IŞIK PERDE RAYLARI SAN. TİC. A. Ş.
KURUMSAL KİŞİSEL VERİLERİN KORUNMASI POLİTİKASI
| Document Information | |
|---|---|
| Document Name: | Corporate Policy for Protection of Personal Data |
| Objective of Document: | Kişisel Verilerin Korunması Politikasının amacı, Işık Perde Rayları San. Tic. A. Ş. tarafından kişisel verilerin korunmasına yönelik süreçlerin planlanması ve bu konuya ilişkin uygulanacak esasların belirlenmesidir. |
| Date of Publication: | 01.09.2020 |
| Version No: | 1 |
| Reference / Reason: | Law No 6698 on the Protection of Personal Data and other legislations |
| Approving Authority: | Işık Perde Rayları San. Tic. A. Ş. Yönetim Kurulu |
IŞIK PERDE RAYLARI SAN. TİC. A. Ş.
KURUMSAL KİŞİSEL VERİLERİN KORUNMASI POLİTİKASI
1. OBJECTIVE
Her bireyin kendisi ile ilgili kişisel verilerin korunmasını isteme hakkı Anayasa’dan doğan kutsal bir haktır. Işık Perde Rayları San. Tic. A. Ş. olarak bu hakkın gereklerini yerine getirmeyi en değerli görevlerimizden biri olarak kabul ediyoruz. Bu nedenle kişisel verilerinizin hukuka uygun olarak işlenmesine ve korunmasına önem veriyoruz. Kurumsal Kişisel Verilerin Korunması Politikası da kişisel verilerin korunmasına verdiğimiz önemin bir sonucu olarak kişisel verileri işlerken ve korurken temel aldığımız ilkeleri ve uyguladığımız prosedürleri belirlemek amacıyla hazırlanmıştır.
The Corporate Policy for Protection of Personal Data has been prepared to determine the principles we take as basis and the procedures we apply while processing and protecting personal data as a result of the importance we give to the protection of personal data.
2. SCOPE
Politika Işık Perde Rayları San. Tic. A. Ş.’nin yönettiği bütün kişisel veriler verilerin tamamen veya kısmen otomatik olan ya da herhangi bir veri kayıt sisteminin parçası olmak kaydıyla otomatik olmayan yollarla elde edilmesi, kaydedilmesi, depolanması, muhafaza edilmesi, değiştirilmesi, yeniden düzenlenmesi, açıklanması, aktarılması, devralınması, elde edilebilir hâle getirilmesi, sınıflandırılması ya da kullanılmasının engellenmesi gibi veriler üzerinde gerçekleştirilen her türlü işlemi kapsamaktadır.
Politika Işık Perde Rayları San. Tic. A. Ş.’nin ortaklarının, yetkililerinin, müşterilerinin, çalışanlarının, tedarikçi yetkililerinin ve çalışanlarının ve üçüncü kişilerin işlenen tüm kişisel verilerine ilişkindir.
Işık Perde Rayları San. Tic. A. Ş. Politika’yı mevzuata ve Kişisel Verileri Koruma Kurumu’nun kararlarına uyum ve kişisel verilerin daha iyi korunması amaçlarıyla değiştirebilir.
DEFINITIONS
| Abbreviation | Definition |
|---|---|
| Receiver Group | Natural or legal person category to whom personal data is transferred by data controller. |
| Express Consent | The consent related to a specific issue, based on being informed and explained with freewill. |
| Anonymization | Making the personal data unrelated to a natural person whose identity is known or identifiable in any manner whatsoever even by matching personal data with other data. |
| Relevant Person | The natural person whose personal data is processed. |
| Relevant User | Those who process personal data within the organization of data controller or in line with the authority and instruction given by the data controller except for the person or unit responsible for technical storage, protection and backup of the data. |
| Disposal | Deletion, elimination or anonymization of personal data. |
| Law/KVKK | Law No 6698 on the Protection of Personal Data. |
| Recording Medium | Any and all mediums including the personal data processed through the methods which are completely or partially automatic or non-automatic provided that it is a part of any data recording system. |
| Personal Data | Any and all information related to the natural person whose identity is known or identifiable. |
| Data Inventory | The inventory explaining personal data processing operations performed by data controllers based on business processes, purposes of processing personal data and legal reasons, data categories, the receiver group and maximum time of keeping necessary for the purposes connected with the person group subject to the data and for processing personal data, the personal data anticipated to be transferred to foreign countries and the precautions taken in relation to data security in details. |
| Processing of Personal Data | Any and all operations performed on the data such as obtaining through the methods which are completely or partly automatic or non-automatic provided that it is a part of any data recording system, recording, storing, keeping, changing, rearranging, explaining, transferring, taking over, making available, classifying or preventing use of all personal data. |
| Committee | Committee of Protection of Personal Data. |
| Agency | Agency for Protection of Personal Data |
| Sensitive Personal Data | The data of people about their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership to an association, foundation or union, health, sexual life, penal conviction and security precautions and biometric and genetic data. |
| Periodical Disposal | In case all of the requirements for processing personal data stated in the Law have been removed completely, the operations of deletion, elimination or anonymization to be performed ex officio at the intervals stated in the policy for storage and disposal of personal data and periodically. |
| Policy | Corporate Policy for Protection of Personal Data |
| Data Processor | A natural or legal person who processes the personal data in the name of data controller based on the authority given by the data controller. |
| Data Controller | A natural or legal person who determines purposes and means of processing personal data and responsible for establishment and management of data recording system. |
| Board | Işık Perde Rayları San. Tic. A. Ş. Yönetim Kurulu |
4. GENERAL PRINCIPLES
Işık Perde Rayları San. Tic. A. Ş. her yeni kişisel veri işlemeyi gerektiren iş akışının hazırlık aşamasında işlenecek verilerin aşağıdaki ilkelere uygunluğunu denetler. Uygun bulunmayan iş akışları hayata geçirilmez.
Işık Perde Rayları San. Tic. A. Ş. kişisel verileri işlerken;
- Abides by law and good faith.
- Ensures that the personal data is accurate and updated when necessary.
- Attends that the purpose for processing is specific, clear and legitimate.
- Controls that the processed data is connected with the purpose of processing, it is processed limitedly to the necessary extent and it is moderate.
- Keeps the data only for the period anticipated in the applicable legislation or required by the purpose of processing, disposes the data when the purpose of processing has been removed.
5. PRECAUTIONS FOR DATA SECURITY
Işık Perde Rayları San. Tic. A. Ş. (i) kişisel verilerin hukuka aykırı olarak işlenmesini önlemek, (ii) kişisel verilere hukuka aykırı olarak erişilmesini önlemek, (iii) kişisel verilerin muhafazasını sağlamak amacıyla uygun güvenlik düzeyini temin etmeye yönelik gerekli her türlü teknik ve idari tedbirleri alır.
5.1. Technical Precautions
- Network security and application security is provided.
- Security precautions within the scope of provision, development and maintenance of information technologies systems are taken.
- Access logs are kept regularly.
- Updated anti-virus systems are used.
- Firewalls are used.
- Necessary security precautions related to entry into and exit from physical places containing personal data are taken.
- Security of physical places containing personal data is provided against external risks (fire, flood, etc.).
- Security of environments containing personal data is provided.
- Personal data is backed up and security of backed up personal data is provided.
- User account management and authority control system is applied and also followed.
- Log records are kept in a way that no user intervention will be possible.
- Intrusion detection and prevention systems are used.
- Encryption is applied.
Administrative Precautions
- There are disciplinary arrangements containing data security provisions for the employees.
- Trainings and awareness operations are carried out for the employees about data security at specific intervals.
- Corporate policies have been prepared and started to be applied about the issues of access, data security, use, storage and disposal.
- Data masking is applied when necessary.
- Confidentiality commitments are made.
- An authority matrix has been created for the employees.
- Authorities of the employees who have changed duty or quit the job are removed in this area.
- The signed contracts include data security provisions.
- Policies and procedures for personal data security have been determined.
- The problems about personal data security are reported immediately.
- Personal data security is followed up.
- Personal data is decreased as much as possible.
- In-house periodical and/or random audits are performed and made to be performed.
- The existing risks and threats have been determined.
- Protocols and procedures for security of sensitive personal data have been determined and are being applied.
- If sensitive personal data will be sent through electronic mail, it is sent encrypted absolutely and using REM or corporate mail account.
- Awareness of data processing service providers about data security is provided.
6. RIGHTS OF RELEVANT PERSON RELATING TO PERSONAL DATA
İlgili kişi, Işık Perde Rayları San. Tic. A. Ş.’ye başvurarak aşağıda yer alan konularda talepte bulunabilir:
- To learn whether his/her personal data is processed or not,
- To demand relevant information if his/her personal data has been processed,
- To learn the purpose of processing his/her personal data and whether it is used according to this purpose,
- To learn the third parties to whom his/her personal data is transferred at home and abroad,
- If his/her personal data has been processed deficiently or wrongly, to ask for correction of it and notification of such corrections to the third persons to whom the personal data has been transferred,
- Although it has been processed in accordance with KVKK and other applicable law provisions, to ask for deletion, elimination or anonymization of his/her personal data in case the reasons requiring the data processing have been removed and notification of such operations to the third persons to whom the personal data has been transferred,
- If he/she incurs a loss due to illegal processing of his/her personal data, to ask for indemnification of the loss.
- To raise an objection to any result against him/her having occurred by analysing his/her processed data exclusively by means of automatic systems,
7. NOTIFICATION OF BREACHES
Işık Perde Rayları San. Tic. A. Ş. çalışanları, KVKK hükümlerini ve/veya Politika’yı ihlal ettiğini düşündüğü iş, eylem veya olguyu Yönetim Kuruluna raporlar. Yönetim Kurulu bu ihlal bildirimi akabinde gerekli görmesi halinde toplanır ve ihlale ilişkin bir eylem planı oluşturur.
If the breach has occurred through acquisition of personal data by other persons illegally, the Board notifies this situation to the relevant person and the Committee of Protection of Personal Data within 72 hours in accordance with the decision dated 24.01.2019 and numbered 2019/10 of the Committee of Protection of Personal Data.
AMENDMENTS
Politika üzerindeki değişiklikler Işık Perde Yönetim’inin yetkilendirdiği çalışanlar tarafından hazırlanır ve Işık Perde Rayları San. Tic. A. Ş. Yönetim Kurulu’nun onayına sunulur. Güncellenen Politika çalışanlara e-posta yolu ile gönderilebilir veya internet sitesi üzerinde yayınlanır.
9. EFFECTIVE DATE
This version of the Policy entered into force having been approved by the Board on 01.09.2020.