KVKK ILLUMINATION TEXT
Terms of the policy cover all information systems and sub information, contracts, environments and physical areas included in the subject and area of activities of Hage Grup and all systems and settings produced therefor.
This policy applies to all units, staff of the company providing support service, visitors, third parties, interns and contract employees of Hage Grup.
The purpose of Personal Data Protection Policy and System is to ensure that Hage Grup develops and realizes its standards regarding personal data management, to determine and support the organizational objectives and responsibilities, to establish control mechanisms in compliance with the acceptable risk level of Hage Grup, to fulfill responsibilities that ‘Hage Grup’ is subject to as per international conventions, the Constitution, the Law, contracts, and codes of practice with respect to personal data protection and to secure the benefits of the individuals in the best way possible.
In case they violate this policy in any way whatsoever, all units, company staff providing support service, interns and contract employees will be subjected to disciplinary regulations of Hage Grup and if the violation in question constitutes any crime or misdemeanor, relevant authorities are notified accordingly as soon as possible.
The solution partners of Hage Grup, who have access to or have a possibility to access personal data, and all third parties working with Hage Grup are encouraged to read and to abide by this policy. No third party can provide access to personal data processed by Hage Grup without signing a written confidentiality agreement which stipulates responsibilities whose standards are at least as strict as the ones of Hage Grup and the supervising right of Hage Grup thereon.
Explicit consent: means freely given, specific and informed consent,
Anonymization: means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
President: means President of the Personal Data Protection Authority
Data subject: (natural person concerned) means the natural person, whose personal data are processed
Personal data: means any information relating to an identified or identifiable natural person,
Sensitive personal data: The data regarding the race, ethnicity, political view, philosophical belief, religion, sect and other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal records and security precautions as well as biometric and genetic data of the individuals,
Processing of personal data: means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
KVKK: Personal Data Protection Act no: 6698,
The Board: means the Personal Data Protection Board,
Authority: means the Personal Data Protection Authority,
Data Processor: means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
Data filling system: means the system where personal data are processed by being structured according to specific criteria,
Data controller: means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
The members of the Committee of KVK with expertise and experience in personal data protection legislation and practices are assigned by the Board of Directors and they directly report to the Board of Directors.
All data processing activities must be conducted in compliance with data protection principles provided hereinbelow. The policy and procedures of Hage Grup aspire to ensure compliance with these principles:
In line with this, Hage Grup publishes clarification texts/privacy notices on their personal data processing activities on data collection channels. Hage Grup determines the areas where these notices, which include explicit and clear information with respect to which data is processed for which purposes, are to be available and declared. These notices cover the items listed hereinbelow:
Data Subjects have the rights listed hereinbelow regarding the data processing activities about them at Hage Grup:
The data subjects demand access to their personal data and demand to exercise their right listed hereinabove. Regarding these demands, the responses are given within 30 days. The processes for receiving, communicating and responding to demands are conducted according to the Demand Management Procedure.
Data subjects may deliver their requests by mailing to firstname.lastname@example.org as e-mail.
Regardless of their job definition, all employees of Hage Grup are liable to direct data subjects about the right application method regarding their access demands submitted to them. The staff of Hage Grup must be informed and trained about how to handle the demands of data subjects.
Hage Grup considers the consent that is given by the data subject regarding specified data processing activities and based on notification and that manifests the decision to have their data processed by their freewill by written/oral declaration and/or explicit confirmatory act as explicit consent. When it comes to sensitive data, explicit consent must absolutely be received in written form. Explicit consent may always be retrieved by the data subject.
Explicit consent may be received by having explicit consent form template signed by data subject or by making a contract with the data subject or including the items covered by this template in the electronic form. Explicit consent regarding the routinely processed personal data of employees, prospective employees and customers are received by means of relevant contracts and forms.
In case the data processing activities based on explicit consent is continuous or to be repeated, a single list of people whose explicit consents are received is kept by the relevant unit. The relevant unit is responsible for keeping this list correct and up to date. Explicit consent forms regarding data processing activities based on explicit consent and relevant proofs are kept by relevant unit.
All employees are responsible for keeping the personal data processed by Hage Grup and under their responsibility secure.
Personal data must be accessible to solely the ones required to access such data. Security of the personal data is maintained as per KVK Policy of Hage Grup and related documents.
Data security incidents regarding personal data is communicated as soon as possible to the Board of KVK and the relevant person by Hage Grup.
With respect to the transfer of personal data abroad, list of countries where adequate protection is available prepared by the Board of KVK is taken into consideration.
When it comes to transferring personal data abroad, it is ensured that required permit and notification procedures before the Board of KVK are conducted as per relevant legislation.
In the scope of Data Controller Registry Information System, data processing purposes for personal data processing activities conducted by Hage Grup are as such:
|PERSONAL DATA SUBJECT CATEGORY||DEFINITIONS|
|Prospective Employee||Real persons who have applied for a job at Hage Grup in any way or who have submitted their CV’s and related information for Hage Grup to view.|
|Employee||The employees whose personal data is processed within the framework of activities related to events, employee satisfaction, human resources, audit, maintaining the security of information technologies and infrastructure and legal compliance that are conducted by Hage Grup .|
|Supplier’s Employee||Employee of the party that provides services to Hage Grup based on contract and in compliance to the orders and instructions given by Hage Grup while Hage Grup conducts its business activities.|
|Authorized Personnel of the Supplier||Authorized Personnel of the party that provides services to Hage Grup based on contract and in compliance to the orders and instructions given by Hage Grup while Hage Grup conducts its business activities.|
|Customer (Person Purchasing Product or Service)||Regardless of whether there is a contractual relationship with Hage Grup, the real persons whose personal data is obtained through the business relationships within the scope of operations conducted by the business units of Hage Grup.|
|Legal Guardian, Guardian, Representative||The persons whose personal data is obtained at Hage Grup and who hold a title of legal guardian, guardian or representative.|
|Visitor||Real persons who enter the physical campuses of Hage Grup for various purposes or who visit our websites.|
|Other (Speaker)||Real persons who give a speech at the exhibitions held by Hage Grup.|
|PERSONAL DATA CATEGORIES||DEFINITIONS|
|Identity Information||The data includes information regarding the identity of the person: full name, TR identity number, nationality, place of birth, date of birth, sex, workplace, registry number, tax identification number, title, biography etc. as well as documents such as occupational ID, ID and passport|
|Contact Information||The information such as telephone number, address, e-mail address, fax number etc.|
|Process Security Information||Your personal data processed for us to provide our technical, administrative, legal and business security while conducting our activities (e.g. log records, IP information, identity authentication information)|
|Customer Process Information||Information such as call center records, invoice, bill, check information, information on teller receipts, order information, demand information|
|Personnel Information||Personnel data such as payroll information, disciplinary proceeding, employment/leaving job certificate records, declaration of property information, CV information, and performance evaluation reports|
|Prospective Employee Information||The information that may be involved in the CV of the prospective employee|
|Location||Location information of where the person is etc.|
|Legal Transaction Information||Personal data processed within the scope of establishment and follow-up of legal debt and rights, discharge of our debts, our legal liabilities and compliance with the policies of our Company|
|Financial Information||Personal data processed regarding any information, document and records that manifests any sort of financial result created based on the type of relationship between Hage Grup and personal data subject as well as data such as bank account number, IBAN, income information, debt/credit information|
|Risk Management||Such as data processed for the management of business, technical and administrative risks|
|Physical Environment Security Data||The data regarding the records and documents taken at the entry of the physical environment and during the visit such as camera records, vehicle information records and the records taken at the security point|
|Occupational Experience||Information such as diploma, the courses attended, on-the-job training, certificates and transcript|
|Visual and Auditory Data||Photograph and camera recordings (except for the records in the scope of Physical Environment Security Data) and voice records|
|Health Data||Information about disabilities, blood type, personal health, medical device and prosthesis etc.|
|Criminal Records and Security Precautions||Information regarding criminal records and security precautions|
|Association Membership||Association membership information etc.|
|Philosophical Belief, Religion, Sect and Other Beliefs||Information regarding other beliefs, religious attachment, philosophical belief, sect attachment etc.|
|SHARED PARTY CATEGORY||DEFINITION||SHARING PURPOSE|
|Real persons or private law legal persons||Private law legal persons who have the power to obtain information and document from the Company as per relevant legislation provisions||It is limited to the demanded purpose within the limits of the legal power of relevant private law persons.|
|Public||All real and legal persons||It is limited to the purpose of being publicly shared by Hage Grup.|
|Business Partners||The parties with whom Hage Grup has established a business partnership with various purposes such as conducting their business activities||It is limited to the purpose ensuring that the goals of the partnership are achieved.|
|Suppliers||Parties that provide services to Hage Grup based on contract and in compliance to the orders and instructions given by Hage Grup while Hage Grup conducts its business activities||It is limited to the purpose ensuring that the services that are outsourced from the supplier and that are required to conduct Company’s business activities|
|Affiliates and Subsidiaries||The companies of which the Company is a shareholder||It is limited to ensuring that the business activities that require the contribution of the affiliates of the Company are conducted.|
|Suppliers||The parties that provide services to Hage Grup based on contract and in compliance to the orders and instructions given by Hage Grup within the scope of conducting business activities of Hage Grup||It is limited to the purpose ensuring that the services that are outsourced from the supplier and that are required to conduct Company’s business activities|
|Group Companies||All companies that constitute Hage Grup||It is limited to purposes such as planning strategies regarding the business activities of the Company and conducting of the activities as well as audit.|
|Authorized State Institutions and Organizations||State institutions and organizations that have power to obtain information and documents from the Company as per relevant legislation provisions||It is limited to the demanded purpose within the limits of the legal power of authorized state institutions and organizations.|
Personal data, may not be kept any longer than the period of time required for its processing purposes. The classification of the records that include personal data and the storage period therefor are stipulated by Storage and Destruction Policy.
When the storage period is over or upon the rightful demand of the data subject, personal data is anonymized, deleted or destroyed as per Storage and Destruction Policy so that the real person who is the data subject cannot be identified.
Document Ownership and Approval
The owner of this document is the Committee of KVK and it is responsible for reviewing this document regularly as per review requirements specified hereinabove.
The updated version of this document has been made available to all Hage Grup staff on common areas and has been published at the website of the company.