Urartu Göz Hizmetleri Limited Şirketi ("Urartu Göz") attaches importance to the protection of personal data in its activities and priorities Policy ("Policy") is the basic regulation for the compliance of Urartu Göz organization and business processes with the personal data processing procedures and principles determined by the Law on the Protection of Personal Data numbered 6698 ("Law"). Urartu Göz processes and protects this Policy with responsibility and awareness, and provides the necessary transparency by informing personal data owners.
The purpose of this Policy is to ensure that the procedures and principles stipulated by the Law and other relevant legislation are harmonized with Urartu Göz organization and processes and implemented effectively in its activities. Urartu Göz takes all kinds of administrative and technical measures for the processing and protection of personal data with this Policy, creates necessary internal procedures, raises awareness, and provides all necessary trainings to ensure awareness. All necessary measures are taken and appropriate and effective audit mechanisms are established for the compliance of shareholders, authorities, employees and business partners with the Law processes.
1.2. Scope
The Policy covers all personal data obtained by automatic means in Urartu Göz business processes or by non-automatic means provided that they are part of any data recording system.
1.Basis
The Policy is based on the Law and relevant legislation. Personal data are processed in order to fulfill the legal obligations arising from the Law on the Amendment and Adoption of the Decree Law on Supervision within the scope of the relevant legislation, Identity Notification Law No. 1774, Labor Law No. 4857, 6331 Occupational Health and Safety Law, Social Security and General Health Insurance Law No. 5510, Unemployment Insurance Law No. 4447, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213 and other relevant legislation.
In cases of incompatibility between the applicable legislation and the Policy, the applicable legislation shall apply. The regulations stipulated by the relevant legislation are transformed into Urartu Göz practices with the Policy.
Explicit consent |
It refers to consent on a specific subject, based on information and expressed with free will. |
Application Form |
The application form for the applications to be made by the relevant person (Personal Data Owner) to the data controller, prepared in accordance with the Law No. 6698 on the Protection of Personal Data and the Communiqué on the Procedures and Principles of Application to the Data Controller issued by the Personal Data Protection Authority, which includes the application to be made by personal data owners to exercise their rights. |
Related user |
Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data. |
Destruction |
Deletion, destruction or anonymization of personal data. |
Recording media |
Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system. |
Personal data |
Any information relating to an identified or identifiable natural person. |
Processing of personal data |
Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
Anonymization of personal data |
Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
Personal data subject |
The natural person whose personal data is processed by or on behalf of Urartu Göz.. |
Deletion of personal data |
Deletion of personal data; making personal data inaccessible and non-reusable in any way for the Relevant Users Bringing |
Destruction of personal data |
The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
Board |
Personal Data Protection Board |
Institution |
Personal Data Protection Authority |
Sensitive personal data |
Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
Periodic destruction |
In the event that all of the conditions for processing personal data specified in the Law disappear, the deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy. |
Data Processor |
A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. |
Data Recording System |
It is a recording system where personal data is structured and processed according to certain criteria. |
Data subject / Data subject |
The natural person whose personal data is processed. |
Data Controller |
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
Data Representative |
A natural person appointed to fulfill the duties of the Data Controller within the scope of the relevant articles of law in accordance with the Law. |
Regulation |
Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017 |
PERSONAL DATA PROTECTION ISSUES
1.Ensuring the Security of Personal Data
Urartu Göz takes the necessary measures stipulated in Article 12 of the Law, depending on the nature of the personal data, to prevent unlawful disclosure, access, transfer or other security problems that may arise in other ways. Urartu Göz takes measures and conducts audits to ensure the required level of personal data security in accordance with the guidelines published by the Personal Data Protection Authority.
Protection of Special Categories of Personal Data
Measures taken for the protection of data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions, security measures and biometric and genetic data of individuals, which are of a private nature, are carefully implemented and necessary audits are carried out.
Raising Awareness on Protection and Processing of Personal Data
Urartu Göz provides the necessary trainings to those concerned in order to ensure that personal data is processed and accessed in accordance with the law, and to raise awareness about the protection of data and the exercise of rights.
Urartu Göz establishes the necessary business processes to increase the awareness of employees on the protection of personal data and receives support from consultants if needed. Deficiencies encountered in practice and the results of trainings are evaluated by Urartu Göz management. New trainings are organized if needed depending on these evaluations and changes in the relevant legislation.
3. PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Legislation
Personal data are processed in accordance with the legislation in line with the principles listed below.
Processing in accordance with the Law and Good Faith
Personal data are processed to the extent required by business processes, limited to these, without harming the fundamental rights and freedoms of individuals, in accordance with the law and the rule of honesty.
Ensuring that Personal Data is Up-to-date and Accurate
Necessary measures are taken to keep the processed personal data up-to-date and accurate, planned and programmed.
Storage for the Required Period
Personal data are retained for the minimum period stipulated in the relevant legislation and required for the purpose of processing personal data. First of all, if a period of time is stipulated in the relevant legislation for the storage of personal data, it is kept for this period, and if not, personal data are kept for the period required for the purpose for which they are processed. At the end of the retention periods, personal data are destroyed by appropriate methods (deletion, destruction or anonymization) in accordance with periodic destruction periods or data owner application.
3.2. Conditions for Processing Personal Data
Personal data is processed based on the explicit consent of the owner or one or more other conditions specified below.
Explicit Consent of the Personal Data Owner
Processing of personal data is done with the explicit consent of the data subject. Explicit consent of the personal data owner: It is realized by being informed on a specific subject and by obtaining his/her free will.
Absence of Explicit Consent of the Personal Data Owner
Personal data may be processed without the explicit consent of the data subject if any of the conditions listed below are present.
Explicitly Regulated in Laws
In Laws .
Failure to Obtain Explicit Consent of the Relevant Person Due to Actual Impossibility
Direct Relevance to the Establishment or Performance of the Contract
Fulfillment of Legal Obligation
While Urartu Göz fulfills its legal obligations, the personal data of the data owner may be processed if the processing is mandatory.
Publicization of Personal Data by the Data Subject
Personal data belonging to data subjects who publicize their data may be processed limited to the purpose of publicization.
Mandatory Data Processing for the Establishment or Protection of a Right
If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject may be processed.
Mandatory Data Processing for Legitimate Interest
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of Urartu Göz.
3.3. Processing of Special Categories of Personal Data
Urartu Göz processes special categories of personal data in accordance with the principles set out in the Law and the Policy, by taking all necessary administrative and technical measures with the methods determined by the Board, in accordance with the following procedures and principles:
3.4. Informing the Personal Data Owner
Urartu Göz informs personal data owners in accordance with the relevant legislation on the purposes for which their personal data is processed, for which purposes it is shared with whom, by which methods it is collected, the legal reason and the rights of data owners in the processing of their personal data. In this respect, the protection of personal data is carried out in accordance with other policy documents and clarification texts prepared within the framework of the principles in the Policy.
3.5. Transfer of Personal Data
Urartu Göz may transfer personal data and sensitive personal data to third parties (third party companies, group companies, third real persons) in accordance with the law by taking the necessary security measures in line with the purposes of personal data processing. Urartu Göz carries out the transfer transactions in accordance with the regulations stipulated in Article 8 of the Law.
Transfer of Personal Data
Although the explicit consent of the personal data owner is required for the transfer of personal data, personal data can be transferred to third parties by taking all necessary security measures, including the methods prescribed by the Board, based on one or more of the following conditions.
clearly stipulated in the law,
It is directly related to and necessary for the establishment or performance of a contract,
It is mandatory for Urartu Göz to fulfill its legal obligation,
Limited for the purpose of making the personal data public, provided that the personal data has been made public by the data owner,
It is mandatory for the establishment, use or protection of the rights of Urartu Göz or the data owner or third parties,
It is mandatory for the legitimate interests of Urartu Göz, provided that it does not harm the fundamental rights and freedoms of the data owner,
It is compulsory for the person or someone else, who is unable to express his consent due to actual impossibility, or whose consent is not legally valid, to protect his or her life or physical integrity.
Personal data related to any of the above-mentioned situations can be transferred to foreign countries that are determined to have adequate protection and declared as "Foreign Country with Sufficient Protection" by the Board. Personal data may be transferred to persons in the status of "Foreign Country with Data Controller Undertaking Sufficient Protection", who do not have sufficient protection, who undertake in writing to provide adequate protection in Turkey and abroad, and where the Board's permission is granted, in accordance with the conditions stipulated in the legislation.
ii. Transfer of Private Personal Data
Special categories of personal data may be transferred in accordance with the principles set forth in the Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, under the following conditions:
Special categories of personal data other than health and sexual life, without seeking the explicit consent of the data owner if there is an explicit provision in the law regarding the processing of personal data, otherwise, if the explicit consent of the data owner is obtained.
Private personal data related to health and sexual life, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of persons or authorized institutions and organizations under the obligation to keep secrets, otherwise in case the explicit consent of the data owner is obtained.
Personal data can be transferred to those in the status of "Foreign Country with Sufficient Protection" in case of any of the above conditions, and in case of lack of sufficient protection, to those in the status of "Foreign Country with Data Controller Undertaking Sufficient Protection" in accordance with the data transfer conditions regulated in the legislation.
4. PERSONAL DATA INVENTORY PARAMETERS
In Urartu Eye management, human resources, financial affairs (accounting-finance), information processing, patient processing business processes, data categories and personal data of personal data owners consisting of employee candidates, employees, shareholders/partners, potential service buyers, interns, supplier representatives, service recipients, parents/guardians/representatives, visitors are processed depending on personal data processing purposes. The details of the data subject groups and the processing purposes according to the data categories are reported in the field of Urartu Göz “https://verbis.kvkk.gov.tr/Query/Details?q=pT3Yj5J4y4q6%2FyQL6tMd0g%3D%3D&isNeviChange=duu6TOm7jzzm1f64Dfp.
Personal data processing purposes are processed in accordance with the general principles set forth in the Law, in particular the principles set forth in article 4 of the Law on the processing of personal data, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, according to personal data categories, in accordance with Article 10 of the Law and other legislation.
Personal data Policy “3.5. It can be shared with real persons or private law legal entities, shareholders, business partners, affiliates and subsidiaries, suppliers, authorized public institutions and organizations, private insurance companies, auditors, consultants, domestic organizations with which we receive contracted services, cooperate with, and domestic organizations, with the principles set forth in the section "Transfer of Personal Data". There is no transfer of personal information with foreign countries.
5. MEASURES RELATED TO THE PROTECTION OF PERSONAL DATA
Urartu Göz takes the necessary technical and administrative measures to protect the personal data it processes in accordance with the procedures and principles determined in the Law, carries out the necessary inspections in this context, and carries out awareness-raising and training activities.
Urartu Göz does not comply with this situation in case the processed personal data is seized by third parties by unlawful means, despite the technical and administrative measures.