Hane Yazılım Bilişim Teknolojileri Limited Şirketi
PERSONAL DATA PROTECTION POLICY
I. DATA PRIVACY COMMITMENT
1.1. This Personal Data Protection Policy (“Policy”) determines the principles to be followed by Hane Software Information Technologies Limited Company (“Company”) while fulfilling its obligations to protect Personal Data and while processing Personal Data in accordance with the provisions of the relevant legislation, especially the Law on Protection of Personal Data No. 6698.
1.2. The Company undertakes to act in accordance with this Policy and the procedures to be applied in accordance with the Policy in terms of Personal Data within its own body.
II. PURPOSE OF THE POLICY
The main purpose of this Policy is to determine the principles regarding the methods and processes for the protection of Personal Data by the Company.
III. SCOPE OF THE POLICY
3.1. This Policy covers all activities related to Personal Data that the Company processes and is applied to such activities.
3.2. This Policy does not apply to Anonymized data or data that does not qualify as Personal Data.
3.3. This Policy may be changed from time to time, if required by the KVK Regulations or when the Company's Data Controller Representative or committee deems it necessary.
IV. DEFINITIONS
The definitions in this Policy have the following meanings:
“Explicit Consent” means the consent expressed by the Data Subject on the basis of being informed about the processing of his Personal Data and with free will.
“Anonymization” means making the Personal Data incapable of being associated with an identified or identifiable natural person in any way, even by matching it with other data.
“Anonymized Data” means data that cannot be related to a natural person in any way.
“Personal Health Data” means all kinds of health information relating to an identified or identifiable natural person as specified in the Regulation on the Processing and Privacy of Personal Health Data published in the Official Gazette dated 20.10.2016 and numbered 29863.
“Personal Data” means any information relating to an identified or identifiable natural person (within the scope of this Policy, the term “Personal Data” will also include “Special Quality Personal Data” and “Personal Health Data” defined below as appropriate).
“Personal Data Processing” means all kinds of operations performed on Personal Data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the Personal Data, by fully or partially automatic or non-automatic means provided that it is a part of any data recording system.
“Committee” means the committee responsible for the implementation of this Policy and the procedures to be applied in accordance with this Policy.
“Board” means the Personal Data Protection Board.
“KVKK” means the Law on Protection of Personal Data No. 6698.
“KVK Regulations” means all kinds of legislation, including the Law No. 6698 on the Protection of Personal Data and other relevant legislation on the protection of Personal Data, binding decisions, policy decisions, provisions, instructions and applicable international agreements on data protection, and other applicable laws and regulations issued by regulatory and supervisory authorities, courts and other official authorities.
“KVK Procedures” means the procedures that determine the obligations that the Company, employees, Committee and Data Controller Representative must comply with within the scope of this Policy.
“Special Quality Personal Data” refers to data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and to biometric and genetic data.
“Deletion or Destruction” means the irreversible deletion or destruction of Personal Data.
“Data Inventory” means the inventory containing information on the Company's Personal Data Processing activities, such as Personal Data Processing processes and methods, Personal Data Processing purposes, data category, third parties to whom Personal Data is transferred, etc.
“Data Processor” means the natural or legal person who processes Personal Data on behalf of the Data Controller, upon authorization by the Data Controller.
“Data Subject” means any natural person whose Personal Data is processed by or on behalf of the Company.
“Data Controller” refers to the natural or legal person who processes Personal Data by specifying the Processing purposes and Processing ways, and who is responsible for establishing and managing the data recording system.
“Data Controller Representative” means the representative responsible for the preparation and implementation of data management, privacy and security policies within the Company.
“Regulation” means the Regulation on the Processing of Personal Health Data and Ensuring Privacy, published in the Official Gazette dated 20.10.2016 and numbered 29863.
V. PRINCIPLES OF PERSONAL DATA PROCESSING
5.1. Processing of Personal Data in Compliance with Law and Integrity Rules
Personal Data is processed by the Company in accordance with the law and the rules of honesty and on the basis of proportionality.
5.2. Taking Necessary Precautions to Keep Personal Data Accurate and Up-to-Date When Necessary
The Company takes all necessary measures to ensure that Personal Data is complete, accurate and up-to-date. In case the Data Subject requests changes to Personal Data, it updates the relevant Personal Data.
5.3. Processing of Personal Data for Specific, Legitimate and Clear Purposes
Before the Processing of Personal Data, the purpose for which the Personal Data will be Processed is determined by the Company. In this context, the Data Subject is informed within the scope of KVK Regulations and their Explicit Consent is obtained when necessary.
5.4. Being Relevant, Limited and Proportionate to the Purpose for which Personal Data is Processed
The Company processes Personal Data only in exceptional cases within the scope of KVK Regulations (Articles 5.2 and 6.3 of the KVKK) or for the purpose within the scope of the Explicit Consent from the Data Subject (Article 5.1 and Article 6.2 of the KVKK) and in accordance with the principle of proportionality.
5.5. Retention of Personal Data as Necessary and Deletion Afterward
5.5.1. The Company retains Personal Data for as long as necessary for the purpose. In case the Company wishes to retain Personal Data for a longer period than required by the KVK Regulations or required by the Personal Data Processing purpose, the Company acts in accordance with the obligations specified in the KVK Regulations.
5.5.2. After the period required by the Personal Data Processing purpose expires, Personal Data is Deleted or Anonymized. The Company also ensures that the third parties to whom it transfers Personal Data Delete or Anonymize the Personal Data.
5.5.3. The Data Controller Representative and Committee are responsible for the operation of the Deletion and Anonymization processes. In this context, the necessary procedure is established by the Data Controller Representative and the Committee.
VI. PROCESSING PERSONAL DATA
Personal Data can only be processed by the Company within the scope of the procedures and principles set forth below.
6.1. Explicit Consent
6.1.1. In this case, Personal Data is processed after the Data Subjects have been notified within the framework of the Disclosure Obligation and have given their Explicit Consent.
6.1.2. Data Subjects are informed of their rights before Explicit Consent is obtained within the framework of the Disclosure Obligation.
6.1.3. Explicit Consent from the Data Subject is obtained by methods in accordance with the KVK Regulations. Explicit Consent is provably retained by the Company for the required period of time within the scope of KVK Regulations.
6.1.4. The Data Controller Representative and the Committee are obliged to ensure that the Disclosure Obligation is fulfilled in terms of all Personal Data Processing processes and that the Explicit Consent is obtained and maintained when necessary. All department employees who process Personal Data are obliged to comply with the instructions of the Data Controller Representative and the Committee, this Policy and the KVK Procedures annexed to this Policy.
6.2. Processing of Personal Data without Explicit Consent
6.2.1 In cases where the Processing of Personal Data is foreseen without the Explicit Consent within the scope of the KVK Regulations (Articles 5.2 and 6.3 of the KVKK), the Company may process the Personal Data without the Explicit Consent of the Data Subject. In case Personal Data is processed in this way, the Company processes the Personal Data within the limits drawn by the KVK Regulations. In this context:
6.2.1.1. Personal Data may be processed by the Company without Explicit Consent in order to protect the life or physical integrity of the Data Subject and/or a person other than the Data Subject, who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid.
6.2.1.2. Provided that the processing is directly related to the establishment, implementation, performance or termination of a contract, the Personal Data of the parties to the contract may be processed by the Company without the Explicit Consent of the Data Subjects.
6.2.1.3. If the processing of Personal Data is necessary for the Company to fulfill its legal obligation, Personal Data may be processed by the Company without the Explicit Consent of the Data Subjects.
6.2.1.4. Personal Data made public by the Data Subject may be processed by the Company without obtaining the Explicit Consent.
6.2.1.5. If the processing of Personal Data without Explicit Consent is the only possible way to establish, exercise or protect a right, Personal Data may be processed by the Company with the knowledge of the Data Controller Representative without obtaining the Explicit Consent.
6.2.1.6. Before or during the conclusion of the contract, Personal Data may be processed by the Company without Explicit Consent in order to meet the demands of the contracting parties.
VII. PROCESSING OF SPECIAL QUALITY PERSONAL DATA
7.1. Sensitive Personal Data can only be processed if the Explicit Consent of the Data Subject is available or, for Sensitive Personal Data other than sexual life and personal health data, if the processing is explicitly required by law.
7.2. Personal Data related to health and sexual life can only be processed without Explicit Consent for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. Therefore, until otherwise stipulated in the KVK Regulations, Personal Health Data and sexual life data can only be processed within the scope of Explicit Consent or by the Company physician, who is under the obligation to keep secrets.
7.3. While processing Special Quality Personal Data, the measures determined by the Board are taken.
7.4. In any case that requires the Processing of Special Quality Personal Data, the Data Controller Representative is informed by the relevant employee.
7.5. If it is not clear whether a piece of data is Special Quality Personal Data or not, the opinion of the Data Controller Representative is taken by the relevant department.
VIII. DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA
8.1. Personal Data are Deleted or Anonymized when the legitimate purpose for their Processing ceases. Situations where Personal Data needs to be deleted or made Anonymous are followed up by the Data Controller Representative and the Committee.
8.2. The Data Controller Representative and Committee are responsible for the operation of the Deletion and Anonymization processes. In this context, the necessary procedure is established by the Data Controller Representative and the Committee.
8.3. The Company does not store Personal Data considering the possibility of future use.
IX. TRANSFERRING PERSONAL DATA AND PROCESSING PERSONAL DATA BY THIRD PARTIES
The Company may transfer Personal Data to a third natural or legal person (“Contractor”) in accordance with the KVK Regulations. In this case, the Company ensures that the third parties to which it transfers Personal Data also comply with this Policy. In this context, the necessary protective provisions are added to the contracts concluded with third parties. The clause to be added to the contracts concluded with third parties to whom any kind of Personal Data is transferred is obtained from the Data Controller Representative. Each employee is obliged to go through the process in this Policy in case of Personal Data transfer. In case the third party to whom Personal Data is transferred requests a change in the clause conveyed by the Data Controller Representative, the employee immediately notifies the Data Controller Representative.
9.1. Transfer of Personal Data to Third Parties in Turkey
9.1.1. Personal Data may be transferred by the Company to third parties in Turkey without explicit consent in exceptional cases specified in Article 5.2 and Article 6.3 of the KVKK, or on condition that the Explicit Consent of the Data Subject is obtained in other cases (Article 5.1 and Article 6.2 of the KVKK).
9.1.2. Company employees and Data Controller Representative are jointly responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the KVK Regulations.
9.2. Transfer to Third Parties Located Abroad
9.2.1. Personal Data may be transferred by the Company to third parties in Turkey without explicit consent in exceptional cases specified in Article 5.2 and Article 6.3 of the KVKK, or on condition that the Explicit Consent of the Data Subject is obtained in other cases (Article 5.1 and Article 6.2 of the KVKK).
9.2.2. In case the Personal Data is transferred without Explicit Consent in accordance with the KVK Regulations, one of the following conditions must additionally be present with respect to the foreign country to which it will be transferred:
9.2.2.1. The foreign country to which the Personal Data is transferred is among the countries given the status of adequate protection by the Board (for the list, please follow the current list of the Board).
9.2.2.2. If the foreign country where the transfer will take place is not included in the safe countries list of the Board, the Company and the data controllers in the relevant country make a written commitment that adequate protection will be provided and obtain permission from the Board.
9.2.3. Company employees and Data Controller Representative are jointly responsible for ensuring that the transfer of Personal Data to third parties abroad complies with the KVK Regulations.
9.3. Transfer of Personal Health Data
9.3.1. Personal Health Data is not transferred by the Company without Anonymization.
9.3.2. Personal Health Data may be transferred by the Company to public institutions and organizations only if it is expressly stipulated in the laws and for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
9.3.3. In case of transferring Personal Health Data without Anonymization, the Company Data Controller Representative is notified and in this case, the Data Controller Representative takes the necessary measures to fulfill the obligations under the KVK Regulations for the transfer of Personal Health Data.
9.3.4. Company employees and Data Controller Representative are jointly responsible for ensuring that the transfer of Personal Health Data complies with the KVK Regulations.
X. COMPANY'S DISCLOSURE OBLIGATION
10.1. The Company informs the Data Subjects before the Processing of Personal Data in accordance with Article 10 of the KVKK. In this context, the Company fulfills its Disclosure Obligation during the acquisition of Personal Data. The notification to be made to the Data Subjects within the scope of the Disclosure Obligation includes the following elements, respectively:
10.1.1. Identity of the Data Controller and his representative, if any,
10.1.2. For what purpose the Personal Data will be processed,
10.1.3. To whom and for what purpose the Processed Personal Data can be transferred,
10.1.4. Method and legal reason for collecting Personal Data,
10.1.5. Rights of Data Subjects.
10.2. In accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the KVKK, the Company provides the necessary information in case the Data Subject requests information.
10.3. If requested by the Data Subjects, the Company notifies the Data Subject of the Data Subject's Personal Data that it processes.
10.4. The employee who follows the relevant process and the Data Controller Representative are jointly responsible for ensuring that the necessary Disclosure Obligation is fulfilled before the Processing of Personal Data. In this context, the necessary KVK Procedure is created by the Data Controller Representative and the Committee in order to report each new processing process to the Data Controller Representative.
10.5. In case the Data Processor is a third party other than the Company, the third party must undertake by a written contract, before the Personal Data Processing starts, to act in accordance with the obligations stated above. In relations where third parties transfer Personal Data to the Company, the clause to be added to the contracts is obtained from the Data Controller Representative. Each employee is obliged to go through the process in this Policy in case Personal Data is transferred to the Company by a third party. In case the third party transferring Personal Data requests a change in the clause conveyed by the Data Controller Representative, the employee immediately notifies the Data Controller Representative.
XI. RIGHTS OF DATA SUBJECTS
11.1. The Company responds to the following requests of the Data Subjects, whose Personal Data it holds, in accordance with the KVK Regulations:
11.1.1. Learning whether the Company processes their Personal Data,
11.1.2. Learning which Personal Data the Company processes,
11.1.3. Learning whether the Company transfers their Personal Data,
11.1.4. Learning the third parties to whom the Company transfers their Personal Data and the identity of the Data Controller and the Data Processor of those third parties,
11.1.5. Learning the purpose for which the Company processes their Personal Data,
11.1.6. Requesting the Company to update their Personal Data,
11.1.7. Requesting the Company to Delete, Anonymize or Destroy Personal Data,
11.1.8. Obtaining a copy of Personal Data held by the Company.
In cases where Data Subjects want to exercise their rights and/or think that the Company does not act within the scope of this Policy while processing Personal Data, they can contact the Company Data Controller using the contact information below.
Data Controller: Hane Software Information Technologies Limited Company
E-mail: doktoruzman.com@gmail.com
Post: Aksu mahallesi, OMÜ caddesi, NO: 165, Teknopark Atakum, Samsun, Turkey
Phone: 0850 220 02 37
11.2. In case the Data Subjects submit their requests regarding their rights listed above in writing to the Company, the Company will conclude the request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is foreseen by the Board, the fee in the tariff determined by the Board is charged by the Company.
XII. DATA MANAGEMENT AND SECURITY
12.1. The Company appoints a Data Controller Representative and establishes a Data Protection Committee in order to fulfill its obligations under the KVK Regulations, to establish the necessary KVK Procedures for the implementation of this Policy and to supervise them.
12.2. All employees involved in the relevant process, Committee members and Data Controller Representative are jointly and severally responsible for the protection of Personal Data in accordance with this Policy and KVK Procedures.
12.3. Personal Data Processing activities are audited by the Company with technical systems according to technological possibilities and application costs.
12.4. Personnel knowledgeable in technical matters related to Personal Data Processing activities are employed.
12.5. Company employees are informed and trained about the protection and legal processing of Personal Data.
12.6. The necessary KVK Procedure is established in order to ensure that the employees who need access to Personal Data in the company have access to the said Personal Data, and the Data Controller Representative and the Committee are jointly responsible for its creation and implementation.
12.7. Company employees can access Personal Data only within the authorization defined for them and in accordance with the relevant KVK Procedure. Any access and processing done by the employee in excess of his/her authority is against the law and is a reason for termination of the employment contract with just cause.
12.8. If the company suspects that the security of the Personal Data is not adequately provided, or detects such a security gap, the company immediately notifies the Data Controller Representative of the situation.
12.9. Detailed KVK Procedure for the security of Personal Data is created by the Data Controller Representative and the Committee.
12.10. Each person assigned a Company device is responsible for the security of the devices allocated to him/her.
12.11. Each Company employee or person working within the Company is responsible for the security of the physical files within their area of responsibility.
12.12. In the event that there are security measures requested or to be requested additionally for the security of Personal Data within the scope of KVK Regulations, all employees are obliged to comply with additional security measures and to ensure the continuity of these security measures.
12.13. In the Company, software and hardware including virus protection systems and firewalls are installed in accordance with technological developments to keep Personal Data in secure environments.
12.14. Backup programs are used and adequate security measures are taken in order to prevent the loss or damage of Personal Data in the Company.
12.15. Documents containing Personal Data in the Company are protected by encrypted systems. In this context, Personal Data is not stored in common areas or on the desktop. Documents such as files and folders containing Personal Data are not moved to the desktop or a public folder. Without the prior written consent of the Data Controller Representative, the information on Company computers cannot be transferred to USB or similar devices, and cannot be taken out of the Company.
12.16. The Committee and Data Controller Representative are responsible for taking technical and administrative measures for the protection of all Personal Data in the Company, constantly following the developments and administrative activities, and preparing and announcing the necessary KVK Procedures, ensuring that they are complied with and supervising them. In this context, the Committee and the Data Controller Representative organize the necessary trainings to increase the awareness of the employees.
12.17. If a department within the Company processes Sensitive Personal Data, this department is informed by the Data Controller Representative about the importance, security and confidentiality of the Personal Data it processes, and the relevant department acts in accordance with the instructions of the Data Controller Representative. Access to Special Quality Personal Data is given only to a limited number of employees; the list of these employees is kept and followed up by the Data Controller Representative.
12.18. All of the Personal Data processed within the Company are considered as "Confidential Information" by the Company.
12.19. Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data will continue after the termination of the business relationship, and a commitment has been received from the Company employees to comply with these rules.
of the company reports to the Data Controller Representative any work, transaction or action that he or she considers to be contrary to the procedures and principles set forth in the KVK Regulations and within the scope of this Policy. In this context, the necessary KVK Procedure is created by the Committee and the Data Controller Representative.
15.2. As a result of the notifications made, the Data Controller Representative is obliged to notify the Data Subject or the authorized Board regarding the acts or events of violation, taking into account the provisions of the applicable legislation on the subject, especially the provisions of the KVK Regulations. In case of violations, the action plan is also created by the Data Controller Representative.
XVI. RESPONSIBILITIES
Responsibility within the Company lies, in order, with the employee, the department and the Data Controller Representative. In this context:
16.1. The Committee members responsible for the implementation of the Policy and the Representative of the Data Controller are appointed by the Company management.
16.2. For actions contrary to the Policy, the KVK Procedures and the KVK Regulations, the employees who operate the process causing the violation, and the relevant Committee members and Data Controller Representative who do not take any action in this regard despite it being reported to them, are, in that order, jointly and severally liable.
XVII. CHANGES TO THE POLICY
17.1. This Policy may be changed by the Company from time to time.
17.2. The Company shares the updated Policy text with its employees via e-mail so that the changes it has made on the Policy can be reviewed, and makes it available to the employees and Data Subjects via the following web address.
Related web address: https://www.doktoruzman.com/proctectionofpersoneldata
XVIII. EFFECTIVE DATE OF THE POLICY
This Policy was approved by the Company's Board of Directors on 10.12.2020 and entered into force.