Article version 2018.97.0

Privacy Notice and Data Policy Regarding the Protection and Processing of Personal Data

Effective from:

Published at:

Volvo Car Turkey Otomobil Ltd. Şti. (hereinafter referred to as Volvo Car Turkey or the Company), located at the address "Fatih Sultan Mehmet Mah. Poligon Cad. Buyaka2 Sitesi No:8B Kule2 Kat:4 Tepeüstü Ümraniye – İstanbul", is committed to meticulously safeguarding the information of our valued members, users, customers, and anyone who has entrusted us with any personal data through any form of interaction. We have taken all necessary measures within the company to ensure the security of this information. You can conduct transactions with Volvo Car Turkey with confidence, knowing that your information is secure. We will respect your rights regarding your data, as protected by both the Turkish Constitution and laws. Below, we share our Privacy and Data Policy on the Protection and Processing of Personal Data that has been implemented within our company.

According to Article 20 of the Constitution of the Republic of Turkey, "Everyone has the right to demand the protection of their personal data." Because this is a constitutional right, Volvo Car Turkey takes the necessary precautions to protect the personal data of our job applicants, customers, shareholders, partners, members, dealers, potential product or service recipients, supplier employees, supplier officials, visitors, and other third parties, as well as our employees, who are the source of our existence, and has made this a corporate policy.

Within this context, Volvo Car Turkey takes the required administrative and technical measures to protect personal data processed in accordance with the relevant legislation. The processing of your personal information is a crucial part of providing products and services to you. We are grateful for the trust you place in us when sharing your personal information, and we prioritize your privacy, which is an essential part of the services we provide, while enhancing customer value and delivering improved and safer driving experiences. To this end, we adhere to the data protection principles detailed in this privacy and data policy.

The data protection principles adopted by Volvo Car Turkey in the processing of personal data in this Policy include the following:

  • Processing personal data only when it is clearly necessary for legitimate corporate purposes.
  • Processing the minimum amount of personal data required for these purposes and not processing more data than necessary.
  • Providing clear information to individuals about who is using their personal data and how.
  • Processing only relevant and appropriate personal data.
  • Processing personal data in a fair and lawful manner.
  • Keeping an inventory of the categories of personal data processed by Volvo Car Turkey.
  • Keeping personal data accurate and up to date when necessary.
  • Retaining personal data only for as long as required by legal regulations, Volvo Car Turkey's legal obligations, or legitimate corporate interests.
  • Respecting individuals' rights concerning their personal data, including the right to access.
  • Keeping all personal data secure.
  • Transferring personal data abroad only when there is adequate protection.
  • Applying the exceptions permitted by law.
  • Establishing and implementing a personal data protection system for the application of the Policy.
  • Identifying internal and external stakeholders involved in the personal data protection system and determining the extent to which they are involved.

Rest assured that we will handle any improvement suggestions, applications, or potential complaints with the utmost sensitivity. Please do not hesitate to contact us with any concerns related to your personal data. Just as we do with all our services, we will treat your personal data protection with the same diligence and care.

1. Purpose

The primary purpose of this Policy is to provide explanations regarding the lawful processing of personal data and the systems adopted for the protection of personal data by Volvo Car Turkey, thereby ensuring transparency by informing individuals whose personal data are processed by the company, including job applicants, customers, shareholders, partners, members, dealers, potential product or service recipients, supplier employees, supplier officials, visitors, and other third parties, as well as our employees, who are the source of our existence.

Throughout our history as Volvo Car Turkey, personal data collected due to the sensitivity of the businesses we have been involved in has been kept confidential and has never been shared with third parties for purposes other than the intended ones. The protection of personal data is a fundamental policy of our company. Even before any legal regulations, our company has placed great importance on the privacy of personal data and has adopted it as a working principle. As Volvo Car Turkey, we also commit to complying with all the responsibilities introduced by the Personal Data Protection Law.

2. Scope and Amendments

This Policy, prepared by our company, complies with the Personal Data Protection Law No. 6698 and the guidelines and policies published by the Personal Data Protection Authority ("KVKK"). As of today, the Law is in effect with all its provisions.

Data obtained with your consent or through other lawful means specified in the Law will be used to improve the quality of the services we provide and enhance our quality policy. Furthermore, some of the data we possess is de-identified and anonymized, ceasing to be personal. These data are used for statistical purposes and are not subject to the Law or our Policy.

This Privacy and Data Policy aims to protect automatically collected data of our customers, members, users, suppliers, prospective job applicants, employees, and customers of companies collaborating with us, and other individuals, as well as the employees who are the source of our existence, and includes regulations related to these data.

Our company has the right to amend our policy to comply with the Law and ensure better protection of personal data.

3. Fundamental Rules Regarding the Processing of Personal Data

  • Compliance with the law and fairness: Volvo Car Turkey verifies the source of the data it collects or receives from other companies and emphasizes that they must be obtained lawfully and fairly.
  • Accuracy and timeliness when necessary: Volvo Car Turkey attaches importance to ensuring that all data within the organization are accurate, free from incorrect information, and updated when changes occur in personal data and are reported to the company.
  • Processing for specified, explicit, and legitimate purposes: Volvo Car Turkey processes data only within the limits of the purposes for which consent has been obtained from individuals during the provision of services, and does not process, use, or allow the use of data for purposes other than those specified.
  • Being related, limited, and proportionate to the purposes for which they are processed: Volvo Car Turkey uses data only to the extent necessary for the purposes for which they are processed and for the service required.
  • Retention for the period stipulated in the relevant legislation or required for the purpose for which they were processed: Volvo Car Turkey retains data sourced from contracts for the periods required by the Law, the conflict periods of the Law, trade law, and tax law. However, when these purposes cease to exist, the data are deleted, anonymized, or erased.

It is important to note that the principles listed above apply to data whether they are collected with consent or processed in accordance with the law.

4. Principle of Minimum Data Processing/Principle of Frugality

According to our principle called the Principle of Minimum Data Processing or Frugality Principle, data reaching Volvo Car Turkey is only entered into the system to the extent necessary. Therefore, the data to be collected are determined based on the purpose. Unnecessary data are not collected. Other data received by our company are also transferred to the company's IT systems in the same way. Redundant information is not recorded, but is deleted or anonymized. These data can be used for statistical purposes.

5. Deletion of Personal Data

When legally required storage periods expire, legal processes are completed, or other requirements cease to exist, personal data is deleted, destroyed, or anonymized by our company either automatically or upon the request of the relevant individual.

6. Accuracy and Data Currency

Data held within Volvo Car Turkey is processed as per the declarations made by the relevant individuals. Volvo Car Turkey is not required to verify the accuracy of the data declared by customers or individuals who have contact with Volvo Car Turkey, neither by law nor due to our working principles. The declared data is considered accurate. The principle of accuracy and currency of personal data has also been adopted by Volvo Car Turkey. Our company updates personal data processed from official documents received or upon the request of the data subject, taking necessary precautions.

7. Privacy and Data Security

Personal data is confidential, and Volvo Car Turkey respects this confidentiality. Only authorized individuals within the company can access personal data. Volvo Car Turkey takes all necessary technical and administrative measures to protect personal data collected by the company from being accessed by unauthorized individuals, ensuring that data subjects are not harmed. Within this framework, measures such as ensuring that software complies with standards, careful selection of third parties, and compliance with data protection policies within the company are taken. Companies with whom we share personal data in accordance with the law are also required to protect the data, and necessary audits are meticulously conducted within these companies.

8. Principles Regarding the Processing of Personal Data

Our company, in accordance with Article 12 of the Personal Data Protection Law, takes the necessary technical and administrative measures to prevent the unlawful processing of personal data it processes, to prevent unauthorized access to data, and to ensure the protection of data at the appropriate security level, and within this scope, conducts necessary audits or has them conducted.

9. Ensuring the Security of Personal Data

Our company takes legal, technical, and administrative measures in data security in the following areas, and pays the highest level of attention and care to this issue. The actions and measures taken by our company to ensure data security in accordance with Article 12 of the Personal Data Protection Law are as follows:

  • Our company takes technological and administrative measures to ensure that personal data are processed lawfully, according to technological possibilities and application costs. Our employees are informed that they may not disclose to others, in violation of the provisions of the Personal Data Protection Law, the personal data they learn, that they may not use them for purposes other than processing, and that this obligation will continue even after they leave their duties; the necessary commitments are obtained from them accordingly.
  • Our company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities, and application costs to prevent the disclosure, access, transfer, and all unlawful access to personal data.
  • Our company increases awareness among data processors such as business partners and suppliers about the protection of personal data to prevent the unlawful processing of personal data, unauthorized access to data, and to ensure the lawful preservation of data, and takes necessary measures to ensure that business partners and suppliers process personal data in compliance with the Personal Data Protection Law.
  • As the data controller, our company is legally obliged to comply with its obligations when processing personal data and with the legal, administrative, and technical measures it has developed in this regard. These obligations, and the requirement to comply with them, are also legally imposed on business partners and suppliers that are involved with our company in various capacities in data processing, through contract updates compatible with the nature of the activity carried out.
  • Our company, in accordance with Article 12 of the Personal Data Protection Law, conducts necessary audits or has them conducted. The results of these audits are reported to the relevant department within our company within the scope of internal operations, and activities necessary for the improvement of the measures taken are carried out.
  • Our company operates a system that ensures the relevant personal data subject and the Personal Data Protection Board are notified as soon as possible if personal data processed in accordance with Article 12 of the Personal Data Protection Law is unlawfully obtained by others.

10. Protection of Data Subject Rights and Processing of Requests

Our company operates the necessary channels, internal processes, administrative, and technical regulations in accordance with Article 13 of the Personal Data Protection Law to evaluate data subjects' rights and provide the necessary information to data subjects.

If data subjects submit their requests regarding the rights listed below to our company in writing, our company will conclude the request within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the Personal Data Protection Board, our company will charge the applicant the fee specified by the Board. Data subjects have the following rights:

  • To learn whether personal data is being processed,
  • To request information if personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used in line with their purpose,
  • To know the third parties in the country or abroad to whom personal data have been transferred,
  • To request correction of personal data if it is incomplete or inaccurate and to request notification of the transaction made within this scope to third parties to whom personal data have been transferred,
  • To request the deletion, destruction, or anonymization of personal data processed in compliance with the Personal Data Protection Law, in case the reasons requiring their processing cease to exist, and to request notification of the transaction made within this scope to third parties to whom personal data have been transferred,
  • To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • To request compensation for the damage suffered in case of unlawful processing of personal data.

In accordance with Article 13/1 of the Personal Data Protection Law, data subjects must submit their requests regarding the use of their rights mentioned above to our company "in writing" or through other methods specified by the Personal Data Protection Board.

To use their above-mentioned rights, data subjects should submit their requests to our company along with the information necessary to establish their identity and explanations regarding the rights they want to use, specifying which of the rights mentioned in Article 11 of the Law their application is related to. This will ensure that the applications are responded to more quickly and effectively.

In this context, the channels and methods for making applications to our company regarding the use of the rights in Article 11 of the Personal Data Protection Law are explained below.

Requests for the use of the rights in Article 11 of the Personal Data Protection Law shall be transmitted in writing to our company with necessary information for identification, as well as explanations regarding the rights to be used by specifying which right mentioned in Article 11 of the Law the application is related to. Applications may be submitted to our company by filling out the "Data Subject Application Form" on the www.volvocars.com website or in writing to the address "Fatih Sultan Mehmet Mah. Poligon Cad. Buyaka2 Sitesi No:8B Kule2 Kat:4 Tepeüstü Ümraniye – İstanbul" with a signed copy of the form or via e-mail to kvkktr@volvocars.com.

You can use this document for your applications.

11. Customer, Potential Customer, and Business and Solution Partner Data

  1. Collection and Processing of Data for Contractual Relationship
    • If a contractual relationship has been established with customers and potential customers, the personal data collected can be processed and used within the scope of the explanations in the customer information text without the need for the customer's consent. However, this use takes place in line with the purpose of the contract. Data is used and, if necessary, updated by contacting customers when necessary for the better execution of the contract and the requirements of the service.
  2. Business and Solution Partner Data
    • Volvo Car Turkey adopts the principle of acting in accordance with the law while sharing data with business and solution partners. Data sharing with business and solution partners takes place only to the extent required by the service and it is mandatory for these parties to take measures to ensure data security.

12. Data Processing for Advertising Purposes

Electronic Commerce Regulation and Regulation on Commercial Communication and Commercial Electronic Messages stipulate that electronic commercial messages can only be sent to individuals who have given their prior consent in compliance with the regulations. The clear presence of the consent of the person to whom the advertisement will be sent is a requirement.

Likewise, Volvo Car Turkey complies with the details of the "consent" as defined by the same legislation. The consent to be obtained should cover all electronic commercial messages sent to the recipient's electronic communication addresses, which aim to promote your company's goods and services, market them, promote your business, or increase recognition with content such as celebration and good wishes. This consent can be obtained in writing, in physical form, or through any electronic communication tool. What matters is the affirmative declaration of the recipient that they accept the sending of commercial electronic messages and that their name, surname, and electronic communication address are available.

13. Data Processing Based on Company's Legal Obligations or Explicit Provisions in the Law

Personal data can be processed without obtaining additional consent when the processing is explicitly specified in the relevant legislation or for the fulfillment of a legal obligation determined by legislation. The type and scope of data processing must be necessary for data processing activities permitted by law and compliant with the relevant legal provisions.

14. Data Processing by the Company

Personal data may be processed by the company in line with the services it provides and its legitimate purposes. However, data must never be used for unlawful purposes.

Our company processes personal data in accordance with the general principles set forth in Article 4 of the Law, ensuring that personal data processing activities are lawful and fair, accurate, up-to-date when necessary, for specific, explicit, and legitimate purposes, relevant, limited, and proportionate to the purposes for which they are processed. Our company retains personal data for the duration required by other applicable regulations or the purpose of personal data processing.

Our company processes personal data based on one or more of the legal grounds specified in Articles 5 and 6 of the Law.

Our company transfers personal data in accordance with Articles 8 and 9 of the Law. When transferring personal data, our company complies with data protection legislation and adheres to the guidelines, documents, statements, and announcements issued by the Personal Data Protection Board.

15. Processing of Special Categories of Data

According to the Law, data related to individuals' race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, dress and clothing, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data, are considered special categories of personal data.

Volvo Car Turkey takes all necessary measures specified by the Board when processing special categories of personal data.

Volvo Car Turkey may process special categories of personal data only with the explicit consent of the individuals concerned for the purposes for which they were collected, to provide better services.

16. Processing of Data through Automated Systems

Regarding data processed through automated systems, Volvo Car Turkey complies with the Law. Information obtained from these data cannot be used against individuals without their explicit consent. However, Volvo Car Turkey can make decisions regarding individuals based on data in its own systems.

17. User Information and the Internet

Individuals are informed about the collection, processing, and use of personal data on Volvo Car Turkey's websites, mobile applications, and other systems or applications, and if necessary, through a privacy notice.

Personal data will be processed in compliance with the law. For more information on the use of cookies, please visit https://www.volvocars.com/tr/v/legal/cerezler.

18. Data Relating to Employees

  1. Processing of Data for Employment Relationship
    • Personal data in employment relationships is processed without obtaining additional consent when it is necessary for the conclusion, execution, and termination of an employment contract. In the case of job candidates, personal data of candidates for whom a decision to hire is made are processed for the conclusion of the employment contract and the initiation of the employment relationship. If a decision is made not to hire a job candidate, the candidate's information is retained for a suitable data retention period for a subsequent selection process and is deleted, destroyed, or anonymized at the end of this period.
  2. Processing Based on Explicit Provisions in the Law and Legal Obligations
    • Volvo Car Turkey may process personal data related to employees without obtaining additional consent where the processing is explicitly specified in the relevant legislation or is needed to fulfill a legal obligation determined by legislation. This is limited to obligations arising from the law.
  3. Processing for Legitimate Interests
    • Personal data related to employees may be processed for legitimate interests of the company without obtaining additional consent when required. Legitimate interests are generally economic interests. Personal data is not processed for legitimate interest purposes when the protection of the interests of the employee is necessary. Before processing, it is determined whether there are interests that need protection. When personal data related to employees is processed based on the legitimate interests of the company, it is examined whether the processing violates any rights that need protection, and it is applied only if it is proportionate.
  4. Processing for the Benefit of Employees
    • Volvo Car Turkey may process personal data of employees without obtaining additional consent for operations that benefit company employees, such as private health insurance. Personal data of employees may also be processed for disputes arising from employment relationships.
  5. Processing of Special Categories of Data
    • Volvo Car Turkey takes all necessary measures specified by the Board when processing special categories of personal data. Special categories of personal data can be processed without the explicit consent of the individual only in cases explicitly allowed by the Law and within the limits of these cases.
  6. Processing of Data through Automated Systems
    • Data processed through automated systems concerning employees can be used in internal promotions and performance evaluations. Employees have the right to object to results that are disadvantageous to them and can exercise this right by following internal company procedures. Employee objections are also evaluated within the company.
  7. Telecommunications and the Internet
    • Computers, phones, email, and other applications provided to employees within the company are for business purposes only. Employees are not allowed to use these tools for personal purposes and all data on these tools can be monitored and controlled by the company. Employees commit not to keep any personal data or information on the computers, phones, or other tools allocated to them from the moment they start working for the company.

19. Limited Processing of Personal Data

According to Article 20/3 of the Constitution, personal data can only be processed with the explicit consent of the individual or in cases provided by law. In fact, Law No. 6698 on the Protection of Personal Data contains a similar but more detailed regulation. Our company processes personal data in accordance with these regulations and based on the data processing conditions specified in Law No. 6698.

Obtaining the explicit consent of the data subject is one of the legal grounds for processing personal data. Besides explicit consent, personal data may be processed if one of the other conditions listed below exists. If processing requires obtaining explicit consent, it cannot be based on other data processing conditions simultaneously. However, in cases where explicit consent is not required, one or more of the other data processing conditions can be relied upon. The following conditions apply when the processed data is special category personal data:

While the legal grounds for processing personal data may vary depending on the company's specific activities, our company always acts in accordance with the general principles set out in Article 4 of Law No. 6698 in all personal data processing activities.

  • Explicit Consent of the Data Subject: One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be based on information and given freely with regard to a specific subject. When personal data is processed based on the legal ground of explicit consent, the explicit consent of the data subjects is obtained.
  • Explicit Provisions in the Law: Personal data can be processed if it is explicitly provided for in the laws.
  • Impossibility of Obtaining Explicit Consent Due to Physical Impossibility: Personal data may be processed when this is necessary to protect the life or bodily integrity of the data subject or another person, where the data subject is unable to give consent due to physical impossibility or the consent of the data subject cannot be validly obtained.
  • Directly Related to the Establishment or Performance of a Contract: Personal data of the parties to a contract can be processed if it is directly related to the establishment or performance of a contract, provided that it is necessary.
  • Fulfillment of a Legal Obligation by the Company: Personal data may be processed if it is mandatory for our company, acting as the data controller, to fulfill its legal obligations.
  • Data Subject's Disclosure of Personal Data: Personal data may be processed if the data subject has made the data publicly available.
  • Necessary for the Establishment, Exercise, or Protection of a Right: When it is necessary to establish, exercise, or protect a right, personal data may be processed.
  • Necessary for the Legitimate Interests of the Company: Personal data may be processed for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the data subject.

20. Transfer of Personal Data Within and Outside the Country

Personal data may be shared with the dominant shareholder, as well as business and solution partners, by Volvo Car Turkey for the purpose of providing the service.

Volvo Car Turkey may transfer personal data to its suppliers, dealers, authorized service providers, and authorized dealers for the limited purpose of providing services necessary for the commercial activities of the company.

Volvo Car Turkey has the authority to transfer personal data abroad in accordance with the conditions determined by the Board, subject to the other conditions specified in the Law, and with the explicit consent of the data subject after informing them. Our company acts in accordance with the regulations stipulated in Article 9 of the Law in this regard.

21. Privacy Principle

Whether for employees or other individuals, data at Volvo Car Turkey is confidential. No one may use, copy, reproduce, or transfer this data to others for any purpose other than compliance with contracts or laws without justification.

22. Transaction Security

All necessary technical and administrative measures are taken by Volvo Car Turkey to protect personal data collected by the company and to prevent them from falling into the hands of unauthorized persons and to prevent our customers and prospective customers from being victimized. Within this framework, software compliance with standards, careful selection of third parties, and compliance with data protection policy within the company are ensured. Security measures are continuously renewed and improved.

23. Audit

Volvo Car Turkey conducts necessary internal and external audits for the protection of personal data.

24. Notification of Breaches

Volvo Car Turkey takes immediate action when notified of any breach related to personal data. It minimizes the damage to the data subject and compensates for the harm. When personal data is acquired by unauthorized individuals from outside, Volvo Car Turkey immediately reports the situation to the Personal Data Protection Board.

Protection and Processing Policy for Sensitive Personal Data

1. Purpose

The purpose of this Protection and Processing Policy for Sensitive Personal Data is to fulfill the legal obligations arising from the Decision on Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data, numbered 2018/10, dated 31/01/2018, by the Personal Data Protection Authority, and to set forth the technical and administrative measures taken in the processing of sensitive personal data.

2. Definitions

ABBREVIATION: DEFINITION

  • Explicit Consent: Consent based on informed and freely given will regarding a specific subject.
  • Destruction: The process of erasing, destroying, or anonymizing personal data.
  • Law: Law on the Protection of Personal Data, numbered 6698.
  • Personal Data: Any kind of information related to an identified or identifiable real person.
  • Anonymization of Personal Data: The process of rendering personal data in such a way that the data subject can no longer be identified, even when matched with other data.
  • Processing of Personal Data: Any operation performed on personal data, whether by fully or partially automatic or by non-automatic means, including collection, recording, storage, retention, alteration, arrangement, disclosure, transfer, acquisition, making available, classification, or use of personal data.
  • Deletion of Personal Data: The process of making personal data inaccessible and unusable for relevant users.
  • Destruction of Personal Data: The process of making personal data inaccessible, irretrievable, and unusable by anyone.
  • Board: Personal Data Protection Board
  • Policy: Protection and Processing Policy for Sensitive Personal Data
  • Company: Volvo Car Turkey Automotive Ltd.
  • Data Owner: A real person whose personal data is processed.
  • Data Controller: A real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

3. Processing of Special Category Personal Data

While processing special category personal data, compliance is ensured with the decision of the Personal Data Protection Authority regarding "Adequate Measures to Be Taken by Data Controllers in the Processing of Special Category Personal Data," numbered 2018/10, dated 31/01/2018.

The following are considered as special category personal data: individuals' race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing, membership in associations, foundations, or unions, health data, sexual life, criminal convictions, and data related to security measures, as well as biometric and genetic data.

The Company complies with the Law and other legislation in the processing of special category personal data. In this regard, special category personal data are processed in accordance with the following principles:

  1. Compliance with the law and fairness
  2. Accuracy and being up-to-date when necessary
  3. Being relevant, limited, and proportionate to the purposes for which they are processed
  4. Being processed for specific, explicit, and legitimate purposes
  5. Being retained for the period required by the relevant legislation or the purpose for which they are processed

Special category personal data, except for data related to health and sexual life, are processed by the Company only if the explicit consent of the data subject is obtained or in cases explicitly stated in the laws.

Data related to health and sexual life are processed with the explicit consent of the data subject or for purposes such as protecting public health, conducting medical diagnosis, treatment and care services, preventive medicine, planning and management of health services, and financing, in accordance with the Regulation on the Processing of Personal Health Data and Ensuring Privacy, published in the Official Gazette dated 20 October 2016 and numbered 29863.

4. Technical and Administrative Measures Taken for the Protection of Special Category Personal Data

The Company takes all necessary measures to ensure that special category personal data are processed in compliance with the Law and relevant legislation and to ensure the security of special category personal data. In this context, the measures taken are as follows:

5. Administrative Measures

  • A separate policy has been established for the systematic, clear, manageable, and sustainable protection and processing of special category personal data.
  • Employees involved in the processing of special category personal data receive training on the protection and processing of special category personal data.
  • Privacy agreements are signed with employees to ensure data security.
  • Users with access rights to data are clearly defined, along with the scope and duration of their authorization, and periodic authorization controls are performed.
  • Access rights of employees undergoing job changes or leaving the company are immediately revoked.

6. Technical Measures

  1. Technical Measures Taken for Special Category Personal Data Stored and/or Accessed in an Electronic Environment
    • Access to special category personal data is provided through cryptographic methods.
    • Cryptographic keys are securely stored in different environments.
    • All actions on special category personal data are securely logged.
    • Security updates for environments where special category personal data is located are continuously monitored, necessary security tests are regularly conducted or commissioned, and test results are recorded.
    • User authorizations for software used to access special category personal data are defined, and security tests for these software applications are regularly conducted or commissioned, and test results are recorded.
    • User authorizations are defined for software that assists in accessing special category personal data.
    • In cases where remote access is provided to special category personal data, a two-factor authentication system is used.
  2. Technical Measures Taken for Special Category Personal Data Stored and/or Accessed in a Physical Environment
    • Adequate security measures are taken depending on the nature of the environment where special category personal data is located.
    • Physical and environmental security measures are taken at facilities and environments where special category personal data is located.
    • Physical security of these environments is ensured, and unauthorized access is prevented.
    • If external services are procured for storing special category personal data due to technical requirements, contracts are concluded with companies to which personal data is lawfully transferred. These contracts include provisions that the recipients of personal data will take necessary security measures and ensure compliance with these measures within their organizations.

7. Transfer of Special Category Personal Data

The Company transfers special category personal data in accordance with the data processing conditions specified in Articles 8 and 9 of the Law. To ensure data security, the following rules are applied during data transfer by the Company, and periodic audits are conducted in this regard:

  • Transfer via Email: When special category personal data is transferred via email, it is sent encrypted, using the corporate email address.
  • Transfer Between Servers in Different Physical Environments: For the transfer of special category personal data between servers in different physical environments, data transfer is carried out using a Virtual Private Network (VPN), sFTP, or SSL-protected API method.
  • Transfer via Physical Documents: If it is necessary to transfer special category personal data in physical format (paper documents), necessary precautions are taken against risks such as theft, loss, or unauthorized access to the documents.

Transfer of special category personal data in physical format is carried out considering privacy classifications, in "confidentiality-level documents" format, and with precautions for physical risks.

8. Storage and Destruction of Special Category Personal Data

Special category personal data is stored by the Company in accordance with the Law, other legislation, and the decision of the Authority regarding Adequate Measures to Be Taken by Data Controllers in the Processing of Special Category Personal Data. It is stored under the following circumstances:

  1. When explicit consent of the data subject is obtained.
  2. When the retention of special category personal data, except for data related to health and sexual life, is required by the laws.
  3. For data related to health and sexual life, when it is necessary for purposes such as protecting public health, preventive medicine, conducting medical diagnosis, treatment and care services, planning and management of health services, and financing.

Special category personal data stored by the Company in compliance with the Law and other legislation will be deleted, destroyed, or anonymized ex officio or upon the request of the data subject under the following circumstances:

  1. When the storage of special category personal data is based on the explicit consent of the data subject, and this consent is subsequently revoked.
  2. When the purpose of storing special category personal data has been fulfilled, becomes impossible to achieve, or in any other way ceases to exist.
  3. When the legal provisions that form the basis for the storage of special category personal data change or are abolished.
  4. When all processing conditions specified in Article 6 of the Law no longer exist.
  5. When the data subject's request for the deletion of their special category personal data, submitted to the Company in accordance with the relevant procedures, is considered justified and is approved.
  6. When the Company rejects the data subject's request for the destruction of special category personal data, its response is found inadequate, or it does not respond within the period specified in the Law, and the matter is reported to the Authority, and the Authority deems this request appropriate.

Other matters related to the storage and destruction of special category personal data are regulated in the Company's Personal Data Storage and Destruction Policy.