PRINCIPLES OF CONFIDENTIALITY AND PROTECTION OF PERSONAL DATA
PURPOSE AND SCOPE
This Privacy and Personal Data Protection Principles (hereinafter referred to as “Principles”) sets out the principles adopted by Demsa İç ve Dış Ticaret A.Ş. (hereinafter referred to as the “Company”) regarding the protection of personal data and aims to inform all relevant groups of persons within the scope of the Personal Data Protection Law No. 6698 (hereinafter referred to as “KVKK No. 6698”).
PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
As the Company, we process your personal data in the capacity of Data Controller within the framework of the following principles.
Processing in Compliance with the Law and the Rule of Honesty
In the processing of your personal data, we act in accordance with the principles introduced by legal regulations and the general rule of trust and honesty. In accordance with this principle, in particular, we take into account your interests and reasonable expectations while trying to achieve our personal data processing purposes, do not abuse our rights and act in accordance with the principle of transparency in our data processing activities.
Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
In line with this principle, which emphasizes the importance of the accuracy and timeliness of personal data, periodic checks and updates are made to ensure that the processed data is accurate and up-to-date, taking into account your legitimate interests, and necessary measures are taken accordingly. In this context, systems for checking the accuracy of personal data and making necessary corrections are established within the Company. In addition, the accuracy of the sources from which personal data are collected is checked and requests arising from inaccurate personal data are taken into consideration. Therefore, this principle is also applied in accordance with the right to request correction of your personal data in accordance with KVKK No. 6698.
Processing for Specific, Explicit and Legitimate Purposes
Your personal data is processed based on clear, specific and legitimate data processing purposes. In this context, we ensure that our personal data processing activities are clearly understandable by the relevant persons, and we determine and clearly state which purposes and legal processing conditions are based on Article 3 of these Principles.
Being Relevant, Limited and Proportionate to the Purpose of Processing
Your personal data are processed in a measured, purpose-related and limited manner in order to achieve the envisaged purpose(s) and the processing of personal data that is not related to the realization of the purpose or is not needed is avoided. Again, within the scope of this principle, personal data is not collected or processed for purposes that do not exist and are thought to be realized later.
Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
Your personal data are retained only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this regard, the Company takes and implements the relevant administrative and technical measures. In this context, first of all, it is determined whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, this period is acted in accordance with this period, if a period is not determined, personal data is stored for the period required for the purpose for which they are processed. In the event that the necessity of the relevant processes disappears, access to your personal data by unrelated departments is prevented within the scope of the deletion action specified in KVKK No. 6698. In the event that the period expires or the reasons for processing disappear, your personal data are destroyed or anonymized in accordance with the personal data protection legislation, unless there is a legal reason that allows them to be processed for a longer period of time.
CONDITIONS FOR PROCESSING PERSONAL DATA
Within the scope of the KVKK No. 6698, your personal and sensitive personal data can be processed within the framework of the conditions stipulated below.
Explicitly Stipulated by Laws
The basic rule is that personal data cannot be processed without the explicit consent of the persons concerned, and according to this exception, your personal data may be processed in cases where personal data processing is explicitly stipulated in the laws.
Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility
Your personal data may be processed if it is mandatory to process personal data in order to protect the life or physical integrity of the person concerned or another person who is unable to disclose his consent due to actual impossibility or whose consent cannot be recognized as valid.
Direct Relevance to the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of the contract, your personal data may be processed if it is necessary to process personal data belonging to the parties to the contract.
Publicization of Personal Data
In the event that your personal data has been made public by you, i.e. shared with the public by you, it may be processed in connection with and in proportion to the purpose of publicization.
Data Processing is Mandatory for the Establishment or Protection of a Right
Within the scope of the execution and management of the processes regarding the legal and commercial rights of the Company, your personal data may be processed if data processing is mandatory for the establishment, use or protection of the right in question.
Processing of Data Based on Legitimate Interest
Your personal data may be processed if data processing is necessary for the legitimate interests of the Company. In the event that our Company needs to process data depending on the processing condition in question, it makes an evaluation by considering your fundamental rights and freedoms and decides according to the result of the evaluation.
Processing Based on Explicit Consent
Although the processing of personal data based on explicit consent is the main rule, the explicit consent of the data subjects is not relied upon in the presence of other conditions specified in this article. Otherwise, abuse of right may be mentioned. In this context, in cases where your personal data is not processed based on any of the conditions specified in these Principles, it is processed based on your explicit consent.
Processing of Special Categories of Personal Data
We process your sensitive personal data based on your explicit consent in accordance with Article 6 of the KVKK No. 6698. In the same article, we can process your sensitive personal data other than health and sexual life only in cases stipulated by law, and your sensitive personal data related to health and sexual life only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality, without seeking your explicit consent.
TRANSFER OF PERSONAL DATA
Your personal and sensitive data may be transferred to our domestic business partners, public institutions and organizations and the like or to our business partners abroad within the scope of Article 2 of these Principles. While making such transfers, compliance with Articles 8 and 9 of the KVKK No. 6698 is observed. If necessary, your explicit consent is obtained and the transfer is provided within this framework.
SECURITY OF PERSONAL DATA
The Company takes all reasonable administrative and technical measures to prevent unauthorized access risks, accidental data loss, intentional deletion of data or damage to data in order to ensure the security of personal data and to prevent unlawful processing.
All reasonable technical and physical measures are taken to prevent access to personal data by persons other than those authorized to access it. In this context, especially the authorization system is designed in such a way that it is not possible for individuals and systems to access more personal data than necessary.
The Company conducts and has the necessary audits carried out in its own institution or organization in order to ensure the implementation of the provisions of KVKK No. 6698.
The measures taken are as follows.
Network security and application security are ensured.
Closed system network is used for personal data transfers through the network.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
There are disciplinary regulations that include data security provisions for employees.
Training and awareness raising activities on data security are carried out for employees at regular intervals.
An authorization matrix has been established for employees.
Access logs are kept regularly.
Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
Confidentiality undertakings are made.
The authorizations of employees who change their duties or leave their jobs in this area are removed.
Up-to-date anti-virus systems are used.
Firewalls are used.
Signed contracts contain data security provisions.
Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken for entry and exit to and from physical environments containing personal data.
Security of environments containing personal data is ensured.
Personal data is minimized as much as possible.
Personal data is backed up and the security of backed up personal data is also ensured.
User account management and authorization control system is implemented and monitored.
Internal periodic and/or random audits are carried out and conducted.
Log records are kept without user intervention.
Existing risks and threats have been identified.
Protocols and procedures for the security of sensitive personal data have been determined and implemented.
If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using KEP or corporate mail account.
Intrusion detection and prevention systems are used.
Cyber security measures have been taken and their implementation is constantly monitored.
Encryption is performed.
Sensitive personal data transferred on portable memory sticks, CDs and DVDs are encrypted.
Data processing service providers are periodically audited on data security.
Awareness of data processing service providers on data security is ensured.
Data loss prevention software is used.
RIGHTS OF THE DATA SUBJECT, APPLICATION PROCEDURES AND PRINCIPLES
As a data subject, Law No. 6698 Article 11. In case you have a request regarding your rights under Article 11 of Law No. 6698 and if you are a citizen of the European Union, you have the following rights under the GDPR; You can submit your requests regarding your rights to withdraw your explicit consent, to receive information about your data and to access your data, to correct, delete or limit the processing of your personal data in certain circumstances, data portability under certain conditions, to object to the processing of your personal data and similar rights by filling out the Application Form on the Protection of Personal Data, which you can obtain from our website, or with your application that meets the minimum conditions stipulated by the Communiqué on the Procedures and Principles of Application to the Data Controller. As the Company, we will finalize your application free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Company. Upon your application to us, you can inform us about this in case your application is rejected, the response is insufficient or the application is not responded to in due time, and as the person concerned, you have the right to apply to the competent data protection authority in your country within thirty days from the date you learn our response and in any case within sixty days from the date of your duly made application.