GDPR Compliance
PROTECTION AND PROCESSING OF PERSONAL DATA
ABOUT
Keyifli İsler Gida Turizm İç ve Dış Ticaret AŞ. (“Company”); It collects and processes the personal data of you that you have shared or that we have obtained during your visit to our website, if you register for our e-bulletins via the website at https://www.wannawell.com/ owned by us .
The Company is deemed to be the “Data Controller” in terms of the personal data it processes in accordance with the Law on the Protection of Personal Data No. 6698 and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation of Clarification, and attaches importance to the security of the personal data collected.
- Processed Personal Data, Purposes of Processing and Legal Reason for Processing
By simply entering your e-mail address via our website, you can request that our newsletter be sent to your regular e-mail address with an “e-newsletter subscription”. If you send us your e-mail address via our website or your personal data that we obtain during your visit to our website, only with your explicit consent or in the presence of one of the conditions of compliance with the law specified in Article 5/2 of the KVKK, without your explicit consent, it is limited to the personal data processing purposes specified in the table below. is processed.
| Data Category | Personal Data Processing Purpose | Legal Reason for Personal Data Processing |
|---|---|---|
| Contact (Electronic Mail Address) | Sending the “e-bulletin” to be organized by our company at regular intervals, informing you about the campaigns upon request and with your explicit consent, Realizing our communication within the scope of the promotion of our products and our Company, conducting advertising, promotion and marketing processes, Planning and executing corporate communication activities, Accurate and up-to-date data ensuring that | Based on the legal reason that the personal data of the parties of the contract must be processed, provided that it is directly related to the establishment or performance of a contract, the personal data obtained through the website, within the framework of the “e-bulletin” membership, “preference information regarding campaign and announcement notifications” collects on the basis of express consent. |
| IP Address and Log Record | Since our company is the hosting provider of the website, log records of your access and log records regarding your use of the website and preference information regarding campaign and announcement notifications in case of your express consent. | Being obligatory to fulfill our legal obligation. |
2. To Whom The Processed Personal Data Can Be Transferred And For What Purpose
Your collected personal data; may only be shared with the following group of recipients for the above-mentioned purposes:
● Our Group Companies,
● Our Business Partners,
● Affiliates and subsidiaries,
● Suppliers,
● Authorized public institutions and organizations.
3. Transfer of Processed Personal Data Abroad
Due to the fact that the mail extensions (Gmail, Yahoo, Hotmail, Yandex, Outlook, etc.) used by companies and individuals are foreign extensions and data storage centers are established abroad;
● sending or receiving your personal data via an E-Mail;
● or keeping data in overseas storage centers (eg Google or Amazon data storage centres),
Such activities are defined as data transfer abroad according to the Personal Data Protection Law (“Law”). The article of the Law regarding the conditions for transferring personal data abroad is as follows:
Transfer of personal data abroad
ARTICLE 9-
(1) Personal data cannot be transferred abroad without the explicit consent of the person concerned.
(2) Personal data, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6, and in the foreign country to which the personal data will be transferred;
a) The availability of adequate protection,
b) In the absence of sufficient protection, it can be transferred abroad without the explicit consent of the data subject, provided that the data controllers in Turkey and in the relevant foreign country undertake to provide adequate protection in writing and that the Board has permission.
The Company may transfer your personal data to third-party service providers such as Google Analytics, HubSpot, as reasonably necessary and in accordance with its purpose, for regulatory purposes and to provide services.
Since the current legislation has not yet declared a country with adequate protection and it is not possible to make a commitment with large mail companies or data storage companies, the transfer of your personal data abroad within the scope specified above and limited to the stated purposes is only possible if you have your Express Consent. Express consent can be withdrawn at any time.
4. Method and Legal Reason for Collecting Personal Data
Personal data provided by you in physical and digital media and processed for the purposes listed above are collected by automatic methods.
Collected personal data is kept in company and group companies e-mail archives, file storage server, ERP system server and user backups.
Your personal data, which we process for the above-mentioned purposes, are collected electronically. Your personal data is processed for the following legal reasons, and your explicit consent is sought when required by law:
● It is clearly stipulated in the laws,
● It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of the contract,
● It is compulsory in order to fulfill our legal obligation,
● The person concerned has been made public by himself,
● Data processing is mandatory for the establishment, exercise or protection of a right,
● It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,
● Explicit consent of the person concerned
5. Rights of the Relevant Person
As the relevant person, by applying to us, about yourself;
● Learning whether personal data is processed or not,
● If personal data has been processed, requesting information about it,
● Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
● Knowing the third parties to whom personal data is transferred at home or abroad,
● Requesting correction of personal data in case of incomplete or incorrect processing,
● Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear within the framework of Article 7 of the KVKK,
● Requesting notification to third parties to whom personal data has been transferred, that if personal data is incomplete or incorrectly processed, they are corrected or that personal data is deleted or destroyed within the scope of Article 7 of the KVKK,
● Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
● We inform you that you have the right to demand the compensation of the damage in case of loss due to unlawful processing of personal data.
In accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller”, through the “Application Form” in the link; in writing and with wet signature, “Maslak Mahallesi Ahi Evren Cad. Nazmi Akbac Trade Center No: 245 Sariyer / ISTANBUL “address may transmit the obtained personally, notary or through the [email protected] the caps address the secure electronic signature / as mobile signature can send your query or [email protected] My e-mail address before You can send it via your e-mail address notified and registered in the Company system.
The Company will conclude your requests within this scope free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request, and will deliver them to you in writing or electronically.
However, you can always notify your requests for changes and/or updates regarding your personal data via the same communication channels.
KVKK Personal Data Processing and Protection Policy
1.1. Login
Pleasant Jobs Tourism Food Health Construction Internal and Foreign Trade. Inc. (“Company”); In order to fulfill the obligation of disclosure within the scope of Article 10 of the Law in order to legally process and protect personal data in accordance with the Law on the Protection of Personal Data No. 6698 (“Law”), and to inform all administrative and technical measures we have taken within the scope of processing and protection of personal data, We present the Data Processing and Protection Policy (“Policy”) to your information.
1.2. Purpose of the Policy
The main purpose of this Policy is to make explanations about the systems for the processing and protection of personal data in accordance with the law and the purpose of the Law, in this context, personal data, especially our Company Business Partners, Employee Candidates, Visitors, Company Customers and Third Parties. to inform the persons whose data is processed by our Company. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all the rights of personal data owners arising from the legislation regarding personal data.
1.3. Scope of the Policy and Personal Data Owners
This Policy; It has been prepared for persons whose personal data are processed by our Company, especially our Company Business Partners, Employee Candidates, Visitors, Customers and Third Parties, automatically or by non-automatic means provided that they are part of any data recording system and within the scope of these specified persons. will be applied. This Policy will in no way apply to legal entities and legal entity data.
Our company informs the Personal Data Owners about the Law by publishing this Policy on its website. For the employees of our company, the Personal Data Processing Policy for Employees will be applied. This Policy will not be applied if the data is not included in the scope of “Personal Data” within the scope specified below or the Personal Data processing activity carried out by our Company is not carried out in the above-mentioned ways.
In this context, the personal data owners within the scope of this Policy are as follows:
| Company Natural Person Partner | : | They are real persons with whom the Company has any business relationship. |
| Stakeholder, Official, Employee of Company Business Partners | : | Employees of real and legal persons (such as business partners, suppliers, etc.) with whom the Company has any business relationship, including their Stakeholders and officials. |
| Company official | : | They are the authorized real persons of the Company. |
| Employee Candidate | : | They are real persons who have applied for a job to the Company by any means or have opened their CV and related information to the Company’s review. |
| Company Customer | : | They are real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company. |
| Visitor | : | They are all natural persons who enter the physical premises of the Company for various purposes or visit the websites for any purpose. |
| Third Party | : | They are other natural persons who are not included in the scope of the Personal Data Protection and Processing Policy prepared for Company Employees and in any personal data owner category in this Policy. |
1.4. Definitions
The terms used in this Policy have the following meanings:
| Company/ Our Company | : | Pleasant Jobs Tourism Food Health Construction Internal and Foreign Trade. A.Ş. |
| Personal Data/Data | : | Any information relating to an identified or identifiable natural person. |
| Special Qualified Personal Data/Data | : | Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. |
| Processing of Personal Data | : | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using Personal Data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. It is any operation performed on data such as blocking. |
| Personal Data Owner/Relevant Person | : | Company Stakeholders, Company Business Partners, Company Officials, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers, Third Parties and persons whose personal data are processed by the company. |
| Data Recording System | : | It refers to the registration request in which personal data is structured and processed according to certain criteria. |
| Data Controller | : | It is the natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system. |
| Data Processor | : | It is the natural and legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
| Open Consent | : | It is the consent of a particular subject, based on information and expressed with free will. |
| Anonymization | : | It is to render the data previously associated with a person incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
| Law | : | Refers to the Law on Protection of Personal Data No. 6698. |
| KVK Board | : | It is the Personal Data Protection Board. |
1.5. Enforcement of the Policy
This Policy, which has been issued and entered into force by the Company, is published on the Company’s website with the address https://wannawell.com/tr/ and is made available to the relevant persons upon the request of the Personal Data Owners.
PROCESSING AND TRANSFERRING PERSONAL DATA
2.1. General Principles in the Processing of Personal Data
Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts with the following principles when processing Personal Data:
● Personal Data is processed in accordance with the relevant legal rules and the requirements of the rule of good faith.
● Personal Data is ensured to be accurate and up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered.
● Personal Data; processed for specific, explicit and legitimate purposes. Being legitimate means that the Personal Data processed by the Company is related to and necessary for the work it does or the service it provides.
● Personal Data is related to the purpose in order to achieve the purposes determined by the Company, and the processing of Personal Data that is not related to the realization of the purpose or is not needed is avoided. It limits the processed data only to what is necessary to achieve the purpose. Personal Data processed in this context are related, limited and measured for the purpose for which they are processed.
● If there is a period foreseen for data storage in the relevant legislation, it complies with these periods; otherwise, it retains Personal Data only for as long as is necessary for the purpose for which they are processed. In the event that there is no valid reason for further preservation of Personal Data, the said data is deleted, destroyed or anonymized.
2.2. Personal Data Processing Conditions
The Company does not process Personal Data without the explicit consent of the data owner. In the presence of one of the following conditions, Personal Data may be processed without seeking the explicit consent of the data owner.
● The Company may process the Personal Data of Personal Data Owners in cases expressly stipulated in the law, even if there is no explicit consent. For example; In accordance with Article 230 of the Tax Procedure Law, the explicit consent of the person concerned will not be sought for the name of the person concerned to be included on the invoice.
● Personal Data may be processed without explicit consent in order to protect the life or physical integrity of the person or another person who are unable to express their consent or whose consent cannot be validated due to actual impossibility. For example, in a situation where the person’s consent is not valid due to unconsciousness or mental illness, the Personal Data of the Personal Data Owner may be processed during medical intervention in order to protect the integrity of life or body. In this context, data such as blood type, diseases and surgeries, and medications used can be processed through the relevant health system.
● Personal Data of the parties to the contract can be processed, provided that it is directly related to the establishment or performance of a contract by the Company. For example, according to a signed contract, the account number of the creditor can be obtained for the payment of money.
● The Company may process the Personal Data of the Personal Data Owners if it is necessary to fulfill its legal obligations as a data controller.
● Personal Data made public by the Personal Data Owners by the Company, in other words, disclosed to the public in any way, may be processed because the legal benefit to be protected is no longer valid.
● The Company may process the Personal Data of the Personal Data Owners without seeking explicit consent, in cases where data processing is necessary for the exercise or protection of a legally legitimate right.
● The Company may process the Personal Data of the Personal Data Owners in cases where it is necessary to process the Personal Data in order to ensure their legitimate interests, provided that the fundamental rights and freedoms of the Personal Data Owners are protected under the Law and Policy. The Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of the Personal Data Owners.
2.3. Conditions of Processing of Special Quality Personal Data
The Company does not process Sensitive Personal Data without the explicit consent of the person concerned. Personal Data related to health and sexual life are only processed by the Company for the purposes of protecting public health, performing preventive medicine, medical diagnosis and treatment and care services, planning and managing health services and financing, without seeking the explicit consent of the person concerned, under the conditions under which we are under a confidentiality obligation. The Company carries out the necessary actions to take adequate measures determined by the Board in the processing of Private Personal Data.
2.4. Terms of Transfer of Personal Data
Our company may transfer Personal Data of Personal Data Owners and Private Personal Data to third parties in accordance with the Law by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Our company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, our Company may transfer Personal Data to third parties, based on and limited to one or more of the Personal Data processing conditions specified in Article 5 of the Law, for legitimate and lawful Personal Data processing purposes:
● If there is express consent of the Personal Data owner;
● If there is a clear regulation in the law regarding the transfer of Personal Data, if it is necessary for the protection of the life or physical integrity of the Personal Data owner or someone else, and
● If the Personal Data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not legally valid,
● If it is necessary to transfer the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
● If Personal Data transfer is mandatory for our company to fulfill its legal obligation,
● If the Personal Data has been made public by the Personal Data owner,
● If Personal Data transfer is necessary for the establishment, use or protection of a right,
● Personal Data may be transferred if it is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data owner.
2.5. Terms of Transfer of Special Quality Personal Data
The company, by showing due diligence, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board; In accordance with the legitimate and lawful Personal Data processing purposes, it may transfer the Personal Data of the Personal Data Owner to third parties in the following cases.
- In case of explicit consent of the Personal Data Owner, or
- In the presence of the following conditions, without seeking the explicit consent of the Personal Data Owner;
● Sensitive Personal Data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and dress, association, foundation or union membership, criminal conviction) excluding the health and sexual life of the Personal Data Owner. and security measures, and biometric and genetic data), in cases stipulated by law,
● Persons who are under the obligation to keep the Personal Data of the Personal Data Owner confidential for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. or by authorized institutions and organizations.
PURPOSE OF PROCESSING AND TRANSFERRING PERSONAL DATA, PERSONS TO BE TRANSFERRED
3.1. Purposes of Processing and Transferring Personal Data
Personal Data; in accordance with the law and the purpose of the Law,
• Management of Emergency Processes
• Execution of Information Security Processes
• Execution of Employee Candidate, Intern, Student Selection and Placement Processes
• Execution of Application Processes of Employee Candidates,
• Execution of Obligations Arising from Employment Contracts and Legislation for Employees
• Execution of Benefits and Benefits Processes for Employees
• Execution of Training Activities
• Execution of Access Authorizations
• Execution of Activities in Compliance with the Legislation
• Ensuring Physical Space Security
• Execution of Company/Product/Services Loyalty Processes
• Execution of Finance and Accounting Affairs
• Execution of Assignment Processes
• Follow-up and Execution of Legal Affairs
• Execution of Communication Activities
• Execution / Supervision of Business Activities
• Execution of Occupational Health and Safety Activities
• Execution of Business Continuity Ensuring Activities,
• Planning of Human Resources Processes
• Execution of Goods / Services Procurement Processes
• Execution of Goods / Services After-Sales Support Services
• Execution of Goods / Services Sales Processes
• Execution of Goods / Services Production and Operation Processes
• Execution of Customer Relationship Management Processes
• Execution of Activities for Customer Satisfaction,
• Organization and Event Management,
• Execution of Marketing Analysis Studies
• Execution of Performance Evaluation Processes
• Execution of Advertising / Campaign / Promotion Processes,
• Execution of Storage and Archive Activities
• Execution of Contract Processes
• Follow-up of Requests and Complaints
• Execution of Supply Chain Management Processes
• Execution of Marketing Processes of Products and Services,
• Providing Information to Authorized Persons, Institutions and Organizations,
• Management of Management Activities
It is processed within the scope of personal data processing conditions specified in Articles 5 and 6 of the Law, limited to its purposes. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated in the Law, your explicit consent is obtained by the Company regarding the relevant processing process.
3.2. Persons to whom Personal Data will be Transferred
Personal Data can be shared with our business and solution partners, banks and third parties who perform technical, logistics and other similar transactions on our behalf, in order to ensure that the services offered to you are complete and flawless, and only to the extent appropriate with the nature of the service. These third parties consist of persons who are obliged to have access to the relevant information in order to provide the relevant services completely and perfectly.
Apart from these, your Personal Data is also required in cases where data has to be shared with other third parties in order to provide the service fully and flawlessly, if it is necessary for the Company to fulfill its legal obligations, if it is expressly stipulated in the laws or if there is a judicial/administrative order given in accordance with the law. be transferred only to the person or institution concerned.
METHOD OF COLLECTION AND LEGAL REASON OF PERSONAL DATA, DELETING, DESTROYING AND MAKING ANNOUNCEMENT AND STORAGE PERIOD
4.1. Method and Legal Reason for Personal Data Collection
For the purpose of auditing compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates the scope of the Law, Personal Data; in all kinds of verbal, written, electronic media; Fulfilling the responsibilities arising from the law completely and accurately within the framework of legal reasons based on legislation, contract, demand and request in order to realize the purposes stated in the Policy, through technical and other methods, through various means such as company workplace, dealer, Company website, mobile application. and processed by the Company or data processors appointed by the Company.
4.2. Deletion, Destruction or Anonymization of Personal Data
Without prejudice to the provisions in other laws regarding the deletion, destruction or anonymization of Personal Data, although the Company has processed it in accordance with the provisions of this Law and other laws, in the event that the reasons for its processing disappear, ex officio or the data owner. deletes, destroys or anonymizes upon request. With the deletion of Personal Data, these data are destroyed in such a way that they cannot be used again in any way and cannot be restored. Accordingly, Personal Data is deleted from the tools such as documents, files, CDs, floppy disks, hard disks in which they are registered, in a way that cannot be recycled. Destruction of Personal Data, on the other hand, means the destruction of materials suitable for data storage such as documents, files, CDs, floppy disks, hard disks, in which the data is recorded, so that the information cannot be retrieved or used again. By anonymizing data, it is meant that Personal Data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.
4.3. Retention Period of Personal Data
The Company stores Personal Data for the period specified in this legislation, if it is stipulated in the legislation. If a period of time is not regulated in the legislation regarding how long personal data should be kept, Personal Data is processed for a period of time that requires it to be processed in accordance with the Company’s practices and commercial life practices, depending on the activity carried out while processing that data, and then deleted, destroyed or anonymized. is brought.
The purpose of processing personal data has ended; if the storage periods determined by the relevant legislation and the Company have also come to an end; Personal data can only be stored to provide evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. Despite the expiry of the statute of limitations and the statute of limitations for asserting the right mentioned in the establishment of the periods herein, retention periods are determined based on the examples previously submitted to the Company on the same issues. In this case, the stored personal data is not accessed for any other purpose, and only when necessary to use it in the relevant legal dispute, access to the relevant personal data is provided. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.
Detailed regulations on Company techniques regarding the storage, deletion, destruction and anonymization of Personal Data are included in the Company’s Personal Data Retention and Destruction Policy.
MATTERS REGARDING THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the Personal Data it processes, to prevent illegal access to the data and to ensure the preservation of the data, and in this context, the necessary audits doing or making.
5.1. Ensuring the Security of Personal Data
5.1.1. Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data
The Company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that Personal Data is processed in accordance with the law.
Technical Measures Taken to Ensure Legal Processing of Personal Data
The main technical measures taken by the Company to ensure the legal processing of Personal Data are listed below:
● Personal Data processing activities carried out within the company are audited by established technical systems.
● The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
● Personnel knowledgeable in technical matters are employed/advised.
Administrative Measures Taken to Ensure Legal Processing of Personal Data
The main administrative measures taken by the Company to ensure the legal processing of Personal Data are listed below:
● Employees are informed and trained about the law on the protection of Personal Data and the legal processing of Personal Data.
● Personal Data processing activities carried out by the Company’s business units; The requirements to be fulfilled in order to ensure that these activities comply with the Personal Data processing requirements sought by the Law are determined by each business unit and the detailed activity it carries out.
● In order to meet the legal compliance requirements determined on the basis of the business unit, awareness is created for the relevant business units and implementation rules are determined; Necessary administrative measures are implemented through in-house policies and trainings to ensure the supervision of these issues and the continuity of implementation.
● In the contracts and documents governing the legal relationship between the Company and the employees, except for the Company’s instructions and the exceptions brought by the law, records that impose the obligation not to process, disclose or use Personal Data are created, awareness of the employees is created in this regard, and obligations arising from the Law are carried out by conducting audits. is fulfilled.
5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the reckless or unauthorized disclosure, access, transfer or any other unlawful access to Personal Data.
Technical Measures Taken to Prevent Unlawful Access to Personal Data
The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:
● Technical measures are taken in line with the developments in technology, the measures taken are periodically updated and renewed.
● Access and authorization technical solutions are put into use in accordance with the legal compliance requirements determined on the basis of the business unit.
● Access authorizations are limited and authorizations are reviewed regularly.
● The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, the issues posing a risk are reevaluated and the necessary technological solution is produced.
● Software and hardware including virus protection systems and firewalls are installed.
● Personnel knowledgeable in technical matters are employed/advised.
● Regular security scans are made to detect security vulnerabilities in applications where Personal Data is collected. The vulnerabilities found are closed.
Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:
● Employees are trained on technical measures to be taken to prevent unlawful access to Personal Data.
● Personal Data access and authorization processes are designed and implemented within the Company in accordance with the legal compliance requirements for the processing of Personal Data on a business unit basis.
● Employees are informed that they cannot disclose the Personal Data they have learned to others in violation of the provisions of the Law and that they cannot use it for purposes other than processing, and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.
● Contracts concluded by the Company with the persons to whom Personal Data is transferred in accordance with the law; Provisions are added that the persons to whom Personal Data are transferred will take the necessary security measures for the protection of Personal Data and ensure that these measures are complied with in their own organizations.
5.1.3. Storing Personal Data in Secure Environments
The Company takes the necessary technical and administrative measures according to the technological possibilities and implementation cost in order to keep the Personal Data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.
Technical Measures Taken for Storing Personal Data in Secure Environments
The main technical measures taken by the Company to store Personal Data in secure environments are listed below:
● Systems suitable for technological developments are used to store Personal Data in secure environments.
● Specialized personnel are employed/consulting on technical issues.
● Technical security systems for storage areas are established, security tests and research are carried out to detect security vulnerabilities on information systems, existing or potential risky issues identified as a result of the tests and researches are eliminated.
● Legal backup programs are used to ensure that Personal Data is kept securely.
● Access to the data is restricted to the environments where Personal Data is kept, and only authorized persons are allowed to access this data limited to the purpose of storing personal data. Accesses to the data storage areas where Personal Data are stored are logged and inappropriate accesses or access attempts are instantly communicated to the relevant persons.
Administrative Measures to Keep Personal Data in Secure Environments
The main administrative measures taken by the Company to store Personal Data in secure environments are listed below:
● Employees are trained to ensure that Personal Data is kept securely.
● Legal and technical consultancy services are obtained in order to follow the developments in the fields of information security, privacy and protection of personal data and to take necessary actions.
● In the event that an external service is received by the Company due to technical requirements regarding the storage of Personal Data, the contracts concluded with the relevant companies to which the Personal Data are transferred in accordance with the law; Provisions are included that the persons to whom Personal Data are transferred will take the necessary security measures for the protection of Personal Data and that these measures will be complied with in their own organizations.
5.1.4. Supervision of the Measures Taken for the Protection of Personal Data
In accordance with Article 12 of the Law, the Company carries out or has had the necessary inspections done within its own body. The results of these audits are reported to the relevant department within the scope of the internal operation of the Company and necessary activities are carried out to improve the measures taken.
5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
The Company operates the system that ensures that the Personal Data processed in accordance with Article 12 of the Law are obtained by others unlawfully, and this situation is reported to the relevant Personal Data Owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this situation may be announced on the website of the KVK Board or by any other method.
5.2. Observing the Legal Rights of Personal Data Owners
The Company observes all legal rights of Personal Data Owners through the implementation of the Policy and Law and takes all necessary measures to protect these rights. Detailed information on the rights of Personal Data Owners is given in the sixth section of this Policy.
5.3. Protection of Private Personal Data
The Company pays maximum attention to the protection of special quality Personal Data, which is determined as “special quality” by the law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are also implemented with the utmost care in terms of Special Quality Personal Data, and the necessary audits are provided within the Company in this regard.
RIGHTS OF PERSONAL DATA OWNER, USE AND ASSESSMENT OF RIGHTS
6.1. Disclosure of Personal Data Owner
The Company informs the Personal Data Owners during the acquisition of the Personal Data in accordance with Article 10 of the Law. In this context, if any, it clarifies the identity of the Company representative, the purpose for which the Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method of collecting Personal Data and the legal reason, and the rights of the Personal Data Owner.
6.2. Rights of the Personal Data Owner in accordance with the KVK Law
The Company informs you of your rights in accordance with Article 10 of the Law; It provides guidance on how to exercise these rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. The Company, in accordance with Article 11 of the Law, to the persons whose Personal Data is received;
● Learning whether Personal Data is processed or not,
● If Personal Data has been processed, requesting information about it,
● Learning the purpose of processing Personal Data and whether they are used in accordance with its purpose,
● Knowing the third parties to whom Personal Data is transferred in the country or abroad,
● Requesting correction of Personal Data if it is incomplete or incorrectly processed,
● Requesting the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
● Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law to third parties to whom personal data has been transferred,
● Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
● Requesting the compensation of the damage in case of loss due to the illegal processing of Personal Data,
explains that they have rights.
6.3. Circumstances in which the Personal Data Owner cannot assert his rights
Since the following cases are excluded from the scope of the Law pursuant to Article 28 of the Law, Personal Data Owners cannot claim their rights listed in article (6.2.) of this Policy in the following cases:
● Processing of Personal Data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
● Processing of Personal Data for purposes such as research, planning and statistics by anonymizing them with official statistics.
● Processing of Personal Data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
● Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
● Processing of Personal Data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to article 28/2 of the Law; In the cases listed below, Personal Data Owners cannot claim their rights listed in article (6.2.) of this Policy, except for the right to demand the compensation of the damage:
● The processing of Personal Data is necessary for crime prevention or criminal investigation.
● Processing of personal data made public by the Personal Data Owner.
● The processing of Personal Data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
● The processing of Personal Data is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters.
6.4. Exercise of Personal Data Owner’s Rights
Personal Data Owners’ requests regarding their rights listed in article (6.2.) of this Policy; with the information and documents that will determine their identities and with the methods specified or other methods determined by the KVK Board; Via the “Application Form” in the link, the Company address, “Maslak Mahallesi Ahi Evren Cad. Nazmi Akbacı Ticaret Merkezi No: 245 Sarıyer/ISTANBUL” by hand, via a notary public or with a secure electronic signature/mobile signature to the address [email protected], or to the [email protected] e-mail address, to us for further information. via the e-mail address previously notified and registered in the Company system. The Company will conclude your requests within this scope free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request, and will deliver them to you in writing or electronically.
6.5. The Company reserves the right to make changes in this Personal Data Processing and Protection Policy or Personal Data Retention and Disposal Policy in line with the changes made in the Law, in accordance with the decisions of the Institution or in line with the developments in the sector or in the field of informatics.
Changes made in this Personal Data Processing and Protection Policy are immediately processed in the text and explanations regarding the changes are announced at the end of the policy.
Signature :
KVKK Personal Data Retention and Destruction Policy
- PURPOSE OF THE DISPOSAL POLICY
Our destruction policy is Pleasant Jobs Tourism Food Health Construction İç ve Dış Tic. Inc. (the “Company”), the personal data we hold in the capacity of data controller, has been prepared in order to determine the procedures and principles to be applied by the Company regarding the deletion, destruction or anonymization of personal data in accordance with the Law on Protection of Personal Data No. 6698 and other legislation.
In this context, the personal data of our employees, employee candidates, customers and all real persons who have personal data at the Company for any reason are managed in accordance with the laws within the framework of the Personal Data Processing and Protection Policy and this Personal Data Storage and Disposal Policy.
A.1. DEFINITIONS
| Direct identifiers | : | identifiers that, by themselves, directly reveal, disclose and distinguish the person with whom they are in a relationship, |
| Indirect identifiers | : | Identifiers that come together with other identifiers, revealing, disclosing and making distinguishable the person they are in a relationship with, |
| Related person | : | The real person whose personal data is processed, |
| Destruction | : | Deletion, destruction or anonymization of personal data, |
| Law | : | Law on Protection of Personal Data No. 6698 published in the Official Gazette dated 07.04.2016 and numbered 29677, |
| regulation | : | Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224 |
| Board | : | Personal Data Protection Board |
| recording media | : | Any environment where personal data is processed wholly or partially automatically or by non-automatic means, provided that it is a part of any data recording system, |
| Personal Data Processing and Protection Policy | : | The policy, which can be accessed at the ” https://wannawell.com/tr/ ” web address, which determines the procedures and principles regarding the management of personal data held by the Company, |
| data logging system | : | The registration system in which personal data is processed and structured according to certain criteria, |
means.
- ENVIRONMENTS AND SAFETY PRECAUTIONS
B.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
Personal data stored with the company are kept in a recording environment in accordance with the nature of the data and our legal obligations.
The recording media used for the storage of personal data are generally listed below. However, some data may be kept in a different environment than the ones shown here, due to their special qualities or our legal obligations. In any case, the Company acts as a data controller and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy and this Personal Data Retention and Disposal Policy.
| a) Printed media | : | They are media where data is kept by printing on paper or microfilms. |
| b) Local digital environments | : | Other digital media such as servers, fixed or portable disks, optical disks within the company. |
| c) Cloud environments | : | These are the environments where internet-based systems encrypted with cryptographic methods are used, which are not included in the Company but are used by the Company. |
B.2. SECURING ENVIRONMENTS
The Company takes all necessary technical and administrative measures in accordance with the characteristics of the relevant personal data and the environment in which it is kept, in order to keep personal data safe and to prevent unlawful processing and access. The measures taken include, but are not limited to, the following administrative and technical measures to the extent that they comply with the nature of the personal data and the environment in which it is kept.
B.2.1. Technical Measures
The Company takes the following technical measures in accordance with the characteristics of all environments where personal data is stored and the environment in which the data is kept:
● Only up-to-date and secure systems suitable for technological developments are used in environments where personal data is kept.
● Security systems are used for environments where personal data is kept.
● Security tests and research are carried out to detect security vulnerabilities on information systems, and existing or potential risky issues identified as a result of tests and research are eliminated.
● Access to the data is restricted to the environments where personal data is kept, and only authorized persons are allowed to access this data limited to the purpose of storing personal data, and all accesses are recorded.
B.2.2. Administrative Measures
The Company takes the following administrative measures in accordance with the characteristics of all environments where personal data is stored and the environment in which the data is kept:
● Efforts are made to raise awareness and raise awareness of all Company employees who have access to personal data on information security, personal data and privacy.
● Legal and technical consultancy services are obtained in order to follow the developments in the fields of information security, privacy and protection of personal data and to take necessary actions.
● In the event that personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.
B.2.3. Internal Audit
In accordance with Article 12 of the Law, the Company conducts internal audits regarding the implementation of the provisions of the Law and the provisions of this Personal Data Retention and Disposal Policy and Personal Data Processing and Protection Policy. If deficiencies or defects regarding the implementation of these provisions are detected as a result of internal audits, these deficiencies or faults are immediately corrected. If, during the audit or otherwise, it is understood that the personal data that is under the responsibility of the Company has been obtained illegally by others, the Company will notify the relevant person and the Board as soon as possible.
SECTION C: DISPOSAL OF PERSONAL DATA
C.1. REASONS FOR STORAGE AND DISPOSAL
C.1.1. Reasons for Storage
Personal data held within the company are stored in accordance with the Law and our Personal Data Policy ( you can access the relevant policy at the website “ https://wannawell.com/tr/ ”), for the purposes and reasons stated here.
C.1.2. Reasons for Disposal
Personal data within the company are deleted, destroyed or anonymized ex officio in accordance with this destruction policy, upon the request of the person concerned or in case the reasons listed in Articles 5 and 6 of the Law are eliminated.
The reasons listed in Articles 5 and 6 of the Law consist of the following:
- expressly stipulated in the law
- It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid.
- It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract
- Obligatory for the data controller to fulfill its legal obligation
- The person concerned has been made public by himself
- Data processing is mandatory for the establishment, exercise or protection of a right
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
C.2. DISPOSAL METHODS
The Company, in accordance with the Law and other legislation and the Policy on the Processing and Protection of Personal Data, may renew the personal data, upon the request of the person concerned or within the periods specified in this Personal Data Storage and Disposal Policy, in case the reasons requiring the processing of the data disappear you delete, destroy or anonymize.
The most used deletion, destruction and anonymization techniques by the company are listed below:
C.2.1.1 Methods of Deletion
| Deletion Methods for Personal Data Held in Printed Media | ||
| Blackout | : | Personal data in the printed media are deleted using the blackout method. The blackening process is done by cutting the personal data on the relevant document where possible, and making it invisible by using fixed ink in a way that it cannot be readable with technological solutions, in cases where it is not possible. |
| Deletion Methods for Personal Data Held in Cloud and Local Digital Environment | ||
| Secure deletion from software | : | Personal data kept in the cloud or local digital environments are deleted with a digital command, irrecoverably. Data deleted in this way cannot be accessed again. |
C.2.1.2 Methods of Extermination
| Destruction Methods for Personal Data Held in Printed Media | ||
| physical destruction | : | Documents kept in printed media are destroyed in a way that cannot be reassembled with document shredders. |
| Destruction Methods for Personal Data Held in Local Digital Environment | ||
| physical destruction | : | It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, incinerating, pulverizing, or passing through a metal grinder to optical or magnetic media. |
| De-magnetizing (degauss) | : | It is the process of unreadable corruption of the data on the magnetic media by exposing it to a high magnetic field. |
| overwrite | : | Random data consisting of 0s and 1s is written at least seven times on magnetic media and rewritable optical media, preventing reading and recovery of old data. |
| Destruction Methods for Personal Data Held in the Cloud | ||
| Secure deletion from software | : | Personal data kept in the cloud is irrecoverably deleted by digital command, and when the cloud computing service relationship ends, all copies of encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again. |
C.2.1.3. Anonymization Methods
Anonymization is making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.
| Subtracting variables | : | It is the removal of one or more of the direct identifiers included in the personal data of the data subject and which will help to identify the person concerned in any way. This method can be used to anonymize personal data, or it can also be used for deletion of personal data if there is information that is not suitable for the purpose of data processing. |
| Regional hiding | : | It is the process of deleting the information that may be distinctive about the exceptional data in the data table in which the personal data is collected in an anonymous form. |
| Generalization | : | It is the process of bringing together the personal data of many people and turning them into statistical data by removing their distinctive information. |
| Lower and upper bound coding / Global coding | : | For a certain variable, the ranges of that variable are defined and categorized. If the variable does not contain a numeric value, then close data in the variable are categorized. Values within the same category are combined. |
| Micro-joining | : | With this method, all the records in the data set are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, by taking the average of the value of each subset of the determined variable, the value of that variable of the subset is replaced with the mean value. In this way, since the indirect identifiers in the data will be corrupted, it is difficult to associate the data with the relevant person. |
| Data hashing and tampering | : | Direct or indirect identifiers in personal data are mixed with other values or their relationship with the person concerned is broken and they lose their descriptive qualities. |
<7div>
In order to anonymize personal data, the company uses one or more of these anonymization methods, depending on the nature of the data.
C.3. STORAGE AND DISPOSAL TIMES
C.3.1. Storage Times
| DATA OWNER | DATA CATEGORY | DATA STORAGE PERIOD |
| Employee, Shareholder, Intern, Supplier Employee, Supplier Official, Product or Service Purchaser, Potential Product and Service Buyer | ID | 10 years |
| Employee, Shareholder, Intern, Supplier Employee, Supplier Official, Product or Service Purchaser, Potential Product and Service Buyer | Contact | 10 years |
| Employee, Intern, Parent Guardian Representative | Personnel | 10 years |
| Employee, Trainee, Supplier Employee, Supplier Official, Product or Service Purchaser, Parent, Guardian Representative | Legal action | 10 years |
| Supplier Employee, Supplier Official, Product and Service User | Customer Transaction | 10 years |
| Employee, Intern, Visitor | Physical Space Security | 1 month |
| Employee, Trainee | Transaction Security | 3 years |
| Employee, Product or Service Recipient | finance | 10 years |
| Employee, Trainee | Professional experience | 10 years |
| Product or Service User, Visitor | Marketing | 10 years |
| Employee, Trainee | Audio and Audio Recordings | 10 years |
| Employee, Trainee | Health Information | 15 years |
| Employee, Shareholder, Intern, Product or Service User | Bank account information | 10 years |
| Employee, Trainee | Family Member and Relatives Information | 10 years |
| Employee, Shareholder Partner | Passport information | 10 years |
* If it has been issued for a longer period in accordance with the legislation or in accordance with the legislation, the statute of limitations, foreclosure period, retention periods, etc. If a longer period is foreseen for the storage period, the periods in the provisions of the legislation are considered as the maximum storage period.
C.3.2. Disposal Times
The Company deletes the personal data in the first periodical destruction process following the date of deletion, destruction or anonymization of the personal data for which it is responsible in accordance with the Law, the relevant legislation, the Personal Data Processing and Protection Policy and this Personal Data Retention and Disposal Policy. make it anonymous.
When the person concerned requests the deletion or destruction of his/her personal data by applying to the Company pursuant to Article 13 of the Law;
- If all the conditions for processing personal data have disappeared; The company deletes, destroys or anonymizes the personal data subject to the request with the appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request. In order for the Company to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the company informs the person concerned about the transaction.
- If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest.
C.4. PERIODIC DISPOSAL
In the event that all the conditions for the processing of personal data in the law are eliminated; The company deletes, destroys or anonymizes the personal data whose processing conditions have been eliminated, through a process to be carried out ex officio at repetitive intervals and specified in this Personal Data Retention and Disposal Policy. Periodic destruction processes repeat every 6 (six) months.
C.5. AUDIT OF LEGAL COMPLIANCE OF DISPOSAL
The Company carries out the destruction processes, which it performs ex officio, on request and in periodic destruction processes, in accordance with the Law, other legislation, the Policy on the Processing and Protection of Personal Data and this Personal Data Retention and Destruction Policy. The Company takes a number of administrative and technical measures to ensure that the destruction processes are carried out in accordance with these regulations.
C.5.1. Technical Measures
● The company maintains technical tools and equipment suitable for each disposal method in this policy.
● The company ensures the safety of the place where disposal operations are made.
● The company maintains access records of the people who destroyed it.
● The company employs competent and experienced personnel to carry out the destruction process or receives service from competent third parties when necessary.
C.5.2. Administrative Measures
● The company works to increase the awareness and raise awareness of its employees who will carry out the destruction process on information security, personal data and privacy.
● The Company receives legal and technical consultancy services to follow the developments in information security, privacy, protection of personal data and safe destruction techniques and to take necessary actions.
● In cases where the company has third parties do the destruction due to technical or legal requirements, it signs protocols with the relevant third parties for the protection of personal data, and takes all necessary care to ensure that the relevant third parties comply with their obligations in these protocols.
● The Company regularly checks whether the destruction operations are carried out in accordance with the law and the conditions and obligations set forth in this Personal Data Retention and Destruction Policy, and takes the necessary actions.
● The Company records all transactions regarding the deletion, destruction and anonymization of personal data and keeps these records for at least three years, excluding other legal obligations.
SECTION D: PERSONAL DATA COMMITTEE
The Company establishes a Personal Data Committee. The Personal Data Committee is authorized and in charge of taking the necessary actions and supervising the processes for the storage and processing of the data of the persons concerned in accordance with the law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Disposal Policy.
The Personal Data Committee consists of three people, a manager, an administrative expert and a technical expert. The titles and job descriptions of the Company employees working in the Personal Data Committee are as follows:
| Title | Job Description | |
| Personal Data Committee Manager | : | To direct all kinds of planning, analysis, research and risk determination studies in the projects carried out in the process of compliance with the law; It is obliged to manage the processes to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Disposal Policy and to decide on the requests received by the relevant persons. |
| KVK Specialist (Technical and Administrative) | : | Reporting the requests of the persons concerned to the Personal Data Committee Manager for review and evaluation; Fulfilling the transactions regarding the requests of the persons evaluated and decided by the Personal Data Committee Manager in accordance with the Personal Data Committee Manager’s decision; auditing the storage and destruction processes and reporting these audits to the Personal Data Committee Manager; Responsible for the execution of storage and destruction processes. |
SECTION E: UPDATE AND COMPLIANCE
The Company reserves the right to make changes in the Processing and Protection of Personal Data Policy or this Personal Data Retention and Disposal Policy in line with the changes made in the Law, in accordance with the decisions of the Institution or in line with the developments in the sector or in the field of informatics.
Changes made in this Personal Data Retention and Disposal Policy are immediately processed in the text and explanations regarding the changes are announced at the end of the policy.
