ÇÖZÜMTEK BİLGİ TEKNOLOJİLERİ A.Ş.
PRIVACY POLICY
Table of Contents
PURPOSE OF PREPARATION OF THE POLICY.. 2
DEFINITIONS.2
PRINCIPLES FOR PROCESSING PERSONAL DATA.. 4
DATA SUBJECTS.. 6
METHODS FOR COLLECTING PERSONAL DATA.. 6
PURPOSES OF PROCESSING PERSONAL DATA.. 7
PRIVACY POLICY FOR SENSITIVE DATA .. 6
SPECIAL CATEGORIES OF PERSONAL DATA..9
OBLIGATION TO INFORM… 10
RIGHTS OF THE DATA SUBJECT.. 11
METHOD OF EXERCISING THE RIGHTS OF THE DATA SUBJECT..12
CONTACT INFORMATION..13
MEASURES FOR THE PROTECTION OF PERSONAL DATA.. 13
Technical Measures. 13
Organizational Measures 13
STORAGE OF PERSONAL DATA 15
TRANSFER OF PERSONAL DATA 15
INTERNATIONAL TRANSFER OF PERSONAL DATA 16
VALIDITY.. 117
1. PURPOSE OF PREPARATION OF THE POLICY
As the Data Controller, Çözümtek Bilgi Teknolojileri A.Ş., located at Kozyatağı, Özce Center İş Merkezi İçerenköy Mah. Çayır Cad. No:3 Kat: 8, 34752 Ataşehir, aims to fully comply with the requirements of the relevant legislation and to establish a data protection and processing policy at international standards with the awareness of the importance of the privacy and security of personal data obtained under the personal data protection legislation.
This Personal Data Protection Policy (“Policy”) of our Company sets forth the principles of legality, transparency, and honesty adopted by the Company in the protection and processing of personal data. The Policy also provides information about the purposes for which the Company processes personal data, the method of collecting personal data, the legal reason and purpose for processing, the persons to whom the data may be transferred, and the rights and application methods of the data subjects.
2. DEFINITIONS
| Anonymization | : | The process by which personal data can no longer be associated with an identifiable or identified individual, even when matched with other data. |
| Clarification Text | : | Information provided to the data subject regarding the purpose, duration, method, storage, and sharing of personal data with third parties. |
| Inventory | : | A detailed record created by data controllers linking personal data processing activities to business processes, including the purpose, category, recipient group, and data subject group, maximum retention period, foreign transfers, and security measures taken. |
| Data Subject | : | The natural person whose personal data is processed. |
| Destruction | : | The deletion, destruction, or anonymization of personal data. |
| Processing | : | Any operation performed on personal data as defined in the personal data protection legislation, including recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data. |
| Personal Data | : | Any information relating to an identified or identifiable natural person, such as name, identity number, email, address, date of birth, bank account number, etc. Information related to legal entities is not within the scope of the personal data protection legislation. |
| Personal Data Processing | : | The total or partial automated processing of personal data or any operation performed on personal data within a data recording system, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data. |
| Special Categories of Personal Data | Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health, sex life, criminal convictions, and security measures, as well as biometric and genetic data. | |
| VERBIS | : | The information system accessible online, created and managed by the authorized institution, used for applications to the relevant authority by data controllers and related transactions. |
| Data Processor | : | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
| Data Controller | : | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Data Controllers Registry | : | The Data Controllers Registry maintained by the authorized institution. |
| Data Controller Contact Person | : | The natural person notified to the relevant authority during the registration of data controllers and the representatives of data controllers for communication purposes with the relavant authority concerning the obligations within the scope of relevant regulation. |
| Deletion | : | The process of making personal data inaccessible and unusable for relevant users in any way. |
| Destruction | : | The process of making personal data completely inaccessible, irretrievable, and unusable by anyone. |
3. PRINCIPLES FOR PROCESSING PERSONAL DATA
Our company ensures compliance with the general principles and conditions specified in the legislation regarding the protection and processing of personal data and ensures that personal data are processed in accordance with the personal data protection legislation by adhering to the following principles:
3.1. The Prohibition of Processing Personal Data as a Rule
Our Company processes personal data only within the limits provided by the legislation, based on the following reasons, recognizing that processing personal data is generally prohibited:
- Existence of Explicit Consent of the Data Subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be given for a specific issue, based on information, and with free will. Data is processed within the scope of the explicit consent and for the purposes stated in the explicit consent. As a rule, the explicit consent of the data subject is not required if the conditions listed in subparagraphs b, c, d, e, f, g, and h of this article exist.
- Clearly Provided by Laws
If it is explicitly provided by law, personal data of the data subject are processed in accordance with the law. When data processing is permitted by the law, data are processed limited to the reason and data categories specified in the relevant legislation.
- Failure to Obtain the Explicit Consent of the Data Subject Due to Actual Impossibility
If it is necessary to process personal data to protect the life or physical integrity of the data subject or another person who is unable to give consent due to actual impossibility or whose consent cannot be validated, personal data of the data subject can be processed.
- Being Directly Related to the Establishment or Performance of a Contract
If it is necessary to process the personal data of the parties to the contract provided that the data processing is directly related to the establishment or performance of a contract (provided that the person whose data will be processed based on the establishment or performance of the contract is one of the parties to the contract), personal data can be processed.
- Fulfillment of a Legal Obligation
If data processing is necessary for the Company to fulfill its legal obligations, the personal data of the data subject can be processed.
- Public Disclosure of Personal Data by the Data Subject
If the data subject has made their personal data public, the relevant personal data may be processed limited to the purpose of public disclosure.
- Necessity of Data Processing for the Establishment or Protection of a Right
If data processing is necessary for the establishment, exercise, or protection of a right, the personal data of the data subject may be processed.
- Necessity of Data Processing for Legitimate Interests
Provided that it does not harm the fundamental rights and freedoms of the data subject, the personal data of the data subject may be processed if data processing is necessary for the legitimate interests of our Company.
If the processed data are defined as special categories of personal data under the personal data protection legislation and if the explicit consent of the data subject is not available, personal data can only be processed in the following cases, provided that adequate measures to be determined by the relevant regulation are taken:
3.2. Compliance with the Relevant Regulation and the Principle of Honesty
Our Company processes personal data in accordance with the law and the principle of honesty as per the personal data protection legislation, aiming to balance conflicting interests by considering “legitimate interests”. Transparency and honesty are essential in informing the data subjects, providing clear information about the purpose of use of the collected personal data, and processing the data accordingly.
3.3. Being Connected with, Limited to and Proportional to the Purpose
Our Company determines the purposes for which it will process the data of the relevant person in line with their explicit consent. In this context, it avoids processing personal data that is not related to or necessary for the processing purpose, and it collects the minimum amount of data required during data processing activities.
3.4. Ensuring the Accuracy and Updating of Personal Data when Necessary
Our Company ensures the accuracy of the personal data it processes, relying on the declarations of the relevant person and obtaining confirmation of its up-to-dateness when necessary.
3.5. Processing Personal Data for Specific, Explicit, and Legitimate Purposes
Our Company collects and processes personal data for legitimate and lawful reasons. It processes personal data in connection with its activities, within a reasonable framework, and to the extent necessary, and retains it for the period required by the relevant legislation or for the purpose for which it is processed.
3.6. Data Security Principle
Our Company is aware that data security is not limited to legal methods and that technology-supported methods are also essential. In this context, it endeavors to take all necessary measures to ensure data security.
4. DATA SUBJECTS
The Data Subject is defined by the personal data protection legislation as the person whose personal data is obtained. Within the scope of our Company’s activities, the personal data of the persons listed below are obtained and processed in accordance with the relevant legislation:
- Employee Candidate
- Employee
- Foreign Employee
- Individual Receiving Products or Services
- Supplier Representative
- Potential Product or Service Recipient
- Intern
- Visitor
5. METHODS FOR COLLECTING PERSONAL DATA
The personal data of the relevant persons listed in Article 4 of this Policy can be collected by our Company verbally, in writing, or electronically through automated or non-automated methods and similar means. In this context, the channels for obtaining personal data are provided below:
| Data Collection Method |
| Physically (in person) |
| Written Form |
| Written |
| Applications |
| Phone |
| Company Website |
| Electronic Form (in-house application screen) |
| Zoom, Teams etc. Applications |
| Cameras |
| GPS Tracking App |
| Kariyer.net |
| Internet |
| CRM |
| Company Applications – CRM |
6. PURPOSES OF PROCESSING PERSONAL DATA
In accordance with the personal data protection legislation, the purposes of processing are detailed in the disclosures prepared for the relevant persons and activities. However, in general terms, the purposes for which personal data are processed in our Company are as follows:
| Purpose of Processing |
| Execution of Application Processes for Employee Candidates |
| Execution of Employee Candidate/Intern/Student Selection and Placement Processes |
| Execution of Communication Activities |
| Planning of Human Resources Processes |
| Execution of Side Rights And Benefits Processes For Employees |
| Fulfillment of Employment Contracts and Statutory Obligations for Employees |
| Execution of Retention and Archiving Activities |
| Execution of Activities in Compliance with Legislation |
| Providing Information to Authorized Persons, Institutions, and Organizations |
| Execution of Occupational Health and Safety Activities |
| Execution of Emergency Management Processes |
| Execution of Employee Satisfaction and Engagement Processes |
| Execution of Finance and Accounting Activities |
| Execution of Contract Processes |
| Execution of Goods/Services Sales Processes |
| Execution of Access Authorization Processes |
| Execution of Information Security Processes |
| Ensuring the Security of Movable Property and Resources |
| Ensuring the Security of Data Controller Operations |
| Tracking of Requests/Complaints |
| Execution of Activities Aimed at Customer Satisfaction |
| Execution/Auditing of Business Activities |
| Execution of Marketing Processes for Products/Services |
| Execution of Advertising/Campaign/Promotion Processes |
| Execution of Business Continuity Activities |
| Organization and Event Management |
| Execution of Marketing Analysis Activities |
| Execution of After-Sales Support Services for Goods/Services |
| Execution of Customer Relationship Management Processes |
| Execution of Loyalty Processes for Company/Products/Services |
| Ensuring the Security of Physical Premises |
7. SPECIAL CATEGORIES OF PERSONAL DATA
In accordance with the personal data protection legislation, special categories of personal data are protected by our Company based on special security measures. In this context, a Special Categories of Personal Data Policy has been prepared and implemented in our Company.
The principles adopted by our company for the protection and processing of sensitive personal data are established in accordance with the principles of legality, integrity, and transparency. An Access Authorization Matrix has been prepared to ensure the security of sensitive data within our company and to authorize access to the platforms where this data is processed.
8. OBLIGATION TO INFORM
Within the scope of the personal data protection legislation, data subjects must be informed before or at the latest during the acquisition of personal data. Within the framework of this obligation to inform, the following information should be provided to data subjects:
- The identity of the data controller and, if any, its representative,
- The purpose for which personal data will be processed,
- To whom and for what purpose the processed personal data can be transferred,
- The method of personal data collection and its legal basis,
- Other rights specified in the personal data protection legislation.
In order to fulfill the obligation to inform, our company has prepared information notices to be presented to data subjects, based on the processes and individuals whose data are processed. Following the presentation of the information notices to data subjects, explicit consent declarations have been prepared for data processing activities and data categories that require the explicit consent of the data subject for our company to carry out its commercial activities.
Our company is not subject to the obligation to inform under the personal data protection legislation in the following cases:
- Processing of personal data within the scope of activities related to real persons or family members living in the same household, provided that they are not transferred to third parties and provided that the obligations regarding data security are complied with,
- Processing of personal data for research, planning, and statistical purposes by anonymizing personal data with official statistics,
- Processing of personal data for artistic, historical, literary, or scientific purposes or for the purpose of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights, or constitute a crime,
- Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities aimed at ensuring national defense, national security, public security, public order, or economic security,
- Processing of personal data by judicial authorities or enforcement authorities for investigation, prosecution, trial, or execution processes.
Within the framework of the personal data protection legislation, the obligation to inform will not be applicable in the following cases:
- Processing of personal data for the prevention of crime or for the investigation of crime,
- Processing of personal data that has been made public by the data subject,
- Processing of personal data by public institutions and organizations authorized and authorized by law, or by professional organizations that have the characteristics of public institutions, for the conduct of supervisory or regulatory duties or for the conduct of disciplinary investigations or prosecutions,
- Processing of personal data for the protection of the State’s economic and financial interests regarding budget, tax, and financial matters.
9. RIGHTS OF THE DATA SUBJECT
In accordance with the personal data protection legislation, everyone has the right to apply to our Company, which is the data controller, regarding the following matters:
(1) Everyone, by applying to the data controller, has the right to:
a) Learn whether personal data is being processed,
b) Request information if personal data has been processed,
c) Learn the purpose of processing personal data and whether they are used appropriately for their purpose,
d) Know the third parties to whom personal data is transferred, whether domestically or abroad,
e) Request the correction of personal data if it is incomplete or incorrectly processed,
f) Request the deletion or destruction of personal data within the framework of the personal data protection legislation,
g) Object to the occurrence of a result against oneself by means of analysis of processed data exclusively through automated systems,
h) Request compensation for damages in case of damage due to the unlawful processing of personal data.
10. METHOD OF EXERCISING THE RIGHTS OF THE DATA SUBJECT
In accordance with the the personal data protection legislation, applications regarding these rights to be made to our company as the data controller must be submitted in writing or through other methods determined by the relevant regulation.
The data subject, may apply:
- In writing,
- Using a secure electronic signature,
- Using a Registered Electronic Mail address,
- Using a mobile signature,
- Sending from the e-mail address previously notified by the data subject and registered in the system of the data controller.
For a request, the following information must be provided:
- Name, surname, and signature if the request is in writing,
- For citizens of the Republic of Turkey, identity number, for foreigners, nationality, passport number, or if any, identification number,
- Residential or workplace address for notification,
- If any, electronic mail address, telephone and fax number for notification,
- Subject of the request.
If there is relevant information and documentation available, they should be attached to the application.
In written applications, the date on which the document is served to the data controller or its representative will be considered the application date.
For applications made through other methods, the date on which the application reaches the data controller will be considered the application date.
Requests will be processed and responded to within the shortest time possible and no later than thirty days, free of charge, depending on the nature of the request. However, if the process requires additional costs, a fee may be charged according to the tariff determined by the relevant regulation.
Applications must be made by the data subject themselves. An application on behalf of another person can only be made with a power of attorney, provided that it meets the criteria for requesting information under the personal data protection legislation. If our company has doubts about the identity of the applicant, verification information may be requested from the relevant person.
11. CONTACT INFORMATION
Title: Çözümtek Bilgi Teknolojileri A.Ş.
Address: Kozyatağı, Özce Center İş Merkezi İçerenköy Mah. Çayır Cad. No:3 Kat: 8, 34752 Ataşehir
Contact Link: https://cozumtek.com/en/relevant-person-application-procedure/[A1]
Email Address: kvkk@cozumtek.com
KEP Address: cozumtekbilgi@hs06.kep.tr
12. MEASURES FOR THE PROTECTION OF PERSONAL DATA
In accordance with the personal data protection legislation, our Company takes necessary administrative and technical measures and performs or ensures necessary audits to prevent the unlawful processing or access to personal data processed by our Company and to ensure the secure storage of personal data. While measures appropriate to the nature of personal data are taken, sensitive personal data are protected with stricter security measures.
1. Technical Measures
| Measure |
| Network security and application security are ensured. |
| Closed system (VPN) network is used for personal data transfers through the network. |
| Asymmetric encryption, cryptography and similar key management methods are applied. |
| Security measures are taken within the scope of procurement, development and maintenance of information technology systems. |
| The security of personal data stored in the cloud is ensured. |
| Access logs are kept regularly. |
| Up-to-date anti-virus systems are used. |
| User account management and authorization control system are implemented and monitored. |
| Intrusion detection and prevention systems are used. |
| Penetration test is applied. |
| Cyber security measures have been taken and their implementation is constantly monitored. |
| Encryption is used when accessing computers, applications, servers and similar information technology systems. |
| Data loss prevention software (DLP – Data Loss Prevention) is used. |
| Firewalls (Firewall etc.) are used. |
| Personal data is backed up and backups are also secured. |
| Awareness was raised among employees on Information Security policies and trainings were provided. |
| There is a two-stage verification, SMS confirmation and similar process to ensure the accuracy and timeliness of the processed data. |
2. Organizational Measures
| Measure |
| Personal data security is monitored. |
| Internal periodic and/or random audits are conducted. |
| Employees who are reassigned or leave their jobs are de-authorized in this area. |
| Necessary security measures are taken regarding entry and exit to physical environments containing personal data. |
| Data processing service providers are periodically audited on data security. |
| Personal Data Inventory was prepared. |
13. STORAGE OF PERSONAL DATA
Personal data obtained by our Company is securely stored physically or electronically within an appropriate timeframe to fulfill our Company’s commercial activities. Within the scope of these activities, our Company acts in compliance with the personal data protection legislation. In the event of deletion of personal data through these methods, such data will be permanently destroyed and rendered irretrievable. However, in cases where there is a legitimate interest of the data controller, personal data may be stored until the expiration of the general statute of limitations regulated in the relevant regulation even after the processing purpose has ended and the specified periods in the relevant laws have expired, provided that it does not harm the fundamental rights and freedoms of the data subjects.
In accordance with the relevant legislation, except for exceptional cases where personal data are allowed or obliged to be stored for a longer period, personal data will be deleted, destroyed, or anonymized by our Company upon the request of the data subjects through the data subject application form available on our website or through other technical means.
You can find the conditions and periods related to storage, destruction, and anonymization in our Storage and Destruction Policy, created in accordance with the relevant legislation.
14. TRANSFER OF PERSONAL DATA
Our Company carefully complies with the conditions regulated in the personal data protection legislation regarding the sharing of personal data with third parties, subject to the provisions of other laws.
In this context, personal data is not transferred to third parties by our Company without the explicit consent of the data subject. However, personal data may be transferred by our Company without obtaining the explicit consent of the data subject in the presence of one of the following conditions regulated by the personal data protection legislation:
- Explicitly prescribed by laws,
- Necessary for the protection of life or bodily integrity of the data subject or another person who is unable to disclose his/her consent due to physical impossibility or whose consent is not legally valid,
- Necessary for the conclusion or performance of a contract, provided that it is directly related to the parties of the contract,
- Necessary for the fulfillment of the legal obligations of the data controller,
- Already made public by the data subject,
- Necessary for the establishment, exercise, or protection of a right,
- Necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Personal data, within the scope of the processing conditions and purposes specified in the personal data protection legislation, is processed by relevant units of our Company and shared with the following parties for our Company to sustain its commercial existence and achieve the purposes mentioned above:
| Buyer Group | 3rd Party | Transfer Purpose |
| Natural Persons or Private Law Legal Entities | Certified Public Accountant, joint Health and Safety Unit, Insurance Brokerage, Related Customer, Manufacturer, Law Firm | Execution of Finance and Accounting Activities, Execution/Auditing of Business Activities, Execution of Occupational Health and Safety Activities, Execution of Customer Relationship Management Processes, Execution of Contract Processes, Monitoring and Execution of Legal Affairs |
| Suppliers | Consulting Firm, Insurance Firms, Bank, Archive Company, Payment Processing Company, Leasing Company, Oil and Gas Company, Telecommunications Company, Related News Channel, Consulting and Technology Solutions Company, Supplier Company | Execution of Finance and Accounting Activities, Fulfillment of Employment Contracts and Statutory Obligations for Employees, Execution of Processes for Employee Benefits and Entitlements, Execution of Contract Processes, Execution of Marketing Analysis Activities, Execution of Marketing Processes for Products/Services, Execution of Supply Chain Management Processes |
| Official Public Institutions and Organizations | Authorized Institutions and Organizations | Providing Information to Authorized Persons, Institutions, and Organizations |
15. INTERNATIONAL TRANSFER OF PERSONAL DATA
In accordance with the personal data protection legislation, explicit consent of the data subject is required for the transfer of personal data abroad. However, personal data, including sensitive personal data, may be transferred abroad by our Company without the explicit consent of the data subject if the conditions allowing the processing of personal data without the explicit consent of the data subject are present, provided that adequate protection exists in the country to which the personal data will be transferred.
If the country to which the transfer will be made is not determined among the countries where adequate protection is recognized, our Company will obtain permission by applying to the relevant authority, providing written assurances of adequate protection both by our Company and the data controller/data processor in the relevant country.
16. VALIDITY
This Policy entered into force on 2024. Updates to the Policy, either in whole or in part, will take effect upon their publication. The Policy is published on our https://cozumtek.com/en/personal-data-protection-policy/ website in its most current version.
In case of any inconsistency between the personal data protection legislation and this Policy, the provisions of the personal data protection legislation will prevail.