GDPR
PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC. POLICY FOR PROTECTION AND PROCESSING OF PERSONAL DATA
Document Name: PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC. Information Form for Personal Data Protection and Processing
Target Group: All natural persons whose personal data is processed by PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC., except for the employees of PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC.
Prepared by: PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC. Legal Department
Version: V.1.0.
Approved by: PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC. Legal Department
Effective Date: 24/09/2020
In cases where there is a conflict between the Turkish language version of the policy and any translation, the Turkish text shall prevail.
© PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC. 2020 This document cannot be reproduced and distributed without the written permission of PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC.
INTRODUCTION
The Personal Data Protection Law No. 6698 (the “Law”) entered into force on April 7, 2016 and includes provisions regarding the processing of all kinds of information related to “identified or identifiable natural persons”.
Personal data protection is among the most important priorities for PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC. (“PIT” or the “Company”) and in this context, maximum effort is made to comply with all applicable legislation. This Personal Data Protection and Processing Policy of PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES INDUSTRY AND TRADE INC. (the “Policy”) explains the principles adopted in the conduct of personal data processing activities carried out by our Company and the basic principles adopted in terms of compliance of the data processing activities of our Company with the provisions in the Personal Data Protection Law No. 6698 (the “Law”), and thus, our Company provides the necessary transparency by informing personal data subjects. With the full awareness of our liability hereunder, your personal data is processed and protected within the scope of this Policy. Detailed information about the personal data subjects in question can be found in Annex-2 (“Annex 2- Personal Data Subject”) to this Policy.
This Policy may be updated from time to time in order to adapt to changing conditions and legislation.
Express Consent | Express Consent refers to any consent that is based on informing a person on a specific subject and is disclosed with free will. |
Anonymization | It refers to rendering personal data impossible to associate with an identified or identifiable natural person, even if it is paired with other data. |
Related Person | It refers to any real person whose personal data is processed (referred to as “data subject” in the Policy). |
Law | The Personal Data Protection Law No. 6698, published in the Official Gazette No. 29677, dated April 7, 2016. |
Personal Data | Personal data refers to any information relating to an identified or identifiable real person. |
Personal Data Subject | Personal data subject refers to any real person whose personal data is processed. |
Processing of Personal Data | Processing of personal data covers all types of actions carried out on data such as obtaining personal data through means that are partially or fully automated or that are non-automated, subject to being part of any data recording system, recording, storing, maintaining, altering, rearranging, disclosing, transferring, taking over, making obtainable, classifying or preventing the use of personal data. |
Special Categories of Personal Data | It refers to data on race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, membership to any association, foundation or trade union, health, sexual life, criminal conviction and security measures and biometric and genetic data. |
Data Recording System | It refers to the recording system in which personal data are configured and processed by certain criteria. |
Data Controller | It refers to any real or legal person who determines the purposes and means of processing of personal data and is responsible for establishing and managing the data recording system. |
2. PRINCIPLES FOR PROCESSING OF PERSONAL DATA
The Company that is the data controller pursuant to Article 4 of the Law acts in accordance with the following principles in the processing of personal data.
Personal data is processed in accordance with law and rules of integrity. In this direction, the Company, as the data controller, acts in accordance with the applicable legislation in all kinds of personal data processing activities and complies with the rules of integrity.
Data controllers should set up the necessary processes to ensure that the personal data they process are accurate and up to date. Accordingly, the Company provides the data subjects with the opportunity to update their data and takes the necessary measures to ensure the correct transfer of the data to the databases.
Data controllers are obliged to inform data subjects about the purposes of processing personal data in line with the disclosure obligations under the Law. Accordingly, the Company, as the data controller, limits its data processing activities to specific and legitimate purposes and informs data subjects clearly within the scope of the disclosure texts regarding these purposes.
Personal data is processed by the Company in connection with and limited to the purpose notified to the data subject at the time of their provision, to the extent necessary for this purpose.
- Keeping for the time period provided for in the relevant legislation or for the purpose of processing
If a certain time period is determined within the scope of the applicable legislation, the data will be stored for such time period. If such a time period is not specified in the legislation, reasonable retention periods are determined by considering the intended use of data and the Company’s procedures, and the data is kept limited to such time periods. Following the expiry of the aforementioned time periods, the data will be deleted, destroyed or anonymized in line with the Company’s procedures.
3. PURPOSE OF PERSONAL DATA PROCESSING BY THE COMPANY
Articles 5 and 6 of the Law set out the requirements for the processing of personal data and special categories of personal data. Special categories of personal data are listed in the Law in a limited manner and include data on a person’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, membership to any association, foundation or trade union, health, sexual life, criminal conviction and injunction and biometric and genetic data. While Article 5 of the Law specifies the requirements for processing non-special categories of personal data, the requirements for processing special categories of personal data are set out in Article 6.
According to the said Article, non-special categories of personal data may be processed in the following cases:
- if data subject’s express consent is obtained;
- if data processing is clearly provided for in laws;
- if the processing of relevant data is mandatory to protect life or body integrity of any person, who is unable to disclose his/her consent due to actual impossibility or whose consent is not considered legally valid, or any other person;
- if the processing of personal data of contracting parties is necessary, provided that the processing is directly related to the execution or performance of a contract;
- if the data processing is mandatory for the data controller to fulfil its legal obligation;
- if the personal data has been publicized by the person concerned;
- if the data processing is compulsory in order to establish, exercise or protect a right;
- if the data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the person concerned are not damaged.
Special categories of personal data can be processed subject to the requirements listed below:
- if data subject’s express consent is obtained;
- if the processing of special categories of personal data, except for health- and sexual life-related data, is provided for in laws (data on a person’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, membership to any association, foundation or trade union, criminal conviction and injunction and biometric and genetic data);
- if health- and sexual life-related data is processed by persons or authorized institutions and organizations under the obligation of secrecy, for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing;
In this context, the Company processes personal data of natural persons in the categories listed in Annex-1 for the following purposes:
- carrying out emergency management processes;
- carrying out information security processes;
- conducting selection and placement processes of employee candidates/trainees/students;
- carrying out application process of employee candidates;
- fulfilment of obligations arising from employment contract and legislation for employees;
- carrying out the processes of fringe benefits and interests for employees;
- carrying out audit / ethics activities;
- carrying out training activities;
- carrying out activities in accordance with the legislation;
- carrying out finance and accounting affairs;
- ensuring the security of physical space;
- carrying out appointment processes;
- monitoring and carrying out legal affairs;
- carrying out internal audit / investigation / intelligence activities;
- carrying out communication activities;
- planning of human resources processes;
- carrying out/supervising business activities;
- carrying out occupational health / safety activities;
- taking and evaluating suggestions for improvement of business processes;
- carrying out business continuity activities;
- carrying out logistics activities;
- carrying out procurement processes for goods / services;
- carrying out after-sales support services for goods/services;
- carrying out procurement processes for goods / services;
- carrying out goods/services production and operations and processes;
- carrying out the processes of customer relations management;
- carrying out customer satisfaction activities;
- organization and event management;
- carrying out marketing analysis studies;
- carrying out advertising / campaign / promotion processes;
- carrying out risk management processes;
- carrying out custody and archiving activities;
- carrying out contract processes;
- follow-up of requests / complaints;
- ensuring the security of movable goods and resources;
- carrying out supply chain management processes;
- carrying out wage policy;
- carrying out marketing processes of products / services;
- ensuring the security of data controller operations;
- foreign personnel residence and work permit procedures;
- carrying out investment processes;
- providing information to authorized persons, institutions and organizations;
- carrying out management activities;
- creation and follow-up of visitor records;
- other- signature authorization and realization of transactions based on this authorization;
- other- management of cargo delivery processes;
- other- carrying out ticketing and accommodation transactions;
- other- resolving legal disputes;
- other- managing Teydeb project application processes;
- carrying out KOSGEB support processes;
- other- ensuring the legal, technical and commercial-business security of the relevant persons in relationship with the Company.
4. TRANSFER OF PERSONAL DATA BY THE COMPANY
4.1. General Requirements for Data Transfer
Article 8 of the Law distinguishes, for the transfer of personal data, between data that falls within the special categories of personal data and data that does not. Detailed information related thereto can be found in Annex-3 to this Policy (“Annex-3- Third-Parties to whom Personal Data is Transferred by Our Company and Purposes of Transfer”).
According to the said Article, non-special categories of personal data can be transferred to third-parties in the presence of one of the processing requirements specified in Section 3 above. In this context, personal data can be shared by the Company with people other than legal entities:
- if data subject’s express consent is obtained;
- if data processing is clearly provided for in laws;
- if the processing of relevant data is mandatory to protect life or body integrity of any person, who is unable to disclose his/her consent due to actual impossibility or whose consent is not considered legally valid, or any other person;
- if the processing of personal data of contracting parties is necessary, provided that the processing is directly related to the execution or performance of a contract;
- if the data processing is mandatory for the data controller to fulfil its legal obligation;
- if the personal data has been publicized by the person concerned;
- if the data processing is compulsory in order to establish, exercise or protect a right;
- if the data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the person concerned are not damaged.
Article 8 makes reference to the processing requirements specified in Section 2 also in terms of special categories of personal data, but requires that adequate measures should also be taken for the transfer. Accordingly, special categories of personal data can be shared by the Company with third-parties if:
- the processing of special categories of personal data, except for health- and sexual life-related data, is provided for in laws (data on a person’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, membership to any association, foundation or trade union, criminal conviction and injunction and biometric and genetic data); and
- health- and sexual life-related data is processed by persons or authorized institutions and organizations under the obligation of secrecy, for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing;
provided that adequate measures are taken.
4.2. Transfer Abroad
Personal data can be transferred abroad by the Company provided that:
- the data subject’s express consent is obtained;
- in cases where the subject’s express consent is not obtained, but one or more of the other requirements mentioned above are met;
- if there is sufficient protection in the country where the data is transferred; and
- in the event that no sufficient protection is available in the country where the data is transferred, the relevant company undertakes sufficient protection in writing with the data controller in the relevant foreign country and the permission of the Personal Data Protection Board is obtained.
4.3. Parties to whom data is transferred by the Company
Within the scope of the above requirements, personal data is transferred by the Company to:
- suppliers for the purpose of procuring services in the processes that our Company outsources;
- business partners for the purpose of ensuring that the objectives of the business partnership are fulfilled;
- legally authorized public institutions and legally authorized private persons or organizations, being limited to the information requested within the framework of their legal powers; and
- product or service purchasers and their employees and officials for the purpose of carrying out product services and marketing processes.
5. PERSONAL DATA PROCESSED BY THE COMPANY
Our Company informs the related persons pursuant to Article 10 of the Law and the secondary legislation and processes personal data in accordance with the general principles specified in the Law, in particular, the principles specified in Article 4 of the Law, based on, and limited to, at least one of the personal data processing requirements specified in Articles 5 and 6 of the Law in line with the personal data processing purposes of our Company. The categories of personal data processed within the framework of the purposes and conditions specified in this Policy and detailed information about the categories can be found in Annex 1 (“Annex-1- Data Categories”).
6. PROCEDURE OF PERSONAL DATA PROCESSING BY THE COMPANY
As stipulated in the Law, the Company, as the data controller, informs personal data subjects, during the collection of personal data, about the purposes for which it processes personal data, to whom and for what purposes the processed personal data can be transferred, the method and the legal ground of personal data collection, and the rights of data subjects.
If any process requires express consent pursuant to the Law, the Company obtains the express consents of the data subjects after the aforementioned disclosure is made.
7. DETERMINATION BY THE COMPANY OF RETENTION PERIODS OF PERSONAL DATA
When determining the retention periods of personal data, the Company takes into account the applicable legislation and the purposes of processing the data concerned. In any case, the Company determines the retention periods in the light of its legal obligations and the relevant statute of limitations.
In the event that the purpose of data processing disappears, the data is deleted, destroyed or anonymized, unless there is another legal ground or basis that allows the data to be kept.
8. RIGHTS OF DATA SUBJECTS AND THE EXERCISE OF THESE RIGHTS
8.1. Rights of data subjects
According to Article 11 of the Law, personal data subjects have the following rights against the data controller:
- to find out whether their personal data has been processed;
- to request information if their personal data has been processed;
- to find out the purpose of processing of their personal data and whether or not their personal data is used properly;
- to know about third-parties to whom their personal data is transferred at home or abroad;
- if their personal data has been processed in an incomplete and incorrect manner, to request correction of the same;
- to request deletion or disposal of their personal data in accordance with the provisions provided for in the relevant legislation;
- to request notification of the correction, deletion and destruction processes to third-parties to whom their personal data has been transferred;
- to object to the emergence of any consequence against themselves through analysis of the data processed exclusively by means of automated systems;
- in case of any loss and/or damage due to the unlawful processing of personal data, to claim indemnification for losses and/or damages suffered.
Circumstances in which data subjects do not have the right to make a request are listed in Paragraph 2 of Article 28 of the Law, and in this context, the rights specified above for personal data cannot be exercised if:
- personal data processing is necessary for the prevention of crime or criminal investigation;
- personal data made public by the person concerned is processed;
- personal data processing is necessary for the execution of auditing or regulation duties by authorized public institutions and organizations and professional institutions, which in nature are public institutions, based on the power granted by the law, and for disciplinary investigations or prosecutions;
- personal data processing is necessary for the protection of the State’s economic and financial interests in relation to budget, tax and financial matters.
Since personal data will be outside the scope of the Law in the following cases pursuant to Paragraph 1 of Article 28 of the Law, data subjects’ requests will not be processed in terms of such data:
- processing of personal data by real persons within the scope of activities related to him/her or his/her family members living in the same residence, provided that they are not given to third-parties and obligations regarding data security are complied with;
- processing of personal data for purposes, such as research, planning and statistics, by making them anonymous with official statistics;
- processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defence, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime;
- processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public security, public order or economic security;
- processing of personal data by judicial authorities or enforcement authorities regarding investigations, prosecutions, trials or enforcement proceedings.
8.2. Exercise of Rights by Data Subjects
In order to exercise the above-mentioned rights, data subjects can use the “Form for Applications to be Made to Data Controller by Personal Data Subjects” available at [GDPR Application Form].
Applications will be made by one of the following methods, together with the documents that will determine the identity of the data subject:
- by completing the form and forwarding a signed copy thereof either by hand or through a notary public to Darülaceze Cad., Halit Ziya Türkkan Sk, Famas Plaza, A Blok Kat.10 No.35 Şişli / Istanbul;
- by signing the form with a secure electronic signature under the Electronic Signature Law No. 5070 and sending the same by registered e-mail to profeniletisim@hs03.kep.tr; or
- with a method provided for in the Communiqué on the Procedures and Principles for Applications to Data Controllers.
The Company responds to data subjects who want to exercise the said rights within the limits stipulated by the Law, within a maximum of 30 (thirty) days, as provided for in the Law. In order for third-parties to make an application request on behalf of personal data subjects, there must be a power of attorney issued by the data subject in the name of the third-party before a notary public.
Although applications of data subjects are processed free of charge as a rule, if the application is to be answered in writing within the framework of Article 7 of the Communiqué on the Procedures and Principles for Applications to Data Controllers, no fee will be charged up to 10 pages, and a fee of TRY 1.00 will be charged for each page above 10 pages. If the application is to be answered in a recording medium such as a CD or flash memory, the fee to be charged will not exceed the cost of the recording medium.
The Company may request information from the relevant person in order to determine whether the applicant is the personal data subject, and may ask the personal data subject questions regarding his/her application in order to clarify the matters specified in the application.
9. PROTECTION OF PERSONAL DATA BY THE COMPANY
The Company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental loss of, deliberate deletion of, or damage to, personal data, in order to ensure the security of personal data. In this context, the technical and administrative measures taken by the Company are as follows:
- Network security and application security are provided.
- Closed system network is used for personal data transfers via network.
- Key management is implemented.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- Security of personal data stored in the cloud is provided.
- Training and awareness studies are conducted at regular intervals on data security for employees.
- An authorization matrix has been created for employees.
- Access logs are kept regularly.
- Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
- Powers of the employees who have been resigned or who have left their jobs are revoked.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Personal data security policies and procedures have been established.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Security of personal data-containing media is provided.
- Physical environments containing personal data are protected against external risks (fire, flood, etc.).
- Personal data is reduced as much as possible.
- Personal data is backed up and the security of the backed up personal data is ensured.
- A user account management and authorization control system is applied and followed up.
- In-house periodic and/or random audits are carried out and caused to be carried out.
- Log records are kept without user intervention.
- Existing risks and threats have been identified.
- Secure encryption/cryptographic keys are used for private personal data and managed by different departments.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is continuously monitored.
- Encryption is carried out.
- Data processing service providers are provided with awareness on data security.
Annex 2– Personal Data Subjects
PERSONAL DATA SUBJECT CATEGORY | DESCRIPTION |
Employee | All real persons working for/employed by PIT. |
Candidate Employee | Natural persons who have applied to PIT for a job in any way or who have opened their resumes and related information for review by PIT. |
Trainee | Persons who do an internship at PIT in order to gain work experience, learn the work done, and improve their professional knowledge and skills. |
Visitor | Real persons who have entered into the physical sites owned by PIT for various purposes or who have visited our websites. |
Family Members and Relatives | Spouses, children and relatives of data subjects whose personal data is processed within the scope of this Policy within the framework of the activities carried out by PIT. |
Third-Party | Other real persons who are not covered by this Policy and the Policy for Protection and Processing of Personal Data of Employees of PROFEN COMMUNICATION TECHNOLOGIES AND SERVICES (e.g., guarantors, attendants, former employees) |
Suppliers and Suppliers’ Employees/Officials | Real persons who are an official or shareholder of the party providing services to PIT on contract basis in accordance with the orders and instructions of PIT when conducting the commercial activities of PIT. |
Product or Service Buyers and their Employees/Officials | Real persons who are an official or shareholder of the party that PIT provides services or products when carrying out its commercial activities. |
Potential Product or Service Buyers and their Employees/Officials | Real persons who are an employee, official or shareholder of the party that PIT is likely to offer services or products in the future when carrying out its commercial activities. |
Employees, Shareholders and Officials of Organizations We Cooperate with | Real persons employed in organizations with whom PIT has any business relationships, including the shareholders and officials of such organizations (including, but not limited to their business partners, suppliers). |
Company Shareholder | Real persons who are a PIT shareholder. |
Company Official | Real persons who are a board member and other authorized real person of PIT. |
Annex 3- Third Parties to whom Personal Data is transferred by Our Company, and Purposes of Transfer
PIT may, in accordance with Articles 8 and 9 of the PDPL, transfer personal data of data subjects covered by this Policy to the following categories of persons:
- PIT business partners;
- PIT suppliers and their employees and officials;
- PIT product or service buyers and their employees and officials;
- Legally authorized public authorities and organizations;
- Legally authorized private legal persons.
The scope of the persons to whom the transfer is made and the purposes of data transfer are stated below.
PERSONS TO WHOM PERSONAL DATA CAN BE TRANSFERRED | DESCRIPTION | PURPOSE OF DATA TRANSFER |
Suppliers and Suppliers’ Employees/Officials | Parties that provide services to PIT on contract basis in accordance with the orders and instructions of PIT when conducting the commercial activities of PIT. | Limited data is transferred in order to ensure that PIT is provided with the services required to fulfil its commercial activities, which PIT outsources from the supplier. |
Product or Service Buyers and their Employees/Officials | Real persons who are an official or shareholder of the party that PIT provides services or products when carrying out its commercial activities. | Limited data is transferred in order to enable PIT to benefit from its commercial activities and to receive the necessary services from PIT. |
Legally Authorized Public Authorities and Organizations | Public institutions and organizations authorized to receive information and documents from PIT in accordance with the provisions of the relevant legislation. | Data is transferred limited with the purpose required by the relevant public institutions and organizations within their legal powers. |
Legally Authorized Private Legal Persons | Private legal persons authorized to receive information and documents from PIT in accordance with the provisions of the relevant legislation. | Data is transferred limited with the purpose required by the relevant private legal persons within their legal powers. |
Business Partners | Parties that PIT has established business partnerships with for purposes, such as carrying out various projects and receiving services in person or with other business partners, when conducting its commercial activities. | Data is transferred limited with the purpose of fulfilling of the purposes of establishment of the business partnership of Profen Defence Technologies Industry and Trade INC., Profen Engineering and Construction Industry and Trade INC., ICT Communication Industry and Trade INC. etc. |