SETCARD POLICY
SETCARD POLICY ON THE PROTECTION, PROCESSING, STORAGE AND PURGING OF PRIVATE DATA
1. AIM OF THE POLICY
This policy is prepared in accordance with the Act on the Protection of Personal Data no. 6698 (“Act”), Articles 5 and 6 of the Regulation on the Purging, Disposal or Anonymization of Personal Data, which is based on that Act and was published in the Official Gazette dated 28.10.2017, and other legislation. Its aim is to set out how private data is stored, protected and processed in accordance with the law. It is prepared particularly for company personnel, officials, guests, users, and the institutions and officials we cooperate with, in order to: establish transparency by informing them and keeping them informed; check whether valid reasons exist for storing processed private data; set out the responsibilities for purging private data whose valid reasons for storage have disappeared; and determine the rules, roles and responsibilities that will apply throughout the company for the various responsibilities stated in the legislation. It is prepared by SET CORPORATE SERVICES TRADE CORP. (“SETCARD” or “Company”) in its capacity as data supervisor.
2. THE EXTENT OF THE POLICY
The policy covers the private data and special quality private data, as identified by the Act, that are held by the company. It applies to all company personnel, executives and advisors and, in all situations where the sharing of private data is at issue, to group companies, associates, outside service providers, users who benefit from services such as the website at https://www.setcard.com.tr and its mobile application, and the natural and legal persons with whom the company has established a legal relationship for various reasons. This policy enters into force on the date it is signed by the Board of Management. The policy may be updated from time to time for reasons arising in SETCARD's private data processing activities or for other reasons. Updates are valid from the date the new Policy is published on the Website.
The policy, as stated in the Act, covers private data held in systems where data is processed by fully or partially automatic means, or by non-automatic means provided that it forms part of a data registry system. Unless indicated otherwise in the policy, private data and special quality private data are referred to together as “Private Data”. Anonymized data, such as data acquired for statistical evaluations or studies, unidentified data, and data about legal entities are not considered private data and are therefore not subject to this Policy.
3. RESPONSIBILITIES
The Board of Directors is responsible for the preparation, execution and updating of this document.
4. DEFINITIONS
Express Consent: Consent on a specific subject, based on being informed and expressed with free will.
Anonymization: Putting private data into a state in which it can in no case be associated with an identified or identifiable natural person, even when it is matched with other data.
Purge: The purging of private data by deleting or anonymizing it.
Private Data: Any kind of information relating to an identified or identifiable natural person.
Private Data Storage Table: The table that shows the periods for which private data will be held by the company.
Private Data Processing Inventory: The inventory in which data supervisors detail the data processing activities they carry out in connection with their business processes, by setting out the purposes of processing private data, the data category, the recipient group the data is shared with and the data subject group, the maximum period that is necessary, the private data foreseen to be transferred to foreign countries, and the precautions taken for data safety.
The Deletion Of The Private Data: The process of making private data inaccessible to and non-reusable by the related users in any way.
The Disposal Of The Private Data: The process of making private data inaccessible to, unrecoverable by and non-reusable by anyone in any way.
Special Quality Private Data: Data on persons' race, ethnic background, political thoughts, philosophical beliefs, religious sects or other beliefs, appearance, membership of societies, foundations or syndicates, health, sexual life, convictions and safety precautions, together with biometric and genetic data.
Periodical Purge: The deletion, disposal or anonymization carried out ex officio at the recurring intervals designated in the private data storage and disposal policy, when the conditions for processing private data set out in the Act have disappeared.
Data Registry System: The registration system in which private data is processed by being structured according to specific criteria.
Related User: The persons who process private data within the data supervisor's organization, or under the authorization and instruction they received from the data supervisor, except for the person or department responsible for the storage, protection and backup of the data.
The Act/PPDA: Protection of the Personal Data Act no. 6698.
Regulation: The regulation about the Purging, Disposal or the Anonymization of the Personal Data that is published in the Official Gazette dated 28.10.2017.
Committee: The Committee of Protection of the Private Data.
Registration Environment: Any kind of environment containing private data that is processed by fully or partially automatic means, or by non-automatic means provided that it forms part of a data registry system.
The Processing Of The Private Data: Any operation performed on private data, such as its acquisition by fully or partially automatic means, or by non-automatic means provided that it forms part of a data registry system, and its recording, storage, protection, alteration, rearrangement, disclosure, transfer, takeover, making available, classification or blocking of use.
The form prepared by SETCARD for Data Owners to exercise their rights under the 11th Article of the Act and to apply to the company for that purpose, which is published on the Website and is also included in Appendix-1 of this Policy.
Policy: SETCARD's Policy on the Protection, Processing, Storage and Purging of Private Data.
Website: The www.setcard.com.tr website owned by SETCARD.
Data Processor: Natural or legal person who processes private data on behalf of the data supervisor, based on the authorization given to them by the data supervisor.
Data Supervisor: Natural or legal person who determines the purposes and means of processing private data and who is responsible for the establishment and management of the data registry system.
Data Owner/Related Person: The natural person whose private data is being processed.
Personnel Candidate: The natural persons who have applied to our Company for a job or an internship in some way, or who have made their curriculum vitae (CV) and related information available for our Company's examination.
Guest: Natural persons who visit our Company or its website, or who use its mobile application.
Building Guest: Natural persons who come to the SETCARD head office or its branches and carry out business there, and whose private data is received.
Blanking: Processes such as deletion, scratching out, painting over and starring out, applied so that the whole of the private data cannot be associated with an identified or identifiable natural person.
Company/Our Company: SET CORPORATE SERVICES TRADE CORP.
Business Associate: Natural or legal persons with whom our Company has set up a business association in the course of its operations.
Masking: Processes such as deletion, scratching out, painting over and starring out, applied so that certain parts of the private data cannot be associated with an identified or identifiable natural person.
Customer: Natural or legal persons who have their personnel use food cards as a social right.
User: Natural persons who are card users and whose private data is collected by the Company through the website, the mobile application, agreements and various other ways.
5. GENERAL PRINCIPLES ABOUT THE PROCESSING OF THE PRIVATE DATA
5.1 The protection of private data is among the most important priorities of our Company. Under the Constitution of the Turkish Republic, everyone has the right to demand the protection of their own private data. Our Company, which is managed in line with this policy, gives the necessary care to the protection of private data as a constitutional right and makes it Company policy to protect the private data of customers/users, guests, personnel, personnel candidates, our authorized personnel, the personnel, shareholders and authorized personnel of the institutions we cooperate with, and third parties.
As per the 4th article of the Act, Private Data may only be processed in accordance with the procedures and principles set out in the Act or in other acts. The same article makes it obligatory to follow a set of principles when processing private data. Within this scope, our Company takes all the necessary administrative and technical precautions to protect private data in accordance with the legislation. Where a discrepancy arises between the Turkish text in which the policy was prepared and its translation, the Turkish text should be taken into consideration.
This policy gives detailed explanations of the main principles, listed below, that our Company has adopted in processing private data:
5.1.1. Processing the private data accordingly to law and rules of honesty,
5.1.2. Processing the private data correctly and keeping the private data updated when necessary,
5.1.3. Processing the private data for specific, open and legitimate purposes,
5.1.4. Processing the private data in connection with, limited to and measured to the purpose they are being processed,
5.1.5. Storing the private data within the period that is foreseen in the related legislation or for the purpose they are processed for,
5.1.6. Clarifying and informing the private data owners,
5.1.7. Setting up the necessary system for the private data owners to use their rights,
5.1.8. Taking the necessary precautions for the protection of the private data,
5.1.9. Acting in accordance with the related legislation and the PPD Committee when transferring private data to third parties as the purpose of processing requires,
5.1.10. Displaying the necessary sensitivity upon the processing and protection of the special quality private data.
5.1.11. Disposal of the private data in the case of disappearance of the reasons of their storage accordingly to the legislation.
6. THE IMPLEMENTATION OF THE POLICY AND THE RELATED LEGISLATION
The legal regulations in force on the processing, protection and disposal of private data apply first. Where there is an inconsistency between the legislation in force and the policy, our Company accepts that the legislation in force applies.
The policy gives concrete form, within the scope of our Company's practices, to the rules set out by the related legislation. Our Company operates the systems and makes the preparations necessary to comply with the validity periods foreseen in the PPDI.
7. VALIDITY OF THE POLICY
The policy issued by our company is dated 01.01.2018. If the whole policy or specific articles of it are renewed, the validity date of the policy will be updated. The policy is published on the Website and is made available to the related persons at the request of the private data owners.
8. PRIVATE DATA REGISTRY ENVIRONMENTS
Any environment in which private data is processed by fully or partially automatic means, or by non-automatic means provided that it forms part of a data registry system, counts as a registry environment.
The private data collected by SETCARD can be recorded in various environments according to factors such as the nature of the data, the purpose of its processing and its frequency of use. SETCARD stores private data safely, in accordance with the related legislation and within the framework of international data safety principles.
Electronic environments: private data can be saved to environments such as software, cloud, server center, mobile media and databases.
Physical environments:
• Department Repositories
• Archive
• Paper
• Network device, flash based environments, magnetic band, magnetic disc, mobile phone, optical disc, printer, door/security systems.
9. METHODS OF COLLECTING PRIVATE DATA
SETCARD collects and processes private data in writing, verbally, by electronic means, by image/voice recording or by meeting the Data Owner in person, in accordance with the provisions of this Policy, the Act and other related legislation.
Data may be collected: i) through the Website, applications, e-mail, recruitment portals and other digital environments, including those of third parties, or through software; ii) by means of agreements, applications, forms, the call center, remote support, the sales and marketing department, cookies on the Website, business cards and telephone; or iii) by means of face-to-face meetings with the Data Owner.
10. THE PURPOSES OF PROCESSING OF THE PRIVATE DATA
SETCARD processes Private Data for clear and legitimate purposes. Within this framework, Private Data may be processed for the purposes listed below:
- Providing and changing the services offered through the Website, POS devices and the mobile application,
- Tailoring the provided services to demand; updating and improving them in line with customer needs and legal and technical developments,
- Carrying out user definitions on the systems for the products and services offered,
- Announcing new or existing products, services and campaigns, and conducting their sales and marketing operations,
- Conducting market research,
- Producing statistics and analyzing usage,
- Paying and collecting the prices of products, work and services, and choosing the collection method,
- Fulfilling the duty to inform arising from the legislation in relation to the services offered through the Website and the mobile application and the other services outside of these,
- Sending the related person advertisements for products and services appropriate to the processing of the Company website and data, and informing them about products, services, promotions and campaigns,
- Providing solutions to problems encountered during the use of SETCARD products and services,
- Improving the experience of visiting and using the Website, moving between pages and buying, and providing a higher-quality service,
- Maintaining contact/communication with users and/or customers,
- Conducting commercial relationships with business associates, suppliers, resellers and the companies to which service is provided,
- Reporting within the framework of cooperation,
- Developing the commercial strategies of the company and making plans,
- Contacting for surveys conducted by the company to measure satisfaction,
- Creating the participant registry, determining the award/gift winners and delivering the awards/gifts in the activities/contests organized by SETCARD,
- Managing judicial/administrative processes and responding to requests received from state institutions and organizations,
- Fulfilling the responsibilities arising from legal regulations and resolving legal disputes,
- In the event of the Company merging with another company, being divided, or being transferred in whole or in part, achieving the results that arise from this legal transaction,
- Introducing Company personnel, natural person customers and related people in social media posts,
- Holding business meetings and evaluating job applications,
- Establishing, conducting and ending the business relationship/agreement,
- Opening user accounts for personnel,
- Creating a participant registry in case of participation in an organization on behalf of the company,
- Recording the participation of personnel in trainings and creating their certificate records,
- Ensuring the security of the Company Website, food cards and mobile application,
- Analyzing Website usage,
- Creating the personal data inventory,
- Evaluating and responding to all questions, requests, suggestions, complaints and applications, including those concerning private data.
11. CONDITIONS OF THE ACTIVITY OF PROCESSING PRIVATE DATA
Processing of private data means any operation performed on the data by fully or partially automatic means, or by non-automatic means provided that it forms part of a data registry system, such as its acquisition, recording, storage, protection, alteration, rearrangement, disclosure, transfer, takeover, making available, classification or blocking of use.
As per the 5th article of the Act, Private Data cannot be processed without the open consent of the Data Owner. However, under the same article, Private Data may be processed without the open consent of the Data Owner where one of the conditions below exists:
- It is expressly set forth in the laws. E.g. providing information about the salaries of the personnel at the request of the SSI/Tax Department.
- It is necessary to protect the life or physical integrity of a person, or of somebody else, where that person is unable to express their consent because of an actual impossibility or where their consent is not considered valid.
- Processing the private data is necessary, on the condition that it is directly connected with setting up or executing an agreement. E.g. obtaining the creditor's bank and account information to make a payment under the agreement; sharing the recipient's name and surname with the courier company to deliver the product that is the subject of a distance sales agreement.
- It is necessary for the data owner to carry out their legal responsibility. E.g. obtaining the bank and account information of the personnel to pay their salary; asking whether they are married, whether the people they are responsible for the care of and their wives are working, and for their social security information.
- The data has been made public by the related person [Data Owner] themselves.
- Data processing is necessary for the establishment, use or protection of a right. E.g. carrying out a user's block request.
- On condition that the basic rights and freedoms of the related person [Data Owner] are not violated. E.g. on condition that the personnel's basic rights and freedoms are not violated, processing people's data based on their duties and roles in the course of their promotions, salary raises, the regulation of their social rights or the reorganization of the management.
12. PROTECTION AND PROCESS OF THE SPECIAL QUALITY DATA
The PPDA attaches special significance to certain private data because of the risk that, if processed illegally, it may cause victimization or discrimination. This data covers race, ethnic background, political thoughts, philosophical beliefs, religious sects or other beliefs, appearance, membership of societies, foundations or syndicates, health, sexual life, convictions and safety precautions, together with biometric and genetic data.
Our company acts very sensitively in protecting the private data that the PPDA designates as "special quality" and that is processed in accordance with the law. Within this framework, the technical and administrative precautions taken by our Company for the protection of special quality private data are applied with care and the necessary inspections are made.
As per the 6th article of the Act, it is forbidden to process special quality Private Data without the open consent of the related person. However, special quality Private Data other than data about health and sexual life may be processed without the open consent of the Data Owner in the situations set forth in the laws. Private Data about health and sexual life may only be processed without the open consent of the related person by people who are under a confidentiality obligation or by authorized institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
Also, the processing of special quality Private Data requires that the sufficient precautions determined by the Committee are taken.
13. TRANSFERRING THE PRIVATE DATA
13.1. The Transfer of the Private Data Inside the Country
As per the 8th article of the Act, as a rule, Private Data cannot be transferred to third parties without the Data Owner's open consent. However, where one of the situations stated in the 11th article of the Policy exists, in which the open consent of the Data Owner is not required, Private Data may be transferred to third parties without the open consent of the Data Owner.
13.2. The Transfer of the Private Data Outside the Country
As per the 9th Article of the Act, as a rule, Private Data cannot be transferred abroad without the Data Owner's open consent. However, where one of the situations stated below exists, in which the open consent of the Data Owner is not required, Private Data may be transferred abroad without the open consent of the Data Owner:
- One of the situations in which the Data Owner's consent is not required, as defined in the 11th and 12th articles of this Policy, exists,
- Sufficient security is present in the country to which the Private Data will be transferred,
- Where sufficient security is not present, the data supervisors in Turkey and in the related foreign country guarantee sufficient security in writing and the Committee's authorization is present.
The countries in which sufficient security is present are determined and announced by the Committee. Without prejudice to the provisions of international agreements, in situations where the interests of Turkey or of the Data Owner would be seriously damaged, Private Data may only be transferred abroad with the view of the related public institution or organization.
13.3. Third Parties That the Private Data Can Be Transferred To
In order to realize the purposes defined in the 10th article of this Policy, and in accordance with the 8th and 9th articles of the Act, SETCARD may transfer Private Data to the third parties stated below, who may be natural or legal persons inside or outside the country:
- Advisors
- Audit Firms
- Firms whose services are bought
- Firms with which cooperation is made
- Customers
- Suppliers
- Teknopark Management (Administrator Company)
- Banks and Financial Institutions
- Legal Authorities and Public Authorities
14. PROCESSED PRIVATE DATA
The natural persons whose Private Data can be processed by SETCARD are explained and categorized in detail below.
Data Owner-Explanations
Applicant: Represents the natural person who submits questions, requests, suggestions, complaints or applications to SETCARD in writing, orally or electronically, including those concerning Private Data. The other data owners defined in this categorization can be applicants too.
Personnel: Represents the people who are on the payroll of or work for SETCARD, whether or not they are bound by a business contract.
Natural Person Customer: Represents the natural person who benefits from the products, services or employments, whose benefitting is being evaluated, or who has been met by SETCARD, whether or not they are bound by an agreement.
Card/Mobile Application/Website User: Represents the natural person who benefits from the products, services or employments, or whose benefitting is being evaluated by SETCARD, whether or not they are bound by an agreement.
Natural Person Supplier: Represents the natural persons or private companies that provide a product or service so that SETCARD can offer products, services and/or employments.
Natural Person Firm Whose Services Are Bought: Represents the natural persons who provide service to SETCARD, whether or not it is within the scope of an agreement. Subcontractors are also evaluated within this framework.
Natural Person Firm That Is Cooperated With: Represents the natural person tradesmen who undertake a certain job together with SETCARD.
Representatives of the Firm With Which Cooperation Is Made: Represents the shareholders/partners, representatives and personnel of the natural or legal persons with which SETCARD cooperates.
Participant: Represents the natural persons who participate in activities such as events, contests and trainings organized by SETCARD.
Customer Associates: Represents the shareholders/partners, authorized personnel and workers, the dealers and agencies, and the dealer/agency personnel of SETCARD's natural or legal person customers.
Potential Personnel: Represents the people who have submitted their curriculum vitae (CV) in order to be employed or to serve their internship (obligatory/optional) within SETCARD.
Company Authorized Personnel: Represents the natural persons who are in the senior management of SETCARD and/or who are authorized to represent SETCARD.
Supplier Associates: Represents the shareholders/partners, authorized personnel and personnel of SETCARD's natural or legal person suppliers.
Visitor: Represents the natural person visitors who log in to or use the SETCARD website/mobile application, who record or submit their data through the Website and/or the mobile application, or whose data is collected in accordance with the terms of use of the Website.
Building Guest: Natural persons who come to the SETCARD head office or its branches and carry out business there, and whose private data is received.
15. PRIVATE DATA CONFIDENTIALITY AND SECURITY
SETCARD attaches importance to the confidentiality and security of Private Data and takes legal, technical and administrative precautions to protect Private Data to the extent that the Act and the related legislation set forth.
15.1. Reasons that Require the Storage and the Purge of the Private Data
15.1.1. Legal, Technical and Other Reasons that Require the Storage of the Private Data
Where the purpose for which the private data was collected, or any secondary basis for processing stated in this Policy, disappears, SETCARD will continue to store the Private Data:
• To the extent and/or for the periods dictated by the laws, so that SETCARD can carry out its legal responsibilities that have arisen or may arise,
• For data foreseen for deletion and/or anonymization, in a form that is not open to live (“alive”) access and in similar environments, for the purposes of business continuity, prevention of data loss and data protection,
• For data that will be purged by means of deletion, disposal or anonymization, until the next periodical purging date at the latest.
15.1.2. Legal, Technical and Other Reasons that Require the Purge of the Private Data
• The purposes of processing and the reasons requiring the storage of the Private Data disappear,
• Where Private Data is processed on the basis of open consent, the related person withdraws their consent,
• The Data Owner requests the purge of their Private Data using their rights stated in the 11th article of the Act and the 21st article of this Policy, and SETCARD accepts the application, or SETCARD rejects the application and the Committee approves the request following a complaint to the Committee,
• The maximum period for which the Private Data should be stored has expired and no condition exists that would justify storing the private data any longer.
16. TECHNICAL AND ADMINISTRATIVE MEASURES
With the aim of storing your private information securely, preventing its unlawful processing and unlawful access to it, and purging the data lawfully, all the technical and administrative measures taken by SETCARD within the framework of the principles in Article 12 of the KVKK (see footnote 1) are listed below:
a. Administrative Measures:
Within the administrative measures, SETCARD:
- Limits internal access to protected private data to the personnel who need to access it because of their job definition. In limiting access, whether the data is of special quality and its level of importance are taken into consideration.
- Where processed private data is obtained by others unlawfully, reports this situation to the related person and the Board at the earliest opportunity.
- For the sharing of private data, signs a framework contract with the persons to whom private data is transferred, or ensures data safety by adding clauses on the protection of private data and data safety to the current agreement.
- Employs personnel who are knowledgeable and experienced in processing private data, and provides its personnel with the necessary training on the legislation on the protection of private data and on data protection.
- Conducts, or has conducted, the necessary inspections within its own legal entity to ensure that the provisions of the Act are implemented. Remedies the privacy and safety weaknesses that emerge from the inspections.
- In the agreements concluded with personnel and third persons, in addition to the provisions that protect the privacy of the data, determines the purposes, scope and duration of processing of Private Data, clearly sets out the responsibilities of the parties, and adds clauses that impose sanctions on processing activities contrary to the law and to the agreement clauses.
b. Technical Measures:
SETCARD within the technical measures;
- Conducts necessary internal checks within the established systems.
- Within the scope of the established systems, conducts the actualization process of information technologies risk assessment and business impact analysis.
- Ensures the procurement of technical infrastructure that will monitor or prevent data leaking outside the institution, and the creation of the relevant matrices.
- Regularly and when required, has system weaknesses checked through an outsourced penetration testing service.
- Ensures that the authority of personnel working in information technology units to access private data is kept under control.
- Keeps its systems closed to the access of any other institution, foundation or person.
- Purging of the private data is performed irrevocably and in a way which will not leave any trace.
- According to the 12th Article of the law, any kind of digital media where private data is stored is protected by encoded or cryptographic methods that meet information safety requirements.
In order to prevent unlawful intervention in Private Data from both inside and outside the company, data recording media are protected through various software, hardware and codes, virus protection software first among them.
17. CONDITIONS AND METHODS OF PRIVATE DATA PURGING
As organised in the 138th Clause of the Turkish Penal Code, the 7th Clause of the KVK law and the 7th Clause of the regulation about Deleting, Purging or Anonymization of Private Data; private data is deleted, purged or anonymized, based upon our Company’s own decision or on the demand of the owner of the private data, when the reasons that require its processing disappear, even though it was processed according to the related law clauses. Except for the situations in which the data that is anonymized upon customer’s demand and SETCARD’s legal responsibilities and fair advantage are present, all of the private data will be deleted within 30 days following the demand’s arrival.
17.1. Deleting the Private Data
Deleting the Private Data is the process of making Private Data inaccessible and non-reusable for related users in any way.
1 Liabilities concerning the data security
ARTICLE 12 (1) Data supervisor is obliged to take all kinds of necessary technical and administrative measures oriented towards providing the suitable security level with the aim of:
- Preventing the processing of the personal data unlawfully,
- Preventing the access to the personal data unlawfully,
- Providing the storage of the personal data.
SETCARD can use the methods mentioned below to delete the Private Data, depending on the media in which the data is recorded:
- Safe Deletion from the Software: When deleting data that is processed by entirely or partially automatic methods and stored in digital media, methods are used that delete the data from the software in a way that makes it inaccessible and non-reusable for related users.
- Deletion of the Related Data from the Cloud System by Issuing a Delete Command: Removing the related user’s right of access to the file on the central server or to the folder that contains the file, deleting the related rows in databases with database commands, or deleting the data on portable media (flash media) with suitable software can be considered within this scope.
- Safe Deletion by an Expert: In some cases, SETCARD can agree with an expert to delete the private data on its behalf. In this case, the private data is securely deleted by a person who is an expert in the matter, in a way that makes it inaccessible and non-reusable in any way for Related Users.
- Blackening the Private Data on Paper: The method of physically removing the related private data from the document by cutting it out, or making it invisible with permanent ink in a way that cannot be reversed and cannot be read with technological solutions, in order to prevent the misuse of private data or to delete data whose deletion is requested.
- Issuing Delete Command
- Blackening
- Removing the Right of Access of the Related User on the Folder Which the File is in
- Deleting Through Software
- Deleting with Database Command
17.2. Purging of Private Data
Purging private data is the process of making private data inaccessible, irrevocable and non-reusable by anyone in any way.
SETCARD can use one or a few of the methods listed below to purge private data, depending on the media in which the data is recorded:
- Demagnetization: The method of passing magnetic media through special devices that expose it to strong magnetic fields, corrupting the data on it so that it cannot be read.
- Physical Purging: Private data can also be processed in non-automatic ways, on the condition of being a part of a data recording system. When such data is purged, a system of physically purging the private data so that it cannot be used later is applied. Data in paper and microfiche media should be purged with this method, since purging with other methods is not possible.
- Overwriting: A data purging method that makes it impossible for the old data to be read and recovered, by writing random data consisting of 0’s and 1’s seven times over magnetic media and rewritable optical media through special software.
- Purging with “Block Delete” Command
- Purging with Paper Shredder
- Purging all Copies of the Encryption Keys
17.3. Anonymization of Private Data
Anonymization of Private Data is turning Private Data into a state in which it cannot be related to an identified or identifiable real person in any way, even when it is matched with other data. For Private Data to be anonymized, it must be turned into a state in which it cannot be related to an identified or identifiable real person even when the third person or persons to whom the data is transferred use techniques suitable for the recording medium and the related activity area, such as reversing the data or matching it with other data.
SETCARD can use one or a few of the methods listed below to anonymize Private Data:
- Removing Variables
- Removing Records
- Lower Bound and Upper Bound Coding
- Areal Hiding
- Sampling
- Microaggregation
- Data Swapping
- Noise Adding
- K-Anonymity
- L-Diversity
- T-Closeness
18. PERIODS OF STORING AND PURGING PRIVATE DATA
SETCARD stores Private Data for the duration of the agreement and for as long as the legitimate storing period continues, for the purpose for which they are processed.
When an obligation to delete, purge or anonymize arises because these periods have ended, SETCARD deletes, purges or anonymizes the Private Data in the first periodic purging process following that date.
19. PERIODIC PURGING PERIODS
SETCARD’s periodic purging period is 12 months. Where situations that are hard or impossible to recover from arise and there is clear illegality, SETCARD can shorten this period.
20. PRODUCTS AND SERVICES BELONGING TO THIRD PARTY INSTITUTIONS
The products, services and duties that SETCARD provides and the Websites and Applications that it owns may include websites, products and services that SETCARD does not own, whose administration it does not control and that are administered by third party institutions, and links to these may be provided.
If you use these websites, products and services, your private data can be transferred to third party institutions. SETCARD gives no guarantee and accepts no liability for the content, suitability, security or privacy policies of these websites, products and services, or for providing constant communication. Before taking any action, the safety and privacy conditions of the mentioned firms should be read.
21. RIGHTS OF DATA USER AND MODES OF OPERATION OF THESE RIGHTS
21.1. Data Owner’s Rights
According to the 11th clause of the law, the Data Owner has the right, by consulting SETCARD, to do the following regarding him/herself:
- Learn whether private data is processed or not,
- If his/her private data is processed, demand information about it,
- Learn the purpose of processing Private Data and if they are used suitably for the purpose,
- Know the third persons to whom private data is transferred at home or abroad,
- In the case that Private Data is processed deficiently or wrongly, request that it be corrected and that the action taken within this scope be reported to the third persons to whom the Private Data is transferred,
- Request that private data be deleted or purged when the reasons that require its processing disappear, even though it was processed in accordance with the law and other related legislation, and that the action taken within this scope be reported to the third persons to whom the private data is transferred,
- Object to a decision arising against the person him/herself by means of analysis of processed data exclusively through automatic systems,
- Demand cover for the loss in the case that Private data is damaged because of unlawful processing.
21.2. Situations in which Law will not be Implemented and Data Owner cannot Use His/her Rights
According to the 1st sub-clause of the 28th clause of the law, provisions of the Law will not be implemented under the circumstances listed below:
• Processing of private data by real persons within the scope of activities regarding family members who live with them entirely or in the same dwelling on the condition that it will not be given to third persons and liabilities regarding data protection are followed,
• Processing of private data for purposes like research, planning and statistics by means of anonymizing with official statistics,
• Processing of private data for purposes like art, history, literature or science, or within the scope of freedom of speech, on the condition that it will not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights and that it will not constitute a crime,
• Processing of private data within the scope of preventive, protective and informative activities which are conducted by public institutions and foundations which are granted mission and authority by law for establishing national defence, national security, public security, public order, economic security,
• Processing of private data regarding investigation, prosecution, judgement or execution actions by judicial office or execution authority.
According to the 2nd sub-clause of the 28th clause of the Law, in the situations listed below, the Data Owner cannot use his/her rights stated in clause 21.1, except for the right to demand cover of loss:
- Processing data being necessary for preventing committing a crime or crime investigation.
- Processing of private data which is made public by the related person him/herself.
- Processing private data being necessary for the execution of supervision or regulation tasks and of disciplinary investigation or prosecution by assigned and authorized public institutions and foundations, and by professional institutions with the status of public institution, under the authority given by the law.
- Processing private data being necessary regarding budget, tax and financial matters for the protection of the Government’s economic and assets profit.
21.3. Methods of Using the Data Owner’s Rights
The Data Owner may use his rights, stated in Article 21.1 of this Policy, by filling in the application form published on the SETCARD internet site and sending it to the address of Kısıklı District, Alemdağ Avenue, No:34 Üsküdar/İstanbul, delivering it to the same address in person or by hand by means of his attorney, or sending it to the setkurumsal@hs02.kep.tr mail address.
If the Data Owner wants to use this right by means of his attorney, it is obligatory to deliver the documents that certify his identity and, if available, the supporting documents, enclosed with a copy of a proxy letter that includes special authority on this subject.
21.4. Giving Answer to the Application of the Data Owner
Requests sent with the form shall be answered as soon as possible according to the character of the request, and not later than thirty days. However, if the transaction requires an extra cost, the price in the tariff determined by the Board can be charged.
If, in the application, the information is shared deficiently or incorrectly, the request is not expressed in an open and comprehensible way, the documents supporting the request are not delivered or not duly delivered, or the copy of the proxy letter is not enclosed in applications made by means of an attorney, SETCARD may experience difficulty in meeting the demands and delays may occur in the investigation period. For this reason, complying with these points when using the rights stated in Article 11 of the Law is important. Otherwise, SETCARD shall not be held responsible for the delays that are experienced. SETCARD’s legal rights are reserved against applications that are incorrect, contrary to truth or law and/or malevolent.
21.5. The Petition Right of the Data Owner to the Board
If the application is rejected, the given answer is found unsatisfactory or the application is not answered in time, the Data Owner has the right to petition the Board within thirty days of the date on which he learns SETCARD's answer and, in any event, within sixty days of the application date.