Document Information
Document Name: Personal Data Protection Policy
Document Reference: The purpose of the Personal Data Protection Policy is to plan the processes for the protection of the personal data by Sen Pazarlama Gayrimenkul Anonim Sirketi and to determine the principles to be applied regarding this issue
Publication Date: 06.02.2024
Version No: 1
Reference / Reason: Personal Data Protection Law No. 6698 and other legislation
Approval Authority: Board of Directors of Sen Pazarlama Gayrimenkul Anonim Sirketi
1. PURPOSE
The right of every individual to request the protection of the personal data related to him/her is a sacred right arising from the Constitution. As Sen Pazarlama Gayrimenkul Anonim Sirketi, we consider fulfilling the requirements of this right as one of our most valuable duties. Therefore, we attach importance to the processing and protection of your personal data in accordance with the law.
The Corporate Personal Data Protection Policy has been prepared in order to establish the principles and procedures that we apply when processing and protecting the personal data as a result of the importance we attach to the protection of the personal data.
2. SCOPE
The Policy covers all kinds of transactions performed on all personal data managed by Sen Pazarlama Gayrimenkul Anonim Sirketi, such as obtaining, recording, storing, maintaining, changing, rearranging, clarifying, transferring, taking over, making available or classifying the data or preventing it from being used, by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system.
The Policy relates to all personal data of the partners, officials, customers, employees, supplier officials and employees of Sen Pazarlama Gayrimenkul Anonim Sirketi, and third parties.
Sen Pazarlama Gayrimenkul Anonim Sirketi may amend the Policy for the purposes of complying with the legislation and the decisions of the Personal Data Protection Authority and protecting the personal data better.
3. DEFINITIONS
Abbreviation | Definition
Receiver Group | Category of the natural or legal person to whom the personal data is transferred by the data controller.
Explicit Consent | Consent on a specific issue, based on information and given with free will.
Anonymization | Making the personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Data Subject | Natural person whose personal data is processed.
Relevant User | Persons who process the personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or department responsible for the technical storage, protection and backup of the data.
Destruction | Deletion, destruction or anonymization of the personal data.
Law / PDPL | Personal Data Protection Law No. 6698.
Recording Media | All kinds of media containing the personal data processed by fully or partially automatic means or non-automatic means, provided that they are part of any data recording system.
Personal Data | All kinds of information regarding an identified or identifiable natural person.
Data Inventory | Inventory in which the data controllers clarify and detail the personal data processing activities which they carry out depending on their business processes, the purposes and legal grounds for processing the personal data, the data category, the maximum retention period which is determined by associating with the group of recipients to whom the personal data is transferred and the group of data subjects, and which is necessary for the purposes for which the personal data is processed, the personal data required to be transferred to foreign countries and the measures taken regarding data security.
Processing of the Personal Data | Any transaction carried out on the personal data such as obtaining, recording, storing, maintaining, changing, rearranging, clarifying, transferring, taking over, making available, classifying the personal data or preventing it from being used by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system.
Committee | Personal Data Protection Committee established by Sen Pazarlama Gayrimenkul Anonim Sirketi in order to manage the Policy and other relevant procedures and to ensure the enforcement of the Policy.
Board | Personal Data Protection Board.
Authority | Personal Data Protection Authority.
Sensitive Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of individuals.
Periodical Destruction | Deletion, destruction or anonymization process set forth in the personal data retention and destruction policy and to be carried out ex officio at recurring intervals in the event that all of the conditions for processing the personal data set forth in the Law disappear.
Policy | Personal Data Protection Policy.
Data Processor | A natural or legal person who processes the personal data on behalf of the data controller based on the authorization granted by the data controller.
Data Controller | A natural or legal person who determines the purposes and means of processing the personal data and is responsible for the establishment and management of the data recording system.
4. GENERAL PRINCIPLES
Sen Pazarlama Gayrimenkul Anonim Sirketi inspects the compliance of the data to be processed with the following principles during the preparation stage of each new workflow requiring personal data processing. The workflows not considered appropriate are not implemented.
While processing the personal data, Sen Pazarlama Gayrimenkul Anonim Şirketi:
(I) Complies with the law and rules of honesty.
(II) Ensures that the personal data is accurate and up-to-date when necessary.
(III) Ensures that the purpose of processing is specific, explicit and legitimate.
(IV) Checks that the processed data is related to the purpose of processing, that it is processed as limited to the extent necessary to be processed and that it is proportionate.
(V) Retains the data only for the period stipulated in the relevant legislation or as necessary for the purpose of processing, and destroys it when the purpose of processing disappears.
5. DUTIES AND RESPONSIBILITIES
A Personal Data Protection Committee has been established within the organization of Sen Pazarlama Gayrimenkul Anonim Sirketi in order to manage this Policy and other relevant procedures regarding the processing of personal data and to ensure the enforcement of the Policy. Sen Pazarlama Gayrimenkul Anonim Sirketi also receives PDPL consultancy support when necessary in order to comply with the Personal Data Protection Law No. 6698. The Committee may invite the PDPL consultant to its meetings if it considers this necessary.
The duties and responsibilities of the Committee are specified below.
(I) It convenes ordinarily every 6 months. It may convene extraordinarily if circumstances require (e.g. in the case of a possible data breach).
(II) It discusses the issues that are required to be amended/improved in the Policy.
(III) It determines the issues that can be fulfilled for the lawful processing and protection of the personal data.
(IV) The Committee determines the actions that can be taken in order to raise the PDPL awareness within the company and among the business partners.
(V) It identifies the risks that may be encountered in the processing and protection of the personal data and takes the necessary administrative and technical measures.
(VI) It ensures the communication and manages the relations with the Authority.
(VII) It evaluates the requests received from the Data Subject.
(VIII) It follows up the periodical destruction processes.
(IX) It updates the Data Inventory.
(X) It makes the assignments regarding the aforementioned issues.
6. MEASURES TAKEN FOR THE DATA SECURITY
Sen Pazarlama Gayrimenkul Anonim Sirketi takes all kinds of necessary technical and administrative measures in order to (i) prevent the unlawful processing of the personal data, (ii) prevent the unlawful access to the personal data, (iii) provide the appropriate level of security to ensure the protection of the personal data.
6.1. Technical Measures
(I) The network security and application security are ensured.
(II) The security measures are taken within the scope of procurement, development and maintenance of the information technology systems.
(III) The access logs are kept regularly.
(IV) The up-to-date anti-virus systems are used.
(V) The firewalls are used.
(VI) The necessary security measures are taken for the entries into and exits from the physical environments containing personal data.
(VII) The security of the physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
(VIII) The security of the environments containing personal data is ensured.
(IX) The personal data is backed up and the security of the backed up personal data is also ensured.
(X) The user account management and authorization control system is implemented and also followed up.
(XI) The log records are kept without user intervention.
(XII) The attack detection and prevention systems are used.
(XIII) Encryption is applied.
6.2. Administrative Measures
(I) There are disciplinary regulations for the employees, which include data security provisions.
(II) The training and awareness raising activities are carried out for the employees on data security at regular intervals.
(III) The corporate policies have been prepared and implemented on access, information security, use, retention and destruction.
(IV) The data masking measures are applied when necessary.
(V) The confidentiality commitments are issued.
(VI) The authorization matrix has been created for the employees.
(VII) The authorizations of the employees whose positions have changed or who have left their jobs are revoked in this area.
(VIII) The signed contracts include the data security provisions.
(IX) The personal data security policies and procedures have been established.
(X) The personal data security issues are reported rapidly.
(XI) The personal data security is followed up.
(XII) The personal data is reduced as much as possible.
(XIII) The internal periodical and/or random audits are conducted and are also commissioned.
(XIV) The existing risks and threats have been identified.
(XV) The protocols and procedures for the security of sensitive personal data have been established and implemented.
(XVI) If the sensitive personal data is to be sent by electronic mail, it is always sent encrypted and by using a KEP or corporate mail account.
(XVII) The awareness of the data processing service providers on data security is ensured.
7. RIGHTS OF THE DATA SUBJECT REGARDING PERSONAL DATA
The data subject can make a request on the following issues by applying to Sen Pazarlama Gayrimenkul Anonim Sirketi:
(I) To learn whether his/her personal data has been processed,
(II) To request information if his/her personal data has been processed,
(III) To learn the purpose of processing his/her personal data and whether it is used in accordance with its intended use,
(IV) To learn the third parties to whom the personal data has been transferred in the country or abroad,
(V) To request the correction of his/her personal data in the case of incomplete or incorrect processing and to request the notification of the transaction made within this scope to third parties to whom the personal data has been transferred,
(VI) To request the deletion, destruction or anonymization of his/her personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the PDPL and other relevant laws, and to request the notification of the transaction made within this scope to third parties to whom the personal data has been transferred,
(VII) To object to the occurrence of a result against him/her by analyzing the processed data exclusively via automated systems,
(VIII) To request the compensation of the damage if his/her personal data is damaged due to its processing contrary to the law.
8. BREACH NOTIFICATIONS
The employees of Sen Pazarlama Gayrimenkul Anonim Sirketi report to the Committee any work, action or fact considered to be in breach of the provisions of the PDPL and/or the Policy. The Committee convenes if deemed necessary following this breach notification and develops an action plan regarding the breach.
If the breach has occurred through the acquisition of the personal data by others through unlawful means, the Committee notifies this situation to the data subject and the Authority within 72 hours within the scope of the decision, dated 24.01.2019 and numbered 2019/10, of the Authority.
9. AMENDMENTS
The amendments to the Policy are prepared by the Committee and submitted to the Board of Directors of Sen Pazarlama Gayrimenkul Anonim Sirketi for approval. The updated Policy can be sent to the employees by e-mail or published on the website.
10. EFFECTIVE DATE
This version of the Policy was approved by the Board of Directors and entered into force on 06.02.2024.