EKSEL İLETİŞİM TİCARET ANONİM ŞİRKETİ INFORMATION AND CLARIFICATION TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Article 20 of the Constitution states: “Everyone has the right to request the protection of personal data concerning him or her. This right includes being informed about personal data, accessing such data, requesting their correction or deletion, and being informed whether they are used in accordance with the purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data are regulated by law.” With this provision, personal data has been secured. Likewise, the Law on the Protection of Personal Data No. 6698 (KVKK) extensively regulates the procedures and principles related to the protection of personal data.
As Eksel İletişim Ticaret Anonim Şirketi, the protection of personal data that we lawfully process is among our top priorities. In this context, necessary technical and administrative measures are taken and implemented, and necessary audits are carried out. We would like to inform you in accordance with the current legislation about the methods of obtaining personal data, purposes of processing, legal grounds, protection, storage, transfer, and deletion, destruction or anonymization of data, and the rights of individuals whose personal data is processed.
Definitions
Law: Personal Data Protection Law (KVKK)
Board: Personal Data Protection Board
Authority: Personal Data Protection Authority
President: President of the Personal Data Protection Authority
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Data Recording System: A system in which personal data is processed based on specific criteria.
Processing of Personal Data: Any operation performed on personal data, wholly or partly by automatic means, or by non-automatic means provided that it is part of a data recording system, such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use.
Data Subject: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted.
Explicit Consent: Freely given, specific, and informed consent.
Destruction: Deletion, destruction, or anonymization of personal data.
Anonymization: Rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
Deletion of Personal Data: Rendering personal data inaccessible and unusable for relevant users.
Destruction of Personal Data: Rendering personal data inaccessible, unrecoverable, and unusable by anyone.
Publicized Data: Personal data made public by the data subject by any means.
Obligation to Inform: During the collection of personal data, the obligation of the data controller or the authorized person to inform the data subject about the identity of the data controller and its representative (if any), the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data, and the other rights listed in Article 11 of the Law.
*Eksel acts as the “data controller” within the scope of the Law No. 6698.
Fundamental Principles
The following principles are taken as basis in the processing of personal data:
a) Lawfulness and fairness.
b) Being accurate and, where necessary, up to date.
c) Being processed for specific, explicit, and legitimate purposes.
d) Being relevant, limited, and proportionate to the purposes for which they are processed.
e) Being stored for the period laid down by relevant legislation or the purpose for which they are processed.
Processing of Personal Data
Personal data cannot be processed without the explicit consent of the data subject.
However, personal data may be processed without the explicit consent of the data subject if one of the following conditions applies:
a) It is expressly provided for by the laws.
b) It is necessary for the protection of life or physical integrity of the person or another person, where the data subject is physically or legally incapable of giving consent.
c) Processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) The data has been made public by the data subject.
e) Data processing is necessary for the establishment, exercise or protection of any right.
f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Conditions for Processing Special Categories of Personal Data
Special categories of personal data, including those relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, cannot be processed without explicit consent.
Personal data, other than those relating to health and sexual life, may be processed without the explicit consent of the data subject if provided for by law.
Personal data relating to health and sexual life may be processed without explicit consent only by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and their financing.
Sufficient measures determined by the Board must be taken when processing special categories of personal data.
Deletion, Destruction, or Anonymization of Personal Data
Even if personal data has been processed lawfully, it shall be deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject if the reasons for processing are no longer applicable.
Provisions in other laws regarding deletion, destruction or anonymization of personal data are reserved.
The procedures and principles for deletion, destruction or anonymization of personal data shall be regulated by regulation.
Transfer of Personal Data
Personal data cannot be transferred without the explicit consent of the data subject.
However, personal data may be transferred without the explicit consent of the data subject if one of the conditions set forth in:
a) Article 5(2), or
b) Article 6(3) of the Law is present, provided that adequate measures are taken.
Transfer of Personal Data Abroad
Personal data cannot be transferred abroad without the explicit consent of the data subject.
However, personal data may be transferred abroad without explicit consent if one of the conditions set forth in Article 5(2) and Article 6(3) is present and:
a) Adequate protection is provided in the foreign country to which the data will be transferred, or
b) In the absence of adequate protection, data controllers in Turkey and the relevant foreign country provide a written undertaking for adequate protection and obtain permission from the Board.
The countries where adequate protection is provided are determined and announced by the Board.
Obligation of the Data Controller to Inform
At the time personal data is obtained, the data controller or the person authorized by the data controller is obliged to inform the data subject about:
a) The identity of the data controller and its representative, if any,
b) The purpose for which personal data will be processed,
c) To whom and for what purpose the processed personal data may be transferred,
ç) The method and legal basis of data collection,
d) The rights of the data subject.
Obligations of the Data Controller Regarding Data Security
The data controller is obliged to take all necessary technical and administrative measures to:
a) Prevent unlawful processing of personal data,
b) Prevent unlawful access to personal data,
c) Ensure the safekeeping of personal data.
If personal data is processed by another natural or legal person on behalf of the data controller, the data controller is jointly responsible with such persons for taking the necessary measures.
The data controller is also obliged to carry out or have carried out the necessary audits within its organization to ensure implementation of the provisions of the Law.
The data controller and data processors may not disclose personal data they have learned in breach of the provisions of the Law, and may not use such data for purposes other than processing. This obligation continues even after their duties are terminated.
If personal data is unlawfully obtained by others, the data controller shall notify the data subject and the Board as soon as possible.
Rights of the Data Subject
Everyone has the right to apply to the data controller and:
a) Learn whether their personal data is processed,
b) Request information if their personal data has been processed,
c) Learn the purpose of processing personal data and whether they are used appropriately,
ç) Know the third parties to whom personal data is transferred at home or abroad,
d) Request correction of personal data if it is incomplete or inaccurately processed,
e) Request deletion or destruction of personal data under the conditions stipulated in the Law,
f) Request notification of the operations carried out as per subparagraphs (d) and (e) to third parties to whom the personal data has been transferred,
g) Object to the occurrence of a result against the person through the exclusive analysis of processed data by automatic systems,
ğ) Request compensation for the damage arising from the unlawful processing of personal data.
Application to the Data Controller
The data subject shall submit their requests regarding the implementation of this Law to the data controller in writing or by other methods to be determined by the Board.
The data controller shall finalize the request as soon as possible and within thirty days at the latest, free of charge, depending on the nature of the request. However, if the process requires an additional cost, the fee in the tariff determined by the Board may be charged.
The data controller shall accept the request or reject it with justification and notify the response to the data subject in writing or electronically. If the request is accepted, the necessary actions will be taken. If the request is due to the fault of the data controller, the fee will be refunded.
*You can submit your requests for information and applications by contacting us through our contact page.
Complaint to the Board
If the application is rejected, the response is insufficient, or the application is not responded to in due time, the data subject may file a complaint to the Board within thirty days from the date of learning the response and in any case within sixty days from the date of application.
The complaint cannot be filed without first applying to the data controller.
The right to claim compensation for those whose personal rights are violated is reserved under general provisions.
Exceptions
The provisions of the Law No. 6698 shall not apply in the following cases:
a) Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that the data is not shared with third parties and the obligations regarding data security are observed,
b) Processing of personal data for official statistics and for research, planning and statistics by anonymizing them,
c) Processing of personal data for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights, and does not constitute a crime,
ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized by law to ensure national defense, national security, public security, public order or economic security,
d) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
Articles 10 (obligation to inform), 11 (rights of the data subject) – except the right to request compensation – and 16 (registration obligation to the Data Controllers Registry) shall not apply in the following cases, provided that the processing is in accordance with the purpose and basic principles of the Law:
a) Processing of personal data is necessary for the prevention of crime or criminal investigation,
b) Processing of personal data made public by the data subject,
c) Processing of personal data is necessary for the performance of supervisory or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations in the nature of public institutions, based on the authority granted by law,
ç) Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.