1. IDENTITY OF THE DATA SUBJECT
On 07.04.2016, the Law on Protection of Personal Data No. 6698 (hereinafter referred to as “KVKK”) was published and entered into force.
Within the scope of the said law, our Company AKSIGNER YAZILIM DONANIM SAN. TRADE . A.Ş (hereinafter referred to as “ARKSIGNER”) voluntarily has the title of “Data Controller” within the scope of Article 10 of the KVKK.
This ARKSIGNER Personal Data Protection and Privacy Policy (hereinafter referred to as the "Policy") has been prepared to inform the relevant parties and persons about the processes and principles of processing personal data by ARKSIGNER.
2. DEFINITIONS
Any information relating to an identified or identifiable natural person.
Special Qualified Personal Data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
Data Owner / Relevant Person
Natural person whose personal data is processed
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
Consent, which is based on being informed about a particular subject and expressed with free will
Processing of Personal Data
Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking.
Anonymization of Personal Data
The fact that personal data cannot be associated with an identified or identifiable natural person in any way, even by matching with other data.
Deletion of Personal Data
Deletion of personal data; making personal data inaccessible and unusable for Relevant Users in any way
Destruction of Personal Data
Making personal data inaccessible, irretrievable and reusable by anyone in any way
Personal Data Protection Authority
Personal Data Protection Board
Data Owner / Relevant Person
Natural person whose personal data is processed
Data Owner / Relevant Person
Natural person whose personal data is processed
3. BASIC PRINCIPLES ON THE PROCESSING OF PERSONAL DATA
Personal data processing activities are carried out in accordance with KVKK and relevant legislation within the scope of legal justifications, basic principles regarding the processing of personal data, processing conditions of personal data, purposes of processing, storage periods and transfer principles.
3.1 LEGAL REASONS FOR DATA PROCESSING ACTIVITIES
Personal data processed within the framework of ARKSIGNER's business activities, for the period stipulated in the relevant legislation.
- Law No. 6698 on the Protection of Personal Data
- Turkish Code of Obligations No. 6098
- Turkish Penal Code No. 5237
- Social Insurance and General Health Insurance Law No. 5510
- Law No. 5651 on Arranging Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts
- Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions
- Pharmaceutical and Medical Preparations Law of the Ministry of Health No. 1262
- Occupational Health and Safety Law No. 6331
- Labor Law No. 4857
- Turkish Commercial Code No. 6102
- Public Procurement Law No. 4734
- Law No. 8529 on Public Procurement Contracts
- Technology Development Zones Law No. 4691
- Electronic Signature Law No. 5070
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments
- Regulation on Archive Services
- Technology Development Zones Implementation Regulation
- Regulation on the Procedures and Principles Regarding the Implementation of the Electronic Signature Law
- Other secondary regulations, especially the repealed decisions of the Information Technologies Authority regarding secure electronic signature, which are in effect pursuant to these laws
It is processed within the framework of and stored for as long as the storage periods stipulated under the relevant laws.
3.2. GENERAL PRINCIPLES ON THE PROCESSING OF PERSONAL DATA
While processing personal data by ARKSIGNER, the following principles defined in KVKK are applied.
- Compliance with the law and honesty rules
- Being accurate and up-to-date when needed
- Processing for specific, explicit and legitimate purposes
- Being connected, limited and restrained with the purpose for which they are processed
- To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
3.3. PERSONAL DATA PROCESSING CONDITIONS
Except for the exceptions defined in the KVKK, ARKSIGNER processes personal data by obtaining the explicit consent of the persons concerned. Cases where data can be processed without the explicit consent of the data owner within the framework of the provisions of Article 5 of the KVKK:
- expressly stipulated in the law
- It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.
- It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract
- Obligatory for the data controller to fulfill its legal obligation
- It has been made public by the data owner in accordance with the purpose of use
- Data processing is necessary for the establishment, exercise or protection of a right.
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
KVKK 6(2). Pursuant to the provision of the article, the express consent of the persons concerned must be obtained in the processing of sensitive personal data. Special categories of personal data other than health and sexual life data can be processed without the explicit consent of the data owner in cases stipulated by the law.
Personal data related to health and sexual life are only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy without seeking the explicit consent of the person concerned. can be processed.
3.4. PURPOSE OF PROCESSING PERSONAL DATA
Your personal data obtained by ARKSIGNER is processed within the framework of the purposes described below.
Execution of Emergency Management Processes
Execution of Information Security Processes
Execution of Application Processes of Employee Candidates
Execution of Employee Satisfaction and Loyalty Processes
Fulfillment of Employment Contract and Legislative Obligations for Employees
Execution of Benefits and Benefits Processes for Employees
Conducting Audit/Ethics Activities
Conducting Educational Activities
Conducting Educational Activities
Execution of Activities in Compliance with the Legislation
Execution of Finance and Accounting Affairs
Execution of Company/Product/Services Loyalty Processes
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Internal Audit / Investigation / Intelligence Activities
Execution of Communication Activities
Planning of Human Resources Processes
Execution / Supervision of Business Activities
Execution of Occupational Health / Safety Activities
Execution of Goods / Services Procurement Processes
Execution of Goods / Services After-Sales Support Services
Execution of Goods / Services Sales Processes
Execution of Goods / Services Production and Operation Processes
Execution of Customer Relationship Management Processes
Execution of Activities for Customer Satisfaction
Organization and Event Management
Execution of Marketing and Analysis Studies
Execution of Advertising / Campaign / Promotion Processes
Execution of Risk Management Processes
Execution of Storage and Archive Activities
Conducting Social Responsibility and Civil Society Activities
Execution of Contract Processes
Execution of Sponsorship Activities
Follow-up of Requests / Complaints
Ensuring the Security of Movable Property and Resources
Execution of Marketing Processes of Products/Services
Ensuring the Security of Data Controller Operations
Execution of Talent/Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Execution of Management Activities
3.5. PERSONAL DATA STORAGE PERIOD
Identity (Name and surname, Mother's and father's name, Mother's maiden name, Date of birth, Place of birth, Marital status, Identity card serial number, TR identity number, etc.)
Contact (Address no, E-mail address, Contact address, Registered e-mail address (KEP), Telephone number etc.)
Personnel (Payroll information, Disciplinary investigation, Recruitment document records, Property declaration information, CV information, Performance evaluation reports, etc.)
Legal Action (Information in correspondence with judicial authorities, information in the case file, etc.)
Any information relating to an identified or identifiable natural person.
Customer Transaction (Call center records, Invoice, promissory note, check information, Information in box office receipts, Order information, Request information, etc.)
Transaction Security (IP address information, website login and exit information, Password and password information, etc.)
Risk Management (Commercial, Technical, Administrative Risk Management etc.)
Finance (Balance sheet information, Financial performance information, Credit and risk information, Asset information, etc.)
Professional Experience (Diploma information, Courses attended, In-service training information, Certificates, Transcript information, etc.)
Marketing (Shopping history, Survey, Cookie Record, Campaign Data, etc.)
Photographs Supplied with Document and Form (Passport Photo, etc.)
Race Ethnicity (Race, Nationality etc.)
Health Information (Disability information, Blood group information, Personal health information, Device and prosthesis information etc.)
Criminal Conviction and Security Measures (Information on criminal conviction, Information on security measures, etc.)
3.5. TRANSFERRING PERSONAL DATA
ARKSIGNER complies with KVKK and relevant legislation regarding the sharing of personal data with third parties. In this context, personal data is not transferred by AKSIGNER to third parties or parties without the explicit consent of the data owner. However, in the presence of one of the following conditions regulated by the KVKK, personal data may be transferred by ARKSIGNER to third parties and parties without the explicit consent of the data owner.
- expressly stipulated in the law
- It is compulsory for the protection of the life or physical integrity of the person or someone else who cannot express his or her consent due to actual impossibility or whose consent is not legally recognized.
- It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract
- It is mandatory for the data controller to fulfill its legal obligation,
- Being publicized by the data owner himself
- Data processing is mandatory for the establishment, exercise or protection of a right
- Data processing is mandatory for the establishment, exercise or protection of a right
Your personal data (provided that adequate precautions are taken) in terms of special categories of personal data other than health and sexual life; For purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, in terms of special quality personal data related to health and sexual life, it can be transferred without your explicit consent.
In the transfer of sensitive personal data, the conditions specified in the processing conditions of this data are complied with.
4. LIGHTING OBLIGATION
The information that must be conveyed to the data owners within the framework of the disclosure obligation under Article 10 of the KVKK is as follows:
- Identity of the data controller and its representative, if any
- For what purpose personal data will be processed
- To whom and for what purpose the processed personal data can be transferred
- Method and legal reason for collecting personal data
- Other rights listed in Article 11 of KVKK
28(1) of KVKK. ARKSIGNER has no obligation to inform in the cases listed below.
- Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
- Processing personal data for purposes such as research, planning and statistics by anonymizing with official statistics
- Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings
28(2) of KVKK. Circumstances that do not have the obligation to inform:
- Personal data processing is necessary for the prevention of crime or for criminal investigation
- Processing of personal data made public by the data subject himself
- Personal data processing is necessary for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
- The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
5. RIGHTS OF THE DATA SUBJECT
You have the following rights regarding your personal data within the framework of Article 11(1) of the KVKK.
- Learning whether personal data is processed
- If personal data has been processed, requesting information about it
- Learning the purpose of processing personal data and whether they are used in accordance with the purpose
- Knowing the third parties to whom personal data is transferred at home or abroad
- Requesting correction of personal data in case of incomplete or incorrect processing
- Requesting the deletion or destruction of data in case the reasons for the processing of your personal data disappear
- Requesting notification of your corrected or deleted information, if transferred, to third parties to whom personal data has been transferred
- İşlenen verilerin münhasıran otomatik sistemler vasıtasıyla analiz edilmesi suretiyle kişinin kendisi aleyhine bir sonucun ortaya çıkmasına itiraz etme
- Requesting the compensation of the damage in case of loss due to unlawful processing of personal data
5.1. DATA SUBJECT APPLICATION PROCESS
ARKSIGNER will process your requests arising from KVKK through the "ARKSIGNER Personal Data Owner Application Form". ARKSIGNER will conclude your application requests free of charge within 30 (thirty) days at the latest, according to the nature of the request, in accordance with Article 13 of the KVKK. If the request is rejected, the reason for the rejection will be notified to you in writing or electronically.
28(1) of KVKK. Data owners cannot use the rights defined in Article 11 of the KVKK in the cases listed below.
- Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
- Processing personal data for purposes such as research, planning and statistics by anonymizing with official statistics
- Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings
The rights defined in Article 11 of KVKK cannot be used in the following cases.
- The perfection of the personal data processing or being necessary for the investigation
- Processing of personal data made public by the data subject himself
- Personal data processing is necessary for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
- The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
6. MEASURES TAKEN TO ENSURE DATA SECURITY
ARKSIGNER takes the following technical and administrative measures for the protection of personal data.
6.1. ADMINISTRATIVE MEASURES
Administrative measures taken by ARKSIGNER to ensure personal data security:
There are disciplinary regulations that include data security provisions for employees.
Training and awareness activities are carried out periodically for employees on data security.
An authorization matrix has been created for employees.
Confidentiality commitments are made.
The authorizations of employees who have a change of job or quit their job in this field are removed.
The signed contracts contain data security provisions.
Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
Existing risks and threats have been identified.
Protocols and procedures for special quality personal data security have been determined and implemented.
Data processing service providers are periodically audited on data security.
Awareness of data processing service providers on data security is ensured.
6.2. TECHNICAL MEASURES
Technical measures taken by ARKSIGNER to ensure personal data security:
Network security and application security are provided.
A closed system network is used for personal data transfers via the network.
Key management is implemented.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
The security of personal data stored in the cloud is ensured.
Access logs are kept regularly.
Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
Data masking is applied when necessary.
Current anti-virus systems are used.
Personal data is backed up and the security of the backed up personal data is also ensured.
Kullanıcı hesap yönetimi ve yetki kontrol sistemi uygulanmakta olup bunların takibi de yapılmaktadır.
Personal data is backed up and the security of the backed up personal data is also ensured.
If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.
Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
Intrusion detection and prevention systems are used.
Cyber security measures have been taken and their implementation is constantly monitored.
Personal data transferred in portable memory, CD and DVD media are encrypted and transferred.
Data loss prevention software is used.
7. DATA DISPOSAL
The principles and procedures regarding the destruction of data processed by ARKSIGNER at the end of the legal periods are regulated, published and published in the ARKSIGNER Data Retention and Destruction Policy document in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224. entered into force.
8. OTHER MATTERS
- The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website.
- In case of inconsistency between KVKK and relevant legislation provisions and this Policy, KVKK and related legislation provisions will be applied first.
- The policy is published on the ARKSIGNER corporate website and announced to the relevant persons.
- The policy is published on the ARKSIGNER corporate website and announced to the relevant persons.
- This Policy, prepared by ARKSIGNER, entered into force on 06.04.2020.