Orchestra HR - Privacy Policy

1- Objective

The objective of this Policy is to set forth the principles and procedures regarding the processing and protection of personal data as well as the deletion, disposal and anonymization of such processed personal data by HRSP in compliance with the applicable legislations, which constitute the legal basis of this Policy.

2- Scope

The scope of applicability of this Policy encompasses the personal data of the staff members, staff member candidates, officers and visitors of HRSP, and the employees and the officers of the third parties, with whom HRSP cooperates, as well as any other third party, which are processed fully or partially automatically or through non-automatic means as a part of any data recording system.

Accordingly, the groups of data owners mentioned above may be subject to the applicability of the entirety or only certain provisions of this Policy.

3- Legal Basis

This Policy has been issued on the basis of the Code No. 6698 on the Protection of Personal Data, the Regulation No. 30286 on the Registry of Data Controllers, and the Regulation No. 30224 on the Deletion, Disposal or Anonymization of Personal Data.

The applicable legislations in force shall take priority in respect of the processing, protection and disposal of personal data. HRSP hereby agrees that, in the event of any conflict between the applicable legislations and this Policy, the applicable legislations in force shall apply.

4- Definitions

The following terms shall have the meanings set forth below for the purpose of the enforcement of this Policy:

a) Recipient group: The group of natural persons or legal entities, to whom the personal data are transferred by the data controller;

b) Concerned user: Any person, who processes personal data as a part of the data controller's organization or in accordance with the powers delegated and instructions placed by the data controller, except for any person or unit, who or which is responsible for the storage, protection and back-up, technically, of data;

c) Disposal: The deletion, disposal or anonymization of personal data;

d) Code: Code No. 6698 on the Protection of Personal Data;

e) Recording media: Any medium, where the personal data are processed fully or partially automatically or through non-automatic means as a part of any data recording system.

f) Personal data: Any information or data that is related to an identified or identifiable natural person;

g) Personal data owner: The natural person, whose personal data are processed;

h) Processing of personal data: Any operation, which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system;

i) Personal data processing inventory: The inventory, which is created by the data controllers by way of the association of the personal data processing activities that are carried out thereby with the purposes of processing of personal data, the data categories, the recipient groups and the groups of persons, being the subject matter of the data, and within which the maximum duration as necessary for the purposes, for which the personal data are processed, the personal data, which are contemplated to be transferred to foreign countries, and the precautions taken in respect of data security are detailed and described thereby;  

j) Board: The Personal Data Protection Board;

k) Authority: The Personal Data Protection Authority;

l) Personal data of private nature: The data related to the persons' race, ethnic origin, political view, philosophic belief, religion, sect or other beliefs, appearance and dressing, affiliation to associations, foundations or trade unions, health, sexual life, conviction and safety precautions as well as biometric and genetic data;

m) Periodical disposal: The deletion, disposal or anonymization, which shall be conducted automatically on a periodical and recurrent basis as specified within the personal data storage and disposal policy in the cases, where all of the requirements for the processing of personal data as set forth within the Code cease to be satisfied;

n) Policy: This Policy, on which the data controllers base the identification of the maximum period of time as necessary for the purpose, for which the personal data are processed, and the deletion, disposal and anonymization of the personal data;

o) Registry: The registry of data controllers that is maintained by the Personal Data Protection Board;

p) Data processor: Any natural person or legal entity, who or which processes personal data on behalf of the data controller on the basis of the power delegated thereby;

r) Data recording system: Any recording system, through which personal data are processed by structuring according to specific criteria;

s) Data controller: A natural person or legal entity, who or which determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.

Any term not defined herein shall have the meaning that is ascribed thereto within the Code.

5- Disclosures to and Information of the Personal Data Owner

HRSP makes disclosures to the personal data owners during the collection of personal data. Accordingly; HRSP shall disclose to the personal data owner the purposes, for which the personal data are to be processed, the parties, to whom the processed data are to be transferred, and the purpose of such transfers, the method of collection of personal data and the legal reasons for the same as well as the rights of the personal data owner as provided by the Code.

The rights of the personal data owner also include the right to "request information". HRSP shall inform the personal data owner as necessary and appropriate should the personal data owner so request.

HRSP declares to the personal data owners and the concerned parties by way of various public documents, primarily including this Policy, that it processes personal data in compliance with the law and the principle of integrity, and ensures that the concerned parties are informed as appropriate in respect and through the course of the personal data processing activities, and accordingly, ensures accountability and transparency.

6- Protection of the Rights of Personal Data Owners

HRSP maintains the channels, internal operation, administrative and technical regulations as necessary in compliance with the Code for the assessment of the personal data owners and the information as necessary of the personal data owners.

In the event any personal data owner files a request with HRSP regarding any of the rights thereof as provided below; HRSP shall meet such request as soon as practicable depending on the nature of request but in any case not later than 30 days. In the event the actions to be taken in order to meet any such request require any extra or additional cost, HRSP shall charge the fee as per the rate tariff set forth by the Board. Personal data owners have the right to:

Learn whether or not the respective personal data of the relevant personal data owner have been processed;

Request information as to processing if the respective personal data of the relevant personal data owner have been processed;

Learn the purpose of processing of the respective personal data of the relevant personal data owner and whether data are used in accordance with their purpose;

Know the third parties based at home or abroad, to whom the respective personal data of the relevant personal data owner have been transferred;

Request notification of the operations performed as a consequence of such requests as rectification, deletion and disposal to third parties to whom the respective personal data of the relevant personal data owner have been transferred, in the cases where the respective personal data of the relevant personal data owner have been processed incompletely or inaccurately;

Request the respective personal data of the relevant personal data owner to be deleted or disposed of in the event the reasons that may have required the processing of the respective personal data of the relevant personal data owner cease to exist, in spite of the fact that they have been processed in compliance with the Law and other applicable laws and regulations, and request notification of the relevant operation to third parties to whom the respective personal data of the relevant personal data owner have been transferred;

Object to occurrence of any result that is to her/his detriment by means of analysis of the respective personal data of the relevant personal data owner exclusively through automated systems;

Request compensation for the damages in case the person incurs damages due to unlawful processing of the respective personal data of the relevant personal data owner.

In order to exercise their respective rights provided above, the personal data owners should communicate their requests to HRSP using the "in writing" methods contemplated by the Code.

In the event the data owners also deliver their personally identifiable information to HRSP while filing and along with the filing of their requests in writing, they shall be responded to rapidly and effectively. In the event any data owner requests to exercise any of her/his respective rights as mentioned above, s/he may send or deliver such request in writing, along with the documents that allow for the identification of herself/himself, to the head office of HRSP, which is situated at Dr. Neşet Usman Sok. No:3/2 Kadıköy/İstanbul/Turkey, by hand, through the agency of a notary public or in secure electronically signed format.

7- Recording Medium Where Personal Data Are Stored and Are to Be Disposed

Any medium, where the personal data, which have been obtained by HRSP and which are processed fully or partially automatically or through non-automatic means as a part of any data recording system, are stored, is considered and referred to as a recording medium. Any and all personal data that are held by and in the possession of HRSP are kept and stored on the respective systems thereof, which are mentioned below and the security of which is ensured to the maximum extent.

The personal data of the data owners are stored securely by HRSP in the media listed below in compliance with the applicable legislations in force, primarily including the provisions of the CPPD, and in accordance with the international data security principles.

Electronic media:

* Exchange Server

8- Security of Personal Data

HRSP takes any and all legally, technically and administratively required precautions in order to ensure and maintain data security, and acts with the utmost care and in the utmost diligence on the matter.

The staff members of HRSP have been informed that they shall not disclose any personal data, which they may learn or obtain, to others in breach of the applicable provisions of the Code, and that they shall not make use of such data for any other purpose than the intended and specified purpose of processing of the same, and that the said obligations thereof shall remain in full force and effect even after their resignation or dismissal from their position within the organization of HRSP, and their warranties on the mentioned matters have been obtained as necessary and appropriate.

HRSP also raises the awareness of its business partners, suppliers and the like third parties in respect of the prevention of the unlawful processing of personal data, the prevention of unlawful access to personal data and the storage of the personal data in compliance with the applicable law. The processing, protection and storage of personal data also by and at the counters of the third parties, with whom HRSP maintains business relations, have been arranged and regulated on contractual basis with such third parties, and the reason for the processing of such personal data has been accorded with the operations carried out with the third parties.

HRSP conducts any and all required audits and procures the same to be conducted within its own organization. In the cases, where it is established as a result of the audits conducted that the precautions taken should be improved; HRSP promptly takes the necessary actions.

In the event the personal data are captured and/or obtained through illegal or unlawful means by others in spite of the taking of all general, technical and administrative precautions specified below; HRSP fulfills its obligation to notify the respective data owner and the Board of such incident as soon as practicable.  

9- General Precautions to Be Taken in Order for the Secure Storage and the Prevention of Unlawful Processing of and Illegal Access to the Personal Data

The personal data are processed by HRSP in strict compliance with the principles and procedures provided by the Code and the other applicable legislations. HRSP observes the following principles through the course of its processing of personal data:

a) Compliance with the law and the principles of honesty

HRSP acts in compliance with the guidelines contemplated by the applicable legislations regarding the processing of personal data and the principles of honesty. Giving due consideration to the requirements of proportionality with regards to the processing of personal data, HRSP avoids using the personal data in any such extent that is beyond the achievement of the relevant purpose.

b) Accuracy and, where necessary, currency,

HRSP takes into consideration the fundamental rights and interests of the personal data owners, and ensures the accuracy and currency of the personal data processed thereby. To that end, HRSP also takes the necessary and appropriate precautions.

c) Processing of data for specific, clear and legitimate purposes,

HRSP identifies and sets forth its purposes of processing personal data, which are specific, clear and legitimate, and processes personal data in connection with and only in such limited extent that is necessitated by the services provided thereby. HRSP sets forth and declares the purposes of processing of personal data prior to the commencement of such processing.

d) Relation to the purpose of processing, limitedness and proportionality of the data processed

HRSP processes personal data in such manner that is sufficient and convenient for the accomplishment of the purposes identified and set forth. Accordingly HRSP avoids processing such personal data that are not related to the accomplishment of the purpose of processing of personal data or that do not need to be processed for such purpose.

e) Retention for the period as prescribed by the applicable regulations or as necessary for the relevant purpose of processing.

HRSP retains the personal data for such period that is prescribed by the applicable regulations or is necessary for the relevant purpose of processing. Accordingly, HRSP observes the period that is prescribed by the applicable regulations for the retention of personal data if any such period is prescribed, and if any such period has not been prescribed by the applicable regulations, it retains the personal data for such period that is necessary for the processing of the same. Once the prescribed period expires or in the event the processing of the personal data is no longer required, the personal data are deleted, disposed or anonymized by HRSP.

10- Technical and Administrative Precautions to Be Taken in Order for the Secure Storage and the Prevention of Unlawful Processing of and Illegal Access to the Personal Data

HRSP is aware that it is obliged to take any and all technical and administrative precautions as necessary to ensure the appropriate level of security in order to

Prevent the unlawful processing of the personal data,

Prevent the unlawful access to the personal data, and

Ensure the protection of the personal data,

and acts with the utmost care and in the utmost diligence in that regard.

In the event any personal data held in the possession of HRSP is processed by any other natural person or legal entity; HRSP shall be jointly responsible with such person or entity in respect of the taking of the precautions specified above.

As a matter of fact; HRSP is aware that it is obliged to conduct any and all such audits as necessary to ensure the enforcement as appropriate of the Code and the relevant legislations and to procure the conduct of such audits, and takes necessary actions to that end.

11- Titles, Units and Job Descriptions of HRSP's Officials, Who Are Involved in the Storage and Disposal of Personal Data

The titles, units and job descriptions of the staff members, who are involved in the storage and disposal of personal data, are available within ANNEX-1 to this Policy. The persons, whose details are provided within the schedule, shall unfailingly fulfill any and all duties and obligations through the courses of the storage and disposal of personal data.

12- Requirements for the Processing of Personal Data

The processing of personal data requires the explicit consent of the person, whose data are intended to be processed. Explicit consent is only one of the legal requirements for the processing of personal data. Apart from the explicit consent, personal data may be processed in the event of the occurrence of any one or several events. HRSP may process the personal data of a person without the explicit consent of such person in the event of the satisfaction of any one or several of the following requirements.

a) Explicit consent: The explicit consent of the owner of the personal data should be declared as a result of an informed decision and with the free will of the concerned person. Accordingly; HRSP shall obtain the explicit consent of the owner of the personal data for the processing of the respective personal data thereof.

b) Explicit contemplation by applicable laws: The personal data of the data owner may be processed lawfully by HRSP should such processing be contemplated explicitly by applicable laws.

c) Failure to obtain the explicit consent of the concerned person on account of actual impracticability: In the cases, where it is strictly obligatory for the processing of the data of a person, who is physically unable or incapable to express her/his consent or whose consent is legally not considered valid, in order for the protection of the life or physical integrity of such person or any other individual; the personal data of such data owner may be processed. For example, HRSP may disclose the blood type of a staff member thereof, who has a heart attack, to the physicians.

d) The processing of personal data being directly connected to the execution or the performance of a contract: The personal data of the parties of a contract may be processed, provided that such processing is directly connected to and necessary for the execution or the performance of a contract.

e) HRSP's fulfillment of its legal obligations: In the cases, where the processing of data represents a strict requirement for HRSP to fulfill the respective legal obligations thereof, the personal data of the data owner may be processed.

f) Disclosure to public by data owner of her/his personal data: In the cases, where the data owner discloses her/his personal data to the public; such personal data may be processed.

g) The processing of data representing a strict requirement for the creation, exercise or the protection of a right: In the cases, where the processing of data represents a strict requirement for the creation, exercise or the protection of a right; the personal data of the data owner may be processed.

h) The processing of data representing a strict requirement for the preservation and maintenance of the legitimate interests of HRSP: In the cases, where the processing of data is strictly required to preserve and maintain the legitimate interests of HRSP; HRSP may process the personal data provided that the fundamental rights and freedoms of the data owner not be prejudiced.

13- Requirements for the Processing of the Personal Data of Private Nature

HRSP does not process the personal data of private nature without the explicit consent of the owners of such personal data. 

14- Transferring Personal Data

HRSP transfers the personal data and the personal data of private nature of the owners of the personal data to third parties with due consideration of the nature of its business operations carried out thereby, provided that it takes the appropriate security precautions required by the Code and the applicable legislations in line with the purposes of processing of personal data.

HRSP also transfers personal data to such foreign countries, which have been declared by the Board to have adequate protection, ("Foreign Country with Adequate Protection") or to such foreign countries, where adequate protection is not in place but in respect of which the data controllers in Turkey and in such foreign countries have warranted to ensure adequate protection and transfer of personal data to which has been authorized by the Board, ("Foreign Country Where Data Controller Warranting Adequate Protection Resides"). In that regard, HRSP acts in compliance with the requirements of the Code.

15- Principles Regarding the Deletion, Disposal or Anonymization of Personal Data

In the cases, where all of the requirements for the processing of personal data cease to be satisfied; HRSP fulfills its obligations regarding the deletion, disposal or anonymization of personal data either on its own motion or upon the request of the concerned person.

HRSP acts in compliance with the general principles and the technical and administrative precautions specified within this Policy, the provisions of the applicable legislations, the resolutions of the Board and the personal data storage and disposal policy through the course of deletion, disposal and anonymization of personal data.

Records of any and all actions taken in respect of the deletion, disposal and anonymization of personal data by HRSP shall be kept, and are retained for a period not shorter than three years except for the cases where legal obligations require otherwise.  

Unless resolved otherwise by the Board, HRSP, acting at its discretion, shall delete, dispose of or anonymize the personal data as it deems appropriate on its own motion. HRSP shall select the appropriate action, whether that be deletion, disposal or anonymization, by way of explaining its reasoning for such selection upon the request of the concerned person.

16- Deletion of Personal Data

Deletion of personal data is the action of rendering the personal data strictly and conclusively inaccessible and non-reusable by relevant users. HRSP takes any and all technical and administrative precautions as necessary and appropriate to render the deleted personal data strictly and conclusively inaccessible and non-reusable.

17- Disposal of Processing of Personal Data

Disposal of personal data is the action of rendering the personal data strictly and conclusively inaccessible, non-retrievable and non-reusable by relevant users. HRSP takes any and all technical and administrative precautions as necessary and appropriate in respect of the disposal of personal data.

18- Anonymization of Personal Data

The anonymization of personal data is the action of modification of the nature of personal data in such manner that they can no longer be associated to an identified or identifiable natural person even by way of matching with other data. The anonymization of personal data requires the modification of the nature of the personal data in such manner that it can no longer be associated to an identified or identifiable natural person even by way of the employment by the data controller, the recipient or the recipient groups of such techniques as restoration or matching with other data that are suitable for the recording medium and the relevant field of activity.

HRSP takes any and all technical and administrative precautions as necessary and appropriate in respect of the anonymization of personal data.

19- Methods to Be Employed for the Deletion, Disposal or Anonymization of Personal Data

HRSP shall delete, dispose of and/or anonymize the personal data held in its possession by way of employing the methods set forth below.

a) Cloud Application Solutions (Office 365, etc.)

HRSP shall delete the data stored in cloud applications by way of issuing a delete command. While issuing such command, HRSP shall particularly make sure that the relevant user does not have the authority to retrieve deleted data through the cloud system.

b) Personal Data Stored in Printed Form

HRSP shall delete the data stored in printed form by way of blanking. Blanking is performed by way of trimming, where practicable, of the personal data on the relevant document or, where trimming is not practicable, by way of rendering such data invisible for the relevant user through the employment of indelible ink in such manner that such application cannot be undone and the content so blanked cannot be read by way of technological solutions.

c) Office Files Stored on the Central Server

The file should be deleted by way of issuing a delete command on the operating system or the access authorization of the relevant user on the file or the directory, on which such file is kept, should be revoked. While taking such action, HRSP shall make sure that the relevant user is not also a system administrator.

d) Personal Data Stored on Portable Media

HRSP stores the personal data on flash-based storage media in encrypted form, and shall delete the same, using suitable software for such media.

e) Databases

HRSP shall delete the relevant lines that contain personal data by way of issuing the appropriate database commands (DELETE etc.). While taking such action, HRSP shall make sure that the relevant user is not also a database administrator.

20- Periods for the Deletion, Disposal or Anonymization of Personal Data

HRSP deletes, disposes of or anonymizes the personal data as a part of the first immediate periodical disposal action that follows the date, on which the obligation to delete, dispose of or anonymize the personal data arises.

The period for the deletion, disposal or anonymization of personal data by HRSP is 30 days as of the date, on which the obligation to delete, dispose of or anonymize the personal data arises. Such period may be extended by no longer than 30 days in imperative situations.

HRSP agrees that the Board may shorten the specified periods in the event of the possibility of the occurrence of irreparable losses and damages and the occurrence of unlawfulness.

21- Data Owner's Request for the Deletion and Disposal of the Personal Data Thereof

The Data Owner shall file her/his requests for the enforcement of the Code with HRSP in writing or by other methods that the Board may specify.

HRSP shall meet such request as soon as practicable depending on the nature of request but in any case not later than 30 days. However, in the event the actions to be taken in order to meet any such request require any extra or additional cost, HRSP may charge the fee as per the rate tariff set forth by the Board.

HRSP shall either accept any such request or reject the same, stating the reasons for such rejection, and communicate its reply to the concerned person in writing or electronically. In the event the request filed is accepted, HRSP shall take the appropriate action for the satisfaction of such request. In the cases, where the request is filed on account of a fault or negligence of HRSP; the fee charged shall be refunded.

22- Periods for Deletion and Disposal of Personal Data upon Request by the Data Owner

In the event the Data Owner files a request with HRSP for the deletion or disposal of her/his personal data;

a) If all of the requirements for the processing of personal data have ceased to be satisfied, HRSP shall delete, dispose of or anonymize the personal data, being the subject matter of the relevant request. HRSP shall, in that case, conclude the actions for the satisfaction of the request of the concerned person within not later than 30 days, and inform the concerned person on the matter.

b) If all of the requirements for the processing of personal data have ceased to be satisfied and the personal data, being the subject matter of the relevant request, have been transferred to third parties; HRSP shall notify the relevant third party of such request, and shall procure the necessary action under the Regulation on the Deletion, Disposal or Anonymization of Personal Data to be taken at the counters of the relevant third party.

c) If all of the requirements for the processing of personal data have not ceased to be satisfied; O4C BV may reject such request, explaining the reasons for such rejection, and the rejection shall be communicated to the concerned Data Owner in writing or electronically within not later than 30 days.  

23- Effectiveness

This Policy is issued and brought into force on 01/01/2022. This Policy is published on the website of HRSP, and is made available for access of the owners of the personal data upon their request.