1. Introduction
The Turkish Constitution, with its many provisions, has ensured the protection of
individuals' fundamental rights and introduced new safeguards
over
time. With the amendment to the Constitution in 2010 through Law No. 5982, a paragraph was
added to Article 20 of the Constitution, providing
constitutional protection to personal data under the "right to privacy and protection of
personal data." According to the mentioned paragraph:
"Everyone has the right to demand the protection of their personal data. This right includes
being informed about personal data, accessing these
data,
requesting their correction or deletion, and learning whether they are used for their
intended purposes. Personal data can only be processed in
cases
prescribed by law or with the explicit consent of the individual. The principles and
procedures for the protection of personal data are regulated
by
law."
- Everyone has the right to demand the protection of their personal data.
- In this context, individuals primarily have the right to take necessary measures to
prevent their personal data from falling into the hands of
irrelevant third parties.
- This right includes being informed about personal data, accessing these data, requesting
their correction or deletion, and learning whether
they
are used for their intended purposes. Individuals have the right to know for what
purpose and which personal data of theirs is being used, and
if
there is any inaccuracy in this data, they also have the right to request correction or
deletion.
- Personal data can only be processed in cases prescribed by law or with the explicit
consent of the individual. Processing personal data is not
possible in the absence of a legal regulation or explicit declaration of intent by the
individual for the processing of their personal data.
2. Purpose and Scope
Within Polaris Human Resources, all necessary administrative and technical measures will be
taken for the processing and protection of personal
data,
employees and partners will be informed about GDPR processes, and an appropriate and
effective audit mechanism will be established.
3. Definitions
- 3.1. Explicit consent: Consent based on information on a specific subject and declared
with free will.
- 3.2. Anonymization: Making personal data unidentifiable or non-associable with a real
person by matching it with other data.
- 3.3. Data subject: The real person whose personal data is processed.
- 3.4. Personal data: Any information related to an identified or identifiable real
person.
- 3.5. Processing of personal data: Any operation performed on the data, including
obtaining, recording, storing, preserving, altering,
reorganizing,
disclosing, transferring, taking over, making obtainable, classifying, or preventing the
use of data, either completely or partially, through
automated or non-automated means, as part of any data recording system.
- 3.6. Data processor: The real or legal person who processes personal data on behalf of
the data controller based on the authority given by
them.
- 3.7. Data recording system: The record system where personal data is structured based on
specific criteria.
- 3.8. Data controller: The real or legal person who determines the purposes and means of
processing personal data, establishes and manages the
data
recording system.
- 4. Our Principles of Processing Personal Data Our company processes personal data in
compliance with GDPR and relevant legislation. The
fundamental
principles and principles we adopt in processing your personal data according to Article
4 of the GDPR are as follows: • Processing in
accordance
with the law and honesty rule • Ensuring that personal data is accurate and up-to-date
when necessary • Processing for specific, clear, and
legitimate purposes • Keeping personal data for the period required for the purposes for
which they are processed, as stipulated by the
relevant
legislation or required for the purpose they are processed •
5. Conditions for Processing Personal Data
Article 5 of the GDPR regulates the conditions for processing personal data. The processes
for processing personal data by our company are carried
out
in compliance with the conditions specified by the GDPR, even if explicit consent of the
relevant individuals is not obtained. In cases where the
processing of personal data is compulsory due to legal provisions or other criteria, data
processing activities will be considered legal with the
fulfillment of other necessary conditions.
- a) Clearly stated in the laws.
- b) It is mandatory for the protection of life or bodily integrity of the person who is
unable to express his/her consent due to actual
impossibility or whose consent is not legally valid.
- c) It is necessary to process personal data of the parties to the contract, directly
related to the establishment or performance of a
contract.
- ç) It is mandatory for the data controller to fulfill its legal obligation.
- d) It has been made public by the data subject himself/herself.
- e) Processing is mandatory for the establishment, exercise, or protection of a right.
- f) It is mandatory for the legitimate interests of the data controller, provided that it
does not harm the fundamental rights and freedoms of
the
data subject.
6. Conditions for Processing Sensitive Personal Data Special provisions for processing
sensitive personal data are regulated by the GDPR. In
accordance
with the provisions of this article, data such as ethnic origin, political opinion,
philosophical belief, religion, sect, or other beliefs,
appearance
and dress, association, foundation or union membership, health, sexual life, criminal
conviction, and security measures, as well as biometric and
genetic data, are considered as sensitive personal data, and processing these data without
the explicit consent of the data subject is prohibited.
Our
company meticulously identifies and classifies personal data falling under this category.
7. Transfer of Personal Data
- 7.1. Transfer of Personal Data within the Country Personal data cannot be transferred to
third parties within the country without the explicit
consent of the data subject. Various conditions must be met for the transfer of personal
data to third parties. The main rule is the explicit
consent of the data subject, but in cases where there is no clear consent of the data
subject for the transfer of personal data within the
country,
the transfer of personal data to third parties is possible under the conditions
regulated by Article 5, paragraph 2 of the GDPR.
- 7.2. Transfer of Personal Data Abroad According to Article 9 of the GDPR, personal data
cannot be transferred abroad without the explicit
consent
of the data subject. Therefore, the basic principle applied by our company for the
transfer of personal data abroad is to obtain the explicit
consent of the data subject. In cases where there is no explicit consent of the data
subject for the transfer of personal data abroad, the
transfer
of personal data to third parties abroad is possible under the conditions regulated by
Article 5, paragraph 2 of the GDPR. In addition, for
the
transfer of personal data abroad according to Article 9 of the GDPR, it is necessary to
consider the list of secure countries published by the
Personal Data Protection Board and ensure that there is sufficient protection in the
country where the data will be transferred.
8. Deletion of Personal Data Destruction or Anonymization of Personal Data Article 7 of the
Personal Data Protection Law No. 6698 states:
"Although
it
has been processed in accordance with this Law and other relevant laws, personal data are
deleted, destroyed, or anonymized by the data controller
upon
the elimination of the reasons requiring processing, either ex officio or upon the request
of the data subject." Accordingly; deletion,
destruction, or
anonymization of personal data is carried out by our company based on the situations of
personal data processing determined by the company's
personal
data processing inventory.
- 8.1. Methods for Deleting Personal Data
- 8.1.2. Personal Data in Paper Format Personal data in paper format is deleted
using the redaction method. The redaction process involves
cutting
the personal data to be redacted, or if that is not possible, making the relevant data
invisible to users by using permanent ink so that it
cannot
be read with technological solutions.
- 8.1.3. Office Files on Central Server The file is deleted with the delete command in the
operating system or by removing the access rights of
the
relevant user on the directory where the file or files are located.
- 8.1.4. Personal Data on Flash-Based Media Personal data on flash-based storage media is
deleted using appropriate software for these media.
- 8.2. Methods of Destroying Personal Data
- 8.2.1. Demagnetization The data in magnetic media is made unreadable and corrupted
by using the demagnetization method. This process is used
to
destroy personal data stored by the company on magnetic media.
- 8.2.2. Paper Formats Personal data in paper format is shredded into small pieces,
horizontally or vertically, making it incomprehensible,
non-reversible, and unrecognizable.
9. Rights of the Data Subject
According to Article 11 of the Law, everyone has the right to apply to the data controller
and request information about their personal data,
request
information if their personal data has been processed, learn the purpose of processing and
whether personal data are used for their intended
purposes,
know the third parties to whom personal data are transferred within or outside the country,
request correction of personal data if it is
incomplete
or
incorrectly processed, request the deletion or destruction of personal data within the
framework of the rights of the data subject specified in
Articles 11 and 12, request notification of the transactions made pursuant to subparagraphs
(d) and (e) of Article 11 to third parties to whom
personal
data are transferred.
- a) Learning whether personal data is processed or not,
- b) If personal data has been processed, requesting information regarding this,
- c) Learning the purpose of processing personal data and whether they are used in
accordance with their purpose,
- ç) Knowing the third parties to whom personal data are transferred domestically or
abroad,
- d) Requesting correction of personal data if it is incomplete or incorrectly processed,
- e) In cases where the reasons requiring the processing of personal data are eliminated,
although it has been processed in accordance with the
Law
and other relevant laws, requesting the deletion, destruction, or anonymization of
personal data by the data controller,
- f) (d) and (e) objects, processed data, or (d) and (e) notification of the transactions
made pursuant to the articles of this Law to third
parties
to whom personal data are transferred.
- g) Objecting to the occurrence of a result against the person himself by analyzing the
processed data exclusively through automated systems,
- ğ) In case of suffering damage due to the unlawful processing of personal data,
demanding the compensation of the damage, have these rights.