PERSONAL DATA PROTECTION AND PROCESSING POLICY
- Purpose and scope of the policy
This Personal Data Protection and Processing Policy ("Policy") is intended to provide information about the personal data processing activities carried out by Ünsped Gümrük Müşavirliği ve Lojistik Hizmetleri A.Ş. ("UGM" or "company") within the scope of its operations, and about the set of rules and principles on which these activities are based.
This policy covers all natural persons whose personal data is processed by UGM, except employees of the company. Legal entities and information about legal entities are not included in the policy.
- Definitions Contained In The Policy
"Explicit Consent" | Consent about a particular subject, based on information and expressed by free will. |
"Employee" | A natural person who has an employee-like relationship with the company and its subsidiaries based on an employment contract or proxy agreement. |
"Electronic Media" | Environments where personal data can be created, read, modified and written using electronic devices. |
"Non-Electronic Media" | All written, printed, visual, etc. media other than electronic media. |
"Contact Person" | A natural person whose personal data is processed. |
"Destruction" | Deletion, destruction or anonymization of personal data. |
"Law" | Personal Data Protection Law No. 6698. |
"KVKK" | Personal Data Protection Law No. 6698. |
"Recording Media" | Any environment containing personal data that is processed by fully or partially automated means, or by non-automatic means provided that it is part of a data recording system. |
"Personal Data" | Any information about identified or identifiable natural persons. |
"Personal Data Processing Inventory" | The inventory that data officers create by associating the personal data processing activities they perform, depending on their business processes, with the legal reason for and purpose of processing personal data, the data category, the transferred recipient group and the data subject group, and in which they detail the maximum storage time required for the purposes for which personal data is processed, the personal data that is supposed to be transferred to EU countries, and the measures taken related to data security. |
"Anonymization of Personal Data" | The process, in accordance with this policy and including changes that may be made to the regulation from time to time, of making personal data in no way associable with an identified or identifiable natural person, even when matched with other data. |
"Processing Of Personal Data" | Any operation performed on personal data, such as obtaining, recording, storage, preservation, modification, re-regulation, disclosure, transfer, acquisition, classification or prevention of use, by completely or partially automated means, or by non-automatic means provided that it is part of a data recording system. |
"Deletion Of Personal Data" | The process, in accordance with this policy and including changes that may be made to the regulation from time to time, of making personal data in no way accessible or reusable for the relevant users. |
"Destruction Of Personal Data" | The process, under this policy and including changes that may be made to the regulation from time to time, of making personal data inaccessible, irretrievable and non-reusable by anyone. |
"Board" | Personal Data Protection Board. |
"Entity" | Personal Data Protection Agency. |
"Specially Qualified Personal Data" | Data on the race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sex life, criminal convictions and security measures of persons, together with biometric and genetic data. |
"Periodic Destruction" | The deletion, destruction or anonymization process that will be performed at the repeated intervals specified in the policy of storing and destroying personal data, in the event that all the terms of processing of personal data contained in the law are eliminated. |
"Policy" | This policy and all other policies that may be adopted in the future. |
"Data Officer" | A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
"Data Officer Contact Person” | In order to ensure communication with the institution regarding its obligations under the law and the secondary regulations to be issued by the data responsible company based on this law |
“Regulation” | A natural person reported at the time of registration in the registry of data officers. As of the effective date of this policy, Serkan Ayverdi has been selected to be registered with Verbis as the Data Officer Contact person. |
The definitions contained in this policy are used as follows. It will be assumed that the definitions not mentioned here are used as defined in the Personal Data Protection Law No. 6698 and the secondary regulations established under this law.
- Execution and update
This policy was put into effect on [12.09.2019]. The company is entitled to update the policy at any time it deems necessary, especially in the event of legislative updates, by publishing the latest version on the website. For this reason, interested persons should check the most current version of the policy on the website when they want to get information about the policy.
- Data Officer within the Scope of Personal Data Processing Activities
In accordance with the law, Ünsped Gümrük Müşavirliği ve Lojistik Hizmetleri A.Ş. determines the purposes and means of data processing related to the personal data processed while carrying out its operations and activities. In this context, the company provides information about the purposes for which and the way in which it processes personal data by making disclosures to the relevant people in the channels through which it collects personal data.
Similarly, the company is responsible for the establishment and management of the data recording system in which such personal data is processed. Therefore, the company acts as a data controller in terms of many of the personal data it processes under the law.
In some cases, the company does not specify the purposes and means of processing personal data; it may process personal data on the instructions of another company. In this case, the company is acting as a data processor under the law, and this policy is intended only to inform the relevant persons in relation to the personal data processing activities in which the company acts as a data controller.
- Personal data processing activities and objectives
1 Processing Of Visitor Personal Data
Personal data processing activities are carried out in order to ensure the security of the building, to keep records of visitors properly, to prevent and detect crime, and to provide information to authorized institutions and organizations if necessary.
These personal data processing activities are carried out:
- By keeping camera records within the scope of camera (CCTV) monitoring activities inside and outside the building,
- As part of ensuring internet access for visitors, by keeping internet access records,
- By keeping entry and exit records of visitors.
- a) Keeping camera records
Surveillance activities are carried out with cameras inside and outside the company. These cameras are located in the security office, from which the turnstiles at the entrance can be seen, and in some locations inside and outside the building. In these areas, the persons concerned are informed of the monitoring by warning signs.
The company carries out monitoring activities with the camera for the following purposes and keeps the necessary records:
- Assisting in the prevention and detection of crime;
- Facilitating the identification, arrest and trial of those who commit crimes and violate public order;
- Helping to ensure public safety and the security of buildings;
- Helping to identify actions that may result in the launch of a disciplinary investigation against employees.
Images recorded through the camera system in question will be kept for a maximum of 3 months from the date they are received, unless they are required to be kept as evidence or for a longer period of time to investigate the crime or are required under legal legislation.
Camera footage may be shared with authorized institutions and organizations in order to help prevent and identify crimes, facilitate the identification, arrest and trial of those who commit crimes and disrupt public order, and fulfill our legal obligations, if necessary or if there is a legal request. The operation of cameras within the company, their management and all other issues related to the camera operating system are handled by the Procurement and Administrative Affairs Directorate.
Processing of personal data by keeping camera records is carried out on the basis of the following legal reasons: the processing is required for the company to fulfil its legal obligations, the processing is required for the company to protect and use its legal rights, and the company has a legitimate interest in carrying out activities to provide security and prevent crime.
- b) Keeping records of Internet access
Some personal data is processed when it comes to connecting visitors to the company's internet network as guest users.
These personal data are the person's first and last name, internet usage log records, MAC ID, IP information, mobile phone number, user name, password information. This information is not disclosed to any third party outside the company, except that it is shared with authorized institutions and organizations to fulfill our legal obligation in the event of a legal request.
The specified personal data is processed for the purposes of carrying out activities in compliance with the legislation, providing information to authorized persons/institutions in cases where there is a legal claim, granting visitors access to the internet network as guest users, and ensuring information security.
By keeping internet access records, personal data is processed electronically based on the following legal reasons: the personal data processing activity is clearly allowed under Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight Against Crimes Committed Through These Publications; the processing is required to fulfil our legal obligations under the Regulation On Internet Mass Use Providers (Official Gazette date and number: 11.04.2017, 30035); and the processing is required to provide you, as a visitor, with internet access and the right to access.
Personal data processed in this context is kept for two years, which is the legal period.
- c) Keeping visitor entry and exit records
If people come to the company as visitors, some personal data is processed.
These personal data are visit information in the form of first name, last name, company name, reason for visit and the person visited. This information is not disclosed to any third party outside the company, except that it is shared with authorized institutions and organizations to fulfill our legal obligation in the event of a legal request.
The specified personal data is processed for the purposes of carrying out activities in accordance with the legislation, creating and tracking visitor records, ensuring physical space security, ensuring the security of the company's fixtures, employees and building, and providing information to authorized persons/institutions and organizations.
By keeping visitor entry and exit records, personal data is processed in a physical environment based on the legal reasons of fulfilling our legal obligations and the company's legitimate interest in ensuring the safety of the company's buildings and employees.
Personal data processed in this context is stored for six months from the end of the visit.
2 Processing Personal Data of Candidates in Recruitment Processes
As a candidate, your personal data can be processed in order to carry out recruitment processes when you apply to an announcement that we have published, or within the scope of the information you have provided to apply for a job through channels such as the İŞKUR candidate database and career sites.
Personal data can be transmitted to our company directly by you, or can reach the company in electronic or physical environments through career sites, the İŞKUR candidate database and the business partners from whom we receive support in recruitment processes.
In this context, depending on the position applied for, the following personal data given in the application, interviews and recruitment process are processed: first name, surname, contact information, military status, gender, date of birth, educational information, past work experience, certificates owned, driver's license information, foreign language references, computer programs, scholarships, participation in seminars and courses, and all other information in the resume given by the candidate; projects, work preferences and information about the work the candidate intends to do at the company; the earliest date to start work; salary expectations; whether the candidate has previously applied for any position in the company; whether the candidate can work overtime; hobbies; the reason for leaving previous work; whether the candidate has any relative in our company; ability to travel; the departments in which the candidate wants to work; and similar personal data given by the candidate in the job interview.
In the recruitment processes related to some positions, only health information and criminal conviction/criminal record information can be processed in order to determine whether the candidate is physically fit for the job and whether there is a legal obstacle to his or her work in this position. This data is processed only for the specified purposes and is not used for other purposes.
In recruitment processes, the processing of personal data of candidates is carried out on the basis of the legal reasons of ensuring that the candidate can use the right to apply and the company's legitimate interest in creating the human resources necessary to continue its activities. In the absence of these legal reasons, personal data is processed based on the legal reason of "explicit consent" if the candidate has given explicit consent to the personal data processing activity.
3 Processing of personal data of suppliers and partner employees and officials
Since data belonging to legal entities is not considered personal data, this data is not included in the scope of this policy. However, the personal data of the employees and officials of the supplier companies from which services are received within the scope of the supply of goods and services, and of the business partners and group companies with which we cooperate in order to carry out the company's activities/operations, are processed within the scope of our usual operational processes.
The personal data of supplier and business partner employees and officials is processed for the purposes of: executing ordinary operational processes within the scope of the supply of goods and services; making, in advance, the accommodation and transportation plans necessary for company visits, organization and event management; planning and executing occupational health and safety processes; evaluating compliance with business processes; establishing communication in order to execute business activities; planning and executing business activities; communicating with vendors; conducting finance and accounting affairs; executing the sales processes of products and services; executing product shipment processes; executing product import and export processes; executing contracts; planning and executing audit, investigation and intelligence operations; executing the tendering process and supplier research; making risk queries for supplier registration; reporting to the relevant authorities regarding suppliers and business partners; carrying out activities in accordance with the legislation; and fulfilling obligations arising from the legislation.
As part of the process of signing contracts with suppliers and business partners, personal data belonging to the signatory authorities are also processed in the company's signature circulars.
- Principles of Personal Data Processing
The company informs its employees and takes all necessary administrative/technical measures in order to comply with the five main principles set out below in all transactions carried out on personal data from the moment of collection of personal data to the moment of destruction in accordance with the law:
- Compliance with the law and the rules of honesty,
- Being accurate and up-to-date when needed,
- Processing for specific, explicit and legitimate purposes,
- Being bound, limited and restrained to the purpose for which they are processed,
- Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
In this context, when processing personal data as a company, we act in accordance with the legislation and the rules of good faith. Relevant persons are informed about personal data processing activities with disclosure texts in the relevant channels, ensuring compliance with the principles of processing personal data for specific, clear and legitimate purposes and of being bound, limited and measured for these purposes. Personal data is deleted, destroyed or anonymized when the purpose of processing disappears.
- Terms of Personal Data Processing
The terms of personal data processing are contained in Articles 5 and 6 of the law. The company takes into account the data processing requirements contained in Article 5 of the law when processing non-special personal data, and those contained in Article 6 of the law when processing special personal data.
1 Condition for Processing Non-Special Qualified Personal Data
Requirements for processing non-special personal data are stated in the 5th article of the law as follows:
- Explicit provision in laws,
- Processing is mandatory for the protection of the life or body integrity of a person who cannot disclose his consent due to actual impossibility or whose consent is not granted legal validity, or of someone else,
- Processing of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or execution of the contract,
- Data processing activities are mandatory for the company to fulfill its legal obligations,
- Disclosure of personal data by the person concerned,
- Data processing is mandatory for the establishment, use or protection of a right,
- Data processing is mandatory for the legitimate interests of the company,
- In cases where at least one of the above-mentioned data processing conditions is not present, but the person concerned approves processing
Examples of the specified data processing requirements are included in the table below:
Data Processing Requirement | Example |
---|---|
Explicit provision in laws | Keeping employee's personal information within the scope of Labor Law. |
De facto impossibility | Processing the credentials of an unconscious patient into the hospital system. |
Establishment or execution of the contract | Recording the person's address information so that the purchased product can be sent. |
Legal obligation of the data controller | Sharing information requested by the court. |
Publication | In order to be contacted, the person announces his contact information on the website. |
Establishment, protection and exercise of the right | Entering user name and password information into the system in order to provide internet access to guest users. |
Legitimate interest | For security purposes, visitors' first and last name information is checked and saved in a book. |
In cases where none of the specified data processing requirements is present, the explicit consent of the persons concerned is obtained for the processing of personal data.
2 Conditions for Processing Personal Data with Special Qualifications
Qualified special personal data are identified in the law as race, ethnic origin, political opinion, philosophical belief, religion, sect, and belief or other, clothing and dress, association or trade union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data. Conditions required for the processing of such special personal data are stated in the following way in the article 6 of the law:
- Clear provision in the law for special qualified data other than health and sex life,
- Processing of information about health and sexual life by persons or authorized institutions under the obligation of confidentiality, for the purposes of public health protection, preventive medicine, the execution of medical diagnosis, treatment and care services, and the planning and management of health services and their financing,
- In cases where at least one of the above-mentioned data processing conditions is not present, but the person concerned approves processing.
Examples of the specified data processing requirements are included in the table below:
Data Processing Requirement | Example |
---|---|
Explicit provision in laws | Keeping the employee's union information in the personal file in accordance with the relevant legislation. |
Processing of data by persons or authorized institutions under the obligation of confidentiality, for the purposes of public health protection, preventive medicine, the execution of medical diagnosis, treatment and care services, and the planning and management of health services and their financing. | Keeping periodic health reports by the workplace physician. |
In cases where none of the specified data processing requirements is present, the explicit consent of the persons concerned is obtained for the processing of personal data.
- Personal Data Sharing
Personal data processed by the company may be transferred to third parties in accordance with the principles set out in the law. In this context, personal data is shared domestically with the parties and purposes mentioned below:
- With UGM, for the purposes of conducting the reporting process, the bid process and the contract monitoring and management of products and services; executing ordering, production, inventory and operational processes; executing logistics and monitoring activities; executing the preliminary investigation, selection and evaluation processes of potential business partners and suppliers; and audit, legal and regulatory compliance, enforcement and monitoring of the process,
- With consultants, suppliers and business partners from whom goods and services are purchased, for the purpose of procuring goods and services for the company and carrying out procurement processes,
- With legally authorized public institutions, organizations and persons, for the purposes of carrying out activities in accordance with the legislation, monitoring and conducting legal affairs, and providing information to authorized persons/institutions and organizations.
Within the framework of such personal data sharing, personal data is shared with the specified parties on the basis of one or more legal reasons of establishment, protection, use of a right, legal obligation of the data controller, legitimate interest.
- Measures taken for the storage of personal data and Data Security
Your personal data may be stored by the company in accordance with the following periods:
- Periods stipulated in all legislation in force and subject to the company;
- Until the purposes of processing your personal data are eliminated;
- During the period necessary for us to provide our products and services.
If none of these periods applies to continuing the personal data processing activity, personal data is deleted, destroyed or made anonymous by the company.
However, the company must take the necessary technical and administrative measures to prevent unlawful processing of personal data and unlawful access to data, and to ensure the safe storage of data.
Some main technical and administrative measures taken by the company regarding data security are given below:
- Network security and application security are provided.
- Closed system network is used for personal data transfers through the network.
- Key management is implemented.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- Disciplinary regulations are available for employees that include data security provisions.
- Training and awareness activities are carried out for employees on data security at regular intervals.
- Authorization Matrix has been created for employees.
- Access logs are kept regularly.
- Institutional policies on access, information security, use, storage and destruction have been prepared and implemented.
- Confidentiality obligations are made.
- Powers of employees who have changed their duties or left their jobs are cancelled.
- Current anti-virus systems are used.
- Firewalls are used.
- Signed contracts contain data security provisions.
- Personal data security policies and procedures have been established.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken for entering and exiting physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- Security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- User account management and authority control system are implemented and their follow-up is also carried out.
- In-house periodic and/or random audits are carried out and commissioned.
- Log records are kept in such a way that there is no user intervention.
- If special personal data is to be sent via e-mail, it is always sent encrypted and using a KEP (registered electronic mail) or corporate mail account.
- Secure encryption/cryptographic keys are used for special personal data and managed by different units.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is performed.
- Specially qualified personal data transferred in portable memory, CD, DVD environment is encrypted and transferred.
- Additional security measures are taken for personal data transferred through paper, and the relevant documents are sent in the format of a document with a degree of confidentiality.
Apart from what is specified here, special additional technical and administrative measures are also taken by the company, taking into account the nature of personal data and the degree to which confidentiality is required.
- Rights Regarding Personal Data
The company has the title of data officer for the processing of your personal data. For this reason, interested persons may apply to the company for the following rights regarding the processing of their personal data:
- To learn whether your personal data is processed – you may receive information from us about whether we process your personal data.
- If we process your personal data, you have the right to request information about it – you have the right to receive information about how we process your personal data.
- To learn about the purpose of processing your personal data and whether it is used for its purpose – you have the right to receive information about whether we use your personal data for the purpose of obtaining it.
- To know the third parties, at home or abroad, to whom we transfer your personal data, if any – if there are third parties to whom we transfer your personal data, you can get information about them from us.
- If your personal data is incomplete or incorrectly processed, you can contact us to correct the personal data that you believe is incomplete or incorrectly processed, and to request that we notify third parties to whom we transfer personal data, if any, of the transaction performed in this context. In this case, we will update your data at your request. In cases where we transfer personal data to third parties, we also notify third parties to correct the data.
- Although we process in accordance with the law and related legislation, you have the right to request the deletion or destruction of your personal data if the reasons that require it to be processed disappear, and to request that we notify third parties to whom we transfer your personal data, if any, to delete or destroy your personal data. Please inform us if the reason that requires us to process your personal data has disappeared. In cases where we cannot fulfill this request, we will inform you of the reason (for example, we have a legal obligation to store your personal data).
- If a result against you arises because your personal data is analyzed exclusively through automated systems, you are entitled to object to it – if your personal data is processed exclusively with automated systems and the result is against you, you have the right to contact us about it. We will ensure that the relevant result is corrected upon the positive assessment of your appeal.
- You are entitled to claim for damages if you suffer damages due to illegal processing of your personal data – if you suffer losses due to illegal processing of your personal data, you have the right to claim for damages.
You can always contact us to learn more about the scope of your rights and to exercise your rights. If you submit your request for your rights to us, we will conclude your application as soon as possible and no later than thirty days, taking into account the nature of your request. You can start this process with the link below.
https://ugm.com.tr/kvkk-basvuru-formu
- Questions Regarding Policy
This policy is intended to inform interested parties about all matters related to the processing of your personal data. However, it is one of the general principles of the company to answer all questions related to personal data in a transparent and understandable manner within the scope of this policy. So if you have questions about the policy, please send an e-mail to the kvkk@ugm.com.tr address.