General Data Protection Regulation (Personal Data Protection Law)
As Referans Fuarcılık Organization and Trade A.Ş. (“Company”), protection of personal data is one of our values that we attach importance to. Our company carries out all its efforts to process all personal data processed within the scope of business activities carried out by our company in accordance with the legislation. In this text, the principles adopted by our Company in the execution of personal data processing activities and detailed information regarding the compliance with the General Data Protection Regulation No.6698 (“GDPR”) are explained, thus our Company provides the necessary transparency by informing the personal data owners.
This General Information Text is about all data owners whose personal data are processed by our Company. However, information regarding the personal data of our Company employees is not considered within this text. The table with the aforementioned data owners is given below.
PERSONAL DATA OWNER CATEGORY DESCRIPTION
Employee / Trainee Candidate: It refers to real persons who have applied for a job or have opened their CV information to our Company.
Authority / Shareholder: It refers to real persons who are shareholders, officials or employees of the companies with which our company has partnered for purposes such as the sales, promotion and marketing of our company’s products and services, after-sales support, and the execution of joint customer loyalty programs while conducting the commercial activities of our company.
Costumer: It refers to real persons who use, have used or applied for the purpose of using the products and services offered by our company, or whose application is at the stage of evaluation, or who are employees, officials or shareholders of real persons or legal entities.
Supplier Employee / Officer / Shareholder: It refers to real persons who are shareholders, officials or employees of companies that provide goods and / or services to our Company based on the existing and / or possible future contract with our Company.
Visitor: It refers to real persons who visit our Company’s premises, websites or who have joined our Company’s guest internet network.
3.CONDITIONS OF PROCESSING PERSONAL DATA
In accordance with GDPR, the processing of personal data is considered in accordance with the law under certain conditions. The first of these is the explicit consent of the personal data owner, and in the event of one of the following conditions, personal data are processed by our Company without the explicit consent of the data owner. Apart from explicit consent, the basis of the personal data processing activity can be only one of the conditions stated below, and more than one condition can be the basis of the same personal data processing activity.
3.1 Being Explicitly Stipulated in Laws
If it is clearly stipulated in the law, in other words, if there is an explicit provision in the law regarding the processing of personal data, the personal data of the data owner may be processed by our Company within the framework stipulated in the legislation.
3.2. Failure to Obtain Explicit Consent of the Relevant Person Due to Actual Impossibility
Personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to disclose his/her consent due to the actual impossibility or whose consent cannot be validated, or to protect the life or body integrity of another person.
3.3. Directly Related to the Establishment or Execution of the Contract
Provided that it is directly related to the establishment or performance of a contract to which the data owner is a party, this condition may be deemed fulfilled if it is necessary to process personal data.
3.4. Fulfilling the Company’s Legal Obligation
Personal data of the data owner may be processed if data processing is mandatory for our company to fulfill its legal obligations.
3.5. Making Personal Data Public by Personal Data Owner
If the data owner has made his/her personal data public, the relevant personal data may be processed in a limited way for the purpose of making it public
3.6. When Data Processing is Mandatory for the Establishment or Protection of a Right
In the event that data processing is mandatory for the establishment, use or protection of a right, the personal data of the data owner may be processed.
3.7. When Data Processing is Mandatory for the Legitimate Interest of Our Company
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if it is necessary for the legitimate interests of our Company.
- Processing of Special Quality Personal Data
Within the scope of the law, special importance is attached to personal data that are sensitive. “Special quality” personal data defined by the Law; Biometric and genetic data regarding race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures.
(i) Personal data of special nature other than health and sexual life can be processed without the explicit consent of the data owner, in other words, if there is an explicit provision in the law regarding the processing of personal data. Otherwise, the explicit consent of the data owner will be obtained.
(ii) Special quality personal data regarding health and sexual life, for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, without seeking express consent by persons under the obligation of secrecy or authorized institutions and organizations. can be processed. Otherwise, the explicit consent of the data owner will be obtained.
- Processing of Personal Data in Compliance with the Principles Prescribed in Legislation
5.1. Processing in accordance with the Law and the Rules of Honesty
Personal data are processed in accordance with the general trust and honesty rule so that the fundamental rights and freedoms of the persons are not harmed. In this context, personal data are processed to the extent and limited to the business activities of our Company.
5.2. Ensuring that Personal Data is Accurate and Updated when Required
Our company takes the necessary measures to ensure that personal data are accurate and up-to-date during the processing of personal data, and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods of time.
5.3. Processing for Specific, Clear and Legitimate Purposes
Our company clearly reveals the purposes of processing personal data and processes it within the scope of the purposes related to these activities in line with its business activities.
5.4. Being Related, Limited and Measured for the Purpose of Processing
Our company only collects personal data in the nature and extent required by business activities and processes it limited to the specified purposes.
5.6. Retaining for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They are Processed
Our company keeps personal data for the time required for the purpose for which they are processed and for the minimum period stipulated in the relevant legal legislation. In this context, our Company first determines whether a period is stipulated for the storage of personal data in the relevant legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner application and by the determined destruction methods (deletion and / or destruction and / or anonymization).
6.Categories of Processed Personal Data and Processing Purposes
The purposes of processing personal data and special quality data, which are processed in accordance with the provisions of the Law and the relevant legislation within the scope of the business activities carried out by our company, are listed below:
- Ensuring the business continuity of our company,
- Ensuring the security of our company’s premises,
- Carrying out information security processes of our company,
- Carrying out risk measurement processes of our company,
- Carrying out processes related to product and service procurement by our company,
- Presenting products and services by our company to the relevant persons and carrying out the related marketing processes,
- Carrying out human resources policies regarding the recruitment processes of our company,
8.Ensuring the commercial, legal and technical security of the parties that have a business relationship with our company
- Determining the strategies of our company,
- Management of the financial / accounting values of our company,
- Fulfilling the legal obligations of our company.
- Transfer of Personal Data
Our company is able to transfer personal data and special quality personal data to third parties by taking the necessary security measures in line with the regulations stipulated in the 8th and 9th articles of the Law and the principles and procedures stipulated in the secondary legislation.
Personal data may be transferred to third parties by our Company in accordance with the principles and procedures stipulated in the Law and secondary legislation, without the need for explicit consent of the data owners in the following cases:
- The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,
- The transfer of personal data by the Company is directly related and necessary with the establishment or performance of a contract,
3.Transfer of personal data is mandatory for our Company to fulfill its legal obligation,
4.Limited transfer of personal data by our Company for the purpose of publicization, provided that it is made public by the data owner,
- Transferring of personal data by the Company is mandatory for the establishment, for usage or protection of the rights of the Company or right of the data owner or rights of the third parties,
- Provided that it does not harm the fundamental rights and freedoms of the data owner, it is necessary to carry out personal data transfer activities for the legitimate interests of the Company,
- It is obligatory for the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, to protect himself/herself or someone else’s life or physical integrity.
In addition to the above-mentioned conditions, if the personal data is to be transferred abroad, the personal data will be transferred to the foreign countries that the Personal Data Protection Board (“Board”) declared to have sufficient protection or; in the case of inadequate protection, the personal data will be transferred to the foreign countries that have permission of Board or have adequate protection which is a commitment that written by the responsible data protection officers in Turkey and in related foreign country .
The table below includes the parties to whom personal data is transferred and the purposes of the transfer by our company.
TRANSFERED PARTY TRANSFER PURPOSE
Our company only shares personal data that is limited to the purpose of providing the service in question with the suppliers from whom it receives services in a number of issues within the scope of the execution of business activities.
In accordance with the provisions of the relevant legislation about legally Authorized Public Institutions and Private Institutions, Personal data are shared with the public institutions and organizations authorized to receive information and documents from our Company.
Personal data are shared with independent auditors working with the aim of performing the audits required by our legal obligations.
- Fulfilling the Disclosure Obligation
In accordance with the “Communiqué on the Principles and Procedures to be followed in Fulfilling the Obligation of Disclosure”, our Company, as data controller, fulfills the disclosure obligation in article 10 of the law by informing personal data owners about with whom their personal data is processed for what purposes, about with whom they are shared, about with what methods, and about the legal reason and about the rights data owners have within the scope of processing personal data of data subjects.
9.Storage and Disposal of Personal Data
Our company keeps personal data for the time required for the purpose for which they are processed and for the minimum period stipulated in the relevant legal legislation. In this context, our Company first determines whether a period is stipulated for the storage of personal data in the relevant legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data are stored for the time required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner application and by the determined destruction methods (deletion and / or destruction and / or anonymization).
- Personal Data Security
Our Company fulfills the obligation stipulated in article 12 of the Law to take the necessary measures according to the nature of the personal data in order to prevent the unlawful disclosure, access, transfer of personal data or security deficiencies that may occur in other ways. In this context, it takes administrative measures to ensure the required security level, gives trainings to employees on this subject, performs inspections or have them done.