1.1. INTRODUCTION
With the Law on the Protection of Personal Data, the protection of the data of individuals whose information is processed has become a fundamental necessity for every company. For this reason, showing maximum diligence especially regarding access to the private lives and information of individuals, taking effective and deterrent measures in this regard, and additionally, being transparent towards our customers, potential customers, visitors, company officials, and all parties and institutions we cooperate with—in short, every person whose data we process, directly or indirectly connected to our company—forms the fundamental objective of our company data policy. With this Policy, our Company determines and implements our rules for the processing of personal data within the framework of the principles of transparency and openness.
1.2. PURPOSE AND SCOPE OF THE POLICY
The main purpose of this policy is to protect the fundamental rights and freedoms of individuals whose data is processed, primarily the privacy of private life, and in this sense, to ensure transparency of every activity carried out by our company through public disclosure. The scope of the provisions of this policy includes all personal data of persons whose data we process directly or indirectly.
1.3. APPLICATION OF LEGISLATION
The legal regulations in force regarding the processing and protection of personal data shall apply first. In case of inconsistency between the legislation in force and the Policy, our Company accepts that the legislation in force shall apply. The Policy gives concrete form to the rules set forth by the relevant legislation within the scope of Company practices.
SECTION 2: DEFINITIONS AND ABBREVIATIONS
The terms used in the implementation of this Policy express the meanings given below:
Employees: Refers to the employees of our Company.
Contact Person: The person responsible for following the personal data processing activities within our Company and the implementation of LPPD (KVK) Policies and procedures on an individual basis. Acts as the contact person of our Company before the registry of data controllers within the scope of LPPD Legislation.
Personal Data: Refers to any information relating to an identified or identifiable natural person. For example; name, surname, address, telephone number, date of birth, place of birth, eye color, T.R. identity number.
Personal Data Owner or Relevant Person: The natural person whose personal data is processed. For example; employee, visitor.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, changing, or transferring, via fully or partially automated means or non-automated means provided they are part of any data recording system.
LPPD Law: Refers to the Law on Protection of Personal Data No. 6698.
LPPD Board: Refers to the Personal Data Protection Board. It is the decision-making body of the LPPD Authority.
LPPD Authority: Refers to the Personal Data Protection Authority established by the LPPD Law.
LPPD Legislation: Refers to legal regulations regarding the protection of personal data, primarily the Law on Protection of Personal Data No. 6698, and the decisions of the LPPD Board.
LPPD Policy and Procedures: Refers to the Policy on Protection and Processing of Personal Data, other policies and procedures of our Company regarding the protection and processing of personal data, and various documents prepared by our Company to which these refer.
Special Categories of Personal Data: Refers to data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Data Recording System: The recording system where personal data are structured and processed according to specific criteria. For example; archiving documents in folders or files.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Unless otherwise specified, the data controller for processing activities within the scope of this Policy is our Company and our company brands (İnspera).
SECTION 3: MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA
3.1. GENERAL PRINCIPLES IN THE PROCESSING OF PERSONAL DATA
3.1.1 Compliance with Law and Rules of Honesty
While processing data of individuals, data should be obtained and processed in accordance with the law and rules of honesty during the processing stage. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ processes data with maximum sensitivity and control in accordance with the law and rules of honesty.
3.1.2 Being Accurate and Up-to-Date When Necessary
The processed data must be accurate and, where the data of individuals needs to be current, it must be up-to-date. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ checks the accuracy of processed data at every processing level and makes the necessary preparations for it to be up-to-date when necessary.
3.1.3 Processing for Specific, Explicit, and Legitimate Purposes
During the processing of data, it must be clear which data is processed, clear how much of it is processed, and the purpose for which it is processed must be certain and in accordance with the law, i.e., legitimate. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ processes data only for legitimate purposes and pays attention to the specificity of the data to be obtained during this processing. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ processes data clearly and explicitly to ensure that obtained information is not used for different purposes and does not cause misunderstanding.
3.1.4 Being Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed
Data must be processed in a controlled manner, remaining faithful to the purpose of processing, relevant to the purpose, limited to that purpose, and proportionate. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ processes data of data owners in a proportionate manner, being relevant and limited only to the purpose for which they are processed.
3.1.5 Retention for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for Which They Are Processed
Processed personal data must be handled with the intent of maximum protection in accordance with the period in the relevant legislation or the period specified for the relevant purpose. In this context, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ primarily retains personal data limited to these periods if a period is envisaged in the relevant legislation for the storage of personal data. If a period is not determined in the legislation or if there is no legal reason requiring the data to be kept for a longer period, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ stores personal data for the period necessary for the purpose for which they are processed. Thus, the security of data owners is ensured at the maximum level.
3.2. CONDITIONS FOR PROCESSING PERSONAL DATA
3.2.1 Conditions for processing personal data
FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ processes the data of data owners in accordance with the law and legal rules and in accordance with the conditions of the relevant legislation listed below.
General Conditions for Processing Personal Data
Concept of General Data: Every kind of personal data processed by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ that does not fall into the special category of data specified in this section constitutes the general category of personal data.
General Condition: Personal data cannot be processed without the explicit consent of the relevant person.
Exceptions: In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the relevant person:
Explicitly provided for in the laws.
It is mandatory for the protection of the life or bodily integrity of the person or another person who is unable to express their consent due to actual impossibility or whose consent is not granted legal validity.
Processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill their legal obligation.
It has been made public by the relevant person themselves.
Data processing is mandatory for the establishment, exercise, or protection of a right.
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
Conditions for processing special categories of personal data
Concept of Special Category Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special categories of personal data.
General Condition: It is prohibited to process special categories of personal data without the explicit consent of the relevant person.
Exceptions and Special Cases: Personal data other than health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the relevant person in cases provided for in the laws. Our company obtains the explicit consent of the relevant data owners while processing and storing special category data regarding the recording of special health problems. Personal data relating to health and sexual life may only be processed without seeking the explicit consent of the relevant person by persons under the obligation of secrecy or authorized institutions and organizations for the purpose of protecting public health, operation of preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
LPPD Authority Board Conditions: In the processing of special categories of personal data, it is also mandatory to take adequate measures determined by the Board.
SECTION 4: PROTECTION OF PERSONAL DATA
4.1. SECURITY OF PERSONAL DATA
In accordance with Article 12 of the Law on the Protection of Personal Data, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ takes all kinds of technical and administrative measures according to technological possibilities and implementation costs to ensure the lawful processing of personal data. Personal data learned by data controllers and persons processing data cannot be disclosed to others in violation of the provisions of this law and cannot be used for purposes other than processing. Necessary training has been given to FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ personnel regarding technical issues; awareness of employees is created in this regard and audits are carried out. The relevant accounting and human resources department of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ and the contracted legal consultancy firm work in coordination in this regard.
4.1.1. Measures Taken to Ensure Lawful Processing of Data
The main technical and administrative measures taken by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ to ensure the lawful processing of personal data are:
Personal data processing activities carried out within FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ are audited by technical systems and reported to the relevant persons.
For the personal data processing activities carried out by the business units of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ, the requirements to be fulfilled to ensure compliance of these activities with the personal data processing conditions required by Law No. 6698 are determined specifically for the activities carried out by each department and relevant unit.
The continuity and audit of ensuring compliance with the law and following the procedures prepared for the relevant departments are implemented through administrative measures, in-company policies, and training.
4.1.2. Measures Taken to Prevent Unlawful Access
FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ takes technical and administrative measures according to the nature of the data to be protected in order to prevent imprudent or unauthorized disclosure, access, transfer, or any other forms of unlawful access to personal data. The main technical and administrative measures taken by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ to prevent unlawful access to personal data are:
Technical measures taken with access and authorization technical solutions are periodically reported, and issues posing risks are re-evaluated to produce the necessary technological solutions. Software and hardware including logging, virus protection systems, and firewalls are established.
Personnel knowledgeable in technical matters are employed.
Access and authorization processes for personal data within the company are designed and implemented in accordance with business unit-based legal compliance requirements.
Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the Law on Protection of Personal Data and all other relevant legislation, and cannot use it for purposes other than processing, and that this obligation will continue after they leave their positions; necessary undertakings are obtained from them accordingly.
Provisions stating that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data are added to the contracts concluded with the persons to whom personal data are lawfully transferred by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ, and/or mutual memorandum of understanding texts are signed.
4.1.3. Measures Taken Regarding the Storage of Personal Data in Secure Environments
FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ takes the necessary technical and administrative measures to store personal data in secure environments and to prevent their destruction, loss, or alteration for unlawful purposes. The main technical and administrative measures taken by our Company for storing personal data in secure environments:
Systems compatible with technological developments are used to store personal data in secure environments.
Expert personnel in technical matters are employed.
Technical security systems for storage areas are established, the technical measures taken are reported to the relevant person, and issues posing risks are re-evaluated to produce the necessary technological solutions.
Backup programs are used in accordance with the law to ensure the secure storage of personal data.
Non-digital data will be accessible only by authorized persons by being kept in locked cabinets.
4.2. AUDIT
In accordance with the 3rd paragraph of Article 12 of the Law on the Protection of Personal Data, the data controller is obliged to carry out or have carried out the necessary audits in their own institution or organization in order to ensure the implementation of the provisions of this law.
4.2.1. Audit of Measures to be Taken in the Protection of Personal Data
FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ and our contracted legal consultancy company perform and/or have performed the necessary audits to establish the data security explained above and to ensure the regularity and continuity of the measures taken. The results of these audits are reported to the relevant department or management within the scope of our company's internal operation, and the necessary activities for the improvement of the measures taken are carried out in accordance with the Law on the Protection of Personal Data, other legislation, and this company policy.
4.2.2. Audit of Increasing the Awareness of Business Units Regarding the Protection and Processing of Personal Data
FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ ensures the organization of necessary training for business units through training, seminars, and sessions conducted to increase awareness on preventing the unlawful processing of personal data, preventing unlawful access to data, and ensuring the protection of data. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ updates and renews its training in parallel with the update of the relevant legislation. Necessary systems are established to create awareness on the protection of personal data, and audits on the subject are carried out by the relevant department of our company and our contracted legal consultancy company. The results of the training conducted to increase awareness on the protection and processing of personal data are reported to our company, and participation in the said training is made mandatory and controlled by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ.
4.3. CONFIDENTIALITY
FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ takes all kinds of necessary measures within its possibilities and according to the nature of the personal data to be protected, in order to prevent the disclosure and transfer of personal data in a way that violates the law and policy provisions, the provision of access to these data, and transactions arising from other security deficiencies that may occur. Necessary training has been given to FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ personnel in this regard, and personnel with knowledge in this regard have been employed. Personal data processing activities by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ are examined and audited in detail and periodically. If technology allows, necessary measures are taken in personal data processing activities, and it is essential to update and improve the measures taken. The relevant department of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ and our contracted legal consultancy company work in a coordinated manner in the execution and audit of these activities.
4.4. UNAUTHORIZED DISCLOSURE OF PERSONAL DATA
Regarding crimes related to the unauthorized disclosure of personal data, the provisions of Articles 135 to 140 of the Turkish Penal Code No. 5237 and all relevant legislation shall apply. The provisions of all relevant legislation are notified by our company to employees and relevant persons. Natural persons who unlawfully record personal data, unlawfully give, distribute or seize personal data to another person, do not destroy data within the system despite the expiration of the periods determined by the laws, and who do not delete or anonymize personal data despite the disappearance of the reasons making the storage or processing of personal data legitimate in violation of the provision of Article 7 of the Law on Protection of Personal Data, shall be punished with imprisonment according to Article 138 of the Turkish Penal Code. The procedures and principles regarding the deletion, destruction, or anonymization of personal data are regulated by a regulation. According to the regulations made in the Turkish Penal Code, a person who unlawfully gives personal data to another person, spreads or seizes this data unlawfully, is punished with imprisonment from two to four years; moreover, a person who commits this crime by taking advantage of the convenience provided by a certain profession and art is punished for the qualified form of the punishment. A company employee who commits the crime of viewing, obtaining data or "hacking" without the authority to process personal data will be reported to the personal data owner, the prosecutor's office, and relevant authorities without delay, and necessary actions will be carried out against them, and they will be punished for the qualified form of the crime. 
In accordance with the provision regulated under the heading of Misdemeanors in the Law on the Protection of Personal Data, administrative fines are also applied to those who do not fulfill the obligation to inform or the obligations regarding data security, those who do not fulfill the decisions given by the Board, or those who act contrary to the obligation to register and notify the Registry of Data Controllers.
SECTION 5: ORGANIZATIONAL MEASURES OF THE COMPANY FOR THE PROTECTION OF PERSONAL DATA
FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ establishes a management structure to ensure the enforcement of the Personal Data Protection and Processing Policy. A committee is established within FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ to manage this Policy and other policies linked and related to this Policy. The duties of the committee to be established are stated below. The committee also performs other duties given by the senior management outside of these duties. The committee carries out all its activities with the approval of the senior management.
Preparing the fundamental policies related to the Protection and Processing of Personal Data and the changes to be made to these policies if necessary,
Deciding on how the implementation and monitoring of the policies regarding the Protection and Processing of Personal Data will be carried out,
Making in-company assignments and providing coordination,
Identifying the issues that need to be done to ensure compliance with the Law on the Protection of Personal Data and the relevant legislation and ensuring the implementation of these issues,
Creating awareness on the Protection and Processing of Personal Data within the Company and before the institutions with which the Company cooperates and organizing training in this context,
Identifying the risks that may occur in the company's personal data processing activities and ensuring that necessary measures are taken,
Resolving the applications of personal data owners at the highest level,
Following the developments and regulations on the protection of personal data and taking the necessary actions.
The contact persons are natural persons reported by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ during registration to the registry for the communication to be established with the contracted legal consultancy company and the institution. This natural person or persons to be reported are from the members of our department assigned to perform this task within our company. According to the Regulation on the Registry of Data Controllers, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ has limited the function of the contact person as a point of communication, ensuring that the requests addressed to the data controller by the relevant persons are answered quickly and effectively. In this way, it is aimed to answer the problems or questions of the data owners whose personal data are processed in the fastest and most descriptive way, but the contact officer is not legally authorized to represent the data controller. For this reason, other than providing information, they have no duty or authority other than answering the questions of the data owner or the relevant person contacting the contact officer in accordance with the law and informing our company in this regard. As soon as FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ is informed by the contact officer, the transactions related to the problem will be carried out and the necessary procedure will be executed by the authorized department or institution assigned by our company as soon as possible. During these transactions, the personal data owner or the relevant person will be informed about all these transactions and procedures and, if necessary, interviews will be conducted with the personal data owner or relevant persons by the authorized department or institution of our company.
SECTION 6: THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED AND PURPOSES OF TRANSFER
Our company informs the personal data owner of the groups of persons to whom personal data are transferred in accordance with Article 10 of the LPPD Law. In accordance with Articles 8 and 9 of the LPPD Law, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ may transfer the personal data of data owners managed by the policy to the categories of persons listed below:
(i) The Company's business partners,
(ii) The Company's suppliers,
(iii) The Company's group companies,
(iv) The Company's shareholders,
(v) The Company's officials,
(vi) Legally authorized public institutions and organizations,
(vii) Legally authorized private law persons.
The scope of the above-mentioned persons to whom the transfer is made and the purposes of data transfer are stated below.
SECTION 7: DELETION OF PERSONAL DATA, RETENTION PERIODS AND DATA INVENTORY
7.1. Obligation of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ
In accordance with the explanations in Article 7 of the Law on Protection of Personal Data No. 6698 and Article 138 of the Turkish Penal Code No. 5237, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ deletes or destroys or anonymizes processed personal data whose purpose of processing and storage has subsequently disappeared, with the decision to be given based on the rights arising from the Turkish Commercial Code, the rights granted by all relevant legislation provisions and the principles determined in this policy, or upon the explicit request of the data owner in a way that will not harm the interests of our company in its commercial life, as stated in Article 7 of the Law on Protection of Personal Data.
7.2. Deletion, Destruction, or Anonymization of Personal Data
7.2.1. Deletion and Destruction of Personal Data
Deletion of personal data is defined in Article 8 of the regulation as "the process of making personal data inaccessible and unusable for the relevant users in any way." Destruction of personal data is defined in Article 9 of the regulation as "the process of making personal data inaccessible, irretrievable and unusable by anyone in any way."
7.2.2. Deletion Methods of Personal Data
a) Software as a Service Type Cloud Solutions: Data in the cloud system are deleted by giving the delete command. While the mentioned transaction takes place, the relevant user does not have the authority to retrieve deleted data on the cloud system.
b) Personal Data in Paper Environment: Personal data in the paper environment are deleted using the blackout method. The blackout method is carried out by cutting the personal data on the relevant document where possible, and where it is not possible, by using permanent ink in a way that is irreversible and unreadable with technological solutions, making them invisible to the relevant users.
c) Office Files Located on the Central Server: It is the deletion of the file with the delete command in the operating system or the removal of the relevant user's access rights over the file or the directory where the file is located.
d) Personal Data on Portable Media: Personal data in flash-based storage environments are stored encrypted and deleted using software suitable for these environments.
e) Databases: The relevant rows where personal data are located are deleted with database commands. The relevant person performing the mentioned transaction is not the database administrator.
7.2.3. Destruction Methods of Personal Data
a) Physical Destruction: Personal data can also be processed by non-automated means provided they are part of any data recording system. While such data are being destroyed, physical destruction is applied in a way that the personal data will not be used afterwards.
b) De-magnetization: It is the process of making the data on the magnetic media incomprehensible and unreadable by passing it through a special device and exposing it to a high-value magnetic field.
c) Paper Environments: The destruction processes in this environment are the method of destroying papers by turning them into incomprehensible sizes with destruction and shredding machines.
7.2.4. Anonymization of Personal Data
Anonymization of personal data is defined in Article 10 of the regulation as "making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if they are matched with other data."
7.2.4.1. Methods of Anonymizing Personal Data
a) Masking Method: It is an anonymization method provided by removing or deleting the distinctive attributes or characteristics of the data owners whose data are processed. Example: Preventing the identification of the data owner by removing information such as T.R. Identity No. etc., which allows the identification of the Personal Data Owner.
b) Data Shuffling Method (Permutation): With this method, it is aimed to anonymize the data by changing the place of some of the information of the data owners who have data in the system. Example: Providing the non-recognition of the Personal Data Owner by changing the place of lower-value information alongside the data evaluated as main categories in employee information.
c) Data Derivation Method: By making additions or subtractions to a certain extent in the variables found in the data in the system, it is ensured that the information becomes unidentifiable or undefinable. Example: Stating the neighborhood or district where the personal data owner lives instead of explaining their residence in detail.
d) Aggregation Method: It is a method of converting the relevant personal data from a specific value to a general value. With this method, data are generalized and personal data are made impossible to be associated with any person. Example: Stating that Y number of employees live in X neighborhood instead of counting the neighborhoods where the employees live one by one.
7.2.4.2. Procedure of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ for Selecting the Anonymization Method
One or several of the anonymization methods explained above will be selected by the committee established by the company to ensure the enforcement of this policy, in line with all relevant legislation and the interests of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ in business life. Detailed information about the committee is explained in the previous section. The anonymization method to be selected will be determined by the committee considering the matters listed below:
Nature of the data
Size of the data
Structure of the presence of data in physical environments
Diversity of the data
Purpose of processing the data
Anonymization process will be carried out in parallel with the principles stated in the retention periods and personal data inventory sections of this policy.
7.3. RETENTION PERIODS
FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ stores personal data in the data inventory in accordance with the periods determined in all relevant legislation. In the absence of any period determined in the relevant legislation regarding these periods, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ stores personal data within the periods determined in accordance with the interests of our company, provided that they comply with the customs arising from the sector it is in and the laws and legislation; in cases where storage is no longer necessary, they are deleted or destroyed or anonymized in the ways explained above. If the purpose of processing and storing personal data has disappeared and the periods determined based on the principles determined in all relevant legislation regarding personal data and by our company in this policy have passed, personal data may also be stored for use in any legal disputes that may arise in the future. The personal data specified in this part are stored only for use in legal disputes and cannot be used for any other purpose. In line with the explanations above, all measures and precautions that can be foreseen by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ are taken. For example, the use of information in the data system to determine the residential area of the employee in order to determine the authorized court in the lawsuit to be filed against the employee who left the workplace due to unfair termination of the contract can be evaluated in this context. (The scope of the explanations above is not limited to the example given.)
7.4. PERSONAL DATA INVENTORY
In accordance with the LPPD and the Regulation on the Registry of Data Controllers, it refers to the data (Word, Excel, etc.) in which the data processed separately in each department within FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ are collected, and the deletion, destruction, and anonymization processes are carried out in accordance with the legislation and company policy as explained above, and which can be submitted to the LPPD Authority when necessary. According to the definition in the Regulation, a personal data inventory must include:
i. Personal data processing purposes
ii. Data Category
iii. Maximum periods required for the processing of personal data, established by associating them with the transferred recipient group and the data subject group
iv. Personal periods envisaged for transfer to foreign countries
v. Measures taken regarding data security
Taking the criteria mentioned above into consideration, information regarding the operations to be performed with these data related to personal data will be collected in the relevant inventory. The inventory content may be stored in digital environments such as Word or Excel in accordance with the law and legislation and in line with our company's own interests, or contents that cannot be stored in digital environments may also be stored in paper environments. The deletion, destruction, and anonymization of personal data explained in Section 6 are performed in the personal data inventory by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ or by an official authorized by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ.
7.4.1. Preparation of the Personal Data Inventory
If there is a provision in the relevant legislation regarding the procedure for preparing the Personal Data Inventory, the personal data inventory shall be prepared by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ in line with these provisions. In cases where there is no provision in the relevant legislation regarding the procedure for preparing the Personal Data Inventory, our company is free to choose which procedure to select for preparing the personal data inventory, taking into account its own internal working discipline and business processes.
SECTION 8: RIGHTS OF THE DATA SUBJECT AND RULES FOR THE EXERCISE OF THESE RIGHTS
8.1. RIGHTS OF THE PERSONAL DATA SUBJECT
In accordance with Article 13 of the Law on the Protection of Personal Data, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ maintains the necessary channels, internal procedures, and administrative and technical regulations for the evaluation of the rights of personal data subjects and for providing the necessary information to the personal data subjects. If personal data subjects submit their requests regarding the rights listed below to our company in writing, our company will finalize the request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is envisaged by the Personal Data Protection Board, the fee in the tariff determined by the Personal Data Protection Board will be charged to the applicant by our company. Personal data subjects have the right to:
Learn whether personal data is processed,
Request information if personal data has been processed,
Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
Know the third parties to whom personal data are transferred domestically or abroad,
Request correction of personal data if it is incomplete or incorrectly processed and request notification of the transaction made within this scope to third parties to whom the personal data has been transferred,
Request the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist, despite having been processed in accordance with the Law on the Protection of Personal Data and other relevant legal provisions, and request notification of the transaction made within this scope to third parties to whom personal data has been transferred,
Object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
Request compensation for damages in case of loss due to unlawful processing of personal data.
In accordance with Article 13 of the Law on the Protection of Personal Data, personal data subjects may submit their requests regarding the exercise of the above-mentioned rights to our Company by filling out the "Law on the Protection of Personal Data Application Form" available on our Company's website through the methods specified therein.
8.1.1. Right of Access to Personal Data
Relevant persons have the right to access their personal data without being subject to a fee. The Company's interest and legitimate right to keep the data are protected within the scope of the Law on the Protection of Personal Data and relevant legislation; the right to change and delete is observed. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ informs the relevant person of their rights to:
Learn whether their personal data is processed,
Request information if their personal data has been processed,
Learn the purpose of processing their personal data and whether they are used in accordance with their purpose,
Request to know the third parties to whom their personal data is transferred domestically or abroad.
8.1.2. Right to Request Correction or Deletion of Personal Data
Relevant persons have the right to change or delete their personal data without being subject to a fee. In this context, the relevant person has the right to:
Request the correction of personal data if it is incomplete or incorrectly processed,
Request the deletion or destruction of personal data if the reasons requiring the processing of personal data cease to exist,
Request notification of the aforementioned correction, deletion, or destruction processes to third parties to whom the personal data has been transferred, and
Object to the occurrence of a result against them by analyzing the processed data exclusively through automated systems.
8.1.3. Ensuring that Personal Data is Up-to-Date
Pursuant to the Law on the Protection of Personal Data, there is an obligation to ensure that personal data is accurate and up-to-date when necessary. Therefore, for personal data to be kept accurate and up-to-date, current status changes must be notified to our company by the relevant person. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ is not responsible for any damage or sanction that arises or may arise due to the failure to update the data unless the change in data is notified in writing to FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ by the relevant person.
8.2. OBSERVANCE OF THE DATA SUBJECT'S RIGHTS
In accordance with Article 12 of the Law on the Protection of Personal Data, the data controller must take all kinds of necessary technical and administrative measures to provide the appropriate level of security for the purposes of:
Preventing the unlawful processing of personal data,
Preventing unlawful access to personal data, and
Ensuring the preservation of personal data.
In the event that personal data is processed by another natural or legal person on its behalf, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ is jointly and severally responsible with these persons for taking the measures specified in the first paragraph in accordance with the relevant article of the law. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ carries out the necessary audits in its own institution or organization to ensure the implementation of the provisions of this law. This provision has been shared by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ with the persons to whom data transfer can be made in Section 5 of this policy by adding it to all contracts, undertakings, and memorandum of understanding texts; in cases where a contract or memorandum of understanding cannot be created due to actual impossibility or because it is not in line with the ordinary flow of life, this policy has been made public and visible to the relevant parties on the website www.insperabodrum.com.
8.3. CIRCUMSTANCES WHERE THE PERSONAL DATA SUBJECT CANNOT ASSERT THEIR RIGHTS
Pursuant to Article 28 of the Law on the Protection of Personal Data, personal data subjects cannot assert their rights mentioned above in the following cases as they are excluded from the scope of the relevant law:
Processing of personal data for purposes such as research, planning, and statistics by making them anonymous with official statistics,
Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights, or do not constitute a crime,
Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized and empowered by law to ensure national defense, national security, public security, public order, or economic security, and
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings.
Pursuant to Article 28 of the Law on the Protection of Personal Data, personal data subjects cannot assert their other rights, except for the right to request compensation for damages, in the following cases:
Personal data processing being necessary for the prevention of a crime or for a criminal investigation,
Processing of personal data made public by the personal data subject themselves,
Personal data processing being necessary for the execution of auditing or regulatory duties and for disciplinary investigation or prosecution by authorized and empowered public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law.
SECTION 9: PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED WITHIN THE FACILITIES OF FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ AND DATA PROCESSING ACTIVITIES CONDUCTED VIA THE WEBSITE
PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT BUILDING AND FACILITY ENTRANCES AND WITHIN THE BUILDING FACILITIES
Personal data processing activities conducted by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ at building facility entrances and within the facilities are carried out in accordance with the Constitution, the LPPD Law, and other relevant legislation. For the purpose of ensuring security, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ carries out monitoring activities with security cameras and personal data processing activities for tracking guest entries and exits in its buildings and facilities. Personal data processing activity is carried out by the Company through the use of security cameras and the recording of guest entries and exits.
CAMERA MONITORING ACTIVITIES CONDUCTED AT AND WITHIN THE ENTRANCES OF BUILDINGS AND FACILITIES BELONGING TO FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ
In this section, explanations regarding the camera monitoring system of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ will be made, and information will be provided on how personal data, privacy, and fundamental rights of the person are protected. Within the scope of the surveillance activity with security cameras, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ aims to protect interests related to ensuring the security of the company and other persons.
Legal Basis for Camera Monitoring Activity
The camera monitoring activity carried out by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ is maintained.
Conducting Security Camera Monitoring Activity According to the LPPD Law
In conducting monitoring activities with cameras for security purposes, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ acts in accordance with the regulations in the LPPD Law. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ carries out security camera monitoring activities for the purposes envisaged in the relevant legislation in force and in accordance with the personal data processing conditions listed in the LPPD Law to ensure security in its buildings and facilities.
Announcement of Camera Monitoring Activity
In accordance with Article 10 of the LPPD Law, the personal data subject is informed by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ. FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ provides notification regarding the camera monitoring activity through more than one method in addition to the disclosure it makes regarding general matters. Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data subject and to ensure transparency and the enlightenment of the personal data subject. Regarding the camera monitoring activity by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ; this Policy is published on the FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ website (online policy regulation) and a notification text stating that monitoring will be carried out is hung at the entrances of the monitored areas (on-site disclosure).
Purpose and Limitation to the Purpose of Camera Monitoring Activity
In accordance with Article 4 of the LPPD Law, FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ processes personal data in a relevant, limited, and proportionate manner for the purposes for which they are processed. The purpose of maintaining the video camera monitoring activity by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ is limited to the purposes listed in this policy. In this direction, the monitoring areas, number, and when the monitoring will be carried out by security cameras are implemented as sufficient for and limited to achieving the security purpose. Monitoring is not carried out in areas (e.g., toilets) that could result in interference with a person's privacy exceeding security purposes.
Ensuring the Security of Obtained Data
In accordance with Article 12 of the LPPD Law, necessary technical and administrative measures are taken by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ to ensure the security of personal data obtained as a result of camera monitoring activities.
Retention Period of Personal Data Obtained through Camera Monitoring Activity
Detailed information regarding the retention period of personal data obtained through camera monitoring activity by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ is included in article 7.3 of this Policy, titled "Retention Periods of Personal Data."
Who Can Access the Information Obtained as a Result of Monitoring and to Whom This Information is Transferred
Only a limited number of employees of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ have access to live camera images and recordings recorded and preserved in digital environment. A limited number of persons with access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
TRACKING OF GUEST ENTRIES AND EXITS CONDUCTED AT AND WITHIN THE ENTRANCES OF THE COMPANY'S BUILDINGS AND FACILITIES
For the purposes of ensuring security and the purposes specified in this Policy, personal data processing activities are carried out by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ for tracking guest entries and exits in company buildings and facilities. While the names and surnames of persons coming to FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ buildings as guests are obtained, or through texts hung within FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ or offered to the access of guests in other ways, the personal data subjects in question are informed in this context. The data obtained for the purpose of tracking guest entry-exit are processed only for this purpose, and the relevant personal data are recorded in the data recording system in physical environment.
RETENTION OF RECORDS REGARDING INTERNET ACCESS PROVIDED TO THE COMPANY'S GUESTS AND WEBSITE VISITORS
For the purposes of ensuring security and the purposes specified in this Policy by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ; log records regarding the internet access of guests during their stay in our facilities are not recorded according to the mandatory provisions of Law No. 5651 and the legislation regulated according to this Law.
VISITORS OF THE COMPANY'S WEBSITE
On the websites owned by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ, the movements of persons visiting these sites are not recorded.
SECTION 10: ENFORCEMENT AND UPDATABILITY
This Policy has been regulated and put into effect by FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ. Updates can be made to the whole or part of the Policy. This policy is published on the website of FRAME BODRUM İŞLETME YÖNETİM VE TİCARET AŞ (www.insperabodrum.com) and is made available to the relevant persons upon the request of the personal data subjects.