This policy aims to describe the methods adopted for personal data processing and protection of personal data, in accordance with the Personal Data Protection Law (KVKK) No. 6698 and GDPR, in all activities carried out by Netsys Bilişim Ticaret A.Ş. (the Company). The Personal Data Protection and Processing Policy contains the principles applied by Netsys Bilişim Ticaret A.Ş. in the processes of collection, use, sharing, storage and destruction. It is intended to inform the persons whose personal data are processed by the institution, especially the customers, employees of the institution, visitors, employees of the institutions we cooperate with and third parties.
This Policy covers all personal data processed in the processes of our institution by automatic or non-automatic means provided that it is a part of any data recording system, of customers, employees of our institution, our visitors, employees of institutions we cooperate with and third parties.
3. Authorities and Responsibilities
All employees, consultants, external service providers and anyone else who stores and processes personal data within the institution is responsible for fulfilling the requirements regarding the destruction of data specified in the Law, Regulation and Policy within the institution.
Each business unit is responsible for storing and protecting the data it produces in its own business processes.
For destructions that would affect business processes and cause damage to data integrity, data loss or results contrary to legal regulations, the relevant information systems department will decide, taking into account the type of personal data concerned, the systems in which it is included, and the business unit that processes the data.
The data controller contact person is responsible for making or accepting notifications and correspondence with the KVK Board on behalf of the data controller, and for the registration in the registry.
4. Definitions and Abbreviations
Explicit Consent; Consent on a particular subject, based on information and expressed with free will.
Related User; The persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for technical storage, protection and backup of the data.
Destruction; Deletion, destruction or anonymization of personal data.
Law; KVKK Law No. 6698 on the Protection of Personal Data.
Recording Environment; Any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.
Personal Data; Any information relating to an identified or identifiable natural person.
Processing of Personal Data; Any operation performed on the data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking personal data, in whole or in part, by automatic means or by non-automatic means provided that it is a part of any data recording system.
Anonymization of Personal Data; Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data; Making personal data inaccessible and unusable for Relevant Users in any way.
Destruction of Personal Data; The process of making personal data inaccessible, irretrievable and unusable by anyone in any way.
Board; Personal Data Protection Board.
Special Quality Personal Data; Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction; The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the Law are eliminated.
Data Owner/Relevant Person; The natural person whose personal data is processed.
Data Processor; The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
Data Controller; The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controller Contact Person and Assistants; Since the data controller is a legal person residing in Turkey, the data controller contact person has been appointed. For this reason, the main duty of the contact person and his assistants is the real persons who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system.
Regulation; Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.
5. Policy on Protection and Processing of Personal Data
With this policy, our institution sets out in concrete terms the necessary measures and the applied process for the protection and processing of personal data. In cases where this policy is incompatible with the relevant laws and regulations, or if the policy is not up to date with the updated legislation, Netsys Bilişim Ticaret A.Ş. accepts that it will comply with the applicable legislation. When laws, regulations and legislation change, this policy is updated and revised to meet the legal requirements of Netsys Bilişim Ticaret A.Ş.
5.1. Ensuring the Security of Personal Data
Netsys Bilişim Ticaret A.Ş. takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data.
As stipulated in the 1st paragraph of Article 12 of the KVKK, the institution takes measures:
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data.
The measures taken by our institution to ensure the security of personal data are detailed in the sub-clauses.
5.1.1. Technical Measures
Netsys Bilişim Ticaret A.Ş. employs knowledgeable and experienced people in order to ensure data security and provides the necessary KVK training to its personnel. Necessary internal controls are made for the established systems. It operates the processes of risk analysis, data classification, Information Security risk assessment and business impact analysis within the established systems. In line with these processes, technical measures are taken in keeping with developments in technology. Infrastructure investments are made in accordance with the developing technology. It enables the installation of software and hardware, including virus protection systems and firewalls. It uses versions of systems in which the necessary security measures have been taken against current and known vulnerabilities. It ensures that the access of employees in information technology units to personal data is kept under control. It defines access and authorization in accordance with the legal compliance requirements determined on a business unit basis. It checks the compliance of the accesses with the authorizations. It reports the information obtained as a result of controlling the security of the systems to the relevant parties. Risk points are identified and necessary technical measures are taken. It spreads awareness so that it becomes a part of the corporate culture, with a model that constantly operates technical measures in order to maintain the security of Personal Data. It ensures through controls that the measures taken remain in effect.
5.1.2. Administrative Measures
Netsys Bilişim Ticaret A.Ş. takes the necessary administrative measures to ensure the security of personal data and supervises the work of the employees according to these measures. It defines access and authorizations in accordance with the legal compliance requirements determined on a business unit basis and at a level that will not cause disruption of business processes. It defines the access authorizations and rules for access to personal data by employees in information technology units. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVK Law, that they cannot use them other than for the purpose of processing, and that this obligation will continue after they leave their job. Necessary commitments are taken from the employees in this direction. Regarding the sharing of personal data with third parties, a framework contract is signed with the persons with whom personal data is shared, or data security is provided through provisions added to the contracts. Third parties with whom personal data are shared accept the provisions stating that they will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own organizations. If it is determined that the processed personal data has been obtained by others illegally despite the measures taken, the data representative notifies the person concerned and the KVK Board. It is investigated how the personal data was obtained by others. Netsys Bilişim Ticaret A.Ş. implements the necessary administrative measures to eliminate the weaknesses it detects, and takes technical measures when necessary.
5.1.3. Safe Storage of Personal Data
Netsys Bilişim Ticaret A.Ş. takes the necessary technical and administrative measures, according to the technological possibilities and application cost, in order to store the personal data it obtains in secure environments. Our rules and method regarding data storage in a secure environment are detailed in the “Data Retention and Destruction Policy”.
5.1.4. Audits Made for the Sustainability of the Protection of Personal Data
In accordance with Article 12 of the KVK Law, Netsys Bilişim Ticaret A.Ş. carries out the necessary inspections or has them carried out.
It provides internal and external audits to ensure the sustainability of Information Security Management System and Data Protection Personal Information Management systems. It regularly performs penetration tests to the systems for technical vulnerabilities that may occur in the systems. Systems are regularly monitored by data processing. In addition, system trace records are monitored to ensure security against cyber attacks. Necessary technical and administrative measures are taken after the management systems audits, the data produced by the warning systems and the findings after monitoring the systems. In the audits, when illegal access or processing of personal data is detected, it is reported to the Personal Data Protection Committee. Institution management is informed by the committee.
5.1.5. Measures Taken in Case of Unauthorized Disclosure of Personal Data
In accordance with Article 12 of the KVK Law, Netsys Bilişim Ticaret A.Ş. notifies the relevant personal data owner and the KVK Board in case of unauthorized disclosure of the personal data it processes.
If deemed necessary by the KVK Board, this situation can be announced on the website of the KVK Board or by any other method.
5.1.6. Measures Implemented by Third Parties to Ensure the Protection of Personal Data
In its contracts with third parties, Netsys Bilişim Ticaret A.Ş. mutually maintains the necessary sanction clauses to prevent the unlawful processing of personal data, to prevent unlawful access to the data, and to ensure the preservation of the data. Confidentiality agreements are signed before sharing information with third parties. Necessary information is given to third parties to raise awareness.
5.1.7. Measures Applied for the Protection of Private Personal Data
Adequate measures should be taken for sensitive personal data, both in terms of their qualities and because they may cause victimization or discrimination of individuals. In Article 6 of the KVK Law, a set of personal data that carries the risk of causing victimization or discrimination when processed unlawfully is determined as “special quality”.
These data are: data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Netsys Bilişim Ticaret A.Ş. takes the necessary measures to protect the personal data that is determined as “special quality” by the KVK Law and processed in accordance with the law. In the technical and administrative measures taken to protect personal data, particular care is shown for special quality personal data.
Netsys Bilişim Ticaret A.Ş. processes special quality personal data provided that the adequate measures to be determined by the KVK Board are taken. Before processing sensitive personal data, the explicit consent of the data owner is obtained. If there is no explicit consent of the data owner, personal data can be processed with the authorization given by the laws in accordance with the following criteria.
- Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws,
- Special categories of personal data relating to the health and sexual life of the personal data owner can only be shared with, or transferred to, persons or authorized institutions and organizations under the obligation of keeping secrets, for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and financing.
5.1.8. Raising Awareness for the Protection of Personal Data
Necessary information is given to business units, trainings are organized and their effectiveness is measured in order to prevent the unlawful processing of personal data, to prevent illegal access to data, and to increase the awareness of data protection. Other policies related to the “Personal Data Protection and Processing Policy” have been published on our institution’s website. Employees of our institution have been informed of this policy.
In case of changes in the relevant laws, regulations or legislation, the policies are revised and re-announced to the employees.
5.2. Principles for the Processing of Personal Data
Principles for the processing of personal data are determined in paragraph 2 of Article 4 of the KVK Law. Netsys Bilişim Ticaret A.Ş. processes personal data in accordance with the determined principles.
The processing of personal data is carried out in accordance with the following principles;
- Compliance with the law and honesty rules.
- Being accurate and up-to-date when necessary.
- Processing for specific, explicit and legitimate purposes.
- Being relevant, limited and proportionate to the purpose for which they are processed.
- To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
5.3. Personal Data Processing Conditions
As a public institution, Netsys Bilişim Ticaret A.Ş. processes the majority of the data it processes due to legal obligations and by using the powers that are required to be used for the protection of public order. Pursuant to article 5/2 of the relevant law, the full text of which you can access, the processing of data:
- Expressly stipulated in the law.
- It is compulsory for the protection of life or physical integrity of the person or someone else, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.
- It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
- It is mandatory for the data controller to fulfill its legal obligation.
- Being made public by the person concerned.
- Data processing is mandatory for the establishment, exercise or protection of a right.
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
For the above-mentioned situation, our institution processes personal data only by obtaining the explicit consent of the data subjects.
5.4. Purposes of Processing Personal Data
- To be able to do the work requested by our customers,
- Execution of appointment system processes and promotion of service processes,
- Fulfilling the legal obligations arising from the employment contract legislation of the employees,
- To fulfill our legal obligations and to use the rights arising from the current legislation,
- To provide information to public officials on matters related to public safety upon request and in accordance with the legislation,
- To increase the satisfaction of our customers and / or to organize surveys in the physical environment,
- To offer suggestions to our customers, to inform our customers about our services,
- To take and implement the necessary physical measures in line with legitimate interests,
- Promoting business activities within the scope of social media and informing potential customers and customers within the scope of their work,
- To be able to evaluate complaints, requests and suggestions about our services,
- Your data needs to be processed in order to process these and similar systems.
5.5. Destruction of Personal Data
Our institution destroys the personal data it obtains upon the request of the personal data owners, if it is not necessary to use it due to legal obligations and for the protection of public order. The personal data of the data owners are destroyed in accordance with the decision of the institution when the requirements for the continuation of the service to the customer, the fulfillment of legal obligations, the planning of employee rights and fringe benefits are eliminated. The rules and method regarding the destruction of personal data are detailed in the “Data Retention and Destruction Policy”.
5.6. Transfer of Personal Data to Domestic Persons
Our institution carefully complies with the conditions set forth in the KVKK regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this framework, personal data is not transferred to third parties without the explicit consent of the data owner. However, in the presence of one of the following conditions regulated by KVKK, personal data can also be transferred without obtaining the explicit consent of the data owner:
- Clearly stipulated in the law,
- It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
- Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract,
- It is mandatory for the data controller to fulfill its legal obligation,
- Having been made public by the data owner himself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
Provided that adequate precautions are taken, special quality personal data other than health and sexual life may be transferred without obtaining explicit consent in cases stipulated in the laws, and special quality personal data related to health and sexual life may be transferred without obtaining explicit consent for purposes such as:
- Protection of public health,
- Preventive medicine,
- Execution of treatment and care services,
- Planning and management of health services and financing.
In the transfer of sensitive personal data, the conditions specified in the processing conditions of this data are complied with.
5.7. Transfer of Personal Data to Persons Abroad
In accordance with Article 9 of the KVKK, Netsys Bilişim Ticaret A.Ş. seeks the explicit consent of the data owner for the transfer of personal data abroad. However, in the presence of conditions that allow the processing of personal data, including sensitive personal data, without the explicit consent of the data owner, personal data may be transferred abroad by our Institution without seeking the explicit consent of the data owner, provided that adequate protection is available in the foreign country where the personal data will be transferred. If the destination country is not among the countries determined by the Board to have adequate protection, our Institution and the data controller/data processor in the relevant country will undertake in writing to provide adequate protection. Sample text if data is not transferred to foreign countries: “Netsys Bilişim Ticaret A.Ş. does not transfer personal data to foreign countries in any way and does not keep personal data on servers held in foreign countries.”
5.8. Categorization of Personal Data
At Netsys Bilişim Ticaret A.Ş., personal data are divided into two categories: Data Subject Group and Data Type.
Data Subject Person Group Categories;
- Company employees: Company employees whose personal data are processed in accordance with the relevant legislation, especially the Labor Law and the Occupational Safety legislation.
- Former employees of the Company: Company employees whose personal data are processed even though their employment contract has expired, in terms of data that must be processed for a certain period of time after the termination of the employment contract in accordance with the relevant legislation, especially the Labor Law and the Occupational Safety legislation.
- Company service providers, suppliers, subcontractors and their employees: Real persons or employees of these people who are subcontractors or from whom the Company purchases services or products.
- Company service providers, suppliers, subcontractors and their employees even if the business relationship with the Company has ended: Service providers, suppliers and subcontractors and their employees whose data continues to be processed in accordance with the obligations arising from the legislation, although their contractual relationship with the Company has ended. The data regarding these persons will be deleted or anonymized in accordance with the relevant procedure when the legal obligation to process ends.
5.9. Printed Documents, Camera Records, Personal Data of Website Visitors
5.9.1. Printed Document
In some cases, our company receives personal data in printed documents for the services it provides to customers. Such data are processed, stored and destroyed in accordance with the conditions specified in the KVK law.
Personnel information used in human resources; All kinds of personal data processed for the purpose of obtaining the information that will form the basis of the personal rights of our employees or of real persons with whom our institution has a working relationship.
Data received for Health Services; Our company stores personal data for the health services it provides to its employees.
Identifying applicants; Descriptive information given in applications made to receive service from the Company.
5.9.2. Camera record
In order to ensure security, our Institution carries out personal data processing activities in its buildings and facilities by monitoring with security cameras and tracking guest entries and exits. Personal data processing is carried out by using security cameras.
In this context, our Institution acts in accordance with the Constitution, KVK Law and other relevant legislation.
Video recordings of our visitors are taken through the camera monitoring system at the entrance of the building, facility and inside the facility of our institution.
Within the scope of the monitoring activity with security cameras, our institution aims to increase the quality of the service provided, to ensure its reliability, and to ensure the safety of the institution, customers and other persons.
Our institution acts in accordance with the regulations in the KVK Law in the execution of camera monitoring for security purposes.
The camera monitoring activity carried out by our institution is carried out in accordance with the Law on Private Security Services and the relevant legislation.
Only a limited number of institution employees have access to the records recorded and maintained in the digital environment. On the other hand, live camera images can be watched by outsourced security personnel. The limited number of people who have access to the records declare, through a confidentiality agreement, that they will protect the confidentiality of the data they access.
In accordance with Article 12 of the KVK Law, our institution takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring.
5.9.3. Personal Data of Website Visitors and Personal Data Received for Internet Access Point Service
On the websites owned by our institution, internet movements within the site are recorded by technical means (e.g. cookies) to ensure that the visitors of these sites perform their visits in accordance with the purposes of their visit.
Our company provides free internet service to all its visitors at open points. Personal data in the trace records of the service provided are kept in accordance with Law No. 5651 (On Regulation of Broadcasts on the Internet and Fighting Against Crimes Committed Through These Broadcasts) and in order to verify access information.
5.9.4. Rights of Personal Data Owner
Your data owner rights arising from the “Law on the Protection of Personal Data”, the full text of which can be accessed on the KVKK website, are listed in Article 11 of the relevant law and are as follows:
Article 11- (1) Everyone, by applying to the data controller;
a) Learning whether personal data is processed or not,
b) If personal data has been processed, requesting information about it,
c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
ç) To know the third parties to whom personal data is transferred in the country or abroad,
d) Requesting correction of personal data in case of incomplete or incorrect processing,
Your rights mentioned in the above articles can be exercised by filling in the “KVKK Request Form”.
In accordance with the relevant law, the data controller, data controller representative and data controller contact person documents are as follows:
5.9.5. Institution’s Obligation to Clarify and Inform
Within the scope of Article 10 of the KVKK, data owners must be informed before or at the latest when personal data is obtained. The information to be conveyed to the data owners within the framework of the said disclosure obligation is as follows:
- Identity of the data controller and its representative, if any,
- For what purpose personal data will be processed,
- To whom and for what purpose the processed personal data can be transferred,
- Method and legal reason for collecting personal data,
- Other rights listed in article 11 of KVKK.
On the other hand, within the framework of Article 28 (1) of the KVKK, there is no obligation to inform in the following cases:
- Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with,
- Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
- Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
“Explicit Consent and Clarification Statement” and
has been prepared.
5.10. Terms of Deletion, Destruction and Anonymization of Personal Data
Our institution deletes, destroys or anonymizes the personal data it obtains upon the request of the personal data owners, if it is not compulsory to use it due to legal obligations and for the protection of public order. The rules and method regarding the deletion, destruction and anonymization of personal data are detailed in the “Data Retention and Destruction Policy”.
5.11. Working Principles of the Personal Data Protection Committee
Our institution has established the “Personal Data Protection Committee” in order to fulfill the KVKK requirements and maintain its compliance.
The foremost purpose and objective of the Personal Data Protection Committee:
- Protecting the privacy of private life
- To protect the fundamental rights and freedoms of individuals
- To regulate the duties and authorities of data processors