1 Introduction As Vodatech, we are sensitive to the security of personal data and it is one of our priorities to process, store and protect all kinds of personal data belonging to all persons associated with our Company in accordance with the Personal Data Protection Law No. 6698 (“PDPL” and “Law”). With this “Personal Data Protection and Processing Policy” (“Policy”), the basic principles and principles adopted by Vodatech during the protection and processing of personal data are regulated and made sustainable by being implemented as Company policy”
“1.2 Objective The purpose of this Policy is to determine the procedures and principles regarding the processing, protection and storage of personal data carried out by Vodatech in accordance with the legal legislation underlying this Policy and to inform the natural persons whose data are processed by Vodatech.”
1.3 Scope This Policy relates to all personal data of our customers, employees, employee candidates, interns, supplier employees, company officials, visitors, business contacts (officials, shareholders and employees of suppliers, designers, manufacturers and similar organizations with which we have business relations), and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system. In this context, all of this Policy may be applied to the relevant groups of persons mentioned above, or only some of its provisions may be applied.”
1.4 Definitions The definitions used in the implementation of this Policy are given below: For definitions not included in this Policy, the definitions in the Law shall apply.
2 GENERAL ISSUES REGARDING THE PROCESSING OF PERSONAL DATA Vodatech, while carrying out personal data processing activities General principles Personal data processing conditions It acts in accordance with the special categories of personal data processing conditions.”
2.1 Processing of Personal Data in Compliance with General Principles
2.1.1 Processing in Compliance with the Law and the Rule of HonestyVodatech; acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company carries out its personal data processing activities in accordance with the law, honesty rules and transparently
2.1.2 Ensuring that Personal Data is Accurate and Up-to-Date When NecessaryVodatech; It makes the maximum effort to ensure that the personal data it processes is kept accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. In this direction, it takes the necessary administrative and technical measures and provides opportunities for personal data owners to correct their personal data and confirm their accuracy
2.1.3 Processing Personal Data for Specific, Clear and Legitimate PurposesVodatech clearly and precisely determines the purpose of personal data processing and conducts data processing activities within clear, legitimate and lawful purposes.
2 .1.4 Personal Data Being Relevant, Limited and Proportionate to the Purpose for Which They are ProcessedVodatech processes personal data in connection with the purposes of data processing and to the extent required by these purposes. It avoids the processing of personal data that is not related to the purpose of data processing or is not needed.
2.1.5 Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are ProcessedVodatech retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, it first determines whether a period is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if a period is not determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed or anonymized by us in the event that the period expires or the reasons requiring their processing disappear. Detailed information on this subject is provided within the scope of Vodatech Teknoloji Hizmetleri ve Ticaret Anonim Şirketi Personal Data Retention and Destruction Policy.
2.2 Processing of Personal Data in Accordance with the Processing ConditionsVodatech carries out personal data processing activities in accordance with the data processing conditions set forth in the personal data protection legislation. In this context; personal data processing activities are carried out only in the presence of the following data processing conditions:
2.2.1 Obtaining Explicit ConsentPursuant to the Law, personal data cannot be processed without the explicit consent of the person concerned. In order for Vodatech to carry out personal data processing activities, it is required that the person concerned gives explicit consent to the processing of data about him/her “freely, with sufficient information on the subject, with clarity that will not leave room for hesitation and limited to the purpose of data processing”.
2.2.2 Exceptional Circumstances Where Explicit Consent is Not Required in the Processing of Personal Data “Vodatech may process personal data without explicit consent in the presence of one of the following conditions in the Law: i. Explicitly Stipulated by Law The personal data of the data subject may be processed in accordance with the law, limited to the relevant legal regulation, if expressly stipulated in the law. ii.Failure to Obtain the Explicit Consent of the Data Subject Due to Actual Impossibility and Obligation to Process Personal Data Personal data may be processed without explicit consent if it is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid. For example, in cases where the person’s explicit consent cannot be obtained due to unconsciousness, the personal data of the person concerned may be processed during medical intervention for the protection of life or physical integrity iii. The Personal Data Processing Activity is Directly Related to the Establishment or Execution of the Contract Provided that it is directly related to the establishment or performance of a contract, personal data may be processed if it is necessary to process personal data of the parties to the contract iv.Personal Data Processing is Mandatory for Vodatech to Fulfill its Legal Obligation Vodatech may process the personal data of the person concerned if it is mandatory to fulfill its legal obligation. v. Publicization of Personal Data by the Data Subject Personal data made public by the data subject himself/herself, in other words, personal data disclosed to the public in any way, may be processed without explicit consent. vi. Data Processing is Mandatory for the Establishment, Exercise or Protection of a Right If data processing is mandatory for the establishment, use or protection of a right, personal data may be processed without seeking explicit consent. vii. Processing of Personal Data is Mandatory for Vodatech’s Legitimate Interests Provided that it does not harm the fundamental rights and freedoms of the person concerned, personal data may be processed without the requirement of explicit consent if data processing is mandatory for the legitimate interests of Vodatech.” ”
2.3 Processing of Sensitive Personal Data in Compliance with the Processing ConditionsSensitive personal data may only be processed with the explicit consent of the data subject. However, special categories of personal data other than sexual life and personal health data may be processed without the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life can only be processed without explicit consent for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. Therefore, until otherwise stipulated by the Law, personal health data can only be processed within the scope of explicit consent or by the Company physician who is under the obligation of confidentiality. Vodatech takes the measures determined by the Board regarding the processing and protection of sensitive personal data. Vodatech shows utmost sensitivity to the protection and security of sensitive personal data, and the technical and administrative measures taken regarding the protection of sensitive personal data are carefully implemented and necessary audits are carried out within Vodatech.
2.4 Processing of Personal Data in accordance with the Transfer ConditionsVodatech may transfer the personal and sensitive personal data of the person concerned to third parties in line with the purposes of personal data processing and with explicit consent, if any, or by taking necessary security measures limited to legal reasons. In this context, Vodatech acts in accordance with the personal data transfer conditions stipulated in Articles 8 and 9 of the Law.
2.4.1 Domestic Transfer of Personal DataVodatech carries out domestic data transfer activities in accordance with Article 8 of the Law in accordance with the data processing conditions.
2.4.2 Transfer of Personal Data Abroad In accordance with Article 9 of the Law, Vodatech carries out data transfer activities abroad in accordance with the data processing conditions (See Vodatech Personal Data Protection and Processing Policy – Part Two, Articles
2.1, 2.2 and 2.3). In cases where personal data is transferred without obtaining explicit consent in accordance with the Law, one of the following conditions must also exist in terms of the foreign country to which it will be transferred: The foreign country to which the personal data is transferred is in the status of countries with adequate protection by the Board, In the absence of adequate protection, the data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and obtain permission from the Board”
2.4.3 Recipient Groups to which Personal Data is TransferredVodatech, in accordance with Articles 8 and 9 of the Law, transfers the personal data of data subjects to business partners, suppliers, banks and financial institutions, law, tax, etc. that provide services to Vodatech. In accordance with Articles 9 and 9, Vodatech may transfer the personal data of data subjects to its business partners, suppliers, banks and financial institutions, banks and financial institutions, consultancy and audit firms that provide services to Vodatech, Company officials, shareholders, legally authorized public institutions and private persons, domestic and / or foreign service providers that process personal data on behalf of the Company in the fields of storage, archiving, information technology support (server, hosting, software, cloud computing, etc.) in order to continue its commercial activities and business processes. The classification of the recipient groups to which personal data is transferred is included in Section 3 of this Policy. In case of personal data transfer, Vivense ensures that third parties to whom it transfers personal data also comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with the third party and technical measures are taken.
3 CATEGORIES OF PERSONAL DATA PROCESSED BY Vodatech, PURPOSES OF PROCESSING AND TRANSFER, RECIPIENT GROUPS TO WHICH TRANSFER IS MADE
3.1 Categories of Personal DataThe categories and descriptions of personal data processed within the scope of personal data processing activities carried out by Vodatech are set out below:
3. 2 Categories of Relevant PersonsThe following includes the definitions and explanations of our employees, employee candidates, customers, business contacts (officials, shareholders and employees of the institutions with which we have suppliers and similar business relations) and third parties within the scope of this Policy.Categories of Relevant Persons Description Employees are real persons who have a working relationship with our Company. Employee Candidates Real persons who have applied for a job to our Company by any means and submitted their CV and/or job application form and related information to our Company for review Interns Real persons who are doing their voluntary or compulsory internship within our Company. Customers Real persons who use or have used the products and services offered by our Company. Company Officials Real persons who are in the senior management of Vodatech and/or authorized to represent Vodatech and real person representatives of legal entities. Board members and shareholders are considered within this scope. Supplier Authorized and Employees Real persons with whom our Company has a service relationship while carrying out its activities and real person representatives of legal entity suppliers and all real persons working within this supplier. Other Third Parties Other real persons who do not fall into any category of data subjects.
3.3 Classification of Personal Data Processed by Vodatech According to Data SubjectsIn the table below, the categories of personal data subjects mentioned above and the categories of personal data within the scope of the processing activity are matched and detailed:
3.4 Purposes of Processing Personal Data “Vodatech carries out its personal data processing activity in line with the following purposes. Personal data processing purposes have been clearly and in detail determined on the basis of each business unit and process by associating business processes and personal data categories and recorded in the Vodatech Personal Data Inventory. Execution of Information Security Processes Execution of Employee Candidate / Intern / Student Selection and Placement Processes Execution of Employee Candidate Application Processes Execution of Employee Satisfaction and Loyalty Processes Fulfillment of Employment Contract and Regulatory Obligations for Employees Execution of Employee Benefits and Benefits Processes Conducting Audit / Ethics Activities Conducting Training Activities Execution of Access Authorizations Execution of Activities in Compliance with the Legislation Execution of Finance and Accounting Affairs Execution of Company / Product / Service Loyalty Processes Ensuring Physical Space Security Execution of Assignment Processes Monitoring and Execution of Legal Affairs Conducting Internal Audit / Investigation / Intelligence Activities Execution of Communication Activities Planning Human Resources Processes Execution / Supervision of Business Activities Execution of Occupational Health / Safety Activities Receiving and Evaluating Suggestions for Improvement of Business Processes Execution of Business Continuity Ensuring Activities Execution of Goods / Service Procurement Processes Execution of Goods / Services After Sales Support Services Execution of Goods / Service Sales Processes Execution of Goods / Services Production and Operation Processes Execution of Customer Relationship Management Processes Execution of Activities for Customer Satisfaction Organization and Event Management Conducting Marketing Analysis Studies Execution of Performance Evaluation Processes Execution of Advertising / Campaign / Promotion Processes Execution of Storage and Archive Activities Execution of Contract Processes Execution of Strategic Planning Activities Tracking Requests / Complaints Ensuring the Security of Movable Property and Resources Execution of Supply Chain Management Processes Execution of Wage Policy Execution of Marketing Processes of Products / Services Ensuring the Security of Data Controller Operations Execution of Investment Processes Providing Information to Authorized Persons, Institutions and Organizations” ”
3.5 Methods and Reasons for Collecting Personal Data Vodatech collects personal data of relevant individuals through the following methods: Via Vodatech’s website and platforms, various social media channels, emails, short messages (“SMS”), or multimedia messages (“MMS”) used within the scope of Vivense sales and marketing activities, Through printed and electronic forms, as well as other communication methods, Through contracts, policies, commercial offers, printed and electronic forms, documents, and correspondences signed within the scope of Vodatech’s business activities, Through business meetings, using collected business cards and other related documents, Through third parties such as Vodatech’s business partners, or firms from which services/products are procured; verbally, in writing, or electronically, using various methods, either fully or partially automated or by non-automated methods as part of a data recording system. The personal data collected through these methods are stored in compliance with the data processing conditions outlined in Section 2 of this Policy and for the purposes listed above, in accordance with the mandatory retention periods required by the Personal Data Protection Law (KVKK) and other relevant legislation, while taking all necessary administrative and technical measures.” ”
4. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA In accordance with Article 12 of the Law, Vodatech takes the necessary technical and administrative measures to the extent possible and according to the nature of the data to ensure an appropriate level of security to prevent the unlawful processing of personal data, unlawful access to personal data, and to ensure the safeguarding of personal data. Within this scope, necessary audits are conducted or commissioned.
4.1 Ensuring the Security of Personal Data
4.1.1 Technical Measures The primary technical measures taken to prevent the unlawful processing of personal data, prevent unlawful access to data, and ensure the safeguarding of data are listed below: Network security and application security are ensured. A closed network system is used for transferring personal data via the network. Security measures are implemented within the scope of procurement, development, and maintenance of information technology systems. Access logs are maintained regularly. Data masking measures are applied when necessary. Up-to-date antivirus systems are used. Firewalls are utilized. Signed contracts include data security provisions. Additional security measures are taken for personal data transferred via paper, and such documents are sent in a classified format. Personal data security issues are promptly reported. Monitoring of personal data security is conducted. Necessary security measures are implemented for physical environments containing personal data. Security against external risks (e.g., fire, flood) is ensured for physical environments containing personal data. The security of environments containing personal data is ensured. Personal data is backed up, and the security of the backups is also ensured. User account management and authorization control systems are implemented and monitored. Log records are maintained in a manner that prevents user interference. Existing risks and threats are identified. Special categories of personal data sent via email are encrypted and transmitted using KEP (Registered Electronic Mail) or corporate email accounts. Secure encryption/cryptographic keys are used for special categories of personal data and managed by separate units. Intrusion detection and prevention systems are utilized. Penetration tests are conducted. Cybersecurity measures are taken and continuously monitored. Encryption is applied. Special categories of personal data transferred via portable devices such as USBs, CDs, and DVDs are encrypted. Data loss prevention software is used. ” ”
4.1.2 Administrative Measures The primary administrative measures taken to prevent the unlawful processing of personal data, prevent unlawful access to data, and ensure the safeguarding of data are listed below: Training sessions are provided to enhance employee qualifications, including the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, ensuring the safeguarding of personal data, communication techniques, technical skills, and awareness of relevant legislation. Additional protocols have been prepared and implemented for cases where data transfer is required for Vodatech’s activities. Vodatech fulfills its obligation to inform relevant individuals before starting any personal data processing. A personal data processing inventory has been prepared. Compliance efforts with the principle of data minimization have been carried out during the KVKK compliance process. A Personal Data Protection Committee has been established to ensure compliance with the Law and maintain its continuity, and the group has been trained accordingly. Internal policies and procedures regarding the Retention and Disposal of Personal Data and the Protection of Special Categories of Personal Data have been prepared and implemented. Service providers processing data are made aware of data security. Confidentiality agreements are executed. An authorization matrix has been established for employees. The authorizations of employees undergoing role changes or leaving the organization are revoked. ” ”
4.1.3 Monitoring Measures Taken for the Protection of Personal Data Vodatech conducts or ensures the conduct of necessary inspections within its organization in accordance with the Law. The results of these inspections are reported to the Personal Data Protection Committee, senior management, and the relevant department within the scope of the Company’s internal processes. Actions are planned based on these results, and the implementation of measures to improve the safeguards is monitored and carried out by the respective process owners and the Personal Data Protection Committee.
4.1.4 Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data In the event that personal data is obtained or disclosed by unauthorized means, Vodatech will notify the relevant data subject at the earliest opportunity and report the incident to the Board within 72 hours from the date of detection.
4.2 Protection of Special Categories of Personal Data The Law assigns special importance to certain categories of personal data due to their potential to cause harm and/or discrimination when processed unlawfully. These data include information regarding race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data. Vodatech demonstrates utmost sensitivity in safeguarding special categories of personal data, which are designated as “”special categories”” under the Law, and ensures their protection in compliance with legal requirements. Vodatech has prepared a dedicated Policy for the Processing and Protection of Special Categories of Personal Data and conducts necessary audits within the Company to ensure compliance.
4.3 Protection of the Rights of Data Subjects Vodatech observes all legal rights of personal data owners under the Policy and the Law and takes all necessary measures to ensure the protection of these rights. Detailed information on the rights of personal data owners is provided in Section 5 of this Policy.
5 RIGHTS OF DATA SUBJECTS AND PROCEDURES FOR EXERCISING THESE RIGHTS
5.1 Rights of the Data Subject Pursuant to Article 11 of the Law, data subjects have the right to apply to Vodatech and: Learn whether their personal data has been processed, Request information if their personal data has been processed, Learn the purpose of the processing and whether the data is being used in accordance with this purpose, Know the third parties to whom personal data is transferred, either domestically or internationally, Request the correction of incomplete or inaccurate personal data and request notification of the corrections to third parties to whom the data has been transferred, Request the deletion or destruction of personal data in cases where the reasons for processing no longer exist, even if the data has been processed in accordance with the Law and other relevant legislation, and request notification of such actions to third parties to whom the data has been transferred, Object to any adverse outcome resulting from the analysis of processed data exclusively through automated systems, Request compensation for damages incurred due to the unlawful processing of personal data.” ”
5.2 Cases Where the Data Subject Cannot Exercise Their Rights Pursuant to Article 28 of the Law, the following cases are excluded from the scope of the Law. Therefore, data subjects cannot exercise the rights listed in Section 5.1 in these circumstances: Processing of personal data by natural persons exclusively within the scope of activities related to themselves or their family members living in the same residence, provided that such data is not disclosed to third parties and obligations concerning data security are complied with, Processing of personal data for purposes such as research, planning, and statistics, provided that the data is anonymized and used for official statistics, Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that the processing does not violate national defense, national security, public safety, public order, economic security, privacy of private life, or personal rights, or constitute a crime, Processing of personal data within the scope of preventive, protective, or intelligence activities carried out by authorized public institutions and organizations to ensure national defense, national security, public safety, public order, or economic security, Processing of personal data by judicial authorities or execution agencies in relation to investigation, prosecution, trial, or execution procedures. Additionally, under the second paragraph of Article 28 of the Law, in the following cases, data subjects cannot exercise the rights specified in Section 5.1 of this Policy, except for the right to request compensation for damages: Where personal data processing is necessary for the prevention of a crime or for a criminal investigation, Where personal data has been made public by the data subject themselves, Where personal data processing is necessary for the supervision or regulation duties of public institutions and organizations, and professional organizations in the nature of public institutions, authorized by law, or for disciplinary investigation or prosecution, Where personal data processing is necessary for the protection of the State’s economic and financial interests related to budget, tax, and financial matters.” ”
5.3 Exercising the Rights of the Data Subject The data subject may exercise the rights specified in Article
5.1 of this Policy by filling out the application form available at https://www.Vodatech.com and submitting it with a wet-ink signature or via a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or an email address previously notified to and registered in Vodatech’s systems. The method of application is explained in detail in the “Application Form Under the Law on the Protection of Personal Data,” the address of which is provided above. If the data subject wishes to exercise this right through their representative, identity documents authorized or approved by competent authorities, as well as any supporting documents related to the request, must be submitted to Vodatech along with the application form.
5.4 Vodatech’s Response to Applications Vodatech will finalize any requests submitted to it as soon as possible and no later than thirty days, free of charge, depending on the nature of the request. If the fulfillment of requests incurs a cost, fees determined by the Board’s tariff may be requested. Vodatech may accept the request or reject it by providing justification and notifies the response to the data subject either in writing or electronically. If the request is accepted, Vodatech will take the necessary actions to fulfill the request.
6 PUBLICATION AND RETENTION OF THE POLICY The Policy is published in two formats: a hard copy with a wet-ink signature and an electronic version, and it is made publicly available on the website. The hard copy is retained under the custody of the Personal Data Protection Committee.
7 POLICY UPDATE PERIOD The Policy is reviewed and updated by the Personal Data Protection Committee as needed. Necessary sections are revised whenever required.
8 ENFORCEMENT, REPEAL, AND EXECUTION OF THE POLICY The Policy is deemed effective upon publication on Vodatech’s website. If it is decided to repeal the Policy, the previously signed hard copies of the Policy are invalidated by stamping or marking them as canceled, signed by the Chair and members of the Personal Data Protection Committee, and retained for a minimum of 5 years under the custody of the Committee.”
WEBSITE VISITOR CLARIFICATION TEXT
This “Website Visitor Clarification Text” has been prepared by VODATECH CALL CENTER ANONİM ŞİRKETİ (“Company”) as the data controller, in order to fulfill the obligation to provide clarification regarding the processing of personal data, in accordance with Article 10 of the Personal Data Protection Law No. 6698 (“Law”) and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform.
Purpose and Identity of the Data Controller
Your personal data may be processed by the COMPANY located at Esentepe Mah. İnönü Cad. Erdoğan Sk. No:6, Kartal Istanbul, as the data controller, in accordance with the Law, within the scope of the following purposes and to the extent necessary and proportional to these purposes, using automated or non-automated methods, ensuring the accuracy and updating of personal data as provided to us.
Purposes of Processing Personal Data, Collection Method, Legal Grounds, and Recipients
Your personal data may be processed in accordance with the fundamental principles outlined in the Law and within the conditions for personal data processing set forth in Articles 5 and 6 of the Law. This may include recording and storing traffic information related to your visit to the COMPANY’s website, conducting statistical measurements regarding visits to the website and site usage, improving our website based on those measurements, personalizing your visit, and providing content tailored to your preferences.
The personal data processed under this Privacy Notice and the purposes of processing, as well as the categories of personal data, are outlined in the table below.
Your personal data will be deleted, destroyed, or anonymized when the purpose requiring processing under the KVK Law Article 7/1 ceases to exist and/or when the statutory retention periods we are obligated to process your data under expire.
Your Rights as a Data Subject and the Exercise of These Rights
In accordance with Article 11 of the Law, and with the exceptions specified in Article 28, we inform you that as data owners, you have the following rights:
To learn whether your personal data is processed,
To request information if your personal data has been processed,
To learn the purpose of processing your personal data and whether it is used in accordance with that purpose,
To know the third parties in Turkey or abroad to whom your personal data has been transferred,
To request the rectification of incomplete or inaccurate personal data and to request that the correction be communicated to third parties to whom your personal data has been transferred,
To request the deletion or destruction of personal data if the reasons for processing have ceased, even if the processing is in compliance with the Law and other relevant laws, and to request that this deletion or destruction be communicated to third parties to whom your personal data has been transferred,
To object to any result arising from the automatic analysis of your data,
To request compensation for damages if you suffer harm due to the unlawful processing of your personal data.
Regarding the above-mentioned rights, you may submit a request containing the minimum requirements as stipulated in the “Regulation on Procedures and Principles for the Application to the Data Controller” either in person at Esentepe Mah. İnönü Cad. Erdoğan Sk. No:6 Kartal İstanbul, by sending it via notary, electronically signed via vodatechcagri@hs01.kep.tr KEP address, or by submitting it through the email address registered in our systems at info@vodatech.com.tr.
| Explicit Consent | Consent based on information and free will on a specific subject |
| Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data. |
| Employee(s) | Workers who have an employment relationship with Vodatech in accordance with the Labor Law and students/graduates who are receiving internship (mandatory/optional) training |
| Electronic Environment | Environments where personal data can be created, read, changed and written using electronic devices. |
| Non-Electronic Environment | All written, printed, visual etc. media other than electronic environment. |
| Service Provider | A natural or legal person who provides services within the framework of a specific contract with Vodatech. |
| Related Person | Real person whose personal data is processed |
| Annihilation | Irreversible deletion, destruction or anonymization of personal data |
| Law / LPPD | Law No. 6698 on the Protection of Personal Data |
| Recording Environment | Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system |
| Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system |
| Personal Data Inventory | Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes of processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum time required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security |
| Personal Data Protection Committee | The committee, which is authorized by Vodatech to make decisions and present them to the senior management in order to ensure compliance with the legislation on the protection of personal data by Vodatech, to ensure compliance with the legislation on the protection of personal data, to maintain, maintain, manage and improve it, and to ensure the necessary coordination within Vodatech for this purpose, and with the participation of officials from different units |
| Committee | Personal Data Protection Committee |
| Institution | Personal Data Protection Institution |
| Special Qualified | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
| Policy | Vodatech tarafından kişisel verilerin işlenmesi, ve korunmasında benimsenen ilkelerin düzenlendiği işbu “Kişisel Verileri Koruma ve İşleme Politikası” |
| Data Processor | Natural and legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
| Data Registration System | Registration system where personal data is structured and processed according to certain criteria |
| Data Controllers Registry Information System | The registry of data controllers kept by the Personal Data Protection Authority and open to the public |
| VERBIS | Data Controllers Registry Information System |
| Personal Data Categories | Description |
| Identity Data | Data containing information about the identity of the person: name-surname, Turkish ID number, marital status, gender, nationality, parents’ name-surname, place-date of birth and other identity information and documents containing this information such as driver’s license, identity card, passport, birth certificate, tax number, Social Security Institution number and other information. |
| Contact Data | Information used for communication purposes such as phone number, address, e-mail address, and documents such as residence certificates containing this information. |
| Personnel Data | Within the scope of being in a working relationship with our Company, personal data processed for obtaining information that is the basis for the formation of personal rights of natural persons. |
| Legal Transaction Data | Personal data processed due to being in a legal relationship with our Company, such as information in correspondence with judicial authorities, information in the case file. |
| Client Transaction Information | Personal data obtained during the processes of receiving and evaluating all kinds of call center records, transaction history, order information and all kinds of requests or complaints regarding our customers. |
| Physical Space Security Data | Entry and exit registration information regarding visits to workplaces and showrooms, personal data obtained during the processes of taking camera recordings. |
| Professional Experience Data | Personal data relating to information such as diploma information, courses attended, vocational training information, certificates of our employees and supplier employees. |
| Marketing Data | Personal data processed such as shopping history information, surveys, cookie records in order to improve the activities offered by our company. |
| Audiovisual Records | Personal data processed such as recording phone calls made with our customers, supplier officials and other third parties, taking visual records during the activities in which employees within our Company participate. |
| Financial Data | Personal data related to information, documents and records showing all kinds of financial results that arise according to the legal relationship established by our company with the data subject. Example: Credit card information, income information, IBAN number, etc. |
| Special Categories of Personal Data | Personal data that is determined by limited enumeration in the law and that carries the risk of discrimination against data subjects if processed. Example: Health data including blood type, biometric data, criminal convictions and security measures, etc. |
| Transaction Security Data | Personal data processed to ensure the technical, administrative, legal and commercial security of both the data subject and our Company. |
| Personal Data Categories | Description |
| Kimlik Verileri | Employee, Employee Candidates, Potential Product or Service Buyer, Intern, Supplier Employee, Supplier Official, Our Customers |
| Contact Data | Employee, Employee Candidates, Potential Product or Service Buyer, Intern, Supplier Employee, Supplier Official, Our Customers |
| Personnel Data | Çalışanlar, Çalışan Adayları, Stajyer, Tedarikçi Çalışanı |
| Legal Transaction Data | Employees, Clients |
| Client Transaction Information | Müşteriler, Potansiyel Müşteriler |
| Physical Space Security Data | Employees, Customers, Potential Customers, Visitors |
| Professional Experience Data | Employees, Interns, Supplier Employees, Supplier Official |
| Marketing Data | Customers, Potential Customers |
| Financial Data | Employees, Interns, Supplier Officials |
| Audiovisual Records | Employee, Potential Product or Service Buyer, Supplier Employee, Customers |
| Special Categories of Personal Data / Health Information | Employee, Intern, Supplier Employee |
| Special Categories of Personal Data / Criminal Conviction and Security Measures | Employee, Supplier Employee |
| Biometric Data | Employees |
| Transaction Security Data | Customers, Employees, Supplier Employees |
| Personal Data Category | Transaction Security |
| Traffic Information (Your website entry-exit time, IP address information) | |
| Purpose of Processing of Personal Data | Execution of Company Business Processes in accordance with the Legislation, Fulfillment of Obligations Arising from the Laws, Recording and Storage of Personal Data Obtained in accordance with the Law, Providing Information to Authorized Institutions and Organizations |
| Collection Method | It is obtained through visits to the COMPANY’s website. |
| Legal Reason | Art. 5/2 (a) of the LPPD: Explicitly stipulated by law |
| The legitimate interest of our Company, provided that it does not harm your fundamental rights and freedoms in accordance with Article 5/2 (f) of the LPPD | |
| Domestic transmission | Natural Persons or Private Legal Entities to Business Partners, Authorized Institutions and Organizations |
| Transmission abroad | There is no transfer abroad. |
| Personal Data Category | Transaction Security |
| Cookie Records | |
| Purpose of Processing Personal Data | Execution of Processes such as Improvement of the Website, Operation of the Website within the Scope of the Data Collected by Visiting the Website of the COMPANY and Making Measurements through Statistical Cookies Based on the Consent of the Visitor |
| Collection Method | It is obtained by means of the visitor’s consent to visit the websites and also in respect of cookies that are not strictly necessary. |
| Legal Reason | LPPD Art. 5/1: Explicit Consent |
| Art. 5/2 (c) of the LPPD: Establishment or performance of the contract, | |
| Art. 5/2 (e) of the LPPD: Data processing is mandatory for the establishment, exercise or protection of a right | |
| Pursuant to Article 5/2 (f) of the LPPD, the legitimate interest of our Company, provided that it does not harm your fundamental rights and freedoms | |
| Domestic transmission | Natural Persons or Private Legal Entities to Business Partners, Authorized Institutions and Organizations |
| Transmission abroad | There is no transfer abroad. |