INTERNET PLATFORM LIGHTING TEXT
1. IDENTITY OF DATA SPEAKER
1 (“Our Company”) Personal Data Protection Law No. 6698 (“Law&rdquo ;) and carries out personal data processing activities in accordance with the regulations in the Law and other applicable legislation.
2. COLLECTION, PROCESSING AND PROCESSING PURPOSE OF PERSONAL DATA
Your personal data listed below are collected electronically and are processed for the following purposes:
- The "email list" on our website and/or “communication” Your identity and contact information that you will include in your application by using the form,
- If you visit or browse our website, your digital trace data and cookie data will also be processed.
Your personal data; Providing our company's services, performing after-sales services, increasing customer satisfaction, evaluating and responding to complaints and suggestions, performing statistical analysis, fulfilling legal and regulatory requirements, obtaining necessary information in line with the requests and inspections of official authorities, data It is processed for the purpose of ensuring its security.
On the other hand, if you give your explicit consent, your identity and contact data will also be processed for promotional, e-mail newsletter sending and marketing purposes.
3. TRANSFERRING PERSONAL DATA
Your personal data, within the scope of the Law and other legislation and for the purposes described in Article 2 of this Clarification Text, depending on the reason that requires it to be transferred and limited for this reason; Within the scope of the law and related regulations; It can be transferred to supervisory and regulatory public institutions and organizations (BTK, T&C, courts, banks, etc.), auditors, companies that provide software and hardware support services, and legally authorized private individuals such as lawyers.
4. YOUR RIGHTS TO THE PROTECTION OF PERSONAL DATA
The rights of real persons whose personal data are processed are listed in Article 11 of the Law. If you, as a personal data owner, submit your requests regarding your rights listed in the relevant article of the Law, in person or through a notary public, by providing your identity confirmation to the official address of our company in accordance with the application procedures set forth in the Communiqué on Application Procedures and Principles to the Data Controller, your request according to its nature as soon as possible and at the latest will conclude it free of charge within thirty (30) days. However, if the transaction requires an additional cost, it may request the fee in the tariff determined by the Personal Data Protection Board.
CLEAR CONSENT TEXT ON THE PROCESSING OF PERSONAL DATA
My As informed in the Illumination Text, the introduction, e-mail I consent to the sending of the message and its processing for marketing purposes.
Commercial Message Confirmation
Also, in accordance with the Law No. 6563 on the Regulation of Electronic Commerce, through the channels I have marked below; I give my consent for you to contact me for commercial communication, newsletter delivery and advertising and promotion purposes regarding products and services.
SMS
Search
POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Version : 1
&Date of issue : 01.09.2022
1. AMA&Cedil;
1 (“The Company”) and all its employees, regarding the protection of personal data of the T.C. It undertakes to comply with the principles, decisions and rules brought by the Constitution and the Law on the Protection of Personal Data No. 6698, as well as other applicable legislation, and to protect the rights of individuals whose data is processed by the Company. For this purpose, the Company has adopted this Personal Data Protection and Processing Policy (“Policy”) enforced .
The purpose of the policy is to establish rules for the internal management of personal data, to determine targets and obligations, to establish control mechanisms in line with a reasonable risk level, to establish the legal obligation in the field of personal data protection; It is the fulfillment of obligations and the best possible protection of the interests of individuals.
2. SCOPE
Policy provisions cover company employees, sub-employees and interns who provide support services to all units of the Company, especially the Company's board of directors. Any violation of the Personal Data Protection Law No. 6698 or this Policy; The action is evaluated within the scope of the relevant legislation and sanctions are applied accordingly.
Again, the Company's business partners, suppliers and all third parties working with the Company who have or may have access to personal data; parties are invited to read and abide by this Policy.
3. DEFINITIONS
Explicit consent: |
Consent on a specific subject, based on information and expressed with free will, |
Anonymization: |
It means that personal data cannot be associated with an identified or identifiable real person under any circumstances, even by matching with other data. |
Contact Person: |
The real person notified by the Data Controller during registration to the Registry for the communication to be established with the Authority regarding the obligations of the data controller, |
Law: |
Law on Protection of Personal Data No. 6698, |
Personal data: |
Any kind of identity related to an identified or identifiable real person; information, |
Personal Data Inventory: |
Personal data processing activities carried out by data controllers depending on their business processes; personal data processing purposes and legal reason, data category, transferred recipient group and data subject group, and the maximum storage period required for the purposes for which personal data is processed, and their transfer to foreign countries. The inventory they detailed by explaining the personal data collected and the measures taken regarding data security, |
Processing of personal data: |
Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over personal data in whole or in part by automatic or non-automatic means, provided that it is a part of any data recording system, all kinds of things that are performed on the data, such as making it available, classifying or preventing its use; process, |
Corporation: |
Personal Data Protection Authority'nu, |
Board: |
Personal Data Protection Board, |
KVK Committee: |
The structure consisting of real person or persons appointed by the data controller, who performs the administrative follow-up and coordination of the processes established within the scope of the Law, |
KVK Commitment: |
Third with data sharing; the document in which the legal obligations of the parties are determined, |
Register: |
The registry of data controllers kept by the Institution, |
Data Processor: |
The real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller, |
Data controller: |
The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, |
expresses. |
|
4. RESPONSIBILITIES
The Company has the title of Data Controller in accordance with the Law. Everyone who is an employee of the Company is responsible for the development, promotion and other obligations of good practices in the processing of personal data within the Company.
All employees of the Company who process personal data are responsible for complying with the Personal Data Protection legislation.
The company is responsible for carrying out the necessary notifications and trainings so that all its employees know their responsibilities in the field of personal data protection and have the necessary awareness.
Company employees are responsible for ensuring the accuracy and up-to-dateness of all personal data provided to the Company by them or pertaining to them.
4.1. KVK Committee:
Members of the KVK Committee are appointed by the Board of Directors, taking into account that they receive regular training and experience in the Law and secondary legislation and its applications, and submit a report directly to the Board of Directors. The KVK Committee was established as the committee responsible for the management of the personal data protection system, ensuring and documenting compliance with the Law and other relevant legislation, and is responsible to the Board of Directors in these matters.
4.2. KVK Committee Duties and Responsibilities:
- The KVK Committee should inform the Board of Directors about the personal data protection legislation and developments.
- KVK Committee, Company policies, proceduresIt is responsible for ensuring that data processing is up-to-date, data processing audits and trainings are carried out in accordance with the planned schedule, and that they are in compliance with the relevant legislation.
- The KVK Committee acts together with the relevant employees in all matters related to the protection of personal data.
- The KVK Committee is responsible for ensuring that personal data that is not clearly necessary for the purpose of processing is not collected and processed.
- The KVK Committee checks that the data processed through the personal data inventory, which is updated every year, is appropriate and relevant.
- As the KVK Committee will/will do on an annual basis; audits/external audits and checks that all data processing methods are appropriate and relevant.
- The KVK Committee is responsible for stopping the data processing activity in terms of personal data that it determines to be inappropriate or not relevant or excessive in terms of the purpose of processing, and for the safe destruction of the processed data in accordance with the procedure in which the storage and destruction process is defined.
- The KVK Committee is responsible for instructing the relevant unit to evaluate the type, storage time and amount of the processed data, and to review the accuracy or up-to-dateness of certain data through the data inventory. is liable.
5. APPLICATION PRINCIPLES
5.1. DATA PROCESSING PRINCIPLES
The company will comply with the personal data protection legislation and data protection principles. The data processing principles adopted by the company include:
- Processing personal data only if it is clearly necessary for legitimate corporate purposes,
- Processing as much personal data as necessary for these purposes and not processing more than necessary (providing data minimization),
- To give clear information to individuals about who and how their personal data is used,
- Processing only relevant and appropriate personal data,
- Processing personal data fairly and lawfully,
- To keep an inventory of personal data categories processed by the Company,
- Keeping personal data accurate and up-to-date when necessary,
- To store personal data only for as long as required by legal regulations, the Company's legal obligations or legitimate corporate interests,
- To store personal data in a way that does not allow access to the identity information of Data Owners for more than a time reasonably necessary for the purposes for which personal data is processed,
- Continue to protect data privacy at the beginning of any project or activity. phase and then service life as a key factor throughout (Privacy Enforcement Policy),
- Respecting the rights of individuals regarding their personal data, including the right of access,
- To transfer personal data abroad only in accordance with the express consent of the persons or in case of adequate protection,
- To implement the exceptions allowed in accordance with the legislation,
- To establish and implement the personal data protection system for the implementation of the policy,
- Iç, which is party to the personal data protection system when necessary; and external stakeholders and to what extent they are involved in the Company's personal data protection system,
- Identifying employees who have special powers and responsibilities regarding the personal data protection system.
All personal data processing activities must be carried out in accordance with the following data protection principles. The company's policies and procedures aim to ensure compliance with these principles:
- 5. APPLICATION PRINCIPLES
5.1. DATA PROCESSING PRINCIPLES
The company will comply with the personal data protection legislation and data protection principles. The data processing principles adopted by the company include:
- Processing personal data only if it is clearly necessary for legitimate corporate purposes,
- Processing as much personal data as necessary for these purposes and not processing more than necessary (providing data minimization),
- To give clear information to individuals about who and how their personal data is used,
- Processing only relevant and appropriate personal data,
- Processing personal data fairly and lawfully,
- To keep an inventory of personal data categories processed by the Company,
- Keeping personal data accurate and up-to-date when necessary,
- To store personal data only for as long as required by legal regulations, the Company's legal obligations or legitimate corporate interests,
- To store personal data in a way that does not allow access to the identity information of Data Owners for more than a time reasonably necessary for the purposes for which personal data is processed,
- Continue to protect data privacy at the beginning of any project or activity. phase and then service life as a key factor throughout (Privacy Enforcement Policy),
- Respecting the rights of individuals regarding their personal data, including the right of access,
- To transfer personal data abroad only in accordance with the express consent of the persons or in case of adequate protection,
- To implement the exceptions allowed in accordance with the legislation,
- To establish and implement the personal data protection system for the implementation of the policy,
- Iç, which is party to the personal data protection system when necessary; and external stakeholders and to what extent they are involved in the Company's personal data protection system,
- Identifying employees who have special powers and responsibilities regarding the personal data protection system.
All personal data processing activities must be carried out in accordance with the following data protection principles. The company's policies and procedures aim to ensure compliance with these principles:
- Compliance with the law and the rules of honesty
- Being accurate and up to date when necessary
- Processing for specific, clear and legitimate purposes
- Related, limited and reputable for the purpose for which they are processed; don't be
- The purpose for which they are processed or processed in the relevant legislation; Storage for the required time.
In this direction, the Company includes disclosure and privacy statements regarding the personal data processing activities it carries out, in the data collection channels and in the relevant forms. Areas where notifications containing clear and understandable information about whom and for what purposes are processed by the company are to be included and announced by the KVK Committee. is determined by. These notices include the following:
- Identity and contact information of the Company as the data controller,
- Types of personal data processed,
- Purposes of processing personal data,
- Methods of collecting personal data,
- Based on which legal reason personal data is processed,
- Data owner's rights,
- Third where data can be shared; parties.
In the personal data inventory, the reasons/purposes for the processing of personal data are determined and the personal data is used for another legal reason or for the stated purpose without the explicit consent of the data owner. cannot be used outside. In the event that conditions arise that require the use of personal data for purposes other than those specified in the personal data inventory, this situation is notified to the KVK Committee by the relevant employee/unit/department. The KVK Committee checks the suitability of the new purpose and, if necessary, ensures that the data owner is informed about the new purpose and new data processing activity.
Personal data; It must be processed to a relevant and limited extent appropriate for the purposes for which it is processed, and must be accurate and up-to-date. The accuracy and up-to-dateness of the data kept for a long time should be reviewed. The company is responsible for educating all employees on the correct and up-to-date collection and storage of data.
The KVK Committee should be informed about all data collection channels.
The accuracy and up-to-dateness of the data kept regarding the employees is the responsibility of the relevant employee.
Customers/customers/relationships and other relevant persons should inform the Company to update the processed personal data.
Personal data should be processed in such a way that the data subject can be identified only if necessary for the purpose of data processing.
Backup of personal data, etc. Due to the requirements, safe destruction methods determined by the Board regarding personal data are applied in order to protect the rights and freedoms of individuals in case of storage beyond the specified period or in case of data security weakness.
When personal data needs to be processed for more than the specified time in accordance with the procedure in which the storage and destruction process is defined, the written approval of the KVK Committee is obtained.
All Company units that process Personal Data are responsible for complying with the above-mentioned principles as well as the measures enforcing the applicable data protection laws, and must be able to prove that they comply.
5.2. RISK ASSESSMENT
The company identifies the risks associated with the processing of personal data types. Certain types of data processing activity; If it is likely to pose a high risk to personal rights and freedoms in line with its structure, context and purpose, the Company should manage potential risks by conducting an impact analysis prior to its data processing activity. With a single value for multiple data processing activities with similar risksdownload is bearable.
After the impact analysis, if it is understood that the Company is about to start a data processing activity that may pose a high risk to personal rights and freedoms, the approval of the KVK Committee is sought on this issue. If the KVK Committee deems it necessary, it receives an opinion from the Board on the subject.
5.3. OBTAINING EXPRESS CONSENT
The company is a written/oral; accepts the consent expressed by declaration or clear confirming action as express consent. Explicit consents are obtained in writing or systematically in a way that is suitable for proof. Explicit consent can be withdrawn by the data owner at any time.
In case the data processing activity based on explicit consent will be continuous or repeated, the express consents obtained are checked. The up-to-dateness and correctness of these express consents is the responsibility of the relevant unit. Explicit consent forms or other relevant proof tools regarding the data processing activity based on explicit consent are kept by the relevant unit.
5.4. DATA SECURITY
All employees are responsible for keeping the data processed by the Company under their responsibility securely and thirdly, unless they sign a confidentiality agreement. is responsible for ensuring that it is not disclosed to the party.
Personal data should only be accessed by those who need it.
The events that threaten the security of personal data, as soon as they are determined definitively by the KVK Committee, and in any case, as soon as possible after the event is learned; It is notified to the Board and the relevant person within 72 hours.
5.5. DATA SHARING
Personal data can only be used in accordance with the law and equity; can be shared with people. Accordingly, in order for personal data to be shared, one of the following conditions must be met:
- Obtaining the explicit consent of the data owner,
- Clarity in laws,
- The person who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid, must be compulsory for the protection of his or someone else's life or bodily integrity,
- li>
- Provided that it is directly related to the establishment or performance of a contract to which the Company is or will be a party, it is necessary to process the personal data of the parties to the contract,
- Legal liability of the company; it must be mandatory in order to fulfill it,
- The person concerned has been made public by himself,
- Data processing is mandatory for the establishment, use or protection of the rights of the Company,
- Compulsory data processing for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Personal data can be transferred abroad only on the condition that the above conditions are met and there is adequate protection in the destination country or the explicit consent of the data owner is obtained for this transfer.
In the transfer of personal data abroad, the list of countries with adequate protection determined by the Board is taken into account.
When it comes to the transfer of personal data abroad, the KVK Committee provides the necessary permissions and notifications to the Board in accordance with the Law and relevant legislation.
Registering in writing with the requirements of all transactions regarding the sharing of personal datashould be taken under. These records are audited periodically by the KVK Committee.
In case of a regular data sharing relationship without a legal basis or legal obligation, a KVK Commitment is made with the party in question specifying the terms of data sharing.
p>5.6. MANAGEMENT OF RECORDS
Personal data cannot be kept longer than necessary for the purposes of processing. Classification of records containing personal data and their respective retention periods, Procedure for Recording, Storing and Destroying Personal Data; determined in accordance with.
Personal data that has expired or needs to be destroyed upon the rightful request of the data owner is anonymized or deleted or destroyed in accordance with the procedure in which the storage and destruction process is defined.
5.7. RIGHTS OF DATA OWNERS
Data owners have the following rights regarding data processing activities and records at the Company:
- Learning whether your personal data is processed or not,
- Request information about personal data if it has been processed,
- Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
- Third, where personal data is transferred at home or abroad; know people,
- In case of incomplete or incorrect processing of personal data, requesting their correction,
- To request the deletion or destruction of personal data that does not have a legal justification or basis for processing in accordance with KVKK or this policy,
- Correction or deletion made at the request of the third party to which personal data is transferred; requesting people to be notified,
- Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
- Demanding the compensation of the damage in case of loss due to unlawful processing of personal data.
Application Procedure of the Data Owner
Data owners may apply to the Company for their requests regarding their rights listed above in accordance with the application procedures set forth in the Communiqué on Application Procedures and Principles to the Data Controller.
In this case, the Company shall respond to the request as soon as possible and as quickly as possible, depending on its nature. It will conclude free of charge within 30 (thirty) days. However, if the transaction requires an additional cost, the Company may demand the fee in the tariff determined by the Board. Procedures for receiving, transmitting and finalizing requests, Procedure for Receiving, Evaluating and Responding to Data Owner Applications; performed in accordance with.
The right of access and contact information of the data owners are included in the notifications and the web address so that the data owners can manage their requests.
All employees of the company are responsible for guiding data owners regarding the correct application method for data subject access requests addressed to them, regardless of their job description; ;r. Company employees should be informed by the KVK Committee on how to act on requests from data owners.
Applications within this scope;
- With the personal application of the Data Owner
- Can be done through a notary.
6. RELEASE AND PUBLIC KEEPING UPDATED
This Policy entered into force on 01.09.2022; The Law will be re-evaluated by the KVK Committee at the beginning of each year in line with the relevant secondary legislation, Board Decisions and Company business processes and will be updated if necessary.
RECEIVE, EVALUATION AND RESPONSE OF DATA SUBJECT APPLICATIONS PROCEDUREÜRÜ
Version : 1
&Date of issue : 01.09.2022
The Procedure for Receiving, Evaluating and Responding to These Data Owner Applications; (“Procedure”), for information purposes by data owners 1’NE (“The Company”) has been prepared in order to determine the procedures and principles regarding the business and transactions regarding the receipt, evaluation and response of the applications made.
Work and procedures regarding the receipt, evaluation and response of applications made by data owners regarding personal data are carried out in accordance with this Procedure prepared by the Company in this direction.
1. DEFINITIONS
Law:
Law on Protection of Personal Data No. 6698
Board:
Personal Data Protection Board
Data Owner:
Real person whose personal data is processed
Personal Data:
As long as it is within the scope of the law, all kinds of real persons with an identified or identifiable natural person; info
2. RECEIVING THE APPLICATION
2.1. Form of Application
Data Owners shall submit their applications to the Company contact person in writing in accordance with Article 13 of the Law, in order to obtain information about the personal data collected by the Company and to exercise their rights specified in Article 11 of the Law.
Accordingly, applications to be made by Data Owners can be made in writing as follows:
- Your identity confirmation to the official address of our company in person; or
- In official procedure through the notary public.
2.2. Contents of the Application
In order to evaluate the requests of the Data Owner, it will first be determined whether the Data Owner is the owner of the personal data processed by the Company. In this regard, in applications to be made to our Company within the scope of the Law, the identity information of the Data Owner must be stated clearly and fairly.
In contingent requests, the Data Owner must provide the necessary information on how this condition is fulfilled and submit the documents to prove this claim to the Company.
Applications not received through the means specified in this Procedure, if the identity of the Data Owner has been determined and the information and/or documents required for the application within the scope of the Law have been provided by the Company, applications made through such means may be evaluated. Otherwise, the applications will be rejected due to irregularity.
Applications that do not meet the qualifications specified in this article will be evaluated and the Data Owner will be contacted until the requested information is obtained; however, if the requested information and/or documents are not provided by the Data Owner, the Data Owner's application will be rejected due to irregularity.
3. OTHER SITUATIONS
3.1. Application Made by Proxy or Legal Representative
Applications to be made to the Company within the scope of the law can also be made by the representative or legal representative of the Data Owner upon submission of the official document to prove it.
3.2. Application Fee
According to the law, it is envisaged that the Data Controller will conclude the request forwarded to him free of charge. However, it has been stated that if the transaction also requires a cost, it may be possible to charge a fee in line with the principles to be determined by the Board. In this context, if finalizing the applications to the Company requires any additional costs, the Company may charge a fee from the Data Owner.
4. APPLICATION EVALUATION PROCESS
If it is determined that there is incomplete information and/or documents in the applications made by the Data Owner, this matter will be notified to the Data Owner. If the requested information and/or documents are not provided by the Data Owner, the Data Owner's application will be rejected due to irregularity.
The third In cases where it is not possible to respond to the Data Owner's application without sharing the personal data of the persons, the Company will do the following: step-by-step evaluation process will be applied:
- Third of the application; It will be evaluated whether it is possible to reply without sharing the personal data of the person (for example, deleting or blackening the personal data of the third person).
- Üç" It will be determined whether the person gives explicit consent to the sharing of personal data.
- Üç" If the person's express consent will not be obtained, it will be evaluated whether the personal data in question can be shared without express consent.
The third In case it is not possible to finalize the application without sharing the data of the person; First of all, it will be applied to obtain explicit consent from the Data Owner, whose personal data has to be shared. "Third" If the person does not consent to the sharing of their data, The application will be answered by extracting the information of the person completely.
Third, whose personal data will be shared; if the person cannot be reached, the third; The Company will show maximum care and sensitivity regarding the sharing of information containing personal data. In this way, if necessary, the third; Personal data of individuals may also be shared.
5. EVALUATION OF APPLICATIONS
The requests of the Data Owner are handled by the Company as soon as possible and as soon as possible; It will be evaluated and finalized within thirty (30) days.
Applications made to the Company, maximum three times; (3) will be forwarded to the relevant department of the Company within the day; Research to be carried out by the department to which the application is directed will be concluded within a maximum of one (1) week.
6. ANSWERING APPLICATIONS
Applications made by the Data Owner to the Company are answered by the contact person appointed at the Company, and the following information is included in the responses to the applications:
- Applicant Making the Request
- Requests
- Information and Documents Provided as a result of Requests
- Talbin Date of purchase
- If extra information and documents related to the request are requested; the date of these requests and the date of receipt of the relevant replies
- Transactions regarding the request
- Company Responses to Requests
- Request Response Date
- Authorized Signature
The event records, documents and results related to the relevant application are stored in the electronic directory created on this subject. A copy of the written shipment record is also stored in the archive.
7. RELEASE AND PUBLIC KEEPING UPDATED
This Procedure entered into force on 01.09.2022; The Law will be re-evaluated by the KVK Committee at the beginning of each year in line with the relevant secondary legislation, Board Decisions and Company business processes and will be updated if necessary.