GP&PARTNERS  

PERSONAL DATA PROTECTION AND PROCESSING POLICY 

 

1. PURPOSE 

The purpose of this policy is the personal data processing activities carried out by the Company in accordance with the Personal Data Protection Law dated 24 March 2016 and numbered 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677, and the relevant legislation and regulatory company decisions, and for the protection of personal data. making explanations about the systems adopted, ensuring the regulation and supervision of processes that require personal data processing within the company, raising the awareness of the legal processing of personal data in the units involved in the processing of personal data and placing a sense of responsibility in this context, our employees, employee candidates about our personal data processing processes, about our data processing processes by informing the persons whose personal data are processed by the Company, especially our officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties. a is to provide transparency. 

 

2. SCOPE 

This policy applies to automatic or any data recording of our employee candidates, employees, ex-employees, officials, visitors, participants, employees, shareholders and officials of various institutions/organizations such as supplier companies we cooperate with, and third parties within the scope of the activities carried out by the Company. It covers all personal data subject to processing by non-automatic means, provided that it is part of the system. 

The scope of the issues we have stated in this policy may cover all of these groups, which are counted according to the type of processing activity, or it may cover some groups, such as supplier company employees, wholly or partially. 

 

3. DEFINITIONS 

The terms used in this policy are used to have the following meanings, and if a different term is used instead of the related term or a different meaning is given to the related term in terms of the terms defined in the legal legislation or regulatory company decisions, the Company does not require a further change. shall be considered as amended in the application of this policy as of the effective date of the change: 

​

EU: European Union, 

Constitution: Published in the Official Gazette dated 9 November 1982 and numbered 17863; Constitution of the Republic of Turkey dated 7 November 1982 and numbered 2709

express consent: Consent on a specific subject, based on information and expressed with free will, 

Anonymization: Personal data will lose its quality as personal data and this situation cannot be undone, for example; blackout, masking, aggregation, data corruption etc. making it impossible to associate with a real person with techniques, 

Application form: It will include the application of personal data owners/relevant persons to exercise their rights, within the scope of the policy www.gppartners.org"Application Form for Applications to be Made by the Related Person (Personal Data Owner) to the Data Controller in accordance with the Law on Protection of Personal Data No. 6698", which explains the method of the application, which can be accessed from the website, 

Employee candidate: Real persons who have applied for a job or internship in any way or have opened their CV and related information to the Company's inspection, 

Destruction: Deletion, destruction or anonymization of personal data, 

Institutions/organizations with which we cooperate: The Company's employees, shareholders and officials, including the shareholders and officials of these institutions, working in the institutions with which it has all kinds of business relations (such as business partners, suppliers, but not limited to these),_cc781905-5cde-3194 -bb3b-136bad5cf58d_

Business partner: Parties with whom the company has established business partnerships while carrying out its activities, 

Participant: Person who attends any event, course or training organized by the company, 

Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system, any operation performed on the data, such as classification or preventing its use, 

Personal data: Any information relating to an identified or identifiable natural person. For example; name-surname, TCKN, mobile phone number, e-mail, contact address, etc., 

Personal data owner/relevant person: Natural person whose personal data is processed. For example; employees, visitors. 

Personal data retention and destruction policy: The policy on which data controllers base the process of determining the maximum period required for the purpose for which personal data is processed and the deletion, destruction and anonymization process, 

KVK Law: Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677, 

KVK Commission: Company Personal Data Protection Commission, which is responsible for ensuring compliance with the Company Personal Data Protection Law, KVK Board decisions and the provisions of the relevant legislation, the implementation of the regulated policies and the realization of the necessary audits, 

KVK Board / Regulatory Board: Personal Data Protection Board, 

KVK Authority/Regulatory Authority: Personal Data Protection Authority, 

periodic destruction: The deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy in case all the processing conditions of personal data in the law are eliminated, 

Policy: Company Personal Data Protection and Processing Policy, 

Special categories of personal data: Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress code, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,_cc781905- 5cde-3194-bb3b-136bad5cf58d_

Company official: Beylikdüzü Municipality Personnel Inc. Company Representative, 

Instructions: Short, simple, understandable written documents that explain how to do the steps of an activity and/or job and support the procedures, 

supplier: Parties that provide services to the Company on a contractual basis in accordance with the Company's orders and instructions while carrying out the Company's activities, 

Turkish Code of Obligations: Published in the Official Gazette dated February 4, 2011 and numbered 27836; Turkish Code of Obligations dated 11 January 2011 and numbered 6098, 

Turkish Penal Code: Published in the Official Gazette dated 12 October 2004 and numbered 25611; Turkish Penal Code No. 5237 dated September 26, 2004, 

Turkish Commercial Code: Published in the Official Gazette dated 14 February 2011 and numbered 27846; Turkish Commercial Code No. 6102 dated January 13, 2011, 

Company: GP&PARTNERS 

Company Authorized: GP&PARTNERS Official 

third person: Natural persons whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy (For example, companion, family members and relatives), 

data processor: The natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller, 

data controller: Person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system), 

Visitor: Real persons who have entered the physical campuses owned by the company for various purposes or visited our websites. 

1. APPLICATION 

4.1. BASIC PRINCIPLES 

Although the protection of personal data is a human right protected at the Constitutional level, it is one of the most sensitive issues of the Company. Within the framework of its activities, the company collects personal data from a wide variety of data groups such as visitors, employees, business partners, suppliers, and the processing and storage of this personal data in accordance with the provisions of the current legislation and the decisions of the KVK institution, which is the regulatory body operating in this field, in this context, on our employees. and raising a permanent awareness within the framework of respecting the right of personal data protection, which is a human right of other persons related to the Company, is among our priority values. 

All of our personal data processing activities to be carried out within the company, 

1. Compliance with the law and the rules of honesty, 

1. Being accurate and up to date when necessary, 

1. Processing for specific, explicit and legitimate purposes, 

1. Being connected, limited and restrained with the purpose for which they are processed, 

1. Keeping for the period required for the purpose for which they are processed or stipulated in the relevant legislation, 

1. Taking the necessary administrative and technical measures for the storage of personal data, 

1. Ensuring that the necessary sensitivity is shown in line with the rules stipulated in the processing of special quality personal data, which is under special protection due to its nature, 

1. Informing the personal data owners/related persons when required by the legislation and obtaining their explicit consent when deemed necessary, 

1. Taking the necessary administrative and technical measures in the transfer of personal data, controlling the data processing of the third parties to whom the transfer is made in accordance with the relevant legislation and regulatory company decisions, 

We do this in accordance with all the terms and conditions stipulated in the legislation in force, especially its principles, and the general principles of law. 

While requesting the protection of personal data is a right granted to individuals by the Constitution of the Republic of Turkey, we, as the Company, have adopted the principle of showing the highest degree of care in order to ensure that this right can be exercised in accordance with its essence. 

4.2. LEGAL REASONS FOR THE PROCESSING OF PERSONAL DATA 

In accordance with Article 20 of the Constitution and Article 5 of the KVK Law, the company changes its personal data depending on the nature of the processed personal data and the data processing process, but in accordance with Article 5/2 of the KVK Law regarding the processing of personal data. It operates based on one or more of the following conditions specified in the article: 

1. a) expressly stipulated in laws, e.g. Keeping personal information of the employee as per the law, 

1. b) It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized, eg. Location information of missing person, 

1. c) It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract, eg. For the delivery to be made, the company records the address information of the person concerned, 

ç) It is mandatory for the data controller to fulfill its legal obligation, eg. Sharing information on audits specific to areas such as banking, energy and capital markets, 

1. d) The person concerned has been made public, e.g. The person who wants to sell his house should include his contact information in the sales advertisement, 

1. e) Data processing is mandatory for the establishment, exercise or protection of a right, eg. Retaining necessary information about an employee who has left the job during the litigation timeout, 

1. f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, eg. Data processing for the purpose of applying rewards and bonuses that increase employee loyalty. 

In cases where it is understood that our personal data processing activity does not fall into any of the situations mentioned here, but this personal data processing is considered necessary and proportionate, explicit consent is obtained. 

If it is understood that the personal data subject to processing is personal data of special nature, in accordance with Article 6 of the KVK Law, there is no regulation stipulated in the law in terms of personal data other than health and sexual life; Personal data related to health and sexual life are processed by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. If it cannot be processed, it is processed within the scope of the explicit consent of the person concerned, provided that it complies with the principles of necessity and proportionality. 

4.3. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA 

Article 12 of the KVK Law, 

1. To prevent the unlawful processing of personal data, 

1. To prevent unlawful access to personal data, 

1. Ensuring the retention of personal data 

It has imposed obligations on the data controller to take all kinds of technical and administrative measures to ensure the appropriate level of security for its purpose. In accordance with the obligation set forth in this article, the Company takes the necessary legal, technical and administrative measures in order to ensure the security of personal data subject to processing activities. -5cde-3194-bb3b-136bad5cf58d_

4.3.1. The Company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVK Law and cannot use it for purposes other than processing, that they should not keep the personal data open to the access of others, and that these obligations will continue after they leave their job. commitments are taken from them accordingly. 

4.3.2. The Company acts sensitively in the protection of special quality personal data, which is determined as "special quality" by the KVK Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are provided. 

4.3.3. The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the imprudent or unauthorized disclosure, access, transfer or any other unlawful access to personal data. The company raises awareness among data processing institutions such as business partners and suppliers, to which personal data has been transferred, on the prevention of unlawful processing of personal data, preventing illegal access to data, and ensuring that data is kept in accordance with the law._cc781905- 5cde-3194-bb3b-136bad5cf58d_

4.3.4. The Personal Data Protection Commission has been established within the company in order to audit our personal data processing activities carried out in the company, to comply with the relevant legislation and regulatory company decisions and to ensure the continuity of this compliance, and to make the necessary updates. 

4.3.5. The company takes the necessary technical and administrative measures according to the technological possibilities and implementation cost in order to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes, and the transactions are recorded. 

4.3.6. In accordance with Article 12 of the KVK Law, the company carries out or has had it done, within its own body. The results of these audits are reported to the relevant unit supervisors and the KVK Commission within the scope of the internal functioning of the company, and new measures are taken within the framework of the recommendations and instructions of the KVK Commission or necessary activities are carried out to improve the measures taken. 

4.3.7. The company implements the system in which data owners/related persons can use their rights in the most effective way and be answered in Article 11 of the KVK Law. 

4.3.8. The company operates the system that ensures that the personal data processed in accordance with Article 12 of the KVK Law is obtained by others illegally, and this situation is reported to the relevant personal data owner/relevant person and the KVK Board as soon as possible._cc781905-5cde-3194- bb3b-136bad5cf58d_

4.3.9. The Company has established a personal data storage and destruction policy in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224, with Article 7 of the KVK Law._cc781905-5cde- 3194-bb3b-136bad5cf58d_

4.4. INFORMING AND INFORMING THE PERSONAL DATA OWNER / RELATED PERSON 

In accordance with Article 10 of the KVK Law and Article 4 of the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Clarification Obligation, the Company provides information to the relevant persons through various means in accordance with the content of the data processing activity. The following issues are included in the lighting provided in the relevant articles: 

1. a) Identity of the company that is the data controller, 

1. b) For what purpose we process/can process personal data, 

1. c) To whom and for what purpose we may transfer personal data, 

ç) Our personal data collection methods and legal reasons, 

1. d) Data owner/Relevant person listed in Article 11 of the Law and 4.6 of this policy. Other rights specified in article. 

Obligation to inform In accordance with Article 10 of the KVK Law, at the latest at the time of obtaining personal data, in case the personal data is not obtained from the person concerned, and in accordance with Article 6 of the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform,_cc781905-5cde -3194-bb3b-136bad5cf58d_

1. a) Within a reasonable time from the receipt of the personal data, 

1. b) In case personal data will be used for communication with the person concerned, during the first communication, 

1. c) In case personal data is to be transferred, at the latest at the time of the first transfer of personal data, 

Fulfilled. 

This policy can be easily accessed by the relevant people www.gppartners.orgThe purpose of its publication on the website contributes to the transparency of the Company's personal data processing activities and thus to the protection of the right to personal data protection in accordance with the essence of the right. 

4.5. TRANSFERRING PERSONAL DATA 

The Company may transfer the personal data and sensitive personal data of the personal data owner/relevant person to third parties by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Accordingly, the company acts in accordance with the regulations stipulated in Article 8 of the KVK Law. 

In the transfer of personal data abroad by the company, the foreign countries with adequate protection have not yet been disclosed by the KVK Board, but in case of obtaining the explicit consent of the data owner/relevant person or in the absence of sufficient protection, the data controllers in Turkey and the relevant foreign country declare in writing an adequate protection. The appropriate method of approval of the KVK Board of the undertaking is used. In the event that the aforementioned safe country list is announced by the KVK Board, this option may also be preferred as a method, and the data owner/relevant person is informed about which method is preferred during the data collection phase as much as possible. In this context, the Company complies with the regulations stipulated in Article 9 of the KVK Law. 

4.6. FOLLOWING THE RIGHTS OF THE DATA SUBJECT/RELATED PERSON; CREATING CHANNELS TO CONSULT THESE RIGHTS TO THE COMPANY AND EVALUATION OF THE REQUESTS OF DATA OWNERS/ RELATED PERSONS 

The rights of the data owner/relevant person are regulated in Article 11 of the KVK Law, and the rights that can be exercised by applying to the data controller are as follows: 

1. a) Learning whether personal data is processed, 

1. b) If personal data has been processed, requesting information about it, 

1. c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose, 

ç) Knowing the third parties to whom personal data is transferred in the country or abroad, 

1. d) Requesting correction of personal data in case of incomplete or incorrect processing, 

1. e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVK Law (even though it has been processed in accordance with the provisions of the KVK Law and other relevant laws, in case the reasons requiring it to be processed disappear), 

1. f) Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred, 

1. g) Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automated systems, 

ğ) To request the compensation of the damage in case of loss due to the unlawful processing of personal data. 

It has established the necessary channels in accordance with Article 13 of the KVK Law in order to evaluate the requests to be sent to the company by the personal data owners or the related persons and to provide the necessary information to the personal data owners/related persons. technical arrangements are also carried out through the aforementioned commission. 

The remedies provided for in this article are organized as follows: 

• A signed copy of the application form of the person concerned is "Cumhuriyet Mahallesi Atatürk Blv. Adm Site. - Apt. No: 8/35 Beylikdüzü/Istanbul” in person or by a proxy authorized by a power of attorney with special authority, 

• A signed copy of the application form of the person concerned is "Cumhuriyet Mahallesi Atatürk Blv. Adm Site. - Apt. No: 8/35 Beylikdüzü/İstanbul” by registered letter with return receipt, 

• A signed copy of the contact application formkvkk@gppartners.org email address 

You can forward it. 

… 

In order to be able to apply to the remedies set forth herein, the applicant must submit the supporting documents supporting his/her identity to the company through the channel he/she prefers, as well as explaining what the claims are in the application document and which right is sought to be exercised. It has been announced on the website and brought to the attention of those concerned. 

The procedure to be followed by the company in case of a request within the scope described is as follows: 

In accordance with the legal regulations, the requests submitted to the company by one of the methods specified above by the data owners or related persons will be evaluated according to the nature of the request, and the requester will be answered free of charge as soon as possible and within 30 (thirty) days at the latest. In the first examination, if it is understood that the information and documents required for a sound evaluation can be made, the applicant will be informed in writing immediately. 

If it is understood that the transaction also requires a cost, as soon as this situation is understood, the requester will be informed about this issue immediately and it will be stated that the requester must cover this cost, taking into account the current tariffs published by the KVK Institution. If the requester does not cover this cost, the requests will be evaluated at the point of whether they can be discriminated against free of charge, and if it is understood that it is not possible, a written response will be given to the requester. 

If it is understood that the application is acceptable as a result of the evaluation of the requester's request, necessary arrangements will be made immediately and necessary measures will be taken to minimize the possible damages that may arise from the alleged violation. 

4.7. DISPOSAL OF PERSONAL DATA 

4.2 of this policy. In the event that the personal data processing conditions, which are processed within the framework of the legal reasons set forth in the article, are completely eliminated in terms of personal data, these personal data are destroyed ex officio or upon the request of the person concerned, by deletion, destruction or anonymization. 

In the deletion, destruction or anonymization of personal data, 4.1 of this policy. In accordance with the basic principles set forth in the article, the technical and administrative measures to be taken for the protection of this personal data, the provisions of the relevant legislation, the Board decisions and the personal data storage and destruction policy. Inspections are carried out within the Company within the framework of the calendar arranged by the KVK Commission, at the latest every 3 months by the Company. In the light of the reports prepared as a result of these regular audits, personal data that is determined to have no purpose of processing are destroyed periodically. 

In case the data subject has a request for destruction, the following audit period is not expected, the request is evaluated immediately and within 30 days at the latest, after the request is duly received by the Company, and if deemed necessary, destruction is carried out with the method deemed appropriate within the same period and the requester is informed._cc781905-5cde -3194-bb3b-136bad5cf58d_

If the data destroyed within the scope of this article is transferred to third parties at any time, these third parties are informed about the transaction and it is ensured that the third parties take the necessary actions. 

All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the Personal Data Disposal report by the relevant unit, and these records are kept in the Legal Unit for at least three years, excluding other legal obligations._cc781905 -5cde-3194-bb3b-136bad5cf58d_

Unless a contrary decision is taken by the KVK Board, the company chooses the appropriate method of deletion, destruction or anonymization of personal data ex officio. In case of destruction based on the request of the person concerned, an explanation is given to the requester regarding the reason for choosing the appropriate method. If the conditions for the processing of personal data are not completely eliminated, the company may reject the request by explaining the reason to the requester, in which case the requester is informed through the appropriate means. 

Anonymous data obtained by the anonymization of personal data can be used by the Company for purposes such as using for statistical purposes stipulated by the KVK Law. 

In this context, the company takes the necessary technical and administrative measures within the company in order to fulfill its related obligation; has developed the necessary working mechanisms in this regard; In order to comply with these obligations, the relevant business units are trained, assigned and their awareness is increased within the framework of the planning and decisions taken by the KVK Commission. 

1. METHOD 

5.1. IMPLEMENTING POLICY AND LEGISLATION 

In the personal data processing activities carried out by the company, the provisions of the legislation in force and the regulatory company decisions are applied to the extent that they are suitable for their nature. In case of inconsistency with any of the provisions or decisions set forth in this policy, the rules most favorable to the personal data owners/relevant persons are taken into account. 

5.2. EFFECTIVE DATE 

This policy issued by the company entered into force on 01.01.2021. If some of the articles in this policy are changed partially or completely, the relevant change will be effective as of the date of publication of the change. 

This policy is published at www.gppartners.org, and changes are posted accordingly. If requested, a copy of the policy will be sent to the person concerned, either physically or electronically. 

5.3. THE RELATIONSHIP OF THE COMPANY'S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES AND INTERNAL GUIDELINES 

The company, the principles set forth by this policy; ensures the implementation of the relevant principles within the Company with the policy it has set forth for the execution. In connection with the policy on the protection of personal data and other policies, procedures and internal directives carried out by the company in other fields, compatibility is also ensured between the processes operated by the Company for similar purposes with different policies, procedures and internal guidelines. This policy is primarily taken into account in the matters to be applied in relation to it. 

5.4. REVIEW 

This policy will be reviewed by the KVK Committee every year in January and July, and the changes and updates are published on the website with the approval of the Official. 

5.5. REVIEW AND CONFIRMATION TABLE 

Attachments: 

• Law No. 6698 on the Protection of Personal Data 

• Personal Data Processing and Protection Policy 

• Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Light 

• Communiqué on Application Procedures and Principles to Data Controller 

• Data Retention and Disposal Policy 

• Exercising the Rights of Related Persons 

• KVK Law Related Person Application Form