GDPR - Living & Investing in Turkey

Turkey's Basics

Important Things You Need to Know Before Living in Turkey

GDPR

Under the Law No. 6698 on Protection of Personal Data

Outlook Turkey

Illumination Text for the Processing of Personal Data

1. Purpose and Scope of Illumination Text

This statement prepared with MGC Consulting A.P.’s (Outlook Turkey) personal information principle of our customers, potential customers, suppliers and employees and third parties of personal data protection law (“KVKK”) under the protection and processing of data to illustrate the approach and in this regard the relevant person intended to inform.

The data included in the disclosure text for the processing of personal data is related to all personal data of the person concerned which is automated or processed in non-automated ways, provided that it is part of any data recording system.

This text edited by our company at 04/08/2020. The effective date and version of the text will be updated if the whole text or certain articles are renewed. The text is published on our company’s website https://www.outlookturkey.com/ and the personal data is made available to the contacts at the request of the contact.

2. Principles Regarding Personal Data

a. Processing of Personal Data

Our company reserves your data in accordance with article 20 of the Constitution and article 4 of KVKK.

In accordance with the law and the rules of honesty,

Accurate and up to date as needed,

For specific, clear and legitimate purposes,

Purpose-linked,

In a limited and measured manner,

By maintaining the amount of time required by law or for the purpose of processing personal data,

It is processed on the basis of one or more of the conditions stated in the article 5 of KVKK. During the acquisition of such personal data, our company fulfils its obligation to provide information in accordance with article 20 of the Constitution and article 10 of KVKK on the following issues below:

The purpose for which personal data will be processed,

To whom the processed personal data can be transferred and for what purpose,

The method and legal reason for collecting personal data

Rights owned by the person concerned

b. Legal Reasons for Processing Personal Data

Personal data that processed for the purposes stated by our company in accordance with article 5 of KVKK is listed below:

The processing of personal data by our company is directly related to the establishment or execution of a contract and is necessary,

The processing of personal data is mandatory for our company to fulfill its legal obligation,

The processing of personal data by our company is mandatory in order to establish, use or protect the rights of our company or its data contact or third parties,

It is mandatory to perform personal data processing activities for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data contact person,

A number of personal data have been designated as “specially qualified” if processed unlawfully, pose a risk of victimization or discrimination in accordance with article 6 of KVKK. These data are ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association or trade union membership, health, sexual life, criminal convictions and security measures with biometric data and genetic data. Personal data is processed by our company in the following cases, provided that adequate measures are taken to be determined by the Personal Data Protection Board below:

Personal data of special quality other than the health and sexual life of the person concerned, where required by law,

Qualified personal data about health and sexual life of a special personal contact, however, Public Health Protection, preventive medicine, medical diagnosis, treatment and care in the execution of services, for the purposes of financing the planning and management of health services, or persons under the obligation of confidentiality by the authorized institution

In the absence of the above-mentioned data processing requirements, consent is obtained from the relevant person for the data processing by our company.

c. Transfer of Personal Data

Our company will be able to transfer the personal data specified in Section 2.b of the text in the same section within the purposes stated below,

To the public institutions and organizations legally authorized for the purpose they demand within the legal authority of the relevant public institutions and organizations.,

Persons data to legally authorized private legal persons limited to the purpose requested by the relevant private legal persons within the legal authority of the relevant private legal persons,

Again, your personal data may be transferred abroad within the framework of the execution of our company’s commercial activities and the fulfillment of its operational activities within the conditions stated in the article 9.

d. Purpose of Collecting Personal Data

Your personal data is collected in accordance with the purposes stated above to provide, improve, and carry out our business activities, products and services we offer. During this process, your personal data is collected through our employees and representatives or through public databases under relevant legislation, through business cards, through e-mails which sent to our company’s “info” extension for legal reasons to conduct our business activities.

Your personal data collected for this legal reason may also be processed and transferred for the purposes specified in articles (b) and (c) of this disclosure text within the scope of the personal data processing requirements and purposes specified in Articles 5 and 6 of the Law No. 6698.

Personal data is processed by our company within the scope of the above-mentioned conditions and in accordance with local legislation, for the purposes stated below:

With the aim of ensuring the execution of our company’s human resources policies, providing personnel suitable for open positions in accordance with HR policies,

In line with the provision of realization of legal and commercial obligations with our company and persons in business relations with our company; Administrative operations related to communication, legal and commercial risk analysis, legal compliance process, financial operations carried out by our company

The products and services offered by our company are customized according to the likes, usage habits and needs of our customers in line with the purpose of making the necessary studies to be offered to our customers; one-to-one and/or integrated marketing activities, sales and after-sales operations carried out by our company in line with the aim of making the necessary studies to be proposed for our future,

In line with the aim of determining and implementing the commercial and business strategies of our company; financial operations, communication, market research and social responsibility activities, purchasing operations (demand, offer, evaluation, order, budgeting, contract), determination and implementation of commercial and business strategies of our company,

the personal data processed under this text and the data contact are categorically classified by our company and shown in KSV1 list.

e. Storing and Deleting Data

Our company stores personal data for periods determined by legislation and, if no further period is specified in the legislation, personal data is stored for the period required to be processed in accordance with the practices and practices of our company’s business life, depending on the services that our company provides when processing that data, and for the period after which it is Such personal data is deleted, destroyed or made anonymous after the expiration of the specified periods.

3. Rights of the Person Concerned

In the Article 20 of the Constitution, everyone has the right to be informed about personal data relating to him/her. In the Article 11 of the KVKK, the rights of the individual concerned include the right to “request information”.

In this context, our company makes the necessary information when the person concerned requests information; with this statement, our company gives information to the person concerned about how to use the right to request information and how to evaluate the matters related to the request. The personal data owner has the following rights:

Learning whether personal data is processed,

Request information if personal data has been processed,

Learning the purpose of processing personal data and whether they are used in accordance with their purpose,

To know the third parties from which personal data is transferred at home or abroad,

Request that personal data be corrected if it is incomplete or improperly processed, and request that the transaction made in this context be notified to third parties to whom the personal data was transferred,

To request the deletion or destruction of personal data in case the reasons for its processing are eliminated, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and to request that the transaction made in this context be notified to third parties to whom the personal data was transferred.,

Objecting to the emergence of an outcome against the person himself by analyzing the processed data exclusively through automated systems,

Claim to recover damages if personal data is damaged due to illegal processing.

Due to Article 28 of the KVKK, the following cases are excluded from the scope of KVKK; the person concerned may not assert the rights mentioned above in these matters:

Processing of personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.

Personal data of National Defense, National Security, Public Safety, Public Order, economic security, not to violate privacy or personal rights or did not constitute a crime, provided that art, history, literature, or may be processed for scientific purposes or under freedom of expression.

The processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations mandated and authorized by law to ensure national defense, national security, public security, public order or economic security.

Processing of personal data by judicial authorities or execution authorities in relation to investigations, prosecutions, trials or executions.

Due to Article 28/2 of the KVKK, in the following cases, the personal data person may not assert the rights mentioned above in these matters except the right of the personal data person to request the removal of the damage.:

Processing personal data is necessary to prevent or investigate a crime.

Processing of personal data made public by a personal contact.

Personal data processing is required by the competent public institutions and organizations and professional organizations of the nature of public institutions, based on the authority given by the law, for the execution of supervision or regulation duties and for disciplinary investigation or prosecution.

Personal data processing is essential for protecting the economic and financial interests of the state in relation to budget, tax and fiscal matters.

Personal data owner requests regarding the rights of the person mentioned above by filling out the form at the address and signing it with a wet signature to our company by delivering it to address in person, by notarizing it or by sending it by registered letter with return. In order for a person other than the person concerned to make a claim, a special power of attorney must be issued by the person concerned on behalf of the person applying for the matter.

The duly submitted requests to our company will be finalized within thirty days. If the conclusion of such requests requires a further cost, the fee will be charged by the applicant at the tariff determined by the board.

Our company may request information from the person concerned to determine whether the applicant is a personal contact person and may ask the person concerned about the application in order to clarify the issues stated in the application. Our company may reject the application of the applicant by explaining its reasons in the following cases:

Processing of personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.

The processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations mandated and authorized by law in order to ensure national defense, national security, public security, public order or economic security.

Processing of personal data by judicial authorities or execution authorities in relation to investigations, prosecutions, trials or executions.

Processing personal data is necessary to prevent or investigate a crime.

Processing of personal data made public by a personal contact.

Personal data processing is essential for protecting the economic and financial interests of the state in relation to budget, tax and fiscal matters.

The possibility that the request of the individual concerned impedes the rights and freedoms of other persons

Claims that require disproportionate effort

The requested information is public information.

In cases where the application is rejected in accordance with Article 14 of the KVKK, the response is insufficient or the application is not answered within the period, the person concerned may make a complaint to the board within thirty days from the date of the company’s response and probably sixty days from the date of the application.

4. Security of Personal Data

Security measures

Our company, due to Article 12 of the KVKK, which unlawful processing of personal data and prevent unlawful access to data and prevent data necessary to achieve the appropriate level of security to ensure the safekeeping of the measures and controls located in this context, make the necessary controls or has outsourced. The measures and controls taken by our company are given below,

Employment of knowledgeable personnel in establishing and operating systems in accordance with the principles and relevant legislation related to the processing of personal data,

To provide training for the personnel to be informed about personal data, to include provisions related to compliance with personal data protection legislation and company code of practice in personnel contracts,

Use of regulatory-compliant backup programs that ensure secure storage of personal data,

For a service that covers the processing of personal data provided as the external source in the case of contracts with outsourcing firms will take the necessary security measures for the protection of personal data and that these measures will be provided in their own organizations to be included in the provisions are complied with,

Our company in all activities conducted by KVKK held under conditions of data processing the processing of personal data with the evaluation process to be maintained in accordance with the provisions of technical and organizational measures necessary for KVKK,

Determining and implementing rules for managing personal data processing processes and compliance structure, including measures and controls

Maintaining and controlling personal data processing processes and systems related to these processes with management systems having technical and organizational characteristics.

Control

Our company conducts the necessary audits within its own in accordance with Article 12 of KVKK. The results of this audit are reported to the relevant department within the scope of the internal functioning of the company and necessary activities are carried out to improve the measures taken.

The systems are established to raise awareness of the existing employees of the company’s business units and newly incorporated employees about the protection of personal data and training is provided to the employees.

Data Breaches Management

Our company operates a system that ensures that the personal data processed in accordance with Article 12 of KVKK will be reported to the relevant person and the board as soon as possible if it is obtained by others by illegal means. If required by the board, this may be announced on the board’s website or by any other method.

MGC Consulting

Location provider:  MGC Danışmanlık A.Ş.

Postal Address:  Büyükdere Cad. No:127, Astoria B Kule 5. Kat 34394, Şişli, İstanbul

Telephone: +90 850 333 86 60

Web: https://www.mgc.com.tr/