GDPR
İNTEGRAL ENTEGRE YAPI TEK. SAN. TİC. ANONİM ŞİRKETİ PERSONAL DATA PROTECTION, STORAGE, PROCESSING, AND DESTRUCTION POLICY
I. INTRODUCTION
1.1. Introduction to Policy
1.2. Purpose and Scope of the Policy
1.3. Definitions
1.4. Enforcement of the Policy
II. PROCESSING AND TRANSFERRING PERSONAL DATA
2.1. Principles to be Applied in the Processing of Personal Data
2.2. Personal Data Processing Conditions
2.3. Conditions of Processing of Sensitive Personal Data
2.4. Terms of Transfer of Personal Data
2.5. Terms of Transfer of Sensitive Personal Data
2.6. Conditions for Transferring Personal Data Abroad
2.7. Conditions for Transferring Sensitive Personal Data Abroad
III. PURPOSE OF PROCESSING AND TRANSFERRING PERSONAL DATA, AND PERSONS TO WHOM PERSONAL DATA WILL BE TRANSFERRED
3.1. Purposes of Processing and Transferring Personal Data
3.2. Persons to whom Personal Data will be Transferred
IV. METHOD OF COLLECTION AND LEGAL REASON OF PERSONAL DATA, DELETING, DESTROYING AND ANONYMIZATION
4.1. Method and Legal Reason for Personal Data Collection
4.2. Storage of Personal Data
4.3. Deletion, Destruction or Anonymization of Personal Data and Periodic Destruction
4.3.1. Deleting Personal Data
4.3.2. Destruction of Personal Data
4.3.3. Anonymization of Personal Data
4.3.4. Periodic Destruction
V. ENSURING THE SECURITY OF PERSONAL DATA
5.1. Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data
5.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
5.3. Technical and Administrative Measures Taken for Storing Personal Data in Secure Environments
5.4. Supervision of the Measures Taken for the Protection of Personal Data
5.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
VI. RIGHTS OF PERSONAL DATA OWNER
6.1. Rights of Personal Data Owner
6.2. Cases where the Personal Data Owner Cannot Assert Their Rights
6.3. Exercise of Personal Data Owner's Rights
6.4. Response Time to Applications
VII. EFFECTIVENESS AND UPDATES
İNTEGRAL ENTEGRE YAPI TEK. SAN. TİC. ANONİM ŞİRKETİ PERSONAL DATA PROTECTION, STORAGE, PROCESSING, AND DESTRUCTION POLICY
I. INTRODUCTION
1.1. Introduction to the Policy
As İNTEGRAL ENTEGRE YAPI TEK. SAN. TİC. ANONİM ŞİRKETİ ("Company" or "Integral"), we attach utmost importance to the lawful processing and protection of personal data in accordance with the Law on the Protection of Personal Data No. 6698 ("Law No. 6698"). We act with respect and a sense of duty toward the constitutional right of everyone to demand the protection of their personal data. With this awareness, we have established this "Integral Entegre Yapı Tek. San. Tic. Anonı̇m Şı̇rketı̇ Personal Data Protection, Storage, Processing, and Destruction Policy" ("Policy") to govern and ensure the necessary diligence in protecting the personal data of employees and job applicants, company shareholders, company officials, visitors, employees, shareholders, and officials of collaborating institutions, and third parties, and we have made it a company policy.
In compliance with the relevant legislation regarding the processing, protection, and destruction of personal data, we hereby present this Policy to inform you about all the administrative and technical measures we have taken.
1.2. Purpose and Scope of the Policy
The primary purpose of this Policy is to provide information about the systems related to the acquisition, processing, protection, storage, erasure, destruction, and anonymization of personal data that are carried out in compliance with the law and the objectives of Law No. 6698. Through this, we aim to ensure transparency by informing individuals whose personal data is processed by our company, including our employees, job applicants, company shareholders, company officials, visitors, employees, shareholders, and officials of collaborating institutions, and third parties. The ultimate goal is to fully comply with the relevant legislation during the processing, protection, erasure, and anonymization of personal data performed by the Company, and to safeguard all rights of data owners concerning personal data as stipulated in the legislation.
This Policy shall not apply to any and all personal data that may be automatically processed by employees, job applicants, company shareholders, company officials, visitors, employees, shareholders, and officials of collaborating institutions, and third parties as part of any data registration system and in any way apply to legal entities and entity data.
1.3. Definitions
Explicint Consent |
: |
Consent relating to a particular subject, based on informed, and disclosed with free will. |
Anonymization |
: |
To anonymize personal data means to alter the data in such a way that it loses its character as personal data and cannot be reversed. |
Application form |
: |
Application Form for Applications to be made by the Related Person (Personal Data Owner) to the Data Controller in accordance with the Law on Protection of Personal Data No. 6698", which includes the application to be made by the personal data owners to exercise their rights.
|
Employee |
: |
They are the natural people under the employment contract at Integral.
|
Employee Candidate |
: |
Natural persons who have applied for a job in any way to Integral or have shared their background and knowledge with Integral.
|
Employees, Shareholders, and Officials of Co-operative Institutions |
: |
Natural persons, including employees, shareholders, and officials of institutions with which Integral has all kinds of business relations. |
Business Partner |
: |
The parties with whom Integral establishes business partnerships, either directly or in collaboration with its Group Companies, to carry out various projects and obtain services while conducting its commercial activities.
|
Processing of Personal Data |
: |
Any processing operation carried out on personal data, either wholly or partially, through automated means or as part of any data recording system or non-automated means, including collection, recording, storage, retention, alteration, reorganization, disclosure, transmission, takeover, rendering data accessible, classification, or preventing the use of data. |
Personal Data Owner |
: |
The natural person whose personal data has been processed. |
Personal Data |
: |
Any information relating to a specific or identifiable real person. |
Sensitive Personal Data |
: |
Data related to race, ethnicity, political thought, philosophical belief, religion, sectarianism or other beliefs, attire, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, and biometric and genetic data.
|
Periodic Destruction |
: |
In the event that all of the personal data processing conditions in the law are eliminated, the deletion, destruction, and anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy.
|
Third Party |
: |
Natural persons whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy.
|
Data Processor |
: |
The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
|
Data Controller |
: |
The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). Within the scope of this policy, Integral is the data controller. |
Deletion of Data |
: |
It means that all relevant users within the company are encrypted to prevent access to personal data and only the data protection officer has this password. |
Data Destruction |
: |
It refers to the complete elimination of personal data by physical or technological means that it cannot be reversed anymore. |
Visitor |
: |
Natural persons who have entered Integral's physical premises for various purposes or have visited our websites. |
1.4. Enforcement of the Policy
This Policy, prepared by Integral and put into effect on 20/06/2023, is published on Integral's website at "https://echran.com" and made accessible to relevant individuals upon request by data owners.
II. PROCESSING AND TRANSFERRING PERSONAL DATA
2.1. Principles to be Applied in the Processing of Personal Data
Personal Data is processed by Integral in accordance with the Law No. 6698 and the procedures and principles stipulated in this Policy, and in this context, the principles and conditions to be considered in personal data processing activities are listed below.
2.1.1. Personal data is processed according to the relevant law rules and the requirements of the honesty rule, with respect to the proportionality requirements and in accordance with its purpose.
2.1.2. Personal data is kept accurate and up-to-date, taking into account the fundamental rights of data owners and their own legitimate interests. In this direction, Integral is taking appropriate actions.
2.1.3. Personal data is processed as necessary and in connection with the products and services offered for certain explicit and legitimate purposes.
2.1.4. Personal data is processed in a manner that is favorable for the fulfillment of the stated goals and avoids the processing of personal data that is not or is not needed for the purpose.
2.1.5. Personal data is retained for the periods specified in Law No. 6698 or limited to the purpose for which they were processed. If there is no valid reason for further retention of personal data, such data will be deleted, destroyed, or anonymized.
2.2. Personal Data Processing Conditions
As a rule, personal data is processed if the data owner gives explicit consent, and Integral may also process personal data in the presence of one of the other conditions listed below, apart from express consent. The legal basis for the processing of personal data may be any one of the following conditions or multiple conditions for the same personal data processing activity. If the processed data is custom-skilled personal data, the terms set out in heading 2.3 are applied below. Although legal grounds for processing personal data may vary by Integral, any personal data processing activity is governed by the general principles set forth in section 4 of the 6698 Act.
2.2.1. In cases expressly stipulated in the laws, personal data may be processed even if there is no explicit consent from the personal data owners regarding the processing of their personal data.
2.2.2. Personalized data may be handled without explicit consent for the protection of the life or body integrity of any person or person who is unable to disclose their consent due to actual impossibility or whose consent cannot be validated.
2.2.3. Provided that it is directly related to the establishment or performance of a contract, personal data may be processed if it is necessary to process the personal data of the parties to the contract.
2.2.4. If data processing is required in order to meet Integral's legal obligations as a data manager, the data holder's personal data may be processed.
2.2.5. Relevant personal data may be processed if the data owner has made his or her personal data publicly available.
2.2.6. If data processing is mandatory for the establishment, use, or protection of a legitimate right, the personal data of the data owner can be handled without explicit consent.
2.2.7. Personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of Integral, but not harmful to the fundamental rights and freedoms of the personal data owner.
2.3. Conditions of Processing of Sensitive Personal Data
Personal data that is qualified by the Integral is not expressly consensual to the personal data owner, but may be processed in the following cases as long as adequate measures are taken that will be determined by the Personal Data Protection Board.
2.3.1. Private personal data other than the health and sexual life of the personal data holder can be processed in legally envisaged cases.
2.3.2. Private personal data relating to the health and sexual life of the personal data holder may be handled only in accordance with the processing of individuals or authorized institutions and organizations that are obliged to keep secrets for the purpose of protecting public health, conducting protective medicine, medical diagnostics, treatment, and care, planning and managing health care and financing.
2.4. Terms of Transfer of Personal Data
Integral may transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, group companies, third natural persons) in line with the purposes of personal data processing, in accordance with the law, by taking the necessary security measures and establishing confidentiality conditions. In this direction, Integral acts in accordance with the regulations stipulated in Article 8 of Law No. 6698.
For purposes of personal data processing that are legitimate and in accordance with the law, integral may only transfer personal data to third parties on the basis of one or more of the personal data processing requirements set out in Article 5 of Law 698. Further information regarding these states is provided in Article 2.2 of this Policy.
2.5. Terms of Transfer of Sensitive Personal Data
Integral, by showing due diligence, taking the necessary security measures and adequate measures prescribed by the Personal Data Protection Board; In line with the legitimate and lawful personal data processing purposes, it may transfer the sensitive data of the personal data owner to third parties only in cases stipulated by the law or in cases with the explicit consent of the person.
2.5.1. In the event of open consent of the personal data owner
2.5.2. If the explicit consent of the data owner is not obtained, (i) sensitive personal data other than data related to the data owner's health and sexual life (such as race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, and attire, membership in associations, foundations or trade unions, criminal conviction and security measures-related data, as well as biometric and genetic data) can be processed and transferred in cases prescribed by the law, (ii) personal data related to the data owner's health and sexual life can only be processed and transferred by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, carrying out preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and financing.
2.6. Conditions for Transferring Personal Data Abroad
Integral may transfer the Personal Data and Sensitive Personal Data of the Personal Data Owners to third parties abroad by taking the necessary security measures in line with the personal data processing purposes. Personal data by Integral; It can be transferred to foreign countries declared to have adequate protection by the Personal Data Protection Board, or to foreign countries where the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and where the permission of the Personal Data Protection Board is available, in case of insufficient protection. In this respect, Integral acts in accordance with the regulations stipulated in Article 9 of Law No. 6698.
2.7. Conditions for Transferring Sensitive Personal Data Abroad
Integral, by showing due diligence, taking the necessary security measures and adequate measures prescribed by the Personal Data Protection Board; In line with the legitimate and lawful Personal Data processing purposes, it can transfer the sensitive personal data of the personal data owner to foreign countries where the data controller has sufficient protection or undertakes to provide adequate protection in the following cases.
2.7.1. If the personal data owner has explicit consent, or
2.7.2. In the presence of the following conditions, without seeking the explicit consent of the personal data owner;
2.7.2.1. Sensitive personal data other than data related to the data owner's health and sexual life (such as race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, and attire, membership in associations, foundations or trade unions, criminal conviction and security measures-related data, as well as biometric and genetic data) can be processed and transferred in cases prescribed by the law,
2.7.2.2. Personal data related to the data owner's health and sexual life can only be processed and transferred by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, carrying out preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and financing.
III. PURPOSE OF PROCESSING AND TRANSFERRING PERSONAL DATA AND PERSONS TO WHOM PERSONAL DATA WILL BE TRANSFERRED
3.1. Purposes of Processing and Transferring Personal Data
Integral processes personal data solely for the purposes and conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 of Law No. 6698, which set out the personal data processing conditions.
3.1.1. Planning and executing the necessary operational activities to ensure that company activities may execute in accordance with Company procedures and/or related legislation,
3.1.2. Planning and execution of business activities,
3.1.3. Planning and execution of business management activities,
3.1.4. Planning and execution of business continuity activities,
3.1.5. Retention, planning and execution of event and organization records,
3.1.6. Planning and execution of business communications activities,
3.1.7. Planning and execution of partner management processes,
3.1.8. Planning, supervision and execution of information security processes,
3.1.9. Building and managing the information technology infrastructure,
3.1.10. Planning and execution of human resources processes and needs,
3.1.11. Execution of processes for employee employment,
3.1.12. Planning and execution of fringe benefits and benefits for employees,
3.1.13. Planning and monitoring the performance evaluation processes of the employees,
3.1.14. The planning and execution of skill-career development activities,
3.1.15. Planning and/or executing organizational communication/responsibility/event projects for employees,
3.1.16. Monitoring and/or control of the business activities of the employees,
3.1.17. Planning and execution of external or internal training activities within the company.
3.1.18. Planning and execution of employee satisfaction and/or loyalty processes,
3.1.19. Authentication and registration of employees,
3.1.20. Execution of legal obligations regarding the employment of employees,
3.1.21. Opening a salary account to employees, giving rental cars, giving telephone lines, giving food cards when necessary, execution of automatic private pension transactions,
3.1.22. Follow-up and monitoring of the sick leave of the employees or the health conditions necessary for the employee to fulfill his duty,
3.1.23. Following the foreclosures on the workers' salaries,
3.1.24. Organizing the travels of the employees on behalf of the Company,
3.1.25. In case of emergencies, contacting the individuals provided by the employee voluntarily with their own consent.
3.1.26. Detection and control of employees' entry and exit from work,
3.1.27. Preparation of reporting and analysis for senior management,
3.1.28. Execution of functions such as software, enterprise resource planning, reporting, marketing, etc.
3.1.29. Determining and executing the wage policies of the employees,
3.1.30. Ensuring employees benefit from promotions and campaigns,
3.1.31. Recording camera images due to the privacy and security practices of the employees in the workplace, ensuring safe passage between departments with the fingerprint system,
3.1.32. Creating and tracking visitor records,
3.1.33. Planning and execution of emergency management processes,
3.1.34. Ensuring the security of the company premises, fixtures, and resources,
3.1.35. Planning and execution of the Company's operational risk processes,
3.1.36. Execution of other operational activities that may occur.
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law No. 6698, your express consent is obtained by Integral regarding the relevant processing process.
3.2. Persons to whom Personal Data will be Transferred
As Integral, in accordance with Articles 8 and 9 of Law No. 6698, we may share the personal data of our employees with third parties, including service providers and recipients, Group Companies, banks, car rental companies, GSM operators, meal companies, individual retirement companies, hospitals and healthcare institutions, occupational health and safety companies, audit firms, information security companies, customs companies, financial advisors/accounting firms, law firms, financing companies, authorized institutions and organizations, and official authorities, to develop and execute the services provided to our employees, for the purposes stated above and in cooperation with our business partners and other third parties.
IV. METHOD OF COLLECTION, STORAGE, AND LEGAL REASON OF PERSONAL DATA, DELETING, DESTROYING, AND ANONYMIZATION
4.1. Method and Legal Reason for Personal Data Collection
Personal data is collected in order to provide the services offered by Integral in all kinds of verbal, written or electronic media within the determined legal framework and to carry out commercial activities for the purposes specified in this Protocol, within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698. Personal data may be processed by data processors appointed by Integral.
4.2. Storage of Personal Data
Integral stores personal data in accordance with the principles set forth in Law No. 6698 for the period prescribed in the relevant legislation. The Company retains personal data in cases where it is explicitly stipulated in the law when obtaining consent is impossible due to physical impossibility when it is necessary to protect the life or bodily integrity of the data owner or another person when it is directly related to the establishment or performance of a contract when processing is necessary to fulfill a legal obligation when processing is necessary for the establishment, exercise, or protection of a right when processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data owner are not harmed. Integral, also; has the right to keep the Personal Data in case of obtaining express consent and in case of exceptions specified in the 2nd paragraph of the 5th article and the 3rd paragraph of the 6th article of the Law No. 6698.
4.3. Deletion, Destruction or Anonymization of Personal Data and Periodic Destruction
Integral, if the relevant personal data retention periods are not specified in the Law No. 6698 and the legislation, personal data is retained until the end of the purpose for which they are processed. The retention periods are determined by taking into account Integral's practices and commercial life practices. Integral deletes or anonymizes the relevant personal data when the specified periods expire and there is no other legal reason (such as providing evidence in legal disputes, asserting a right that can be proven with personal data, establishing a defense, and responding to information requests from authorized public institutions). In addition, upon the request of the personal data owner, personal data is deleted, destroyed, or anonymized unless there is a different legal basis requiring the data to be kept.
4.3.1. Deletion of Personal Data
The deletion of Personal Data, whether in whole or in part, refers to the process of making the respective data inaccessible and unrecoverable by the relevant users. For Personal Data processed as part of any Data Recording System and through non-automated means, the erasure process is carried out by anonymizing unnecessary Personal Data in paper format that has been scanned or transferred to an electronic medium. Integral performs this process when it entirely or automatically processes data, and when data is erased, it ensures that the data becomes inaccessible and unrecoverable. Integral ensures that the data is made inaccessible and unrecoverable for any user when performing this process.
During the Deletion of Personal Data, the Integral employees perform the deletion by choosing the appropriate method as follows:
4.3.1.1. The data in the cloud system is deleted by issuing the delete command. Integral pays attention to the fact that the Related User does not have the authority to restore the deleted data on the cloud system while performing the aforementioned operation.
4.3.1.2. Personal data in paper format is erased using the darkening method. The redaction process involves cutting off the Personal Data on the relevant document whenever possible, and when not feasible, it is made invisible to the concerned users by using a permanent ink that cannot be reversed and technological solutions to ensure it cannot be read.
4.3.1.3. Office files located on the central server are deleted with the delete command in the file operating system or the access rights of the Related User on the file or the directory where the file is located are removed. While performing the aforementioned operation, it is noted that the Related User is not also a system administrator.
4.3.1.4. Personal data in portable media, Personal Data in flash-based storage media are stored encrypted and deleted using software suitable for these media.
4.3.1.5. Personal data in databases are deleted with database commands (DELETE, etc.) of the relevant lines containing Personal Data. While performing the aforementioned transaction, it should be noted that the Related User is not also a database administrator.
4.3.2. Destruction of Personal Data
The process of Destruction is carried out by Integral when data is processed in physical record environments. This process ensures that the data becomes inaccessible, cannot be reused, and cannot be recovered again.
During the destruction of Personal Data, the Integral employees perform the destruction by choosing the appropriate method as follows:
4.3.2.1. If the Overwrite method is to be used, the old data is made unreadable by writing random data consisting of 0 and 1 at least 8 times with software on magnetic media and rewritable optical media.
4.3.2.2. Magnetization If the magnetic method is to be used, the media is subjected to a physical change in a high magnetic field and the data on it is rendered unreadable.
4.3.2.3. If the Physical Destruction method is to be used, it is the process of melting, dusting, grinding, and physical destruction of optical media or magnetic media. Applicable when magnetizing or overwriting methods fail.
4.3.2.4. Any copies of Personal Data encryption keys will be destroyed after notification of Personal Data to the contracted service provider for destruction of data stored on cloud systems.
4.3.2.5. For the Destruction of Personal Data in Peripheral Systems, overwriting, magnetizing or physical destruction is applied on the indoor unit, if available, or on the entire device, if available, in systems such as printer, fingerprint unit, door entrance turnstile and containing Personal Data.
4.3.2.6. For the destruction of Personal Data in paper and microfiche environments, the main media containing the Personal Data is permanently and physically overwritten and destroyed, as the data is physically written on the media. During this process, the media is shredded or cut into unrecognizable dimensions, preferably in horizontal and vertical directions, and into small pieces that cannot be reassembled. As for the Personal Data transferred to electronic environments through scanning, appropriate methods as mentioned above are used, one or more of them, depending on the electronic environment they are located in, to ensure their destruction.
4.3.3. Anonymization of Personal Data
Anonymization is when Integral processes Personal Data completely or automatically, making it impossible to associate with an identified or identifiable natural person, even if it is matched with other data.
During the Anonymization of Personal Data, Integral employees perform the Anonymization process by choosing the appropriate one of the following methods:
4.3.3.1. Methods that do not provide value disorder do not include a change or append to the values that the data set has, and will instead make changes to all of the rows or columns contained in the set. For example, Extracting Variables, Extracting Records, Regional Hide, Generalization, Lower and Upper Limit Encoding, Global Encoding, Sampling, and so on.
4.3.3.2. Unlike the methods mentioned above, which provide value disorder, the current values are changed to create a deformation of the data set's values. For example, Micro Consolidation, Data Exchange, Noise Adding, etc.
4.3.4. Periodic Destruction of Personal Data
Physical and digital data that have completed the legal retention and destruction periods are periodically destroyed. Integral deletes, destroys, or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. Periodic Destruction takes place at 6-month intervals for all Personal Data. The legal storage and destruction periods to be taken as a basis during the Periodic Destruction are determined in the Data Inventory.
V. ENSURING THE SECURITY OF PERSONAL DATA
In accordance with Article 12 of the Law No. 6698, Integral takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the Personal Data it processes, to prevent illegal access to the data and to ensure the preservation of the data, and in this context, it makes or has the necessary inspections made.
5.1. Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data
To ensure that Personal Data is processed in accordance with the law, Integral is taking technical and administrative measures at technological facilities and operational costs.
5.1.1. Technical Measures
5.1.1.1. Personal data processing activities within the Integral are controlled by established technical systems.
5.1.1.2. The technical measures are reported periodically in connection with the need for internal control mechanisms.
5.1.1.3. Staff knowledgeable in technical matters are employed.
5.1.2. Administrative Measures
5.1.2.1. Employees are informed and trained about the law on the protection of Personal Data and the legal processing of Personal Data.
5.1.2.2. All activities carried out by Integral are analyzed in detail specific to all business units, and as a result of this analysis, Personal Data processing activities are revealed, specific to the activities carried out by the relevant business units.
5.1.2.3. A detailed analysis of all integral's activities is conducted in a specific business unit, resulting in Personal Data processing activities in a specific function by each business unit.
5.1.2.4. In order to meet the legal compliance requirements determined on the basis of the business unit, awareness is created specific to the relevant business units, and the rules of practice are determined; Necessary administrative measures are implemented through in-house policies and training to ensure the supervision of these issues and the continuity of implementation.
5.1.2.5. Except for Integral's instructions and the exceptions made by law, in the contracts and documents governing the legal relationship between Integral and employees, records that impose the obligation not to process, disclose or use Personal Data are placed, awareness of the employees is created in this regard, and the obligations arising from the Law are fulfilled by conducting audits.
5.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
Integral takes technical and administrative measures to prevent the disclosure, access, transfer or other unlawful access to Personal Data in a negligent or unauthorized manner, according to the nature of the data to be protected, technological possibilities and implementation costs.
5.2.1. Technical Measures
5.2.1.1. Technical actions are taken, actions taken, and periodically updated and refreshed to accommodate technology advances.
5.2.1.2. Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.
5.2.1.3. Access privileges are restricted; privileges are regularly reviewed. The technical precautions are periodically reported in relation to the need for control mechanism; risk-related considerations are re-evaluated and necessary technological solutions are produced.
5.2.1.4. Software and hardware including virus protection systems and firewalls are being installed.
5.2.1.5. Personnel knowledgeable in technical matters are employed.
5.2.1.6. Security scans are regularly passed to detect security vulnerabilities in applications where Personal Data is collected. The vulnerabilities found are closed.
5.2.2. Administrative Measures
5.2.2.1. Employees are trained on technical measures to be taken to prevent unlawful access to Personal Data.
5.2.2.2. Personal Data access and authorization processes are designed and implemented within Integral in accordance with the legal compliance requirements for the processing of Personal Data on a business unit basis.
5.2.2.3. Employees are informed that the Personal Data they have learned cannot be disclosed to others in violation of the provisions of the Law and cannot be used for purposes other than processing and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.
5.2.2.4. Contracts concluded by Integral with the persons to whom Personal Data are transferred in accordance with the law; Provisions are added that the persons to whom Personal Data are transferred will take the necessary security measures for the protection of Personal Data and ensure that these measures are complied with in their own organizations.
5.3 Technical and Administrative Measures Taken for Storing Personal Data in Secure Environments
Integral takes the technical and administrative measures required at technological facilities and operational costs to prevent personal data from being stored in secure environments and destroyed, lost, or replaced for unlawful purposes.
5.3.1. Technical Measures
5.3.1.1. Systems suitable for technological developments are used to store Personal Data in secure environments.
5.3.1.2. Specialist personnel are employed in technical matters.
5.3.1.3. Technical security systems are installed for storage areas, security tests, and research are conducted to detect security vulnerabilities in information systems, and any identified current or potential risks are addressed based on the results of these tests and research. The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism.
5.3.1.4. To ensure that Personal Data is stored safely, backup programs are being used in a legal manner.
5.3.1.5. Access to the data is restricted to the environments where Personal Data is kept, and only authorized persons are allowed to access this data limited to the purpose of storing personal data, accesses to data storage areas where Personal Data are stored are logged and inappropriate accesses or access attempts are instantly communicated to those concerned.
5.3.2. Administrative Measures
5.3.2.1. Employees are trained to ensure that Personal Data is stored securely.
5.3.2.2. Legal and technical consultancy services are obtained in order to follow the developments in the field of information security, privacy and protection of personal data and to take necessary actions.
5.3.2.3. If it becomes necessary for Integral to outsource services for the storage of Personal Data due to technical requirements, the contracts with the relevant companies to whom the Personal Data is lawfully transferred will include provisions that ensure the recipients of the Personal Data will take necessary security measures for its protection and ensure compliance with these measures within their organization.
5.4. Supervision of the Measures Taken for the Protection of Personal Data
Integral conducts or arranges the necessary audits within its organization in accordance with Article 12 of the Law No. 6698. The results of these audits are reported to the relevant department within the internal functioning of Integral, and necessary activities are carried out to improve the measures taken.
5.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
Integral carries out the system that allows personal data processed in accordance with section 12 of Act 6698 to be communicated to the relevant personal data owner and to the Personal Data Protection Board as soon as possible if it is obtained by other people illegally. This may be posted on the Personal Data Protection Board's website or in any other way if deemed necessary by the Personal Data Protection Board.
VI. RIGHTS OF PERSONAL DATA OWNER
6.1. Rights of Personal Data Owner
Personal data owners have the rights to learning whether their personal data is being processed, to request information if their personal data is being processed, to learning the purpose of the processing of their personal data and whether they are being used in accordance with the intended purpose, to be informed about the third parties to whom their personal data is transferred, whether domestically or internationally, to request the correction of their personal data in case they are incomplete or inaccurate, to request the deletion or destruction of their personal data within the framework of the conditions stipulated in the relevant legislation, to request that the correction, deletion, and destruction processes made in accordance with the relevant legislation be notified to the third parties to whom their personal data has been shared, to object to the emergence of a result against you by analyzing their processed personal data exclusively through automated systems, in case they suffer damage due to unlawful processing of their personal data, to request compensation for the damage.
6.2. Cases where the Personal Data Owner Cannot Assert Their Rights
Personal data owners cannot claim their rights listed in Article 6.1 of this Policy, as they are excluded from the scope of Law No. 6698 in the following cases pursuant to Article 28 of Law No. 6698.
6.2.1. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
6.2.2. Processing personal data for purposes of art, history, literature or scientific purpose, or freedom of expression, without infringing or criminalizing national defense, national security, public safety, public order, economic security, privacy or personality rights.
6.2.3. Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
6.2.4. Processing of personal data by judicial authorities or execution authorities in connection with the investigation, prosecution, trial or execution,
6.2.5. Processing of Personal Data by real persons within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
Personal data owners cannot claim their rights listed in article 6.1 of this Policy, except for the right to demand compensation in accordance with Article 28.2 of the Law No. 6698.
6.2.6. That personal data processing is necessary to prevent crime from happening or to investigate crimes,
6.2.7. Processing personal data that has been publicly processed by the individual data owner himself,
6.2.8. Personal data may be processed by authorized and competent public institutions and organizations, including professional organizations with public institution status, based on the authority granted by the law, for the purpose of carrying out their inspection or regulatory duties and conducting disciplinary investigations or prosecutions.
6.2.9. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax, and financial matters.
6.3. Exercise of Personal Data Owner's Rights
Personal Data Owners will be able to reach the Human Resources unit of the company on the "https://echran.com" website with the information and documents that will identify their requests regarding their rights listed in Article 6.1 of this Policy and with the methods specified below or other methods determined by the Personal Data Protection Board. They will be able to fill and sign the application form and send it to Integral free of charge.
6.3.1. After the application form is filled, a wet-signed copy can be sent to “İkitelli OSB. Bedrettin Dalan Boulevard No:23/100 Metro34 Plaza Başakşehir/Istanbul” address,
6.3.2. Submitting the application form by using the e-mail address previously notified to Integral and registered in Integral's system by applying with the document proving the identity of the applicant and the information and documents related to the subject of the application by coming personally
6.3.3. After the application form is filled and signed with your secure electronic signature within the scope of Electronic Signature Law No. 5070, sending the secure electronic signature form to [email protected] via registered e-mail
As a general rule, Integral fulfills data owners' requests free of charge. However, if there is an additional cost for the requested process, the fees specified in the tariff determined by the Personal Data Protection Board may be requested from the data owner making the application.
Missing application forms will not be processed by Integral. Integral is able to request additional information and documentation from the applicant to verify whether the applicant has personal data or to clarify the request if the content of the form is not understood.
In order for third parties to apply on behalf of personal data owners, a special power of attorney issued by the data owner through a notary public on behalf of the third person to apply must be present.
6.4. Integral's Response Time to Applications
If the personal data holder passes the application form to Integral as set forth in article 6.3 of this Policy, Integral will respond to the request as soon as possible and within thirty days at the latest, according to the nature of the request contained in the form.
The data owner's request is evaluated considering its compliance with Law No. 6698 and the obligations that our company must comply with under the legislation, and it is fulfilled to the extent possible. If it is determined that fulfilling the request is not possible based on the evaluation, the data owner's application is responded to with a justified explanation.
Personal data owner; In case the application is rejected pursuant to Article 14 of the Law No. 6698, the person finds the answer insufficient or the application is not answered in due time; a complaint can be made to the Personal Data Protection Board within thirty days from the date our company learns of the answer, and in any case within sixty days from the date of application to Integral.
VII. EFFECTIVENESS AND UPDATES
This policy, edited by Integral, is dated 20.06.2023. It is possible to update all or part of this Policy.
The policy is posted on our Company's website "https://echran.com" and is made available to individuals at the request of personal data owner.