1. BILGIN YACHTS - PERSONAL DATA PROTECTION LAW POLICY
Protection of personal data, BİLGİN YATÇILIK VE TURİZM İŞLT. TİC. LTD. ŞTİ (“Bilgin Yachts” or “Company”) is among the Values that our company places importance on. The most important parts of this law are protecting and processing of personal data of employees, Candidates, Shareholders and Shareholders, Potential Products or Service Persons, Interns, Supplier Employees, Supplier Authorities, Persons or Products and Service Visitors, and Persons Selling Products or Services, and Visitors who are liable to this policy.
Pursuant to Article 20 of the Constitution of the Republic of Turkey,all natural entities have the right to request protection of personal data related to themselves. Regarding the protection of personal data, which is a constitutional right, “Bilgin Yachts” complies to this Policy; It takes the necessary care to protect the personal data of our employees, Employee Candidates, Shareholders and Partners, Potential Products or Service Persons, Trainees, Supplier Employees, Supplier Authorities, Persons Who Offer Products or Services, Potential Products or Services Sellers, People Selling Products or Services, and Visitors and it makes it a company policy.
In this context, the necessary administrative and technical measures are taken by “Bilgin Yachts” to protect the personal data processed in accordance with the relevant legislation.
In this Policy, detailed explanations about the basic principles adopted by Bilgin Yachts and listed below will be made in the processing of personal data:
2.1.PURPOSE OF POLICY
The main purpose of this Policy is to make statements about personal data processing activities carried out in accordance with the law and the systems adopted for the protection of personal data and to ensure transparency by informing the persons whose data is processed by our personal data company such as Supplier Employees, Supplier Authorities, People Who Buy Products or Services, People Who Sell Potential Products or Services, People Who Sell Products or Services, and Visitors.
2.2.SCOPE OF THE POLICY
The provisions of this Law shall apply to natural persons (Employees, Employee Candidates, Shareholders and Partners, Potential Products or Service Persons, Interns, Supplier Employees, Supplier Authorities, Products or Services Persons, Potential Products or Services Sellers, Products or Services Sellers and Visitors) whose personal data are processed such data wholly or partly by automatic means or otherwise than by automatic means which form part of a filing system.
The scope of implementation of this Policy regarding the groups of personal data owners in the categories mentioned above may be the entire Policy; there may be only some provisions.
2.3.CODE OF PRACTICE IN REGARD WITH THE POLICY
The relevant legal regulations in force regarding the processing and protection of personal data will primarily be practiced. If there is a discrepancy between the current legislation and the Policy, our Company accepts that the current legislation will be valid.
The policy was created by embodying the rules laid down by PDP Law No. 6698 within the scope of “Bilgin Yachts” practices. Our company carries out the necessary systems and preparations to act in accordance with the enforcement periods stipulated in the PDP Law.
2.4.THE VALIDITY OF THE POLICY
This Personal Data Protection and Processing Policy, organized as the 1st version by our company, is dated 12.03.2018. In the event that all or certain articles of the Policy are renewed, the effective date and version of the Policy will be updated. The policy is published on the official website of our company (https://www.bilginyacht.com) or made available to the relevant persons upon the request of personal data owners from the company advisory unit.
3. CODE OF PRACTICES OF PERSONAL DATA PROTECTION
Our Company, in accordance with Article 12 of the Law on KVK, takes the necessary technical and administrative measures to ensure that the appropriate level of security is maintained so as to prevent illegal processing of personal data, to prevent illegal access to data, as well as to ensure data retention; within this scope, it performs required inspections or has these inspections done.
4. PROVIDING THE SECURITY OF PERSONAL DATA
Our company takes the necessary legal, technical and administrative measures regarding data security on the following issues, and shows the highest level of attention and care in this regard. Actions and measures taken by our company to ensure “data security” in accordance with Article 12 of the PDP Law are as follows.
4.1.LOOKING AFTER THE RIGHTS OF THE DATA OWNER AND EVALUATING THE DEMANDS
Our Company exploits required channels, internal working procedures, administrative and technical regulations in accordance with Article 13 of the PDP Law to evaluate the rights [and complaints] of personal data owners and to provide them with necessary information.
In case the personal data owners submit their requests in writing to our Company with regard to their rights listed below, their requests are finalized, depending on the nature of the request, within thirty days at the latest and free of charge. However, in case PDP Board requests fee, our Company shall charge the fee stated in the tariff to be determined by the PDP Board. Personal data owners have rights;
These are the legal rights.
In accordance with Paragraph 1 of Article 13 of LPPD, you can submit your requests to our company for using your above mentioned rights in written or through other methods determined by Personal Data Protection Committee. As the Board of Protection of Personal Data has not determined any method at this stage, applications must be submitted to our Company in writing as per the supervisory provision of the Law.
In order for the personal data owners to exercise their rights stated above, they must submit their requests to our Company, together with the necessary information to determine their identity and explanations regarding the rights they wish to use, by stating which of the rights specified in article 11 of the Law is related to the use; it will ensure that applications are responded more quickly and effectively.
In this context, the channels and procedures to which applications will be submitted in writing, within the scope of exercising the rights mentioned in Article 11 of the same Law, based on Article 13 of the Personal Data Protection Law, are explained below.
Once the application form given regarding the right of the personal data owner, who is intended to be used from the rights specified in Article 11 of the PDP Law; under the address of https://www.bilginyacht.com is filled in, a copy of the originally signed version of the same shall be submitted to the address located at BİLGİN YATÇILIK VE TURİZM İŞLETMECİLİĞİ TİCARET LİMİTED ŞİRKETİ Marmara Mahallesi, Ulusum Caddesi No: 28/1 West İstanbul Marina Beylikdüzü / İstanbul Türkiye in person or via notary or through other channels specified in the PDP Law.
In order for third parties to request an application in the name of personal data owners, a special power of attorney, issued by a notary public in the name of the person applying for the data owner and granted by the same, must be submitted.
4.2.PROTECTION OF SENSITIVE PERSONAL DATA
With the PDP Law, special importance has been attributed to the risk of causing personal injury or discrimination when certain data is processed illegally.
As stated in the definition section, information regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, memberships to associations and foundations, health, sexual life, criminal convictions and security measures and the bio-metric and genetic data of persons.
Our company treats with utmost care the protection of sensitive personal data which is determined as “sensitive” and processed in accordance with the PDP Law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary controls are provided. In addition, within the scope of administrative measures, it is kept in lockers in the room of the workplace doctor by the workplace doctor, who is obliged to keep secrets.
4.3.INFORMING THE PERSONAL DATA OWNER
Our Company elucidates personal data subjects during the retrieving of personal data in accordance with Article 10 of the PDP Law. In this context, during the acquisition of personal data by our Company to the personal data holders, the identity of our Company, for what purpose the personal data will be processed, to whom and for what purpose the processed data can be transferred, the method and legal reason of the personal data collection, and that the personal data owner has within the scope of article 11 of the PDP Law.
Article 20 of the Constitution sets forth that everyone has the right to be informed about personal data concerning her/him. Accordingly, Article 11 of the PDP Law mentions the right to "request information" as one of the rights of the personal data owners. In this context, the necessary information will be provided in the event that the Personal Data Owner requests information in accordance with Articles 20 of the Constitution and Article 11 of the PDP Law.
In addition to this, our Company informs the related persons in personal data processing activities and accountability within this framework by informing all the subjects in the PDP Law and personal data owners and those concerned with personal data processing activities in accordance with the “Law and good faith” rule with various public documents. In addition, our Company is responsible for the relevant people; It also informs about its own activities and the issues in the law in many different ways, especially when people apply for “open consent”.
5. PROCESSING OF PERSONAL DATA
In accordance with article 20 of the Constitution and article 4 of the PDP Law, our company is responsible for processing personal data; in accordance with law and good faith rules; correct and up to date when necessary; by pursuing specific, clear and legitimate purposes; purpose-bound, limited and measured personal data processing activities. Our Company retains personal data as long as required by law or as required for personal data processing purposes.
In accordance with Article 20 of the Constitution and Article 5 of the PDP Law, our company processes personal data based on one or more of the conditions in the 5th article of the PDP Law.
Our Company complies with the regulations envisaged for the processing of data of special nature, pursuant to the provisions of Article 6 of the PDP Law.
Our Company, in accordance with the Articles 8 and 9 of the PDP Law, complies with the regulations stipulated by the Law and set forth by the PDP Board on the transfer of personal data.
In business relations, personal data is processed without further approval, if necessary, for the establishment, implementation and termination of the employment contract. Personal data of candidates are processed when starting a business relationship. If the candidate is rejected, the information of the candidate is kept for the appropriate data retention period for a subsequent election stage, at the end of this period, it is deleted, destroyed or anonymized.
Data transactions carried out explicitly in the law or due to the Company's legal obligation
Personal data may be processed without prior consent for the processing to be clearly stated in the relevant legislation or for the purpose of fulfilling a legal obligation set out in the legislation.
Employee personal data can also be processed without the approval of a legitimate interest of the Company. Legitimate interests are usually legal (eg filing, enforcement or defense of legal rights) or economic (eg. Evaluation of the company). In personal situations where the interests of employees need to be protected, personal data are not processed for legitimate interests. It is determined whether there are interests that require protection before the data is processed. When the data of the employees are processed based on the legitimate interest of the Company, it is examined whether the processing is measured. It is checked that the legitimate interest of the company in taking this control measure does not violate a right of the relevant employee that needs to be protected and is applied only if measured.
If personal data is processed exclusively through automated systems as part of the business relationship (eg, as part of personnel selection or evaluation of talent profiles), the Employee has the right to object to the emergence of a result against himself.
Telephone equipment, email addresses, intranet and internet, as well as internal networks, are provided by the Company primarily for business related tasks. These are working tools and Company resources. These tools should be used in accordance with legal regulations and the Company's internal regulations. There is no general control over telephone and email communication or intranet and internet use. In order to prevent attacks against the IT infrastructure or individual users, protective measures are taken in the transition to the Company network to block technically harmful content or to analyze the modeling of the attacks. The use of telephone equipment, email addresses, intranet / internet and / or social networks within the company is kept for a limited time for security reasons. Personal evaluations of this data are made only if there is a concrete suspicion about the legal regulations or violations of Bilgin Yachts regulations. These controls are carried out by the relevant departments only on condition that the principle of proportionality is preserved.
6. PROCESSING OF PERSONAL DATA ACCORDING TO THE PRINCIPLES PROVIDED IN THE LEGISLATION
Our company; acts in accordance with the general trust and honesty rule with the principles brought by legal regulations in the processing of personal data. In this context, our company takes into consideration the proportionality requirements in processing of personal data, and does not use personal data other than for its intended purpose.
Our company ensures that personal data it processed are accurate and up-to-date, taking into account the fundamental rights of personal data subjects and their legitimate interests. In this respect, our company takes necessary measures.
Our company clearly and accurately determines the legitimate and lawful personal data processing purpose. Our company is associated with the service that it provides personal data and processes as much as necessary for them. The purpose for which personal data will be processed by our company is determined before the personal data processing activity begins.
Our company processes personal data in a way to achieve the identified purposes, and avoids the processing of personal data that is not required or not related to the realization of the purpose.
Our company maintains personal data only for the time required by the relevant legislation or for the purpose for which it was processed. In this context, our company determines whether a period has been stipulated for the storage of personal data in the relevant legislation; if this is the case, it takes into account this period; otherwise it retains personal data for the time period required for the purpose for which they were processed. In the event that the reasons that require the expiration or processing of the period disappear, the personal data are deleted, destroyed, disposal processes or anonymized by our Company.
6.1.LIMITED PROCESSING OF PERSONAL DATA
Pursuant to the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by law or with the express consent of the person. Our company accordingly and in accordance with the Constitution, processes the personal data only in cases stipulated by law or with the express consent of the person.
The explicit consent of the personal data owner is only one of the legal bases that make it possible to process personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of any of the other conditions written below. The basis of the personal data processing activity can be only one of the following conditions, and more than one of these conditions may be the basis of the same personal data processing activity. In the event that the processed data is sensitive, the following conditions apply.
Although the legal basis for the processing of personal data by our company varies, all kinds of personal data processing activities are taken in accordance with the general principles set out in Article 4 of the Law No. 6698.
One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data subject should be disclosed on a specific subject, based on information and free will. For the processing of personal data based on the explicit consent of the personal data owner, explicit consent of the customers, potential customers and visitors is obtained through relevant methods.
The personal data of the data subject can be processed in accordance with the law if clearly prescribed by law.
Personal data may be processed if the personal data of the person who is unable to disclose his consent due to de facto impossibility or whose consent cannot be validated is required to protect himself or another person's life or body integrity.
In case of the fact that it is required to process personal data of the parties to the contract, provided that the processing is directly related to the conclusion or fulfilment of that contract.
If processing is mandatory for our company to fulfill its legal obligations as the data collector, the personal data of the data subject can be processed.
If the data subject has his personal data publicized, the relevant personal data can be processed.
If it is necessary to process data for the establishment, use or protection of a right, the personal data of the data owner may be processed.
If the data processing is mandatory for our Company's legitimate interests, the personal data of the data subject can be processed, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
6.2.PROCESSING SENSITIVE PERSONAL DATA
In processing personal data designated as "data of special nature" by the PDP Law, our Company strictly adheres to the regulations stipulated in the Law.
In Article 6 of the PDP Law, a set of personal data, when illegally processed, which have the risk of causing unjust suffering or discrimination, are identified as "data of special nature". These data are the personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.
In accordance with the PDP Law, our Company processes the sensitive personal data, provided that adequate measures are determined by the PDP Board:
6.3.TRANSFER OF PERSONAL DATA
Our company is able to transfer the personal data and the sensitive personal data of the data owner to third parties by taking the necessary security measures in accordance with the purposes of processing the personal data which is obtained and processed pursuant the law. In this respect, our Company acts in accordance with the provisions of Article 8 of the PDP Law.
Our Company may transfer personal data to third parties, in line with its purposes of legitimate and lawful processing personal data and in some circumstances in order to increase the data protection. Our Company transfers the personal data to foreign countries where PDP Board confirms their adequate protection ("Foreign Countries with Adequate Protection") or in case of the absence of adequate protection commits an adequate protection of responsible data in Turkey and in the foreign countries in writing and to foreign countries where the PDP Board's permission (“Foreign Country where the Data Supervisor Undertakes Adequate Protection is Located”). Accordingly, our company acts in accordance with the regulations stipulated in article 9 of the PDP Law.
7. PROCESSING PURPOSES AND STORAGE PERIOD OF PERSONAL DATA PROCESSED BY OUR COMPANY
In accordance with Article 10 of the PDP Law, our company reports to which personal data owner groups process which personal data, the purposes of personal data processing, and the retention periods of the personal data owner.
8. CATEGORIZATION OF PERSONAL DATA
Before our Company; personal data in the below given categorization is processed by informing the persons concerned as per Article 10 of the PDP Law, in line with the purposes of legitimate and lawful processing personal data of our Company, by basing on and within limits of one or more conditions of processing personal data stated under Article 5 of the PDP Law, by complying with general principles indicated under the PDP Law, in particular with the principles stated under Articles 4 regarding the processing personal data, and all obligations set forth in the PDP Law, and limited with the subjects within the scope of this Policy (our candidate personnel, company shareholders, company officials, our visitors, personnel, shareholders and officials of the institutions we cooperate with, our customers, our potential customers, our members, our visitors to our web site and mobile application and other third parties).
9. PURPOSES OF PERSONAL DATA PROCESSING
The Company processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of article 5 and paragraph 3 of article 6 of the PDP Law. These terms and conditions are as follows:
The event that personal data owner's health or sexual life are processed by the persons or authorized organizations obliged to protect privacy for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
In this context, the “Company” processes your personal data for the following purposes:
The explicit consent of the personal data owner is provided by the “Company” regarding the relevant processing, if the processing carried out for the above-mentioned purposes does not meet any of the conditions stipulated under the PDP Law.
10. STORAGE PERIOD OF PERSONAL DATA
Our Company retains personal data for the required period stipulated by the PDP Law and the relevant legislation or for the purpose for which they are processed.
Unless a period of time has been regulated in the legislation regarding how long the personal data should be stored, the Personal Data is processed for a period that requires the processing of the "Company" in accordance with the practices and business practices of the "Company", and then deleted, destroyed. or anonymized.
If the purpose of processing the personal data expires, and the relevant legislation becomes obsolete, and the retention periods determined by the Company also comes to close, personal data can only be stored for the purposes of potential legal disputes, or claims on related rights linked to personal data, or preparations of statement of defense. In setting the time spans, retention periods are determined based on prescription periods for claiming the mentioned right, and even though the prescription periods expires, the examples of requests previously directed to our company on the same issues. In this case, retained personal data are not accessible for any other reason except for the requirements of legal disputes. Personal data is deleted, destroyed or anonymized once the mentioned period has expired. During this period, the access to the relevant Personal Data is only for those who regulate the user authorizations that act as Data Processors in Information Technologies by the Data Officer.
11. THIRD PARTIES THAT PERSONAL DATA IS TRANSFERRED BY BILGIN YACHTS AND PURPOSE OF TRANSFER
In accordance with Article 10 of the PDP Law, our Company informs the personal data subject of the groups to whom personal data are transferred.
In accordance with Articles 8 and 9 of the PDP Law, the “Company” may transfer the personal data of the data subjects managed by the Policy to the following categories:
12. CODE OF PRACTICE TO INFORM VISITORS ON PDP LAW,
12.1. PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT IN BILGIN YACHTS FACILITIES
Personal data processing activities carried out by the “Company” in the Center, Istanbul Branch are carried out in accordance with the Constitution, PDP Law and other relevant legislation.
In order to ensure security, our company conducts monitoring activities with security cameras in the buildings and premises, and data processing for tracking guest entrance and exits.
Our Company carries out personal data processing through the use of security cameras and recording of guest entrance and exits.
“Company” surveillance activity through security cameras, act in accordance with the Constitution, PDP Law and other relevant legislation with the aim to protect the interests of the company and other persons in order to ensure the safety of our company.
Image records of our visitors are taken through the camera monitoring system at the building, facility entrances and inside the facility. The objectives of our company in surveilling with security cameras are to improve the quality of the service provided, to ensure the reliability of the company, to deliver the security of the customers, the company and other people, to protect security of benefits of customers about the service they receive.
Our Company complies with the regulations of the PDP Law in conducting surveillance activities with security cameras.
Our company conducts camera surveillance activities in accordance with the Law on Private Security Services and related legislation. Only a limited number of Company employees have access to records that are stored digitally. In accordance with Article 12 of the PDP Law, technical and administrative measures are taken in order to ensure the security of the personal data obtained by the surveillance activities.
Apart from recording with the above camera, our Company carries out processing activities such as tracking guest entries and exits in order to ensure security and for the purposes specified in this Policy.
When the names and surname of the people who come to the premises of Our Company as a guest are obtained, those personal data subjects are informed through the texts. The data obtained for tracking guest entrance and exits are processed for this purpose only, and the personal data are recorded in the data recording system in physical domains.
For the purpose of ensuring company security and in line with the purposes of this Policy, our company provides Internet access to the guests who request so during their stay in our buildings and premises. In this case, log records of your internet access are saved in accordance with the Law No. 5651 and the imperative provisions of the legislation regulated by this Law; and these records are processed only if requested by authorized state institutions and organizations, or required for the audit process within the company in order to fulfill its legal obligation.
Only a limited number of Company employees have access to the log records obtained within this framework. Company employees having access to the mentioned records have access to these records only for use in the demand from the authorized state institutions and organizations, or for use in the audit processes, and they share the records with legally authorized persons. A limited number of people having access to the records declare, through the confidentiality commitment, that they will protect the confidentiality of the data they access.
12.2. VISITORS OF OUR WEBSITE
13. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Although Bilgin Yachts has been processed in accordance with the provisions of the relevant law, as stipulated in the 138th article of the Turkish Penal Code and the 7th article of the PDP Law, in case of the disappearance of the reasons requiring the processing, or upon the request of the personal data owner, data is deleted, destroyed or anonymized.
13.1. LIABILITY OF BILGIN YACHTS TO DELETE, DESTRUCT AND ANONYMIZE THE PERSONAL DATA
Although it has been processed in accordance with the provisions of the relevant law, as stipulated in Article 138 of the Turkish Penal Code and Article 7 of the PDP Law, personal data will be deleted based on the decision of “Bilgin Yachts” or upon the request of the personal data owner, are destroyed or anonymized. In this context, our Company taking the necessary technical and administrative measures within the Company to fulfill its related obligations; has developed the necessary mechanisms for this issue; In order to behave in compliance with these obligations, it trains relevant business units, provides them with their assignments and awareness.
13.2. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
13.2.1. Techniques of Deleting and Destroying Personal Data
Although Bilgin Yachts has processed personal data in accordance with the provisions of the relevant law, in case the reasons for the processing disappear, it may delete or destruct the personal data on the basis of its own decision or at the request of the personal data owner. Within this scope, Bilgin Yachts deletes or destructs personal data by using the following techniques:
Personal data can also be processed in non-automated ways, provided that it is part of any data recording system. When deleting/destructing such data, the system of physical destruction of personal data is applied in a manner that it could not be used subsequently.
When deleting/destructing data processed in fully or partially automated ways and stored in digital media; the methods for deleting data from the related software in a manner that it cannot be recovered.
In some cases, "the company" may agree with an expert to delete personal data on its behalf. In this case, the personal data is safely deleted/destructed by the person who is skilled in this field in a manner that it cannot be recovered.
13.2.2. Techniques to Anonymize Personal Data
Anonymization of personal data refers to making personal data unlikely to be associated with any identifiable or unidentifiable real person in any way even when the personal data is paired with other data. Our company may anonymize personal data when the reasons for processing the personal data processed in accordance with the law are disappeared.
In accordance with Article 28 of the PDP Law; anonymized personal data can be processed for research, planning and statistics purposes. Such transactions do not fall under the scope of the PDP Law, the explicit consent of the personal data owner is not required. Since the personal data processed by making it anonymous shall fall outside the scope of the PDP Law, the rights regulated under Article 2 of the Policy shall not apply to such data. The most commonly used anonymisation techniques by Bilgin Yachts are listed below.
This is the method in which key determinant information of personal data is extracted from data set with data masking and personal data is anonymized.
Through data aggregation method, several data is aggregated and personal data is made in a manner that is not associated with any person.
Through data derivation, more general content is created from the content of the personal data and it is ensured that personal data is made in a manner that is not associated with any person.
Through data shuffling, the values in the personal data set are mixed and the connection between the values and the persons is broken down.