DESE GROUP COMPANIES
PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. SECTION - INTRODUCTION
1.1
Introduction
The protection of personal data is among the most important priorities of DESE Group Companies ("Company")
and it makes maximum efforts to
comply with all applicable legislation in this
regard. This DESE Group Companies Personal Data Protection and Processing
Policy ("Policy") constitutes an important part of this
issue.
Within the
framework of this Policy, the
principles adopted in the conduct of personal data processing activities
carried out by our Company and the basic principles adopted in terms of
compliance of our Company's data processing activities with the regulations
contained in the Personal
Data Protection
Law No. 6698
("Law") are explained and thus, our Company provides the necessary
transparency by informing the personal data owners. With full awareness of our responsibility within this scope, your personal data is processed and protected within the scope of this
Policy.
1.2
Scope
This Policy relates to all
personal data of persons other than the employees of our Company (employees,
interns,
shareholders, officers
of our
Company), which are
processed automatically or non-automatically provided that they are part of any data
recording system.
Detailed information regarding the personal data owners in question can be found in Annex-2 ("Annex 2- Personal
Data Owners")
of this Policy, and the definitions used in this Policy and which should
be explained for completeness can be found in Annex-1 ("Annex 1- Definitions") of this Policy.
The activities carried
out by our Company
regarding the protection
of personal
data of Company
employees are managed under the
DESE Group Companies Employee
Personal Data Protection and Processing Policy,
which is organized in parallel with the principles in this Policy.
2.
SECTION - ISSUES RELATED TO THE PROCESSING OF PERSONALDATA
2.1
Personal Data Processing Principles
Our Company processes personal
data in accordance with the procedures and principles stipulated in the Law and
other relevant legislation.
2.1.1.
Processing in accordance with the Law and Good Faith
Personal data are processed in accordance with the rules of honesty, with transparent methods and by fulfilling the obligation to
inform. While fulfilling the disclosure obligation, if possible,
the purpose of
processing is explained
at the time of obtaining
the data and access to detailed
information is provided.
2.1.2.
Ensuring the Accuracy of Personal Data and Keeping it Up-to-Date When Necessary
Necessary administrative and technical
measures are
taken in data processing procedures to ensure that the processed data is accurate and up-to-date. Since a significant part of the data is processed on the basis of the declaration
of the Data Subjects, it
reflects these statements in the most accurate way and the Data Subjects
are given the opportunity to apply to update the data and correct errors, if any, in accordancewiththe
law.
2.1.3.
Processing for Specific, Explicit and Legitimate Purposes
As DESE Group Companies, the scope and content of personal data are
clearly defined and the
activities are processed
within the legitimate
purposes determined
in accordance
with the legislation.
2.1.4.
Personal Data is Relevant, Limitedand Proportionate to the Purpose for which it is Processed
We process personal
data in connection with
the purposes we have determined, in a
limited
and measured manner. Processing of personal data that is not relevant or not needed to be processed is avoided. For this reason,
personal data
of a special
nature is not processed unless
there is a legal
requirement or explicit consent is obtained when it is necessary to process it.
2.1.5.
Retention of Personal Data for the Periods Stipulated in the Legal Regulations or Required by
Legitimate Interests
Many regulations in
the legislation
require
personal data to be kept for a certain period
of time. Therefore,
processed personal data are stored for the period stipulated in the relevant legislation or for the period
required for the
purposes
of processing
personal
data.
In the event that the retention
period stipulated in the legislation expires or the purpose of processing
disappears, personal data are deleted, destroyed or
anonymized automatically or upon the
request of the data subject.
2.2
Processing of Personal Data
2.2.1
Processing of Personal Data
The explicit consent of the personal data owner is only one of the legal grounds that make it possible to process personal
data in accordance with the
law, and in the presence of one of the following conditions, personal
data is processed by our Company without seeking the explicit consent of the data
owner.
The basis of the personal data processing activity may be only one of the following conditions, or more than one condition may be the basis of the same personal data processing activity. In the event that the processed data is personal
data of
special
nature, the
conditions set out
in section 2.2.2 of this Policy ("Processing
of Personal Data of Special Nature") shall apply.
•
Explicitly stipulated in the law.
•
It is mandatory for the protection of the life or physical integrity of the person who is unable
to disclose his/her consent
due to actual impossibility or whose consent is not legally valid.
•
Provided that it is directlyrelated to the conclusion or performance of a contract, it is necessary to process personal
data of the parties to the contract.
•
It is mandatory for the data controller to fulfill its legal obligation.
•
It has been made public by the person concerned.
•
Data processing is mandatory for the establishment, exercise or protection of a right.
•
Data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
2.2.2
Processing of Special Categories of Personal Data
Some personal data
are regulated
separately as 'sensitive
personal
data' and are subject to special
protection. These data are of special importance due to the risk of causing
victimization or discrimination when processed unlawfully.
Sensitive personal data are processed by our Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and
technical measures, including the methods to
be determined by the Personal Data Protection Board ("Board") and in the presence of the following
conditions:
•
Sensitive personal data other than health and sexual life can be processed
with
the
explicit consent
of the data subject or without explicit consent in cases explicitly stipulated by law.
•
Sensitive personal
data relating
to health
and sexual
life may be processed by persons
under the obligation of confidentiality or authorized institutions
and organizations for the
protection of public
health, preventive medicine, medical diagnosis, treatment and care services,
planning and management of health
services and financing, if the data subject gives explicit consent or without
explicit consent.
2.3
Purposes of Processing Personal Data
The personal data processing
purposes of our Company within the scope of the personal data specified in this
Policy and the processing conditions of special categories of personal data in accordance
with the Law and other relevant legislation are as follows.
•
Planning and/or execution of our Company's human resources policies and processes,
•
Planning and/or execution of activities to
ensure the legal and technical security of our Company and related persons who
are in business relations with our Company,
•
Carrying out the necessary work and carrying out
the relevant business processes in order to benefit the
relevant persons from
the
products and/or services offered by and/or on behalf
and account of our Company,
•
Carrying out
the necessary work by
our relevant
business
units for the realization of the
commercial and/or operational activities carried out by our Company and carrying out the related
business processes,
•
Planning and/or execution of our Company's commercial and/or business strategies.
It is possible
to access detailed
information regarding the personal data processing purposes in question
from Annex-3
("Annex 3-
Personal Data
Processing Purposes") of this
Policy.
2.4
Categories of Personal Data Processed by Our Company
In accordance with the Law and
other relevant legislation provisions, our Company processes personal data of
personal data owners within the framework of the purposes and conditions
specified in this Policy in accordance with the Law and other relevant legislation
provisions, including identity,
communication, financial, customer, customer transaction, transaction security,
risk management, physical space
security, audit and inspection, legal transaction and compliance, reputation management, request
/ complaint
management, data of
family
members and
relatives, visual and audio,
marketing, vehicle, employee candidate, employee,
employee transaction, employee
performance and career
development, fringe benefits
and benefits,
insurance and special categories of personal data.
Detailed information on the personal data categories in question can be found in Annex 4 ("Annex 4 - Personal Data Categories") of this
Policy.
3.
SECTION - ISSUES RELATED TO THE
TRANSFER OF PERSONALDATA
Our Company may transfer personal
data and
sensitive
personal data to domestic and/or
foreign third parties
("Third Parties") by taking
the necessary
security
measures in
line with the lawful
personal data processing purposes. In this direction, our Company acts in
accordance with the principles set out in Articles 8 and 9 of the Law and
in accordance with the decisions taken
by the PDP Board.
3.1
Transfer of Personal Data
3.1.1.
Domestic Transfer
of Personal Data
Our Company may transfer personal data to third parties without seeking the explicit consent of the data owner in the
presence of the explicit consent of the
data owner or in the presence of the conditions
listed below, by taking due care and taking all necessary security
measures,
including the methods determined by the Board:
•
Explicitly stipulated in the law.
•
It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
•
Provided that it is directly related to the
conclusion or performance of a contract, it is necessary to process
personal
data of the parties to the contract.
•
It is mandatory for the data controller to fulfill its legal obligation.
•
It has been made public by the person concerned.
•
Data processing is mandatory for the establishment, exercise or protection of a right.
•
Data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.1.2.
Transfer of Personal Data Abroad
Personal data cannot be transferred abroad without the explicit consent of the data subject.
However, the existence of one of the reasons for compliance with the law contained in this Policy and the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 stipulated in the Law and in the foreign country where
the
personal data will
be transferred;
•
Adequate protection,
•
In the absence of adequate protection, the data may be transferred abroad without seeking the explicit consent of the data subject, provided that the data controllers in Turkey and in the relevant foreign country
undertake adequate protection in writing and the Board has the permission of the Board.
•
Countries with adequate protection shall be determined and announced by the Board.
•
The Board shall decide whether there is adequate protection in the foreign country and whether a permit shall be granted in accordance with subparagraph
(b) of paragraph 2;
•
a) International conventions to which Turkey is a party,
•
b) the reciprocity status regarding data transfer between the country requesting personal data and Turkey,
•
c) For each concrete personal data transfer, the nature of the personal data and the purpose and duration of
processing,
•
ç) The relevant legislation and practice of the country to which the personal data will be transferred,
•
d) It evaluates the measures undertaken by the data controller in the country where the
personal data will be transferred and decides,
if necessary, by
taking the opinion of the
relevant institutions and organizations.
In these cases, personal data may be transferred abroad without explicit consent.
3.2
Transfer of Sensitive Personal Data
Our Company may transfer special categories of personal data domestically or abroad in line with the purposes of lawful
data processing,
with due care and by taking the necessary security
measures, including
the methods specified by the Board, and inthe presence of the following conditions;
•
Sensitive personal
data other
than health
and sexual
life can be transferred if the data subject
gives explicit consent or in cases clearly stipulated in the
laws
without explicit consent.
•
Sensitive personal data relating to health and sexual life may be transferred by persons under the obligation of confidentiality or authorized institutions and organizations for the protection of
public
health, preventive medicine, medical diagnosis, treatment and care
services, planning and
management of health services and financing, if the data subject gives explicit consent or without explicit
consent.
If special categories of personal
data are to be transferred abroad, in
addition to the existence
of other processing conditions listed in
Article 6 of the Law in order to make the transfer without the explicit
consent
of the data subject,
our Company may transfer special
categories of
personal data to foreign countries with
adequate protection or to foreign countries where there is a data controller
who undertakes
adequate protection if the Board authorizes the relevant foreign transfer.
3.3
Groups of Persons to whom Personal Data is Transferred
Our Company may transfer personal
data to the categories of recipient groups listed below in accordance
with Articles 8 and 9 of the Law:
•
Legally Authorized Public Authority,
•
Legally Authorized Special,
•
Affiliation
•
Supplier
Detailed information regarding the third parties to whom such personal data are transferred can be found in
Annex 5 ("Annex 5 - Categories of
Third Parties to whom Personal Data are Transferred") of this Policy.
4.
SECTION
- STORAGE
AND DESTRUCTION OF PERSONAL DATA
Pursuant to the obligation to delete, destroy or anonymize personal data stipulated in the Turkish Penal Code, the Law and other relevant legislation, personal data shall be deleted, destroyed or anonymized in accordance with the ex officio decision of our Company or the request of the personal data owner if the reasons requiring its processing disappear, although it has been processed by our Company in accordance with
the law.
5.
SECTION
- ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA
Our Company takes
all necessary
measures
according to the nature of the data to be protected in order
to prevent
unlawful disclosure,
access, transfer of personal data or security weaknesses
that may arise for other reasons.
In this context, all necessary
administrative and technical measures are taken by our Company, an audit system is established within our Company, and
in case of unlawful disclosure of
personal
data, the
measures
stipulated in
the Law are acted in accordance with.
5.1
Administrative Measures Taken by Our Company to Ensure Lawful Processing of Personal
Data and to Prevent Unlawful
Access to
Personal
Data
•
There are disciplinary regulations for employees that include data security provisions.
•
Training and awareness raising activities on data security are carried out for employees at regular intervals.
•
Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
•
Confidentiality commitments are made.
•
Employees who are reassigned or leave their jobs are de-authorized in this area.
•
The signed contracts contain data security provisions.
•
Personal data security policies and procedures have been determined.
•
Personal data security issues are reported quickly.
•
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
•
Physical environments containing personal data
are secured
against
external risks
(fire, flood, etc.).
•
Security of environments containing personal data is ensured.
•
Internal periodic and/or random audits are conducted and commissioned.
•
Existing risks and threats have been identified.
•
Protocols and procedures for the
security
of sensitive
personal
data have been
determined and implemented.
•
Data processing service providers are
periodically audited on data security.
•
Awareness of data processing service providers on data security is ensured.
5.2
Technical Measures Taken by Our Company to Ensure Lawful Processing of Data and to Prevent
Unlawful Access to Personal Data
•
Network security and application security are ensured.
•
Closed system network is used for personal data transfers through the network.
•
Security measures are taken within the scope of procurement, development and
maintenance of information technology
systems.
•
The security of personal data stored in the cloud is ensured.
•
Access logs are kept regularly.
•
Up-to-date anti-virus systems are used.
•
Firewalls are used.
•
Personal data security is monitored.
•
Personal data is minimized as much as possible.
•
Personal data is backed up and the security of backed up personal data is also ensured.
•
User account management and authorization control system are implemented and
monitored.
•
Log records are made and made in a way that there is no user intervention.
•
Intrusion detection and prevention systems are used.
•
Penetration test is applied.
•
Cyber security measures have been taken and their implementation is constantly monitored.
5.3
Measures to be Taken in Case of Unlawful Disclosure of Personal Data
Within the scope
of personal data processing activities carried out by our Company, in the event that personal data is unlawfully obtained
by unauthorized
persons,
the situation
will be
notified
to the relevant persons and
the Board within 72 hours at the latest.
6.
SECTION - DISCLOSURE OF PERSONAL DATA SUBJECTS
In accordance with Article 10 of the Law, our Company fulfills its obligation to inform the personal data owners during
the acquisition
of personal
data.
Article 20 of the Constitution of the Republic of Turkey states that "Everyone has the right to request the protection of personal data concerning him/her. This right includes
the right to be informed about personal data concerning oneself, to
access such data, to request their correction or deletion, and to learn whether
they are used for their intended purposes. For this purpose, in accordance with
Article 11 of the Law, necessary information is provided in case the relevant
persons request information. Detailed information on the rights of the personal
data owner is provided in section 7.1 of this Policy ("Rights of the
Personal Data Owner").
7.
SECTION - RIGHTS OF THE PERSONAL DATAOWNERAND
EXERCISE OF THESE RIGHTS
7.1
Rights of the Personal Data Subject
•
Pursuant to the Law, the rights that personal data subjects may exercise are set out below:
•
Learn whether personal data is being processed,
•
Requestinformation if their personal data has been processed,
•
Personal
data processing
purpose and
of these for the purpose of appropriate
to find out if they are being
used,
•
To know the third parties to whom personal data are transferred domestically or abroad,
•
To request correction of personal data in case of incomplete or incorrect processing,
•
To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
•
To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through
automated systems,
•
In case of damage due to unlawful processing of personal data, it has the right to demand compensation for the damage.
7.2
Situations where Data Subjects cannot assert their rights
In the cases specified in Article
28 of the Law, personal data owners will not be able to assert their rights specified
in Article 11 of the Law.
Although these situations constitute exceptions, they are outside the scope of data protection
of the Law. These situations are stated below:
•
Processing of personal data by natural persons
within the scope of activities related to themselves or their family members living in the same residence, provided that personal data are
not disclosed to third parties and the obligations regarding data security are
complied with.
•
Processing of personal data for purposes such as
research, planning and statistics by anonymizing them with official statistics.
•
Processing of personal
data for
artistic, historical, literary
or scientific
purposes
or within the scope of freedom
of expression, provided that such processing does not violate national
defense, national security, public security, public order, economic security, privacy or personal
rights or constitute a crime.
•
Processing of personal data within the scope of
preventive, protective and intelligence activities carried out
by public
institutions and organizations
authorized by law to ensure
national defense,
national
security, public
security, public order
or economic
security.
•
Processing of personal data by judicial or
enforcement authorities in relation to investigations, prosecutions, trials or executions.
In the cases
listed
below, personal
data owners
cannot
assert their
other
rights listed
in Article 11 of
the Law, except for the right to
demand compensation for the damage:
•
Processing of personal data is necessary for the prevention of crime or criminal investigation.
•
Processing of personal data made public by the data subject himself/herself.
•
Personal data processing is necessary for the execution of supervisory or regulatory duties
and
disciplinary investigation or prosecution by the authorized and authorized
public institutions and organizations and professional organizations in the
nature of public institutions based on the
authority granted by
law.
•
Processing of personal
data is necessary for
the protection
of the economic
and financial interests
of the State in relation to budgetary, tax and fiscal matters.
7.3
Exercise of Rights by Personal Data Subjects
Personal data owners may submit their requests regarding the exercise of the rights specified in Article 11 of the Law to
....
By filling out the Company
Relevant Person
Application Form in writing or by registered electronic mail (KEP)
address, secure electronic signature, mobile signature or by using your
e-mail address that you have
previously notified to our Company and registered in our system.
7.4
Responding to Applications by our Company
All necessary administrative and technical
measures are taken to finalize the
applications
to be made by the personal data owner effectively, in accordance with the law and the rule of honesty.
Our company may accept the
applications of the personal data owner or reject them by explaining
the reason. Our Company
will be
able to notify
the relevant
response
to the personal data owner
in writing or electronically.
In the event that
the
personal data owner submits
his/her request regarding the rights under section 7.1 ("Rights of the Personal Data
Owner") to our Company in accordance with the procedures mentioned
in section 7.3 ("Exercise of Rights
by Personal
Data Owners"),
our
Company will finalize
the relevant
request
free of charge
as soon as
possible
and within 30 (thirty) days at the latest, depending on
the nature of the request.
However, if the transaction requires
an additional cost, the Data
Controller may request the fees in the tariff determined by the Board from the applicant.
ANNEX-1 -
DEFINITIONS
|
Personal Data
|
Any information
relating to an
identified or identifiable
natural person,
|
|
Board
|
Personal Data Protection Board,
|
|
Processing of
Personal Data
|
Obtaining, recording, storing,
preserving, maintaining, changing personal data by fully or
partially automatic means or
by non-automatic
means provided that it is part of
any data recording system, any operation
performed on the data, such
as rearranging, disclosing, transferring, taking over,
making available,
classifying or preventing its
use,
|
|
Data Processor
|
A natural or
legal
person who
processes personal data
on behalf
of the data
controller based on the
authorization granted by the data controller, |
|
Data Recording System
|
Recording system
where personal
data
is structured
and processed
according to certain criteria |
|
Data Controller
|
The natural or legal
person
who determines
the purposes
and means of
processing personal data and is
responsible for the establishment and management of the data recording
system, refers to.
|
|
Data Owner
|
The natural person
whose personal
data
is processed,
|
|
Open Consent
|
Consent on a specific subject, based
on information
and expressed
with
free will
|
|
Sensitive Personal Data
|
Data relating to race, ethnic
origin, political
opinion, philosophical belief,
religion, sect or other beliefs, appearance and dress, membership of
associations, foundations or trade unions, health, sexual life, criminal
convictions and security measures, and biometric and genetic data are
sensitive personal data. |
ANNEX-2 - PERSONAL DATA SUBJECTS
|
DATA
OWNER
|
EXPLANATION
|
|
Employee /
Trainee Candidate
|
It means real
persons who
have
applied for
a job
to our
Company
by any means
or who have
opened
their CV
and related
information to our
Company's review.
|
|
Former Employee
|
Natural persons whose
employment contract with
our Company
has been
terminated for any reason (resignation, dismissal, retirement, etc.).
|
|
Customer
|
It
means real
persons who use
or have
used
the products
and
services offered
by our Company.
|
|
Legal Entity
Customer Employee
/
Officer / Sharehold er
|
Real
persons
who are
shareholders, officers or
employees of our
legal
entity customers who use or have used the products and services
offered by our Company
means.
|
|
Invoice Issuance Person or Delivery To be done
Person (Non-
Customer)
|
During the
utilization of the services provided by our company by our customers, the
invoice is issued on behalf of another real person or the service means the real persons subject to
this request
in the
event
that he/she
requests the realization on behalf of someone else.
|
|
Contest Participant
|
It
means real
persons who participate
in our
Company's campaigns or competitions.
|
|
DATA
OWNER
|
EXPLANATION
|
|
Family Members
|
Family
members or relatives
of persons
who have
benefited from or
been
injured by the products or services of our Company.
|
|
Visitor
|
It means
real persons
who visit
our
Company's premises
or websites
or who have
joined our Company's guest
internet network.
|
|
Lessor
|
It means
the real
persons
who rent
out the
real
estates rented
for
our Company's locations.
|
|
Group Company
Shareholder / Officer / Employee
|
Shareholders/officials/employees of companies directly or indirectly
controlled by the controlling shareholder or shareholders of our Company
|
|
Business Partner Sharehold
er / Officer /
Employee
|
Real
persons who are shareholders,
officers or employees of legal entity companies with which
our Company
has established
or intends
to establish
a cooperation, business partnership or
program partnership.
|
|
Supplier
|
Real
persons who
are shareholders,
officers or employees
of companies
that provide goods and/or services to
our Company pursuant to an existing or prospective contract with our Company
|
ANNEX 3 - Purposes of Processing Personal Data
|
MAIN OBJECTIV ES (PRIMARY
)
|
SUB-OBJECTIVES (SECONDARY)
|
|
The
human resources policies and processes of our company planning
and/or
execution
|
Planning
and/or
execution of
employee induction and/or
personnel processes
|
|
|
Planning and/or execution
of the
application, selection and
evaluation processes of employee
candidates
|
|
|
Planning
and/or execution of internal/external communication activities necessary for the placement of employee
candidates and/or students
and/or interns
|
|
|
Planning
and/or
execution of
reference and/or intelligence
activities in personnel recruitment activities
|
|
|
Planning
and/or
execution of
activities to meet
employee information/document requests
|
|
|
Planning and/or execution
of internal
orientation activities
|
|
|
Planning and/or execution
of personnel
appointment/promotion processes
|
|
|
Planning and/or execution
of talent/career
development activities
|
|
|
Planning
and/or
execution of
activities to be
carried out within
the framework
of occupational health and/or safety
|
|
|
Planning
and/or
execution of
employee performance/talent evaluation
processes
|
|
|
Planning and/or execution of human resources processes
|
|
MAIN OBJECTIV ES (PRIMARY
)
|
SUB-OBJECTIVES (SECONDARY)
|
|
|
Planning and/or execution
of internal/external training activities
|
|
|
Planning and/or execution
of fringe
benefits and/or benefits
for employees
|
|
|
Planning and/or execution
of employee
satisfaction and/or engagement processes
|
|
|
Planning and/or execution
of the processes of receiving and evaluating suggestions from employees for
improving business processes and/or increasing employee productivity
|
|
|
Planning and/or execution
of corporate communication for employees and/or corporate social
responsibility and/or non-governmental organization activities in which
employees participate
|
|
|
Employees' domestic/international travels (events
|
|
|
Planning and/or execution
of employee
remuneration
|
|
|
Planning
and/or
execution of
processes for providing
incentive and reward
services to employees
|
|
|
Making internal information
announcements in case
of recruitment,
appointment, promotion, special occasions and/or exit
|
|
|
Fulfillment
of obligations
arising
from the
employment contract and/or
legislation for employees
|
|
MAIN OBJECTIV ES (PRIMARY
)
|
SUB-OBJECTIVES (SECONDARY)
|
|
Our Company
and our business with our Company in a relationship
with the relevant
planning
and/or execution of activities to ensure the legal and technical security of
persons
|
Planning and/or
execution of
the
necessary operational activities to ensure that the
Company's activities are carried
out in accordance with Company procedures and/or relevant legislation
|
|
|
Planning and/or execution
of corporate
and partnership
law transactions
|
|
|
Follow-up of legal
affairs
|
|
|
Legislative obligations to
official institutions and/or
organizations
Providing
information within the
scope,
submitting the
requested information and documents and/or recording the responses
|
|
|
Ensuring that data
is accurate
and/or
up-to-date
|
|
|
Ensuring the security
of company
operations
|
|
|
Planning, auditing and/or
execution of information
security processes
|
|
|
Establishment and/or management
of information
technology infrastructure
|
|
|
Planning and/or execution
of our
Company's legal compliance
activities
|
|
|
Planning and/or execution
of authentication
activities
|
|
|
Planning
and/or
execution of
internal/external audit,
inspection and/or
control activities of our Company
|
|
MAIN
OBJECTIV
SUB-OBJECTIVES (SECONDARY) ES
(PRIMARY
)
|
|
|
|
Planning
and/or
execution of
activities related to
the prevention,
detection, investigation and/or
finalization of fraud cases
|
|
|
Follow-up of contract
processes and/or legal
requests
|
|
|
Ensuring the security
of company
fixtures and/or resources
|
|
|
Planning and/or execution
of emergency
and/or
incident management processes
|
|
|
Ensuring the security
of company
premises and/or facilities
|
|
|
Creation and/or follow-up
of visitor
records
|
|
|
Planning and/or execution
of network
monitoring and management
activities
|
|
By the Company and/or
The appreciation
and use
of the products and services offered on behalf and account of our Company by the
relevant persons customized
according to their habits and needs planning
and/or execution of the activities
necessary for its recommendati on
and promotion to
relevant persons
|
|
|
|
Planning
and/or
execution of
activities for customer
satisfaction and/or experience
|
|
MAIN
OBJECTIV
SUB-OBJECTIVES (SECONDARY) ES
(PRIMARY
)
|
|
|
|
Planning
and/or
execution of
campaign and/or promotion
and/or
publicity processes
|
|
|
Identification
and/or
evaluation of
people
to be subject to
marketing activities in line with consumer behavior criteria
|
|
|
Design
and/or
execution of
personalized marketing (segmentation, profiling, etc.) and/or promotional
activities
|
|
|
Design
and/or
execution of
advertising and/or promotion
and/or
marketing activities in digital and/or other media
|
|
|
Design
and/or
execution of
activities to be
developed on customer
acquisition and/or value creation for
existing customers in digital and/or other channels
|
|
|
Planning
and/or
execution of
data
analytics and/or
data
enrichment activities for
marketing purposes
|
|
|
Planning
and/or
execution of
cross-selling activities related
to other
products offered by our Company
|
|
|
Planning
and/or
execution of
market
research activities
for sales
and/or marketing of products and
services
|
|
|
Planning
and/or
execution of
the
processes of
creating and/or increasing
loyalty to the products and/or services offered by our Company
|
|
|
Planning
and/or
execution of
campaign performance measurement and reporting activities
|
|
|
Planning and/or execution
of marketing
processes of products
and/or
services
|
|
MAIN
OBJECTIV
SUB-OBJECTIVES (SECONDARY) ES
(PRIMARY
)
|
|
|
|
Planning and/or execution
of raffle/competition activities
|
|
|
Planning
and/or
execution of
activities related to
surveys
conducted by
our Company
|
|
By our Company and/or Products
and/or
services offered on behalf
and account of our
Company
Carrying out the necessary work to benefit
the relevant people and
carrying
out the
relevant business processes
|
|
|
|
Creation
and/or
follow-up of
application and/or sales
processes for products and/or
services
|
|
|
Planning and/or execution
of customer
relationship management processes
|
|
|
Planning and/or execution
of virtual
pos/cash collection transactions
|
|
|
Planning and/or execution
of activities
related
to the
delivery of products
|
|
|
Evaluation
of customer
requests and/or complaints
collected through digital
and/or other channels
|
|
|
Realization and/or follow-up
of payment
transactions of products/services
|
|
|
Planning and/or execution
of activities
related
to invoice
issuance, verification and/or cancellation
|
|
MAIN
OBJECTIV
SUB-OBJECTIVES (SECONDARY) ES
(PRIMARY
)
|
|
|
The commercial
and/or operational activities carried out by our Company necessary work
by our relevant
business units for
the realization of and
execution of related
business processes
|
|
|
|
Follow-up of financial
and/or
accounting affairs
|
|
|
Planning
and/or
execution of
activities for conducting
effectiveness/efficiency and/or
relevance analysis of business activities
|
|
|
Planning
and/or
execution of
activities for conducting
effectiveness/efficiency and/or
relevance analysis of business activities
|
|
|
Planning and/or execution
of corporate
governance activities
|
|
|
Planning and/or execution of business continuity activities
|
|
|
Planning and/or execution
of procurement
processes
|
|
MAIN
OBJECTIV
SUB-OBJECTIVES (SECONDARY) ES
(PRIMARY)
|
|
|
|
Planning and/or execution of business activities
|
|
|
Planning and/or execution
of operations
and/or
efficiency processes
|
|
|
Defining
and/or
auditing the
authorization of our
employees and persons outside
the Company to access information
|
|
|
Planning
and/or
execution of
activities to ensure
the business
follow-up of 3rd party
employees who have a business relationship with our Company
|
|
|
Planning and/or execution
of satisfaction and loyalty activities
for business partner/supplier employees/authorities/shareholders
|
|
|
Planning and/or execution
of internal/external reporting activities
|
|
Planning and/or
execution of
our Company's commercial
and/or business strategies
|
|
|
|
Management of relationships with business partners
and/or suppliers
|
|
MAIN
OBJECTIV
SUB-OBJECTIVES (SECONDARY) ES
(PRIMARY
)
|
|
|
|
Planning and/or execution
of strategic
planning activities
|
|
|
Conducting and/or executing
budget
studies
|
|
|
Planning and/or execution
of the
Company's financial risk
processes
|
|
|
Planning
and/or
execution of
risk
assessment activities and/or
feasibility studies for potential business partner/supplier selection
|
ANNEX
4 - Categories
of Personal Data
|
PERSONAL
DATA
CATEGORIES
|
EXPLANATION
|
|
Identity Information
|
Driver's licenses, identity cards,
passports, professional IDs and similar documents that clearly
belong
to an identified or
identifiable natural person
means all information contained in the documents.
|
|
Contact Information
|
It means telephone number, address,
e-mail
and similar
contact
information that clearly belongs to an identified or identifiable
natural person.
|
|
Financial
Information
|
It is
clear
that it
belongs to an
identified or identifiable
natural person, partially or
completely automatically
or by
means of a data recording system
means personal data processed
in relation
to information,
documents and records showing all kinds of financial results that are processed
non- automatically as part of the data processing process.
|
|
PERSONAL
EXPLANATION
DATA CATEGORIES
|
|
|
Customer Information
|
Means data
relating to
the customer
obtained during the
performance of our commercial
activities, which clearly belongs
to an identified or identifiable natural person.
|
|
Customer Transaction
Information
|
Records for the use
of our products
and services that clearly belong to an identified or identifiable
natural person, such
as our
customer's instructions and requests for the use of our products and
services
means information.
|
|
Transaction
Security Information
|
It
means personal data that clearly
belongs to an identified or identifiable natural person and
is processed
to ensure
the technical,
administrative, legal and commercial security of our Company while carrying
out our Company's commercial activities.
|
|
Risk Management
Knowledge
|
Clearly belonging to
an identified
or identifiable
natural person,
It means personal
data processed in
order to minimize the risks in accordance with our Company's policies and legislative
obligations.
|
|
Physical Space
Security Information
|
It means personal
data relating to
records and documents taken at the entrance
to the
physical space, during
the stay
in the
physical space, which
clearly belong to an identified or identifiable natural person.
|
|
Audit and Inspection Knowledge
|
Clearly
belonging to an
identified or identifiable
natural person,
It means
personal data
processed within the
scope
of compliance
with
our Company's legal obligations and Company policies and audit.
|
|
Legal Procedure and Compliance Knowledge
|
With
the determination and follow-up
of our legal receivables and rights and the performance of our
debts,
which clearly
belong
to an identified or
identifiable natural person
means personal
data processed
within
the scope
of our
legal
obligations and compliance
with our Company's policies.
|
|
Reputation Management Knowledge
|
It
means information
that
clearly belongs
to an
identified or identifiable
natural person, information collected for the purpose of protecting the
commercial reputation of our Company and information about the evaluation
reports and actions taken.
|
|
Request/Compla int Management
Information
|
It
means personal
data
relating to
the receipt
and evaluation
of all
kinds
of requests and/or complaints addressed to our Company, which clearly
belong to an identified or identifiable natural person.
|
|
PERSONAL
EXPLANATION
DATA CATEGORIES
|
|
|
Family Members and Relatives
|
means information about the family
members and relatives of our
customers or
employees, which clearly
belongs to an
identified or identifiable natural person
|
|
Audiovisual Data
|
Photographs,
videos, etc., which clearly
belong to an identified or identifiable natural person,
means data
of visual
or auditory
nature.
|
|
Vehicle Information
|
It means
information about
the vehicles
associated with the
data subject,
which clearly belongs to an identified or identifiable natural person.
|
|
Employee Candidate
Information
|
It means
the CV
information of our
employee and/or internship
candidates who have applied for a job
to our company in any way.
|
|
Employee Information
|
It
means the information that will be the
basis for the creation of the personal rights and files of our employees and/or the
employees of the company
we cooperate
with,
which clearly
belongs
to an
identified or identifiable natural person.
|
|
Employee Transaction
Information
|
It means personal data that
clearly belongs to
an identified
or identifiable
natural person and is related to our employees and/or their business and transactions.
|
|
Employee Performance and Career
Development Information
|
Within the scope of our Company's human
resources policies and procedures, our employees, whose identity
clearly belongs to
an identified
or identifiable real person, are evaluated for their performance and career development.
means
personal data processed for the purposes of planning
and execution.
|
|
Benefits and
Benefits Information
|
The planning of the fringe
benefits and benefits that we offer and will offer to our employees, which
clearly belong to an identified or identifiable natural person, and the
objective criteria for entitlement to them
means personal
data processed for the
determination and follow-up of entitlements.
|
|
Insurance Information
|
It means personal data
relating to the insurances provided by our Company in favor of its employees,
which clearly belongs to an identified or identifiable natural person.
|
|
PERSONAL
EXPLANATION
DATA CATEGORIES
|
|
|
Sensitive Personal
Data
|
Data
relating to
race,
ethnic origin,
political opinions, philosophical beliefs, religion, sect or other
beliefs, appearance and dress, membership of associations, foundations or
trade unions, health, sexual life, criminal convictions and security
measures, and biometric and genetic data, which clearly belong to an
identified or identifiable natural person.
|
ANNEX
5 - Categories
of Third Parties
to whom Personal
Data is Transferred
|
Suppliers
|
Parties
that provide goods or services for our Company to continue its commercial activities in line
with the
instructions received from
the Company
and based on the contract between the Company and our Company.
|
|
THIRD PERSON S
|
EXPLANATION
|
|
Legally
|
Public institutions and
organizations legally authorized
to receive
|
|
Authorized
|
information and documents
from
our Company.
|
|
Public
|
|
|
Authority
|
|
|
Legally
|
Private law persons
legally authorized to
receive information and documents
|
|
Authorized
|
from
our Company.
|
|
Private
|
|
|
Institution
|
|
|
Subsidiary
|
Subsidiaries
of our
Company
means legal
entities.
|