Gecem Led Aydınlatma

Işığın Yolu

Menu

Personal Data Protection Policy

  1. Legal Basis : regulated in Article 20 of the Constitution; this right, that everyone has the right to demand the protection of their personal data; In accordance with the Law on the Protection of Personal Data No. 6698, on the basis of the basic legal basis that the personal data can be processed only in cases stipulated by the law or with the explicit consent of the person. We attach utmost importance to the protection and processing of Personal Data in accordance with the law and we act with this care in all our planning and activities. As a company,
  2. Aim: With the Law No. 6698 on the Protection of Personal Data in force, the protection of fundamental rights and freedoms of individuals, in particular the privacy of private life, and the obligations of natural and legal persons processing personal data, as well as the procedures and principles to be followed, are regulated in the processing of personal data. The aim of our policy, which was prepared by taking into account the regulation in question; ensuring compliance with the obligations regarding the protection of personal data, processing, transferring and protecting the confidentiality of the information provided within the scope of the activities carried out by our Company, by evaluating with a risk-based approach, determining strategies, internal controls and measures, operating rules and responsibilities, and raising awareness of the employees of the institution on these issues. At the same time; our customers,
  3. Scope:  This policy; It relates to all personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically, provided that they are part of any data recording system. .
  4. Definitions
    1. Explicit Consent Consent  , which is based on being informed about a particular subject and expressed with free will.
    2. Anonymization  It is the alteration of personal data in such a way that it loses its ability to be associated with an identified or identifiable person and this situation cannot be undone. Example: Masking, aggregation, data corruption etc. making personal data incapable of being associated with a natural person with techniques.
    3. Persons working in the Company pursuant to the employment contract concluded with the Employee  Company
    4. Employee Candidate Natural  persons who have either applied for a job in any way or have opened their CV and related information to the Company’s inspection.
    5. Employees, Shareholders and Authorities of the Institutions We Collaborate  with, natural persons, including the shareholders and officials of these institutions, working in the institutions (such as but not limited to business partners, suppliers) with which the company has all kinds of business relations
    6. Processing of Personal Data:  Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.
    7. Personal Data Owner The  natural person whose personal data is processed. For example; Customers and employees.
    8. Personal Data  Any information relating to an identified or identifiable natural person. The processing of information regarding legal persons is not within the scope of the law. For example; name-surname, TR, e-mail, address, date of birth, credit card number etc.
    9.  Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Customer Company.
    10. Special Qualified Personal Data: Data  related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special data.
    11.  Real persons who have requested or interested in using our Potential Customer Products and Services or who have been evaluated in accordance with the rules of commercial practice and honesty that they may have
    12. Company Shareholder:  Natural persons who are shareholders of the company
    13. Company Official : Member of the company’s board of directors and other authorized natural persons
    14. Third  Party Real persons (e.g. Family Members and relatives) who are related to these persons in order to ensure the security of commercial transactions between the Third Party Company and the above-mentioned parties or to protect the rights of the said persons and to obtain benefits.
    15. Data Processor  is the natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. For example, the firm or companies that hold the Company’s data, etc.
    16. Data Controller The  person who determines the purposes and means of processing personal data, manages the place where the data is kept in a systematic way (data recording system), provides the necessary information to the data owner about his personal information as a result of the request / application of the data owner, and makes the referrals.
    17. Visitor  Real persons who have entered the physical premises of the Company for various purposes or visited our websites
  5. abbreviations
    1. VKK:  Law No. 6698, Law No. 6698 on the Protection of Personal Data, dated March 24, 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677.
    2. Constitution:  Published in the Official Gazette dated 9 November 1982 and numbered 17863; The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709.
    3. KVK Board  Personal Data Protection Board
    4. KVK Authority  Personal Data Protection Authority
    5. Policy  Company Personal Data Protection and Processing Policy
    6. TBK  published in the Official Gazette dated February 4, 2011 and numbered 27836; Turkish Code of Obligations dated 11 January 2011 and numbered 6098.
    7. TCK  published in the Official Gazette dated October 12, 2004 and numbered 25611; Turkish Penal Code No. 5237 dated 26 September 2004.
    8. Turkish Commercial  Code No. 6102, dated January 13, 2011, published in the Official Gazette dated 14 February 2011 and numbered 27846.
  6. Data Categories:  The company may save, process or transfer data for the following categories of data.
    1. Identity  (such as name, surname, mother – father name, date of birth, place of birth, marital status, identity card serial number, tc identity number)
    2. Contact  (such as address number, e-mail address, contact address, registered e-mail address (KEP), telephone number)
    3. Location  (location information of its location)
    4. Personnel  (such as payroll information, disciplinary investigation, entry-exit document records, resume information, performance evaluation reports)
    5. Legal Action  (such as information in correspondence with judicial authorities, information in the case file)
    6. Customer Transaction  (such as invoice, promissory note, check information, order information, request information)
    7. Physical Space Security  (such as employee and visitors entry and exit registration information, camera recordings)
    8. Transaction Security  (such as IP address information, website login and exit information, password and password information)
    9. Risk Management  (such as information processed to manage commercial, technical, administrative risks)
    10. Finance  (such as balance sheet information, financial performance information, credit and risk information, asset information)
    11. Professional Experience  (such as diploma information, courses attended, vocational training information, certificates, transcript information)
    12. Marketing  (shopping history information, survey, cookie records, information obtained through campaign work)
    13. Audio-Visual Recordings  (such as audio-visual recordings)
    14. Apparel and Dress  (information on disguise and clothing)
    15. Health Information  (such as disability information, blood group information, personal health information, device used and prosthesis information)
    16. Criminal Conviction and Security Measures  (such as information on criminal convictions, information on security measures)
    17. Biometric Data  (such as palm information, fingerprint information, retina scan information, facial recognition information)
  7. Personal Data Processing Purposes  The Company may record, process or transfer personal data for the following purposes.
    1. Execution of Emergency Management Processes
    2. Execution of Information Security Processes
    3. Execution of Employee Candidate / Intern / Student Selection and Placement Processes
    4. Execution of Application Processes of Employee Candidates
    5. Execution of Employee Satisfaction and Loyalty Processes
    6. Fulfillment of Employment Contract and Legislative Obligations for Employees
    7. Execution of Benefits and Benefits Processes for Employees
    8. Conducting Audit / Ethical Activities
    9. Conducting Educational Activities
    10. Execution of Access Authorizations
    11. Execution of Activities in Compliance with the Legislation
    12. Execution of Finance and Accounting Affairs
    13. Execution of Company / Product / Service Loyalty Processes
    14. Providing Physical Space Security
    15. Execution of Assignment Processes
    16. Follow-up and Execution of Legal Affairs
    17. Carrying out Internal Audit / Investigation / Intelligence Activities
    18. Execution of Communication Activities
    19. Planning of Human Resources Processes
    20. Execution / Supervision of Business Activities
    21. Execution of Occupational Health / Safety Activities
    22. Receiving and Evaluating Suggestions for Improvement of Business Processes
    23. Conducting Business Continuity Ensuring Activities
    24. Execution of Logistics Activities
    25. Execution of Goods / Services Procurement Processes
    26. Execution of Goods / Services After-Sales Support Services
    27. Execution of Good / Service Sales Processes
    28. Execution of Goods / Services Production and Operation Processes
    29. Execution of Customer Relationship Management Processes
    30. Execution of Activities for Customer Satisfaction
    31. Organization and Event Management
    32. Conducting Marketing Analysis Studies
    33. Execution of Performance Evaluation Processes
    34. Execution of Advertising / Campaign / Promotion Processes
    35. Execution of Risk Management Processes
    36. Execution of Storage and Archive Activities
    37. Conducting Social Responsibility and Civil Society Activities
    38. Execution of Contract Processes
    39. Execution of Sponsorship Activities
    40. Execution of Strategic Planning Activities
    41. Follow-up of Requests / Complaints
    42. Ensuring the Security of Movable Property and Resources
    43. Execution of Supply Chain Management Processes
    44. Execution of Wage Policy
    45. Execution of Marketing Processes of Products / Services
    46. Ensuring the Security of Data Controller Operations
    47. Foreign Personnel Work and Residence Permit Procedures
    48. Execution of Investment Processes
    49. Execution of Talent / Career Development Activities
    50. Providing Information to Authorized Persons, Institutions and Organizations
    51. Execution of Management Activities
    52. Creating and Tracking Visitor Records
  8. Personal Data Transfer Recipient Groups  The Company may transfer personal data to the following Personal Data Transfer Recipient groups.
    1. Real Persons and Private Law Legal Entities
    2. Shareholders
    3. Business partner
    4. supplier
    5. Authorized Public Institutions and Organizations
  9. Persons Subject to Personal Data  – The Company may record, process or transfer personal data according to the following types of persons.
    1. Employee Candidate
    2. Worker
    3. Potential Product and Service Buyer
    4. Intern
    5. Supplier Employee
    6. Supplier Official
    7. Product or Service Recipient
    8. Parent/Guardian/Representative
    9. Visitor
  10. Personal Data Retention Periods:  Personal data retention periods are regulated in detail in the Personal Data Retention and Disposal Policy.
  11. Deletion, Destruction or Anonymization of Personal Data:
    1. Although the personal data has been processed in accordance with the law, in the event that the reasons for the processing disappear, these data are deleted, destroyed or anonymized by the data controller ex officio or upon the request of the person concerned.
    2. The data controller deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.
    3. The actions to be taken regarding these matters are explained in detail in the Personal data retention and destruction policy.
  12. Transfer of Personal Data Personal data  obtained for processing within the framework of the general principles specified in the Law may be transferred to third parties by obtaining the explicit consent of the person concerned.
    1. Domestic transfer:  Details regarding the domestic transfer of personal data and private personal data are regulated in the Personal Data Transfer procedure.
    2. Transfer abroad:  Personal data can be transferred to countries where adequate protection exists, provided that the explicit consent of the person concerned is present, in case of the existence of the conditions specified in the Law. Data transfer to countries where there is no adequate protection can be carried out in the presence of the conditions specified in the Law, in addition to the express consent, in addition to the written commitment of adequate protection and the permission of the Board. Details on the subject are regulated in the Procedure for Transfer of Personal Data.
  13. General (Basic) Principles in the Processing of Personal Data:  Personal data will be processed in accordance with the following basic principles as detailed in the personal data processing procedure.
    1. Compliance with the law and the rules of honesty,
    2. Being accurate and up-to-date when necessary,
    3. Processing for specific, explicit and legitimate purposes,
    4. Being connected, limited and restrained with the purpose for which they are processed,
    5. To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
  14. Explicit Consent: Consent  about a specific subject, based on information and expressed with free will. As detailed in the procedure for obtaining explicit consent, the Explicit consent must be related to a specific subject, the consent must be based on information and be disclosed with free will.
  15. Obligation to inform:  During the acquisition of personal data, the relevant persons are informed by the company. As detailed in the Clarification Procedure, this information includes at least the following subjects.
    1. Identity of the data controller and its representative, if any,
    2. For what purpose personal data will be processed,
    3. To whom and for what purpose personal data can be transferred,
    4. Method and legal reason for collecting personal data,
    5. Other rights of the person concerned as listed in Article 11 of the Law.
  16. Methods of claiming rights of the person concerned:  By applying to the Company; To learn whether the personal data concerning them are processed, to request them if they have been processed, to correct them if the content of the data is incomplete or incorrect, to delete and destroy them if it is unlawful, to notify the third parties to whom the data has been disclosed and the actions to be taken accordingly, and to claim damages due to the illegal processing of the data. have the right to demand removal. The person concerned can exercise their right of appeal and complaint as specified in the Relevant Person’s Claims Procedure.
    • Application:  It is obligatory for the persons concerned to apply to the data controller in order to exercise their rights. A complaint cannot be made to the Board before this remedy is exhausted.
    • Complaint:  In order for the person concerned to apply for a complaint, the application to the Company must be rejected, the response given is insufficient, or the application must not have been answered within 30 days. It is not possible for the persons concerned to directly complain to the Board without applying to the Company.
  17. Obligation to Fulfill Board Decisions:  If the Board determines the existence of a violation as a result of the examination to be carried out on matters falling within its scope of duty, upon a complaint or ex officio if it learns about the alleged violation, it decides that the unlawful violations will be eliminated by the Company and notifies the relevant parties of the decision. As detailed in the Fulfillment of Board Decisions procedure, the Company fulfills this decision without delay and within thirty days at the latest as of the date of notification.
  18. Data Controllers Registry (VERBIS) registration obligation:  The Company registers and updates the data controllers’ registration system, where they are required to register and where they declare information about data processing activities, as specified in the Data Controllers Registry (VERBIS) registration procedure.
  19. Personal Data Violation:  In case the processed personal data is obtained by others unlawfully, the Company notifies the relevant person and the Board as soon as possible as specified in the Personal Data Breach Procedure. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.
  20. Personal Data Security Measures  :  The Company takes the following technical and administrative measures in accordance with the Company’s structure in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the protection of personal data.
    1. Network security and application security are provided.
    2. A closed system network is used for personal data transfers via the network.
    3. There are disciplinary regulations that include data security provisions for employees.
    4. Training and awareness activities are carried out periodically for employees on data security.
    5. An authorization matrix has been created for employees.
    6. Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
    7. Confidentiality commitments are made.
    8. The authorizations of employees who have a change in duty or quit their job in this field are removed.
    9. Current anti-virus systems are used.
    10. Firewalls are used.
    11. The signed contracts contain data security provisions.
    12. Personal data security policies and procedures have been determined.
    13. Personal data is reduced as much as possible.
    14. Personal data is backed up and the security of the backed up personal data is also ensured.
    15. User account management and authorization control system is implemented and these are also followed.
    16. In-house periodic and/or random audits are conducted and made.
    17. Existing risks and threats have been identified.
    18. Protocols and procedures for special quality personal data security have been determined and implemented.
    19. If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using KEP or corporate mail account.
    20. Data processing service providers are periodically audited on data security.
    21. Awareness of data processing service providers on data security is provided.
Close
Language
English
Close
Sign in
Close
Cart (0)

No products in the cart.

Language
English