
GDPR

PERSONAL DATA PROCESSING AND PROTECTION POLICY

CONTENTS

PREFACE

1. Purpose and Scope

2. Definitions

3. Identity of the Data Controller

4. Purposes of Data Processing

5. Organizational Structure of the Data Controller

5.1. Company Bodies

5.2. Board Structure

6. Organization Structure for Personal Data Protection

6.1. Personal Data Protection Unit

6.2. Contact Person

7. General Principles for Processing Personal Data

8. Conditions for Processing Personal Data

9. Conditions for Processing Special Categories of Personal Data

10. Legal Exceptions and Explicit Consent Declaration for Processing Personal and Special Categories of Data

10.1. Processing Personal Data Without Explicit Consent

10.2. Processing Special Categories of Data Without Explicit Consent

10.3. Full Exceptions to the Application of the Data Protection Law

10.4. Partial Exceptions

11. General Information on Processing Personal Data

11.1. Channels Through Which Personal Data is Obtained

11.2. Categorization of Personal Data

11.3. Categorization of Data Subjects

12. Storage and Destruction of Personal Data

13. Sharing of Personal Data with Third Parties

14. Obligation to Inform

15. Rights of the Data Subject

16. Measures for Personal Data Security

17. Storage of Records Related to Internet Access Provided to Visitors

18. Processing of Personal Data Collected Through Cookies

19. Other Provisions

 

PREFACE

The right to the protection of personal data has been recognized as a fundamental human right in Article 8 of the European Union's Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union. Additionally, personal data is regulated under Article 20 of the Constitution of the Republic of Turkey titled "Privacy of Private Life," thereby including it among fundamental rights.

Due to its importance, the Personal Data Protection Law No. 6698 ("KVKK") was published in the Official Gazette dated April 7, 2016, to protect primarily the privacy of private life along with the fundamental rights and freedoms of individuals during the processing of personal data belonging to natural persons, and to regulate the obligations of natural and legal persons processing personal data, and the procedures and principles to be followed.

1. PURPOSE AND SCOPE

The Grazhan International Foreign Trade Ltd. Co. ("COMPANY") Personal Data Processing and Protection Policy ("Policy") has been prepared within the framework of the legislation on personal data, with the aim of regulating the processing of personal data and protecting fundamental rights and freedoms, primarily the privacy of private life, as foreseen by the Constitution.

In preparing the "Policy," the primary principle has been to determine which data the COMPANY's working units collect, why they collect this data, and why this data needs to be transferred to third parties, and to understand the COMPANY's personal data processing method. In transferring the requirements of the relevant legislation into the "Policy," a further principle has been to explain, in simple and understandable language, which data the COMPANY obtains and why it processes this data, while adhering to the necessity of protecting personal data. Additionally, the "Policy" aims to take the necessary administrative and technical measures to protect data privacy within and outside the COMPANY's organization and to inform individuals whose data is processed.

The "Policy" covers all natural persons whose data is processed by the COMPANY.

This "Policy" seeks to provide specific information about the data processed in the course of operations and activities within the COMPANY's organization, data categorization, groups of data recipients, legal reasons and methods for data collection, groups of third parties to whom data is transferred, data processing periods, and data destruction periods. However, if the COMPANY is to carry out data processing activities beyond the current ones, it may carry out those activities and provide information under a separate information notice, adhering to the basic principles and premises stated in this "Policy." In this case, the information notice provided will constitute an inseparable part of this "Policy," and it cannot be claimed that it is not included in this "Policy." Indeed, as per Article 5 of the Communiqué on the Procedures and Principles for the Fulfillment of the Obligation to Inform, the information may be provided through physical or electronic means such as verbally, in writing, by voice recording, or through a call center.

2. DEFINITIONS

 

Explicit Consent

Consent that is specific to a particular issue, based on information, and given freely.

Company

Grazhan International Foreign Trade Ltd. Co. located at 1341 Cd. No:27 İvedik OSB/Ankara

Cookie

Small files that help store users' preferences and other information on the web pages they visit on their computers or mobile devices.

Relevant User

Persons who process personal data within the data controller's organization or under the authorization and instruction from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Destruction

Deletion, destruction, or anonymization of personal data.

Contact Person

A natural person notified by the data controller to the Registry during registration, for communication with the Authority regarding the obligations under the Law and secondary regulations based on this Law for legal entities residing in Turkey and for representatives of non-resident legal entity data controllers.

(The contact person is not authorized to represent the Data Controller. As the name suggests, this person is appointed only to facilitate communication between the data controller, data subjects, and the Authority.)

Law/KVKK

The Personal Data Protection Law No. 6698, published in the Official Gazette No. 29677 dated April 7, 2016.

Recording Medium

Any medium containing personal data that is processed wholly or partially by automatic means, or by non-automatic means provided that it is part of a data recording system.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing of Personal Data

Any operation performed on personal data such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, rendering accessible, classification, or preventing its use, wholly or partially by automatic or non-automatic means provided that it is part of any data recording system.

 

Anonymization of Personal Data

Rendering personal data into a form where it cannot be associated with an identified or identifiable natural person in any way, even by matching it with other data.

Deletion of Personal Data

Rendering personal data inaccessible to and unusable by relevant users in any way.

Destruction of Personal Data

The process of rendering personal data completely inaccessible, irretrievable, and unusable by anyone.

Special Categories of Personal Data

Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Destruction

The process of deletion, destruction, or anonymization that will be carried out at regular intervals as specified in the personal data storage and destruction policy when all conditions for processing personal data have ceased to exist.

Policy

The personal data protection policy created by the Company.

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by it.

Data Recording System

A system where personal data is structured and processed according to certain criteria.

Data Subject/Concerned Person

The natural person whose personal data is processed.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system.

Regulation

The Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

Source:

Personal Data Protection Law No. 6698 - Regulation on Deletion, Destruction, or Anonymization of Personal Data - Regulation on the Registry of Data Controllers - Communiqué on the Procedures and Principles for the Fulfillment of the Obligation to Inform - Communiqué on the Procedures and Principles for Applications to the Data Controller