CONTENTS
• A. PURPOSE AND SCOPE
• B. DEFINITIONS
• C. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES
• D. POLICY PRINCIPLES
•
1. BASIC PRINCIPLES ADOPTED BY
2. PERFORMING PERSONAL DATA PROCESSING ACTIVITIES IN ACCORDANCE WITH KVKK
3. PERFORMING PERSONAL DATA TRANSFER IN ACCORDANCE WITH KVKK
4. ENSURING THE SECURITY OF PERSONAL DATA
• a. Administrative Measures to be Taken
• b. Technical Precautions to be Taken
• c. Conducting Audit Activities Regarding the Protection of Personal Data
•    D. Precautions in Case of Illegal Disclosure of Personal Data
5. OBLIGATIONS RELATED TO PERSONAL DATA PROCESSING ACTIVITIES
• a. Registration Obligation to the Data Controllers Registry (VERBİS)
• b. Obligation to Inform the Data Owner
• c. Obligation to Collect and Transfer Personal Data in accordance with the Law
•    D. Obligation to Ensure the Security of Personal Data
• e. Obligation to Fulfill the Decisions Made by the KVK Board
• f. Obligation to Respond to Data Owner Applications
• E. PUBLISHING AND STORAGE OF THE POLICY
• F. UPDATE OF THE POLICY
A. PURPOSE AND SCOPE
Due to the fact that the legal order is one of the cornerstones of social life, TANGOTOCUP has been complying with general legal rules since its establishment and has been making maximum efforts to protect the rights and interests of people. With TANGOTOCUP Personal Data Processing, Protection and Privacy Policy (“TANGOTOCUP KVK Policy”). TANGOTOCUP determines the basic principles regarding the compliance of its activities with the regulations in the Personal Data Protection Law No. 6698 ("KVK Law") and within this scope. What TANGOTOCUP must fulfill is set out.
By implementing TANGOTOCUP KVK Policy regulations in all our activities, the data security principles adopted by TANGOTOCUP will be made sustainable.
TANGOTOCUP KVK Policy has been prepared as a guide for the implementation of the regulations set forth by the KVK Law and relevant legislation. Personal data of TANGOTOCUP employees, employee candidates, visitors and employees of third parties, institutions or organizations with whom TANGOTOCUP has relations as service providers, and personal data of other third parties are within the scope of this Policy, and all records where personal data owned by TANGOTOCUP or managed by TANGOTOCUP are processed. This Policy applies to activities related to environments and personal data processing.
B. DEFINITIONS
The terms used in the legislation and also in the TANGOTOCUP KVK Policy are listed below.
I. Personal Data: Any kind of data relating to an identified or identifiable natural person
II. Special Personal Data: Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. .
III. Personal Data Owner/Relevant Person: The real person whose personal data is processed. For example; employees. IV. Explicit Consent: Consent regarding a specific subject, based on prior information and expressed with free will,
V. Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any operation performed on data such as bringing, classifying or preventing its use,
VI. Data processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
VII. Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
VIII. KVK Law: Personal Data Protection Law No. 6698, dated 24 March 2016, published in the Official Gazette No. 29677, dated 7 April 2016.
IX. KVK Board: Personal Data Protection Board.
X. KVK Authority: Personal Data Protection Authority.
C. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES
Our legal consultants will be a source of advice and guidance in the implementation of the procedures, standards and training activities prepared in accordance with the TANGOTOCUP KVK Policy within TANGOTOCUP. All personnel, visitors and relevant third parties throughout TANGOTOCUP are obliged to comply with the TANGOTOCUP KVK Policy and cooperate with the Legal Consultancy in preventing risks / dangers.
All personnel of TANGOTOCUP are responsible for ensuring compliance with the TANGOTOCUP KVK Policy.
D. POLICY PRINCIPLES
1. BASIC PRINCIPLES ADOPTED BY TANGOTOCUP
TANGOTOCUP adopts the following basic principles to comply with and maintain compliance with personal data protection legislation:
a. Personal data includes all kinds of information that belongs to a person and allows the person to be identified, and therefore it is the responsibility of the data owner to protect it.It constitutes a superior benefit. Data owner; One should act with the awareness that it is an obligation to pay attention to the right to know which data is processed for what purpose and whether the data is transferred or not.
b. It carries out data processing activities in accordance with the law and the rule of honesty.
c. It must be ensured that the personal data processed are accurate and up-to-date when necessary, and if the data is inaccurate, it must be corrected/updated.
D. Personal data is processed only for specific, explicit and legitimate purposes and to the extent necessary for the purpose of processing. Excessive data should not be processed with the assumption that it will be used in the future, and the rights of the data owner and the purpose of the processing should be taken into consideration.
to. Processed personal data are retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. In particular, the time limit arising from Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVK Law is respected. TANGOTOCUP deletes, destroys or anonymizes personal data if the period stipulated in the legislation expires or if the reasons requiring the processing of personal data disappear.
2. PERFORMING PERSONAL DATA PROCESSING ACTIVITIES IN ACCORDANCE WITH KVKK
While carrying out their personal data processing activities, they must act in accordance with the data processing conditions specified in Articles 5 and 6 of the KVK Law and the Regulation on the Processing of Personal Health Data, provided that they comply with the basic principles. The following stages are followed in data processing activity:
1- The data owner must be informed. Clarification should be made before obtaining consent (signature) in cases where explicit consent is required to process data, before starting data processing in cases where explicit consent (signature) is not required, and it should be explained which data will be processed and why. If data is processed by taking camera images, written warning signs should be placed where necessary.
2- It should be determined whether the conditions for data processing are present. If the conditions are not met, personal data processing should not be carried out. In the following cases, the existence of data processing conditions is accepted and there is no need to obtain consent:
• It is clearly stipulated by law (for example, it is mandatory to obtain the employee's identity information due to the obligation to notify the Social Security Institution).
• It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract (for example, it is necessary to obtain the name, surname and bank account information of the seller in order to pay the price of the purchased product).
• It is mandatory for the data controller to fulfill its legal obligation, it has been made public by the data subject himself, data processing is mandatory for the establishment, exercise or protection of a right, data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. Personal data may be processed in such cases.
• EXPRESS CONSENT MUST BE OBTAINED, except in the above cases or when processing "special nature data".
3- It is necessary to limit the amount of data to be processed "as much as necessary" and not to process more data than necessary for each processing purpose.
4- TANGOTOCUP personnel must comply with the rules set forth in the Constitution of the Republic of Turkey, the Turkish Penal Code, the KVK Law and other relevant legislation and the TANGOTOCUP KVK Policy, within the scope of processing personal data. Within the scope of these explanations, at TANGOTOCUP, personal data processing will be carried out within the conditions and purposes specified in Article 5 and Article 6 of the KVK Law and for the purposes stated below;
Member and Business partners data;
• Data processing due to contractual relationship; Personal Data belonging to the Member or Business Partner (in case the business partner is a legal entity, the business partner representative) may be processed for the establishment, implementation and termination of the contract without the need for separate consent. Personal data before and during the contract initiation phase; It may be processed in order to prepare an offer, prepare a purchase form or meet the Personal Data Owner's requests regarding the implementation of the contract.
• Data processing due to TANGOTOCUP's legal obligation or as expressly provided for in the law; Personal data may be processed without obtaining separate consent in order to clearly state the processing in the relevant legislation or to fulfill a legal obligation determined by the legislation. The type and scope of data processing must be necessary for the legally permissible data processing activity and must comply with the relevant legal provisions.
• Processing data in accordance with TANGOTOCUP's legitimate interest; Personal data may be processed without the need for further consent when necessary for a legitimate interest of TANGOTOCUP. Legitimate interests are generally legal (e.g. collecting debts) or economic (e.g. avoiding breach of contract) interests.
Personnel data;
• Processing of Personal Data for business relationshipmesi; Personal Data is processed without further consent if necessary for the establishment, implementation and termination of the employment contract. Personal Data of candidates are processed when starting a business relationship. If the candidate is rejected, the candidate's information is kept for the appropriate data retention period for a later selection phase, and is deleted, destroyed or anonymized at the end of this period.
• Data processing is carried out due to the legal obligation of TANGOTOCUP or as expressly provided for in the law; Personal Data belonging to the employee may be processed without the need to obtain separate consent in order to clearly state the processing in the relevant legislation or to fulfill a legal obligation determined by the legislation.
• Processing of data in accordance with legitimate interest; Personal Data belonging to the Employee may be processed without further consent when necessary for a legitimate interest of TANGOTOCUP (e.g. filing, exercising or defending legal rights). In personal cases where the interests of employees must be protected, personal data is not processed for legitimate interest purposes. Before the data is processed, it is determined whether there are interests that require protection. When employee data is processed based on TANGOTOCUP's legitimate interest, it is examined whether the processing is proportionate. It is checked that TANGOTOCUP's legitimate interest in taking this control measure does not violate a right of the relevant employee that needs to be protected, and it is applied only if it is proportionate.
3. PERFORMING PERSONAL DATA TRANSFER IN ACCORDANCE WITH KVKK
In personal data transfers to be carried out by TANGOTOCUP (actively sharing personal data with third parties or making personal data accessible to third parties), the personal data transfer conditions set out in Articles 8 and 9 of the KVK Law must be complied with. Excluding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. Other data may be transferred in the following cases:
• It is clearly prescribed by law (for example, due to SSI legislation, it is mandatory to notify the employee's identity information to SSI).
• It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract (for example, it is mandatory to transfer the name, surname and account information of the seller to the bank in order to pay for the product purchased).
• It is mandatory for the data controller to fulfill its legal obligation, it has been made public by the data subject himself, data processing is mandatory for the establishment, exercise or protection of a right, data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. personal data may be transferred (for example, data regarding the medications used by the employee or their diseases, if any, must be transferred to healthcare personnel when necessary).
• Personal data cannot be transferred abroad without the explicit consent of the relevant person.
4. ENSURING THE SECURITY OF PERSONAL DATA
TANGOTOCUP must take all necessary precautions, within the means possible, depending on the nature of the data to be protected, in order to prevent unlawful disclosure and transfer of personal data, unlawful access to personal data, or security deficiencies that may occur in other ways. In this context, administrative and technical measures should be taken, an audit system should be established within TANGOTOCUP, and in case of illegal disclosure of personal data, the process should be implemented in the KVK Law.
a. Administrative Measures Taken to Ensure Lawful Processing and Transfer of Personal Data and to Prevent Unlawful Access to Personal Data are as follows:
• Trains and raises awareness of its employees regarding the protection of personal data.
• In cases where personal data is subject to transfer, records are added to the contracts concluded with the persons to whom personal data are transferred, stating that the party to which personal data is transferred will fulfill its obligations to ensure data security. In this context, it is undertaken that the transferred party will take all necessary measures to protect personal data and ensure the implementation of these measures in their own organizations.
• The processes carried out by the personnel are examined in detail, and the personal data processing activities carried out within the scope of the process are determined for each unit. In this context, the steps to be taken to ensure that the data processing activities carried out comply with the personal data processing conditions stipulated in the KVK Law are determined.
b. To Ensure Lawful Processing and Transfer of Personal Data and to Prevent Illegal Access to Personal DataTechnical Measures taken are as follows:
• Regarding the protection of personal data, technical measures have been taken to the extent technology allows, and the measures taken should be updated and improved in parallel with developments.
• Inspections should be carried out at regular intervals regarding the implementation of the measures taken.
• Software and systems to ensure security are updated.
• Access authority to personal data being processed by personnel is limited to the relevant unit employee in line with the determined processing purpose.
c. Carrying out Audit Activities for the Protection of Personal Data: The compliance, functioning and effectiveness of the technical measures, administrative measures and practices taken by TANGOTOCUP within the scope of protecting and ensuring the security of personal data with the relevant legislation, policies, procedures and instructions are audited by Internal Audit Units. The audit may also be carried out by external audit firms, taking the opinion of the Board of Directors. The results of the audit activities performed are reported to the General Manager and relevant function managers. It is the primary responsibility of process owners to regularly monitor the actions planned regarding the audit results. Activities that will ensure the development and improvement of the measures taken regarding the protection of data, without being limited to the audit results, are carried out by the relevant unit.
D. Precautions to be Taken in Case of Illegal Disclosure of Personal Data; TANGOTOCUP must immediately notify the KVK Board and relevant data owners in case the personal data they process is obtained by unauthorized persons in violation of the law. The TANGOTOCUP Data Breach Notification Procedure must be implemented simultaneously.
5. OBLIGATIONS RELATED TO PERSONAL DATA PROCESSING ACTIVITIES
They must comply with the obligations stipulated by the TANGOTOCUP KVK Law for data controllers.
a. Registration Obligation to the Data Controllers Registry (VERBIS): VERBIS registration is required when the conditions specified in the legislation are met. The information that must be submitted to the Data Controllers Registry in the registration application is listed below:
1. Identity information and addresses of the data controller and his representative, if any,
2. Purpose of processing personal data,
3. Information about data subject groups and categories of personal data processed for these individuals,
4. Person or groups of people to whom personal data can be transferred,
5. Maximum retention period required by the purpose of processing personal data,
6. Measures taken to ensure the security of processed personal data.
b. Obligation to Inform the Data Owner: The information that must be provided to data owners within the scope of the disclosure obligation is listed below:
1. Identity of the data controller and his representative, if any,
2. For what purpose personal data will be processed,
3. To whom and for what purpose the processed personal data can be transferred,
4. Method and legal reason for collecting personal data,
5. Rights of the data owner listed in Article 11 of the KVK Law
c. Obligation to Collect and Transfer Personal Data in Compliance with the Law: It must be explained to the data owner which data is processed for what purpose and whether the data is transferred, and the collected data must be processed in accordance with the law and the rule of honesty. Personal data must be processed only for specific, clear and legitimate purposes and to the extent necessary for the purpose of processing, and must be kept accurate and up to date. If the reason for processing the processed data is no longer present, they must establish the necessary internal systems for deleting, anonymizing or destroying the data.
D. Obligation to Ensure the Security of Personal Data: In order for the data owner to avoid any loss of rights, TANGOTOCUP; All necessary technical and administrative measures must be taken to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. It is obliged to carry out the necessary inspections or have them carried out within the scope of the operation of the mechanisms to ensure data security.
to. Obligation to Fulfill the Decisions Made by the KVK Board: TANGOTOCUP must act in accordance with the decisions made by the KVK Board, which operates to ensure that personal data is processed in accordance with fundamental rights and freedoms and is the executive body of the KVK Institution.
f. Obligation to Respond to Data Owner Applications: TANGOTOCUP, as the data controller, must finalize the written requests of data owners regarding their personal data as soon as possible and within thirty (30) days at the latest, depending on the nature of the request.
Personal data owners can contact the data controllers and request the following issues regarding themselves:
1. Learning whether personal data is processed or not,
2. Requesting information if personal data has been processed,
3. Learning the purpose of processing personal data and whether they are used for their intended purpose,
4. Personal data at home or abroad
​Knowing the third parties to whom it is transferred,
5. Requesting correction of personal data if they are incomplete or incorrectly processed,
6. Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,
7. In case of correction or deletion/destruction of data, requesting notification of the situation to third parties to whom personal data has been transferred,
8. Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
9. To request compensation for the damage in case of damage due to illegal processing of personal data.
PUBLISHING AND STORING OF THE E-POLICY
The policy document is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept in the file.
F- UPDATE OF THE POLICY
It enters into force from the moment it is approved by the Board of Directors. This Policy is reviewed as needed and necessary sections are updated. The General Manager has been authorized by the Board of Directors to determine the changes to be made within the policy and how they will be put into effect. Changes can be made and put into effect in this Policy with the approval of the General Manager. The implementation rules, which will be drawn up in accordance with this Policy and will specify how the matters specified in this Policy will be implemented on certain subjects, will be added to the relevant regulations. TANGOTOCUP KVK Policy has been published on the website and made available to the public. In case of conflict between the current legislation, especially the KVK Law, and the regulations contained in this Policy, the provisions of the legislation shall apply.