i. Introduction
ii. Objective
iii. Scope
iv. Definitions
v. General Principles of Personal Data Processing
vi. Conditions of Personal Data Processing
vii. Conditions of Processing Sensitive Personal Data
viii. Company’s Duty to Disclose
ix. Acquiring Express Consent
x. Matters Regarding Personal Data Protection
xi. Protecting the Rights of the Relevant Person and Evaluating the Enquiries of the Relevant Person
xii. Circumstances wherein the Relevant Person Cannot Fully or Partially Exercise Their Rights
xiii. Exercise of the Rights of the Relevant Person and Application Form to Data Administrators
xiv. Transmission of Personal Data and Third-Party Processing
xv. Data Transmission to Third Parties within Turkey
xvi. Data Transmission to Third Parties Abroad
xvii. Personal Data Retention Period
xviii.Retention and Disposing of Personal Data
xix. Inspection
xx. Enforcement of the Policy and Requirements to Remain Current
Ulukok Technology Services JSC / Relate (Ulukok Teknoloji Hizmetleri AS / Relate), “Company” or “our Company”, attaches great importance to the protection of fundamental rights and freedoms of others, particularly to the right to privacy set out in Article 20 of the Constitution of the Republic of Turkey, in protecting and processing Personal Data. Therefore, the Company assumes a careful manner in lawfully protecting and processing Personal Data in compliance with the Law on Protection of Personal Data No 6698 (6698 Sayili Kisisel Verilerin Korunmasi Kanunu), “Statute” or “KVKK Law”, and behaves with care throughout all action-planning and operations. Our Company takes the necessary steps to protect and process Personal Data in a cautious and careful manner not only to ensure compliance with laws, but also due to the high value we have for people. With this policy, our Company presents its principles to be adopted and regarded when protecting and processing Personal Data.
This Privacy Policy, “Policy”, aims to perform its activities lawfully to comply with the KVKK Law, KVKK Board decisions, and secondary legislations; and informing data owners in a transparent and accurate manner.
This Policy encompasses all actions in relation to the Personal Data processed by the Company and is applied to these actions.
Express Consent: Informed and free consent.
Explicitation: With its lexical meaning being “the process of making something explicit or known to everybody”, the concept of “Explicitation” is one of the exceptions of the KVKK Law Article 5 requirement to “obtain Express Consent to process Personal Data”.
Anonymisation: The process of removing and modifying personally identifiable information aiming that it cannot be associated with any one individual.
Duty to Disclose: Data Administrator’s obligation to inform data owners on by whom their data will be shared, with who their data will be shared, for what purpose their data will be shared, and on what legal grounds their data will be shared.
Company: Persons who process personal data within the data administrating organisation or with the authority and instructions given by Data Administrators excluding the person or department who are responsible for the technical storage, protection, and backup of the relevant personal data; ie our company Ulukok Technology Services JSC / Relate.
Disposing: Destroying, wiping, erasing, blurring, or anonymising personal data.
Data Processing: All operations on data that are fully or partially automated, or unautomated and as a part of any Data Recording System; which include collection, obtention, save, storage, preservation, adaptation or alteration, retrieval, disclosure, transmission or dissemination, organisation or categorisation, takeover, or restriction, and so forth.
Board/Board of KVKK: Board of the protection of Personal Data.
Institution: Institution of the protection of Personal Data, consisting of the Board of KVKK and the Presidency.
Relevant Person: Data owner whose data is subject to Data Processing.
Personal Data: All data belonging or in relation to identifiable and unidentifiable person(s).
Automated Data Processing: Automatic processing activities performed by devices with processors such as computers, phones, and watches within algorithms generated through software and hardware, without human interference.
Sensitive Personal Data: All data concerning one’s racial or ethnic origin, political opinions, philosophical belief, religious faith, appearance, trade-union membership, health, sexual life or orientation, criminal convictions and other security measures, and biometric or genetic data.
Data Administrator: Natural or legal person who determines the means and objectives of Data Processing and is responsible for establishing and managing Data Recording Systems.
Registry: Registry of Data Administrators.
Data Processor: Natural or legal person who processes Personal Data on behalf of Data Administrator with the authority granted by Data Administrator.
Data Recording System: Recording system in which Personal Data are processed by configuring these data based upon certain criteria.
Data Category: Groupings of Personal Data categorised based upon common characteristics.
1. Lawfulness, Fairness, and Transparency: Our Company processes Personal Data in compliance with the relevant legislation and good faith, uses Personal Data within the frame of the relevant legislations and honesty, and behaves in a way in which the Company prevents results that the Relevant Person does not and need not anticipate from occurring. Our Company ensures the transparency of the Personal Data Processing, and acts in accordance with its duties to inform and to warn.
2. Accuracy: Our Company ensures the Personal Data that it processes in consideration of the rights and legitimate interests of data owners are correct and up to date. In doing so, our Company places great importance on ensuring that the source of the data in question are clear, verifying its accuracy, and evaluating whether the data need to be updated. Our Company ensures, in compliance with our duty of care, that the routes that provides that the information of the data owner is accurate are available.
3. Processing for Specified, Explicit, and Legitimate Purposes: Our Company establishes its purpose for processing explicitly and precisely and ensures the legitimacy of this purpose. Legitimacy means that the Personal Data processed by our Company are in connection with, and necessary for, its work or its services. Our Company does not process Personal Data for any other purpose beyond these purposes. Therefore, we carefully cater for compliance with the principle of specific and explicit purposes in our legal operations and texts wherein these purposes are expounded.
4. Being Adequate, Relevant, and Limited to Purpose: Our Company ensures that the Personal Data in question are feasible to realise the determined purposes and abstains from processing Personal Data that are neither relevant nor needed. Our Company does not collect or cannot process Personal Data for purposes that do not exist and are expected to occur subsequently. For the purpose of meeting the needs of probable purposes that may subsequently occur, our Company realises the lawful conditions for Personal Data Processing as though it is beginning to process Personal Data for the first time. Additionally, we keep our Personal Data Processing proportionate to what is necessary and ensure reasonable balance between Data Processing and the purpose.
5. No Longer than Necessary for the Purpose or Foreseen by the Law: Our Company complies with the time period set out by relevant legislations for data storage; and in the event of no time period set out by law, we ensure storing Personal Data for as long as our processing purpose requires. Where there is no longer a valid cause for our Company to store Personal Data; the data in question shall be erased, destroyed, blurred, or anonymised. The procedures of the storage and disposing of Personal Data are comprehensively contained in our Storage and Disposing of Personal Data Policy.
1. Personal Data can only be processed by the Company as the following rules and procedures allow:
2. Personal Data Processing operations shall, in any event, have the following 3 elements for the operations to be lawful:
a. Compliance with the general principles,
b. Processing under one of the Data Processing conditions,
c. Informing the Relevant Person.
3. Personal Data can be processed by obtaining Express Consent from the Relevant Person after the Duty to Disclose is discharged. Express Consent shall be obtained in accordance with the terms of KVKK Law. In the event that KVKK Law does not foresee such requirement, Personal Data shall be processed without the Express Consent of the Relevant Person. Circumstances wherein Personal Data can be processed without Express Consent are as follows (Article 5(2)):
a. If explicitly foreseen by the law: When clearly provided by the law, Personal Data can be processed without Express Consent from the Relevant Person.
b. If, in the event that the Relevant Person cannot give their Express Consent due to factual impossibilities or their consent falls short of legal validity, it is necessary in order to protect against a threat deathly or grievous bodily harm to themselves or someone else: When events in which Express Consent cannot be obtained or is invalid occur, Our Company processes Personal Data without Express Consent for the purpose of protecting persons’ life or bodily integrity.
c. If, provided that it is in direct relation to the forming or performance of a contract, processing Personal Data owned by the parties to the contract is necessary: In such events, in the nature of things, our Company processes Relevant Person’s Personal Data without Express Consent limited to this purpose.
d. If Data Processing is necessary in order to fulfil the Company’s legal obligations: Our Company processes Relevant Person’s Personal Data in circumstances that require such occurrence to fulfil its legal obligations as Data Administrator.
e. If data owner has made it explicit: Limited to making explicit, our Company may process Personal Data that have been made explicit, or in any way made public, by the Relevant Persons.
f. If Data Processing is necessary for granting, use, or protection of a right: Our Company processes Personal Data without the Express Consent of the Relevant Persons in circumstances that requires Data Processing for the use or protection of a legitimate right.
g. If, on condition that it shall not harm the fundamental rights and freedoms of Personal Data owners, Data Processing is necessary for the legitimate interests of data owners: In such circumstances, our Company may process Relevant Person’s Personal Data without their Express Consent. Our Company emphasises the importance of compliance with the general principles of Personal Data Processing and pay regard to the balance of interests of the persons with relation to our Company. Legitimate interest refers to a legitimate, effective to the degree of comparing to the fundamental rights and freedoms of the person, specific, and existing interest. Our Company takes additional precautionary measures to protect the rights of the Relevant Persons. Our Company ensures a reasonable balance between our interests and the fundamental rights and freedoms of the Relevant Persons.
1. In processing such data, our Company takes measures set out by the Board.
1. In compliance with Article 10 of the Statute, our Company informs Personal Data owners when obtaining Personal Data. According to Article 10; the reasons for which Personal Data will be processed, to whom and for what reasons Personal Data can be transmitted, the methods and legal purposes of Personal Data collection, and the rights of Personal Data owners must be explained.
1. Provided that it does not fall within the scope of Article 5(2), our Company carries out its Personal Data Processing activities by obtaining Express Consent. In circumstances set out in Article 5(2), our Company does not acquire Express Consent from the Relevant Person to avoid deception.
2. Our Company, in any case, fulfils its Duty to Disclose even when our Personal Data Processing activities are performed with Express Consent. Company’s Duty to Disclose and the requirement of Express Consent are not mutually exclusive and are carried out independently of one another.
3. Express Consent is obtained through written/printed or online Express Consent protocols.
1. In accordance with the law, our Company takes all kinds of necessary technical and administerial measures aiming to securely protect Personal Data and to provide the proper security level to prevent Personal Data from unlawful processing and access. These technical and administerial measures are comprehensively contained in our Storage and Disposing of Personal Data Policy. Our Company regularly carries out conformity activities with the KVKK Law to ensure compliance with the Statute and other legislations.
2. Our Company takes all necessary technical and administerial measures, within its technological facilities and performance budget, to prevent relevant Data Administrators and Data Processors from unlawfully disclosing Personal Data to third parties and using it beyond the processing purpose. In this regard, our Company conducts briefings and trainings, ensures that relevant employees sign a non-disclosure agreement upon recruitment, and ensures that other Data Administrators and Data Processors sign a non-disclosure agreement as well as a standby letter of credit.
3. In the event that the Personal Data processed by our Company is unlawfully obtained by third parties, our Company conducts the necessary operations to inform the Board and the Relevant Person of this event within the time period set out by the Board. If found necessary by the Board, the aforementioned event will be announced on the Board’s website or in any other method that the Board find suitable.
4. Our Company places regard on the legal rights of the Relevant Persons in relation to the performance of the Policy and the Statute and takes all necessary measures for the protection of those rights.
5. All data concerning one’s racial or ethnic origin, political opinions, philosophical belief, religious faith, appearance, trade-union membership, health, sexual life or orientation, criminal convictions and other security measures, and biometric or genetic data is of Sensitive Personal Data. Our Company is conscious of that Sensitive Personal Data is the type of data of which disclosure to third parties can result in unfair treatment towards or discrimination against the Relevant Person, and in a careful manner takes the adequate measures set out by the Board to protect this type of data that are being lawfully processed by our Company.
1. Our Company responses in compliance with the KVKK Law to data owner’s enquiries regarding the matters related to themselves listed as below:
a. To learn whether their Personal Data are processed by the Company;
b. If so, to request information regarding the Data Processing;
c. To learn the purpose of Data Processing and whether their Personal Data are used accordingly;
d. To learn about the third parties within or outside Turkey with whom their Personal Data is transmitted;
e. If their Personal Data has been processed incorrectly or with missing information, to request its correction;
f. If the Company corrected or disposed their personal information, to request that third parties shall be informed;
g. To request erasing, destroying, blurring, or anonymising their Personal Data if the purpose for Personal Data Processing has been ceased;
h. To challenge the occurrence of any result against the Relevant Person by means of the exclusive analysation of the processed data through automated systems; and
i. If they have suffered a harm or loss due to unlawful Personal Data Processing, to make a compensation claim.
1. This Policy and the terms of the Statute shall not be applied in circumstances where:
a- On condition that they are not shared with third parties and that data security obligations are fulfilled; Personal Data is processed by natural persons within the scope of the activities fully regarding the data owner or family members with whom the data owner shares the same house;
b- Personal Data is processed by anonymising them with official statistics for the purposes such as research, planning, or statistics;
c- On condition that it does not constitute a crime or violate national defence, national security, public security, public order, economic security, right to privacy, or personal rights; Personal Data is processed for the purposes such as art, history, literature, or science, or within the scope of freedom of speech;
d- Personal Data is processed within the scope of preventative, protective, and informative activities carried out by public authorities authorised by law to ensure national defence, national security, public security, public order, or economic security;
e- Personal Data is processed by judicial authorities and enforcement offices in relation to investigation, prosecution, or enforcement operations.
2. So long as it is proportionate to and in compliance with the purpose and basic principles of the Policy and the Statute; Article 10 in which Data Administrator’s Duty to Disclose is set forth, except for right to claim compensation Article 11 in which the personal rights of the Relevant Person are set forth, and Article 16 in which Data Administrator’s duty to register to the Registry is set forth shall not be applied in circumstances where:
a- Personal Data Processing is necessary for the prevention of the commission of a crime or for the investigation of a crime,
b- Personal Data that have been anonymised by the Relevant Person are being processed,
c- Personal Data Processing is necessary for the performance of inspection or regulation duties and for disciplinary investigation or prosecution by public authorities and professional associations acting as a public authority,
d- Personal Pata Processing is necessary for the economic and financial interests of the country in relation to budgeting, taxing, and other financial matters,
1. Requests and enquiries regarding the application of the Statute can be emailed to kvkk@ulukok.com.tr, personally deliver in writing or sent through a notary to “Resitpasa Mahallesi, Katar Caddesi, ITU Ari 1 Teknokent Binasi, No:2⁄5 Ic Kapi No:19 Sariyer/ISTANBUL”, or conveyed online via registered email (REM), secure e-signature, or mobile signature.
2. If available, requests and enquiries may be delivered to and by the email address that has been reported to our Company and belongs to a Relevant Person in our Company’s system.
3. Requests and enquiries must contain:
a- Name, surname, and if in writing, signature;
b- For Turkish citizens, ID number (TC kimlik no);
c- For foreign citizens, their nationality as well as passport number or their ID number if they have one;
d- Home or work correspondence address;
e- If available; correspondence email address, phone number, and fax number; and
f- Subject of the request or enquiry.
4. Information and documents regarding the subject of the request or enquiry must be enclosed or attached in the application.
5. Our Company shall finalise requests for free as soon as practicable based upon the type of the request and within 30 days at the latest. However, in the event that the request requires additional costs, our Company may charge the fees set out in the tariff by the Board.
6. Our Company may accept requests or decline requests by explaining the reasoning and informs the Relevant Person of our response in writing or via email. If accepted, our Company does what is necessary at the soonest possible date and informs the Relevant Person. In the event that the request stems from the Company’s mistake or misdoing, our Company refunds the application fee paid by the Relevant Person.
7. In situations that the request is declined, the Relevant Person is not satisfied by the reasoning of the Company’s rejection, or the Company has not responded within due course; the Relevant Person may make a complaint to the Board within 30 days of learning the response and in all cases within 60 days of the request.
1. Our Company may transmit Personal Data to natural or legal third parties in accordance with the KVKK Law.
2. In such event, the Company ensures that those third parties to whom we transmit Personal Data also comply with this Policy.
3. Our Company annexes the necessary protectionary arrangements to agreements with third parties.
1. Personal Data may be transmitted to third parties located within Turkey upon Express Consent and, in exceptional circumstances set out in KVKK Article 5(2) (general exceptions) and Article 6(3) (Sensitive Personal Data exception), without Express Consent.
2. Company employees and Data Administration representative are jointly responsible for ensuring that the data transmission complies with the Statute.
1. Personal Data may be transmitted to third parties outside Turkey upon Express Consent.
2. In exceptions set out in Articles 5(2) and 6(3), Personal Data may be transmitted abroad without Express Consent if there is adequate protection in the country to which the data is being transferred. Countries with adequate protection are provided by the Board.
3. In the event of adequate protection secured in the receiving country, Personal Data may be transmitted to third parties abroad without Express Consent on condition that our Company and the Data Administrator in the receiving country guarantee adequate protection and obtain the Board’s permission.
4. Company employees and Data Administrator representative are jointly responsible for ensuring the data transmission complies with the Statute.
1. The Statute provides that in the event that the reasons for Data Processing have been ceased despite having processed in accordance with the Statute and other relevant legislations; Personal Data shall be erased, destroyed, blurred, or anonymised by the Company automatically or by Relevant Person’s request.
2. Erasing is the act of rendering Personal Data inaccessible and nonreusable by relevant users.
3. Destroying is the act of rendering Personal Data inaccessible, irretrievable, and nonreusable by any person.
4. Blurring is the act of rendering Personal Data unidentifiable without additional data in relation to the requirement of technical and organisational measures to prevent Personal Data from exclusion and association with a specific data owner.
5. Anonymising is the act of rendering Personal Data non-associable with any natural person who is or can be identified even if the Personal Data are associated with other data.
6. Without prejudice to any provisions regarding the disposing of Personal Data set out in other legislations; our Company sua sponte or upon request erases, destroys, blurs, or anonymises Personal Data that we have lawfully processed according to the Statute and other relevant legislations, in compliance with the Storage and Disposing of Personal Data Policy following the cease of the reasons for Data Processing.
1. Our Company retains Personal Data within the time period provided in statutes and other legislations. If no time period has been foreseen by the law, our Company retains Personal Data in compliance with the Storage and Disposing of Personal Data Policy for as long as the purpose for the processing of that specific data requires; and thereafter periodically erased, destroyed, blurred, or anonymised.
1. Our Company carries out and allows to carry out inspections that are necessary in order to ensure the regularity and continuity of the precautions, the compliance with the legislation, and the data security.
1. The Policy, which has been prepared by our Company and came into effect on 04.08.2021, is published on our website to allow the Relevant Persons to access.
2. This Policy may be amended or changed if our Company finds it necessary.
3. In the event that the Policy has been amended or changed, it shall be preserved by remarking the time period for which it is valid.