PERSONAL DATA PROTECTION AND PROCESSING POLICY
INTRODUCTION
Protection of personal data is of great sensitivity and is among the priorities of our company. As Zeynep Betül Süleyman Zarif Film (Company) with Mersis No. 3830863463463400001, we evaluate the protection and processing of personal data, which is the basis of privacy, not only in order to comply with the legislation, but also with our view on people and human values as the basis of our approach. With this awareness, as a company, we take all administrative and technical measures to protect and process personal data within the scope of the Personal Data Protection Law No. 6698 (“KVK Law”). This Personal Data Protection and Processing Policy (“Policy”) has been prepared to make statements about the personal data processing activities carried out by the Company in accordance with the law and purpose and the policies adopted for the protection of personal data; to provide detailed explanations regarding which data are treated as personal data by the Company, which personal data are stored, the administrative and technical measures taken regarding the protection of personal data, the processing and preservation of personal data, the clarification and informing of personal data owners, and the transfer of personal data to third parties and its protection; to inform the relevant persons; and to ensure transparency and auditability in this context.
Table of Contents
1. GENERAL DESCRIPTION
2. PROCESSING OF PERSONAL DATA
3. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND STORAGE PERIOD
4. TRANSFER OF PERSONAL DATA AND SPECIAL PERSONAL DATA
5. THIRD PARTIES TO WHICH YOUR PERSONAL DATA IS TRANSFERRED AND THE PURPOSES OF TRANSFER
6. RIGHTS AND OBLIGATIONS RELATED TO PERSONAL DATA
7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO STORE PERSONAL DATA SECURELY AND PREVENT THEIR ILLEGAL PROCESSING AND ACCESS
8. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
9. STORAGE AND DESTRUCTION PERIOD OF PERSONAL DATA
10. OUR UNIT RESPONSIBLE FOR THE PROTECTION, PROCESSING AND DESTRUCTION OF PERSONAL DATA
11. INTERNAL DATA PROTECTION BOARD WITHIN THE SCOPE OF PROTECTION AND PROCESSING OF PERSONAL DATA
1. GENERAL DESCRIPTION
• Scope and Purpose of the Policy
the company and all processes related to these entities are within the scope of this Policy;
• All printed or written documents and files containing personal data
• All databases containing personal data
In this context, it relates to the personal data collected with the consent of the relevant persons, which is processed by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system. Anonymous and unidentified data, such as data that does not contain personal data obtained for statistical evaluations or studies, and data regarding legal entities are not considered personal data and are not subject to this Policy. This Policy also applies to natural person customers of the Company and its subsidiaries under its control, and other natural persons who do not have a specific framework agreement with the Company and its subsidiaries under its control. References to the Company in this Policy also include the institution and its subsidiaries under its control.
The scope of application of this Policy regarding the groups of personal data owners mentioned above may be the entire Policy or only some of its provisions.
Although this Policy is directed to natural persons whose personal data are processed by the Company through automatic or non-automatic means provided that it is part of any data recording system, it also regulates issues regarding the protection of personal data of Company employees.
• of the Policy and Related Legislation
Relevant legal regulations in force regarding the processing and protection of personal data, especially the KVK Law, will primarily be implemented. In case of incompatibility between the applicable legislation and the Policy, the Company agrees to apply the applicable legislation.
As a company, we take the necessary administrative and technical measures to protect personal data processed in accordance with the KVK Law.
In the processing of personal data, we adopt the following principles: (i) processing personal data in accordance with the law and the rules of honesty, (ii) keeping personal data accurate and updated when necessary, (iii) processing personal data for specific, clear and legitimate purposes, (iv) processing personal data in a manner that is connected with, limited to and proportionate to the purpose for which they are processed, (v) keeping personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed, (vi) enlightening and informing personal data owners, (vii) creating the necessary technical and administrative infrastructure for personal data owners to exercise their rights, (viii) taking the necessary technical and administrative measures for the preservation of personal data, (ix) acting in accordance with the relevant legislation and the regulations of the Personal Data Protection Board in transferring personal data to third parties in line with the requirements of the purpose of processing, and (x) showing the necessary sensitivity to the processing and protection of special personal data.
In this context, this Policy consists of concretizing and regulating the rules set forth by the relevant legislation within the scope of Company practices.
• Enforcement of the Policy
This Policy has been published by the Company on its website and made available to the public. The Company reserves the right to make changes to this Policy in parallel with legal regulations.
2. PROCESSING OF PERSONAL DATA
The Company takes technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law. Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Personal Data Protection Law or use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are obtained from them in this regard. The Company's personal data processing activities include all kinds of actions taken regarding data using automatic, semi-automatic or non-automatic means, without any restrictions. The Company has the right to process a data owner's information during the period when its services are used and after the relationship is terminated, by complying with the principles set out below. The Company may process the personal data of the data owner or third parties specified by the data owner for various purposes, including but not limited to the following:
• The company increases the awareness of data processing institutions such as business partners and suppliers to whom it transfers personal data, about preventing the unlawful processing of personal data, preventing unlawful access to data, and ensuring the legal preservation of data.
• The obligations that the Company, as the data controller, has to comply with when processing personal data and the obligation to comply with the legal, administrative and technical measures developed in this regard are imposed on the data processing institutions with which the institution has relations in various capacities such as suppliers, business partners, in accordance with the nature of the activities they carry out in data processing.
• The Company takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.
• The Company carries out, or has carried out, the necessary audits within its own structure in accordance with Article 12 of the KVK Law. The results of these inspections are reported and the necessary activities are carried out to improve the measures taken.
• The Company ensures that, if personal data processed in accordance with Article 12 of the KVK Law is obtained by others through illegal means, this situation is notified to the relevant personal data owner and the KVK Board as soon as possible.
The personal data processing activity carried out by the Company covers all kinds of actions taken regarding data using automatic, semi-automatic or non-automatic means, without any restrictions. In other words, personal data processing activity means receiving, collecting, recording, photographing, sound recording, video recording, organizing, storing or changing data from the data owner or third parties for the purposes of transfer, dissemination or presentation in different ways; grouping or combining, blocking, deleting or destroying, restoring, retrieving or disclosing data; and obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, transferring abroad, taking over, making available, classifying or preventing the use of data by fully or partially automatic means, or by non-automatic means provided that it is part of any recording system.
3. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND STORAGE PERIOD
• Categorization of Personal Data
Within the Company, in line with the Company's legitimate and lawful personal data processing purposes, personal data in the following categories is processed by informing the relevant persons in accordance with Article 10 of the KVK Law. This processing is based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law, complies with the general principles and all obligations regulated in the KVK Law, especially the principles specified in Article 4 regarding the processing of personal data, and is limited to the subjects within the scope of this Policy (our employee candidates, employees and officials of the institutions we cooperate with, our customers, potential customers, members, other third parties):
• Personal Data Owners
| Personal Data Owner Category | Description |
| --- | --- |
| Employee Candidates | Natural persons who have applied for a job to the Company by any means or have made their CV and relevant information available for review by our company. |
| Employees, Shareholders and Officials of the Institutions We Collaborate with | Natural persons working in institutions (such as but not limited to business partners, suppliers) with which the Company has all kinds of business relations, including the shareholders and officials of these institutions. |
| Customers | Real persons who purchase the products and services offered by our company, regardless of whether they have any contractual relationship with the company. |
| Potential Customers | Real persons who have requested to use or are interested in our products and services, or whose interest has been evaluated in accordance with commercial practices and rules of honesty. |
| Third Parties | Other real persons who are not covered by this policy and the Company Employees Personal Data Protection and Processing Policy (for example: experts, doctors, trainers, models, real estate owners renting, guarantors, companions, working family members and relatives, former employees). |
• Personal Data Categorization and Relevant Data Owners
| PERSONAL DATA CATEGORIZATION | PERSONAL DATA CATEGORIZATION DESCRIPTION | PERSONAL DATA SUBJECT CATEGORIZATION |
| --- | --- | --- |
| Identity Information | Documents such as driver's license, identity card and passport containing information such as name-surname, TR ID number, nationality information, mother's name-father's name, date of birth, place of birth, gender, as well as information such as tax number, SSI number, signature information, etc. | Our Employee Candidates; Employees; Employees, Shareholders and Officials of the Institutions We Collaborate with; Our Customers; Potential Customers; and Other Third Parties |
| Communication Information | Information such as telephone number, address, e-mail address, etc. | Our Employee Candidates; Employees; Employees, Shareholders and Officials of the Institutions We Collaborate with; Our Customers; Potential Customers; Members; and Other Third Parties |
| Customer and Member Information | Name-surname, TR ID number, Credit Card and/or Debit Card Information, Telephone Number, E-Mail Address, Notification Address | Our Customers |
| Financial Information | Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship the Company has established with the personal data owner, and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information. | Employees; Employees, Shareholders and Officials of the Institutions We Collaborate with; Our Customers; Other Third Parties |
| Audio/Visual Information | Data contained in documents that are copies of all kinds of photographs, camera recordings, voice recordings and documents containing personal data | Our Employee Candidates; Employees; Employees, Shareholders and Officials of the Institutions We Cooperate with; Our Customers; Potential Customers; Members; and Other Third Parties |
| Personal Information | All kinds of personal data processed to obtain information that will be the basis for the formation of personnel rights (resume, etc.). | Our Employee Candidates and Employees |
| Request/Complaint Management Information | Personal data regarding the receipt and evaluation of any requests or complaints directed to the Company | Our Employee Candidates, Employees, Customers, Potential Customers, and Other Third Parties |
| Legal Transaction Information | Data processed within the scope of the Company's legal obligations, the determination and follow-up of its legal receivables and rights, and the fulfillment of its debts; data that may be requested from the Company in order to protect the rights and interests of customers; and data reported through judicial authorities, arbitral tribunals, etc. | Our Employee Candidates; Employees; Employees, Shareholders and Officials of the Institutions We Collaborate with; Our Customers; Potential Customers; Website Visitors; and Other Third Parties |
• Personal Data Processing Principles
In accordance with Article 5 of the KVK Law, personal data can only be processed in accordance with the procedures and principles stipulated in the KVK Law and other relevant legal legislation. As a company, we process personal data in accordance with the procedures and principles specified within the scope of both the KVK Law and other relevant legal legislation. The KVK Law clearly regulates that the following principles must be followed in the processing of personal data.
• Processing of Personal Data in Compliance with Law and Integrity Rules
The Company carries out the processing of personal data in accordance with legal regulations, especially the Constitution of the Republic of Turkey, the Personal Data Protection Law and other relevant legislation, and with the rule of honesty, based on trust.
• Ensuring the Accuracy and Up-to-Date Personal Data Processed
While carrying out its personal data processing activities, the Company has established companies and processes to ensure the accuracy and up-to-dateness of the personal data it processes. In this context, the Company takes the necessary measures to ensure that personal data owners correct their personal data and confirm its accuracy.
• Processing of Personal Data for Specific, Clear and Legitimate Purposes
Within the scope of the obligation to inform in Article 10 of the Personal Data Protection Law, the Company clearly and precisely determines the purpose of processing personal data before starting the processing of personal data, and processes it for clear and lawful purposes.
• Purpose Related, Limited and Measured Processing of Personal Data
The Company processes personal data to the extent necessary and in connection with the purpose of performing the service it determines and offers before starting the processing activity. The Company does not carry out personal data processing activities that are not related to the achievement of the purpose or with the assumption that it will be needed in the future. Processing of personal data is limited to the Company's activities and legal obligations.
• Keeping Personal Data for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed
The Company retains personal data for a limited period of time stipulated in the KVK Law and relevant legal legislation or required for the purpose for which they are processed. Accordingly, the Company stores personal data for a limited period of time if a period is stipulated in the relevant legislation, or for a period necessary for the purpose for which they are processed, if no period is specified. The Company does not store personal data for possible future use. The Company deletes, destroys or anonymizes personal data if the period expires or the reasons requiring processing are eliminated.
• Conditions for Processing Personal Data
The Company processes personal data with your explicit consent, limited to the purposes and conditions specified in the personal data processing conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 of the KVK Law.
Your personal data may be processed without your explicit consent under the following conditions.
• It is clearly stipulated in the Laws that the Company engages in relevant activities regarding the processing of your personal data.
• The processing of your personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
• Processing of your personal data is mandatory for the Company to fulfill its legal obligations,
• Provided that your personal data has been made public by you, its processing by the Company in a manner limited to the purpose of making it public,
• The processing of your personal data by the Company is mandatory for the establishment, exercise or protection of the rights of the Company or you or third parties,
• It is mandatory to process personal data for the legitimate interests of the Company, provided that it does not harm your fundamental rights and freedoms,
• It is mandatory for the company to process personal data to protect the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to express his/her consent due to actual or legal invalidity,
• Processing is prescribed by law in terms of special categories of personal data other than the health and sexual life of the personal data owner,
• Special personal data regarding the health and sexual life of the personal data owner is processed by individuals or authorized institutions and organizations who are under the obligation of confidentiality, for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
• Purposes of Processing Personal Data
The company processes your personal data for the following purposes:
• Carrying out the necessary activities to carry out the Company's internal operations, business activities and ensure the security of the Company's operations, and to carry out the effectiveness, efficiency and appropriateness analysis of the business activities,
• Strategy planning activities and management and execution of relationships with Business Partners or Suppliers,
• Execution of production and/or operation processes,
• Ensuring business continuity and planning and execution of corporate governance and sustainability activities,
• Planning and execution of corporate communication activities,
• Event management,
• Carrying out company personnel procurement (recruitment) processes,
• Planning, evaluation and follow-up of purchasing activities,
• Execution/follow-up of company legal affairs,
• Carrying out activities that have legal, technical and administrative consequences and providing information to authorized institutions based on legislation, carrying out activities related to legal requests and legal affairs,
• Keeping data accurate and up to date,
• Collecting, evaluating and responding to data owner's complaints, questions, requests and suggestions,
• Planning and execution of customer relationship management processes,
• Planning and/or execution of customer satisfaction activities,
• Fulfilling the requirements of the contracts concluded with customers,
• Planning and execution of sales processes of products and/or services,
• Following up contract processes and/or legal requests,
• Compliance with legislation,
• Request and complaint management,
• Establishment of possible rights and receivables of the relevant parties,
• Providing information regarding legislation to authorized institutions,
• Carrying out activities related to information security processes and information technology infrastructure,
• Planning and execution of emergency management processes, execution of occupational health and/or safety processes,
• Preparation and presentation of various reports, research and/or presentations,
• Carrying out marketing and sales activities.
• METHOD OF COLLECTING YOUR PERSONAL DATA
Personal data of the persons whose personal data are processed within the scope of this Policy is collected through our Company, website, and partner or supplier companies, and through all kinds of channels, including but not limited to written or electronic form, electronic mail (e-mail), short message (SMS), online or physical application forms, offers, contact forms and similar forms, social media channels, and audio recording, video and camera recording methods, for the purposes determined in advance and explained in this Policy.
- Data You Have Provided Directly to Us: This personal data includes all personal data provided directly to the Company by our employee candidates; employees; employees, shareholders and officials of the institutions we cooperate with; our customers; potential customers; members; and other third parties. For example, name-surname, contact information, identity information, answers to surveys, demographic data and content information are included in this type of data.
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the KVK Law, your explicit consent regarding the relevant processing process is obtained by the Company in accordance with the procedure and law. If any of the above-mentioned conditions exist, your data may be processed without your explicit consent, in accordance with other principles.
In addition, the personal data collected by the Company during the recruitment process of Candidate Employees, the data subject category from which the Company collects the most personal data, and the special personal data collected according to the nature of the job are processed within the scope of the purposes explained below:
• To evaluate the employee candidate's qualifications, experience and interest, and their suitability for the open position,
• To conduct research about the Employee Candidate by contacting third parties,
• Communicating with the Employee Candidate about the application and recruitment process,
• Contacting the Candidate Employee in case a position is opened later,
• To meet the requirements of the relevant legislation and/or the demands of authorized institutions and organizations.
In this context, the personal data of Employee Candidates is collected within the scope of a predetermined purpose (i) through the digital application form published in written or electronic form, (ii) through the resumes they submit to the Company by e-mail, cargo, reference and similar means, (iii) through employment and career websites, (iv) during face-to-face interviews, (v) during the recruitment process, and (vi) after recruitment.
If they wish, Employee Candidates may submit their requests regarding their rights arising from being Data Owners and arising from the Law, through the application method explained in this Policy.
• Storage Periods of Personal Data
The Company processes Personal Data in accordance with the relevant legislation and the requirements of the code of honesty and uses them within these limits. In this context, the Company takes into account the proportionality requirements in the processing of personal data and does not use personal data other than what is required for the purpose.
Our Company ensures that the Personal Data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of Personal Data Owners. In this context, it carefully takes into account issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated.
The company clearly and precisely determines the purpose of data processing and ensures that this purpose is legitimate. A legitimate purpose means that the Personal Data processed by the Company is related to and necessary for the work it performs or the service it offers. The purpose for which personal data will be processed by the Company is disclosed before the personal data processing activity begins.
The Company ensures that the Personal Data processed is suitable for the achievement of the specified purposes and avoids the processing of Personal Data that is not relevant or needed to achieve the purpose. In order to process data to meet the needs that may arise later, it fulfills the processing conditions of Personal Data regulated in the Law, as if it is starting the processing for the first time. It also limits the data processed to only what is necessary to achieve the purpose. For example, personal data processing activities are not carried out to meet needs that may arise later.
If there is a period stipulated in the relevant legal legislation for the storage of data, the Company complies with these periods; otherwise, it retains Personal Data only for the period necessary for the purpose for which it is processed. This period is determined by the Company. If there is no valid reason for further storage of Personal Data by our Company, such data will be deleted, destroyed or anonymized.
With the KVK Law, special importance has been attached to certain personal data due to the risk of causing victimization or discrimination to individuals when processed unlawfully. As stated in the definitions section, data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are Special Personal Data.
Our company considers that Personal Data of a Special Nature is data that may cause the relevant person to be victimized or discriminated against if learned by others. For this reason, all necessary measures are taken sensitively to protect such personal data processed in accordance with the law.
If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and the Company have come to an end, personal data can only be stored to serve as evidence in possible legal disputes or to assert the relevant right based on personal data or to establish a defense. In establishing the periods herein, the retention periods are determined based on the limitation periods for asserting the mentioned right and on the examples of requests previously directed to the Company on the same issues even though the limitation periods had passed. In this case, the stored personal data is not accessed for any other purpose and the relevant personal data is accessed only when it needs to be used in the relevant legal dispute. Here too, after the mentioned period expires, personal data is deleted, destroyed or anonymized.
4. TRANSFER OF PERSONAL DATA AND SPECIAL PERSONAL DATA
• Transfer of Personal Data
The Company may transfer the data owner's personal data and sensitive personal data to third parties by taking the necessary security measures in line with the legal personal data processing purposes. In this regard, the company acts in accordance with the regulations stipulated in Article 8 of the KVK Law.
The Company may transfer personal data to third parties on a limited basis and based on one or more of the personal data processing conditions specified in Article 5 of the Personal Data Protection Law, listed below, in line with legitimate and lawful personal data processing purposes and, in some cases, in order to increase data security:
• If the personal data owner has given explicit consent,
• If there is a clear regulation in the law regarding the transfer of personal data,
• If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not given legal validity,
• If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• If personal data transfer is mandatory for the Company to fulfill its legal obligations,
• If personal data has been made public by the personal data owner,
• If personal data transfer is mandatory for the establishment, exercise or protection of a right,
• If personal data transfer is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
In addition, the Company may transfer personal data to third parties in the following cases, with the express consent of the personal data owner, except in cases of legal obligation:
• Performance of the Membership Agreement and Services,
• Development of services,
• Execution of operational evaluation research,
• For sales and marketing activities,
• Carrying out the necessary work by business units to benefit from the products and services offered by the Company, customizing and recommending the products and services offered by the Company according to the tastes and needs of the customers,
• Ensuring the legal and commercial security of people who have a business relationship with the Company (administrative operations for communication carried out by the Company, evaluation processes of business partner/customer/supplier officials or employees, legal compliance process, audit, financial affairs, etc.),
• Determining and implementing the company's commercial and business strategies and ensuring the execution of the institution's human resources policies,
• this Privacy Policy: (i) ministries, judicial authorities and similar authorized public institutions and organizations, (ii) outsourcing service providers, (iii) cargo companies, (iv) consultancy companies,
• Transfer of Special Personal Data
By taking the necessary care, the necessary security measures and the adequate precautions published by the Board, the Company may transfer the personal data owner's special personal data to third parties in the following cases, in line with legitimate and lawful personal data processing purposes.
• If the personal data owner has given explicit consent, or
• If there is no explicit consent of the personal data owner:
• Special personal data other than the health and sexual life of the personal data owner (data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data), in cases stipulated by law,
• Special personal data regarding the health and sexual life of the personal data owner can only be used by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
• Transfer of Personal Data Abroad
The Company may transfer the Personal Data and Special Personal Data of Personal Data Owners to third parties abroad by taking the necessary security measures to ensure data security in line with the purposes of processing Personal Data and for other legitimate purposes.
Personal data may be transferred by the Company to foreign countries that have been declared by the KVK Board to have adequate protection or, where there is no adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country have committed in writing to adequate protection and the KVK Board has given its permission. In this regard, the Company acts in accordance with the regulations stipulated in Article 9 of the KVK Law.
In line with legitimate and lawful personal data processing purposes, the Company may transfer personal data to Foreign Countries Where the Data Controller Has Adequate Protection or Commits to Adequate Protection, if there is the express consent of the personal data owner, or if there is no explicit consent of the personal data owner, in the presence of one of the following situations:
• If there is a clear regulation in the law regarding the transfer of personal data,
• If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to express his/her consent due to actual impossibility or his/her consent is not given legal validity,
• If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• If personal data transfer is mandatory for the Company to fulfill its legal obligations,
• If personal data has been made public by the personal data owner,
• If personal data transfer is mandatory for the establishment, exercise or protection of a right,
• If personal data transfer is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
4.3.1 Transfer of Special Personal Data Abroad
By showing the necessary care, taking the necessary security measures and taking the adequate precautions prescribed by the KVK Board, and in line with legitimate and lawful personal data processing purposes, the Company may transfer the special personal data of the personal data owner to Foreign Countries Where the Data Controller Has Adequate Protection or Undertakes Adequate Protection in the following cases:
• If the personal data owner has given explicit consent, or
• If there is no explicit consent of the personal data owner;
• Special personal data other than the health and sexual life of the personal data owner (data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data), in cases stipulated by law,
• Special personal data regarding the health and sexual life of the personal data owner, only within the scope of processing by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
If special personal data needs to be transferred via e-mail, it should be transferred encrypted using a corporate e-mail address or a Registered Electronic Mail (KEP) account. If it needs to be transferred via media such as portable memory, CD or DVD, it should be encrypted with cryptographic methods and the cryptographic key should be kept in a different environment. If transfer is made between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or using the SFTP method. If data needs to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in the format of "confidential documents".
5. THIRD PARTIES TO WHICH YOUR PERSONAL DATA IS TRANSFERRED AND THE PURPOSES OF TRANSFER
In accordance with Article 10 of the KVK Law, the Company notifies the personal data owner of the groups of persons to which personal data is transferred.
In accordance with Articles 8 and 9 of the KVK Law, the Company may transfer the personal data of data owners governed by the Policy to the categories of persons listed below:
• To Company business partners,
• To Company suppliers,
• To Company officials,
• To legally authorized public institutions and organizations,
• To legally authorized private legal persons,
• To other third parties in accordance with the data transfer terms.
The scope of the above-mentioned persons to whom the transfer is made and the purposes of data transfer are stated below.
Persons to whom data can be transferred: Business partner
Definition: It defines the parties with whom the Company establishes business partnerships for purposes such as carrying out various projects and receiving services while carrying out its commercial activities.
Purpose of data transfer: Limited to ensuring the fulfillment of the purposes of establishing the business partnership (e.g. cargo companies, agencies, companies providing server support and cloud computing services, providing IT support, providing traffic / customer satisfaction measurement, profiling and segmentation support, SMS in the field of sales and marketing, infrastructure providers, solution partners such as logistics, call centers and consultants, etc., and companies providing services in this field, etc.)
Persons to whom data can be transferred: Supplier
Definition: It defines the parties that provide services to the Company on a contractual basis in accordance with the Company's orders and instructions while carrying out the Company's commercial activities.
Purpose of data transfer: Limited to ensuring that the services outsourced by the Company from the supplier and required to carry out the Company's commercial activities are provided to the Company.
Persons to whom data can be transferred: Company officials
Definition: Public institutions and organizations authorized to receive information and documents from the Company in accordance with the relevant legislation provisions
Purpose of data transfer: Limited to the purposes of designing strategies regarding the Company's commercial activities, ensuring their management at the highest level and auditing purposes in accordance with the relevant legislation.
Persons to whom data can be transferred: Legally Authorized Public Institutions and Organizations
Definition: Private law persons authorized to receive information and documents from the Company in accordance with the relevant legislation provisions
Purpose of data transfer: Limited to the purpose requested by the relevant public institutions and organizations within their legal authority
Persons to whom data can be transferred: Legally Authorized Private Legal Persons
Definition: Private law persons authorized to receive information and documents from the Company in accordance with the relevant legislation provisions
Purpose of data transfer: Limited to the purpose requested by the relevant private legal entities within their legal authority (e.g. law offices, auditing firms, payment institutions for the purpose of identity verification in accordance with the Regulation on Measures for the Prevention of Laundering Proceeds of Crime and Financing of Terrorism).
6. RIGHTS AND OBLIGATIONS RELATED TO PERSONAL DATA
• Obligation to Inform Personal Data Owners by the Company
In accordance with Article 10 of the KVK Law, the Company informs Personal Data Owners during the acquisition of personal data. In this context, the Company clarifies the identity of its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner.
Article 20 of the Constitution states that everyone has the right to be informed about personal data about themselves. In this regard, Article 11 of the KVK Law includes "requesting information" among the rights of the personal data owner. In this context, the Company provides the necessary information in case the Personal Data Owner requests information in accordance with Article 20 of the Constitution and Article 11 of the Personal Data Protection Law.
• Personal Data Owner's Rights and Application Method
The Company puts in place the necessary channels, internal functioning, and administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
If personal data owners submit their requests regarding their rights listed below to the Company in writing, the request will be finalized free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the KVK Board, the fee in the tariff determined by the KVK Board will be charged by the Company. Those concerned will be informed immediately about this fee.
Personal data owners have the right to:
• Learn whether personal data is processed or not,
• Request information if personal data has been processed,
• Learn the purpose of processing personal data and whether they are used for their intended purpose,
• Know the third parties to whom personal data is transferred at home or abroad,
• Request from the Company the correction of personal data that has been processed incompletely or incorrectly, and request that this be notified to third parties to whom the personal data has been transferred,
• Request from the Company the deletion or destruction of personal data if the reasons requiring processing are eliminated, even though the personal data has been processed in accordance with the KVK Law and other relevant law provisions, and request that the transaction carried out in this context be notified to third parties to whom the data is transferred,
• Object to the emergence of a result that is unfavorable to the person through analysis of the processed data exclusively by automatic systems,
• Request compensation for the damage in case of damage due to unlawful processing of personal data.
Personal Data Owners will be able to submit their requests regarding their rights listed in Article 11 of the Personal Data Protection Law to the Company free of charge, with information and documents that will identify them, and by filling in and signing the Application Form, using the following methods or other methods determined by the Personal Data Protection Board:
After filling in the application form at https://www.houseofzarif.com/, a copy with a wet signature must be forwarded personally or through a notary to Mecidiyeköy Mah. Şehit Ahmet St. Ada Residance Blok NO:6-10 İç Kapı No:45 Şişli/İstanbul.
In order for third parties to make an application on behalf of personal data owners, a special power of attorney must have been issued by the data owner through a notary in the name of the person making the application.
• Situations Excluded from the Rights of the Personal Data Owner
In accordance with Article 28 of the KVK Law, since the following situations are excluded from the scope of the Personal Data Protection Law, personal data owners cannot assert their rights listed in Article 6.2 of this Policy. These situations are:
• Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
• Intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
• Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings
In accordance with Article 28/2 of the KVK Law, in the cases listed below, personal data owners cannot assert their other rights listed in Article 6.2 of this Policy, except for the right to request compensation for damages:
• Processing personal data is necessary for the prevention of crime or criminal investigation,
• Processing of personal data made public by the personal data owner,
• Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law,
• Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.
• Procedures and Principles for Responding to Data Owner's Applications
An application must be made to the Company only in cases where the Company is deemed to be the data controller within the scope of the Personal Data Protection Law. This situation may exist in cases where the Company collects personal data directly from the relevant person and is deemed to be a data transfer from the data controller to the data controller within the scope of the Personal Data Protection Law.
• Procedure and Time for the Company to Respond to Applications
If the personal data owner submits his/her request to the Company in accordance with the procedure in Article 6.2 of this Policy, the Company will finalize the relevant request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the KVK Board, the Company will charge the applicant the fee in the tariff determined by the KVK Board.
• Information the Company May Request from the Applicant Personal Data Owner
The Company may request information from the relevant person in order to determine whether the applicant is the owner of the personal data. The Company may ask the personal data owner questions regarding his/her application in order to clarify the issues included in the application.
• The Company's Right to Reject the Application of the Personal Data Owner
The Company may reject the application of the applicant by explaining the reasons in the cases mentioned in Article 28 of the KVK Law and in the following cases:
• The request of the personal data owner is likely to hinder the rights and freedoms of other persons,
• Requests have been made that require disproportionate effort,
• The requested information is publicly available information.
• Personal Data Owner's Right to Complain to the Personal Data Protection Board
In accordance with Article 14 of the Personal Data Protection Law, in cases where the personal data owner's application is rejected, the response given is found to be insufficient, or the application is not responded to in due time, he/she may file a complaint with the KVK Board within thirty days from the date of learning the Company's response and in any case within sixty days from the date of application.
7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO STORE PERSONAL DATA SECURELY AND PREVENT THEIR ILLEGAL PROCESSING AND ACCESS
Technical and administrative measures are taken in accordance with Article 12 of the Personal Data Protection Law in order to process data in accordance with the law, to store the processed data and to protect these data against unlawful access.
• Confidentiality in Processing Personal Data
Personal data processed by the company in accordance with the law is subject to data security. The Company takes all necessary technical and organizational measures to ensure the confidentiality and security of your sensitive personal data and personal data collected through our Website.
Any employee of the Company is prohibited from accessing this data without authorization, processing this data or using it for private or commercial purposes, sharing this data with unauthorized persons or making this data accessible by any other method. The Company's employees can only access personal data appropriately within the scope of the type and scope of their duties. For this purpose, roles and responsibilities are detailed and separated. Processing of this data by any employee of the Company who is not authorized within the scope of his legitimate duty constitutes unauthorized processing.
Managers must inform their employees about the obligation to protect data confidentiality at the beginning of the employment relationship. This obligation will continue after the termination of employment.
• Security in Processing Personal Data
Personal data is protected by the Company against unauthorized access, unlawful data processing or disclosure and accidental loss, alteration or destruction of data. Your personal data is stored in secure working environments that are not available to the public and can only be accessed by authorized Company employees, agents and contractors.
• Technical Measures Taken by the Company Regarding the Confidentiality and Security of Personal Data
The technical measures taken within the scope of personal data processing activities carried out within the company are as follows:
• High-level technical companies are used and these companies are audited periodically.
• Training is provided to relevant persons/departments on technical issues.
• Virus protection systems and firewalls are used.
• Backup programs are used in accordance with the law to ensure that personal data is stored safely.
• Companies that comply with technological developments are used to store personal data in secure environments.
• The relevant unit is constantly informed on technical issues.
• companies are established for hiding areas ,
• Technical measures are taken in accordance with the developments in technology, software is used, and the measures taken are periodically updated and renewed within the scope of both natural requirements and legal legislation requirements.
• Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.
• Access authorizations are limited and authorizations are reviewed regularly.
• Regular security scans are carried out to detect security vulnerabilities in applications where personal data is collected. The gaps found are closed.
• Administrative Measures Taken by the Company Regarding the Confidentiality and Security of Personal Data
Administrative measures taken within the scope of personal data processing activities carried out within the company are as follows:
• Employees are informed and trained about personal data protection law and the technical measures to be taken to process personal data in accordance with the law, to ensure the safe storage of personal data and to prevent unlawful access. In this way, it is aimed to ensure that the company is kept up to date in terms of obligations.
• All activities carried out by the Company are analyzed in detail for all business units, and as a result of this analysis, personal data processing activities are revealed specific to the commercial activities carried out by the relevant business units.
• For the personal data processing activities carried out by the Company's business units, the requirements to be fulfilled to ensure that these activities comply with the personal data processing conditions required by the Personal Data Protection Law are determined specifically for each business unit and the detailed activity it carries out.
• Necessary administrative measures are implemented through in-company policies and training.
• In the contracts and documents governing the legal relationship between the Company and its employees, clauses are included that impose the obligation not to process, disclose or use personal data, except for the Company's instructions and exceptions imposed by law; employees' awareness on this issue is raised and inspections are carried out.
• Within the scope of commercial activities, commitments are obtained from third parties to protect personal data.
• Provisions are added to the contracts concluded with persons to whom personal data is transferred by the Company in accordance with the law, and with third parties from whom technical services are received regarding the storage of personal data, on taking the necessary measures to prevent unlawful processing of personal data, preventing unlawful access to data, ensuring the lawful preservation of data, and ensuring that these measures are complied with in their own organizations.
• Personal data processing and authorization processes are designed and implemented within the company in accordance with legal compliance requirements for personal data processing on a business unit basis.
• Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Personal Data Protection Law or use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are obtained from them in this regard.
• In the contracts concluded by the Company with persons to whom personal data is transferred in accordance with the law, provisions are added stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
• The Company carries out the necessary audits within its own structure, or has them carried out, in accordance with Article 12 of the KVK Law. These audit results are reported to the relevant department within the scope of the internal functioning of the Company and the necessary activities are carried out to improve the measures taken.
• The Company provides necessary training to its business units, business partners and suppliers in order to raise awareness to prevent unlawful processing of personal data and unlawful access to data, and to ensure the preservation of data. In this regard, the Company evaluates the participation in relevant trainings, seminars and information sessions and carries out the necessary inspections or has them carried out. The Company updates and renews its training in parallel with the update of the relevant legislation.
• The provisions of the legal legislation are complied with regarding the data obtained within the scope of the possible contractual relationship and the relevant parties are fully informed about their rights.
• Precautions to be Taken in Case of Unlawful Disclosure of Personal Data
In accordance with Article 12 of the KVK Law, the Company ensures that if processed personal data is obtained by others through illegal means, this situation is notified to the relevant personal data owner and the KVK Board as soon as possible. In case of illegal disclosure of personal data, the Company will notify the KVK Board within 72 hours at the latest and will immediately take actions in line with current developments.
If deemed necessary by the KVK Board, this situation may be announced on the KVK Board's website or by another method.
• Conducting Audit Activities
In accordance with Article 12 of the KVK Law, the Company carries out the necessary audits within itself and its business partners or has them carried out within the framework of contracts made with third party companies. These audit results are reported to the relevant department within the scope of the internal functioning of the Company and the necessary activities are carried out to improve all measures taken.
8. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least 2 years, excluding other legal obligations.
The Company destroys your personal data for the following reasons:
• Expiry of the periods specified by law regarding the storage of personal data,
• Expiry of the destruction period determined by the Company in the Deletion and Destruction Policy,
• Expiration of the periodic destruction period determined by the Company in the Deletion and Destruction Policy,
• Amendment or abolition of the relevant legislative provisions that constitute the basis for processing personal data,
• The relevant contract has never been established, the contract is not valid, the contract terminates automatically, the contract is terminated or the contract is withdrawn,
• Elimination of the purpose requiring the processing of personal data,
• Processing personal data is against the law or the rule of honesty,
• In cases where personal data is processed only on the basis of explicit consent, the relevant person withdraws his/her consent,
• The Company accepts the application made by the relevant person regarding the processing of personal data within the framework of his rights,
• A complaint being made to the KVK Board, and this request being approved by the Board, in cases where the Company rejects the application made by the relevant person requesting the deletion or destruction of his/her personal data, the response given is found to be insufficient, or the Company does not respond within the time period stipulated by law,
• Although the maximum period requiring personal data to be stored has passed, there are no conditions that justify storing personal data for a longer period of time,
• Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the KVK Law.
• Deletion and Destruction Techniques of Personal Data
The Company may delete or destroy personal data based on its own decision or upon the request of the personal data owner, in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of the relevant law. Deletion or destruction of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. In this context, the Company deletes or destroys personal data by using the following techniques:
• The Company takes all necessary technical and administrative measures to ensure that deleted personal data are inaccessible and unusable by relevant users,
• If the deletion of personal data would result in the inability to access and use other data within the Company, the Company applies the following rules:
• Archiving personal data so that it cannot be associated with the relevant person,
• Not accessible to any other institution, organization and/or person,
• Taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons,
• If a request for deletion is submitted directly by real persons, the personal data of the relevant person will be deleted from the Company's systems.
Deletion of personal data that forms part of any data recording system and is processed by non-automatic means is carried out by:
• Obscuring unnecessary personal data,
• Scanning or masking unnecessary personal data in paper form that is transferred to electronic media without being digitized.
The deletion conditions are mentioned above. The deletion or destruction techniques most commonly used by the Company are listed below:
• Physical Destruction: Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When such data is deleted/destroyed, personal data is physically destroyed so that it cannot be used later.
• Secure Deletion from Software: When data processed wholly or partially automatically and stored in digital media is deleted/destroyed, methods are used to delete the data from the relevant software so that it cannot be recovered again.
• Secure Deletion by Expert (Sending to a Specialist for Secure Deletion): In some cases, the Company may agree with an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by an expert in this field so that it cannot be recovered again.
• Techniques for Anonymizing Personal Data
Anonymization of personal data means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. The Company can anonymise personal data when the reasons requiring the processing of personal data processed in accordance with the law are eliminated.
In accordance with Article 28 of the KVK Law, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Personal Data Protection Law and the express consent of the personal data owner will not be required. Since personal data processed by anonymization will be outside the scope of the Personal Data Protection Law, the rights set out in Article 6 of the Policy will not apply to these data. The anonymization techniques most used by the Company are listed below.
• Masking: Data masking is the method of anonymizing personal data by removing the basic identifying information of personal data from the data set.
• Aggregation: With the data aggregation method, many data are aggregated so that personal data cannot be associated with any person.
• Data Derivation: With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person.
• Data Shuffling (Permutation): With the data shuffling method, the connection between values and individuals is broken by mixing the values in the personal data set.
• STORAGE AND DESTRUCTION PERIOD OF PERSONAL DATA
The Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. The time period during which periodic destruction will be carried out is six months. Storage periods for personal data are determined in accordance with the Personal Data Protection Law and business processes. The KVK Board may shorten the periods specified in this article in case of irreparable or impossible damages and if there is a clear violation of the law.
If the natural person who owns Personal Data applies to the Company pursuant to Article 13 of the Personal Data Protection Law and requests the deletion or destruction of his/her personal data, the Company:
• If all the conditions for processing personal data have been eliminated, deletes, destroys or anonymizes the personal data subject to the request. The Company finalizes the request of the natural person who is the Personal Data Owner within thirty days at the latest and informs the natural person who is the data owner.
• If all the conditions for processing personal data have been eliminated and the personal data subject to the request has been transferred to third parties, the Company will notify the third party of this situation and ensures that the necessary procedures are carried out before the third party.
• If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason in accordance with the 3rd paragraph of Article 13 of the KVK Law, and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest.
• Periods for Ex-Officio Deletion, Destruction or Anonymization of Personal Data
The Company takes into account the following periods within the scope of its obligation to delete, destroy or anonymise personal data:
• In the first periodic destruction following the date on which the obligation arises.
• In any case, the periodic destruction period cannot be longer than 180 days (6 months).
• Periods for Deleting and Destroying Personal Data if the Relevant Person Requests
When the relevant person contacts the Company and requests the deletion or destruction of his/her personal data:
• If all the conditions for processing personal data have been eliminated, the Company may delete, destroy or anonymize the personal data subject to the request. Deletion or destruction requests of relevant persons are concluded by the Company within thirty days at the latest.
• If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest.