposes, the Company should manage potential risks by performing an impact analysis prior to data processing. A single assessment can be based on multiple data processing activities with similar risks. s approval is sought. If the KVK Committee deems it necessary, it receives the opinion of the Board on the subject.
5.3. OBTAINING EXPRESS CONSENT
The company may make a written/oral statement or express consent, based on information and free will, regarding certain data processing activities by the data owner and in cases required by the Law. accepts consent expressed by confirmatory action as express consent. Explicit consents are obtained in writing or systematically in a way that is suitable for proof. Explicit consent can always be withdrawn by the data owner.
If the data processing activity based on explicit consent will be continuous or repeated, the explicit consents obtained are checked. The up-to-dateness and accuracy of these explicit consents is the responsibility of the relevant unit. Explicit consent forms or other relevant proof tools regarding data processing activity based on explicit consent are kept by the relevant unit.
5.4. DATA SECURITY
All employees are obliged to ensure that the data processed by the Company, which are under their responsibility, are kept secure and not disclosed to third parties unless they sign a confidentiality agreement.
Only access to personal data.
The events that threaten the security of personal data are reported to the Board and the relevant person as soon as possible after they are definitively determined by the KVK Committee, and in any case, within 72 hours at the latest after learning of the event.
5.5. DATA SHARING
Personal data can only be shared with third parties in accordance with the law and equity. Accordingly, one of the following conditions is required for personal data to be shared:
- Obtaining the explicit consent of the data owner,
- It is clearly stipulated in the laws,
- It is compulsory for the protection of the life or bodily integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
- Company Provided that it is directly related to the establishment or performance of a contract to which .
- It is mandatory for the Company to fulfill its legal obligation,
- The data subject has been made public by himself,
- Data processing is mandatory for the establishment, exercise or protection of the Company's rights,
- Provided that it does not harm the fundamental rights and freedoms of the data subject, the Company
Personal data can be transferred abroad only if the above conditions are met and there is adequate protection in the destination country or the explicit consent of the data owner is obtained for this transfer.
In the transfer of personal data abroad, the list of countries with adequate protection determined by the Board is taken into account.
When it comes to the transfer of personal data abroad, the KVK Committee provides the necessary permissions and notifications to the Board in accordance with the Law and relevant legislation.
All transactions regarding the sharing of personal data should be recorded in writing with their justifications. These records are audited periodically by the KVK Committee.
In case of a regular data sharing relationship without a legal basis or legal obligation, a KVK Commitment is made with the party in question, which determines the conditions for data sharing.
5.6. MANAGEMENT OF RECORDS
Personal data cannot be kept longer than necessary for the purposes of processing. The classification of records containing personal data and their retention periods are determined in accordance with the Personal Data Recording, Storage and Disposal Procedure. anonymized or deleted or destroyed.
5.7. RIGHTS OF DATA OWNERS
Data owners have the following rights regarding data processing activities and records with the Company:
- Learning whether personal data has been processed,
- Request information about personal data if it has been processed,
- Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
- Knowing the third parties to whom personal data is transferred, at home or abroad,
- To request correction of personal data in case of incomplete or incorrect processing,
- To request the deletion or destruction of personal data for which there is no legal justification or basis for processing in accordance with KVKK or this policy,
- li>
- To request that the corrections or deletions made upon his/her request be notified to the third parties to whom the personal data has been transferred,
- To object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
- Demanding the removal of the damage in case of loss due to unlawful processing of personal data.
Application Procedure of the Data Owner
Data owners can apply to the Company for their requests regarding their rights listed above in accordance with the application procedures set forth in the Communiqué on Application Procedures and Principles to the Data Controller.
In this case, the Company will conclude the request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on its nature. However, if the transaction requires an additional cost, the Company may request the fee in the tariff determined by the Board. The processes regarding the receipt, transmission and finalization of requests are carried out in accordance with the Procedure for Receiving, Evaluating and Responding to Data Subject Applications.
The right of access and contact information of data subjects are included in the notifications and the web address so that data subjects can direct their requests.
p>
All employees of the Company, regardless of their job description, are obliged to guide the data owners regarding the correct application method for the data subject access requests addressed to them. Company employees should be informed by the KVK Committee on how to act on requests from data owners.
Applications in this context;
- With the personal application of the Data Owner
- It can be done through a notary.
6. EFFECTIVENESS AND KEEPING UPDATED
This Policy entered into force on 01.09.2022; The law will be re-evaluated by the KVK Committee at the beginning of each year in line with the relevant secondary legislation, Board Decisions and Company business processes and updated if necessary.
PROCEDURE FOR RECEIVING, EVALUATION AND ANSWERING DATA SUBJECT APPLICATIONS
Version : 1
Date of Issue : 01.09.2022
ProcedureCompany
Works and procedures regarding the receipt, evaluation and response of applications made by data owners regarding personal data, this Procedure prepared by the Company in this direction
1. DEFINITIONS
Law: | 6698 Law on Protection of Personal Data No. |
Board: | Personal Data Protection Board |
Data Owner: | Natural person whose personal data is processed |
Personal Data: | Any information relating to an identified or identifiable natural person, as long as it is within the scope of the law |
2. REGISTERING THE APPLICATION
2.1. Form of Application
Data Owners shall submit their applications to the Company contact person in writing in accordance with Article 13 of the Law, in order to obtain information about the personal data collected by the Company and to exercise their rights specified in Article 11 of the Law. .
Accordingly, applications to be made by Data Owners can be made in writing as follows:
- The image of our company
- Officially through the notary public.
2.2. Content of the Application
In order for the Data Owner's requests to be evaluated, it will first be determined whether the Data Owner is the owner of the personal data processed by the Company. In this regard, the identity information of the Data Owner must be clearly and truthfully stated in the applications to be made to our Company within the scope of the Law.
Applications not received through the means specified in this Procedure, if the identity of the Data Owner has been determined and the information and/or documents required for the application within the scope of the Law have been provided by the Company, applications made through such means may be evaluated. Otherwise, the applications will be rejected due to violation of the procedure.
Applications that do not meet the qualifications specified in this article will be evaluated and the Data Owner will be contacted until the requested information is obtained; however, if the requested information and/or documents are not provided by the Data Owner, the Data Owner's application will be rejected due to irregularity.
3. OTHER CASES
3.1. Application Made by Proxy or Legal Representative
Applications to be made to the Company within the scope of the law can also be made by the representative or legal representative of the Data Owner, provided that the official document to prove it is submitted.
3.2. Application Fee
The Law stipulates that the Data Controller shall conclude the request submitted to him free of charge. However, it has been stated that if the transaction also requires a cost, it may be possible to make a fee in line with the principles to be determined by the Board. In this context, if finalizing the applications to the Company requires any additional cost, the Company may charge a fee from the Data Owner.
4. APPLICATION EVALUATION PROCESS
In cases where it is determined that there are missing information and/or documents in the applications made by the Data Owner, this matter will be notified to the Data Owner. If the requested information and/or documents are not provided by the Data Owner, the Data Owner's application will be rejected due to irregularity. the evaluation process will apply:
- Replying the application without sharing the personal data of the third party (for example, deleting the personal data of the third party) or blackout) will be evaluated.
- It will be determined whether the third party has given explicit consent to the sharing of personal data.
- In case the third party's explicit consent is not obtained, it will be evaluated whether the personal data in question can be shared without explicit consent.
In case it is not possible to finalize the application without sharing the data of the third party; first of all, it will be applied to obtain explicit consent from the Data Owner whose personal data has to be shared. If the third party does not consent to the sharing of their data, the application will be answered by completely extracting the information of the third party. In this way, personal data belonging to third parties may also be shared if necessary.
5. EVALUATION TIMES OF APPLICATIONS
The requests of the Data Owner will be evaluated and finalized by the Company as soon as possible and within thirty (30) days at the latest.
Applications made to the Company, will be directed to the relevant department of the Company within a maximum of three (3) days; The inquiries to be made by the department to which the application is directed will be concluded within a maximum of one (1) week.
6. RESPONSE TO APPLICATIONS
Applications made to the Company by the Data Owner are answered by the contact person appointed before the Company and the following information is included in the responses to the applications:
- Applicant Making the Request
- Requests
- Information and Documents Provided as a Result of Requests
- The Request Receipt date
- If extra information and documents regarding the request are requested; the date of these requests and the date of receipt of the relevant replies
- Transactions regarding the request
- Company's Responses to Requests
- Date of Request Response
- Authorized Signature
Related Application Event records, documents and results related to this issue are stored in the electronic directory created on this subject. A copy of the written submission record is also stored in the archive.
7. EFFECTIVENESS AND KEEPING UPDATED
This Procedure has entered into force on 01.09.2022; The Law will be re-evaluated by the KVK Committee at the beginning of each year in line with the relevant secondary legislation, Board Decisions and Company business processes and updated if necessary.
