Protection of Personal Data
CHAPTER ONE: GENERAL INFORMATION ABOUT THE POLICY
Introduction
As Özak Gayrimenkul Yatırım Ortaklığı Anonim Şirketi (the “Company”), within the scope of the Law on the Protection of Personal Data No. 6698 (“Law” or “KVKK”), and in our capacity as the “Data Controller”, it is our priority to ensure that the personal data of real persons associated with our Company—including our customers, potential customers, suppliers, visitors, users of our website, company shareholders, company officials, employees, shareholders and officials of the institutions with which we cooperate, employee candidates, and our employees—are processed in accordance with the Law and its applicable legislation, and that the rights of the data subjects whose data is processed are effectively protected.
We carry out all operations related to the processing, storage, and transfer of personal data belonging to data subjects we are in contact with during our activities in accordance with this Personal Data Protection and Processing Policy (the “Policy”).
Respecting the fundamental rights and freedoms of individuals whose personal data is collected, and taking the necessary administrative and technical measures to ensure the protection of personal data, constitute the core principles of both this Policy regarding the processing of personal data and our Company.
1. Purpose of Policy
The primary purpose of this Policy is to determine the methods employed by our Company, which acts as a "data controller" under the Law, for the processing, storage, transfer, deletion, or anonymization of personal data shared by data subjects during our commercial, social responsibility, and similar activities, in accordance with the principles set forth in the Law. In this context, we aim to ensure transparency by informing those whose personal data is processed by Özak Gayrimenkul Yatırım Ortaklığı Anonim Şirketi, particularly our customers, potential customers, job candidates, company shareholders, company officials, visitors, employees, shareholders, and officials of institutions we collaborate with, and third parties.
2. Scope of the Policy
This Policy governs the personal data of our employees, prospective employees, shareholders/partners, visitors, business partners, customers, potential customers, suppliers, affiliates, website visitors, and all data subjects with whom we interact during our operations, including, but not limited to, the aforementioned. This Policy does not apply to data belonging to legal entities. If any inconsistency is detected between the applicable legislation regarding the processing and protection of personal data and this Policy, the provisions of the applicable legislation will apply.
3. Enforcement of the Policy
This Policy was approved by our Company and entered into force on June 1, 2020. With the entry into force of this Policy, the Policy previously published on our website has been repealed. If changes to the Policy are necessary, the relevant articles will be updated accordingly. Explanations regarding changes to this Policy are set forth in Section Eleven of this Policy.
CHAPTER TWO: DEFINITIONS AND ABBREVIATIONS
1. Definitions
1.1. Explicit Consent: Consent based on information on a specific subject and expressed with free will.
1.2. Anonymization: The irreversible alteration of personal data, such that it can no longer be associated with an identified or identifiable person. For example, rendering personal data incapable of being associated with a natural person through techniques such as masking, aggregation, data corruption, etc.
1.3. Employee: Persons working in the Company in accordance with an employment contract made with the Company.
1.4. Employee Candidate: Natural persons who have either applied for a job through any means or have made their resume and related information available for review by the Company.
1.5. Natural Persons and Private Law Legal Entities: Natural persons are persons who are alive and fully born and currently living according to the Turkish Civil Code. Private Law Legal Entities refer to Commercial Companies defined in the Turkish Commercial Code and associations and foundations defined in the Turkish Civil Code.
1.6. Open to All: It refers to a group of people that does not constitute any particular feature and includes everyone, that is, all people.
1.7. Shareholders: Natural or legal persons who own shares in the Company of the data controller.
1.8. Business Partner: Parties with whom the data controller carries out commercial activities and has a commercial relationship.
1.9. Employees, Shareholders and Officials of Institutions We Collaborate with: Natural persons who work in institutions with which the Company has any kind of business relationship (such as, but not limited to, business partners, suppliers), including shareholders and officials of these institutions.
1.10. Affiliates and Subsidiaries: If the data controller holds a stake in another company's capital, an affiliate refers to a company in which the data controller holds a share of the capital. If the company holds more than 50% of the voting rights of the company in which it is a partner, the relationship between the company and the partner constitutes a subsidiary. If the majority is not held by the company, the relationship is simply an affiliate.
1.11. Processing of Personal Data: Any operation performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
1.12. Personal Data Owner: The natural person whose personal data is processed. For example; customers and employees.
1.13. Personal Data: Any information relating to an identified or identifiable natural person. Processing information relating to legal entities is not within the scope of the law. For example, name-surname, Turkish ID number, e-mail address, date of birth, credit card number, etc.
1.14. Customer: Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
1.15. Special Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special data.
1.16. Potential Customer: Real persons who have requested or shown interest in using our products and services or who have been assessed in accordance with commercial practices and rules of integrity to be likely to have such interest.
1.17. Intern: Real persons who have applied for an internship in the company by any means and who aim to put their theoretical knowledge of the profession into practice in the workplace.
1.18. Company Shareholder: Real persons who are shareholders of the company.
1.19. Company Official: Member of the company's board of directors and other authorized real persons.
1.20. Supplier: Parties that have a business relationship with the Data Controller based on a service agreement and/or agency agreement for the procurement of services within the scope of the Data Controller's commercial activities.
1.21. Group Companies: According to the definition in the Turkish Commercial Code, "Companies that are directly or indirectly affiliated with the dominant company constitute the group of companies together with it."
1.22. Third Party: Third party natural persons (e.g. family members and relatives) who are related to the above-mentioned parties to ensure the security of commercial transactions between the company and the above-mentioned parties or to protect the rights of the above-mentioned parties and to provide benefits.
1.23. Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. For example, a firm or company that holds the Company's data, etc.
1.24. Data Controller: The data controller is the person who determines the purposes and means of processing personal data, manages the place where the data is systematically kept (data recording system), provides the necessary information and directs the data owner regarding their personal information as a result of the data owner's request/application.
1.25. Authorized Public Institutions and Organizations: Public institutions and organizations that are authorized by their relevant legislation to request information and documents from the Data Controller and are also required to make transfers in order for the Data Controller to fulfill its legal obligations.
1.26. Visitor: Natural persons who have entered the physical premises of the Company for various purposes or visited our websites.
2. Abbreviations
2.1. KVKK: Law No. 6698 on the Protection of Personal Data, dated March 24, 2016, published in the Official Gazette No. 29677, dated April 7, 2016.
2.2. Constitution: The Constitution of the Republic of Türkiye, dated 7 November 1982 and numbered 2709, published in the Official Gazette, dated 9 November 1982 and numbered 17863.
2.3. KVK Board: Personal Data Protection Board
2.4. KVK Institution: Personal Data Protection Authority
2.5. Policy: Company Personal Data Protection and Processing Policy
2.6. TBK: Turkish Code of Obligations No. 6098 dated January 11, 2011, published in the Official Gazette No. 27836 dated February 4, 2011.
2.7. TCK: Turkish Penal Code No. 5237 dated September 26, 2004, published in the Official Gazette No. 25611 dated October 12, 2004.
2.8. TTK: Turkish Commercial Code No. 6102 dated January 13, 2011, published in the Official Gazette No. 27846 dated February 14,
CHAPTER THREE: DATA SUBJECT GROUPS AND DATA CATEGORIES
1. Personal Data Categorization
The Company processes personal data in the following categories by informing the relevant individuals pursuant to Article 10 of the Law. This section specifies which data subjects the personal data processed in these categories relate to, as regulated by this Policy, and which types of personal data of individuals within these categories are processed. The categories cover data clearly belonging to an identified or identifiable individual, processed partially or fully automatically, or non-automatically as part of a data recording system:
PERSONAL DATA CATEGORIZATION |
EXPLANATION ON PERSONAL DATA CATEGORIZATION |
CHAPTER FOUR: METHOD OF COLLECTING PERSONAL DATA AND LEGAL REASON
1. Method and Legal Reason for Collecting Personal Data
Personal Data is collected by our Company through technical and procedural methods implemented through various channels such as our website, e-mails, application forms, offer forms, secure electronic transactions, printed forms, registration forms, and physical channels, or through verbal, written, or electronic means, fully or partially automated, or non-automated provided that they are part of any data recording system. Personal Data is collected for the purposes of providing you with our commercial services and conducting our commercial activities within this framework, within the framework of legal reasons arising and enforced based on relevant legislation, contracts, demands, commercial practices, and rules of integrity. This data is collected for the purposes of enabling our Company to fulfill its legal responsibilities, fulfilling the requirements of the business relationship we have established with you, establishing, exercising, and protecting our mutual rights in this regard, and protecting our Company's legitimate interests by observing the fundamental rights and freedoms of personal data owners with whom we have a relationship. In this context, the specific Personal Data Collection methods, the purposes of collection, and the activities carried out in this regard are as follows:
1.1. Camera Monitoring Activities Conducted at Building and Facility Entrances and Inside the Building Facility
Within the scope of its security camera monitoring activities, our company aims to improve the quality of the service provided, ensure its reliability, ensure the safety of the company, customers and other persons, and protect the interests of customers regarding the service they receive.
1.1.1 Legal Basis for Camera Surveillance
The camera monitoring activity carried out by our company is carried out in accordance with the Law on Private Security Services and relevant legislation.
- Announcement of Camera Surveillance Activity
- Our company informs the personal data owner in accordance with Article 10 of the Personal Data Protection Law.
Regarding the camera surveillance activity carried out by our Company, this Policy is published on our Company's website (online Policy regulation) and a notice stating that surveillance will be carried out is posted at the entrances of the areas where surveillance is carried out (on-site notice).
- Purpose of Carrying Out Camera Monitoring Activity and Limitation to the Purpose
Our Company's purpose in conducting video camera surveillance is limited to the purposes listed in this Policy. Areas where personal privacy may be compromised beyond security purposes (e.g., restrooms, prayer rooms) are not subject to monitoring.
1.1.2 Ensuring the Security of the Obtained Data
In accordance with Article 12 of the Personal Data Protection Law, our company takes the technical and administrative measures listed in this policy to the extent appropriate to ensure the security of personal data obtained as a result of camera surveillance.
1.1.3. Who Can Access the Information Obtained as a Result of Monitoring and To Whom This Information Is Transferred
Only a limited number of Company employees have access to recordings, which are recorded and maintained digitally. Live camera footage is available to company security guards and administrative department employees. Access to other individuals is prohibited.
2. Monitoring of Guest Entrances and Exits at Building and Facility Entrances
Our Company processes personal data to ensure security and monitor guest entries and exits from Company buildings and facilities for the purposes specified in this Policy. The names and surnames of guests visiting Company buildings and facilities are collected, as well as their vehicle license plate information. These personal data subjects are informed of this information through text posted on the Company premises or otherwise made available to guests.
3. Website Visitors
Our Company records the internet activity on the websites it owns using technical means (e.g., cookies) to ensure that visitors to these sites conduct their visits in accordance with their intended purpose, to display personalized content, and to engage in online advertising. Visitors to our website are presented with our "Cookie Policy" and are provided with comprehensive information within the scope of the disclosure obligation.
4. Our Company's Mobile Applications
To make our services easier for our customers to use, our company develops mobile applications that our customers can install on their mobile phones. We provide comprehensive information to our customers using our mobile application before they enter any information, and obtain their explicit consent.
CHAPTER FIVE: PROCESSING OF PERSONAL DATA
1. General Principles in the Processing of Personal Data
Our Company processes personal data in accordance with the procedures and principles stipulated in the Law and this Policy. When processing personal data, our Company acts in accordance with the following principles set forth in Article 4 of the Personal Data Protection Law:
1.1. Compliance with law and rules of integrity,
Compliance with the law and the rule of honesty means the obligation to act in accordance with the principles introduced by laws and other legal regulations in the processing of personal data. The rule of honesty means that individuals should act in accordance with the rules of trust and in a manner expected from a reasonable person when exercising their rights.
1.2. Being accurate and up to date when necessary,
Keeping your personal data accurate and up-to-date is essential for protecting the fundamental rights and freedoms of individuals. This principle protects the rights of the data subject and is also in the interests of the data controller.
1.3. Processing for specified, explicit and legitimate purposes,
This principle requires data controllers to clearly and precisely define the purpose of data processing and to ensure that this purpose is legitimate. Legitimate purposes mean that the data being processed is relevant to and necessary for the business or service being performed.
1.4 Being connected, limited and proportionate to the purpose for which they are processed,
The fact that the processed data are suitable for achieving the specified purposes necessitates avoiding the processing of personal data that is not relevant or necessary to achieve the purpose. Furthermore, data processing should not be undertaken to meet needs that may arise later. The principle of proportionality means striking a reasonable balance between data processing and the intended purpose.
1.5. Storage for the period required by the relevant legislation or for the purpose for which they are processed.
Personal data must be retained for the period necessary for the purpose for which it is processed, as required by the "principle of purpose limitation." If the data controller exceeds the retention periods stipulated by the legislation to which it is subject, as well as the retention periods they themselves determine, due to their legal obligations, personal data must be deleted, destroyed, or anonymized.
2. Our Purposes for Processing Personal Data
Personal Data collected by the Company is processed for the purposes listed below, in accordance with the personal data processing conditions set forth in Articles 5 and 6 of the Law. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, the Company obtains the explicit consent of the data subject for the relevant processing process. Your personal data is processed by our Company for the purposes listed below:
- Execution of emergency processes,
- Execution of information security processes,
- Execution of access authorizations,
- Ensuring physical space security,
- Carrying out communication activities,
- Carrying out storage and archive activities,
- Conducting internal audit, investigation and intelligence activities,
- Execution of risk management processes,
- Ensuring the security of movable goods and resources,
- Organization and event management,
- Carrying out management activities,
- Carrying out our commercial and administrative activities,
- Providing support services and reporting to customers within the scope of the contract and service standards,
- Determining our customers' preferences and needs and shaping, updating and developing the services to be provided to our customers within this scope,
- To ensure the fulfillment of our legal obligations as required or mandated by legal regulations,
- Conducting campaigns, surveys, and promotions,
- To contact people who have business relations with the company,
- Advertising and marketing,
- Compliance management,
- Vendor/supplier management, programs and services,
- Legal reporting,
- Billing,
- Planning and implementing human resources policies in the best possible way,
- Correct planning, execution and management of commercial partnerships and strategies,
- Ensuring the legal, commercial and physical security of the Company and its business partners,
- Ensuring institutional functioning, planning and execution of management and communication activities,
- Ensuring data security at the highest level,
- Creation of databases,
- Improving the services offered on the website and correcting errors on the website,
- Communicating with Personal Data Owners who submit their requests and complaints and ensuring request and complaint management,
- Event management,
- Carrying out personnel recruitment processes,
- Supporting Group Companies in personnel recruitment processes and compliance with relevant legislation,
- Planning and execution of audit activities to ensure that the activities of the Group Companies are carried out in accordance with the relevant legislation,
- Supporting Group Companies in carrying out corporate and partnership law transactions,
- Execution/monitoring of financial reporting and risk management processes,
- Execution/follow-up of company legal affairs,
- Carrying out activities to protect the reputation,
- Creating and tracking visitor records,
- Planning and execution of business activities and business continuity activities,
- Monitoring of finance and/or accounting affairs,
- Providing information to authorized institutions regarding legislation and preparation for authorized institution audits,
- Planning and execution of corporate communication activities,
- Planning and execution of operational processes,
- Planning and execution of business partners and/or suppliers' access to information,
- Planning and execution of customer relationship management processes,
- Follow-up of customer requests and/or complaints,
- Monitoring contract processes and/or legal requests,
- Planning and execution of market research activities for sales and marketing of services,
- Sales and after-sales operations and purchasing operations,
- Planning and/or executing processes to create and/or increase loyalty to the products and/or services offered by the company,
- To ensure that our company's human resources policies are implemented and job applications are evaluated in accordance with human resources policies,
- Fulfilling obligations and taking necessary measures within the framework of occupational health and safety,
- Fulfilling the obligations arising from the employment contract and/or legislation for the company employees,
- Carrying out personnel entry and exit procedures,
- Evaluating the wage-performance process, managing wages and payrolls,
- Planning and/or execution of in-company training activities,
- In order to ensure the legal and commercial security of our company and the people who have business relations with our company,
- Planning and execution of operational activities necessary to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation,
- Ensuring the security of company premises and/or facilities,
- Ensuring the security of company assets and/or resources,
- In line with the purpose of determining and implementing our company's commercial and business strategies,
- Social responsibility activities carried out by our company,
- Planning and execution of customs operations processes,
- Completion of quality processes
3. Legal Reasons for Processing Personal Data
The legal reasons for processing personal data are regulated in Article 5 of the KVKK. The company does not process personal data without the explicit consent of the data owner. However, if one of the conditions stipulated in Article 5 of the KVKK exists, personal data may be processed without the explicit consent of the data owner:
3.1. Personal data cannot be processed without the explicit consent of the person concerned.
3.2. If one of the following conditions is met, it is possible to process personal data without the explicit consent of the person concerned:
3.2.1. It is clearly provided for in the laws.
3.2.2. It is necessary for the protection of the life or physical integrity of a person who is unable to give their consent due to a physical impossibility or whose consent is not legally valid, or of someone else.
3.2.3. It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract.
3.2.4. It is mandatory for the data controller to fulfill its legal obligations.
3.2.5. It has been made public by the person concerned themselves.
3.2.6. Data processing is necessary for the establishment, exercise or protection of a right.
3.2.7. Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
4. Legal Reasons for Processing Special Personal Data
The legal grounds for processing special personal data are regulated in Article 6 of the KVKK.
Processing of special categories of personal data is prohibited. However, the processing of these data;
a) The explicit consent of the relevant person,
b) Clearly provided for in the laws,
c) If it is necessary for the protection of the life or physical integrity of a person who is unable to give his consent due to a physical impossibility or whose consent is not legally valid, or if it is necessary for the protection of the life or physical integrity of another person,
ç) It is in accordance with the personal data that the relevant person has made public and with his/her will to make it public,
d) It is necessary for the establishment, use or protection of a right,
e) It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation of confidentiality or authorized institutions and organizations,
f) It is mandatory to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
g) It is possible for foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious, or union purposes to be directed to their current or former members and affiliates, or to those who are in regular contact with these organizations and formations, provided that it complies with the legislation and objectives to which they are subject, is limited to their areas of activity, and is not disclosed to third parties.
(4) In the processing of special personal data, it is also necessary to take adequate measures determined by the Board.
The Company carries out the necessary procedures to take adequate measures determined by the Board in the processing of Special Personal Data.
CHAPTER SIX: TRANSFER OF PERSONAL DATA
1. Conditions for Transfer of Personal Data
As a company, we act in accordance with the decisions and regulations stipulated in the Law and taken by the Board regarding the transfer of Personal Data and we take the necessary measures. Subject to the exceptional circumstances set out in the legislation, personal data and special data will not be transferred to other natural persons or legal entities without the express consent of the Data Subject. However, personal data:
- In the cases described in Article 3 of the Fifth Section of this Policy,
- In the cases listed in Article 4 of the Fifth Chapter of this Policy regarding special personal data, data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership to associations, foundations or unions, criminal convictions and security measures, as well as biometric and genetic data,
- In the case of Special Personal Data: where it is clearly stipulated in the laws; where it is necessary for the protection of the life or physical integrity of a person who is unable to give consent due to a physical impossibility or whose consent is not legally valid; where it is in accordance with the will of the person concerned to make public the personal data that the person has made public; where it is necessary for the establishment, exercise or protection of a right; where it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services and the planning, management and financing of health services by persons under the obligation of confidentiality or by authorized institutions and organizations; and where it is mandatory to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance. Information may be transferred without explicit consent to current or former members and affiliates of foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious, or union purposes, and to individuals who are in regular contact with these organizations and formations, provided that it complies with the legislation and objectives to which they are subject, is limited to their areas of activity, and is not disclosed to third parties.
The media tools used by our company during the transfer are intranet, e-mail, hard copy, Excel spreadsheet, VPN, and secure file transfer.
2. Conditions for Transferring Personal Data Abroad
Personal data may be transferred to countries with adequate protection, provided that the relevant person gives explicit consent and the conditions specified in the Law are met. Data transfer to countries where there is insufficient protection can be carried out in cases where the conditions specified in the Law are met, in addition to explicit consent, a written commitment to adequate protection is made, and the Board's permission is obtained.
3. Our Purposes for Transferring Personal Data and Third Parties to Which Personal Data May Be Transferred
Personal data are processed for the purposes specified in Article 2 of the Fifth Section of this Policy;
- To our suppliers,
- To our subsidiaries and group companies,
- Özak Global Holding A.Ş.
- Özak Yenigün Ziylan Adi Ortaklığı
- Aktay Otel İşletmeleri A.Ş,
- Akyön Tesis Yönetim Hizmetleri A.Ş.
- Kamer İnşaat Ticaret ve Sanayi A.Ş.
- Legally authorized public institutions and organizations,
- To legally authorized private law persons,
- To our shareholders,
- To the domestic and international server service providing companies from which we receive server services,
- To audit companies
It can be transferred provided that the necessary technical and administrative measures are taken in accordance with the principles and rules explained in this Policy.
4. Personal Data Planned to Be Transferred to Foreign Countries
Since our company has operational processes abroad, personal data may be transferred to our business partners located abroad, with the express consent of the data owners, limited to the situations necessitated by operational processes and limited to contact information only.
CHAPTER SEVEN: DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
1. Deletion, Destruction or Anonymization of Personal Data
Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, our Company shall delete, destroy or anonymize Personal Data ex officio or upon the request of the data owner, if the reasons requiring processing are eliminated. By deleting Personal Data, these data are destroyed in a way that they cannot be used or recovered in any way. Data destruction procedures are carried out within our company within the periodic destruction periods determined by keeping a record.
2. Duration of Storage and Destruction of Personal Data
The Company stores Personal Data for the period specified in the legislation, if stipulated in the legislation. If there is no specific period stipulated in the legislation regarding how long personal data should be stored, Personal Data is processed for the period required by the Company's practices and business practices, depending on the activity carried out by our Company while processing that data, and is then deleted, destroyed or anonymized.
If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Company have expired, personal data may only be stored to constitute evidence in possible legal disputes or to assert or defend the relevant right related to personal data. In establishing the periods here, the retention periods are determined based on the limitation periods for asserting the aforementioned right and examples of previous requests made to the Company on the same issues despite the expiration of the limitation periods. In this case, stored personal data is not accessed for any other purpose and access is provided only when it is necessary to use it in the relevant legal dispute. Here too, after the period mentioned above expires, personal data is deleted, destroyed or made anonymous.
CHAPTER EIGHT: MEASURES TAKEN REGARDING PERSONAL DATA SECURITY
In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to prevent the unlawful processing of the Personal Data it processes, to prevent unlawful access to the data, to ensure the preservation of the data and to ensure the appropriate level of security, and it conducts or commissions the necessary audits within this scope.
1. Technical Measures Taken Regarding Personal Data
To ensure and preserve the security of personal data, the Company takes measures including, but not limited to, the following:
- Network security and application security are provided,
- A closed system network is used for personal data transfers via the network.
- Security measures are taken within the scope of information technology systems procurement, development and maintenance,
- In-house technical organization is made to process and store personal data in accordance with the legislation,
- Data masking measures are applied when necessary,
- The technical infrastructure is created to ensure the security of databases where personal data will be stored,
- The processes of the established technical infrastructure are monitored and audited,
- Procedures for reporting the technical measures taken and audit processes are determined,
- Technical measures are periodically updated and renewed,
- Risky situations are re-examined and necessary technological solutions are produced,
- Current anti-virus protection systems, firewalls and similar software or hardware security products are used and security systems in line with technological developments are installed,
- Applications that collect personal data are regularly scanned to detect security vulnerabilities, and any vulnerabilities found are closed,
- Backup programs are used in accordance with the law to ensure the safe storage of personal data,
- By restricting access to the environments and/or data where personal data is kept, only authorized persons are allowed to access this data, limited to the purpose for which personal data is stored, and by keeping log records of access to data storage areas where personal data is located, inappropriate access or access attempts are instantly communicated to the relevant parties.
- Log records are regularly reviewed,
- Employees who are experts in technical matters are employed,
- User account management and authorization control systems are implemented and monitored.
- Log records are kept in a way that does not require user intervention,
- If sensitive personal data is to be sent via e-mail, it must be encrypted and sent using a KEP or corporate mail account,
- Secure encryption and cryptographic keys are used for sensitive personal data and are managed by different units,
- Intrusion detection and prevention systems are used,
- Penetration testing is being carried out,
- Cyber security measures have been taken and their implementation is constantly monitored,
- Encryption is used.
2. Administrative Measures Taken Regarding Personal Data Security
To protect your personal data, the Company takes measures including, but not limited to, the following:
- Corporate policies and procedures are created regarding access to personal data, information security, usage, storage and destruction, including for employees of our group companies and affiliates,
- Policies regarding the use of tools and equipment used in databases and applications containing personal data are prepared and implemented,
- Employees are informed and trained regarding the legal protection and processing of personal data,
- Training and awareness activities are carried out for employees on data security at regular intervals.
- The measures to be taken in cases of unlawful processing of personal data by our company employees are recorded in the contracts we make with our employees and/or the policies we create.
- The contracts and instructions signed with our employees include clauses that impose an obligation not to process, disclose or use personal data in any way contrary to the law, and awareness is raised and audits are carried out on this issue.
- Disciplinary regulations that include data security are implemented for employees,
- Our employees are informed that their obligation not to disclose the personal data they have learned to anyone else in violation of the provisions of the Law, and not to use it for purposes other than processing, will continue after they leave their job, and they give an undertaking to this effect.
- Institutional policies are prepared and implemented regarding access, information security, usage, storage and destruction,
- Provisions are added to the contracts concluded with our company and the persons to whom personal data is legally transferred, stating that the persons to whom the data is transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
- The scope of access to personal data of our employees is determined according to their duties and positions within the company, their access rights are limited, their rights are regularly reviewed, an authority matrix is created, and the authority of employees who leave their jobs or whose duties are changed is removed in this area.
- Developments in the field of information security, privacy and personal data protection are monitored and legal and technical consultancy services are received to take the necessary actions.
- The compliance with the Law and related legislation of the data processors and other data controllers we work with is examined, necessary guidance is provided and their awareness is raised,
- Personal data security issues are reported quickly,
- Personal data security is monitored,
- Personal data is minimized as far as possible,
- Personal data is backed up and the security of the backed up personal data is ensured,
- Periodic and/or random internal audits are carried out or commissioned,
- Existing risks and threats are identified,
- Protocols and procedures for the security of sensitive personal data have been determined and implemented,
- Necessary security measures are taken regarding entry and exit to environments containing personal data,
- The security of environments containing personal data is ensured against external risks (fire, flood, etc.),
- Data processing service providers are made aware of data security.
- Personnel with technical expertise are employed.
- A system has been established and is being implemented that ensures that if personal data is obtained by others through illegal means, this situation is reported to the relevant personal data owner and the Personal Data Protection Board as soon as possible.
3. Physical Measures Taken Regarding Personal Data Security
- Role-based physical access measures are taken for the points where personal data is located,
- Documents and storage devices containing personal data are kept in locked cabinets.
- Card access systems are implemented for work areas,
- Work areas are monitored with a closed circuit camera recording system in a way that does not violate the privacy of employees,
- Documents and storage media containing personal data are securely destroyed, and are backed up to prevent loss, in accordance with the rules set out in the KVKK and this Policy.
4. Procedures to be Followed in Case of Unauthorized Disclosure of Personal Data
In accordance with Article 12 of the Law, if the processed Personal Data is obtained by others through illegal means, our Company notifies the relevant data owner and the Board as soon as possible and within 72 hours at the latest after the situation is detected.
5. Audit of Measures Taken for the Protection of Personal Data
In accordance with Article 12 of the Personal Data Protection Law, our company conducts or has the necessary audits conducted within its own organization every 6 months.
The results of these audits are reported to the relevant department within the scope of the Company's internal operations and necessary actions are taken to improve the measures taken.
6. Employees on the Protection and Processing of Personal Data
6.1. Raising Awareness and Supervision
Our Company organizes the necessary training for its current employees and for employees newly joining the business unit to raise awareness about preventing the unlawful processing of personal data, preventing unlawful access to data, and ensuring the preservation of data. It provides awareness training to its current employees every four months.
CHAPTER NINE: OBLIGATIONS OF THE DATA CONTROLLER
1. Obligation to Disclose
The Company informs the relevant parties regarding the collection of personal data. This information covers, at a minimum, the following topics.
1.1. The identity of the data controller and its representative, if any,
1.2. The purpose for which personal data will be processed,
1.3. To whom and for what purpose personal data can be transferred,
1.4. The method and legal reason for collecting personal data,
1.5. Other rights of the relevant person listed in Article 11 of the Law,
2. Obligation to Fulfill Board Decisions
If the Board determines the existence of a violation as a result of the investigation it will conduct on the issues within its scope of duty, either upon a complaint or upon learning of an alleged violation, it decides that the Company shall remedy the unlawful violations and notify the relevant parties of the decision. As detailed in the Execution of Board Decisions procedure, the Company shall execute this decision without delay and within thirty days at the latest from the date of notification.
3. Data Controllers Registry (VERBIS) Registration Obligation
The Company registers and updates the records in the registration system where data controllers are required to register and declare information regarding their data processing activities, as specified in the Data Controllers Registry (VERBIS) registration procedure.
CHAPTER TEN: RIGHTS OF THE PERSONAL DATA OWNER
1. Data Owner's Rights
In accordance with Article 11 of the Law, our Company informs persons whose personal data is collected that they have the following rights:
- To learn whether personal data is being processed,
- To request information about the processing if personal data has been processed,
- To learn the purpose of processing personal data and whether it is used in accordance with that purpose,
- To know the third parties to whom personal data is transferred, either domestically or abroad,
- To request correction of personal data if it is processed incompletely or incorrectly,
- To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
- To request that the transactions carried out pursuant to subparagraphs (d) and (e) of Article 11 of the Law be notified to third parties to whom personal data has been transferred,
- To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
- To demand compensation for damages arising from the unlawful processing of personal data.
2. Methods of Seeking Rights by Personal Data Owners
Data subjects have the right to contact the Company to learn whether their personal data has been processed, to request it if it has been processed, to request correction of the data if it is incomplete or inaccurate, to request deletion or destruction if it is unlawful, to request notification of the actions to be taken accordingly to third parties to whom the data was disclosed, and to request compensation for any damages arising from the unlawful processing of the data. Data subjects may exercise their rights of appeal and complaint, as detailed in the Data Subject's Rights Claim Procedure.
Application: To exercise their rights, data subjects must first contact the data controller. Complaints to the Board cannot be filed without exhausting this avenue.
- You can submit your requests within the scope of Article 11 of the Law, which regulates the rights of the relevant person, in writing in accordance with the "Communiqué on the Procedures and Principles of Application to the Data Controller" or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature or the electronic mail address previously notified by you and registered in our system.
- Personal data owners may submit their requests regarding their rights listed in this Policy to our Company via our website http://www.fisekhane.com/, by using the methods specified on our website, through the “Application Text” and by fulfilling the conditions set forth in this “Application Text”.
Complaint: In cases where the application is rejected by our Company, the response is deemed insufficient by the data owner, or our Company does not respond to the application in a timely manner, the data owner has the right to lodge a complaint with the Board within thirty days from the date on which he/she learns of the response, and in any case within sixty days from the date of application. It is not possible for the relevant persons to complain directly to the Board without applying to the Company.
3. Data Controller's Right to Reject the Application of the Personal Data Owner
The Company has the right to reject the application made by the personal data owner in the presence of certain conditions as stated in this policy. The situations in which the Data Controller Company may exercise its right of rejection regarding the application are listed below.
Personal data subject to the application of the relevant person;
- Processing for purposes such as research, planning and statistics by anonymizing it through official statistics,
- Processing for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime,
- Processing within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
- Processing by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings,
- Processing is necessary for the prevention of crime or criminal investigation,
- Processing of personal data made public by the data owner himself/herself,
- The processing is necessary for the performance of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with public institution status, based on the authority granted by law,
- The processing is necessary to protect the economic and financial interests of the State in relation to budgetary, tax and financial matters,
- The owner's request may interfere with the rights and freedoms of other persons,
- Requests requiring disproportionate effort have been made,
- The requested information is publicly available.
In the cases listed above, the Data Controller Company may exercise its right to reject the application.
CHAPTER ELEVEN: PERSONNEL RESPONSIBLE FOR COMPLIANCE WITH THE POLICY
A Personal Data Committee has been established within the Company in accordance with the decision of the Company's senior management to manage this Policy and other policies related to and affiliated with this Policy. The Personal Data Committee is authorized and responsible for carrying out the necessary procedures to store and process the data of Personal Data Owners in accordance with the law, this Policy and other policies related to and associated with this Policy.
The main duties of this Personal Data Committee are:
- To prepare basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of senior management in order to put them into effect,
- To decide how the policies regarding the Protection and Processing of Personal Data will be implemented and audited, and to submit to the approval of the senior management the matters of assigning internal tasks and ensuring coordination within this framework.
- To determine the matters that need to be done to ensure compliance with the Personal Data Protection Law and relevant legislation and to submit the necessary actions to the approval of the senior management; to oversee their implementation and to ensure coordination,
- To raise awareness within the Company and the institutions with which the Company cooperates regarding the Protection and Processing of Personal Data,
- To identify the risks that may arise in the company's personal data processing activities and to ensure that the necessary measures are taken; to submit improvement suggestions for approval by senior management,
- To design and ensure the implementation of training on the protection of personal data and the implementation of policies,
- To decide on the applications of personal data owners at the highest level,
- To coordinate the execution of information and training activities to ensure that personal data owners are informed about personal data processing activities and their legal rights,
- To prepare changes to the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect,
- To follow the developments and regulations regarding the Protection of Personal Data; to make recommendations to the senior management on what needs to be done within the Company in accordance with these developments and regulations,
- To coordinate relations with the Personal Data Protection Board and Institution,
- To carry out other duties assigned by the Company's senior management regarding the protection of personal data.
CHAPTER TWELVE: UPDATES AND CHANGES
The Company reserves the right to make changes to this Policy and other policies related to and associated with this Policy in line with changes made in the Law and related legislation, Board decisions and/or developments in the sector or in the field of informatics. Any changes made to this Policy are immediately incorporated into the text, and explanations regarding the changes are stated in this section.
01/06/2020: This Personal Data Processing and Protection Policy has been accepted by our Company and entered into force.
Title: Özak Gayrimenkul Yatırım Ortaklığı A.Ş.
MERSIS number: 0662077516700018
Email address: [email protected]
KEP address: [email protected]
Postal address: İkitelli OSB Mah.10 Cad. 34 Portall Plaza No:7D/8 Başakşehir - İstanbul