ARTICLE 1 – PURPOSE
ORTEM ELEKTRONİK A.Ş. (“ORTEM”) undertakes to comply with personal data protection, processing and destruction regulations in accordance with its social and legal responsibilities. This Personal Data Protection and Processing Policy (“Policy”) applies to ORTEM as a whole within the framework of the applicable legislation and is based on nationally recognized basic principles regarding personal data destruction. It includes the framework and principles for carrying out the necessary destruction activities within the scope of the relevant legislation.
Article 7, paragraph 3 of the Law on the Protection of Personal Data (“Law”) stipulates that “The procedures and principles regarding the deletion, destruction or anonymization of personal data shall be regulated by regulation”. Based on this provision and subparagraph (e) of the first paragraph of Article 22 of the Law, the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”) was prepared by the Personal Data Protection Board (“Board”) and published in the Official Gazette dated October 28, 2017 and numbered 30224.
Based on the above regulation, the purpose of this Policy is to determine the procedures and principles regarding the deletion, destruction or anonymization of personal data collected by ORTEM in the conduct of its activities in accordance with the Regulation.
ARTICLE 2 – SCOPE
This Policy relates to the personal data of ORTEM board of directors and general assembly members, ORTEM employees, employee candidates, customers, interns, the educators, trainees, third parties with whom we cooperate, employees of third parties and real persons who are in contact with ORTEM in any way, which are processed in whole or in part automatically or non-automatically, provided that they are part of any data recording system, and the storage and destruction of such data.
ARTICLE 3 – DEFINITIONS
Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller.
Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will.
Electronic Media: Media where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual, etc. media other than electronic media.
Data Subject: The real person whose personal data is processed.
Destruction: Deletion, destruction or anonymization of personal data.
Law/KVKK: Law No. 6698 on the Protection of Personal Data.
Recording Medium: Any medium in which personal data processed by fully or partially automated or non-automated means, provided that it is part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Board: Personal Data Protection Board
Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria.
Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system) is the data controller.
Deletion of Personal Data: Deletion of personal data; making personal data inaccessible and non-reusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
Destruction of Personal Data: Deletion, destruction or anonymization of personal data.
Anonymization: Making the data previously associated with a person impossible to be associated with an identified or identifiable real person under any circumstances, even by matching with other data.
ARTICLE 4 – RECORDING MEDIUM
ORTEM securely stores Personal Data in the environments listed below in accordance with the law.
|Electronic Media||Non-Electronic Media|
|Servers (domain, backup, e-mail, database, web, file sharing, etc.)
Software (office software, portal, EBYS, VERBIS.)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
Personal computers (desktop, laptop)
Mobile devices (phones, tablets, etc.)
Optical disks (CD, DVD, etc.)
Removable memories (USB, Memory Card, etc.)
Printer, scanner, photocopier
Manual data recording systems (survey forms, visitor logbook)
Written, printed, visual media
ARTICLE 5 – ISSUES REGARDING THE PERSONAL DATA PROCESSING POLICY
5.1. General Principles for Processing Personal Data
ORTEM processes and protects the personal data of the persons listed in Article 2 of this text within the scope of the Constitution of the Republic of Turkey, the Law on the Protection of Personal Data and other relevant legislation.
In this context, ORTEM acts in accordance with the following principles
- In the processing of personal data, it acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty,
- It ensures that the personal data, its processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners within the scope of the Law on the Protection of Personal Data, together with other laws that it must comply with within the scope of its activities,
- It clearly and precisely determines the legitimate and lawful purpose of personal data processing. In this context, personal data is processed limited to the services provided or to be provided and legal obligations. The purpose for which personal data will be processed is determined before the personal data processing activity begins,
- It processes personal data in a manner that is conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed,
- It retains personal data only for the period specified in the relevant legislation that it is obliged to comply with or for the period required for the purpose for which they are processed.
5.2. Conditions for Processing Personal Data
Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons set out in the relevant articles of the Constitution and only by law. Pursuant to the Constitution, personal data may only be processed in cases stipulated by law or with the consent of the individual.
In this respect and in accordance with the Constitution, ORTEM processes personal data only in cases stipulated by law or with the explicit consent of the data subject. The explicit consent of the personal data subject is only one of the legal grounds that make it possible to process personal data in accordance with the law.
Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity.
- The personal data of the data subject may be processed in accordance with the law without obtaining his/her explicit consent if it is expressly stipulated in the law.
- The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect his/her or another person’s life or physical integrity.
- Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract.
- Personal data may be processed if the personal data has been made public by the data subject himself/herself.
- Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right.
ORTEM sensitively complies with the regulations stipulated in the Law on the Protection of Personal Data in the processing of personal data determined as “special quality” by the Law on the Protection of Personal Data.
In Article 6 of the Law on the Protection of Personal Data, a number of personal data that, when processed unlawfully, may cause victimization or discrimination of persons are defined as “special categories”.
These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
In accordance with the Law on the Protection of Personal Data, ORTEM processes personal data of special nature in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board are taken:
If there is explicit consent of the personal data owner or If there is no explicit consent of the personal data owner; personal data of special nature other than the health and sexual life of the personal data owner can be processed, in cases stipulated by law, and personal data of special nature related to the health and sexual life of the personal data owner, only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, health services and for the planning and management of its financing, by persons or authorized institutions and organizations under the obligation of confidentiality.
Although it has been processed in accordance with the provisions of the Law of Protection of Personal Data and other relevant laws, personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject if the reasons requiring its processing disappear.
When the retention periods stipulated in the relevant legislation or required by the purpose of processing expire; ORTEM deletes or anonymizes the personal data, it processes by using one or more of the deletion and anonymization methods specified in the guide on Deletion, Destruction or Anonymization of Personal Data published by the PDP Board, using one or more techniques that are most appropriate for business processes and activities.
ARTICLE 6 – DISCLOSURE OBLIGATION
According to the Constitution of the Republic of Turkey, everyone has the right to be informed about personal data concerning him/her. Accordingly, Article 11 of the Law on the Protection of Personal Data lists “requesting information” among the rights of the personal data owner.
In this context, ORTEM provides the necessary information in case the personal data subject requests information in accordance with the Constitution and KVKK.
In accordance with Article 10 of the LPPD, ORTEM also informs personal data subjects about the purpose for which personal data will be processed during the acquisition of personal data, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data, and the rights of the personal data subject under Article 11 of the LPPD.
In addition, ORTEM ensures informing and transparency in its personal data processing activities by announcing to the personal data owners and those concerned that it carries out personal data processing activities in accordance with all the matters in the KVKK and the “law and the rule of honesty” through various public documents, especially this Policy.
ARTICLE 7 – TRANSFER OF PERSONAL DATA
Personal data held by ORTEM is securely stored and not disclosed to third parties outside the legal framework. ORTEM may disclose personal data to persons, institutions and/or organizations required/permitted by the applicable legislation, to all authorities and channels necessary for the performance of the company in line with the written objectives of the company and the activities of the established economic enterprises, to public legal entities and authorities authorized to receive personal data such as Courts, Public Prosecutor’s Offices, Ministry of Interior, to our domestic/foreign affiliates; To companies that have a relationship with ORTEM, to third parties from whom and to whom services are received and provided to carry out company activities, to cooperating and program partner institutions, organizations, domestic/foreign banks, funds, cooperating organizations, domestic/foreign/international organizations from which service/support/consultancy is received or which are project/program/financing partners, and to organizations from which independent audit and support services are received, due to legal obligations but within the framework of legal limitations.
ARTICLE 8 – RIGHTS OF THE DATA SUBJECT PURSUANT TO ARTICLE 11 OF THE KVKK NUMBERED 6698
Pursuant to Article 11 of the KVKK No. 6698, personal data owners are entitled to receive personal data related to them,
- To learn whether personal data is being processed,
- Requesting information if their personal data has been processed,
- To learn the purpose of processing personal data and whether they are used for their intended purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
- In case of damage due to processing in violation of the KVKK, to demand the compensation of the damage
ARTICLE 9 – DATA CONTROLLER UNDER THE LAW
In order to exercise your rights set forth in Article 11 of the LPPD, you may contact ORTEM in writing or through other means determined by the Personal Data Protection Board by using the contact information provided below.
ORTEM ELECTRONICS A.Ş.
Address: Muallimköy Mah. Deniz Cad. No: 143/6, Gebze, Kocaeli, Turkey
Call Center +(90) 262 644 10 00
ARTICLE 10 – FINAL PROVISIONS
In the event of any incompatibility between the provisions of the LPPD and other relevant legislation and this Policy, the provisions of the LPPD and other relevant legislation shall prevail.
ORTEM may change the content of this Policy whenever it deems necessary. The updated Policy will enter into force on the date of publication. The last update date is at the end of the text.
In case of any dispute, ORTEM’s records alone shall be valid and binding on the parties.
Date of last update: