Personal Data Protection and Privacy
Detech Cybersecurity Technologies
1. PURPOSE AND SCOPE
This Privacy and Personal Data Protection Principles (hereinafter referred to as “Principles”) sets out the principles adopted by Detech Bilişim Teknolojileri Sanayi ve Ticaret Anonim Şirketi (hereinafter referred to as the “Company”) regarding the protection of personal data and aims to inform all relevant groups of persons within the scope of the Personal Data Protection Law No. 6698 (hereinafter referred to as “KVKK No. 6698”).
2. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
As the Company, we process your personal data in the capacity of Data Controller within the framework of the following principles.
2.1 Processing in accordance with the Law and Good Faith
In the processing of your personal data, we act in accordance with the principles introduced by legal regulations and the general rule of trust and honesty. In accordance with this principle, in particular, we take into account your interests and reasonable expectations while trying to achieve our personal data processing purposes, do not abuse our rights and act in accordance with the principle of transparency in our data processing activities.
2.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
In line with this principle, which emphasises the importance of the accuracy and timeliness of personal data, periodic checks and updates are made to ensure that the processed data are accurate and up-to-date, taking into account your legitimate interests, and necessary measures are taken accordingly. In this context, systems for checking the accuracy of personal data and making necessary corrections are established within the Company. In addition, the accuracy of the sources from which personal data are collected is checked and requests arising from inaccurate personal data are taken into consideration. Therefore, this principle is also applied in accordance with the right to request correction of personal data you have in accordance with KVKK No. 6698.
2.3 Processing for Specific, Explicit and Legitimate Purposes
Your personal data are processed based on clear, specific and legitimate data processing purposes. In this context, we ensure that our personal data processing activities are clearly understandable by the relevant persons, and we determine and clearly state which purposes and legal processing conditions are based on Article 3 of these Principles.
2.4 Being Relevant, Limited and Proportionate to the Purpose of Processing
Your personal data are processed in a measured, purpose-related and limited manner in order to achieve the prescribed purpose(s), and the processing of personal data that is not related to the realisation of the purpose or is not needed is avoided. Again, within the scope of this principle, personal data are not collected or processed for purposes that do not exist and are thought to be realised later.
2.5 Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
Your personal data are retained only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this regard, the Company takes and implements the relevant administrative and technical measures. In this context, firstly, it is determined whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, this period is acted in accordance with this period, if a period is not determined, personal data is stored for the period required for the purpose for which they are processed. In the event that the necessity of the relevant processes disappears, access to your personal data by unrelated departments is prevented within the scope of the deletion action specified in KVKK No. 6698. In the event that the period expires or the reasons for processing disappear, your personal data are destroyed or anonymised in accordance with the personal data protection legislation, unless there is a legal reason that allows them to be processed for a longer period of time.
3. CONDITIONS FOR PROCESSING PERSONAL DATA
Your personal and sensitive personal data may be processed within the scope of the KVKK numbered 6698 within the framework of the conditions stipulated below.
3.1 Explicitly Stipulated by Laws
The basic rule is that personal data cannot be processed without the explicit consent of the persons concerned, and according to this exception, your personal data may be processed in cases where personal data processing is explicitly stipulated in the laws.
3.2 Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility
Your personal data may be processed if it is mandatory to process personal data in order to protect the life or physical integrity of the person concerned or another person who is unable to disclose his consent due to actual impossibility or whose consent cannot be recognised as valid.
3.3 Direct Relevance to the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of the contract, your personal data may be processed if it is necessary to process personal data belonging to the parties to the contract.
3.4 Fulfilment of Legal Obligations by the Company
Your personal data may be processed if the processing is mandatory in order to fulfil the legislation, contract and similar legal obligations to which the Company is bound and responsible.
3.5 Publicisation of Personal Data
In the event that your personal data has been made public by you, i.e. shared with the public by you, it may be processed in connection with and in proportion to the purpose of publicisation.
3.6 Data Processing is Mandatory for the Establishment or Protection of a Right
Within the scope of the execution and management of the processes related to the legal and commercial rights of the Company, your personal data may be processed if data processing is mandatory for the establishment, use or protection of the right in question.
3.7 Processing of Data Based on Legitimate Interest
Your personal data may be processed if data processing is necessary for the legitimate interests of the Company. In the event that data processing is required depending on the aforementioned processing condition, our Company makes an evaluation by considering your fundamental rights and freedoms and decides according to the result of the evaluation.
3.8 Processing Based on Explicit Consent
Although the processing of personal data based on explicit consent is the main rule, the explicit consent of the data subjects is not relied upon in the presence of other conditions specified in this article. Otherwise, abuse of right may be mentioned. In this context, in cases where your personal data is not processed based on any of the conditions specified in these Principles, it is processed based on your explicit consent.
3.9 Processing of Special Categories of Personal Data
We process your sensitive personal data based on your explicit consent in accordance with Article 6 of the KVKK No. 6698. In the same article, we can process your sensitive personal data other than health and sexual life only in cases stipulated by law, and your sensitive personal data related to health and sexual life only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorised institutions and organisations under the obligation of confidentiality, without seeking your explicit consent.
4. TRANSFER OF PERSONAL DATA
Your personal and sensitive data may be transferred to our domestic business partners, public institutions and organisations and the like or to our business partners abroad within the scope of Article 2 of these Principles. While making such transfers, compliance with Articles 8 and 9 of the KVKK No. 6698 is observed. If necessary, your explicit consent is obtained and the transfer is provided within this framework.
5. SECURITY OF PERSONAL DATA
The Company takes all reasonable administrative and technical measures to prevent unauthorised access risks, accidental data loss, deliberate deletion of data or damage to data in order to ensure the security of personal data and to prevent unlawful processing.
All reasonable technical and physical measures are taken to prevent access to personal data by persons other than those authorised to access it. In this context, especially the authorisation system is designed in such a way that it is not possible for individuals and systems to access more personal data than necessary.
The Company carries out the necessary audits and has them carried out in order to ensure the implementation of the provisions of KVKK No. 6698 in its own institution or organisation.
The measures taken are as follows.
There are disciplinary regulations that include data security provisions for employees.
Training and awareness activities are carried out periodically for employees on data security.
Corporate policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
Confidentiality undertakings are made.
Extra security measures are taken for personal data transferred via paper.
Personal data security policies and procedures have been determined.
Personal data security problems are reported quickly.
Personal data security is monitored.
Necessary security measures are taken for entry and exit to physical environments containing personal data.
Security of environments containing personal data is ensured.
Personal data is minimised as much as possible.
User account management and authorisation control system is implemented and these are also monitored.
Internal periodic and/or random audits are carried out and carried out.
Existing risks and threats have been identified.
Protocols and procedures for the security of special categories of personal data have been determined and implemented.
Cyber security measures have been taken and their implementation is constantly monitored.
Data processing service providers are periodically audited on data security.