Pursuant to Article 20 of the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. This right includes being informed about the personal data about the person, accessing these data, requesting their correction or deletion, and learning whether they are used for their purposes.
With the Law on the Protection of Personal Data No. 6698 (“PPD Law”), the protection of fundamental rights and freedoms of individuals in the processing of personal data, the obligations of natural and legal persons who process personal data, and the procedures and principles to be followed. The purpose of this Policy, prepared in this direction, is to ensure compliance with the obligations of the PDP Law regulations.
The purpose of this Policy is to protect the personal data of customers, visitors, suppliers, and third parties of DD Dynamics for Development Management Centre Inc. (hereinafter referred to as DD) governed by the Policy. The protection of the personal data of our employees, is managed under the Policy on the Processing of Personal Data of DD Employees, which was written in parallel with the principles in this Policy.
In the event that the section that refers to these RULES is approved, it will be deemed TO BE CONSIDERED that all of these rules are known, read and the data owner authorizes DD regarding this content.
DD has the right to update the regulations on the Protection of Personal Data, partially or completely, at any time within the framework of the changes that can be made in the current legislation, and the changes in the legal regulations will be considered binding for both DD and our followers.
Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated 7 April 2016 and No. 29677. The PPD Law is regulated to protect the fundamental rights and freedoms of natural persons, including the privacy of private life, which is also protected by the Constitution, and to determine the obligations of natural and legal persons who process personal data. In addition, the Law No. 6563 on the Regulation of Electronic Commerce includes a provision on the protection of personal data. Penal sanctions are envisaged in some cases for the protection of personal data through the provisions of the Turkish Penal Code No. 5237.
The Personal Data Protection and Processing Policy (“Policy”) has been prepared in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to regulate the obligations procedures and principles to be followed by real and legal persons who process personal data.
It has been adopted that the policy and the activities carried out by DD will be maintained and developed in accordance with the principles contained in the PPD Law.
With this Policy, it is aimed to inform DD employees and users on the following issues:
• Who collects personal data,
• For what purposes and how personal data are processed,
• DD transfers personal data to whom and for what purposes,
• What are the method and legal reasons for collecting personal data,
• What rights do DD employees have regarding the processed personal data,
• What are the administrative and technical measures taken to ensure data security.
Data owners whose personal data are processed within the scope of this Policy are categorized as follows:
Users
Regardless of whether there is any contractual relationship, natural persons whose personal data are obtained due to business relations within the scope of the activities carried out by DD.
Third Parties
Although not defined in the Policy, other natural persons, including but not limited to the supplier, prospective customer, candidate employee, complainant, intern, etc. whose personal data are processed within the framework of this Policy.
The definitions used in this Policy are as follows:
Explicit Consent
Consent on a particular subject, based on information and expressed with free will, giving permission and authority to the addressee on the permitted subject,
Anonymization
Making personal data incapable of being associated with an identifiable natural person in any way, even by matching with other data,
Employee
Dependent on DD, all natural persons who work for a definite or indefinite period,
User
All natural or legal persons who use DD or its affiliated applications for a definite or indefinite period,
Service Provider
Personnel of the companies (suppliers, subcontractors, etc.) from which DD receives and/or provides services,
Personal Data
Any information relating to an identified or identifiable natural person,
Processing of personal data
All kinds of operations performed on the data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making obtainable, classifying, or preventing the use of personal data completely or partially automatically or by non-automatic means provided that it is a part of any data recording system,
Personal Data Owner
The natural person whose personal data is processed and who is deemed to be the "relevant person" in the PPD Law
Personal Data Owner Application Form
The application form that DD employees will use when making their applications regarding their rights, described in Article 11 of the PPD Law,
PPD Law
Law No. 6698 on the Protection of Personal Data,
PPD Board
Protection of Personal Data Board,
Special Categories of Personal Data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, also biometric and genetic data,
Data Inventory
Personal data processing activities carried out by DD in connection with its business processes; the inventory created and detailed by associating with the personal data processing purposes, the recipient group to which the personal data is transferred, and the relevant personal data owner group.
Data Processor
The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry
The registry of data controllers kept by the Administration under the supervision of the Protection of Personal Data Board.
Pursuant to Article 3 of the PPD Law, all kinds of operations performed on the data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making obtainable, classifying, or preventing the use of personal data completely or partially automatically or by non-automatic means provided that it is a part of any data recording system, falls within the scope of processing personal data.
It is obligatory to comply with the following principles in the processing of personal data:
a) Compliance with the law and honesty rules
Our company, in accordance with particularly the Constitution, the PPD Law and the relevant legislation, carries out its personal data processing activities in accordance with the law and honesty rules.
b) Being accurate, and actual when necessary
All kinds of administrative and technical measures are taken to ensure the accuracy and actuality of personal data while processing personal data by our company.
c) Processing for specific, explicit and legitimate purposes
Before starting the processing of personal data, our company clearly and precisely determines the purpose of processing personal data.
d) Being connected, limited and restrained with the purpose for which they are processed
Our company to the extent necessary to achieve the determined purposes, processes personal data. Data processing is not carried out with the assumption that it can be used later.
e) Preservation for the period stipulated by the relevant legislation or for the purpose for which they are processed.
Our company stores personal data for a limited period stipulated by the PPD Law and the relevant legislation or for the purposes of data processing.
1. Terms of Processing of Personal Data
Our company can process personal data and sensitive personal data with the explicit consent of the personal data owner or without explicit consent in cases stipulated in Articles 5 and 6 of the PPD Law. In the presence of one of the following, DD will be able to process the personal data of the data owner without looking for explicit consent:
a) When it is clearly stipulated in the laws.
b) When it is compulsory for the protection of life or physical integrity of the person or another person, who is unable to express his or her consent due to actual impossibility or whose consent is not given legal validity.
c) When it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
d) When it is mandatory for our company to be able to fulfill its legal obligations.
e) When the personal data made public by the personal data owner.
f) When data processing is mandatory for the establishment, exercise, or protection of a right.
g) When data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
2. Processing of Special Categories of Personal Data
Our company carries out the processing of special categories of personal data, which carries the risk of discrimination when processed unlawfully, in accordance with the data processing conditions set forth in Article 6 of the PPD Law. It is prohibited to process special categories of personal data without the explicit consent of the personal data owner. However, provided that adequate measures determined by the PPD Board are taken, special categories of personal data may be processed in the following cases, even without the explicit consent of the personal data owner:
a) Processing of Personal Health Data
Personal health data; It can be processed in the presence of one of the conditions listed below, provided that (i) to take adequate measures to be stipulated by the PPD Board, (ii) to act in accordance with general principles, (iii) to be under the obligation of confidentiality:
- Written explicit consent of the personal data owner
- Protection of public health
- Preventive medicine
- Execution of medical diagnosis, treatment and care services
- Planning and management of health services and financing
b) Processing of Special Categories of Personal Data other than Health and Sexual Life
The data within this scope will be possible with the explicit consent of the personal data owner or in cases stipulated by the laws.
Personal Data Category | Description | Data Owner Category to which the Relevant Personal Data is Related |
Prospective Customer Data | Information obtained and produced about the relevant person as a result of the operations carried out by our business units in this context, which is obtained in the first step to benefit from commercial activities. | Customer Data |
Dealer / Agent Data | Natural person who sells permanently on behalf of the Firm in a certain place or region based on the contract with the Firm using the Firm's practices, carries out the preparatory work before the conclusion of the contract and assists in the implementation of the contract and the payment of compensation. | Clients, Agents, Brokers, Agent Partners |
Customer Data | Information obtained and produced about the person concerned as a result of our commercial activities and the operations carried out by our business units in this context. | Customers |
Third Parties | Other natural persons, including but not limited to supplier, guarantor, victim/person entitled, family members etc. whose personal data are processed. | Suppliers |
Supplier Data | Information required to offer the product or service. | Suppliers |
In Terms of Employees;
Content of Personal Data | |
General | Name, surname, photo, gender, address, telephone number, date of birth, marital status, e-mail address, and for foreign employees, tax identification number, passport, work visa, etc. |
Personnel Family and Relatives Data | Marital status, In order to protect the legal and other interests of the personal data owner, the information of the family members of the personal data owner (e.g. spouse, mother, father, child), relatives and other persons who can be contacted in case of emergency (children of the personal data owner, identity information about their spouses, contact information, profession, educational information, etc.) |
Physical Space Security Data | Personal data regarding the records and documents taken at the entrance to the physical space, during the stay in the physical space; camera records, fingerprint records and records taken at the security point, etc. |
Personnel Data | All kinds of personal data processed to obtain the information that will form the basis for the personal rights of the personnel or natural persons who are in a working relationship with DD (ID information entered in the personnel file, job application form, passport photo, education information, etc.) |
Legal Transaction Data | Processed personal data within the scope of determination and follow-up of legal claims and rights, and discharge of debts along with legal obligations and compliance with our Company's policies (data in documents such as court and administrative authority decisions) |
Communication Data | Information such as phone number, address, e-mail address. |
Transaction Security Data | Processed personal data in order to ensure our technical, administrative, legal and commercial security while carrying out commercial activities (Information showing that the person is authorized to match the transaction associated with the personal data owner and that person and to perform that transaction (e.g. password information) |
Audio and Camera Recording Data | Photo and camera recordings (excluding recordings included in the Physical Space Security Information), audio recordings (e.g. phone conversation audio recording) |
Personnel Performance and Career Development Data | Processed personal data for measuring the performance of personnel or natural persons working with the Company and planning and carrying out their career development within the scope of human resources policy (performance evaluation reports, trainings for career development, etc.) |
Fringe Benefits and Benefits Data | Processed personal data (special health insurance, vehicle allocation, etc.) for planning fringe benefits and benefits that are or will be presented to the natural persons in the personnel or company in a business relationship, determination of objective criteria for entitlement to these, and follow-up of progress payments to these |
Identity and Residence Data | Documents such as driver's license, identity card, and passport that contain information such as name and surname, identity number, tax identification number, nationality information, mother's name and father's name, place of birth, date of birth, gender, signature/paraph information, vehicle license plate, residence information, etc. |
Military Status | The document that shows military status etc. |
Education Status | Education history, course / seminar certificates, graduation information, diploma, foreign language information, etc. |
Income / Finance | Processed personal data regarding information, documents, and records showing all kinds of financial results created according to the type of legal relationship the company has established with the personal data owner, bank account information, information on fringe benefits provided, salary information, information on severance and termination, bonus information, work advance and salary advance requests, credit card information, IBAN, etc. |
Other occupational information | Work experience information, shift information, grounds for dismissal, retirement status, reference information, reference letter, testimonial, CV, belongings given to the employee (telephone, computer, GSM line, etc.), and information on the vehicle, etc. |
Special categories of personal datas |
|
In accordance with the PPD Law, DD has legal obligations within the scope of protection and processing of personal data. These obligations are listed as follows:
8.1 Obligations to clarify
During the collection of personal data, DD is obliged to inform the person concerned and, in this context, to inform the relevant person on the following issues within the scope of the relevant legislation:
DD will inform the related persons about the processing of their personal data with different means within the scope of the obligation to clarify.
8.2 Obligations to inform
The rights regarding the protection of the personal data of the person from whom the personal data is provided, regulated in Article 11 of the PPD Law (Your Rights Section of this document) are as stated. Pursuant to the PPD Law, DD evaluates the requests regarding the rights in question; it is obliged to inform the Relevant Persons within the scope of the action to be taken in line with their requests, and this notification will be made within the period ordered by the legal legislation.
Such requests must be submitted to DD in writing by the Relevant Persons or by other methods to be determined by the PPD Board. DD works to provide the Related Person with more opportunities to utilize their application and rights, so as not to contradict the Board's decision on this matter.
8.3 Obligation to ensure data security and confidentiality
In accordance with Article 12 of the PPD Law, our company takes all necessary technical and administrative precautions to provide the appropriate level of security in order to prevent the unlawful processing of the personal data it processes and the unlawful access to personal data and to ensure the protection of personal data.
8.3.1 Technical Measures Taken to Ensure Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data
DD has taken all kinds of technical and technological security measures to protect your personal data and protects your personal data against possible risks.
8.3.2 Administrative Measures to Ensure Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data
- Training and raising awareness of company employees regarding the PPD Law,
- In cases where personal data transfer is in question, ensuring that a record is added to the contracts concluded with the persons to whom the personal data is transferred, indicating that the party to which the personal data is transferred will fulfill the data security,
- Determining what needs to be fulfilled in order to comply with the PPD Law and preparing internal policies for their implementation,
8.3.3 Measures to be Taken in Case of Unlawful Disclosure of Personal Data
In case the processed personal data is obtained by others illegally, our Company will notify the relevant data owner and the Board as soon as possible.
8.4 Obligation to register with the Data Controllers' Registry
DD declares that in accordance with Article 16 of the PPD Law, it will be obliged to register with the Data Controllers Registry within the period determined and announced by the PPD Board in the Regulation and other legislation.
9.1 Principles to be followed regarding the processing of personal data:
All collected personal data will be processed in accordance with the principles listed in Article 4 of the PPD Law and the conditions specified in Articles 5 and 6. In accordance with Article 4 of the PPD Law, DD is responsible for processing personal data in accordance with the law and the rules of honesty, accurate and when necessary, pursuant to current, specific, clear and legitimate purposes, in connection with the purpose, in a limited and measured manner.
In this context;
10.1 Purposes of Processing Personal Data
DD processes personal data, in accordance with Articles 5 and 6 of the PPD Law, for purposes similar to those stated below, by obtaining the consent of the data owner in cases where approval is required.
Personal and contact data: name, surname, e-mail address, physical address, web address, tax number, telephone number information; are processed by the Human Resources, Finance, Accounting, Business Development, IT and Customer relations departments for;
Supplier data: It is processed by the Purchasing and Administrative Affairs unit for maintaining relations and transactions with company suppliers.
It is processed by the accounting unit for carrying out the BA / BS reporting process and transferred to independent accountants, financial advisors and employees. It is processed by the administrative affairs unit for tracking the cargo operations.
10.2 Retention Periods of Personal Data
Our company determines whether a period is stipulated or not in the relevant legislation for the storage of personal data. If a period is stipulated in the relevant legislation, it complies with this period; if a period is not stipulated, it retains the personal data for the period necessary for the purpose for which they are processed. If the purpose of processing personal data has expired and the storage periods determined by the relevant legislation and/or our Company have come to an end, it can only be stored for the purpose of providing evidence in possible legal disputes, asserting the relevant right related to the personal data or establishing a defense. Personal data is not stored by our Company, based on the possibility of its use in the future.
The procedures and principles to be applied in personal data transfers are regulated in Articles 8 and 9 of the PPD Law, and the personal data and special categories of personal data of the personal data owner can be transferred to third parties domestic and abroad. In order to perform the services, your personal data may be processed by DD under the Law and other legislation (Including but not limited to, the Insurance Law, the Tax Procedure Law, the Attorneyship Law No. 1136 and other regulations related to these laws, the regulations of the supervisory and regulatory institutions and organizations, and the situations required by the public authorities) and may be shared with third parties that DD receives services, contracted institutions, lawyers for the resolution of legal disputes, natural and legal persons with whom we have a proxy relationship, our business partners, domestic/foreign persons and institutions from which we receive cloud data storage services, domestic/foreign organizations with which we have an agreement for sending commercial electronic messages, and other third parties. However, in any case, apart from exceptional cases, personal data cannot be transferred without the explicit consent of the personal data owner.
11.1 Domestic Transfer of Personal Data
In accordance with Article 8 of the PPD Law, the transfer of personal data domestically will be possible provided that one of the conditions specified in the 6th section of this Policy, titled "Personal Data Processing Terms", is met.
11.2 Transfer of Personal Data Abroad
In accordance with Article 9 of the PPD Law, in case personal data is transferred abroad, one of the following conditions is sought, in addition to fulfilling the conditions for domestic transfers:
- The country to be transferred is counted among the countries with adequate protection declared by the Board, or
- In the absence of adequate protection in the country to which the transfer is to be made, the personal data cannot be transferred without the explicit consent of the data owner, a written commitment of data controllers in Turkey and in the relevant foreign country to adequate protection and the permission of Board.
11.3 Person Groups to which Personal Data are Transferred by Our Company
Our company may transfer the personal data of personal data owners within the scope of this Policy, in accordance with Articles 8 and 9 of the PPD Law, to the following person groups for the purposes specified:
PERSON GROUPS | DESCRIPTION | PURPOSE OF TRANSFER |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive the information and documents of our Company in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant public institutions and organizations within the framework of their legal authority. |
Legally Authorized Private Law Persons | Private legal persons authorized to obtain information and documents from our Company and service providers in cooperation in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant private legal persons within their legal authority. |
Pursuant to Article 7 of the PPD Law, although the personal data has been processed in accordance with the relevant legislation, in case the reasons for processing are no longer valid the personal data is deleted, destroyed or anonymized by our Company, ex officio or upon the request of the personal data owner.
The procedures and principles regarding this matter will be fulfilled in accordance with the PPD Law and the secondary legislation to be formed on the basis of this Law.
In accordance with Article 13 of the PPD Law, the evaluation of the rights of personal data owners and the information to be made to the personal data owners are carried out through the DD Personal Data Owner Application Form as well as this Policy. Personal data owners can send us their complaints or requests regarding the processing of their personal data within the framework of the principles specified in the relevant form.
13.1 Right to Apply
In accordance with Article 11 of the PPD Law, anyone whose personal data is processed can apply to our Company and make requests regarding the following issues:
In accordance with the PPD, the Data Owner, of the relevant person data;
a) Learning whether their personal data is processed or not,
b) If personal data has been processed, requesting information about it,
c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
d) Learning the third parties whose personal data is transferred in the country or abroad,
e) Requesting correction of personal data if it is incomplete / incorrectly processed or changed,
f) Requesting their deletion, destruction or anonymization in case the reasons requiring the processing of personal data are no longer valid,
g) Requesting notification of the transactions made in accordance with subparagraphs (e) and (f) above, to the third parties to whom it has been transferred,
h) Objecting to the emergence of a result against the data owner by analyzing the processed personal data exclusively through automated systems,
i) Requesting compensation for the damage in case of loss due to unlawful processing of personal data.
Relevant persons with personal data may submit their requests regarding their rights specified in the law to our Company in writing (by authenticating the documents received or through a notary public), using the PPD application form on the website, or by using Secure Electronic Signature, Mobile Signature or the e-mail address previously notified to the data controller by the relevant person and registered in the data controller's system.
Title: DD Dynamics for Development Management Centre Inc.
E-mail address: iletisim@dd.com.tr
Physical postal address: 29 Ekim Cad. Ladin Sok. No:36/35 Yenibosna / İSTANBUL – TÜRKİYE
Data controller: DD Değişim Dinamikleri Yönetim Merkezi A.Ş.
13.2 Situations Outside the Scope of the Right to Apply
Pursuant to Article 28 of the PPD Law, personal data owners will not be able to assert their rights in the following cases:
a. Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with,
b. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
c. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime,
d. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
e. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to paragraph 2 of Article 28 of the PPD Law, personal data owners will not be able to assert their rights (with the exception of the right to demand compensation):
a. The processing of personal data is being a necessity for the prevention of crime or for criminal investigation.
b. Processing of personal data made public by the relevant person.
c. Personal data processing is being a requirement by the official and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
d. The processing of personal data is being a necessity, for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
13.3 Reply Procedure
In accordance with Article 13 of the PPD Law, our Company will conclude the application requests made by the personal data owner as soon as possible and within 30 (thirty) days at the latest, free of charge, depending on the nature of the request.
The application of the personal data owner may be rejected in the following cases:
a. Preventing other people's rights and freedoms
b. Requiring disproportionate effort
c. Information being publicly available
d. Risking the privacy of others
e. Existence of one of the situations out of scope pursuant to the PPD Law
This data policy and rules, together with the obligation to inform within the scope of legal legislation, will be notified to users that have personal data and will also be published on DD's websites. This Policy may be revised by DD when deemed necessary. In case of revision, the most up-to-date version of the Policy will be posted on the Company's website.
© Copyright 2021. Değişim Dinamikleri. All rights reserved.