In accordance with the Article 20 of the Constitution titled "Privacy of Private Life", the Law on the Protection of Personal Data No. 6698 ("Law") and the applicable regulations and notifications, the processing of personal data obtained by Dizaynvip Teknoloji Bilişim Ve Otomotiv Sanayi Anonim Şirketi ("Company") protects the fundamental rights and fundamental rights of data owners (customer, potential customer, visitor, business partner, employee, employee candidate, former employee, third party company employee, etc.), especially the right to privacy. The purpose of this Policy is to protect their freedoms and ensure that the data controller who processes personal data carries out the data processing activity in accordance with the law, and to determine the principles regarding the protection, processing, storage and, when necessary, destruction of the personal data obtained.
Establishing the procedures and principles of the data processing activity carried out by the Company determines the scope of this Policy, considering that all kinds of operations such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of all kinds of information regarding an identified or identifiable natural person as personal data, by the data controller as personal data, by fully or partially automatic or non-automatic means, provided that it is part of any data recording system, are accepted as data processing activities.
This Policy, the Turkish Code of Obligations No. 6098, the Turkish Commercial Code No. 6102, the Law No. 6698 on the Protection of Personal Data, the Law No. 6563 on the Regulation of Electronic Commerce, the Regulation on the Registry of Data Controllers No. 30286, the Regulation on the Deletion, Destruction or Anonymization of Personal Data No. 30224, Personal Health It has been prepared in accordance with the relevant legislation, especially the Regulation on Processing of Data and Protection of Privacy, and the rules shown in the regulations, communiqués, decisions and guides published by the Board.
If there is a change in the Law or other relevant legislation after the date of publication of the Policy by the Company and the Policy becomes incompatible with such change, the amended provisions and rules will be applicable. All notifications, decisions and guides published by the Board are followed by the Company, and the rules stipulated by the Policy are kept up to date.
The Policy was published on the Company's website https://dtec.app/tr and entered into force on the date of its publication.
According to Article 12 of Law No. 6698, the data controller;
It is obliged to take all necessary administrative and technical measures to ensure the appropriate level of security for this purpose.
For the reasons explained above, the Company implements security measures to prevent unlawful processing of personal data, transfer and disclosure to third parties, unauthorized access and security deficiencies arising through other means. Explanations regarding the administrative and technical measures taken VI. It is included in the ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA section.
Data that is sensitive due to its nature and that may cause victimization or discrimination to data owners if it falls into the hands of third parties are accepted as special personal data within the scope of the Law. Special personal data consists of the person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. Processing of special categories of personal data is prohibited as a rule, and may be processed in limited cases by law.
All necessary measures are taken by the Company to protect sensitive personal data, and it is essential that such data is not obtained and processed as much as possible.
In accordance with Article 4 of the Law, the principles to be applied in the processing of your personal data are as follows:
Personal data obtained by the Company cannot be processed without the explicit consent of the relevant person, except for the exceptions stipulated in the Law.
a) It is clearly foreseen in the law
One of the conditions for data processing is that it is clearly prescribed by law. Provisions in the law regarding the processing of personal data may constitute a condition for data processing. In such a case, explicit consent of the relevant person is not required.
b) Actual impossibility
In cases where it is necessary to protect the life or physical integrity of a person who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid, the personal data of the person concerned may be processed without his or her explicit consent.
c) It is directly related to the establishment or execution of the contract
If data processing is deemed mandatory during the establishment or execution of a contract to which the data owner is a party, personal data may be processed without explicit consent.
d) The Company's fulfillment of its legal obligations
Personal data may be processed without obtaining explicit consent in order to fulfill the legal obligations that the Company must fulfill as the data controller.
e) It has been made public by the relevant person
Personal data that has been made public by the data owner, in other words, personal data that has been disclosed to the public in any way, can be processed without explicit consent. Even in this case, personal data that has been made public cannot be used for purposes other than its intended purpose.
f) It is mandatory for the establishment, use and protection of a right.
In cases where it is mandatory for the establishment, exercise or protection of a right, it is possible to process the personal data of the relevant person without his or her explicit consent.
g) It is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
If the processing of personal data is mandatory for the data controller and the data processing activity will not harm the fundamental rights and freedoms of the relevant person, personal data may be processed without obtaining explicit consent.
The legitimate interest of the data controller is aimed at the interest and benefits that will be obtained as a result of the processing to be carried out. The benefit to be obtained by the data controller; It must be legitimate, related to a sufficiently effective, specific and existing interest that can compete with the fundamental rights and freedoms of the person concerned. It must be a transaction that is related to the current activities carried out by the data controller and will benefit him/her in the near future.
Processing of special categories of personal data is subject to Article 6 of the Law. Data regarding people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special personal data. The data within this scope is limited and cannot be expanded through interpretation. Due to its nature, personal data of special nature are data that may cause discrimination and victimization of the relevant person if learned. For this reason, they need to be protected much more strictly than other personal data.
Special personal data; The relevant person must have explicit consent, it is clearly foreseen by law, it is necessary for the protection of the life or physical integrity of the person who is unable to express his consent due to actual impossibility or whose consent is not given legal validity, it is necessary for the protection of his own or someone else's life or physical integrity, it is related to the personal data that the relevant person has made public and is in accordance with the will to make it public, it is mandatory for the establishment, use or protection of a right, it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services and planning of health services by persons who are under the obligation of confidentiality or authorized institutions and organizations, Provided that it is necessary for management and financing purposes, is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance, is in accordance with the legislation and purposes of foundations, associations and other non-profit organizations or entities established for political, philosophical, religious or union purposes, is limited to their fields of activity and is not disclosed to third parties; It may be processed if it is directed at current or former members and members or people who are in regular contact with these organizations and entities. In addition, it is essential to take adequate precautions determined by KVKK in the processing of special personal data.
During the collection of personal data, data owners are informed by the Company in its capacity as data controller or by persons authorized by it. The procedures and principles regarding the information provided are stated in the information texts regarding the processing of relevant personal data published by the Company, and the information briefly includes the following elements:
a) Purposes of processing personal data
Processing of personal data is carried out for specific, clear and legitimate purposes and is based on the principle of informing data owners. The purposes pursued in the processing of personal data obtained by the Company by data subjects are shown in the relevant sections of the information texts on our website for each category of relevant persons.
b) Persons to whom personal data are transferred and the purposes for which they are transferred
Within the framework of the data controller's obligation to inform the data owner, the persons to whom personal data is transferred and the purposes of transfer must be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data owner. Recipient groups to which personal data is transferred by the Company and purposes of transfer IV. It is shown in the TRANSFER OF PERSONAL DATA section.
c) Method and legal reason for collecting personal data
In accordance with Articles 5 and 6 of the Law, the data controller must clearly state on which of the personal data processing conditions it is processed. Data collection method and medium are determined by the data controller. The conditions for processing personal data, that is, their compliance with the law, are listed in a limited number in the Law (Art. 5-6), and these conditions cannot be expanded.
The data controller Company evaluates whether the purpose of the personal data processing activity is primarily based on one of the processing conditions other than explicit consent. If this purpose does not meet at least one of the conditions other than explicit consent specified in the Law, in this case, the person's explicit consent is sought to continue the data processing activity.
Personal data cannot be transferred without the explicit consent of the relevant person. However, if one of the conditions specified in the second paragraph of Article 5 and in the third paragraph of Article 6 is met, provided that adequate precautions are taken, it may be transferred without the express consent of the relevant person.
Information about the recipient groups to which your personal data processed by the Company is transferred is included in ANNEX 4 - Third Parties to whom Personal Data is Transferred and Purposes of Transfer of this Policy.
a) Existence of an agreement that is not an international contract between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations in the nature of a public institution in Turkey and the transfer is allowed by the Board.
b) The existence of binding company rules, which include provisions regarding the protection of personal data and are approved by the Board, that companies within the enterprise group engaging in joint economic activities are obliged to comply with.
c) Existence of a standard contract announced by the Board, which includes issues such as data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special personal data.
ç) The existence of a written undertaking containing provisions that will provide adequate protection and the transfer being authorized by the Board.
a) The relevant person gives explicit consent to the transfer, provided that he or she is informed about possible risks.
b) The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
c) The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
ç) The transfer is necessary for a superior public interest.
d) It is mandatory to transfer personal data for the establishment, exercise or protection of a right.
e) It is necessary to transfer personal data in order to protect the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
f) Making a transfer from a registry that is open to the public or persons with legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with legitimate interest requests it.
Personal data obtained by the company is processed in accordance with the law for the purposes specified in Articles 5 and 6 of the Law.
The Company takes administrative and technical measures to ensure that personal data is stored securely and to prevent unlawful processing and access to personal data.
Personal data must be accurate and up-to-date when necessary, in accordance with subparagraphs (b) and (d) of paragraph 2 of Article 4 of the Law, and must be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this context, the data processed are processed in accordance with the principles and rules that must be observed in data processing activities and are retained for the period necessary for the purpose for which they are processed. Information regarding the storage and destruction procedure and retention periods of personal data processed by the Company is in VIII of this Policy. STORAGE AND DESTRUCTION OF PERSONAL DATA and ANNEX-4: Personal Data Storage Periods are shown in the sections.
In order to ensure personal data security, all personal data processed by the Company are determined and the likelihood of risks that may arise regarding the protection of this data is determined; When determining these risks, whether personal data is special personal data (1), what level of confidentiality it requires due to its nature (2), and the nature and quantity of damage that may occur to the relevant person in the event of a security breach (3) are taken into account.
After identifying and prioritizing these risks; control and solution alternatives to reduce or eliminate such risks; It is evaluated in line with the principles of cost, applicability and usefulness, and the necessary technical and administrative measures are planned and implemented within the framework of the Law.
In this context, for the protection of personal data by the Company; The following administrative and technical measures are taken:
Camera Monitoring Activity at Building Entrances and Inside
Camera monitoring is carried out to ensure security at the entrance to and within the Company and to protect the interests of the Company and other persons. Camera monitoring activity is carried out in accordance with the Law and is carried out within the scope of the data processing conditions listed both in the Law and in this Policy.
Your personal data held by the Company is kept for as long as the data processing activity is necessary; If an obligation to delete, destroy or anonymize personal data arises, it is deleted, destroyed or anonymized within the first periodic destruction period following the date on which this obligation arises. It acts in accordance with the general principles set out in Article 4 of the Law and the technical and administrative measures set out in Article 12 when deleting, destroying or anonymizing your personal data.
The time period for periodic destruction is limited to a maximum of 1 year. All transactions regarding the deletion, destruction or anonymization of personal data by the company are recorded and kept for at least 3 years in accordance with the legal obligation. The retention periods of personal data processed by the company are shown in ANNEX-4.
The personal data expert assigned by the Company regarding the storage and destruction of data is the person responsible for the execution and supervision of the personal data storage and destruction policy.
Personal data processed by the Company are deleted, destroyed or anonymized ex officio or upon the request of the relevant data owner, in case the reasons requiring processing are eliminated in accordance with Article 7 of the Law and the "Regulation on Deletion, Destruction or Anonymization of Personal Data" published in the Official Gazette dated 28 October 2017 and numbered 30224 prepared by the Personal Data Protection Board.
Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant employees in any way.
All necessary technical and administrative measures are taken to ensure that deleted personal data are inaccessible and unusable.
Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone.
All kinds of technical and administrative measures are taken to make personal data inaccessible, irretrievable and reusable by anyone.
Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.
All kinds of technical and administrative measures are taken to anonymize your personal data, and it is anonymized by applying methods in accordance with our personal data storage and destruction policy.
Personal data recording environment refers to any environment where personal data is processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system.
Personal data regarding data subjects are stored securely by the Company in the following data recording mediums, in accordance with the relevant legislation, especially the provisions of the Law, and within the framework of international data security principles:
a) Technical recording environments: Computer environment, central servers, removable memories (USB, Memory Card, etc.), information security devices and software.
b) Non-technical data recording media: Papers, manual data recording systems, written, printed and visual media.
Personal data of the relevant data subjects are collected by the Company, including but not limited to;
It is destroyed for such purposes and reasons.
The techniques for deleting, destroying or anonymizing personal data processed by the Company are shown below, and which of the techniques will be applied may vary depending on the nature of the personal data processed.
During the deletion, destruction or anonymization of personal data; Necessary administrative and technical measures are taken, such as informing employees about information security and destruction processes, choosing the most appropriate method according to the nature of the data recording environment in which personal data is kept, carrying out regular and periodic maintenance and follow-up studies regarding data security, using the most technologically and technically necessary destruction systems, issuing automatic deletion commands, removing the authority to access deleted data and reuse and restore deleted data.
For this purpose, firstly, the methods of determining the personal data that are subject to deletion, destruction or anonymization (1), identifying the relevant employees for each personal data using an access authorization and control matrix or a similar system (2), determining the authorizations and methods of the relevant employees such as access, retrieval and reuse (3), closing and eliminating the access, retrieval and reuse authorizations and methods of the relevant employees within the scope of personal data (4) are applied.
In accordance with Law No. 6698, as the data owner;
As personal data owners, if you submit your requests regarding your rights through the methods specified in the "Communiqué on Procedures and Principles of Application to the Data Controller", which came into force after being published in the Official Gazette dated 10.03.2018 and numbered 30356, the Company will finalize the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. This period cannot exceed 30 days from the notification of your application to the Company. Deficiencies in your application, unclear If additional information is requested due to the explanations, the response period does not start until the relevant additional information and documents are notified to us. If the transaction requires any cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board.
Explicit Consent: Consent regarding a specific subject, based on being informed and expressed with free will,
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data,
Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller,
Relevant person: The real person whose personal data is processed,
Destruction: Deletion, destruction or anonymization of personal data,
Law: Personal Data Protection Law No. 6698 dated 24/3/2016,
Blackening: Processes such as scratching, painting and icing all personal data in a way that cannot be associated with an identified or identifiable natural person,
Recording Medium: Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Personal Data: Any information regarding an identified or identifiable natural person,
Processing of Personal Data: All kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system,
Personal Data Protection Law (“KVKK”): Personal Data Protection Law No. 6698, which came into force by being published in the Official Gazette on April 7, 2016,
Board / Institution: Personal Data Protection Board and Personal Data Protection Authority,
Data Processor: The real or legal person who processes Personal Data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria,
Data Controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Owner Categories
Explanation
Worker
It refers to the people working within the company.
Employee Candidate
It refers to real persons who apply for a job by sending a resume to the Company or by other methods.
Business Partners
It refers to real persons and legal entity employees with whom business, transactions and cooperation are carried out by the Company for the purpose of carrying out the activities of the Company.
Customer
It refers to real persons who purchase and benefit from the products and services offered by the Company.
Potential Customer
It refers to real people who show interest in purchasing the products and services offered by the Company and have the potential to become customers.
Supplier
It refers to real persons and legal entity employees from whom services are procured by the company.
Visitor
It refers to third parties who visit the workplace and the Company's website.
Other Relevant Third Parties
It refers to real persons other than the declared relevant persons, for whom personal data processing activities are carried out by the Company.
Transferred Person/Unit
Scope
Purpose of Transfer
Legal Advisors / Financial Advisors
Parties from whom services are provided for the purpose of support in legal and financial matters of the Company
Transfer of personal data on a limited basis for the purpose of receiving services within the scope of establishing, exercising and protecting the Company's legal and financial rights.
Business Partners
Local and foreign parties with whom business partnerships have been established within the scope of the activities carried out by the company
Transfer of personal data on a limited basis to ensure the fulfillment of activities with business partners and to carry out company activities.
Suppliers
Parties from whom services are provided in order to continue the activities of the Company
Server and hosting, cloud, information technologies, online communication, etc. Transfer of personal data on a limited basis for the purpose of providing services received from suppliers who provide services.
Authorized Public Institutions and Organizations
Legal relations between legally authorized public institutions and organizations and the Company
Sharing/transferring information and documents requested from the Company by relevant public institutions and organizations, limited to the purpose of request and the scope of commercial activities.
Personal Data Source
Duration
Legal Basis
Personal Data Processed in Contracts and Contractual Relationships
10 Years from the End of Legal Relationship
Law No. 6102, Law No. 6098, Law No. 6563 and Law No. 213
Special Personal Data
10 Years from the End of Legal Relationship
Law No. 6102, Law No. 6098, Law No. 6563
All Records Regarding Accounting and Financial Transactions
10 Years from the End of Legal Relationship
Tax Procedure Law No. 213, Law No. 6563
Personal Data Regarding Tax Records
5 Years
Tax Procedure Law No. 213
All Records Regarding Human Resources Processes, Including Personnel Files, Within the Scope of Labor Law
10 Years from the End of Legal Relationship
Labor Law No. 4857 and Related Legislation, Turkish Code of Obligations No. 6098
Data Collected Within the Scope of Occupational Health and Safety Legislation
10 Years from the End of Legal Relationship
Labor Law No. 4857 and Related Legislation, Occupational Health and Safety Law No. 6331, Occupational Health and Safety Services Regulation
Data Regarding Candidate Applications If the Job Application Is Not Accepted
2 Years
Sectoral Conventions Apply.
Commercial Electronic E-Mail Approval Records
1 Year from the Date of Withdrawal of Approval
Law No. 6563, Regulation on Commercial Communication and Commercial Electronic Messages Published in the Official Gazette No. 29417 dated 15.07.2015
Personal Data Processed for Security Purposes Pursuant to CCTV Cameras (Camera Recordings)
1 Month
Sectoral Conventions Apply.
Traffic Information and Log Records Regarding Online Visitors
6 Months – Maximum 2 Years
Internet Law No. 5651