KVKK Policy

KVKK PERSONAL DATA PROTECTION LAW

 

I. INTRODUCTION

Law No. 6698 on Protection of Personal Data (the "Law") entered into force on April 7, 2016. The Law defines personal data and sets out the principles for the protection of personal data and the conditions to be followed by data controllers when processing such data. According to the Law, personal data is "all kinds of information about real persons whose identity is known or can be determined". The processing of personal data refers to "all kinds of transactions carried out on personal data, including obtaining, recording, storing, changing, sharing with third parties and transferring them abroad, either automatically or, provided that it is a part of any data recording system, non-automatically".

In order to ensure compliance with the Law, ÜZÜMCÜ TIBBI CİHAZ VE MEDİKAL GAZ SİSTEMLERİ A.Ş. takes the necessary administrative and technical measures by adopting the principles regarding the protection and processing of personal data in the relevant legislation. For the scope of this Personal Data Protection and Processing Policy ("Policy"), see VI. DATA OWNER AND PERSONAL DATA CATEGORIZATION.

The relevant legal regulations in force regarding the processing and protection of personal data will be applied with priority. In case of inconsistency between the current legislation and the Policy, ÜZÜMCÜ TIBBI CİHAZ VE MEDİKAL GAZ SİSTEMLERİ A.Ş. accepts that the current legislation shall apply. The Policy entered into force on 26/07/2017. In case the whole or certain articles of the Policy are renewed, the effective date of the Policy will be updated. The Policy is published on ÜZÜMCÜ's website (http://www.uzumcu.com/) and made available to personal data owners. Changes and updates can be made to the Policy in order to comply with changing conditions and legislation, and can be communicated to personal data owners via the relevant website.

II. PROCESSING OF PERSONAL DATA

II.I. PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

Under Article 20/III of the Constitution, personal data can only be processed in cases stipulated by law or with the express consent of the person, and the protection of personal data is guaranteed. In line with this right granted to personal data owners, personal data are processed in accordance with the principles specified in the relevant legislation or, in cases where the person has given express consent, in accordance with the following principles:

II.II. CONDITIONS AND PURPOSE OF PROCESSING PERSONAL DATA

In principle, personal data can only be processed in cases where the personal data owner has given explicit consent. Article 5 of the Law sets out the conditions for the processing of personal data, and Article 6 those for personal data of special nature. The Law defines personal data that, when unlawfully processed, carry the risk of causing victimization or discrimination as "personal data of special nature". In Article 6 of the Law, personal data of special nature are listed in a limited manner; they are data on the individual's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. As stated in the Policy above, we do not process personal data of special nature of customers / users, etc. The explicit consent of the data owner should be expressed on a specific subject, based on information and with free will. In the presence of one or more of the conditions mentioned below, personal data may be processed without the explicit consent of the owner. ÜZÜMCÜ processes personal data in accordance with the general principles specified in Article 4 of the Law, in line with the purposes and conditions stated below. Regarding general personal data:

• ÜZÜMCÜ's relevant activity regarding the processing of your personal data is explicitly stipulated by the Laws

• The personal data processing activity by ÜZÜMCÜ is mandatory for the protection of the life or body integrity of the personal data owner or another person, and in this case, the personal data owner is unable to express his consent due to actual impossibility or his consent is not legally valid

• The processing of your personal data is directly related to and necessary for the establishment or performance of a contract

• The processing of your personal data is mandatory for ÜZÜMCÜ to fulfill its legal obligation

• Provided that your personal data have been made public by you, processing in a manner limited to the purpose of publicizing

• The processing of your personal data is mandatory for the establishment, use or protection of the rights of ÜZÜMCÜ, you or third parties

• It is mandatory to perform personal data processing for the legitimate interests of ÜZÜMCÜ, provided that it does not harm your fundamental rights and freedoms

In this context, personal data are processed by ÜZÜMCÜ for the following purposes:

• Planning, auditing and execution of information security processes

• Establishing and managing information technology infrastructure

• Planning and execution of employees' access rights to user information

• Follow-up of finance and / or accounting works

• Follow-up of legal affairs

• Planning and / or execution of activities for efficiency / productivity and / or appropriateness analysis of business activities

• Planning and execution of business activities

• Planning and execution of corporate communication activities

• Planning and execution of logistics activities

• Planning and execution of customer / user relationship management processes

• Planning and / or execution of customer / user satisfaction activities

• Follow-up of customer / user requests and / or complaints

• Conducting activities to determine the financial risks of customers / users

• Planning and / or execution of post-sales support activities

• Planning and execution of company audit activities

• Planning and execution of the operational activities required to ensure that the company activities are carried out in accordance with the company procedures and / or the relevant legislation

• Ensuring the security of company operations

• Planning and execution of relevant processes in order to obtain the highest benefit from the products or services offered by the company

• Follow-up of contractual processes and / or legal requests

• Execution of strategic planning activities

• Planning and execution of production and / or operation processes

• Planning and execution of market research activities for the sales and marketing of products and services

• Planning and execution of marketing processes of products and / or services

• Planning and execution of the sales processes of products and / or services

• Ensuring that the data are accurate and up-to-date

• Giving information to authorized institutions based on legislation

III. TRANSFER OF PERSONAL DATA

III.I. GENERAL PRINCIPLES ON THE TRANSFER OF PERSONAL DATA

Articles 8 and 9 of the Law cover the transfer of personal data within the country and abroad. ÜZÜMCÜ may transfer the personal data of the data subject, which it has obtained in accordance with the law, to third parties in line with the data processing purposes by taking the necessary security measures. Accordingly, it may transfer personal data to third parties in the presence of one of the processing conditions specified in Section II and the following conditions:

- If the personal data owner has given explicit consent,

- If there is a clear regulation in the laws that personal data will be transferred,

- If it is necessary for the protection of the life or body integrity of the personal data owner or someone else, and if the personal data owner is unable to express his consent due to actual impossibility or his consent is not legally valid,

- If it is necessary to transfer personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract,

- If personal data transfer is mandatory for ÜZÜMCÜ to fulfill its legal obligation,

- If the personal data are made public by the personal data owner,

- If personal data transfer is mandatory for the establishment, exercise or protection of a right,

- If personal data transfer is mandatory for the legitimate interests of ÜZÜMCÜ, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

 

III.II. TRANSFER OF PERSONAL DATA ABROAD
ÜZÜMCÜ will be able to transfer the personal data of the personal data owner abroad for legitimate and lawful personal data processing purposes in the following cases:
- If the data owner has given explicit consent, or
- If the data owner has not given explicit consent but one or more of the other conditions mentioned above exist: (i) if there is sufficient protection in the country to which the data is transferred; (ii) if there is not sufficient protection in the country to which the data is transferred, on condition of a written commitment to adequate protection by ÜZÜMCÜ and the data controller in the relevant foreign country and the permission of the KVK Board.


III.III. THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED
ÜZÜMCÜ may transfer the personal data of data owners governed by the Policy, in accordance with the above-mentioned conditions and Articles 8 and 9 of the Law, to the following parties:
- Anonymously to the business partners in order to ensure the fulfillment of the objectives of the establishment of the business partnership (in case other data transfer is required, express consent is also obtained),
- To the shareholders, limited to audit purposes in accordance with the provisions of the relevant legislation regarding the design of strategies regarding the commercial activities of ÜZÜMCÜ and the provision of information in accordance with the company procedures,
- To the relevant public institutions and organizations and private law persons, limited to the purpose they request within their legal powers.

IV. PROTECTION OF PERSONAL DATA

ÜZÜMCÜ ensures that personal data is processed and protected in accordance with the law by taking the administrative and technical measures stipulated in the relevant legislation and those to be notified by the KVK Board, in order to ensure the security of the personal data it processes.

In this context, ÜZÜMCÜ takes technical and administrative measures, also taking into account reasonable technical means and implementation costs, in order to process personal data in accordance with the law, to store them in secure environments, to prevent unauthorized access risks and any other unlawful access, to prevent incidental data loss, and to prevent deliberate damage and deletion of data. Namely:

 - Controlling the personal data processing activities of ÜZÜMCÜ with the established technical systems,

- Making periodic reports on the technical measures taken,

- Informing and educating employees who process personal data at ÜZÜMCÜ on the protection of personal data and the processing of personal data in accordance with the law,

- Creating awareness for relevant business units and determining implementation rules in order to meet the legal compliance requirements determined on the basis of business units, organizing internal policies and trainings to ensure the supervision and sustainability of these issues,

- Including, in the contracts and documents that govern the legal relationship between ÜZÜMCÜ and the employees, records imposing the obligation not to process, disclose or use personal data, except for the instructions and the exceptions imposed by the law, and creating awareness among the employees on this subject,

- Making access and authorizations in accordance with the legal compliance requirements determined on the basis of the business unit and limiting the access authorizations accordingly,

- Installing and operating software and hardware including virus protection systems and firewalls,

- Adding, to the contracts concluded with persons to whom personal data is transferred in accordance with the law, including the parties from which ÜZÜMCÜ receives an external service due to technical requirements regarding the storage of personal data, provisions stating that the persons to whom the personal data are transferred will take the necessary security measures to protect the personal data and ensure that these measures are followed in their own organizations,

- Establishing technical security systems for storage areas by using legal backup programs.

ÜZÜMCÜ operates the system that ensures that the relevant personal data owner and the KVK Board are informed as soon as possible, in accordance with Article 12 of the Law, in case the personal data processed are obtained by others illegally. If deemed necessary by the KVK Board, this may be announced on the website of the KVK Board or by any other method.

V. ENLIGHTENMENT, RIGHTS AND INFORMING OF THE PERSONAL DATA OWNER

V.I. ENLIGHTENING THE PERSONAL DATA OWNER

Article 10 of the Law states that personal data owners should be enlightened during the acquisition of personal data. In accordance with the general principles of other personal data processing activities specified in the relevant legislation, ÜZÜMCÜ informs personal data owners, during the acquisition of their personal data, about: (i) the identity of its representative, (ii) the purpose for which personal data will be processed, (iii) to whom and for what purpose it may be transferred, (iv) the method and legal reason for collecting personal data, (v) the rights of the personal data owner.

V.II. RIGHTS OF PERSONAL DATA OWNERS

Article 11 of the Law lists the rights of the personal data owner. That is to say, the data owner has the right:

- To learn whether his personal data is processed,
- If personal data has been processed, to request information about it,
- To learn the purpose of processing personal data and whether they are used for their purpose,
- To know the third parties to whom personal data are transferred,
- To request the correction of personal data in case it has been processed incompletely or incorrectly, and to request notification of the third parties to whom the personal data is transferred,
- To request the deletion or destruction of personal data in the event that the reasons for its processing disappear, despite the fact that it has been processed in accordance with the provisions of the Law and other relevant laws, and to request notification of the transaction carried out within this scope to the third parties to whom the data is transferred,
- To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
- To demand compensation for the damage in case he suffers damage because the personal data is processed illegally.

However, in accordance with Article 28 of the Law, the above-mentioned rights cannot be claimed in the following cases:

- Processing personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

In accordance with Article 28/2 of the Law, in the following cases personal data owners cannot claim their other rights as stated above, with the exception of the right to claim damages:

- Personal data processing is necessary for the prevention of crime or for criminal investigation.
- Processing personal data made public by the personal data owner himself.
- The processing of personal data is necessary for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized public institutions and organizations and professional organizations that have the quality of public institutions, based on the authority granted by the law.
- Personal data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.

V.III. INFORMING PERSONAL DATA OWNERS

In accordance with Article 20 of the Constitution, the requests of personal data owners for information about their personal data, made in line with their right to "request information" listed among the above-mentioned rights, are met by ÜZÜMCÜ in accordance with the Law. ÜZÜMCÜ maintains the necessary channels, internal functioning, and administrative and technical regulations in accordance with Article 13 of the Law in order to provide the necessary information to personal data owners. Accordingly, in case personal data owners submit their requests regarding their rights mentioned above to ÜZÜMCÜ, ÜZÜMCÜ reports its justified positive / negative response to the request free of charge within thirty days at the latest. However, if the transaction requires an additional cost, ÜZÜMCÜ may charge the fee in the tariff determined by the KVK Board. Personal data owners will be able to submit their requests regarding their above-mentioned rights to ÜZÜMCÜ via the "Application Form" in Annex-1. Applications by personal data owners are to be made by one of the following methods, together with documents that establish the identity of the personal data owner:

• Filling in the form and sending the wet-signed copy to ÜZÜMCÜ's address by hand, through a notary public or by registered mail,

• Sending a request to the postal address of http://www.uzumcu.com/ (In this case, the identity of the applicant is established through the channel used for the application, in order to determine whether the applicant is actually the owner of the personal data and whether the applicant has actually made this application. In this context, the application will be evaluated if the last order information of the applicant is confirmed and the data owner and the person making the request are matched.),

• Following a method prescribed by the Personal Data Protection Board.

In order for third parties to make an application request on behalf of personal data owners, a special power of attorney issued by the data owner through a notary public must be available on behalf of the applicant.

ÜZÜMCÜ may request information from the relevant person in order to determine whether the applicant is the owner of the personal data, and may ask the personal data owner questions about the application in order to clarify the matters specified in it. In cases where the application is rejected, the response is found to be insufficient or the application is not responded to in due time, the personal data owner may, in accordance with Article 14 of the Law, apply to the KVK Board within thirty days from the date on which he learns ÜZÜMCÜ's answer, and in any case within sixty days from the application date.

VI. DATA OWNER AND PERSONAL DATA CATEGORIZATION

VI.I. DATA OWNER CATEGORIZATION

ÜZÜMCÜ has categorized the owners of the personal data it processes as follows. The data owner categorization created within the scope of this Policy is associated with the following personal data owners. Data owners outside of this scope will also be able to direct their requests to ÜZÜMCÜ in line with the Policy.

Personal Data Owner Category

Customer / User: Real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with ÜZÜMCÜ. Real persons who have been evaluated as appropriate

Corporate Customer Shareholder, Official, Employee: Regardless of whether they have any contractual relationship with ÜZÜMCÜ, the employees, shareholders and authorized persons of the legal person customers who use or have used the products and services offered by ÜZÜMCÜ.

Third Parties: Other real persons who are not within the scope of this Policy and the ÜZÜMCÜ Employees Personal Data Protection and Processing Policy, companies that have a contractual relationship with ÜZÜMCÜ and companies that send orders to users who have a contractual relationship with ÜZÜMCÜ

Business Partner: Natural persons, including those who work in the institutions they are in contact with, the shareholders and officials of these institutions.

Partner Candidate: Real persons, or real persons who are employees, shareholders and officials of the real persons or legal entities, with whom ÜZÜMCÜ intends to establish a business relationship.

VI.II. PERSONAL DATA CATEGORIZATION

Under this Policy, personal data processed by ÜZÜMCÜ are categorized. Personal data of personal data owners in the above-mentioned data owner categories are associated with the following personal data categories.

Personal Data Categorization

Identity Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; data containing information about the identity of the person

Contact Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Information such as phone number, address, e-mail address, fax number, IP address

Location Data: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Within the framework of operations carried out by ÜZÜMCÜ business units of the personal data owner, information determining the location of the employees of the institutions we cooperate with ÜZÜMCÜ while using ÜZÜMCÜ vehicles

Customer Information: Clearly belonging to an identified or identifiable natural person and included in the data recording system; Information such as records for the use of our products and services and the instructions and requests of the customer for the use of products and services.

Customer Transaction Information: Clearly belonging to an identified or identifiable natural person and included in the data recording system; records for the use of our products and services, and information such as the customer's instructions and requests for the use of the products and services

Family Members and Relatives: Clearly belonging to an identified or identifiable natural person; Information about family members, relatives and other persons who can be reached in case of emergency in order to protect the legal and other interests of ÜZÜMCÜ and the personal data owner within the framework of the operations carried out by ÜZÜMCÜ business units, which are processed partially or completely automatically or as part of the data recording system.

Physical Space Security Information: Clearly belonging to an identified or identifiable real person; processed partially or fully automatically or non-automatically as part of the data recording system; Personal data regarding the records and documents received during the entrance to the physical space, during the stay in the physical space

Transaction Security Information: Clearly belonging to an identified or identifiable natural person and included in the data recording system; Personal data such as IP address, (system login information) log in credentials, logging of the resources accessed by suppliers while providing support services, user movements specific to the wallet system (password reset, password creation)

Incident Management Information: Information and evaluations collected about the events that are associated with the personal data owner and that have the potential to affect our company - employees - shareholders (e.g., reporting on the commercial activities of our company with a person who is prosecuted as a defendant in a criminal case and preventing negative communication about our company in this regard; the information gathered regarding the investigation of this person and the scope of the criminal investigation and the correct management of the public opinion that will develop in this direction)

Financial Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Data such as bank account number, IBAN number, credit card information, financial profile, assets data, income information and processed personal data regarding all kinds of financial results, documents and records that are created according to the type of legal relationship that ÜZÜMCÜ has established with the personal data owner.

Visual and Audio Data: Clearly belonging to an identified or identifiable real person; photo and camera recordings (excluding the records included within the scope of Physical Space Security Information), voice recordings and data contained in documents that are copies of documents containing personal data

Legal Procedure and Compliance Information: It is clear that it belongs to an identified or identifiable natural person and is included in the data recording system; Personal data processed within the scope of determination, follow-up of our legal receivables and rights and the performance of our debts and compliance with our legal obligations and our company's policies

Audit and Inspection Information: Audit and inspection records and reports associated with the personal data owner, and information regarding the examinations made in this context and the information and comments collected.

Marketing Information: Clearly belonging to an identified or identifiable natural person and included in the data recording system; Personal data processed for the customization and marketing of our products and services in line with the usage habits, tastes and needs of the personal data owner and the reports and evaluations created as a result of this processing

Reputation Management Information: Information associated with the person and collected for the purpose of protecting the commercial reputation of our company (for example, information from the complaint website, information collected on Twitter and Facebook regarding the posts against our company, senior executives and shareholders, the evaluation reports and the related information about actions)

Request / Complaint Management Information: Clearly belonging to an identified or identifiable real person; processed partially or fully automatically or non-automatically as part of the data recording system; Personal data regarding the receipt and evaluation of any request or complaint addressed to ÜZÜMCÜ.

VII. PRINCIPLES REGARDING THE STORAGE PERIOD OF PERSONAL DATA

Personal data are stored by ÜZÜMCÜ for the periods stipulated in the relevant legislation and in accordance with its legal obligations. If the legislation does not regulate how long personal data should be stored, personal data are processed for the period required by ÜZÜMCÜ practices and commercial practices in connection with the activity that ÜZÜMCÜ carries out while processing that data, and are then deleted, destroyed or anonymized. If the retention periods determined by the relevant legislation and ÜZÜMCÜ have come to an end for personal data whose purpose of processing has expired and for personal data requested to be deleted / anonymized by the personal data owners, such data can only be stored for the purpose of providing evidence in possible legal disputes, asserting the right related to personal data or establishing a defense. While determining the retention periods of personal data, ÜZÜMCÜ relies on the statute of limitations stipulated in the relevant legislation. Personal data stored for this purpose can only be accessed by a limited number of persons when it must be used in the relevant legal dispute, and cannot be accessed for any other purpose. At the end of this period, personal data are deleted, destroyed or anonymized.

VIII. CONDITIONS OF DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA

Although it has been processed in accordance with the provisions of the relevant law, as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Law, personal data are deleted, destroyed or anonymized upon the decision of ÜZÜMCÜ or upon the request of the personal data owner in case the reasons for its processing are eliminated.

IX. MANAGEMENT STRUCTURE RELATED TO THE PROTECTION AND PROCESSING OF PERSONAL DATA

A Personal Data Protection Committee ("Committee") has been established within the company in order to manage this Policy, related policies and other outputs, follow up the process of compliance with the Law and ensure its continuity within the body of AYKİMSAN. The duties of this Committee are:

- To establish, update and enforce basic policies regarding the protection and processing of personal data.

- To take actions regarding the implementation and supervision of policies regarding the protection and processing of personal data, and to ensure coordination by making internal assignments regarding this.

- To ensure compliance with the law and the relevant legislation and to follow the developments in the protection and processing of personal data and to take the necessary actions within this framework.

- To increase the awareness of the protection and processing of personal data within ÜZÜMCÜ and the institutions with which ÜZÜMCÜ cooperates.

- To evaluate the applications of personal data owners and to resolve them in accordance with the law.

- To determine the risks that may occur in ÜZÜMCÜ personal data processing activities and to ensure that the necessary measures are taken.

- To manage the relations with the KVK Board and Institution.