DESE CREW MANAGEMENT DENİZCİLİK LOJİSTİK HİZMETLERİ SANAYİ TİCARET LİMİTED ŞİRKETİ
PERSONAL DATA PROTECTION AND PROCESSING POLICY
1.1
Introduction
The protection of personal data is among the most important priorities of DESE Crew Management Denizcilik Lojistik Hizmetleri Sanayi Ticaret Limited Şirketi ("Company"), and the Company makes maximum efforts to comply with all applicable legislation in this regard. This DESE Crew Management Denizcilik Lojistik Hizmetleri Sanayi Ticaret Limited Şirketi Personal Data Protection and Processing Policy ("Policy") constitutes an important part of these efforts.
Within the framework of this Policy,
the principles adopted in the conduct of personal data processing activities
carried out by our Company and the basic principles adopted in terms of
compliance of our Company's data processing activities with the regulations
contained in the Personal Data Protection Law No. 6698 ("Law") are explained and thus, our Company
provides the
necessary transparency by informing the personal data owners. With full
awareness of our responsibility within this scope, your personal data is
processed and protected within the scope of this Policy.
1.2
Scope
This Policy relates to all personal
data of persons other than the employees of our Company (employees, interns,
shareholders, officers of our Company), which are processed automatically or
non-automatically provided that they are part of any data recording system.
Detailed information regarding the personal data owners in question
can be found in Annex-2 ("Annex 2-
Personal Data Owners") of this Policy, and the definitions used in
this Policy and which should be explained for completeness can be found in
Annex-1 ("Annex 1-
Definitions") of this Policy.
The activities carried out by our
Company regarding the protection of personal data of Company employees are
managed under the DESE Crew Management Denizcilik Lojistik Hizmetleri Sanayi
Ticaret Limited Şirketi Employee Personal Data Protection and Processing
Policy, which is organized in parallel with the principles in this Policy.
2.1
Personal Data Processing Principles
Our Company processes personal data
in accordance with the procedures and principles stipulated in the Law and
other relevant legislation.
2.1.1.
Processing in accordance with the Law and Good
Faith
Personal
data are processed in accordance with the rules of honesty,
with transparent methods and by fulfilling the obligation to inform. While
fulfilling the disclosure obligation, if possible, the purpose of processing is
explained at the time of obtaining the data and access to detailed information
is provided.
2.1.2.
Ensuring the Accuracy of Personal Data and Keeping
it Up-to-Date When Necessary
Necessary administrative and technical measures are taken in data processing procedures to ensure that the processed data is accurate and up-to-date. Since a significant part of the data is processed on the basis of the declaration of the Data Subjects, the data reflects these statements in the most accurate way, and the Data Subjects are given the opportunity to apply to update the data and correct errors, if any, in accordance with the law.
2.1.3.
Processing for Specific, Explicit and Legitimate
Purposes
DESE Crew Management Denizcilik Lojistik Hizmetleri Sanayi Ticaret Limited Şirketi clearly defines the scope and content of personal data and carries out its processing activities within the legitimate purposes determined in accordance with the legislation.
2.1.4.
Personal Data is Relevant, Limited and Proportionate
to the Purpose for which it is Processed
We process personal data in
connection with the purposes we have determined, in a limited and measured
manner. Processing of personal data that is not relevant or not needed to be
processed is avoided. For this reason, personal data of a special nature is not
processed unless there is a legal requirement or explicit consent is obtained
when it is necessary to process it.
2.1.5.
Retention of Personal Data for the Periods
Stipulated in the Legal Regulations or Required by Legitimate Interests
Many regulations in the legislation
require personal data to be kept for a certain period of time. Therefore,
processed personal data are stored for the period stipulated in the relevant
legislation or for the period required for the purposes of processing personal
data.
In the event that the retention
period stipulated in the legislation expires or the purpose of processing
disappears, personal data are deleted, destroyed or anonymized automatically or
upon the request of the data subject.
2.2
Processing of Personal Data
The explicit consent of the
personal data owner is only one of the legal grounds that make it possible to
process personal data in accordance with the law, and in the presence of one of
the following conditions, personal data is processed by our Company without
seeking the explicit consent of the data owner.
The basis of the personal data
processing activity may be only one of the following conditions, or more than
one condition may be the basis of the same personal data processing activity.
In the event that the processed data is personal data of special nature, the
conditions set out in section 2.2.2 of this Policy ("Processing of Personal Data of Special Nature")
shall
apply.
•
Explicitly stipulated in the
law.
•
It is mandatory for the
protection of the life or physical integrity of the person who is unable to
disclose his/her consent due to actual impossibility or whose consent is not
legally valid.
•
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
•
It is mandatory for the data
controller to fulfill its legal obligation.
•
It has been made public by the
person concerned.
•
Data processing is mandatory
for the establishment, exercise or protection of a right.
•
Data processing is mandatory
for the legitimate interests of the Company, provided that it does not harm the
fundamental rights and freedoms of the data subject.
2.2.2
Processing of Special Categories of Personal Data
Some personal data are regulated
separately as 'sensitive personal data' and are subject to special protection.
These data are of special importance due to the risk of causing victimization
or discrimination when processed unlawfully.
Sensitive personal data are
processed by our Company in accordance with the principles set forth in this
Policy and by taking all necessary administrative and technical measures,
including the methods to be determined by the Personal Data Protection Board ("Board") and in the
presence
of the following conditions:
•
Sensitive personal data other than health and sexual life
can be processed with the explicit consent of the data subject or
without explicit consent in cases explicitly stipulated by law.
•
Sensitive personal data relating to health and sexual life
may be processed by persons under the obligation of confidentiality
or authorized institutions and organizations for the protection of public
health, preventive medicine, medical diagnosis, treatment and care services,
planning and management of health services and financing, if the data subject
gives explicit consent or without explicit consent.
2.3
Purposes of Processing Personal Data
The personal data processing
purposes of our Company within the scope of the personal data specified in this
Policy and the processing conditions of special categories of personal data in
accordance with the Law and other relevant legislation are as follows.
•
Planning and/or execution of
our Company's human resources policies and processes,
•
Planning and/or execution of
activities to ensure the legal and technical security of our Company and
related persons who are in business relations with our Company,
•
Carrying out the necessary work
and carrying out the relevant business processes in order to benefit the
relevant persons from the products and/or services offered by and/or on behalf
and account of our Company,
•
Carrying out the necessary work
by our relevant business units for the realization of the commercial and/or
operational activities carried out by our Company and carrying out the related
business processes,
•
Planning and/or execution of
our Company's commercial and/or business strategies.
It is possible to access detailed
information regarding the personal data processing purposes in question from
Annex-3 ("Annex 3- Personal Data
Processing Purposes") of this Policy.
2.4
Categories of Personal Data Processed by Our Company
In accordance with the Law and
other relevant legislation provisions, our Company processes personal data of
personal data owners within the framework of the purposes and conditions
specified in this Policy in accordance with the Law and other relevant legislation
provisions, including identity, communication, financial, customer, customer
transaction, transaction security, risk management, physical space security,
audit and inspection, legal transaction and compliance, reputation management,
request / complaint management, data of family members and relatives, visual
and audio, marketing, vehicle, employee candidate, employee, employee
transaction, employee performance and career development, fringe benefits and
benefits, insurance and special categories of personal data.
Detailed information on the personal
data categories in question can be found in Annex 4 ("Annex 4 - Personal Data Categories") of this
Policy.
Our Company may transfer personal
data and sensitive personal data to domestic and/or foreign third parties ("Third Parties") by taking
the necessary security measures in line with the lawful personal data
processing purposes. In this direction, our Company acts in accordance with the
principles set out in Articles 8 and 9 of the Law and in accordance with the
decisions taken by the PDP Board.
3.1
Transfer of Personal Data
Our Company may transfer personal data to third parties with the explicit consent of the data owner, or without seeking the explicit consent of the data owner in the presence of the conditions listed below, by taking due care and taking all necessary security measures, including the methods determined by the Board:
•
Explicitly stipulated in the
law.
•
It is mandatory for the
protection of the life or physical integrity of the person who is unable to
disclose his/her consent due to actual impossibility or whose consent is not
legally valid.
•
Provided that it is directly
related to the conclusion or performance of a contract, it is necessary to
process personal data of the parties to the contract.
•
It is mandatory for the data
controller to fulfill its legal obligation.
•
It has been made public by the
person concerned.
•
Data processing is mandatory
for the establishment, exercise or protection of a right.
•
Data processing is mandatory
for the legitimate interests of the Company, provided that it does not harm the
fundamental rights and freedoms of the data subject.
3.1.2.
Transfer of Personal Data Abroad
Personal data cannot be transferred
abroad without the explicit consent of the data subject.
However, personal data may be transferred abroad without seeking the explicit consent of the data subject, provided that one of the reasons for compliance with the law contained in this Policy and one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law exist, and that in the foreign country to which the personal data will be transferred:
•
Adequate protection exists, or
•
In the absence of adequate protection, the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the Board grants permission.
Countries with adequate protection shall be determined and announced by the Board.
The Board shall decide whether there is adequate protection in the foreign country and whether a permit shall be granted in accordance with subparagraph (b) of paragraph 2 by evaluating the following and, if necessary, by taking the opinion of the relevant institutions and organizations:
•
a) International conventions to which Turkey is a party,
•
b) The reciprocity status regarding data transfer between the country requesting personal data and Turkey,
•
c) For each concrete personal data transfer, the nature of the personal data and the purpose and duration of processing,
•
ç) The relevant legislation and practice of the country to which the personal data will be transferred,
•
d) The measures undertaken by the data controller in the country where the personal data will be transferred.
In these cases, personal data may be transferred abroad without explicit consent.
3.2
Transfer of Sensitive Personal Data
Our Company may transfer special
categories of personal data domestically or abroad in line with the purposes of
lawful data processing, with due care and by taking the necessary security
measures, including the methods specified by the Board, and in the presence of
the following conditions;
•
Sensitive personal data other than health and sexual life
can be transferred if the data subject gives explicit consent or in
cases clearly stipulated in the laws without explicit consent.
•
Sensitive personal data relating to health and sexual life
may be transferred by persons under the obligation of
confidentiality or authorized institutions and organizations for the protection
of public health, preventive medicine, medical diagnosis, treatment and care
services, planning and management of health services and financing, if the data
subject gives explicit consent or without explicit consent.
If special categories of personal
data are to be transferred abroad, in addition to the existence of other
processing conditions listed in Article 6 of the Law in order to make the
transfer without the explicit consent of the data subject, our Company may
transfer special categories of personal data to foreign countries with adequate
protection or to foreign countries where there is a data controller who
undertakes adequate protection if the Board authorizes the relevant foreign
transfer.
3.3
Groups of Persons to whom Personal Data is
Transferred
Our Company may transfer personal
data to the categories of recipient groups listed below in accordance with
Articles 8 and 9 of the Law:
•
Legally Authorized Public
Authority,
•
Legally Authorized Special,
•
Affiliation
•
Supplier
Detailed
information regarding the third parties to whom such personal data are
transferred can be found in Annex 5 ("Annex
5 - Categories of Third Parties to whom Personal Data are Transferred") of
this Policy.
Pursuant to the obligation to
delete, destroy or anonymize personal data stipulated in the Turkish Penal
Code, the Law and other relevant legislation, personal data shall be deleted,
destroyed or anonymized in accordance with the ex officio decision of our
Company or the request of the personal data owner if the reasons requiring its
processing disappear, although it has been processed by our Company in
accordance with the law.
Our Company takes all necessary
measures according to the nature of the data to be protected in order to
prevent unlawful disclosure, access, transfer of personal data or security
weaknesses that may arise for other reasons.
In this context, all necessary administrative and technical measures are taken by our Company, an audit system is established within our Company, and in case of unlawful disclosure of personal data, our Company acts in accordance with the measures stipulated in the Law.
5.1
Administrative Measures Taken by Our Company to
Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to
Personal Data
•
There are disciplinary
regulations for employees that include data security provisions.
•
Training and awareness raising
activities on data security are carried out for employees at regular intervals.
•
Corporate policies on access,
information security, use, storage and disposal have been prepared and
implemented.
•
Confidentiality commitments are
made.
•
Employees who are reassigned or
leave their jobs are de-authorized in this area.
•
The signed contracts contain
data security provisions.
•
Personal data security policies
and procedures have been determined.
•
Personal data security issues
are reported quickly.
•
Necessary security measures are
taken regarding entry and exit to physical environments containing personal
data.
•
Physical environments
containing personal data are secured against external risks (fire, flood,
etc.).
•
Security of environments
containing personal data is ensured.
•
Internal periodic and/or random
audits are conducted and commissioned.
•
Existing risks and threats have
been identified.
•
Protocols and procedures for
the security of sensitive personal data have been determined and implemented.
•
Data processing service
providers are periodically audited on data security.
•
Awareness of data processing
service providers on data security is ensured.
5.2
Technical Measures Taken by Our Company to Ensure
Lawful Processing of Data and to Prevent Unlawful Access to Personal Data
•
Network security and
application security are ensured.
•
Closed system network is used
for personal data transfers through the network.
•
Security measures are taken
within the scope of procurement, development and maintenance of information
technology systems.
•
The security of personal data
stored in the cloud is ensured.
•
Access logs are kept regularly.
•
Up-to-date anti-virus systems
are used.
•
Firewalls are used.
•
Personal data security is
monitored.
•
Personal data is minimized as
much as possible.
•
Personal data is backed up and
the security of backed up personal data is also ensured.
•
User account management and
authorization control system are implemented and monitored.
•
Log records are kept in a way that there is no user intervention.
•
Intrusion detection and
prevention systems are used.
•
Penetration test is applied.
•
Cyber security measures have
been taken and their implementation is constantly monitored.
•
Encryption is performed.
Within the scope of personal data
processing activities carried out by our Company, in the event that personal
data is unlawfully obtained by unauthorized persons, the situation will be
notified to the relevant persons and the Board within 72 hours at the latest.
In accordance with Article 10 of
the Law, our Company fulfills its obligation to inform the personal data owners
during the acquisition of personal data.
Article 20 of the Constitution of the Republic of Turkey states that "Everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning oneself, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes." For this purpose, in accordance with Article 11 of the Law, necessary information is provided in case the relevant persons request information. Detailed information on the rights of the personal data owner is provided in section 7.1 of this Policy ("Rights of the Personal Data Owner").
7.
SECTION - RIGHTS OF THE PERSONAL DATA OWNER AND EXERCISE OF THESE RIGHTS
7.1
Rights of the Personal Data Subject
Pursuant to the Law, the rights that personal data subjects may exercise are set out below:
•
To learn whether personal data is being processed,
•
To request information if their personal data has been processed,
•
To learn the purpose of processing personal data and whether they are used in accordance with that purpose,
•
To know the third parties to whom personal data are transferred domestically or abroad,
•
To request correction of personal data in case of incomplete or incorrect processing,
•
To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
•
To object to the emergence of a result to the detriment of the person himself/herself through the analysis of the processed data exclusively by automated systems,
•
To demand compensation for the damage in case of damage due to unlawful processing of personal data.
7.2
Situations where Data Subjects cannot assert their
rights
In the cases specified in Article 28
of the Law, personal data owners will not be able to assert their rights
specified in Article 11 of the Law. Although these situations constitute
exceptions, they are outside the scope of data protection of the Law. These
situations are stated below:
•
Processing of personal data by
natural persons within the scope of activities related to themselves or their
family members living in the same residence, provided that personal data are
not disclosed to third parties and the obligations regarding data security are
complied with.
•
Processing of personal data for
purposes such as research, planning and statistics by anonymizing them with
official statistics.
•
Processing of personal data for
artistic, historical, literary or scientific purposes or within the scope of
freedom of expression, provided that such processing does not violate national
defense, national security, public security, public order, economic security,
privacy or personal rights or constitute a crime.
•
Processing of personal data
within the scope of preventive, protective and intelligence activities carried
out by public institutions and organizations authorized by law to ensure
national defense, national security, public security, public order or economic
security.
•
Processing of personal data by
judicial or enforcement authorities in relation to investigations,
prosecutions, trials or executions.
In the cases listed below, personal
data owners cannot assert their other rights listed in Article 11 of the Law,
except for the right to demand compensation for the damage:
•
Processing of personal data is
necessary for the prevention of crime or criminal investigation.
•
Processing of personal data
made public by the data subject himself/herself.
•
Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
•
Processing of personal data is
necessary for the protection of the economic and financial interests of the
State in relation to budgetary, tax and fiscal matters.
7.3
Exercise of Rights by Personal Data Subjects
Personal data
owners may submit their requests regarding the exercise of the rights specified
in Article 11 of the Law to ....
By filling out the Company Relevant
Person Application Form in writing or by registered electronic mail (KEP)
address, secure electronic signature, mobile signature or by using your e-mail
address that you have previously notified to our Company and registered in our
system.
7.4
Responding to Applications by our Company
All necessary administrative and
technical measures are taken to finalize the applications to be made by the
personal data owner effectively, in accordance with the law and the rule of
honesty.
Our company may accept the
applications of the personal data owner or reject them by explaining the
reason. Our Company will be able to notify the relevant response to the
personal data owner in writing or electronically.
In the event that the personal data owner submits his/her request regarding the rights under section 7.1 ("Rights of the Personal Data Owner") to our Company in accordance with the procedures mentioned in section 7.3 ("Exercise of Rights by Personal Data Owners"), our Company will finalize the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the Data Controller may request the fees in the tariff determined by the Board from the applicant.
ANNEX-1 - DEFINITIONS
Personal Data | Any information relating to an identified or identifiable natural person |
Board | Personal Data Protection Board |
Processing of Personal Data | Any operation performed on personal data, such as obtaining, recording, storing, preserving, maintaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller |
Data Recording System | Recording system where personal data is structured and processed according to certain criteria |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
Data Owner | The natural person whose personal data is processed |
Open Consent | Consent on a specific subject, based on information and expressed with free will |
Sensitive Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
ANNEX-2 - PERSONAL DATA SUBJECTS
DATA OWNER | EXPLANATION |
Employee / Trainee Candidate | It means real persons who have applied for a job to our Company by any means or who have opened their CV and related information to our Company's review. |
Former Employee | Natural persons whose employment contract with our Company has been terminated for any reason (resignation, dismissal, retirement, etc.). |
Customer | It means real persons who use or have used the products and services offered by our Company. |
Legal Entity Customer Employee / Officer / Shareholder | It means real persons who are shareholders, officers or employees of our legal entity customers who use or have used the products and services offered by our Company. |
Person for Whom the Invoice is Issued or Delivery is to be Made (Non-Customer) | It means the real persons subject to the request in the event that, during the utilization of the services provided by our Company, a customer requests that the invoice be issued on behalf of another real person or that the service be performed on behalf of someone else. |
Contest Participant | It means real persons who participate in our Company's campaigns or competitions. |
Family Members | Family members or relatives of persons who have benefited from or been injured by the products or services of our Company. |
Visitor | It means real persons who visit our Company's premises or websites or who have joined our Company's guest internet network. |
Lessor | It means the real persons who rent out the real estates rented for our Company's locations. |
Group Company Shareholder / Officer / Employee | Shareholders/officials/employees of companies directly or indirectly controlled by the controlling shareholder or shareholders of our Company |
Business Partner Shareholder / Officer / Employee | Real persons who are shareholders, officers or employees of legal entity companies with which our Company has established or intends to establish a cooperation, business partnership or program partnership. |
Supplier | Real persons who are shareholders, officers or employees of companies that provide goods and/or services to our Company pursuant to an existing or prospective contract with our Company |
ANNEX-3 - Purposes of Processing
Personal Data
MAIN
OBJECTIVES
(PRIMARY)
|
SUB-OBJECTIVES (SECONDARY)
|
The human resources policies and processes of our
company planning and/or execution |
Planning and/or
execution of employee induction and/or personnel processes |
|
Planning and/or execution of the application,
selection and evaluation processes of employee candidates |
|
Planning and/or execution of
internal/external communication activities necessary for the placement of
employee candidates and/or students and/or interns |
|
Planning and/or execution of reference and/or
intelligence activities in personnel recruitment activities |
|
Planning and/or execution of activities to
meet employee information/document requests |
|
Planning and/or
execution of internal orientation activities |
|
Planning and/or
execution of personnel appointment/promotion processes |
|
Planning and/or
execution of talent/career development activities |
|
Planning and/or execution of activities to be
carried out within the framework of occupational health and/or safety |
|
Planning and/or
execution of employee performance/talent evaluation processes |
|
Planning and/or
execution of human resources processes |
MAIN
OBJECTIVES
(PRIMARY)
|
SUB-OBJECTIVES (SECONDARY)
|
|
Planning and/or
execution of internal/external training activities |
|
Planning and/or execution of fringe benefits
and/or benefits for
employees |
|
Planning and/or
execution of employee satisfaction and/or engagement processes |
|
Planning and/or execution of the processes of
receiving and evaluating suggestions from employees for improving business
processes and/or increasing employee productivity |
|
Planning and/or execution of corporate
communication for employees and/or corporate social responsibility and/or
non-governmental organization activities in which employees participate |
|
Employees'
domestic/international travels (events |
|
Planning and/or
execution of employee remuneration |
|
Planning and/or execution of processes for
providing incentive and reward services to employees |
|
Making internal information announcements in
case of recruitment, appointment, promotion, special occasions and/or exit |
|
Fulfillment of obligations arising from the
employment contract and/or legislation for employees |
MAIN
OBJECTIVES
(PRIMARY)
|
SUB-OBJECTIVES (SECONDARY)
|
Our Company and our
business with our Company in a relationship with the relevant planning
and/or execution of activities to ensure the legal and technical security of
persons |
Planning and/or
execution of the necessary operational activities to ensure that the
Company's activities are carried out in accordance with Company procedures
and/or relevant legislation |
|
Planning and/or execution of corporate and
partnership law
transactions |
|
Follow-up of legal
affairs |
|
Legislative
obligations to official institutions and/or organizations Providing information within the scope,
submitting the requested information and documents and/or recording the
responses |
|
Ensuring that data is
accurate and/or up-to-date |
|
Ensuring the security
of company operations |
|
Planning, auditing
and/or execution of information security processes |
|
Establishment and/or
management of information technology infrastructure |
|
Planning and/or execution of our Company's
legal compliance activities
|
|
Planning and/or
execution of authentication activities |
|
Planning and/or execution of
internal/external audit, inspection and/or control activities of our Company |
MAIN
OBJECTIV
ES
(PRIMARY
)
|
SUB-OBJECTIVES (SECONDARY)
|
|
Planning and/or execution of activities
related to the prevention, detection, investigation and/or finalization of
fraud cases |
|
Follow-up of contract
processes and/or legal requests |
|
Ensuring the security
of company fixtures and/or resources |
|
Planning and/or execution of emergency and/or
incident management processes |
|
Ensuring the security
of company premises and/or facilities |
|
Creation and/or
follow-up of visitor records |
|
Planning and/or
execution of network monitoring and management activities |
Planning and/or execution of the activities necessary to customize the
products and services offered by our Company and/or on behalf and account of
our Company according to the appreciation, usage habits and needs of the
relevant persons, and to recommend and promote them to the relevant persons |
|
|
Planning and/or
execution of activities for customer satisfaction and/or experience |
|
|
Planning and/or
execution of campaign and/or promotion and/or publicity processes |
|
Identification and/or evaluation of people to
be subject to marketing activities in line with consumer behavior criteria |
|
Design and/or execution of personalized
marketing (segmentation, profiling, etc.) and/or promotional activities |
|
Design and/or execution of advertising and/or
promotion and/or marketing activities in digital and/or other media |
|
Design and/or execution of activities to be
developed on customer acquisition and/or value creation for existing
customers in digital and/or other channels |
|
Planning and/or execution of data analytics
and/or data enrichment activities for marketing purposes |
|
Planning and/or execution of cross-selling
activities related to other products offered by our Company |
|
Planning and/or execution of market research
activities for sales and/or marketing of products and services |
|
Planning and/or execution of the processes of
creating and/or increasing loyalty to the products and/or services offered by
our Company |
|
Planning and/or execution of campaign
performance measurement and reporting activities |
|
Planning and/or
execution of marketing processes of products and/or services |
|
Planning and/or
execution of raffle/competition activities |
|
Planning and/or
execution of activities related to surveys conducted by our Company |
Carrying out the necessary work to enable the relevant persons to benefit
from the products and/or services offered by our Company and/or on behalf and
account of our Company, and carrying out the relevant business processes |
|
|
Creation and/or follow-up of application
and/or sales processes for products and/or services |
|
Planning and/or
execution of customer relationship management processes |
|
Planning and/or
execution of virtual pos/cash collection transactions |
|
Planning and/or
execution of activities related to the delivery of products |
|
Evaluation of customer requests and/or
complaints collected through digital and/or other channels |
|
Realization and/or follow-up of payment
transactions of
products/services |
|
Planning and/or execution of activities
related to invoice issuance, verification and/or cancellation |
Carrying out the necessary work by our relevant business units for the
realization of the commercial and/or operational activities carried out by
our Company, and execution of the related business processes |
|
|
|
Follow-up of
financial and/or accounting affairs |
|
|
Planning and/or execution of activities for
conducting effectiveness/efficiency and/or relevance analysis of business
activities |
|
|
Planning and/or
execution of corporate governance activities |
|
|
Planning and/or
execution of business continuity activities |
|
Planning and/or
execution of procurement processes |
|
Planning and/or
execution of business activities |
|
Planning and/or
execution of operations and/or efficiency processes |
|
Defining and/or auditing the authorization of
our employees and persons outside the Company to access information |
|
Planning and/or execution of activities to
ensure the business follow-up of 3rd party employees who have a business
relationship with our Company |
|
Planning and/or execution of satisfaction and
loyalty activities for business partner/supplier
employees/authorities/shareholders |
|
Planning and/or
execution of internal/external reporting activities |
Planning and/or execution of our Company's
commercial and/or business strategies |
|
|
Management of relationships with business
partners and/or suppliers |
|
|
|
Planning and/or execution of strategic
planning activities |
|
Conducting and/or executing budget studies |
|
Planning
and/or execution of the Company's
financial risk processes |
|
Planning and/or execution of risk assessment
activities and/or feasibility studies for potential business partner/supplier
selection |
ANNEX-4 - Categories of Personal Data
PERSONAL DATA CATEGORIES | EXPLANATION |
Identity Information |
It means all information contained in driver's licenses, identity cards,
passports, professional IDs and similar documents, which clearly belongs to
an identified or identifiable natural person. |
Contact Information |
It means telephone number, address, e-mail
and similar contact information that clearly belongs to an identified or
identifiable natural person. |
Financial Information |
It means personal data that clearly belongs to an identified or identifiable
natural person, is processed partially or completely automatically, or
non-automatically as part of a data recording system, and relates to
information, documents and records showing all kinds of financial results.
|
Customer Information |
Means data relating to the customer obtained
during the performance of our commercial activities, which clearly belongs to
an identified or identifiable natural person. |
Customer Transaction Information |
It means information, such as records for the use of our products and
services and our customer's instructions and requests for the use of our
products and services, which clearly belongs to an identified or identifiable
natural person. |
Transaction Security
Information |
It means personal data that clearly belongs
to an identified or identifiable natural person and is processed to ensure
the technical, administrative, legal and commercial security of our Company while
carrying out our Company's commercial activities. |
Risk Management Knowledge |
It means personal data that clearly belongs to an identified or identifiable
natural person and is processed in order to minimize the risks in accordance
with our Company's policies and legislative obligations. |
Physical Space Security Information |
It means personal
data relating to records and documents taken at the entrance to the physical
space, during the stay in the physical space, which clearly belong to an
identified or identifiable natural person. |
Audit and Inspection Knowledge |
It means personal data that clearly belongs to an identified or identifiable
natural person and is processed within the scope of compliance with our
Company's legal obligations and Company policies and audit. |
Legal Procedure and Compliance Knowledge |
It means personal data that clearly belongs to an identified or identifiable
natural person and is processed within the scope of the determination and
follow-up of our legal receivables and rights, the performance of our debts,
and our legal obligations and compliance with our Company's policies. |
Reputation Management Knowledge |
It means information that clearly belongs to
an identified or identifiable natural person, information collected for the
purpose of protecting the commercial reputation of our Company and
information about the evaluation reports and actions taken. |
Request/Complaint Management Information |
It means personal data relating to the
receipt and evaluation of all kinds of requests and/or complaints addressed
to our Company, which clearly belong to an identified or identifiable natural
person. |
Family Members and Relatives |
It means information about the family members and relatives of our customers
or employees, which clearly belongs to an identified or identifiable natural
person. |
Audiovisual Data |
It means data of a visual or auditory nature, such as photographs, videos,
etc., which clearly belongs to an identified or identifiable natural person. |
Vehicle Information |
It means information about the vehicles
associated with the data subject, which clearly belongs to an identified or
identifiable natural person. |
Employee Candidate Information |
It means the CV information of our employee
and/or internship candidates who have applied for a job to our company in any
way. |
Employee Information |
It means the information that will be the
basis for the creation of the personal rights and files of our employees
and/or the employees of the company we cooperate with, which clearly belongs
to an identified or identifiable natural person. |
Employee Transaction Information |
It means personal data that clearly belongs
to an identified or identifiable natural person and is related to our
employees and/or their business and transactions. |
Employee Performance and Career Development Information |
It means personal data that clearly belongs to an identified or identifiable
natural person and is processed for the purposes of evaluating the
performance of our employees and planning and executing their career
development within the scope of our Company's human resources policies and
procedures. |
Benefits and Benefits Information |
It means personal data that clearly belongs to an identified or identifiable
natural person and is processed for the planning of the fringe benefits and
benefits that we offer and will offer to our employees, the determination of
the objective criteria for entitlement to them, and the follow-up of
entitlements. |
Insurance Information |
It means personal data relating to the
insurances provided by our Company in favor of its employees, which clearly
belongs to an identified or identifiable natural person. |
Sensitive Personal Data |
Data relating to race, ethnic origin,
political opinions, philosophical beliefs, religion, sect or other beliefs,
appearance and dress, membership of associations, foundations or trade
unions, health, sexual life, criminal convictions and security measures, and
biometric and genetic data, which clearly belong to an identified or
identifiable natural person. |
ANNEX-5 - Categories of Third Parties to whom Personal Data is Transferred
THIRD PERSONS | EXPLANATION |
Legally Authorized Public Authority |
Public institutions and organizations legally authorized to receive
information and documents from our Company. |
Legally Authorized Private Institution |
Private law persons legally authorized to receive information and documents
from our Company. |
Subsidiary |
It means legal entities that are subsidiaries of our Company. |
Suppliers |
Parties that provide goods or services for
our Company to continue its commercial activities in line with the
instructions received from the Company and based on the contract between the
Company and our Company. |