Kvkk
BR DESIGN JOINT STOCK COMPANY
PERSONAL DATA PROTECTION AND PROCESSING POLICY
CONCEPTS
Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
Personal Data Owner/Related Person | The natural person whose personal data is processed. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Sensitive Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). |
Deletion | It is the process of making personal data inaccessible and non-reusable in any way for the relevant users. |
Destruction | It is the process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
Anonymization | It is the process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. With this method, personal data must be rendered unattributable to an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as retrieval and matching of data with other data by the recipient or groups of recipients. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. |
PART I
INTRODUCTION
The purpose of this regulation is to protect the personal data of our customers, employee and/or intern candidates, employees, persons with whom we have business relations and visitors, and all other personal data within the scope of the Law No. 6698 on the Protection of Personal Data.
With this Policy, the principles to be adopted by our Company regarding the processing, protection, deletion, destruction and anonymization of personal data and to be taken into consideration at the point of application have been set forth.
PURPOSE
The purpose of this Policy is to inform our above-mentioned target audience, whose personal data is processed, about the personal data processing activity carried out by our Company in accordance with the law and the processes adopted for the protection of personal data, and to determine the policy of protection and processing of personal data.
SCOPE
This Policy relates to all personal data of natural persons processed by our Company.
ENFORCEMENT OF THE POLICY
This policy, which is regulated and put into effect by us, is published on our Company's website and made accessible to personal data owners in this way.
PART II
PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE RELEVANT LEGISLATION
Our Company, in accordance with Article 4 of the Law on the Protection of Personal Data, takes the following principles into consideration in the processing of personal data:
- Carrying out personal data processing activities in accordance with the law and good faith
- Ensuring that personal data is accurate and, where necessary, up to date
- Processing for specific, explicit and legitimate purposes
- Being relevant, limited and proportionate to the purpose for which they are processed
- Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed
PROCESSING OF PERSONAL DATA
Our Company processes personal data only in cases stipulated by law or with the explicit consent of the person.
Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below;
- Explicit consent of the personal data subject
- Explicitly stipulated in the law
- Failure to obtain the explicit consent of the person concerned due to actual impossibility
- Direct relevance to the conclusion or performance of the contract
- Fulfillment of a legal obligation
- Publicization of personal data by the personal data subject
- Data processing is mandatory for the establishment or protection of a right
- Data processing is mandatory for the legitimate interest of the data controller
CLARIFICATION AND INFORMATION OF THE PERSONAL DATA SUBJECT
Our Company provides information on the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner. (See Clarification Text)
PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Our Company acts in accordance with the regulations stipulated in the Law on the Protection of Personal Data in the processing of personal data determined as "special quality" by the Law on the Protection of Personal Data.
These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Special categories of personal data are processed by our Company in the following cases by taking necessary precautions:
- Explicit consent of the person concerned,
- Explicitly stipulated in the law,
- It is necessary for the protection of the life or bodily integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not recognized as legally valid, himself/herself or someone else,
- It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
- Necessity for the establishment, exercise or protection of a right,
- It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation to keep secrets or authorized institutions and organizations,
- It is mandatory for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services and social assistance,
- Current or former members and members of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and formations, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties, is possible.
PART III
PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND STORAGE PERIOD
The personal data processed by our Company are specified below. However, which data will be processed for each personal data subject may vary depending on various factors such as the type and nature of the relationship between the personal data subject and our Company and the communication channels used.
PERSONAL DATA | EXPLANATION |
---|---|
Identity Information | Data containing information about the identity of the person; documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality, mother's name-father's name, place of birth, date of birth, gender, and information such as personnel registration number, signature information, etc. |
Contact Information | Information such as phone number, address, e-mail address, KEP address, fax number, IP address |
Family Members and Relatives | Information on family members (e.g. spouse, children), relatives and other persons who can be reached in case of emergency, notified to our Company by the personal data owner within the framework of the operations carried out by the units of our Company |
Safety Information | Personal data related to the records and documents taken at the entrance to the facilities of our Company and during the stay in these places; camera recordings and records taken at the security point, etc. |
Financial Information | Personal data processed regarding all kinds of financial information, documents and records created according to the type of legal relationship established by our Company with the personal data owner, and data such as bank account number, IBAN number, income information |
Audio/Visual Information | Photographs, camera recordings |
Personal Information | All kinds of personal data processed for obtaining information that will be the basis for the formation of the personal rights of natural persons who are in a working relationship with our Company |
Sensitive Personal Data | Data specified in Article 6 of the Law on the Protection of Personal Data (e.g. health data including blood type, biometric data (fingerprints), body measurements, etc.) |
Professional Knowledge | Data on diploma and certificate information of employee candidates, employees and persons who have a business relationship with our Company |
PERSONAL DATA OWNERS PROCESSED BY OUR COMPANY
Our Company's customers, subsidiaries, visitors, employee and/or internship candidates, employees, company shareholders, employees of companies with which we have a business relationship, employees of organizations with which we cooperate.
PURPOSES OF PROCESSING PERSONAL DATA
By our company;
- Carrying out the application processes of employee candidates
- Execution of human resources processes
- Fulfillment of regulatory obligations for employees
- Conducting social responsibility and civil society activities,
- Conducting financial and accounting affairs,
- Conducting communication activities
- Execution of the procurement process of goods and services
- Execution of the goods and services sales process
- Execution of the remuneration policy
- Execution of processes related to employee benefits and benefits
- Execution of Storage and Archive Activities
- Execution of Emergency Management Processes,
- Execution of Business Activities
- Execution of Business Continuity Ensuring Activities,
- Ensuring the Security of Movable Property and Resources
- Providing Information to Authorized Persons, Institutions and Organizations,
- Conducting Training Activities
- Execution of Activities in Compliance with the Legislation,
- Ensuring Physical Space Security
- Execution of Internal Audit Activities
- Execution of Occupational Health / Safety Activities
- Execution of Management Activities,
- Execution of Goods / Services Production and Operation Processes
- Execution of Goods / Services After Sales Support Services
- Execution of Logistics Activities
- Execution of Contract Processes
- Execution of risk management processes
- Fulfillment of our legal obligations,
- It is necessary to process the personal data of the parties based on the established business relationship,
- Provided for in the laws and
- For legal reasons such as the protection of the legitimate interests of our Company, provided that the fundamental rights and freedoms of the person concerned are not harmed, and by obtaining the explicit consent of the person concerned
personal data specified in this policy are processed.
RETENTION PERIODS OF PERSONAL DATA
Our Company stores personal data for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed.
If the legislation does not regulate how long personal data should be kept, personal data is processed for the period required by our Company's practices and the customs of commercial life, depending on the activity carried out by our Company while processing that data. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.
IV. SECTION
CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT AT THE ENTRANCES TO AND INSIDE OUR COMPANY'S BUILDINGS AND FACILITIES
Within the scope of security camera surveillance, and in order to ensure the security of the Company and other persons and to protect their interests, our Company subjects certain areas to camera surveillance, limited to this policy and in a manner that does not interfere with the privacy of the person beyond what security purposes require. Our Company acts in accordance with the LPPD in camera surveillance activities carried out for security purposes. Information regarding the camera surveillance activity is provided by publishing this policy on the website and by posting signs and clarification text regarding the monitoring in the monitored areas.
The monitoring areas, the number and the time of monitoring of the security cameras are sufficient to achieve the security purpose and are limited to this purpose. Necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera surveillance. Detailed information on the retention period of personal data obtained through camera surveillance is provided in the Personal Data Retention Periods section of this Policy.
Only a limited number of Company employees have access to the records recorded and stored digitally with live camera footage. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
MONITORING OF GUEST ENTRANCES AND EXITS CARRIED OUT AT THE ENTRANCES OF OUR COMPANY'S BUILDINGS AND FACILITIES AND INSIDE THEM
Personal data processing activities are carried out by our Company for the purposes of ensuring security and for the purposes specified in this Policy, for the tracking of guest entrances and exits in our Company's buildings and facilities.
While obtaining the names and surnames of persons who come to our Company's buildings as guests, personal data owners are informed in this context. The data obtained for the purpose of tracking guest entry-exit are processed only for this purpose and the relevant personal data are physically recorded in the data recording system.
V. SECTION
TRANSFER OF PERSONAL DATA
Although the third parties to whom personal data may be transferred may vary depending on various factors such as the type and nature of the relationship between the data subject and our Company and the markets where transactions are carried out, the third parties to whom the data may be transferred are generally as shown below:
- Authorized public institutions,
- Private law legal entities, limited to the purpose requested within their legal authority,
- Domestic and/or foreign business partners of our Company,
- Customers, suppliers,
- Our shareholders, our auditors.
CHAPTER VI
ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA
Our Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and conducts or has the necessary audits carried out within this scope.
The actions and measures taken by our Company to ensure "data security" in accordance with Article 12 of the KVKK are stated below.
Our Company takes technical and administrative measures to ensure that personal data is processed in accordance with the law, according to technological possibilities and the cost of implementation. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVKK and cannot use them for purposes other than processing, and that this obligation will continue after they leave their duties, and necessary commitments are taken from them in this direction.
Our Company provides the necessary trainings to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data. Our Company takes the necessary technical and administrative measures according to technological possibilities and implementation cost in order to store personal data in secure environments and to prevent the destruction, loss or alteration of personal data for unlawful purposes.
CHAPTER VII
CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 7 of the KVKK, personal data shall be deleted, destroyed or anonymized within 3 months upon the decision of our Company if the reasons requiring its processing disappear. In the event that all the conditions for processing personal data disappear, our company deletes, destroys or anonymizes the personal data subject to the request upon the request of the person concerned. Our company finalizes the request of the person concerned within thirty days at the latest and informs the person concerned.
CHAPTER VIII
RIGHTS OF PERSONAL DATA OWNERS; METHOD OF EXERCISING AND EVALUATING THESE RIGHTS
Our Company carries out the necessary channels, internal operation, administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
Personal data subjects;
- Learn whether personal data is being processed,
- Request information if their personal data has been processed,
- To learn the purpose of processing personal data and whether they are used for their intended purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- Although it has been processed in accordance with the provisions of KVKK and other relevant laws, it has the right to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request that the transaction made within this scope be notified to third parties to whom personal data is transferred.
IX. SECTION
PERSONAL DATA PROTECTION AND PROCESSING POLICY MANAGEMENT STRUCTURE
Our Company establishes the necessary management structure to fulfill the obligations under the Law on the Protection of Personal Data and for the implementation of this Policy and to fulfill the following functions.
- To prepare basic policies and amendments regarding the Protection and Processing of Personal Data and submit them to the senior management for approval to put them into effect,
- To decide how the implementation and supervision of the policies on the Protection and Processing of Personal Data will be carried out and to submit the issues of making internal assignments and ensuring coordination within this framework to the approval of senior management,
- To determine the matters to be done to ensure compliance with the Law on the Protection of Personal Data and related legislation and to submit the necessary actions to the senior management for approval; to oversee and coordinate their implementation,
- To raise awareness within the Company and among the Company's business partners on the Protection and Processing of Personal Data,
- To identify the risks that may arise in the personal data processing activities of the Company, to ensure that necessary measures are taken, and to submit improvement proposals to the senior management for approval,
- Designing and implementing trainings on the protection of personal data and implementation of policies,
- To respond to the applications of personal data subjects in due time,
- Managing relations with the Personal Data Protection Board and the Authority.
While forming the management structure, a committee is established and the members of this committee and the distribution of duties are determined by the senior management of our Company. In addition to the above-mentioned duties, the Committee and the responsible person(s) to be appointed in this regard may be assigned other duties and responsibilities according to the needs of our Company and the nature of the activities it carries out.
X. SECTION
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURITY OF PERSONAL DATA
Our Company takes the necessary administrative and technical measures to ensure that personal data are stored lawfully and securely. For this purpose:
- Disciplinary arrangements are in place for employees that include data security provisions
- A personal data processing inventory is prepared and kept up to date
- Contracts (between data controller and data processor)
- Organizational policies (access, information security, use, retention and disposal)
- Employment contract
- Disciplinary regulation (adding provisions in accordance with the law)
- Confidentiality commitments are made.
- Internal periodic and/or random audits
- Training and awareness activities
- Ensuring the security of environments that provide personal data
- Risk analyses are conducted and personal data is minimized as much as possible
- Network security and application security are ensured,
- Corporate policies on the use, storage and disposal of access information security have been prepared and implemented.
- Up-to-date anti-virus systems are used.
- Personal data security policies and procedures have been determined.
- Personal data security is monitored.
- Security of environments containing personal data is ensured.
- Personal data is backed up and the security of backed up personal data is also ensured.
- Existing risks and threats have been identified.
- Sensitive personal data is always sent encrypted and using a KEP or corporate mail account.
- Encryption is performed.
- Closed system network is used for personal data transfers through the network.
- Firewalls are used.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks.
- In the event that it is determined that the personal data processed or transferred by our Company has been unlawfully accessed by unauthorized persons, the Personal Data Protection Board and the relevant data owner will be notified as soon as possible and within 72 hours.