Privacy Policy

Privacy and Personal Data Protection Principles

1. Purpose and Scope

These Privacy and Personal Data Protection Principles (hereinafter referred to as the “Principles”) set out the principles adopted by InfoSEC Information Technologies Joint Stock Company (hereinafter referred to as the “Company”) regarding the protection of personal data and aim to inform all relevant groups of persons within the scope of the Personal Data Protection Law No. 6698 (hereinafter referred to as the “KVKK No. 6698”).

2. Principles Regarding the Processing of Personal Data

As a company, we process your personal data in the capacity of Data Controller within the framework of the following principles.

2.1 Processing in Accordance with the Law and the Rule of Good Faith

In the processing of your personal data, we act in accordance with the principles brought by legal regulations and the general rule of trust and honesty. In accordance with this principle, we take into account your interests and reasonable expectations while trying to achieve our personal data processing purposes, do not abuse our rights and act in accordance with the principle of transparency in our data processing activities.

2.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

In line with this principle, which emphasizes the importance of the accuracy and up-to-dateness of personal data, periodic checks and updates are carried out to ensure that the processed data is accurate and up-to-date, taking into account your legitimate interests, and necessary measures are taken in this direction. In this context, systems for checking the accuracy of personal data and making necessary corrections are established within the Company. In addition, the accuracy of the sources from which personal data is collected is checked and requests arising from the inaccuracy of personal data are taken into consideration. Therefore, this principle is applied in accordance with the right to request the correction of your personal data in accordance with the KVKK No. 6698.

2.3 Processing for Specific, Explicit, and Legitimate Purposes

Your personal data is processed based on explicit, specific and legitimate data processing purposes. In this context, we ensure that our personal data processing activities are clearly understandable by the relevant persons, and we determine and clearly state the purposes and the legal processing conditions on which they are based in Article 3 of these Principles.

2.4 Being Relevant, Limited and Proportionate to the Purpose for which they are Processed

Your personal data is processed in a measured, purpose-related and limited manner in order to achieve the envisaged purpose(s), and the processing of personal data that is not related to the realization of the purpose or is not needed is avoided. Likewise, within the scope of this principle, personal data is not collected or processed for purposes that do not yet exist and are merely envisaged to be realized later.

2.5 Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

Your personal data is kept only for the period stipulated in the relevant legislation or required for the purpose for which it is processed. In this regard, the Company takes and implements the relevant administrative and technical measures. In this context, it is first determined whether the relevant legislation stipulates a period for the storage of personal data. If a period is stipulated, this period is complied with; if not, personal data is stored for the period required for the purpose for which it is processed. In the event that the necessity of the relevant processes disappears, access to your personal data by unrelated departments is prevented within the scope of the deletion action specified in the KVKK No. 6698. In the event that the period expires or the reasons requiring its processing disappear, your personal data is destroyed or anonymized in accordance with the legislation on the protection of personal data, unless there is a legal reason that allows it to be processed for a longer period of time.

3. Conditions for Processing Personal Data

Your personal data and sensitive personal data within the scope of the KVKK No. 6698 can be processed within the framework of the conditions stipulated below.

3.1 Explicitly Stipulated in the Laws

The basic rule is that personal data cannot be processed without the explicit consent of the persons concerned. As an exception to this rule, your personal data may be processed in cases where the laws clearly stipulate the processing of personal data.

3.2 Failure to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility

Your personal data may be processed if it is necessary to process personal data in order to protect the life or physical integrity of the person concerned or of another person, where the person concerned is unable to disclose their consent due to actual impossibility or their consent cannot be validated.

3.3 Being Directly Related to the Establishment or Performance of the Contract

Provided that it is directly related to the establishment or performance of the contract, your personal data may be processed if it is necessary to process the personal data of the parties to the contract.

3.4 Fulfillment of the Company's Legal Obligation

Your personal data may be processed if processing is mandatory in order to fulfill the legislation, contract and similar legal obligations to which the Company is bound and responsible.

3.5 Publicization of Personal Data

If your personal data has been made public by you, that is, if it has been shared with the public by you, it may be processed in connection with the purpose of publicization and in a measured manner.

3.6 Data Processing is Mandatory for the Establishment or Protection of a Right

Your personal data may be processed if data processing is mandatory for the establishment, exercise or protection of the said right within the scope of the execution and management of the processes related to the legal and commercial rights of the Company.

3.7 Processing of Data Based on Legitimate Interest

Your personal data may be processed if data processing is necessary for the legitimate interests of the Company. Where the Company needs to process data on the basis of this processing condition, it carries out an evaluation that takes into account your fundamental rights and freedoms and makes a decision according to the result of that evaluation.

3.8 Processing Based on Explicit Consent

Although the processing of personal data based on explicit consent is the main rule, in the presence of other conditions specified in this article, the explicit consent of the relevant persons is not relied upon. Otherwise, this may be regarded as an abuse of right. In this context, your personal data is processed based on your explicit consent, unless it is processed based on any of the conditions specified in these Principles.

3.9 Processing of Sensitive Personal Data

In accordance with Article 6 of the KVKK No. 6698, we process your sensitive personal data on the condition that you have given your explicit consent, that the processing is clearly stipulated in the laws, that it relates to personal data made public by the person concerned and is in accordance with their will to make it public, that it is mandatory for the establishment, exercise or protection of a right, that it is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance.

4. Transfer of Personal Data

Within the scope of Article 2 of these Principles, your personal and sensitive data can be transferred to our domestic business partners, public institutions and organizations and the like, or to our business partners abroad. While carrying out these transfers, compliance with Articles 8 and 9 of the KVKK No. 6698 is observed. If necessary, your explicit consent is obtained and the transfer is provided within this framework.

5. Security of Personal Data

In order to ensure the security of personal data and to prevent unlawful processing, the Company takes all reasonable administrative and technical measures to prevent unauthorized access risks, accidental data loss, deliberate deletion of data or damage to data.

All reasonable technical and physical measures are taken to prevent access to personal data by anyone other than the persons authorized to access it. In this context, the authorization system is designed in such a way that it is not possible for individuals and systems to access more personal data than necessary.

The Company carries out the necessary audits, and has them carried out, within its own institution or organization in order to ensure the implementation of the provisions of the KVKK No. 6698.

The measures taken are as follows.

  • Network security and application security are ensured.
  • A closed system network is used for personal data transfers via the network.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • The security of personal data stored in the cloud is ensured.
  • There are disciplinary regulations with data security provisions for employees.
  • Training and awareness activities are carried out at regular intervals on data security for employees.
  • An authorization matrix has been created for employees.
  • Access logs are kept regularly.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • When necessary, data masking measures are applied.
  • Confidentiality commitments are made.
  • The authorizations in this area of employees who change jobs or leave their job are revoked.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • The signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • The security of environments containing personal data is ensured.
  • Personal data is reduced as much as possible.
  • Personal data is backed up and the security of the backed-up personal data is also ensured.
  • A user account management and authorization control system is implemented, and it is also followed up.
  • Periodic and/or random in-house audits are carried out and commissioned.
  • Log records are kept in such a way that there is no user intervention.
  • Existing risks and threats have been identified.

6. Rights of the Relevant Person, Application Procedures and Principles

As a data subject, if you have a request regarding your rights in Article 11 of Law No. 6698 and, if you are a citizen of the European Union, within the scope of GDPR, you can submit to us your requests regarding your rights to withdraw your explicit consent, to receive information about your data and to access your data, to correct, delete or limit the processing of your personal data in certain cases, to data portability under certain conditions, to object to the processing of your personal data, and similar rights. You can do so by filling out the Application Form on the Protection of Personal Data, which you can obtain from our website, or with an application that meets the minimum conditions set by the Communiqué on the Procedures and Principles of Application to the Data Controller, by the following methods. As the Company, we will finalize your application free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Company. If, following your application to us, your application is rejected, the response is insufficient or the application is not answered in due time, you can inform us, and you as a data subject have the right to apply to the competent data protection authority in your country within thirty days from the date on which you learn of our response and in any case within sixty days from the date on which you duly submit your application.