IŞIK PERDE RAYLARI SAN. TİC. A. Ş.
CORPORATE POLICY FOR PROTECTION OF PERSONAL DATA
|Document Name:||Corporate Policy for Protection of Personal Data|
|Objective of Document:||The objective of Corporate Policy for Protection of Personal Data is planning of the processes for protection of personal data by Işık Perde Rayları San. Tic. A. Ş. and determination of the principles to be applied in this respect.|
|Date of Publication:||01.09.2020|
|Reference / Reason:||Law No 6698 on the Protection of Personal Data and other legislations|
|Approving Authority:||Board of Işık Perde Rayları San. Tic. A. Ş.|
IŞIK PERDE RAYLARI SAN. TİC. A. Ş.
CORPORATE POLICY FOR PROTECTION OF PERSONAL DATA
The right of each individual to ask for protection of his/her own personal data is a divine right arising out of the Constitution. As Işık Perde Rayları San. Tic. A. Ş. , we regard fulfilling the requirements of this right as one of our most valuable duties. Therefore, we give importance to legal processing and protection of your personal data.
The Corporate Policy for Protection of Personal Data has been prepared to determine the principles we take as basis and the procedures we apply while processing and protecting personal data as a result of the importance we give to the protection of personal data.
This policy includes any and all operations performed on the data such as obtaining through the methods which are completely or partly automatic or non-automatic provided that it is a part of any data recording system, recording, storing, keeping, changing, rearranging, explaining, transferring, taking over, making available, classifying or preventing use of all personal data managed by Işık Perde Rayları San. Tic. A. Ş.
This policy is related to any and all processed personal data of the partners, authorities, customers, employees, supplier authorities and supplier employees of Işık Perde Rayları San. Tic. A. Ş. and third parties.
Işık Perde Rayları San. Tic. A. Ş. can change the Policy for the purposes of compliance with the legislation and the decision of Committee of Protection of Personal Data and better protection of personal data.
|Receiver Group||Natural or legal person category to whom personal data is transferred by data controller.|
|Express Consent||The consent related to a specific issue, based on being informed and explained with freewill.|
|Anonymization||Making the personal data unrelated to a natural person whose identity is known or identifiable in any manner whatsoever even by matching personal data with other data.|
|Relevant Person||The natural person whose personal data is processed.|
|Relevant User||Those who process personal data within the organization of data controller or in line with the authority and instruction given by the data controller except for the person or unit responsible for technical storage, protection and backup of the data.|
|Disposal||Deletion, elimination or anonymization of personal data.|
|Law/KVKK||Law No 6698 on the Protection of Personal Data.|
|Recording Medium||Any and all mediums including the personal data processed through the methods which are completely or partially automatic or non-automatic provided that it is a part of any data recording system.|
|Personal Data||Any and all information related to the natural person whose identity is known or identifiable.|
|Data Inventory||The inventory explaining personal data processing operations performed by data controllers based on business processes, purposes of processing personal data and legal reasons, data categories, the receiver group and maximum time of keeping necessary for the purposes connected with the person group subject to the data and for processing personal data, the personal data anticipated to be transferred to foreign countries and the precautions taken in relation to data security in details.|
|Processing of Personal Data||Any and all operations performed on the data such as obtaining through the methods which are completely or partly automatic or non-automatic provided that it is a part of any data recording system, recording, storing, keeping, changing, rearranging, explaining, transferring, taking over, making available, classifying or preventing use of all personal data.|
|Committee||Committee of Protection of Personal Data.|
|Agency||Agency for Protection of Personal Data|
|Sensitive Personal Data||The data of people about their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership to an association, foundation or union, health, sexual life, penal conviction and security precautions and biometric and genetic data.|
|Periodical Disposal||In case all of the requirements for processing personal data stated in the Law have been removed completely, the operations of deletion, elimination or anonymization to be performed ex officio at the intervals stated in the policy for storage and disposal of personal data and periodically.|
|Policy||Corporate Policy for Protection of Personal Data|
|Data Processor||A natural or legal person who processes the personal data in the name of data controller based on the authority given by the data controller.|
|Data Controller||A natural or legal person who determines purposes and means of processing personal data and responsible for establishment and management of data recording system.|
|Board||Board of Işık Perde Rayları San. Tic. A. Ş.|
4. GENERAL PRINCIPLES
Işık Perde Rayları San. Tic. A. Ş. audits compliance of the data to be processed to the following principles at the preparation stage of every new business flow which requires processing of personal data. The business flows found inconvenient are not put into practice.
While processing personal data, Işık Perde Rayları San. Tic. A. Ş.;
- Abides by law and good faith.
- Ensures that the personal data is accurate and updated when necessary.
- Attends that the purpose for processing is specific, clear and legitimate.
- Controls that the processed data is connected with the purpose of processing, it is processed limitedly to the necessary extent and it is moderate.
- Keeps the data only for the period anticipated in the applicable legislation or required by the purpose of processing, disposes the data when the purpose of processing has been removed.
5. PRECAUTIONS FOR DATA SECURITY
Işık Perde Rayları San. Tic. A. Ş. takes any and all necessary technical and administrative precautions for provision of suitable security level (i) to prevent illegal processing of personal data, (ii) to prevent illegal access to personal data, and (iii) to ensure protection of personal.
5.1. Technical Precautions
- Network security and application security is provided.
- Security precautions within the scope of provision, development and maintenance of information technologies systems are taken.
- Access logs are kept regularly.
- Updated anti-virus systems are used.
- Firewalls are used.
- Necessary security precautions related to entry into and exit from physical places containing personal data are taken.
- Security of physical places containing personal data is provided against external risks (fire, flood, etc.).
- Security of environments containing personal data is provided.
- Personal data is backed up and security of backed up personal data is provided.
- User account management and authority control system is applied and also followed.
- Log records are kept in a way that no user intervention will be possible.
- Intrusion detection and prevention systems are used.
- Encryption is applied.
- There are disciplinary arrangements containing data security provisions for the employees.
- Trainings and awareness operations are carried out for the employees about data security at specific intervals.
- Corporate policies have been prepared and started to be applied about the issues of access, data security, use, storage and disposal.
- Data masking is applied when necessary.
- Confidentiality commitments are made.
- An authority matrix has been created for the employees.
- Authorities of the employees who have changed duty or quit the job are removed in this area.
- The signed contracts include data security provisions.
- Policies and procedures for personal data security have been determined.
- The problems about personal data security are reported immediately.
- Personal data security is followed up.
- Personal data is decreased as much as possible.
- In-house periodical and/or random audits are performed and made to be performed.
- The existing risks and threats have been determined.
- Protocols and procedures for security of sensitive personal data have been determined and are being applied.
- If sensitive personal data will be sent through electronic mail, it is sent encrypted absolutely and using REM or corporate mail account.
- Awareness of data processing service providers about data security is provided.
6. RIGHTS OF RELEVANT PERSON RELATING TO PERSONAL DATA
The relevant person can make a request about the following issues by applying to Işık Perde Rayları San. Tic. A. Ş.:
- To learn whether his/her personal data is processed or not,
- To demand relevant information if his/her personal data has been processed,
- To learn the purpose of processing his/her personal data and whether it is used according to this purpose,
- To learn the third parties to whom his/her personal data is transferred at home and abroad,
- If his/her personal data has been processed deficiently or wrongly, to ask for correction of it and notification of such corrections to the third persons to whom the personal data has been transferred,
- Although it has been processed in accordance with KVKK and other applicable law provisions, to ask for deletion, elimination or anonymization of his/her personal data in case the reasons requiring the data processing have been removed and notification of such operations to the third persons to whom the personal data has been transferred,
- If he/she incurs a loss due to illegal processing of his/her personal data, to ask for indemnification of the loss.
- To raise an objection to any result against him/her having occurred by analysing his/her processed data exclusively by means of automatic systems,
7. NOTIFICATION OF BREACHES
The employees of Işık Perde Rayları San. Tic. A. Ş. report the business, action or fact which are thought to breach the provisions of KVKK and/or the Policy to the Board. The Board, if it finds necessary, assembles following notification of such breach and prepare an action plan about the breach.
If the breach has occurred through acquisition of personal data by other persons illegally, the Board notifies this situation to the relevant person and the Committee of Protection of Personal Data within 72 hours in accordance with the decision dated 24.01.2019 and numbered 2019/10 of the Committee of Protection of Personal Data.
The amendments on the policy are prepared by the employees authorized by Işık Perde Management and submitted for the approval of the Board of Işık Perde Rayları San. Tic. A. Ş.. The updated Policy is sent to the employees by e-mail or published on the internet site.
9. EFFECTIVE DATE
This version of the Policy entered into force having been approved by the Board on 01.09.2020.