Personal Data Protection Policy under Law No. 6698
Last Updated: 01/03/2024
With the enactment of the Personal Data Protection Law No. 6698 (hereinafter referred to as the “KVKK” or the “Law”), the protection of individuals’ fundamental rights and freedoms in the processing of personal data, as well as the obligations and principles to be complied with by natural and legal persons who process personal data, have been regulated.
Through its Personal Data Protection and Processing Policy, our organization aims to protect the personal data of employees, former employees, customers, visitors, business partners, third parties, and other natural and legal persons with whom cooperation is established, in accordance with the Personal Data Protection Law No. 6698.
Definitions
The terms used in this Policy are explained in the table below:
Explicit Consent:
Consent that is given freely, based on prior information, and relating to a specific subject.
Anonymization:
The process of rendering personal data incapable of being associated with an identified or identifiable natural person in any manner, even when matched with other data.
Personal Data:
Any information relating to an identified or identifiable natural person.
KVKK Board (Personal Data Protection Board):
The Personal Data Protection Board, affiliated with the Prime Ministry, consisting of expert and administrative bodies established to regulate the obligations and procedures to be complied with by natural and legal persons in order to protect individuals’ fundamental rights and freedoms during the processing of personal data.
KVKK Authority (Personal Data Protection Authority):
The Personal Data Protection Authority, established under the Personal Data Protection Law No. 6698, possessing administrative and financial autonomy and public legal personality, in order to perform the duties assigned by the Law. (www.kvkk.gov.tr)
Special Categories of Personal Data:
Pursuant to Article 6 of the Law, special categories of personal data include data relating to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Data Processing Inventory:
An inventory created and detailed by the Institution by associating personal data processing activities linked to its business processes with the personal data list, categories, processing purposes, recipient groups to whom personal data is transferred, and the relevant data subject groups.
Data Processor:
A natural or legal person appointed by the Data Controller who processes personal data on behalf of the Data Controller.
Data Recording System:
The recording system in which personal data is processed by being structured according to specific criteria.
Data Controller:
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controller Representative:
Personnel appointed by a resolution of the Board of Directors who manage the Company’s relations with the KVKK Authority.
Note: Most of the terms above have been prepared based on the provisions of the Personal Data Protection Law No. 6698 and the documents published on www.kvkk.gov.tr.
Purpose
The primary purpose of this Policy is to establish the rules governing the personal data processing activities carried out by our organization and the procedures implemented for the protection of personal data.
Scope
This Policy covers our employees, customers, visitors, business partners, and related persons, as well as all personal data processed within this scope through verbal, written, and/or electronic means.
Responsibilities
Our organization, acting in the capacity of the Data Controller, is generally responsible for the implementation of this Policy. A committee established for KVKK compliance and the appointed authorized personnel shall be responsible for the execution of this Policy.
General Principles Regarding the Processing of Personal Data
In accordance with the provisions set forth under the section titled “Processing of Personal Data” in the second chapter of the Personal Data Protection Law, the general principles are as follows:
Conditions for the Processing of Personal Data
Personal data may be processed within the framework of fulfilling the obligation to inform data subjects and, where applicable, upon obtaining the explicit consent of the data subjects. In the processing of personal data, the following principles must be complied with:
- Processing in accordance with the law and principles of good faith,
- Being accurate and, where necessary, kept up to date,
- Being processed for specific, explicit, and legitimate purposes,
- Being relevant, limited, and proportionate to the purposes for which they are processed,
- Being retained for the period stipulated by the relevant legislation or required for the purposes of processing.
Conditions for Processing Personal Data Without Explicit Consent
Personal data may be processed without the explicit consent of the data subject in the presence of one of the following conditions:
- Where it is explicitly stipulated by law,
- Where processing is mandatory to protect the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not legally valid,
- Where processing is necessary, provided that it is directly related to the establishment or performance of a contract to which the data subject is a party,
- Where processing is mandatory for the data controller to fulfill its legal obligations,
- Where the personal data has been made public by the data subject,
- Where processing is mandatory for the establishment, exercise, or protection of a right,
- Where processing is mandatory for the legitimate interests of the data controller, provided that such processing does not harm the fundamental rights and freedoms of the data subject.
Conditions for the Processing of Special Categories of Personal Data
The conditions for processing special categories of personal data are as follows:
- Data relating to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, constitute special categories of personal data.
- Processing of special categories of personal data without the explicit consent of the data subject is prohibited.
- Personal data other than health and sexual life listed above may be processed without explicit consent in cases stipulated by law. Personal data relating to health and sexual life may be processed without explicit consent only for purposes such as protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing, by persons or authorized institutions and organizations under an obligation of confidentiality.
- In addition, adequate measures determined by the Board must be taken in the processing of special categories of personal data.
Deletion, Destruction, or Anonymization of Personal Data
The rules regarding the deletion, destruction, or anonymization of personal data applied by our organization are as follows:
- Even if personal data has been processed in accordance with the Law and other applicable legislation, in cases where the reasons requiring processing cease to exist, such personal data shall be deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject.
- Provisions stipulated in other laws regarding the deletion, destruction, or anonymization of personal data are reserved.
- The procedures and principles regarding the deletion, destruction, or anonymization of personal data are regulated by secondary legislation.
Transfer of Personal Data
Our rules regarding the transfer of personal data are as follows:
- Personal data may not be transferred without the explicit consent of the data subject.
- Transfer of personal data is possible in cases where personal data may be processed without explicit consent, as specified above.
Transfer of Personal Data Abroad
Personal data may be transferred abroad with the explicit consent of the data subject and provided that the following conditions are met:
- Personal data may not be transferred abroad without the explicit consent of the data subject,
- The existence of adequate protection in the foreign country,
- In the absence of adequate protection, the data controllers in Türkiye and the relevant foreign country must provide a written undertaking to ensure adequate protection, and permission must be obtained from the Board.
Countries with adequate protection are determined and announced by the Board.
Rights of the Data Subject
Data subjects (relevant persons) may apply to the data controller to request the following:
- To learn whether personal data is being processed,
- To request information if personal data has been processed,
- To learn the purpose of processing personal data and whether such data is used in accordance with its purpose,
- To know the third parties to whom personal data is transferred domestically or abroad,
- To request correction of personal data if it is incomplete or inaccurately processed,
- To request deletion or destruction of personal data when the reasons for processing cease to exist,
- To request notification of third parties to whom personal data has been transferred,
- To object to the occurrence of a result against the data subject arising from the analysis of processed data exclusively through automated systems,
- To request compensation for damages in case of losses arising from unlawful processing of personal data.
Obligations of the Data Controller
The obligations of the data controller are as follows:
- To take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the protection of personal data,
- Where personal data is processed by another natural or legal person on behalf of the data controller, to be jointly responsible with such persons for the implementation of the aforementioned measures,
- To conduct or have conducted necessary audits within its organization to ensure the implementation of the provisions of the Law,
- Data controllers and data processors may not disclose personal data they have learned to others or use such data for purposes other than processing, in violation of the Law; this obligation continues even after termination of their duties,
- In the event that processed personal data is obtained by others through unlawful means, to notify the relevant data subject and the Board as soon as possible. Where deemed necessary, the Board may announce such situation on its website or through other appropriate methods.
Application to the Data Controller and Complaint
The data subject shall submit requests regarding the implementation of this Law to the data controller in writing or through other methods determined by the Board.
The data controller shall conclude the requests included in the application free of charge as soon as possible and no later than thirty (30) days, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board. The data controller shall accept the request or reject it by explaining the reason and notify the data subject in writing or electronically. If the request is accepted, the data controller shall fulfill the requirements without delay. If the application results from the data controller’s fault, the fee collected shall be refunded to the data subject.
Measures for Ensuring the Security of Personal Data
Our organization takes the following measures to ensure the security of personal data:
Technical Measures
Based on its technical capabilities, our organization implements the following measures:
- Access to computer systems, archives, and cabinets containing personal data is restricted solely to authorized and permitted personnel.
- Personal data is backed up on a regular basis.
Administrative Measures
Our organization implements the following administrative measures to ensure the security of personal data:
- Support and oversight of senior management are ensured with respect to the processing and protection of personal data.
Reasons for the Retention of Personal Data
Our organization retains personal data in order to fulfill its commercial and legal obligations, as well as to maintain relationships with customers and business partners. The reasons for the retention of personal data are as follows:
- As required by law,
- As required by the obligation to retain information necessary under contracts and applicable legislation,
- As required by the retention obligations stipulated under relevant regulations.
Reasons for the Destruction (Disposal) of Personal Data
Our organization shall destroy personal data in the following circumstances:
- Where the purpose requiring the processing or retention of personal data ceases to exist,
- Where personal data is processed solely based on explicit consent and the data subject withdraws such consent,
- Where the request submitted by the data subject for the deletion or anonymization of personal data is accepted by the data controller,
- Where the data subject’s application to the Board regarding the destruction of personal data is deemed appropriate,
- Where the maximum retention period required for the storage of personal data has expired.
The destruction process shall be carried out by the Data Controller Representative.
Methods for the Deletion and Destruction of Personal Data
Our organization carries out the deletion and destruction of personal data as follows:
- Permanent deletion of data from computer systems,
- Destruction of personal data contained in printed or paper form using paper shredding machines,
- Destruction of data stored on disks or similar media through physical destruction methods.
Anonymization of Personal Data
Anonymization is a technique used as an alternative to deletion and destruction, ensuring the secure storage of personal data when required. The following techniques are used for anonymization:
- Rendering certain fields of data indistinguishable through masking,
- In addition, encryption and other technical methods may be applied based on ERP, Oracle, and other software systems.
