Privacy Policy


GIPTA OFFICE STATIONERY and PROMOTIONAL PRODUCTS MANUFACTURING INDUSTRY INC. PERSONAL DATA PROCESSING, PROTECTION, STORAGE, AND DESTRUCTION POLICY ANKARA – 2020

1. INTRODUCTION

1.1. PURPOSE AND SCOPE OF THE POLICY

Law No. 6698 on the Protection of Personal Data (“Law”) entered into force on 7 April 2016. This GIPTA OFİS KIRTASİYE VE PROMOSYON ÜRÜNLERİ İMALAT SANAYİ A.Ş. (“GIPTA OFİS KIRTASİYE”) Personal Data Processing and Protection Policy (“Policy”) aims to ensure GIPTA OFİS KIRTASİYE’s compliance with the Law and to determine the principles to be followed by the Authority in fulfilling its obligations regarding the protection and processing of personal data. Personal data refers in particular to identity information; contact information such as IP, address, telephone and e-mail addresses; vehicle and licence plate information; family status information; job title, profession and workplace information; graduation and professional experience information; and photographs, images and similar information.

The Policy determines the conditions for processing personal data and sets out the main principles adopted by the institution in the processing of personal data. In this context, the Policy covers all personal data processing activities within the scope of the Law, all owners of personal data processed by the Institution and all personal data processed by the Institution.

In the event that personal data is shared with the Authority, the Authority, as the Data Controller, will be able to obtain, record, store, maintain, update, modify, reorganise, disclose, transfer, share, classify, anonymise, and process personal information within the framework described in the Law, in cases and to the extent permitted by the legislation, and in other ways listed in the Law.

Regarding your personal data processed by the Institution, the principles of processing personal data and special categories of personal data, the purpose and conditions of processing such data, the practices and principles regarding the transfer of the processed data in the country and its destruction, and your rights on that data are notified to you below.

The Institution will act in accordance with the procedures and processes set out in this Policy in order to comply with the KVKK and other relevant regulations and to carry out the processing, use, destruction, transfer and other handling of personal data in accordance with the Law and other regulations.

1.2. DEFINITIONS

Explicit Consent: It is the consent regarding a specific subject, based on the information of the person concerned and expressed with the free will of the person concerned.

Open Data: Anonymised data that is made available to everyone over the internet free of charge or at a cost not exceeding the cost of preparation, does not have any intellectual property rights and can be freely used for any purpose, can be read by machines and thus can work together with other data and systems.

Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller.

Anonymisation: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Relevant User: Persons who process personal data within the organisation of the data controller or in accordance with the authorisation and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Contact Person: The person responsible for ensuring the communication between the data controller and the data subject or the Personal Data Protection Authority. If the data controller is a legal person resident in Turkey, it is obliged to appoint a contact person and to enter the information of this contact person into VERBIS during registration with the Data Controllers Registry.

Law: Law dated 24.03.2016 and numbered 6698 on the Protection of Personal Data.

Blackout: Processes such as crossing out, colouring and blurring the whole of personal data in a way that cannot be associated with an identified or identifiable natural person.

Recording Medium: Any medium in which personal data is processed by fully or partially automated or non-automated means, provided that it is part of any data recording system.

De-identification: Processing of personal data in such a way that it cannot be associated with the person concerned without being combined with other data stored in a different environment, provided that technical and administrative measures are taken to ensure that personal data cannot be associated with an identified or identifiable natural person.

Personal Data Processing Inventory: It is the inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes of processing personal data, data category, transferred recipient group and data subject group, and detail the maximum time required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

Personal Data Owner/Related Person: The natural person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable natural person.

Destruction of Personal Data: Deletion, destruction or anonymisation of personal data.

Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Deletion of Personal Data: The process of making personal data inaccessible and non-reusable in any way for the relevant users.

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Board: Personal Data Protection Board.

Masking: Processes such as deleting, crossing out, colouring and starring certain areas of personal data so that they cannot be associated with an identified or identifiable natural person.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data are personal data of special nature.

Periodic Destruction: The process of deletion, destruction or anonymisation to be performed ex officio at recurring intervals specified in the personal data retention and destruction policy in case all the conditions for processing personal data specified in the Law disappear.

Registry: The registry of data controllers kept by the Personal Data Protection Authority (VERBIS).

Third Party: Third party real persons who are related to these persons in order to ensure the security of commercial transactions between our institution and the above-mentioned parties or to protect the rights of the aforementioned persons and to obtain benefits (For example, employees or officials of the company from which service is received, visitors, etc.).

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller.

Data Recording System: The recording system in which personal data is structured and processed according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Destruction: The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.

Visitor: Natural persons who have entered the physical areas owned by our organisation for various purposes or who visit our websites.

2. RESPONSIBILITIES and DUTIES

All units and employees of the Institution actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law. They do so by properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, by training and raising the awareness of unit employees, and by monitoring and continuous supervision. The distribution of the titles, units and job descriptions of those involved in the processing, storage and destruction of personal data is given in Table 1.

| Title / Unit | Mission |
|---|---|
| Employer / Employer Representative | Responsible for employees to act in accordance with the policy. |
| Human Resources, Finance / Accounting, Sales / Marketing Unit, Security Unit, Legal Unit, Secretariat / Customer Representative, Purchasing Unit | Responsible for the execution of the policy in accordance with their duties. |
| Real and Private Law Legal Entities (Lawyer, Occupational Safety Expert, Workplace Physician, Independent Financial Advisor, Consultant, etc.) | They are obliged to process, store and destroy the personal data they receive from the Institution in accordance with the matters specified in the confidentiality agreement and this policy and the relevant law. |

Table 1

3. THE PURPOSES OF THE ORGANISATION FOR PROCESSING DATA, PROCESSED DATA AND DATA SUBJECT PERSON GROUPS

3.1. DATA SUBJECT PERSON GROUPS

Data subjects within the scope of the Policy are all natural persons other than the employees of the organisation whose personal data are processed by the organisation. In this context, the categories of data subjects are as follows:

Employee: Refers to real persons employed at the workplace.

Employee Candidate: Refers to real persons who apply for a job.

Trainee/Apprentice: Refers to natural persons doing internship for vocational education and training.

Family Members and Relatives: It refers to the family and relatives of the Apprentice / Trainee Student.

Parent / Guardian / Representative: It refers to the real persons who have custody representing the trainees under custody.

Event Participant: Refers to real persons who participate in meetings and events organised by the institution.

Visitor: Refers to real persons who come to visit the organisation.

Supplier: It refers to the authorised person acting on behalf of the real and legal entity that provides services to the institution in line with the needs of the institution.

Supplier Employee: A real person who is employed by the supplier and produces goods or services on behalf of the supplier.

Authority / Representative of the Institution: Refers to real persons authorised to represent the institution.

Reference Person: Refers to the real person who is a reference to the job applicant.

Third Parties: Refers to natural persons other than the above-mentioned categories of data subjects and employees of the organisation.

Data subject categories are specified for general information sharing purposes. The fact that the data subject does not fall within the scope of any of these categories does not eliminate the nature of the data subject as stated in the Law.

3.2.1. PERSONAL DATA PROCESSING PURPOSES FOR THE EMPLOYEE / EMPLOYEE CANDIDATE / SUPPLIER EMPLOYEE / INTERN

Your personal data and special categories of personal data may be processed by the Institution for the following purposes in accordance with the personal data processing conditions in the Law and the relevant legislation:

  • Fulfilment of obligations arising from the employment contract for employees and the Labour Law No. 4857 and related regulations,
  • Carrying out the relevant processes under the Social Insurance and General Health Insurance Law No. 5510 and related regulations,
  • Creation of personal file,
  • Carrying out occupational health and safety activities within the framework of the Occupational Health and Safety Law No. 6331 and related regulations,
  • Execution of fringe benefits and benefit processes stipulated by law,
  • Creation of emergency plan and determination of emergency teams,
  • Prevention of unauthorised access to personal data and protection of confidentiality,
  • Carrying out the job application, evaluation and placement process,
  • Carrying out suggestion, request, complaint and survey activities,
  • Carrying out audit and disciplinary processes,
  • Fulfilment of the obligations related to the law on the regulation of publications on the internet and combating offences committed through these publications,
  • Keeping records related to trainings such as occupational health and safety training, vocational qualification trainings, on-the-job trainings, etc.,
  • Identification of employees authorised to access, process or transfer personal data within the framework specified by law,
  • Execution of activities in accordance with the legislation and fulfilment of legal obligations,
  • Evaluation of the performance of all kinds of products and services produced in the workplace,
  • Tracking and control of entries and exits to and from the workplace, tracking with biometric data (fingerprint / hand / face recognition etc.) in the Attendance Tracking System,
  • Ensuring the physical space and life safety of employees,
  • Carrying out the necessary assignment processes within or outside the workplace,
  • Follow-up and execution of legal affairs,
  • Carrying out communication activities, planning human resources processes,
  • Execution / supervision of business activities,
  • Keeping records of all kinds of health checks carried out within the scope of occupational health and safety activities, provided that they are limited to preventive medicine, medical diagnosis and treatment purposes in paragraph 3 of Article 6 of the Law, sharing these results with the workplace physician, employer representative and authorised public institutions and organisations in order to evaluate these results and fulfil the legal obligation,
  • Receiving and evaluating suggestions for the improvement of business processes,
  • Carrying out activities to ensure business continuity,
  • Organisation and event management, Performance evaluation processes,
  • Printing of business cards, creation of corporate mail identity,
  • Ensuring that the packages received by cargo and courier are forwarded to the relevant employee,
  • Use of vehicle tracking system for the safety of employees using vehicles belonging to the workplace and for the execution of work,
  • Execution of contract processes, follow-up of requests and complaints,
  • Execution of supply chain management processes,
  • Fulfilment of the wage obligation arising from the employment contract,
  • Providing information to authorised persons, institutions and organisations,
  • Making payments regarding the salary garnishment deductions of employees’ salaries to the execution files,
  • Fulfilment of all kinds of court orders,
  • Managing the management activities, power of attorney and signature circular processes to be carried out within the scope of assignment with representation,
  • Carrying out service and transport activities,
  • If the prospective employees give their consent, verifying your data with the reference persons listed in your CV, contacting the relevant persons and confirming the information in the job application form,
  • Execution of processes regarding the processing and transfer of your identity, photographs and images for the purposes of event management, training, promotion, marketing and corporate communication activities, if you consent,
  • Carrying out the necessary processes for travel, accommodation, excursions, organisations and events at home and abroad, if you give your consent,

3.2.2 PERSONAL DATA PROCESSING PURPOSES FOR THE VISITOR

  • For the detection and control of entrances and exits,
  • Recording of camera footage for privacy and security reasons in the workplace,
  • Due to accidents that our visitors may face due to the execution of the work within the boundaries of the workplace (Occupational Health and Safety Obligation)
  • In order to identify the relevant person in case of any dispute / unfair act and other situations arise,

3.3. DATA CATEGORY DEFINITIONS

Identity Card: Name-Surname, Turkish ID Number, Mother-Father Name, Mother’s Maiden Name, Date of Birth, Place of Birth, Marital Status, Identity Card Serial Number, Family Sequence No, Sequence No, Volume No, City of Registration, District of Registration, Neighbourhood / Village of Registration, Gender, Nationality, Last Validity Date.

Contact: Open address, telephone number, corporate or personal e-mail address, internal contact information (Internal No. etc.), registered electronic mail address (KEP), (including family members and relatives)

Location: Location information in the vehicle tracking system,

Personnel Information: Payroll Information, Disciplinary Investigation Information, Employment Information (Date of Employment, Occupation Code, etc.), Institution Title Information, Institution Registry Number Information, Job / Duty Information, Curriculum Vitae Information, Property Declaration Information, Military Status, Leave Information (Paid and Unpaid Leaves All), Working Hours / Shift Information, Foreign Work Permit Information, Consent Information (Overtime, Parent or Guardian Approval, etc.), Performance Evaluation Reports, Retirement Information, Job Requests, Complaints and Suggestions Information,

Legal Transaction and Compliance Information: Personal data processed within the scope of determination, follow-up and fulfilment of our legal receivables and rights and our legal obligations and compliance with the policies of the Institution.

Customer Transaction Information: Invoice Information, Promissory Note Information, Cheque Information, Receipt Information, Order Information, Goods / Service Request Information, Box Office Receipts and similar information,

Professional Experience Information: Diploma Information, Professional Qualification Information, Course Attended Information, Certificate Information, Vehicle / Operator Driving Licence Information (Including Work Machine, Commercial, Private Vehicle), Transcript Information (Higher Education, School and Trainee Information), Bonservis / Service / Work Information and similar information,

Family Members and Relatives Information: Personal data of employees’ family members and relatives.

Physical Space Security Information: Personal data related to camera recordings taken at the entrance to the physical space, during the stay in the physical space and documents such as identity cards etc.

Transaction Security: Website Login and Logout Information, Password Information, IP Address Information and internet access records during the use of the internet and computers belonging to our organisation.

Financial Information: Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our institution with the personal data owner.

Audio and Visual Data Information: Records such as photographs, audio and video recordings.

Special Categories of Data – Health Information: Document / information showing the health status that must be obtained from employees in accordance with the legislation.

Special Categories of Data – Criminal Conviction and Security Measures: Criminal record given by judicial authorities,

Vehicle Licence Plate Information: The information on the licence plate of the vehicle for the purpose of tracking visitors to the institution or identifying the vehicles of employees.

3.3.1. PERSONAL DATA PROCESSED IN TERMS OF EMPLOYEE / EMPLOYEE CANDIDATE / SUPPLIER EMPLOYEE / INTERN

Personal data provided to us by the Employees / Employee Candidates / Supplier Employees / Interns themselves may be processed. Your processed personal data includes the information you provide in the job application form, identity, contact, location, personal, legal action, physical space security, finance, professional experience, audio-visual records, transaction security, health information, criminal conviction and security measures, biometric data, reference person information, family and relative data, vehicle license plate information and similar information.

3.3.2. PERSONAL DATA PROCESSED IN TERMS OF THE VISITOR

Visitor visual data; closed circuit security camera images, visitor identification information, vehicle information, the organization and title of the visitor.

4. PRINCIPLES and TERMS REGARDING THE PROCESSING OF PERSONAL DATA

4.1. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

Your personal data is processed by the Institution in accordance with the personal data processing principles set out in Article 4 of the Law. These principles must be complied with for each personal data processing activity:

  • Processing personal data in accordance with the law and honesty rules: The Authority acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data. It attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of data subjects.
  • Personal data being accurate and up to date: Attention is paid to whether your personal data processed by the Institution is up to date and whether the relevant checks are made. In this context, data subjects are given the right to request correction or deletion of their inaccurate and outdated data.
  • Processing of personal data for specific, explicit and legitimate purposes: The Authority determines the purposes of data processing before each personal data processing activity and ensures that these purposes are not unlawful.
  • Personal data being relevant, limited and proportionate to the purpose for which it is processed: The data processing activity is limited by the Authority to the personal data necessary to fulfill the purpose of collection, and necessary steps are taken to ensure that personal data not related to this purpose are not processed.
  • Retention of personal data for the period required by the legislation or processing purposes: Personal data are deleted, destroyed or anonymized by the Authority after the purpose of personal data processing is eliminated or upon expiration of the period stipulated in the legislation.

4.2. CONDITIONS FOR THE PROCESSING OF PERSONAL DATA

Your personal data is processed by the Institution in the presence of at least one of the personal data processing conditions specified in Article 5 of the Law. Explanations regarding these conditions are given below:

  • Explicit consent of the personal data owner: In cases where other data processing conditions do not exist, in accordance with the general principles under the heading 3.1., the personal data of the data owner can be processed by the Authority with the free will of the data owner, having sufficient information about the personal data processing activity, in a manner that leaves no room for hesitation and only limited to that transaction.
  • In case the personal data processing activity is explicitly stipulated in the laws, personal data may be processed by the Authority without the explicit consent of the data subject. In this case, the Authority will process personal data within the framework of the relevant legal regulation.
  • In the event that the explicit consent of the data subject cannot be obtained due to actual impossibility and personal data processing is mandatory, personal data belonging to the data subject who is unable to disclose his consent or whose consent cannot be validated by the Authority will be processed by the Authority in the event that personal data processing is mandatory to protect the life or physical integrity of the data subject or a third person.
  • If the personal data processing activity is directly related to the establishment or performance of a contract, personal data processing activity will be carried out if it is necessary to process personal data belonging to the parties of the contract established or already signed between the data subject and the Authority.
  • If it is mandatory to carry out personal data processing activities in order to fulfill the legal obligation of the data controller, the Authority processes personal data in order to fulfill its legal obligations stipulated under the applicable legislation.
  • If the data owner has made his/her personal data public, the personal data that has been disclosed to the public in any way by the data owner and made publicly available to everyone as a result of publicization can be processed by the Authority limited to the purpose of publicization, even without the explicit consent of the data owners.
  • In the event that personal data processing is mandatory for the establishment, exercise or protection of a right, the Authority may process the personal data of the data subject without the explicit consent of the data subjects within the scope of the obligation.
  • Provided that it does not harm the fundamental rights and freedoms of the data subject, if data processing is mandatory for the legitimate interests of the data controller, personal data may be processed by the Authority, provided that the balance of interests of the Authority and the data subject is observed. In this context, in the processing of data based on legitimate interest, the Authority first determines the legitimate interest to be obtained as a result of the processing activity. It evaluates the possible impact of the processing of personal data on the rights and freedoms of the data subject and performs the processing activity if it is of the opinion that the balance is not impaired.

4.3 CONDITIONS FOR THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

  • Article 6 of the Law specifies a limited number of special categories of personal data. These are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
  • The Authority may process sensitive personal data in the following cases by ensuring that additional measures determined by the Personal Data Protection Board are taken:
  • Sensitive personal data other than health and sexual life can be processed if the data subject gives explicit consent or if it is explicitly stipulated by law.
  • Sensitive personal data relating to health and sexual life can be processed without seeking the explicit consent of the data subject, within the scope of Law No. 6331 on Occupational Health and Safety (OHS) (Workplace Medicine services), only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing, by persons under the obligation of confidentiality or authorized institutions and organizations.

5. TRANSFER OF PERSONAL DATA

  • In accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the Authority may transfer personal data to domestic institutions and organizations in the presence of the conditions for the transfer of personal data.
  • Your personal data may be transferred by the Authority to third parties in the country in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law and explained under Title 3 of this Policy, provided that the basic principles regarding the data processing conditions are complied with.
  • Within the general principles of the Law and the data processing conditions in Articles 8 and 9, the Authority may transfer data to the parties categorized in the table below.

5.1. PERSONAL DATA TRANSFERRED IN TERMS OF EMPLOYEE / EMPLOYEE CANDIDATE / SUPPLIER EMPLOYEE / INTERN

Legally Authorized Public Institution and Organization

Scope: Public institutions and organizations legally authorized to receive information and documents from the institution (e.g. Ministry of Family, Labor and Social Services, SSI)

Purpose of Transfer: The data is shared in order to fulfill the employer’s responsibilities or legal obligations against the employees, which are clearly stipulated in the laws.

Legally Authorized Private Institutions or Persons

Scope: Private law persons legally authorized to receive information and documents from the institution (e.g. Lawyer, Occupational Safety Expert, Workplace Physician, Independent Financial Advisor)

Purpose of Transfer: Sharing of data limited to the purpose of fulfilling the obligations specified in the Labor Law No. 4857, Social Security and General Health Insurance Law No. 5510 and Occupational Health and Safety Law No. 6331

Public Data

Scope: Publication of employees or executives of the organization on the web, social media, newsletters or written visual media for activities such as events, organizations or corporate advertising.

Purpose of Transfer: Corporate advertising and marketing.

Supplier (Service, Catering, etc.)

Scope: Parties that provide services for the organization to continue its commercial activities in line with the instructions received from the organization and based on the contract between the organization and these parties.

Purpose of Transfer: Transfer limited to the receipt of outsourced services from the supplier.

5.2. PERSONAL DATA TRANSFERRED FROM THE POINT OF VIEW OF THE VISITOR

Legally Authorized Public Institution and Organization

Scope: Judicial Authorities, Police Units, Hospitals and Health Institutions

Purpose of Transfer: It is transferred for the purpose of fulfilling confidentiality, security, safety of life and property, and occupational health and safety obligations.

6. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR PERSONAL DATA

  • Network security is provided for computers containing personal data.
  • The security of personal data stored in the cloud is ensured.
  • Training and awareness raising activities on data security are carried out periodically for employees.
  • Persons authorized to access personal data have been identified and an authorization matrix has been created.
  • In accordance with Law No. 5651, appropriate access records are kept regularly.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • Data masking measures are applied when necessary.
  • Confidentiality undertakings are made with institutions and organizations to which personal data are transferred.
  • Employees who change their duties or leave their jobs have their authorization to access personal data revoked.
  • Up-to-date anti-virus systems and firewalls are in place.
  • Signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken for entry and exit to and from physical environments containing personal data.
  • The security of environments containing personal data is ensured.
  • Personal data is minimized as much as possible.
  • User account management and authorization control system are implemented and monitored.
  • Internal periodic and/or random audits are carried out and it is checked whether the confidentiality of personal data is ensured.
  • Access records are kept without user intervention.
  • Risks and threats regarding possible personal data breaches have been identified.
  • Protocols and procedures for the security of sensitive personal data have been determined and implemented.
  • If sensitive personal data is to be sent via electronic mail, it is sent encrypted and by using KEP or a corporate mail account.
  • Data processing service providers are periodically audited on data security.
  • Awareness of data processing service providers on data security is ensured.

7. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA

Pursuant to Article 7 of the Law, even where personal data has been processed in accordance with the law, the Authority deletes, destroys or anonymizes it ex officio or upon the request of the data subject if the reasons requiring its processing cease to exist. Even where the purpose of processing has ended and the retention periods under the relevant legislation have expired, the retention period may be extended solely in order to constitute evidence in possible legal disputes, to assert the relevant right related to the personal data, or to establish a defense. In this case, the stored personal data is not accessed for any other purpose, and access is provided only when the data is required in the relevant legal dispute. After the statute of limitations for asserting the aforementioned right expires, the personal data are deleted, destroyed or anonymized.

7.1 RECORDING MEDIA

Personal data are processed and stored by the organization on personal computers, mobile devices, information security devices (firewall, modem), paper and printed visual media.

7.2 LEGAL GROUNDS FOR RETENTION

Personal data processed within the framework of the activities of the Authority are retained for the period stipulated in the relevant legislation.

In this context, personal data are retained for the retention periods stipulated under the following laws and the other secondary regulations in force pursuant to them:

  • Law No. 6698 on the Protection of Personal Data,
  • Turkish Commercial Code No. 6102,
  • Law No. 213 on Tax Procedure,
  • Turkish Code of Obligations No. 6098,
  • Public Procurement Law No. 4734,
  • Law No. 5510 on Social Security and General Health Insurance,
  • Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications,
  • Law No. 6331 on Occupational Health and Safety,
  • Law No. 6502 on Consumer Protection,
  • Law No. 4982 on Access to Information,
  • Law No. 3071 on the Exercise of the Right to Petition,
  • Labor Law No. 4857,
  • Law No. 5434 on Retirement Health,
  • Law No. 2828 on Social Services,
  • Regulation on Occupational Health and Safety Services.

7.3 PROCESSING PURPOSES REQUIRING RETENTION

Article 2 of the policy describes in detail the data processing purposes of the organization.

7.4 REASONS REQUIRING DESTRUCTION

Personal data are deleted, destroyed or anonymized by the institution, ex officio or upon the request of the person concerned, in the following cases:

  • The relevant legislative provisions that constitute the basis for processing are amended or abrogated,
  • The purpose requiring processing or storage ceases to exist,
  • Where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his/her explicit consent,
  • Pursuant to Article 11 of the Law, the institution accepts the application made by the person concerned regarding the deletion and destruction of his/her personal data within the framework of his/her rights,
  • Where the Authority rejects the application made by the person concerned requesting the deletion, destruction or anonymization of his/her personal data, gives an answer the person finds inadequate, or does not respond within the period stipulated in the Law, the person files a complaint with the Board and the Board approves this request,
  • The maximum period for which the personal data is required to be retained has expired and there are no circumstances that would justify retaining the personal data for a longer period of time.

7.5 DELETION OF PERSONAL DATA

Personal data stored on personal computers and electronic media are irretrievably deleted by the data subject when the retention period expires.

Personal data in physical media are torn up/destroyed in a way that cannot be recovered by the relevant person when the retention period expires.

7.6 RETENTION AND DESTRUCTION PERIODS BY PROCESS

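| Data Owner | Process | Storage Time | Destruction Period |
|---|---|---|---|
| Employee | Contract Processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Product or Service Recipient | Contract Processes | 10 Years from Contract Expiration | At the first periodic destruction following the end of the storage period |
| Employee | Emergency Processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Supplier Employee | Emergency Processes | 15 Years from Contract Expiration | At the first periodic destruction following the end of the storage period |
| Employee | Information Security Processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Supplier Officer | Information Security Processes | 15 Years from Contract Expiration | At the first periodic destruction following the end of the storage period |
| Supplier Employee | Information Security Processes | 15 Years from Contract Expiration | At the first periodic destruction following the end of the storage period |
| Employee Candidate | Execution of Employee Candidate / Intern / Student Application, Selection and Placement Processes | 5 Years from Job Application Date | At the first periodic destruction following the end of the storage period |
| Intern | Execution of Employee Candidate / Intern / Student Application, Selection and Placement Processes | 5 Years from Job Application Date | At the first periodic destruction following the end of the storage period |
| Employee | On-the-job training, certified training and similar training processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Supplier Employee | On-the-job training, certified training and similar training processes | 15 Years from Contract Expiration | At the first periodic destruction following the end of the storage period |
| Employee | Occupational Health / Safety Processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Intern | Occupational Health / Safety Processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Supplier Employee | Occupational Health / Safety Processes | 15 Years from Contract Expiration | At the first periodic destruction following the end of the storage period |
| Product or Service Recipient | Customer Relationship Management Processes | 10 Years | At the first periodic destruction following the end of the storage period |
| Potential Customer | Customer Relationship Management Processes | 10 Years | At the first periodic destruction following the end of the storage period |
| Employee | Personal Filing Processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Supplier Employee | Personal Filing Processes | 15 Years from Contract Expiration | At the first periodic destruction following the end of the storage period |
| Product or Service Recipient | Advertising / Campaign / Promotion Processes | 5 Years | At the first periodic destruction following the end of the storage period |
| Potential Customer | Advertising / Campaign / Promotion Processes | 5 Years | At the first periodic destruction following the end of the storage period |
| Employee; Product or Service Recipient / Potential Customer; Visitor; Supplier Employee; Supplier Officer; Shareholder / Partner | Camera Recordings | 2 months | At the first periodic destruction following the end of the storage period |
| Employee; Product or Service Recipient; Visitor; Supplier Employee; Supplier Officer; Shareholder / Partner | Internet Access Records | 2 Years | At the first periodic destruction following the end of the storage period |
| Employee | Financial Records Required for Salary and Contract Processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Intern | Financial Records Required for Salary and Contract Processes | 15 Years from the Termination of Employment | At the first periodic destruction following the end of the storage period |
| Product or Service Recipient | Financial Records Required for Salary and Contract Processes | 10 Years | At the first periodic destruction following the end of the storage period |
| Shareholder / Partner | Financial Records Required for Salary and Contract Processes | Legal Relationship + 30 Years | At the first periodic destruction following the end of the storage period |
| Employee; Event Participant; Intern | Organizations such as trips, events, meetings, etc. | 10 years from the end of the organization | At the first periodic destruction following the end of the storage period |
| Employee; Intern; Product or Service Recipient; Potential Customer | Evaluation of Information Requests, Customer Complaints and Suggestions | 5 Years from the Application Date | At the first periodic destruction following the end of the storage period |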

8. WEBSITE VISITORS

On the websites owned by the Institution, visitors' internet movements within the site are recorded by technical means in order to ensure that visitors carry out their visits in accordance with the purposes of those visits, to show them customized content, and to engage in online advertising activities.

9. CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT INSIDE THE INSTITUTION BUILDING

The camera surveillance activity carried out by the Authority is carried out in accordance with the Law on Private Security Services and the relevant legislation. In order to ensure security in its buildings and facilities, the Authority carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the Law. The personal data owner is informed by the Institution in accordance with Article 10 of the Law.

For the camera surveillance activity carried out by the Authority, this Policy is published on the website of the Authority and a notification letter regarding the monitoring is posted at the entrances of the areas where the monitoring is carried out. In accordance with Article 4 of the Law, the Authority processes personal data in a limited and measured manner in connection with the purpose for which they are processed. No monitoring is carried out in areas where it may result in interference with a person's privacy that exceeds the security purposes. Only a limited number of employees of the Institution have access to the live camera images and to the records recorded and stored in digital media. The limited number of people who have access to the records declare, through a confidentiality undertaking, that they will protect the confidentiality of the data they access.

10. MONITORING OF VISITOR ENTRANCES AND EXITS CARRIED OUT INSIDE THE BUILDING

The Institution carries out personal data processing activities to monitor visitor entrances and exits in its buildings and facilities, for the purposes of ensuring security and for the purposes specified in this Policy, and limited to those purposes. Persons who come to the Authority's buildings as visitors are informed within this scope either while their names and surnames are being obtained, or through texts posted in the institution or otherwise made available to visitors.

11. ENSURING THE SECURITY OF PERSONAL DATA

As an institution, we take the necessary administrative and technical measures, within the framework of the necessary technological infrastructure, to ensure the security of your personal data that we process within the framework of company activities in accordance with the Law and the relevant legislation. To this end, we carry out the necessary audits and take measures against data breach, unauthorized access, data loss, unauthorized modification of data and other threats. If a data breach still occurs despite all these measures and precautions, we notify the relevant persons and the Personal Data Protection Authority as soon as possible and within 72 hours at the latest.

In this context, we identify existing risks and threats, conduct awareness raising activities by training our employees, and determine policies and procedures regarding personal data security. The administrative and technical measures taken by our organization to ensure “data security” in accordance with Article 12 of the law are stated below and necessary controls are carried out in order to implement these measures properly.

12. DISCLOSURE AND RIGHTS OF DATA SUBJECTS

According to Article 10 of the Law, data subjects must be informed about the processing of personal data before or at the latest at the time of processing personal data. Pursuant to the relevant article, the necessary structure has been established within the Authority to ensure that data subjects are informed in every situation where personal data processing activities are carried out by the Authority as the data controller.

In this context;

Please review section 2.2 of the Policy for the purpose of processing your personal data.

Please see Section 4 of the Policy for the parties to whom your personal data is transferred and the purpose of transfer.

Please refer to section 3.2 of the Policy to review the conditions for processing your personal data, which can be collected through different channels in physical or electronic media.

Regarding the personal data processed within the scope of the activities of the Institution, data owners may apply to exercise the following rights listed in Article 11 of the Law and Article 10 of the Relevant Regulation:

  • To learn whether their personal data and/or personal health data are being processed,
  • To request information if their personal data and/or personal health data have been processed,
  • To access and request their personal health data,
  • To learn the purpose of processing personal data and/or personal health data and whether they are used in accordance with their purpose,
  • To know the third parties to whom personal data and/or personal health data are transferred domestically or abroad,
  • To request correction of personal data and/or personal health data in case of incomplete or incorrect processing,
  • To request the deletion or destruction of personal data under the conditions stipulated in Article 7 of the Law and the deletion of personal health data under the conditions stipulated in Article 9 of the Regulation,
  • To request that the third parties to whom personal data/personal health data are transferred be notified of the transactions made in accordance with the principles specified in subparagraphs (f) and (g) of this article,
  • To object to the emergence of a result to the detriment of the person himself/herself through the analysis of the processed data exclusively by automated systems,
  • To demand compensation for the damage in case of damage due to unlawful processing of personal data.

In matters related to the processing of your personal data, you may apply by filling out the “Personal Data Request Form” available on the Company’s website and by “proving your identity” by using one of the methods specified in the form. If you exercise your rights and make an application on the above-mentioned issues, your requests in your application will be finalized free of charge according to the nature of the request and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board.

Responses to data subject applications by the Authority are notified to data subjects in writing or electronically. If the application is rejected, the reasons for rejection will be explained to the data subject with justification.

13. SCOPE OF THE LAW and RESTRICTIONS REGARDING ITS APPLICATION

The following situations are outside the scope of the Law:

  • Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that the personal data is not disclosed to third parties and the obligations regarding data security are complied with.
  • Processing of personal data for purposes such as research, planning and statistics by anonymizing personal data with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures.

In the cases listed below, the Authority is not required to notify the data subjects and the data subjects will not be able to use their rights specified in the Law, except for their rights regarding the compensation of their damages:

  • Processing of personal data is necessary for the prevention of crime or criminal investigation,
  • Processing of personal data made public by the data subject himself/herself,
  • Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the assigned and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law,
  • Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

14. EFFECTIVENESS and AMENDMENT

The Policy has been published by “GIPTA OFİS KIRTASİYE” on its website and made public. In case of conflict between the legislation in force, especially the Law, and the regulations in this Policy, the provisions of the legislation shall apply.

“GIPTA OFİS KIRTASİYE” reserves the right to make changes to the Policy in parallel with legal regulations. The current text of the Policy can be accessed from the website of the Institution at http://www.gipta.com.tr.