Document Name: | Policy on the Protection and Processing of Personal Data |
Document Content: | The objective of this policy is to define the procedures issued by BNTPRO BİLGİ VE İLETİŞİM HİZMETLERİ ANONİM ŞİRKETİ for the purpose of obtaining, processing, maintaining and destroying Personal Data and to determine the principles regarding the other procedures established for informing the data subjects and published pursuant to this policy. |
Reference / Justification | Law on the Protection of Personal Data No. 6698, Relevant Regulations and Board Decisions |
1. Information on the Data Controller
Data Controller | BNTPRO BİLGİ VE İLETİŞİM HİZMETLERİ ANONİM ŞİRKETİ |
Address | Değirmen Yolu Caddesi Çetinkaya Sok. N:16 Gürbüz Plaza 1. Kat Ataşehir/İstanbul |
CRS No: | |
Contact Information | Tel: 02165770268 Fax: 02165740268 e-mail: kvkk@bntpro.com |
Contact Person | Semra Keskin Güngör |
2. Definitions and Abbreviations
Explicit Consent | Refers to a consent about a specific subject based on information and expressed in free will. |
Recipient Group | Shall refer to the category of natural or legal person to whom Personal Data is transferred by the Data Controller. |
Anonymization of personal data | Shall refer to making personal data unlikely to be associated with any identifiable real person in any way even when personal data is paired with other data. |
Anonymized Data | Shall refer to personal data that has been made unlikely to be associated with any identified or identifiable real person in any way even when it is paired with other data. |
Obligation of Disclosure | Shall refer to the disclosure obligation of the Data Controller or a person authorized by the same during the obtaining process of Personal Data towards the Data Subject in compliance with the LPPD. |
BNTPRO or Company | Shall refer to BNTPRO BİLGİ VE İLETİŞİM HİZMETLERİ ANONİM ŞİRKETİ. |
Administrative Measures | Shall refer to the measures contained in Article 7 of the PPPPD. |
Destruction | Shall refer to the deletion, destruction or anonymization of Personal Data in accordance with the technique specified under the LPPD. |
Data Subject | Shall refer to all real persons whose Personal Data are processed by or on behalf of the Company. |
Relevant User | Shall refer to the persons who process Personal Data within the Data Controller organization or who do so pursuant to the authorization and instruction received from the Data Controller, except for the person or unit responsible for the technical storage, protection and backup of the data. |
Contact Person | Refers to the employee who is elected from the Commission, carries out the Company’s relations with the Agency and is appointed by the resolution of the board of directors. |
Law | Shall refer to the Law on the Protection of Personal Data No. 6698. |
Recording Environment | Refers to any media containing Personal Data that is processed wholly or partially by automatic means, or by non-automatic means provided that it is a part of any data recording system. |
Personal Data | Refers to any kind of information related to an identified or identifiable real person (the term “Personal Data” within the scope of PPPPD shall also include Sensitive Personal Data defined below, as appropriate). |
Personal Data Inventory | Shall refer to the inventory where the Company explains in detail the Personal Data Processing activities carried out by it based on the business processes, the maximum period established by means of associating the Recipient group to which the data has been transferred with the data subject group and which is required for the purposes for which Personal Data has been processed as well as the measures taken related to the Personal Data envisaged to be transferred to foreign countries when needed and the measures related to data security. |
PDI | Shall refer to the Personal Data Inventory. |
Processing of Personal Data | Refers to any action realized on the data such as obtaining, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, recapture, classification or preventing the use of the same, wholly or partially by automatic means, or by non-automatic means provided that the personal data is a part of a data recording system. |
Policy on the Protection and Processing of Personal Data | Shall refer to all other procedures that are issued and published in accordance with this policy, in order to determine the processes of processing and protection of personal data and to inform the data subjects. |
PPD | Shall refer to the Protection of Personal Data. |
LPPD | Shall refer to the Law on the Protection of Personal Data. |
PPPPD | Shall refer to the Policy on the Protection and Processing of Personal Data. |
Commission | Shall refer to the commission responsible for the fulfillment of this Policy as well as the PPD Procedures to be implemented depending on this Policy. |
Board | Shall refer to the Personal Data Protection Board. |
Agency | Shall refer to the Personal Data Protection Agency. |
PPD Regulations | Shall refer to the Law on the Protection of Personal Data No. 6698 and other relevant legislation on the protection of Personal Data, regulatory and supervisory authorities, courts and the binding decisions resolved by other public authorities, principle decisions, provisions, instructions and applicable international conventions on data protection and to any other legislation. |
PPD Procedures | Shall refer to the procedures which determine the obligations that the company, employees, Commission and Contact Person should follow within the scope of the PPPPD. |
Deletion of personal data | Refers to the process of making personal data inaccessible to and not reusable by the users concerned. |
Sensitive Personal Data | Refers to data about the race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, medical condition, sexual life, criminal conviction and security measures as well as biometric and genetic data of persons. |
Data Controller | Shall refer to a real or legal person other than BNTPRO who has established any legal procedure with BNTPRO and has the responsibility to set up and manage the Data Recording System in accordance with the LPPD by means of specifying the purposes and means of processing. |
3. Introduction
BNTPRO BİLGİ VE İLETİŞİM HİZMETLERİ ANONİM ŞİRKETİ, in its capacity as the data controller, attaches great importance to the protection of Personal Data of its customers, employees and other real persons who are third parties, both to ensure compliance with its legal obligations and the Company’s quality policy. PPPPD has been issued in order to define the steps of processing and protection of Personal Data and to inform the relevant persons. BNTPRO aims to build a secure data infrastructure where Personal Data is controlled end-to-end with the PPPPD and other related written PPD Procedures.
The main target of the PPPPD is to process and protect the personal data of BNTPRO’s customers, potential customers, employees, candidates, visitors, employees of institutions and solution partners with whom BNTPRO cooperates and third parties in accordance with the law.
In this context, necessary administrative and technical measures, including but not limited to those specified under the PPPPD, have been taken for the processing and protection of personal data in accordance with the Law and the relevant legislation by BNTPRO. Technical and administrative measures taken to ensure the end-to-end audit processes of the Personal Data processed by BNTPRO will be described under the PPPPD.
4. Objective of the Policy
The main objective of the PPPPD is to inform the employees in the first place as well as shareholders and employees of customers, dealers, authorized services and solution partners and third parties regarding the processing and maintenance of personal data obtained in accordance with the law with the end-to-end and 360-degree control principle by BNTPRO and also to ensure transparency of the data processing processes.
BNTPRO aims to obtain a minimum quantity of Personal Data limited to its field of activity and transactions. The primary objectives of the PPPPD are to extract unnecessary and dysfunctional data from the Recording Media and not to obtain and retain unnecessary Personal Data.
5. Basic Methods and Principles Regarding the Processing of Personal Data
BNTPRO undertakes to process Personal Data within the following basic limits while performing the operations subject to its field of activity.
In this context, excluding those specified under the Law:
- To ensure that Personal Data is processed in accordance with the consent obtained by the disclosure and informing of the data subjects.
- To ensure that personal data is processed in accordance with the law and rules of integrity in all data processing activities,
- To process personal data linked to, limited and measured with the purpose of being processed for the explicit and legitimate purposes specified under the disclosure and informative texts.
- To retain the personal data during the period specified in this policy and for the maximum period stipulated under the legislation.
- To provide the necessary opportunities for data owners to exercise their rights, in addition to taking the necessary technical and administrative measures to protect personal data within the scope of end-to-end and 360-degree audit principles.
- To comply with Board regulations regarding the practices such as transfer of data to third parties, anonymization, deletion etc. as per the law and the relevant legislation.
Basic Principles
BNTPRO processes personal data belonging to its employees, candidate employees, trainees, candidate trainees, real person customers, employees of legal entity customers, dealers and authorized service employees, visitors, supplier company employees, shareholders and employees of solution partners and third parties, such as identity information (name, surname, Turkish Republic identity number, gender, age, date of birth), contact information (e-mail address, phone number, address information, IP address), professional data, visual data, educational data, family members data and health data. BNTPRO performs this processing within the framework of financial/legal/commercial obligations in order for the personal data owners listed hereunder to make use of the goods and services offered by BNTPRO efficiently, to improve product and service diversity, to monitor and improve service quality and be informed about marketing, promotion and innovations as the result of these services as well as the performance of the contracts and fulfillment of work.
BNTPRO discloses to data owners in accordance with Article 10 of the LPPD and requests the consent of the data owners in cases where consent is required and processes these personal data based on the following criteria.
Personal Data Processing Conditions
With this PPPPD, conditions to process personal data have been regulated and BNTPRO represents that it processes the personal data in accordance with the Law and the conditions stated below.
BNTPRO processes Personal Data excluding the exceptions specified under the Law, but only by ensuring the Explicit Consent of the Data Subject. In case the following cases listed in the Law exist, personal data may be processed even without the explicit consent of the Data Subject.
- In the case it’s clearly prescribed by the law,
- The existence of an obligation to protect the life or bodily integrity of the person who cannot explain his/her consent due to actual impossibility or whose consent is not deemed valid in legal terms.
- The necessity of processing the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract,
- The existence of an obligation for the Data Controller to perform its legal liability.
- The data has been publicized by the Data Subject,
- Data processing to be mandatory for the establishment, exercise or protection of a right,
- Data processing is obligatory for the legitimate interests of the Data Controller, provided that the basic rights and freedom of the person concerned are not damaged.
Conditions for Processing Sensitive Personal Data
BNTPRO will not process the data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress codes, association, foundation or trade union memberships, health, sexual life, criminal conviction and security measures as well as biometric and genetic data without the explicit consent of the Data Subject.
In this context, such data will not be processed without the explicit consent of the data subjects, provided that adequate measures determined by the Board have been taken. However, sensitive personal data related to other than health and sexual life may be processed in the cases prescribed by law without the explicit consent of the data owner.
Conditions to Transfer Personal Data to Third Parties
BNTPRO shares the Personal Data of the Data Subject with Third Parties by taking the administrative and technical measures stipulated by the Law under the following conditions, if required by its activities.
Transfer of Personal Data to local persons
Regarding the sharing of personal data with third parties, BNTPRO carefully complies with the conditions set out in the Law, provided that the provisions of other laws are reserved. In this context, Personal Data will not be transferred to third parties by BNTPRO without the explicit consent of the Data Subject. However, Personal Data may be transferred to third parties without the explicit consent of the Data Subject, in the case any of the following conditions set out in the Law exist:
- In the case it’s clearly prescribed by the law,
- The existence of an obligation to protect the life or bodily integrity of the person who cannot explain his/her consent due to actual impossibility or whose consent is not deemed valid in legal terms.
- The necessity of processing the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract.
- The existence of an obligation for the data controller to perform its legal liability.
- The fact that the data has been publicized by the data owner itself,
- Data processing to be mandatory for the establishment, exercise or protection of a right,
- Data processing is obligatory for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the data owner,
- Provided that adequate precautions have been taken, if it is set forth in the laws in terms of sensitive personal data other than that related to health and sexual life,
- Protection of public health.
Transfer of Personal Data to Third Parties Abroad
Explicit Consent of the Data Subject will be sought regarding the transfer of personal data abroad pursuant to Article 9 of the Law. However, in the case conditions permitted to process Personal Data without the explicit consent of the Data Subject are present, personal data may be transferred abroad without seeking the explicit consent of the data subject, provided that there is sufficient protection in the foreign country where the Personal Data will be transferred. If the country where the personal data is to be transferred has not been determined by the Board to exist among the countries with sufficient protection, the data controller/data processor in the relevant country will undertake to BNTPRO in written form to provide adequate protection.
6. Scope of the Policy
PPPPD is related to all personal data of employees, candidate employees, trainees, candidate trainees, real person customers, employees of legal entity customers, dealers and authorized service employees, visitors, supplier company employees, shareholders and employees of solution partners and third parties processed automatically or in a non-automated manner provided that it is a part of any data recording system within the scope of BNTPRO activities and defined under the Law and the relevant legislation and contained in such legislation.
BNTPRO represents that the Recorded Media, which includes the following Personal Data, will be held subject to technical and administrative measures under the PPPPD:
- Desktop and Portable computers used on behalf of BNTPRO,
- Physical or virtual servers used on behalf of BNTPRO
- Network devices and shared/unshared disk drives for data storage on the network
- Cloud systems, Mail servers
- Peripherals such as printer, fingerprint reader,
- Any storage device that allows storage of Personal Data such as CD, Flash Disk.
7. Administrative Measures taken to Protect Personal Data
BNTPRO has taken the following administrative measures to collect, share and destroy Personal Data when it is required to be collected and retained in accordance with the Law.
Establishment of a LPPD Compliance Commission
An LPPD Compliance Commission was formed with the participants from the HR, Accounting, Sales, Marketing, Technical Support, Training and IT departments to establish the BNTPRO Data Inventory and prepare the PPPPD. The Commission in question continues its duties as the PPD Follow-up Commission. It is obligatory that the Contact Person and the personnel responsible for IT Security are present in the Commission.
Creating a Data Inventory
BNTPRO established the PDI in accordance with its field of activity and by analyzing all personal data processing activities carried out for all business units in detail by such business units. BNTPRO has held the data contained in the PDI subject to a risk classification and has taken measures to protect Personal Data in accordance with the Law and the relevant legislation to ensure data integrity. BNTPRO PDI will be updated by the Commission when required.
BNTPRO ensures that the PPPPD is updated in accordance with its field of activity, technical and commercial developments and the General Privacy Policy.
Protection of Sensitive Data
BNTPRO sensitively handles the protection of personal data defined as “sensitive” and processed in accordance with the law and retains the Sensitive Personal Data separately from other Personal Data in encrypted form.
In this scope, based on the workplace medical and occupational health service provided by BNTPRO, the health data of the employees will be processed as Sensitive Personal Data, the processing period of such Sensitive Personal Data will be determined, a non-disclosure agreement will be signed with the personnel who can access this data, the access authorization and scope of the said personnel will be determined in this context, necessary training will be given to these personnel and periodic audits will be carried out to ensure compliance of the process with the PPPPD, the Law and the relevant legislation. If the relevant personnel are assigned to a task which does not require access to this data or in any case, the employment contract is terminated for any reason, the access authorization will be removed immediately.
Preparation of PPD Procedures
BNTPRO issued procedures such as the Data Acquisition Procedure, Data Anonymization and Destruction Procedure, Personal Data Classification Procedure, Personal Data Sharing Procedure, LPPD Training Procedure, etc. as well as the related process and put the same into effect together with the PPPPD. With these procedures, it is aimed to ensure that Personal Data are processed in accordance with the Law and within this scope, regular information and trainings will be given to the personnel.
Risk Analysis Procedures
BNTPRO has held its existing processes subject to risk analysis in terms of Protection of Personal Data in order to establish a 360-degree and end-to-end audit. BNTPRO conducts Personal Data impact and risk analyses in organizational structure changes or upon the creation of new processes.
Audits and Trainings
BNTPRO has established a Commission to monitor the up-to-date and sound functioning of data security processes in accordance with Article 12 of the Law to supervise the technical and administrative measures taken under the PPPPD. The commission regularly performs inspections, whether planned or unplanned. These audit results are reported within the scope of internal operations of the Company and the necessary activities are being carried out to improve the measures taken.
BNTPRO provides regular Personal Data Protection trainings on the measures related to the protection of Personal Data to its employees who are in the position of Data Subjects assigned by the Commission. With these trainings, it is aimed to raise the awareness of employees about the Protection of Personal Data.
Establishment of the Legal Framework
BNTPRO ensures that the LPPD related regulations are added to the legal texts executed with third parties, which BNTPRO has to share data with in order to fulfill its legal and contractual obligations, for the full and complete execution of the PPPPD.
Related User Actions
BNTPRO has put into effect the legal texts regulating the legal responsibilities of its subsidiaries that are in the position of Relevant Users, suppliers, subcontractors and solution partners in order to ensure their full compliance with the PPPPD. In this context, BNTPRO HR processes and policies are harmonized with the PPPPD.
The access authorizations to the Personal Data of the Relevant Users whose legal relation with BNTPRO has ended will be cancelled.
Breach Processes and Notifications
In the case of personal data breach, corporate communication procedures and information processes will be determined within the scope of the PPPPD. Independence has been established between the units responsible for the implementation and supervision of the PPPPD in the process management and arrangements have been made to prevent conflicts of interest.
8. Technical Measures taken to Protect Personal Data
BNTPRO takes technical measures to the extent technological possibilities are available and depending on the application costs in accordance with the nature of the data processed in order to preserve, transfer, share and destroy personal data in accordance with the Law. BNTPRO takes the security measures within the scope of supply, development and maintenance of information technology systems.
BNTPRO has put into force the following general measures with this PPPPD to prevent the disclosure, access, transfer and/or data leakage of Personal Data by unauthorized persons or any other form of illicit access.
Network Security Measures
Necessary software and hardware will be installed to ensure network security. In this context, firewalls and intrusion detection and prevention systems and current versions of these software are used. BNTPRO uses a closed system network for personal data transfers through the network.
Cloud Systems Usage Measures
BNTPRO implements encryption measures and controls the PPD principles of the Cloud provider to keep Personal Data stored in the cloud systems used to perform its transactions in a manner compliant with the LPPD.
Storage Device Limitations
BNTPRO has issued and put into effect the procedure for using storage devices compatible with the PPPPD. In this context, restrictions have been imposed on the use of all types of external storage devices such as CD, Flash Disk, External Memory etc., except for the authorized personnel.
Authority Matrices and User Passwords
Personnel authorization matrices have been designed to access the Recording Environment used by BNTPRO and where Personal Data is stored.
Cyber Security Measures
Software and hardware containing virus protection systems, data vulnerabilities and firewalls are used. BNTPRO employs expert personnel for the control and inspection of its systems.
Audit Measures
All information systems, including applications where personal data are collected, will be regularly kept subject to both physical and structural external impact tests by BNTPRO to detect security gaps and vulnerabilities, and it is ensured that the gaps detected according to the results of this test are closed.
Masking, Anonymization and Destruction Measures
The technical infrastructure required for the implementation of the procedures put into practice for the destruction and anonymization of Personal Data has been established upon the request of the Data Subjects or in cases of legal obligation. As per the law, technical measures have been taken to use non-consensual data in masked form.
Restrictions on Desktop and Portable Computers
Necessary explanation and legal obligation texts have been issued in order not to save the Personal Data on desktop and portable computers allocated to the use of BNTPRO employees. The personal data contained in the desktop and portable computers will be backed up in the case it is mandatory for the Company to perform its activities. After the termination of the employment contracts, personal data on these computers will be irreversibly destroyed.
Keeping System Logs
BNTPRO keeps the system logs within the bounds of technical possibility. Logs related to deletion and destruction processes kept in accordance with personal data destruction procedure will be recorded with a time stamp seal.
9. Data Breach Processes
BNTPRO has published and implemented the process chart and written procedure to be followed in cases of violations of the Personal Data security obligations contained in the Law, PPD Regulations and the PPPPD.
BNTPRO has prepared the Violation Notification Procedure, being aware that it is under the obligation to inform the Agency and the Data Subject no later than 72 hours after the occurrence of the data breach. The Commission will be responsible towards the BNTPRO Board of Directors regarding the sound functioning of the procedure and the notifications to be served in a timely manner.
10. Disclosure Obligation of BNTPRO
BNTPRO will be responsible for the disclosure to Data Subjects in accordance with article 10 of the Law before the processing of Personal Data or during the processing stage at the latest. In this context, BNTPRO has adopted the principle of making the disclosure to the Data Subjects before the data has been obtained. The disclosure obligation will be fulfilled by BNTPRO again if the processing of Personal Data is a required process.
While fulfilling its disclosure obligation, BNTPRO will provide the following content depending on the nature of the Processing of Personal Data:
- Identification of the data controller or its representative, if any,
- For what purpose the personal data is to be processed,
- To whom and for what purpose the personal data of the Data Subject can be transferred,
- The method and legal grounds of collecting personal data,
- Other rights of the Data Subject listed under Article 11.
BNTPRO will provide the necessary information in accordance with article 20 of the Constitution and article 11 of the Law with the appropriate communication tools upon the request of the Data Subject.
BNTPRO has issued its internal procedures within the scope of this PPPPD to ensure the necessary Disclosure Obligation is fulfilled before the processing of Personal Data. The disclosure texts to be used have been shared with the Relevant Users. The Relevant User, who performs Data Processing with the Commission, will be responsible for the follow-up of the processes and necessary procedures have been established for reporting each new data processing activity to the Commission.
Contractual arrangements have been made to ensure that the Relevant Users in the position of third parties comply with the disclosure obligation before processing the data on behalf of BNTPRO.
In the disclosure texts provided by BNTPRO to the Data Subjects, the results related to the failure of the Data Subject to provide consent are also disclosed.
Disclosure notifications served to the Data Subjects will be provided by suitable means such as in written, verbal, online form, etc. depending on the nature of the data to be processed and the Data Processing activity. BNTPRO will maintain the records regarding the fulfillment of the disclosure obligation within the framework of the extent provided by the law of proof. BNTPRO has no obligation of disclosure in the following situations described under articles 28/I and II of the Law.
- Processing of personal data by real persons within the scope of activities relating entirely to themselves or to family members living in the same housing, provided that the personal data is not disclosed to third parties and the obligations relating to data security are adhered to,
- Processing of personal data for the purposes of investigation, planning and statistics by means of anonymizing with official statistics,
- Processing of personal data within the context of artistic, historical, literary or scientific purposes or freedom of speech provided that the personal data does not breach the national defense, national security, public security, public order, economic security and confidentiality of private life or personal rights, and does not constitute a crime.
- Processing the personal data within the scope of preventive, protective and intelligence operations executed by state institutions and organizations so authorized by the law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial or enforcement authorities in relation to the investigation, proceedings, litigation or execution procedures.
- Processing of personal data being required for the prevention of committing an illegal act or for a criminal investigation,
- Processing of personal data publicized by the data owner itself,
- Processing of personal data being required for disciplinary investigation or prosecution and conducting supervisory or regulatory duties by the authorized state institutions and organizations and professional public organizations by the power granted by the law.
- Processing of personal data being required for protecting economic and financial interest of the State in relation to the budget, tax and financial matters.
11. Rights and Requests of the Data Subject
BNTPRO, as per Article 13 of the Law, has established a Personal Data Application and Response Procedure in accordance with the PPPPD as the Data Controller for the requests of the Data Subject and procedures for directing to a template in written form have been established for the applications that do not meet the application conditions specified under the law. Technical preparations have been made in order to carry out the necessary procedures in accordance with these procedures. BNTPRO holds a systematic infrastructure to implement this procedure.
In the case personal data owners place their requests related to their rights listed below by personal application submitting their identity cards, in written form or with registered electronic mail (REM) address, secure electronic signature, mobile signature or by means of using an e-mail address notified to BNTPRO by the data subject and registered in the BNTPRO system together with their verifiable identities to BNTPRO, BNTPRO will respond to the request within thirty days at the latest free of charge depending on the nature of the request.
Personal data owners will be able to claim all rights stated under the relevant article of the law, including all processing activities, purposes and transfer information of their entire personal data with the application they will file in accordance with this procedure.
Rights of the Data Subjects
Data Subjects are entitled to the following rights:
- To learn whether personal data has been processed or not,
- If personal data has been processed, to request information regarding this,
- To learn the purpose of processing personal data and whether they are used appropriately in accordance with this purpose,
- To have information about third parties to which personal data is transferred either in Turkey or abroad,
- To request the correction of personal data if it is incomplete or improperly processed and to request that the process carried out in this context be notified to third parties to whom personal data is transferred,
- To request that personal data be deleted or destroyed in the case that the reasons for its processing are no longer present, even if it has been processed in accordance with the provisions of the Law and other relevant laws, and to request that the process carried out in this context be notified to third parties,
- To object to the occurrence of a result against the person himself by means of analyzing the processed data exclusively through automated systems,
- To demand that damages be remedied in the event of harm suffered due to the processing of personal data contrary to the law.
Cases where the Data Subjects cannot Claim Their Rights
As per Article 28 of the Law, the Data Subjects cannot claim their rights listed under 11.1.1 in this respect since the below cases are excluded from the Law:
- Processing of personal data for the purposes of investigation, planning and statistics by means of anonymizing with official statistics,
- Processing of personal data within the context of artistic, historical, literary or scientific purposes or freedom of speech, provided that the processing does not breach national defense, national security, public security, public order, economic security, the confidentiality of private life or personal rights, and does not constitute a crime.
- Processing the personal data within the scope of preventive, protective and intelligence operations executed by state institutions and organizations so authorized by the law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial or enforcement authorities in relation to the investigation, proceedings, litigation or execution procedures.
Pursuant to Article 28/2 of the LPPD, the data owners may not claim their other rights listed under 11.1.1 in the following cases, excluding the right to claim damages:
- Processing of personal data being required for the prevention of committing an illegal act or for a criminal investigation,
- Processing of personal data publicized by the personal data owner itself,
- Processing of personal data being required for disciplinary investigation or prosecution and conducting supervisory or regulatory duties by the authorized state institutions and organizations and professional public organizations by the power granted by the law.
- Processing of personal data being required for protecting economic and financial interest of the State in relation to the budget, tax and financial matters.
Exercising the Rights of the Data Subjects
Data Subjects will be able to submit their requests regarding their rights stated under this Policy to BNTPRO free of charge, by filling in and signing the Application Form with the information and documents which will determine their identity and with the following methods or other methods determined by the Board. Comprehensive regulation on this matter has been issued in the Personal Data Application and Response Procedure.
- After filling in the form at the web address of BNTPRO, delivery of an originally signed copy of the form, either in person or by registered mail, to the address Değirmen Yolu Cad. Çetinkaya Sok. N:16 Gürbüz Plaza 1. Kat Ataşehir / İstanbul, or personal application,
- Filling out the form at the BNTPRO web address and sending the form, signed with a “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, by registered electronic mail to the address kvkk@bntpro.com, or making an application with secure electronic signature, mobile signature or by using the e-mail address previously reported to BNTPRO by the data subject and registered in BNTPRO’s system.
In order for the above-mentioned application to be accepted as a valid one, the Data Subject, in accordance with the Communiqué on the Application Procedures to the Data Controller, will be obliged to state the following information during the application:
- Name, surname and signature if the application is in written form,
- Turkish Republic Identity Number for the Turkish Republic citizens, nationality if the applicant is of foreign origin, passport number or identity number, if available,
- The place of residence or place of business constituting the basis for notification,
- Electronic mail address constituting the basis for notification, if any, phone and fax number,
- Subject matter of the request.
Otherwise, the application will not be considered as a valid application. For the applications to be made without filling in the application form, the issues listed hereunder must be fully submitted to BNTPRO.
In order for third parties to make an application on behalf of the personal data owners, a special power of attorney issued by the data owner in the name of the applicant should be present.
12. Processing of Data Collected by Third Parties by BNTPRO
BNTPRO obtains Personal Data of the Data Subjects within the scope of the service and maintenance operations it provides to its contractual customers under its field of activity. BNTPRO pays utmost attention not to obtain data outside this scope. If it is mandatory and unavoidable to obtain and process Personal Data in terms of the activity being carried out, BNTPRO checks that the Personal Data in question was obtained by the Relevant User, who is a Third Party, in compliance with the obligation of disclosure as prescribed by the Law. It prepares the legal framework required to hold the Relevant User responsible for any possible damages incurred due to the Relevant User's failure to comply with its obligations arising from the Law. In the event that the data sharing relationship between BNTPRO and the Relevant Users in the third party position occurs in the form of transfer of personal data from the data officer to the data officer under the Law, the Relevant User will inform the Data Subject that this personal data may be sent to BNTPRO before sending the data to BNTPRO.
13. Personal Data Inventory and Classification of Personal Data
BNTPRO has established a PPPPD in accordance with the general principles stated in the Law and all the obligations regulated under the Law and pursuant to the principles adopted under the PPPPD during the VERBIS registration process. As of the publication of the PPPPD, BNTPRO will process Personal Data in the following categories. For the continuity of the business, BNTPRO has the discretion to increase or decrease the categories below in the light of changing conditions. BNTPRO agrees that the PPPPD will be updated upon changes to any data category and that the Data Subject who will be affected by the change will be informed.
PERSONAL DATA CATEGORY | CATEGORY DESCRIPTION |
Identity Data | It is the data group which contains information about the identity of the person (Name Surname, Turkish Republic ID No., mother’s maiden name, date of birth, place of birth, marital status, ID card serial number, ID card copy, etc.). |
Communication Data | It is the data group to be used to reach the person (Phone, address, e-mail etc.) |
Location Data | It is the data group showing the location information of the person (GPS location, HGS recording data, etc.). |
Personal Information | It is the data group containing information about the person in terms of labor law and the SSI law (Payroll, Disciplinary Investigation, statement of employment, declaration of property information, resumé information, performance assessment reports, etc.). |
Legal Transaction Data | It is the data group used by the company for judicial processes within the scope of its activities (lawsuit and execution file information, correspondence with judicial authorities, etc.) |
Customer Transaction Data | It is the data group used by the company for customer transactions within the scope of its activities (call center records, invoice, promissory note, cheque, order information, etc.). |
Physical Space Security Data | It is the data group containing the data used for Physical Space security (Photograph, sound records, camera recording, Visitor license copy/scan, ID card copy/scan, passport copy/scan etc.) |
Transaction Security Data | It is the data group that contains the data used for the security of the transactions performed within the scope of IT (IP Number, Log Records, Password and Passphrase, Website records etc.) |
Risk Management Data | It is the data group that contains the data used by the company in managing its commercial and administrative risks (Performance records, Credit Ratings, Delayed Collection etc.) |
Financial Data | It is the data group that contains the financial information of the Data Subject (bank account number, IBAN number, card information, bank name, financial profile, mail order form, credit rating) |
Professional Experience Data | It is the data group that contains information related to the profession of the person (diploma information, courses attended, vocational training information, certificates, transcript information, etc.). |
Marketing Data | It is the data group that contains the data used by the company while managing its marketing activities (shopping history information, questionnaire, cookie records, information obtained through campaigns, etc.). |
Biometric Data | It is the data group that contains biometric data (such as palm information, fingerprint information, retinal scan information, facial recognition information) |
Visual and Audial Recording Data | It is the data group containing audiovisual data belonging to the person. (Photograph, sound recording, camera recording, license copy/scan, ID copy/scan, passport copy/scan, etc.) |
Health Data | It is the data group that contains the person’s health information (information about disability status, blood type information, personal health information, device and prosthesis information, etc.) |
Travel Data | It is the data group that contains information about the person’s travels (Flight information, flight card, tour route, miles card number, accommodation data, etc.) |
Criminal Conviction and Security Measures Data | It is the data group related to the sanctions imposed on the person in the past (criminal prosecution, criminal record, disciplinary record, etc.) |
BNTPRO has established a Personal Data Inventory containing sub-category groups associated with the data in the above data category, storage conditions, the administrative and technical measures taken regarding the data as well as the retention periods.
During the establishment stage of the PDI, BNTPRO carried out operations to detect Personal Data obtained without consent and/or not related to company activities in Data Recording Environments, especially in the desktop and portable computers allocated to the use of the Relevant Users, and destroyed the illegal data so obtained with the method and procedure defined within the scope of the Personal Data Destruction Policy.
14. Personal Data Processing Objectives
BNTPRO processes personal data contained under the Data Categories stated in Article 13 of the PPPPD limited to the purposes and conditions within the scope of the personal data processing requirements specified in paragraph 2 of article 5 and paragraph 3 of article 6 of the Law. The table below shows which data category is processed according to the data processing objectives.
PERSONAL DATA PROCESSING OBJECTIVES | PERSONAL DATA CATEGORY |
Conduct of Emergency Management Processes | Identity, Communication, Location, Personal info, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Performance of Information Security processes | Identity, Communication, Location, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Audiovisual Records, Travel, Criminal Conviction and Security Measures |
Conducting the Process of Employee Candidate/Trainee/Student selection and recruitment | Identity, Communication, Personal info, Customer Transaction, Transaction Security, Professional Experience, Audiovisual Records, Health, Criminal Conviction and Security Measures |
Conducting the process of employee candidate application processes | Identity, Communication, Personal info, Legal Transaction, Transaction Security, Professional Experience, Audiovisual Records, Health, Criminal Conviction and Security Measures |
Performance of Employee Satisfaction and Engagement Processes | Identity, Communication, Personal info, Customer Transaction, Professional Experience, Marketing, Audiovisual Records, Health, Travel |
Fulfillment of the obligations arising from the employment contract and legislation for the employees | Identity, Communication, Location, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Conducting the Fringe Benefits and Interests Processes for Employees | Identity, Communication, Personal info, Legal Transaction, Professional Experience, Audiovisual Records, Health, Criminal Conviction and Security Measures |
Performance of Audit/Ethics Activities | Identity, Communication, Location, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Audiovisual Records, Travel, Criminal Conviction and Security Measures |
Conduct of training activities | Identity, Communication, Personal info, Customer Transaction, Professional Experience, Marketing, Audiovisual Records |
Management of access authorizations | Identity, Communication, Personal info, Legal Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Audiovisual Records, Travel, Criminal Conviction and Security Measures |
Performance of Activities in Compliance with the Legislation | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Audiovisual Records, Health, Criminal Conviction and Security Measures |
Performance of Financial and Accounting Affairs | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Transaction Security, Risk Management, Professional Experience, Health, Travel |
Performance of Company/Product/Service Engagement Processes | Identity, Communication, Personal info, Customer Transaction, Transaction Security, Professional Experience, Marketing |
Provision of Physical Space Security | Identity, Communication, Personal info, Physical Space Security, Transaction Security, Risk Management, Audiovisual Records, Travel, Criminal Conviction and Security Measures |
Performance of Assignment Processes | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Professional Experience, Audiovisual Records, Travel |
Tracking and Conduct of Legal Affairs | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Marketing, Audiovisual Records, Health, Criminal Conviction and Security Measures |
Conduct of Internal Audit/Investigation/Intelligence Activities | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Conduct of communication activities | Identity, Communication, Personal info, Customer Transaction, Professional Experience, Marketing, Audiovisual Records |
Planning of Human Resources Processes | Identity, Communication, Personal info, Legal Transaction, Professional Experience, Health, Travel, Criminal Conviction and Security Measures |
Performance/Control of Business Activities | Identity, Communication, Location, Personal info, Legal Transaction, Physical Space Security, Transaction Security, Professional Experience, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Conduct of Occupational Health and Safety | Identity, Communication, Personal info, Legal Transaction, Physical Space Security, Professional Experience, Health, Travel |
Receiving and Assessment of Suggestions of the Improvement of Business Processes | Identity, Communication, Personal info, Legal Transaction, Professional Experience, Travel |
Performance of Business Continuity Activities | Identity, Communication, Location, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Professional Experience, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Performance of Logistics Operations | Identity, Communication, Customer Transaction, Marketing, Travel |
Conduct of Goods/Services Purchase Processes | Identity, Communication, Customer Transaction, Professional Experience, Marketing |
Performance of After Sales Support Services for Goods/Services | Identity, Communication, Personal info, Customer Transaction, Transaction Security, Risk Management, Professional Experience, Marketing |
Conduct of Goods/Services Sales Processes | Identity, Communication, Personal info, Customer Transaction, Transaction Security, Risk Management, Professional Experience, Marketing, Travel |
Performance of Goods/Services Production and Operation Processes | Identity, Communication, Personal info, Customer Transaction, Transaction Security, Risk Management, Professional Experience, Marketing, Travel |
Conducting customer relationship management processes | Identity, Communication, Personal info, Customer Transaction, Transaction Security, Risk Management, Professional Experience, Marketing |
Performance of Activities for Customer Satisfaction | Identity, Communication, Personal info, Customer Transaction, Transaction Security, Risk Management, Professional Experience, Marketing |
Organization and Event Management | Identity, Communication, Personal info, Customer Transaction, Professional Experience, Marketing, Travel |
Performance of Marketing Analysis Procedures | Identity, Communication, Customer Transaction, Professional Experience, Marketing |
Conduct of the Performance Evaluation Processes | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Transaction Security, Professional Experience |
Performance of Advertising/Campaign/Promotion Processes | Identity, Communication, Customer Transaction, Professional Experience, Marketing |
Performance of Risk Management Processes | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Health |
Performance of Storage and Archive Activities | Identity, Communication, Location, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Conduct of Social Responsibility and Civil Society Activities | Identity, Communication, Personal info, Customer Transaction, Professional Experience, Marketing, Health |
Conduct of Contract Processes | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Risk Management, Professional Experience, Marketing |
Performance of Sponsorship Activities | Identity, Communication, Marketing |
Performance of Strategic Planning Activities | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Transaction Security, Risk Management, Professional Experience, Marketing |
Requests/Tracking of Complaints | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Transaction Security, Risk Management, Marketing |
Ensuring the Security of Movable Property and Resources | Identity, Communication, Personal info, Physical Space Security, Transaction Security, Risk Management, Audiovisual Records |
Conduct of Supply Chain Management Processes | Identity, Communication, Customer Transaction, Risk Management, Marketing |
Execution of Wages Policy | Identity, Communication, Location, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing |
Performance of Product/Service Marketing Processes | Identity, Communication, Customer Transaction, Marketing |
Ensuring the Security of the Data Controller Operations | Identity, Communication, Location, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Foreign Personnel Work and Residence Permit Procedures | Identity, Communication, Personal info, Professional Experience, Health, Criminal Conviction and Security Measures |
Conduct of Investment Processes | Identity, Communication, Personal info, Legal Transaction, Customer Transaction, Transaction Security, Risk Management, Professional Experience, Marketing |
Performance of Talent/Career Development Activities | Identity, Communication, Personal info, Customer Transaction, Professional Experience, Marketing |
Providing Information to Authorized Persons, Institutions and Organizations | Identity, Communication, Location, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Conduct of management activities | Identity, Communication, Location, Personal info, Legal Transaction, Customer Transaction, Physical Space Security, Transaction Security, Risk Management, Professional Experience, Marketing, Audiovisual Records, Health, Travel, Criminal Conviction and Security Measures |
Creating and Tracking Visitor Records | Identity, Communication, Legal Transaction, Transaction Security, Risk Management |
15. Data Subject Groups
The relevant Data Subject groups in relation to the data obtained in the data categories under the BNTPRO PDI are shown below.
PERSONAL DATA CATEGORY | DATA SUBJECT GROUP |
Identity Data | Employee Candidate, Employee, Shareholder/Partner, Potential Product or Service Buyer, Exam Candidate, Intern, Supplier Employee, Supplier Official, Product or Service Recipient, Parent/Guardian/Representative, Employee Relatives, Visitor |
Communication Data | Employee Candidate, Employee, Shareholder/Partner, Potential Product or Service Buyer, Exam Candidate, Intern, Supplier Employee, Supplier Official, Product or Service Recipient, Parent/Guardian/Representative, Employee Relatives, Visitor |
Location Data | Employee, Shareholder/Partner |
Personal Information | Employee Candidate, Employee, Intern |
Legal Transaction Data | Employee, Shareholder/Partner, Intern, Supplier Employee, Supplier Official, Product or Service Recipient, Parent/Guardian/Representative |
Customer Transaction Data | Potential Product or Service Recipient, Supplier Representative, Product or Service Recipient, Parent/Guardian/Representative |
Physical Space Security Data | Employee Candidate, Employee, Shareholder/Partner, Potential Product or Service Buyer, Exam Candidate, Intern, Supplier Employee, Supplier Official, Product or Service Recipient, Parent/Guardian/Representative, Visitor |
Transaction Security Data | Employee Candidate, Employee, Shareholder/Partner, Potential Product or Service Buyer, Exam Candidate, Intern, Supplier Employee, Supplier Official, Product or Service Recipient, Parent/Guardian/Representative, Visitor |
Risk Management Data | Employee, Shareholder/Partner, Potential Product or Service Recipient, Supplier Employee, Supplier Official, Product or Service Recipient, Parent/Guardian/Representative |
Professional Experience Data | Employee Candidate, Employee, Shareholder/Partner, Potential Product or Service Buyer, Exam Candidate, Intern, Supplier Employee, Supplier Official, Product or Service Recipient |
Marketing Data | Potential Product or Service Recipient, Exam Candidate, Product or Service Recipient, Parent/Guardian/Representative |
Biometric Data | Employee, Shareholder/Partner |
Visual and Audial Recording Data | Employee Candidate, Employee, Shareholder/Partner, Potential Product or Service Buyer, Exam Candidate, Intern, Supplier Employee, Supplier Official, Product or Service Recipient, Parent/Guardian/Representative, Visitor |
Health Data | Employee, Shareholder/Partner, Intern, Supplier Employee |
Travel Data | Employee, Shareholder/Partner, Intern, Supplier Employee |
Criminal Conviction and Security Measures Data | Employee, Shareholder/Partner |
16. Retention Period for Personal Data
BNTPRO retains data according to the following basic principles in cases where it is required to retain the data processed under the PPPPD.
- In cases where BNTPRO is under legal obligation regarding the processing of Personal Data, it shall retain the data for the periods specified under the relevant laws and regulations.
- In cases where there is no provision regulating the processing or storage of Personal Data, Personal Data will be stored for as long as required by the activity carried out while BNTPRO is processing it and in accordance with industry practices. These periods have been specified under the PDI in detail. The data will then be deleted, destroyed or anonymized in accordance with the relevant policy established by BNTPRO, according to the nature of the data.
- BNTPRO retains personal data whose processing purpose has ended, and data of a suitable nature whose retention periods as defined by the PPPPD and PDI have expired, only in order to constitute evidence in legal disputes, to assert the relevant right related to personal data or to establish a defense accordingly. The period mentioned hereunder will be reserved for the purpose of claiming the right mentioned in establishing such period of time, for an additional 5-year period and for the mentioned purpose only. The personal data stored within the scope of this article will not be accessed for any other purpose, and BNTPRO allows the personal data to be accessed only when it is necessary for use in a relevant legal dispute. The data will be deleted, destroyed or anonymized in accordance with the procedure established in compliance with the PPPPD.
17.Personal Data Recipient Groups
BNTPRO will notify the data groups to whom it will transfer Personal Data when required in accordance with Article 10 of the Law. BNTPRO will transfer personal data to the recipient groups stated below in accordance with Article 10 of the Law pursuant to the objectives specified under the PPPPD.
- Real or Private Legal Entities
- Banks and insurance companies
- Travel agencies
- Institutions and organizations providing health services to employees
- Hotels
- Training Companies
- Business partners
- BNTPRO Shareholders
- BNTPRO Suppliers
- Legal and Financial Advisors
- Legally authorized public institutions and organizations
18. Personal Data Processing in BNTPRO Workspaces
Camera Recording Data
To ensure physical space security, BNTPRO monitors certain areas of its buildings using security cameras. Personal Data will be processed during these processes.
The BNTPRO security camera surveillance activity aims to protect interests related to the security of the Company and other persons. In this context, there will absolutely be no camera recording in private areas. In the areas monitored by camera, information signs are posted where visitors can see them, and the cameras themselves are located in a visible manner. In addition, the fact that camera monitoring is performed is announced to all employees and visitors, and individuals are all informed on this matter. Technical and administrative measures will be taken by BNTPRO to ensure the security of the personal data obtained as a result of the camera surveillance, in accordance with Article 12 of the LPPD.
Visitor Internet Access Data
For the purpose of ensuring security and in line with the objectives stated under this Policy, BNTPRO provides Internet access to guests who request it during their stay in the buildings and premises. An SMS is sent to the visitors solely for the operation of the system. GSM records shall be deleted after the confirmation SMS has been sent. The log records of the Internet access will be recorded according to the provisions of the Law numbered 5651 and the prevailing provisions of the legislation regulated by this Law. These records will be processed only when requested by authorized public institutions or in order to fulfil the legal obligations in the audit processes to be carried out within BNTPRO.
19.Destruction of Personal Data
BNTPRO will delete, destroy or anonymize the Personal Data it has obtained and processed as per the PPPPD and the Law
- After the removal of the processing objectives stated under the Law and the PPPPD and the expiration of the retention periods or,
- Immediately upon the request of the Data Subject,
in accordance with the “Regulation on Deletion, Destruction and Anonymization of Personal Data” published by the Agency and other provisions of the relevant legislation. BNTPRO has established a procedure in accordance with the provisions of the regulation in this respect and shall perform the destruction process according to the nature of the data as per this policy. The periodic destruction dates have been determined by BNTPRO in accordance with the PPPPD and the Destruction Procedure and, with the start of the obligation, a schedule has been formed for periodic destruction at various intervals.
20.Miscellaneous Issues
In the case of inconsistency between the LPPD and other relevant provisions of the legislation and this Policy, the LPPD in the first place and other relevant legislative provisions shall apply.
In the case of any changes in the Policy, the effective date of the Policy and the related articles shall be updated accordingly. The table of updates is stated in the “Document Identification Information”.
21. Revision and Abolition
The PPPPD prepared by BNTPRO was published on 20/12/2019 and entered into force on the same date.