1. PURPOSE
This policy describes the personal data processing activities carried out by UITSEC International as the data controller and the methods adopted for the protection of personal data in accordance with the Personal Data Protection Law (Law) No. 6698, and aims to fulfill the obligation of clarification specified in the article. The Personal Data Protection and Processing Policy includes the principles applied by UITSEC International in the collection, use, sharing, storage and destruction of personal data. It aims to inform our customers, employees of the institution, visitors, employees of the institutions we cooperate with and all persons whose personal data are processed by the institution, especially third parties.
2. SCOPE
This Policy covers all personal data processed in the processes of our institution by automated or non-automated means, provided that it is part of any data recording system.
3. AUTHORITIES AND RESPONSIBILITIES
All employees, consultants, external service providers and anyone else who stores and processes personal data at the institution are responsible for fulfilling, within the institution, the requirements for the storage and destruction of personal data specified by the Law, the Regulation and the Policy. Each business unit is responsible for storing and protecting the data it produces in its own business processes.
Notifications to and correspondence with the KVK Board on behalf of the data controller, such as notification or acceptance and registration in the registry, are the responsibility of the "Data Controller Contact Person".
4. DEFINITIONS AND ABBREVIATIONS
Explicit Consent; Consent on a specific subject, based on information and explained with free will.
Relevant User; These are the persons who process personal data within the organization of the data controller or in accordance with the authority and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Destruction; Deletion, destruction or anonymization of personal data.
Law; Personal Data Protection Law No. 6698.
Recording Media; All kinds of media containing personal data that are fully or partially automated or processed in non-automated ways provided that they are part of any data recording system.
Personal Data; All kinds of information related to the identified or identifiable real person.
Processing of Personal Data; All kinds of processes performed on personal data such as obtaining, recording, storing, keeping, changing, re-arranging, disclosing, transferring, taking over, making available, classifying or preventing their use in whole or in part, automatically or in non-automatic ways, provided that they are part of any data recording system.
Anonymization of Personal Data; Making personal data unlikely to be associated with an identified or identifiable real person in any way, even by matching it with other data.
Deletion of Personal Data; Making personal data inaccessible and unavailable to Relevant Users in any way.
Destruction of Personal Data; The process of making personal data inaccessible, irrecoverable and unusable by anyone in any way.
Board; Personal Data Protection Board.
Sensitive Personal Data; Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction; In the event that all the conditions for processing personal data in the Law disappear, the process of deletion, destruction or anonymization of personal data to be carried out ex officio at repeated intervals specified in the personal data storage and destruction policy.
Data Owner/Relevant Person; The natural person whose personal data is processed.
Data Processor; The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
Data Controller; The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation; Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.
5. POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
UITSEC International concretely sets out the necessary measures and the process applied for the protection and processing of personal data with this policy. UITSEC International agrees that it will comply with the applicable legislation if this policy is incompatible with the applicable laws and regulations or if the policy is not up-to-date in accordance with the updated legislation. This policy is updated and revised in order for UITSEC International to fulfill legal requirements according to the changes in the law, regulations and legislation.
5.1 Processed Personal Data
UITSEC International processes the following personal data:
PERSONAL DATA    EMPLOYEE    EMPLOYEE CANDIDATE    CUSTOMER    CUSTOMER CANDIDATE    CUSTOMER'S RELEVANT PERSON    POTENTIAL EMPLOYEE    REFERENCE    TRAINEE    PARENT / TRUSTEE / REPRESENTATIVE    VISITOR
Biometric Data    X    -    -    -    X    -    -    -    -    -
Criminal Conviction and Security Measures    X    X    -    -    X    -    -    X    -    -
Sexual Life    -    -    -    -    X    -    -    -    -    -
Association Membership    -    -    -    -    X    -    -    -    -    -
Philosophical Belief, Religion, Sect and Other Beliefs    -    -    -    -    X    -    -    -    -    -
Finance    X    -    -    -    X    -    -    -    -    -
Physical Space Security    X    X    -    -    X    -    -    X    -    X
Genetic Data    -    -    -    -    X    -    -    -    -    -
Audiovisual Recordings    X    -    -    -    X    -    -    -    -    -
Legal action    -    -    -    -    X    -    -    -    -    -
Communication    X    X    X    X    X    X    X    X    X    -
Race and Ethnicity    -    X    -    -    X    -    -    X    -    -
Transaction Security    -    -    X    -    X    -    -    -    -    -
Dress    -    -    -    -    X    -    -    -    -    -
Identity    X    X    X    X    X    X    X    X    -    -
Location    -    -    -    -    X    -    -    -    -    -
Professional experience    X    X    -    -    X    X    -    X    -    -
Customer Transaction    -    -    -    -    -    X    -    -    -    -
Personnel Information    X    X    X    X    X    X    -    X    -    -
Marketing    -    -    -    -    X    -    -    -    -    -
Risk Management    -    -    -    -    X    -    -    -    -    -
Health Information    X    X    -    -    X    -    -    X    -    -
Union Membership    -    -    -    -    X    -    -    -    -    -
Political Opinion Information    -    -    -    -    X    -    -    -    -    -
Foundation Membership    -    -    -    -    X    X    -    -    -    -
 
5.2 Purposes of Processing Personal Data
UITSEC International processes personal data for the following purposes:
PURPOSE OF DATA PROCESSING    EMPLOYEE    EMPLOYEE CANDIDATE    CUSTOMER    CUSTOMER CANDIDATE    CUSTOMER'S RELEVANT PERSON    POTENTIAL EMPLOYEE    REFERENCE    TRAINEE    PARENT / TRUSTEE / REPRESENTATIVE    VISITOR
Execution of Emergency Management Processes    -    -    -    -    -    -    -    -    X    -
Execution of Employee Candidate / Intern / Student Selection and Placement Processes    -    X    -    -    -    X    X    X    -    -
Execution of Application Processes of Employee Candidates    X    -    -    -    -    -    -    -    -    -
Fulfillment of Employment and Legislation Obligations for Employees    X    -    -    -    -    -    -    -    -    -
Conducting Training Activities    X    -    X    X    -    -    -    -    -    -
Execution of Access Authorizations    X    -    -    -    -    -    -    -    -    -
Providing Physical Space Security    X    X    -    -    -    -    -    X    -    X
Execution of Communication Activities    -    X    X    X    -    -    -    -    -    -
Planning of Human Resources Processes    X    -    -    -    -    -    -    -    -    -
Execution / Supervision of Business Activities    -    -    X    -    -    -    -    -    -    -
Execution of Goods / Services Procurement Processes    X    -    -    -    -    -    -    -    -    -
Execution of Goods / Services After-Sales Support Services    -    -    X    -    -    -    -    -    -    -
Execution of Goods / Services Sales Processes    -    -    X    X    -    -    -    -    -    -
Execution of Activities for Customer Satisfaction    -    -    X    X    -    -    -    -    -    -
Execution of NOC Services    -    -    X    -    -    -    -    -    -    -
Execution of Penetration Processes    -    -    -    -    X    -    -    -    -    -
Execution of Performance Evaluation Processes    X    -    -    -    -    X    -    -    -    -
Potential Employee Detection Process    -    -    -    -    -    X    -    -    -    -
Execution of Advertising / Campaign / Promotion Processes    -    -    X    X    -    -    -    -    -    -
Execution of SOC Services    -    -    X    -    -    -    -    -    -    -
Execution of Contract Processes    X    -    X    -    -    -    -    -    -    -
Follow-up of Requests / Complaints    -    -    X    X    -    -    -    -    -    -
Execution of Wage Policy    X    -    -    -    -    -    -    -    -    -
 
5.3 Personal Data Collection Methods and Legal Reasons
•    Data Collection Methods
UITSEC International's methods of obtaining personal data are as follows:
PERSONAL DATA    EMPLOYEE    EMPLOYEE CANDIDATES    CUSTOMER    CUSTOMER CANDIDATE    CUSTOMER'S RELEVANT PERSON    POTENTIAL EMPLOYEE    REFERENCE    TRAINEE    PARENT / TRUSTEE / REPRESENTATIVE    VISITOR
Biometric Data    Application    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Criminal Conviction and Security Measures    By hand, In writing    In writing, Mail    -    -    Application, Ethical Hacking Method    -    -    In writing, Mail    -    -
Sexual Life    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Association Membership    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Philosophical Belief, Religion, Sect and Other Beliefs    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Finance    Mail, Phone    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Physical Space Security    Application    Application    -    -    Application, Ethical Hacking Method    -    -    Application    -    Application
Genetic Data    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Audiovisual Recordings    By hand, In writing    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Legal action    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Communication    By hand, In writing or oral    In writing, Mail    Oral, Mail, Business Card, Media, By hand, Application (Web Portal)    By hand, Oral, Application (Web Portal)    Application, Ethical Hacking Method    Portal, Mail    In writing, Mail    In writing, Mail    In writing, Mail    -
Race and Ethnicity    -    In writing, Mail    -    -    Application, Ethical Hacking Method    -    -    In writing, Mail    -    -
Transaction Security    -    -    Application    -    Application, Ethical Hacking Method    -    -    -    -    -
Dress    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Identity    By hand, In writing, Mail, Phone    In writing, Mail    Oral, Mail, Business Card, In writing, Hard Disk, Application (Web Portal)    By hand, Oral, Application (Web Portal)    Application, Ethical Hacking Method    Portal, Mail    In writing, Mail    In writing, Mail    -    -
Location    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Professional experience    By hand, In writing    In writing, Mail, Portal    -    -    Application, Ethical Hacking Method    Portal, Mail    -    In writing, Mail    -    -
Customer Transaction    -    -    -    -    -    Portal, Mail    -    -    -    -
Personnel Information    By hand, In writing, Mail    In writing, Mail, Portal    Mail, Excel, Hard Disk, Server, Application (Web Portal)    Application (Web Portal)    Application, Ethical Hacking Method    Portal, Mail    -    In writing, Mail    -    -
Marketing    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Risk Management    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Health Information    By hand, In writing    In writing, Mail    -    -    Application, Ethical Hacking Method    -    -    In writing, Mail    -    -
Union Membership    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Political Opinion Information    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
Foundation Membership    -    -    -    -    Application, Ethical Hacking Method    -    -    -    -    -
 
•    Legal Reasons for Data Processing
The legal bases for processing personal data of UITSEC International are as follows:
 
PURPOSE OF DATA PROCESSING    EMPLOYEE    EMPLOYEE CANDIDATE    CUSTOMER    CUSTOMER CANDIDATE    CUSTOMER'S RELEVANT PERSON    POTENTIAL EMPLOYEE    REFERENCE    TRAINEE    PARENT / TRUSTEE / REPRESENTATIVE    VISITOR
Execution of Emergency Management Processes    -    -    -    -    -    -    -    -    Legitimate Interest    -
Execution of Employee Candidate / Intern / Student Selection and Placement Processes    -    Explicit Consent    -    -    -    Explicit Consent    Explicit Consent    Law, Legitimate Interest    -    -
Execution of Application Processes of Employee Candidates    Law    -    -    -    -    -    -    -    -    -
Fulfillment of Employment and Legislation Obligations for Employees    Law    -    -    -    -    -    -    -    -    -
Conducting Training Activities    Legitimate Interest    -    Explicit Consent    Explicit Consent    -    -    -    -    -    -
Execution of Access Authorizations    Legitimate Interest    -    -    -    -    -    -    -    -    -
Providing Physical Space Security    Legitimate Interest    Legitimate Interest    -    -    -    -    -    Legitimate Interest    -    Legitimate Interest
Execution of Communication Activities    -    Explicit Consent    Agreement, Explicit Consent    Explicit Consent    -    -    -    -    -    -
Planning of Human Resources Processes    Law    -    -    -    -    -    -    -    -    -
Execution / Supervision of Business Activities    -    -    Agreement    -    -    -    -    -    -    -
Execution of Goods / Services Procurement Processes    Law    -    -    -    -    -    -    -    -    -
Execution of Goods / Services After-Sales Support Services    -    -    Agreement    -    -    -    -    -    -    -
Execution of Goods / Services Sales Processes    -    -    Law, Agreement, Explicit Consent    Explicit Consent    -    -    -    -    -    -
Execution of Activities for Customer Satisfaction    -    -    Explicit Consent    Explicit Consent    -    -    -    -    -    -
Execution of NOC Services    -    -    Agreement    -    -    -    -    -    -    -
Execution of Penetration Processes    -    -    -    -    Agreement    -    -    -    -    -
Execution of Performance Evaluation Processes    Legitimate Interest    -    -    -    -    Explicit Consent    -    -    -    -
Potential Employee Detection Process    -    -    -    -    -    Explicit Consent    -    -    -    -
Execution of SOC Services    -    -    Agreement    -    -    -    -    -    -    -
Execution of Contract Processes    Legitimate Interest    -    Agreement    -    -    -    -    -    -    -
Execution of Advertising / Campaign / Promotion Processes (34)    -    -    Explicit Consent    Explicit Consent    -    -    -    -    -    -
Follow-up of Requests / Complaints (41)    -    -    Explicit Consent    Explicit Consent    -    -    -    -    -    -
Execution of Wage Policy    Law, Agreement    -    -    -    -    -    -    -    -    -
 
 
5.4 Ensuring the Security of Personal Data
•    Administrative and Technical Measures
Administrative and technical measures taken to ensure the security of personal data are detailed in the “Personal Data Storage and Destruction Policy”.
5.5 Principles for the Processing of Personal Data
Principles for the processing of personal data are determined in paragraph 2 of Article 4 of the Law. UITSEC International processes personal data in accordance with the determined principles.
The processing of personal data is carried out in accordance with the following principles:
1.    Compliance with the law and the rules of honesty,
2.    Being accurate and, where necessary, up-to-date,
3.    Being processed for specific, explicit and legitimate purposes,
4.    Being relevant, limited and proportionate to the purpose for which they are processed,
5.    Being kept for the period required by the relevant legislation or for the purpose for which they are processed.
5.6 Conditions for Processing Personal Data
UITSEC International processes personal data due to legal obligations and to provide services to our customers. In accordance with Article 5/2 of the Law, the full text of which you can access from www.mevzuat.gov.tr, personal data are processed where one of the following conditions is present:
1.    Expressly stipulated in the law.
2.    It is mandatory for the protection of the life or bodily integrity of the person, or of someone else, where the person is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid.
3.    The processing of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or performance of the contract.
4.    It is mandatory for the data controller to fulfill his/her legal obligation.
5.    It is made public by the relevant person.
6.    Data processing is mandatory for the establishment, exercise or protection of a right.
7.    Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
Except for the above-mentioned cases, UITSEC International processes personal data only by obtaining the explicit consent of the data owners.
5.7 Destruction of Personal Data
The destruction of personal data obtained by UITSEC International is detailed in the "Policy on Storage and Destruction of Personal Data".
5.8 Transfer of Personal Data to Domestic Persons
UITSEC International strictly complies with the requirements of the Law regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this context, personal data are not transferred to third parties without the explicit consent of the data owner. However, in the presence of one of the following conditions specified in the Law, personal data may be transferred without the explicit consent of the data owner:
•    Expressly stipulated in the law,
•    It is mandatory for the protection of the life or bodily integrity of the person, or of someone else, where the person is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid,
•    The processing of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or performance of the contract,
•    It is mandatory for the data controller to fulfill his/her legal obligation,
•    It is made public by the relevant person,
•    Data processing is mandatory for the establishment, exercise or protection of a right,
•    Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
Provided that adequate precautions are taken, personal data of special nature other than health and sexual life may be transferred where this is stipulated; personal data of special nature related to health and sexual life may be transferred without obtaining explicit consent for purposes such as:
•    Protection of public health,
•    Preventive medicine,
•    Medical diagnosis,
•    Execution of treatment and care services,
•    Planning and management of health services and financing.
In the transfer of sensitive personal data, the conditions specified in the processing conditions of this data are complied with.
5.9 Transfer of Personal Data to Persons Abroad
UITSEC International does not transfer any data abroad.
5.10 Personal Data of Visitors
5.10.1 Camera Recording
The office is monitored by UITSEC International with an in-office security camera in order to ensure security.
In this context, our Institution acts in accordance with the Constitution, Law and other relevant legislation.
Image recordings of all people visiting the office of our institution are taken through the camera monitoring system at the office entrances and inside the office.
Our institution aims to ensure the security of the institution, employees, customers and visitors within the scope of security camera monitoring activity.
Our institution acts in accordance with the regulations in the Law in carrying out camera monitoring activities for security purposes.
Only a limited number of corporate employees have access to records recorded and stored digitally. Live camera images can only be monitored by the authorized personnel of the institution if necessary. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality commitment.
In accordance with Article 12 of the Law, our institution takes the necessary technical and administrative measures to ensure the security of the personal data obtained as a result of the camera monitoring activity.
5.10.2 Personal Data of Website Visitors and Personal Data Received for Internet Access Point Service
Our institution provides internet service to all its employees. Identity information and internet log records of the service provided are obtained and stored in accordance with the Law No. 5651 (Regarding the Regulation of Publications on the Internet and the Fight Against Crimes Committed Through These Publications). The processed personal data are kept for 2 years in accordance with the Law No. 5651.
5.11 Rights of Personal Data Owner
Your data subject rights arising from the Law are listed in Article 11 of the relevant Law and are as follows:
ARTICLE 11- (1) Everyone has the following rights regarding himself/herself by applying to the data controller:
•    To learn whether your personal data is processed or not,
•    If your personal data has been processed, requesting information about it,
•    To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,
•    To know the third parties to whom your personal data is transferred, in the country or abroad,
•    To request the correction of your personal data if it is incomplete or incorrectly processed,
•    To request the deletion or destruction of your personal data,
•    To request the notification of these transactions to third parties to whom your personal data has been transferred, in case of correction, deletion or destruction of your personal data,
•    To object to the emergence of a result against you by analyzing your processed data exclusively through automated systems,
•    If you suffer damage due to the unlawful processing of your personal data, you have the right to demand compensation for the damage.
 
You can access the application form at “http://uitsec-international.com/tr/hakkimizda/kisisel-veri-sahibi-basvuru-formu” or you can request it during your visit to our UITSEC International office.
In order for applications made with UITSEC International's KVKK Related Person Application Form to be accepted, the Personal Data Owner must pay attention to the following issues:
Your application, which includes your notification as the personal data owner and your explanations regarding the right you wish to exercise among the above-mentioned rights, must be clear and understandable about the subject you request; the subject you request must be related to you, or, if you are acting on behalf of someone else, you must be specifically authorized in this regard and must certify your authority. In order to follow up your thirty-day legal right without any problems, applications sent by courier must be notarized and sent by registered mail with return receipt. If you apply through a notary public, your thirty-day legal right will start following the notification of your application to our institution. Applications within this scope will be accepted following the identity verification to be made by us, and the relevant persons will be answered in writing or electronically within the legal periods.
 
You can exercise your rights mentioned in the above articles by filling out the "Personal Data Owner Application Form" and using one of the following methods:
Method    Address    Detail
Application made by hand to address    Esentepe Mahallesi Büyükdere Cad. Levent 199 No:199/6 Şişli    It is the application to be made by the relevant person to the above-mentioned address of the Data Controller, who will fill in the "Personal Data Owner Application Form" and request the processing of your Personal Data. You must present your identity card at the time of application.
Application via notary public    Esentepe Mahallesi Büyükdere Cad. Levent 199 No:199/6 Şişli    It is the application made by the relevant person by sending the "Personal Data Owner Application Form" approved by the notary public to the address specified with return receipt or by sending to the address specified by the notary public. Applications within this scope will be accepted following the identity verification to be made by us and the relevant persons will be answered in writing or electronically within the legal periods.
Application with KEP (Registered Electronic Mail)    [email protected]    It is the application to be made by the relevant person by filling out and signing the "Personal Data Owner Application Form" and sending it to the KEP address of the Data Controller you want to apply for.