THIRD PARTY (REFERENCE) INFORMATION TEXT

YA-SA HOLDING Inc.
PERSONAL DATA PROTECTION AND PROCESSING POLICY

YA-SA HOLDING Inc.

Address: Küçük Çamlıca mh. Üçpınarlar cd. No: 40 - 34674 Üsküdar Istanbul/TURKEY
Phone/Fax : 0216 545 05 05 – 0216 341 92 72
Web : www.yasaholding.com

CONTENTS

1. INTRODUCTION
2. PURPOSE OF POLICY
3. SCOPE OF POLICY
4. DEFINITIONS
5. PURPOSES OF PROCESSING PERSONAL DATA
6. PROCESSING PERSONAL DATA
6.1. Principles applicable to Personal Data Processing
6.1.1 Personal Data Processing in accordance with Law and with Good Faith
6.1.2 Assuring the Accuracy and Actuality of Personal Data when required
6.1.3. Processing Personal Data for Specific, Clear and Legitimate Purposes
6.1.4. Processing Personal Data as Purpose-related, on Limited Scale and Prudently
6.1.5. Personal Data Retaining Period as stipulated by Legislation or required for the intended Purpose
6.2. Processing Personal Data of General Nature
6.2.1. Getting Explicit Consent of Personal Data Owner
6.2.2 Explicit Stipulation by Laws
6.2.3. Failure to Obtain Explicit Consent due to Actual Impossibility
6.2.4. Direct Relation with Making and Performance of Contract
6.2.5. Mandatory for the Company to meet its Legal Liability
6.2.6. Data Publicised Personally by the Concerned
6.2.7. Mandatory for the Establishment, Exercise or Protection of a Right
6.2.8. Mandatory for the Company’s Legitimate Interests
6.3. Processing Sensitive Personal Data
6.4. Personal Data processed by YA-SA
6.5. Transfer of Personal Data
6.5.1. Transfer of Personal Data Domestically
6.5.2. Transfer of Personal Data Internationally
7. PERSONAL DATA OF WEBSITE VISITORS
8. SECURITY OF PERSONAL DATA
10.  DELETING, DESTRUCTION AND ANONYMISING OF PERSONAL DATA
11. RIGHTS OF THE PERSONAL DATA OWNER AND ITS APPLICATION TO THE COMPANY
11.1. Rights of the Personal Data Owner
11.2. Exercising Rights by Personal Data Owner
11.3. Exceptions to Personal Data Owner's Right of Application
11.4. Responding to the Applications of Personal Data Owner
12. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
ANNEX-1: Personal Data Categories
ANNEX-2 Matching Personal Data Category and Group of People
ANNEX-3 Table on Persons eligible for Data Transfer and Purpose

 

Protecting personal data is among the most important priorities of YA-SA HOLDING A.Ş. (“YA-SA” or “Company”). We take great care to protect the personal data of our shareholders, employees, trainees, suppliers, supplier employees/executives, customers, customer employees/executives, potential customers, business partners and their employees/executives, referees, family members and relatives of our employees, Claimer Third Parties and their Attorneys or Legal Representatives and of relevant persons.

In line with its activities or requirements, YA-SA has adopted, as a corporate policy, the protection and development of the constitutional right to the "Protection of Personal Data" of our shareholders, employees, trainees, suppliers, supplier employees/executives, customers, customer employees/executives, potential customers, business partners and their employees/executives, referees, family members and relatives of our employees, Claimer Third Parties and their Attorneys or Legal Representatives and of relevant persons whose personal data we process.

This Policy is prepared to ensure that companywide activities are carried out in compliance with the Law on Protection of Personal Data No 6698 ("LPPD"), the resolutions of the Personal Data Protection Board ("Board") and the secondary legislation in effect on the processing and protection of personal data.

This policy is about all kinds of processing made on data, including but not limited to obtaining data automatically, completely or partially, or via non-automatic means provided that they are part of any data recording system, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making accessible, classifying or preventing their utilisation, and administrative and technical measures taken for the security of personal data.

In this context,

  • Explicit Consent: shall mean consent on a specific subject, based on being kept informed and given on free will,
  • Recipient Group: shall mean the category of real or legal person to which personal data is transferred by the data supervisor,
  • Relevant Person: shall mean the real person whose personal data is processed,
  • Employee: shall mean YA-SA staff,
  • Potential Employee: shall mean real persons who filed a job application with YA-SA in any way, via either electronic or physical media, or disclosed/conveyed their CV and relevant personal information to YA-SA for the Company’s review with the aim to join YA-SA,
  • Relevant User: shall mean the persons who process personal data within the data controlling body or based on the authority granted and instructions given by the data supervisor, except the person or unit being responsible for the technical storage, protection and backup of the data,
  • Business Partner: shall mean the parties with whom YA-SA established business partnership for the purposes such as to realise various projects, get services, and improve internal operational efficiency when conducting its commercial activities,
  • Visitor: shall mean real persons who enter the physical premises owned by YA-SA for various purposes or who visit our websites,
  • Company Executive: shall mean members of the YA-SA board of directors and other authorized persons,
  • Company Shareholders: shall mean real persons being YA-SA shareholder,
  • Supplier: shall mean real or legal persons to whom YA-SA gives orders and instructions, establishes a contractual relationship, who provide goods and/or services when YA-SA carries out its commercial and operational activities,
  • Customers: shall mean real or legal persons utilising the products and services offered by YA-SA,
  • Potential Customers: shall mean real or legal persons requesting to utilize the products and services offered by our company or to purchase relevant products and services or whose request would be considered in accordance with the rules of commercial customs  and honesty,
  • Destruction: shall mean deletion, destruction or anonymising of personal data,
  • Law:  shall mean Law on Protection of Personal Data (LPPD) No. 6698, dated March 24, 2016,
  • Recording Medium: shall mean any medium containing personal data that is fully or partially automatic or processed by non-automatic means provided that it is part of any data recording system,
  • Electronic Media: shall mean all kinds of media where non-automatic processed personal data are kept, provided that they are part of full automatic or semi-automatic or any other data recording system,
  • Non-electronic Media: shall mean the media where personal data can be created, processed, stored and transmitted using devices equipped with the relevant technological infrastructure,
  • Non-electronic Other Media: shall mean all kinds of written, verbal and similar media other than electronic media,
  • Service Provider: shall mean a real or legal person providing any service to YA-SA within the framework of applicable contract concluded,
  • Personal Data: shall mean all kinds of data relating to an identified or identifiable real person,
  • Sensitive Personal Data: shall mean the individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of any association, foundation or union, health, sexual life, criminal conviction and security measures as well as biometric and genetic data,
  • Processing Personal Data:  shall mean all kinds of processes on data, such as obtaining, recording, storage, retaining, alteration, re-arrangement, disclosure, transfer, taking over, availability, classification or utilisation of personal data by non-automatic means, provided that they are part of full automatic or semi-automatic or any other data recording system,
  • Personal Data Processing: shall mean Personal data processing activities carried out by data supervisors depending on their respective business processes; maximum period defined by relation to the personal data processing purposes, the data category, the recipient group transferred and the data subject group and required for processing purposes and the inventory clarifying and detailing the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,
  • Personal Data Retention and Destruction Policy (or “Destruction Policy” in brief): shall mean the policy used by data supervisors as basis for the process of determining the maximum time period required for the purpose for which personal data are processed, and for deletion, destruction and anonymisation thereof,
  • Board: shall mean Personal Data Protection Board,
  • Agency: shall mean Personal Data Protection Agency,
  • Periodical Destruction: shall mean the deletion, destruction or anonymisation process to be carried out ex officio at recurring intervals and as specified in the personal data storage and disposal policy, in the event that all the conditions for processing of personal data in the law are abrogated,
  • Registry (VERBIS): shall mean the Data Supervisors Registry Information System kept by the Personal Data Protection Agency,
  • Trainee: shall mean any person who works for applied career training,
  • Data Processor: shall mean the real or legal person processing personal data on behalf of data supervisor, based on the authority granted by data supervisor,
  • Data Recording System: shall mean the recording system where personal data are structured and processed pursuant to certain criteria,
  • Data Supervisor: shall mean any real or legal person who defines the purposes for and means of personal data processing and is responsible for set-up and management of data recording system.

For the concepts not defined herein, the definitions in LPPD numbered 6698 and the relevant secondary legislation shall apply.

YA-SA processes personal data by meeting the relevant information obligation within the scope of article 10, LPPD, in accordance with YA-SA data processing purposes, in compliance with at least one of the provisions stipulated in article 5 and 6, LPPD and bounded by respective purposes.

The personal data processing purposes of YA-SA are in particular the following:

  • Conducting emergency management processes,
  • Planning and conducting YA-SA human resources operations,
  • Formulating and implementing the strategies for YA-SA business processes,
  • Ensuring the security of all YA-SA operational activities,
  • Managing the application, request and complaint processes,
  • Planning, conducting and controlling information security activities,
  • Conducting potential employee/trainee recruitment processes,
  • Meeting the obligations to employees arising out of the employment contract and legislation,
  • Conducting audit activities,
  • Carrying out financial and accounting transactions,
  • Supervision and follow-up of legal affairs,
  • Conducting administrative, technical and financial risk management processes,
  • Capability to meet the burden of proof in legal disputes that may arise in the future,
  • Planning human resources processes,
  • Undertaking activities to ensure business continuity,
  • Performing legal obligations,
  • Ensuring the accuracy and actuality of personal data,
  • Ensuring corporate communication,
  • Conducting logistics activities,
  • Managing the procurement processes of goods / services,
  • Managing product sale processes,
  • Managing goods production and operation processes,
  • Managing customer relations processes,
  • Managing performance evaluation processes,
  • Conducting custody and archive activities,
  • Conducting after sales support services,
  • Managing contract processes,
  • Capacity to conduct strategic planning activities,
  • Ensuring the security of movable property and resources,
  • Conducting business processes with suppliers, business partners and service providers and establishing communication with them,
  • Managing the processes on wage management, fringe benefits and benefits,
  • Solving problems in our products and services; detecting and fixing mistakes and problems,
  • Carrying out product and/or service procurement processes,
  • Ensuring the security of data supervisor operations,
  • Being able to meet legal and contractual obligations,
  • Informing the authorized institutions and organizations pursuant to the applicable legal regulation,
  • Conducting management activities.

6. PROCESSING PERSONAL DATA

 

When processing the personal data of the concerned, YA-SA acts in accordance with LPPD and other relevant legal regulations. YA-SA's priority is that the principles set forth in Article 4, LPPD lie at the core of all personal data processing activities and that all such activities are performed in accordance with these principles. The principles taken into account in data processing are the following.

The principle of compliance with the law and the principle of honesty, adopted by YA-SA as a prerequisite for all data processing processes, imply the obligation to act in accordance with the principles set forth by laws and other legal regulations when processing personal data. Pursuant to this principle, YA-SA takes into account the interests and reasonable expectations of those concerned and acts to prevent any results that are unexpected and should not be expected, while striving to attain its aims for data processing.
Within the context of this principle, our Company aims to make data processing activity transparent for the respective person by duly informing the concerned about how and for what purpose the personal data will be processed.

Whenever YA-SA processes the personal data of any person concerned by objectives explained herein, it exercises due care to ensure that personal data are accurate and updated, when required. Apart from that, the Company keeps open the communication channels in order to enable the concerned to get into contact with YA-SA to ensure the accuracy and actuality of its personal data and offers opportunity to this end. Accordingly, the application form to be delivered to the data supervisor is published on the Company’s website.

YA-SA is sensitive to adhere to the principle of certainty and clarity regarding contracts, legal transactions and texts disclosing the objectives for personal data processing (including but not limited to Website Disclosure Text, Supplier Disclosure Text, Customer Disclosure Text, Employee and Potential Employee Disclosure Text, Form on Application to data Controller) and takes care to ensure that the data processing activity is clearly comprehensible to the person concerned. Personal data are processed within the framework of objectives defined, published, notified or stipulated in contract.

When conducting data processing processes, attention is paid for ensuring the suitability of processed data for achieving the specified objectives and processing of personal data that is irrelevant for achieving the purpose or unnecessary is avoided. The Company does not seek to process any data intended to meet any potential future needs.

The Company retains personal data for the period stipulated in the legislation, the Destruction Policy or set forth in VERBIS or for the intended processing purpose. Upon expiry of the period set forth in the legislation and/or Destruction Policy or achievement of purpose, personal data are deleted, destroyed and anonymised either ex officio or upon the request of the concerned. Regarding the destruction of personal data, "Personal Data Retention and Destruction Policy" has been prepared.

Pursuant to Article 20, Turkish Constitution and Article 5.1, LPPD, personal data shall not be processed without obtaining the express consent of the concerned subject. In line with these legal regulations, the Company always takes care to obtain the express consent of the relevant persons when processing their personal data.

However, in accordance with Article 5.2, LPPD, the company may also process personal data without seeking the express consent of the relevant person, under following circumstances.
a) If it is clearly stipulated in the laws.
b) If it is required to preserve the concerned person’s or any third party’s life or bodily integrity in case the concerned is unable to declare consent due to actual impossibility or its consent is without legal validity.
c) If it is necessary to process personal data of contractual parties, provided that it is directly related to the conclusion or performance of a contract.
d) If it is mandatory for the data supervisor to fulfil its legal obligation.
e) If it is made public by the person concerned.
f) If data processing is mandatory for the establishment, exercising or protection of a right.
g) If data processing is mandatory for the legitimate interests of the data supervisor, provided that it does not impair the fundamental rights and liberties of the person concerned.
Your personal data can be processed by YA-SA if one or more of the following conditions exist.

The Company gives priority to obtaining explicit consent for processing of personal data. To this end, the necessary methods and systems to obtain the explicit consent of the relevant persons in physical and/or electronic media have been developed.

The enlightenment requirement, specified in Article 10 of LPPD is fulfilled before obtaining the consent of the relevant persons on processing personal data, thus it is ensured that their express consent on a specific subject is obtained on the basis of information and with free will.

Attaching great importance to the fact that express consent by employees is given on free will, YA-SA clearly underlines the right of employees to refrain from giving express consent, thus ensures that certain data, not clearly consented for processing by the employee, are not processed, while such non-consenting employees are not subject to discrimination.

Processing of personal data is lawful where it is stipulated by law, and in such cases the existence of express consent of the data subject is not separately considered. In accordance with the Article 75 “Employee’s Personnel File” of the Labour Code No. 4857, the collection of employee data is assessed within this scope. In cases provided for by various laws, particularly Law on the Protection of Personal Data no 6698, Turkish Code of Obligations no 6098, Turkish Commercial Code no 6102, Law on Regulation of Publications made on the Internet and Suppression of Crimes Committed by means of these Publications no 5651, Law on Occupational Health and Safety no 6361, Social Security and General Health Insurance Law no 5510, Right to Information Act no 4982, Law on Exercising the Right to Petition no 3071 and related secondary legislation, YA-SA may process personal data of the concerned without express consent.

For cases where the consent cannot be given or is invalid, it is proposed to process data with the purpose of protecting the life or body integrity of the persons. For example, if a worker employed within hard labour group of a factory would have an occupational accident, it won’t be necessary to wait to obtain explicit consent of the worker for disclosing its blood group to health personnel.

If it is directly related to the making or performance of a contract, it is possible to process the personal data without express consent of the contractual parties. For example, the account number of the payee will be obtained for payment of the fee in accordance with the contract.

If it is mandatory for the company to fulfil its legal liabilities, it is possible to process personal data without obtaining express consent. As an example, the information required by court decree can be submitted to the court, even without express consent.

Personal data that is publicly disclosed by the person concerned may be processed without express consent for the publicising purposes. For example, the resume shared by any person in its account on websites created for employment opportunity purposes is considered as public data.

In the event that data processing is mandatory for the establishment, exercising or protection of a right, personal data may be processed without explicit consent. The foregoing includes the utilisation of some data by the company as evidence in a lawsuit filed by the employee.

Personal data may be processed without explicit consent if data processing is necessary for the legitimate interests of the data supervisor, provided that the fundamental rights and liberties of the related person are not impaired. The promotions, salary increases, or the personal data processing of employees for adjustment of their social rights are considered within this context, provided that the fundamental rights and liberties of the employees are not impaired. To give an example, YA-SA is inquiring whether male candidates have done their respective military duty, since it provides training to its employees within the scope of orientation and professional development and makes investments in this framework.

Along with the LPPD, particular importance is attached to certain personal data, taking into account that they contain potential for discrimination and may result in unjust suffering of individuals when processed unlawfully, thus such data are named as "sensitive personal data". (For definition see: 4. DEFINITIONS).

The Company takes additional care when processing "sensitive personal data", to which particular importance is given by LPPD. Employees involved in the processing of sensitive personal data undergo training on the Law, related regulations and sensitive personal data security issues and sign confidentiality agreements; their access to data is restricted, and the access authorisation of those who change duties or resign is immediately removed.

For transfer of sensitive personal data via e-mail, it should be sent only to the relevant person via the encrypted corporate e-mail account or Registered E-Mail (REM) account. Security tests are performed when deemed necessary. Adequate security measures are taken in physical spaces used for storage of sensitive personal data and unauthorized access to such locations is prevented. Measures are taken against fire, flood and similar risks that may happen in such physical spaces. It should also be noted that the distribution of roles and responsibilities regarding the processing and preservation of sensitive personal data has been made, the relevant persons have been warned about the sensitivity of the data and instructed to take the necessary measures.

VPN (virtual private network) is used for data conveyance between servers at different physical spaces. If data needs to be conveyed via printed media, all required measures against risks, including but not limited to theft, loss or accessibility by unauthorised persons are taken and the document is delivered in “classified documents” format.

YA-SA gives priority to explicit consent of the relevant persons for processing the aforesaid data. In the event explicit consent is not given by the subject, YA-SA shall be allowed to process sensitive personal data only in the following exceptional cases specified in LPPD:

Health Data
In cases stipulated by the law, personal data other than health and sexual life can be processed without the explicit consent of the person concerned.

  • Personal data related to health and sexual life can be processed by persons subject to confidentiality obligation or authorised organisations and institutions only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing without seeking explicit consent of the concerned.

Health reports were taken out from personal files and filed separately. Such files are kept in a cabinet accessible only for the on-site doctor to whom the key of the cabinet is delivered. Reports received from relevant health institutions by employees who fail to come to the job due to health problems are received by the Human Resources department in a sealed envelope, the CONFIDENTIAL stamp is affixed thereon and then delivered to the workplace doctor.

YA-SA processes personal data of sensitive and general nature within the scope of the principles and purposes listed above. Examples of such data are given in Annex-1, and the data specific to each category can be processed within the framework of the relationship established between YA-SA and the person concerned and in line with the principles set out in this Policy.

 

Obtaining explicit consent for personal data sharing is ranked in priority by YA-SA. To this respect, necessary methods have been developed to obtain the explicit consent of the relevant persons, whose personal data we share with third parties, via physical and/or electronic media.

6.5.1.1. Transfer of Personal Data of General Nature Domestically

YA-SA can transfer relevant persons’ personal data to third parties in compliance with the principles adopted for personal data processing. When transferring personal data to third parties, the Company acts responsibly towards obtaining the consent of the relevant person, whereas personal data may be transferred without getting express consent, if one or more circumstances mentioned in Article 5/2, LPPD occurs.

6.5.1.2. Transfer of Sensitive Personal Data Domestically

Our company can transfer sensitive personal data of relevant persons to third parties in accordance with the principles adopted for the processing of personal data.

The Company acts with utmost care when transferring sensitive personal data to third parties and such domestic transfer is realised upon taking adequate administrative and technical measures.  Nevertheless, it may be possible to transfer such data without express consent of the concerned, taking sufficient technical and administrative measures, if one or more of the following situations occur:

  • Data on individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of any association, foundation or union, criminal conviction and security measures as well as biometric and genetic data, in cases stipulated by law
  • Personal data related to health and sexual life can be processed by persons subject to confidentiality obligation or authorised organisations and institutions only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.

6.5.2. Transfer of Personal Data Internationally

The Company pays great attention to obtain express consent of the related person when transferring such data abroad. To this end, necessary methods are developed to obtain express consent via physical and electronic media.

Our company can transfer personal data of the relevant persons abroad in accordance with the law and good faith and adhering to the data processing purposes.

When transferring personal data internationally, the Company acts in compliance with Article 9, LPPD and the principles and rules specified in Board’s resolution number 2019/125.

6.5.2.1. Transfer of Personal Data of General Nature Internationally

YA-SA can transfer the personal data of the relevant persons (such as identity, communication, customer transaction, finance, professional experience, representative, and similar) to third parties in accordance with the principles adopted in the processing of personal data. When transferring personal data to third parties abroad, the Company acts responsibly towards obtaining the consent of the relevant person.

Even where the explicit consent of the data owner is not available, personal data can be transferred internationally under any of the following circumstances, or when data processing is required for the legitimate interests of the data supervisor on condition that the relevant person’s fundamental rights and liberties are not impaired, by applying the principles and rules adopted by the Board’s resolution number 2019/125, provided that a sufficient level of protection is ensured in the country where the data will be transferred, or the receiving data supervisor guarantees adequate protection in writing and the Board's permission is obtained:

  • It is clearly stipulated in laws
  • It is required to preserve the concerned person’s or any third party’s life or bodily integrity in case the concerned is unable to declare consent due to actual impossibility or its consent is without legal validity.
  • It is necessary to process personal data of contractual parties, provided that it is directly related to the conclusion or performance of a contract.
  • It is required for data supervisor to fulfil its legal obligation
  • Data is publicised personally by the concerned
  • Data processing is required for establishment, exercising or protection of a right

 

By reason of the shareholders’ international operations, YA-SA is able to share personal data with its shareholders to the extent necessary for legitimate purposes by fulfilling the above-mentioned legal obligations.

6.5.2.2 Transfer of Sensitive Personal Data Internationally

YA-SA can transfer the personal data of the relevant persons abroad in accordance with the principles adopted for processing of personal data.

Under any of the following circumstances, personal data can be transferred internationally without the explicit consent of the concerned by applying the principles and rules adopted by the Board’s resolution number 2019/125, provided that a sufficient level of protection is ensured in the country where the data will be transferred or the receiving data supervisor guarantees adequate protection in writing.

  • Individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of any association, foundation or union, criminal conviction and security measures as well as biometric and genetic data, in cases stipulated in law,
  • Personal data related to health and sexual life can be transferred internationally by persons subject to confidentiality obligation or authorised organisations and institutions only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services.

Records kept can be shared with legally authorized institutions and organizations, upon request, with the purpose to fulfil legal obligations.

7. PERSONAL DATA OF WEBSITE VISITORS

Within the context of Article 10 of LPPD, relevant information texts and policies are published on the company's websites clarifying how and for what purpose personal data are obtained, thus visitors are informed accordingly.

In addition, the website information text serves to direct the person concerned to the clarification texts and Company policies that provide more detailed information considering their relationship with the Company, in order to enable the related person to access to the most reliable information on the processing steps of respective personal data taken by the Company.

YA-SA takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data and illegal access to personal data and to ensure the safeguarding of personal data.
Within this context, the Company first performed studies to determine which personal data are processed. Potential risks with regard to the protection of such personal data were then determined, and the required technical and administrative precautions were taken to mitigate and eliminate these risks, also observing whether the personal data processed are of a sensitive nature.

Internal policies and procedures to regulate the processing, preservation, storage, destruction and other processes of personal data in accordance with the law, legislation and relevant security measures have been adopted.

With the aim of providing security, regular training sessions are organised for both employees and managers in order to prohibit illegitimate disclosure and sharing of personal data and to raise awareness about LPPD.

Furthermore, employees who are involved in personal data processing are required to sign confidentiality agreements and letters of commitment as a part of their business process, and it is emphasised that the necessary disciplinary process will be initiated upon detection of any conduct against the security procedures and policies.

Contracts concluded by and between YA-SA and data processors, employees, customers, suppliers, business associates and others are reviewed, revisions are made primarily under LPPD and related secondary legislation, and supplementary protocols are prepared.

For personal data included in data processing processes, the Company has introduced personnel-based access and authorisation restrictions, and access authorisation is granted to a limited number of personnel with respect to personal data related to the business process they carry out. Data processing activities performed by the personnel are recorded. The authorisation of personnel in this regard is withdrawn when they change their jobs or leave their jobs.

In order to prevent unlawful processing of personal data and illegal access to personal data, technical systems have been set up to monitor and control operations regarding personal data processing. Studies on network security and data flow security have been carried out, and existing software has been updated to prevent data loss. Besides, internal audits have been carried out in order to prevent unlawful processing of personal data and illegal access to personal data.

Penetration tests are carried out in line with the instructions of the board member responsible for information technologies and at specified intervals.

System security gaps are closely monitored and patches are installed to achieve the appropriate security level and information systems are kept updated.

Our website is protected by the HTTPS security protocol.

Immediately after the studies made on personal data held by YA-SA, personal data identified were analyzed and examined under the legislation. Within this framework, unnecessary data was deleted and the principle of reducing data as much as possible was adopted.

The Company uses technical methods with an appropriate security level in order to prevent illegal access to personal data and to store personal data on secure media, and these methods are updated in line with advancing technology.

YA-SA has built a system intended to recognise and intervene early in any internal or external attack on its data recording system. It regularly monitors which software and services are running on its information networks and whether there is any penetration or unusual activity, and it records all users’ operations.

In order to be able to inform the person concerned and the Board in case personal data is illegally captured by any third party, the Company has set up a suitable system and infrastructure and has adopted an applicable procedure accordingly.

Within this context, YA-SA takes numerous measures to assure the security of data and information systems against environmental risks, including but not limited to:

  • Ensuring that only authorized personnel enter the system control room,
  • Keeping the keys of the data storage units under lock and providing them only to certain persons,
  • Ensuring the physical security of the edge switches that make up the local area network,
  • Fire extinguishing system,
  • Cooling system required for proper operation of server,
  • Firewalls, attack prevention systems, network access control and antivirus systems.

Pursuant to Article 7 of LPPD, YA-SA deletes, destroys or anonymises personal data, ex officio or upon the request of the subject, when the cause for processing the data ends or the period stipulated in the legislation expires, even though the data has been processed in accordance with the legislation.

Personal data retained by YA-SA on physical media and digital data recording systems are deleted, destroyed or anonymised, ex officio or upon the request of the subject, upon accomplishment of data processing purpose or expiration of the period stipulated in the legislation.

Anonymised personal data can be used for various purposes, such as research, statistics and planning, be retained for an unlimited time period and transferred domestically as well as internationally.

The Company has prepared a “Personal Data Retaining and Destruction Policy” regarding the destruction of personal data.

Our Company keeps the persons whose personal data are processed advised of their rights and of the way of exercising them, within the scope of Article 10 of LPPD.

In accordance with Article 11, Law on Protection of Personal Data, personal data owners have the following rights: 

  • To be informed about whether personal data is processed or not,
  • To request information if personal data is processed,
  • To be informed about the purpose of processing personal data and whether they are used in accordance with that purpose or not,
  • To have knowledge about third parties receiving personal data domestically or internationally,
  • To request, in case personal data are processed incompletely or inaccurately, necessary corrections be made and such corrections be notified to third parties to whom personal data have been transferred,
  • To request deletion or destruction of personal data under the provisions of Article 7 of the Law, except for legal boundaries, and to request that such deletion and destruction be notified to third parties to whom personal data are transferred,
  • To appeal against negative results for himself/herself arising from analysis of the data processed exclusively through automatic systems,
  • In case the personal data owner suffers damage due to the processing of personal data contrary to the Law, to request that the damages are indemnified.

11.2. Exercising Rights by Personal Data Owner

To exercise the rights specified under Article 11 of the applicable Law, the person concerned shall send his/her request to the Company in writing, as an original signed document, or by using a registered electronic mail (REM) address, secure electronic signature, online signature or the e-mail address previously notified to and recorded by our Company. Written applications shall be delivered to Küçük Çamlıca Mah. Üçpınarlar Cad. No: 40 - 34674 Üsküdar/ISTANBUL.

The application shall contain at least the following mandatory information on the person concerned:

  • Name, surname and signature, if the application is made in writing,
  • Turkish Republic identity number for Turkish citizens and citizenship, passport number or identity number, if any, for foreigners,
  • Residential or office address for notification,
  • Notification e-mail address, telephone and fax number, if any,
  • Subject of request

 

In addition, information and documents concerning the subject should be attached to the application. An Application Form is prepared and published on the website for use of the applicants.

In order to enable a person, other than the personal data owner, to submit a request, a special power of attorney must be issued by the personal data owner in the name of the person filing the application.

Under the following circumstances, which are excluded from the Law pursuant to its Article 28, the data owner shall not be entitled to claim any right:

  • Processing personal data by real persons within the scope of actions completely related to him/her or co-habitant family members, provided that such data are not disclosed to third parties and obligations regarding data security are complied with,
  • Processing personal data for purposes such as research, planning and statistics by anonymising them through official statistics,
  • Processing personal data for artistic, historical, literary or scientific purposes or as part of freedom of expression, provided that national defence, national security, public security, public order, economic security, privacy of private life or personal rights are not violated or it does not constitute a crime,
  • Processing personal data within the context of preventive, protective and intelligence operations conducted by public institutions and organizations appointed and authorized by law to maintain national defence, national security, public security, public order or economic security,
  • Processing of personal data by judicial authorities or execution authorities with regard to investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the Law, the Information Obligation of YA-SA shall not apply in the cases mentioned below:

  • Processing of personal data is necessary for crime prevention or for a criminal investigation,
  • Processing of personal data made public by the person concerned,
  • Processing of personal data is necessary for the execution of supervising or regulating duties as well as disciplinary investigation or prosecution by the appointed and authorized public institutions and organizations and public professional organizations, by the power vested therein by law,
  • Processing of personal data is necessary for the protection of the economic and financial interests of the state regarding budget, tax and financial issues.

11.4. Responding the Applications of Personal Data Owner

YA-SA takes all administrative and technical measures required to bring the applications to conclusion in an effective and lawful manner and in good faith, as per Article 11, LPPD.

Upon submission of any application according to the rules and procedures mentioned above, YA-SA shall conclude the application, free of charge, at the soonest possible date and within thirty days at the latest, depending on the essence of the request. If the response to application is longer than ten pages, a transaction fee of 1 Turkish Lira may be charged for each page over ten pages. For responses provided on a recording medium such as CD or flash memory, the cost of the data recording medium may be claimed.

YA-SA may request additional information if it deems necessary to determine whether the applicant is the owner of personal data and to consider requests, and pose questions to the personal data owner, in order to clarify the matters stated in the application.

YA-SA and all its departments and employees actively support the departments in charge in taking technical and administrative measures to ensure data security in all media where personal data are processed. The purpose is the proper implementation of the technical and administrative measures taken within the context of the Policy, preventing any unlawful processing of personal data through training of unit personnel and expansion of their awareness and through monitoring and continuous controlling activities, preventing unlawful access to personal data, and assuring the storage of personal data according to the law.

 

| Personal Data Category | Personal Data Category Description |
|---|---|
| Identity Data | Data on a real person, containing information about the identity of the concerned – Documents such as identity card, driver's license, passport, occupation card containing information such as Republic of Turkey identity number, parent's name, date of birth, place of birth, marital status, gender as well as tax number, signature, Social Security Institution (SSI) number and other data |
| Contact Details | Phone number, e-mail address, address, facsimile number and other information |
| Information on Applicant | Personal data obtained by YA-SA at job application over resume and job application forms (identity and contact data, military service, educational background and professional experience, certificates, fields of interest, references, marital status, knowledge of foreign language, driver's license, means of application to the company) |
| Personnel Information | Data that are legally required to be included in the personal file of the company employees and data to be the basis for entitlement to personal rights (Identity card photocopy, identity register copy, place of residence and certificate of residence (e-state), criminal record (e-state), photocopy of diploma, bank pass book photocopy, photocopy of certificates for previous trainings and seminars attended, etc.) |
| Sensitive Personal Data | Individual’s data on religion, sect or other beliefs, health, sexual life, criminal conviction and security measures |
| Religious Data | This data is kept because old version identity cards contain a religion box; accordingly, old version identity cards obtained recently are blackened. |
| Health Data | Within the scope of personal file, Occupational Health and Safety procedures and annual medical tests |
| Data on criminal convictions and security measures | Obtained at recruitment for personal file |
| Financial Information | Bank account number and account information, documents showing financial status, salary, payroll information, advance information and other data |