PRIVACY AND PERSONAL DATA PROTECTION TERMS
1. PURPOSE AND SCOPE
These Privacy and Personal Data Protection Terms (“Terms”), which are accepted by Tahincioğlu Gayrimenkul Yatırım ve İnşaat A.Ş. and its group companies (“The Company”), determine the personal data processing principles adopted by the Company and aims to inform relevant data subject groups according to the Law on Protection of Personal Data Law No. 6698 (“KVKK No. 6698”).
2. PRINCIPLES REGARDING PROCESSING OF PERSONAL DATA
The Company as the Data Controller processes your personal data under the below principles.
2.1 Processing in accordance with Law and Rule of Fairness
The principles brought with legal regulations and the general reliability and fairness rule are complied with in respect of processing your personal data. According to this principle, while the Company as the Data Controller tries to reach its personal data processing purposes, the Company takes into consideration your interest and reasonable expectations, does not abuse its rights, and acts in compliance with the principle of transparency in respect of its actions.
2.2 Ensuring that the Personal Data Are Correct and, When Necessary, Up-to-Date
In line with this principle, which emphasizes the importance of the accuracy and up-to-dateness of your personal data, periodical controls, and updating are made to ensure that the personal data, which is processed, is accurate and up-to-date, and in this respect necessary measures are taken by taking into consideration your legitimate interests. To this effect, systems, which are aimed to check the accuracy of the personal data and to make the necessary corrections, are established within the Company. Furthermore, the accuracy of the resources, from which the personal data are collected, is checked and requests, which arise due to inaccuracy of personal data, are taken into consideration. Therefore, this principle is applied in harmony with your right to request correction of the personal data, to which you are entitled under the KVKK No. 6698.
2.3 Being Processed for Specified, Explicit, and Legitimate Purposes
Your personal data are processed based on explicit, specified, and legitimate data processing purposes. In this respect, the Company ensures that its personal data processing activities are clearly comprehensible by the data subject, and determines, and explicitly sets forth the purposes of the personal data processing activities in clause 3 of this Terms.
2.4 Being Relevant, Limited, and Proportioned to the Purposes for Which They Are Processed
Your personal data is processed in a manner, which is proportioned, relevant, and limited to the envisioned processing purpose(s), and the processing of personal data, which is not relevant to achieving the(se) purpose(s) or is not needed, is avoided. Again, under this principle, personal data is not collected or processed for purposes, which do not exist and are deemed to occur later.
Being Stored for the Period Set Forth by the Legislation or the Period Required for the Purpose for Which They Are Processed
Your personal data is stored only for the period, which is set forth by the relevant legislation or is required for the purpose for which it is processed. For this, the Company, as the Data Controller, takes and applies the organizational and technical measures. In this respect, the Company firstly determines whether a period is foreseen by the relevant legislation for the storing of personal data and if a period is determined, the Company complies with such period of time and if a period is not determined, personal data is stored for the period, which is required for the purpose, for which it is processed. In case the necessity of the relevant processes disappears, access to your personal data by unrelated departments is prevented within the scope of the deletion action specified in the KVKK No. 6698. In the event of expiry of the period or that the reasons for processing cease to exist if there is not any legal basis, which allows for data to be processed for a longer period, your personal data is erased, destructed, or anonymized according to the personal data protection legislation.
3. CONDITIONS FOR PROCESSING PERSONAL DATA
Your personal data may be processed by the Company under the conditions set forth below.
3.1 Being Explicitly Stipulated for in Laws
The fundamental rule is that the personal data shall not be processed without the explicit consent of the data subject, but according to this exception, your personal data may be processed without seeking the explicit consent of the data subject only in cases provided for in laws.
3.2 Explicit Consent of the Data Subject Cannot Be Taken Due to Actual Impossibility
Your personal data may be processed to protect the life or physical integrity of the data subject or any other person, if the data subject is unable to express his/her consent due to an actual impossibility or the data subject’s consent cannot be deemed valid.
3.3 Being Directly Related to the Establishment or Performance of a Contract
On the condition that it is directly related to the establishment or performance of a contract, your personal data may be processed if the processing of the personal data of the parties to the contract is required.
3.4 Compliance with any Legal Obligation of the Company
Your personal data may be processed if it is necessary for compliance with a legal obligation to which the data controller is subject.
3.5 Publicizing of Personal Data
Your personal data may be processed if your personal data has been made public by the data subject himself/herself; in other words, if they are disclosed to the public by you may be processed in connection with the purpose of making it public and in a measured manner.
3.6 Data Processing is Mandatory for Establishment, Exercise, or Protection of Right
Your personal data may be processed if data processing is mandatory for establishment, exercise or protection of any right.
3.7 Processing Based on Legitimate Interests
Your personal data may be processed if processing of data is necessary for the legitimate interests pursued by the Company as data controller. If the Company is required to process personal data depending on the processing condition in question, an evaluation is made by considering your fundamental rights and freedoms, and a decision is made according to the result of the evaluation.
3.8 Processing Based on Explicit Consent
Although the main rule is that the personal data is processed based on explicit consent, in the event the other conditions outlined in this clause exist, the explicit consent of the data subject is not sought. Otherwise, it will be an abuse of rights. In this respect, your personal data is processed based on explicit consent if they are not processed based on one of the conditions, which are set forth in this Terms.
3.9 Processing of Special Categories of Personal Data
The Company processes your special categories of personal data based on your explicit consent in accordance with Article 6 of the KVKK No. 6698.In the same article, special categories of personal data other than health and sexual life may only be processed in cases stipulated in the laws without your explicit consent. Special categories of personal data regarding health and sexual life may only be processed for the protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of healthcare services as well as their financing without your explicit consent by paying attention to the issues regarding the processing by persons or authorized institutions and organizations under the obligation of confidentiality.
4. TRANSFER OF PERSONAL DATA
Your personal data may be transferred to the Company’s domestic business partners, public institutions, organizations etc.within the scope of principles and purposes forth outlined in clause 2 of these terms under the conditions. During such transfers compliance with Article 8 of the KVKK No. 6698 is observed. If necessary, your explicit consent is obtained, and the transfer is provided within this framework.
5. SECURITY OF PERSONAL DATA
The Company takes reasonable measures to prevent unauthorized access risks, data losses by accident, deliberate deletion of data, or data from being damaged for the purpose of ensuring the security of the personal data and prevention of unlawful processing thereof.
All reasonably required technical and physical measures are taken to prevent persons other than those who are authorized to access personal data from accessing personal data. In this context, especially the authorization system is set up in a way which makes it impossible for persons and systems to access more personal data than it is necessary.
The Company carries out the required audits and has such audits carried out in its institutions and establishments for the purpose of execution of the provisions of the KVKK No. 6698. The measures taken are as follows:
- Network security and application security are provided.
- Closed system network is used for personal data transfers via network.
- Key management is implemented.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- There are disciplinary regulations that include data security provisions for employees.
- Training and awareness activities are carried out periodically on data security for employees.
- Authorization matrix has been created for employees.
- Access logs are kept regularly.
- Institutional policies on access, information security, use, storage, and destruction have been prepared and started to be implemented.
- Confidentiality commitments are made.
- The authorizations of employees who have a change in duty or quit their job in this field are removed.
- Current anti-virus systems are used.
- Firewalls are used.
- Signed contracts include data security provisions.
- Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- User account management and authorization control system is implemented, and these are also followed.
- In-house periodic and/or random audits are conducted and made.
- Log records are kept without user intervention.
- Existing risks and threats have been identified.
- Protocols and procedures for special quality personal data security have been determined and implemented.
- If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using REM or corporate mail account.
- Intrusion detection and prevention systems are used.
- Penetration test is applied.
- Cyber security measures have been taken, and their implementation is constantly monitored.
- Data processing service providers are periodically audited on data security.
- Awareness of data processing service providers on data security is ensured.
- Data loss prevention software is used.
6. PROCEDURES AND PRINCIPLES FOR APPLICATION
6.1 Right of the Data Subject
The rights of the data subject are regulated in Article 11 of the KVKK No. 6698. In this context, as the data subject, you have the following rights;
- To learn whether your personal data is processed or not,
- To demand information as to if your personal data have been processed,
- To learn the purpose of the processing of your personal data and whether these personal data are used in compliance with such a purpose,
- To know the third persons to whom personal data were transferred in the country or abroad,
- To request the rectification of the incomplete or inaccurate data, if any,
- To request the erasure or destruction of your personal data,
- To request the notification to third persons to which personal data were transferred,
- To object to the occurrence of a result against himself/herself by analyzing data processed solely through automated systems,
- To claim compensation for the damage arising from the unlawful processing of your personal data.
6.2 Application Procedures and Principles
As the data subject, you can make your requests relating to the rights outlined in article 11 of KVKK No. 6698 by filling out the Data Subject Application Form, which you can get from the Company’s website or with your application that meets the minimum conditions stipulated in the Communiqué on Application Procedures and Principles to the Data Controller by the following methods. The Company shall conclude demand in the request within the shortest time by taking into account the nature of the demand and at the latest within thirty days and free of charge. However, if the action requires an extra additional costs, a fee in the amount determined by the Turkish Personal Data Protection Board shall be charged by the Company.
|Electronic message you will send with REM
|The message you will send with your e-mail address registered in the system or with secure electronic signature and mobile signature
|Yazılı olarak şahsen veya noter kanalı ile ileteceğiniz başvuru
||Palladium Tower Kardelen Sokak No:2 Kat 41 Ataşehir/ İstanbul