PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. INTRODUCTION
1.1. Generally
Ensuring the confidentiality and security of personal data and compliance with relevant legal regulations is among the most important priorities of Sunseeker Turkey Yatçılık Hizmetleri Limited Şirketi ("Company"), and maximum care is taken in this regard. In this context, the purpose of this Personal Data Protection and Processing Policy ("Policy"), and of the process managed by other written policies within the Company, is to inform our employees, employee candidates, visitors, guests and other third parties ("Related Persons") about the processing, storage and protection of their personal data in accordance with the law, and to reflect our corporate culture.
In preparing this Policy, we take as our guide the Constitution of Turkey and, in particular, the Law on Personal Data Protection No. 6698 ("KVKK"), the provisions of the relevant legal norms regarding the protection and processing of personal data, and the decisions of the Personal Data Protection Board.
In this Policy, explanations regarding the following basic principles adopted by our Company for the processing of personal data will be made:
1.2. Purpose of the Policy
The main purpose of this Policy is to explain the personal data processing activities carried out by our Company in accordance with the law and the procedures adopted for the protection of personal data, and within this scope to provide transparency by informing Related Persons. In addition, this KVK Policy and other written policies aim to make our principle of compliance with KVKK and other relevant legal regulations regarding personal data security sustainable.
1.3. Scope of the Policy
This Policy applies to natural persons whose personal data are processed by our Company by automatic means, or by non-automatic means provided that they are part of any data recording system. An Internal Directive on the Protection of Personal Data has been created within the scope of this Policy.
1.4 Implementation of the Policy and Relevant Legislation
This Policy has been concretized and arranged within the principles set forth by the relevant legislation. Our Company undertakes and accepts that, in the event of inconsistency between the current legislation and this Policy, the current legislation will apply.
1.5. Enforcement of the Policy
This Policy enters into force after being approved by the board of directors of our Company; it is published on the website (sunseekerturkey.com) and in this way is made available to Related Persons.
2. DEFINITIONS AND ABBREVIATIONS
3. PRINCIPLES OF PROCESSING PERSONAL DATA
3.1. Processing of Personal Data According to the Principles Provided in the Legislation
3.1.1. Processing in Compliance with Law and Good Faith Rules
Our Company has adopted as a basic principle compliance with the law and the rules of honesty in all kinds of transactions carried out on personal data. In this context, by adopting the principle of transparency, it informs Related Persons, through this Policy and other texts, about the purposes for which the personal data collected are used.
3.1.2. Ensuring Personal Data is Accurate and Updated When Required
Our Company has a system and process to ensure the accuracy and up-to-dateness of the personal data it processes while conducting its personal data processing activity. In this context, Related Persons can have their personal data kept accurate and up to date by making an application to our Company.
3.1.3. Processing for Specific, Clear, and Legitimate Purposes
Our Company determines the purpose of personal data processing within legitimate and legal limits, and informs the Related Persons through this Policy and other texts before the personal data processing activity begins.
3.1.4. Being Related, Limited, and Proportional to the Purposes for Which They are Processed
Our Company processes personal data for the purposes required for the execution of its activities, in relation to and in proportion to its field of activity. In this context, while carrying out data processing activities, it carefully avoids processing personal data that are not related to the realization of the purpose and are not needed now or in the future.
3.1.5. Retaining Personal Data for the Period Required for the Purpose Stipulated in the Legislation or for the Purpose for Which They are Processed
Our Company preserves personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, it is first determined whether the relevant legislation sets a period for the storage of personal data; if a period is set, action is taken accordingly, and if no period is specified, the time required for the purpose of processing each item of personal data is determined and the data is kept for that period. In this context, our Company prepares and implements a policy and directive for the deletion, destruction or anonymization of personal data.
3.2. Processing Personal Data in Accordance with the Personal Data Processing Conditions Specified in Article 5 and Limited to These Conditions
Our Company processes personal data on the basis of the explicit consent of the Related Person, or in the cases where the KVKK does not require explicit consent, and limits its processing to these conditions.
3.2.1. Explicit Consent
Explicit consent is the statement made by the Related Person of his/her own free will, on a specific subject and based on information. Pursuant to Article 5/1 of KVKK, our Company respects and abides by the explicit consent of the Related Person where it is required in personal data processing.
3.2.2. Cases Where Explicit Consent is Not Required
Article 5/2 of KVKK regulates the cases in which personal data may be processed without the explicit consent of the Related Person. Since obtaining explicit consent where any of the specified conditions exists would be considered misleading the Related Person, our Company does not seek explicit consent in cases where these data processing conditions exist.
3.3. Processing of Personal Data of Special Nature
Our Company shows maximum sensitivity in the processing and protection of personal data determined as "special quality" by the KVKK, due to the risk of causing greater victimization or discrimination when processed, and the principles accepted for special quality personal data are also set out in this Policy. Where the person concerned has not given explicit consent, personal data of special nature can only be processed by our Company in the following cases, provided that adequate precautions to be determined by the Board are taken:
Our Company has set additional measures and processes regarding the processing of special quality data and access to these data. In this context, the environments where private personal data are stored are protected by secondary locks and secondary passwords, and the data are processed only by authorized persons within the framework of the authorization matrix.
3.4. Transfer of Personal Data
In order to fulfill the purposes stated in this Policy, personal data can be transferred to supervisory institutions within the framework of audit activities, to our shareholders, to legally authorized public institutions and organizations, to our suppliers and business partners at home and/or abroad, and to real persons or third persons to whom service is provided, within the framework of the personal data processing conditions and purposes specified in Article 8 and Article 9 of KVKK.
4. PRINCIPLES ON THE PROTECTION OF PERSONAL DATA
4.1. Technical and Administrative Measures Taken by Our Company Regarding the Security of Personal Data
4.1.1. Technical Measures
The main technical measures taken by our Company to ensure the legal processing of personal data and to prevent unlawful access to personal data are as follows:
In this context, our Company conducts continuous and sustainable studies regarding the following technical measures determined by the Board:
4.1.2. Administrative Measures
The main administrative measures taken by our Company to ensure the legal processing of personal data and to prevent unlawful access to personal data are as follows:
In this context, our Company conducts continuous and sustainable studies regarding the following administrative measures determined by the Board:
4.2. Raising Awareness of Our Employees in the Field of Personal Data Protection and Control
Our Company provides the necessary trainings and meetings to raise awareness in order to prevent unlawful processing of personal data, to prevent unlawful access to data, and to ensure that data are preserved securely. In order to increase the awareness of the current employees of our Company in the field of protection of personal data, we work with professionals where needed.
4.3. Protection of Sensitive Personal Data
Personal data determined as special by KVKK and processed in accordance with the law are protected with precision by our Company. In this context, the technical and administrative measures taken by our Company were determined on the basis of the relevant legal regulation and the decision "Adequate Precautions to be Taken by Data Controllers in the Processing of Special Qualified Personal Data" published by the Personal Data Protection Authority, and they are applied with care for the protection of special quality personal data.
4.4. The Process to be Followed in Case of Unauthorized Disclosure of Personal Data
In the event that the personal data it processes are illegally obtained by others, our Company will notify the relevant person and the Board within 72 hours. If deemed necessary by the Board, this may be announced on the Board's website or by any other method.
4.5. Personal Data Inventory
Each unit of our Company creates an up-to-date personal data processing inventory. The unit manager is responsible for the accuracy and timeliness of this inventory and for its submission to the contact person when necessary. Developments relevant to keeping the inventories correctly and applying the current Company policy on the protection of personal data, and current developments in the protection of personal data, are always followed.
5. APPLICATION OF RELATED PERSONS TO THE DATA CONTROLLER, OUR COMMUNICATION CHANNELS AND EVALUATION PROCESSES OF THE APPLICATION
5.1. Application Subject
Our Company gives great importance and value to Related Persons' rights and provides them with the opportunity to exercise these rights. An "Application Form for Data Supervisor" was prepared by our Company and published on our website, by which the relevant persons can easily submit their requests. However, Related Persons are not required to use this form. Every application made in accordance with the Communiqué on Application Procedures and Principles to the Data Controller will be evaluated. By applying to our Company, everyone has the following rights regarding themselves:
a) To learn whether his/her personal data has been processed or not,
b) To request information if his/her personal data are processed,
c) To learn the purpose of processing the personal data and whether they are used for that purpose or not,
ç) To know the third parties to whom his/her personal data is transferred at home or abroad,
d) To request the rectification of incomplete or inaccurate data, if any,
e) To request the erasure or destruction of his/her personal data under the conditions specified in Article 7 of the KVK Law,
f) To request notification of the operations carried out in compliance with subparagraphs (d) and (e) to the third parties to whom his/her personal data has been transferred,
g) To object to consequences to his/her detriment arising from the analysis of the processed data exclusively via automatic systems,
ğ) To claim compensation in case of suffering loss due to illegal processing of the personal data.
5.2. Application Method and Address
5.3. Post-Application Process
Applications submitted to us are answered, depending on the nature of the request, within 30 (thirty) days at the latest from the date they reach our Company. Our responses are sent to the Data Supervisor based on the form of notification specified by the applicant in the Application Form. In accordance with Article 14 of the KVKK, in cases where the application is rejected, the response is found to be insufficient or the application is not responded to in due time, Related Persons can make a complaint to the Board within thirty days from the date they learn of our Company's answer and, in any case, within sixty days from the date of application.
5.4. Application Fee
Applications are made free of charge as a rule. However, if the transaction requested by the relevant persons requires an additional cost, the fee in the tariff determined by the Board of our Company will be charged.
6. ENLIGHTENING AND INFORMING RELATED PERSONS
Our Company enlightens the relevant persons about the process of obtaining personal data through this Policy, the Clarification Text and other texts that are easily accessible on our website, in accordance with the regulation in Article 10 of the KVKK. In this context, our Company informs the relevant persons about the identity of the data controller, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the other rights of the data subject. An Application Form for Data Supervisor has been created and published on the website of our Company so that the relevant person can use his/her rights stated in the KVKK more easily. This is explained in detail under section 5.
7. PURPOSE OF PROCESSING PERSONAL DATA AND RETENTION PERIODS
7.1. Purposes of Processing of Personal Data
Our Company processes personal data limited to the purposes and conditions within the personal data processing conditions specified in Articles 5 and 6 of the KVKK. These terms and conditions are as follows:
7.2. Retention Times for Personal Data
As the Company, where a period is stipulated in the relevant legislation, we keep personal data for the period specified in that legislation. In addition, our obligations arising from the relevant contracts and our administrative and legal responsibilities/liabilities are also taken into account in determining the retention periods. When the purpose of processing personal data has expired and the retention period determined by the relevant legislation and the Company has reached its end, these personal data are deleted and backed up only to provide evidence in possible legal disputes or to assert the relevant right related to personal data. In this case, access to personal data is not provided for any other purpose. Personal data are destroyed or anonymized after the periods specified in our Company's Personal Data Storage and Destruction Policy expire. The processed personal data and personal data inventories are reviewed in 6-month periods, and the personal data that need to be deleted/destroyed are deleted/destroyed within these 6-month periodic destruction periods and the transaction is recorded.
8. PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT IN THE WORK AREAS
8.1. Camera Monitoring Activities Conducted at the Entrances of the Work Areas and Inside
In order to ensure the security of the relevant persons and our Company, our Company carries out personal data processing activities in the places where we serve and carry out these services, in the form of security camera monitoring at the entrances and inside of the work areas and tracking of entrances/exits and overtime. In this context, as the Company, we act in accordance with KVKK and other relevant legislation.
8.1.1. Informing about Camera Monitoring Activity
The relevant persons are informed by our Company in accordance with Article 10 of the KVKK; in this way, it is aimed to prevent harm to the fundamental rights and freedoms of the persons concerned and to ensure transparency. For camera surveillance activities, the Company informs through this Policy on its website (online notice) and through a notification letter, at the entrances of the areas where monitoring is performed, stating that monitoring will be made (on-site notice / layered notice).
8.1.2. The Purpose of Surveillance with Cameras and Limitation of Purpose
As the Company, we process personal data in connection with the purpose for which they are processed, in a limited and measured manner in accordance with KVKK. The purpose of the Company in continuing the video camera recording and monitoring activity is limited to the purposes listed in this Policy. In this respect, the coverage and number of security cameras and the times at which surveillance is conducted are determined so as to be sufficient to achieve the security purpose and limited to this purpose.
8.1.3. Ensuring the Security of Data Obtained by Camera Monitoring
All necessary technical and administrative measures are taken by the Company to ensure the security of personal data obtained by camera recording. Detailed information is included in the section on measures regarding data security.
8.1.4. Who Can Access Information Obtained as a Result of Surveillance and to Whom This Information is Transmitted
Only authorized persons can access the information obtained as a result of monitoring and the storage environment. On the other hand, the live camera images can be watched by the security guards, who are employees of the Company or outsourced. The limited number of people having access to the records declare, through the confidentiality commitment, that they will protect the confidentiality of the data they access.
8.2. Visitor Entry / Exit Tracking at the Entrances of the Work Areas and Inside
For ensuring security and for the purposes specified in this Policy, personal data processing is carried out by the Company and by the outsourced company for tracking visitor entry and exit in the work areas of the Company. While obtaining the names and surnames of the people who come to our work areas as visitors, the relevant persons are informed through the texts posted in the relevant areas or made available to the guests in other ways. The data obtained for tracking guest entrances and exits are processed for this purpose only, and the personal data are recorded in the data recording system in the physical environment.
8.3. Recording of Information on Electronic Devices at the Entrances of Work Areas
In connection with the care and sensitivity we show as a company to information security and the protection of personal data, when our guests use their personal computers or similar electronic devices, we record the MAC addresses of those devices. The reason for this is to ensure the security of our Company and of the people whose personal data are held within our Company.
9. REVISING
This Policy comes into effect after being approved by the Company's board of directors. For changes to be made to the Policy, the approval of the person(s) authorized by the board of directors is obtained. The issues regarding the implementation of this Policy within the Company have been systematized with the internal policies, procedures and internal directives. The Policy is reviewed every 6 months and, if necessary, revisions are made with the approval of the authorized person.
10. PERSONAL DATA PROTECTION COMMITTEE
The Company has appointed a contact person within the framework of personal data protection law. A Committee of 4 people was formed from among the employees of the units of the Company.
The Personal Data Protection Committee ("Committee") is chaired by the Company contact person. The contact person acts with the views and recommendations of the Committee on administrative and technical measures. With regard to administrative and technical measures, the principles determined by the Committee are taken into account. The Committee strives to ensure the Company's compliance with personal data protection legislation. The contact person supervises the Company units for which he/she is responsible within the scope of personal data protection law. As a result of these audits, he/she warns the relevant units when necessary and informs the senior management about the situation. The contact person coordinates the responses to Related Person applications made to the Company, within the legal periods and in accordance with the procedure. The contact person manages the Company's relations with the Personal Data Protection Authority.
11. ENFORCEMENT
This Policy comes into force as of the date it is accepted and announced by the Company's board of directors / authorized bodies.