Policies

COOKIE POLICY

 

This cookie policy has been created to provide information about the use of cookies and the choices you can make regarding them, as part of privacy, personal data protection and processing policies.

On the drserifeerdem.com website and applications operated by ŞERİFE ERDEM (hereinafter referred to as the “Company”), and on other websites it owns, including but not limited to these (hereinafter referred to as the “Site”), we may use cookies to personalize advertisements, provide social media features, analyze traffic and understand how you use our websites.

During your visit to the Site, cookies and similar items may be placed on your browser. You can continue to use Site products without changing your cookie settings.

What is a cookie?

Cookies are simple text files placed on your browser by the websites you visit; they do not contain identity or other private information. Although cookies do not contain such personal information, session information and similar data can be stored anonymously and used to recognize you and for similar services.

What Types of Cookies Do We Use?

The Company uses two types of cookies, “session cookies” and “persistent cookies”. Session cookies stay in temporary memory while you browse the Site and are deleted when you close your internet browser. Persistent cookies, on the other hand, are limited to a certain date or period and are automatically deleted at the end of it, or remain on your hard disk until you delete them.

What types of cookies are used by 3rd parties?

In addition to Company cookies, 3rd party suppliers and ad networks, social media platforms and our other business partners may place cookies on your browser to provide you with a better and more personalized service, including by serving advertisements based on your previous visits to the Site and other websites. Information about these 3rd parties and the cookies they use is given below.

  • Google Analytics

Through the use of permanent, session and 3rd party cookies, site traffic is monitored and reported to better analyze the user experience.

For more information: http://www.google.com/policies/privacy/

To opt out of these cookies: https://tools.google.com/dlpage/gaoptout

  • Doubleclick

By using permanent, session and 3rd party cookie types, the time you spend on the internet and your habits are analyzed to improve your online experience, and ads are displayed according to your interests.

For more information: http://www.google.com/policies/privacy/

To opt out of these cookies: https://www.google.com/…tings/u/0/ads/authenticated

  • Facebook

By using the 3rd party cookie type, you can share the Site and its allowed contents and access Facebook more easily.

For more information: https://www.facebook.com/policies/cookies/

  • Twitter

By using the 3rd party cookie type, you can share the Site and its allowed contents and access Twitter more easily.

For more information: https://support.twitter.com/…icles/20170528?lang=tr

  • Linkedin

By using the 3rd party cookie type, you can share the Site and its allowed contents and access LinkedIn more easily.

For more information: https://www.linkedin.com/help/linkedin/suggested/5568/onbelleginiz-ve-cerezleri-temizleme?lang=tr

  • Other Advertising Platforms

By using permanent, session and 3rd party cookie types, in order to improve your online experience, the time you spend on the internet and your habits are analyzed and ads are displayed according to your interests.

(The Company is not legally responsible for the reliability of the content you will access through the links of the 3rd parties given above.)

For what purposes are cookies used?

Cookies are generally used to provide you with a better and more personalized service and to help us improve the Site. Thanks to these cookies, the following goals can be achieved:

  • Recognizing you after you log in to the Site
  • Reaching the targeted audience for advertisements, so that you see advertisements suited to your own interests
  • Personalizing content and ads
  • Providing social media features
  • Analyzing the traffic of the Site on the platforms under the domain name
  • Understanding how you use platforms under the Site’s domain

How can you manage or delete cookies?

You can manage cookies by adjusting your browser settings, if your browser allows this. In this way, you can refuse all cookies, be warned before a cookie is saved on your hard disk, accept cookies only from the websites you specify, or disable or delete cookies that you have previously accepted.

You can opt out of the cookies of the third parties on the platforms under the domain name of the site, if they offer the opportunity, by visiting the website of the relevant third party. However, the Company does not provide any assurance regarding this.

If you refuse cookies on the platforms under the domain name of the Site, you may not be able to use some of the features and functions on the Site. If you are accessing from different browsers and/or devices, you should check the compatibility of the cookie settings of each of these browsers and devices with your selection.

Our cookie policy may be updated due to changes in legal conditions in the future or our new cookie practices. For this reason, we recommend that you review this policy periodically.

Our cookie policy was edited and updated on 30.12.2021.

COOKIES

Cookie Type | Explanation | Control of Cookies
Session | Session cookies are used to ensure the continuity of the session. | Accept/reject via browser settings
Load Balancing | Load balancing cookies are used to reduce server load by distributing the load. | Accept/reject via browser settings
User ID | User ID cookies are used for users to see only their own information. | Accept/reject via browser settings
Security | Security cookies are used for security checks. | Accept/reject via browser settings

Preference Cookies

Preference cookies collect information about your preferences and allow us to remember your language or other locale settings and customize our Site to suit you.

Cookie Type | Explanation | Control of Cookies
Language | It saves the language selected by the user and offers options accordingly. | Accept/reject via browser settings
Location | Using the user’s latitude and longitude information, the approximate address (city, county, zip code) is determined; in this way the user’s own country is selected automatically and the retailers and promotion days in that region are displayed. | Accept/reject via browser settings
Mobile | It is used to display the main website if the user is visiting the Site from a mobile device. | Accept/reject via browser settings
Source site | The source site is saved so that the user’s preferences can be better understood. | Accept/reject via browser settings
Last visit and departure | It is used to update users on what has changed since their last visit to our site and to better understand users’ preferences. | Accept/reject via browser settings
Recently watched videos | Watch dates and titles of recently watched videos are recorded so that the user’s preferences can be better understood. | Accept/reject via browser settings
Data cookies | Some content is saved in local storage to enhance user experience, speed up access, and provide important user features such as favourites. | Accept/reject via browser settings
Page History | Page history cookies are used to keep track of which sites users visit in which order. If the user encounters an error when visiting the Site, the cookie information is recorded in the log file for error reporting and resolution. | Accept/reject via browser settings

Social Plugin Tracking Cookies

These types of cookies are used to track people, whether or not they are members of social media networks, for market analysis and product development.

Cookie Type | Explanation | Control of Cookies
Facebook | Such cookies allow Facebook members (or non-members) to be tracked for market analysis and product development. | Accept/reject via browser settings

Analytics Cookies

Analytical cookies collect information about your use of the Site and help us improve the Site. For example, these types of cookies show which pages are visited the most on the Site, help record difficulties experienced within the Site, and show whether our advertisements are effective. This way, we understand the general trend, rather than how someone uses the Site.

Cookie Type | Explanation | Control of Cookies
Google Analytics | Such cookies allow the collection of all statistical data, thereby improving the presentation and use of the Site. By adding social statistics and interest data to these statistics, Google helps us better understand users. | https://tools.google.com/dlpage/gaoptout
Fabric | These types of cookies enable the collection of all statistical data regarding the operation of the site, thus improving the presentation and use of the Site. | Accept/reject via browser settings

Marketing Cookies

Advertising cookies are used for marketing purposes.

Cookie Type | Explanation | Control of Cookies
Advertisement | Delivery of behavioral and target-oriented advertisements. | Accept/reject via browser settings
Market Analysis | Conducting market analysis | Accept/reject via browser settings
Campaign/promotion | Calculating the impact of campaigns | Accept/reject via browser settings
Fraud Detection | Detecting click fraud | Accept/reject via browser settings

 

PROTECTION AND PROCESSING OF PERSONAL DATA, PERSONAL DATA STORAGE AND DISPOSAL POLICY

 

ABBREVIATIONS AND CONCEPTS

Term | Definition
KVKK Law | Law on Protection of Personal Data No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677
GDPR | EU (European Union) General Data Protection Regulation
Constitution | The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863
Data Processor | The person who processes personal data outside the organization of the data controller, in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Data Owner/Related Person | A natural person whose personal data is processed, such as employees, customers, business partners, shareholders, officials, potential customers, candidate employees, trainees, visitors, suppliers, employees of the institutions worked with in cooperation, third parties and other persons, including but not limited to those listed here.
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Explicit Consent | Consent on a particular subject, based on information and expressed with free will.
Destruction | Deletion, destruction or anonymization of personal data.
Recording Media | Any environment where personal data is processed wholly or partially automatically, or non-automatically provided that it is a part of any data recording system.
Personal Data | Any information relating to an identified or identifiable natural person.
Special Quality Personal Data | Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of individuals.
Processing of Personal Data | Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking it, completely or partially by automatic means, or by non-automatic means provided that it is a part of any data recording system.
Anonymization of Personal Data | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data | Making personal data inaccessible and unusable for the relevant users in any way.
Destruction of Personal Data | The process of making personal data inaccessible, irretrievable and unusable by anyone in any way.
Periodic Destruction | The deletion, destruction or anonymization process to be carried out ex officio at repetitive intervals in the event that all the conditions for processing personal data in the law are eliminated.
Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28 October 2017 and numbered 30224 and entered into force as of 1 January 2018.
KVK Board / Board | Personal Data Protection Board
KVK Institution | Personal Data Protection Authority
Policy | ŞERİFE ERDEM Company Personal Data Protection and Processing Policy
Turkish Penal Code | Turkish Penal Code dated 26 September 2004 and numbered 5237, published in the Official Gazette dated 12 October 2004 and numbered 25611.

1. INTRODUCTION

1.1. Purpose – Scope

The purpose of this policy is to regulate the methods and principles to be followed in order to ensure that personal data is processed and protected in accordance with the Law on the Protection of Personal Data (KVKK) published in the Official Gazette dated 7 April 2016 and numbered 29677.

This policy covers natural persons whose personal data is processed by the Data Controller, especially the Person Group, by automatic means, or by non-automatic means provided that they are part of any data recording system.

1.2. Entry into Force

This Policy, issued by ŞERİFE ERDEM, is dated 30.12.2021. In case of renewal of all or certain articles of the Policy, the effective date of the Policy will be updated.

The policy is published on the bulletin board of the Data Controller and made available to the relevant persons upon the request of the personal data owners.

2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVK Law, ŞERİFE ERDEM takes the necessary technical and administrative measures to prevent the unlawful processing of the personal data it processes, to prevent illegal access to the data, to ensure the preservation of the data and to ensure the appropriate level of security, and in this context carries out the necessary audits or has them carried out.

2.1. Ensuring the Security of Personal Data

2.1.1. Technical and Administrative Measures Taken to Ensure the Legal Processing of Personal Data, Prevent Unlawful Access and Store Data in Secure Environments

The main technical measures taken by ŞERİFE ERDEM to ensure that personal data are processed in accordance with the law, to prevent unlawful access to these data and to store them in secure environments are listed below:

  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
  • Up-to-date anti-virus systems are used.
  • A user account management and authorization control system is implemented and monitored.

2.1.2. Supervision of the Measures Taken for the Protection of Personal Data

The main administrative measures taken by ŞERİFE ERDEM to ensure that personal data are processed in accordance with the law, to prevent unlawful access to these data and to store them in secure environments are listed below.

  • There are disciplinary regulations for employees that include data security provisions
  • Training and awareness activities are carried out periodically on data security for employees.
  • An authorization matrix has been created for employees
  • Confidentiality commitments are made
  • The authorizations of employees who have a change in duty or quit their job in this field are removed.
  • Signed contracts include data security provisions
  • Personal data security policies and procedures have been determined
  • Personal data security is monitored
  • The security of environments containing personal data is ensured
  • Personal data is reduced as much as possible
  • Protocols and procedures for special quality personal data security have been determined and implemented.

2.2. Protection of Private Personal Data

With the KVK Law, special importance is attached to certain personal data due to the risk of causing victimization or discrimination in case of unlawful processing. These are data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

ŞERİFE ERDEM acts sensitively in the protection of special quality personal data, which is determined as “special quality” by the KVK Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Data Controller for the protection of personal data are carefully implemented in terms of special quality personal data and necessary controls are provided within the Data Controller.

In its capacity as data controller, the Data Controller takes the following measures in the processing of Special Quality Personal Data, which is covered by Article 6 of the Law, in accordance with the Board’s decision dated 31.01.2018 and numbered 2018/10:

  • This Policy has been determined to be systematic, clearly defined, manageable and sustainable for the security of sensitive personal data.
  • For employees who are involved in the processing of Special Quality Personal Data,
    • Regular trainings are provided on the law and related regulations and on the security of Special Quality Personal Data,
    • Confidentiality agreements are made,
    • The scope and duration of authorization of users who have access to data are clearly defined,
    • Periodic authorization checks are carried out,
    • The authorizations of employees who change jobs or leave their job are immediately revoked in this field. In this context, the inventory allocated to them by the Data Controller is taken back.
  • If the environments where Special Quality Personal Data are processed, stored and/or accessed are electronic media,
    • Personal Data are stored using cryptographic methods,
    • Cryptographic keys are kept in secure and different environments,
    • Transaction records of all movements performed on Personal Data are securely logged,
    • Security updates of the environments in which Personal Data are stored are constantly monitored, necessary security tests are regularly carried out or commissioned, and test results are recorded,
    • If Personal Data is accessed through software, user authorizations for this software are made, security tests of this software are regularly carried out or commissioned, and test results are recorded,
    • If remote access to Personal Data is required, an authentication system with at least two stages is provided.
  • If the environments where Special Quality Personal Data are processed, stored and/or accessed are physical environments,
    • Adequate security measures are taken (against electrical leakage, fire, flood, theft, etc.),
    • By ensuring the physical security of these environments, unauthorized entries and exits are prevented.
  • If Special Quality Personal Data is to be transferred,
    • If Personal Data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a Registered Electronic Mail (KEP) account,
    • If it needs to be transferred via media such as portable memory, CD or DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment,
    • If the transfer is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or using the SFTP method,
    • If Personal Data is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a “Confidential” format.
  • In addition to the measures mentioned above, technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority should also be taken into account.

3. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Clarifying and Informing the Personal Data Owner

ŞERİFE ERDEM informs personal data owners during the acquisition of personal data in accordance with Article 10 of the KVK Law. In this context, it states the identity of the Data Controller and his representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner.

Article 20 of the Constitution states that everyone has the right to be informed about their personal data. Accordingly, in Article 11 of the KVK Law, “requesting information” is also listed among the rights of the personal data owner. In this context, the Data Controller provides the necessary information in case the personal data owner requests information in accordance with the 20th article of the Constitution and the 11th article of the KVK Law.

3.2. Processed Personal Data and Person Groups

Personal Data Categorization | Data Owner Category to which the Relevant Personal Data is Related
Identity | Employee; Candidate Employee; Other – Contracted Institution Official; Other – Bank Official; Other – Employee Relatives; Other – Doctor; Other – Doctor (Employer / Employer’s Deputy); Other – Patient; Other – Patient Parent / Guardian / Representative; Other – Patient Relatives; Other – Patient Relatives / 3rd Person; Other – Supplier; Potential Product or Service Purchaser; Supplier Employee; Supplier Authorized; Product or Service Purchaser; Visitor
Communication | Employee; Employee Candidate; Other – Contracted Institution Official; Other – Bank Official; Other – Employee’s Relative; Other – Doctor; Other – Doctor (Employer/Employer’s Deputy); Other – Patient; Other – Patient’s Relative; Other – Patient’s Relative / 3rd Person; Other – Supplier; Potential Product or Service Buyer; Supplier Employee; Supplier Official; Person Receiving Product or Service; Visitor
Personnel | Employee; Employee Candidate
Legal Action | Employee; Other – Supplier; Product or Service Receiver
Physical Space Security | Employee; Other – Supplier; Potential Product or Service Purchaser; Supplier Employee; Visitor
Health Information | Employee; Employee Candidate; Other – Patient; Potential Product or Service Purchaser; Supplier Employee; Supplier Official; Product or Service Purchaser; Visitor
Criminal Conviction and Security Measures | Worker
Audio and Audio Recordings | Employee; Employee Candidate; Other – Doctor; Other – Patient; Potential Product or Service Recipient; Product or Service Recipient
Customer Transaction | Employee; Other – Patient; Other – Supplier; Product or Service Receiver
Finance | Other – Doctor; Other – Supplier; Product or Service Recipient
Professional Experience | Employee; Employee Candidate
Working Family Member and Relatives Information | Worker
Transaction Security | Employee; Other – Doctor; Visitor
Sex Life | Other – Patient; Receiving Product or Service
Genetic Data | Other – Patient; Receiving Product or Service
Marketing | Visitor
Association Membership | Other – Patient; Receiving Product or Service
Foundation Membership | Other – Patient; Receiving Product or Service
Union Membership | Other – Patient; Receiving Product or Service

3.3. Conditions of Processing of Personal Data and Purposes of Processing

ŞERİFE ERDEM processes personal data limited to the purposes and conditions within the personal data processing conditions specified in Articles 5 and 6 of the KVK Law. These conditions are:

  • Obtaining Explicit Consent
  • It is clearly stipulated in the Laws for the Data Subject to perform the relevant activity regarding the processing of your personal data.
  • The processing of your personal data by the Data Controller is directly related to and necessary for the establishment or performance of a contract
  • The processing of your personal data is mandatory for the Data Controller to fulfill his legal obligation.
  • Your personal data has been made public by you, and is processed by the Data Controller in a manner limited to the purpose for which you made it public
  • The processing of your personal data by the Data Controller is mandatory for the establishment, use or protection of the rights of the Data Controller or you or third parties
  • It is mandatory to process personal data for the legitimate interests of the Data Controller, provided that it does not harm your fundamental rights and freedoms.
  • Processing personal data by the Data Controller is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to express his consent due to actual or legal invalidity.
  • For special quality personal data other than data on the health and sexual life of the personal data owner, the processing is stipulated in the law.
  • Sensitive personal data regarding the health and sexual life of the personal data owner is processed by persons or authorized institutions and organizations that are under the obligation of confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing.

In this context, the Data Controller processes your personal data for the following purposes:

PROCESSING OBJECTIVES
Fulfillment of Employment Contract and Legislative Obligations for Employees
Conducting Audit / Ethical Activities
Execution of Activities in Compliance with the Legislation
Follow-up and Execution of Legal Affairs
Conducting Business Continuity Ensuring Activities
Providing Information to Authorized Persons, Institutions and Organizations
Execution of Application Processes of Employee Candidates
Execution of Assignment Processes
Execution of Employee Candidate / Intern / Student Selection and Placement Processes
Execution of Benefits and Benefits Processes for Employees
Planning of Human Resources Processes
Execution / Supervision of Business Activities
Execution of Contract Processes
Execution of Occupational Health / Safety Activities
Execution of Finance and Accounting Affairs
Execution of Goods / Services Procurement Processes
Execution of Good / Service Sales Processes
Execution of Goods / Services Production and Operation Processes
Execution of Customer Relationship Management Processes
Execution of Management Activities
Carrying out Internal Audit / Investigation / Intelligence Activities
Execution of Emergency Management Processes
Execution of Information Security Processes
Providing Physical Space Security
Ensuring the Security of Movable Property and Resources
Other – Execution of Medical Diagnosis, Treatment and Care Services
Other – Health Service Delivery for the Relevant Person
Other – Planning and Management of Health Services and Financing
Other – Contracted Institutions Execution of Business Processes
Execution of Communication Activities
Execution of Supply Chain Management Processes
Receiving and Evaluating Suggestions for Improvement of Business Processes
Follow-up of Requests / Complaints
Execution of Access Authorizations
Creating and Tracking Visitor Records
Conducting Educational Activities
Execution of Marketing Processes of Products / Services

3.4. Recording and Storage of Personal Data

3.4.1. Recording and Storage Media

The personal data of the data owners are securely recorded and stored by the Data Controller in the environments listed in the table below, in accordance with the relevant legislation, especially the provisions of the KVKK:

Recording and Storage Media
Locked Archive Cabinet
Archive Cabinet
Computer
DVD
Access Restricted File
Flash drive
Business Server
Paper
Hard Disk
Telephone

3.4.2. Retention Periods of Personal Data

If a period is stipulated in the relevant laws and regulations, the Data Controller keeps personal data for that period. The storage, destruction and periodic destruction periods determined by the Data Controller are as follows:

ActivityStorage TimeDisposal Time
Discipline Management ProcessOther – 15 Years From Termination Of Employment At the time of the first Periodic Destruction as of the expiry of the 30 Days Retention Period at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
Litigation and Enforcement Follow-up ProcessOther – 15 Years from Termination of Employment
Other – 10 Years from Termination of Legal Relationship
From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data , within a 30-day response period after the Deletion Request
at the first Periodic Destruction time, as of the expiry of the 30-day Retention Period at the latest
Termination ProceduresOther – 15 Years from Termination of
Employment Other – 15 Years from Termination of Employment Relationship
At the time of the first Periodic Destruction as of the expiry of the 30 Days Retention Period at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
Follow-up of Legal Processes and Representation of the CompanyOther – 15 Years from Termination of Employment
Other – 10 Years from Termination of Legal Relationship
From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time, as of the expiry of the 30-day Retention Period at the latest
Official Institution and Organization Transactions | Other – 15 Years from Termination of Employment | At the time of the first Periodic Destruction as of the expiry of the 30 Days Retention Period at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
The Process of Conducting the Activities in Compliance with the Legislation | Other – 15 Years from Termination of Employment; Other – 10 Years 1 Month from the End of Legal Relationship | From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time, as of the expiry of the 30-day Retention Period at the latest
Execution of Legal Actions | Other – 15 Years from Termination of Employment; Other – 10 Years from Termination of Legal Relationship | From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time, as of the expiry of the 30-day Retention Period at the latest
Recruitment and Personal File Creation Process | Other – 15 Years from Termination of Employment; Other – 15 Years from Termination of Employment Relationship | From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time, as of the expiry of the 30-day Retention Period at the latest
Travel Process | Other – 15 Years from Termination of Employment | At the time of the first Periodic Destruction as of the expiry of the 30 Days Retention Period at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
Execution of Human Resources Activities | Other – 15 Years from Termination of Employment | At the time of the first Periodic Destruction as of the expiry of the 30 Days Retention Period at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
Preparation of Payroll and Salary Files | Other – 15 Years from Termination of Employment; Other – 15 Years from Termination of Employment Relationship | From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time, as of the expiry of the 30-day Retention Period at the latest
SGK Accrual and İşkur Transactions | Other – 15 Years from Termination of Employment; Other – 10 Years from Termination of Legal Relationship | At the time of the first Periodic Destruction as of the expiry of the 30 Days Retention Period at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
Control of Incentives | Other – 15 Years from Termination of Employment | At the time of the first Periodic Destruction as of the expiry of the 30 Days Retention Period at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
Purchasing and Procurement Activities | Other – 10 Years from the Termination of the Legal Relationship; Other – 10 Years from the Termination of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Contract Management | Other – 10 Years from the Termination of the Legal Relationship; Other – 10 Years from the Termination of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Execution of Procurement Activities | Other – 10 Years from the Termination of the Legal Relationship; Other – 10 Years from the Termination of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Occupational Health and Safety Processes Management | Other – 6 Months as of the End of the Pandemic; Other – 15 Years from the End of the Business Relationship; Other – 15 Years and 1 Month from the End of the Employment Contract | From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time, as of the expiry of the 30-day Retention Period at the latest
Preparation of Financial Statements and Submission to Relevant Institutions | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Execution of Financial Activities | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Case Operation Process | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Payment Process (General) | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Bank and Payment Transactions | Other – 10 Years from the End of the Legal Relationship; Other – 15 Years from the End of the Business Relationship; Other – 15 Years from the End of the Employment Contract | As of the end of the Storage Period, at the latest 30 Days from the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time
Ba/Bs Declaration Process | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Reconciliation Process | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Current Account Reconciliations | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Invoice Process | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Declaration Process | Other – 10 Years from the End of Legal Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Audit Activities | Other – 15 Years from End of Processing Purpose | At the time of the first Periodic Disposal as of the expiry of the Storage Period
SSI-Accrual Transactions | Other – 15 Years from the Termination of the Employment Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Payroll Process | Other – 15 Years from the Termination of the Employment Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Personnel File Creation Process | Other – 15 Years from the Termination of the Employment Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Rest Reports and Collection | Other – 15 Years from the Termination of the Employment Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Occupational Accident, Occupational Disease Notification | Other – 15 Years from the Termination of the Employment Relationship; Other – 15 Years from the Termination of the Employment Contract | At the latest 30 Days from the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data at the time of the first Periodic Destruction as of the end of the Storage Period
Personnel Time Tracking | Other – 15 Years from the Termination of the Employment Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Creation of Personnel Name List | Other – 15 Years from the Termination of the Employment Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Layoff Process | Other – 15 Years from the Termination of the Employment Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Recruitment Notifications | Other – 15 Years from the Termination of the Employment Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Recruitment/Periodic Inspection Process | Other – 15 Years from the Termination of the Employment Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Processing of Health Reports | Other – 15 Years from the Termination of the Business Relationship; Other – 10 Years from the Termination of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Creating the Personnel File of the Employee | Other – 15 Years from the Termination of the Employment Relationship; Other – 15 Years from the Termination of the Employment Contract | As of the end of the Storage Period, at the latest 30 Days from the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time
Job Application Management | Other – 15 Years from the Termination of the Employment Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Employee Employment | 1 year | It is immediately deleted and destroyed by the Deletion/Destruction Request within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period.
Execution of Job Application Activities | Other – 15 Years from the Termination of the Employment Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Recruitment Process | Other – 15 Years from the Termination of the Employment Relationship; Other – 15 Years from the Termination of the Employment Contract | As of the end of the Storage Period, at the latest 30 Days from the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time
Assignment Activity | Other – 15 Years from the Termination of the Employment Relationship | At the time of the first Periodic Disposal as of the expiry of the Storage Period
Follow-up and Transactions of Personnel Leaves | Other – 15 Years from the Termination of the Employment Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Security Management | Other – 6 Months – 2 Years; 1 Month | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Security of Information Systems | Other – 6 Months – 2 Years | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Office Equipment Records – Photocopy, Fax, Printer Etc. Usage Information Logging | Other – 6 Months – 2 Years | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Camera Recordings | 1 Month | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Execution of Health Service Activities | Other – 10 Years from the Expiration of the Purpose of Data Processing; Other – 10 Years from the Termination of the Legal Relationship; Other – 3 Months – 1 Year; 2 Years | It is immediately deleted and destroyed by the Deletion/Destruction Request within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period.
Creating Patient File Records | Other – 10 Years from the Expiration of the Purpose of Data Processing; Other – 3 Months – 1 Year | It is immediately deleted and destroyed by the Deletion/Destruction Request within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period.
Health Service Usage Data Collection Activity | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Customer Communication Management | Other – 3 Months – 1 Year; Other – 1 year from the Expiration of the Purpose of Data Processing; Other – 1 Year 2 Years from the Expiration of the Purpose of Processing | As of the end of the Storage Period, it is immediately deleted and destroyed by the Deletion / Destruction Request for 30 days at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within 30 days after the Deletion Request at the first Periodic Destruction time.
Creating Customer/Patient Appointment Records | 1 year | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Processing of Medical Exam and Laboratory Results | Other – 10 Years from the Expiration of the Purpose of Data Processing; Other – 3 Months – 1 Year | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Creating Patient File Records | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Conducting Scientific Education and Research Activities | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Continuing Patient Safety Monitoring Activities | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Prescription Control Approval Process | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Prescription Transactions Activity | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Order Process | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Supplier Communication Management | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Patient Disclosure/Information Process | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Approval Procedures | Other – 10 Years from the Expiration of the Purpose of Data Processing | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Audio Recording Process | Other – 3 Months – 1 Year | It is immediately deleted and destroyed by the Delete/Destroy Request at the first Periodic Destruction time as of the expiry of the Retention Period.
Emergency Management | Other – 3 Months – 1 Year; Other – 15 Years from Termination of Employment Contract | As of the end of the Storage Period, at the latest 30 Days from the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, within a 30-day response period after the Deletion Request at the first Periodic Destruction time
Customer Complaint Management | 2 years | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Cookie Usage Process | Other – 6 Months – 2 Years | It is immediately deleted and destroyed by the Delete/Destroy Request at the first Periodic Destruction time as of the expiry of the Retention Period.
User Experience Improvement Activity | Other – 6 Months – 2 Years | It is immediately deleted and destroyed by the Delete/Destroy Request at the first Periodic Destruction time as of the expiry of the Retention Period.
Web Page Visitor Access Process | Other – 6 Months – 2 Years | It is immediately deleted and destroyed by the Delete/Destroy Request at the first Periodic Destruction time as of the expiry of the Retention Period.
Billing | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Provisioning Process | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Private Health Insurance Process | Other – 10 Years from the End of Legal Relationship | Within 30 days of response time after the Deletion Request at the time of the first Periodic Destruction as of the expiry of the Retention Period
Educational Activities | Other – 15 Years from Termination of Employment | At the time of the first Periodic Destruction as of the expiry of the 30 Days Retention Period at the latest, as of the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
Social Media Management | Other – 1 year from the Expiration of the Purpose of Data Processing | From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, it is immediately deleted and destroyed with the Deletion/Destruction Request within 30 days of the first Periodic Destruction Time following the expiry of the 30-day Retention Period.
Communication Management | Other – 1 Year from the Expiration of the Purpose of Data Processing; Other – 1 Year from the Expiration of the Purpose of Processing | From the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, it is immediately deleted and destroyed with the Deletion/Destruction Request within 30 days of the first Periodic Destruction Time following the expiry of the 30-day Retention Period.

If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation and the Data Controller have also come to an end, personal data can only be stored to provide evidence in possible legal disputes, to assert a right related to personal data, or to establish a defense. Despite the expiry of the statute of limitations for asserting the right mentioned in the establishment of the periods herein, the retention periods are determined based on the examples in the requests previously made to the Data Controller on the same issues. In this case, the stored personal data is not accessed for any other purpose, and access to the relevant personal data is provided only when it is necessary to use it in the relevant legal dispute. Here, too, personal data is deleted after the aforementioned period expires.

3.5. Third Parties and Purposes of Transfer of Personal Data

ŞERİFE ERDEM notifies the personal data owner of the groups of persons to whom personal data is transferred in accordance with Article 10 of the KVK Law.

The Data Controller may transfer the personal data of data subjects managed by the Policy to the following categories of persons in accordance with Articles 8 and 9 of the KVK Law:

  • Domestic Buyers: Authorized Public Institutions and Organizations, Real Persons or Private Law Entities, Suppliers, Open to Everyone
  • Overseas Buyers: Natural Persons or Private Law Entities, Suppliers, Public

The scope of the above-mentioned persons to whom the transfer is made and the data transfer purposes are stated below.

Persons to whom Data Transfer can be made | Definition | Data Transfer Purpose
Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation | Court Order; Legal Obligation; Administrative Request; Server Usage; Operational Operations; Mandatory System-Infrastructure Usage; Service Delivery for the Relevant Person; Transmission to Data Processors
Natural Persons or Private Law Legal Entities | Private legal persons or natural persons authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation | Consultancy; Follow-up of the Legal Affairs and Transactions of the Data Controller; Scientific Research Activity; Service for the Related Person; Transmission to Data Processors; Mandatory System-Infrastructure Use; Ensuring Communication via Social Media
Suppliers | It defines the parties that provide services to the Company on a contractual basis in accordance with the orders and instructions of the Company while carrying out the commercial activities of the Company. | Contract Signing; Server Usage; Mandatory System-Infrastructure Usage; Service Delivery for Relevant Person; Operational Operations; Mandatory System-Infrastructure Usage
Open to everyone | All private law persons or natural persons to whom the company provides information | Ensuring Communication over Social Media
Other – Financial Advisor | | Monitoring the Legal Affairs and Transactions of the Data Controller, Providing Services to the Relevant Person; Legal Obligation
Other – Legal Advisor, Financial Advisor | | Follow-up of Legal Affairs and Transactions of Data Controller; Operational Transactions; Legal Obligation
Other – Bank | | Payment Transactions
Other – Legal Counsel | | Following the Legal Affairs and Transactions of the Data Controller
Other – Contracted Institutions | | Service Delivery for the Relevant Person

4. DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA

As regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, personal data that has been processed in accordance with the provisions of the relevant law is deleted, destroyed or anonymized by ŞERİFE ERDEM, upon the decision of the Data Controller or upon the request of the personal data owner, in case the reasons requiring its processing are eliminated.

In this context:

  • Change or repeal of the legislation,
  • Termination or invalidity of the main contract for processing,
  • The disappearance of the purposes and conditions of processing,
  • Withdrawal of consent in processing activities based on explicit consent,
  • Application of the Data Owner for deletion-destruction-anonymization and acceptance of this application,
  • The decision regarding the necessity of meeting the request to be made by the Personal Data Protection Board as a result of the application of the Data Owner and the rejection of this application,
  • Expiration of the retention period,
  • Periodic destruction processes carried out within the body of the Data Controller,

As a result, the Personal Data collected by the Data Controller is deleted, destroyed or anonymized.

Pursuant to Article 11 of the Regulation, the Data Controller has determined the period of periodic destruction as follows. According to this,

  • 30 Days at the Latest from the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data
  • At the time of the first Periodic Disposal as of the expiry of the Storage Period
  • Within 30 days of response time after Request for Deletion
  • Deleted and destroyed immediately by Deletion/Destruction Request

4.1. Deletion, Destruction and Anonymization Techniques of Personal Data

The Data Controller deletes, destroys or anonymizes the Personal Data it collects, automatically or upon the request of the Data Owner, in the event that the reasons for its processing disappear. Pursuant to Article 28 of the Law, anonymized personal data can be processed for purposes such as research, planning and statistics. Such processing after anonymization is outside the scope of the Law, and in this case, the explicit consent of the Personal Data Owner is not sought.

In this framework, one or more of the following deletion, destruction or anonymization methods are selected by the Data Controller, and the most appropriate method is followed:

4.1.1. Destruction of Physical Document

Personal Data collected by our company and which we process non-automatically, although they are part of our data recording systems, can also be destroyed by physically destroying the Personal Data on the medium (paper, microfiche) in a way that does not allow them to be used later.

4.1.2. Destruction of Digital Document

Digital Documents containing Personal Data produced or obtained in digital media within the Company are permanently deleted so that they cannot be accessed and reused in any way by the Relevant Users.

4.1.3. Deletion from Used Software Programs

Personal Data stored in digital media within our company are deleted from the software in such a way that they cannot be accessed and reused in any way by the Relevant Users.

Data can be deleted by giving a delete command in electronic recording media such as the Commercial Package Programs, Human Resources Programs and SQL databases we use; by removing the access rights of the Relevant Users to the files on our central server or the directory where the files are located; by deleting the relevant rows in databases with database commands; or by deleting Personal Data on removable media (USB, HDD, etc.) using appropriate software.

However, in cases where access to other data is not possible in the system due to the deletion of some Personal Data, the Personal Data subject to deletion can be archived by making it impossible to associate with the relevant Data Owner; in this case, the relevant Personal Data is deemed to have been deleted. In such cases, our Company takes all necessary technical and administrative measures to ensure that only authorized persons can access Personal Data.

4.1.4. Deletion from Database

In our company, the Personal Data stored in the database is deleted from the relevant database in a way that makes it inaccessible and unusable in any way by the Relevant Users.

Data can be deleted by giving a delete command in electronic recording media such as the Commercial Package Programs, Human Resources Programs and SQL databases we use; by removing the access rights of the Relevant Users to the files on our central server or the directory where the files are located; by deleting the relevant rows in databases with database commands; or by deleting Personal Data on removable media (USB, HDD, etc.) using appropriate software.

However, in cases where access to other data is not possible in the system due to the deletion of some Personal Data, the Personal Data subject to deletion can be archived by making it impossible to associate with the relevant Data Owner; in this case, the relevant Personal Data is deemed to have been deleted. In such cases, our Company takes all necessary technical and administrative measures to ensure that only authorized persons can access Personal Data.

5. RIGHTS OF THE DATA SUBJECT AND THE USE OF THESE RIGHTS

5.1. Rights of Personal Data Owner

Personal data owners have the following rights:

  • Learning whether personal data is processed or not,
  • If personal data has been processed, requesting information about it,
  • Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
  • Knowing the third parties to whom personal data is transferred at home or abroad,
  • Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  • Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • To request the compensation of the damage in case of loss due to unlawful processing of personal data.

5.2. Circumstances in which the Personal Data Owner cannot assert his rights

Personal data owners cannot claim the rights of personal data owners listed in 10.1.1. in these matters, since the following cases are excluded from the scope of the KVK Law in accordance with Article 28 of the KVK Law:

  • Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
  • Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the KVK Law, in the cases listed below, personal data owners cannot claim their other rights listed in 10.1.1., except for the right to demand the compensation of the damage:

  • The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  • Processing of personal data made public by the personal data owner.
  • Personal data processing is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  • The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

5.3. Exercise of Personal Data Owner’s Rights

Personal Data Owners will be able to submit their requests regarding their rights free of charge, with the information and documents that will identify them, and by filling out and signing the Application Form, using the following methods or other methods determined by the Personal Data Protection Board:

  • After filling out the “Data Owner Application Form”, which you can request physically, a wet-signed copy can be forwarded to the address ALTUNİZADE MAH. KISIKLI CAD. BAŞARAN BUSINESS CENTER B BLOK NO:5 GROUND FLOOR,

In order for third parties to request an application on behalf of personal data owners, a special power of attorney issued by the data owner through a notary public on behalf of the person to apply must be present.

5.4. Personal Data Owner’s Right to Complain to the KVK Board

In cases where the application is rejected in accordance with Article 14 of the KVK Law, the response given is insufficient or the application is not answered in due time, the personal data owner may file a complaint with the KVK Board within thirty days from the date of learning the answer of the Responsible Person and in any case within sixty days from the date of application.

5.5. Responding to Applications

5.5.1. Procedure and Time to Respond to Applications to the Data Controller

If the personal data owner submits a request to the Data Controller, the Data Controller will conclude the relevant request free of charge, within thirty days at the latest, depending on the nature of the request. However, if a fee is foreseen by the KVK Board, the fee in the tariff determined by the KVK Board will be collected from the applicant by the Data Controller.

The Data Controller may request information from the data subject in order to determine whether the applicant is the owner of personal data. The Data Controller may ask questions about the personal data owner’s application in order to clarify the issues in the personal data owner’s application.

5.5.2. The Right to Refuse the Application of the Personal Data Owner

The Data Controller may reject the application of the applicant in the following cases by explaining the reason:

  • Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
  • Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  • Processing of personal data made public by the personal data owner.
  • Personal data processing is required by authorized public institutions and organizations, and by professional organizations in the nature of public institutions, for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  • The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
  • The possibility that the personal data owner’s request will obstruct the rights and freedoms of other people.
  • Making demands that require disproportionate effort.
  • The requested information is publicly available.

6. UPDATES, ADAPTATION AND CHANGES

The Data Controller reserves the right to make changes in this Policy and other policies related to this Policy, in line with the changes made in the Law, in accordance with the decisions of the KVK Board or in line with the developments in the sector or in the field of informatics. This policy and other relevant policies/regulations are reviewed and updated annually.

Changes made in this Policy are immediately incorporated into the text, and explanations regarding the changes are given at the end of the Policy.

ŞERİFE ERDEM (Data Controller)

ALTUNİZADE MAH. KISIKLI CAD. BAŞARAN BUSINESS CENTER B BLOCK NO:5 GROUND FLOOR ÜSKÜDAR/ İSTANBUL

 

POLICY ON THE PROTECTION AND PROCESSING OF PRIVATE PERSONAL DATA

 

1. SCOPE

In Article 6 of the Law on the Protection of Personal Data No. 6698 (“LAW”), certain personal data that carry the risk of causing victimization or discrimination when processed unlawfully are defined as “SPECIAL QUALIFIED PERSONAL DATA”.

Personal data of special nature include data on race, ethnic origin, political thought, belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

2. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

ŞERİFE ERDEM (Data Controller) pays special attention to the processing of Special Quality Personal Data, the protection of which is believed to be of more critical importance for the Data Owner/Relevant Person in various aspects.

Special Quality Personal Data is processed by the Data Controller in accordance with the Law, provided that adequate measures to be determined by the Board are taken, in the presence of the following conditions:

  • If the Data Owner/Relevant Person has given express consent, or
  • If there is no explicit consent of the Data Owner/Relevant Person: special quality personal data other than the health and sexual life of the Data Owner/Relevant Person is processed in the cases stipulated by the laws, and sensitive personal data related to the health and sexual life of the Data Owner/Relevant Person is processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons or authorized institutions and organizations under the obligation of secrecy.

3. MEASURES REGARDING THE PROCESSING OF SPECIAL QUALITY PERSONAL DATA

The Data Controller, in the capacity of data supervisor, takes the following measures, in accordance with the Board’s decision dated 31.01.2018 and numbered 2018/10, in the processing of Special Quality Personal Data, which is included in Article 6 of the Law:

  • This Policy has been established as a systematic, clearly defined, manageable and sustainable policy for the security of sensitive personal data.
  • For the Employee, Visitor, Potential Product or Service Buyer, Supplier Official, Supplier Employee, Product or Service User, Employee Candidate, Other – Patient, Other – Doctor person group(s) involved in the processing of special quality personal data, the following measures are implemented:
    • There are disciplinary regulations for employees that include data security provisions.
    • Training and awareness activities on data security are carried out periodically for employees.
    • An authorization matrix has been created for employees.
    • Confidentiality commitments are made.
    • The authorizations of employees who have a change in duty or quit their job in this field are removed.
    • Signed contracts include data security provisions.
    • Personal data security policies and procedures have been determined.
    • Personal data security is monitored.
    • The security of environments containing personal data is ensured.
    • Personal data is reduced as much as possible.
    • Protocols and procedures for special quality personal data security have been determined and implemented.

  • For the physical and electronic environments where Sensitive Personal Data are processed, stored and/or accessed, the following measures are implemented:
    • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
    • Institutional policies on access, information security, use, storage and destruction have been prepared and put into practice.
    • Up-to-date anti-virus systems are used.
    • A user account management and authorization control system is implemented, and these are also monitored.

  • If Special Quality Personal Data is to be transferred, the following transfer methods are used:
    • E-mail
    • Hard copy
    • Notification
    • Declaration
    • Data media
    • Data input
    • Sharing
    • Overseas data center operator
    • Overseas data processing service provider

  • In addition to the measures mentioned above, technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority should also be taken into account.

4. TRANSFER OF SPECIAL QUALITY PERSONAL DATA

The Data Controller can transfer the Special Quality Personal Data of the Data Owner/Relevant Person that it has obtained in accordance with the law to third parties, in line with the purposes of data processing, by taking the necessary security measures. Accordingly, the Data Controller will be able to transfer Sensitive Personal Data to third parties in the presence of one of the processing conditions specified in the above section and the conditions specified below.

  • If the Data Owner/Relevant Person has given express consent,
  • If there is a clear regulation in the law regarding the transfer of Sensitive Personal Data,
  • If it is necessary for the protection of the life or physical integrity of the Data Owner/Relevant Person or anyone else and the Data Owner/Relevant Person is unable to express his consent due to actual impossibility or if his consent is not legally valid;
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is necessary for the Data Controller to fulfill its legal obligation,
  • If Private Personal Data is made public by the Data Owner/Relevant Person,
  • If the transfer of Sensitive Personal Data is necessary for the establishment, exercise or protection of a right,
  • If personal data transfer is necessary for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the Data Owner/Relevant Person.

5. TRANSFER OF PRIVATE PERSONAL DATA ABROAD

In line with legitimate and lawful Personal Data processing purposes, and by taking due care, the necessary security measures and the adequate measures prescribed by the Board, the Data Controller can transfer the Special Quality Personal Data of the Data Owner/Relevant Person, in the following cases, to foreign countries where the data controller located there undertakes to provide adequate protection.

  • If the personal data owner has given express consent, or
  • If the personal data owner has not given express consent;
    • Personal data of special nature (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, criminal conviction and data related to security measures, biometric and genetic data), in cases stipulated by law,
    • Personal data regarding the health and sexual life of the Data Owner/Relevant Person, only for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, within the scope of processing by persons under the obligation of confidentiality or by authorized institutions and organizations.

This policy is executed by ŞERİFE ERDEM.

Regards.

ŞERİFE ERDEM