Policy on the Protection of Personal Data

1. PURPOSE

As Dubium Informatics Consultancy and Trade Ltd. Co. (“TEYİT”), we aim to protect the personal data of our members, visitors and other related natural persons, to process their data in accordance with Law no. 6698 on the Protection of Personal Data (“KVKK”) and other related legislation, and to protect the rights of those whose data has been processed within the scope of our Factory program.  

As such, we have drafted our Policy on the Protection and Processing of Personal Data (“Policy”). Through this policy, our objective is to protect all natural persons whose data is processed by our party, to ensure that they are able to enjoy their rights as defined by the laws, to protect their right to privacy, to safeguard the confidentiality of communications and to provide transparency. We explain the methods that we use in the processing of personal data and in ensuring the demands of the data owners are met.

2. SCOPE

All personal data processed by TEYİT as part of the Factory project falls under the scope of this Policy.

3. LEGAL OBLIGATIONS

As part of our activities in protection and processing of personal data as a data controller, in accordance with the KVKK, we have the following obligations:

3.1. Our obligation to inform

In collecting personal data in our capacity as the data controller, we are obliged to disclose to the Data Owner how we collect their data, for what purpose their personal data will be processed, our identity, the processed personal data, our methods and the legal justification for the collection of data, and legal rights.

We pay special attention to ensuring that our Policy, which is accessible by the general public, is clear, understandable and accessible.

3.2. Our obligation to provide data security

We take all measures stipulated by legislation aimed at the protection of the personal data under our responsibility. Article 7.2 of this Policy lists the measures we implement.

4. CLASSIFICATION OF PERSONAL DATA

4.1. Personal Data

Personal data is information that relates to an identified or identifiable individual.

By definition, personal data refers only to natural persons, and as such, legal persons are not covered under this policy.

4.2. Sensitive personal data

Sensitive personal data refers to data concerning the individual’s race, ethnicity, political opinion, philosophical belief, religion, sect or other belief, clothing, association, foundation or union memberships, health, sexual persuasion, criminal convictions and security measures, as well as biometric and genetic data.

5. PROCESSING OF PERSONAL DATA

5.1. The principles we apply to personal data processing

We process personal data in accordance with the following principles:

5.1.1. Processing pursuant to the law and good faith

5.1.2. Ensuring that personal data is accurate and updated as necessary

5.1.3. Processing for specific, clear and legitimate purposes

5.1.4. Ensuring that personal data is relevant, in connection with and limited to the purpose of processing

5.1.5. Storing personal data as part of our legitimate commercial interests, as stipulated by the legal regulations

5.2. Our objectives in personal data processing

TEYİT processes personal data collected from its Factory website to:

  • Carry out its activities;
  • Provide supportive services as part of the contract and service standards;
  • Identify the preferences and needs of members/visitors, and to reshape and update our services accordingly;
  • Fulfil our legal obligations as required by legal arrangements;
  • Conduct market research and statistical studies;
  • Perform legal reporting activities;
  • Facilitate corporate communication; and
  • Send bulletins or notifications via e-mail.

5.3. Processing of the personal data collected through cookies

We use cookies to improve the functioning and use of our websites and mobile applications.

Your personal data may be collected, processed, transferred and stored through cookies on the Factory website, in accordance with this policy.

For further information, please check our Cookie Policy.

5.4. Extraordinary circumstances that do not require explicit consent

In the extraordinary circumstances listed below as well as in legal situations, personal data may be processed without the explicit consent of the owner:

  • If it is clearly stipulated by the law;
  • If it is necessary to process the personal data of the parties of a contract, provided that the processing is related directly to the establishment or execution of the contract;
  • If data processing is required to establish, use or protect a right; or
  • If it is necessary for our party to process personal data as the data controller for our legitimate interests, provided that fundamental rights and freedoms are not harmed.

6. TRANSFERS OF PERSONAL DATA

6.1. Transfers of personal data in Turkey

We carry out our activities regarding the transfer of personal data in accordance with the provisions of the KVKK and decisions and regulations of the Personal Data Protection Authority.

Personal data cannot be transferred by our party to other natural or legal persons without the explicit consent of the data owner.

In extraordinary circumstances, as stipulated by the KVKK and in other legislation, personal data may be transferred to the related administrative or judicial institutions or organizations authorized in accordance with the legislation and its limitations, without the explicit consent of the data owner.

6.2. Transfer of personal data abroad

As a rule, personal data cannot be transferred abroad without the explicit consent of the data owner. In the event of extraordinary circumstances, personal data may be transferred abroad without explicit consent if:

  • The third party is in one of the countries determined by the Personal Data Protection Authority as having adequate protection;
  • The third party is not in one of the countries with adequate protection, but guarantees adequate protection to the data controllers in Turkey and in the relevant country in writing, and possesses a permit from the Personal Data Protection Authority.

6.3. The institutions and organizations to which personal data is transferred

In line with the rules and principles described above, personal data may be transferred to:

  • Our suppliers,
  • Our partners and business contacts,
  • Authorized public organizations and institutions,
  • Authorized private legal persons,
  • Community companies, and
  • Our shareholders.

6.4. The measures we implement to ensure the legitimate transfer of personal data

6.4.1. Technical measures

The measures we implement for personal data protection include, but are not limited to, the following:

  • Establishing the technical organization required to process and store personal data in accordance with legislation;
  • Creating the technical infrastructure to ensure the security of the databases in which your personal data is stored;
  • Following the processes related to this technical infrastructure and carrying out audits;
  • Determining the procedures related to the reporting of our technical measures and audits;
  • Updating and improving our technical measures regularly;
  • Reviewing situations that pose a risk, and creating the required technological solutions;
  • Using virus protection systems, firewalls, and similar software and hardware products, and establishing security systems in line with technological developments; and
  • Employing technical experts.

6.4.2. Administrative measures

The measures we implement for personal data protection include, but are not limited to, the following:

  • Establishing policies and procedures governing access to personal data by the employees of the company and its subsidiaries;
  • Informing and training our employees on the legitimate protection and processing of personal data; and
  • Laying down the measures to be applied in the event of any illegitimate processing of personal data in our contracts with employees and/or in the application of the policies established by the company.

7. STORING OF PERSONAL DATA

7.1. The storing of personal data, as stipulated by the relevant legislation or for the period required for the purpose of processing

We store personal data for the period required for the purpose of processing, and for the storage durations stipulated by legislation.

In the event of the Company processing personal data for multiple purposes, the personal data concerned is erased, destroyed or stored anonymously upon the expiration of the said purposes, or upon the request of the data owner. The decisions of the Personal Data Protection Authority are followed regarding matters related to data destruction, erasure or anonymization.

7.2. The measures we implement regarding the storage of personal data

7.2.1. Technical measures

  • Establishing the necessary technical infrastructure and related auditing mechanisms for the erasure, destruction and anonymization of personal data;
  • Taking the necessary measures to ensure the security of the stored data;
  • Employing technical experts; and
  • Establishing security systems for the storage of personal data in line with technological developments.

7.2.2. Administrative measures

  • Creating awareness on the technical and administrative risks of personal data storage by informing our employees; and
  • Including provisions on the necessary security measures to be taken for the protection and storage of transferred data in contracts made with companies to which the personal data is transferred, in the event of the Company cooperating with third parties for the storage of personal data.

8. SECURITY OF PERSONAL DATA

8.2. The measures we implement to prevent the illegitimate processing of personal data

  • Carrying out or commissioning audits;
  • Informing and training our employees on the legitimate processing of personal data;
  • Evaluating all of the activities carried out by our Company in different work units, and processing the personal data specific to the commercial activities of the related units after evaluation;
  • Including provisions regarding the necessary security measures to be taken by persons involved in processing personal data in contracts made with companies that have access to personal data, in the event of the Company cooperating with third parties for the processing of personal data; and
  • Informing the Personal Data Protection Authority in the event of any illegitimate exposure of personal data or data breach, performing the related examinations as stipulated by legislation, and taking the necessary measures.

8.2.1. The technical and administrative measures we implement to prevent illegitimate access to personal data

We implement the following measures to prevent illegitimate access to personal data:

  • Employing technical experts;
  • Updating and improving our technical measures regularly;
  • Establishing in-house access authorization procedures;
  • Determining the procedures related to the reporting of our technical measures and audits;
  • Establishing data recording systems in accordance with the legislation, and performing periodical audits;
  • Informing and training our employees on personal data access and authorization;
  • Including provisions on the necessary security measures to be taken by persons accessing personal data in contracts made with companies that have access to personal data in the event of the Company cooperating with third parties for such purposes as processing or storing personal data; and
  • Establishing security systems in line with technological developments to prevent illegitimate access to personal data.

9. RIGHTS OF THE DATA OWNER

We inform the Personal Data Owner as part of our obligation to inform and establish the related systems and infrastructure. We are making the necessary technical and administrative arrangements required for the Owner to access their rights related to their personal data.

The Data Owner has the right to:

  • Know whether their personal data has been processed;
  • Request information if their data has been processed;
  • Learn about the purpose of processing, and whether their data has been used for the specified purpose;
  • Know the identities of the third parties in Turkey or abroad to which their personal data has been transferred;
  • Request the correction of personal data in the event of it being processed in a deficient or erroneous way;
  • Request the erasure or destruction of the personal data in the event of the situation requiring the processing of personal data ceasing to exist;
  • Request that the third parties to which the personal data has been transferred be notified of the said correction, erasure and destruction;
  • Object to results against themselves that are obtained by means of analysis exclusively through automatic systems; and
  • Request compensation in the event of any loss incurred due to the illegitimate processing of personal data.

9.1. Using the rights regarding personal data

The Data Owner can send requests concerning their personal data in writing via e-mail to info@teyit.org or any other channel determined by the Personal Data Protection Authority.

9.2. Evaluation of the application

9.2.1. Response time for the application

Requests regarding personal data are concluded as soon as possible, and within 30 (thirty) days in any case, free of charge. In the event of certain conditions requiring a fee, as published by the Personal Data Protection Authority, the evaluation shall be concluded for the fee as stated by the Authority.

During the application or its evaluation, supplementary information or documents may be requested.

9.2.2. Our right to reject the application

Applications regarding personal data may be rejected for the following reasons:

  • The application is not based on a valid reason;
  • The application includes a claim that is contrary to the related legislation; or
  • The application does not comply with the application procedure.

In such an event, the reasoning for rejection shall be explained.

9.3. Right to Petition the Personal Data Protection Authority

In the event of the application being rejected, the response provided by our party being deficient, or a timely answer not being provided, the applicant has the right to petition the Personal Data Protection Authority within 30 (thirty) days following the receipt of the response, or within 60 (sixty) days of the application date in any case.

10. ENFORCEMENT

This Policy enters into force upon its publication on the Factory website.