BARER CORPORATE YATIRIM HOLDING A.Ş.
CORPORATE PERSONAL DATA PROTECTION POLICY
The right of every individual to demand the protection of personal data about himself/herself is a sacred right arising from the Constitution. As Barer Corporate Yatırım Holding A.Ş., we consider fulfilling the requirements of this right as one of our most valuable duties. For this reason, we attach importance to the processing and protection of your personal data in accordance with the law.
As a result of the importance we attach to the protection of personal data, this Corporate Personal Data Protection Policy has been prepared in order to determine the principles and procedures we apply while processing and protecting personal data.
The Policy covers all kinds of processes to be performed on the personal data managed by Barer Corporate Yatırım Holding A.Ş. such as obtaining, saving, storing, retaining, modifying, revising, describing, transferring, taking over, making available, classifying or blocking the use of personal data by fully or partially automated means or by non-automated means provided that they are a part of any data recording system.
The policy relates to all processed personal data of Barer Corporate Yatırım Holding A.Ş.'s partners, officials, customers, employees, supplier officials and employees, and third parties.
Barer Corporate Yatırım Holding A.Ş. may amend the Policy for the purposes of compliance with the applicable regulations and decrees of the Personal Data Protection Authority and improvement in protection of personal data.
| Term | Definition |
|---|---|
| Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent that is related to a specific issue, based on information and expressed with free will. |
| Anonymization | Rendering personal data impossible to associate with any identified or identifiable real person in any way, even when matched with other data. |
| Data Subject | Real person whose personal data are processed. |
| Related User | The persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except the person or unit technically responsible for the storage, protection and backup of the data. |
| Destruction | Deletion, destruction or anonymization of personal data. |
| Law / KVKK | Personal Data Protection Law no. 6698. |
| Recording Medium | Any medium containing personal data processed by fully or partially automated means, or by non-automated means provided that they are part of any data recording system. |
| Personal Data | All kinds of information related to an identified or identifiable person. |
| Data Inventory | The inventory created and elaborated by data controllers by associating personal data processing activities carried out by data controllers depending on the business processes and personal data processing purposes and the legal reason with the data category, the transferred recipient group and the data subject group, and where they explain the maximum retention period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security. |
| Processing of Personal Data | All kinds of processes performed on personal data such as obtaining, saving, storing, retaining, modifying, revising, describing, transferring, taking over, making available, classifying or blocking the use of personal data by fully or partially automated means or by non-automated means provided that they are a part of any data recording system. |
| Commission | Personal Data Protection Commission established by Barer Corporate Yatırım Holding A.Ş. to manage the Policy and other related procedures and ensure the enforcement of the Policy. |
| Board | Personal Data Protection Board. |
| Institution | Personal Data Protection Institution. |
| Sensitive Personal Data | Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data. |
| Periodic Destruction | The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data retention and destruction policy, in the event that all of the personal data processing conditions specified in the Law are eliminated. |
| Policy | Personal Data Protection Policy. |
| Data Processor | Real or legal person who processes personal data on behalf of the data controller with the authorization granted by the data controller. |
| Data Controller | Real or legal person who determines the purposes and means of personal data processing and assumes responsibility for establishing and managing the data recording system. |
4. GENERAL PRINCIPLES
Barer Corporate Yatırım Holding A.Ş. checks the compliance of the data to be processed with the following principles at the preparation phase of each workflow which requires processing of new personal data. Workflows which are not compatible with the relevant principles are not implemented. When processing personal data, Barer Corporate Yatırım Holding A.Ş. shall:
(I) Comply with the law and principles of integrity.
(II) Ensure that personal data are accurate and up-to-date if and when necessary.
(III) Make sure that the purpose of processing is specific, explicit and legitimate.
(IV) Confirm that the data processed are relevant to the purpose of processing and the processing is restrained and limited to the extent required for the purpose.
(V) Ensure retention of personal data to the extent provided in the relevant regulation or required for the purpose of processing and destroy the personal data once the processing purpose is no longer applicable.
5. DUTIES AND RESPONSIBILITIES
The Personal Data Protection Commission has been established within Barer Corporate Yatırım Holding A.Ş. in order to manage the Policy and other related procedures and ensure the enforcement of the Policy. The Commission consists of the General Manager, Human Resources Officer, Administrative and Financial Affairs Chief and Company Lawyer. Barer Corporate Yatırım Holding A.Ş. also receives KVKK consultancy support when necessary, in order to comply with the Personal Data Protection Law No. 6698. The Commission, if it deems necessary, may call the KVKK consultant to its meetings.
The duties and responsibilities of the Commission are specified below.
(I) It normally convenes every 6 months. Extraordinary meetings may be held if the circumstances require it (for example, in the event of an alleged data breach).
(II) It discusses the issues that need to be changed/improved in the Policy.
(III) It identifies the issues that can be fulfilled for lawful processing and protection of personal data.
(IV) The Commission determines the steps that can be taken to increase KVKK awareness within the company and among business partners.
(V) It identifies the risks that may be encountered in the processing and protection of personal data and takes the necessary administrative and technical measures.
(VI) It establishes communication with the Institution and manages the relations.
(VII) It evaluates the requests from Data Subjects.
(VIII) It monitors the periodic destruction processes.
(IX) It updates the Data Inventory.
(X) It makes the assignments regarding the above-mentioned issues.
6. MEASURES TAKEN FOR DATA SECURITY
Barer Corporate Yatırım Holding A.Ş. takes all kinds of technical and administrative measures necessary to ensure the appropriate level of security in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, (iii) ensure safekeeping of personal data.
6.1. Technical Measures
(I) Network security and application security are ensured.
(II) Security measures within the scope of procurement, development, and maintenance of information technology systems are taken.
(III) Access logs are kept regularly.
(IV) Current anti-virus systems are used.
(V) Firewalls are used.
(VI) Necessary security precautions are taken for entry to and exit from the physical media containing personal data.
(VII) Physical media containing personal data are protected against external risks (fire, flood, etc.).
(VIII) The security of media containing personal data is ensured.
(IX) Personal data is backed up and the security of the backed-up personal data is also ensured.
(X) User account management and authorization control system are implemented and monitored.
(XI) Log records are kept without user intervention.
(XII) Intrusion detection and prevention systems are used.
(XIII) Encryption is used.
6.2. Administrative Measures
(I) There are disciplinary arrangements that include data security provisions for employees.
(II) Training and awareness activities on data security are conducted periodically for employees.
(III) Corporate policies regarding the access to, security, use, storage and destruction of information have been prepared and started to be implemented.
(IV) Data masking measures are applied when necessary.
(V) Confidentiality commitments are made.
(VI) An authorization matrix has been created for employees.
(VII) The authorizations in this area of employees who are assigned to another position or who have left the job are removed.
(VIII) The contracts signed contain data security provisions.
(IX) Personal data security policies and procedures have been established.
(X) Personal data security problems are reported promptly.
(XI) Personal data security is monitored.
(XII) Personal data is reduced to the extent possible.
(XIII) Periodic and/or random internal audits are conducted or commissioned.
(XIV) Existing risks and threats have been identified.
(XV) Protocols and procedures for the security of sensitive personal data have been adopted and are being implemented.
(XVI) If sensitive personal data are to be sent via e-mail, they must be sent in encrypted form, using a registered e-mail or corporate e-mail account.
(XVII) Awareness of data processing service providers on data security is ensured.
7. RIGHTS OF DATA SUBJECT REGARDING PERSONAL DATA
The Data Subject can apply to Barer Corporate Yatırım Holding A.Ş. and make a request in order to:
(I) Learn if his/her personal data is processed,
(II) Request information if his/her personal data has been processed,
(III) Learn the purpose of processing of the personal data and whether they are used for this purpose,
(IV) Learn the third parties to whom his/her personal data is transferred in the country or abroad,
(V) In the event that his/her personal data is incomplete or improperly processed, request correction and demand notification of the relevant process to the third parties to whom his/her personal data has been transferred,
(VI) Even though the processing has been performed in accordance with the KVKK and other relevant legal provisions, if the reasons that require processing have been eliminated, request deletion, destruction or anonymization of his/her personal data and demand notification of the relevant process to the third parties to whom his/her personal data has been transferred,
(VII) Object to the emergence of any result to the detriment of him/her arising from analysis of his/her processed data exclusively by automated systems,
(VIII) Demand the compensation of the damage in case of loss due to processing of his/her personal data in violation of the law.
8. NOTIFICATION OF VIOLATIONS
Barer Corporate Yatırım Holding A.Ş. employees report to the Commission any work, action or event they consider to be in violation of the provisions of the KVKK and/or the Policy. If the Commission deems it necessary following this report of a violation, it convenes and creates an action plan against the violation.
If the violation has occurred through acquisition of personal data by third persons by unlawful means, the Commission shall communicate this situation to the data subject and the Board within 72 hours within the scope of the decision of the Board dated 24.01.2019 and numbered 2019/10.
The amendments to the Policy are prepared by the Commission and submitted to Barer Holding Board of Management for approval. The updated version of the Policy can be sent to employees via e-mail or posted on the website.
10. EFFECTIVE DATE
This version of the Policy has been approved by the Board of Management and entered into force on 02.11.2020.