1. PURPOSE OF THE POLICY
Our company KAREL ELEKTRONİK SANAYİ VE TİCARET A.Ş. acts with the awareness of the importance of the confidentiality and security of personal data obtained within the scope of the Personal Data Protection Law No. 6698 (KVKK) and other relevant legislation in the capacity of data controller.
KAREL acts with the determination to comply with the laws arising from its capacity as a data controller and determines personal data processing processes in accordance with the Constitution of the Republic of Turkey and Law No. 6698 and related legislation. It is also processed in accordance with the law.
2. SCOPE
It covers all personal data processed by automatic means or non-automatic means, provided that it is part of the data recording system, to the real person who owns personal data defined as the person concerned in the KVKK and related legislation.
3. DESCRIPTIONS
Anonymization | Making Personal Data impossible to be associated with an identified natural person under any circumstances, even by matching with other data |
Personal Data | Any information relating to an identified or identifiable natural person |
Open Consent | The person whose personal data will be processed declares his/her consent to the transaction after being informed before the relevant transaction is carried out. |
Clarification Text | Explanation to the data subject about the purpose for which the personal data will be stored, how long it will be stored, how it is collected, how it is stored and whether it will be shared with third parties. |
Inventory | Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes of personal data processing, data category, transferred recipient group and data subject group and by explaining the maximum period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security |
To Whom it may concern | Natural person whose personal data is processed |
Destruction | Deletion, destruction or anonymization of personal data |
Processing | In Article 3 of the KVKK, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification of personal data |
Law | Personal Data Protection Law |
Sensitive Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller |
Sales Representative | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
Deletion | Deletion of personal data, the process of making personal data inaccessible and non-reusable in any way for the relevant users |
4. PERSONAL DATA COLLECTION CHANNELS
KAREL may collect personal data of data subjects verbally, in writing or electronically by automatic or non-automatic methods. Relevant persons are informed in accordance with the legislation based on the channels through which personal data are obtained.
5. TYPES OF PERSONAL DATA OBTAINED
Personal data obtained by KAREL, data categories, collection channels, processing purposes and legal grounds for processing, third parties to whom personal data are transferred and the purposes of transfer are also regulated in detail in the relevant person clarification text.
6. DISCLOSURE OBLIGATION
KAREL shall notify the relevant persons who have personal data obtained during the course of its activities in accordance with Article 10 of the Law. Pursuant to the Article, personal data are informed before they are obtained. The information that should be communicated to data subjects within the framework of the said disclosure obligation is given below with its main headings:
- Identity of the data controller and its representative, if any
- The purpose for which personal data will be processed,
- To whom and for what purpose the processed personal data will be transferred
- Method and legal grounds for collecting personal data
- Other rights of the person concerned listed in Article 11 of the law
In order to fulfill the disclosure obligation, our Company has disclosure texts on the basis of the process and the persons whose data are processed, to be presented to the data subjects within the scope of the above-mentioned legal provision. After the disclosure texts are presented to the data subjects, explicit consent declarations are obtained for data processing activities and data categories that require the explicit consent of the data subject in order for our Company to carry out its commercial activities.
7. SPECIAL CATEGORIES OF PERSONAL DATA POLICY
In accordance with the Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 on Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Data within our Company, special categories of personal data are protected by us on the basis of special security measures. In this context, a Special Categories of Data Policy has been prepared and put into practice in our Company.
Article 6 of the Law on sensitive data is as follows:
- Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.
- Processing of sensitive personal data without the explicit consent of the data subject is prohibited.
- Personal data other than health and sexual life listed in the first paragraph may be processed without the explicit consent of the person concerned in cases stipulated by law. Personal data relating to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject.
- In the processing of special categories of personal data, adequate measures determined by the Board must also be taken.
8. RIGHTS OF THE PERSONAL DATA OWNER
Within the scope of Article 11 of the Law, everyone has the right to apply to our Company as the data controller in the following matters:
Everyone can apply to the data controller;
a) Learn whether personal data is being processed,
b) Request information if personal data has been processed,
c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
d) To know the third parties to whom personal data are transferred domestically or abroad,
e) To request correction of personal data in case of incomplete or incorrect processing,
f) To request the deletion or elimination of personal data within the framework of the conditions stipulated in Article 7 of Law No. 6698,
g) To request notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data are transferred,
h) To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
i) In case of damage due to unlawful processing of personal data, it has the right to demand compensation for the damage.
9. METHOD OF EXERCISING THE RIGHTS OF THE DATA SUBJECT
In accordance with paragraph 1 of Article 13 of the Law and within the scope of the Communiqué on the Procedures and Principles of Application to the Data Controller published in the Official Gazette dated 10.3.2018 and numbered 30356; applications to be made to our Company, which is the data controller, regarding these rights must be submitted to us in writing or by other methods determined by the Personal Data Protection Board ("Board").
The personal data owner "Data Subject" will be able to notify our Company of his/her rights and requests listed in subparagraph A. In this context, the relevant person may apply in writing within the following scope in order to use all other rights he/she has in accordance with Article 11 of the Law No. 6698 on the Protection of Personal Data:
- By personal application of the applicant,
- By post with signature affidavit attached,
- Through a notary,
- With secure electronic signature,
- By signing with the secure electronic signature defined on behalf of the applicant and sending it to the KEP address specified below,
- By sending from the e-mail address previously notified to the data controller by the data subject and registered in the system of the data controller,
The application form (application form link can be given) can be sent to our KAREL ISTANBUL OFFICE address. It can also be sent to karel.arge@hs03.kep.tr.
10. MEASURES TAKEN
In accordance with Article 12 of the Law, it takes the necessary administrative and technical measures to prevent unlawful processing and access to personal data processed by our Company and to ensure that personal data is kept securely and to carry out and/or have the necessary audits carried out within this scope. Although measures are taken in accordance with the nature of personal data, special categories of personal data are protected by more stringent security measures.
11. STORAGE OF PERSONAL DATA
Personal data obtained by our Company are securely stored in physical or electronic media for an appropriate period of time in order for our Company to continue its activities. Within the scope of the activities in question, our Company acts in accordance with the obligations stipulated in all relevant legislation, especially KVKK, regarding the protection of personal data.