PERSONAL DATA PROTECTION AND PROCESSING POLICY

I. INTRODUCTION

This Policy sets out the procedures and principles to be followed by Sorhan Law & Consultancy (hereinafter referred to as “Sorhan”) regarding the protection and processing of personal data.

The Policy aims to harmonize Sorhan’s operation with the Personal Data Protection Law No. 6698 on the protection and processing of personal data, to determine the framework of the compliance activities planned to be carried out by Sorhan and to ensure coordination. Pursuant to Law No. 6698 on the Protection of Personal Data, your personal data may be processed by Sorhan as the data controller within the scope described below.

In this context, it is aimed to ensure that the activities of our office are carried out in accordance with the law and legislation, within the framework of the principles of honesty, transparency and fairness.

This Policy comprehensively regulates the protection and processing of personal data of our current and potential clients, employee candidates, visitors, employees, shareholders and officials of the institutions we cooperate with and third parties, and aims to ensure transparency and accountability in data processing. All personal data and data owners processed by non-automatic means, provided that they are part of any data recording system, are covered by this Policy.

II. DEFINITIONS

 

CONCEPT DEFINITION
Open Consent It refers to consent on a specific subject, based on information and expressed with free will.
Anonymization It refers to making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Relevant person/Personal Data Owner Refers to the natural person whose personal data is processed. For example; customers, employees, candidate personnel.
Personal data It refers to any information relating to an identified or identifiable natural person. Therefore, the processing of information on legal entities is not covered by Law No. 6698.
Processing of personal data It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Sensitive Personal Data Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.
Data Processor A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. For example, an IT company that stores a company’s customer data is considered within this scope.
Data Controller The data controller is the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).

III. SORHAN’S OBLIGATIONS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

A.General Obligations of Sorhan

Sorhan’s obligations regarding the protection and processing of personal data are as follows:

  1. Sorhan’s Obligation to Inform the Personal Data Owner
  2. Obligation to Ensure the Security of Personal Data
  • Obligation to Comply with the Legislation on the Protection and Processing of Sensitive Personal Data
  1. Obligation to Comply with the Legislation in Case of Transfer of Personal Data
  2. Obligation to Process Personal Data Based on and Limited to the Processing Conditions in the Law

B.Disclosure Obligation

Sorhan aims to enlighten the personal data owner on the following issues;

  1. Identity of Sorhan as the data controller and its representative, if any,
  2. The purpose for which personal data will be processed,
  • To whom and for what purpose personal data may be transferred,
  1. The method and legal reasons for collecting personal data, the rights of the personal data owner

rights.

The rights of the personal data owner within the scope of Sorhan’s disclosure obligation are related to the following;

  1. To learn whether their personal data is being processed,
  2. To learn the purpose of processing and whether it is used for its intended purpose,
  • To know the persons to whom personal data are transferred,
  1. To request correction in case of incomplete or incorrect processing and to request the deletion of personal data if the conditions are met and to forward these requests to third parties,
  2. To object to the emergence of a result to his/her detriment by analyzing the processed data exclusively through automated systems,
  3. To claim damages in case of loss due to unlawful processing.

C. Obligation to Take Measures

Sorhan considers it a duty to take the necessary technical and administrative measures to ensure the appropriate and sufficient level of security in order to prevent unlawful processing of personal data and/or unlawful access to data and to ensure the protection of the relevant personal data within the scope of the Law No. 6698 on the Protection of Personal Data.

In terms of the technical and administrative measures to be prepared in this context, Sorhan establishes systems for conducting and enforcing the necessary audits regarding the functioning of the measures.

In the event that the personal data processed by Sorhan in accordance with Law No. 6698, legal legislation and even this Policy is obtained by others illegally; It is obliged to immediately notify this situation to the relevant personal data owner and, if required by the legislation, to the Personal Data Protection Board. In addition, if a situation that poses a security risk is detected by Sorhan, necessary measures should be taken immediately to eliminate the aforementioned risk.

The following measures must be taken by Sorhan for the processing of personal data in accordance with the law:

  1. All processes related to data processing activities within Sorhan should be analyzed.
  2. A personal data processing due diligence report should be issued in accordance with the analysis to be made.
  • They make the necessary arrangements to ensure compliance with the law in accordance with the personal data processing due diligence report.
  1. Personal data processing processes are audited by technical systems to be developed and these audits are reported.
  2. The internal functioning of Sorhan is carried out in accordance with the Personal Data Protection legislation and directives and regulations regarding its internal functioning are issued.
  3. Records regarding the protection of personal data shall be included in the documents related to the functioning of Sorhan and in the relations with clients, even in the form of informative information.

In addition, it is Sorhan’s obligation to take the following administrative and technical measures to prevent unlawful access to Personal Data.

IV. PURPOSES OF PROCESSING AND STORAGE PERIODS OF PERSONAL DATA

A.Data Processing Purposes

Sorhan’s data processing purposes are briefly stated as follows;

  1. Processing of personal data by our office is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his/her consent due to actual or legal invalidity,

In this context, Sorhan processes the personal data of those concerned for the following purposes: Execution of Emergency Management Processes, Execution of Employee Candidate / Intern / Student Selection and Placement Processes, Execution of Application Processes of Employee Candidates, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Activities in Compliance with the Legislation, Ensuring Physical Space Security, Follow-up and Execution of Legal Affairs, Follow-up of Requests / Complaints, Execution of Contract Processes, Execution of Storage and Archive Activities, Providing Information to Authorized Persons, Institutions and Organizations, In the event that the data processing activity carried out for the aforementioned purposes such as Creating and Tracking Visitor Records, Ensuring the Security of Movable Goods and Resources, Execution of Business Continuity Activities, Execution of Finance and Accounting Affairs, Execution of Activities in Compliance with the Legislation, Execution of Audit / Ethical Activities does not meet any of the conditions stipulated under the KVK Law, the explicit consent of the relevant persons is obtained by our Office within the framework of this policy regarding the relevant processing process.

B. Personal Data Categorization

It is possible to categorize the personal data processed within Sorhan as follows:

Category Description
Employee Information/Personal Information All kinds of personal data regarding the information that will be the basis for the formation of the personal rights of our office personnel and / or real persons who are in a working relationship with our Office are within this scope.
Contact Information This includes information such as the phone number, address, e-mail of the person concerned.
Background Information Personal data related to photographs, educational information, school information, academic certificate information, work experiences, all kinds of information regarding work experience, which are written in the resume document or requested by Sorhan or provided by the relevant person are within this scope.
Identity Information Identity information of the relevant person is included in this category. Identity Card Information, Driver’s License Information, Passport information and/or information contained in such documents are within the scope of this category.
Venue Security Information This includes personal data relating to records and documents taken within the Office.
Client Information This includes the information processed about the person concerned as a result of the legal proceedings of our clients in the position of the person concerned.
Bank Account Information   Personal data related to bank account number, IBAN number, credit card and debit card are within this scope.
  1. Retention Periods of Personal Data

If stipulated within the framework of the relevant legislation, Sorhan retains personal data for the period specified in these regulations. In cases where a period of time is not regulated in the legal legislation, personal data is retained for the period required to be processed in accordance with the requirements of Sorhan’s applications, depending on the services provided by Sorhan when processing that data, and then deleted, destroyed or anonymized.

V. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

In accordance with the legal legislation, Sorhan may transfer the personal data of its clients to the categories of persons listed below: Legally Authorized public institutions and organizations, Suppliers and legally authorized private law persons may be transferred within the framework of the relevant legislation. In this context;

PERSONS AND INSTITUTIONS THAT CAN BE TRANSFERRED EXPLANATION
Administration/Legally Authorized Public Institutions and Organizations Public institutions and organizations authorized to receive information and documents from our Office in accordance with the relevant legislation are within this scope. Data may be transferred to the aforementioned institutions and organizations within their legal authority, limited to the purpose requested.
Legally Authorized Private Law Persons Private law persons authorized to receive information and documents from our Office according to the provisions of the relevant legislation are within this scope. Data may be transferred to legally authorized private law persons limited to the purpose requested within the framework of their legal authority.
Suppliers While carrying out the activities of the Data Controller, data may be transferred to the parties providing services to the Data Controller on a contractual basis in accordance with the orders and instructions of the Data Controller, limited to the purpose requested within the framework of their legal authority.

VI. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Although it has been processed in accordance with the provisions of the relevant law, personal data shall be deleted, destroyed or anonymized upon our Office’s own decision or upon the request of the personal data owner if the reasons requiring its processing disappear.

Our Office reserves the right not to fulfill the request of the data subject in cases where our Office has the right and/or obligation to retain personal data in accordance with the Law on the Protection of Personal Data. In accordance with the Law on the Protection of Personal Data, it is possible to process personal data without seeking the explicit consent of the data subject in the presence of one of the following conditions:

  1. Explicitly stipulated in the law.
  2. It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
  • Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
  1. It is mandatory for the data controller to fulfill its legal obligation.
  2. It has been made public by the person concerned.
  3. Data processing is mandatory for the establishment, exercise or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

 

VII. RIGHTS OF PERSONAL DATA SUBJECTS

A. Generally

Data subjects have the following rights in accordance with the relevant legislation:

  1. Learn whether personal data is being processed,
  2. Request information if their personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used for their intended purpose,
  1. To know the third parties to whom personal data are transferred domestically or abroad,
  2. To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  3. Although it has been processed in accordance with the relevant legislation, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  • In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

B. Data Subject’s Right to Apply to Sorhan

If the data subjects wish to exercise any of the above-mentioned rights, they must fill out the application form attached to this Policy (See Annex) and

  • submit a wet signed copy of the form to Büyükdere Caddesi No:185, Kanyon Güney Lobi D Blok, No:23 Levent/ Şişli, Istanbul, Turkey in person or through a notary public or
  • They must send the form to info@sorhanconsultancy.com.tr electronic mail address with their secure electronic signature.

In the event that the Personal Data Protection Board decides to submit requests by methods other than those mentioned above, the ways in which applications can be submitted will be announced separately.

Sorhan will evaluate and finalize the requests from data owners within thirty days at the latest, depending on the nature of the request. Positive or negative responses to requests from data subjects may be notified to data subjects in writing or electronically.

Although the requests of the data subjects will be finalized free of charge as a rule, if answering the request requires an additional cost, a fee may be charged in the amounts determined within the framework of the relevant legislation. The procedures and principles regarding the deposit of this fee will be specified in the Application Form. It should be noted that if this fee is not deposited in accordance with the procedures and principles explained, the applications will not be taken into consideration. If the application is due to Sorhan’s error, the fee will be refunded to the person concerned.

C.Special Cases where Data Subjects cannot assert their rights

Personal data owners cannot assert the rights of personal data owners described above in these matters, since the following cases are excluded from the scope of the Law on the Protection of Personal Data:

  1. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
  2. Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
  1. Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.

D. Sorhan’s Right to Reject the Personal Data Subject’s Application

Sorhan may reject the application of the applicant by explaining the grounds in the following cases:

  1. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
  2. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,
  1. Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions,
  2. The requested information is publicly available,
  3. Processing of personal data is necessary for the prevention of crime or criminal investigation,
  • Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law,
  • Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters,
  1. Processing of personal data made public by the personal data subject himself/herself,
  2. The request of the personal data subject is likely to impede the rights and freedoms of other persons,
  3. Demands were made that required disproportionate effort.

 

E. Data Subject’s Right to File a Complaint to the Personal Data Protection Board

In cases where the personal data owner rejects the application, finds the answer insufficient or does not respond to the application in due time; He may file a complaint to the Personal Data Protection Board within thirty days from the date he learns the answer of Sorhan and in any case within sixty days from the date of application.