KVKK POLICY
entry
Purpose and scope of the policy
The Law on the Protection of Personal Data No. 6698 (the “Law”) entered into force on April 7, 2016; this KEYA REAL ESTATE Personal Data Processing and Protection Policy (the “Policy”) aims to ensure compliance with the Law and to determine the principles to be followed by the Company in fulfilling the obligations related to the protection and processing of personal data.
The Policy defines the conditions for the processing of personal data and sets out the main principles adopted by the Company in the processing of personal data. Within this framework, the Policy covers all personal data processing activities carried out by the Company within the scope of the Law, the owners of all personal data processed by the Company and all personal data processed by the Company.
The issues related to the processing of the personal data of the Company’s employees are not covered by this Policy, but are regulated separately in the KEYA REAL ESTATE Personal Data Processing and Protection Policy.
Definitions for the terms used in the Policy are included in Oct-1.
Entry into Force and Amendment
The policy has been published by the Company on its website and presented to the public. In case of conflict between the current legislation, especially the Law, and the regulations contained in this Policy, the provisions of the legislation shall apply.
The Company reserves the right to make changes to the Policy in parallel with legal regulations. The current version of the Policy can be accessed from the Company’s website and ………………………………………………………………………………. it can be accessed from the link.
DATA OWNERS, DATA PROCESSING PURPOSES AND DATA CATEGORIES FOR THE PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY
2.1. Data Owners
The Data Subjects covered by the Policy are all real persons except the Company employees whose personal data are being processed by the Company. Within this framework, in general, the categories of data owners are as follows:
CATEGORIES OF DATA OWNERS | explanation | |
1 | Customer | It refers to real people who benefit from the products and services offered by the Company. |
2 | Potential Customer | Natural persons who show interest in using the products and services offered by the Company and have the potential to become customers. |
3 | Visitor | It refers to real persons who visit the Company, stores, premises and website. |
4 | Employee Candidate | Refers to real persons who apply for a job by sending a CV to the Company or by other methods. |
5 | Third Parties | The above-mentioned categories of data subjects refer to natural persons other than Company employees.Veri Sahibi Kategorileri genel bilgi paylaşımı amacıyla belirtilmiştir. Veri Sahibinin, bu kategorilerden herhangi birinin kapsamına girmemesi, Kanun’da belirtildiği şekilde veri sahibi niteliğini ortadan kaldırmamaktadır. |
2.2. Purposes of Processing Personal Data
Your personal data and sensitive personal data may be processed by the Company for the following purposes in accordance with the Personal Data Processing Conditions in the Law and the relevant legislation:
MAIN OBJECTIVES | SUB-OBJECTIVES |
Execution of Company Internal Operations | 1. Planning, Auditing and Execution of Information Security Processes 2. Establishment and Management of Information Technologies Infrastructure 3. Planning and Execution of Employees’ Authorisations to Access Information Systems 4. Event Management 5. Follow-up of Finance and Accounting Affairs 6. Planning and Execution of Activities for Performing Effectiveness/Efficiency and Relevance Analyses of Business Activities 7. Planning and Execution of Business Activities 8. Planning and Execution of Authorisations of Business Partners and Suppliers to Access Information Systems 9. Planning and Execution of Business Continuity Ensuring Activities 10. Planning and Execution of Corporate Communication Activities 11. Planning and Execution of Corporate Sustainability Activities 12. Planning and Execution of Corporate Governance Activities 13. Planning and Execution of Logistics Activities 14. Planning and Execution of Production and Operation Processes 15. Planning and Monitoring of Building and Construction Works |
Activities with Legal, Technical and Administrative Consequences | 1. Planning and Execution of Emergency Management Processes 2. Planning and Execution of Occupational Health and Safety Processes 3. Realisation of Credit Process Risk Management 4. Calculation of Insurance Policy Premiums of Persons and Creation of the Policy 5. Management and Supervision of Relations with Subsidiaries 6. Initiation of the Damage Process and Completion of the Damage File 7. Follow-up of Legal Affairs 8. IT and Operational Audit Activities of Group Companies 9. Providing Legislative Information to Authorised Institutions 10. Creating and Monitoring Visitor Records 11. Planning and Execution of the Company’s Production and Operational Risk Processes 12. Realisation of Company and Partnership Law Transactions 13. Ensuring the Security of Company Operations 14. Ensuring the Security of Company Campuses and Facilities 15. Planning and Execution of the Company’s Financial Risk Processes 16. Ensuring the Security of Company Fixtures and Resources 17. Planning and Execution of Company Audit Activities 18. Issuance of Insurance Policies 19. Various Transaction Applications of Shareholders, 1st Degree Relatives of Shareholders and Members of the Board of Directors 20. Planning and Execution of Operational Activities Required to Ensure that Company Activities are Carried Out in Accordance with Company Procedures and Relevant Legislation 21. Ensuring that the data is accurate and up-to-date |
Processes and Operations Touching the Customer | 1. Follow-up of Loan Payment Transactions 2. Planning and Execution of After Sales Support Services Activities 3. Planning and Execution of Sales Processes of Products and Services 4. Follow-up of Contract Processes and Legal Requests 5. Planning and Execution of Customer Relationship Management Processes |
Financial Operations | 1. Banking Transactions 2. Payment of Damage 3. Paying Damages to People 4. Collection of Insurance Policy Premiums of Persons 5. Policy Collection 6. Pricing of the Insurance Policy |
Strategy Planning & Business Partners/Supplier Management | 1. Management of Relations with Business Partners and/or Suppliers 2. Planning and Execution of External Training Activities 3. Execution of Strategic Planning Activities |
Marketing Operations | 1. Planning and Execution of the Processes for Creating and Increasing Loyalty to the Products and Services Offered by the Company 2. Planning and Execution of Market Research Activities for Sales and Marketing of Products and Services 3. Planning and Execution of Marketing Processes of Products and Services 4. Planning and Execution of Customer Satisfaction Activities |
2.3. Personal Data Categories
Your personal data categorised below are processed by the Company in accordance with the personal data processing conditions set out in the Law and the relevant legislation:
PERSONAL DATA CATEGORISATION | EXPLANATION |
Credentials | All information about the identity of the person in documents such as driving licence, identity card, residence card, passport, lawyer ID, marriage certificate |
Contact Details | Information for contacting the data subject such as telephone number, address, e-mail |
Customer Information | Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework |
Family Members and Relatives | Information about the family members and relatives of the personal data subject, which is processed in relation to the products and services we offer or to protect the legal interests of the Company and the data subject |
Customer Transaction Information | Records regarding the use of our products and services and information such as the customer’s instructions and requests required for the use of products and services |
Physical Space Security Information | Personal data related to records and documents such as camera recordings, fingerprint records taken at the entrance to the physical space, during the stay in the physical space |
Process Security Information | Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities |
Financial Information | Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our company with the personal data owner |
Employee Candidate Information | Personal data processed in relation to individuals who have applied to become an employee of our company or who have been evaluated as an employee candidate in line with the human resources needs of our company in accordance with the commercial custom and honesty rules or who are in a working relationship with our Company |
Knowledge of Legal Procedure and Compliance | Personal data processed within the scope of determination and follow-up of our legal receivables and rights and performance of our debts and compliance with our legal obligations and policies of our company |
Audit and Inspection Information | Personal data processed within the scope of our company’s legal obligations and compliance with company policies |
Special Categories of Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
Marketing Information | Personal data processed for the marketing of our products and services by customising them in line with the usage habits, tastes and needs of the personal data owner, and the reports and evaluations created as a result of these processing results |
Request/Complaint Management Information | Personal data relating to the receipt and evaluation of any request or complaint addressed to our Company |
Reputation Management Knowledge | Information about the information collected for the purpose of protecting the commercial reputation of our company and the evaluation reports created in this regard and the actions taken |
Event Management Knowledge | Personal data processed in order to take necessary legal, technical and administrative measures against developing events in order to protect the commercial rights and interests of our company and the rights and interests of our customersKİŞİSEL VERİLERİN İŞLENMESİNE İLİŞKİN İLKELER VE ŞARTLAR |
3.1. Principles Regarding the Processing of Personal Data
Your personal data is processed by the Company in accordance with the personal data processing principles set out in Article 4 of the Law. These principles must be complied with for each personal data processing activity:
Processing of personal data in accordance with the law and good faith; The Company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of data subjects.
Accuracy and timeliness of personal data; The Company pays attention to whether your personal data processed by the Company is up to date and to carry out the relevant checks. In this context, data subjects are entitled to request correction or deletion of their inaccurate and outdated data.
Processing of personal data for specific, explicit and legitimate purposes; The Company determines the purposes of data processing before each personal data processing activity and ensures that these purposes are not unlawful.
Personal data being relevant, limited and proportionate to the purpose for which it is processed; The data processing activity by the Company is limited to the personal data required to fulfil the purpose of collection and necessary steps are taken to ensure that personal data not related to this purpose are not processed.
Retention of personal data for the period required by the legislation or processing purposes; Personal data are deleted, destroyed or anonymised by the Company after the purpose of processing personal data disappears or upon expiration of the period stipulated in the legislation.
3.2. Conditions Regarding the Processing of Personal Data
Your personal data is processed by the Company in the presence of at least one of the personal data processing conditions specified in Article 5 of the Law. Explanations regarding these conditions are given below:
In cases where the explicit consent of the personal data owner does not exist in the absence of other data processing conditions, in accordance with the general principles under the heading 3.1., the personal data of the data owner can be processed by the Company with the free will of the data owner, having sufficient information about the personal data processing activity, in a manner that leaves no room for doubt and limited to that transaction.
Personal data may be processed by the Company without the explicit consent of the data subject if the personal data processing activity is expressly stipulated in the laws. In this case, the Company will process personal data within the framework of the relevant legal regulation.
In the event that the explicit consent of the data subject cannot be obtained due to actual impossibility and personal data processing is mandatory, personal data belonging to the data subject who is unable to disclose his consent or whose consent cannot be validated by the Company will be processed in the event that personal data processing is mandatory to protect the life or physical integrity of the data subject or a third person.
If the personal data processing activity is directly related to the establishment or performance of a contract, personal data processing activity will be carried out if it is necessary to process personal data belonging to the parties of the contract established or already signed between the data subject and the Company.
In the event that it is mandatory to carry out personal data processing activities in order to fulfil the legal obligation of the data controller, the Company processes personal data in order to fulfil its legal obligations stipulated under the applicable legislation.
If the data owner has made his/her personal data public, personal data that have been disclosed to the public in any way by the data owner and made available to everyone as a result of publicisation may be processed by the Company limited to the purpose of publicisation, even without the explicit consent of the data owners.
In the event that personal data processing is mandatory for the establishment, exercise or protection of a right, the Company may process the personal data of the data subject without the explicit consent of the data subjects within the scope of the obligation.
Provided that it does not harm the fundamental rights and freedoms of the data subject, if data processing is mandatory for the legitimate interests of the data controller, personal data may be processed by the Company, provided that the balance of interests of the Company and the data subject is observed. In this context, in the processing of data based on legitimate interest, the Company first determines the legitimate interest to be obtained as a result of the processing activity. It evaluates the possible impact of the processing of personal data on the rights and freedoms of the data subject and carries out the processing activity if it is of the opinion that the balance is not disturbed.
3.3. Conditions for the Processing of Special Categories of Personal Data
In Article 6 of the Law, special categories of personal data are specified in a limited number. These are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
The Company may process special categories of personal data in the following cases by ensuring that additional measures determined by the Personal Data Protection Board are taken:
Processing of sensitive personal data other than health and sexual life can be processed if the data subject gives explicit consent or if it is explicitly stipulated in the laws.
In Article 6 of the Law, special categories of personal data are specified in a limited number. These are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
The Company may process sensitive personal data in the following cases by ensuring that additional measures determined by the Personal Data Protection Board are taken:
Processing of special categories of personal data other than health and sexual life can be processed if the data subject gives explicit consent or if it is explicitly stipulated by law.
Personal data relating to health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons under the obligation of confidentiality or by authorised institutions and organisations without seeking the explicit consent of the data subject.
TRANSFER OF PERSONAL DATA
In accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the Company may transfer personal data domestically or abroad in case the conditions for the transfer of personal data are met.
Your personal data may be transferred by the Company to third parties in the country, provided that at least one of the data processing conditions specified in Articles 5 and 6 of the Law and explained under Title 3 of this Policy exists and provided that the basic principles regarding the data processing conditions are complied with.
In cases where the transfer of personal data to third parties abroad does not have the explicit consent of the person, your personal data may be transferred abroad by the Company in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law and explained under Title 3 of this Policy and provided that the basic principles regarding the data processing conditions are complied with.
In the event that the country to which the transfer will be made is not one of the safe countries to be announced by the Personal Data Protection Board, personal data may be transferred to third parties abroad upon the Company and the data controller in the relevant country undertaking adequate protection in writing, upon the Personal Data Protection Board’s authorisation of this processing and in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law (see Policy Title 3).
Within the general principles of the Law and the data processing conditions in Articles 8 and 9, the Company may transfer data to the parties categorised in the table below
Your personal data may be transferred by the Company to third parties in the country, provided that at least one of the data processing conditions specified in Articles 5 and 6 of the Law and explained under Title 3 of this Policy exists and provided that the basic principles regarding the data processing conditions are complied with.
In cases where the transfer of personal data to third parties abroad does not have the explicit consent of the person, your personal data may be transferred abroad by the Company in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law and explained under Title 3 of this Policy and provided that the basic principles regarding the data processing conditions are complied with.
In the event that the country to which the transfer will be made is not one of the safe countries to be announced by the Personal Data Protection Board, personal data may be transferred to third parties abroad upon the Company and the data controller in the relevant country undertaking adequate protection in writing, provided that the Personal Data Protection Board authorises this processing and at least one of the data processing conditions specified in Articles 5 and 6 of the Law (see Title 3 of the Policy) exists.
Within the general principles of the Law and the data processing conditions in Articles 8 and 9, the Company may transfer data to the parties categorised in the table below:
:
SHARED PARTY CATEGORISATION | SCOPE | PURPOSE OF TRANSFER |
Business Partner | Parties with which the Company establishes business partnerships while conducting its commercial activities | Sharing of personal data limited to the purpose of ensuring the fulfilment of the purposes for which the business partnership was established |
Supplier | Parties that provide services for the Company to continue its commercial activities in line with the instructions received from the Company and based on the contract between the Company and the Company | Transfer limited to the receipt of outsourced services from the supplier |
Subsidiary | Şirket’in iştiraki olan şirketler | Transfer of personal data limited to the purpose of carrying out commercial activities requiring the participation of affiliates |
Legally Authorised Public Institution | Public institutions and organisations legally authorised to receive information and documents from the Company | Limited sharing of personal data by relevant public institutions and organizations for the purpose of requesting information |
Legally Authorised Private Institution | Private law persons legally authorised to obtain information and documents from the Company | Sharing of data limited to the purposes requested by the relevant private legal persons within the scope of their legal authority. |
According to Article 10 of the Law, data subjects must be informed about the processing of personal data before or at the latest at the time of processing personal data. Pursuant to the relevant article, the necessary internal structure has been established to ensure that data subjects are enlightened in all cases where personal data processing activities are carried out by the Company as the data controller. In this context;
For the purpose of processing your personal data, please refer to Section 2.2 of the Policy. check out the section.
For the parties to whom your personal data is transferred and for the purpose of transfer, please refer to Section 4 of the Policy. check out the section.
In order to review the conditions related to the processing of your personal data, which may be collected through different channels in physical or electronic environments, please refer to 3.2 and 3.3 of the Policy. see section.
11 Of the Law as a data owner. we would like to point out that you have the following rights in accordance with the article:
To learn whether your personal data has been processed or not,
If your personal data has been processed, requesting information about it,
To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
To know the third parties to whom your personal data is transferred at home or abroad,
To request correction of your personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to the third parties to whom your personal data are transferred,
Although it has been processed in accordance with the Law and other relevant provisions of the law, to request the deletion or destruction of personal data if the reasons requiring its processing disappear, and to request that the transaction made in this context be notified to the third parties to whom your personal data has been transferred,
To object to this if a result arises against you by analyzing the processed data exclusively through automated systems,
Do not request compensation for the damage if you suffer damage due to the unlawful processing of your personal data.
Your applications for your rights listed above info@keytowers.com you can forward it to our e-mail address. Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and no later than thirty (30) days; however, if the transaction also requires a cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board.
During the evaluation of the applications, the company first determines whether the person making the request is the real right holder. However, the Company may request detailed and additional information in order to better understand the demand in cases where it deems necessary. Oct.
The company’s responses to data owner applications are notified to data owners in writing or electronically. If the application is rejected, the reasons for the rejection will be explained to the data owner with justification.
If personal data is not obtained directly from the data owner, activities are carried out by the Company to (1) within a reasonable period of time from the receipt of personal data, (2) if personal data will be used for communication purposes with the data owners, during the first communication, (3) if personal data will be transferred, at the latest during the first transfer of personal data, data owners will be informed.
DELETION, DESTRUCTION, ANONYMIZATION OF PERSONAL DATA
7 of the Law. although it has been processed in accordance with the law in accordance with the article, if the reasons requiring its processing disappear, the Company deletes, destroys or anonymizes the personal data ex officio or at the request of the data owner in accordance with the guidelines published by the Institution.
RESTRICTIONS ON THE SCOPE AND APPLICATION OF THE LAW
The following situations are outside the scope of the Law:
The processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same housing, provided that they are not given to third parties and that the obligations related to data security are complied with.
Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or do not constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations assigned duties and authorities by law in order to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.
In the following cases, it is not necessary to provide information to the data owners by the Company, and the data owners will not be able to exercise their rights specified in the Law, except for their rights to remedy their losses:
The fact that the processing of personal data is necessary for the prevention of the commission of a crime or for the investigation of a crime.
Processing of personal data made public by the data subject himself.
That the processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations, as well as professional organizations that are public institutions, based on the authority granted by law.
The fact that the processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and financial issues.
Oct-1: DEFINITIONS
definition | |
Explicit Consent | Consent related to a specific topic, based on information and explained by free will. |
Anonymization | Making the personal data unable to be associated with an identified or identifiable real person under any circumstances, even by matching it with other data. |
Employee | Real people who are employees of the company. |
Employee Candidate | Real persons who are not company employees but have the status of Company employee candidates by various methods |
Personal Health Data | Any kind of health information related to an identified or identifiable real person. |
Personal Data | All kinds of information about an identified or identifiable real person. |
The Owner Of The Data | The real person whose personal data is processed. |
Processing of Personal Data | All kinds of operations performed on the data, such as obtaining, saving, storing, storing, changing, rearranging, disclosing, transferring, inheriting, making available, classifying or preventing the use of personal data by means that are fully or partially automatic or non-automatic, provided that they are part of any data recording system. |
Law | The Law on the Protection of Personal Data numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677. |
Special Categories of Personal Data | Race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, disguise, association foundation or trade union membership, health, sex life, criminal convictions and security measures related data, as well as biometric and genetic data. |
Politics | KEYA REAL ESTATE Data Processing and Protection Policy |
Company / KEYA REAL ESTATE | KEYA REAL ESTATE |
Business Partners | Persons with whom the Company has established partnerships within the framework of contractual relations within the framework of its commercial activities. |
The Owner Of The Data | The real person whose personal data is processed |
Processing Data | A natural and legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
Data Controller | It is the person who determines the purposes and means of processing personal data and manages the place where the data is stored in a systematic manner. |