DR. ŞEN
PERSONAL DATA PROTECTION AND PROCESSING POLICY
CONCEPTS
Processing of Personal Data | Any transaction performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, by completely or partially automatic means, or by non-automatic means provided that it is part of a data recording system. |
Personal Data Owner/Relevant Person | A natural person whose personal data is processed. |
Personal Data | Any information about an identified or identifiable natural person. |
Special Personal Data | Data related to race, ethnicity, political thought, philosophical beliefs, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
Data Controller | The person who determines the purposes and means of processing personal data and administers the place where the data is systematically kept (the data recording system). |
Deletion | The process of making personal data inaccessible and non-reusable in any way for the relevant users. |
Destruction | The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
Anonymization | It is the process of making personal data incapable of being associated with an identified or identifiable natural person in any way, even if matched with other data. With this method, personal data must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and relevant field of activity, such as the return of personal data by the recipient or recipient groups and matching of data with other data. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him. |
PART I
INTRODUCTION
This regulation concerns protecting the privacy of our customers, job candidates, employees, business partners and visitors, and protecting all other data that has the nature of personal data, within the scope of the Personal Data Protection Law No. 6698.
This Policy sets forth the principles to be adopted by our Company and taken into consideration in terms of implementation regarding the processing, protection, deletion, destruction and anonymization of personal data.
PURPOSE
The purpose of this Policy is to ensure that our Company processes, protects, deletes, destroys and anonymizes personal data in accordance with the law, to inform our target audience, whose personal data is processed, about the personal data processing activity carried out and the processes adopted for the protection of personal data, and to determine the personal data protection and processing policy.
SCOPE
This Policy relates to all personal data of real persons processed by our Company.
POLITICS OF THE POLICY
This policy, which was prepared and put into effect by us, is published on our Company’s website and is thus made accessible to personal data owners.
PART II
1-PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH RELEVANT LEGISLATION
In accordance with Article 4 of the KVKK, our Company observes the following principles regarding the processing of personal data:
1.1-Carrying Out Personal Data Processing Activities
In our company, personal data processing processes are carried out in accordance with legal regulations and rules of integrity. In this context, our company only processes personal data as much as necessary.
1.2-Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Our company takes the necessary measures to ensure that personal data is up-to-date and accurate, taking into account the fundamental rights of personal data owners and their own legitimate interests.
1.3-Processing for Specific, Clear and Legitimate Purposes
The purpose for which personal data will be processed by our company is determined before the personal data processing activity begins.
1.4-Related, Limited and Proportionate to the Purpose for Which They Are Processed
Our company processes personal data to the extent required by the business and within the scope and in line with the relevant legal regulations, in the context of the requirements of the activities it carries out, and the processing of irrelevant or unnecessary personal data is avoided.
1.5-Storing for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose of Processing
Our Company stores personal data only for the periods stipulated in the relevant legislation or limited to the purpose for which they are processed. In this context, if a period is specified for the storage of personal data in the relevant legislation, this period is complied with. If no period is specified, personal data is stored for the period necessary for the purpose for which they are processed. In the event that the period expires or the reasons requiring processing are eliminated, personal data is deleted, destroyed or anonymized by our Company. Personal data is not stored by our Company with the possibility of future use. Detailed information on this subject is provided in section 7 of this policy.
2- PROCESSING OF PERSONAL DATA
Our Company processes personal data only in cases stipulated in the law or with the express consent of the person.
In addition to express consent, personal data may also be processed if one of the other conditions listed below exists:
2.1- Explicit Consent of the Personal Data Owner
One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be related to a specific subject, based on information and expressed with free will.
2.2- Explicit Provision in Laws
The personal data of the data owner may be processed in accordance with the law if it is explicitly provided for in the law.
2.3- Failure to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility
If the processing of personal data is mandatory for the protection of the life or physical integrity of the person or another person who is unable to express his/her consent due to actual impossibility or whose consent cannot be recognized as valid, the personal data of the data owner may be processed.
2.4- Direct Relation to the Establishment or Performance of a Contract
Provided that it is directly related to the establishment or performance of a contract, personal data may be processed if the processing of personal data belonging to the parties to the contract is necessary.
2.5- Fulfillment of Legal Obligations
Our Company may process the personal data of the data owner if processing is mandatory in order to fulfill its legal obligations as the data controller.
2.6- Making Personal Data Public by the Personal Data Owner
If the personal data of the data owner is made public by him/her, it may be processed, provided that it is limited to the purpose.
2.7- Data Processing is Mandatory for the Establishment or Protection of a Right
If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.
2.8- Data Processing is Mandatory for the Legitimate Interest of the Data Controller
The personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
3- ENLIGHTENING AND INFORMING THE PERSONAL DATA OWNER
Our company provides information on the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner. (See Information Text)
4- PROCESSING OF SPECIAL NATURE PERSONAL DATA
Our company complies with the regulations stipulated in the KVKK in the processing of personal data determined as “special nature” by the KVKK.
These data are; data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Our Company processes special personal data in the following cases, taking the necessary precautions:
If the personal data owner has given his/her explicit consent or
If the personal data owner has not given his/her explicit consent, it can be processed in the cases stipulated by law.
Data on health and sexual life however, and only with the explicit consent of the data owner.
PART III
PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND STORAGE PERIOD
- Personal data processed by our Company are specified below. However, which data will be processed for each personal data owner may vary depending on various factors such as the type and nature of the relationship between the personal data owner and our Company and the communication channels used.
PERSONAL DATA | DESCRIPTION |
Identity Information | Data containing information about the identity of the person; documents such as driver’s license, identity card and passport containing information such as name-surname, Turkish Republic identity number, nationality information, mother’s name-father’s name, place of birth, date of birth and gender, as well as information such as personnel registration number and signature information |
Contact Information | Information such as telephone number, address, e-mail address, KEP address, fax number, IP address |
Family Members and Relatives Information | Information about family members (e.g. spouse, child), relatives and other persons who can be reached in emergency situations, as reported to our Company by the personal data owner within the scope of operations carried out by our Company units |
Security Information | Personal data regarding records and documents taken at the entrance to our Company’s facilities and during the stay in these places; camera recordings and records taken at security points, etc. |
Financial Information | All kinds of financial information, documents and records created according to the type of legal relationship our company has established with the personal data owner, and personal data processed regarding such data as bank account number, IBAN number, income information |
Visual/Auditory Information | Photograph, camera recordings |
Personal Information | All kinds of personal data processed to obtain information that will form the basis for the formation of personal rights of real persons who have a working relationship with our company |
Special Personal Data | Data specified in Article 6 of the Personal Data Protection Law (e.g. health data including blood type, biometric data (fingerprint), body size, etc.) |
Professional Information | Data regarding diploma and certificate information of job candidates, our employees and people who have a business relationship with our Company |
- PERSONAL DATA SUBJECTS PROCESSED BY OUR COMPANY
Our Company’s customers, affiliates, visitors, job candidates, employees, company shareholders, employees of companies we have a business relationship with, employees of institutions we cooperate with.
- PURPOSES OF PROCESSING PERSONAL DATA
Our Company processes the personal data specified in Section III.1 of this Policy for purposes such as:
Conducting application processes of employee candidates
Conducting human resources processes
Fulfilling obligations arising from legislation for employees
Conducting social responsibility and civil society activities
Conducting finance and accounting works
Conducting communication activities
Conducting the purchasing process of goods and services
Conducting the sales process of goods and services
Conducting the wage policy
Conducting fringe benefits and benefits processes for employees
Conducting storage and archive activities
Conducting emergency management processes
Conducting business activities
Conducting business continuity activities
Ensuring the security of movable goods and resources
Providing information to authorized persons, institutions and organizations
Conducting training activities
Conducting activities in accordance with legislation
Ensuring physical space security
Conducting internal audit activities
Conducting occupational health / safety activities
Execution of Management Activities
Execution of Goods / Services Production and Operation Processes
Execution of Goods / Services After-Sales Support Services
Execution of Logistics Activities
Execution of Contract Processes
Execution of Risk Management Processes
This processing is carried out in the following cases:
- To fulfill our legal obligations,
- When it is necessary to process personal data of the parties based on the established business relationship,
- When it is foreseen by the laws, and
- To protect the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the relevant person, and with the explicit consent of the relevant person.
- PERSONAL DATA STORAGE PERIOD
Our Company processes personal data in accordance with the relevant legislation for the period foreseen or necessary for the purpose for which they are processed.
If the legislation does not regulate how long personal data should be stored, personal data is processed for the period that requires processing in accordance with the practices of our Company and the customs of its commercial life, depending on the activity carried out by our Company while processing that data.
If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation or our Company have also come to an end, personal data can only be stored to constitute evidence in possible legal disputes, to assert the relevant right related to personal data, or to establish a defense. These storage periods are determined based on the statute of limitations for asserting the said right and on the examples of requests previously directed to our Company on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data cannot be accessed for any other purpose, and access to the relevant personal data is provided only when it is necessary for use in the relevant legal dispute. After the mentioned period expires, personal data is deleted, destroyed or anonymized.
SECTION IV
- CAMERA MONITORING ACTIVITY CONDUCTED AT AND INSIDE THE BUILDINGS AND FACILITIES OF OUR COMPANY
Within the scope of our Company’s security camera monitoring activity, certain areas are subject to camera monitoring in order to protect the interests of the Company and other persons in ensuring their security, limited to the purposes in this Policy, and in a way that does not interfere with the person’s privacy beyond what the security purposes require. In the camera monitoring activity carried out by our Company for security purposes, KVKK is complied with. Information regarding the camera monitoring activity is provided by publishing this Policy on the website and by hanging signs, plaques and an information text in the monitoring areas stating that monitoring will be carried out.
The monitoring areas, the number of security cameras and the times of monitoring are kept sufficient for, and limited to, achieving the security purpose. Necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera monitoring activities. Detailed information regarding the retention period of personal data obtained through camera monitoring activities by our Company is provided in Article 3.4 of this Policy titled Personal Data Storage Periods.
Only a limited number of Company employees have access to live camera images and to the records recorded and stored in the digital environment. The limited number of people who have access to the records declare, by means of a confidentiality commitment, that they will protect the confidentiality of the data they access.
- MONITORING OF GUEST ENTRANCES AND EXITS CONDUCTED AT AND WITHIN OUR COMPANY BUILDINGS AND FACILITIES
Our Company carries out personal data processing activities to monitor guest entries and exits in our Company buildings and facilities in order to ensure security and for the purposes specified in this Policy.
While the names and surnames of the people who come to our Company buildings as guests are obtained, personal data owners are informed in this context. The data obtained for the purpose of monitoring guest entry and exit is processed only for this purpose and the relevant personal data is recorded in the data recording system in a physical environment.
SECTION V
TRANSFER OF PERSONAL DATA
While the third parties to whom personal data may be transferred may vary depending on various factors such as the type and nature of the relationship between the data owner and our Company and the markets where the transaction is carried out, the third parties to whom data may be transferred are generally as follows:
Authorized public institutions and organizations
Private law legal entities limited to the purpose requested within the scope of their legal authority,
Our Company’s business partners in Turkey and/or abroad,
Customers, Suppliers,
Our Shareholders, Our Auditors
SECTION VI
ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA
Our Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data it processes, to prevent unlawful access to data and to ensure the preservation of data, and in this context carries out the necessary audits or has them carried out.
The actions and measures taken by our company to ensure “data security” in accordance with Article 12 of the KVKK are stated below.
Our Company takes technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law. Employees are informed that they cannot disclose the personal data they learn to anyone else in violation of the KVKK provisions and cannot use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are obtained from them in this regard.
Our Company provides the necessary training to increase awareness to prevent unlawful processing of personal data, unlawful access to data, and to ensure the preservation of data.
Our Company takes the necessary technical and administrative measures according to technological possibilities and implementation costs to store personal data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.
SECTION VII
CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
As regulated in Article 7 of the KVKK, personal data is deleted, destroyed or anonymized for 3 months upon the decision of our Company, if the reasons requiring its processing are eliminated, despite being processed in accordance with the relevant provisions of the law. If all the conditions for processing personal data are eliminated, our company will delete, destroy or anonymize the personal data subject to the request upon the request of the relevant person. Our company will finalize the request of the relevant person within thirty days at the latest and inform the relevant person.
In accordance with Article 28 of the KVKK, anonymized personal data may be processed for purposes such as research, planning and statistics. Since such transactions are outside the scope of the KVKK, the explicit consent of the personal data owner is not required.
SECTION VIII
RIGHTS OF PERSONAL DATA OWNERS; METHOD OF EXERCISE AND EVALUATION OF THESE RIGHTS
Our Company maintains the necessary channels, internal operations, and administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
Personal data owners have the right:
To learn whether personal data has been processed,
To request information about personal data if it has been processed,
To learn the purpose of processing personal data and whether it is used in accordance with its purpose,
To know the third parties to whom personal data is transferred domestically or abroad,
To request correction of personal data if it is processed incompletely or incorrectly and to request notification of the transaction made within this scope to the third parties to whom personal data is transferred,
Despite being processed in accordance with the provisions of the KVKK and other relevant laws, if the reasons requiring processing are eliminated, to request the deletion or destruction of personal data and to request notification of the transaction made within this scope to the third parties to whom personal data is transferred.
SECTION IX
PERSONAL DATA PROTECTION AND PROCESSING POLICY MANAGEMENT STRUCTURE
Our Company establishes the necessary management structure to fulfill the obligations under the Personal Data Protection Law and to implement this Policy and to fulfill the following functions.
- To prepare the basic policies and amendments regarding the Protection and Processing of Personal Data, submit them for the approval of the senior management, and put them into effect,
- To decide how the implementation and auditing of the policies regarding the Protection and Processing of Personal Data will be carried out, and to submit the internal assignments and coordination within this framework for the approval of the senior management,
- To determine what needs to be done to ensure compliance with the Personal Data Protection Law and relevant legislation and submit the actions to be taken for the approval of the senior management; to monitor and coordinate their implementation,
- To raise awareness within the Company and among the Company’s business partners regarding the Protection and Processing of Personal Data,
- To identify the risks that may arise in the Company’s personal data processing activities and to ensure that the necessary measures are taken, to submit improvement suggestions to the approval of the senior management,
- To design and ensure the implementation of training on the protection of personal data and the implementation of policies,
- To respond to the applications of personal data owners within the due date,
- To manage the relations with the Personal Data Protection Board and Institution.
While the management structure is being established, a committee is established and the members of this committee and the distribution of duties are determined by our Company’s senior management. In addition to the duties specified above, the Committee and the responsible person/persons to be appointed in this regard may be given other duties and responsibilities according to the needs of our Company and the nature of the activities it carries out.
SECTION X
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURITY OF PERSONAL DATA
Our Company takes the necessary administrative and technical measures to ensure that personal data is stored legally and securely. To this end:
- There are disciplinary regulations that include data security provisions for employees
- Personal data processing inventory has been prepared and is kept up to date
- Contracts (between data controller and data processor)
- Corporate policies (access, information security, use, data storage and destruction)
- Employment contract
- Disciplinary regulation (adding provisions in accordance with the law)
- Confidentiality commitments are made.
- Periodic and/or random audits within the institution
- Training and awareness activities
- Ensuring the security of environments providing personal data
- Risk analyses are conducted and personal data is reduced as much as possible
- Network security and application security are ensured,
- Corporate policies have been prepared and implemented regarding access, information security, use, storage and destruction.
- Privacy commitments are made.
- Up-to-date anti-virus systems are used.
- Personal data security policies and procedures have been determined.
- Personal data security monitoring is carried out.
- Security of environments containing personal data is ensured.
- Personal data is backed up and the security of backed up personal data is also ensured.
- Current risks and threats have been determined.
- Special personal data is sent in encrypted form and using a KEP or corporate mail account.
- Encryption is carried out.
- A closed system network is used in personal data transfers via network.
- Firewalls are used.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Security of physical environments containing personal data against external risks is ensured.
- If it is determined that personal data processed or transferred by our company has been unlawfully obtained by unauthorized persons, the situation will be reported to the Personal Data Protection Board within 72 hours and to the relevant data owner as soon as possible.