PERSONAL DATA PROTECTION AND PROCESSING POLICY

PERSONAL DATA PROTECTION AND PROCESSING POLICY

LEGAL NOTICE

It is forbidden to partially or completely copy, reproduce, use, publish and distribute all content in this Policy text without permission, except for individual-academic use. Legal action will be taken against those who do not comply with this prohibition in accordance with the Law No. 5846 on Intellectual and Artistic Works. All rights of the product are reserved.

  1. INTRODUCTION

Within the framework of the principles of superior service quality, respect for the rights of individuals, transparency and honesty determined by Karayel Arge Dış Ticaret Hizmetleri (hereinafter referred to as “Karayel Arge Dış Ticaret Hizmetleri” or the Company), it is among our priorities to regulate the internal functioning of our Company within the scope of the Law, Regulation, Regulation, Circular, Communiqué, Personal Data Protection Board Decisions and relevant legislation in line with the new regulations stipulated by the Personal Data Protection Law (hereinafter referred to as “Law” and/or “KVKK”).

Our Center shows the necessary sensitivity regarding the security of personal data and attaches great importance to visitor/patient privacy and to the best possible and careful processing and storage of all kinds of personal data belonging to our visitors. In addition to our visitors, companions, patients and employees of the institutions and organizations we cooperate with; This policy has been prepared and put into effect in order to protect and process personal data within the framework of the “Law No. 6698 on the Protection of Personal Data”, “Regulation on the Processing of Personal Health Data and Ensuring Privacy” and the basic principles contained in the relevant legislation.

According to paragraph 3 of Article 20 of the Constitution of the Republic of Turkey, “Everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning him/her, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the person.”

The right to protection of personal data as a fundamental human right is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union. Article 4 of the LPPD lists the basic principles that must be complied with for the processing of personal data. These principles are taken into consideration and meticulously applied within the scope of all personal data processing activities carried out by the Company. The basic principles that the Company follows in data processing processes in relation to the field it serves are as follows:

Processing in accordance with the Law and Good Faith “COMPANY” acts in accordance with the general principles of law and the rule of honesty while fulfilling its obligation to process and protect personal data.
Accurate and Up-to-date Processing of Personal Data: “COMPANY” is aware that the provision of accurate and up-to-date personal data about individuals is of great importance for the protection of individuals' rights. It shows the utmost care to be expected from it in order to ensure that the personal data being processed is accurate and up-to-date.
Processing Personal Data for Specific, Explicit and Legitimate Purposes: KVKK requires data processing activities to be processed for specific, explicit and legitimate purposes. “Within the framework of this principle, the COMPANY carries out personal data processing activities for specific, explicit and legitimate purposes required by its activities.
Processing that is relevant, limited and proportionate to the purpose for which it is processed: The “COMPANY” processes personal data within the limits sufficient to fulfill the purposes determined within the scope of the activities it carries out. “COMPANY” acts in accordance with the principle of limitation and proportionality by refraining from processing personal data that is not needed.
Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which it is Processed: The personal data processed by the “COMPANY” are retained for the period until the personal data processing conditions are eliminated. When the aforementioned purposes disappear, the “COMPANY” will terminate the retention of the relevant personal data. The Company transparently informs all relevant parties about all data processing processes with the necessary documents.
  1. DEFINITIONS

Open Consent:

Consent on a specific issue, based on information and freely given.
Anonymization: Changing personal data in such a way that it loses its personal data nature and this situation cannot be reversed. For example, masking, aggregation, data corruption, etc. Making personal data unassociated with a real person by means of techniques. It is possible to anonymize personal data for various purposes, but in accordance with the request and / or consent of the person concerned, so as not to violate the scope of KVKK and explicit consent. Necessary measures will be taken within the Institution to prevent the anonymized personal data from being made identifiable by various methods.
Cookie: They are small files saved on users' computers or mobile devices that help store preferences and other information about the web pages they visit.
Contact Person: Refers to the natural person whose personal data is processed. The processing and protection of personal data and special categories of personal data of our Company's real and/or legal person business partners, shareholders, managers or employees, guests and employees will be handled by our Company within the scope of KVKK and Policy.

Related User:

Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction:

Deletion, destruction or anonymization of personal data.
Contact Person The real person notified by the data controller during registration to the Registry for communication with the Authority regarding the obligations of legal entities resident in Turkey and non-resident legal entity data controller representative under the Law and the secondary regulations to be issued based on this Law. The contact person is not authorized to represent the Data Controller; it is only the person assigned to provide “liaison” for the communication between the data controller and the relevant persons and the Authority.
Employees, Shareholders and Authorities of the Institutions we cooperate with: It refers to natural persons, including, but not limited to, shareholders and officials of these institutions, working in institutions (such as business partners, suppliers, etc.) with which our Center has all kinds of business relations.

KVKK:

Law on the Protection of Personal Data dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677.

Recording Environment:

Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system.
Any information relating to an identified or identifiable natural person.
Processing of Personal Data:

Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
.

Anonymization of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data:

Making personal data inaccessible and non-reusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.
Board: Personal Data Protection Board.

Institution:

Personal Data Protection Authority.
Processing of Personal Data: It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Personal Data: It refers to any information relating to an identified or identifiable natural person. All information that makes the person identifiable is regulated as personal data, and information such as TR Identity Number, Name and Surname, e-mail address, telephone number, residence address, date of birth, bank account number can be given as examples of personal data. These data have been classified within our Center and issues such as how, by whom, for what purpose and for how long each category of data will be processed are regulated by the data inventory.
visitor Refers to visitors and/or visitors who benefit from commercial services from our organization.
Sensitive Personal Data: Irk, etnik köken, siyasi düşünce, felsefi inanç, din, mezhep veya diğer inançlar, kılık kıyafet, dernek vakıf ya da sendika üyeliği, sağlık, cinsel hayat, ceza mahkûmiyeti ve güvenlik tedbirleriyle ilgili veriler ile biyometrik ve genetik veriler özel nitelikli verileri ifade eder.

Periyodik İmha:

Kişisel verilerin işlenmesi için aranan şartların tamamının ortadan kalkması durumunda kişisel verileri saklama ve imha politikasında belirtilen ve tekrar eden aralıklarla resen gerçekleştirilecek silme, yok etme veya anonim hale getirme işlemi.

Politics:

Personal data processing and protection policy created by the Data Controller.
Third Person It refers to third party real persons who are associated with these persons in order to ensure the security of our Company's commercial transactions with the aforementioned parties or to protect the rights of the aforementioned persons and to provide benefits (For example, employees or officials of the company from which the service is received, parent-guardian, companion, etc.).
Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

VERBIS:

It is a registration system that natural and legal persons who process personal data must register before starting to process personal data and enter category-based information about the personal data they process.
Data Recording System: A recording system where personal data is structured and processed according to certain criteria.
Data Subject/Related Person: The natural person whose personal data is processed.
Data Controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).

Visitor:

It refers to real persons who have entered the physical areas owned by our Center for various purposes or who visit our websites.

Within the scope of KVKK, our Center will have the title of data controller and will be registered in VERBIS system. During registration, a team consisting of 3 people (Personal Data Officer Team) will be established from within our Center or through external service providers to carry out the transactions to be carried out in the capacity of data officer, and this team will be responsible for the follow-up and coordination of all business and transactions within the scope of KVKK and Data Protection Board regulations. In cases requiring a decision to be taken, after receiving the opinion of our Center's attorney or KVKK Legal Advisor, it will present its advisory decision to the management, and the decision taken following the approval of the management will be put into practice. In cases where it is not possible to employ within the Company, the Company provides such support through service providers.

  1. PURPOSE

The main purpose of this Policy is to make explanations about the personal data processing activities carried out by Karayel Arge Foreign Trade Services in accordance with the legislation and the actions taken to protect personal data, and in this context, to ensure transparency by informing the persons whose personal data are processed by our Center, especially our customers, companions, visitors, employees and corporate officials, employees, officials and third parties of the institutions we cooperate with. Personal data processed by Karayel Arge may vary depending on the services provided, but are collected by physical and/or digital methods. Our patient representatives, physicians, healthcare personnel, etc., our employees, service provider/supplier companies and their employees and the companies with which we engage in all kinds of commercial activities, our call center; special categories of personal data and general categories of personal data, especially health data collected verbally, in writing or digitally through our Company's website, online services and similar means, are processed for the purposes listed below and within the scope of other needs that may arise in the future, including but not limited to these:

  • Planning and managing the internal procedures of our company,
  • Training and developing our employees, protecting the personal processes and legal rights of our employees, monitoring and preventing misconduct and unauthorized transactions,
  • Fulfillment of risk management and quality improvement activities,
  • Conducting research
  • Fulfillment of legal and regulatory requirements,
  • Issuing receipts and invoicing for our services,
  • Verification of the credentials presented by visitors or customers,
  • Confirmation of your relationship with the institutions contracted with our Center,
  • Sharing information requested by other contracted companies within the scope of financing our services,
  • Responding to all your questions and complaints regarding our services,
  • Taking all necessary technical and administrative measures within the scope of data security of our Company's systems and applications,
  • Analyzing your usage and storing your data in order to develop and improve the services we provide to you,
  • Maintaining the information regarding your cloud data that must be kept in accordance with the relevant legislation,
  • Ensuring financial reconciliation with our contracted institutions, banks and all other organizations (public and private) whose expenses are collected, regarding the services provided to you,
  • Sharing only the information requested with public institutions and organizations in accordance with the relevant legislation,
  • Measuring and increasing customer satisfaction,
  • The organization sends discount agreements, greeting, reminder messages,
  • Fulfillment of our company's contracts and legal obligations as required.

Personal data is collected and processed in all kinds of verbal, written or digital media in order to fulfill the above-mentioned purposes.

  1. SCOPE

This Policy covers the following personal data of our visitors, corporate officials, employees, persons, institutions and organizations with whom we are in cooperation and all kinds of legal relations, and their employees, officials and third parties processed in physical and/or digital environment.

5.PERSONAL DATA CATEGORIZATION

  1. Identity Information

All information about the identity of the person in documents such as driver's license, identity card, passport, lawyer ID, marriage certificate

  1. Contact Information

Information for contacting the data subject such as phone number, address, residence, e-mail

  1. Location Data

Data which clearly belongs to an identified or identifiable natural person and which are included in the data recording system and which are used to determine the location of the data subject

  1. Family Members and Relatives

Information about the family members and relatives of the personal data owner, which clearly belongs to an identified or identifiable natural person and is included in the data recording system and processed in order to protect the legal interests of the relevant Institution and the data owner

  1. Physical Space

Personal data related to records and documents such as camera recordings, fingerprint records taken at the entrance to the physical space, during the stay in the physical space

  1. Transaction Security Information

Your personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our activities

  1. Financial Information

Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our company with the personal data owner

  1. Employee Candidate Information

Personal data processed about individuals who have applied to become an employee of our Center or who have been evaluated as an employee candidate in line with the human resources needs of our Center in accordance with commercial practices and honesty rules or who are in a working relationship with our Center

  1. Personal Information

Payroll Information, Disciplinary Investigation, employment-exit document records, property declaration information, resume information, information about performance evaluation reports.

  1. Performance and Career Development Information

Information on Performance Evaluation interviews, results, reports, tests, etc.

  1. Fringe Benefits

Information on Fringe Benefits

Personal data processed within the scope of determination, follow-up and fulfillment of our legal receivables and rights, and compliance with our legal obligations and Hospital policies

  1. Professional Experience

Personal data related to the content of the employment contract, information/date of commencement of employment, information/date of termination of employment

Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.

Data that clearly belongs to an identified or identifiable natural person and is included in the data recording system and will be used by the Hospital in marketing activities

  1. Incident Management Knowledge

Personal data processed in order to take the necessary legal, technical and administrative measures against the events that develop in order to protect the commercial rights and interests of our company and the rights and interests of the service recipients

  1. Audiovisual Data

Visual and audio recordings that clearly belong to an identified or identifiable natural person and are associated with the personal data subject and are included in the data recording system

According to the groups of personal data owners, the scope of application of this policy may be the entire Policy (such as our visitors); only some of its provisions (for example, only our employees, suppliers, etc.).

Personal data may also be processed when telephones, call centers or websites that provide communication with audio and video belonging to our personnel are used to benefit from the online services of our institution; in-house training, participation in events organized by the institution or visiting websites.

  1. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

The processing and protection of personal data is carried out within the framework of the relevant legal regulations in force. Karayel Arge Foreign Trade Services Personal Data Protection Policy has been prepared in accordance with current regulations.

The policy was created by integrating it with Karayel Arge applications within the framework of the rules set forth by the relevant legislation. It carries out the necessary preparations by adhering to the effective periods stipulated in the KVKK. When necessary, the personal data specified in Article 3 under the scope heading above can be processed within the framework of the provisions of the legislation such as “Regulation on the Processing of Personal Health Data and Protection of Privacy”, “Customer Rights Regulation” regulations, etc., and will be transferred to the physical archives and information systems of our Institution. Personal data will be protected in both digital and physical environment in accordance with the legal periods defined in the institution procedures.

  1. DISTRIBUTION OF TASKS FOR THE IMPLEMENTATION OF THE POLICY

Title

Job Description

Contact Person

In order to fulfill the obligation to appoint a contact person stipulated by the legislation, a contact person who has received the necessary training and has the required competence in the field of KVKK has been appointed. The main responsibility of the contact person is to ensure the communication of the data controller with the Board and relevant persons as stipulated by the legislation, and the contact person does not have the authority to represent the data controller. The contact person will also work towards the fulfillment of the duties and responsibilities of the KVKK Commission. The Contact Person is a natural member of the KVKK Commission within our organization and calls the KVKK Commission to a meeting when necessary.

Personal Data Unit Manager

It is obliged to carry out / have carried out / direct all kinds of planning, analysis, research, risk identification studies in the projects carried out in the process of compliance with the Law; to manage the processes to be carried out in accordance with the Law, Personal Data Processing and Protection Policy and Personal Data Storage and Destruction Policy and to resolve the requests received by the relevant persons.

  1. PERSONAL DATA PROCESSING PRINCIPLES
General Principles for Processing Personal Data: The Hospital accepts that the personal data remaining within the scope of this Policy in accordance with Article 4 of the KVKK will be processed in accordance with the following principles:
Compliance with the Law and Good Faith: The Hospital, as a prudent merchant in the capacity of data controller, accepts that it will carry out personal data processing activities in accordance with the provisions of all legislation that will enter into force, especially the Constitution and KVKK, and in accordance with the rule of honesty stipulated by Article 2 of the Turkish Civil Code.
Accuracy and Timeliness: The Company takes all necessary measures to ensure the accuracy and timeliness of personal data to the extent technically possible in the processing of personal data. The administrative and technical mechanisms established by the Company will be operated by the Company for the correction and accuracy of inaccurate or outdated personal data in the event that the requests to be notified by the data subject to the Company in the capacity of data controller are deemed necessary by the Company itself.
Processing for Specific, Explicit and Legitimate Purposes: Personal data are processed by our Company in accordance with the law, limited to the requirements of the relevant legislation provisions and the services offered or to be offered, and the purpose of processing personal data is clearly and precisely determined before the data is started to be processed.
Processing in connection with the Purpose, Limited and Measured: Personal data are processed by our Company in connection with and limited to the purposes for which they are processed and to the extent necessary for the realization of this purpose. In this context, it is essential to avoid the processing of personal data that is not related to the purpose of processing and is not needed.
Processing Limited to the Period Stipulated by the Provisions of the Legislation or Required by the Purpose of Processing: Personal data are retained for the periods stipulated by the provisions of the relevant legislation and/or for the period required by the purpose of processing the data. At the end of the period stipulated by the provisions of the legislation or at the end of the period required by the purpose of processing, personal data are deleted, destroyed or anonymized by the Company. Necessary administrative and technical measures will be taken to prevent the retention of data at the end of the required period.
  1. CONDITIONS FOR PROCESSING PERSONAL DATA

Protection of personal data is a constitutional right. Pursuant to paragraph 3 of Article 20 of the Constitution, personal data can only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution; our Center processes personal data only in cases stipulated by law or with the explicit consent of the person.

Although the legal basis for the processing of personal data by our Center varies, we act in accordance with the general principles specified in Article 4 of the KVKK No. 6698 in all kinds of personal data processing activities.

The explicit consent of the personal data owner is only one of the legal grounds that allow personal data to be processed in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is personal data of special nature, the following conditions shall apply:

Explicit Consent of the Personal Data Owner:

The main rule in the processing of personal data is the explicit consent of the data subject for the processing of his/her data. The hospital will carry out data processing activities for the transactions covered by the consent in line with the explicit consent of the relevant person upon the clarification of the data subject on the purpose of processing in a clear manner that will not leave any room for hesitation as stipulated by the KVKK.

Explicit Provision in the Laws: In cases where it is mandatory to process personal data in accordance with the provisions of the legislation, even without the explicit consent of the data subjects in accordance with the KVKK, data processing activities will be deemed lawful provided that other necessary criteria are met.
Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility: Pursuant to the LPPD, it is possible to process personal data in cases where it is not possible for the data subject to disclose his/her consent or where his/her consent cannot be legally validated, if it is mandatory to process personal data in order to protect the life or physical integrity of the data subject or someone else. The Company will process personal data in the cases stipulated in accordance with this regulation.
Direct Relevance to the Establishment or Performance of the Contract: Provided that it is directly related to the establishment and execution of the contract, personal data belonging to the parties to the contract will be processed by our Center.
Fulfillment of the Legal Obligation by the Institution: In order for the Company, which has the title of Data Controller pursuant to KVKK, to fulfill its obligations arising from the provisions of the legislation, personal data will be processed by the Company, subject to the limits of the said obligation.

Kişisel Veri Sahibinin Kişisel Verisini Alenileştirmesi:

İlgili kişinin kişisel verilerini alenileştirmesi halinde Şirket tarafından söz konusu kişisel veriler, alenileştirilme amaçları ile orantılı olarak işlenecektir.

Data Processing is Mandatory for the Establishment or Protection of a Right: Personal data will be processed by the Company to the extent necessary for the establishment, exercise or protection of a right.
Data Processing is Mandatory for the Legitimate Interest of our Hospital: Personal data may be processed in line with the legitimate interests of the Company, which has the title of Data Controller, provided that the fundamental rights and freedoms of the data subject are not harmed. However, the expression of the legitimate interests of the Company can in no way be contrary to the principles determined by the KVKK, the purpose of processing personal data and cannot interfere with the essence of the right guaranteed by the Constitution.

  1. CONDITIONS FOR THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Our Center acts in accordance with the regulations stipulated in the KVKK in the processing of personal data determined as “special quality” by the KVKK.

In Article 6 of the LPPD, certain personal data which, when processed unlawfully, may cause victimization or discrimination of persons, are defined as “special categories”. These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

In accordance with the KVKK, special categories of personal data are processed by our Center in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board are taken:

  • If the personal data subject has explicit consent or,
  • Even without the explicit consent of the personal data owner; personal data of special nature other than the health and sexual life of the personal data owner, in cases stipulated by law,
  • Sensitive personal data relating to the health and sexual life of the personal data subject are processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.
  1. ENSURING THE SECURITY OF PERSONAL DATA

Our Center takes the necessary technical and administrative measures to ensure a high level of security in order to prevent unlawful processing of the personal data it processes and to ensure the preservation of the data, and conducts or has the necessary audits carried out within this scope.

The measures taken by our Company to ensure “data security” in accordance with Article 12 of the KVKK are stated below:

  • Our Company takes technical and administrative measures according to technological possibilities and implementation cost to ensure that personal data is processed in accordance with the law.
  • Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVKK and cannot use them for purposes other than processing, and that this obligation will continue after they leave their duties, and necessary commitments are taken from them in this direction.
  • Our Company takes technical and administrative measures to prevent imprudent or unauthorized disclosure, access, transfer or other forms of unlawful access to personal data.
  • Our Company also raises awareness on the basis of data processing institutions such as business partners and suppliers to whom it transfers personal data in order to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure that data is kept in accordance with the law.
  • The obligations that our Company has to comply with when processing personal data as a data controller and the obligation to comply with the legal, administrative and technical measures developed in this regard Contracts are made to the data processing institutions that our Company has relations with in various capacities such as suppliers and business partners in accordance with the nature of their activities in data processing.
  • Our Company conducts or has the necessary audits performed within its own organization. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Company and necessary actions are taken to improve the measures taken.
  • In the event that personal data processed in accordance with Article 12 of the KVKK is obtained by others through unlawful means, our Company operates a system that ensures that the relevant personal data owner and the Personal Data Protection Board are notified as soon as possible.
  1. TRANSFER OF PERSONAL DATA

Our Company may transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, institutions, group companies, third real persons) by taking the necessary security measures in line with the lawful personal data processing purposes. In this direction, our Company acts in accordance with the regulations stipulated in Article 8 of the KVKK.Your personal data, within the scope of the Law and other legislation and for the purposes stated above, private insurance companies that Karayel Arge works with, Social Security Institution, General Directorate of Security, General Directorate of Population, courts and all public institutions and organizations authorized to request personal data, third parties providing health services that we cooperate with for medical diagnosis, Your data may be shared with your authorized representatives, the institution you are affiliated with and/or we are working with, lawyers, tax consultants and auditors, third parties from whom we receive consultancy including IT experts, regulatory and supervisory bodies and public authorities, domestic systems, our suppliers, support service providers and business partners whose services we benefit from or cooperate with. (For information on the third party groups with whom your data is shared, you can obtain the full list by filling out the Application Form to the Data Controller).

Domestic Transfer Pursuant to Article 8/II-a and b of the LPPD, if personal data is processed within the scope of Article 5/II and 6/III of the LPPD, it is possible to transfer it domestically without obtaining explicit consent. The Company transfers to third parties in accordance with the relevant provisions, and in the event that it does not fall within the scope of the said provisions, the explicit consent of the relevant persons is applied.
Transfer Abroad: As a rule, the Company does not make overseas transfers. However, it may be possible that the data and documents processed by the Company are kept on computers located outside the Company, that e-mails are sent and records are accessed from such computers, that the systems and/or databases of e-mail providers where these data are kept and transferred are located abroad. In addition, there may be an obligation to transfer personal data abroad, especially in overseas organizations, event arrangements, hotel accommodations, obtaining visas, obtaining airline tickets, conducting and planning overseas events. In this case, the transfer will be made by complying with the provisions of Article 9 of the KVKK.

Your personal data is shared with authorized public institutions and organizations, judicial authorities, enforcement authorities, law enforcement authorities, law enforcement units, suppliers, business partners and shareholders, company officials, legally authorized private law and public institutions and organizations for the purposes shown in this Policy and by the means herein. The table below shows the parties with whom disclosures are made:

Persons to whom data can be transferred Definition Objective
Business Partner Parties with whom the Company establishes business partnerships while conducting its commercial activities Sharing of personal data limited to the purpose of ensuring the fulfillment of the purposes for which the business partnership was established
Shareholders Shareholders who are authorized to design the strategies and audit activities regarding the company's commercial activities in accordance with the provisions of the relevant legislation Sharing of personal data limited to the design of strategies regarding the Company's commercial activities and for audit purposes
Company Authorities Board members and other authorized persons

Sharing of personal data limited to designing strategies for the commercial activities of the company, ensuring its management at the highest level and for audit purposes

Legally Authorized Private Law Persons Private law persons legally authorized to obtain information and documents from the company Sharing data limited to the purpose requested by the relevant private law persons within their legal authority
Legally Authorized Public Institutions and Organizations Public institutions and organizations legally authorized to receive information and documents from the company Sharing personal data limited to the purpose of requesting information by the relevant public institutions and organizations

The Company does not transfer any data that does not concern the legal purposes of personal data transfer. For example; Even if we have obtained it with your consent, your IP address information is not shared with any third party, including the persons and organizations shown above. The exception to this determination is if the transfer of the data in question is mandated by the legislation, or is mandatory for a criminal investigation, or is requested by an official authority based on legislation and with justification.

  1. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVKK, personal data shall be deleted, destroyed or anonymized in accordance with the relevant procedures of our Center or upon the request of the personal data owner if the reasons requiring its processing disappear.

In this context, our Company trains and assigns relevant business units and increases their awareness in order to fulfill the relevant obligation.

While obtaining the names and surnames of the persons who come to the buildings of our Center, or through the texts posted at the Institution or otherwise made available to the guests, the personal data owners in question are enlightened within this scope.

For the purposes of ensuring security by our Center and for the purposes specified in this Policy; Internet access can be provided by our Center to our visitors who request it during their stay in our buildings and facilities. In this case, log records regarding internet access are recorded in accordance with the provisions of Law No. 5651 and the legislation regulated in accordance with this Law; These records are processed only upon request by authorized public institutions and organizations or in order to fulfill our legal obligation in the audit processes to be carried out within the Institution. Website visitors can obtain information about which data is processed through the “Karayel Arge Tasarım Website Clarification Text” on our website.

Only a limited number of Company employees have access to the log records obtained within this framework. Company employees who have access to the relevant records access these records only for use in requests or audit processes from authorized public institutions and organizations and share them with legally authorized persons. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with the Confidentiality Agreement (Undertaking).

On the websites owned by our Center; To ensure that visitors to these sites perform their visits on the sites in accordance with their visit purposes; It records internet movements within the site through technical tools (cookies-cookies) in order to show them customized content and to carry out online promotional activities.

  1. CLARIFICATION AND INFORMATION OF THE PERSONAL DATA SUBJECT

In accordance with Article 10 of the LPPD, Karayel Arge Foreign Trade Services informs personal data owners during the acquisition of personal data. The Data Controller fulfills its obligation to inform personal data subjects by informing them through the relevant “Clarification Text”, “Explicit Consent Text”, “Information on the Closed Circuit Camera System in the Business and the Rights of the Data Subject”, “Explicit Consent Text on Social Media Processes”.

In this context, Karayel Arge informs the personal data owners about the identity of the commercial enterprise during the acquisition of their personal data, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner under Article 11 of the KVKK.

Article 20 of the Constitution stipulates that everyone has the right to obtain information about their personal data. In this direction, “the right to request information” is also listed among the rights of the personal data owner in Article 11 of the KVKK. In this context, our Center provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVKK.

By announcing the corporate policy on the protection of personal data to personal data owners and those concerned through various public documents, our Center ensures informing those concerned in personal data processing activities and ensures accountability and transparency within this framework. In addition, our Center also informs the persons concerned about its activities and the articles in the law by different methods, especially when it applies for the “explicit consent” of the persons.

  1. RIGHTS OF THE DATA SUBJECT; REQUESTING INFORMATION, COMMUNICATION CHANNELS, RIGHT TO APPLY TO THE DATA CONTROLLER AND EVALUATION OF DATA SUBJECTS' REQUESTS

Our Company carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the LPPD in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.Kişisel veri sahipleri aşağıda sıralanan haklarına ilişkin taleplerini yazılı olarak ve kimliği tespit edici belgeleri ibraz etmek koşullarıyla şahsen başvuru ile veya özel yetkili vekâletname ile Veri Sorumlusu olan Şirketimize iletmeleri durumunda Veri Sorumlusu, talebin niteliğine göre talebi en kısa sürede ve en geç otuz gün içinde ücretsiz olarak sonuçlandırmaktadır. Kişisel veri sahipleri kendisiyle ilgili olmak kaydıyla;

  • To learn whether personal data is processed,
    To request information if personal data has been processed,
    To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
    To know the third parties to whom personal data is transferred domestically or abroad,
    To request correction of personal data in case of incomplete or incorrect processing,
    To request the deletion or destruction of personal data,
    In case of correction, deletion or destruction of personal data, to request notification of these transactions to third parties to whom personal data is transferred,
    To object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
    In case of damage due to unlawful processing of personal data, it has the right to demand compensation for the damage.

Pursuant to Article 13/I of the LPPD, the request for the exercise of the above-mentioned rights must be submitted to our Company, which is the Data Controller, “in writing”. The Application Form and ways of application to the Data Controller are available on our website. The applications of data subjects may be charged within the framework of the tariffs published by the Board. Pursuant to Article 7 of the relevant Communiqué, if the application of the data subject is to be answered in writing, no fee is charged up to ten pages. A transaction fee of 1 (one) Turkish Lira may be charged for each page over ten pages. If the response to the application is given in a recording medium such as CD, flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium.

In order to exercise the rights specified within the framework of the KVKK, the necessary information identifying the identity and explanations regarding the rights to be exercised, as well as stating which right specified in Article 11 of the KVKK is related to the use of the request, will ensure that the application regarding the request is answered more quickly and effectively.

  1. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE BUILDING AND FACILITY AND INTERNET SITE VISITORS

Our Center acts in accordance with the regulations in the KVKK in carrying out camera surveillance activities for security purposes.

Personal data processing activities are carried out to monitor the entrance and exit of patients, customers, personnel, visitors, visitors, and supplier company employees with security camera surveillance in the buildings and facilities of our organization.

Personal data processing activities are carried out by our Company through the use of security cameras and recording guest entrances and exits.

In this context, Karayel Arge Foreign Trade Services acts in accordance with the Constitution, KVKK and other relevant legislation.

Video recordings and, where necessary, audio recordings of our visitors are taken by means of a camera surveillance system at the building, facility entrances and inside the facility.

Within the scope of security camera surveillance activities, our organization aims to increase the quality of the service provided, to ensure its reliability, to ensure the safety of the institution, visitors and other employees, and to protect the interests of visitors regarding the healthcare and other services they receive.

Camera surveillance activities carried out by our organization are carried out in accordance with the Law on Private Security Services and the relevant legislation.

Only authorized employees of the institution and/or employees of the supplier company have access to the records recorded and stored in digital media. Live camera footage can be viewed by outsourced security officers. Camera recordings are stored for 27 days.

In accordance with Article 12 of the KVKK, necessary technical and administrative measures are taken by our organization to ensure the security of personal data obtained as a result of camera surveillance activities.

  1. ENTRY INTO FORCE

Karayel Arge Dış Ticaret Hizmetleri (“Karayel Arge Dış Ticaret Hizmetleri”) Personal Data Protection and Processing Policy enters into force upon publication on 2022. In the event that all or certain articles of the Policy are renewed, the effective date of the Policy enters into force on the date of revision of that article for the renewed article.

Approved by: (Lawyer) Preparation Date: 24.05.2025
Revision Date: 01.06.2024

KVKK

Law on the Protection of Personal Data

KVKK

GET A QUİCK QUOTE

We Offer You the Most Suitable Offers

GET A QUOTE

Bu sitede çerezler kullanılmaktadır. Sitede gezinmeye devam ederek çerezlerimizin kullanımını kabul etmiş olursunuz. Daha Fazla Bilgi