Personal Data Processing Policy
POLICY ON PROCESSING OF PERSONAL DATA
As per Article 20 of the Constitution of the Republic of Turkey, everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to e informed whether these are used in consistency with envisaged objectives. Law No: 6698 on Protection of Personal Data (“LPPD”) regulates the fundamental rights and freedoms of the individuals about the processing of their personal data, the liabilities and obligations of the natural and legal persons processing such personal data and principles and procedures to be followed to process such personal data. The purpose of this Principle is to provide harmonization with the obligations about LPPD regulations.
The purpose of this Policy is the protection of the personal data of the customers, visitors, suppliers and third parties ofFİNANSEVİM GAYRİMENKUL OTOMOTİV İLETİŞİM ORGANİZASYON PAZARLAMA SANAYİ VE TİCARET A.Ş. (FİNANSEVİM) governed by this Policy. The protection of the personal data of our employees is governed by the Policy on Protection of the Personal Data of FİNANSEVİM Employees prepared in line with the principles set forth in this Policy. In case of the approval of the relevant section referring these RULES, it will be considered that the Data Owner has been informed of these rules, has read all of them and authorized FİNANSEVİM about the content herein. FİNANSEVİM has right to update, in whole or in part, these regulations on Protection of Personal Data within the scope of amendments in legislations in force and amendments in legal legislations shall be binding on both FİNANSEVİM and our followers.
Law No: 6698 on Protection of Personal Data has been published on Official Gazette dated April 7, 2016 and numbered 29677. Law No: 6698 on Protection of Personal Data (“LPPD”) regulates the fundamental rights and freedoms, including the privacy of the personal life protected by the Constitution, of the natural person data owners about the processing of their personal data, the liabilities and obligations of the natural and legal persons processing such personal data. Law No: 6563 on Regulation of Electronic Commerce also contains provisions on the protection of personal data. Some punitive sanctions are prescribed by Turkish Criminal Law No: 5237 for the protection of personal data.
This Policy on Protection and Processing of the Personal Data (“Policy”) of FİNANSEVİM GAYRİMENKUL OTOMOTİV İLETİŞİM ORGANİZASYON PAZARLAMA SANAYİ VE TİCARET A.Ş. (“FİNANSEVİM”) has been prepared to regulate the fundamental rights and freedoms, including the privacy of the personal life, of the individuals during the processing of their personal data and the liabilities and obligations of and principles and procedures to be followed by the natural and legal persons processing such personal data.With this Policy, it was intended to maintain and develop the activities carried out by FİNANSEVİM in compliance with the principles set forth in LPPD.
With this Policy, it was intended to inform the FİNANSEVİM employees of the issues specified below: The identity of the data controller, The purpose and method of processing of personal data; To whom and for which purposes the processed personal data may be transferred by FİNANSEVİM, The method and legal basis of collection of personal data, Other rights of FİNANSEVİM employees on the personal data processed
Technical and administrative precautions taken for the purpose of data security
Within the scope of this Policy, data owners have been categorized as follows:
Customers Natural persons who receive persona data personal data due to their business relations within the scope of the activities carried out by FİNANSEVİM regardless of the existence of any contractual relationship Third Persons Other natural persons including but not limited to the suppliers, potential customers, potential employees, complainant, intern etc. whose personal data are processed even not defined within the scope of this Policy
The definitions used in this Policy are as follows:
Explicit Consent means consent related to a specific subject which is given freely upon informing which permits and authorizes the relevant person on a permitted subject,
Anonymization means processing of personal data in such a way to make the linking of the data with another data of an identified or identifiable natural person impossible,
Employee means all natura persons who serve for FİNANSEVİM for a for a definite or indefinite period of time, Service Provider means company personnel (supplier, contractor etc.) to/from which FİNANSEVİM provides/receives service Personal Data means any information relating to an identified or identifiable natural person, Processing of Personal Data means any operation which is performed upon personal data whether or partly by automatic means or otherwise than by automatic means which form part of a filing system, such as collection, recording, storage, retain, alteration, re-organization, disclosure, transfer, retrieval, making available, combination, or blocking, Personal Data Owner means the natural person called as “relevant person” in LPPD and whose personal data are processed Personal Data Owner Application Form means the application form to be used by the FİNANSEVİM employees during their application on the exercise of rights mentioned in Article 11 of LPPD, LPPD means Law No: 6698 on Protection of Personal Data, PDPA means Personal Data Protection Authority, Special Categories of Persona Data means data relating to an individual’s racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs; dress and appearance; memberships to any association, foundation or trade union; health or sex life; criminal conviction and security measures, biometric and genetic data,
Data Inventory means the inventory created and detailed by FİNANSEVİM by associating the personal data processing activities which are conducted in line with the business processes with the personal data processing purposes, data categories and the recipient group Data Processor means natural or legal persons who process personal data on behalf of and under the authority given by the data controller. Data Controller means any natural and legal person which determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system Data Controllers Registry means the data controllers registry kept by the Presidency under the supervision of Personal Data Protection Authority
GENERAL PRINCIPLES OF PROCESSING OF PERSONAL DATA
As per Article 3 of LPPD, any kinds of operations performed on personal data whether or partly by automatic means or otherwise than by automatic means which form part of a filing system, such as collection, recording, storage, retain, alteration, re-organization, disclosure, transfer, retrieval, making available, combination, or blocking are included in the scope of the processing of personal data. It is obligatory to follow the principles below during the processing of personal data: Processing in Good Faith and in Accordance with the Law Our Company processes the personal data in line with the good faith principle and in accordance with the principles set forth under LPPD and relevant regulations as well as Constitution. Keep Personal Data Accurate and Up-to-Date Where Necessary Our Company takes necessary technical and administrative measures to ensure accuracy and up-to-datedness of the processed personal data during the processing of the personal data. Processing for Specific, Explicit and Legitimate Purposes Our Company determines and expressly declares the purposes of personal data processing prior to the commencement of processing activities. Relevant, Limited and Proportional to the Purposes for Which They Are Processed Personal data shall be processed by our Company with regards and limited to the determined purposes. We don’t process and personal data on the assumption to be used in the future. Keeping for duration necessary for the purposes for which the data are processed or foreseen under the relevant legislation Our Company shall keep personal data only for a duration stated under the applicable legislation or necessary for the purposes for which the data are processed. CONDITIONS OF PROCESSING PERSONAL DATA
Conditions of Processing Personal Data Our Company may process the personal data and special categories of personal data with the explicit consent of data subject or without explicit consent in cases prescribed in Articles 5 and 6 of LPPD. In case of existence any of the matters specified below, FİNANSEVİM will be entitled to process the personal data of the data subject without seeking for explicit consent:
If processing is specifically envisaged under the laws. If processing is necessary to protect the vital interests or physical integrity of the data subject or a third person if the data subject is not in a condition to express his/her consent due to actual impossibility.
If processing is necessary for execution or a performance of a contract to which data subject is a party. If processing is necessary for our Company to comply with a legal obligation to which the data controller is subject. If personal data has been made public by the data subject. If processing is necessary for the establishment, exercise or protection of a right. If processing is necessary for the purpose of the legitimate interests of our Company provided that such interest does not harm the fundamental rights and freedoms of the data subject. Conditions of Processing of Special Categories of Personal Data: Our Company complies with the conditions for data processing set forth in Article 6 of LPPD concerning the processing of special categories of personal data which may cause discrimination when processed unlawfully. It is prohibited to process the special categories of personal data without explicit concent of the data subjet. However, special categories of personal data may be processed under the conditions specified below without explicit consent of the data subject provided that the precautions determined by the PDPA are taken: a. Processing of Personal Health Data: Personal Health Data may be processed in the event of existence of any conditions set forth below provided to;
(i) take necessary measures prescribed by the PDPA,
(ii) act in compliance with the general principles,
(iii) be under confidentiality obligation:- Explicit and written consent of the data subject- Protection of public health, - Preventive medicine, - Medical diagnosis, conducting of nursing services, - Planning and management of the health services and financing b. Processing of Special Categories of Personal Data Other Than Health and Sexual Life Processing of the data within this scope will be possible upon explicit consent of the data subject or in cases prescribed by laws. CATEGORIZATION OF THE PERSONAL DATA PROCESSED BY OUR COMPANY
Categories of the Personal Data Processed by Orient Insurance
Personal Data Categorization Data Subject Category to which the Personal Data is related Customer Data means the data and information received to benefit from commercial activities and generated about the relevant person as a result of operations carried out by our business units in this context Potential Customers Dealer/Agent Data Natural person Customers, Agents, Brokers, Agent Partners who use the applications of the Company, make sales on behalf of the Company in a specific territory or location based on a contract signed with the Company, perform preparatory works prior to the conclusion of the Contract and help for the execution of the Contract and payment of the compensation amount
Customer Data means the data and information received and generated about the relevant person as a result of our activities and operations carried out by our business units in this context Customers
Third Parties mean other natural persons whose personal data are processed including but not limited to supplier, surety, sufferer/right holder, family members etc. Suppliers Supplier Data means any information required for the provision of products or services Suppliers
As per LPPD; FİNANSEVİM has legal obligations about the protection and processing of the personal data. Such legal obligations are as follows:
Obligation to Notify/Inform FİNANSEVİM is obliged to inform the relevant person during the collection of the personal data and inform the relevant person of the matters specified below within the scope of relevant legislation provisions:
* The identity of the data controller and of its representative, if any,
* The purpose of processing of personal data;
* To whom and for which purposes the processed personal data may be transferred,
* The method and legal basis of collection of personal data,
* Other rights of the relevant person
FİNANSEVİM shall inform the relevant persons of the processing of the personal data through different channels within the scope of the obligation to inform. Obligation to Inform As regulation in Article 11 of LPPD, the rights of data subject, from which the personal data are received, on the protection of such personal data are as mentioned herein (Your Rights Section). As per LPPD, FİNANSEVİM shall be obliged to evaluate the requests concerning said rights and to inform the relevant persons about the scope and operations to be carried out in line with the requests and such notification shall be made within the period of time prescribed by the legal legislation.
Such requests must appropriately be delivered by the relevant person to FİNANSEVİM in writing or through other methods to be determined by PDPA. FİNANSEVİM works to offer more opportunities for the relevant person to make application and exercise its rights provided not to constitute a contradiction with the decision of PDPA on this subject.
Obligation to ensure data security and privacy As per Article 12 of LPPD, our Company takes all necessary technical and organizational measures to provide an appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data and ensuring protection of personal data Technical Measures taken to ensure the lawful processing of personal data and to prevent unlawful Access to personal data FİNANSEVİM has taken any and all technical and technological security measures in order to protect your personal data and your personal data are protected against probable risks. Administrative and Organizational Measures taken to ensure the lawful processing of personal data and to prevent unlawful Access to personal data - To train and raise awareness of the company employees about LPPD, - In cases where data transfer is in question, to ensure the inclusion of any provision in contracts to be concluded with the relevant party to which the personal data are transferred that the party to which the personal data are transferred shall fulfil data security obligations,
- To determine the actions to be taken for the compliance with LPPD and to prepare an internal policy on the implementation of the same, Measures to be taken in case of unlawful disclosure of the personal data
In the event that the processed personal data are unlawfully acquired by others, our Company shall immediately inform the relevant data subject and PDPA of this matter. Obligation to be registered in Data Controllers Registry As per Article 16 of LPPD, FİNANSEVİM is obliged to be registered in Data Controllers Registry within the period of time determined and announced by PDPA within the scope of Regulation and other legislations. RULES ON PROCESSING OF PERSONAL DATA
The principles to be followed for the processing of personal data are as follows: All collected personal data shall be processed in line with the principles set forth in Article 4 and with conditions set forth Articles 5 and 6 of LPPD. As per Article 4 of LPPD, FİNANSEVİM shall be obliged to process the personal data in line with the rules of law and good faith principle, as accurate and updated when necessary, for specified, explicit and legitimate purposes and relevant, limited and proportionate to the purposes for which they are processed.
In this scope;
• FİNANSEVİM is obliged to act in compliance with the rules, prohibitions, rights and principles set forth in the laws and other legal arrangements during the processing of personal data.
• FİNANSEVİM shall be transparent and fulfil the obligations to inform and notify during the processing of personal data as required by good faith principles.
• FİNANSEVİM shall process the personal data for legitimate and legal reasons and only for the purposes explicitly specified by the laws and within the scope of permissions given in cases where required.
• FİNANSEVİM shall process the personal data to the extent necessary. In this scope, the principle of proportionality shall be taken into consideration and such personal data shall not be used for any purposes other than the activities carried out by FİNANSEVİM and matter required by such purposes. Furthermore, FİNANSEVİM must abstain from exceeding the limits required for such purposes and processing unnecessary personal data.
• FİNANSEVİM shall store the personal data for the period laid down by the relevant legislation or required for the relevant purpose of processing and shall not store such personal data without being anonymized (if possible) after the expiration of such period for any reason whatsoever.
PURPOSES OF PROCESSING AND RETENTION PERIOD OF PERSONAL DATA
Purposes of Processing of Personal Data
FİNANSEVİM processes the personal data in line with Articles 5 and 6 of LPPD for the purposes specified below and similar purposes with the explicit consent of the data subject where necessary as per legal legislation.
Personal data and contact information: Name-surname, telephone number, e-mail address details may be processed by Human Resources, Information Technologies and Customer Relations departments To answer the questions and offer an efficient service ,To record address and other details for communication, To arrange all records (IP, log) and documents (Communication Form) in electronic (internet) or printed environment,To provide information to public officials for the matters about public security upon request and as per relevant legislation, To evaluate complaints and suggestions about our services,
To fulfil our legal obligations and exercise our rights arising from the legislations in force.
Supplier Data are processed by the Purchasing and Administrative Affairs departments to maintain the relations and operations with the suppliers of the company and to manage the entire process.
Processed by Accounting department to manage BA/BS reporting process and transferred to Independent Accountant and Financial Advisor and its employees.
Processed by Administrative Affairs department to follow and track cargo operations.
Retention Periods of the Personal Data
Our Company determines whether any retention period is stipulated in relevant legislation for the storage of the personal data. Our Company complies with such periods, if stipulated; if no retention period is stipulated, our Company stores the personal data as long as required for the purpose of processing. If the purpose of processing of the personal data ends and the retention period determined by the relevant legislation and/or our Company expires, they may be stored only for the purpose of constituting evidence for legal disputes, claiming any right concerning the personal data or establishing a defense. Personal data are not stored by our Company for the probability of future use.
POLICY ON TRANSFER OF PERSONAL DATA
The principles and procedures for the transfer of personal data are regulated in Articles 8 and 9 of LPPD and personal data and special categories of personal data of the data subject may be transferred to third parties at home and abroad. As per the Law and other legislations (including but not limited to Insurance Law, Tax Procedural Law, Attorneys’ Law No: 1136 and other relevant legislations, regulations of the regulatory and supervisory authorities and situations required by the public authorities), your personal data may be processed by FİNANSEVİM and may be transferred to third parties from which FİNANSEVİM receives service, contracted institutions, attorneys for the settlement of legal disputes, natural and legal persons that we have proxy relationship, business partners, persons and institutions at home and abroad that we receive service for the storage of data in cloud environment, contracted institutions at home and abroad for the delivery of commercial electronic messages and other third parties. However, personal data may not be transferred without explicit consent of the data subject without prejudice to the exceptions in any case.
>Transfer of the Personal Data at Home
As per Article 8 of LPPD, the transfer of your personal data at home shall be possible provided that any of the conditions mentioned in Article 6 “Conditions of Processing Personal Data” of this Policy is met.
Transfer of the Personal Data Abroad
In the event of transfer of any personal data abroad as per Article 9 of LPPD, the existence of any of the conditions below shall be required besides the fulfilment of the conditions for the transfers at home:
- The country to which the personal data are to be transferred must be announced by the Board to be among the countries having adequate protection level or
- If the country to which the personal data are to be transferred fails to have adequate protection level, the undertaking by the data controllers in Turkey and relevant country to provide the adequate protection level and authorization by the Board
Personal data may not be transferred without explicit consent of the data subject
Group of Individuals that the Personal Data are Transferred by Our Company
As per Articles 8 and 9 of LPPD, our Company may transfer the personal data of the personal data owners within the scope of this Policy to the groups of individuals below for the purposes specified below:
GROUP OF INDIVIDUALS, DEFINITIONS AND PURPOSE OF TRANSFER
Legally Authorized Public Institutions and Organizations; Public institutions and organizations authorized to acquire information and documents of our Company as per the relevant legislation provisions; Limited to the purpose requested by the relevant public institutions and organizations within the scope of legal authority.
Legally Authorized Private Person/Entity; Private Persons/Entities authorized to acquire information and documents of our Company as per the relevant legislation provisions; Limited to the purpose requested by the relevant Private Persons/Entities within the scope of legal authority.
DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
As per Article 7 of LPPD, despite being processed in compliance with the provisions of the relevant legislation, personal data shall be deleted, destroyed or anonymized by our Company, ex officio or upon the request of the data subject, in the event that the reasons for the processing no longer exist.
The principles and procedures for this matter shall be carried out in accordance with LPPD and secondary legislation based on such Law.
RIGHTS OF DATA SUBJECTS AND EXERCISE OF SUCH RIGHTS
As per Article 13 of LPPD, the evaluation of the rights of data subjects and notifications to be made to the personal data owners shall be carried out through this Policy and FİNANSEVİM Personal Data Owner Application Form as well. Personal Data Owners may submit their complaints and suggestions about the processing of their personal data within the scope of principles set forth in relevant form.
Right of Application
As per Article 11 of LPPD, those whose personal data are processed can apply to our Company and request the following matters:
As per LPPD, Data Subject is entitled to;
To learn whether your personal data is already processed or not,
If processed, to learn the purpose of processing of your personal data,
To learn whether your personal data is used for the intended purposes or not;
To learn and know the identity of third parties to whom your personal data is disclosed or transferred at home or abroad;
If your personal data is processed incompletely or inaccurately, to request correction or completion of them,
If and when the causes requiring data processing are no more valid and existing, to request deletion or destruction of your personal data,
To request that third parties to whom their personal data is disclosed or transferred be informed about your requests mentioned in sub-articles (e) and (f) above,
To raise objections against probable results against your interests through analysis of the processed personal data solely and exclusively through automatic means and systems
If you suffer damages and losses due to unlawful or illegal processing of your personal data, to claim indemnification of your damages and losses.
Personal Data Owners can submit their requests on their rights mentioned in the Law in writing by using the KVK application form available on website (delivery by hand with identity validation and through notary) or using Registered Electronic Mail (REM) address, Secured Electronic Signature, Mobile Signature or electronic mail address which was previously notified to and registered in the Data Controller’s system.
Title: FİNANSEVİM GAYRİMENKUL OTOMOTİV İLETİŞİM ORGANİZASYON PAZARLAMA SANAYİ VE TİCARET A.Ş.
Data Controller: FİNANSEVİM GAYRİMENKUL OTOMOTİV İLETİŞİM ORGANİZASYON PAZARLAMA SANAYİ VE TİCARET A.Ş.
Matters Beyond the Scope of the Right of Application
As per Article 28 of LPPD, personal data owners shall not be entitled to claim any rights in the following cases:
a. Processing of personal data by persons in the course of a purely personal or household activity, provided that obligations relating to data security are complied with and data are not transferred to third parties,
b. Processing of personal data for the purposes of research, planning, statistics and similar purposes after being anonymized with official statistics,
c. Processing of personal data for the purposes of art, history, literature or science, or within the scope of freedom of expression, provided that national defense, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated,
d. Processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations that are assigned and authorized for providing national defence, national security, public safety, public order or economic safety,
e. Processing of personal data by judicial authorities and execution offices with regard to investigation, prosecution, adjudication or execution procedures.
As per sub-article 2 of Article 28 of LPPD, personal data owners shall not be entitled to claim any rights (excluding the right of compensation) in the following cases:
a. Processing of personal data is necessary for prevention of crime or investigation of a crime.
b. Processing of personal data made available to the public by the data owner herself/himself.
c. Processing of personal data is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status.
d. Processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.
As per Article 13 of LPPD, our Company shall conclude free of charge the application requests made by the personal data owner as soon as possible but within latest 30 (thirty) days depending on the nature of the application.
The applications of the personal data owners may be refused in the following cases: -a. It if blocks the rights and freedoms of other persons b) If it requires disproportionate effort c) If such data is open to public d) If it poses a risk for the privacy of others e) In case of the existence of one of the cases beyond the scope as per LPPD.
-PUBLICATION OF THIS POLICY – This data policy and rules will be notified to the users with personal data in line with the obligation to inform and shall be published on websites of FİNANSEVİM. This Policy may be revised when deemed necessary by FİNANSEVİM. In cases where such revision is required, the latest version of the Policy shall be available on Company’s website.