Promat Academy
PDPL
Document Name: PROMAT BASIM YAYIN SAN. VE TİC. A.Ş. Personal Data Protection and Processing Policy
Prepared by: PROMAT BASIM YAYIN SAN. VE TİC. A.Ş.
Version: 1.0
Effective Date: 15.06.2020
1. Personal Data Processing and Protection Policy
1.1. Introduction
As PROMAT BASIM YAYIN SAN. VE TİC. A.Ş. (“Company”), we attach utmost importance to the processing and protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”) and we act with this care in all our planning and activities. With this awareness, we hereby present this Policy on Processing and Protection of Personal Data (“Policy”) for your information in order to fulfill the obligation of disclosure under Article 10 of the Law and to inform you of all administrative and technical measures we take within the scope of processing and protection of personal data.
1.2. Purpose of the Policy
The main purpose of this Policy is to make explanations about the systems for the processing and protection of personal data in accordance with the law and the purpose of the Law, and in this context, to inform the persons whose personal data are processed by our Company, especially Company Stakeholders, Company Authorities, Business Partners, Suppliers, Supplier Employees, Legal Entities from whom we Purchase Services, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all rights of personal data owners arising from the legislation on personal data.
1.3. Scope of the Policy and Personal Data Owners
This Policy has been prepared for the persons whose personal data are processed by our Company through automated or non-automated means provided that they are part of any data recording system, including Company Stakeholders, Company Officials, Business Partners, Suppliers, Supplier Employees, Legal Entities from whom we Purchase Services, Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties, and will be applied within the scope of these specified persons. This Policy will not be applied to legal entities and legal entity data in any way as required by the Law.
Our Company informs the Personal Data Subjects about the Law by publishing this Policy on its website. For the employees of our Company, “Personal Data Processing Policy for Employees” will be applied. This Policy will not be applied if the data does not fall within the scope of “Personal Data” as specified below, or if the Personal Data processing activity carried out by our Company is not performed in the ways mentioned above.
- Company Stakeholder: Real persons who are stakeholders of the Company.
- Company Real Person Business Partner: Real persons with whom the Company has all kinds of business relations.
- Stakeholder, Official, Employee of the Company’s Business Partners: All real persons, including employees, Stakeholders and officials of real and legal persons (such as business partners, suppliers) with whom the Company has all kinds of business relations.
- Employee Candidate: Natural persons who have applied for a job to the Company by any means or who have opened their resume and related information to the Company’s review.
- Employee: Natural persons who have an employment contract with the Company within the scope of the Labor Law.
- Company Customer: Natural persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
- Potential Customer: Natural persons who have requested or shown an interest in using the Company’s products and services, or who have been assessed, in accordance with commercial custom and the rules of honesty, as possibly having such an interest.
- Visitor: All real persons who enter the physical premises owned by the Company for various purposes or visit the websites for any purpose.
- Third Party: Other natural persons who are not included in the scope of the Personal Data Protection and Processing Policy prepared for Company Employees and who are not included in any personal data owner category in this Policy.
- Supplier Official: Authorized persons belonging to the main employer or sub-employer in the main employer and sub-employer relations we work with.
- Supplier Employee: Employees of the principal employer or sub-employer in the principal employer and sub-employer relationships we work with.
Our Company | PROMAT BASIM YAYIN SAN. VE TİC. A.Ş. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Sensitive Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
Processing of Personal Data | Any operation performed on Personal Data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
Personal Data Owner/Related Person | Company Stakeholders and Employees, Company Business Partners, Company Authorities, Employee Candidates, Visitors, Company Customers, Potential Customers, Third Parties and persons whose personal data are processed by the Company. |
Data Recording System | It refers to the registration request where personal data is structured and processed according to certain criteria. |
Data Controller | The natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. |
Explicit Consent | It is consent on a specific subject, based on information and expressed with free will. |
Anonymization | It is the process of making the data previously associated with a person impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data. |
Law | Law No. 6698 on the Protection of Personal Data. |
KVK Board | Personal Data Protection Board. |
1.5. Enforcement of the Policy
This Policy, which is issued by the Company and entered into force on the date of its publication, is published on the Company’s website (www.promat.com.tr) and made available to the relevant persons upon the request of the Personal Data Owners.
2. PROCESSING AND TRANSFER OF PERSONAL DATA
2.1. General Principles for Processing Personal Data
Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts in accordance with the following principles when processing Personal Data:
- Personal Data is processed in accordance with the relevant legal rules and the requirements of the rule of good faith.
- It is ensured that Personal Data is accurate and up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered.
- Personal Data is processed for specific, explicit and legitimate purposes. The legitimate purpose means that the Personal Data processed by the Company is related to and necessary for the business or service provided by the Company.
- Personal Data is processed to the extent that it is related to the purposes determined by the Company, and the processing of Personal Data that is not related to the realization of the purpose or is not needed is avoided. The Company limits the processed data only to what is necessary for the realization of the purpose. Personal Data processed within this scope are relevant, limited and proportionate to the purpose for which they are processed.
- If there is a period stipulated in the relevant legislation for the storage of data, the Company complies with these periods; otherwise, it retains Personal Data only for the period required for the purpose for which they are processed. In the event that there is no valid reason for further retention of Personal Data, such data shall be deleted, destroyed or anonymized.
2.2. Terms of Processing Personal Data
The Company does not process Personal Data without the explicit consent of the data subject. In the presence of one of the following conditions, Personal Data may be processed “without seeking the explicit consent of the data subject”:
- The Company may process the Personal Data of Personal Data Owners in cases expressly stipulated in the laws even without explicit consent. For example, there is no need for explicit consent in the fulfillment of legislative obligations.
- Personal Data may be processed without explicit consent in order to protect the life or physical integrity of persons who are unable to disclose their consent due to actual impossibility or whose consent cannot be recognized as valid, or of another person. For example, in a situation where the person is unconscious or mentally ill and his/her consent is not valid, the Personal Data of the Personal Data Owner may be processed during medical intervention in order to protect his/her life or body integrity. In this context, data such as blood type, previous diseases and surgeries, and medications used can be processed through the relevant health system.
- Provided that it is directly related to the establishment or performance of a contract by the Company, Personal Data of the parties to the contract may be processed. For example, information such as the account number and IBAN of the creditor party may be obtained in order to pay the money in accordance with a contract concluded.
- The Company may process the Personal Data of Personal Data Owners if it is mandatory in order to fulfill its legal obligations as a data controller.
- The Company may process the Personal Data of Personal Data Owners made public by the Company itself, in other words, the Personal Data disclosed to the public in any way, since the legal benefit to be protected has disappeared.
- The Company may process the Personal Data of Personal Data Owners without seeking explicit consent in cases where data processing is mandatory for the exercise or protection of a legitimate right.
- The Company may process the Personal Data of Personal Data Owners in cases where the processing of Personal Data is mandatory for the provision of legitimate interests, provided that it does not harm the fundamental rights and freedoms of Personal Data Owners protected under the Law and Policy. The Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of Personal Data Owners.
2.3. Conditions for Processing Sensitive Personal Data
The Company does not process Sensitive Personal Data without the explicit consent of the data subject. However, Personal Data other than health and sexual life may be processed without the explicit consent of the person concerned in cases stipulated by law. Personal Data relating to health and sexual life are processed by the Company without seeking the explicit consent of the data subject only for the protection of public health, preventive medicine, medical diagnosis and treatment and care services, planning and management of health services and financing, under the conditions that we are under the obligation of confidentiality. The Company carries out the necessary procedures to take adequate measures determined by the Board in the processing of Special Categories of Personal Data.
2.4. Conditions for Transfer of Personal Data
Our Company may transfer Personal Data and Sensitive Personal Data of Personal Data Owners to third parties in accordance with the Law by establishing the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Our Company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, in line with its legitimate and lawful Personal Data processing purposes, our Company may transfer Personal Data to third parties based on and limited to one or more of the following Personal Data processing conditions specified in Article 5 of the Law:
- If there is explicit consent of the Personal Data owner,
- If there is a clear regulation in the laws regarding the transfer of Personal Data,
- If it is mandatory for the protection of the life or physical integrity of the Personal Data owner or someone else, and the Personal Data owner is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid,
- If it is necessary to transfer Personal Data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- If Personal Data transfer is mandatory for our Company to fulfill its legal obligation,
- If the Personal Data has been made public by the Personal Data owner,
- If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,
- If the transfer of Personal Data is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data owner.
2.4.1. Conditions for Transferring Personal Data Abroad
Our Company does not transfer Personal Data and Sensitive Personal Data of Personal Data Subjects to third parties abroad in line with the purposes of Personal Data processing. The situation in the context of projects that may be taken in the future in this regard is mentioned in 2.5.1 in the context of both Personal Data and Sensitive Personal Data.
2.5. Conditions for Transfer of Sensitive Personal Data
Our Company does not currently transfer any of the personal data it processes abroad. However, where projects the Company undertakes in the future so require, and after making the relevant changes in accordance with the KVK Law and Board decisions, exercising the necessary care, and taking the necessary security measures and the adequate measures stipulated by the KVK Board, the Personal Data Owner’s Sensitive Personal Data may be transferred, in line with legitimate and lawful Personal Data processing purposes, to foreign countries where the data controller has adequate protection or undertakes adequate protection, in the following cases:
(i) In case of explicit consent of the Personal Data Owner, or
(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Owner:
- Sensitive Personal Data other than data on the health and sexual life of the Personal Data Owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data), in cases stipulated by law,
- Sensitive Personal Data related to the health and sexual life of the Personal Data Owner, only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.
2.5.1. Transfer of Sensitive Personal Data Abroad
Our Company does not currently transfer any of the personal data it processes abroad. However, where projects the Company undertakes in the future so require, and after making the relevant changes in accordance with the KVK Law and Board decisions, exercising the necessary care, and taking the necessary security measures and the adequate measures stipulated by the KVK Board, the Personal Data Owner’s Sensitive Personal Data may be transferred, in line with legitimate and lawful Personal Data processing purposes, to foreign countries where the data controller has adequate protection or undertakes adequate protection, in the following cases:
(i) In case of explicit consent of the Personal Data Owner, or
(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Owner:
- Sensitive Personal Data other than data on the health and sexual life of the Personal Data Owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data), in cases stipulated by law,
- Sensitive Personal Data related to the health and sexual life of the Personal Data Owner, only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.
3. CLASSIFICATION OF PERSONAL DATA, PURPOSES OF PROCESSING AND TRANSFER, PERSONS TO WHOM PERSONAL DATA WILL BE TRANSFERRED
3.1. Classification of Personal Data
Personal Data Category | Explanation |
Identity Information | Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; containing information about the identity of the person; documents such as driver’s license, identity card and passport containing information such as name-surname, Turkish ID number, nationality information, mother’s name-father’s name, place of birth, date of birth, gender, and information such as tax number, Social Security number, signature information, vehicle license plate, etc. |
Contact Information | Information such as telephone number, address, e-mail address, fax number, IP address, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system. |
Location Data | Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; information that determines the location of the Personal Data Owner within the framework of the operations carried out by the business units of the Company, during the use of the products and services of the group companies or while using the Company vehicles by the employees of the institutions with which it cooperates; GPS location, travel data, |
Transaction Security Information | Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company while conducting the Company’s activities. For example, IP address information, website login and exit information, password and password information, |
Family Members and Relatives | Information about the Personal Data Owner’s family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in case of emergency within the framework of the operations carried out by the Company’s business units, related to the products and services offered by the group companies or in order to protect the legal and other interests of the Company and the Personal Data Owner, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system. |
Physical Space Security Information | Personal data relating to records and documents, which are clearly belonging to an identified or identifiable natural person; processed partially or wholly automatically or non-automatically as part of a data recording system; records and documents taken at the entrance to the physical space, during the stay in the physical space; camera records, fingerprint records and records taken at the security point, |
Financial Information | Data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information and personal data processed in relation to information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company with the Personal Data Owner, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system. |
Audio/Visual Information | Photographs and camera recordings (excluding recordings within the scope of Physical Space Security Information), voice recordings and data contained in documents that are copies of documents containing personal data, which clearly belong to an identified or identifiable natural person. |
Personal Information | Any personal data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; processed to obtain information that will be the basis for the formation of the personal rights of natural persons who are in a working relationship with the Company. |
Legal Process Knowledge | Data processed within the scope of the determination and follow-up of the Company’s legal receivables and rights and the performance of its debts and its legal obligations. |
Risk Management | Information processed for the management of commercial, technical, administrative risks, |
Sensitive Personal Data | Data specified in Article 6 of the Law (e.g. health data, including blood type, biometric data, religion and membership of associations), which clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system. |
Request/Complaint Management Information | Personal data clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; Personal data regarding the receipt and evaluation of any request or complaint addressed to the Company. |
Within the Company, personal data in the categories specified below are processed by informing the relevant persons in accordance with Article 10 of the Law, in line with the legitimate and lawful personal data processing purposes of the Company, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law, in compliance with the general principles specified in the Law (especially the principles specified in Article 4 regarding the processing of personal data) and all obligations set out in the Law, and limited to the subjects within the scope of this Policy. This section also states which data subjects the personal data processed in these categories relate to within the scope of this Policy. The types of Personal Data of the Personal Data Owners specified in Article (1.3.) of Section 1 of the Policy are specified as follows:
Data Category – Data Subject Person Group
1-Identity
- Employee Candidate
- Employee
- Shareholder/Partner
- Intern
- Supplier Officer
- Product or Service Recipient
2-Communication
- Employee Candidate
- Employee
- Shareholder/Partner
- Intern
- Supplier Officer
- Product or Service Recipient
3-Location
- Employee
4-Personnel
- Employee Candidate
- Employee
- Intern
5-Legal Action
- Employee
- Shareholder/Partner
- Supplier Officer
- Product or Service Recipient
6-Customer Transaction
- Potential Product or Service Buyer
- Supplier Officer
- Product or Service Recipient
7-Physical Space Security
- Employee Candidate
- Employee
- Shareholder/Partner
- Potential Product or Service Buyer
- Intern
- Supplier Officer
- Product or Service Recipient
8-Transaction Security
- Employee
- Shareholder/Partner
11-Vocational Experience
- Employee Candidate
- Employee
- Intern
12-Marketing
- Supplier Officer
- Product or Service Recipient
13-Visual and Audio Recordings
- Employee Candidate
- Employee
- Shareholder/Partner
- Intern
- Supplier Officer
- Product or Service Recipient
21-Health Information
- Employee Candidate
- Employee
- Intern
23-Criminal Conviction and Security Measures
- Employee
24-Biometric Data
- Employee
3.2. Purposes of Processing and Transferring Personal Data
Personal Data is processed, in accordance with the law and the purpose of the Law, for the following purposes:
- Optimal planning and implementation of human resources policies,
- Proper planning, execution and management of commercial partnerships and strategies,
- Ensuring the legal, commercial and physical security of itself and its business partners,
- Ensuring corporate functioning, planning and execution of management and communication activities,
- Ensuring that the Personal Data Subjects benefit from the products and services in the best way possible and recommending them by customizing them according to their demands, needs and requests,
- Ensuring the highest level of data security,
- Creation of databases,
- Improvement of the services offered on the website and elimination of errors on the website,
- Contacting the Personal Data Subjects who submit their requests and complaints to it and ensuring the management of requests and complaints,
- Event management,
- Management of relationships with business partners or suppliers,
- Execution of personnel recruitment processes,
- Supporting the personnel recruitment processes of Group Companies and compliance with relevant legislation,
- Supporting the planning and execution of the fringe benefits and benefits to be provided to the Company and its senior executives,
- Assisting in the realization of partnership law transactions,
- Execution/follow-up of financial reporting and risk management processes,
- Execution/follow-up of company legal affairs,
- Carrying out activities to protect its reputation,
- Managing investor relations,
- Providing information to authorized institutions due to legislation,
- Creation and follow-up of visitor records,
- Carrying out management activities,
- To ensure the execution of the transactions to be carried out in accordance with the contract,
- Identification of risk factors,
- Execution of financial processes,
- Realization of objectives such as marketing and customer satisfaction,
- Implementation of Occupational Health and Safety measures and obligations.
Processing for these purposes is limited to the purposes of the Law, within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law. In the event that the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, your explicit consent is obtained by the Company regarding the relevant processing process.
3.3. Persons to whom Personal Data will be Transferred
Your Personal Data may be transferred to the categories of persons listed below, which are governed by the Policy in accordance with the law and the purpose of the Law, for the following purposes:
Persons to whom data can be transferred | Data Transfer Purpose |
Legally Authorized Public Institutions and Organizations, Shareholders, Internal Audit Firm, | It can be transferred limited to the purpose requested by the relevant public institutions and organizations, shareholders and internal audit firm within the legal authority. |
Legally Authorized Private Law Persons | It may be transferred limited to the purpose requested by the relevant private law persons, such as banks, within the scope of its legal authority in accordance with the provisions of the legislation. |
4. METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA, DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA AND STORAGE PERIOD
4.1. Method and Legal Grounds for Collecting Personal Data
For the purpose of checking compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates its scope, Personal Data is collected in all kinds of verbal, written and electronic media, by technical and other methods, and through various means such as the call center, Company website and mobile application. It is collected within the framework of legislation, contract, request and optional legal reasons, in order to fulfill the responsibilities arising from the law and the purposes set out in the Policy, and is processed by the Company or data processors assigned by the Company.
4.2. Deletion, Destruction or Anonymization of Personal Data
Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, the Company deletes, destroys or anonymizes Personal Data ex officio or upon the request of the data owner in the event that the reasons requiring its processing disappear, although it has processed it in accordance with the provisions of this Law and other laws. With the deletion of Personal Data, this data is destroyed in such a way that it cannot be used and recovered in any way again. Accordingly, Personal Data is irreversibly deleted from the documents, files, CDs, diskettes, hard disks, etc. in which they are stored. Destruction of Personal Data, on the other hand, refers to the destruction of materials suitable for storing data such as documents, files, CDs, diskettes, hard disks, etc. in which the data is recorded in such a way that the information cannot be recovered and used again. Anonymization of data means making Personal Data impossible to be associated with an identified or identifiable natural person even if it is matched with other data.
4.3. Retention Period of Personal Data
If a retention period is stipulated in the legislation, the Company stores Personal Data for that period. If the legislation does not regulate how long personal data should be kept, Personal Data is processed for the period required by the Company’s practices and the customs of commercial life, depending on the activity carried out by the Company while processing that data, and is then deleted, destroyed or anonymized.
If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Company have come to an end; personal data may only be stored for the purpose of constituting evidence in possible legal disputes or for the assertion or defense of the relevant right related to personal data. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples in the requests previously addressed to the Company on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.
5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the Personal Data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and conducts or has the necessary audits carried out within this scope.
5.1. Ensuring the Security of Personal Data
5.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The Company takes technical and administrative measures to ensure that Personal Data is processed in accordance with the law, according to technological possibilities and cost of implementation.
(i) Technical Measures Taken to Ensure Lawful Processing of Personal Data
The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:
- Personal Data processing activities carried out within the Company are audited by the technical systems established.
- The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
- Personnel knowledgeable in technical issues are employed.
(ii) Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The main Administrative Measures taken by the Company to ensure the lawful processing of Personal Data are listed below:
- Employees are informed and trained on the law on the protection of Personal Data and the processing of Personal Data in accordance with the law.
- All activities carried out by the Company are analyzed in detail specific to all business units, and as a result of this analysis, Personal Data processing activities are revealed specific to the activities carried out by the relevant business units.
- For the Personal Data processing activities carried out by the business units of the Company, the requirements to be fulfilled in order to ensure that these activities comply with the Personal Data processing conditions required by the Law are determined specifically for each business unit and the detailed activity it carries out.
- In order to ensure the legal compliance requirements determined on a business unit basis, awareness is raised and implementation rules are determined for the relevant business units; the necessary administrative measures to ensure the supervision of these issues and the continuity of the implementation are implemented through internal policies and trainings.
- The contracts and documents governing the legal relationship between the Company and the employees include records that impose the obligation not to process, disclose and use Personal Data, except for the Company’s instructions and exceptions imposed by law, and the obligations arising from the Law are fulfilled by raising employee awareness and conducting audits.
5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and cost of implementation in order to prevent imprudent or unauthorized disclosure, access, transfer or any other unlawful access to Personal Data.
(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data
The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:
- Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.
- Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.
- Access authorizations are limited and authorizations are regularly reviewed.
- The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.
- Software and hardware including virus protection systems and firewalls are installed.
- Technically knowledgeable personnel are employed.
- Security scans are regularly performed to identify security vulnerabilities in applications where Personal Data is collected. It is ensured that the vulnerabilities found are closed.
(ii) Administrative Measures to Prevent Unlawful Access to Personal Data
The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:
- Employees are trained on the technical measures to be taken to prevent unlawful access to Personal Data.
- Personal Data access and authorization processes are designed and implemented within the Company in accordance with the legal compliance requirements for processing Personal Data on a business unit basis.
- Employees are informed that they cannot disclose the Personal Data they have learned to anyone else in violation of the provisions of the Law and cannot use it for purposes other than processing, and that this obligation will continue after they leave their duties, and necessary commitments are obtained from them in this direction.
- In the contracts concluded by the Company with the persons to whom Personal Data are transferred in accordance with the law, provisions are added that the persons to whom Personal Data are transferred will take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.
5.1.3. Storage of Personal Data in Secure Environments
The Company takes the necessary technical and administrative measures according to technological possibilities and implementation cost in order to store Personal Data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.
(i) Technical Measures Taken to Store Personal Data in Secure Environments
The main technical measures taken by the Company to store Personal Data in secure environments are listed below:
- Systems in accordance with technological developments are used to store Personal Data in secure environments.
- Personnel specialized in technical issues are employed.
- Technical security systems are installed for storage areas, security tests and researches are conducted to identify security vulnerabilities on information systems, and existing or potential risk issues identified as a result of the tests and researches are eliminated. The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism.
- Backup programs are used in accordance with the law to ensure the safe storage of Personal Data.
- Access to the environments where Personal Data is kept is restricted and only authorized persons are allowed to access this data, limited to the purpose for which the personal data is stored; access to the data storage areas where Personal Data is stored is logged, and inappropriate access or access attempts are instantly communicated to those concerned.
(ii) Administrative Measures Taken to Store Personal Data in Secure Environments
The main administrative measures taken by the Company to store Personal Data in secure environments are listed below:
- Employees are trained to ensure that Personal Data is stored securely.
- Legal and technical consultancy services are obtained in order to follow the developments in the field of information security, privacy and protection of personal data and to take necessary actions.
- In the event that an external service is obtained by the Company due to technical requirements for the storage of Personal Data, the contracts concluded with the relevant companies to which Personal Data is transferred in accordance with the law include provisions stating that the persons to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.
5.1.4. Supervision of Measures Taken for the Protection of Personal Data
In accordance with Article 12 of the Law, the Company conducts or has the necessary audits performed within its own organization. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Company and necessary activities are carried out to improve the measures taken.
5.1.5. Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data
The Company operates a system that ensures that if the Personal Data processed in accordance with Article 12 of the Law is obtained by others illegally, this situation is notified to the relevant Personal Data Owner and the PDP Board as soon as possible. If deemed necessary by the PDP Board, this situation may be announced on the website of the PDP Board or by another method.
5.2. Observing the Legal Rights of Personal Data Subjects
The Company observes all legal rights of Personal Data Owners with the implementation of the Policy and the Law and takes all necessary measures to protect these rights. Detailed information on the rights of Personal Data Owners is provided in the sixth section of this Policy.
5.3. Protection of Special Categories of Personal Data
The Law attributes special importance to certain Personal Data due to the risk of causing victimization and/or discrimination when processed unlawfully. These data are: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. The Company shows maximum sensitivity to the protection of special quality Personal Data, which is determined as “special quality” by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are implemented with the utmost care in terms of Special Categories of Personal Data and the necessary audits are provided within the Company in this regard.
6. RIGHTS OF THE PERSONAL DATA OWNER, EXERCISE AND EVALUATION OF RIGHTS
6.1. Informing the Personal Data Owner
In accordance with Article 10 of the Law, the Company informs Personal Data Owners during the acquisition of Personal Data. In this context, the Company provides information on the identity of the Company representative, if any, the purpose for which Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method and legal reason for collecting Personal Data and the rights of the Personal Data Owner.
6.2. Rights of the Personal Data Owner in accordance with the PDP Law
Pursuant to Article 10 of the Law, the Company informs you of your rights, provides guidance on how to exercise such rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. Pursuant to Article 11 of the Law, the Company notifies the persons whose Personal Data is received that they have the following rights:
- To learn whether Personal Data is processed or not,
- To request information if their Personal Data has been processed,
- To learn the purpose of processing Personal Data and whether they are used in accordance with their purpose,
- To know the third parties to whom Personal Data is transferred domestically or abroad,
- To request correction of Personal Data in case of incomplete or incorrect processing,
- To request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
- To request notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law to third parties to whom personal data are transferred,
- To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
- In case of damage due to unlawful processing of Personal Data, to demand the compensation of the damage.
6.3. Cases Where the Personal Data Owner Cannot Assert His/Her Rights
As the following cases are excluded from the scope of the Law pursuant to Article 28 of the Law, Personal Data Owners cannot assert their rights listed in Article (6.2.) of this Policy in the following cases:
- Processing of Personal Data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that Personal Data is not disclosed to third parties and obligations regarding data security are complied with.
- Processing of Personal Data for purposes such as research, planning and statistics by anonymizing it with official statistics.
- Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
- Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
- Processing of Personal Data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.
Pursuant to Article 28/2 of the Law, in the cases listed below, Personal Data Owners cannot assert their rights listed in Article (6.2.) of this Policy, except for the right to demand compensation for damages:
- Personal Data processing is necessary for the prevention of crime or criminal investigation.
- Processing of personal data made public by the Personal Data Owner himself/herself.
- Personal Data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
- Personal Data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
6.4. Exercise of Rights by the Personal Data Owner
Personal Data Owners may submit their requests regarding their rights listed in Article (6.2.) of this Policy to the Company free of charge by filling out and signing the Application Form below with the information and documents that will identify their identities and the methods specified below or other methods determined by the PDP Board:
(i) After filling out the application form, sending a wet signed copy of the application form to the address (current address to be written) personally by hand or through a notary public,
(ii) After filling out the application form and signing it with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, sending the form with secure electronic signature to yimakmuhendislik@hs03.kep.tr by registered e-mail.
In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.
6.5. Procedure and Duration of the Company’s Response to Applications
The Company shall finalize the requests in the application free of charge as soon as possible, within thirty days at the latest, depending on the nature of the request. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the PDP Board may be charged. The Company may accept the request or reject it by explaining its reasoning, and notifies its response in writing or electronically. If the request in the application is accepted, the Company fulfills the requirements of the request.
6.6. Personal Data Owner’s Right to File a Complaint to the PDP Board
In cases where the application is rejected, the response is found insufficient or the application is not responded to in due time, the data subject has the right to file a complaint to the PDP Board within thirty days from the date of learning the response and in any case within sixty days from the date of application.
7. THE COMPANY’S MANAGEMENT STRUCTURE IN ACCORDANCE WITH THE POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
A Personal Data Committee has been established within the Company in accordance with the decision of the Company’s senior management to manage this Policy and other policies related to this Policy. The Personal Data Committee is authorized and tasked with taking the necessary actions for the storage and processing of Personal Data Owners’ data in accordance with the law, this Policy and other policies related to this Policy.
8. UPDATES, COMPLIANCE AND CHANGES
8.1. Update and Compliance
The Company reserves the right to make changes to this Policy and other policies related to this Policy due to amendments to the Law, in accordance with the decisions of the PDP Board or in line with developments in the sector or in the field of informatics.
Changes made to this Policy are immediately incorporated into the text and explanations regarding the changes are provided at the end of the Policy.
8.2. Amendments
Personal Data Processing and Protection Policy was published on 15.06.2020. There is no earlier amendment.
CLARIFICATION TEXT ON PROCESSING AND PROTECTION OF PERSONAL DATA
As PROMAT BASIM YAYIN SAN. VE TİC.A.Ş. (“Company”), we attach importance to the processing and preservation of all kinds of personal data belonging to all persons associated with the Company, including those who benefit from our products and services, in accordance with the Personal Data Protection Law No. 6698 (“KVK Law”). As Data Controller, we process your personal data as explained below and within the limits prescribed by the legislation.
Purposes of Processing and Transferring Personal Data
Personal Data is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to the following purposes: planning, execution and management of the Company’s human resources policies, commercial partnerships, management and communication activities and strategies in accordance with the law and the purpose of the Law; enabling the Personal Data Owners to benefit from its products and services in the best way and recommending them by customizing them according to their demands, needs and requests; ensuring data security at the highest level; improving the services offered on the website and eliminating errors on the website; communicating with the Personal Data Owners who submit their requests and complaints to it and ensuring the management of requests and complaints; event management; providing information to authorized institutions arising from the legislation; and creating and tracking visitor records. Within the scope of the personal data processing conditions specified in Articles 8 and 9 of the Law, Personal Data is obtained by or shared with, recorded and transferred to electronic systems by the Company’s partners-business partners, successors and/or third parties/organizations to be determined by them. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, your explicit consent is obtained by the Company regarding the relevant processing process.
Method and Legal Grounds for Collecting Personal Data
For the purpose of checking compliance with Article 1 regulating the purpose of the Law and Article 2 regulating the scope of the Law, Personal Data is collected in all kinds of verbal, written and electronic media, by technical and other methods, call center, Company website, mobile application, etc., in order to fulfill the responsibilities arising from the law within the framework of legislation, contract, request and optional legal reasons and in order to fulfill the purposes set out in the Policy, and is processed by the Company or data processors assigned by the Company.
Rights of the Personal Data Owner in accordance with the KVK Law
Pursuant to Article 10 of the Law, the Company informs you of your rights, provides guidance on how to exercise such rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. Pursuant to Article 11 of the Law, the Company informs the persons whose Personal Data is received that they have the following rights:
- To learn whether Personal Data is processed,
- To request information if Personal Data has been processed,
- To learn the purpose of processing Personal Data and whether it is used in accordance with its purpose,
- To know the third parties to whom Personal Data is transferred domestically or abroad,
- To request correction of Personal Data in case of incomplete or incorrect processing,
- To request the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
- To request notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law to third parties to whom personal data is transferred,
- To object to the occurrence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
- In case of damage due to unlawful processing of Personal Data, to demand the compensation of the damage.
Personal Data Owners can submit their requests regarding their rights listed below to the Company free of charge by filling out and signing the Application Form, which can be accessed from the link below, with the information and documents that will identify their identity and the methods specified below or other methods determined by the PDP Board:
(i) After the application form is filled in, a wet-signed copy of the application form should be submitted personally or through a notary public to Cevizli mah. Bağdat cad. Ethem Güral business Mrkz.No:515/3 Maltepe/Istanbul,
(ii) After the application form is filled in and signed with your secure electronic signature within the scope of the Electronic Signature Law No. 5070, sending the form with secure electronic signature to promat@promat.hs03.kep.tr via registered e-mail.
(iii) They will be able to submit their requests to the Company free of charge by filling out and signing the Application Form below with information and documents that will identify their identity and by the methods specified below or by other methods determined by the PDP Board: After the application form is filled in, a wet signed copy of the application form should be sent to Orhangazi Mah. 1673 Sok. No:34 Esenyurt/Istanbul, After the application form is filled in and signed with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, sending the form with secure electronic signature to promat@promat.hs03.kep.tr via registered e-mail.
In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.