THE CORPORATE PERSONAL DATA PROTECTION POLICY


1.    PURPOSE

The right of every individual to request the protection of personal data concerning them is a sacred right arising from the Constitution. As Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti., we consider fulfilling the requirements of this right to be one of our most valuable duties. For this reason, we attach importance to processing and protecting your data in accordance with the law.

 

Because of the importance we attach to protecting personal data, the Corporate Personal Data Protection Policy has been prepared to set out the principles we rely on and the procedures we apply when processing and protecting personal data.

 

2.    SCOPE

The Policy covers all personal data managed by Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti. and any operation performed on the data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

 

The Policy concerns all processed personal data of Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti. partners, officers, customers, employees, supplier officials and employees, and third parties.

 

Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti. may change the Policy to comply with the legislation and the decisions of the Personal Data Protection Authority and to better protect personal data.

 

3.    DEFINITIONS

ABBREVIATION

DEFINITION

Recipient Group

The category of natural or legal person to whom the data controller transfers the personal data.

Explicit Consent

Consent that relates to a specific subject, is based on being informed, and is expressed with free will.

Anonymisation

Rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data.

Contact Person

The natural person whose personal data is processed.

Related User

The person who processes personal data within the data controller's organisation or in accordance with the authorisation and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Annihilation

Deletion, destruction or anonymisation of personal data.

Law/KVKK

Law No. 6698 on the Protection of Personal Data.

Recording Media

Any medium in which personal data is processed by fully or partially automated means or by non-automated means, provided that it is part of any data recording system.

Personal data

Any information relating to an identified or identifiable natural person.

Data Inventory

 

The inventory that data controllers create for the personal data processing activities they carry out depending on their business processes, by associating those activities with the purposes and legal reason for processing personal data, the data category, the recipient group to which the data is transferred and the group of persons who are the data subject, and by detailing the maximum retention period required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

 

Processing of Personal Data

Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosure, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Board

Personal Data Protection Board.

Authority

Personal Data Protection Authority

Personal Data of Special Nature

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction

The deletion, destruction or anonymisation process that is carried out ex officio at recurring intervals, as specified in the personal data retention and destruction policy, if all of the conditions for processing personal data in the Law disappear.

Policy

Personal Data Protection Policy

Data Processor

The natural or legal person who processes personal data on behalf of the data controller based on the authorisation given by the data controller.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

 

4.    GENERAL PRINCIPLES

In the preparation phase of each new personal data processing workflow, Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti. checks that the data to be processed complies with the following principles. Workflows that do not comply are not implemented.

 

When processing personal data, Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti.:

(I) Complies with the law and good faith.

(II) Ensures that personal data is accurate and, where necessary, up to date.

(III) Ensures that the purpose of the processing is specific, explicit, and legitimate.

(IV) Checks that the processed data is related to the purpose for which it is processed, that it is processed limited to the extent that it should be processed and is proportionate.

(V) Keeps the data only as long as stipulated in the relevant legislation or is necessary for the purpose for which it is processed and destroys it when the purpose of the processing ceases to exist.

 

5.    MEASURES TAKEN FOR DATA SECURITY

Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti. takes all necessary technical and administrative measures to ensure an appropriate level of security to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, and (iii) ensure the retention of personal data.

 

5.1. Technical Measures

·         Network security and application security are ensured.

·         Security measures are taken to supply, develop and maintain information technology systems.

·         Access logs are kept regularly.

·         Up-to-date anti-virus systems are used.

·         Firewalls are used.

·         Necessary security measures are taken regarding the entrances and exits to physical environments containing personal data.

·         The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.

·         The security of environments containing personal data is ensured.

·         Personal data is backed up, and the security of the backed-up personal data is also ensured.

·         User account management and authorisation control systems are implemented, and these are also monitored.

·         Log records are kept in a way that prevents user intervention.

·         Intrusion detection and prevention systems are used.

·         Encryption is performed.

 

5.2. Administrative Measures

·         Disciplinary regulations with data security provisions are in place for employees.

·         Training and awareness activities are regularly carried out for employees on data security.

·         Institutional policies on access, information security, use, storage and destruction have been prepared, and their implementation has started.

·         Data masking measures are applied when necessary.

·         Confidentiality undertakings are made.

·         An authorisation matrix has been created for employees.

·         The authorisations of employees who have a change of duty or have left their jobs in this field are removed.

·         The signed contracts contain data protection provisions.

·         Personal data security policies and procedures have been determined.

·         Personal data security issues are reported quickly.

·         Personal data security is monitored.

·         Personal data is reduced as much as possible.

·         In-house periodic and/or random audits are carried out.

·         Existing risks and threats have been identified.

·         Protocols and procedures for securing personal data of special nature have been determined and implemented.

·         If personal data of special nature is to be sent via electronic mail, it is transmitted in encrypted form and using a KEP or corporate mail account.

·         Service providers that process data are made aware of data security.

 

6.    RIGHTS OF THE DATA SUBJECT REGARDING PERSONAL DATA

The Contact Person may request the following from Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti.:

·         To learn whether their data is processed or not,

·         If their data has been processed, request information about it,

·         To learn the purpose of processing personal data and whether they are used in accordance with that purpose,

·         To learn the third parties to whom personal data are transferred domestically or abroad,

·         In case the personal data are processed incompletely or incorrectly, request their correction and request that the transaction carried out within this scope be notified to the third parties to whom the personal data are transferred,

·         Requesting the deletion, destruction or anonymisation of personal data if the reasons requiring the processing of personal data disappear even though they have been processed in accordance with the provisions of the law (KVKK) and other relevant laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom their data has been transferred,

·         To object to a result arising against them through the analysis of the processed data exclusively by automated systems,

·         Requesting compensation in case of damage due to unlawful processing of their personal data.

 

7.    NOTICES OF INFRINGEMENT

Elit Elektronik Pazarlama San. ve Tic. Ltd. Sti. employees report to the Commission any work, action or fact they consider to violate the provisions of the law (KVKK) and/or the Policy. Following this violation notification, the Committee shall convene, if necessary, and formulate an action plan for the breach.

If the breach has occurred through the acquisition of personal data by others through unlawful means, the Management shall ensure that the Board ............  ..................  within the scope of its decision, it shall notify the relevant person and the Board within 72 hours.

 

8.    CHANGES

Amendments to the Policy are prepared by the Management and submitted for the approval of the Elit Elektronik Pazarlama San. ve Tic. Ltd. Şti. Board of Directors. The updated Policy can be sent to employees via e-mail or published on the website.

 

9.    EFFECTIVE DATE

This version of the Policy is ....................... It was approved by the Board of Directors and entered into force.