DOCUMENT CODE |
: |
GM-P002 |
APPROVED BY |
: |
BOARD OF DIRECTORS |
DATE OF APPROVAL |
: |
05/01/2019 |
LAST REVISION DATE |
: |
00/0000 |
VERSION NO |
: |
01 |
RELATED DOCUMENTS |
: |
Personal Transactions Protection and Processing Policy Processing of Sensitive Personal Data Policy Personal Data Protection and Processing Enlightenment Text |
CONTENTS |
1. PURPOSE. 2
2. SCOPE. 3
3. RESPONSIBILITY. 3
4. DEFINITIONS. 3
5. RECORDING MEDIUMS. 5
6. LEGAL, TECHNICAL OR OTHER REASONS THAT REQUIRE THE RETENTION AND DESTRUCTION OF PERSONAL DATA. 5
7. MEASURES TO PROTECT PERSONAL DATA AND PREVENT İLLEGAL PROCESSİNG AND İLLEGAL ACCESS. 6
7.1 ADMINISTRATIVE MEASURES. 7
7.2 TECHNICAL MEASURES. 7
8. MEASURES TAKEN FOR LAWFUL DESTRUCTION PERSONAL DATA. 8
8.1. DELETION OF PERSONAL DATA. 8
8.2. DESTRUCTION OF PERSONAL DATA. 9
8.3. ANONYMIZATON OF PERSONAL DATA. 10
8.3.1 Anonymization Methods That Do Not Provide Value Irregularity: 11
8.3.2 Anonymization Methods That Provide Value Irregularity: 11
8.3.3 Statistical Methods to Strengthen Anonymization: 11
9. PERSONNEL INVOLVED IN PERSONAL DATA RETENTION AND DESTRUCTION PROCESSES. 11
10. PERSONAL DATA RETENTION AND DESTRUCTION TIMES. 12
10.1 DELETION, DESTRUCTION OR ANOYNMIZATION EX OFFICIO TIMES. 13
10.2 DELETION AND DESTRUCTION TIMES OF PERSONAL DATA UPON REQUEST OF THE PERSON CONCERNED.. 13
ANNEX 1 PERSONNEL INVOLVED IN PERSONAL DATA RETENTION AND DESTRUCTION PROCESSES. 13
The purpose of this policy is to define the procedures and principles, internal controls and precautions, operating rules and responsibilities regarding the retention and destruction of the ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (Company) for the maximum time necessary for the purpose for which the personal data are processed in accordance to the Turkish Personal Data Protection Law no. 6698 (Law).
In line with the mission, vision and basic principles of the Strategic Plan, the company has adopted as a priority the processing of data of employees, employee candidates, service providers, visitors and other third parties in accordance with Turkish Basic Law, International Agreements, Turkish Personal Data Protection Law no. 6698 (Law) and other related consents and to effectively exercise the rights of the data owners. The work and procedures regarding the retention and destruction of personal data are carried out by the company in accordance with the Policy prepared in this policy.
These policy provisions are applied to customers, visitors, employees, employee candidates, shareholders, natural person authorities, shareholders, employees of the companies with which the Company has commercial relations (group companies, partners, suppliers, consultancies, etc.) and family members of data owners, whose personal data are processed by the Company in whole or in part, or non-automated provided that it is part of any data recording system. This policy has been prepared in accordance with the Company's "Personal Data Inventory".
This policy has been approved and implemented by the Company’s Board of Directors. Within the framework of the policy, all activities to be carried out in the company and the measures to be taken are defined by the appropriate procedures. The Company's management is responsible for preparing, updating and implementing these procedures.
All Company employees are responsible for performing their duties in accordance with this policy and all relevant procedures and regulations.
The important definitions in this policy are listed below.
Recipient Group |
The category of natural or legal persons to whom personal data is transferred by the data controller. |
Cloud Environments / Systems |
Systems where data such as Office 365, Salesforce, Dropbox can be stored and accessed on the internet. |
Direct identifiers |
Identifiers that directly reveal, disclose and distinguish the person they are in contact with. |
Indirect identifiers |
Identifiers that come together with other identifiers to reveal, disclose and distinguish the person they are in contact with. |
Data owner |
Natural person whose personal data are processed. |
Related user |
Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, with the exception of the person or unit responsible for the technical retention, protection and backup of the data. |
Destruction |
Deletion, Destruction, and Anonymization of Personal Data. |
Law |
Turkish Personal Data Protection Law no. 6698. |
Blackout |
Procedures such as scratching, painting and icing all of the personal data so that they cannot be associated with an identified or identifiable natural person. |
Recording Medium |
Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system. |
Personal Data |
Any information relating to an identified or identifiable natural person; |
Personal Data Processing Inventory |
Inventory in which are described and detailed; personal data processing activities carried out depending on the business processes of data officers; personal data processing purposes, data category, transferred recipient group and the maximum amount of time required for the purposes for which the personal data is created and associated with the data owner group, personal data foreseen to be transferred to foreign countries and data security measures. |
Processing of personal data |
Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system. |
Deletion of personal data |
Making personal data inaccessible and unusable to relevant users in any way. |
Destruction of personal data |
Making personal data inaccessible, retrievable and reusable by anyone. |
Anonymization of personal data |
Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data. |
Board |
The Board of Protection of Personal Data. |
Authority |
The Authority of Protection of Personal Data. |
Magnetic Tape |
Media that stores the data with the help of micro magnet pieces on the flexible tape |
Magnetic Disc |
Media that stores data with the help of micro-magnet pieces on flexible (plate) or fixed media |
Masking |
Operations such as deletion, scratching, painting and starring certain areas of personal data in such a way that they cannot be associated with a specific or identifiable natural person. |
Periodic destruction |
In the event that all the conditions in the law for processing personal data disappear, the deletion, destruction or anonymisation will be carried out ex officio at regular intervals, as specified in the Personal Data Retention and Destruction Policy. |
Data processor |
Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller. |
Data recording system |
Any recording system through which personal data are processed by structuring according to specific criteria. |
Data controller |
Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system. |
The personal data of the data owners are stored securely in the following recording mediums organized by the Company in accordance with the relevant legislation, in particular the provisions of the Law, and within the framework of data security principles:
Personal data collected by the Company are processed within the scope of the purposes set out in the Personal Data Protection and Processing Policy in accordance with the processing conditions specified in Articles 5 and 6 of the Law and stored for the following purposes:
Personal data processed within the framework of the Company's activities, is stored for the period of retention envisaged under the laws given below:
Although it has been processed in accordance with the provisions of the law and other relevant laws, in the event that the reasons requiring its processing disappear, the personal data is deleted, destructed or anonymized by the Company ex officio or upon the request of the person concerned.
Accordingly;
Technical and administrative measures are taken by the Company to ensure the appropriate level of security in order to prevent and protect the personal data from being illegally processed and accessed; Necessary audits are provided to ensure the enforcement of the provisions of the law.
Deletion of personal data is the process of making personal data inaccessible and reusable for the users concerned. All necessary technical and administrative measures are taken by the Company to make the deleted personal data inaccessible and reusable for the users concerned.
The process followed in the deletion of personal data is as follows:
Personal data are deleted by methods suitable for the recording media in which they are stored.
The destruction of personal data is to make the data inaccessible, retrievable and reusable for anyone. All necessary technical and administrative measures to destruct personal data are taken by the Company.
In order to destruct personal data, all copies of the data will be recognised and will be destructed in the following manner, one after the other, depending on the nature of the systems on which the data are available:
When personal data is made anonymous, personal data is under no circumstances associated with an identified or identifiable natural person, even if it is compared with other data. Anonymisation means that all direct and/or indirect identifiers in a data set are removed or changed in order to prevent the identity of the data owner from being identified or from losing their distinction in a group or set in a way that cannot be attributed to any natural person. Data that does not indicate a specific person due to the blocking or loss of these functions is considered anonymous data.
In determining the anonymisation methods to be used by the company, taking into account the following characteristics of the data set, one of the methods contained in the guidelines published by the Authority on the deletion, destruction or anonymisation of personal data shall be used:
• Extracting Variables
• Extracting Records
• Regional Hiding
• Generalization
• Lower and Upper Limit Coding
• Global Coding
• Sampling
• Masking
• Aggregation / Creating Cumulative Data
• Micro Joining
• Data Exchange
• Add Noise
• K-Anonymity
• L-Diversity
• T-Proximity
All units and employees of the Company, who are involved in the processing, retention and destruction of personal data, are responsible for the fulfilment of this Policy requirements, the proper implementation of the technical and administrative measures taken under the Policy, and for storing and protecting the data they produce in their own business processes.
Regular destruction that affects business processes and leads to data integrity, data loss and results that are contrary to legal requirements is carried out by the Information Technology Department, taking into account the nature of personal data, the systems in which it is stored and the business unit that owns the data.
The titles, units and job descriptions of those involved in the retention and destruction of personal data are included in the annex of this Policy.
The table showing the time of retention and destruction of personal data at the company is given below:
Data category |
Maximum retention time |
Destruction time |
Identity, Communication, Professional Experience, Personnel, Financial, Visual and Audio Information, Risk Management, Disability, Criminal Record Registration Information of Employee |
10 years after the end of the business relationship |
Within 180 days after the end of the retention period |
Health, Blood Group Information of Employee |
15 years after the end of the business relationship |
Within 180 days after the end of the retention period |
Transaction / Information Security Data of Employee |
During the business relationship |
Within 180 days after the end of the retention period |
Vehicle Data of Employee |
During the business relationship |
Within 180 days after the end of the business relationship |
Location Data of Employee |
1 month |
Within 180 days after the end of the retention period |
Identity, Communication and Professional Experience Information of Employee Candidate |
2 years |
Within 180 days after the end of the retention period |
Identity, Communication, Financial, Risk Management Information of Company Partner |
10 years after the end of the business relationship |
Within 180 days after the end of the retention period |
Identity, Communication, Financial, Visual and Audio, Risk Management Information of Supplier Authority/Employee |
10 years after the end of the business relationship |
Within 180 days after the end of the retention period |
Transaction Safety Information of Supplier Authority/Employee |
During the business relationship |
Within 180 days after the end of the business relationship |
Website Login - Logout Information of Visitors |
2 years |
Within 180 days after the end of the retention period |
Identity Information of Visitors |
2 months |
Within 180 days after the end of the retention period |
Physical Space Security Information |
2 months |
Within 180 days after the end of the retention period |
Contract |
10 years after the end of the business relationship |
Within 180 days after the end of the retention period |
Documents, Notebooks and Records |
10 years |
Within 180 days after the end of the retention period |
In the event that all the conditions for processing personal data disappear in the law, personal data will be regularly deleted, destructed or anonymize by the Company within a period of six months. In the first periodic destruction process following the date on which the obligation to delete, destruct or anonymize personal data occurs, the implementation of such transactions is ensured.
If the relevant personal data has been transferred to third parties, this is notified to the data transmitting parties and / or those who process data on behalf of the Company based on the authorization granted by the Company and necessary actions are taken before these persons.
In case the data owner requests the personal data to be deleted or destructed;
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
ANNEX 1 PERSONNEL INVOLVED IN PERSONAL DATA RETENTION AND DESTRUCTION PROCESSES
TITLE |
DEPARTMENT |
DUTY DEFINITION |
Senior Management |
Board of Directors, General Coordinator, General Manager |
Responsible for the preparation, publishing, updating of the policy and ensuring that the employees act in accordance with the policy. |
Department Manager |
All departments |
Responsible for the execution of the Policy in accordance with its duties and for its implementation in the unit it is responsible for. |
Information Technologies Manager |
Information Technologies |
Responsible for safely retention, processing, accessing and destructing of personal data, in accordance with the law and for the management of the personal data destruction process.
|
Human Resources Manager Finance Manager Accounting Manager Law Manager Quality Manager |
Human Resources Finance Accounting Law Quality |
Responsible for implementing personal data retention and destruction policy: Is responsible for the management of the personal data destruction process in accordance with the periodic destruction period, ensuring the compliance of the processes within its duty with the retention period. |
DOCUMENT NO |
: |
GM-P001 |
APPROVED BY |
: |
BOARD OF DIRECTORS |
DATE OF APPROVAL |
: |
05/01/2019 |
LAST REVISION DATE |
: |
00/0000 |
VERSION NO |
: |
01 |
RELATED DOCUMENTS |
: |
Personal Data Retention and Destruction Policy Personal Data Protection and Processing Enlightenment Text Explicit Consent Statement for Processing of Personal Data Processing of Sensitive Personal Data Policy Data owner Application Form |
CONTENTS |
1. PURPOSE. 3
2. SCOPE. 3
3. RESPONSIBILITY. 3
4. DEFINITIONS. 3
5. PROCESSING OF PERSONAL DATA. 5
5.1. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA.. 5
5.2. CONDITIONS FOR PROCESSING OF PERSONAL DATA.. 6
5.3. CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA.. 8
5.4. DATA OWNER, PERSON GROUP AND PERSONAL DATA CATEGORIES PROCESSED.. 9
5.5. PURPOSES OF PROCESSING PERSONAL DATA.. 11
5.6. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA.. 13
5.7. TRANSFER OF PERSONAL DATA.. 14
5.7.1. TRANSFER OF PERSONAL DATA DOMESTIC. 14
5.7.2. TRANSFER OF PERSONAL DATA ABROADI 15
5.7.3. TRANSFER OF DATA PROCESSED BY GROUP COMPANIES TO THE COMPANYI 15
6. DATA SECURITY ISSUES. 16
6.1 ADMINISTRATIVE MEASURES. 16
6.2 TECHNICAL MEASURES. 16
7. ENLIGHTENMENT. 17
8. RIGHTS OF THE DATA OWNER. 18
8.1 SITUATIONS OUTSIDE THE RIGHTS OF DATA OWNERS. 18
The purpose of this policy is to respect the fundamental rights and freedoms and privacy of individuals, especially the privacy of personal life, to ensure compliance with the obligations arising from the processing of personal data, to establish strategies, internal controls and measures, operational rules and responsibilities with regard to the processing and security of personal data, to make the data owner and the employees of the company aware while the processing of personal data by the company ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (Company), in accordance with the Basic Law of the Turkish Republic and Law No. 6698 on the protection of personal data.
These provisions apply to natural persons whose personal data are processed wholly or partly by automatic means or to natural persons whose data are not processed by automatic means, provided that they are part of a data collection system. Data owner is given in the article 5.4.
This policy has been approved and implemented by the Company’s Board of Directors. Within the framework of the policy, all activities to be carried out in the company and the measures to be taken are defined by the appropriate procedures. The Company's management is responsible for preparing, updating and implementing these procedures.
All Company employees are responsible for performing their duties in accordance with this policy and all relevant procedures and regulations.
The important definitions in this policy are listed below.
Explicit Consent |
Consent on a specific subject, informative and explained by free will |
Anonymization |
Rendering personal data by no means identified or identifiable with a natural person even by linking with other data. |
Data owner |
Natural person whose personal data are processed. |
Related user |
Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, with the exception of the person or unit responsible for the technical retention, protection and backup of the data. |
Destruction |
Deletion, Destruction, and Anonymization of Personal Data |
Law |
Turkish Personal Data Protection Law no. 6698 |
Recording Medium |
Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system. |
Personal Data |
Any information relating to an identified or identifiable natural person. |
Processing of personal data |
Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system. |
Deletion of personal data |
Making personal data inaccessible and unusable to relevant users in any way. |
Destruction of personal data |
Making personal data inaccessible, retrievable and reusable by anyone. |
Anonymization of personal data |
Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data. |
Board |
The Board of Protection of Personal Data. |
Authority |
The Authority of Protection of Personal Data. |
Sensitive Personal Data |
Race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and outfit, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data of persons. |
Periodic destruction |
In the event that all the conditions in the law for processing personal data disappear, the deletion, destruction or anonymisation will be carried out ex officio at regular intervals, as specified in the Personal Data Retention and Destruction Policy. |
Registry |
Register of Data Protection Officers of the Presidency of the Data Protection Authority |
Data processor |
Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller. |
Data recording system |
Any recording system through which personal data are processed by structuring according to specific criteria. |
Data controller |
Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system. |
The Company processes personal data in accordance with the procedures and principles established by law and other legislation, and the following principles are taken into account when processing personal data:
The Company will act in accordance with the law, secondary legislation and general principles of law when processing personal data under this policy. During the processing of personal data by the company, the following transaction will be applied as a minimum;
In accordance with this principle, the following points are realized by the Company;
The company shall ensure that the activities relating to the processing of personal data are clearly understandable to the data owner and are processed within the framework of the clear and legitimate purposes established before the start of the processing of personal data.
The personal data will be processed by the company only in connection with the achievement of the established objectives and only with the personal data necessary to achieve the purpose. The personal data collected will not be unlawfully disclosed to third parties and will not be used for purposes other than processing.
The company stores personal data only for the period of time required by the relevant laws or for the purpose for which it is processed. If the reasons for processing cease to apply, the personal data will be deleted, destructed or made anonymous by the Company, either ex officio or at the request of the data owner.
Retention periods and retention principles for personal data are regulated in the Personal Data Retention and Destruction Policy.
Personal data are processed by the company in accordance with the processing conditions set out in Article 5 of the Law. In this context, the personal data processing activities carried out will be carried out in the presence of the personal data processing conditions set out below:
The Company evaluates whether the purpose of personal data processing is based on one of the processing conditions other than explicit consent. If it does not fulfil at least one of the conditions derogating from the law as the explicit consent, the consent of the person concerned shall be deemed to be given for the continuation of the data processing activity.
In this context, the relevant personal data will be processed by the Company if the data owner consents to the Explicit Consent Statement for Processing of Personal Data regard to the processing of the data concerning him/her, with knowledge of the Personal Data Protection and Processing Enlightenment Text provided by the company, freewill, without leaving room for hesitation and limited only by the relevant transaction.
Insofar as the laws contain provisions for the processing of personal data, personal data will only be processed by the Company within the framework of the relevant legal provisions.
If the data owner cannot give his/her consent or his/her consent is not valid, the data may be processed by the Company in this context if the personal data are necessary to protect the life or physical integrity of the persons.
If the processing of personal data of the parties to the contract is obligatory, insofar as it is directly related to the conclusion or performance of a contract, the personal data of the persons concerned will be processed by the company, limited for this purpose.
If data processing is required to fulfil the legal obligation, the personal data of the person concerned will be processed by the Company.
Personal data which are published by the person concerned himself or herself and which are made available to the public in any way, are processed by the company restricted to the purpose.
If the processing of personal data is necessary for the establishment, use or protection of a right, the processing of personal data is carried out by the Company in parallel with this obligation.
The processing of personal data is possible if the processing of data is required for legitimate reasons of the company, provided that the fundamental rights and freedoms of the data owner are not violated. A fair balance is struck between the benefits to the company from the data processing and the fundamental rights and freedoms of the data owner.
Processing conditions and examples of personal data, which are out of consent, are given in the table below:
Processing conditions |
Scope |
Example |
Provision of the law |
Tax Laws, Labour Law, Turkish Commercial Code, etc. |
Keeping employee personal information in accordance with the law. |
Conclusion of contract |
Employment Contract, Sales Contract, etc. |
Processing of personal data of employees in order to organize payroll. |
Actual Impossibility |
A person who cannot give consent due to de facto impossibility or is unable to distinguish. |
Personal health information of the unconscious person. Location information of a kidnapped or missing person. |
Legal Obligation of Data Controller |
Financial Controls, Security Legislation, Compliance with Regulations. |
Processing of data such as bank account number, marital status, existence of dependant, working situation of spouse, social insurance number in order to pay wages to the employee. |
Publicity |
The person concerned presents his information to the public. |
The person declares his / her contact information publicly in order to be contacted in certain situations. |
Establishment, use or protection of a right |
Opening lawsuits, registration procedures, any kind of title deed etc. mandatory data in jobs. |
Keeping the necessary information about an employee leaving the job during the trial timeout. |
Legitimate Interest |
The processing of data is compulsory for the legitimate interests of the controller, provided that the fundamental rights of the data owner are not violated |
Data processing for the purpose of applying rewards and premiums that increase employee loyalty. |
When the company processes sensitive personal data, it first determines whether data processing conditions exist, after ensuring that the legal compliance requirement that data be processed is met. In this context, and subject to appropriate measures being adopted by the Management Board, specific personal data shall be processed under the following conditions:
Processing conditions and examples of sensitive personal data, excluding explicit consent, are given in the table below:
Processing conditions |
Scope |
Example |
Provision of the law |
Personal data other than health and sexual life can be processed without the explicit consent of the person concerned. Tax Laws, Labour Law, Turkish Commercial Code etc. stricter sensitive data processing conditions. |
The union information of the employee should be kept in the personal file as required by the legislation. |
Protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing |
Processing of data for the protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing by persons under the obligation to keep secrets or by authorized institutions and organizations. |
Health data processed by the doctor about his patient. |
The measures taken for the processing of sensitive quality personal data are regulated in the "Processing of Sensitive Personal Data Policy".
The group of persons whose personal data are processed by our company are as follows:
Data owner person group |
|
Employee Candidates & Trainee Candidates |
Real persons who have applied for a job to the company by any means or who have opened their CV and related information for our company review |
Employees |
Company employees |
Trainees |
High school and university students intern at the company |
Family members |
Family members of data owners |
Visitors |
All natural persons who have entered the physical campuses owned by the company for various purposes or visit our websites for any purpose |
Partner Authorities & Employees |
Real person authorities, shareholders, employees of the companies with which the Company has commercial relations |
Group Company Authorities & Employees |
Real persons whose personal data are obtained through the business relations of the Group Companies within the scope of the operations carried out by the Company. |
Supplier Authorities & Employees |
Real persons or natural persons authorities, shareholders, employees of the company or the legal entities outsourcing the goods and services. |
Shareholders |
Company shareholder natural persons |
Company Authorities |
Company's board members and other authorized natural persons |
Potential Customers |
Real persons who are likely to buy / use the products and services offered by our company / group companies |
Customers / Guests |
Regardless of whether there is any contract with our Company / Group companies, real persons who buy / use or use the products and services offered by our Company / Group companies. |
Third Parties |
Third party natural persons (eg, those declared as references) or other natural persons not covered by the Personal Data Protection and Processing Policy in order to ensure the security of business transactions between our above mentioned parties, or to protect the rights of such persons and provide benefits. |
The data processed for these people are categorized as follows:
ID information |
Turkish ID No., Passport No., ID Card Serial no., Driving Licence No., Tax No., Name Surname, Name of Father, Name of Mother, Nationality, Place of Birth, Date of Birth, Age, Place of Registry, (Province, District, Neighbourhood-Village, Volume No, Family Sequence Number, Sequence Number) Issuing Authority of the Identity Card, Reason of Issue, Registration Number, Issue Date, Validity Date, Previous Surname, Marital Status, Gender, Religion, Photograph; Signature example, Military status, Parental Consent |
Education & Experience Information |
Educational status, certificate and diploma information, foreign language information, CV and references, work experience information, course, seminar internship information, other education and skills. |
Contact information |
Personal / Corporate mobile-landline phone number; Personal / Corporate e-mail address; residence address; contact name and surname and phone number in case of emergency |
Sensitive Personal Data |
Criminal record, criminal conviction information; disability; religion; health data; blood group; race information |
Family Information |
ID information of mother, father, spouse and children; telephone number, profession, educational status of their children; spouse's employment status and income information; Name-surname and age of persons responsible for caring, except for spouse and minors (under 18); child birth certificate; first degree family members death certificates. |
Working Information |
SSK Registration number; insurance entry / pension, allocation number; social security no; tax office and number; past workplace registration information, previous workplace wage and tax deduction information; work permit (for foreign employees); incentive status; business arrangement; confidentiality commitments; general health insurance information; job offer information; position name / task, department and unit, title; deadline for employment; the date of entry and exit of work; overwork information; fixture-tool-equipment delivery documents; partnership / additional work declaration form etc. |
Permission Information |
Leave request forms, leave exit / return date, number of leave days, reason for leave, address / phone to be tracked; rest and incapacity reports; annual paid leave schedule; Not to come to work without permission / to arrive late for work report-warning |
Performance Information |
Performance evaluation and goal achievement status, activity information, discipline records |
Education & Development Information |
Participated trainings, seminars, gained skills, training participation and information / forms |
Financial Information |
Bank account number, wallet; payrolls, wage compasses, premiums, bonuses etc. documents related to payments; file and debt information on enforcement proceedings; minimum subsistence information; private health insurance information; Personal data processed for information, documents and records showing any financial results created according to the type of legal relationship established with the personal data owner. |
Vehicle Data |
Vehicle / vehicle usage information (License plate number, license serial number, work start date, insurance-motor insurance start date, traffic fines, accident minutes, work accident notifications, vehicle embezzlement documents) |
Location Data |
Vehicle location data -GPS location |
Dismissal Information |
Letter of Resignation, Notice of Termination, Disclaimer, Notice, Contract of Employment, SSI Exit Declaration, Last Month Payroll, Work / Service Document, Severance and Notice Payrolls, Documents Proving the Reason for Termination of Service, Minutes Arranged for the Termination of the Service Contract |
Internet Access Information |
Personal / Company electronic devices and internet access log records over the Company's networks, related IP addresses |
System Access Authorization Information |
System login-logout and activity logs, username-password, IP addresses |
Audio / Visual Information |
Photographs and camera recordings (Except for records within the scope of Physical Space Security Information) |
Physical Space Security Information |
Image records, turnstile records, security records, etc., taken at the entrance to the physical space and during the stay at the physical space. |
Visit Information |
Entry and exit time to company facilities, vehicle brand and license plate, company information |
Marketing Information |
Satisfaction surveys that show the usage habits, likes and needs of customers with personal data, campaigns, reports and evaluations obtained as a result of direct marketing studies etc. |
Customer / Guest Information |
Records regarding the use of products and services and instructions and requests of the customer required for the use of products and services; professional knowledge, countries visited; training; height-weight |
Travel & Accommodation Information |
Travel and visa information, reservation / voucher number, flight information, hotel information, check-in, check-out dates, room number |
Request and Complaint Management Information |
Personal data regarding the receipt and evaluation of requests and complaints about customer satisfaction surveys, products and services. |
Personal data collected by the company are processed in accordance with the processing conditions specified in Articles 5 and 6 of the Law for the following purposes:
Main Purposes |
Sub Purposes |
Management of the Company, Execution and Control of the Activities, Physical, Legal and Commercial Security Supply |
Making and Implementing Emergency and Crisis Management Plans |
Managing Finance and Accounting Processes |
|
Provision of Physical Space Security |
|
Management of Relations and Related Processes with Group Companies, Partners and Suppliers |
|
Execution of Legal Processes |
|
Performance of Internal Audit and Internal Control Activities |
|
Business Continuity Management |
|
Ensuring Registration and Document Layout |
|
Planning and Execution of Corporate Management Activities |
|
Execution of Risk Management Processes |
|
Execution of Contract Processes |
|
Execution of Strategic Planning Activities |
|
Managing Process Management and Improvement Activities |
|
Ensuring Company Activities are Carried out in accordance with Company Policies and Procedures and / or Relevant Legislation |
|
Ensuring the legal and commercial security of the company, personnel and people who have a business relationship with the Company |
|
Securing the Company's Assets |
|
Fulfilling our legal obligations and exercising our rights arising from the applicable legislation in accordance with the applicable legislation. |
|
Execution of Supply Chain Management Processes |
|
Execution of Investment Processes |
|
Giving Information to Authorized Persons, Institutions and Organizations |
|
Creating and Tracking Visitor Records |
|
Management of Human Resources Processes |
Execution of candidate application processes |
Execution of candidate selection and evaluation processes |
|
Carrying out activities for employee satisfaction and loyalty |
|
Managing processes regarding employee benefits and rights |
|
Follow-up and control of employees' business activities |
|
Conducting occupational health and safety processes |
|
Establishment, performance and fulfilment of the obligations assumed. |
|
Recruitment, personal and discharge procedures |
|
Career planning, execution of promotion-appointment processes |
|
Fulfilment of performance management processes |
|
Execution of Personnel Assignment and Authorization Processes |
|
Planning and Implementing Training and Orientation Programs |
|
Management of Wage Policy |
|
Foreign Personnel Work and Residence Permit Procedures |
|
Information Systems & Information Security Management |
Planning and Execution of Information Security Processes |
Information Systems Risk Management |
|
Fulfilling Legal Obligations Regarding Internet Traffic Monitoring |
|
Management of User Access and Authorization Processes |
|
Creating Log Records |
|
Planning and Implementation of Communication and Marketing Activities |
Planning and Implementation of Events and Organizations |
Execution of Loyalty Processes for Firms / Products / Services |
|
Execution of Communication Activities |
|
Statistical Analysis and Market Research |
|
Execution of Activities like Campaign, Promotion, Advertisement, Promotion, etc. |
|
Customer Relations Management |
|
Customer Satisfaction Management |
|
Planning & Management of Marketing Activities |
|
Execution of Sponsorship Activities |
|
Planning and Serving Products and Services |
Execution of Logistics Activities |
Execution of Goods / Services After Sales Support Services |
|
Execution of Operation Processes |
|
Communication with Customers Regarding the Products and Services Offered |
|
Performance of Product / Service Conditions and Fulfilment of Obligations |
|
Establishment and Management of Processes Regarding Planning and Sales of Products / Services |
|
Demand and Complaint Management |
Personal data may be processed with the explicit consent of the data owner in the following cases where the conditions for processing personal data laid down in Article 5(2) and (3) of the Law are not met;
Processed Personal Data |
Purpose of processing |
Health and Blood Group Information and Disability Status |
Compliance with occupational health and safety regulations; Recruitment and periodic inspections and examinations within the scope of health surveillance of the workplace doctor, health report, e-reçete (prescription), health screening processes and corporate health insurance processes, execution of visa processes. |
Religion (obtained by obtaining a copy of the old identity card) and Nationality Information; criminal conviction information |
Management of human resources processes; Creation of the personal file within the scope of the Labour Law; Visa processing of employees, company authorities, employees and guests limited to certain tours. |
Audiovisual Data (Photos & camera recordings) |
Planning and implementation of corporate communication activities; management of corporate social media accounts; execution of visa procedures |
Birthday Information; Birth and death information of 1st degree relatives |
Celebrating the birthday of employees and sharing their families' death information within the scope of internal communication activities |
Although it has been processed in accordance with the provisions of the law and other relevant laws, in the event that the reasons requiring its processing disappear, the personal data is deleted, destructed or anonymized by the Company ex officio or upon the request of the person concerned.
Accordingly;
The rules for the deletion or anonymisation of personal data are laid down in the Personal Data Retention and Destruction Policy.
The transmissions of personal data to be carried out by the Company will comply with the conditions of transmission of personal data laid down in Articles 8 and 9 of the Law.
The parties to whom personal data may be transferred and the purposes of transfer are as follows:
Parties, to whom personal data may be transferred |
Transfer purposes |
Legally Authorized Institutions |
Meeting the information-document request within the legal authority of authorized public institutions and organizations and private law persons. |
Shareholders |
Corporate law, commercial activities, event management and execution of corporate communication processes. |
Company Authorities |
Designing, implementing and managing strategies regarding the commercial activities of the Company; carrying out monitoring, risk management and audit activities. |
Work partners |
Fulfilment of the purposes of establishment of business partnership and commercial activities. |
Group Companies |
Carrying out processes and commercial activities that also require the participation of group companies. |
Suppliers |
Managing processes regarding outsourced goods and services, receiving support, supervision and consultancy services, benefiting from the benefits of the personnel. |
Third Parties |
Information sharing within the scope of reference verification / inquiry processes for employee candidates and leaving employees. |
Personal data may be transferred by the company if one of the following conditions exists:
Sensitive personal data can be transferred by taking sufficient precautions determined by the Board and if one of the following conditions exists:
The measures taken for the transfer of sensitive personal data are regulated in the " Processing of Sensitive Personal Data Policy".
Personal data may be transferred abroad by the company if one of the following conditions exists:
In the event that Turkey or the interest of the person concerned suffers serious harm, personal data may be transferred abroad with the permission of the Executive Board, without prejudice to the provisions of the international treaty, but only with the opinion of the competent public institution or organization.
The measures taken for the transfer of sensitive personal data abroad are regulated in the " Processing of Sensitive Personal Data Policy".
The Company's personal data, which are processed by the Group Companies, in order to carry out the activities of the Group Companies in accordance with the Company's principles, targets and strategies, and to protect the rights, interests and reputation of the group, can also be processed by the Company. G In the event that the personal data sharing between the Group Companies and the Company takes place within the scope of the Law within the scope of the personal data transfer from the data controller to the data controller, the relevant Group Company enlightens the person that the personal data can be sent to the Company at the stage of collecting the personal data of the relevant person.
Any necessary technical and administrative measures are taken by the Company to ensure the appropriate level of security in order to prevent and protect the personal data from being processed and accessed unlawfully; Necessary audits are provided to ensure the enforcement of the provisions of the law.
The processed personal data cannot be disclosed to anyone else in violation of the provisions of the Law and cannot be used for purposes other than processing. During the acquisition of personal data, the Company informs the relevant people about the following subjects with the "Personal Data Protection and Processing Enlightenment Text".
The “Personal Data Protection and Processing Enlightenment Text" is also provided on the Company website.
If personal data cannot be obtained directly from the person due to the actual impossibility or inaccessibility of the person concerned;
• Within a reasonable time from the acquisition of personal data,
• In case personal data will be used for communication with the person concerned, during the initial communication,
• If personal data is to be transferred, the obligation to enlighten the relevant person is fulfilled at the latest when personal data is transferred for the first time.
There is no obligation of illumination if personal data that is publicized by the person concerned is processed.
The data owner has the following rights about him/her by applying to our Company;
a) Find out if personal data is processed,
b) If personal data is processed, requesting information about it,
c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
ç) To know the third parties to whom personal data are transferred domestically or abroad,
d) Requesting correction of personal data if it is incomplete or incorrectly processed,
e) Request personal data to be deleted or destructed,
f) to request notification of transactions made in accordance with clauses (d) and (e) to third parties to whom personal data are transferred,
g) To object to the emergence of a result against the person by analysing the processed data exclusively through automated systems,
ğ) In the event that personal data is damaged due to illegal processing, the data owner has the right to demand the removal of the damage.
The company has established the operation and necessary communication channels for the management, fulfilment and recording of personal data owners’ applications.
The data owner conveys his requests regarding the implementation of the Law to the Company by filling out the "Data owner Application Form" at www.a-energy.com.tr with the information and documents that will determine his/her identity and by the following methods or other methods determined by the Board.
The company concludes its requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires a separate cost, the fee at the tariff determined by the Board may be charged.
The company accepts the request or rejects it by explaining its reason and informs the person in writing or electronically. In case the request in the application is accepted, the Company fulfils the requirement. In case the application is caused by the Company's error, the fee collected is returned to the concerned person.
In case the application is rejected, the answer is insufficient or the application is not answered in due time; the person concerned may complain to the Board within thirty days from the date when the Company has learned the answer, and within sixty days from the date of application.
Personal data owners will not be able to assert their rights in case of the following situations where the provisions of the law are not applied:
Except for the obligation of illumination and the right to demand compensation, provided that it complies with the purpose and basic principles of the Law, personal data owners will not be able to assert their rights if:
DOCUMENT NO |
: |
GM-P003 |
APPROVED BY |
: |
BOARD OF DIRECTORS |
DATE OF APPROVAL |
: |
05/01/2019 |
LAST REVISION DATE |
: |
00/0000 |
VERSION NO |
: |
01 |
RELATED DOCUMENTS |
: |
Personal Data Protection and Processing Policy Personal Data Retention and Destruction Policy Personal Data Protection and Processing Enlightenment Text Personal Data Processing Explicit Consent Statement |
CONTENTS |
1. PURPOSE. 3
2. SCOPE. 3
3. RESPONSIBILITY. 3
4. DEFINITIONS. 3
5. PROCESSING OF SENSITIVE PERSONAL DATA. 5
5.1. GENERAL PRINCIPLES REGARDING THE PROCESSING OF SENSITIVE PERSONAL DATA.. 5
5.2. CONDITIONS FOR PROCESSING OF SENITIVE PERSONAL DATA.. 5
5.3. DATA OWNER, PERSON GROUP AND PERSONAL DATA CATEGORIES PROCESSED.. 6
5.4. PURPOSES OF PROCESSING SENSITIVE PERSONAL DATA.. 7
5.5. DELETION, DESTRUCTION AND ANONYMIZATION OF SENSITIVE PERSONAL DATA.. 8
5.6. TRANSFER OF SENSITIVE PERSONAL DATA.. 8
5.6.1. TRANSFER OF SENSITIVE PERSONAL DATA DOMESTIC. 8
5.6.2. TRANSFER OF SENSITIVE PERSONAL DATA ABROAD.. 9
6. DATA SECURITY ISSUES. 9
6.1 ADMINISTRATIVE MEASURES. 9
6.2 TECHNICAL MEASURES. 10
7. RIGHTS OF DATA OWNER. 11
The purpose of this policy is to ensure compliance with the obligations within the scope of processing sensitive personal data, determination of controls and precautions, rules and responsibilities related to processing and security of sensitive personal data and to make the data owner and the employees of the company aware, in addition to the regulations within the scope of the "Protection and Processing of Personal Data Policy" (law) while the processing of personal data by the company ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (Company), in accordance with the Basic Law of the Turkish Republic and Law No. 6698 on the protection of personal data.
These policy provisions apply to customers, employees, family members of employees, trainees, customers, shareholders whose data are processed by the Company wholly or partly by automatic means or who are processed automatically by being part of a data collection system.
This policy, which is an annex to the Company's Personal Data Protection and Processing Policy, has been approved by the Company's Board of Directors and came into force. All activities and measures to be taken within the framework of policies and within the Company are determined by relevant procedures. The Company's Senior Management is responsible for the preparation, updating and implementation of these procedures.
All Company employees are responsible for performing their duties in accordance with this policy and all relevant procedures and regulations.
The important definitions in this policy are listed below.
Explicit Consent |
Consent on a specific subject, informative and explained by free will |
Anonymization |
Rendering personal data by no means identified or identifiable with a natural person even by linking with other data. |
Data owner |
Natural person whose personal data are processed. |
Related user |
Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, with the exception of the person or unit responsible for the technical retention, protection and backup of the data. |
Destruction |
Deletion, Destruction, and Anonymization of Personal Data |
Law |
Turkish Personal Data Protection Law no. 6698 |
Recording Medium |
Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system. |
Personal Data |
Any information relating to an identified or identifiable natural person. |
Processing of personal data |
Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system. |
Deletion of personal data |
Making personal data inaccessible and unusable to relevant users in any way. |
Destruction of personal data |
Making personal data inaccessible, retrievable and reusable by anyone. |
Anonymization of personal data |
Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data. |
Board |
The Board of Protection of Personal Data. |
Authority |
The Authority of Protection of Personal Data. |
Sensitive Personal Data |
Race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and outfit, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data of persons. |
Periodic destruction |
In the event that all the conditions in the law for processing personal data disappear, the deletion, destruction or anonymisation will be carried out ex officio at regular intervals, as specified in the Personal Data Retention and Destruction Policy. |
Registry |
Register of Data Protection Officers of the Presidency of the Data Protection Authority |
Data processor |
Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller. |
Data recording system |
Any recording system through which personal data are processed by structuring according to specific criteria. |
Data controller |
Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system. |
Processing of personal data |
Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system. |
The personal data at the company are processed in accordance with the procedures and principles stipulated in the Law and other laws, and the principles set out in the "Personal Data Protection and Processing Policy" are taken into consideration in the processing of personal data.
When the company processes sensitive personal data, it first determines whether data processing conditions exist, after ensuring that the legal compliance requirement that data be processed is met. In this context, and subject to appropriate measures being adopted by the Management Board, specific personal data shall be processed under the following conditions:
During the acquisition of sensitive personal data, the Company informs the data owner about the following issues with the "Protection and Processing of Personal Data Enlightenment Text":
The relevant personal data will be processed by the Company if the data owner consents to the Explicit Consent Statement for Processing of Personal Data regard to the processing of the data concerning him/her, with knowledge of the Personal Data Protection and Processing Enlightenment Text provided by the company, freewill, without leaving room for hesitation and limited only by the relevant transaction.
Insofar as the laws contain provisions for the processing of personal data, personal data will only be processed by the Company within the framework of the relevant legal provisions.
The processed personal data cannot be disclosed to anyone else in violation of the provisions of the Law and cannot be used for purposes other than processing.
Processing conditions and examples of sensitive personal data, excluding explicit consent, are given in the table below:
Processing conditions |
Scope |
Example |
Provision of the law |
Personal data other than health and sexual life can be processed without the explicit consent of the person concerned. Tax Laws, Labour Law, Turkish Commercial Code etc. stricter sensitive data processing conditions. |
The union information of the employee should be kept in the personal file as required by the legislation. |
Protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing |
Processing of data for the protection of public health, preventive medicine, medical diagnosis, treatment and care, health care, and for the purpose of planning and management of health services and financing by persons under the obligation to keep secrets or by authorized institutions and organizations. |
Health data processed by the doctor about his patient. |
The group of persons whose personal data are processed by our company are as follows:
Data owner person group |
|
Employees |
Company employees |
Trainees |
High school and university students intern at the company |
Family members |
Family members of data owners |
Shareholders |
Company shareholder natural persons |
Customers |
Regardless of whether there is any contractual relationship with our company, real persons who have purchased / used our products and services. |
The sensitive personal data processed for these people are as follows:
Sensitive Personal Data |
Nationality, religion, criminal record, disability, health and blood group information |
The personal data collected by the company are processed in accordance with the processing conditions specified in Article 6 of the Law for the following purposes:
Main Purposes |
Sub Purposes |
Management of the company, performing the activities in accordance with the law, Company policies and procedures |
Fulfilling our legal obligations and exercising our rights arising from the current legislation in accordance with the applicable legislation. |
Establishment and management of processes related to the planning and sales of products / services; performance of product and service conditions and fulfill the obligations assumed completely and correctly |
|
Providing accommodation, tour and visa services to customers |
|
Follow-up of contract processes and / or legal transactions |
|
Execution of the operational processes |
|
Risk management, auditing and control activities |
|
Arrangement of all records and documents that will be based on transactions |
|
Providing information from the legislation to public / private institutions and organizations authorized to receive information and documents in line with the relevant legislation provisions. |
|
Providing information to audit companies in accordance with the Law to ensure compliance with legal obligations and company policies |
|
Ensuring the physical, legal and commercial security of the company, personnel and people who have business relations with the Company |
|
Execution of human resources policies; planning and execution of human resources processes |
Establishment, performance and fulfilment of the obligations assumed. |
Conducting recruitment and personal processes |
|
Establishment, use or protection of processes related to benefits and interests such as corporate health insurance and private pension |
|
Compliance with occupational health and safety regulations; Recruitment and periodic inspections and examinations within the scope of health surveillance of the workplace doctor, health report, e-reçete (prescription), health screening processes. |
|
In cases where the personal data processing conditions specified in Article 6 (3) of the Law are not met, personal data may be processed on the explicit consent of the data owner.
Although it has been processed in accordance with the provisions of the law and other relevant laws, in the event that the reasons requiring its processing disappear, the personal data is deleted, destructed or anonymized by the Company ex officio or upon the request of the person concerned.
In terms of deletion, destruction or anonymization of personal data, it is complied with the general principles in article 4 of the Law and the technical and administrative measures to be taken within the scope of article 12, the relevant legislation provisions, Board decisions and Personal Data Retention and Destruction Policy.
In the case of sensitive personal data transfers to be carried out by the company, it will act in accordance with the sensitive personal data transfer conditions arranged by the Board Decision.
The parties to which sensitive personal data can be transferred and the transfer purposes are as follows:
Parties, to whom personal data may be transferred |
Transfer purposes |
Legally Authorized Institutions |
Meeting the information-document request within the legal authority of authorized public institutions and organizations and private law persons. |
Work partners |
Fulfilment of the purposes of establishment of business partnership and commercial activities. |
Group Companies |
Carrying out processes and commercial activities that also require the participation of group companies. |
Suppliers |
Managing processes regarding outsourced goods and services, receiving support, supervision and consultancy services, benefiting from the benefits of the personnel. |
Sensitive personal data can be transferred by taking sufficient precautions determined by the Board and if one of the following conditions exists:
Adequate measures taken for the transfer of personal data of special nature are regulated in Article 6 of this Policy.
Personal data may be transferred abroad by the company if one of the following conditions exists:
Without prejudice to the provisions of international conventions, where the interest of Turkey or the data owner will be seriously damaged personal data can only be transferred abroad with the permission of the Board, by obtaining the opinion of the relevant public institution or organization.
Adequate measures taken for the transfer of sensitive personal data abroad are regulated in Article 6 of this Policy.
Any necessary technical and administrative measures are taken by the Company to ensure the appropriate level of security in order to prevent and protect the personal data from being processed and accessed unlawfully; Necessary audits are provided to ensure the enforcement of the provisions of the law.
The rights of the data owner under the Law, the methods of transmitting their requests regarding the implementation of the Law, and the provisions regarding the finalization of the requests by the Company are regulated in the Protection and Processing of Personal Data Policy.
The purpose of this Cookie Policy is to provide information to you regarding processing of personal data which are obtained because of the usage of cookies by Platform users/members/visitors (Data Owner’) while running the mobile application and the web-page (‘Website’) www.a-energy.com.tr (all together hereinafter referred to as ‘Platform’), which are operated by ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (the ‘Company’). The expression of ‘personal data’ included in this policy covers the information listed below:
• Customer Information
• Device Information
• Behaviours
• Demographic Information
• Marketing Information
• Behavioural Advertising
You may visit the Platform without giving any personal information. Cookies are used during your visit in order to collect information about Platform usage, to ensure that our visitors benefit from the Platform in the most efficient manner and to improve user experience.
By visiting the Platform, you are deemed to have approved the use of the information, collected thanks to cookies, in compliance with the Policy of Protecting and Processing Personal Data which is presented in the following address: https://www..... If you do not want the cookies to be used in such manner, you must adjust the settings of your browser or abstain from using the Platform. Deactivating the cookies that we use may affect your user experience in the Platform.
What are the Cookies and why are the Cookies used?
Cookies are the text files with small sizes which are stored in your device or the network server through the browsers by websites you visit. Cookies cannot collect any information, including your personal information stored in your computer or files. In order to receive more information about cookies please visit the following websites: www.aboutcookies.org and www.allaboutcookies.org. The purposes of using cookies in the Platform are listed below:
Categories of the Cookies Used in the Platform
(Technical Cookies) |
Thanks to technical cookies running of the Site is ensured and pages and areas of the website that do not run or respond are determined. |
(Authentication Cookies) |
In case the visitors log in the Site by entering their passwords, Authentication Cookies detects the visitor as the user of the website in each page visited by the visitor so that, visitors do not have to enter their passwords in each page. |
(Flash Cookies) |
These are the cookies that are used to activate the image or audio contents present in the Site. |
(Customization Cookies) |
Customization Cookies are used to remember the preferences of users while visiting different pages of a different website. For instance, it remembers the language preference that you have previously selected. |
(Analytical Cookies) |
Analytical Cookies make it possible to generate the analytical results such as number of visitors who visit the Site and the pages displayed in the Site, the time when the Site is visited and scrolling motions between different internet sites. |
Cookies Used in the Platform
Cookie Type |
Explanation, Duration and Preferences |
Analytical Cookies |
|
For Advertisement |
It is used in order to display behavioural or target-oriented advertisements to visitors. It is possible to accept or reject them through browser settings. |
Market Analysis |
It is used in order to conduct a market analysis. It is possible to accept or reject them through browser settings. |
Campaign/Promotion |
It is used in order to calculate the effect of campaigns. It is possible to accept or reject them through browser settings. |
|
These kinds of cookies makes it possible to monitor Facebook members (or non-members) with the intent of market analysis and product development. It is possible to accept or reject them through browser settings. |
|
These cookies are used to monitor members or non-member visitors of social media networks with the intent of market analysis and product development. It is possible to accept or reject them through browser settings. |
Google Analytical |
These kinds of cookies ensures collecting all statistical data and thus improving the presentation and usage of the Site. Google enables us to have a better understanding on the users by adding data regarding societal statistics and interests to such statistics. Our website uses Google Analytical cookies. Data that are collected by means of such cookies are transmitted to Google servers located in USA and these data are preserved in compliance with the data protection principles of Google. In order to receive further information about principles of Googles regarding the analytical data processing activities and protection of personal data please click here. Controlling the Cookies |
Technical Cookies |
|
Session |
Session cookies are used in order to maintain the continuity of the session. It is possible to accept or reject them through browser settings. |
Load-Balancing |
Load Balancing Cookies are used in order to reduce the load on server by dispersing the load. It is possible to accept or reject them through browser settings. |
Security |
Security cookies are used for the security controls. It is possible to accept or reject them through browser settings. |
Fraud Detection |
These kinds of cookies are used in order to detect clicking tricks. It is possible to accept or reject them through browser settings. |
Authentication Cookies |
|
User ID |
User ID cookies are used in order to display to users only their own information. It is possible to accept or reject them through browser settings. |
Customization Cookies |
|
Language |
It memorizes the language selected by user and offers options in accordance with the selection of language. It is possible to accept or reject them through browser settings. |
Mobile |
It is used to display the main website if the user visits the Site through a mobile device. (For example, the device activated the flash or user is in a mobile site which do not require a Flash.) The From Site is recorded in order to comprehend the user preferences better. It is possible to accept or reject them through browser settings. |
Flash Cookies |
|
Flash Cookies |
It activates the audio and video contents to be played. It is possible to accept or reject them through browser settings. |
Is It Possible to Avoid the Usage of Cookies by Data Owners?
Data owners have the ability to customise their preferences regarding cookies by changing their browser settings. If the browser, which is used, provides the user with such opportunity then, it is possible to change the preferences regarding Cookies through the browser settings. Thus, while it may vary across the possibilities offered by the browser used data owners have the opportunity to block usage of cookies or to receive a warning before using cookies or deactivate or delete only the certain Cookies.
Preferences regarding cookies may be required to be determined and adjusted separately for each different device through which the user gain access to the Platform.
Adobe Analytics |
|
AOL |
https://help.aol.com/articles/restore-security-settings-and-enable-cookie-settings-on-browser |
Google Adwords |
|
Google Analytics |
|
Google Chrome |
http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647 |
Internet Explorer |
https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies |
MozillaFirefox |
|
Opera |
|
Safari |
DATA OWNER APPLICATION MANAGEMENT POLICY
DOCUMENT NO |
: |
GM-P004 |
APPROVED BY |
: |
BOARD OF DIRECTORS |
DATE OF APPROVAL |
: |
05/01/2019 |
LAST REVISION DATE |
: |
00/0000 |
VERSION NO |
: |
01 |
RELATED DOCUMENTS |
: |
Personal Data Retention and Destruction Policy Data Owner Application Form |
CONTENTS |
1.& PURPOSE. 2
2.& SCOPE. 3
3.& RESPONSIBILITY. 3
4.& DEFINITION.. 3
5.& APPLICATION RIGHT. 4
6.& APPLICATION PROCEDURES. 5
7.& APPLICATION RECORDING. 6
8.& APPLICATION EVALUATION.. 7
8.1. PERSONAL DATA DETECTION.. 7
8.2. INFORMATION REQUEST FOR PERSONAL DATA PROCESSED.. 7
8.3. CORRECTION REQUEST FOR PERSONAL DATA PROCESSED.. 7
8.4. DELETION/ DESTRUCTION REQUEST FOR PERSONAL DATA PROCESSED.. 7
8.5. REQUEST FOR NOTIFICATION OF CORRECTION / DELETION / DESTRUCTION REQUESTS REGARDING THE PROCESSED PERSONAL DATA TO THE DATA TRANSMITTED PARTIES. 8
8.6. OBJECTING TO THE EMERGENCE OF A RESULT AGAINST THE PERSON HIMSELF/HERSELF. 8
8.7. REQUEST TO ELIMINATE THE LOSS, IN CASE THE PERSONAL DATA IS DAMAGED DUE TO UNLAWFUL PROCESSING OF PERSONAL DATA.. 8
9.& RESPONDING APPLICATION.. 8
10. FEE. 9
The purpose of this policy is to explain the operation and communication channels established regarding the management, execution and recording of the applications of the data owners with the implementation of the Law by the company ANEXSERVİCES TURİZM ORGANİZASYON TAŞIMACILIK TİCARET ANONİM ŞİRKETİ (company) in the capacity of data controller in accordance with Personal Data Protection Law No. 6698 (Law).
These policy provisions apply to natural persons who have personal data processed by the Company in full or partial automation, or non-automated means provided that they are part of any data recording system.
This policy has been approved and implemented by the Company’s Board of Directors. Within the framework of the policy, all activities to be carried out in the company and the measures to be taken are defined by the appropriate procedures. The Company's management is responsible for preparing, updating and implementing these procedures.
Contact Person
Department Managers
Anonymization |
Rendering personal data by no means identified or identifiable with a natural person even by linking with other data. |
Application |
Application made under Article 13 of the Law |
Secure Electronic Signature |
The electronic signature, which is linked exclusively to the signer and is created using the secure electronic signature creation tool available only to the signer, identifies the signer using the qualified electronic certificate and ensures that changes have been made to the signed electronic data. |
Data owner |
Natural person whose personal data are processed. |
Destruction |
Deletion, Destruction, and Anonymization of Personal Data |
Contact Person |
Legal person reported to the Registry by the data officer for communication with the institution during registration, regarding the obligations of its representative under the Law and secondary regulations to be issued based on this Law of the legal person representative of data controller not residing at Turkey with legal persons residing at Turkey. |
Law |
Turkish Personal Data Protection Law no. 6698 |
Recording Medium |
Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system. |
Registered e-mail (REM) address |
Qualified form of electronic mail that provides legal evidence regarding the use of electronic messages, including their delivery and delivery. |
Personal Data |
Any information relating to an identified or identifiable natural person. |
Anonymization of personal data |
Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data. |
Processing of personal data |
Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system. |
Deletion of personal data |
Making personal data inaccessible and unusable to relevant users in any way. |
Destruction of personal data |
Making personal data inaccessible, retrievable and reusable by anyone. |
Board |
The Board of Protection of Personal Data. |
Authority |
The Authority of Protection of Personal Data. |
Mobile signature |
Electronic signature created using a mobile device |
Data controller |
Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system. |
Pursuant to Article 11 of the Law, the data owner has the right to apply to our Company to
request the following:
Find out if personal data is processed,
b) If personal data is processed, requesting information about it,
c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
ç) To know the third parties to whom personal data are transferred domestically or abroad,
d) Requesting correction of personal data if it is incomplete or incorrectly processed,
e) Request personal data to be deleted or destructed,
f) to request notification of transactions made in accordance with clauses (d) and (e) to third parties to whom personal data are transferred,
g) To object to the emergence of a result against the person by analysing the processed data exclusively through automated systems,
ğ) In the event that personal data is damaged due to illegal processing, the data owner has the right to demand the removal of the damage.
The data owner can benefit from this right provided that the application is made in Turkish.
Personal data owners will not be able to assert their rights in case of the following situations where the provisions of the law are not applied:
Except for the obligation of illumination and the right to demand compensation, provided that it complies with the purpose and basic principles of the Law, personal data owners will not be able to assert their rights if:
The data owner may submit his or her requests to the Company for the implementation of the law by filling in the data owner application form at www.a-energy.com.tr with the information and documents that determine his or her identity, using the methods indicated below.
•& After the application form has been filled in, the data owner signed it with the “secure electronic signature” within the scope of Electronic Signature Law No. 5070 and sent it to [email protected] address by writing “Personal Data Protection Law Information Request” to the subject part by registered e-mail.
In written applications, the date when the document is notified to the Company is the application date. For applications made with the other method, the date the application reaches the Company is the application date.
If the Application Form is submitted by hand, the identity of the person concerned is determined by checking the identity document (Name-Surname, Identity Number).
In order for a person other than the personal data owner to make a request, the original power of attorney issued on behalf of the person to apply by the personal data owner must be submitted. A copy of the power of attorney is kept in the annex.
The application for personal data of persons under the age of 18 can be made by their legal representative. In this case, copies of the documents that determine the authority of the legal representative are requested and a copy of it is kept in the application annex.
In applications made with secure electronic signature, the identity of the applicant can be legally determined with a qualified electronic certificate based on e-signature.
Applications made in writing by the data owner in person or through a notary are recorded in the Documents Registry by the Correspondent and delivered to the Contact Person against the signature.
Applications made to the registered e-mail address are sent to the Contact Person by e-mail by the Financial Advisor or authorized person.
The Contact Person checks whether the application is in accordance with the procedures set out in this Policy and whether the information and documents required to be included in the application form are complete. For applications that are not in accordance with the procedure, they contact the person concerned to provide the necessary information. Nevertheless, applications that are inappropriately and incomplete information / documented are rejected after being notified in writing to the person concerned.
Applications received in accordance with the procedure are forwarded by the Contact Person to the relevant department manager listed below, according to the category of the applicant.
• Candidate employee, former employee: Human Resources
• Supplier: Accounting / Purchasing
• Customer / Guest: Related Department
• Visitor: Security
• Other: Information Technologies / Law
In order to evaluate the requests of the data owners, firstly, it should be determined by the relevant department whether the personal data of the applicant is processed before the Company.
For this purpose, firstly, the relevant process, data category, recording medium and storage location in the Personal Data Inventory are determined based on the information in the Application Form. In addition to the review made on the Data Inventory, the data owner information on the application form is checked by searching on the Company databases.
If the personal data specified by the relevant person in the application form are not found in the relevant processes and systematic testing, the Contact Person is informed by e-mail.
If personal data specified by the relevant person in the application form are encountered in the relevant processes and systematic testing, one of the following steps is carried out in accordance with the request of the personal data owner and the requirement is fulfilled.
In line with the request of the person concerned, specified in the 11/1 of the Law and in the in the clause (a) (b) (c) and (ç) of article 5 of this Policy, personal data processed in the Personal Data Inventory, the data processing purpose, the transmitted party and the transfer purpose information are sent to the Contact Person by e-mail.
In line with the request of the relevant person specified in the 11/1 of the Law and in the clause (d) of article 5 of this Policy, the personal data provided by the data owner and the documents proving them and the information in the Company records are compared. The data determined to be processed as defective or incomplete at the company are forwarded to the relevant department where the data is recorded together with the proving documents for correction and updated.
Information regarding the updated data is sent to the Contact Person by e-mail.
In line with the request of the relevant person specified in 11/1 of the Law and in the clause (e) of article 5 of this Policy, it is determined in which processes that the Personal Data Inventory should be stored and processed due to legal obligation.
If there is no obligation to store and process due to legal obligation, related personal data will be deleted and destroyed in accordance with the Personal Data Retention and Destruction Policy. Upon completion of the deletion / destruction process, the information that the relevant personal data has been deleted and destructed is shared with the Contact Person.
If there is an obligation to process and store due to legal obligation, the Contact Person is informed that his request could not be fulfilled because the legal obligation, which is the basis for personal data processing, has not disappeared.
In line with the request of the person concerned specified in the 11/1 of the Law and in clause (f) of article 5 of this Policy, The categories of people whose data are transferred from the Personal Data Inventory are determined.
If the person's request for correction / deletion or destruction has been fulfilled, the parties whose data are transferred are asked to carry out the same transactions and to confirm in writing that the request has been fulfilled.
Information about the request of the person's correction / deletion or destruction has been fulfilled by the third parties to whom the personal data is transferred is sent to the Contact Person by e-mail.
In line with the request of the relevant person specified in the 11/1 of the Law and in the clause (g) of article 5 of this Policy, the process alleged to have a result against the data subject is examined.
If it is determined that there is no deficiency and error in the personal data processed in the process or during the process, it is informed to the Contact Person in this direction.
If any deficiencies or errors are detected in the process or in the personal data processed during the process, the information that the change made has been in favor of the person and the systems have been updated in this way is sent to the Contact Person via e-mail.
In accordance with the request of the relevant person specified in the 11/1 of the Law and in the clause (ğ) article 5 of this Policy, the loss request is examined with the participation of the Legal Advisor and the relevant departments. The action to be taken as a result of the examination and the response to the application are determined and processed through Legal Counseling.
Elimination of the damage caused by the person concerned due to the processing of personal data in violation of the Law is carried out with the approval of the Senior Management (Board of Directors / General Coordinator).
Data Owner requests must be evaluated and finalized by the Company as soon as possible and within 30 days at the latest.
Examination of the applications submitted to the relevant departments should be finalized within 1 week from the date of receipt and notified to the Contact Person.
The Contact Person sends the information and documents related to the application to the Legal Advisor in order to examine the answers and actions taken from the relevant departments in terms of compliance with the legal order and the Law.
The letter prepared by the legal advisor according to the approval of the law and the result of the examination in response to the application is sent to the data owner by the Contact Person within thirty (30) days at the latest. The reply letter should include at least the following information;
Personal data of third parties may not be included in the responses to the application. In cases where the application cannot be responded without including the personal data belonging to third parties, the information of the third party is concealed / anonymized or shared by the relevant person.
The responses given to the applications made through the notary public are printed on the company letterhead and signed in two copies by the signatory authorities of the Company. The reply letter is recorded in the Document Registry and given to the correspondent to be sent to the applicant by mail.
The responses given by electronic signature are signed by the signature officers of the Company with electronic signature using a secure electronic signature. The reply is sent to the applicant's electronic mail account.
All the records, examination results, inquiries, correspondence, legal opinions and responses regarding the relevant application, written in the electronic directory created by the Contact Person, are stored in the archive.
The company concludes the requests in the application free of charge. However, if the transaction requires additional cost, the following tariff determined by the Board with the approval of the senior management may be applied:
In case the application is caused by the Company's fault, the fee collected is returned to the relevant person.
Some rights are granted to owners of personal data pursuant to the Law and in accordance with the 11th Clause of Personal Data Protection Law numbered 6698 (the Law). In order to exercise your rights within the scope of the Law, please submit your requests to the Company, which is your data supervisor, to the following addresses by filling out this application form clearly and fully pursuant to first subparagraph of the 13th clause of Law:
We will reply your application as promptly as practicable or within 30 days at the latest. In the case that the information and documents you submitted to us are incomplete or incomprehensible, we will get in contact with you in order to clarify your application.
Name-Surname |
|
Republic of Turkey Identity Number (For the citizens of Republic of Turkey) |
|
Nationality and passport/Identity Number (For foreigners) |
|
Phone Number |
|
Residential Address/Workplace Address
|
|
E-mail Address |
☐ Customer ☐ Visitor |
☐ Business Partner ☐ Employee |
☐ Other (please specify) |
In accordance with the requests I specified above, I kindly request my application that I submitted to your company to be evaluated within the scope of 13th clause of the Law and to be informed in this regard. I hereby declare and undertake that the information and document which I provided to you through this application and your Company may demand additional information in order to complete my application and that I have been informed about the fact that I may be required to pay the amount determined by the Board in case any additional cost arises.
Notification Method of the Application Response (Please select one of the following)
☐ I want it to be sent to the address that I stated via mail.
☐ I want it to be sent to my e-mail address that I stated.
Applicant/Owner of Personal Data
Name and Surname :
Application Date :
Signature :