Privacy Policy

1.   WHAT’S THE PURPOSE

Personal Data Storage and Destruction Policy, personal data processed by our company; Personal data belonging to citizens, institution employees, employee candidates, service providers, visitors and other third parties It aims to comply with the principles and rules brought by the Constitution, international conventions, the Law on the Protection of Personal Data No. 6698 and other relevant legislation, and to determine and announce the business rules regarding the storage and destruction of individuals whose data are processed by the company while protecting their rights and freedoms.

2.  WHAT IT CONTAINS

Personal data belonging to citizens, institution employees, employee candidates, service providers, visitors and other third parties are covered by this policy. This policy is applied in all recording environments where personal data owned or managed by the institution are processed and in activities for personal data processing.

3.   AUTHORITIES AND RESPONSIBILITIES

All employees, consultants, external service providers and everyone else who store and process personal data within the institution are obliged to fulfill the requirements regarding the internal storage and destruction of the data specified in the Law, Regulation and Policy. Each business unit is responsible for the storage and protection of the data it generates in its own business processes.

The “Data Controller Contact Person” is responsible for the notification or acceptance and registration of the notifications or correspondence made to the KVKK Board on behalf of the data controller.

4.  DEFINITIONS AND ABBREVIATIONS

Recipient Group: The natural or legal person category to which personal data is transferred by the data controller.

Open Consent: Consent on a particular subject, based on information and expressed with free will.

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Worker: Our company staff.

Electronic environment: Environments where personal data can be created, read, changed and disseminated by electronic devices.

Non-Electronic Media: All written, printed, visual etc. other than electronic media. other environments.

Service provider: A natural or legal person who provides services within the framework of a certain contract with our company.

Related person: The natural person whose personal data is processed.

Related User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and support of the data.

Destruction: Deletion, destruction or anonymization of personal data.

The Law: 6698 Personal Data Protection Law.

Record Medium: Any kind of medium where personal data is processed, whether fully or partially automated or not, as long as it is part of any data recording system.

Personal Data: Any kind of information related to an identified or identifiable real person.

Personal Data Processing Inventory: Inventory that details the personal data processing activities that data controllers carry out as part of their business processes; by associating the processing purposes, data category, group of recipients transferred and group of data subject. It also specify the maximum duration required for the purpose of processing personal data, personal data to be transferred to foreign countries, and measures taken for data security.

Processing of Personal Data:Any kind of operation performed on data such as the obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing the use of personal data, whether fully or partially automated or not, as long as it is part of any data recording system.

Board: The Personal Data Protection Board.

Special Qualified Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, conviction and security measures, as well as biometric and genetic data of individuals.

Periodic destruction: The process of deletion, destruction or anonymization of personal data carried out at specified and recurrent intervals as set out in the personal data retention and destruction policy, in the event that all the conditions for the processing of personal data specified in the law have ceased to exist.

Data Processor: A real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Recording System: A record system in which personal data is processed in a structured manner according to specific criteria.

Data Controller: A real or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system.

Data Controllers’ Record Information System (VERBIS): An information system created and managed by the DPA, accessible via the internet, which data controllers will use in applications to the Record and other relevant transactions related to the Record.

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.

5. PERSONAL DATA RETENTION AND DESTRUCTION POLICY

Our company actively supports the responsible units in terms of the technical and administrative measures taken within the scope of the policy, the increase of the awareness and education of the unit employees, the prevention of the illegal processing of personal data by monitoring and continuous auditing, the prevention of illegal access to personal data, and ensuring the proper storage of personal data in all environments where personal data is processed.

The distribution of the titles, units and job descriptions of those who are involved in the retention and destruction processes of personal data is given in Table 1.

6. Record Media

Personal data is stored in a secure and legal manner on the platforms listed in Table 2 by our company.

7.   Storage of Personal Data

Our company stores and destroys personal data of citizens, employees, visitors, and third parties, organizations or institutions that are in relationships with our company, in compliance with the law. In this context, detailed explanations regarding storage and destruction are provided below.

The Personal Data Protection Law (KVKK) defines the concept of processing personal data in Article 3, and states that personal data should be limited, proportional and related to the purpose for which they were processed in Article 4. Article 5 and 6 sets out the conditions for the processing of personal data. Therefore, in accordance with the law, our company stores personal data for the time necessary for the purpose for which they were processed.

7.1.     Legal Reasons Requiring Storage

• 3194 Building Code,
• 4734 Public Procurement Law,
• 6183 Law on the Collection of Public Receivables,
• 5490 Population Services Law,
• 7201 Notification Law,
• 1319 Real Estate Tax Law,
• 2981 Building Permit Law,
• 2886 State Tender Law,
• 3071 Law on the Use of the Right to File a Complaint,
• 657 Civil Servants Law,
• 4904 Turkey Employment Agency Law,
• 2863 Law on the Protection of Cultural and Natural Assets,
• 213 Tax Procedure Law,
• 3195/3196/3197/3198/3199/3200/3201 Building Code,
• 3308 Vocational Education Law,
• 4483 Law on the Trial of Civil Servants and Other Public Officials,
• 4708 Building Inspection Law,
• 9464 Law on the Rights of Persons with Disabilities,
• 4857 Labor Law,
• 4982 Right to Information Law,
• 5393 Municipal Law,
• 5580 Private Education Institutions Law,
• 9207 Regulation on Opening and Operating Workplaces
• 5651 Publications on the Internet

LAW REGARDING THE FIGHT AGAINST CRIMES PROCESSED THROUGH ORGANIZATION AND THIS PUBLICATIONS

• LAW REGARDING THE CONVERSION OF AREAS UNDER DISASTER RISK NUMBER 6306,
• REGULATIONS REGARDING THE PROCEDURES AND PRINCIPLES TO BE APPLIED IN OFFICIAL CORRESPONDENCE NUMBER 6321,
• OCCUPATIONAL HEALTH AND SAFETY LAW NUMBER 6331,
• LOCAL ADMINISTRATION LAW NUMBER 5442,
• PUBLIC PROCUREMENT LAW NUMBER 4735,
• ANIMAL PROTECTION LAW NUMBER 5199,
• REGULATIONS REGARDING THE PROCEDURES AND PRINCIPLES FOR THE APPLICATION OF THE RIGHT TO INFORMATION LAW NUMBER 7189,
• HEALTH SERVICES BASIC LAW NUMBER 3359,
• GENERAL HEALTH LAW NUMBER 1593,
• LAW REGARDING THE PRACTICE OF MEDICINE AND SURGERY NUMBER 1219,
• CRIMES LAW NUMBER 5326,
• OTHER RELATED LEGISLATION.

7.2.    PROCESSING OBJECTIVES THAT REQUIRE STORAGE

• Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees,
• Address Information Process,
• Execution of Information Activities,
• Çalışan Adayı / Stajyer / Öğrenci Seçme ve Yerleştirme Süreçlerinin Yürütülmesi,
• Execution of Employee Candidate / Intern / Student Selection and Placement Processes,
• Keeping employee records,
• Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees,
• Conducting Audit / Ethical Activities,
• Execution of Petition Application Activities,
• Carrying out activities related to areas under the risk of Natural Disaster and Risky Buildings,
• keeping files,
• Real Estate and Zoning Debt Information,
• Execution of Real Estate and Expropriation Transactions,
• Property Tax Registration Number Inquiry Processes,
• Execution of Access Authorities,
• Execution of Marriage Transactions Activities,
• Execution of Document Registration Activities,
• Carrying out the Activities in Compliance with the Legislation,
• Providing Physical Space Security,
• Execution of Assignment Processes,
• Informing the Current Zoning Status,
• Execution of Patient Transport Ambulance Services,
• Follow-up and Execution of Legal Affairs,
• Execution of Communication Activities,
• Execution of the Rights and Interest Process Activities of the Related Person,
• Execution of Zoning Implementation and Regulation Partnership Share Activities,
• Execution of Zoning Implementation and Regulation Licensing Activities,
• Execution of Zoning Building License Process Activities,
• Execution / Supervision of Business Activities,
• Execution of Condominium Ownership Process Activities,
• Execution of Protection, Implementation and Inspection Repair Preliminary Permission Process Activities,
• Execution of Course Registration Activities,
• Execution of Library Registration Activities,
• Execution of Goods / Services Procurement Processes,
• Execution of Preliminary Investigation, Investigation, Investigation and complaint procedures,
• Execution of Planned Areas Reconstruction Process Activities,
• Execution of Risky Building Inspection Process Activities,
• Execution of License Application Process Activities,
• Execution of License Notification Processes,
• Carrying out the Information Process Activities of the License and Inspection Directorate,
• Carrying out the Information Process Activities of the License and Inspection Directorate,
• Execution of Social Aid and Organization Activities,
• Execution of Modification Licensing Process Activities,
• Follow-up of Requests / Complaints,
• Execution of Inspection Board Process Activities,
• Execution of Process Activities of Tax Transactions,
• Execution of Building Occupancy Permit Activities,
• Execution of Investment Processes,
• Creation of Visitor Records and Follow-up of Request Complaints,
• Creation and Tracking of Records, Complaints and Requests Received from the Call Center.

8.   REASONS FOR DISPOSAL

      Personal data;

1. Changing the provisions of the relevant legislation, which is the basis for processing,

2. The disappearance of the purpose requiring its processing or storage,
3. In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his explicit consent,
4. In accordance with Article 11 of the KVKK, the application made by the company regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
5. The company rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of her personal data, finds the answer insufficient or does not respond within the time stipulated in the Law.

in cases; Making a complaint to the Personal Data Protection Board and this request being approved by the Board,

• In cases where the maximum period requiring the storage of personal data has passed and there is no condition to justify keeping the personal data for a longer period, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by the company upon the request of the person concerned.

9.   ENSURING THE SECURITY OF PERSONAL DATA

Our company takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data.

As stipulated in the 1st clause of the 12th article of the KVKK;

• To prevent the unlawful processing of personal data,
• To prevent unlawful access to personal data,
• It takes the necessary measures to ensure the protection of personal data.

The measures taken by our company to ensure the security of personal data are detailed in the sub-clauses.

9.1.     TECHNICAL MEASURES

In order to ensure data security, the company coordinates the necessary activities for its personnel to be aware of the Law on the Protection of Personal Data. Operates data classification processes within the scope of established systems. In line with these processes, technical measures are taken in line with the developments in technology. Infrastructure investments are made in accordance with the developing technology. It enables the installation of software and hardware, including virus protection systems and firewalls. It uses the versions of the systems that have taken the necessary security measures against current and known vulnerabilities and log records of the systems are taken. It ensures that the access to personal data of the employees in the information technology units is kept under control. The company imposes restrictions on access to personal data according to the principle of least authority. It defines access and authorization in accordance with the department and process requirements. It checks the compliance of the accesses with the authorizations. It reports the information obtained as a result of controlling the security of the systems to the relevant parties. Risk points are identified and necessary technical measures are taken. It spreads awareness so that it becomes a part of the corporate culture with a model that constantly processes technical measures in order to maintain the security of Personal Data. It ensures that the measures taken are kept alive with controls. Physical security measures are kept at the highest level with camera systems within the institution. Environmental monitoring of digital environments where personal data is kept, automatic fire extinguishing systems and access authorization controls are provided.

9.2.     ADMINISTRATIVE MEASURES

The company takes the necessary administrative measures to ensure the security of personal data and supervises the work of the employees according to these measures. It defines access authorizations in accordance with the department and process requirements at a level that will not cause disruption of business processes. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the Law, and that they cannot use them for purposes other than processing, and that this obligation will continue even after they leave their job. Necessary commitments are taken from the employees in this direction. Regarding the sharing of personal data with third parties, it signs a confidentiality agreement with the persons with whom the personal data is shared or provides personal data security with the provisions it will add to the agreements. Third parties to whom personal data are shared accept the provisions regarding that they will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own organizations.

9.2.1.    AUDITS FOR THE SUSTAINABILITY OF PROTECTION OF PERSONAL DATA

The company performs or has it made the necessary inspections in accordance with Article 12 of the KVK Law. Systems are regularly monitored by data processing. Necessary technical and administrative measures are taken to eliminate the findings obtained after management systems audits and risk analysis.

9.2.2.     MEASURES APPLIED TO THIRD PARTIES TO ENSURE THE PROTECTION OF PERSONAL DATA

The company, in its contracts with third parties; mutually maintains the necessary sanction clauses to prevent the unlawful processing of personal data, to prevent unlawful access to the data, and to ensure the preservation of the data. Confidentiality agreements are signed before sharing information with third parties. Necessary information is given to third parties to raise awareness.

9.2.3.     MEASURES APPLIED FOR THE PROTECTION OF SPECIAL QUALITY PERSONAL DATA

Adequate precautions should be taken for sensitive personal data, both in terms of their qualifications and because they may lead to victimization or discrimination of individuals. In Article 6 of the KVK Law, personal data that carries the risk of causing victimization or discrimination when processed unlawfully are designated as “Special Quality”.

These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

The Company takes the necessary measures to protect the personal data of special nature, which is determined as “special quality” by the Law and processed in accordance with the law. In the technical and administrative measures taken to protect personal data, sensitivity is shown for special quality personal data.

9.2.4.     RAISING AWARENESS TO ENSURE THE PROTECTION OF PERSONAL DATA

Necessary information is provided to employees, trainings are organized and their effectiveness is measured in order to prevent the illegal processing of personal data, illegal access to data, and to raise awareness to ensure data protection. Other documents related to the “Personal Data Protection and Processing Policy” have been published on our institution’s website.

In case of changes in the relevant law, regulation or legislation, the policies are revised and re-announced to the relevant parties.

10.   PERSONAL DATA DISPOSAL TECHNIQUES

The company destroys the personal data it obtains upon the request of the personal data owners, provided that it is not required to be used due to legal obligations or for the protection of public order and does not affect the business processes. The personal data of the data owners are destroyed in accordance with the decision of the institution when the requirements for the continuation of the services, the fulfillment of the legal obligations, the planning of the employee rights and fringe benefits are eliminated. Personal data that do not need to be stored on the dates determined by the Data Controller Contact Person every year are destroyed with the following techniques in accordance with the legislation.

10.1.     DELETING PERSONAL DATA

The methods of deletion of personal data are specified in the table below.

10.2.     DESTRUCTION OF PERSONAL DATA

The destruction of personal data is indicated in the table below.

10.3.     MAKING PERSONAL DATA ANONYMOUS

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

In order for personal data to be anonymized; Personal data must be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning the personal data by the data controller or third parties and/or matching the data with other data.

11.   STORAGE AND DISPOSAL TIMES

Regarding the personal data being processed by the company within the scope of its activities;

• Personal data-based storage periods for all personal data within the scope of activities carried out in connection with processes are in the Personal Data Processing Inventory,
  • Storage periods on the basis of data categories are recorded in VERBIS,
  • On the said storage periods,

If necessary, updates are made by the Personal Data Contact Person.

For personal data whose storage period has expired, it is destroyed ex officio. The retention periods of personal data are given in the table below.