OKTAY İNŞAAT
PERSONAL DATA PROTECTION POLICY
1) The Purpose
of the Personal Data Protection and Processing Policy
As a
requirement of its legal and social responsibility, OKTAY İNŞAAT has accepted and
undertook to act in accordance with all legal legislation related to data
protection laws and international standards. For OKTAY İNŞAAT (hereinafter referred to as the
“Company”), this is the provision of data protection, the basis of a trusting
business relationship, and the reputation of the Company.
2) Scope and
modification of the Personal Data Protection and Processing Policy
This Personal Data Protection and Processing Policy
covers the processing of all personal data together with the Clarification Text
(statements made for the purpose of fulfilling the clarification obligation in
the data collection channels) statements. Anonymized information for purposes
such as statistical evaluations or analyses is not subject to this Data Protection
and Processing Policy.
This Personal Data Protection and Processing Policy has
been prepared in accordance with the Law on the Protection of Personal Data No.
6698 dated April 7, 2016 (“KVKK”).
This policy is related to all personal data of our customers,
our potential customers, our employee candidates, our employees, the employees,
shareholders, and authorities of the institutions we cooperated with, and third
parties; processed through automatic means or provided that the process is a
part of any data registry system, through non-automatic means.
This Personal Data Protection and Processing Policy,
regulated by our Company, is dated October 07, 2016. In case of the renewal of
all or certain articles of the Policy, the effective date and version of the
Policy will be updated. The policy is published on the official website of our
Company and is made available to relevant persons at the request of personal
data owners.
3) General
Principles in the Processing of Personal Data
- Lawfulness
and conformity with rules of bona fides
Individual rights of the persons concerned must be preserved in the
processing of personal data. Personal data should be collected and
processed in accordance with the law and fairly.
- Specific
purpose limitation
Personal data may only be processed for the purpose defined prior to the
collection of the data. Additional modifications to the purpose are
possible only to a limited extent and with justification.
- Transparency
and illumination
The individual concerned should be informed about the use of their
information. Personal data is usually received directly from the
individual concerned. When data is collected, the individual concerned
should be aware of or informed of the following articles:
- The identity of the data controller and its representative, if any
- The purpose of processing personal data
- To whom and for what purposes the processed personal data is
transferred, or categories of third parties
- Method of and Legal Reason for Collecting Personal Data
- The rights of the person whose personal data is processed in
accordance with Article 11 of the KVKK
- Data
reduction and data economy
Whether the process is necessary to achieve the purpose, and in what scope
it is necessary is determined prior to the processing of personal data. In
the case where the purpose is acceptable and proportionate, anonymous or
statistical data is used.
- Erasure of
personal data
After the expiration of the periods related to the legal or business
process, including the record-keeping obligations and the registration
procedures required for proof, personal data that are no longer required
are erased, destroyed, or anonymized.
- Accuracy
and data actuality
The personal data in the file is kept up to date if it is accurate,
complete, and known. Appropriate measures have been taken by the Company
to ensure the erasure, correction, completion, or updating of the
inaccurate or incomplete data.
- Privacy and
data security
Personal data is subject to confidentiality. It must be protected by
appropriate organizational and technical measures to prevent unauthorized
access, illegitimate acts, sharing, accidental loss, modification, or
destruction, and is kept confidential at the personal level.
4) The Purpose
of Data Processing
The collection and processing of personal data will be
carried out within the scope of the Clarification Text and the purposes
specified below.
5) Data of
Customers and Business Partners
- Data
processing for the contractual relationship
The personal data belonging to the customer (customer and potential
customers) or business partner (if the business partner is a legal person,
then the authority of the business partner and its employees) can also be
processed for the establishment of a contract, its implementation, and its
discharge without consent. Before the contract – at the stage of starting
the contract, personal data may be processed in order to ensure customer
safety, customer satisfaction, the purpose and legal performance of contractual
actions, and the fulfillment of contractual requests in this context. In
the process of preparing a contract, data owners can be contacted in
consideration of the information they provide.
- Data
processing for advertising and informational purposes
If the data owner makes a request for information from the Company,
his/her personal data may be processed to meet this request.
Personal data are processed for advertising or market and public opinion
research only if the purpose of collecting this information is in
accordance with these purposes. The data owner is informed that his/her
information will be used for advertising purposes. If the information is
collected only for advertising purposes, the data owners may not provide
this information. The data subject is informed about his/her freedom to
provide his/her information for this purpose. The consent of the person is
obtained for the processing of the data subject's information for
advertising purposes. The data subject can choose between the appropriate
communication channels such as mail, electronic mail, or telephone call
within the scope of giving this consent.
When the data subject does not allow the use of his/her information for
advertising purposes, the data is no longer used for these purposes and
its use for these purposes is precluded.
- Data
operations made due to the legal obligation of the company or as expressly
stipulated in the law
Personal data may be processed without further approval in order to
clearly state the processing in the relevant legislation or to fulfill a
legal obligation established by the legislation. The type and scope of
data processing must be necessary for the legally permitted data
processing activity and must comply with the relevant legal provisions.
- Processing
of data in accordance with the legitimate interests of the company
Personal data may also be processed without prior approval when it is
necessary for a legitimate interest of the Company. Legitimate interests
are, in general, legal (e.g. avoidance of contract violations) or economic
(e.g. collection of receivables) interests.
- Processing
of sensitive data
Sensitive personal data are processed in the following cases, provided
that adequate measures are taken, which will be determined by the Personal
Data Protection Board (“Board”):
- Sensitive personal data other than the health and sexual life of
the person concerned, in cases stipulated by law;
- And the sensitive personal data relating to the health and sexual
life of the person concerned can only be processed for the purposes of
public health protection, preventive medicine, medical diagnosis,
treatment and care services execution, planning and management of health
care and its financing, by persons under the obligation of confidentiality
or authorized institutions and organizations.
In the absence of the above-mentioned data processing
conditions, explicit consent is obtained from the relevant person for data
processing by the Company.
- User
information and internet
The processing of personal data used exclusively through automated systems
for the purpose of determining a number of elements cannot solely be the
basis for decisions that have negative legal consequences and negatively
affect the person concerned. The person concerned has the right to object
to the emergence of a conclusion against the person himself by analyzing
the processed data exclusively through automated systems. To prevent
misjudgments, testing and reliability checks are carried out by the
Company's employee.
- Data
processed exclusively through automated systems
In case of collection, processing, and use of personal data on websites or
applications, the relevant persons should be informed with a privacy
statement and, if necessary, about cookies. The privacy statement and
cookie information are integrated in such a way that they are easily
identifiable, directly accessible, and constantly available to the person
concerned.
In the event that usage profiles are created to evaluate the use of
websites and applications, the person concerned is properly informed about
this issue in the privacy statement.
If websites or applications can access personal data in an area restricted
to registered users, identification and authentication of the relevant
person provide adequate protection throughout the access.
6) Employee Data
- Processing
of data for business relationship
In business relations, personal data is processed without further approval
if it is necessary for the establishment, implementation, and termination
of the employment contract. Personal data of candidates are processed when
starting a business relationship. If the candidate is rejected, the
information about the candidate is stored until the appropriate data
retention period for a later stage of the selection, and at the end of
which, it is erased, destroyed, or anonymized.
- Data
operations that are made due to the explicit provision in the law or to
the legal obligation of the Company
Personal data belonging to the employee can be processed without further
approval in order to clearly state the processing in the relevant
legislation or to fulfill a legal obligation established by the
legislation.
- Processing
of data in accordance with the legitimate interest
Personal data belonging to the employee can also be processed without
prior approval if there is a legitimate interest of the Company.
Legitimate interests are, in general, legal (e.g. filing, implementation,
or defense of legal rights) or economic (e.g. evaluation of the company)
interests.
In personal cases where the interests of employees need to be protected,
personal data is not operated for legitimate interest purposes. Whether
there are interests that require protection is determined before the data
are processed.
When the data belonging to employees is processed based on the legitimate
interest of the Company, it is examined whether the processing is measured
or not. It is checked that the legitimate interest of the company in
taking this control measure does not violate any right to be protected of
the relevant employee, and it is applied only if it is measured.
- Processing
of sensitive data
Sensitive personal data is processed only under certain conditions. Data
on race and ethnic origin, political opinion, religion, philosophical
belief, sects or other beliefs, clothing, association or union membership,
health, sexual life, criminal convictions and security measures, and
biometric and genetic data are defined as sensitive data.
Sensitive personal data can be processed with the explicit consent of the
employee. Explicit consent can be processed according to the nature of
sensitive personal data, taking into account the principles set out in
this policy and the necessary administrative and technical measures.
Sensitive personal data are processed in the following cases, provided
that adequate measures are taken that will be determined by the Board, in
cases where the employee does not give explicit consent:
- Sensitive personal data other than the health and sexual life of
the person concerned, in cases stipulated by law,
- And the sensitive personal data relating to the health and sexual
life of the person concerned can only be processed for the purposes of
public health protection, preventive medicine, medical diagnosis,
treatment and care services execution, planning and management of health care
and its financing, by persons under the obligation of confidentiality or
authorized institutions and organizations.
- Telecommunications
and internet
Telephone equipment, email addresses, intranet, and the Internet, as well
as internal networks, are provided by the Company primarily for
work-related tasks. They are working tools and Company resources. These
tools must be used in accordance with legal regulations and internal
regulations of the Company.
There is no general audit of telephone and email communication or intranet
and internet use. In order to prevent attacks against the IT
infrastructure or individual users, protective measures are taken during
transitions to the Company network that block technically harmful content
or analyze the modeling of attacks. The use of telephone equipment, email
addresses, intranet/internet, and/or on-premises social networks is stored
for a limited period of time for security reasons. Evaluations of these
data on an individual are carried out only if there is a concrete
suspicion of violation of legal regulations. These controls are carried
out by the relevant departments only on the condition that the principle
of proportionality is maintained.
7) Transfer of
Personal Data
The
transfer of personal data to third parties other than the Company will be
carried out within the scope of the purposes specified in the Clarification
Text and the purposes specified below.
The Company will be able to transfer personal data to the following persons and
institutions for certain purposes;
- To the suppliers of our company, limited to provide necessary
services that our company procured exogenously from the suppliers of our
Company and that are necessary for our Company to fulfill its commercial
activity, to our Company,
- To subsidiaries, limited to procuring the execution of commercial
activity of our Company, to which the participation of subsidiaries is
necessary,
- To legally authorized public institutions and organizations,
limited to the purpose requested by the relevant public institutions and
organizations within the scope of their legal authority,
- To legally authorized private entities, limited to the purpose
requested by the relevant private entities within the scope of their legal
authority.
After the Board declares foreign countries with
sufficient protection, personal data will be transferred by our Company only to
those countries. For countries that have been declared to lack adequate
protection; personal data will be transferred when data controllers in Turkey
and the relevant foreign country have committed to adequate protection in
writing and have the permission of the Board or when the data subject has given
their consent.
8) The Rights of
the Person Concerned
All data subjects have the following rights. In case of
exercising the rights given to the data subject and submitting a request to the
Company, the Company provides the necessary information; with this data privacy
regulation, the Company informs the data subject about how to use this right
and how to evaluate the issues related to the information request.
- The right to find out if personal data has been processed,
- To request information about his/her personal data in case it has
been processed,
- To find out the purpose of processing personal data and whether
they are used for their intended purpose,
- To request correction of personal data in case of incomplete or
incorrect processing, and to request reporting of the operation made in
this regard to the third parties to whom the personal data was
transferred,
- To request the destruction or erasure of his/her personal data and
to request the reporting of the operation made in this regard to the third
parties to whom the personal data were transferred, in cases where the
reasons requiring processing are no longer apparent, even though personal
data were processed under the provisions of the KVKK and other relevant
laws,
- To object to the emergence of a conclusion against the person
himself by analyzing the processed data exclusively through automated
systems,
- To request compensation for damages if personal data is damaged due
to unlawful processing.
For the cases that are excluded from the scope of the
KVKK listed below, the relevant persons cannot assert their rights mentioned
above in these matters, and therefore the Company is not under any obligation
to fulfill the requests submitted within this scope:
- Personal data is processed for the purpose of official statistics
and for research, planning, and statistical purposes after having been anonymized.
- Personal data is processed for artistic, historical, literary, or
scientific purposes, or within the scope of freedom of expression provided
that national defence, national security, public security, public order,
economic security, right to privacy, or personal rights are not violated
or they are processed so as not to constitute a crime.
- Personal data is processed within the scope of preventive,
protective, and intelligence activities carried out by public institutions
and organizations duly authorized and assigned to maintain national
defence, national security, public security, public order, or economic
security.
- Personal data is processed by judicial authorities or execution
authorities with regard to the investigation, prosecution, criminal proceedings,
or execution proceedings.
Under the KVKK, the persons concerned cannot assert their
other rights in the following cases, except for the right to demand
compensation for the damage in the following cases:
- The processing of personal data is necessary for the prevention of
a crime or criminal investigation.
- Processing of personal data made public by the personal data
subject himself.
- The processing of personal data is required by authorized public
institutions and organizations, as well as professional organizations of a
public institution nature, based on the authority granted by law, for the
performance of supervisory or regulatory duties, as well as for
disciplinary investigation or prosecution.
- The processing of personal data is necessary for the protection of
the economic and financial interests of the State concerning budgetary,
tax, and financial issues.
Personal data subjects can submit their requests
regarding the aforementioned rights by filling out the form which can be found
at the Company's official internet address www.oktayinsaat.com.tr, in full and
signing it with a wet-ink signature, and sending it to the address Gayrettepe
Mah., Barbaros Bulvarı Pınar Apt., No: 163/10 Beşiktaş / Istanbul, Turkey;
together with a registered and reply paid letter and copies of identity card
(only a front-facing copy for the identity card). In order for a person other
than the personal data subject to make a request, there must be a special power
of attorney issued by the personal data subject on behalf of the person who
will submit the request.
Duly submitted requests to the Company will be finalized
no later than thirty days. If the conclusion of these requests also requires a
cost, the applicant will be charged by the Company at the tariff established by
the Board.
The company may request additional information to
determine whether the person who made the request is the personal data subject,
and may pose questions to the data subject in order to clarify the issues
stated in the requisition, the owner can ask the questions on the application
of personal data.
9)
Confidentiality of the Operations
Personal data are subject to confidentiality. Employees
are prohibited from collecting, processing, or using data without permission.
Unauthorized use is an unauthorized data processing that employees perform
outside their legitimate duties. Employees can access personal data only if it
corresponds to the scope and nature of the task in question.
Employees are prohibited from using personal data for
private or commercial purposes, distributing it to unauthorized persons, or
making it accessible through different means. Managers should inform their
employees about the obligations related to data protection at the beginning
time of the employment relationship. This obligation continues also after the
termination of the employment relationship.
10) Operation
Security
The Company takes necessary measures and controls of
processed personal data, to prevent illegitimate data processing, prevent
illegitimate access to the data, and provide protection of the data and the
Company does inspections or provides inspections in this scope. This applies
regardless of whether the data processing is done electronically or in writing.
Especially before starting new methods of data processing in the transition to
new IT systems, technical and organizational measures for the protection of
personal data are defined and implemented. These measures are based on the
latest developments, the risks of the operation, and the need to protect the
data, determined by the information classification process. Technical and
organizational measures related to the protection of personal data are part of
the Company's information security management and are constantly being adapted
to technical developments and organizational changes.
11) Data
Protection Control
Compliance with the Personal Data Protection and
Processing Policy and KVKK is ensured by regular data protection inspections
and other controls. The company conducts or makes conducted the necessary
inspections within its system.
12) Data
Breaches Method
The Company operates this Personal Data Protection and
Processing Policy or a system that ensures that if personal data processed
under the KVKK is obtained by others through illegitimate means, it will be
notified to the relevant person and the Board as soon as possible. If deemed
necessary by the Board, this situation may be announced on the Board's website
or by any other means.
13) Definitions
- If no one can trace the personal data or if the personal identity
can be recreated at an unreasonable time, expense, and labor force, the
data is considered anonymized.
- Data breaches are incidents in which there are justified suspicions
of illegitimate seizure, collection, modification, copying, distribution,
or use of personal data. This may concern third parties and persons.
- A contact person is a natural person whose personal data has been
processed.
- Sensitive data are data on race and ethnic origin, political
opinion, religion, philosophical belief, sects or other beliefs, clothing,
association or union membership, health, sexual life, criminal convictions
and security measures, and biometric and genetic data.
- Personal data is any kind of information that determines the
identity of a real person or makes his/her identity identifiable. A person
can be identified, for example, if his/her personal relationship can be
determined using a combination of information, even with possible
additional information.
- Processing of personal data is any operation performed upon
personal data such as collection, recording, storage, retention,
alteration, re-organization, disclosure, transferring, taking over, making
retrievable, classification, or preventing the use thereof, fully or
partially through automatic means or provided that the process is a part
of any data registry system, through non-automatic means.
14) Privacy And
Consent
Your personal information will be used only for the
requirements of the service, to access personal information about you, or to
contact you. This information will not be shared with third parties or
published anywhere. Automatically Recorded Information (non-personal data) When
you enter the website, general non-personal information (Internet Browser used,
number of visitors, average time spent on site, pages viewed) is saved
automatically (as separate from membership registration). This information is
used to improve the overall quality of our site. Your information is not
further processed and it is not transmitted to third parties. In this sense,
please note that with your mentioned approval, you are approving the
processing, the use and sharing limited to the processing purpose in the scope
of the related period, storing for the necessary period of your sensitive
personal data (telephone, e-mail, address, and your other contact information)
by Oktay İnşaat Tur.İşl.San.ve Tic.A.Ş group companies, subsidiaries, and
affiliates, in accordance with the related provisions of the Law on the
Protection of Personal Data No. 6698 (“KVKK”), and approving to be contacted as
subject to activities in the scope of the electronic commerce legislation by
means of SMS, e-mail, and call. You also approve that the necessary
clarification was made to you in this regard, that you have read and understood
this text.
15) Scope
This Policy and all approvals and permissions within the
policy are applied to Oktay İnşaat Tur.İşl.San.ve Tic.A.Ş group companies,
subsidiaries, and affiliates, and these data may be processed by all of these
companies and are considered electronic commerce activities in the determined
scope.
Commercial Title: Oktay İnşaat Tur.İşl.San.ve Tic.A.Ş
Address: Gayrettepe Mah. Barbaros Bulvarı, Pınar Apt. No:
163/10 Beşiktaş / İstanbul
Central Registration System Number: 0638-0281-8210-0010
Telephone: +90 212 272 21 36
E-mail:
info@oktayinsaat.com.tr
Registered
E-mail Address: oktayinsaaturizm@hs01.kep.tr