POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Effective Date: 01.01.2020 / Revision No: 01
CONTEXT
I. INTRODUCTION
II. AIM
III. DEFINITIONS
IV. PRINCIPLES TO BE APPLIED IN THE PROCESSING OF PERSONAL DATA
4.1 Carrying out Personal Data Processing Activities in Compliance with the Law and the Rule of Integrity
4.2 Ensuring Personal Data Are Accurate and Up-to-Date When Necessary
4.3 Processing of Personal Data for Specific, Explicit and Legitimate Purposes
4.4. Relating to the Purpose for which Personal Data is Processed, Limited and Measured
4.5 The Period Required for the Purpose for which Personal Data is Processed or Envisioned in the Relevant Legislation
Keeping Up
V. PERSONAL DATA PROCESSING CONDITIONS
VI. OBLIGATIONS OF THE COMPANY AND ITS AFFILIATES
6.1 Obligation to Inform Personal Data Owner
6.2 Obligation to Respond to Applications of Personal Data Owners
6.3 Obligation to Ensure the Security of Personal Data
6.3.1 Taking Technical and Administrative Measures for the Provision of Legal Data Processing
6.3.2 Taking Technical and Administrative Measures to Prevent Unlawful Access to Personal Data
6.4 Obligation to Register in the Data Controllers Registry
VII. ORGANIZATIONAL STRUCTURE WITHIN THE COMPANY
I. INTRODUCTION
With this Policy, WECODE Digital Services A.Ş. The principles that will be adopted by our company and applied in all our activities are set forth. The basic principles regarding how our company will comply with the regulations stipulated in the Law on the Protection of Personal Data No. 6698 (“KVKK”) are determined.
II. AIM
This Policy, WECODE Digital Services A.Ş. It has been prepared with the aim of ensuring that the compliance activities to be carried out in particular are managed and coordinated at the highest level. Our company undertakes to make all necessary arrangements to harmonize its internal functioning in line with the principles set out in this policy, to prepare the necessary infrastructure for the awareness of its employees and business partners, and to plan training and information activities.
III. DEFINITIONS
Open Consent:
Consent on a specific subject, based on information and expressed with free will.
Anonymization:
Modification of personal data in such a way that it loses its quality as personal data and this situation cannot be undone.
Personal Data Owner:
The natural person whose personal data is processed.
Personal Data:
Any information relating to an identified or identifiable natural person. Information about legal entities is not considered Personal Data and is outside the scope of the law.
Special Qualified Personal Data:
Biometric and genetic data as well as data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, membership of associations, foundations or unions, health, sexual preferences, criminal convictions and security measures.
Processing of Personal Data:
Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or making personal data fully or partially, automatically or non-automatically provided that it is a part of any data recording system. Any operation performed on the data, such as preventing its use.
Data Processor:
The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller:
The natural or legal person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (Data Recording System).
IV. PRINCIPLES TO BE APPLIED IN THE PROCESSING OF PERSONAL DATA
This policy is issued by WECODE Digital Services Inc. It is a continuous guide on how it implements the rules set forth by the KVKK and the relevant legislation.
In this context;
All of our company's management staff and employees constantly analyze the personal data processing activities they carry out within their own body by following this Policy, determine the necessary actions to comply with this Policy and take all kinds of technical and administrative measures. After the determined actions are implemented, internal control mechanisms are operated to ensure the continuity of compliance with the Policy.
In order to ensure compliance with this Policy within our company, training and information activities are organized periodically to increase the awareness of the employees, the necessary compliance processes are carried out for the new employees and the necessary arrangements are made in the relations of our company with the business partners.
In order to ensure compliance with KVKK, personal data is processed by our company in accordance with the general principles and provisions stipulated in the legislation. In this context, the principles and conditions that should be taken into account by our company in all personal data processing activities are discussed in this section. In this respect, the principles to be taken into account during the processing of personal data are listed under the following headings:
4.1 Carrying out Personal Data Processing Activities in Compliance with the Law and the Rule of Integrity:
WECODE Digital Services Inc. acts in accordance with the law and honesty rules within the scope of personal data processing activities. In this context, our company processes only as much personal data as necessary in accordance with the principles of proportionality and necessity in the processing of personal data, and personal data that is not directly related to our business is excluded from the scope of processing.
4.2 Ensuring Personal Data Are Accurate and Up-to-Date When Necessary:
Our company ensures that the personal data it processes is accurate and up-to-date, and takes the necessary measures by establishing the appropriate infrastructure for this purpose. In this direction, systems that will allow personal data owners to correct and update their personal data are developed and put into service within the company.
4.3 Processing of Personal Data for Specific, Explicit and Legitimate Purposes:
Our company processes personal data for specific, clear and legal reasons. In this context, the purpose for which personal data will be processed is determined in advance and it is observed that these purposes are legitimate and in compliance with the law. The personal data processing purposes we have determined are presented to the data owners before their personal data is processed. Personal data is never processed except for the stated purposes.
4.4 Personal Data Being Related to the Purpose for which they are Processed, Limited and Measured:
Our company processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or that is not needed. In this context; Personal data processing activity for the realization of a new purpose that emerges after the personal data is obtained is not carried out without the consent of the relevant person.
4.5. Retention of Personal Data for the Period Envisioned in the Relevant Legislation or Necessary for the Purpose of Processing:
Our company preserves personal data only for the periods stipulated in the law or for the purpose for which they are processed.
V. TERMS OF PROCESSING PERSONAL DATA
As a rule, personal data is processed based on one or more of the personal data processing conditions specified in Article 5 of the KVKK. In this context, our company evaluates whether personal data processing activities fall within the scope of one of these conditions, and personal data processing activities that are not based on one of these conditions are immediately terminated.
It is regulated in the KVKK that special measures can be introduced for the processing of personal data of a special nature. In this context, measures to be determined by the Board are taken immediately when processing sensitive personal data.
With regard to the transfer of personal data to third parties in the country or abroad, the necessary infrastructure and organizational structure are designed and operated in order to act in accordance with the regulations stipulated in Articles 8 and 9 of the KVKK.
While transferring personal data, necessary security measures are taken in line with the processing purposes. In order to prevent the unlawful processing of personal data, necessary audit and control systems are established within the company and internal awareness is created.
VI. OBLIGATIONS OF THE COMPANY AND ITS AFFILIATES
6.1. Obligation to Inform Personal Data Owner:
Our company enlightens the persons whose data will be processed during the acquisition of personal data, on how their data will be processed. In the KVKK, the minimum issues that should be included in the information are listed. Information is provided on the following matters:
(1) WECODE Digital Services A.Ş. Identity of the Company and its representative, if any,
(2) The purpose for which personal data will be processed,
(3) To whom and for what purpose personal data can be transferred,
(4) Method and legal reasons for collecting personal data,
(5) Rights of the personal data owner. In this context, first of all, personal data collection channels are determined by our company and information texts are determined for each channel.
6.2 Obligation to Respond to Applications of Personal Data Owners:
Personal data owners can use their rights in KVKK regarding their own data by applying in writing or by other methods to be determined by the Board. In this context, our company takes the necessary administrative and technical measures to fulfill its obligations under Article 13 of the KVKK in order to fulfill the rights of personal data owners.
Within the scope of KVKK, personal data owners have the following rights:
(1) Learning whether personal data is processed or not,
(2) If personal data has been processed, requesting information about it,
(3) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
(4) To know the third parties to whom personal data is transferred in the country or abroad,
(5) Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
(6) Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist despite the fact that it has been processed in accordance with the provisions of the KVKK and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
(7) Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
(8) To request the compensation of the damage in case of loss due to unlawful processing of personal data.
Only the written requests of personal data owners are processed. Our company responds to the relevant request as soon as possible and within thirty days at the latest, depending on the nature of the request.
As a result of the evaluation, our company may accept the applications and take the necessary actions or reject the applications with justification. The right to file a complaint with the Board within 30 days is reserved if the personal data owner does not receive a response to his/her application in due time or if his/her application is rejected with justification. In this regard, necessary information is given to personal data owners in advance.
6.3 Obligation to Ensure the Security of Personal Data:
WECODE Digital Services Inc. takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes and to prevent the illegal access to the data and to ensure the preservation of the data. In the event that the Board imposes additional obligations and regulations regarding data security in the future, maximum security is ensured by making reasonable efforts to comply with the said obligations and regulations.
Our company establishes the infrastructure to carry out and have the necessary inspections carried out regarding the technical and administrative measures it carries out. The results of these audits are evaluated by the units in charge of our company and necessary actions are taken immediately.
Our company is obliged to inform the relevant personal data owners and the Board in accordance with the legislation as soon as possible, in case the processed personal data is obtained by others illegally. When situations posing a security risk are detected by our company, measures to eliminate the risk are taken immediately.
6.3.1 Taking Technical and Administrative Measures for the Provision of Legal Data Processing:
The following measures are taken by our company for the legal processing of personal data and are constantly followed:
(1) All processes related to data processing activities within our company are analyzed on the basis of business units, and a "Personal Data Processing Inventory" is prepared in this context.
(2) In accordance with the Personal Data Processing Inventory, the actions to be taken to ensure compliance with the law are determined on a unit basis.
(3) The personal data processing processes carried out are developed, audited by technical systems and reported to the relevant units.
(4) Our company's employees are regularly informed about the legal processing of personal data and the sanctions of illegal data processing. informed and trained.
(5) Regular audits are carried out to raise awareness among employees and necessary administrative measures are implemented through our company's internal policies.
(6) Records regarding the confidentiality of the shared personal data and how they should be processed and stored are added to the contracts and documents governing the legal relationship between our company's employees, affiliates, business partners, suppliers and customers.
(7) Access to personal data is limited to employees assigned for the purpose of processing. Employees are prevented from accessing personal data that they do not use due to their duties.
6.3.2 Taking Technical and Administrative Measures to Prevent Unlawful Access to Personal Data:
In order to prevent unlawful access to personal data, the following measures are taken by our company and are constantly followed:
(1) In order to prevent access to systems and locations where personal data is stored, technical measures are taken within the framework of current technology opportunities, and the measures taken are updated periodically.
(2) Access and authorization technical processes are designed and activated by our company in accordance with business unit-based legal compliance requirements.
(3) The technical measures taken are periodically reported to the relevant person, and technological solutions are produced for issues with security risks.
(4) Relevant software and systems, including software and hardware containing virus protection systems and firewalls, are installed and operated.
(5) Our company's employees are trained on the technical measures taken in this context, additionally, knowledgeable personnel are employed in technical matters or outsourced services are outsourced.
(6) A commitment is taken from the employees of our company that they will not disclose the personal data they have learned to others in violation of the provisions of the KVKK and cannot use them for purposes other than processing. This commitment is arranged to continue even after they leave the job.
(7) Provisions regarding taking the necessary security measures for the protection of personal data shall be added to the contracts concluded by our company with the persons to whom personal data is transferred.
6.4 Obligation to Register in the Data Controllers Registry:
Our company will register in the Data Controllers Registry by submitting the application information and documents listed in the KVKK within the period to be determined and announced by the Board. The information to be presented is listed below:
(1) WECODE Digital Services A.Ş. and the identity and address information of the representative, if any,
(2) The purpose for which personal data will be processed,
(3) Explanations about the data subject group and groups and the data categories of these persons,
(4) Recipient or recipient groups to whom personal data can be transferred,
(5) Personal data intended to be transferred to foreign countries,
(6) Measures taken regarding personal data security,
(7) The maximum period required for the purpose for which personal data is processed.
VII. ORGANIZATIONAL STRUCTURE WITHIN THE COMPANY
In order to manage this policy and other related and related policies within our company, the "Personal Data Protection Committee" responsible for the fulfillment of the actions determined by the senior management for compliance, or the person who will be responsible for this matter, is appointed.
In this context, the following minimum actions are taken by the Committee or assigned personnel:
(1) To determine the basic policies regarding the processing and protection of personal data and what needs to be done to comply with the legislation,
(2) Submitting the determined basic policy and action steps to the approval of the senior management; to monitor and coordinate its implementation,
(3) To decide how the policies regarding the processing and protection of personal data will be implemented and how the audit will be carried out, to make necessary assignments after obtaining the approval of the senior management,
(4) To determine the risks that may arise in the personal data processing activities of the company and to ensure that the necessary measures are taken; submitting improvement suggestions to the top management for approval,
(5) To ensure that employees are trained on the protection of personal data and Company policies,
(6) To decide on the applications of personal data owners at the highest level,
(7) To make necessary arrangements within the company for the company to fulfill its obligations under KVKK,
(8) To follow the developments on the protection of personal data; To advise the senior management on what to do within the scope of these developments,
(9) Managing the relations with the Institution and the Board.
This policy document consists of 7 items and It was approved by the Board of Directors of WECODE Digital Services Inc. on 01 January 2017 and entered into force.