Personal Data Protection and Processing Policy

PERSONAL DATA PROTECTION AND PROCESSING POLICY

 
1. PURPOSE and SCOPE
As TEKNOKON, we put emphasis on your safety. As TEKNOKON we take technical and administrational precautions to ensure that your personal data preserved and processed as per the Law Nr. 6698 on Protection of Personal Data, issued for the purpose of protecting, in particular the right of privacy with respect to processing of any personal data, as well as the fundamental rights and freedoms of individuals.
In this context, we aim to inform you about TEKNOKON’s basic principles and processes of collecting, using, processing, transferring and storing personal data with our Personal Data Protection and Processing Policy in order to inform you about the processing, preservation and transfer of your personal data in accordance with Personal Data Protection Law.

2. DEFINITIONS
Explicit Consent:
Freely given, specific and informed consent.
Anonymising: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
Application Form: Application form containing data subject’s request related to use aforementioned rights ; Application Form Concerning Data Subject’s Application to Data Controller As Per Law No.6698 (Personal Data Protection Law)"
Employee: Teknokon personnel.
Prospective Trainee: Real persons who have applied for a position at Teknokon by any means or disclosed their resumes and personal data to be reviewed by Teknokon
Destruction: Deletion, disposal or, anonymization of personal data.
Business Partner: The parties with which TEKNOKON is in cooperation for purposes such as carrying out various projects or receiving services, etc..
Law / PDP: Turkish Personal Data Protection Law numbered 6698
Personal Data: Any and all kind of information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
Erasure of Personal Data: Erasure of personal data is the process of rendering personal data inaccessible and unusable for all relevant users.
Destruction of Personal Data: Destruction of personal data is the process of rendering personal data inaccessible and unusable for any person.
Anonymysation of Personal Data: Anonymisation of personal data is defined as rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
Board: Personal Data Protection Board
Authority: the Personal Data Protection Authority
Customer: Real persons who has relationship with TEKNOKON within the frame of contract and whose personal data is obtained through the business relationships of TEKNOKON.
Sensitive Personal Data: Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures and the biometric and genetic data.
Periodical disposal: The deletion, disposal or anonymization, which shall be conducted automatically on a periodical and recurrent basis as specified within the personal data storage and disposal policy in the cases, where all of the requirements for the processing of personal data as set forth within the Code cease to be satisfied.
Policy: Policy that constituted by TEKNOKON, according to Law, for protection and processing of personal data hereof.
Company Authority: TEKNOKON board member and other real authorities.
Data Processor: Real or legal persons processing the personal data on behalf of and based on the authority given by the data manager
Data Registry System: The registry system which the personal data is registered into through being structured according to certain criteria
Controller: The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.
Data Owner: Real person whose personal information is processed.
Legislation: "Legislation of Deletion, Disposal or Anonymisation of Personal Data” which have been promulgated on 10.28.2017.

3. PERSONAL DATA PROTECTION PROCEDURES AND PRINCIPLES
3.1. GENERAL PRINCIPLES

Article #20/III of the Constitution ensures the protection personal data by clarifying that personal data may only processed under certain conditions presented with PDP Law or with Data Owner’s explicit consent. According to this right granted to personal data owners, TEKNOKON processes personal data in line with principles presented in related legislation or if there is no explicit consent, then according to principle explained below:
3.1.1. Processing Personal Data in accordance with the Law and Good Faith:
TEKNOKON, complies with the rules of law and good faith within the scope of the personal data processing activities.
3.1.2. Ensuring that Personal Data is Accurate and Up-To-Date When Needed
TEKNOKON take due precautions that the personal data it processes is accurate and up-to-date whenever needed and to ensure that provided information represents actual state informs Data Owners with necessary notifications.
3.1.3. Processing for Specific, Clear and Legitimate Purposes
TEKNOKON, sets its purpose clearly and precisely in processing personal data legitimately and legally. TEKNOKON, processes such data to the extent it relates to the commercial activity it carries out.
3.1.4. Being Related, Limited and Appropriate for the Purposes of Processing
TEKNOKON, processes the Personal Data in a manner appropriate for the fulfillment of the specified purposes and refrains from processing any Personal Data that is not related with or not needed for fulfillment of the specified purposes..
3.1.5. Storage for a Period Given in the Relevant Legislation or as Required for the Purpose of Processing
TEKNOKON stores the personal data in a manner limited to the periods specified in the relevant legislation or to the purpose for which it is processed.
Accordingly, TEKNOKON, if the related legislation specifies any period with respect to the storage of personal data, then such period should be observed. But if no such period is mentioned, then personal data should be store for as long as it is needed for the purpose of processing.
3.2. PURPOSE OF PROCESSING PERSONAL DATA
Personal Data obtained from TEKNOKON can be processed within the scopes below:
  • To ensure that our legal obligations are fulfilled as required or mandated by legal arrangements,
  • Obligated for constructing/executing relationship within the scope of contract,
3.3. CONDITIONS OF PERSONAL DATA PROCESSING
Conditions of personal data processing is regulated by Law, and TEKNOKON processes personal data according to provisions presented below.
TEKNOKON, other than exceptioned mentioned in Law, solely processes personal data with obtaining data owner’s  explicit consent .
In case of situations explained below which are mentioned in Law, personal data may be processed  even without explicit consent  of data owner.
  • It is explicitly provided for by the law,
  • It is mandatory for the protection of life or to prevent the physical injury of a person, in cases where that person can not express consent or whose consent is legally invalid due to physical disability,
  • Processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfillment of that contract.
  • It is mandatory for the controller to fulfill its legal obligations,
  • The data is made manifestly public by the data subject,
  • Data processing is mandatory for the establishment, exercise or protection of any right,
  • It is mandatory for the legitimate interests of the controller, provided that such processing shall not violate the fundamental rights and freedoms of the data subjects.
3.4. PROVISIONS REGARDING THE PROTECTION OF PERSONAL DATA
Pursuant to the article #12 of the Law, TEKNOKON takes necessary technical and administrative measures to maintain appropriate level of security in order to prevent the personal data it processes from being processed illegally, prevent the data from being accessed illegally and maintain such data and carries out necessary inspection or gets such inspection done, in this respect.
3.4.1. Technical Precautions to Be Taken in Order for Legal Processing Of Personal Data, Prevention of Illegal Access to the Personal Data and Secure Storage of Personal Data
  • Regarding personal data protection, technical measures taken in line with technological capabilities and those measures updated and renewed in periodic manner.
  • Regular inspections are made towards execution of measures taken.
  • Security software and hardware made available/used in this manner.
  • Clearance to personal data processed by TEKNOKON, is limited with determined cause and related company employees.
3.4.2. Administrational Precautions to Be Taken in Order for Legal Processing Of Personal Data, Prevention of Illegal Access to the Personal Data and Secure Storage of Personal Data
  • TEKNOKON employees are informed and trained regarding the of protecting personal data.
  • TEKNOKON includes such provisions in the contracts which are made with persons to whom personal data transferred in line with the Law, regarding the fact that the persons to whom the personal data is transferred shall be required to take any and all necessary measures to protect the personal data and shall ensure that such measures are observed at its own organization.
  • Processed executed by TEKNOKON inspected with utmost care to details and action made within the frame of personal data processing is detected specific to each business unit.
  • In this concept, required steps identified to ensure compliance between data processing actions made and personal data protection conditions which are detailed in Personal Data Protection Law.
  • TEKNOKON identifies necessary practices to meet legal compliance requirements according to company structures as well as regulates administrational measures, in-house policies and trainings to ensure of inspection and sustainability of those aforementioned practices.
  • Contracts and documents regulating the legal relation between our TEKNOKON and employees, apart from exceptions introduced by TEKNOKON instructions and law, are subject to obligations not to process, disclose and use personal data and employees’ awareness are raised in this respect and controls are conducted.
  • The employees keep informed regarding the disclosing of the personal data which they learnt to the other persons contrary to the PDPL provisions and not to use except processing purpose and continuation this obligation after they resign and the necessary commitments are taken from them in this direction.
3.4.3. Auditing The Measures Taken for Personal Data Protection
TEKNOKON, in accordance with Article 12 of Law, undertakes audits related to technical and administrational measures taken or have them undertaken within the frame of personal data protection and ensuring safety of personal data. Results of such audit are reported to the relevant department within the scope of TEKNOKON’s internal functioning, while necessary activities for the improvement of measures are taken.
3.5. CONDITIONS OF PROCESSING SENSITIVE PERSONAL DATA
TEKNOKON demonstrates high precision of processing Sensitive Personal Data which is considered as more critical to protect in respect to many aspects for Data Owner.
The certain personal data bearing a risk that causes to unjust treatment or discrimination of the persons when processing illegally are determined as “specific” data in Article 6 of the Law. These data are race, ethnic origin, political party membership, philosophical belief, religion, religious sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and data related to security measures and biometric and genetic data.
Sensitive Personal Data processed by TEKNOKON, according to Law, provided that adequate measures which are determined by Board has been taken and also only following conditions are exists:
  • If there is explicit consent of the personal data owner or
  • If there is not explicit consent of the personal data owner;
(i) Specific personal data except health and sexual life of the personal Data Owner, in cases foreseen by laws,,
(ii) Specific personal data related to the health and sexual life of the personal data owner only can be processed by the persons having confidentiality obligation and authorized institutions and organizations in order to protect public health, to carry out medical diagnosis, treatment and nursing services and to plan and to manage health care services and its financing.
3.6. PROVISIONS REGARDING PROTECTION OF SENSITIVE PERSONAL DATA
TEKNOKON, with the responsibility of Data Controller and according to Board’s decision #2018/10 dated 01.31.2018 related to Article #6 of the Law, take following provisions:
3.6.1. Procedures for Employees who involves Sensitive Personal Data processing presented below;
  • Regular trainings on Law, related legislations and protection of Sensitive Personal Data provided,
  • Non-disclosure agreements are signed,
  • For employees who are granted personal data access privilege; scope and period of that privilege explicitly defined;
  • Regular privilege controls are made,
  • Privileges of reassigned or released are immediately taken back. In this case, Data Controller takes back the inventory allocated to that Employee.
3.6.2. If Personal Data processed, stored and/or accessed in electronic environment, following measures are taken;
  • Personal Data secured by using cryptographic methods,
  • Cryptographic keys maintained in secure and physically different environments,
  • Process records of all actions made within Personal Data are logged in a secure manner,
  • Security updates about the environments where Personal Data maintained followed constantly and required security examinations made/have been made and test results are logged,
  • In case a software tool is used to access Personal Data, access authorization allocated to necessary users, software security test made/have been made regularly and test results are logged,
  • For conditions where remote access is necessary, authentication system with least two approval stages are used.
3.6.3. If Personal Data processed, stored and/or accessed in physical environment, following measures are taken;
  • Depending the conditions of environment where Sensitive Personal Data maintained, adequate security measures (against electrical leakage, fire, flood, robbery, etc.) are taken,
  • Those environments made secure against unauthorized entries.
3.6.4. Sensitive Personal Data transfer is executed with following measures taken;
  • If Personal Data will be necessarily transferred by e-mail; corporate e-mail account with password protection or Registered Electronic Mail (KEP) accounts are used,
  • If Personal Data will be necessarily transferred by External Hard Disk, CD or DVD, cryptographic enciphering methods are used and cryptographic key maintained in different environment,
  • In case transfer between servers which are physically located in different environments, transfer process is done with either installing VPN between servers or sFTP method,
  • If Personal Data is transferred in paper format, adequate measures against theft, loss and access by unauthorized person is taken and document is sent in "Confidential" format.
  • In addition to measures presented above, technical and administrational measures for ensuring adequate security level in Personal Data Security Guide published in Authority is also taken into account.
3.7. KİŞİSEL VERİLERİN AKTARILMASI
TEKNOKON, with taking required safety measures and adequate precautions, transfers legally obtained Personal Data and/or Sensitive Personal of Data Owner to third parties. Accordingly, TEKNOKON, may transfer Personal Data to third parties under the condition that processing conditions mentioned herein Policy and conditions explained below exists.
  • If there is explicit consent of the personal data owner;
  • If there is explicit regulation in laws that concerns Personal Data transferring,
  • If it is mandatory for the protection of life or to prevent the physical injury of a person, in cases where that person can not express consent or whose consent is legally invalid due to physical disability;
  • If transferring of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfillment of that contract.,
  • If transferring of personal data is mandatory for TEKNOKON to fulfill legal obligation,
  • If the personal data is made manifestly public by the data subject,,
  • If data transferring is mandatory for the establishment, exercise or protection of any right,
  • It is mandatory for the legitimate interests of the controller, provided that such transferring shall not violate the fundamental rights and freedoms of the data subjects.
3.9. TRANSFERRING PERSONAL DATA ABROAD
According to legal and legitimate Personal Data processing purposes, if there is explicit consent of Data Owner or if there is not explicit consent of the personal data owner then in case of any of circumstances explained below exists; TEKNOKON, transfers personal data to foreign countries where Data Controller declared to provide an adequate level of data protection:
  • If there is explicit regulation in laws that concerns Personal Data transferring,
  • If it is mandatory for the protection of life or to prevent the physical injury of a person, in cases where that person can not express consent or whose consent is legally invalid due to physical disability;
  • If transferring of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfillment of that contract.,
  • If transferring of personal data is mandatory for TEKNOKON to fulfill legal obligation,
  • If the personal data is made manifestly public by the data subject,,
  • If data transferring is mandatory for the establishment, exercise or protection of any right,
  • It is mandatory for the legitimate interests of the controller, provided that such transferring shall not violate the fundamental rights and freedoms of the data subjects.
3.10. TRANSFERRING SENSITIVE PERSONAL DATA ABROAD
According to legal and legitimate Personal Data processing purposes, if there is explicit consent of Data Owner or if there is not explicit consent of the personal data owner then in case of any of circumstances explained below exists; TEKNOKON with necessary attention and taking required safety measures and adequate precautions determined by Board , transfers personal data to foreign countries where Data Controller declared to provide an adequate level of data protection.
  • If there is explicit consent of the personal data owner or
  • If there is not explicit consent of the personal data owner;
(i) Specific personal data except health and sexual life of the personal Data Owner, in cases foreseen by laws,,
(ii) Specific personal data related to the health and sexual life of the personal data owner only can be processed by the persons having confidentiality obligation and authorized institutions and organizations in order to protect public health, to carry out medical diagnosis, treatment and nursing services and to plan and to manage health care services and its financing.
4. PRINCIPLES ABOUT PERSONAL DATA STORAGE PERIOD
TEKNOKON stores any personal data for the period specified by the relevant legislation and according to TEKNOKON’s legal obligations.
If the legislation does not specify any period as regards how long the personal data should be stored; then for a period depending on the activity performed by TEKNOKON while processing such data, Personal Data is processed for a period of contract; and for a period in accordance with the internal practices and business routines of the business life of TEKNOKON. When this period is over; these data will be erased, destroyed or anonymised.
In case the purpose of processing personal data has disappeared and erase/anonymisation has demanded by Personal Data Owner(s) and the storage period(s) set by the relevant legislation or specified by TEKNOKON have ended; Personal Data can only be stored, to constitute an evidence or to claim the relevant right related to the personal data or to establish the justification.
TEKNOKON predicates period of limitation which explained in related legislation for determination of personal data storing period.
Accordingly, the stored personal data cannot be accessed for any other purpose and such personal data can only be accessed only when it is required to be used in the related legal dispute.
Personal data is erased, destructed or anonymised following the expiry of the period mentioned herein.
5. ERASE, DESTRUCTION AND ANONYMISING PERSONAL DATA
TEKNOKON shall delete, destruct or anonymize the personal data on its own motion or upon the request of the owner of personal data, in case the reasons, which require processing is disappear, even though it has been processed in accordance with the provisions of the relevant law as laid down in Article #7 of the Personal Data Protection Law and Article #138 of Turkish Criminal Law.
6. OBLIGATIONS and RIGHTS
6.1. TEKNOKON’S DISCLOSURE AND INFORMING OBLIGATION

TEKNOKON, discloses to the personal data owners during obtaining of personal data in compliance with the Article 10 of the PDPL.
  • In this concept, TEKNOKON informs Data Owner about;
  • the identity of Data Controller and its representative, if any,
  • the purpose for which the personal data is processed;,
  • to whom and for what purposes such personal data can be transferred;,
  • the method and legal reason of personal data collection and
  • legal rights owned by the personal data owner.
Article # 20 of the Constitution stipulates that everyone has the right to be informed about his/her personal data about. Therefore, the Article #11 of the Law mentions that “information request” is one of the rights owned by the owner of personal data. Within this scope, TEKNOKON provides the necessary information if requested by the Owner of Personal Data, pursuant to the Article #20 of the Constitution and Article #11 of the Law.
6.2. THE RIGHTS OF PERSONAL DATA OWNERS
Data Owners has following rights:
  • Get to know whether TEKNOKON is processed any personal data,
  • If the personal data was processed by TEKNOKON, to request information related to processing,
  • If the personal data was processed by TEKNOKON, to learn the purpose of personal data processing and whether they are used according to their purpose or not,
  • To know third persons who the personal data are transferred at home and abroad,
  • In the event that the personal data are processed incompletely or incorrectly, to request correction of them,
  • In the event that the personal data are processed incompletely or incorrectly by TEKNOKON, to request informing third parties whom the personal data transferred to about the situation,
  • Although they are processed in compliance with PDPL and other relevant law provisions, to request deletion or destroying personal data in the event that the reasons required the processing has been removed,
  • In the event that the reasons required the processing has been removed to request informing the third parties whom personal data transferred to about the situation,
  • Raise an objection to occurrence of any result against themselves, due to analysis of personal data which is processed by TEKNOKON exclusively by means of automated systems.
  • Request compensation for the damages in case they incur damages due to illegal processing of personal data.
  • Personal data owners should forward their requests related to use aforementioned rights - Application Form Concerning Data Subject’s Application to Data Controller As Per Law No.6698 - to TEKNOKON in written or via other methods determined by Personal Data Protection Board.
6.3. EXCEPTIONS
According to Article#28 of the Law, the provisions of this Law shall not be applied in the following cases where, therefore Data Owners shall not allege the rights aforementioned:
  • personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
  • personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized.
  • personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defense, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime.
  • personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defense, national security, public security, public order or economic security.
  • personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings..
According to Article #28/2 of the Law, TEKNOKON’s Obligation to Inform shall not apply in following cases where Personal Data processing:
  • is required for the prevention of a crime or crime investigation.
  • is carried out on the data which is made public by the data subject himself.
  • is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorized for such actions in accordance with the power conferred on them by the law.
  • is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues.
7. AUTHORITY and RESPONSIBILITIES
Personal Data Protection and Processing Policy come into operation by the approval of Corporate Board. In addition, modifications related to Personal Data Protection and Processing policy is also possible with approval of Corporate Board.
Authorized Board Member who is granted authority by Board of Director and in line with regulation is responsible for ensuring, maintaining and sustaining TEKNOKON’s compatibility to current Law, coordination across departments, evaluating whether TEKNOKON’s operations is compatible to Law.
8. CATEGORIZATION OF PERSONAL DATA
By informing the relevant parties in accordance with Article 10 of the Law, in line with the lawful and legitimate processing purposes of TEKNOKON’s based on and limited to one or more than one of the conditions for data processing set forth under Article 5 of the Law no. 6698, below mentioned categories of personal data are processed in accordance with the principles based on Article 4 of the Law no. 6698 and other general principles and obligations provided under the Law and limited to the subjects (Customer, Potential Customer, Visitor, Third Person, Company Shareholder, Company Official, Employees, Shareholders and Officials of Institutions that Our Company cooperates with) specified under this Policy.
CATEGORIZATION OF PERSONAL DATA
EXPLANATION
Identity Information
All identity information; for example name and surname, identity number, gender, date of birth, tax number, tax certificate which explicitly belongs to an identified or identifiable real person and processed wholly or partly by automatic means or by non-automatic means as a part of the data recording system.
Contact Information
Information such as phone number, address, e-mail, fax number, IP address which explicitly belongs to an identified or identifiable real person and processed wholly or partly by automatic means or by non-automatic means as a part of the data recording system
Financial Information
Based on the nature of the legal relation established between TEKNOKON and the data subject; such as bank account number (in case of balance return), IBAN number, which explicitly belongs to an identified or identifiable real person and processed wholly or partly by automatic means or by non-automatic means as a part of the data recording system.
Personnel Information
Any personal data processed for obtaining the information that is required for the establishing the basis of personnel rights of our employees or real persons having a working relation with TEKNOKON; which explicitly belongs to an identified or identifiable real person and processed wholly or partly by automatic means or by non-automatic means as a part of the data recording system.
Sensitive Personal Data
Data stated under Article 6 of PDP Law which explicitly belongs to an identified or identifiable real person and processed wholly or partly by automatic means or by non-automatic means as a part of the data recording system
Request/ Complaint Management Information
Personal data relating to the receipt and evaluation of all requests or complaints addressed to TEKNOKON which explicitly belongs to an identified or identifiable real person and processed wholly or partly by automatic means or by non-automatic means as a part of the data recording system
According to regulated issues in Policy and Articles 8 and 9 of Law, TEKNOKON may transfer personal data of the data subjects, governed by the Policy, to the below listed categories of persons:
Persons and corporations who granted permission according to Law #5549: Prevention of Laundering of Crime Revenues ; public legal entities such as MASAK and regulation authorities; public authorities such as ministries and judicial authorities; TEKNOKON’s employees, legal, financial and tax consultants, auditors; principal shareholders; program partner organizations in based in Turkey/abroad that our company cooperates with and receives services and 3. Parties that you have granted your explicit consent.
 
Concept and purposes of persons to whom personal data is transferred is explained below.

Persons where Personal Information can be conveyed to Definition
Purpose of Data Transfer

Business Partner
Defines the parties with which TEKNOKON is in cooperation by itself or by means of principal shareholders for purposes such as carrying out various projects or receiving services, etc..
Limited with ensuring the performance of the purposes of establishing the business partnership.
Group Companies & Company Officials
TEKNOKON board members and other real authorities. Limited with the purpose of planning the strategies regarding business operations of the TEKNOKON in accordance with the relevant legislation, managing at corporate level and auditing
Legally Authorized Public Organizations and Institutions
In accordance with the relevant legislation, public organizations and institutions authorized to receive information and documentation from the TEKNOKON
Limited with the purposes of the request made by the organization and institution within the scope of their legal authorization
Legal Entities of Private Law
In accordance with the relevant legislation, legal entities of private law authorized to receive information and documentation from TEKNOKON Limited with the purposes of the request made by the relevant legal entities private law within the scope of their legal authorization.