Policy on Processing and Protection of Personal Data


PART ONE

§ 1. INTRODUCTION


1.1. Introduction

As EVOLOG NAKLIYAT VE LOJISTIK HIZMETLERI TICARET LIMITED ŞIRKETI (the "Company"), we attach great importance to the processing and protection of personal data in accordance with Law No 6698 on the Protection of Personal Data (hereinafter referred to as the "Law") and we act with this care in all our planning and activities. With this in mind, we hereby present this Policy on Processing and Protection of Personal Data (hereinafter referred to as the "Policy") for your information in order to fulfil our responsibility to inform you within the scope of Article No 10 of the Law and to inform you of all administrative and technical measures we take within the scope of processing and protection of personal data.


1.2. The Purpose of the Policy

The main purpose of this Policy is to make clarifications on the systems for the processing and protection of personal data in accordance with the Law and the purpose of the Law, and in this context, to inform the persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Customers of the Company, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all rights of personal data owners arising from the legislation on personal data.


1.3. Scope of the Policy and Personal Data Subjects

This Policy is prepared for persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Customers of the Company, Potential Customers and Third Parties, by automatic or non-automatic means provided that they are part of any data recording system; and, it shall be applied within the scope of the specified persons. This Policy shall in no way apply to legal entities and their data.

By publishing this Policy on its website, our Company aims to inform the aforementioned Personal Data Subjects about the Law. For the employees of our Company, the Policy on the Processing of Personal Data for Employees shall apply.

In the event that the data is not included in the scope specified below, i.e. within the scope of 'Personal Data', or in the event that the Personal Data processing activity carried out by our Company is not carried out in the above-mentioned ways, this Policy shall not apply.

In this context, within the scope of this Policy, the Personal Data Subjects are as follows:

Company Stakeholders

They are real persons who are Stakeholders of the Company.

Real Person Business Partners of the Company

They are real persons with whom the Company is in any kind of business relationship.

Stakeholder, Official, Employee of the Business Partners of the Company

They are all real persons, including Employees, Stakeholders, and Officials of real and legal persons (such as Business Partners and Suppliers) with whom the Company is in any kind of business relationship.

Company Officials

They are the Members of the Board of Directors of the Company and other duly authorised real persons.

Employee Candidate

They are real persons who have applied for a job to the Company by any means or who have submitted their CV and related information for the review of the Company.

Customers of the Company

They are real persons, who are using or who have used services and products presented by the Company regardless of whether they have any contractual relationships with the Company.

Visitors

They are real persons, who have shown their interest and demand in the use of the products and services of the Company, or real persons, whose potential to have such interest is considered in accordance with commercial practice rules and honesty rules.

Potential Customer

They are all real persons who visit the physical premises owned by the Company for various purposes or visit the websites for any purpose.

Third Person

They are other real persons who are not included in the scope of the Policy on the Protection and Processing of Personal Data prepared for the Employees of the Company and who are not categorised as any personal data subject under this Policy.

1.4. Definitions

The terms used in this Policy shall have the following meanings:

Company/Our Company

It refers to "EVOLOG NAKLIYAT VE LOJISTIK HIZMETLERI TICARET LTD ŞTI".

Personal Data

It refers to any information relating to an identified or identifiable real person.

Sensitive Personal Data

It refers to data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

The Protection of Personal Data

It refers to all kinds of transactions carried out on data such as obtaining, recording, retaining, preserving, modifying, re-modifying, disclosing, transferring, taking over, making accessible, classifying or preventing the use of personal data fully or partially automatically or by non-automatic means, provided that it is a part of any data recording system.

Personal Data Subjects/Concerned Persons

It refers to Company Stakeholders, Company Business Partners, Company Officials, Employee Candidates, Visitors, and Customers of the Company, Potential Customers, Third Parties and persons whose personal data are processed by the Company.

Data Recording System

It refers to the recording system where personal data are organised and processed according to certain criteria.

Data Controller

It refers to the real or legal person who defines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor

It refers to real or legal persons who process personal data on behalf of the Data Controller on the basis of the authorisation granted by the Data Controller.

Explicit Consent

It refers to consent on a specific subject, based on information and expressed with free will.

Anonymization

It refers to the process of making the data previously associated with a person impossible to be associated with an identified or identifiable real person under any circumstances, even by matching with other data.

Law

It refers to Law No 6698 on the Protection of Personal Data.

KVK (Protection of Personal Data) Committee

It refers to the Personal Data Protection Committee.

1.5. Enforceability of the Policy

This Policy, which was prepared and put into force by the Company, was updated on 01.03.2019, is published on the Company's website (www.evolog.com.tr) and is made available to the relevant persons upon the request of the Personal Data Subjects.


PART TWO

§ 2. PROCESSING AND TRANSFER OF PERSONAL DATA

2.1. General Principles Regarding the Processing of Personal Data

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. When processing Personal Data, the Company shall act in accordance with the following principles:

  • Personal Data shall be processed in accordance with the relevant rules of law and the requirements of good faith.

  • It shall be ensured that Personal Data is accurate and up to date. In this context, matters such as identifying the sources from which the data are obtained, confirming their accuracy, and assessing whether they need to be updated shall be carefully considered.

  • Personal Data shall be processed for specific, explicit, and legitimate purposes. The legitimacy of the purpose means that the Personal Data processed by the Company is related to and necessary for the business it conducts or the services it provides.

  • Personal Data is the information necessary for the realisation of the purposes set by the Company. Processing of Personal Data that is not related to the realisation of the purpose or is not needed shall be avoided. The Company keeps the processed data limited only to what is necessary for the realisation of the purpose. In this context, the processed Personal Data are relevant, limited and proportionate to the purpose for which they are processed.

  • If there is a period prescribed for the retention of data in the relevant legislation, the Company shall comply with these periods. Otherwise, it shall retain Personal Data only for the period required for the purpose for which they are processed. In the event that there is no longer a valid reason for the further retention of Personal Data, such data shall be deleted, destroyed, or anonymised.


2.2. Requirements for the Processing of Personal Data

The Company shall not process Personal Data without the explicit consent of the data subject. In the presence of one of the following requirements, Personal Data may be processed without seeking the explicit consent of the data subject.

  • Even if the Company does not have the explicit consent of the Personal Data Owners for the processing of Personal Data, it may process it in cases expressly stipulated in the Laws. For example, according to Article No 230 of the Tax Procedure Law, explicit consent from the data subject shall not be sought for the inclusion of the name of the data subject on the invoice.

  • Personal Data may be processed without explicit consent in order to protect the life or physical integrity of persons who are unable to disclose their consent due to actual impossibility or whose consent cannot be validated, or of another person. For example, in a situation where the person is unconscious or mentally ill and his/her consent is not valid, the Personal Data of the Personal Data Subject may be processed during medical intervention for the protection of life or body integrity. In this context, data such as blood type, previous illnesses and operations, and medications used can be processed through the relevant health system.

  • Provided that it is directly related to the establishment or performance of a contract by the Company, the Personal Data of the parties to the contract may be processed. For example, the Account Number of the creditor party may be obtained for the payment of money in accordance with a contract.

  • In order to meet its legal obligations as a Data Controller, the Company may process the Personal Data of Personal Data Subjects if it is mandatory to do so.

  • The Company may process the Personal Data made public by the Personal Data Subjects themselves, in other words, the Personal Data disclosed to the public in any way, when the legal benefit to be protected is no longer available.

  • In cases where data processing is mandatory for the exercise or protection of a legitimate legal right, the Company may process the Personal Data of Personal Data Subjects without seeking explicit consent.

  • Provided that the fundamental rights and freedoms of the Personal Data Owners protected under the Law and the Policy are not harmed, the Company may process the Personal Data of the Personal Data Subjects in cases where the processing of Personal Data is mandatory for the provision of legitimate interests. The Company displays the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to respect the balance of interests of Personal Data Owners.


2.3. Requirements for the Processing of Sensitive Personal Data

The Company cannot process Sensitive Personal Data without the explicit consent of the data subject. However, Personal Data other than health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law. Even in conditions under the obligation of confidentiality, Personal Data relating to health and sexual life can be processed by the Company only for the protection of public health, preventive medicine, medical diagnosis and treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject. The Company shall follow necessary procedures to take adequate measures determined by the Committee in the processing of Sensitive Personal Data.


2.4. Requirements for the Transfer of Personal Data

Our Company shall have the right to transfer Personal Data and Sensitive Personal Data of Personal Data Subjects to third parties in accordance with the Law by establishing the necessary confidentiality conditions and by taking security measures in line with the purposes of processing Personal Data. During the transfer of Personal Data, our Company shall act in accordance with the regulations stipulated in the Law. In this context, in line with legitimate and lawful purposes of processing Personal Data, our Company may transfer Personal Data if Personal Data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data Subject, based on and limited to one or more of the Personal Data processing requirements specified in Article No 5 of the Law, listed below:

  • If there is explicit consent of the Personal Data Subject,

  • If there is a clear provision in the laws regarding the transfer of Personal Data, if it is mandatory for the protection of the life or physical integrity of the Personal Data Subject or someone else, and

  • If the Personal Data Subject is unable to express his/her consent due to actual impossibility or if his/her consent is not legally valid,

  • Provided that it is directly related to the establishment or performance of a contract, if it is necessary to transfer the Personal Data of the parties to the contract,

  • If the transfer of Personal Data is mandatory for the fulfilment of our Company's legal obligations,

  • If the Personal Data is made public by the Personal Data Subject,

  • If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,


2.4.1. Requirements for the Transfer of Personal Data Abroad

By taking the necessary security measures in line with the purposes of processing Personal Data, our Company may transfer Personal Data and Sensitive Personal Data of Personal Data Subjects to third parties abroad. Personal Data may be transferred by our Company to foreign countries that are announced by the KVK Committee to have adequate protection. In the absence of adequate protection, such Personal Data may be transferred to foreign countries if the Data Controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the KVK Committee authorises such transfer.

2.5. Requirements for the Transfer of Sensitive Personal Data

The Company may transfer the Sensitive Personal Data of the Personal Data Subjects to third parties in the following cases in line with the legitimate and lawful Personal Data processing purposes by taking due care, taking the necessary security measures and taking adequate measures stipulated by the KVK Committee.

(i) If there is explicit consent of the Personal Data Subject; or

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Subject:

  • Sensitive Personal Data other than the health and sexual life of the Personal Data Subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, criminal conviction and security measures and biometric and genetic data) can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, in cases stipulated by law.

  • Sensitive Personal Data relating to the health and sexual life of the Personal Data Subject can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.


2.5.1. Transfer of Sensitive Personal Data Abroad

The Company may transfer the Sensitive Personal Data of the Personal Data Subject to foreign countries in the following cases, where the data controller has adequate protection or undertakes adequate protection, in line with the legitimate and lawful Personal Data processing purposes by taking due care, taking the necessary security measures and taking adequate measures stipulated by the KVK Committee.

(i) If there is explicit consent of the Personal Data Subject; or

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Subject:

  • Sensitive Personal Data other than the health and sexual life of the Personal Data Subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, criminal conviction and security measures and biometric and genetic data) can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, in cases stipulated by law.

  • Sensitive Personal Data relating to the health and sexual life of the Personal Data Subject can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.


PART THREE

§ 3. PURPOSES OF PROCESSING AND TRANSFER OF PERSONAL DATA, PERSONS TO WHOM PERSONAL DATA SHALL BE TRANSFERRED

3.1. Purposes of Processing and Transferring Personal Data

Personal Data shall be processed in accordance with the Law and the purpose of the Law, limited to the following purposes, within the scope of the Personal Data Processing Requirements specified in Article No 5 and Article No 6 of the Law:

  • Optimal planning and implementation of the policies of human resources departments,

  • Proper planning, execution and management of the company's commercial partnerships and strategies,

  • Ensuring the legal, commercial and physical security of the Company and its business partners,

  • Ensuring the corporate functioning of the company, planning and execution of management and communication activities,

  • Ensuring that Personal Data Subjects benefit from the Company's products and services in the best way possible; customising and recommending these products and services according to the demands, needs and requests of Personal Data Subjects,

  • Ensuring data security at the highest level,

  • Creation of databases,

  • Improvement of the services offered on the website and elimination of any errors on the website,

  • Contacting the Personal Data Subjects who submit their requests and complaints to the Company and ensuring the management of such requests and complaints,

  • Management of events,

  • Management of relationships with business partners or suppliers,

  • Execution of basic processes related to recruitment of the personnel,

  • Supporting the planning and execution processes of the fringe rights and benefits to be provided to senior executives,

  • Execution/follow-up of financial reporting and risk management transactions,

  • Execution/follow-up of the legal affairs of the Company,

  • Performing studies to protect the reputation of the Company,

  • Managing the relationships with investors,

  • Providing information resulting from the legislation for competent authorities,

  • Creation and follow-up of visitor records.

In the event that the personal data is processed for the aforementioned purposes and does not meet any of the conditions stipulated under the Law, your explicit consent shall be sought by the Company with respect to the relevant processing process.


3.2. Persons to whom Personal Data shall be Transferred

Personal Data may be shared with our business and solution partners, banks and third parties who perform technical, logistics and other similar operations on our behalf in order to ensure that the services provided to you are complete and flawless and only to the extent appropriate to the nature of the service. These third parties consist of persons who are obliged to have access to the relevant information in order to provide the relevant services fully and flawlessly.

Apart from these, your Personal Data may be transferred (limited only to the relevant persons or institutions) in case the Company has to share the data with other third parties in order to ensure complete and flawless delivery of the service, in case it is necessary for the Company to fulfil its legal obligations, in case it is expressly stipulated in the laws or in case there is a judicial/administrative order issued in accordance with the law.

A portion of the Personal Data may be shared with advertisers in an aggregated anonymised form together with information about other users only, in order to enable targeted tailoring of advertisements.

Anonymised data is information that cannot be associated with you, our visitors/customers, and does not contain your ID information or make your ID identifiable. In the case of anonymised data, your confidentiality is guaranteed.

PART FOUR

§ 4. METHOD AND LEGAL GROUNDS FOR THE COLLECTION OF PERSONAL DATA; DELETION, DESTRUCTION, ANONYMISATION AND RETENTION PERIOD OF PERSONAL DATA


4.1. Method and Legal Grounds for the Collection of Personal Data

For the purpose of ensuring compliance with Article No 1 concerning the purpose of the Law and Article No 2 concerning the scope of the Law, Personal Data shall be collected by all kinds of verbal, written, electronic, technical and other methods, through various means such as call centre, Company website, mobile application, in order to fulfil the purposes set out in the Policy, within the framework of legal grounds based on legislation, contract, demand and request, in order to fulfil the responsibilities arising from the law in a complete and accurate manner. In addition, such data shall be processed by the Company or the Data Processors authorised by the Company.


4.2. Deletion, Destruction or Anonymization of Personal Data

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymisation of Personal Data, the Company shall delete, destroy or anonymise Personal Data ex officio or upon the request of the Data Subject, in the event that the grounds requiring the processing of Personal Data disappear, even though it was processed in accordance with the provisions of this Law and other laws. Upon deletion of Personal Data, these data are destroyed in such a way that they cannot be used and recovered in any way again. Accordingly, Personal Data shall be irreversibly deleted from the documents, files, CDs, floppy disks, hard discs, etc. where they are stored/retained. Destruction of Personal Data refers to the destruction of materials suitable for storing/retaining data such as documents, files, CDs, diskettes, hard discs, etc. where data is stored so that the information cannot be recovered and used again. Anonymisation of Personal Data means that Personal Data cannot be associated with an identified or identifiable real person, even if it is matched with other data.


4.3. How Long Will The Personal Data Be Stored/Retained?

If stipulated in the legislation, the Company shall retain Personal Data for the period specified in this legislation. If a period of time is not prescribed in the legislation on how long personal data should be stored/retained, Personal Data shall be processed for the period required to be processed in accordance with the practices of the Company and the customs of the Company's commercial life, depending on the activity carried out by the Company while processing that data, and then deleted, destroyed or anonymised.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Company have come to an end, personal data may be retained only for the purpose of constituting evidence in possible legal disputes or for the assertion or defence of the relevant right related to personal data. Retention periods are determined based on the statute of limitations for asserting the aforementioned right, as well as examples of previous requests made to the Company on similar matters, even after the statute of limitations had expired. In this case, the retained personal data cannot be accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. Upon expiry of the aforementioned period, personal data are deleted, destroyed, or anonymised.

Detailed rules regarding the techniques of the Company regarding the retention, deletion, destruction, and anonymisation of Personal Data are available in the Company's Policy on Retention and Destruction of Personal Data.


PART FIVE

§ 5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

As per Article No 12 of the Law, the Company shall take the necessary technical and administrative measures aimed at ensuring the appropriate level of security in order to prevent unlawful processing of the Personal Data it processes, to prevent unlawful access to the data and to ensure the preservation of the data. In this context, it shall carry out or have the necessary audits carried out.

5.1. Ensuring The Security Of Personal Data

5.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

In order to ensure the lawful processing of Personal Data, the Company shall take technical and administrative measures according to the technological possibilities and the cost of implementation.

(i) Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

  • The Personal Data processing activities carried out under the roof of the Company are supervised by the technical systems established.

  • The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

  • Personnel knowledgeable in technical issues are employed.

(ii) Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

  • Employees are informed and instructed about the law on the protection of Personal Data and the processing of Personal Data in accordance with the law.

  • All activities carried out by the Company are analysed in detail for all business units. As a result of such analysis, Personal Data processing activities are revealed specific to the activities carried out by the relevant business units.

  • For the Personal Data processing activities carried out by the business units of the Company, the requirements to be fulfilled in order to ensure that these activities comply with the Personal Data Processing Conditions sought by the Law are determined specifically for each business unit and the detailed activity it carries out.

  • In order to ensure the requirements of legal compliance determined on a business unit basis, awareness is raised specific to the relevant business units and rules of practice are determined. Necessary administrative measures are implemented through internal policies and training to ensure the supervision of these issues and the continuity of the implementation.

  • The contracts and documents governing the legal relationships between the Company and the employees include clauses that impose the obligation not to process, disclose and use Personal Data, except for the Company's instructions and the exceptions imposed by law; the awareness of the employees in this regard is created, and the obligations arising from the Law are fulfilled by conducting inspections.


5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The Company adopts technical and administrative measures according to the nature of the data to be protected, technological capabilities and cost of implementation in order to prevent imprudent or unauthorised disclosure, access, transfer or any other unlawful access to Personal Data.

(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

  • Technical solutions for access and authorisation are put into use in accordance with the legal compliance requirements determined on a business unit basis.

  • Access authorisations are limited and authorisations are regularly reviewed.

  • The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism. Issues that pose a risk are re-evaluated and necessary technological solutions are produced.

  • Software and hardware including virus protection systems and firewalls are installed.

  • Personnel knowledgeable in technical issues are employed.

  • In order to identify security vulnerabilities in the applications where Personal Data is collected, security scans are carried out regularly. It is ensured that the detected vulnerabilities are eliminated.


(ii) Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Employees are trained on the technical measures to be taken to prevent unlawful access to Personal Data.

  • On a business unit basis, Personal Data access and authorisation processes are designed and implemented within the Company in accordance with the requirements of legal compliance with the processing of Personal Data.

  • Employees are advised that they cannot disclose the Personal Data they have acquired to anyone else in violation of the provisions of the Law and cannot use them for purposes other than processing, and that this obligation shall remain in force even after their resignation. Necessary commitments to this effect are obtained from them.

  • In the contracts concluded by the Company with the persons to whom Personal Data are transferred in accordance with the law, provisions stipulating that the persons to whom Personal Data are transferred shall take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organisations shall be included.


5.1.3. Storage/Retention of Personal Data in Secure Environments

The Company shall take the necessary technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to store/retain Personal Data in secure environments and to prevent the destruction, loss or alteration of Personal Data for unlawful purposes.

(i) Technical Measures Taken for the Retention of Personal Data in Secure Environments

The main technical measures taken by the Company to retain Personal Data in secure environments are listed below:

  • Systems in line with technological developments are used to store Personal Data in secure environments.

  • Personnel specialised in technical issues are employed.

  • Technical security systems are installed for the storage areas, security tests and research are carried out to identify security vulnerabilities on IT systems, and existing or potential risk issues identified as a result of the tests and research are eliminated. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

  • In order to ensure the safe storage/retention of Personal Data, backup programs are used in accordance with the law.

  • Access to data is restricted. Only authorised persons are allowed to access the media where personal data are retained, limited to the purpose of retaining personal data, and all access is logged. Access to the data storage areas where Personal Data is stored is logged, and the relevant persons are instantly notified of inappropriate access or access attempts.


(ii) Administrative Measures Taken for the Retention of Personal Data in Secure Environments

The main administrative measures taken by the Company to retain Personal Data in secure environments are listed below:

  • Employees are trained to ensure that Personal Data is stored/retained securely.

  • Legal and technical consultancy services are procured in order to closely follow the developments in the field of information security, privacy of private life and protection of personal data and to take necessary actions.

  • In the event that an outsourced service is procured by the Company due to technical requirements for the retention of Personal Data, the contracts concluded with the relevant companies to which Personal Data are transferred in accordance with the law shall include provisions stating that the persons to whom Personal Data are transferred shall take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organisations.

5.1.4. Auditing the Measures Taken on the Protection of Personal Data

The Company carries out the necessary audits within its own organisation, or has them carried out, in accordance with Article No 12 of the Law. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Company and necessary actions are taken for the improvement of the measures taken.


5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In the event that Personal Data processed in accordance with Article No 12 of the Law is obtained by others through unlawful means, the Company shall operate the system that ensures that the relevant Personal Data Subject and the KVK Committee are notified of this situation as soon as possible. If deemed necessary by the KVK Committee, this situation may be announced on the website of the KVK Committee or by any other method.


5.2. Observing the Legal Rights of Personal Data Subjects

The Company observes all legal rights of Personal Data Owners regarding the implementation of the Policy and the Law and takes all measures necessary to protect these rights. Detailed information on the rights of Personal Data Subjects is provided in Part Six of this Policy.


5.3. Protection of the Sensitive Personal Data

The Law attributes special importance to certain Personal Data due to the risk of causing victimisation and/or discrimination when processed unlawfully. These data are data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The Company shows utmost sensitivity to the protection of Sensitive Personal Data, which is defined as ‘sensitive’ by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are also implemented with the utmost care in terms of Sensitive Personal Data, and the necessary audits are carried out within the Company in this regard.


PART SIX

§ 6. RIGHTS OF THE PERSONAL DATA SUBJECT; EXERCISE AND EVALUATION OF RIGHTS


6.1. Informing the Personal Data Owner

In accordance with Article No 10 of the Law, the Company shall inform the Personal Data Owners during the acquisition of Personal Data. In this context, the Company provides information about the identity of its representative, if any, the purpose for which Personal Data shall be processed, to whom and for what purpose the processed Personal Data may be transferred, the method and legal grounds for collecting Personal Data and the rights of the Personal Data Subject.


6.2. Rights of the Personal Data Owner Pursuant to the Law on the Protection of Personal Data

Pursuant to Article No 10 of the Law, the Company informs you of your rights, provides guidance on how to exercise such rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. Pursuant to Article No 11 of the Law, the Company shall explain to the persons whose Personal Data are collected that they have the following rights:

  • To learn whether personal data is processed,

  • To request information if personal data is processed,

  • To learn the purpose of processing personal data and whether personal data is used for the right purposes,

  • To know the third parties to whom personal data are transferred, both within and outside the borders of the country,

  • To request correction of the personal data in case they are processed incorrectly or incompletely,

  • To request the deletion or destruction of Personal Data within the framework of the conditions set forth in Article No 7 of the Law,

  • To request notification of the transactions made pursuant to subparagraphs (d) and (e) of Article No 11 of the Law to third parties to whom personal data are transferred,

  • To object to results that conflict with the interests of the person in case processed data are analysed exclusively through automatic systems,

  • To request compensation for his/her damages in case he/she suffers due to incorrect processing of personal data.

6.3. Cases Where The Personal Data Subject Cannot Claim His/Her Rights

Since the following cases are excluded from the scope of the Law pursuant to Article No 28 of the Law, Personal Data Subjects cannot claim their rights listed in Article No (6.2.) of this Policy in the following cases:

  • Processing of Personal Data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that such Personal Data are not disclosed to third parties and obligations regarding data security are respected;

  • Processing of Personal Data for purposes such as research, planning and statistics by anonymising them with official statistics;

  • Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime;

  • Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public authorities and institutions entrusted and authorised by law to ensure national defence, national security, public safety, public order or economic security;

  • Processing of Personal Data by judicial authorities or execution authorities in connection with investigations, prosecutions, trials, or execution proceedings.

Pursuant to Article No 28/2 of the Law, in the cases listed below, Personal Data Subjects cannot claim their rights listed in Article No (6.2.) of this Policy, except for the right to claim compensation for damages:

  • If processing of Personal Data is necessary for the prevention of crimes or for criminal investigations;

  • If the personal data made public by the Personal Data Subject himself/herself is processed;

  • If the processing of Personal Data is necessary for the execution of supervisory or regulatory duties and disciplinary investigations or prosecutions by the competent public authorities and institutions and professional organisations in the nature of public institutions, based on the authority granted by the law;

  • If the processing of Personal Data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and financial matters.

6.4. Use of Rights of the Personal Data Subject

Personal Data Subjects shall be able to submit their requests regarding their rights listed in Article No (6.2.) of this Policy to the Company free of charge by filling out and signing the Application Form, which is available at the link www.evolog.com.tr, with the information and documents that shall verify their identities and by the methods specified below or by other methods determined by the KVK Committee:

(i) The Applicant shall fill in the Application Form and submit a wet signed copy of this Application Form in person or through a notary public to the following address: HALKALI MERKEZ MAHALLESI DEREBOYU CADDESI NO 56 KÜÇÜKÇEKMECE/ISTANBUL

(ii) The Applicant shall fill in the Application Form and sign it with a 'Secure Electronic Signature' within the scope of Law No 5070 on Electronic Signatures and then send the application form (bearing a Secure Electronic Signature) by registered e-mail to the following e-mail address: evolog@hs01.kep.tr

(iii) The Applicant shall come in person, submit the application form by using the electronic mail address previously notified to the Company and registered in the Company's system, by applying with a document verifying his/her identity and information and documents related to the subject of the application

In order for third parties to make an application request on behalf of personal data subjects, there must be a special power of attorney issued by the data subject through a notary public for the name of the person who will make the application.


6.5. The Method and Deadline for the Company to Respond to the Applications

Depending on the nature of the request, the Company shall finalise the requests included in the application free of charge as soon as possible, within thirty days at the latest. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the KVK Committee may be charged. The Company may either accept the request or reject it by explaining its reasoning and notify its response in writing or electronically. If the request in the application is accepted, the Company shall fulfil the requirements of the request.


6.6. The Right of the Personal Data Subject to File a Complaint to the KVK Committee

In the event that the application is rejected, the response is found insufficient or the application is not responded to in due time, the data subject shall have the right to file a complaint to the KVK Committee within thirty days from the date of receipt of the response and in any case within sixty days from the date of application.

PART SEVEN

§ 7. MANAGEMENT STRUCTURE OF THE COMPANY ACCORDING TO THE POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA


In order to manage this Policy and other policies related to and associated with this Policy, a Personal Data Committee is established within the Company in accordance with the decision of the senior management of the Company. The Personal Data Committee is authorised and tasked to take the necessary actions for the retention and processing of the data of the Personal Data Subjects in accordance with the Law, this Policy and other policies related to and associated with this Policy. The Policy on Retention and Destruction of Personal Data published on the Company's website contains detailed information regarding the persons assigned to the Personal Data Committee and their duties.


PART EIGHT

§ 8. UPDATE, COMPLIANCE AND AMENDMENTS

8.1. Update and Compliance

The Company reserves the right to make amendments to this Policy and other policies related to and associated with this Policy upon amendments to the Law, in accordance with the decisions of the KVK Committee or in line with the developments in the sector or in the field of IT.

Any amendments made to this Policy shall be immediately incorporated into the text and explanations regarding the amendments shall be disclosed at the end of the Policy.

8.2. Amendments

01.03.2019: The Policy on Processing and Protection of Personal Data is published.

*There are no older dated amendments.



PART ONE

§ 1. INTRODUCTION


1.1. Introduction

EVOLOG NAKLIYAT VE LOJISTIK HIZMETLERI TICARET LIMITED ŞIRKETI

As the "Company", we attach great importance to the processing and protection of personal data in accordance with Law No 6698 on the Protection of Personal Data (hereinafter referred to as the "Law") and we act with this care in all our planning and activities. With this in mind, we hereby present this Policy on Processing and Protection of Personal Data (hereinafter referred to as the ‘Policy’) for your information in order to fulfil our responsibility to inform you within the scope of Article No 10 of the Law and to inform you of all administrative and technical measures we take within the scope of processing and protection of personal data.


1.2. The Purpose of the Policy

The main purpose of this Policy is to make clarifications on the systems for the processing and protection of personal data in accordance with the Law and the purpose of the Law, and in this context, to inform the persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Customers of the Company, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all rights of personal data owners arising from the legislation on personal data.


1.3. Scope of the Policy and Personal Data Subjects

This Policy is prepared for persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Customers of the Company, Potential Customers and Third Parties, by automatic or non-automatic means provided that they are part of any data recording system; and, it shall be applied within the scope of the specified persons. This Policy shall in no way apply to legal entities and their data.

By publishing this Policy on its website, our Company aims to inform the aforementioned Personal Data Subjects about the Law. For the employees of our Company, the Policy on the Processing of Personal Data for Employees shall apply.

In the event that the data is not included in the scope specified below, i.e. within the scope of 'Personal Data', or in the event that the Personal Data processing activity carried out by our Company is not carried out in the above-mentioned ways, this Policy shall not apply.

In this context, within the scope of this Policy, the Personal Data Subjects are as follows:

Company Stakeholders

They are real persons who are Stakeholders of the Company.

Real Person Business Partners of the Company

They are real persons with whom the Company is in any kind of business relationship.

Stakeholder, Official, Employee of the Business Partners of the Company

They are all real persons, including Employees, Stakeholders, and Officials of real and legal persons (such as Business Partners and Suppliers) with whom the Company is in any kind of business relationship.

Company Officials

They are the Members of the Board of Directors of the Company and other duly authorised real persons.

Employee Candidate

They are real persons who have applied for a job to the Company by any means or who have submitted their CV and related information for the review of the Company.

Customers of the Company

They are real persons, who are using or who have used services and products presented by the Company regardless of whether they have any contractual relationships with the Company.

Visitors

They are real persons, who have shown their interest and demand in the use of the products and services of the Company, or real persons, whose potential to have such interest is considered in accordance with commercial practice rules and honesty rules.

Potential Customer

They are all real persons who visit the physical premises owned by the Company for various purposes or visit the websites for any purpose.

Third Person

They are other real persons who are not included in the scope of the Policy on the Protection and Processing of Personal Data prepared for the Employees of the Company and who are not categorised as any personal data subject under this Policy.

1.4. Definitions

The terms used in this Policy shall have the following meanings:

Company/Our Company

It refers to "EVOLOG NAKLIYAT VE LOJISTIK HIZMETLERI TICARET LTD ŞTI"

Personal Data

It refers to any information relating to an identified or identifiable real person.

Sensitive Personal Data

It refers to data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

The Protection of Personal Data

It refers to all kinds of transactions carried out on data such as obtaining, recording, retaining, preserving, modifying, re-modifying, disclosing, transferring, taking over, making accessible, classifying or preventing the use of personal data fully or partially automatically or by non-automatic means, provided that it is a part of any data recording system.

Personal Data Subjects/Concerned Persons

It refers to Company Stakeholders, Company Business Partners, Company Officials, Employee Candidates, Visitors, and Customers of the Company, Potential Customers, Third Parties and persons whose personal data are processed by the Company.

Data Recording System

It refers to the recording system where personal data are organised and processed according to certain criteria.

Data Controller

It refers to the real or legal person who defines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor

It refers to real or legal persons who process personal data on behalf of the Data Controller on the basis of the authorisation granted by the Data Controller.

Explicit Consent

It refers to consent on a specific subject, based on information and expressed with free will.

Anonymization

It refers to the process of making the data previously associated with a person impossible to be associated with an identified or identifiable real person under any circumstances, even by matching with other data.

Law

It refers to Law No 6698 on the Protection of Personal Data.

KVK (Protection of Personal Data) Committee

It refers to the Personal Data Protection Committee.

1.5. Enforceability of the Policy

This Policy, which is prepared and entered into force by the Company, is updated on the date of 01.03.2019, published on the Company's website (www.evolog.com.tr) and made available to the relevant persons upon the request of the Personal Data Subjects.


PART TWO

§ 2. PROCESSING AND TRANSFER OF PERSONAL DATA

2.1. General Principles Regarding the Processing of Personal Data

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. When processing Personal Data, the Company shall act in accordance with the following principles:

  • Personal Data shall be processed in accordance with the relevant rules of law and the requirements of good faith.

  • It shall be ensured that Personal Data is accurate and up to date. In this context, matters such as identifying the sources from which the data are obtained, confirming their accuracy, and assessing whether they need to be updated shall be carefully considered.

  • Personal Data shall be processed for specific, explicit, and legitimate purposes. The legitimacy of the purpose means that the Personal Data processed by the Company is related to and necessary for the business it conducts or the services it provides.

  • Personal Data is the information necessary for the realisation of the purposes set by the Company. Processing of Personal Data that is not related to the realisation of the purpose or is not needed shall be avoided. It keeps the processed data limited only to what is necessary for the realisation of the purpose. In this context, the processed Personal Data are relevant, limited and proportionate to the purpose for which they are processed.

  • If there is a period prescribed for the retention of data in the relevant legislation, the Company shall comply with these periods. Otherwise, it shall retain Personal Data only for the period required for the purpose for which they are processed. In the event that there is no longer a valid reason for the further retention of Personal Data, such data shall be deleted, destructed, or anonymised.


2.2. Requirements for the Processing of Personal Data

The Company shall not process Personal Data without the explicit consent of the data subject. In the presence of one of the following requirements, Personal Data may be processed without seeking the explicit consent of the data subject.

  • Even if the Company does not have the explicit consent of the Personal Data Owners for the processing of Personal Data, it may process it in cases expressly stipulated in the Laws. For example, according to Article No 230 of the Tax Procedure Law, explicit consent from the data subject shall not be sought for the inclusion of the name of the data subject on the invoice.

  • Personal Data may be processed without explicit consent in order to protect the life or physical integrity of persons who are unable to disclose their consent due to actual impossibility or whose consent cannot be validated, or of another person. For example, in a situation where the person is unconscious or mentally ill and his/her consent is not valid, the Personal Data of the Personal Data Subject may be processed during medical intervention for the protection of life or body integrity. In this context, data such as blood type, previous illnesses and operations, and medications used can be processed through the relevant health system.

  • Provided that it is directly related to the establishment or performance of a contract by the Company, the Personal Data of the parties to the contract may be processed. For example, the Account Number of the creditor party may be obtained for the payment of money in accordance with a contract.

  • In order to meet its legal obligations as a Data Controller, the Company may process the Personal Data of Personal Data Subjects if it is mandatory to do so.

  • The Company may process the Personal Data made public by the Personal Data Subjects themselves, in other words, the Personal Data disclosed to the public in any way, when the legal benefit to be protected is no longer available.

  • In cases where data processing is mandatory for the exercise or protection of a legitimate legal right, the Company may process the Personal Data of Personal Data Subjects without seeking explicit consent.

  • Provided that the fundamental rights and freedoms of the Personal Data Owners protected under the Law and the Policy are not harmed, the Company may process the Personal Data of the Personal Data Subjects in cases where the processing of Personal Data is mandatory for the provision of legitimate interests. The Company displays the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to respect the balance of interests of Personal Data Owners.


2.3. Requirements for the Processing of Sensitive Personal Data

The Company cannot process Sensitive Personal Data without the explicit consent of the data subject. However, Personal Data other than health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law. Even in conditions under the obligation of confidentiality, Personal Data relating to health and sexual life can be processed by the Company only for the protection of public health, preventive medicine, medical diagnosis and treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject. The Company shall follow necessary procedures to take adequate measures determined by the Committee in the processing of Sensitive Personal Data.


2.4. Requirements for the Transfer of Personal Data

Our Company shall have the right to transfer Personal Data and Sensitive Personal Data of Personal Data Subjects to third parties in accordance with the Law by establishing the necessary confidentiality conditions and by taking security measures in line with the purposes of processing Personal Data. During the transfer of Personal Data, our Company shall act in accordance with the regulations stipulated in the Law. In this context, in line with legitimate and lawful purposes of processing Personal Data, our Company may transfer Personal Data if Personal Data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data Subject, based on and limited to one or more of the Personal Data processing requirements specified in Article No 5 of the Law, listed below:

(If there is explicit consent of the Personal Data Subject)

  • If there is a clear provision in the laws regarding the transfer of Personal Data, if it is mandatory for the protection of the life or physical integrity of the Personal Data Subject or someone else, and

  • If the Personal Data Subject is unable to express his/her consent due to actual impossibility or if his/her consent is not legally valid,

  • Provided that it is directly related to the establishment or performance of a contract, if it is necessary to transfer the Personal Data of the parties to the contract,

  • If the transfer of Personal Data is mandatory for the fulfilment of our Company's legal obligations,

  • If the Personal Data is made public by the Personal Data Subject,

  • If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,


2.4.1. Requirements for the Transfer of Personal Data Abroad

By taking the necessary security measures in line with the purposes of processing Personal Data, our Company may transfer Personal Data and Sensitive Personal Data of Personal Data Subjects to third parties abroad. Personal Data may be transferred by our Company to foreign countries that are announced by the KVK Committee to have adequate protection. In the absence of adequate protection, such Personal Data may be transferred to foreign countries if the Data Controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the KVK Committee authorises such transfer.

2.5. Requirements for the Transfer of Sensitive Personal Data

The Company may transfer the Sensitive Personal Data of the Personal Data Subjects to third parties in the following cases in line with the legitimate and lawful Personal Data processing purposes by taking due care, taking the necessary security measures and taking adequate measures stipulated by the KVK Committee.

(i) if there is explicit consent of the Personal Data Subject or;

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Subject:

Sensitive Personal Data other than the health and sexual life of the Personal Data Subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, criminal conviction and security measures and biometric and genetic data) can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, in cases stipulated by law.

Sensitive Personal Data relating to the health and sexual life of the Personal Data Subject can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.


2.5.1. Transfer of Sensitive Personal Data Abroad

The Company may transfer the Sensitive Personal Data of the Personal Data Subject to foreign countries in the following cases, where the data controller has adequate protection or undertakes adequate protection, in line with the legitimate and lawful Personal Data processing purposes by taking due care, taking the necessary security measures and taking adequate measures stipulated by the KVK Committee.

(i) if there is explicit consent of the Personal Data Subject or;

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Subject:

  • Sensitive Personal Data other than the health and sexual life of the Personal Data Subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, criminal conviction and security measures and biometric and genetic data) can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, in cases stipulated by law.

  • Sensitive Personal Data relating to the health and sexual life of the Personal Data Subject can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.


PART THREE

§ 3. PURPOSES OF PROCESSING AND TRANSFER OF PERSONAL DATA, PERSONS TO WHOM PERSONAL DATA SHALL BE TRANSFERRED

3.1. Purposes of Processing and Transferring Personal Data

Personal Data shall be processed in accordance with the Law and the purpose of the Law, limited to the following purposes, within the scope of the Personal Data Processing Requirements specified in Article No 5 and Article No 6 of the Law:

  • Optimal planning and implementation of the policies of human resources departments,

  • Proper planning, execution and management of the company's commercial partnerships and strategies,

  • Ensuring the legal, commercial and physical security of the Company and its business partners,

  • Ensuring the corporate functioning of the company, planning and execution of management and communication activities,

  • Ensuring that Personal Data Subjects benefit from the Company's products and services in the best way possible; customising and recommending these products and services according to the demands, needs and requests of Personal Data Subjects,

  • Ensuring data security at the highest level,

  • Creation of databases,

  • Improvement of the services offered on the website and elimination of any errors on the website,

  • Contacting the Personal Data Subjects who submit their requests and complaints to the Company and ensuring the management of such requests and complaints,

  • Management of events,

  • Management of relationships with business partners or suppliers,

  • Execution of basic processes related to recruitment of the personnel,

  • Supporting the planning and execution processes of the fringe rights and benefits to be provided to senior executives,

  • Execution/follow-up of financial reporting and risk management transactions,

  • Execution/follow-up of the legal affairs of the Company,

  • Performing studies to protect the reputation of the Company,

  • Managing the relationships with investors,

  • Providing information resulting from the legislation for competent authorities,

  • Creation and follow-up of visitor records.

In the event that the processing of personal data for the aforementioned purposes does not meet any of the conditions stipulated under the Law, the Company shall seek your explicit consent for the relevant processing activity.


3.2. Persons to whom Personal Data shall be Transferred

Personal Data may be shared with our business and solution partners, banks and third parties who perform technical, logistics and other similar operations on our behalf in order to ensure that the services provided to you are complete and flawless and only to the extent appropriate to the nature of the service. These third parties consist of persons who are obliged to have access to the relevant information in order to provide the relevant services fully and flawlessly.

Apart from these, your Personal Data may be transferred -limited only to the relevant persons or institutions- in case the Company has to share the data with other third parties in order to ensure complete and flawless delivery of the service, in case it is necessary for the Company to fulfil its legal obligations, in case it is expressly stipulated in the laws or in case there is a judicial/administrative order issued in accordance with the law.

A portion of the Personal Data may be shared with advertisers in an aggregated anonymised form together with information about other users only, in order to enable targeted tailoring of advertisements.

Anonymised data is information that cannot be associated with you, our visitors/customers, and does not contain your ID information or make your ID identifiable. In the case of anonymised data, your confidentiality is guaranteed.

PART FOUR

§ 4. METHOD AND LEGAL GROUNDS FOR THE COLLECTION OF PERSONAL DATA; DELETION, DESTRUCTION, ANONYMISATION AND RETENTION PERIOD OF PERSONAL DATA


4.1. Method and Legal Grounds for the Collection of Personal Data

For the purpose of ensuring compliance with Article No 1 concerning the purpose of the Law and Article No 2 concerning the scope of the Law, Personal Data shall be collected by all kinds of verbal, written, electronic, technical and other methods, through various means such as call centre, Company website, mobile application, in order to fulfil the purposes set out in the Policy, within the framework of legal grounds based on legislation, contract, demand and request, in order to fulfil the responsibilities arising from the law in a complete and accurate manner. In addition, such data shall be processed by the Company or the Data Processors authorised by the Company.


4.2. Deletion, Destruction or Anonymization of Personal Data

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymisation of Personal Data, the Company shall delete, destroy or anonymise Personal Data ex officio or upon the request of the Data Subject, in the event that the grounds requiring the processing of Personal Data disappear, although it is processed in accordance with the provisions of this Law and other laws. Upon deletion of Personal Data, these data are destroyed in such a way that they cannot be used and recovered in any way again. Accordingly, Personal Data shall be irreversibly deleted from the documents, files, CDs, floppy disks, hard discs, etc. where they are stored/retained. Destruction of Personal Data refers to the destruction of materials suitable for storing/retaining data such as documents, files, CDs, diskettes, hard discs, etc. where data is stored so that the information cannot be recovered and used again. Anonymisation of Personal Data means that Personal Data cannot be associated with an identified or identifiable real person, even if it is matched with other data.


4.3. How Long Will The Personal Data Be Stored/Retained?

If stipulated in the legislation, the Company shall retain Personal Data for the period specified in this legislation. If a period of time is not prescribed in the legislation on how long personal data should be stored/retained, Personal Data shall be processed for the period required to be processed in accordance with the practices of the Company and the customs of the Company's commercial life, depending on the activity carried out by the Company while processing that data, and then deleted, destroyed or anonymised.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Company have come to an end, personal data may be retained only for the purpose of constituting evidence in possible legal disputes or for the assertion or defence of the relevant right related to personal data. Retention periods are determined based on the statute of limitations for asserting the aforementioned right, as well as examples of previous requests made to the Company on similar matters, even after the statute of limitations had expired. In this case, the retained personal data cannot be accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. Upon expiry of the aforementioned period, personal data are deleted, destroyed, or anonymised.

Detailed rules regarding the techniques of the Company regarding the retention, deletion, destruction, and anonymisation of Personal Data are available in the Company's Policy on Retention and Destruction of Personal Data.


PART FIVE

§ 5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

As per Article No 12 of the Law, the Company shall take the necessary technical and administrative measures aimed at ensuring the appropriate level of security in order to prevent unlawful processing of the Personal Data it processes, to prevent unlawful access to the data and to ensure the preservation of the data. In this context, it shall carry out the necessary audits or have them carried out.

5.1. Ensuring The Security Of Personal Data

5.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

In order to ensure the lawful processing of Personal Data, the Company shall take technical and administrative measures according to the technological possibilities and the cost of implementation.

(i) Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

  • The Personal Data processing activities carried out under the roof of the Company are supervised by the technical systems established.

  • The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

  • Personnel knowledgeable in technical issues are employed.

(ii) Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

  • Employees are informed and instructed about the law on the protection of Personal Data and the processing of Personal Data in accordance with the law.

  • All activities carried out by the Company are analysed in detail for all business units. As a result of such analysis, Personal Data processing activities are revealed specific to the activities carried out by the relevant business units.

  • For the Personal Data processing activities carried out by the business units of the Company, the requirements to be fulfilled in order to ensure that these activities comply with the Personal Data Processing Conditions sought by the Law are determined specifically for each business unit and the detailed activity it carries out.

  • In order to ensure the requirements of legal compliance determined on a business unit basis, awareness is raised specific to the relevant business units and rules of practice are determined. Necessary administrative measures are implemented through internal policies and training to ensure the supervision of these issues and the continuity of the implementation.

  • The contracts and documents governing the legal relationships between the Company and the employees include clauses that impose the obligation not to process, disclose and use Personal Data, except for the Company's instructions and the exceptions imposed by law; the awareness of the employees in this regard is raised, and the obligations arising from the Law are fulfilled by conducting inspections.


5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The Company adopts technical and administrative measures according to the nature of the data to be protected, technological capabilities and cost of implementation in order to prevent imprudent or unauthorised disclosure, access, transfer or any other unlawful access to Personal Data.

(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

  • Technical solutions for access and authorisation are put into use in accordance with the legal compliance requirements determined on a business unit basis.

  • Access authorisations are limited and authorisations are regularly reviewed.

  • The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism. Issues that pose a risk are re-evaluated and necessary technological solutions are produced.

  • Software and hardware including virus protection systems and firewalls are installed.

  • Personnel knowledgeable in technical issues are employed.

  • In order to identify security vulnerabilities in the applications where Personal Data is collected, security scans are carried out regularly. It is ensured that the detected vulnerabilities are eliminated.


(ii) Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Employees are trained on the technical measures to be taken to prevent unlawful access to Personal Data.

  • On a business unit basis, Personal Data access and authorisation processes are designed and implemented within the Company in accordance with the requirements of legal compliance with the processing of Personal Data.

  • Employees are advised that they cannot disclose the Personal Data they have acquired to anyone else in violation of the provisions of the Law and cannot use them for purposes other than processing, and that this obligation shall remain in force even after their resignation. Necessary commitments to this effect are obtained from them.

  • In the contracts concluded by the Company with the persons to whom Personal Data are transferred in accordance with the law, provisions stipulating that the persons to whom Personal Data are transferred shall take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organisations shall be included.


5.1.3. Storage/Retention of Personal Data in Secure Environments

The Company shall take the necessary technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to store/retain Personal Data in secure environments and to prevent the destruction, loss or alteration of Personal Data for unlawful purposes.

(i) Technical Measures Taken for the Retention of Personal Data in Secure Environments

The main technical measures taken by the Company to retain Personal Data in secure environments are listed below:

  • Systems in line with technological developments are used to store Personal Data in secure environments.

  • Personnel specialised in technical issues are employed.

  • Technical security systems are installed for the storage areas, security tests and research are carried out to identify security vulnerabilities on IT systems, and existing or potential risk issues identified as a result of the tests and research are eliminated. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

  • In order to ensure the safe storage/retention of Personal Data, backup programs are used in accordance with the law.

  • Access to data is restricted and, limited to the purpose of retaining personal data, only authorised persons are allowed to access the mediums where personal data are retained, and all accesses are logged. Access to the data storage areas where Personal Data is stored is logged and inappropriate access or access attempts are instantly notified to the relevant persons.


(ii) Administrative Measures Taken for the Retention of Personal Data in Secure Environments

The main administrative measures taken by the Company to retain Personal Data in secure environments are listed below:

  • Employees are trained to ensure that Personal Data is stored/retained securely.

  • Legal and technical consultancy services are procured in order to closely follow the developments in the field of information security, privacy of private life and protection of personal data and to take necessary actions.

  • In the event that an outsourced service is procured by the Company due to technical requirements for the retention of Personal Data, in the contracts concluded with the relevant companies to which Personal Data are transferred in accordance with the law, provisions (stating that the persons to whom Personal Data are transferred shall take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organisations) shall be included.

5.1.4. Auditing the Measures Taken on the Protection of Personal Data

The Company carries out or has carried out the necessary audits within its own organisation in accordance with Article No 12 of the Law. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Company and necessary actions are taken for the improvement of the measures taken.


5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In the event that Personal Data processed in accordance with Article No 12 of the Law is obtained by others through unlawful means, the Company shall run the system that ensures that this situation is notified to the relevant Personal Data Subject and the KVK Committee as soon as possible. If deemed necessary by the KVK Committee, this situation may be announced on the website of the KVK Committee or by any other method.


5.2. Observing the Legal Rights of Personal Data Subjects

The Company observes all legal rights of Personal Data Owners regarding the implementation of the Policy and the Law and takes all measures necessary to protect these rights. Detailed information on the rights of Personal Data Subjects is provided in Part Six of this Policy.


5.3. Protection of the Sensitive Personal Data

The Law attributes special importance to certain Personal Data due to the risk of causing victimisation and/or discrimination when processed unlawfully. These data are data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The Company shows utmost sensitivity to the protection of Sensitive Personal Data, which is defined as ‘sensitive’ by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are also implemented with the utmost care in terms of Sensitive Personal Data and the necessary audits are provided within the Company in this regard.


PART SIX

§ 6. RIGHTS OF THE PERSONAL DATA SUBJECT; EXERCISE AND EVALUATION OF RIGHTS


6.1. Informing the Personal Data Owner

In accordance with Article No 10 of the Law, the Company shall enlighten the Personal Data Owners during the acquisition of Personal Data. In this context, the Company provides information about the identity of its representative, if any, the purpose for which Personal Data shall be processed, to whom and for what purpose the processed Personal Data may be transferred, the method and legal grounds for collecting Personal Data and the rights of the Personal Data Subject.


6.2. Rights of the Personal Data Owner Pursuant to the Law on the Protection of Personal Data

Pursuant to Article No 10 of the Law, the Company informs you of your rights, provides guidance on how to exercise such rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. Pursuant to Article No 11 of the Law, the Company shall explain to the persons whose Personal Data are collected that they have the following rights:

  • To learn whether personal data is processed,

  • To request information if personal data is processed,

  • To learn the purpose of processing personal data and whether personal data is used for the right purposes,

  • To know the third parties to whom personal data are transferred, both within and outside the borders of the country,

  • To request correction of the personal data in case they are processed incorrectly or incompletely,

  • To request the deletion or destruction of Personal Data within the framework of the conditions set forth in Article No 7 of the Law,

  • To request notification of the transactions made pursuant to subparagraphs (d) and (e) of Article No 11 of the Law to third parties to whom personal data are transferred,

  • To object to results that conflict with the interests of the person in case processed data are analysed exclusively through automatic systems,

  • To request compensation for his/her damages in case he/she suffers due to incorrect processing of personal data.

6.3. Cases Where The Personal Data Subject Cannot Claim His/Her Rights

Since the following cases are excluded from the scope of the Law pursuant to Article No 28 of the Law, Personal Data Subjects cannot claim their rights listed in Article No (6.2.) of this Policy in the following cases:

  • Processing of Personal Data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that such Personal Data are not disclosed to third parties and obligations regarding data security are respected;

  • Processing of Personal Data for purposes such as research, planning and statistics by anonymising them with official statistics;

  • Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime;

  • Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public authorities and institutions entrusted and authorised by law to ensure national defence, national security, public safety, public order or economic security;

  • Processing of Personal Data by judicial authorities or execution authorities in connection with investigations, prosecutions, trials, or execution proceedings.

Pursuant to Article No 28/2 of the Law, in the cases listed below, Personal Data Subjects cannot claim their rights listed in Article No (6.2.) of this Policy, except for the right to claim compensation for damages:

  • If processing of Personal Data is necessary for the prevention of crimes or for criminal investigations;

  • If the personal data made public by the Personal Data Subject himself/herself is processed;

  • If the processing of Personal Data is necessary for the execution of supervisory or regulatory duties and disciplinary investigations or prosecutions by the competent public authorities and institutions and professional organisations in the nature of public institutions, based on the authority granted by the law;

  • If the processing of Personal Data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and financial matters.

6.4. Use of Rights of the Personal Data Subject

Personal Data Subjects shall be able to submit their requests regarding their rights listed in Article No (6.2.) of this Policy to the Company free of charge by filling out and signing the Application Form, which is available at the link www.evolog.com.tr, with the information and documents that shall verify their identities and by the methods specified below or by other methods determined by the KVK Committee:

(i) The Applicant shall fill in the Application Form and submit a wet signed copy of this Application Form in person or through a notary public to the following address: HALKALI MERKEZ MAHALLESI DEREBOYU CADDESI NO 56 KÜÇÜKÇEKMECE/ISTANBUL

(ii) The Applicant shall fill in the Application Form and sign it with a 'Secure Electronic Signature' within the scope of Law No 5070 on Electronic Signatures and then send the application form (bearing a Secure Electronic Signature) by registered e-mail to the following e-mail address: evolog@hs01.kep.tr

(iii) The Applicant shall come in person, submit the application form by using the electronic mail address previously notified to the Company and registered in the Company's system, by applying with a document verifying his/her identity and information and documents related to the subject of the application

In order for third parties to make an application request on behalf of personal data subjects, there must be a special power of attorney issued by the data subject through a notary public for the name of the person who will make the application.


6.5. The Method and Deadline for the Company to Respond to the Applications

Depending on the nature of the request, the Company shall finalise the requests included in the application free of charge as soon as possible, within thirty days at the latest. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the KVK Committee may be charged. The Company may either accept the request or reject it by explaining its reasoning and notify its response in writing or electronically. If the request in the application is accepted, the Company shall fulfil the requirements of the request.


6.6. The Right of the Personal Data Subject to File a Complaint to the KVK Committee

In the event that the application is rejected, the response is found insufficient or the application is not responded to in due time; the data subject shall have the right to file a complaint to the KVK Committee within thirty days from the date of receipt of the response and in any case within sixty days from the date of application.

PART SEVEN

§ 7. MANAGEMENT STRUCTURE OF THE COMPANY ACCORDING TO THE POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA


In order to manage this Policy and other policies related to and associated with this Policy, a Personal Data Committee is established within the Company in accordance with the decision of the senior management of the Company. The Personal Data Committee is authorised and tasked to take the necessary actions for the retention and processing of the data of the Personal Data Subjects in accordance with the Law, this Policy and other policies related to and associated with this Policy. The Policy on Retention and Destruction of Personal Data published on the Company's website contains detailed information regarding the persons assigned to the Personal Data Committee and their duties.


PART EIGHT

§ 8. UPDATE, COMPLIANCE AND AMENDMENTS

8.1. Update and Compliance

The Company reserves the right to make amendments to this Policy and other policies related to and associated with this Policy upon amendments to the Law, in accordance with the decisions of the KVK Committee or in line with the developments in the sector or in the field of IT.

Any amendments made to this Policy shall be immediately incorporated into the text and explanations regarding the amendments shall be disclosed at the end of the Policy.

8.2. Amendments

01.03.2019: The Policy on Processing and Protection of Personal Data is published.

*There are no older dated amendments.



PART ONE

§ 1. INTRODUCTION


1.1. Introduction

EVOLOG NAKLIYAT VE LOJISTIK HIZMETLERI TICARET LIMITED ŞIRKETI

As the "Company", we attach great importance to the processing and protection of personal data in accordance with Law No 6698 on the Protection of Personal Data (hereinafter referred to as the "Law") and we act with this care in all our planning and activities. With this in mind, we hereby present this Policy on Processing and Protection of Personal Data (hereinafter referred to as the ‘Policy’) for your information in order to fulfil our responsibility to inform you within the scope of Article No 10 of the Law and to inform you of all administrative and technical measures we take within the scope of processing and protection of personal data.


1.2. The Purpose of the Policy

The main purpose of this Policy is to make clarifications on the systems for the processing and protection of personal data in accordance with the Law and the purpose of the Law, and in this context, to inform the persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Customers of the Company, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all rights of personal data owners arising from the legislation on personal data.


1.3. Scope of the Policy and Personal Data Subjects

This Policy is prepared for persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Customers of the Company, Potential Customers and Third Parties, by automatic or non-automatic means provided that they are part of any data recording system; and, it shall be applied within the scope of the specified persons. This Policy shall in no way apply to legal entities and their data.

By publishing this Policy on its website, our Company aims to inform the aforementioned Personal Data Subjects about the Law. For the employees of our Company, the Policy on the Processing of Personal Data for Employees shall apply.

In the event that the data is not included in the scope specified below, i.e. within the scope of 'Personal Data', or in the event that the Personal Data processing activity carried out by our Company is not carried out in the above-mentioned ways, this Policy shall not apply.

In this context, within the scope of this Policy, the Personal Data Subjects are as follows:

Company Stakeholders

They are real persons who are Stakeholders of the Company.

Real Person Business Partners of the Company

They are real persons with whom the Company is in any kind of business relationship.

Stakeholder, Official, Employee of the Business Partners of the Company

They are all real persons, including Employees, Stakeholders, and Officials of real and legal persons (such as Business Partners and Suppliers) with whom the Company is in any kind of business relationship.

Company Officials

They are the Members of the Board of Directors of the Company and other duly authorised real persons.

Employee Candidate

They are real persons who have applied for a job to the Company by any means or who have submitted their CV and related information for the review of the Company.

Customers of the Company

They are real persons, who are using or who have used services and products presented by the Company regardless of whether they have any contractual relationships with the Company.

Visitors

They are real persons, who have shown their interest and demand in the use of the products and services of the Company, or real persons, whose potential to have such interest is considered in accordance with commercial practice rules and honesty rules.

Potential Customer

They are all real persons who visit the physical premises owned by the Company for various purposes or visit the websites for any purpose.

Third Person

They are other real persons who are not included in the scope of the Policy on the Protection and Processing of Personal Data prepared for the Employees of the Company and who are not categorised as any personal data subject under this Policy.

1.4. Definitions

The terms used in this Policy shall have the following meanings:

Company/Our Company

It refers to "EVOLOG NAKLIYAT VE LOJISTIK HIZMETLERI TICARET LTD ŞTI"

Personal Data

It refers to any information relating to an identified or identifiable real person.

Sensitive Personal Data

It refers to data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

The Protection of Personal Data

It refers to all kinds of transactions carried out on data such as obtaining, recording, retaining, preserving, modifying, re-modifying, disclosing, transferring, taking over, making accessible, classifying or preventing the use of personal data fully or partially automatically or by non-automatic means, provided that it is a part of any data recording system.

Personal Data Subjects/Concerned Persons

It refers to Company Stakeholders, Company Business Partners, Company Officials, Employee Candidates, Visitors, and Customers of the Company, Potential Customers, Third Parties and persons whose personal data are processed by the Company.

Data Recording System

It refers to the recording system where personal data are organised and processed according to certain criteria.

Data Controller

It refers to the real or legal person who defines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor

It refers to real or legal persons who process personal data on behalf of the Data Controller on the basis of the authorisation granted by the Data Controller.

Explicit Consent

It refers to consent on a specific subject, based on information and expressed with free will.

Anonymization

It refers to the process of making the data previously associated with a person impossible to be associated with an identified or identifiable real person under any circumstances, even by matching with other data.

Law

It refers to Law No 6698 on the Protection of Personal Data.

KVK (Protection of Personal Data) Committee

It refers to the Personal Data Protection Committee.

1.5. Enforceability of the Policy

This Policy, which is prepared and entered into force by the Company, was updated on 01.03.2019, is published on the Company's website (www.evolog.com.tr) and is made available to the relevant persons upon the request of the Personal Data Subjects.


PART TWO

§ 2. PROCESSING AND TRANSFER OF PERSONAL DATA

2.1. General Principles Regarding the Processing of Personal Data

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. When processing Personal Data, the Company shall act in accordance with the following principles:

  • Personal Data shall be processed in accordance with the relevant rules of law and the requirements of good faith.

  • It shall be ensured that Personal Data is accurate and up to date. In this context, matters such as identifying the sources from which the data are obtained, confirming their accuracy, and assessing whether they need to be updated shall be carefully considered.

  • Personal Data shall be processed for specific, explicit, and legitimate purposes. The legitimacy of the purpose means that the Personal Data processed by the Company is related to and necessary for the business it conducts or the services it provides.

  • Personal Data is the information necessary for the realisation of the purposes set by the Company. Processing of Personal Data that is not related to the realisation of the purpose or is not needed shall be avoided. The Company keeps the processed data limited only to what is necessary for the realisation of the purpose. In this context, the processed Personal Data are relevant, limited and proportionate to the purpose for which they are processed.

  • If there is a period prescribed for the retention of data in the relevant legislation, the Company shall comply with these periods. Otherwise, it shall retain Personal Data only for the period required for the purpose for which they are processed. In the event that there is no longer a valid reason for the further retention of Personal Data, such data shall be deleted, destroyed, or anonymised.


2.2. Requirements for the Processing of Personal Data

The Company shall not process Personal Data without the explicit consent of the data subject. In the presence of one of the following requirements, Personal Data may be processed without seeking the explicit consent of the data subject.

  • Even if the Company does not have the explicit consent of the Personal Data Owners for the processing of Personal Data, it may process it in cases expressly stipulated in the Laws. For example, according to Article No 230 of the Tax Procedure Law, explicit consent from the data subject shall not be sought for the inclusion of the name of the data subject on the invoice.

  • Personal Data may be processed without explicit consent in order to protect the life or physical integrity of persons who are unable to express their consent due to actual impossibility or whose consent cannot be validated, or of another person. For example, in a situation where the person is unconscious or mentally ill and his/her consent is not valid, the Personal Data of the Personal Data Subject may be processed during medical intervention for the protection of life or body integrity. In this context, data such as blood type, previous illnesses and operations, and medications used can be processed through the relevant health system.

  • Provided that it is directly related to the establishment or performance of a contract by the Company, the Personal Data of the parties to the contract may be processed. For example, the Account Number of the creditor party may be obtained for the payment of money in accordance with a contract.

  • In order to meet its legal obligations as a Data Controller, the Company may process the Personal Data of Personal Data Subjects if it is mandatory to do so.

  • The Company may process the Personal Data made public by the Personal Data Subjects themselves, in other words, the Personal Data disclosed to the public in any way, when the legal benefit to be protected is no longer available.

  • In cases where data processing is mandatory for the exercise or protection of a legitimate legal right, the Company may process the Personal Data of Personal Data Subjects without seeking explicit consent.

  • Provided that the fundamental rights and freedoms of the Personal Data Owners protected under the Law and the Policy are not harmed, the Company may process the Personal Data of the Personal Data Subjects in cases where the processing of Personal Data is mandatory for the provision of legitimate interests. The Company displays the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to respect the balance of interests of Personal Data Owners.


2.3. Requirements for the Processing of Sensitive Personal Data

The Company cannot process Sensitive Personal Data without the explicit consent of the data subject. However, Personal Data other than data relating to health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law. Even in conditions under the obligation of confidentiality, Personal Data relating to health and sexual life can be processed by the Company only for the protection of public health, preventive medicine, medical diagnosis and treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject. The Company shall follow the necessary procedures to take the adequate measures determined by the Committee in the processing of Sensitive Personal Data.


2.4. Requirements for the Transfer of Personal Data

Our Company shall have the right to transfer Personal Data and Sensitive Personal Data of Personal Data Subjects to third parties in accordance with the Law by establishing the necessary confidentiality conditions and by taking security measures in line with the purposes of processing Personal Data. During the transfer of Personal Data, our Company shall act in accordance with the regulations stipulated in the Law. In this context, in line with legitimate and lawful purposes of processing Personal Data, our Company may transfer Personal Data if Personal Data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data Subject, based on and limited to one or more of the Personal Data processing requirements specified in Article No 5 of the Law, listed below:

  • If there is explicit consent of the Personal Data Subject,

  • If there is a clear provision in the laws regarding the transfer of Personal Data, if it is mandatory for the protection of the life or physical integrity of the Personal Data Subject or someone else, and

  • If the Personal Data Subject is unable to express his/her consent due to actual impossibility or if his/her consent is not legally valid,

  • Provided that it is directly related to the establishment or performance of a contract, if it is necessary to transfer the Personal Data of the parties to the contract,

  • If the transfer of Personal Data is mandatory for the fulfilment of our Company's legal obligations,

  • If the Personal Data is made public by the Personal Data Subject,

  • If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,


2.4.1. Requirements for the Transfer of Personal Data Abroad

By taking the necessary security measures in line with the purposes of processing Personal Data, our Company may transfer Personal Data and Sensitive Personal Data of Personal Data Subjects to third parties abroad. Personal Data may be transferred by our Company to foreign countries that are announced by the KVK Committee to have adequate protection. In the absence of adequate protection, such Personal Data may be transferred to foreign countries if the Data Controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the KVK Committee authorises such transfer.

2.5. Requirements for the Transfer of Sensitive Personal Data

The Company may transfer the Sensitive Personal Data of the Personal Data Subjects to third parties in the following cases in line with the legitimate and lawful Personal Data processing purposes by taking due care, taking the necessary security measures and taking adequate measures stipulated by the KVK Committee.

(i) If there is explicit consent of the Personal Data Subject; or

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Subject:

  • Sensitive Personal Data other than the health and sexual life of the Personal Data Subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, criminal conviction and security measures and biometric and genetic data) can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, in cases stipulated by law.

  • Sensitive Personal Data relating to the health and sexual life of the Personal Data Subject can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.


2.5.1. Transfer of Sensitive Personal Data Abroad

The Company may transfer the Sensitive Personal Data of the Personal Data Subject to foreign countries in the following cases, where the data controller has adequate protection or undertakes adequate protection, in line with the legitimate and lawful Personal Data processing purposes by taking due care, taking the necessary security measures and taking adequate measures stipulated by the KVK Committee.

(i) If there is explicit consent of the Personal Data Subject; or

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Subject:

  • Sensitive Personal Data other than the health and sexual life of the Personal Data Subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, criminal conviction and security measures and biometric and genetic data) can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, in cases stipulated by law.

  • Sensitive Personal Data relating to the health and sexual life of the Personal Data Subject can be transferred to persons or authorised institutions and organisations, who are bound by the obligation of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.


PART THREE

§ 3. PURPOSES OF PROCESSING AND TRANSFER OF PERSONAL DATA, PERSONS TO WHOM PERSONAL DATA SHALL BE TRANSFERRED

3.1. Purposes of Processing and Transferring Personal Data

Personal Data shall be processed in accordance with the Law and the purpose of the Law, limited to the following purposes, within the scope of the Personal Data Processing Requirements specified in Article No 5 and Article No 6 of the Law:

  • Optimal planning and implementation of the policies of human resources departments,

  • Proper planning, execution and management of the company's commercial partnerships and strategies,

  • Ensuring the legal, commercial and physical security of the Company and its business partners,

  • Ensuring the corporate functioning of the company, planning and execution of management and communication activities,

  • Ensuring that Personal Data Subjects benefit from the Company's products and services in the best way possible; customising and recommending these products and services according to the demands, needs and requests of Personal Data Subjects,

  • Ensuring data security at the highest level,

  • Creation of databases,

  • Improvement of the services offered on the website and elimination of any errors on the website,

  • Contacting the Personal Data Subjects who submit their requests and complaints to the Company and ensuring the management of such requests and complaints,

  • Management of events,

  • Management of relationships with business partners or suppliers,

  • Execution of basic processes related to recruitment of the personnel,

  • Supporting the planning and execution processes of the fringe rights and benefits to be provided to senior executives,

  • Execution/follow-up of financial reporting and risk management transactions,

  • Execution/follow-up of the legal affairs of the Company,

  • Performing studies to protect the reputation of the Company,

  • Managing the relationships with investors,

  • Providing information resulting from the legislation for competent authorities,

  • Creation and follow-up of visitor records.

In the event that the personal data is processed for the aforementioned purposes and does not meet any of the conditions stipulated under the Law, your explicit consent shall be sought by the Company with respect to the relevant processing activity.


3.2. Persons to whom Personal Data shall be Transferred

Personal Data may be shared with our business and solution partners, banks and third parties who perform technical, logistics and other similar operations on our behalf in order to ensure that the services provided to you are complete and flawless and only to the extent appropriate to the nature of the service. These third parties consist of persons who are obliged to have access to the relevant information in order to provide the relevant services fully and flawlessly.

Apart from these, your Personal Data may be transferred, limited only to the relevant persons or institutions, in case the Company has to share the data with other third parties in order to ensure complete and flawless delivery of the service, in case it is necessary for the Company to fulfil its legal obligations, in case it is expressly stipulated in the laws or in case there is a judicial/administrative order issued in accordance with the law.

A portion of the Personal Data may be shared with advertisers in an aggregated anonymised form together with information about other users only, in order to enable targeted tailoring of advertisements.

Anonymised data is information that cannot be associated with you, our visitors/customers, and does not contain your ID information or make your ID identifiable. In the case of anonymised data, your confidentiality is guaranteed.

PART FOUR

§ 4. METHOD AND LEGAL GROUNDS FOR THE COLLECTION OF PERSONAL DATA; DELETION, DESTRUCTION, ANONYMISATION AND RETENTION PERIOD OF PERSONAL DATA


4.1. Method and Legal Grounds for the Collection of Personal Data

For the purpose of ensuring compliance with Article No 1 concerning the purpose of the Law and Article No 2 concerning the scope of the Law, Personal Data shall be collected by all kinds of verbal, written, electronic, technical and other methods, through various means such as call centre, Company website, mobile application, in order to fulfil the purposes set out in the Policy, within the framework of legal grounds based on legislation, contract, demand and request, in order to fulfil the responsibilities arising from the law in a complete and accurate manner. In addition, such data shall be processed by the Company or the Data Processors authorised by the Company.


4.2. Deletion, Destruction or Anonymization of Personal Data

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymisation of Personal Data, the Company shall delete, destroy or anonymise Personal Data ex officio or upon the request of the Data Subject in the event that the grounds requiring the processing of Personal Data disappear, even though the data were processed in accordance with the provisions of this Law and other laws. Upon deletion of Personal Data, these data are destroyed in such a way that they cannot be used or recovered again in any way. Accordingly, Personal Data shall be irreversibly deleted from the documents, files, CDs, floppy disks, hard discs, etc. where they are stored/retained. Destruction of Personal Data refers to the destruction of materials suitable for storing/retaining data, such as documents, files, CDs, diskettes, hard discs, etc. where data is stored, so that the information cannot be recovered and used again. Anonymisation of Personal Data means that Personal Data cannot be associated with an identified or identifiable real person, even if it is matched with other data.


4.3. How Long Will The Personal Data Be Stored/Retained?

If stipulated in the legislation, the Company shall retain Personal Data for the period specified in this legislation. If a period of time is not prescribed in the legislation on how long personal data should be stored/retained, Personal Data shall be processed for the period required to be processed in accordance with the practices of the Company and the customs of the Company's commercial life, depending on the activity carried out by the Company while processing that data, and then deleted, destroyed or anonymised.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Company have come to an end, personal data may be retained only for the purpose of constituting evidence in possible legal disputes or for the assertion or defence of the relevant right related to personal data. Retention periods are determined based on the statute of limitations for asserting the aforementioned right, as well as examples of previous requests made to the Company on similar matters, even after the statute of limitations had expired. In this case, the retained personal data cannot be accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. Upon expiry of the aforementioned period, personal data are deleted, destroyed, or anonymised.

Detailed rules regarding the techniques of the Company regarding the retention, deletion, destruction, and anonymisation of Personal Data are available in the Company's Policy on Retention and Destruction of Personal Data.


PART FIVE

§ 5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

As per Article No 12 of the Law, the Company shall take the necessary technical and administrative measures aimed at ensuring the appropriate level of security in order to prevent unlawful processing of the Personal Data it processes, to prevent unlawful access to the data and to ensure the preservation of the data. In this context, it shall carry out the necessary audits or have them carried out.

5.1. Ensuring The Security Of Personal Data

5.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

In order to ensure the lawful processing of Personal Data, the Company shall take technical and administrative measures according to the technological possibilities and the cost of implementation.

(i) Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

  • The Personal Data processing activities carried out under the roof of the Company are supervised by the technical systems established.

  • The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

  • Personnel knowledgeable in technical issues are employed.

(ii) Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:

  • Employees are informed and instructed about the law on the protection of Personal Data and the processing of Personal Data in accordance with the law.

  • All activities carried out by the Company are analysed in detail for all business units. As a result of such analysis, Personal Data processing activities are revealed specific to the activities carried out by the relevant business units.

  • The Personal Data processing activities carried out by the business units of the Company, the requirements to be fulfilled in order to ensure that these activities comply with the Personal Data Processing Conditions sought by the Law are determined specifically for each business unit and the detailed activity it carries out.

  • In order to ensure the requirements of legal compliance determined on a business unit basis, awareness is raised specific to the relevant business units and rules of practice are determined. Necessary administrative measures are implemented through internal policies and training to ensure the supervision of these issues and the continuity of the implementation.

  • The contracts and documents governing the legal relationships between the Company and its employees include provisions imposing the obligation not to process, disclose or use Personal Data, except on the Company's instructions and under the exceptions imposed by law; employee awareness in this regard is raised, and the obligations arising from the Law are fulfilled by conducting inspections.


5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The Company adopts technical and administrative measures according to the nature of the data to be protected, technological capabilities and cost of implementation in order to prevent imprudent or unauthorised disclosure, access, transfer or any other unlawful access to Personal Data.

(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

  • Technical solutions for access and authorisation are put into use in accordance with the legal compliance requirements determined on a business unit basis.

  • Access authorisations are limited and authorisations are regularly reviewed.

  • The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism. Issues that pose a risk are re-evaluated and necessary technological solutions are produced.

  • Software and hardware including virus protection systems and firewalls are installed.

  • Personnel knowledgeable in technical issues are employed.

  • In order to identify security vulnerabilities in the applications where Personal Data is collected, security scans are carried out regularly. It is ensured that the detected vulnerabilities are eliminated.


(ii) Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Employees are trained on the technical measures to be taken to prevent unlawful access to Personal Data.

  • On a business unit basis, Personal Data access and authorisation processes are designed and implemented within the Company in accordance with the requirements of legal compliance with the processing of Personal Data.

  • Employees are advised that they cannot disclose the Personal Data they have acquired to anyone else in violation of the provisions of the Law and cannot use them for purposes other than processing, and that this obligation shall remain in force even after their resignation. The necessary undertakings are obtained from them accordingly.

  • In the contracts concluded by the Company with the persons to whom Personal Data are transferred in accordance with the law, provisions stipulating that the persons to whom Personal Data are transferred shall take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organisations shall be included.


5.1.3. Storage/Retention of Personal Data in Secure Environments

The Company shall take the necessary technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to store/retain Personal Data in secure environments and to prevent the destruction, loss or alteration of Personal Data for unlawful purposes.

(i) Technical Measures Taken for the Retention of Personal Data in Secure Environments

The main technical measures taken by the Company to retain Personal Data in secure environments are listed below:

  • Systems in line with technological developments are used to store Personal Data in secure environments.

  • Personnel specialised in technical issues are employed.

  • Technical security systems are installed for the storage areas, security tests and research are carried out to identify security vulnerabilities on IT systems, and existing or potential risk issues identified as a result of the tests and research are eliminated. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

  • In order to ensure the safe storage/retention of Personal Data, backup programs are used in accordance with the law.

  • Access to data is restricted and, limited to the purpose of retaining personal data, only authorised persons are allowed to access the media where personal data are retained, and all accesses are logged. Access to the data storage areas where Personal Data is stored is logged and inappropriate access or access attempts are instantly notified to the relevant persons.


(ii) Administrative Measures Taken for the Retention of Personal Data in Secure Environments

The main administrative measures taken by the Company to retain Personal Data in secure environments are listed below:

  • Employees are trained to ensure that Personal Data is stored/retained securely.

  • Legal and technical consultancy services are procured in order to closely follow the developments in the field of information security, privacy of private life and protection of personal data and to take necessary actions.

  • In the event that an outsourced service is procured by the Company due to technical requirements for the retention of Personal Data, in the contracts concluded with the relevant companies to which Personal Data are transferred in accordance with the law, provisions (stating that the persons to whom Personal Data are transferred shall take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organisations) shall be included.

5.1.4. Auditing the Measures Taken on the Protection of Personal Data

The Company carries out or has carried out the necessary audits within its own organisation in accordance with Article No 12 of the Law. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Company and necessary actions are taken for the improvement of the measures taken.


5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In the event that Personal Data processed in accordance with Article No 12 of the Law is obtained by others through unlawful means, the Company shall run the system that ensures that this situation is notified to the relevant Personal Data Subject and the KVK Committee as soon as possible. If deemed necessary by the KVK Committee, this situation may be announced on the website of the KVK Committee or by any other method.


5.2. Observing the Legal Rights of Personal Data Subjects

The Company observes all legal rights of Personal Data Owners regarding the implementation of the Policy and the Law and takes all measures necessary to protect these rights. Detailed information on the rights of Personal Data Subjects is provided in Part Six of this Policy.


5.3. Protection of the Sensitive Personal Data

The Law attributes special importance to certain Personal Data due to the risk of causing victimisation and/or discrimination when processed unlawfully. These data are data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The Company shows utmost sensitivity to the protection of Sensitive Personal Data, which is defined as ‘sensitive’ by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are also implemented with the utmost care in terms of Sensitive Personal Data and the necessary audits are carried out within the Company in this regard.


PART SIX

§ 6. RIGHTS OF THE PERSONAL DATA SUBJECT; EXERCISE AND EVALUATION OF RIGHTS


6.1. Informing the Personal Data Owner

In accordance with Article No 10 of the Law, the Company shall inform the Personal Data Owners during the acquisition of Personal Data. In this context, the Company provides information about the identity of its representative, if any, the purpose for which Personal Data shall be processed, to whom and for what purpose the processed Personal Data may be transferred, the method and legal grounds for collecting Personal Data and the rights of the Personal Data Subject.


6.2. Rights of the Personal Data Owner Pursuant to the Law on the Protection of Personal Data

Pursuant to Article No 10 of the Law, the Company informs you of your rights, provides guidance on how to exercise such rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. Pursuant to Article No 11 of the Law, the Company shall explain to the persons whose Personal Data are collected that they have the following rights:

  • To learn whether personal data is processed,

  • To request information if personal data is processed,

  • To learn the purpose of processing personal data and whether personal data is used for the right purposes,

  • To know the third parties to whom personal data are transferred, both within and outside the borders of the country,

  • To request correction of the personal data in case they are processed incorrectly or incompletely,

  • To request the deletion or destruction of Personal Data within the framework of the conditions set forth in Article No 7 of the Law,

  • To request notification of the transactions made pursuant to subparagraphs (d) and (e) of Article No 11 of the Law to third parties to whom personal data are transferred,

  • To object to results that conflict with the interests of the person in case processed data are analysed exclusively through automatic systems,

  • To request compensation for his/her damages in case he/she suffers due to incorrect processing of personal data.

6.3. Cases Where The Personal Data Subject Cannot Claim His/Her Rights

Since the following cases are excluded from the scope of the Law pursuant to Article No 28 of the Law, Personal Data Subjects cannot claim their rights listed in Article No (6.2.) of this Policy in the following cases:

  • Processing of Personal Data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that such Personal Data are not disclosed to third parties and obligations regarding data security are respected;

  • Processing of Personal Data for purposes such as research, planning and statistics by anonymising them with official statistics;

  • Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime;

  • Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public authorities and institutions entrusted and authorised by law to ensure national defence, national security, public safety, public order or economic security;

  • Processing of Personal Data by judicial authorities or execution authorities in connection with investigations, prosecutions, trials, or execution proceedings.

Pursuant to Article No 28/2 of the Law, in the cases listed below, Personal Data Subjects cannot claim their rights listed in Article No (6.2.) of this Policy, except for the right to claim compensation for damages:

  • If processing of Personal Data is necessary for the prevention of crimes or for criminal investigations;

  • If the personal data made public by the Personal Data Subject himself/herself is processed;

  • If the processing of Personal Data is necessary for the execution of supervisory or regulatory duties and disciplinary investigations or prosecutions by the competent public authorities and institutions and professional organisations in the nature of public institutions, based on the authority granted by the law;

  • If the processing of Personal Data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and financial matters.

6.4. Use of Rights of the Personal Data Subject

Personal Data Subjects shall be able to submit their requests regarding their rights listed in Article No (6.2.) of this Policy to the Company free of charge by filling out and signing the Application Form, which is available at the link www.evolog.com.tr, with the information and documents that shall verify their identities and by the methods specified below or by other methods determined by the KVK Committee:

(i) The Applicant shall fill in the Application Form and submit a wet signed copy of this Application Form in person or through a notary public to the following address: HALKALI MERKEZ MAHALLESI DEREBOYU CADDESI NO 56 KÜÇÜKÇEKMECE/ISTANBUL

(ii) The Applicant shall fill in the Application Form and sign it with a 'Secure Electronic Signature' within the scope of Law No 5070 on Electronic Signatures and then send the application form (bearing a Secure Electronic Signature) by registered e-mail to the following e-mail address: evolog@hs01.kep.tr

(iii) The Applicant shall come in person, submit the application form by using the electronic mail address previously notified to the Company and registered in the Company's system, by applying with a document verifying his/her identity and information and documents related to the subject of the application

In order for third parties to make an application request on behalf of personal data subjects, there must be a special power of attorney issued by the data subject through a notary public for the name of the person who will make the application.


6.5. The Method and Deadline for the Company to Respond to the Applications

Depending on the nature of the request, the Company shall finalise the requests included in the application free of charge as soon as possible, within thirty days at the latest. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the KVK Committee may be charged. The Company may either accept the request or reject it by explaining its reasoning and notify its response in writing or electronically. If the request in the application is accepted, the Company shall fulfil the requirements of the request.


6.6. The Right of the Personal Data Subject to File a Complaint to the KVK Committee

In the event that the application is rejected, the response is found insufficient or the application is not responded to in due time, the data subject shall have the right to file a complaint to the KVK Committee within thirty days from the date of receipt of the response and in any case within sixty days from the date of application.

PART SEVEN

§ 7. MANAGEMENT STRUCTURE OF THE COMPANY ACCORDING TO THE POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA


In order to manage this Policy and other policies related to and associated with this Policy, a Personal Data Committee is established within the Company in accordance with the decision of the senior management of the Company. The Personal Data Committee is authorised and tasked to take the necessary actions for the retention and processing of the data of the Personal Data Subjects in accordance with the Law, this Policy and other policies related to and associated with this Policy. The Policy on Retention and Destruction of Personal Data published on the Company's website contains detailed information regarding the persons assigned to the Personal Data Committee and their duties.


PART EIGHT

§ 8. UPDATE, COMPLIANCE AND AMENDMENTS

8.1. Update and Compliance

The Company reserves the right to make amendments to this Policy and other policies related to and associated with this Policy upon amendments to the Law, in accordance with the decisions of the KVK Committee or in line with the developments in the sector or in the field of IT.

Any amendments made to this Policy shall be immediately incorporated into the text and explanations regarding the amendments shall be disclosed at the end of the Policy.

8.2. Amendments

01.03.2019: The Policy on Processing and Protection of Personal Data is published.

*There are no earlier amendments.


