OF PROTECTION AND PROCESSING OF SENSITIVE PERSONAL DATA
This Policy covers all departments, employees and third parties involved in any process that processes personal data within KRK Holding, its group companies, affiliated companies and other companies within their partnerships.
The Policy defines the provisions for the security of the Company's Sensitive Personal Data, covers all activities that ensure management in this area, and is implemented at every step to maintain this.
The Policy does not apply to data that are not Sensitive Personal Data.
- Law: Protection Law No 6698.
- Regulation: Erasure, Destruction or Anonymization of Personal Data.
- Personal Data: All kinds of information regarding an identified or identifiable natural person.
- Policy: This Policy of Protection and Processing of Sensitive Personal Data.
- Personal Data Processing Inventory: The inventory of personal data processing activities carried out by data controllers depending on their business processes, created by associating the recipient groups and the groups of data subjects, the purposes of personal data processing and the legal basis with the data category, and detailing the maximum storage period required for the personal data processing, the personal data envisaged to be transferred abroad and the measures taken regarding data security.
- Sensitive Personal Data: Within the scope of the personal data protection law, data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
- Company: KRK Holding, group companies, affiliates and other companies within its partnerships.
- Data Subject: The natural person whose personal data are processed.
- Registry Information System (VERBIS): The registry held by the Presidency.
This Policy has been created in order to determine the procedures and principles for the protection and processing of sensitive data collected by the Company, which holds the title of data controller pursuant to the Law.
The Company, as a data controller that is obliged to register with VERBIS, processes Sensitive Personal Data; it is obliged to keep such data in accordance with the Personal Data Processing Inventory, to define the rules for the security of this data, and to act in accordance with this Policy, which covers all the activities it manages and which it has prepared and implements to maintain this.
The conditions and principles set out in the Law and the related legislation apply to the storage and destruction of Personal Data.
IV. SENSITIVE PERSONAL DATA
Principles Regarding Processing Sensitive Personal Data
The Company takes all necessary technical and administrative measures for the safe storage of Personal Data and to prevent it from being processed or accessed unlawfully.
The Company undertakes not to process Personal Data in any manner contrary to that specified in the Law.
Except for the exceptions specified in the Law, the Company is prohibited from storing Sensitive Personal Data without the explicit consent of the persons concerned, unless one of the conditions for processing Sensitive Personal Data specified in paragraph 3 of Article 6 of the Law applies. In cases where the Company stores Sensitive Personal Data, it processes the data in accordance with the relevant legislation, after obtaining explicit consent.
Personal Data Processed by the Company
Sensitive Personal Data other than data concerning health and sexual life, that is, data about a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data, may be processed without seeking the explicit consent of the data subject in the cases provided for by law.
Personal data concerning health and sexual life may only be processed without seeking the explicit consent of the data subject by persons under an obligation of secrecy or by competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, and the planning and management of health-care services as well as their financing.
Sensitive Personal Data are processed within the Company with the explicit consent of the data subjects, and only within the framework of the controls specified in the 'General Principles Regarding the Processing of Sensitive Personal Data' section of this Policy. Which data are processed varies depending on the type and nature of the relationship between the Company and the Data Subject, the communication channels used and the purpose of the processing.
Purposes of Processing Sensitive Personal Data
Personal Data may be processed within the scope of the purposes specified in the Personal Data Processing Inventory and may be stored for as long as these purposes and the relevant legal periods require.
Transfer of Sensitive Personal Data
Within the scope of the purposes exemplified in the 'Purposes of Processing Sensitive Personal Data' section of this Policy and in accordance with Articles 8 and 9 of the Law, the Company transfers data domestically and abroad, and Personal Data may be processed and stored on the servers and electronic media used in this context. The recipients to whom personal data are transferred and the purposes of the transfers are detailed in the Personal Data Processing Inventory prepared by the Company. The nature of these transfers and their recipients vary depending on the type and nature of the relationship between the Data Subject and the Company, the purpose of the transfer and the relevant legal basis; the measures taken within this scope, the basic procedures of practice and the transactions to be carried out within this framework apply accordingly.
If the Company transfers Sensitive Personal Data, it carries out the transfer by taking the necessary measures in accordance with the terms and conditions specified in the Law and the relevant legislation.
5) Disappearance of Data Processing Conditions
The Company is responsible for keeping the conditions for processing Sensitive Personal Data current and shares this responsibility with all its employees. Employees may not continue data processing where the data processing conditions no longer exist. Personal data shall be destroyed in compliance with the provisions of this Policy by the Company ex officio or at the request of the data subject when the reasons for the processing no longer exist.
The Company accepts that the conditions for processing Sensitive Personal Data no longer exist in the cases listed below as examples and specified in the Regulation:
- where the purpose for processing the Personal Data no longer exists,
- where the processing of the Personal Data is contrary to the law or the principle of honesty,
- where the processing of the Personal Data takes place solely on the basis of explicit consent, and that explicit consent is withdrawn.
6) Protection of Sensitive Personal Data
The Company takes the following measures as a data controller:
i) Administrative Measures
- Training and awareness activities for employees are carried out periodically on improving employees' quality and technical knowledge and skills, preventing unlawful processing of Personal Data, preventing unlawful access to Personal Data, ensuring the preservation of Personal Data, communication techniques and the relevant legislation.
- Disciplinary regulations that include data security provisions for employees are in place.
- A Personal Data Processing Inventory has been prepared.
- Corporate policies on storage and destruction have been prepared.
- Before Personal Data is processed, the obligations to inform the data subjects and to obtain their explicit consent are fulfilled.
- Personal Data is minimized as far as possible.
- Periodic and random audits are carried out.
- VERBIS registration has been completed.
- In addition to the administrative measures taken for Personal Data, a separate systematic, clear, manageable and sustainable policy and procedure for the security of Sensitive Personal Data has been determined.
- Regular training is given on the Law and related regulations and on Sensitive Personal Data security.
- The scope and duration of users' data access authorization are clearly determined, and authorization controls are carried out periodically.
ii) Technical Measures
- Personal Data security policies and procedures have been determined.
- Personal Data security issues are reported directly.
- Personal Data security is monitored.
- Erasure, destruction or anonymization processes are applied periodically in accordance with the Personal Data storage and destruction policy.
- When an employee changes position or leaves the company, the employee's authorizations in this area are revoked.
- Necessary security measures are taken for entry to and exit from physical environments containing Personal Data.
- The security of environments containing Personal Data is ensured.
- Risks of unlawful processing are identified and technical measures are taken in accordance with these risks.
- Procedures for the distribution of access authorizations and roles are established and implemented.
- Network and application security is provided.
- An authorization matrix is maintained.
- Access logs are kept regularly.
- Data masking measures are applied where necessary.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- A user account management and authorization control system is applied and monitored.
- Personal Data is backed up and the security of the backed-up Personal Data is also ensured.
- In addition to the technical measures taken for Personal Data, Sensitive Personal Data are stored using cryptographic methods.
- Records of all actions performed on the data are logged securely.
- Where remote access to data is required, at least a two-step identity verification system is applied.
- Where data need to be transferred by e-mail, an encrypted corporate e-mail address or a Registered Electronic Mail account is used.
- In addition to the technical measures taken for Personal Data, adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken for the environments where Sensitive Personal Data is held.
- Unauthorized entry to and exit from the environments where Sensitive Personal Data is held are prevented.
- When Sensitive Personal Data is transferred in paper documents, the necessary measures are taken against risks such as theft, loss or being seen by unauthorized persons, and the document is sent in the format of "classified documents".
7) Transfer of Sensitive Personal Data
The Company may transfer Sensitive Personal Data obtained in accordance with the law to third parties, taking all safety precautions, in line with its data processing purposes. Accordingly, the Company may transfer Sensitive Personal Data to third parties where one of the processing conditions specified in the section above is met and one of the following conditions applies:
- with the explicit consent of the Data Subject;
- if there is an explicit provision in the laws regarding the transfer of Sensitive Personal Data;
- if it is necessary for the protection of the life or bodily integrity of the Data Subject, and the explicit consent of the Data Subject cannot be obtained due to factual impossibility or his/her consent is not legally valid;
- if it is necessary to transfer Personal Data belonging to the parties to a contract, provided that it is directly related to the conclusion or performance of that contract;
- if the personal data processing activity is necessary for the Company to fulfil its legal obligations;
- if the owner of the Sensitive Personal Data has disclosed the data himself/herself;
- if the transfer of Sensitive Personal Data is mandatory for the establishment, exercise or protection of a right;
- if the transfer of Personal Data is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
8) International Transfer of Sensitive Personal Data
The Company, taking the necessary security measures and the adequate precautions stipulated by the Board, and in line with its legitimate and lawful Personal Data processing purposes, may transfer Sensitive Personal Data to a data controller abroad that has an adequate level of protection or that undertakes to protect the Sensitive Personal Data of the Data Subject, in the following cases:
- with the explicit consent of the Data Subject; or
- without the explicit consent of the Data Subject, where Sensitive Personal Data other than data concerning health and sexual life (that is, data about a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data) may be processed without explicit consent in the cases provided for by law, and where personal data concerning health and sexual life may be processed without explicit consent by persons under an obligation of secrecy or by competent public institutions and organizations for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, and the planning and management of health-care services as well as their financing.
If new legislation on the subject is enacted or the relevant legislation is updated, the Company will update this Policy in line with the relevant legislation and comply with its requirements.