Personal Data Protection and Processing Policy
DEFINITIONS
Explicit consent: Consent on a specific issue, based on information
and expressed with free will.
Constitution: Constitution of the Republic of Turkey dated November
7, 1982 and numbered 2709; published in the Official Gazette dated November 9, 1982 and numbered 17863.
Anonymization: Changing personal data in such a way that it loses its
personal data nature and this situation cannot be reversed. Ex: Masking, aggregation, data corruption, etc.
techniques to make personal data unassociable with a natural person.
Application Form: "Application Form Regarding the Applications to be
made to the Data Controller by the Relevant Person (Personal Data Owner) in accordance with the Law No. 6698
on the Protection of Personal Data", which includes the application to be made by personal data owners to
exercise their rights.
Employee Candidate: Natural persons who have applied for a job to the
Company by any means or who have opened their resume and related information to the Company's review.
Relevant Person: The natural person whose personal data is processed
Company Akyacht Yatçılık Sanayi ve Ticaret Anonim Şirketi
Intercity Company(ies): Other company(ies) in which real and/or legal
persons who are shareholders of Ekim Turizm Ticaret ve Sanayi Anonim Şirketi are shareholders
Employees, Shareholders and Authorities of the Institutions We Cooperate with:
Real persons, including, but not limited to, employees, shareholders and officials of the
organizations (such as business partners, suppliers) with which the Company has any kind of business
relationship.
Business Partner: Parties with whom the Company has established a
business partnership for purposes such as carrying out various projects and receiving services, either
personally or together with Intercity Companies while carrying out its commercial activities.
Processing of personal data: Any operation performed on personal data
such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking
over, making available, classifying or preventing the use of personal data by fully or partially automatic
means or by non-automatic means provided that it is part of any data recording system.
Personal Data Processing Inventory: Inventory in which data
controllers detail the personal data processing activities they carry out depending on their business
processes by associating them with the purposes and legal grounds for processing personal data, data
category, transferred recipient group and data subject group and by explaining the maximum retention period
required for the purposes for which personal data are processed, the personal data foreseen to be
transferred to foreign countries and the measures taken regarding data security
Personal data subject: The natural person whose personal data is
processed. For example; employee candidates.
Personal data: Any information relating to an identified or
identifiable natural person. Therefore, the processing of information on legal entities is not covered by
the Law. For example; name-surname, TRKN, e-mail, address, date of birth, credit card number, etc.
KVKK Law on the Protection of Personal Data dated March 24, 2016 and
numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677
Board: Personal Data Protection Board
Institution Personal Data Protection Authority
Sensitive personal data: Data relating to race, ethnic origin,
political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of
associations, foundations or trade unions, health, sexual life, criminal convictions and security measures,
and biometric and genetic data.
Policy This Personal Data Processing and Protection Policy
Company Shareholder Real persons who are shareholders of the Company
Company Authorized Person: Company board members and other authorized
real persons.
Supplier Parties that provide services to the Company on a
contractual basis in accordance with the Company's orders and instructions while conducting the Company's
commercial activities.
Turkish Penal Code: Turkish Penal Code dated September 26, 2004 and
numbered 5237; published in the Official Gazette dated October 12, 2004 and numbered 25611.
Third Person: Natural persons whose personal data are processed
within the scope of the Policy, who are not defined differently within the scope of the Policy (e.g.
guarantor, companion, family members and relatives, former employees).
Data processor: A natural or legal person who processes personal data
on behalf of the data controller based on the authorization granted by the data controller.
Data controller: The person who determines the purposes and means of
processing personal data and manages the place where the data is kept systematically (data recording
system).
Data Controllers Registry (VERBIS): The registry of data controllers
kept by the Presidency under the supervision of the Personal Data Protection Board
Visitor Natural persons who have entered the physical premises owned
by the Company for various purposes or who visit our websites.
TABLE OF CONTENTS
1.4. PRIORITY IN THE IMPLEMENTATION OF POLICY AND RELATED
LEGISLATION. 6
2. PROTECTION OF PERSONAL DATA. 6
2.1. OBSERVANCE OF DATA SUBJECT RIGHTS AND EVALUATION OF DATA
SUBJECTS' REQUESTS. 6
2.2. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL
DATA. 7
2.4. ENSURING THE SECURITY OF PERSONAL DATA.
7
2.4.1. Technical and Administrative Measures Taken to Ensure
Lawful Processing of Personal Data. 7
2.4.1.2 Administrative Measures.
8
2.4.2. Supervision of Measures Taken for the Protection of
Personal Data. 9
2.4.3. Measures to be taken in case of unauthorized disclosure
of personal data. 9
3. ISSUES REGARDING THE PROCESSING OF PERSONAL
DATA. 10
3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE
PRINCIPLES STIPULATED IN THE LEGISLATION 10
3.1.1. Processing in accordance with the Law and Good
Faith. 10
3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date
When Necessary. 10
3.1.3. Processing for Specific, Explicit and Legitimate
Purposes. 10
3.1.4. Being relevant, limited and proportionate to the purpose
for which they are processed. 10
3.3. PROCESSING OF DATA PROCESSED BY INTERCITY COMPANIES BY THE
COMPANY. 10
3.4. ENLIGHTENING AND INFORMING THE PERSONAL DATA
SUBJECT. 11
3.5. PROCESSING OF PERSONAL DATA OF SPECIAL
NATURE. 11
4.1. CATEGORIZATION OF PERSONAL DATA.
11
4.2. PURPOSES OF PROCESSING PERSONAL DATA.
13
5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED
BY THE COMPANY 15
6.1 TRANSFER OF PERSONAL DATA. 17
6.1.1 Transfer of Personal Data.
18
6.1.2. Transfer of Sensitive Personal Data.
18
6.2. TRANSFER OF PERSONAL DATA ABROAD.
18
6.2.1. Transfer of Personal Data Abroad.
18
6.2.2. Transfer of Sensitive Personal Data Abroad.
19
6.3
Persons Transferred and Purpose of Data Transfer 19
7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE
PROCESSING CONDITIONS IN THE LAW 20
7.1. PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES OF
PERSONAL DATA. 20
7.1.1. Processing of Personal Data.
20
7.1.2. Processing of Special Categories of Personal
Data. 21
8.1. CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT AT BUILDING AND
FACILITY ENTRANCES AND INSIDE 21
8.1.1. Legal Basis for Camera Surveillance
Activity. 21
8.1.2. Execution of Monitoring Activities with Security Cameras
in accordance with KVKK. 21
8.1.3. Announcement of Camera Surveillance
Activity. 22
8.1.4. Purpose of Camera Surveillance and Limitation to the
Purpose. 22
8.1.5. Ensuring the Security of the Data Obtained.
22
8.1.6. Storage Period of Personal Data Obtained through Camera
Surveillance Activities. 22
9.1. METHOD AND LEGAL REASON FOR COLLECTING PERSONAL
DATA. 23
9.2. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL
DATA. 23
9.2.1. Conditions for Deletion, Destruction and Anonymization
of Personal Data. 23
9.2.2. Techniques for Deletion, Destruction and Anonymization
of Personal Data. 24
9.2.2.1. Techniques for Deletion and Destruction of Personal
Data. 24
9.2.2.2.2. Techniques for Anonymizing Personal
Data. 24
9.3. Retention Period of Personal Data.
24
10. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR
EXERCISING AND EVALUATING THESE RIGHTS 25
10.1 RIGHTS OF THE DATA OWNER AND EXERCISING THESE
RIGHTS. 25
10.1.1. Rights of the Personal Data Owner
25
10.1.2. Cases where the Personal Data Owner cannot assert
his/her rights. 25
10.1.3. Exercising the Rights of the Personal Data
Owner 26
10.1.4. Personal Data Subject's Right to File a Complaint to
the Board. 26
10.2. APPLICATIONS FOR INTERCITY COMPANIES.
26
10.3. THE COMPANY'S RESPONSE TO APPLICATIONS.
26
10.3.1. Procedure and Duration of the Company's Response to
Applications. 26
10.3.2. Information that the Company may request from the
Applicant Personal Data Subject 26
10.3.3. The Company's Right to Refuse the Personal Data
Subject's Application. 26
PERSONAL DATA PROCESSING POLICY
PART ONE
1. INTRODUCTION
According to Article 20 of the Constitution of the Republic of Turkey, everyone has the
right to request the protection of personal data concerning him/her. The Company pays utmost attention to
the protection of personal data, which is a constitutional right; in this context, the Company determines a
company policy in accordance with the Law No. 6698 on the Protection of Personal Data ("KVKK"), which
regulates the protection of fundamental rights and freedoms of individuals in the processing of personal
data and the obligations of those who process personal data and the procedures and principles to be complied
with in order to protect the personal data of real persons whose data it processes.
Information regarding the identity of the data controller for all kinds of personal data
processing activities covered by this Policy is provided below.
Data Controller: Akyacht Yatçılık Sanayi ve Ticaret Anonim Şirketi
("Company")
Address: Sepetlipinar SB Mahallesi, 104. Cad.,
No:8/2 Başiskele - KOCAELİ
1.2. BUT Ç
The main purpose of this Policy is to make explanations about the personal data
processing activity carried out by the Company in accordance with the law and the systems adopted for the
protection of personal data, and in this context, to ensure transparency by informing all relevant natural
persons whose data are processed by the Company mentioned below.
1.3. SCOPE
This Policy is related to all personal data of natural persons detailed in Section 5
below, which are processed automatically or non-automatically provided that they are part of any data
recording system. Our Company informs the Personal Data Owners about the Law by publishing this Policy on
its website.
1.4. PRIORITY IN THE IMPLEMENTATION OF POLICY AND
RELEVANT LEGISLATION
In case of any incompatibility between the legislation in force and the Policy, the
Company accepts that the legislation in force will be applied.
1.5. EFFECTIVE DATE
This Policy was issued by the Company and entered into force on December 2023.
This Policy is updated in cases where it is necessary to update it and/or when
necessary, such as changes in legislation, Board decisions or developments in the sector and in
the field of informatics. Changes made within this scope are immediately entered into the text
and explanations regarding the changes are entered into the Change Table at the end of the policy.
This Policy and the amendments made to the Policy within the scope of the update shall be
deemed to have entered into force upon its publication on the Company's website.
PART TWO
2. PROTECTION OF PERSONAL DATA
The Company takes the necessary technical and administrative measures to ensure the
appropriate level of security in order to prevent unlawful processing of the personal data it processes, to
prevent unlawful access to the data and to ensure the preservation of the data, and to carry out or have the
necessary audits carried out within this scope.
2.1. OBSERVANCE OF DATA SUBJECT'S RIGHTS AND EVALUATION
OF DATA SUBJECTS' REQUESTS
The Company carries out the necessary channels, internal functioning, administrative and
technical arrangements to evaluate the rights of personal data owners and to provide the necessary
information to personal data owners.
The requests of personal data owners submitted to the Company are evaluated in accordance
with Article 10 of this Policy.
2.2. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA
Data relating to race, ethnic origin, political opinion, philosophical belief, religion,
sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions,
health, sexual life, criminal convictions and security measures, and biometric and genetic data, which are
of special importance due to the risk of causing victimization or discrimination when processed unlawfully,
are personal data of special nature.
The Company acts sensitively in the protection of sensitive personal data. In this
context, the technical and administrative measures taken by the Company for the protection of personal data
are carefully implemented in terms of sensitive personal data and necessary audits are provided within the
Company.
2.3. RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND
PROCESSING OF PERSONAL DATA
The Company ensures that necessary trainings are organized for business units in order to
raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the
protection of data.
Necessary systems are established to ensure that the current employees of the Company's
business units and the employees who are newly included in the business unit are aware of the protection of
personal data, and if necessary, professional persons are hired in this regard.
The results of the trainings conducted to raise the awareness of the Company's business
units on the protection and processing of personal data are reported to the Company. In this direction, the
Company evaluates the participation in the relevant trainings, seminars and information sessions and
conducts or has the necessary audits carried out. The Company updates and renews its trainings in parallel
with the updating of the relevant legislation.
2.4. ENSURING THE SECURITY OF PERSONAL DATA
In accordance with Article 12 of the Law, the Company takes the necessary measures
according to the nature of the data to be protected in order to prevent unlawful disclosure, access,
transfer or other security deficiencies that may occur in other ways. In this context, our Company takes
technical and administrative measures to ensure the necessary level of security in accordance with the
guidelines published by the Board, and conducts or has audits carried out.
2.4.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of
Personal Data
The Company takes technical and administrative measures to ensure that personal data is
processed in accordance with the law, according to technological possibilities and implementation cost.
2.4.1.1.Technical Measures
Technical Measures Taken to Ensure Lawful Processing of Personal Data
The main technical measures taken by the Company to ensure the lawful processing of
personal data are listed below:
Personal data processing activities carried out within the Company are audited
through technical systems established. In this context, ISO 27001 Information Security Management System has
been complied with and all environments where personal data are created, processed, stored, displayed and
transmitted are subject to technical measures.
The technical measures taken are periodically reported to the relevant person
as required by the internal audit mechanism.
In order to maintain technical competence, the Company's information security
infrastructure is audited every year by a third party organization.
Technically knowledgeable personnel are employed. An Information Security Team
was formed and necessary appointments were made.
Technical Measures to Prevent Unlawful Access to Personal Data
The main technical measures taken by the Company to prevent unlawful access to personal
data are listed below:
Technical measures are taken in accordance with the developments in
technology, and the measures taken are periodically updated and renewed.
Access and authorization technical solutions are implemented in accordance
with the legal compliance requirements determined on a business unit basis.
Access authorizations are limited, and authorizations are regularly reviewed.
The technical measures taken are periodically reported to the relevant person
as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and necessary
technological solutions are produced.
Software and hardware including virus protection systems and firewalls are
installed.
Technically knowledgeable personnel are employed.
Intrusion detection and prevention systems are used and regular vulnerability
and penetration tests are conducted.
Security scans are regularly performed to identify security vulnerabilities in
applications where personal data is collected. The vulnerabilities found are closed.
Technical Measures Taken for Storing Personal Data in Secure Environments
The main technical measures taken by the Company to store personal data in secure
environments are listed below:
Systems in line with technological developments are used to store personal
data in secure environments.
Personnel specialized in technical issues are employed.
Technical security systems are installed for storage areas, the technical
measures taken are periodically reported to the relevant person as required by the internal audit mechanism,
the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.
Backup programs are used in accordance with the law to ensure that personal
data is stored securely.
Access to data storage areas containing personal data is logged and
inappropriate access or access attempts are instantly communicated to the relevant persons.
2.4.1.2 Administrative Measures
Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The main administrative measures taken by the Company to ensure the lawful processing of
personal data are listed below:
Employees are informed and trained on the law on the protection of personal
data and the processing of personal data in accordance with the law.
All activities carried out by the Company are analyzed in detail specific to
all business units, and as a result of this analysis, personal data processing activities are revealed
specific to the commercial activities carried out by the relevant business units.
The personal data processing activities carried out by the business units of
the Company are determined specifically for each business unit and the activity it carries out.
In order to ensure the legal compliance requirements determined on a business
unit basis, awareness is raised and implementation rules are determined for the relevant business units; the
necessary administrative measures are implemented through internal policies and trainings to ensure the
supervision of these issues and the continuity of the implementation.
In the contracts, internal regulations and related documents governing the
legal relationship between the Company and the employees, records that impose an obligation not to process,
disclose and use personal data, except for the Company's instructions and exceptions imposed by law, are
included and employee awareness is raised and audits are carried out.
Administrative Measures to Prevent Unlawful Access to Personal Data
The main administrative measures taken by the Company to prevent unlawful access to
personal data are listed below:
Employees are trained on the technical measures to be taken to prevent
unlawful access to personal data.
Access to personal data and authorization processes are designed and
implemented within the company in accordance with the legal compliance requirements for processing personal
data on a business unit basis.
Employees are informed that they cannot disclose the personal data they have
learned to anyone else in violation of the provisions of the KVKK and cannot use it for purposes other than
processing, and that this obligation will continue after they leave their duties, and that sanctions will be
imposed on them in case of contrary behavior in accordance with both the relevant legislation and the
internal regulations of the personnel, and necessary commitments are taken from them in this direction.
Provisions are added to the contracts concluded by the Company with the
persons to whom personal data are transferred in accordance with the law; that the persons to whom personal
data are transferred will take the necessary security measures to protect personal data and ensure that
these measures are complied with in their own organizations.
Access to all electronic media where personal data is processed by the Company
is controlled, security tightenings are made, and violations are detected and examined with the help of
security solutions.
All data transfer routes are kept under control, permissions related to data
transfers are audited, data transfer activities are filtered, trace records are taken and protected.
Track records are continuously analyzed and reported
Personal data is encrypted in the environments where it is recorded, stored
and transmitted, and key management is applied for cryptographic controls within the organization
Security measures are taken within the scope of information systems, system
procurement, development and maintenance.
Risks and threats are identified. Risk analysis, residual risk and risk
handling processes are defined and operated.
Administrative Measures Taken for Storing Personal Data in Secure Environments
The main administrative measures taken by the Company to store personal data in secure
environments are listed below:
Employees are trained to ensure that personal data is stored securely.
Legal and technical consultancy services are obtained in order to follow the
developments in the field of information security, privacy of private life and protection of personal data
and to take necessary actions. In the event that an external service is obtained by the Company due to
technical requirements for the storage of personal data, the contracts concluded with the relevant companies
to which personal data are transferred in accordance with the law include provisions stating that the
persons to whom personal data are transferred will take the necessary security measures to protect personal
data and ensure that these measures are complied with in their own organizations.
Access permissions for all environments are designed according to the
need-to-know principle. Personnel access rights are revised in cases such as resignation or change of duty.
Permissions can only be granted or changed with the approval of the relevant unit supervisor.
2.4.2. Supervision of Measures Taken for the Protection of Personal Data
In accordance with Article 12 of the KVKK, the Company conducts or has the necessary
audits carried out within its own organization. The results of these audits are reported to the relevant
department within the scope of the internal functioning of the Company and necessary activities are carried
out to improve the measures taken.
2.4.3. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
In the event that personal data processed in accordance with Article 12 of the KVKK is
obtained by others through unlawful means, the Company operates a system that ensures that this situation is
notified to the relevant personal data owner and the Board as soon as possible.
If deemed necessary by the Board, this situation may be announced on the Board's website
or by any other method.
PART THREE
3. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
The Company strictly complies with the matters specified in the legislation on the
processing of personal data.
3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN
THE LEGISLATION
3.1.1. Processing in Compliance with Law and Good Faith
The Company acts in accordance with the principles introduced by legal regulations and
the general rule of trust and honesty in the processing of personal data. In this context, the Company takes
into account the proportionality requirements in the processing of personal data and does not use personal
data for purposes other than those required by the purpose.
3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
The Company ensures that the personal data it processes are accurate and up-to-date,
taking into account the fundamental rights of personal data owners and their legitimate interests. It takes
necessary measures in this direction. For example, the Company has established a system for personal data
subjects to correct and confirm the accuracy of their personal data.
3.1.3. Processing for Specific, Explicit and Legitimate Purposes
The Company clearly and precisely determines the legitimate and lawful purpose of
personal data processing. The Company processes personal data as much as is necessary in connection with and
necessary for the commercial activity it carries out. The purpose for which personal data will be processed
by the Company is determined before the personal data processing activity begins.
3.1.4. Being relevant, limited and proportionate to the purpose for which they are
processed
The Company processes personal data in a manner that is conducive to the achievement of
the specified purposes and avoids the processing of personal data that is not related to the achievement of
the purpose or is not needed, and processes personal data limited to the specified purposes. For example,
personal data processing activities are not carried out to meet the needs that may arise later.
3.1.5. Storage for the Period Stipulated in the Relevant Legislation or Required
for the Purpose for which they are Processed
The Company retains personal data only for the period specified in the relevant
legislation or for the period required for the purpose for which they are processed. In this context, the
Company first determines whether a period of time is stipulated for the storage of personal data in the
relevant legislation, if a period of time is determined, it keeps it for the minimum period stipulated in
the legal legislation to which the relevant activity is subject, and if no period of time is determined, it
keeps personal data for the period required for the purpose for which they are processed. Personal data are
deleted, destroyed or anonymized by the Company in the event that the period expires or the reasons
requiring their processing disappear. Personal data are not stored by the Company with the possibility of
future use.
3.2. PROCESSING PERSONAL DATA BASED ON AND LIMITED TO
ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN ARTICLE 5 OF THE KVKK
Protection of personal data is a constitutional right. Fundamental rights and freedoms
may be restricted without prejudice to their essence only for the reasons specified in the relevant articles
of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution,
personal data may only be processed in cases stipulated by law or with the explicit consent of the person.
In this direction and in accordance with the Constitution, the Company processes personal data only in cases
stipulated in the legislation or with the explicit consent of the person.
3.3. PROCESSING OF DATA PROCESSED BY INTERCITY
COMPANIES BY THE COMPANY
The Company may also process the personal data processed by Intercity Companies in order
to carry out the activities of Intercity Companies in accordance with the principles, objectives and
strategies of the Company and to protect the rights and interests of the Company and its reputation. In the
event that the personal data sharing between Intercity Companies and the Company takes place within the
scope of personal data transfer from the data controller to the data controller within the scope of KVKK,
the relevant Intercity Companies shall inform the person that his/her personal data may be sent to the
Company during the personal data collection phase.
3.4. DISCLOSURE AND INFORMATION OF THE
PERSONAL DATA SUBJECT
In accordance with Article 10 of the KVKK, the Company enlightens Personal Data Owners
during the acquisition of personal data. In this context, the Company informs about the identity of the
representative, if any, the purpose for which personal data will be processed, to whom and for what purpose
the processed personal data can be transferred, the method and legal reason for collecting personal data and
the rights of the personal data owner.
"Requesting information" is also listed among the rights of the personal data owner in
Article 11 of the KVKK. In this context, the Company provides the necessary information in case the Personal
Data Owner requests information in accordance with Article 20 of the Constitution and Article 11 of the
KVKK.
3.5. PROCESSING OF PERSONAL DATA OF SPECIAL NATURE
The Company acts in strict compliance with the regulations stipulated in the KVKK in the
processing of personal data determined as "special quality" by the KVKK.
Special categories of personal data are processed by the Company in the following cases,
provided that adequate measures to be determined by the Board are taken:
a.
If the personal data subject has explicit consent or
b.
If the personal data subject does not have explicit consent;
Sensitive personal data other than the health and sexual life of the personal
data owner, in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal
data subject are processed only for the purposes of protecting public health, preventive medicine, medical
diagnosis, treatment and care services, planning and management of health services and financing, by persons
or authorized institutions and organizations under the obligation of confidentiality.
CHAPTER FOUR
4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE
PERIODS OF PERSONAL DATA PROCESSED BY OUR COMPANY
In accordance with Article 10 of the LPPD, the Company informs the personal data owner
which personal data of which personal data owner groups are processed within the scope of the disclosure
obligation, the purposes of processing the personal data of the personal data owner and the retention
periods.
4.1. CATEGORIZATION OF PERSONAL DATA
The following categories of personal data are processed by informing the data subjects in
accordance with Article 10 of the LPPD.
|
PERSONAL DATA CATEGORIZATION |
EXPLANATION |
|
Identity Information |
Data that clearly belongs to an identified or identifiable natural
person; processed partially or completely automatically or non-automatically as part of the
data recording system; containing information about the identity of the person; documents
such as driver's license, identity card and passport containing information such as
name-surname, Turkish ID number, nationality, mother's name-father's name, place of birth,
date of birth, age, gender, and information such as tax number, SSI number, signature
information, vehicle license plate, etc. |
|
Contact Information |
Information such as telephone number, address, e-mail address, social
media accounts, fax number, IP address, which clearly belongs to an identified or
identifiable natural person; processed partially or completely automatically or
non-automatically as part of the data recording system |
|
Family Members and Relatives |
Information about the personal data owner's family members (e.g. spouse,
mother, father, child), relatives and other persons who can be reached in case of emergency,
which clearly belongs to an identified or identifiable natural person; processed partially
or completely automatically or non-automatically as part of the data recording system;
within the framework of the operations carried out by the Company's business units, related
to the products and services offered by the Company's affiliates or in order to protect the
legal and other interests of the Company and the personal data owner |
|
Physical Space Security Information |
Personal data clearly belonging to an identified or identifiable natural
person; processed partially or fully automatically or non-automatically as part of the data
recording system; personal data related to records and documents taken at the entrance to
the physical space, during the stay in the physical space; camera recordings, CCTV
recordings, office entry and exit records and records taken at the security point, etc. |
|
Financial Information |
Personal data that clearly belongs to an identified or identifiable
natural person; processed partially or completely automatically or non-automatically as part
of the data recording system; Personal data processed regarding information, documents and
records showing all kinds of financial results created according to the type of legal
relationship established by the Company with the personal data owner, and data such as bank
account number and information, IBAN number, credit card number and information, balance
sheet account information, account transactions breakdown, financial aids,
immovable/portable information allocated to the employee by the employer, financial
performance, information on assets, surety status, insurance information, credit rating,
debt information (loan, mortgage information, execution proceedings, etc.) financial
profile, asset data, income/salary information.) financial profile, asset data,
income/salary information |
|
Audio/Visual Information |
Information that clearly belongs to an identified or identifiable natural
person; photographs and camera recordings (except for recordings within the scope of
Physical Space Security Information), voice recordings and data contained in documents that
are copies of documents containing personal data, etc. |
|
Personal Information |
All kinds of personal data such as payroll information, disciplinary
investigation, performance evaluation, employment document records, CV / resume, work permit
document, residence permit document, clothing measurements, etc., which are processed
partially or completely automatically or non-automatically as part of the data recording
system, which clearly belong to an identified or identifiable natural person; processed for
obtaining information that will be the basis for the formation of the personal rights of
natural persons who have a working relationship with the Company. |
|
Sensitive Personal Data |
Data that clearly belongs to an identified or identifiable natural
person; processed partially or completely automatically or non-automatically as part of the
data recording system; data specified in Article 6 of the KVKK (e.g. health data including
blood type) |
|
Complaints and Suggestions Information |
Personal data clearly belonging to an identified or identifiable natural
person; processed partially or completely automatically or non-automatically as part of the
data recording system; personal data regarding the receipt and evaluation of any request or
complaint addressed to the Company |
|
Legal Process Knowledge |
Judicial authority correspondence, case file information, etc., which
clearly belongs to an identified or identifiable natural person; processed partially or
completely automatically or non-automatically as part of the data recording system. |
|
Education and Work Information |
Information that clearly belongs to an identified or
identifiable natural person; processed partially or completely automatically or
non-automatically as part of the data recording system; Military Service Status, CV /
Resume, Education Status, Past Salary and Premium Information, Reasons for Termination of
Previous Employment, Foreign Language Skills, Skills, Education Status, Exam and Training
Results, Employment Document (from Former Workplace), SSI Service Transcript,
Diploma Sample, Professional Development Certificates, Occupational Information, Job
Qualification Status, Career History, etc. |
|
Customer Transaction Information |
Information that clearly belongs to an identified or
identifiable natural person; processed partially or completely automatically or
non-automatically as part of the data recording system; call center records, invoice / check
/ bill information, order or request information, etc.
|
|
Vehicle Information |
Vehicle license, license plate etc. information
|
|
Employee Performance and Career Development Information |
Information that clearly belongs to an identified or
identifiable natural person; processed partially or completely automatically or
non-automatically as part of the data recording system; the loyalty score, performance
evaluation information, work history, professional competencies, interests and hobbies,
interview and recruitment evaluations, interview, Education Information, etc.
of the real person working for the purpose of conducting recruitment /
employment, personnel recruitment processes |
|
Information on Criminal Conviction and Security Measures |
Criminal Registry Information that clearly belongs to an identified or
identifiable natural person; processed partially or completely automatically or
non-automatically as part of the data recording system |
|
Transaction Security Information |
Information that clearly belongs to an identified or
identifiable natural person; processed partially or completely automatically or
non-automatically as part of the data recording system; ip address information, website
login and exit information, username and password, Password and User Information of the
Devices Used by the Employee within the Company, Internal Access and Authorization
Information, E-signature, log records, etc. |
|
Transaction Information |
Data such as survey information, declaration information, cookie records,
which clearly belong to an identified or identifiable natural person; processed
partially or completely automatically or non-automatically as part of the data recording
system; processed within the framework of the activities carried out by the
Company, related to the services provided or to protect the legal and other interests of the
Company and the personal data owner |
|
Health Information |
Information on disability status, blood group information, personal
health information, information on devices and prostheses used, etc., which clearly belongs
to an identified or identifiable natural person; processed partially or completely
automatically or non-automatically as part of the data recording system. |
4.2. PURPOSES OF PROCESSING PERSONAL DATA
The Company processes personal data limited to the purposes and conditions within the
personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of
the KVKK. These purposes and conditions;
It is clearly stipulated in the legislation that the Company is engaged in the
relevant activity regarding the processing of your personal data
The processing of your personal data by the Company is directly related and
necessary for the establishment or performance of a contract
Processing of your personal data is mandatory for the Company to fulfill its
legal obligation
Provided that your personal data has been made public by you; processing by
the Company limited to the purpose of publicization by you
Processing of your personal data by the Company is mandatory for the
establishment, use or protection of the rights of the Company or you or third parties
It is mandatory to carry out personal data processing activities for the
legitimate interests of the Company, provided that it does not harm your fundamental rights and freedoms
The processing of personal data by the Company is mandatory for the protection
of the life or physical integrity of the personal data owner or someone else, and in this case, the personal
data owner is unable to disclose his consent due to actual or legal invalidity
It is stipulated in the laws for personal data of special nature other than
the health and sexual life of the personal data owner
In terms of personal data of special nature related to the health and sexual
life of the personal data owner, it is processed by persons or authorized institutions and organizations
under the obligation of confidentiality for the protection of public health, preventive medicine, medical
diagnosis, treatment and care services, planning and management of health services and financing.
|
Terms of Processing |
Scope |
Example |
|
Law Provision |
Tax Legislation, Labor Legislation, Trade Legislation etc. |
Employee personal information must be kept in accordance with the
legislation. |
|
Performance of the Contract |
Contract of Employment, Contract of Sale, Contract of Carriage, Contract
of Work, etc. |
The processing of your personal data by the Company is directly related
and necessary for the establishment or performance of a contract |
|
Actual Impossibility |
A person who is unable to give consent due to actual impossibility or who
lacks the power of discernment. |
The processing of personal data by the Company is mandatory for the
protection of the life or physical integrity of the personal data owner or someone else, and
in this case, the personal data owner is unable to disclose his consent due to actual or
legal invalidity |
|
Legal Liability of the Data Controller |
Financial Audits, Security Legislation, Compliance with Sector-Focused
Regulations. |
Processing of your personal data is mandatory for the
Company to fulfill its legal obligation |
|
Making Public |
Making information about oneself available to the public. |
Provided that your personal data has been made public by you; processing
by the Company limited to the purpose of publicization by you |
|
Establishment, Protection and Exercise of Right |
Mandatory data to be used for filing lawsuits, registration procedures,
all kinds of title deed transactions, etc. |
Retention of necessary information about a departing employee during the
statute of limitations. Processing of your personal data by the Company is mandatory for
the establishment, use or protection of the rights of the Company or you or third
parties |
|
Legitimate Interest |
Provided that the fundamental rights of the data subject are not harmed,
data may be processed if it is mandatory for the legitimate interest of the data controller.
|
It is mandatory to carry out personal data processing activities for the
legitimate interests of the Company, provided that it does not harm your fundamental rights
and freedoms |
In this context, the Company processes your personal data limited to the following
purposes:
Yacht construction, maintenance, repair and repair works,
Performance of sales and leasing of marine vessels,
Execution of after-sales services,
Planning and execution of corporate sustainability activities,
Event management,
Management of relationships with business partners or suppliers
Providing the necessary information in line with the requests and audits of
regulatory and supervisory institutions and official authorities,
Improving service quality and customer satisfaction,
Follow-up of human resources processes,
Execution of company personnel recruitment processes
Supporting the personnel recruitment processes of Intercity Companies
Execution/follow-up of the Company's financial reporting and risk management
processes
Conducting finance and financial affairs
Execution/follow-up of company legal affairs
Planning and execution of corporate communication activities
Execution of corporate governance activities
Realization of company and partnership law transactions
Request and complaint management
Ensuring the security of company values
Supporting Intercity Companies in compliance with relevant legislation
Supporting the planning and execution processes of the fringe benefits and
benefits to be provided to the senior executives of the Company and Intercity Companies
Planning and execution of audit activities to ensure that the activities of
Intercity Companies are carried out in accordance with the procedures of Intercity Companies and the
relevant legislation
Supporting Intercity Companies in the realization of corporate and partnership
law transactions
Carrying out activities to protect the reputation of Intercity Companies
Managing investor relations
Providing information to authorized institutions due to legislation
Creation and follow-up of visitor records
Necessary for the performance of the employment contract
Fulfillment of legal obligations,
Labor Law, Occupational Health and Safety Law, Social Security Law and related
legislation and other laws and legislation
Ensuring security within the company
Performance of customer contracts,
Management of the company, conduct of business, implementation of company
policies
Ensuring and improving the company's occupational health and safety
Ensuring the legal and commercial security of the Company and persons in
business relations with the Company; determining and implementing human resources policies and business
strategies
·
Development and marketing of services in line with our commercial
activities
In the event that the processing activity carried out for the aforementioned purposes
does not meet any of the conditions stipulated under the KVKK, your explicit consent is obtained by the
Company regarding the relevant processing process.
SECTION FIVE
M
5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA
PROCESSED BY THE COMPANY
Personal data owner refers to real persons whose personal data are processed in
accordance with Law No. 6698, and although the personal data of the categories of personal data owners
listed below are processed by the Company, the scope of application of this Policy is limited to the
categories of personal data owners described below.
|
PERSONAL DATA SUBJECT CATEGORIZATION |
EXPLANATION |
|
Employee/Candidate Employee |
Real persons who have applied for a job to the Company by any means or
who have opened their CV and related information to the Company's review. |
|
Former Employee |
Real persons who have applied for a job to the Company by any means or
who have opened their resume and related information to the Company's review, but whose
employment contract relationship with the Company has ended. |
|
Trainee/Intern Candidate |
Real persons who have applied for a job to do their internship at the
Company or who have opened their resume and related information to the Company's review.
|
|
Real Person Customer/Customer Candidate |
Natural persons whose personal data are obtained through the Company's
business relations within the scope of the operations carried out by the Company and its
business units |
|
Natural Person Supplier/Business Partner/Solution
Partner/Stakeholder/Authority/Employee |
Real persons who provide services to the Company on a contractual basis
in accordance with the Company's orders and instructions while carrying out the Company's
commercial activities, real persons with whom the Company has any kind of business
relationship, real persons who are its employees' officers or shareholders. |
|
Shareholder |
Real persons who are shareholders of the Company |
|
Company Official / Business Partner / Solution Partner |
Members of the Company's board of directors and other authorized real
persons |
|
Intercity Companies |
Other companies in which real and/or legal persons who are shareholders
of Ekim Turizm Ticaret ve Sanayi Anonim Şirketi are shareholders |
|
Contracting Party |
Real persons with whom the Company has concluded an employment contract
within the scope of the operations carried out by the Company and its business units. |
|
Third natural person |
Other natural persons not covered by this Policy and the Company
Employees Personal Data Protection and Processing Policy (e.g. guarantors, companions,
former employees) |
|
Visitor |
Real persons who have entered the physical premises owned by the Company
for various purposes |
|
Website Visitor |
Real persons who visit the website owned by the Company |
Although the categories of persons whose personal data are processed by the Company are
within the scope of the above-mentioned scope, persons outside of these categories may also direct their
requests to the Company within the scope of KVKK; the requests of these persons will also be evaluated
within the scope of this Policy.
The table below details the categories of personal data subjects mentioned above and the
types of personal data processed by the persons within these categories.
|
PERSONAL DATA CATEGORIZATION |
PERSONAL DATA CATEGORIZATION DESCRIPTION |
CATEGORY OF DATA SUBJECT TO WHICH THE RELEVANT PERSONAL DATA
RELATES |
|
Identity Information |
Data containing information about the identity of the person;
name-surname, Turkish ID number, nationality, place of birth, date of birth, gender,
workplace information, registration number, tax number, title, biography, etc. and documents
such as driver's license, professional ID, identity card |
Company and/or Intercity Companies Customer, Customer Candidate,
Employee, Employee Candidate, Former Employee, Intern, Intern Candidate, Company
Shareholder, Company Official, Visitor, Intrnet Visitor, Supplier, Employees and Authorities
of the Institutions (Business Partner) with which we cooperate, Third Party |
|
Contact Information |
Telephone number, address, e-mail address, fax number, etc. |
Company and/or Intercity companies Customer, Customer Candidate,
Employee, Employee Candidate, Former Employee, Trainee, Trainee Candidate, Company
Shareholder, Company Official, Supplier, Employees, Shareholders and Authorities of the
Institutions (Business Partner) with which we are in cooperation, Third Party |
|
Family Members and Relatives |
Family members of the personal data owner processed within the framework
of the activities carried out by the Company, related to the services provided or in order
to protect the legal and other interests of the Company and the personal data owner (e.g. spouse, mother, father, child), information about relatives and
other persons who can be contacted in case of emergency) |
Company and/or Intercity companies Employee, Employee Candidate, Intern,
Intern Candidate |
|
Physical Space Security Information |
Personal data relating to records and documents taken at the entrance to
the physical space, during the stay in the physical space; camera records, vehicle
information records and records taken at the security point, etc. |
Company and/or Intercity companies Customers, Customer Candidates,
Visitors, Former Employees, Employees, Employee, Employee Candidates, Interns, Intern
Candidates, Company Shareholders, Company Authorities, Suppliers, Employees, Shareholders
and Authorities of the Institutions (Business Partners) with which we cooperate, Third
Parties |
|
Financial Information |
Personal data processed regarding information, documents and records
showing all kinds of financial results created according to the type of legal relationship
established by the Company and/or Intercity Companies with the personal data subject, and
data such as bank account number, IBAN number, income information, debt/credit information
|
Customer of the Company and/or Intercity companies, Former Employee,
Employee, Employee, Employee Candidate, Intern, Intern Candidate, Company Shareholder,
Company Official, Supplier, Employees, Shareholders and Authorities of the Institutions
(Business Partner) with which we are in cooperation, Third Party |
|
Audio/Visual Information |
Photographs and camera recordings (excluding recordings within the scope
of Physical Space Security Information) and audio recordings |
Company and/or Intercity companies Customer, Customer Candidate,
Employee, Employee Candidate, Former Employee, Intern, Intern Candidate, Company
Shareholder, Company Official, Visitor, Supplier, Employees and Authorities of the
Institutions (Business Partner) with which we are in cooperation, Third Party |
|
Personal Information |
Data such as payroll information, performance evaluation, employment
document records, CV/resume, work permit document |
Company and/or Intercity companies Employee Candidate,
Employee, Former Employee, Intern, Intern Candidate |
|
Sensitive Personal Data |
Data specified in Article 6 of the KVKK, |
Prospective Employee, Employee, Former
Employee, Intern, Company Shareholder, Company Official |
|
Complaints and Suggestions Information |
Personal data relating to the receipt and evaluation of any request or
complaint addressed to the Company |
Company and/or Intercity companies Customer, Customer Candidate, Employee
Candidate, Former Employee, Intern, Intern Candidate, Company Shareholder, Company Official,
Visitor, Internet Visitor, Supplier, Employees and Authorities of the Institutions We
Cooperate with, Third Party |
|
Legal Procedure and Compliance Knowledge |
Personal data processed within the scope of determination and follow-up
of our legal receivables and rights and performance of our debts and compliance with our
legal obligations and the Company's policies |
Company and/or Intercity Customer, Employee, Former Employee, Intern,
Company Shareholder, Company Official, Supplier, Relator, Employees and Authorities of the
Institutions (Business Partner) with which we are in cooperation, Third Party |
|
Education and Work Information |
Educational Background, Past Salary and Bonus Information, Reasons for
Termination of Previous Employment, Foreign Language Skills, Skills, Educational Background,
Certificate of Employment (from former employer), Diploma Sample, Professional
Development Certificates, Occupational Information, Job Qualifications, Career History, etc.
|
Company and/or Intercity companies Employee, Employee
Candidate, Former Employee, Intern, Intern Candidate
|
|
Customer Transaction Information
|
Invoice information, order or request information, etc. |
Customers, Prospective Customers, Employees,
Suppliers, Suppliers, Employees and Authorities of the
Institutions (Business Partners) with which we cooperate with the Company and/or Intercity
companies |
|
Vehicle Information |
License plate and registration information of the vehicle
|
Company and/or Intercity companies' Customers, Employees,
Former Employees, Interns, Visitors, Suppliers, Employees and Authorities of
the Institutions (Business Partners) with which we cooperate, Third Parties |
|
Employee Performance and Career Development Information |
Recruitment / employment, performance evaluation information, work
history, professional competencies, interview and induction assessments, etc.
|
Company and/or Intercity companies Employee, Former Employee, Intern |
|
Information on Criminal Conviction and Security Measures |
Criminal Record Information,
|
Company and/or Intercity companies Employee, Employee Candidate, Former
Employee, Intern, Intern Candidate |
|
Transaction Security Information |
Your personal data processed to ensure our technical, administrative,
legal and commercial security during the execution of our activities (e.g. log records, IP
information, authentication information) |
Customers of the Company and/or Intercity companies, Employees, Former
Employees, Interns, Company Shareholders, Company Officials, Visitors, Internet Visitors,
Suppliers, Employees and Authorities of the Institutions (Business Partners) with which we
cooperate, Third Parties |
|
Transaction Information |
Data such as survey information, declaration information, call center
records, membership information, cookie records, which are processed within the framework of
the activities carried out by the Company, related to the services provided or to protect
the legal and other interests of the Company and the personal data owner |
Customers of the Company and/or Intercity companies, Customer Candidate,
Employee, Former Employee, Intern, Company Shareholder, Company Official, Visitor, Employees
and Authorities of the Institutions (Business Partner) with which we cooperate, Third
Parties |
|
Health Information |
Information on disability status, blood type information, personal health
information, etc.
|
Company and/or Intercity companies Employee, Former Employee, Employee
Candidate, Intern, Company Shareholder, Company Official |
SECTION SIX
6. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED
BY THE COMPANY AND THE PURPOSES OF TRANSFER
6.1 TRANSFER OF PERSONAL DATA
The Company may transfer the personal data and sensitive personal data of the personal
data owner to third parties by taking the necessary security measures in line with the lawful personal data
processing purposes. In this direction, the Company acts in accordance with the regulations stipulated in
Article 8 of the KVKK.
6.1.1 Transfer of Personal Data
The Company may transfer personal data to third parties based on and limited to one or
more of the following personal data processing conditions in line with legitimate and lawful personal data
processing purposes:
If there is explicit consent of the personal data subject,
If there is a clear regulation in the laws regarding the transfer of
personal data,
If it is necessary to transfer personal data of the parties to the contract,
provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for the Company to fulfill its legal
obligation,
If the personal data has been made public by the personal data subject,
If personal data transfer is mandatory for the establishment, exercise or
protection of a right,
If personal data transfer is mandatory for the legitimate interests of the
Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
6.1.2. Transfer of Sensitive Personal Data
By taking due care, taking the necessary security measures and taking adequate measures
stipulated by the Board; In line with legitimate and lawful personal data processing purposes, the Company
may transfer the personal data owner's sensitive personal data to third parties in the following
cases.
a.
If the personal data subject has explicit consent or,
b.
If the personal data subject does not have explicit consent;
Sensitive personal data other than the health and sexual life of the personal
data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other
beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal
convictions and security measures, and biometric and genetic data), in cases stipulated by
law,
Personal data of special nature relating to the health and sexual life of the
personal data subject can only be accessed by persons or authorized institutions and organizations under the
obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical
diagnosis, treatment and care services, planning and management of health services and financing.
6.2. TRANSFER OF PERSONAL DATA ABROAD
The Company may transfer personal data and sensitive personal data of the personal data
owner to third parties by taking necessary security measures in line with the lawful personal data
processing purposes.
The Company may transfer personal data to foreign countries declared by the Board to have
adequate protection ("Foreign Country with Adequate Protection") or, in the absence of adequate
protection, to foreign countries where the data controllers in Turkey and the relevant foreign country
undertake adequate protection in writing and where the Board has permission ("Foreign Country Where the
Data Controller Undertakes Adequate Protection").
6.2.1. Transfer of Personal Data Abroad
In line with the legitimate and lawful personal data processing purposes, the Company may
transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries where there is
a Data Controller Committed to Adequate Protection in the presence of one of the following cases if the
personal data owner has explicit consent or if the personal data owner does not have explicit consent:
If there is a clear regulation in the laws regarding the transfer of personal
data,
If it is mandatory for the protection of the life or physical integrity of the
personal data subject or someone else and the personal data subject is unable to disclose his/her consent
due to actual impossibility or his/her consent is not legally valid;
If it is necessary to transfer personal data of the parties to the contract,
provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for the Company to fulfill its legal
obligation,
If the personal data has been made public by the personal data subject,
If personal data transfer is mandatory for the establishment, exercise or
protection of a right,
If personal data transfer is mandatory for the legitimate interests of the
Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
6.2.2. Transfer of Sensitive Personal Data Abroad
By taking due care, taking the necessary security measures and taking adequate measures
stipulated by the Board; In line with legitimate and lawful personal data processing purposes, the Company
may transfer the personal data of the personal data owner to Foreign Countries with Adequate Protection or
to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the following
cases.
a.
If the personal data subject has explicit consent or
b.
If the personal data subject does not have explicit consent;
Sensitive personal data other than the health and sexual life of the personal
data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs,
appearance and dress, membership of associations, foundations or trade unions, criminal convictions and
security measures, and biometric and genetic data), in cases stipulated by law,
Personal data of special nature related to the health and sexual life of the
personal data owner can only be processed by persons or authorized institutions and organizations under the
obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis,
treatment and care services, planning and management of health services and financing.
6.3Transferred Persons and Purpose of Data
Transfer
The Company informs the personal data owner of the groups of persons to whom personal
data are transferred in accordance with Article 10 of the KVKK.
The Company may transfer the personal data of the data subjects governed by the Policy to
the categories of persons listed below:
Company partners,
Company suppliers,
Intercity Companies,
Company shareholders,
Company officials,
Legally authorized public institutions and organizations
To legally authorized private law persons
The scope of the above-mentioned persons to whom data is transferred and the purposes of
data transfer are stated below.
|
Persons to whom data can be transferred |
Definition |
Data Transfer Purpose |
|
Business Partner |
It defines the parties with whom the Company has established business
partnerships for purposes such as carrying out various projects and receiving services,
either personally or together with Intercity companies while conducting its commercial
activities. |
Limited to ensure the fulfillment of the purposes for which the joint
venture was established |
|
Supplier |
Defines the parties that provide services to the Company on a contractual
basis in accordance with the Company's orders and instructions while carrying out the
Company's commercial activities. |
Limited to the purpose of providing the Company with the services
outsourced by the Company from the supplier and necessary to fulfill the Company's
commercial activities. |
|
Shareholders |
Real persons who are shareholders of the Company |
Limited to the purposes of the activities carried out by the Company
within the scope of corporate law, event management and corporate communication processes in
accordance with the provisions of the relevant legislation |
|
Company Authorities/Company Business and Solution Partners |
Company board members and other authorized natural persons |
In accordance with the provisions of the relevant legislation, limited to
the purposes of designing strategies for the Company's commercial activities, ensuring their
management at the highest level and auditing |
|
Legally Authorized Public Institutions and Organizations |
Public institutions and organizations authorized to receive information
and documents from the Company in accordance with the provisions of the relevant
legislation |
Limited to the purpose requested by the relevant public institutions and
organizations within the legal authority |
|
Legally Authorized Private Law Persons |
Private law persons authorized to receive information and documents from
the Company in accordance with the provisions of the relevant legislation |
Limited to the purpose requested by the relevant private law persons
within their legal authority |
|
Intercity Companies |
Other companies in which real and/or legal persons who are shareholders
of Ekim Turizm Ticaret ve Sanayi Anonim Şirketi are shareholders |
Limited to the purpose of ensuring that the services necessary to fulfill
the Company's commercial activities are provided to the Company. |
CHAPTER SEVENTH
7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO
THE PROCESSING CONDITIONS IN THE LAW
The Company informs the personal data owner about the personal data it processes in
accordance with Article 10 of the KVKK.
7.1. PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES
OF PERSONAL DATA
7.1.1. Processing of Personal Data
The explicit consent of the personal data owner is only one of the legal grounds that
make it possible to process personal data in accordance with the law. Apart from explicit consent, personal
data may also be processed in the presence of one of the other conditions listed below. The basis of the
personal data processing activity may be only one of the following conditions, or more than one of these
conditions may be the basis of the same personal data processing activity.
Although the legal grounds for the processing of personal data by the Company may differ,
the Company acts in accordance with the general principles specified in Article 4 of the KVKK in all kinds
of personal data processing activities.
Explicit Consent of the Personal Data Owner: One of the
conditions for processing personal data is the explicit consent of the owner. The explicit consent of the
personal data owner must be related to a specific subject, based on information and free will.
For personal data processing activities other than the purpose of
processing for the reasons for obtaining personal data, at least one of the conditions under this heading is
sought; If one of these conditions is not present, these personal data processing activities are carried out
by the Company based on the explicit consent of the personal data owner for these processing activities.
For the processing of personal data based on the explicit consent of the
personal data owner, the explicit consent of the personal data owners is obtained through the relevant
methods.
Explicitly Stipulated in Laws: The personal data of the
data subject may be processed in accordance with the law if it is explicitly stipulated in the law.
·
Failure to Obtain Explicit Consent of the Data Subject Due to
Actual Impossibility : The personal data of the data
subject may be processed if it is mandatory to process the personal data of the person who is unable to
disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in
order to protect his/her or another person's life or physical integrity.
Direct Relevance to the Establishment or Performance of a Contract:
Provided that it is directly related to the conclusion or performance of a contract, it is
possible to process personal data if it is necessary to process personal data of the parties to the
contract.
Fulfillment of the Company's Legal Obligation: Personal
data of the data subject may be processed if the processing is mandatory for the Company to fulfill its
legal obligations as the data controller.
Publicization of Personal Data by the Data Subject: If the
data subject has made his/her personal data public by himself/herself, the relevant personal data may be
processed.
Data Processing is Mandatory for the Establishment or Protection of a
Right: If data processing is mandatory for the establishment, exercise or protection of
a right, the personal data of the personal data owner may be processed.
Data Processing is Mandatory for the Legitimate Interest of the Company:
Provided that it does not harm the fundamental rights and freedoms of the personal data
owner, data data may be processed if data processing is mandatory for the legitimate interests of the
Company.
7.1.2. Processing of Sensitive Personal Data
Special categories of personal data are processed by the Company in the following cases
if the personal data owner does not have explicit consent, provided that adequate measures to be determined
by the Board are taken:
Sensitive personal data other than the health and sexual life of the personal
data owner, in cases stipulated by law,
Personal data of special nature relating to the health and sexual life of the
personal data subject can only be accessed by persons or authorized institutions and organizations under the
obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical
diagnosis, treatment and care services, planning and management of health services and financing.
CHAPTER EIGHT
8. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA
PROCESSING ACTIVITIES CARRIED OUT WITHIN THE BUILDING AND FACILITY AND INTERNET SITE
VISITORS
Personal data processing activities carried out by the Company at the entrances of the
building facility and within the facility are carried out in accordance with the Constitution, KVKK and
other relevant legislation.
In order to ensure security, the Company carries out personal data processing activities
for the monitoring of guest entrances and exits with security cameras in the Company buildings and
facilities.
Personal data processing activity is carried out by the Company through the use of
security cameras and recording of guest entrances and exits.
8.1. CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT AT BUILDING AND FACILITY ENTRANCES
AND INSIDE
In this section, explanations will be made regarding the Company's camera surveillance
system and information will be provided on how personal data, confidentiality and fundamental rights of the
person are protected.
Within the scope of security camera surveillance activity; the Company aims to protect
the interests of the company and other persons in ensuring the security of the company and other persons.
8.1.1. Legal Basis for Camera Surveillance
Camera surveillance activities carried out by the Company are carried out in accordance
with the Law on Private Security Services and the relevant legislation.
8.1.2. Execution of Monitoring Activities with Security Cameras According to KVKK
The Company acts in accordance with the regulations in the KVKK in carrying out camera
surveillance activities for security purposes. The Company carries out security camera monitoring activities
in order to ensure security in its buildings and facilities, for the purposes stipulated in the relevant
legislation in force and in accordance with the personal data processing conditions listed in the
KVKK.
8.1.3. Announcement of Camera Surveillance Activities
The personal data owner is informed by the Company in accordance with Article 10 of the
LPPD. The Company notifies the personal data subject with more than one method regarding the camera
surveillance activity of the information it provides regarding general issues. Thus, it is aimed to prevent
damage to the fundamental rights and freedoms of the personal data owner, to ensure transparency and
enlightenment of the personal data owner.
The Company publishes this Policy on the Company's website for camera surveillance and
hangs a notification letter regarding the surveillance at the entrances of the areas where surveillance is
carried out.
8.1.4. Purpose and Limitation of Camera Surveillance
In accordance with Article 4 of the KVKK, the Company processes personal data in a
limited and measured manner in connection with the purpose for which they are processed.
The purpose of the Company's video camera monitoring activities is limited to the
purposes listed in this Policy. Accordingly, the monitoring areas, the number and the time of monitoring of
the security cameras are sufficient to achieve the security purpose and are limited to this purpose. Areas
that may result in interference with the privacy of the person in a way that exceeds the security purposes
(for example, toilets) are not subject to monitoring.
8.1.5. Ensuring the Security of the Data Obtained
In accordance with Article 12 of the LPPD, the Company takes necessary technical and
administrative measures to ensure the security of personal data obtained as a result of camera surveillance
activities.
8.1.6. Storage Period of Personal Data Obtained through Camera Surveillance
Detailed information on the Company's retention period for personal data obtained through
camera surveillance activities is provided in Article 9 of this Policy titled Retention Periods of Personal
Data.
8.1.7. Who Has Access to the Information Obtained as a Result of Monitoring and to
Whom This Information is Transferred
Only a limited number of Company employees have access to the records recorded and stored
digitally with live camera footage. The limited number of people who have access to the records declare that
they will protect the confidentiality of the data they access with a confidentiality undertaking.
8.2. MONITORING OF GUEST ENTRANCES AND EXITS CARRIED
OUT AT AND INSIDE COMPANY BUILDINGS AND FACILITIES
The Company carries out personal data processing activities to ensure security and to
monitor guest entrances and exits in the Company buildings and facilities for the purposes specified in this
Policy.
While the names and surnames of the persons who come to the Company premises as guests
are obtained or through the texts posted in the Company or otherwise made available to the guests, the
personal data owners in question are enlightened within this scope. The data obtained for the purpose of
tracking guest entry-exit are processed only for this purpose and the relevant personal data are recorded in
the data recording system in a physical environment.
8.3. STORAGE OF RECORDS REGARDING INTERNET ACCESS
PROVIDED TO OUR VISITORS IN COMPANY BUILDINGS AND FACILITIES
For the purposes of ensuring security by the Company and for the purposes specified in
this Policy; Internet access can be provided by the Company to our Visitors who request it during your stay
in our buildings and facilities. In this case, log records regarding your internet access are recorded in
accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated in accordance
with this Law; These records are processed only upon request by authorized public institutions and
organizations or in order to fulfill our legal obligation in the audit processes to be carried out within
the Company.
Only a limited number of Company employees have access to the log records obtained within
this framework. Company employees who have access to the aforementioned records access these records only
for use in requests or audit processes from authorized public institutions and organizations and share them
with legally authorized persons. The limited number of people who have access to the records declare that
they will protect the confidentiality of the data they access with a confidentiality undertaking.
8.4. WEBSITE VISITORS
On the websites owned by the Company; In order to ensure that visitors to these sites
perform their visits on the sites in accordance with their visit purposes; In order to be able to show them
customized content and to engage in online advertising activities, it records internet movements within the
site by technical means (e.g. cookies-cookie), provided that users are given the option to change this
setting from browsers.
Detailed explanations regarding the protection and processing of personal data regarding
these activities are available on the relevant websites.
CHAPTER NINE
9. THE COMPANY'S METHOD AND LEGAL REASON FOR COLLECTING
PERSONAL DATA, THE OBLIGATION TO DELETE, DESTROY AND ANONYMIZE PERSONAL DATA AND THE STORAGE
PERIOD
9.1. METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA
For the purpose
of checking compliance with Article 1 regulating the purpose of the Law and Article 2 regulating the scope of
the Law, Personal Data is collected in all kinds of verbal, written, electronic media; by technical and other
methods, through various means such as call center, Company website, mobile application, in order to fulfill the
responsibilities arising from the law within the framework of legislation, contract, request and optional legal
reasons in order to fulfill the purposes set out in the Policy, and is processed by the Company or data
processors assigned by the Company.
9.2. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA
Without prejudice
to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, the
Company deletes, destroys or anonymizes Personal Data ex officio or upon the request of the data owner in the
event that the reasons requiring its processing disappear, although it has processed it in accordance with the
provisions of this Law and other laws. With the deletion of Personal Data, this data is destroyed in such a way
that it cannot be used and recovered in any way again. Accordingly, Personal Data shall be irreversibly deleted
from the documents, files, CDs, diskettes, hard disks, etc. in which they are stored. Destruction of Personal
Data, on the other hand, refers to the destruction of materials suitable for storing data such as documents,
files, CDs, diskettes, hard disks, etc. in which the data is recorded in such a way that the information cannot
be recovered and used again. Anonymization of data means making Personal Data impossible to be associated with
an identified or identifiable natural person even if it is matched with other data.
9.2.1. Conditions for Deletion, Destruction and
Anonymization of Personal Data
Although the Company has been processed in accordance with the provisions of the relevant
law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVKK, personal data shall be
deleted, destroyed or anonymized upon the Company's own decision or upon the request of the personal data
owner if the reasons requiring its processing disappear.
Detailed regulations regarding the Company's techniques for the storage, deletion,
destruction and anonymization of Personal Data are included in the Personal Data Retention and Destruction
Policy published on the Company's website.
Although it has been processed in accordance with the provisions of the relevant law,
personal data shall be deleted, destroyed or anonymized upon the decision of the Company or upon the request
of the personal data owner if the reasons requiring its processing disappear. In this context, the Company
fulfills its relevant obligation by the methods described in this section.
9.2.2. Techniques for Deletion, Destruction and
Anonymization of Personal Data
9.2.2.1. Techniques for Deletion and Destruction of Personal Data
Although the Company has been processed in accordance with the provisions of the relevant
law, it may delete or destroy personal data based on its own decision or upon the request of the personal
data owner if the reasons requiring its processing disappear. The most commonly used deletion or destruction
techniques used by the Company are listed below:
Physical Destruction: Personal data may also be processed
by non-automatic means, provided that they are part of any data recording system. When such data is
deleted/destroyed, the system of physically destroying the personal data in a way that cannot be used later
is applied.
Secure Deletion from Software: When deleting/destroying
data processed by fully or partially automated means and stored in digital media; methods are used to delete
the data from the relevant software in a way that cannot be recovered again.
Secure Erasure by an Expert: In some cases, the Company
may hire an expert to erase personal data on its behalf. In this case, personal data is securely
deleted/destroyed by the expert in a way that cannot be recovered again.
9.2.2.2.2. Techniques for Anonymizing Personal Data
Anonymization of personal data means that personal data cannot be associated with an
identified or identifiable natural person under any circumstances, even by matching with other data. The
Company may anonymize personal data when the reasons requiring the processing of personal data processed in
accordance with the law disappear.
In accordance with Article 28 of the KVKK; anonymized personal data may be processed for
purposes such as research, planning and statistics. Such processing is outside the scope of KVKK and the
explicit consent of the personal data owner will not be sought. Since personal data processed by
anonymization will be outside the scope of KVKK, the rights set out in Section 10 of the Policy will not
apply to this data. The most commonly used anonymization techniques used by the Company are listed below.
Masking: Data masking is a method of anonymizing personal
data by removing the basic identifying information of personal data from the data set. Example: By
removing the information such as name, T.R. Identity Number, etc. that enables the identification of the
personal data owner, the personal data owner is transformed into a data set where it becomes impossible to
identify the personal data owner.
Aggregation With the data aggregation method, many data
are aggregated and personal data cannot be associated with any individual. Example: Revealing that
there are Z number of employees of X age without showing the ages of the employees individually.
Data Derivation: With the data derivation method, a more
general content is created from the content of personal data and it is ensured that personal data cannot be
associated with any person. Example: Specifying ages instead of dates of birth; specifying the region
of residence instead of the street address.
Data Hashing: With data hashing method, the values in the
personal data set are mixed to break the link between the values and the persons. Example: Changing
the quality of voice recordings to make it impossible to associate the voices with the data subject.
9.3. Retention Period of Personal Data
The Company stores Personal Data for the period specified in this legislation, if stipulated in
the legislation. If a period of time is not regulated in the legislation regarding how long personal data should
be kept, Personal Data is processed for the period required to be processed in accordance with the practices and
customs of the Company's practices and commercial life, depending on the activity carried out by the Company
while processing that data, and then deleted, destroyed or anonymized.
If the purpose of processing personal data has expired and the retention periods determined by
the relevant legislation and the Company have expired; personal data can only be stored for the purpose of
constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to
establish a defense. In the establishment of the periods here, the retention periods are determined based on the
statute of limitations for the assertion of the right in question and the examples in the requests previously
addressed to the Company on the same issues despite the expiration of the statute of limitations. In this case,
the stored personal data is not accessed for any other purpose and access to the relevant personal data is
provided only when it is required to be used in the relevant legal dispute. After the aforementioned period
expires, personal data are deleted, destroyed or anonymized.
SECTION TEN
10. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR
EXERCISING AND EVALUATING THESE RIGHTS
The Company informs the personal data owner of the rights of the personal data owner in
accordance with Article 10 of the KVKK and guides the personal data owner on how to exercise these rights,
and the Company carries out the necessary channels, internal functioning, administrative and technical
arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data
owners and to inform the personal data owners.
10.1 RIGHTS OF THE DATA SUBJECT AND EXERCISING THESE
RIGHTS
10.1.1. Rights of the Personal Data Owner
Personal data subjects have the following rights:
Learn whether personal data is being processed,
Request information if their personal data has been processed,
To learn the purpose of processing personal data and whether they are used for
their intended purpose,
To know the third parties to whom personal data are transferred domestically
or abroad,
To request correction of personal data in case of incomplete or incorrect
processing and to request notification of the transaction made within this scope to third parties to whom
personal data is transferred,
Although it has been processed in accordance with the provisions of the KVKK
and other relevant laws, to request the deletion or destruction of personal data in the event that the
reasons requiring its processing disappear and to request notification of the transaction made within this
scope to third parties to whom personal data is transferred,
To object to the emergence of a result to the detriment of the person
himself/herself by analyzing the processed data exclusively through automated systems,
In case of damage due to unlawful processing of personal data, to demand
compensation for the damage.
10.1.2. Cases where the Personal Data Owner cannot assert his/her rights
Pursuant to Article 28 of the KVKK, personal data owners cannot assert the rights of
personal data owners listed in 10.1.1. in these matters, since the following cases are excluded from the
scope of KVKK:
Processing of Personal Data by natural persons within the scope of activities
related to themselves or their family members living in the same residence, provided that they are not
disclosed to third parties and the obligations regarding data security are complied with.
Processing of personal data for purposes such as research, planning and
statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary or scientific
purposes or within the scope of freedom of expression, provided that such processing does not violate
national defense, national security, public security, public order, economic security, privacy or personal
rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and
intelligence activities carried out by public institutions and organizations authorized by law to ensure
national defense, national security, public security, public order or economic security.
Processing of personal data by judicial or enforcement authorities in relation
to investigations, prosecutions, trials or executions.
Pursuant to Article 28/2 of the KVKK; In the cases listed below, personal data owners
cannot assert their other rights listed in 10.1.1. except for the right to demand compensation for the
damage:
Processing of personal data is necessary for the prevention of crime or
criminal investigation.
Processing of personal data made public by the personal data subject
himself/herself.
Personal data processing is necessary for the execution of supervisory or
regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public
institutions and organizations and professional organizations in the nature of public institutions based on
the authority granted by law.
Processing of personal data is necessary for the protection of the economic
and financial interests of the State in relation to budgetary, tax and fiscal matters.
10.1.3. Exercising the Rights of the Personal Data Owner
Personal Data Owners will be able to submit their requests regarding their rights listed
in this section to the Company free of charge by filling out and signing the Application Form with the
information and documents that will identify their identity and by the methods specified below or by other
methods determined by the Personal Data Protection Board:
·
akyacht.com After filling in the form found at
the address of the applicant, a copy of the form with wet signature must be sent to the address
"Sepetlipınar SB Mahallesi, 104. Cad., No: 8/2, Başiskele/Kocaeli" by hand,
registered mail with return receipt or notary public,
With mobile signature,
Submitting the application form to [email protected] by using the e-mail address
previously notified to the Company and registered in the Company system.
In order for third parties to make an application request on behalf of personal data
owners, there must be a special power of attorney issued by the data owner through a notary public on behalf
of the person who will make the application.
10.1.4. Personal Data Owner's Right to File a Complaint to the Board
The personal data owner may file a complaint to the Board within thirty days from the
date of learning the Company's response and in any case within sixty days from the date of application in
case his/her application is rejected, the response is found insufficient or the application is not responded
in due time in accordance with Article 14 of the KVKK.
10.2. APPLICATIONS FOR INTERCITY COMPANIES
If applications regarding the personal data processing activities of Intercity Companies
are made to the Company, these applications are also processed and finalized by the Company.
10.3. THE COMPANY'S RESPONSE TO APPLICATIONS
10.3.1. Procedure and Duration of the Company's Response to Applications
In the event that the personal data owner submits his/her request to the Company in
accordance with the procedure in the section titled 10.1.3. of this section, the Company will finalize the
relevant request free of charge within thirty days at the latest, depending on the nature of the request.
However, if a fee is stipulated by the Board, the Company will charge the applicant the fee in the tariff
determined by the Board.
10.3.2. Information that the Company may request from the Applicant Personal Data
Subject
The Company may request information from the relevant person in order to determine
whether the applicant is the personal data owner. In order to clarify the issues in the application of the
personal data owner, the Company may ask the personal data owner questions about the application.
10.3.3. The Company's Right to Reject the Application of the Personal Data Owner
The Company may reject the application of the applicant by explaining its reasoning in
the following cases:
Processing of personal data for purposes such as research, planning and
statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary or scientific
purposes or within the scope of freedom of expression, provided that it does not violate national defense,
national security, public security, public safety, public order, economic security, privacy of private life
or personal rights or does not constitute a crime.
Processing of personal data within the scope of preventive, protective and
intelligence activities carried out by public institutions and organizations authorized by law to ensure
national defense, national security, public security, public order or economic security.
Processing of personal data by judicial or enforcement authorities in relation
to investigations, prosecutions, trials or executions.
Processing of personal data is necessary for the prevention of crime or
criminal investigation.
Processing of personal data made public by the personal data subject
himself/herself.
Personal data processing is necessary for the execution of supervisory or
regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public
institutions and organizations and professional organizations in the nature of public institutions based on
the authority granted by law.
Processing of personal data is necessary for the protection of the economic
and financial interests of the State in relation to budgetary, tax and fiscal matters.
The request of the personal data owner is likely to prevent the rights and
freedoms of other persons
Demands were made that required disproportionate effort.
The requested information is publicly available.
CHAPTER ELEVEN
11. MANAGEMENT STRUCTURE IN ACCORDANCE WITH THE COMPANY'S POLICY
ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
A Personal Data Committee has been established within the Company in accordance with the
decision of the Company's senior management to manage this Policy and other policies related and related to
this Policy. The Personal Data Committee is authorized and tasked with taking the necessary actions
for the storage and processing of Personal Data Owners' data in accordance with the law, this Policy and
other policies related and related to this Policy. The Personal Data Retention and Destruction Policy
published on the Company's website contains detailed regulations regarding the persons assigned to the
Personal Data Committee and their duties.
CHAPTER TWELVE
12. UPDATES, HARMONIZATION AND AMENDMENTS
|
AMENDMENT TABLE
|
||
|
Amended Article |
Amendment Date |
Reason for Amendment |