Your choices are stored on this device.
Required for login, cart, security and storing your cookie choice. Always active.
Usage statistics that help us improve the site (Google Analytics). Without your consent these cookies are never loaded.
Used to show relevant offers and measure campaigns.
Remembers choices like language and theme.
PERSONAL DATA PROCESSING AND RETENTION POLICY
The Personal Data Protection Law No. 6698 ("KVKK" or the "Law") regulates the protection of fundamental rights and freedoms of individuals in the processing of personal data and the obligations, procedures and principles to be complied with by natural and legal persons processing personal data.
The protection of personal data is among the most important priorities of Geolifespirit Yazilim Elektronik Anonim Sirketi ("Company"). In order to inform personal data subjects, the principles adopted in the conduct of personal data processing activities carried out by our Company and the basic principles adopted in terms of compliance with the regulations under the KVKK are explained within the framework of the Personal Data Processing and Retention Policy ("Policy"). Being aware of our responsibility in this regard, your personal data is processed and protected within the scope of this Policy.
The main purpose of this Policy is to make explanations regarding the personal data processing activities carried out lawfully by the Company and the systems adopted for the retention of personal data, and to ensure transparency by informing the persons whose personal data is processed by our Company in this context.
This Policy relates to all personal data processed by our Company through fully or partially automated means, or through non-automated means provided that they are part of any data recording system.
The definitions used in this Policy are set out below:
| Explicit Consent: | Consent relating to a specific matter, based on information and expressed by free will. |
|---|---|
| Employee: | Natural person who is an employee of the Company. |
| Relevant Person: | Natural person whose personal data is processed. |
| Relevant User: | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data. |
| Relevant Person Application Form: | The application form to be used by relevant persons whose personal data is processed within the Company when exercising their rights set out in Article 11 of the Law. |
| Destruction: | Deletion, destruction or anonymization of personal data. |
| Law or KVKK: | Personal Data Protection Law No. 6698. |
| Recording Medium: | Any medium containing personal data processed through fully or partially automated means, or through non-automated means provided that they are part of any data recording system. |
| Personal Data: | Any information relating to an identified or identifiable natural person. |
| Processing of Personal Data: | Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, fully or partially through automated means or through non-automated means provided that they are part of any data recording system. |
| Anonymization of Personal Data: | Rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data. |
| Deletion of Personal Data: | Rendering personal data inaccessible and non-reusable in any way for Relevant Users. |
| Destruction of Personal Data: | The process of rendering personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
| Board: | Personal Data Protection Board. |
| Authority: | Personal Data Protection Authority. |
| Special Categories of Personal Data: | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. |
| Data Processor: | Natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
| Data Controller: | Natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Regulation: | Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on 28 October 2017 and entered into force. |
The relevant legal regulations in force regarding the processing and retention of personal data shall primarily apply. In case of any inconsistency between the applicable legislation and the Policy, our Company accepts that the applicable legislation shall apply.
The Policy has been prepared by concretizing the rules set forth by the relevant legislation within the scope of Company practices.
Our Company processes personal data in accordance with Article 20 of the Constitution and Article 4 of the KVKK, in line with the principles of: (i) compliance with law and good faith, (ii) accuracy and, where necessary, being up to date, (iii) processing for specific, explicit and legitimate purposes, (iv) being connected with, limited to and proportionate to the purpose, and (v) retention for the period prescribed under the relevant legislation or required for the purpose for which the data is processed.
Our Company processes personal data and special categories of personal data with the explicit consent of the relevant person or without the explicit consent of the relevant person in the cases set out in Articles 5 and 6 of the KVKK. Relevant persons are informed by our Company in accordance with Article 10 of the KVKK regarding personal data processing processes, and the necessary information is provided if the relevant person requests information.
Our Company acts in accordance with the regulations prescribed by law and set forth by the Board regarding the transfer of personal data in accordance with Articles 8 and 9 of the KVKK.
Processing of Personal Data in Accordance With the Principles Prescribed in the Legislation
Our Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and good faith in the processing of personal data. In this context, our Company takes into account the requirements of proportionality in the processing of personal data and processes personal data only to the extent required by the purpose and in a limited manner.
Our Company ensures that the personal data it processes is accurate and up to date by taking into account the fundamental rights of personal data subjects and its own legitimate interests. It takes the necessary measures and establishes appropriate mechanisms in this regard.
Our Company clearly and precisely determines the legitimate and lawful purpose of personal data processing. Our Company processes personal data within the scope of purposes connected with the service it provides.
Our Company processes personal data in a manner suitable for achieving the determined purposes and avoids processing personal data that is not related to or needed for achieving the purpose.
Our Company retains personal data for the period specified in the relevant legislation or required for the purpose for which it is processed. In this context, our Company first determines whether a period is prescribed under the relevant legislation for the retention of personal data; if a period is determined, it complies with that period; if no period is determined, it retains personal data for the period required for the purpose for which it is processed. Upon expiry of the period or the disappearance of the reasons requiring processing, personal data is deleted, destroyed or anonymized by our Company.
Unless the Board decides otherwise, the appropriate method among deletion, destruction or anonymization of personal data ex officio is selected by us. However, upon the request of the Relevant Person, the appropriate method will be selected by explaining the reason.
The protection of personal data is a constitutional right. Fundamental rights and freedoms may be limited only on the grounds specified in the relevant articles of the Constitution and only by law, without infringing upon their essence. Pursuant to paragraph three of Article 20 of the Constitution, personal data may be processed only in cases prescribed by law or with the explicit consent of the person. Our Company processes personal data within the framework of these rules.
The basis of a personal data processing activity may be only one of the conditions stated below, or more than one of these conditions may form the basis of the same personal data processing activity.
Although the legal grounds for the processing of personal data by our Company vary, all personal data processing activities are carried out in accordance with the general principles specified in Article 4 of the KVKK.
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must relate to a specific matter, be based on information and be expressed by free will.
For the processing purpose relating to the reasons for obtaining personal data, at least one of the conditions under subparagraphs (b), (c), (d), (e), (f), (g) and (h) of this heading is sought; if none of these conditions exist, these personal data processing activities are carried out by our Company based on the explicit consent of the personal data subject for such processing activities.
The personal data of the data subject may be processed lawfully if the processing of personal data is expressly provided for by law.
The personal data of the data subject may be processed if it is mandatory to process the personal data of a person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, in order to protect the life or bodily integrity of that person or another person.
Personal data may be processed if processing personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract.
The personal data of the data subject may be processed if processing is mandatory for our Company, as data controller, to fulfill its legal obligations.
If the personal data of the data subject has been made public by the data subject, the relevant personal data may be processed limited to the purpose of making it public.
The personal data of the data subject may be processed if processing is mandatory for the establishment, exercise or protection of a right.
The personal data of the data subject may be processed if processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
In accordance with the KVKK, special categories of personal data are processed by our Company in the following cases, provided that adequate measures to be determined by the Board are taken:
If the personal data subject has explicit consent, or
If the personal data subject does not have explicit consent, but;
Special categories of personal data other than health and sexual life,
in cases expressly provided for by laws,
Special categories of personal data relating to health and sexual life
are processed by persons under an obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing.
Our Company informs personal data subjects at the time personal data is obtained in accordance with Article 10 of the Law. In this context, relevant persons are informed about by whom personal data is processed as data controller, for what purposes it is processed, with whom and for what purposes it is shared, by which methods it is collected, its legal ground, and the rights of data subjects within the scope of the processing of their personal data.
Article 20 of the Constitution sets forth that everyone has the right to be informed about personal data concerning them. Accordingly, "requesting information" is also included among the rights of the personal data subject in Article 11 of the Law. In this context, our Company provides the necessary information if the personal data subject requests information in accordance with Article 20 of the Constitution and Article 11 of the Law.
Our Company may transfer the personal data and special categories of personal data of the personal data subject to third parties (business partner companies, third natural persons) by taking the necessary security measures in line with lawful personal data processing purposes. In this regard, our Company acts in accordance with the regulations set out in Article 8 of the KVKK.
Our Company may transfer personal data to third parties in line with legitimate and lawful personal data processing purposes, based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below and in a limited manner, with due care and by taking all necessary security measures, including the methods prescribed by the Board:
If the personal data subject has explicit consent,
If there is an express regulation in the laws regarding the transfer of
personal data,
If it is mandatory for the protection of the life or bodily integrity
of the personal data subject or another person and the personal data subject is unable to express consent due to actual impossibility or the consent is not legally valid;
If the transfer of personal data belonging to the parties to a contract
is necessary, provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for our Company to fulfill its
legal obligation,
If personal data has been made public by the personal data subject, in
a manner limited to the purpose of making it public,
If personal data transfer is mandatory for the establishment, exercise
or protection of a right,
If personal data transfer is mandatory for the legitimate interests of
our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
PURPOSES**
The following personal data of relevant persons is processed by our Company.
| PERSONAL DATA CATEGORIZATION | DESCRIPTION |
|---|---|
| Identity Information: | Name, surname, date of birth. |
| Contact Information: | Phone number, address, e-mail address. |
| User Information, User Transaction Information and Financial Information: | Membership information, membership ID number, data regarding the date and time you benefit from Company services, your reasons for contacting the Company, invoice and payment information, balance information (data such as invoice copies sent to the user and receipt copies of payments received from users, invoice number, invoice amount, invoice issuance date), reference code. |
| Transaction Security Information: | Membership/user information, password information. |
| Marketing Information: | Reports and evaluations showing your habits and preferences, targeting information, cookie records and similar information. |
| Request/Complaint Management Information: | Requests and complaints you submit through the Site and your comments shared on the Site. |
| Risk Management Information: | Information processed for the management of commercial, technical and administrative risks. |
| Visual and Audio Records: | Photo. |
Personal data is processed within our Company based on at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law and in a limited manner, in accordance with the general principles specified in the Law.
The purposes of processing personal data are:
Conducting Information Security Processes
Conducting Application Processes of Employee Candidates
Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
Conducting Fringe Benefits and Benefits Processes for Employees
Conducting Audit / Ethics Activities
Conducting Training Activities
Conducting Access Authorizations
Conducting Activities in Compliance With Legislation
Conducting Finance and Accounting Affairs
Conducting Assignment Processes
Follow-up and Conduct of Legal Affairs
Conducting Internal Audit / Investigation / Intelligence Activities
Conducting Communication Activities
Planning Human Resources Processes
Conducting / Auditing Business Activities
Conducting Goods / Services Procurement Processes
Conducting After-Sales Support Services for Goods / Services
Conducting Goods / Services Sales Processes
Conducting Customer Relationship Management Processes
Conducting Activities for Customer Satisfaction
Conducting Marketing Analysis Studies
Conducting Advertising / Campaign / Promotion Processes
Conducting Risk Management Processes
Conducting Retention and Archive Activities
Conducting Contract Processes
Follow-up of Requests / Complaints
Conducting Marketing Processes of Products / Services
Providing Information to Authorized Persons, Institutions and Organizations
Conducting Management Activities
In accordance with Article 12 of the Law, our Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in relation to personal data.
In this context, our Company takes the necessary administrative measures within its organization to ensure the required level of security in accordance with the guides published by the Board and carries out or has audits carried out. These audit results are reported to the relevant department within the internal functioning of the Company, and the necessary activities are carried out to improve the measures taken.
If processed personal data is obtained by others through unlawful means, our Company operates the system that ensures this situation is notified to the relevant personal data subject and the Board as soon as possible.
In accordance with Article 12 of the Law, our Company takes all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent unlawful processing of personal data it processes, prevent unlawful access to personal data and ensure the retention of personal data.
The technical measures taken by our Company to ensure lawful processing of personal data are listed below:
Network security and application security are ensured.
Key management is implemented.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
An authorization matrix has been created for employees.
Access logs are kept regularly.
The authorizations of employees whose duties change or who leave their employment are revoked in this area.
Up-to-date anti-virus systems are used.
Firewalls are used.
Personal data security is monitored.
Personal data is backed up and the security of backed-up personal data is also ensured.
User account management and authorization control systems are implemented and monitored.
Log records are kept in a manner that does not allow user intervention.
Intrusion detection and prevention systems are used.
Penetration testing is applied.
Cybersecurity measures have been taken and their implementation is continuously monitored.
Encryption is applied.
The administrative measures taken by our Company to prevent unlawful access to personal data are listed below:
Training and awareness activities on data security are carried out for employees at certain intervals.
The obligation to inform relevant persons is fulfilled.
Corporate policies on access, information security, use, retention and destruction have been prepared and implemented.
Confidentiality undertakings are executed.
Signed contracts contain data security provisions.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Necessary security measures are taken regarding entries and exits to physical environments containing personal data.
The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
The security of environments containing personal data is ensured.
Personal data is minimized as much as possible.
Existing risks and threats have been identified.
Internal periodic and/or random audits are carried out and caused to be carried out.
Protocols and procedures for the security of special categories of personal data have been determined and implemented.
Awareness of data processor service providers regarding data security is ensured.
Personal data belonging to relevant persons is securely retained by the Company in the environments listed in the table below, primarily in accordance with the KVKK provisions and relevant legislation and within the framework of international data security principles, in the environments included in the table below (Table 1).
(Table 1: Personal Data Recording Media Table)
<table> <colgroup> <col style="width: 50%" /> <col style="width: 50%" /> </colgroup> <thead> <tr class="header"> <th><strong>ELECTRONIC MEDIA</strong></th> <th><strong>NON-ELECTRONIC MEDIA</strong></th> </tr> </thead> <tbody> <tr class="odd"> <td><p>Environments where data is kept in technological devices such as computers and phones:</p> <ul> <li><p>Servers (domain, backup, e-mail, database, web, file sharing, etc.);</p></li> <li><p>Software;</p></li> <li><p>Information security devices;</p></li> <li><p>Personal computers (desktop, laptop);</p></li> <li><p>Mobile devices (phone, tablet, etc.);</p></li> <li><p>Optical disks and removable memories (CD, DVD, USB, external disk, etc.).</p></li> </ul></td> <td><p>Environments where data is kept by printing on paper or microfilms:</p> <ul> <li><p>Paper;</p></li> <li><p>Written, printed, visual media.</p></li> </ul></td> </tr> </tbody> </table>Personal data belonging to the relevant person is securely retained by the Company in the electronic or non-electronic environments listed above within the framework of the limits specified in the Law and other relevant legislation, especially for the purposes of (i) performing the contract, (ii) maintaining commercial activities, (iii) fulfilling legal obligations and (iv) managing customer relations, within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law.
The reasons requiring retention are as follows:
Retention because the retention of personal data is expressly provided for in the legislation,
Retention because personal data is directly related to the establishment and performance of contracts,
Retention depending on the fulfillment of any legal obligation that the Company is obliged to comply with,
Retention because personal data has been made public by the relevant person themselves,
Retention depending on the establishment, exercise or protection of a right,
Retention because it is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of persons,
Retention because the explicit consent of relevant persons exists in terms of retention activities that require obtaining the explicit consent of relevant persons.
Our Company first determines whether a period is prescribed under the relevant legislation for the retention of personal data. If a period is prescribed under the relevant legislation, it complies with that period; if no period is prescribed, it retains personal data for the period required for the purpose for which it is processed. If the purpose of processing personal data has ceased to exist and the retention periods stipulated by the relevant legislation and/or determined by our Company have expired, personal data may be retained only for the limitation periods prescribed by law for the purpose of constituting evidence in possible legal disputes, asserting the relevant right related to the personal data or establishing a defense. Personal data is not retained by our Company based on the possibility of future use.
The process-based retention and destruction periods determined by the Company are included in the table below (Table 2).
(Table 2: Process-Based Retention and Destruction Periods)
| PROCESS | RETENTION PERIOD1 | DESTRUCTION PERIOD |
|---|---|---|
| Personal Data Relating to Service Recipients | 10 years from the performance of the contract | In the first periodic destruction process following expiry of the retention period |
| Personal Data Relating to Employees | 10 years from the end of the contract | In the first periodic destruction process following expiry of the retention period |
| Personal Data Obtained Due to Contract Transactions | 10 years from the end of the contract | In the first periodic destruction process following expiry of the retention period |
| All Personal Data Relating to Accounting and Financial Transactions | 10 years from the year following the year in which it was received | In the first periodic destruction process following expiry of the retention period |
| Personal Data Relating to IP Addresses | 3 years from the date received | In the first periodic destruction process following expiry of the retention period |
Your data retained within the scope of the Law will be retained for the maximum period specified under the relevant legislation or required for the purpose for which it is processed and, in any event, for the statutory limitation periods. As regulated under Article 138 of the Turkish Penal Code and Article 7 of the Law, although processed in accordance with the relevant legal provisions, personal data will be deleted, destroyed or anonymized ex officio or upon your request if the reasons requiring its processing cease to exist, under the conditions determined pursuant to the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224 and pursuant to this regulation.
The deletion, destruction and anonymization techniques most commonly used by the Company are listed below.
<table> <colgroup> <col style="width: 21%" /> <col style="width: 78%" /> </colgroup> <thead> <tr class="header"> <th colspan="2"><strong>DELETION OF PERSONAL DATA</strong></th> </tr> </thead> <tbody> <tr class="odd"> <td><strong>METHOD</strong></td> <td><strong>DESCRIPTION</strong></td> </tr> <tr class="even"> <td><strong>Secure Deletion From Software</strong></td> <td><p>When deleting data processed fully or partially by automated means and retained in digital environments, methods are used to delete the data from the relevant software in a manner that makes it inaccessible and non-reusable for Relevant Users.</p> <p>Deleting the relevant data in the software system by issuing a delete command; removing the access rights of the relevant user on the file located on the central server or the directory where the file is located; deleting the relevant rows in databases with database commands; or deleting the data contained in portable media, namely flash media, using appropriate software may be considered within this scope.</p> <p>However, if deletion of personal data results in other data also being inaccessible and unusable within the system, personal data will also be deemed deleted if it is archived in a manner that cannot be associated with the relevant person, provided that the following conditions are met.</p> <ul> <li><p>It is closed to access by any other institution, organization or person,</p></li> <li><p>All necessary technical and administrative measures are taken to ensure that personal data can be accessed only by authorized persons.</p></li> </ul></td> </tr> <tr class="odd"> <td><strong>Redaction of Personal Data in Paper Media</strong></td> <td>This is the method of physically cutting the relevant personal data out of the document or making it invisible and covering it with permanent ink in a way that cannot be reversed or read by technological solutions, in order to prevent the use of personal data for purposes other than the intended purpose or to delete the data requested to be deleted.</td> </tr> </tbody> </table> <table> <colgroup> <col style="width: 21%" /> <col style="width: 78%" /> </colgroup> <thead> <tr class="header"> <th colspan="2"><strong>DESTRUCTION OF PERSONAL DATA</strong></th> </tr> </thead> <tbody> <tr class="odd"> <td><strong>METHOD</strong></td> <td><strong>DESCRIPTION</strong></td> </tr> <tr class="even"> <td><strong>Physical Destruction</strong></td> <td><p>Documents kept in non-electronic media are destroyed with document shredders in a manner that prevents them from being reassembled.</p> <p>This is the physical destruction of optical and magnetic media containing personal data in electronic environments, such as melting, burning or pulverizing them. Data is made inaccessible by operations such as melting, burning, pulverizing optical or magnetic media or passing it through a metal grinder.</p></td> </tr> </tbody> </table> <table> <colgroup> <col style="width: 100%" /> </colgroup> <thead> <tr class="header"> <th><strong>ANONYMIZATION OF PERSONAL DATA</strong></th> </tr> </thead> <tbody> <tr class="odd"> <td><p><strong>Variable Removal:</strong> With the method of removing descriptive data, after the collected data is brought together, the "highly descriptive" variables in the created data set are removed and the existing data set is anonymized. For example, anonymization is achieved by removing data groups such as the names, surnames and residence information of persons who are highly descriptive.</p> <p><strong>Record Removal:</strong> In the record removal method, data rows containing uniqueness among the data are removed from the records, thereby anonymizing the retained data. For example, if there is only one senior manager in a company, the remaining data can be anonymized by removing the data belonging to this person from records where the seniority, salary and gender data of employees at the same level are kept.</p> <p><strong>Regional Masking:</strong> In the regional masking method, if a single data item has a determining nature because it creates a very rarely visible combination, masking the relevant data provides anonymization. For example, if only one person among the relevant data controllers in the company's department list is 65 years old, writing "Unknown" instead of "Age:65" or leaving this part blank in a data set where age, gender and health status information regarding whether the person can play football is kept together will provide anonymization.</p> <p><strong>Generalization:</strong> With the data aggregation method, many data items are aggregated and personal data is rendered impossible to associate with any person. For example, presenting that there are Z employees at age X without showing the ages of employees one by one.</p> <p><strong>Global Coding:</strong> With the data derivation method, more general content is created from the content of personal data and the personal data is rendered impossible to associate with any person. For example, specifying ages instead of employees' dates of birth, or specifying the region of residence instead of the full address.</p></td> </tr> </tbody> </table>Our Company informs the personal data subject of the categories of persons to whom personal data is transferred in accordance with Article 10 of the Law.
Our Company may transfer personal data processed in accordance with Articles 8 and 9 of the Law to the following categories of persons:
Company business partners,
Company customers,
Company shareholders,
Legally authorized public institutions and organizations,
Legally authorized private law persons.
| Persons to Whom Data May Be Transferred | Definition | Purpose of Data Transfer |
|---|---|---|
| Business Partner | Refers to the parties with whom our Company establishes business partnerships while carrying out its commercial activities, for purposes such as sale, promotion and marketing of our Company's products and services, after-sales support and conducting joint customer loyalty programs. | Limited to ensuring the fulfillment of the purposes for which the business partnership was established. |
| Customer | Refers to natural or legal persons to whom the Company provides services and products while carrying out its commercial activities. | Limited to ensuring the provision of the products and services offered by our Company to its customers. |
| Our Shareholders | Our shareholders who are authorized under the relevant legislation to design strategies and audit activities relating to the Company's commercial activities. | Limited to the purposes of designing strategies and conducting audits regarding our Company's commercial activities in accordance with the relevant legislation. |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to obtain information and documents from our Company under the relevant legislation. | Limited to the purpose requested by the relevant public institutions and organizations within their legal authority. |
| Legally Authorized Private Law Persons | Private law persons authorized to obtain information and documents from our Company under the relevant legislation. | Limited to the purpose requested by the relevant private law persons within their legal authority. |
Our Company informs the personal data subject of their rights in accordance with Article 10 of the Law, guides the personal data subject on how to exercise these rights, and carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the Law for the evaluation of the rights of personal data subjects and the provision of the necessary information to personal data subjects.
RIGHTS OF THE DATA SUBJECT AND EXERCISE OF THESE RIGHTS
Personal data subjects have the following rights:
To learn whether personal data is processed,
To request information if personal data has been processed,
To learn the purpose of processing personal data and whether such
data is used in accordance with its purpose,
To know the third parties to whom personal data is transferred in
Turkiye or abroad,
To request correction of personal data if it is incomplete or
inaccurate and to request that the transaction carried out in this respect be notified to third parties to whom personal data has been transferred,
To request deletion or destruction of personal data if the reasons
requiring its processing cease to exist, although it has been processed in accordance with the KVKK and other relevant laws, and to request that the transaction carried out in this respect be notified to third parties to whom personal data has been transferred,
To object to the occurrence of a result against the person by
analyzing the processed data exclusively through automated systems,
To request compensation for damages in case of loss due to unlawful
processing of personal data.
Since the following cases are excluded from the scope of the Law pursuant to Article 28 of the KVKK, personal data subjects cannot assert their rights in these matters:
Processing of personal data for purposes such as research, planning
and statistics by anonymizing it with official statistics.
Processing of personal data for artistic, historical, literary or
scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.
Processing of personal data within the scope of preventive,
protective and intelligence activities carried out by public institutions and organizations authorized and assigned by law to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or enforcement
authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to Article 28/2 of the Law, in the following cases, personal data subjects cannot assert their other rights except the right to request compensation for damages:
Processing of personal data is necessary for the prevention of crime
or criminal investigation.
Processing of personal data made public by the personal data subject
themselves.
Processing of personal data is necessary for the performance of
supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations having the nature of public institutions, based on the authority granted by law.
Processing of personal data is necessary for the protection of the
economic and financial interests of the State in relation to budget, tax and financial matters.
Personal data subjects may submit their requests regarding the rights listed in this section to the Company by filling out the "Relevant Person (Personal Data Subject) Application Form" through the methods determined by the Board. The application method is also explained in detail in this form.
It is not possible for third parties to make requests on behalf of personal data subjects. In order for a person other than the personal data subject themselves to make a request, there must be a special power of attorney issued by the personal data subject in the name of the person who will make the application.
Pursuant to Article 14 of the KVKK, in cases where the application is rejected, the response given is found insufficient, or no response is given to the application within the prescribed period, the personal data subject may file a complaint with the Board within thirty days from the date they learn of our Company's response and, in any event, within sixty days from the application date.
THE COMPANY'S RESPONSE TO APPLICATIONS
If the personal data subject submits their request to our Company in accordance with the procedure stated above, our Company will finalize the relevant request free of charge as soon as possible and in any event within thirty days, depending on the nature of the request.
However, if the transaction requires an additional cost, the fee in the tariff determined by the Board will be charged by our Company to the applicant.
Our Company may request information from the relevant person in order to determine whether the applicant is the personal data subject.
Our Company may ask the personal data subject questions regarding their application in order to clarify the matters included in the application of the personal data subject.
Our Company may reject the application of the applicant by explaining the reason in the following cases:
Processing of personal data for purposes such as research, planning
and statistics by anonymizing it with official statistics.
Processing of personal data for artistic, historical, literary or
scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.
Processing of personal data within the scope of preventive,
protective and intelligence activities carried out by public institutions and organizations authorized and assigned by law to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or enforcement
authorities in relation to investigation, prosecution, trial or execution proceedings.
Processing of personal data is necessary for the prevention of crime
or criminal investigation.
Processing of personal data made public by the personal data subject
themselves.
Processing of personal data is necessary for the performance of
supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations having the nature of public institutions, based on the authority granted by law.
Processing of personal data is necessary for the protection of the
economic and financial interests of the State in relation to budget, tax and financial matters.
The request of the personal data subject is likely to prevent the
rights and freedoms of other persons.
Requests requiring disproportionate effort have been made.
The requested information is publicly available information.
One of the cases excluded from the scope under the Law exists.
The relevant retention periods may be updated by the Company where necessary. ↩