NEMA BASIM YAYIN SAN. VE TİC LTD. ŞTİ CORPORATE PERSONAL DATA PROTECTION POLICY
1. TARGET
Every individual’s right to demand the protection of his personal data is a sacred right arising from the Constitution. As Nema Basım Yayın San. Ve Tic Ltd. Sti. we consider fulfilling the requirements of this right as one of our most valuable duties. Therefore, we attach importance to the legal processing and protection of your personal data.
The Corporate Personal Data Protection Policy has been prepared in order to determine the principles and procedures we apply while processing and protecting personal data as a result of the importance we attach to the protection of personal data.
2. SCOPE
Policy covers all kinds of operations performed on data such as obtaining, recording, storing, preserving, modifying, rearranging, disclosing, transferring, taking over, making obtainable, classifying or preventing use of all personal data managed by Nema Basım Yayın San. Ve Tic Ltd. Şti., fully or partially automatically or by non-automatic means provided that it is a part of any data recording system.
Policy is related to all processed personal data of Nema Basım Yayın San. Ve Tic Ltd. Şti.’s partners, officials, customers, employees, supplier officials and employees, and third parties.
Nema Basım Yayın San. Ve Tic Ltd. Şti. may change the Policy in order to comply with the legislation and the decisions of the Personal Data Protection Authority and to better protect personal data.
3. DEFINITIONS
Abbreviation | Definition |
Receiver Group | The category of natural or legal person to whom personal data is transferred by the data controller. |
Open Consent | Consent on a particular subject, based on information and expressed with free will. |
Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
Related Person | The natural person whose personal data is processed. |
Related User | Except for the person or unit responsible for technical storage, protection, and backup of the data, they are the persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller. |
Destruction | Deletion, destruction, or anonymization of personal data. |
Law/LPPD | Law No. 6698 on the Protection of Personal Data. |
Storing Environment | Any environment where personal data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Data Inventory | The inventory formed by Data controllers by correlating the personal data processing activities they carry out in connection with their business processes; personal data processing purposes and legal reason, data category, transferred recipient group and data subject group and which they detailed by explaining the maximum retention period required for the purposes for which they are processed, the personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security. |
Processing of Personal Data | Any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. |
Commission | Personal Data Protection Commission established by the Nema Basım Yayın San. Ve Tic Ltd. Şti. to manage the Policy and other related procedures and to ensure the enforcement of the Policy. |
Board | Personal Data Protection Board. |
Authority | Personal Data Protection Authority |
Sensitive Personal Data | Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of individuals. |
Periodic Destruction | The deletion, destruction, or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the Law are eliminated. |
Policy | Personal Data Protection Policy |
Data Processor | The real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. |
Data Controller | The real or legal person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data recording system. |
4. GENERAL PRINCIPLES
Nema Basım Yayın San. Ve Tic Ltd. Şti. checks the compliance of the data to be processed with the following principles during the preparation phase of the workflow that requires each new personal data processing. Workflows that are not suitable will not be implemented.
While processing personal data, Nema Basım Yayın San. Ve Tic Ltd. Sti.;
1. Complies with the law and honesty rules.
2. Ensures that personal data is correct and up-to-date when necessary.
3. Takes care that the purpose of the processing is specific, clear, and legitimate.
4. Checks that the processed data is related to the purpose of processing, that it is processed limitedly to the extent that it needs to be processed, and that it is measured.
5. Preserves the data only as required by the relevant legislation or only for the purpose of processing and destroys it when the purpose of processing ceases.
5. DUTIES AND RESPONSIBILITIES
Personal Data Protection Commission under Nema Basım Yayın San. Ve Tic Ltd. Şti. has been established in order to manage this Policy and other related procedures regarding the processing of personal data and to ensure the enforcement of the Policy. The Commission consists of the Human Resources and Administrative Affairs Manager and the Finance Manager Responsible. In addition, Nema Basım Yayın San. Ve Tic Ltd. Şti., when necessary, receives LPPD consultancy support from Akkaş KVK (PPD) in order to comply with the Law on Protection of Personal Data No. 6698. If the Commission deems it necessary, it may invite the LPPD consultant to its meetings.
The duties and responsibilities of the Commission are set out below.
1. It normally convenes every 6 months. Extraordinary meetings may be held if the circumstances require it (for example, in the event of a possible data breach).
2. It discusses the issues that need to be changed/improved in the Policy.
3. It determines the issues that can be fulfilled for the legal processing and protection of personal data.
4. The Commission determines the steps that can be taken to increase LPPD awareness within the company and among business partners.
5. It determines the risks that may be encountered in the processing and protection of personal data and takes the necessary administrative and technical measures.
6. It provides communication with the institution and manages the relations.
7. It evaluates the requests from the Relevant Person.
8. It monitors the periodic destruction processes.
9. It updates the Data Inventory.
10. It makes assignments regarding the above-mentioned issues.
6. Measures Taken for Data Security
Nema Basım Yayın San. Ve Tic Ltd. Şti. takes all necessary technical and administrative measures(i) to prevent the unlawful processing of personal data, (ii) to prevent unlawful access to personal data, (iii) to ensure the appropriate level of security in order to ensure the protection of personal data.
1. Technical Measures
1. Network security and application security are provided.
2. Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
3. Access logs are kept regularly.
4. Updated anti-virus systems are used.
5. Firewalls are used.
6. Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
7. Physical environments containing personal data are secured against external risks (fire, flood, etc.).
8. The security of environments containing personal data is ensured.
9. Personal data is backed up and the security of the backed up personal data is also ensured.
10. User account management and authorization control system is implemented, and these are also followed.
11. Log records are kept in a manner without user intervention.
12. Intrusion detection and prevention systems are used.
13. Encryption is done.
2. Administrative Measures
1. There are disciplinary regulations that include data security provisions for employees.
2. Training and awareness activities are carried out periodically for employees on data security.
3. Institutional policies on access, information security, use, storage, and destruction have been prepared and started to be implemented.
4. Data masking is applied when necessary.
5. Confidentiality commitments are made.
6. An authorization matrix has been created for employees.
7. The authorizations of employees whose post have been shifted or who discharge from their posts in this field are removed.
8. The signed contracts contain data security provisions.
9. Personal data security policies and procedures have been determined.
10. Personal data security issues are reported quickly.
11. Personal data security is monitored.
12. Personal data is reduced as much as possible.
13. In-house periodic and/or random audits are conducted, and they are made done.
14. Existing risks and threats have been identified.
15. Protocols and procedures for special quality personal data security have been determined and implemented.
16. If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.
17. Awareness of data processing service providers on data security is ensured.
7. Relevant Person’s Rights Regarding Personal Data
Relevant Person, by applying to Nema Basım Yayın San. Ve Tic Ltd. Şti., might request the following matters:
1. Learning whether personal data is processed or not,
2. If personal data has been processed, requesting information about it,
3. Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
4. Learning the third parties whose personal data are transferred in the country or abroad,
5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to third parties to whom personal data has been transferred,
6. Requesting the deletion, destruction, or anonymization of personal data in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of the LPPD and other relevant laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
7. Objecting to the emergence of a negative result by analyzing the processed data exclusively through automated systems,
8. Requesting the compensation of the damage in case of loss due to unlawful processing of personal data.
8. VIOLATION NOTIFICATIONS
Nema Basım Yayın San. Ve Tic Ltd. Sti. employees report to the Commission the work, action, or phenomenon that they think violating the provisions of the LPPD and/or the Policy. After this violation notification, the committee convenes if it deems it necessary and creates an action plan regarding the violation.
If the violation has occurred through the unlawful obtaining of personal data to others, the Commission will notify this situation to the relevant person and the Board within 72 hours within the scope of the Board’s decision dated 24.01.2019 and numbered 2019/10.
9. CHANGES
Changes on the policy are prepared by the Commission and submitted to the approval of the Board of Directors of Nema Basım Yayın San. Ve Tic Ltd. Şti. The updated Policy can be sent to the employees via e-mail, or it is published on the website.
10. EFFECTIVE DATE
This version of the Policy was approved by the Board of Directors and entered into force on 15.2.2020.