1. Purpose
The purpose of this Personal Data Protection and Processing Policy is to fulfill the legal obligations arising from the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 on the Adequate Precautions to be Taken by Data Controllers in the Processing of Special Quality Personal Data, and to set forth the technical and administrative measures taken in the processing of personal data.
2. Definitions
| ABBREVIATION | DEFINITION |
|---|---|
| Explicit Consent | Consent on a particular subject, based on information and expressed with free will. |
| Disposal | Deletion, destruction or anonymization of personal data. |
| Law | Law on Protection of Personal Data No. 6698. |
| Personal data | Any information relating to an identified or identifiable natural person. |
| Anonymization of personal data | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. |
| Processing of personal data | Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking it, completely or partially by automatic means, or by non-automatic means provided that it is part of a data recording system. |
| Deletion of personal data | The process of making personal data inaccessible and unusable for the relevant users in any way. |
| Destruction of personal data | The process of making personal data inaccessible, irretrievable and unusable by anyone in any way. |
| Committee | Personal Data Protection Committee |
| Policy | Policy on Protection and Processing of Private Personal Data |
| Company | DINCERLER TEXTILE INDUSTRY AND TRADE INC |
| Data owner | Natural person whose personal data is processed |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
3. Processing of Private Personal Data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are personal data of special nature.
The Company complies with the Law and other legislative provisions in the processing of sensitive personal data. Accordingly, special categories of personal data are processed in accordance with the following principles:
- Compliance with the law and honesty rules
- Being accurate and up-to-date when needed
- Being relevant, limited and proportionate to the purpose for which they are processed
- Processing for specific, explicit and legitimate purposes
- Being kept for the period required by the legislation or for the purpose for which they are processed
Special categories of personal data other than health and sexual life are processed by the Company in cases where the explicit consent of the data owner is obtained or in cases stipulated by the laws.
Data on health and sexual life are processed in cases where the explicit consent of the data owner is obtained or for the purpose of protecting public health, carrying out medical diagnosis, treatment and care services, planning and managing preventive medicine, health services and financing.
In the processing of health data, the provisions of the Regulation on the Processing of Personal Health Data and Ensuring the Privacy, which came into force after being published in the Official Gazette dated 20 October 2016 and numbered 29863, are also complied with.
4. Technical and Administrative Measures Taken for the Protection of Private Personal Data
The Company takes all kinds of measures to ensure the security of sensitive personal data by processing sensitive personal data in accordance with the Law and relevant legislation. The measures taken in this context are listed below:
5. Administrative Measures
- The company provides regular trainings on the protection and processing of special quality personal data for employees involved in the processing of special quality personal data.
- The company concludes confidentiality agreements with its employees to ensure data security.
- The users who have access to data, and the scope and duration of their authorizations, are clearly defined, and periodic authorization checks are carried out.
- The access to personal data of employees who change jobs or quit their jobs is removed immediately. In this context, the Company immediately takes back the inventory allocated to those employees.
6. Technical Measures
a. Technical Measures Taken in Terms of Private Personal Data Stored and/or Accessed Electronically
- Special categories of personal data are stored using cryptographic methods.
- Cryptographic keys are kept in secure and different environments.
- Transaction records of all movements performed on sensitive personal data are securely logged.
- Security updates of environments with sensitive personal data are constantly monitored, necessary security tests are regularly carried out and test results are recorded.
- User authorizations are defined for software that accesses sensitive personal data; security tests of this software are carried out regularly and the test results are recorded.
- In cases where private personal data is accessed remotely, at least a two-stage verification system is used.
b. Technical Measures Taken in Terms of Private Personal Data Stored and/or Accessed in Physical Environment
- Adequate security measures are taken according to the nature of the environment where sensitive personal data is stored.
- The physical security of these environments is ensured and unauthorized entries and exits are prevented.
7. Transfer of Private Personal Data
The Company transfers special quality personal data within the framework of the data processing conditions in Articles 8 and 9 of the Law. In order to ensure data security, the following rules are applied by the Company in data transfer and periodic audits are carried out within this scope.
- Transfer via E-mail
In cases where sensitive personal data is transferred via e-mail, the transfer is made with an encrypted corporate e-mail address or by using a Registered Electronic Mail (KEP) account.
- Transfer via Media such as Portable Memory, CD, DVD
In cases where special quality personal data is transferred via media such as portable memory, CD, DVD, encryption is performed with cryptographic methods and the cryptographic key is kept in a different environment.
- Transfer Between Servers in Different Physical Environments
In the transfer of sensitive personal data between servers in different physical environments, the data is transferred by establishing a VPN between the servers or by using SFTP.
- Transfer via Paper Media
If sensitive personal data needs to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in the form of “confidential documents”.
8. Storage and Disposal of Private Personal Data
Special quality personal data is stored by the Company in accordance with the Law and other legislation and the Adequate Precautions to be Taken by Data Controllers in the Processing of Special Quality Personal Data published by the Board in the following cases:
- Obtaining the explicit consent of the data subject
- The storage of sensitive personal data other than health and sexual life being prescribed by law
- Storage of data on health and sexual life for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing
The sensitive personal data stored by the Company in accordance with the Law and other legislation is deleted, destroyed or anonymized ex officio or upon the request of the data owner, in case the following reasons arise:
- Withdrawal of the explicit consent, in cases where the private data storage activity is based on the explicit consent of the data owner
- The purpose of storing sensitive personal data having been fulfilled, having become impossible or having otherwise ceased to exist
- Change or repeal of the provisions of the legislation that form the basis for the storage of sensitive personal data
- All of the processing conditions in Article 6 of the Law have disappeared
- The Company finding justified, and accepting, the data owner’s duly communicated request for the destruction of his or her personal data of a special nature
- Where the Company rejects the data owner’s application for the destruction of sensitive personal data, gives an insufficient answer or does not respond within the time stipulated in the Law: a complaint being made to the Board and the Board approving the request
Other matters regarding the storage and destruction of sensitive personal data are regulated in the Company’s Personal Data Retention and Destruction Policy.
9. Update
The changes made in this Policy are shown in the table below.
| Policy Update Date | Changes |
|---|---|
|  |  |
|  |  |