Personal Data Protection and Processing Policy
- 1. Purpose and Scope
- 2. Definitions
- 3. Policy
- 4. Data Protection Principles To be Followed While Processing Data
- 5. Personal Data Collected
- 6. The Purposes of Processing the Personal Data
- 7. Methods of Personal Data Processing and Legal Reason
- 8. Storage and Disposal of Personal Data
- 9. Transfer of Personal Data
- 10. Data Security Measures
- 11. Data Protection Officer (DPO)
- 12. Data Inventory
- 13. Rights of Data Subject
- 14. Exercises of Rights of Data Subject
1. Purpose and Scope
The main objective of this Personal Data Protection Policy (the “Policy”) is to provide explanations regarding the personal data processing activities carried out by the Company pursuant to the law and the systems adopted for the protection of personal data and, in this context, to provide transparency by informing the people whose personal data is being processed by our company.
This Policy applies to all activities managed by the Company regarding the processing and protection of personal data by the Company along with the relevant detailed data procedures.
2. Definitions
PDPL: Personal Data Protection Law No. 6698 (hereinafter referred to as “KVKK”)
GDPR: EU General Data Protection Regulation
Data Processor: The natural person or legal entity that processes data on behalf of the data controller with the authority given by the data controller
Data Controller: the one who defines the purpose and the means of processing personal data and is responsible for the management of the data recording system
Data Subject: a natural person, including but not limited to an employee, customer, business partner, stakeholder, authority, lead, candidate for recruitment, intern, visitor, supplier, employee of a business partner, or third party, whose data is processed.
Explicit Consent: consent that is related to a specific issue based on information and expressed with free will.
Personal Data: all information related to a real person whose identity is known or could be identified.
Sensitive Personal Data: Biometric and genetic information related to race, ethnicity, political or philosophical opinions, religion, sect or other beliefs, appearance, union memberships, health, sex life, convictions and security measures etc.
Processing Personal Data: any kind of transaction performed on the data, such as obtaining, saving, storing, protecting, modifying, editing, describing, transferring, receiving, making available, classifying or blocking the use of the data, by including them, wholly or partially, in an automatic recording system.
Anonymizing Personal Data: to render data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data.
Deleting Personal Data: to delete or to render personal data in such a way that it is no longer accessible or reusable for the users.
Destroying Personal Data: rendering the personal data inaccessible, unrecoverable and unusable by anyone.
Company: Data responsible CottGroup® companies.
KVK Board: Turkish Personal Data Protection Board
KVK Authority: Turkish Personal Data Protection Authority
3. Policy
The Company has different policies that cover the protection of personal data, along with information security, as regards certain work activities and functions. Unless this Policy has additional provisions or higher standards for the protection of personal data, the other data protection provisions of the Company shall prevail.
The provisions of the relevant regulations shall apply first in processing and protecting personal data; if there is any contradiction between the articles of this Policy and the legislation, the current legislation shall prevail.
This Policy is prepared in accordance with the rules and procedures foreseen in the KVKK and related law for the protection of personal data. Accordingly, under the KVKK the data controller should take all technical and administrative measures to prevent illegal processing of and access to personal data.
4. Data Protection Principles To be Followed While Processing Data
Our Company acts in accordance with the following general principles in all of its Personal Data Processing activities:
- Personal data must be processed lawfully, fairly and transparently,
- Personal data can only be collected for specific, explicit and legitimate purposes,
- Personal data must be adequate, relevant and limited to what is necessary for processing,
- Personal data must be accurate and kept up to date with every effort to erase or rectify without delay,
- Personal data must be kept in a form such that the data subject can be identified only if it is necessary for processing,
- Personal data must be processed in a manner that ensures the appropriate security.
5. Personal Data Collected
Your personal data collected by our company varies according to the nature of the relationship with our company and the legal obligations. The personal data collected can be listed as follows:
- Identity Information (liable to amendment as per requirements: ID number, name, surname, passport number, the information on the ID card if the card is shared, photo, etc.)
- Contact Information (E-mail address, phone number, mobile phone number, address etc.)
- Client Information (client number, client income information, client profession information, vehicle registration plate, training information etc.)
- Family members and Proximity Information (identification, contact information and professional, training information of the Data Subject’s children, spouses, in particular in relation to employee candidates, etc.)
- Customer Transaction Information (CDR (call detail record), call center records, credit card balances and extracts, payment receipts, client bank orders, and relevant information taken under record in regards; these are directly related to real persons and the orders)
- Physical Security Information (enter-exit records, visit information, camera records etc.)
- Transaction Security Information (website password and password information, etc.)
- Risk Management Information (KKB query results and records associated with Data Subject, address register system records, IP address tracking records etc.)
- Financial Information (in case of legal follow-up, credit card debt, loan amount, loan payments, debt balance, receivable balance in line with the information by the authorities etc.) and accounting information with related records.
- Employee Candidate Information (CV, interview notes, personality test results etc.)
- Legal Procedures and Compliance Information (data on the documents such as court and administrative authority decisions etc.)
- Audit and Inspection Information (Information on any record and transaction relating to the legal pursuit and our rights associated with the Data Subject)
- Sensitive Personal Data (data on health, data on criminal convictions and security measures)
- Claim/Complaint Management Information (information and records about the demands and complaints made to our Company regarding our services related to the person etc.)
- Reputation Management Information (information collected in order to protect the commercial reputation of our company etc.)
- Audiovisual Data (photos, camera records, auditory recordings etc.)
The Personal Data types listed above do not include all of your processed data; personal data similar to the data listed may also be processed by our company.
6. The Purposes of Processing the Personal Data
The Company shall inform data subjects when acquiring personal data, as required by the KVKK and related legislation. Accordingly, the Company provides a notification regarding the purpose of data processing, the transfer of the data and to whom the data shall be transferred, the method of collecting personal data and the legal purpose of collecting personal data.
The purpose of processing personal data information varies according to the relationship between the company and data subject and legal nature of the business.
The purposes of processing personal data by the Company are as follows:
- Within the scope of the company based commercial activities, planning and business development tasks, etc.
- Realization of legally required transactions, performance of obligations,
- Declarations made to official institutions,
- Activities related to the establishment and execution of contracts
- Managing, conducting, planning and improving client relations.
- Activities for the realization of post-contract services
- Monitoring, planning and execution of consultancy activities
- Monitoring, planning and execution of financial and accounting activities
- Planning and execution of information technologies and data security activities
- Planning and execution of physical and electronic / network security activities
- Increasing brand awareness;
- Planning and execution of actions aimed at increasing the level of perception about corporate activities and brand
- Planning, management and execution of organizations, meetings, invitations and events
- Managing the client satisfaction processes during and/or following the completion of service offering processes
- Activities for receiving, evaluating and finalizing demands and complaints,
- Realization and follow-up of transactions and activities to fulfill the obligations arising from the contractual relationship
- Within the scope of planning, execution and management of corporate relations;
- Managing, conducting, planning and developing relations with suppliers / business partners
- Building and conducting corporate managerial communication activities
- Building and conducting external trainings
- Within the scope of legal, technical and commercial security measures among parties in relation with the Company data is processed under;
- Notifying the relevant authorities / institution and/or conducting responsibilities within the audit processes
- Assuring security measures on physical and electronic environments for the parties the Company is involved with
- Keeping records as per commercial security measures and organizing, conducting and auditing these measures for the parties the Company is involved with
- Assuring that the applicable activities are being conducted with regard to data accuracy and making sure the data is up to date
- Planning and/or conducting the Health & Safety processes
- All guest entrances – exits are recorded within the legal requirements and applicable to the legislation
7. Methods of Personal Data Processing and Legal Reason
Personal data can be obtained/received by parties who are the data subject and/or third parties who have explicit consent from the data subject. The obtained personal data can be processed by collecting, saving, editing, configuring, storing, adapting, changing, using, transferring, deleting, destroying and anonymizing.
Personal Data may be processed by one or more of the above methods without the explicit consent of the data subject in the presence of one of the legitimate reasons listed in Article 5 of the KVKK:
- Explicitly envisaged in laws and any relevant legislation.
- Being legally mandatory where the person cannot grant consent due to physical incapability or is legally forbidden to grant consent, with regard to others’ right to life.
- Requirement on processing personal data of the parties subject to a contract / agreement, due to the execution of a contract / agreement.
- Legally being mandatory for the data controller to fulfil the legal responsibility.
- Publicized by the relevant person directly.
- Legally being mandatory to be processed for a granted right to be conducted, used and/or protected.
- Processing personal data for legitimate purposes without contradicting the basic rights and freedoms of the relevant person.
8. Storage and Disposal of Personal Data
- Our company takes into account the law and legislation in place when processing personal data. Within this scope, retention and limitation periods are taken into account in Personal Data Protection activities. In case the processing activity is terminated and there is no further legal ground to store personal data, the relevant data is to be deleted, destroyed and/or anonymized.
- The personal data shall be subject to retention, disposal or anonymization upon the demand of the data subject and/or the Company’s periodic control in which the Company realizes the reason to process the data no longer exists, pursuant to Art. 7 of the KVKK and other related legislation.
- Personal data that is sent to us incorrectly in any way, or where it is understood that the data subject did not intend to give explicit consent, shall be immediately disposed of by our Company in accordance with the Law.
- In this manner, the Company has prepared a Storage and Destruction of Personal Data Policy. Please see the Storage and Destruction of Personal Data Policy for further information.
- Our Company will not hold personal data over the period that is required for serving to the purpose of identifying the data subject.
- Our company can only store personal data longer than advised, in order to protect the rights and freedoms of the data subject in line with applying technical and organizational precautions only to serve public welfare, scientific / historic research and/or statistical research.
- The retention period for each category of personal data will be set out in the Storage and Destruction Policy along with the criteria used to determine this period including any statutory obligations Organization Name has to retain the data.
- Personal data must be disposed of securely in accordance with the KVKK provisions and related laws, and processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects. Any disposal of data will be done in accordance with the Storage and Destruction Policy.
9. Transfer of Personal Data
a. Local Transfers
Without prejudice to any situation in which it is obligatory to transfer personal data to administrative or judicial authorities under the KVKK or related law, the Company shall transfer personal data by obtaining the data subject’s explicit consent unless it is an issue mentioned in Art. 5 and/or 6 of the KVKK.
Personal data is not transferred to any third party without explicit consent, unless it is legally required under the KVKK and relevant legislation, or in cases where it is mandatory to share it with external parties due to administrative / judicial cases. However, as per Article 5 and Article 6 of the KVKK, where legal grounds are present and it is legally required, consent / explicit consent will not be sought for transfers to third parties.
Our Company fulfills its obligation to inform the Data Subject regarding this transfer. Accordingly, the institutions, organizations and / or persons to which data can be transferred are listed below.
b. Abroad Transfers
The Company may transfer personal data abroad by obtaining the explicit consent of the data subject along with taking the appropriate and necessary security measures foreseen in the KVKK and related legislation. For situations in which the explicit consent of the data subject is not sought, it is considered whether the country to which the data will be transferred has “adequate country” status and provides enough protection. If the Authority considers that the transferee country does not have adequate country status, the Authority’s approval should be obtained, and a data transfer protocol should be signed to guarantee enough protection.
c. Parties Conducting the Transfers
- Within the scope of the Labor Law, Obligations Law, Income Tax Law and Procedures, Commercial Law, Private Employment Agencies and relevant legislations,
- Related public institutions and organizations,
- Competent authority,
- Tax offices work place inspector, ISKUR, regional labor and SGK can be shared with administrative institutions and organizations.
- Apart from these, our Company shall not disclose your personal data in accordance with Articles 8 and 9 of the KVKK and take all security measures specified in the relevant legislation;
- CottGroup® Companies, (Here you can find current CottGroup® Companies.)
- To business partners and suppliers that we cooperate with locally and/or abroad,
- Data can be transferred to externally supported law offices, courts and other official and judicial authorities upon request.
10. Data Security Measures
Our company takes technical and administrative measures to prevent data breaches to ensure the security of personal data. In this context, our Company;
- Administrative measures;
- It conducts a risk audit to identify existing risks and threats.
- Awareness studies for employees are conducted periodically.
- There are personal data security policies and procedures.
- It works to minimize personal data as much as possible by adopting the concept of data minimization.
- Ensuring cyber security,
- Monitoring of personal data security,
- Ensuring the security of environments containing personal data,
- Storing personal data in secure areas and cloud computing systems,
- Information technology systems procure, develop and maintain the necessary software and hardware measures, taking personal data in accordance with the conditions required by the law.
11. Data Protection Officer (DPO)
- The Data Protection Officer has specific responsibilities in respect of procedures and is the first point of call for Employees/Staff seeking clarification on any aspect of data protection compliance.
- A Data Protection Officer, whom the Board of Directors considers to be suitably qualified and experienced, has been appointed to take responsibility for CottGroup®’s compliance with this policy on a day-to-day basis and, in particular, has direct responsibility for ensuring that CottGroup® complies with the KVKK and the GDPR, as do Executives in respect of data processing that takes place within their area of responsibility.
12. Data Inventory
CottGroup® has established a data inventory as part of its approach to address risks and opportunities throughout its KVKK and GDPR compliance project. CottGroup®’s data inventory determines:
- business processes that use personal data;
- source of personal data;
- volume of data subjects;
- description of each item of personal data;
- processing activity;
- maintains the inventory of data categories of personal data processed;
- documents the purpose(s) for which each category of personal data is used;
- recipients, and potential recipients, of the personal data;
- the role of the CottGroup® throughout the data flow;
- key systems and repositories;
- any data transfers; and
- all retention and disposal requirements.
13. Rights of The Data Subject
Within the scope of Article 11 of the KVKK the data subject has the following rights and if he / she wishes, he / she can use his / her rights by reaching the data controller in the methods determined by him / her:
- To learn whether personal data is being processed,
- To make requests regarding the nature of information held and to whom it has been disclosed,
- To learn the processing purpose of personal data and whether it is used in accordance with this purpose,
- To be informed about the third parties to which the personal data is transferred locally or abroad and to make notification as regards the transactions made,
- To demand correction of personal data that is processed as deficient or incorrect and to notify third parties about this,
- To demand deletion or annihilation of the personal data for which the reason to process no longer exists, even if the data is processed in accordance with the related law,
- To object to any result against the data subject,
- To demand compensation in case of any damage caused by illegal processing of the personal data.
14. Exercises of Rights of Data Subject
If the transaction also requires a cost, the tariff set by the KVKK will be charged.
CottGroup® website: http://www.cottgroup.com