Protection of Personal Data

GREENLIVE

PERSONAL DATA PROTECTION AND PROCESSING POLICY

CONCEPTS

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking it, by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system.
Personal Data Owner/Relevant Person: The real person whose personal data is processed.
Personal Data: Any information regarding an identified or identifiable natural person.
Special Personal Data: Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept (data recording system).
Deletion: The process of making personal data inaccessible and unusable for the relevant users in any way.
Annihilation: The process of making personal data inaccessible, irretrievable and not reusable by anyone.
Anonymization: Ensuring that personal data cannot be associated with an identified or identifiable natural person in any way, even if it is matched with other data. With this method, personal data must be made incapable of being associated with an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording environment and the relevant field of activity, such as returning the data by the recipient or recipient groups and matching the data with other data.
Data Processor: Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

 

PART I

INTRODUCTION

The purpose of this regulation is to protect the personal data of our customers, prospective employees, employees, persons with whom we have business relations and visitors, and all other data that has the nature of personal data, within the scope of the Personal Data Protection Law No. 6698.

This Policy sets out the principles that will be adopted by our Company and taken into account at the point of implementation regarding the processing, protection, deletion, destruction and anonymization of personal data.

AIM

The purpose of this Policy is to inform our above-mentioned target audience, whose personal data is processed, about the personal data processing activities carried out lawfully by our Company and the processes adopted for the protection of personal data, and to determine the policy for the protection and processing of personal data.

SCOPE

This Policy relates to all personal data of natural persons processed by our Company.

ENFORCEMENT OF THE POLICY

This policy, which has been issued and entered into force by us, is published on our Company’s website and is thus made available to personal data owners.

PART II

1- PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH RELEVANT LEGISLATION

In accordance with Article 4 of the KVKK, our Company observes the following principles in the processing of personal data:

1.1- Engaging in Personal Data Processing Activities in Compliance with Law and Honesty

In our company, the processing of personal data is carried out in accordance with legal regulations and rules of honesty. In this context, our Company processes only the necessary personal data at a level that is compatible with the data processing purposes.

1.2- Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

Our company takes the necessary measures to ensure that personal data is up-to-date and accurate, taking into account the fundamental rights of personal data owners and their own legitimate interests.

1.3- Processing for Specific, Clear and Legitimate Purposes

The purposes for which personal data will be processed by our company are determined before the personal data processing activity begins.

1.4- Being Related to the Purpose for Processing, Limited and Proportionate

Our company processes personal data as much as is required by the business in the context of the requirements of the activities it carries out and within the scope and in line with the relevant legal regulations, and the processing of irrelevant or unnecessary personal data is avoided.

1.5- Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They Are Processed

Our company retains personal data only for the periods stipulated in the relevant legislation or limited to the purpose for which they are processed. In this context, if a period of time is specified in the relevant legislation for the storage of personal data, this period is complied with. If a period is not specified, personal data are retained for the period necessary for the purpose for which they are processed. If the period expires or the reasons requiring processing disappear, personal data is deleted, destroyed or anonymized by our Company. Personal data is not stored by our Company for possible use in the future. Detailed information on this subject is provided in section 7 of this policy.

2- PROCESSING OF PERSONAL DATA

Our company processes personal data only in cases stipulated by law or with the express consent of the person.

Apart from explicit consent, personal data may be processed if one of the other conditions listed below is met:

2.1- Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the owner. Explicit consent of the personal data owner must be expressed on a specific subject, based on informed consent and free will.

2.2- Explicitly Provided in Laws

The personal data of the data owner can be processed in accordance with the law if it is clearly provided for by law.

2.3- Failure to Obtain Explicit Consent of the Relevant Person Due to Actual Impossibility

If it is necessary to process the personal data of a person who is unable to express his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself or another person, the personal data of the data owner may be processed.

2.4- Directly Related to the Establishment or Performance of the Contract

It is possible to process personal data if it is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

2.5- Fulfillment of Legal Obligations

Our company may process the personal data of the data owner if processing is mandatory in order to fulfill its legal obligations as the data controller.

2.6- Publicization of Personal Data by the Personal Data Owner

If the data owner’s personal data is made public, it may be processed, provided that it is limited to the purpose.

2.7- Data Processing is Necessary for the Establishment or Protection of a Right

If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

2.8- Data Processing is Necessary for the Legitimate Interests of the Data Controller

Personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company, provided that the fundamental rights and freedoms of the personal data owner are not harmed.

3- CLARIFICATION AND INFORMATION OF THE PERSONAL DATA OWNER

Our company clarifies the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner. (See Clarification Text)

4- PROCESSING OF SPECIAL PERSONAL DATA

Our company complies with the regulations stipulated in the KVKK in the processing of personal data determined as “special nature” by the KVKK.

These data are: data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

Special categories of personal data are processed by our Company in the following cases, by taking the necessary precautions:

If the personal data owner has given explicit consent, or

If there is no explicit consent of the personal data owner, it may be processed in cases stipulated by law.

Data regarding health and sexual life are processed only with the explicit consent of the data owner.

III. SECTION

PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND STORAGE PERIOD

  • Personal data processed by our Company are stated below. However, which data will be processed for each personal data owner may vary depending on various factors such as the type and nature of the relationship between the personal data owner and our Company and the communication channels used.
PERSONAL DATA: EXPLANATION
Identity Information: Data containing information regarding the identity of the person; documents such as driver’s license, identity card and passport containing information such as name-surname, TR ID number, nationality information, mother’s name-father’s name, place of birth, date of birth and gender, and information such as personnel registry number and signature.
Communication Information: Information such as telephone number, address, e-mail address, KEP address, fax number, IP address.
Family Members and Relative Information: Information about family members (e.g. spouse, child), relatives and other persons who can be reached in emergency situations, reported to our Company by the personal data owner, within the framework of operations carried out by our Company’s units.
Security Information: Personal data regarding records and documents received upon entry to our Company’s facilities and during your stay in these places; camera recordings and records taken at security points, etc.
Financial Information: Personal data processed regarding all kinds of financial information, documents and records created according to the type of legal relationship our Company has established with the personal data owner, and data such as bank account number, IBAN number, income information.
Audio/Visual Information: Photographs, camera recordings.
Personal Information: All kinds of personal data processed to obtain information that will be the basis for the formation of personal rights of real persons who have a working relationship with our Company.
Special Personal Data: Data specified in Article 6 of the KVK Law (e.g. health data including blood type, biometric data (fingerprint), body size, etc.).
Professional Knowledge: Data regarding diploma and certificate information of employee candidates, our employees and people who have business relations with our Company.

 

  • PERSONAL DATA OWNERS WHOSE DATA IS PROCESSED BY OUR COMPANY

Our company’s customers, subsidiaries, visitors, employee candidates, employees, company shareholders, employees of the companies we have business relations with, and employees of the institutions we cooperate with.

  • PURPOSES OF PROCESSING PERSONAL DATA

Our Company processes the personal data specified in item 1 of Section III of this Policy for purposes such as:

Carrying out the application processes of employee candidates

Execution of human resources processes

Fulfilling the obligations arising from the legislation for employees

Carrying out social responsibility and civil society activities

Carrying out financial and accounting affairs

Carrying out communication activities

Carrying out the goods and services purchasing process

Execution of the goods and services sales process

Execution of wage policy

Carrying out fringe benefits and benefits processes for employees

Carrying out Storage and Archive Activities

Execution of Emergency Management Processes

Conducting Business Activities

Carrying out Activities to Ensure Business Continuity

Ensuring the Security of Movable Goods and Resources

Providing Information to Authorized Persons, Institutions and Organizations

Conducting Educational Activities

Conducting Activities in Compliance with Legislation

Ensuring Physical Space Security

Conducting Internal Audit Activities

Carrying out Occupational Health / Safety Activities

Carrying out Management Activities

Execution of Goods / Service Production and Operation Processes

Execution of Goods / Service After-Sales Support Services

Carrying out Logistics Activities

Execution of Contract Processes

Carrying out risk management processes

These data are processed for legal reasons such as:

  • Fulfilling our legal obligations,
  • The necessity of processing personal data of the parties based on the established business relationship,
  • Being foreseen in the laws, and
  • Protecting the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the relevant person,

and by obtaining the explicit consent of the relevant person.

  • STORAGE PERIOD OF PERSONAL DATA

Our company stores personal data for the period required by the relevant legislation or the purpose for which they are processed.

If the legislation does not regulate how long personal data should be stored, personal data is processed for the period that requires processing in accordance with our Company’s practices and commercial life practices, depending on the activity carried out by our Company while processing that data.

Once the purpose of processing personal data has expired, if the storage periods determined by the relevant legislation or our Company have expired, personal data can only be stored to serve as evidence in possible legal disputes or to assert the relevant right based on personal data or to establish a defense. In establishing the periods herein, the limitation periods for asserting the mentioned right and the retention periods are determined based on the samples in the requests previously directed to our Company on the same issues, even though the limitation periods have passed. In this case, the stored personal data cannot be accessed for any other purpose and the relevant personal data is accessed only when it needs to be used in the relevant legal dispute. Here too, after the mentioned period expires, personal data is deleted, destroyed or anonymized.

IV. SECTION

  • CAMERA MONITORING ACTIVITY CONDUCTED BY OUR COMPANY AT THE ENTRANCES AND INSIDE OF BUILDINGS AND FACILITIES

Within the scope of surveillance activities with security cameras, our Company subjects certain areas to camera monitoring in order to secure the interests of the Company and other people regarding their security, limited to this Policy and in a way that does not result in interference with a person’s privacy that exceeds security purposes. Our Company complies with the KVKK in the camera monitoring activities carried out for security purposes. Information about camera monitoring activities is provided by publishing this Policy on the website and by hanging signs and clarification text stating that monitoring will be carried out in the monitoring areas.

The monitoring areas of security cameras, their number and when they will be monitored are implemented in a way that is sufficient to achieve the security purpose and is limited to this purpose. Necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera monitoring activities. Detailed information about the period during which our Company retains personal data obtained through camera monitoring activities is included in Article 3.4 of this Policy, titled Personal Data Storage Periods.

Only a limited number of Company employees have access to live camera images and records recorded and preserved digitally. A limited number of people who have access to the records declare with a confidentiality agreement that they will protect the confidentiality of the data they access.

  • MONITORING OF GUEST ENTRANCES AND EXITS AT THE ENTRANCES AND INSIDE OF OUR COMPANY’S BUILDINGS, FACILITIES

Our Company carries out personal data processing activities to ensure security and to monitor guest entries and exits in our Company’s buildings and facilities for the purposes specified in this Policy.

While the names and surnames of people who come to our Company’s buildings as guests are obtained, personal data owners are informed in this context. The data obtained for the purpose of tracking guest entry and exit is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.

CHAPTER V

TRANSFER OF PERSONAL DATA

Although the third parties to which personal data can be transferred may vary depending on various factors such as the type and nature of the relationship between the data owner and our Company and the markets where transactions are carried out, the third parties to which the data can be transferred are generally as shown below:

Authorized public institutions

Private law legal entities limited to the purpose requested within their legal authority,

Our company’s domestic and/or foreign business partners,

Customers, Suppliers,

Our Shareholders, Our Auditors

VI. SECTION

ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

Our company takes the necessary technical and administrative measures to ensure the appropriate level of security to prevent the personal data it processes from being processed unlawfully, to prevent unlawful access to the data, and to ensure the preservation of the data, and carries out the necessary inspections or has them carried out in this context.

The actions and measures taken by our company to ensure “data security” in accordance with Article 12 of the KVKK are stated below.

Our company takes technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law. Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of KVKK or use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are taken from them in this regard.

Our company provides the necessary training to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the preservation of data.

Our company takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.

VII. SECTION

CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Even though it has been processed in accordance with the relevant legal provisions as regulated in Article 7 of the KVKK, if the reasons requiring processing are eliminated, personal data will be deleted, destroyed or anonymized for 3 months, based on our Company’s decision. If all the conditions for processing personal data are eliminated, upon the request of the relevant person, our company deletes, destroys or anonymizes the personal data subject to the request. Our company finalizes the request of the relevant person within thirty days at the latest and informs the relevant person.

In accordance with Article 28 of the KVKK, anonymized personal data may be processed for purposes such as research, planning and statistics. Since such transactions are outside the scope of KVKK, explicit consent of the personal data owner is not required.

VIII. SECTION

RIGHTS OF PERSONAL DATA OWNERS; METHOD OF USING AND EVALUATING THESE RIGHTS

Our Company puts in place the necessary channels, internal operations, and administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and provide the necessary information to personal data owners.

Personal data owners have the right to:

Learn whether personal data is processed or not,

Request information if personal data has been processed,

Learn the purpose of processing personal data and whether they are used for their intended purpose,

Know the third parties to whom personal data is transferred at home or abroad,

Request correction of personal data in case personal data has been processed incompletely or incorrectly, and request that the action taken in this context be notified to third parties to whom personal data has been transferred,

Request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and request that the transaction carried out in this context be notified to third parties to whom the personal data has been transferred.

IX. SECTION

PERSONAL DATA PROTECTION AND PROCESSING POLICY MANAGEMENT STRUCTURE

Our company establishes the necessary management structure to fulfill the obligations under the KVK Law and to implement this Policy and to perform the following functions.

  • To prepare the basic policies and changes regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect,
  • To decide how the policies regarding the Protection and Processing of Personal Data will be implemented and supervised, and to submit internal company assignments and coordination within this framework to the approval of the senior management,
  • To determine what needs to be done to ensure compliance with the Personal Data Protection Law and relevant legislation, to submit the actions that need to be taken for the approval of the senior management, and to oversee and coordinate their implementation,
  • To raise awareness within the Company and among the Company’s business partners regarding the Protection and Processing of Personal Data,
  • To identify risks that may occur in the company’s personal data processing activities and to ensure that necessary precautions are taken, to submit improvement suggestions to the approval of senior management,
  • To design trainings on the protection of personal data and implementation of policies and to ensure their implementation,
  • To respond to applications of personal data owners within the time limit,
  • To manage relations with the Personal Data Protection Board and Institution.

While establishing the management structure, a committee is established and the composition of this committee and the distribution of duties are determined by the senior management of our Company. In addition to the above-mentioned duties, the Committee and the responsible person(s) to be appointed in this regard may be assigned other duties and responsibilities depending on the needs of our Company and the nature of the activities it carries out.

X. SECTION

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURITY OF PERSONAL DATA

Our Company takes the necessary administrative and technical measures to store personal data legally and securely. To this end:

  • There are disciplinary regulations for employees that include data security provisions
  • A personal data processing inventory has been prepared and is kept up to date.
  • Contracts (between data controller and data processor)
  • Corporate policies (access, information security, use, data retention and destruction)
  • Business arrangement
  • Disciplinary regulation (adding provisions in accordance with the law)
  • Confidentiality commitments are made.
  • Internal periodic and/or random audits
  • Education and awareness activities
  • Ensuring the security of environments that provide personal data
  • Risk analyses are carried out and personal data is reduced as much as possible
  • Network security and application security are ensured,
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • Up-to-date anti-virus systems are used.
  • Personal data security policies and procedures have been determined.
  • Personal data security is monitored.
  • The security of environments containing personal data is ensured.
  • Personal data is backed up and the security of the backed up personal data is ensured.
  • Current risks and threats have been identified.
  • Sensitive personal data must be sent encrypted, using a KEP or corporate mail account.
  • Encryption is done.
  • A closed system network is used for personal data transfer via the network.
  • Firewalls are used.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks is ensured.
  • If it is determined that personal data processed or transferred by our company has unlawfully fallen into the hands of unauthorized persons, the situation will be notified to the KVK Board and the relevant data owner as soon as possible within 72 hours.