İntroduction
1.1. Generally
Ensuring the confidentiality and security of personal data and compliance with the relevant legal regulations are among the top priorities of Albayrak Holding and Group Companies (‘‘ Company ”), and maximum care is taken in this regard. In this context, this KVK Policy (“Policy”) regarding the processing and protection of personal data and the process managed by other written policies within the Company and the targeted purpose; Our customers, potential customers, employees, employee candidates, visitors and other third parties (“Related Persons”) are informed about the processing, storage and protection of their personal data in accordance with the law and reflecting our corporate culture.
In the preparation of this Policy; Constitution of Turkey and 6698 numbered Personal Data Protection Act (the ” KVKK ”) located regulations, especially in the legal norms relevant for the protection of personal data and the Personal Data Protection Committee of the provisions in the decisions we see as our company guide.
In this Policy, explanations regarding the following basic principles adopted by our Company for the processing of personal data will be made:
– Processing of personal data in accordance with the law and honesty rules,
– Keeping personal data accurate and up-to-date when necessary,
– Processing personal data for specific, clear and legitimate purposes,
– Being connected, limited and measured for the purposes for which personal data are processed,
– Keeping personal data for the period stipulated in the relevant legislation or for the purpose for which they are processed,
– Illumination of the relevant persons,
– Creating the necessary processes for the relevant persons to exercise their rights,
– Taking necessary measures in the processing and preservation of personal data,
– Transfer of personal data to third parties in line with the requirements of the processing purpose,
– Showing the necessary sensitivity in the processing and protection of special quality personal data,
– Deletion, destruction or anonymization of personal data whose purpose of processing is lost.
- Purpose of the Policy
The main purpose of this Policy is to make explanations on the personal data processing activities carried out by our Company in accordance with the law and the procedures adopted for the protection of personal data and to provide transparency by informing the Relevant Persons in this context. In addition, this KVK Policy and other written policies aim to make our principle of compliance with the Personal Data Protection Law and other relevant legal regulations regarding personal data security sustainable.
- Scope of the Policy
The scope of this policy is for natural persons whose personal data are processed by our Company automatically or by non-automatic means provided that they are part of any data recording system, and an Internal Directive on the Protection of Personal Data has been created within the scope of this Policy.
- Implementation of the Policy and Relevant Legislation
This Policy has been concretized and arranged within the principles set forth by the relevant legislation. Our company undertakes and accepts that in case of inconsistency between the legislation in force and this Policy, the applicable legislation will apply.
- Enforcement of the Policy
This policy is approved by the Board of Directors of our Company, published on the website (https://albayrak.com.tr) and made available to the Related Persons by this way.
DEFINITIONS AND ABBREVIATIONS
| Open Consent | Consent on a specific subject, based on information and expressed with free will. |
| Constitution | 1982 dated T.C. Constitution. |
| Anonymous status
Import / Anonymization |
Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching other data. |
| Employee Candidate | Real persons who have applied for a job to our Company in any way or who have submitted their CV and related information to our Company for review. |
| Related person | The natural person whose personal data is processed. |
| Personal Data | Any information pertaining to an identified or identifiable natural person. |
| Processing of Personal Data | Your personal data completely or partially automated, or be part of any data recording system to record non-automatic means obtaining, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, can be obtained, making classification such as the Prevention of the use or any operation that is performed on the data. |
| Committee | Personal Data Protection Committee |
| Board – establishment | Personal Data Protection Board. |
| Institution | Personal Data Protection Authority |
| KVKK | Personal Data Protection Law No. 6698 |
| Special Qualified Personal Data | Race or ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, dress, Association or trade union membership, health, sexual life, criminal convictions and security measures, with data on genetic and biometric data. |
| Periodic Disposal Process | In the event that all the terms of processing of personal data contained in the law are eliminated, the deletion, destruction or anonymization process that will be performed at repeated intervals specified in the policy of storing and destroying personal data. |
| Policy | KVK policy. |
| Potential Customer | Persons who have requested to use our services or have been assessed in accordance with the commercial practices and integrity rules to which they will be found. |
| Company, Albayrak Holding and Group Companies, Group companies | https://www.albayrak.com.tr/sektorler-ve-sirketler |
| Data Owner Application Form | 11 of the KVK code. The application form that they will use when using their application for their rights contained in the article. |
| Data Processor | A real and legal person who processes personal data on its behalf based on the authority granted by the data controller. |
| Data Record System | Registry system, directory where personal data are structured and processed according to certain criteria. |
| Data Supervisor | A real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Deleting Data | It is making personal data inaccessible and unavailable in any way for the relevant users. |
| Data Destruction | It is making personal data inaccessible, unrecoverable and reusable by anyone. |
| Visiting Institution | Real persons who enter their physical premises for various purposes or visit their websites. |
- PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Principles Prescribed in Legislation
3.1.1. Processing in Compliance with Law and Integrity Rules
Our company has adopted the basic principle to comply with the law and the rules of honesty in all kinds of transactions to be carried out on personal data. In this context, by adopting the principle of transparency, it informs the personal data owners about the purpose of use of the personal data collected through this Policy and other texts.
3.1.2. Ensuring that Personal Data is Accurate and Updated when Required
Our company has a system and process to ensure the accuracy and up-to-dateness of the personal data it processes while conducting its personal data processing activity. In this context, Relevant Persons may make it possible to keep their personal data accurate and up-to-date by applying to our Company.
3.1.3. Processing for Specific, Clear and Legitimate Purposes
Our company clearly determines the purpose of processing personal data within legitimate and legal limits, and presents it to the Related Persons, through this Policy and other texts, before the personal data processing activity begins.
3.1.4. Being Connected, Limited and Measured With The Purposes For Which They Are Processed
Our company processes personal data for the purposes required to carry out the activity in a proportionate and related manner to the field of activity. In this context, while carrying out data processing activities, it carefully avoids processing personal data that are not related to the realization of the purpose and are not needed now / in the future.
3.1.5. Retaining for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are processed
Our company preserves personal data only for the period specified in the relevant legislation or for the purpose for which they are processed. In this context, first of all, it is determined whether a period is determined in the relevant legislation for the storage of personal data, if a period is determined, the process is carried out in accordance with this period, and if a period is not specified, the time required for the purpose of processing each personal data is determined and kept for this period.
In this context, our Company prepares and implements a policy and directive for the deletion, destruction or anonymization of personal data.
3.2. Processing of Personal Data in accordance with the Personal Data Processing Conditions specified in Article 5 of the KVKK and Limited to These Conditions.
Our company processes personal data only on the basis of the express consent of the Related Person or in cases where express consent is not required by law, without explicit consent, limited to these conditions and conditions.
3.2.1. Open Consent
Explicit consent is the statement made by the Related Person with free will on a specific subject and based on information. KVKK m. In accordance with 5/1, our Company respects and abides by the explicit consent of the Relevant Person, if required in the personal data processing activity.
3.2.2. Cases Where Explicit Consent is Not Required
KVKK m. On 5/2, it has accepted the processing of personal data in some cases without the explicit consent of the Related Person. Since obtaining explicit consent from the relevant person in the presence of any of the specified conditions will be considered as misleading the person concerned, our Company does not apply for express consent under these conditions below:
- a) Existence of a provision of law,
- b) Cases of actual impossibility,
- c) It is necessary to process personal data belonging to the parties of the contract, provided that it is directly related to the establishment or execution of the contract,
- d) It is mandatory for the data controller to fulfill his legal obligation,
- e) The personal data of the relevant person has been made public by him,
- f) Data processing is mandatory for the establishment, use or protection of a right,
- g) If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
3.3. Processing Special Quality Personal Data
Our company shows maximum sensitivity in the processing and protection processes of personal data determined as “special quality” by the KVKK due to the risk of causing greater victimization or discrimination when processed, and the principles accepted for special quality personal data are also discussed in this Policy.
By our company; Personal data of special nature can only be processed in the following cases, provided that adequate measures to be determined by the Board are taken, if the person concerned does not have the express consent of the person concerned.
- a) Special quality personal data other than the health and sexual life of the relevant person, in cases stipulated by the law,
- b) Special quality personal data regarding the health and sexual life of the person concerned, only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, persons or authorized institutions under confidentiality obligation and can be processed by organizations without the express consent of the person concerned.
Our Company has determined additional precautions and processes regarding the processing of special quality data and access to these data. In this framework, the environments where private personal data are stored are protected by secondary lock and secondary passwords, and can only be processed by authorized persons within the framework of the authorization matrix.
3.4. Transfer of Personal Data
Personal data, in order to fulfill the purposes specified in this Policy, to the supervisory institutions within the framework of audit activities, to our shareholders for reasons arising from the audit and partnership rights in accordance with the Turkish Commercial Code and other relevant legal regulations, to legally authorized public institutions and organizations, domestic and / or To our suppliers and business partners abroad, to real and legal persons to whom service is provided or to third persons to whom services are provided, to the relevant Albayrak Group Companies involved in business processes and to Albayrak Holding, within the framework of the personal data processing conditions and purposes specified in Article 8 and Article 9 of the KVKK. can be transferred.
PRINCIPLES ON THE PROTECTION OF PERSONAL DATA
4.1. Technical and Administrative Measures Taken by Our Company Regarding the Security of Personal Data
4.1.1. Technical Measures
The main technical measures are taken by our company to ensure that the personal data is processed in accordance with the law and to prevent unlawful access to the personal data as follows:
– Personal data processing activities carried out within our company are audited by established technical systems.
– Knowledgeable and experienced personnel are employed in technical matters.
– Departments related to technical issues have been established.
– The technical measures taken are periodically reported to the authorized unit / person as required by the internal audit mechanism.
– A backup program is used in accordance with the law to ensure the safe storage of personal data.
– New technological developments are followed and technical measures are taken on systems, especially in the field of cyber security, the measures taken are periodically updated and renewed.
– Access and authorization technical measures are used within the framework of legal compliance requirements specified in each department within our company.
– Access rights are restricted, authorities are regularly reviewed, former employees’ accounts are closed.
– Software and hardware including virus protection systems and firewalls are used.
– The use of counterfeit software and hardware is strongly avoided. All of our products we use are original and licensed.
In this context, our Company is constantly working on the following technical measures determined by the Board:
– Authorization Matrix
– Authority Control
– Access Logs
– User Account Management
– Network Security
– Application Security
– Encryption
– Penetration Test
– Attack Detection and Prevention Systems
– Log Records
– Data Masking
– Data Loss Prevention Software
– Backup
– Firewalls
– Current Anti-Virus Systems
– Deletion, Destruction or Anonymization
– Key Management
4.1.2. Administrative Measures
The main administrative measures are taken by our company to ensure that the personal data is processed in accordance with the law and to prevent unlawful access to the personal data as follows:
Our personnel are informed and trained on the protection of personal data and the processing of personal data in accordance with the law.
Personal data processing activities carried out by the business units of our company; The requirements to be fulfilled in order to ensure that these activities comply with the data processing conditions specified in the KVKK are examined for each business unit and the activity carried out.
With the agreements and documents that govern the legal relationship between our company and the employees, records imposing the obligation not to process, disclose and use personal data, except for the Company’s instructions and exceptions imposed by law, are placed and the awareness of the employees on this issue is increased.
In order to meet the legal compliance requirements determined on the basis of our business units, awareness is created and implemented in the relevant business units. The necessary administrative measures are implemented through internal policies and trainings to ensure the supervision of these issues and the continuity of the implementation.
Access to personal data and authorization processes are designed and implemented within our Company in accordance with activity-based legal compliance requirements.
It is followed by the Personal Data Protection Committee, which has been established for the convenience and compliance in the follow-up of the work and transactions related to the Personal Data Protection Law and related legal regulations.
In the contracts established by our company with third parties to whom personal data are transferred in accordance with the law, provisions regarding that necessary security measures will be taken in order to protect the transferred personal data and that these measures will be followed in their own organizations are added.
In this context, our Company is constantly working on the following administrative measures determined by the Board:
Preparation of Personal Data Processing Inventory
Corporate Policies (Access, Information Security, Use, Storage and Destruction etc.)
Contracts (Between Data Controller – Data Controller, Data Controller – Data Processor)
Confidentiality Commitments
Internal Periodic and / or Random Audits
Risk Analysis
Employment Contract, Discipline Regulation (Addition of Provisions According to Law)
Corporate Communication (Crisis Management, Informing Processes of the Board and Related Person, Reputation Management etc.)
Education and Awareness Activities (Information Security and Law)
Notification to Data Controllers Registry Information System (VERBİS)
4.2. Raising Awareness and Control of Our Employees in the Field of Personal Data Protection
Our company ensures that necessary trainings and meetings are organized to raise awareness to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure safe storage of data.
In order to increase the awareness of the current employees of our company about the protection of personal data, we work with professional people in case of need.
4.3. Protection of Special Quality Personal Data
Personal data determined by our company as special with KVKK and processed in accordance with the law are protected with precision. In this context, the technical and administrative measures taken by our Company for the protection of personal data have been determined on the basis of the relevant legal regulation and the “Adequate Measures to be Taken by Data Controllers in the Processing of Special Qualified Personal Data” published by the Personal Data Protection Authority, and carefully is implemented.
4.4. Measures to be Taken Against Unauthorized Disclosure of Personal Data
Our company will notify the relevant person and the Board within 72 hours if the personal data,it processes, is illegally obtained by others.
If deemed necessary by the Board, this may be announced on the Board’s website or by any other method.
4.5. Personal Data Inventory
Each unit of our company creates an up-to-date personal data processing inventory. Unit manager is responsible for the accuracy, timeliness and submission of this inventory to the contact person when necessary. Up-to-date developments in keeping inventories correct, applying the current Company policy on the protection of personal data and protecting personal data are always followed.
APPLICATION OF RELATED PERSONS TO THE DATA CONTROLLER, OUR COMMUNICATION CHANNELS TO CONTACT AND EVALUATION OF THE APPLICATION
5.1. Application Subject
Our company attaches great importance and value to the rights of the relevant people and we provide them with the opportunity and opportunity to exercise these rights. An Application Form for Data Supervisor has been prepared and published on our website by our company, where the relevant persons can easily submit their requests.
Everyone, by applying to our Company, about themselves;
- a) Learning whether personal data is processed,
- b) To request information if personal data has been processed,
- c) Learning the purpose of processing personal data and whether they are used appropriately for their purpose,
ç) To know the third parties in the country or abroad to whom personal data have been transferred,
- d) Request rectification in case personal data are processed incompletely or inaccurately,
- e) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,
- f) Request notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data have been transferred,
- g) To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
ğ) To demand the compensation of the damage in case of damage due to unlawful processing of personal data,
has the rights.
5.2. Application Method and Address
Our communication channels and method to use the above rights are as indicated in the table below:
| Application Method | Application Address | Application Subject Heading |
| Application by hand (If the applicant applies personally, a document certifying her identity, and a notarized power of attorney must be available in case of an application by proxy.) | Maltepe Mah. Fetih Cad. No:6 / 10 Zeytinburnu İstanbul | “Request for Information within the Scope of the Law on Protection of Personal Data” will be written on the envelope. |
| Notification through a notary | Maltepe Mah. Fetih Cad. No:6 / 10 Zeytinburnu İstanbul | “Request for Information within the Scope of the Law on Protection of Personal Data” will be written in the notification envelope. |
| Email Via E-signature / Mobile Signature | kvkk@albayrak.com.tr | “Request for Information within the Scope of the Law on Protection of Personal Data” will be written in the subject part of the e-mail. |
| Application via Registered Electronic Mail (KEP) address | albayrakhol@hs03.kep.tr | “Request for Information within the Scope of the Law on Protection of Personal Data” will be written in the subject part of the e-mail.
|
| E-mail address registered in our systems (Your e-mail address must have previously been matched with your identity in our systems.) | kvkk@albayrak.com.tr | “Request for Information within the Scope of the Law on Protection of Personal Data” will be written in the subject part of the e-mail. |
5.3. Post-Application Process
Applications submitted to us are answered within 30 (thirty) days at the latest begining from the date of receipt to our Company, depending on the nature of the request. Our responses are sent to the Data Supervisor based on the form of notification specified by the applicant in the Application Form.
Related persons; In case the application is rejected in accordance with Article 14 of the KVKK, the response is found to be insufficient or the application is not responded in due time; It can make a complaint to the Board within thirty days from the date our company learns its answer, and in any case within sixty days from the date of application.
5.4. Application Fee
Applications are made free of charge as a rule. However, if the transaction requested by the relevant persons requires an additional cost, the fee in the tariff determined by the Board will be charged by our Company.
ENLIGHTENING AND INFORMING RELATED PERSONS
Our company, in accordance with the regulation in Article 10 of the KVKK, enlightens the relevant persons about the process of obtaining personal data through this Policy and the Clarification Text that is easily accessible on our website and through other texts. In this context, our Company informs the relevant persons about the identity of the data controller, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and other rights of the person concerned.
In order for the relevant person to use his / her rights stated in the KVKK more easily, an Application Form for Data Supervisor was created and published on the website of our Company. The relevant section has been explained in detail under the heading number 5.
PURPOSE OF PROCESSING PERSONAL DATA AND STORAGE PERIOD
7.1. Purposes of Processing Personal Data
Our company processes personal data as personal data limited to the purposes and conditions within the personal data processing conditions specified in Article 5 and 6 of the KVKK. These terms and conditions;
The processing of personal data is clearly stipulated by the Laws for our Company to engage in relevant activities,
The processing of personal data by our Company is directly related and necessary with the establishment or performance of a contract,
Processing of personal data is mandatory for our Company to fulfill its legal obligation,
Provided that the personal data are made public by the person concerned; processing by the Company in a limited way for your publicizing purpose,
The processing of personal data by the Company is mandatory for the establishment, use or protection of a right of the Company,
It is mandatory to perform personal data processing for the legitimate interests of the Company, provided that the fundamental rights and freedoms of the relevant persons are not harmed,
It is compulsory for our company to process personal data for the protection of the life or physical integrity of the relevant persons or another person, and in this case, the relevant persons are unable to disclose their consent due to actual impossibility or legal invalidity
Special quality personal data other than the health and sexual life of the relevant persons, in the cases stipulated by the law,
Special quality personal data related to the health and sexual life of the relevant persons are processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.
7.2. Retention Periods of Personal Data
As a company, we keep personal data for the period specified in this legislation, in case it is stipulated in the relevant legislation. In addition, our obligations arising from the relevant contracts, our administrative and legal responsibilities / liabilities are also taken into account in determining the retention periods.
When the purpose of processing personal data has expired and the retention period determined by the relevant legislation and the company has reached the end, these personal data are deleted and backed up only to provide evidence in possible legal disputes or to assert the relevant right related to personal data. In this case, access to personal data is not provided for any other purpose. Personal data are destroyed or anonymized after the expiration of the periods specified in our Company’s Personal Data Storage and Destruction Directive.
The processed personal data and personal data inventories are reviewed in 6-month periods and the personal data that need to be deleted / destroyed are deleted / destroyed within these 6-month periodic destruction periods and the transaction is recorded.
PERSONAL PROCESSING ACTIVITIES WITH BUILDING-FACILITY ENTRANCE AND INSIDE THE BUILDING-FACILITY
8.1. Camera Monitoring Activities Conducted at the Entrances of the Building and Facility and Inside
By our company; In order to ensure the safety of the relevant persons and our Company, we perform security camera monitoring activities at the place, building and facility entrance and inside where we serve and carry out these services, as well as personal data processing activities for the follow-up of entrances / exits and overtime. In this context, as the Company, we act in accordance with the KVKK and other relevant legislation.
8.1.1. Informing about Camera Monitoring Activity
Relevant persons are enlightened by our company in accordance with Article 10 of the KVKK; In this way, it is aimed to prevent harm to the fundamental rights and freedoms of the persons concerned and to ensure transparency. For camera surveillance activities, the Company’s website illuminates both with this Policy (online Policy) and a notification letter (on-site lighting / layered lighting) that will be monitored at the entrances of the monitoring areas.
8.1.2. Purpose and Limitation of Camera Monitoring Activity
As a company, we process personal data in connection with the purpose for which they are processed, in a limited and measured manner in accordance with KVKK. The purpose of continuing the video camera recording and monitoring activities by the company is limited to the purposes listed in this Policy. Accordingly, the monitoring areas of security cameras, their number and when to be monitored are put into practice in a sufficient and limited way to achieve the security purpose.
8.1.3. Ensuring the Security of Data Obtained by Camera Monitoring
All necessary technical and administrative measures are taken by the company to ensure the security of personal data obtained through camera recording. Detailed information can be found in technical measures regarding data protection.
8.1.4. Who Can Access the Information Obtained As A Result of Monitoring and Who Is This Information Transferred To?
Only authorized persons can access the information obtained as a result of monitoring and the storage environment. On the other hand, the live camera images can be watched by the security guards who are employees of the Company or outsourced. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
8.2. Guest Entry / Exit Tracking Carried Out at Building and Facility Entrances and Inside
By the company and outsourced company; Personal data processing activities are carried out for the purpose of ensuring security and tracking guest entries and exits in the Company buildings and facilities for the purposes specified in this Policy.
While obtaining the names and surnames of the persons who come to our buildings and facilities as guests, or through texts posted by the Company or made available to the guests in other ways, the relevant persons are enlightened within this scope. The data obtained for the purpose of tracking guest entry and exit are processed only for this purpose and the relevant personal data are recorded in the data recording system in physical and / or electronic media.
8.3. Recording of Information on Electronic Devices at Building and Facility Entrances
In connection with the care and sensitivity we show as a company to information security and protection of personal data; When our guests use their personal computers or similar electronic devices, we record the MAC addresses of computers or similar electronic devices. The reason for this is to ensure the security of our company and the people whose personal data are within our company.
REVIEW
This policy comes into effect after being approved by the Company’s board of directors. Regarding the changes in the policy, the approval of the person (s) to be authorized by the board of directors is obtained. The issues regarding the implementation of this policy within the Company have been systematized with the internal policies, procedures and internal directives. The policy is reviewed every 6 months and, if necessary, revisions are made regarding the approval of the authorized person.
PERSONAL DATA PROTECTION COMMITTEE
The company has appointed a contact person within the framework of personal data protection law. A committee of 1 person was formed among the company department employees. The committee is chaired by the Company contact person.
The contact person acts with the views and recommendations of the Committee on administrative and technical measures. With regard to administrative and technical measures, the principles determined by the Committee are taken into account. The Committee makes the necessary effort to comply with the Company’s personal data protection legislation. The contact person supervises the Company units for which he is responsible within the scope of personal data protection law. As a result of these audits, it warns the relevant units when necessary and informs the senior management about the situation.
The contact person ensures the coordination of the relevant person applications made to the Company to be answered within the legal periods and in accordance with the procedure. The contact person manages the relations of the Company with the Personal Data Protection Authority.
FORCE
This Policy comes into force as of the date it is accepted and announced by the company’s board of directors / authorized bodies.