PERSONAL DATA PROTECTION LAW

KAYSERİ SPORTS EVENTS INC. TURKEY PERSONAL DATA STORAGE AND DISPOSAL POLICY


FIRST PART

GENERAL PROVISIONS


Article 1 Purpose The purpose of this Policy is to determine the procedures and principles regarding the processing and protection of personal data, which is carried out in accordance with the legal legislation on which this Policy is based, and the deletion, destruction and anonymization of the processed personal data.


Article 2 Scope This Policy relates to the personal data of the personnel, personnel candidates, managers, visitors, employees, managers and other third parties with whom we are in cooperation, processed by fully or partially automatic means, or by non-automatic means provided that they are part of any data recording system.

In this context, this Policy may be applied to the above-mentioned groups of personal data owners as a whole, or only some of its provisions may be applied.


Article 3 Basis This Policy has been prepared on the basis of the Law on the Protection of Personal Data No. 6698, the Regulation on the Data Controllers Registry No. 30286 and the Regulation on the Deletion, Destruction or Anonymization of Personal Data No. 30224.

The relevant regulations in force on the processing, protection and destruction of personal data apply first. In case of inconsistency between the Legislation and the Policy, Kayseri Spor Sahneleri AŞ accepts that the applicable legislation will apply.

Article 4 Definitions


In the implementation of this Policy;


a) Recipient group: The category of natural or legal person to whom personal data is transferred by the data controller;

b) Relevant user: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data;

c) Destruction: Deletion, destruction or anonymization of personal data;

d) Law: Law on Protection of Personal Data No. 6698;

e) Recording medium: Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system;

f) Personal data: Any information relating to an identified or identifiable natural person;

g) Personal data owner: The real person whose personal data is processed;

h) Processing of personal data: All kinds of operations carried out on the data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or by non-automatic means provided that it is a part of any data recording system;

i) Personal data processing inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes of processing, the data category, the transferred recipient group and the data subject group, and in which they explain the maximum period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security;

j) Board: Personal Data Protection Board;

k) Institution: Personal Data Protection Authority;

l) Sensitive personal data: Data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, together with biometric and genetic data;

m) Periodic destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated;

n) Policy: This Policy, on which data controllers base the process of determining the maximum period required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization;

o) Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority;

ö) Data processor: The natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller;


p) Data recording system: The recording system in which personal data is processed and structured according to certain criteria;

r) Data controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

For definitions not included in this Policy, the definitions in the Law are valid.


PART TWO PRINCIPLES TO BE APPLIED IN KAYSERİ SPORT EVENTS INC.

Article 5 Informing the Personal Data Owner


Kayseri Spor Event INC. informs the personal data owners during the acquisition of personal data. In this context, Kayseri Spor Sahneleri AŞ will explain to the personal data owners for what purpose the personal data will be processed, to whom and for what purpose the processed personal data will be transferred, the method of personal data collection and the legal reason, together with their rights in the Law.

Among the rights of the personal data owner is "requesting information". If the personal data owner requests information, Kayseri Spor Sahneleri AŞ will provide the necessary information.

By announcing that it is processing personal data in accordance with the law and the rule of honesty, with various documents open to the public, especially this Policy, Kayseri Sports Events Inc. provides accountability and transparency within this framework.


Article 6 Observance of Data Subject's Rights

Kayseri Sports Events Inc. puts in place the necessary channels, internal procedures, and administrative and technical arrangements in accordance with the Law in order to evaluate the rights of personal data owners and to provide necessary information to personal data owners.

In case the personal data owners submit their requests regarding the rights listed below in writing, Kayseri Sports Events Inc. will conclude the request free of charge as soon as possible and within 30 days at the latest, depending on the nature of the request. If the transaction requires a separate cost, the fee in the tariff determined by the Board will be charged by Kayseri Spor Sahneleri AŞ. Personal data owners have the following rights:

Learning whether personal data is processed;

If personal data has been processed, requesting information about it;

Learning the purpose of processing personal data and whether they are used in accordance with the purpose;

Knowing the third parties to whom personal data is transferred at home or abroad;

Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred;

Requesting the deletion or destruction of personal data in the event that the reasons requiring the processing of the data disappear despite the fact that it has been processed in accordance with the provisions of the law and other relevant legislation, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred;

Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems;

Demanding compensation for the damage in the event of damage due to the unlawful processing of personal data.


Article 7 Recording Medium in which Personal Data is Stored and Disposal

Any medium that contains personal data acquired by Kayseri Sport Event INC. and processed by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system, is considered a recording medium. All personal data within the body of Kayseri Sports Events Inc. are kept and stored with maximum security in the systems below.

Personal data of data owners are securely stored by Kayseri Spor Event INC. in the environments listed in the table below, in accordance with the relevant legislation, especially the provisions of the KVKK, and within the framework of international data security principles:


Electronic media:

Exchange Server (Mail Server)

GymPro Automation System

Ofisnet Automation System

Zirve Accounting Automation System

Microsoft Office Software (Word, Excel etc.)

PDF Files (Adobe Reader etc.)

Physical environments:


Unit Document Cabinet

Archive (Service procurement)

Server

Backup Units (Storage, QNAP, NAS)


Article 8 Ensuring the Security of Personal Data

Considering the commercial activities carried out as Kayseri Sports Events Inc., the protection of personal data is among the top priorities for Kayseri Sports Events Inc. Kayseri Sports Events Inc. takes the necessary legal, technical and administrative measures regarding data security and shows the highest level of importance and care in this regard.

Kayseri Sports Activities Inc. personnel were informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the Law, cannot use the relevant data for other purposes other than processing, and that these obligations will continue in the same way in case they leave Kayseri Sports Activities Inc., and necessary commitments have been taken from them in this regard.

Kayseri Sports Events Inc. also raises the necessary awareness among business partners, suppliers and similar third parties on the prevention of illegal processing of personal data, the prevention of illegal access to personal data and their legal storage. The legal processing, protection and storage of personal data in the presence of third parties working with Kayseri Sports Events Inc. has also been contractually arranged with the relevant third parties, and the activity carried out with third parties has been harmonized due to the processing of the relevant personal data.

Kayseri Sports Events AŞ carries out, or has carried out, all the necessary audits within its own organization. When an audit shows that the measures taken need to be improved, the necessary actions are taken immediately by Kayseri Sports Events INC.

In the event that personal data is learned and/or obtained by others through illegal means despite all the general, technical and administrative measures stated below, Kayseri Sport Activities INC. fulfills its obligation to notify the data owner and the Board as soon as possible.


Article 9 General Measures to be Taken for Safe Storage of Personal Data and Preventing Unlawful Processing and Access


Personal data is processed by Kayseri Spor Sahneleri AŞ only in accordance with the procedures and principles stipulated in the Law and other legal regulations. While processing personal data, Kayseri Sports Event INC. complies with the following principles:

a) Compliance with the law and honesty rules

Kayseri Sports Events Inc. acts in accordance with the principles and honesty rules brought by the relevant legislation in the processing of personal data. By taking into account the proportionality requirements in the processing of personal data, Kayseri Spor Sahneleri AŞ does not use personal data other than to the extent required for the realization of the relevant purpose.

b) Being accurate and up-to-date when necessary

Kayseri Sports Events AŞ considers the fundamental rights and interests of personal data owners, and ensures that the personal data it processes are accurate and up-to-date. For this purpose, Kayseri Sports Events Inc. also takes the necessary measures.

c) Processing for specific, explicit and legitimate purposes

Kayseri Sports Events AŞ defines the purpose of processing personal data, which is legitimate and lawful, precisely and clearly, and processes personal data in connection with the service it provides and to the extent required by the said service. Kayseri Sports Events Inc. reveals the purpose for which personal data will be processed, before the personal data starts to be processed.

d) Being relevant, limited and proportionate to the purpose for which they are processed

Kayseri Sports Events Inc. processes personal data in a way that is convenient for the realization of the determined purposes. In this context, it refrains from processing personal data that is not related to the realization of the purpose of processing personal data or that is not needed.

e) Preservation for the period required by the relevant legislation or for the purpose for which they are processed.

Kayseri Sport Event Inc. retains personal data for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this framework, Kayseri Sports Events AS primarily acts in accordance with this period if it is stated in the relevant legislation how long the personal data should be kept, and if it is not expressed, it stores it for the period that requires processing. In the event that the period expires or the reason requiring its processing disappears, personal data is deleted, destroyed or anonymized by Kayseri Spor Event INC.


Article 10 Personal Data


Kayseri Sports Events Inc. knows that it has to take all kinds of technical and administrative measures to ensure the appropriate level of security in order:

To prevent the unlawful processing of personal data,

To prevent unlawful access to personal data,

To ensure the protection of personal data,

and within this framework, it shows the utmost care and importance.

In the event that the personal data it owns is processed by another natural or legal person, Kayseri Sports Event INC. will be jointly responsible with these persons for taking the above-mentioned measures.

As a matter of fact, Kayseri Sports Events Inc. is aware of the fact that it has to carry out, or have carried out, all the necessary audits in order to ensure the implementation of the Law and the provisions of the relevant legislation, and takes the necessary actions for this.


Article 11 Titles, Units and Job Descriptions of Persons in Charge on behalf of Kayseri Sports Event INC Turkey in the Processes of Storing and Destroying Personal Data

The titles of the personnel involved in the personal data storage and destruction process consist of Unit Managers and Facility Officers who are suitable for their units and job descriptions. The persons concerned shall fully fulfill all their obligations in the storage and destruction processes of personal data regulated in this Policy.



CHAPTER THREE PRINCIPLES ON PROCESSING PERSONAL DATA


Article 12 Conditions for Processing Personal Data

In order for personal data to be processed, the explicit consent of the person concerned is required. Express consent is only one of the legal bases for the processing of personal data. Apart from express consent, personal data may also be processed where one or more of the following situations exist. Kayseri Sports Events Inc. Turkey will be able to process personal data without seeking the explicit consent of the person concerned only in the presence of one of the following conditions.

a) Explicit consent: The explicit consent of the personal data owner should relate to a specific subject, be based on information and be given with free will. In this context, Kayseri Spor Sahneleri AŞ will obtain the express consent of the personal data owner in order to process the personal data.

b) Explicitly stipulated in the laws: Personal data of the data owner may be processed by Kayseri Spor Sahneleri AŞ in accordance with the law, provided that it is clearly stipulated in the law.

c) Failure to obtain the explicit consent of the data subject due to actual impossibility: The personal data of the data subject may be processed if it is necessary for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not given legal validity. For example, notifying the blood type of the personnel of Kayseri Sports Events AS to the doctors in case of a heart attack.

d) Being directly related to the establishment or performance of the contract: Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract.

e) Kayseri Sports Events AŞ fulfilling its legal obligation: In case data processing is necessary for Kayseri Spor Events AŞ to fulfill its legal obligation, the data of the data owner may be processed.

f) The personal data owner making their personal data public: Personal data may be processed if the data owner has made his personal data public by himself.

g) If data processing is mandatory for the establishment or protection of a right: If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

h) If data processing is mandatory for the legitimate interests of Kayseri Spor Sahneleri A.Ş.: Provided that the fundamental rights and freedoms of the personal data owner are not harmed, Kayseri Spor Üretimi A.Ş. will be able to process personal data if it is necessary to process the data for the legitimate interests of Kayseri Sports Event INC.



Article 13 Processing Conditions of Special Quality Personal Data

Kayseri Sports Events Inc. does not process sensitive personal data without the express consent of the personal data owners. Special categories of personal data other than health and sexual life may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal data related to health and sexual life can be processed without seeking the explicit consent of the person concerned only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing, by persons or authorized institutions and organizations under the obligation of secrecy.

Kayseri Sports Events Inc. also takes the necessary measures determined by the Authority in the processing of personal data of special nature.


Article 14 Transfer of Personal Data

Considering the nature of the commercial activities it carries out, Kayseri Spor Sahneleri AŞ transfers the personal data and sensitive personal data of the personal data owners to third parties by taking the necessary security measures in line with the personal data processing purposes in accordance with the Law and the relevant legislation.


Article 15. Workplace Entrances and Personal Data Processing Activities in the Workplace and Website Visitors

In order to ensure security, Kayseri Spor Sahneleri AŞ carries out personal data processing activities to monitor the entrance and exit of guests with security cameras at the workplaces of Kayseri Sports Events AŞ. By using security cameras and recording guest entries and exits, personal data processing activities are carried out by Kayseri Spor Sahneleri AŞ. While processing data in this way, Kayseri Sports Events Inc. acts in accordance with the Law and all other legislation, especially the Constitution.

Kayseri Sports Events Inc. carries out security camera monitoring in the workplace in order to increase the quality of the service it provides, to ensure its reliability, to ensure the safety of visitors and other persons, and to protect the interests of the visitors regarding the service they receive.

Only a limited number of Kayseri Spor Sahneleri AŞ employees have access to the records recorded and maintained in digital environment within Kayseri Sports Events AŞ. The limited number of persons who have access to the records declare, through a confidentiality commitment, that they will protect the confidentiality of the data they access.


CHAPTER FOUR PRINCIPLES ON DELETING, DESTROYING OR ANONYMIZING PERSONAL DATA


Article 16 Principles Regarding the Deletion, Destruction or Anonymization of Personal Data

In the event that the conditions for processing personal data in Articles 12 and 13 cease to exist, Kayseri Spor Ürünleri AŞ fulfills its obligations regarding the deletion, destruction or anonymization of personal data ex officio or upon the request of the person concerned.


In the deletion, destruction or anonymization of personal data, Kayseri Spor Sahneleri AŞ acts in accordance with the general principles and technical and administrative measures set forth in Articles 9 and 10 of this Policy, the provisions of the relevant legislation, the Board decisions and the personal data retention and destruction policy.


Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, Kayseri Spor Sahneleri AŞ deletes, destroys or anonymizes Personal Data ex officio or at the request of the data owner in the event that the reasons requiring its processing are eliminated, even though the Company has processed it in accordance with the provisions of this Law and other laws. With the deletion of Personal Data, these data are destroyed in such a way that they cannot be used again in any way and cannot be recovered. Accordingly, Personal Data is deleted from the tools in which they are registered, such as documents, files, CDs, floppy disks and hard disks, in a way that cannot be recovered. Destruction of Personal Data, on the other hand, means the destruction of materials suitable for data storage in which the data is recorded, such as documents, files, CDs, floppy disks and hard disks, so that the information cannot be retrieved or used again. Anonymizing the data means that the Personal Data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.


Article 17 Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for the relevant users. Kayseri Sports Events Inc. takes all necessary technical and administrative measures to ensure that the deleted personal data cannot be accessed and reused by the relevant users.


Article 18 Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. Kayseri Sports Events Inc. takes all necessary technical and administrative measures regarding the destruction of personal data.


Article 19 Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In order for personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as the data controller, recipient or recipient groups reversing the process or matching the data with other data.

Kayseri Sports Events Inc. takes all necessary technical and administrative measures regarding the anonymization of personal data.

Article 20 Methods to be Applied Regarding the Deletion, Destruction, Anonymization of Personal Data

Kayseri Sports Events Inc. will delete, destroy and/or anonymize the personal data within its body by using the methods set out below.


Article 21 Periods for Ex officio Deletion, Destruction or Anonymization of Personal Data

Kayseri Sports Event INC deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.

Periodic destruction will be carried out by Kayseri Spor Sahneleri AŞ within 30 days following the date on which the obligation to delete, destroy or anonymize personal data arises. In mandatory cases, this period can be extended for a maximum of 30 days.

Kayseri Sports Event INC accepts that the Board may shorten the periods specified in this article in case of irreparable or impossible damages and in case of a clear violation of the law.


Article 23 Periods of Deletion and Destruction of Personal Data in Case of Request by the Data Owner

When the Data Owner requests the deletion or destruction of his personal data by applying to Kayseri Spor Sahneleri A.Ş., pursuant to Article 22 of this Policy;

a) If all the conditions for processing personal data have disappeared, Kayseri Sports Events AS deletes, destroys or anonymizes the personal data subject to the request. Kayseri Sports Events AŞ Turkey finalizes the request of the person concerned within 30 days at the latest and informs the person concerned.

b) If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, Kayseri Spor Sahneleri AŞ notifies the third party and ensures that the necessary actions are taken by the third party within the scope of the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

c) If all of the personal data processing conditions have not disappeared, this request can be rejected by Kayseri Spor Sahneleri AŞ pursuant to Article 22/3 of this Policy by explaining the reason, and the rejection is notified to the Data Owner in writing or electronically within 30 days at the latest.


SECTION FIVE OTHER PROVISIONS


Article 24 Enforcement

This Policy is dated 02 November 2020 and entered into force on the same date. The policy is published on the website of Kayseri Spor Sahneleri A.Ş and is made available to the relevant persons upon the request of the personal data owners.


Article 25 Acceptance and Commitment

A copy of this Policy is given to the Data Controller and all Kayseri Sports Events Inc. Managers. For the Policy to be binding for the Data Controller, the "Personal Data Retention and Disposal Policy" must be signed; for it to be binding for the personnel of Kayseri Sports Events Inc, the "Personal Data Retention and Disposal Policy" must be signed and given to Kayseri Sports Activities Inc. Upon the signature of the Acceptance and Commitment Form by the Data Officer and Kayseri Sports Events Inc personnel, it becomes binding for the Data Officer and Kayseri Sports Activities Inc personnel.


Article 26 Other Regulations

This Policy supersedes the regulations and annexes that were in effect before (if any) regarding the storage and destruction of personal data.



