Corporate General Information Text Regarding the Protection of Personal Data
SEED TOURISM AND HOTEL SERVICES CONSTRUCTION AND TRADE INC.
CORPORATE PERSONAL DATA PROTECTION POLICY
Document Information
Document Name: Personal Data Protection Policy
Document Relevance: The purpose of the Personal Data Protection Policy is to plan the processes related to the protection of personal data by Seed Tourism and Hotel Services Construction and Trade Inc. and to determine the principles to be applied regarding this matter.
Release Date: 23.09.2020
Version No: 1
Reference / Rationale: Law No. 6698 on the Protection of Personal Data and other relevant legislation
Approval Authority: Board of Directors of Seed Tourism and Hotel Services Construction and Trade Inc.
SEED TOURISM AND HOTEL SERVICES CONSTRUCTION AND TRADE INC.
CORPORATE PERSONAL DATA PROTECTION POLICY
PURPOSE
Everyone has the constitutional right to request the protection of personal data related to them. As Seed Tourism and Hotel Services Construction and Trade Inc., we consider fulfilling this right as one of our most important responsibilities. Therefore, we emphasize processing and protecting your personal data in accordance with the law.
This Corporate Personal Data Protection Policy has been prepared as a result of the importance we attach to personal data protection and aims to determine the principles we follow and the procedures we apply when processing and protecting personal data.
SCOPE
The policy covers all personal data managed by Seed Tourism and Hotel Services Construction and Trade Inc., including personal data obtained, recorded, stored, retained, modified, rearranged, disclosed, transferred, acquired, made accessible, classified, or restricted through any means, whether automatic or not, as part of a data recording system.
The policy is related to the personal data of the shareholders, executives, customers, employees, supplier representatives, employees, and third parties of Seed Tourism and Hotel Services Construction and Trade Inc.
Seed Tourism and Hotel Services Construction and Trade Inc. may change the policy in line with the legislation and decisions of the Personal Data Protection Authority to ensure better protection of personal data.
DEFINITIONS
|
Abbreviation |
Definition |
|---|---|
|
Recipient Group |
The category of natural or legal persons to whom personal data is transferred by the data controller. |
|
Explicit Consent |
Consent given based on information for a specific subject and voluntarily expressed. |
|
Anonymization |
The process of making personal data non-referable to an identified or identifiable person, even when combined with other data. |
|
Data Subject |
The natural person whose personal data is processed. |
|
Relevant User |
The person or unit responsible for the technical storage, protection, and backup of data, except for those processing personal data under the authorization and instruction of the data controller. |
|
Erasure |
The process of deleting, destroying, or anonymizing personal data. |
|
Law / KVKK |
Law No. 6698 on the Protection of Personal Data. |
|
Data Environment |
Any environment where personal data processed by fully or partially automated means or as part of a non-automated data recording system is found. |
|
Personal Data |
Any information relating to an identified or identifiable natural person. |
|
Data Inventory |
The inventory created by data controllers to detail their personal data processing activities, including purposes and legal bases, data categories, recipients, retention periods, and security measures taken. |
|
Personal Data Processing |
Any action performed on personal data, such as obtaining, recording, storing, modifying, transferring, or restricting its use. |
|
Authority |
The Personal Data Protection Authority (KVKK). |
|
Special Categories of Personal Data |
Data concerning an individual’s race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, membership in associations, health, sexual life, criminal convictions, and biometric or genetic data. |
|
Periodic Erasure |
The deletion, destruction, or anonymization of personal data performed regularly once the conditions for processing under the law no longer exist. |
|
Policy |
Personal Data Protection Policy |
|
Data Processor |
A person or entity that processes personal data on behalf of the data controller based on the authorization given. |
|
Data Controller |
The person or entity that determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
GENERAL PRINCIPLES
Seed Tourism and Hotel Services Construction and Trade Inc. ensures that any new business process requiring personal data processing complies with the following principles. Processes found not to be compliant are not implemented.
When processing personal data, Seed Tourism and Hotel Services Construction and Trade Inc. adheres to the following principles:
(I) Complies with the law and honesty principles.
(II) Ensures that personal data is accurate and, when necessary, kept up to date.
(III) Ensures that the processing purpose is specific, clear, and legitimate.
(IV) Verifies that the data processed is relevant, limited to what is necessary, and proportional to the purpose of processing.
(V) Retains personal data only for as long as required by the relevant legislation or for the purpose it was collected. Data is erased when the purpose no longer exists.
MEASURES TAKEN FOR DATA SECURITY
Seed Tourism and Hotel Services Construction and Trade Inc. takes all necessary technical and administrative measures to ensure:
(i) The unlawful processing of personal data is prevented.
(ii) Unauthorized access to personal data is prevented.
(iii) The protection of personal data is ensured.
5.1. Technical Measures
• Network and application security are maintained.
• Security measures are taken for procurement, development, and maintenance of information technology systems.
• Access logs are regularly kept.
• Up-to-date antivirus systems are used.
• Firewalls are used.
• Necessary security measures are taken for physical environments containing personal data.
• Security against external risks (fire, flood, etc.) for environments containing personal data is ensured.
• Personal data is backed up, and security of the backed-up data is ensured.
• User account management and authorization control systems are applied and monitored.
• Logs are kept without user intervention.
• Intrusion detection and prevention systems are used.
• Encryption is applied.
5.2. Administrative Measures
• Disciplinary regulations containing provisions for data security are in place for employees.
• Periodic training and awareness activities on data security are conducted for employees.
• Institutional policies on access, information security, use, retention, and destruction are prepared and implemented.
• Data masking measures are applied when necessary.
• Confidentiality agreements are signed.
• An authorization matrix for employees is created.
• The permissions of employees who change positions or leave the company are revoked.
• Contracts signed with employees contain data security provisions.
• Personal data security policies and procedures are established.
• Personal data security issues are reported swiftly.
• Personal data security is monitored.
• Personal data is minimized as much as possible.
• Periodic and/or random internal audits are conducted.
• Current risks and threats are identified.
• Protocols and procedures for the security of special categories of personal data are established and implemented.
• Special categories of personal data sent via email are encrypted and sent using secure methods (KEP or corporate email).
RIGHTS OF THE DATA SUBJECT REGARDING PERSONAL DATA
The data subject may request the following from Seed Tourism and Hotel Services Construction and Trade Inc.:
• Learn whether their personal data is processed.
• Request information if their personal data has been processed.
• Learn the purpose of processing their personal data and whether it is used appropriately.
• Learn about third parties to whom their personal data is transferred, both domestically and internationally.
• Request correction of incorrect or incomplete personal data and request that the correction be communicated to third parties.
• Request the deletion, destruction, or anonymization of their personal data when the reasons for processing no longer exist, and request that the action be communicated to third parties.
• Object to results arising solely from automated data processing that affects them negatively.
• Request compensation for damages caused by unlawful processing of their personal data.
BREACH NOTIFICATIONS
Employees of Seed Tourism and Hotel Services Construction and Trade Inc. report any actions, events, or situations that they believe violate KVKK provisions and/or the Policy to the Management. If necessary, the committee convenes and creates an action plan regarding the breach.
If a breach occurs through unlawful acquisition of personal data, the Management will notify the data subject and the Authority within 72 hours, as per the decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10.
CHANGES
Changes to the Policy are prepared by the Board of Directors. The updated Policy can be sent to employees via email or published on the company’s website.
EFFECTIVE DATE
This version of the Policy was approved by the Board of Directors on 23.09.2020 and entered into force.