UNDER THEPERSONAL DATA PROTECTION LAW, NO 6698PROTECTIONOF PERSONAL DATA AND PRIVACY POLICY
REA Consultancy Ltd. (REA/ “Company”) occasionally records and processes the data which is considered“personal” when the Company website is visited or in any written or electronic medium; within the scope of the Law on the Personal Data Protection No. 6698(“KVKK”).
Therefore, we would like to inform you about how and for whatpurposes our Company, which has the title of 'Data Controller,' processes suchpersonal data under KVKK and relevant legislation, and what technical andadministrative measures it takes to protect the personal data.
Our Personal Data Processing Principles
The personal data isprocessed considering the following principles:
· Compliance with the law andhonesty rules.
· Being accurate and up to datewhen necessary.
· Processing for specific,explicit, and legitimate purposes.
· Being relevant, limited, andrestrained for the purpose for which they are processed.
· To be kept for the periodrequired by the relevant legislation or for the purpose for which they areprocessed.
Obligation to Inform
Article 10 of the KVKK imposes the Data Controllers the obligation to inform and requests that therelevant persons be informed while obtaining the consent of them. At the timewhen personal data are obtained, the Data Controller or the person authorizedby it is obliged to inform the Data Subjects about the following:
· The identity of the DataController and its representative, if any,
· The purpose of processingpersonal data,
· To whom and for which purposesthe processed personal data may be transferred,
· The method and legal basis of thecollection of personal data,
· The Data Subject should beinformed about the other rights referred to in Article 11 of the KVKK.With this text, as Rea Consultancy Ltd. Sti. we inform all our visitors about the processing andprotection of personal data under the provision of Article 10 of the KVKK.
Identityof the Data Controller:
Clause 1 (i) of Article 3of the KVKK defines the Data Controller as “the natural or legal person whodetermines the purposes and means of processing personal data and isresponsible for the establishment and management of the data filing system” and within this framework, the Company carries the title of Data Controller.
Data Controller: REA Consultancy Ltd. Şti.
Aziziye Mah. Cinnah Cad. KırkpınarSok. 5/106690 Çankaya, Ankara, TÜRKİYE
Phone: +90 312 382 56 06
E-Mail: rea@consultancy.com
Processing of Personal Data and its Purposes:
REA Consultancy Ltd. Şti. only processes the personal data with explicit consent or in the presence of one ofthe following conditions:
· Explicitly stipulated inthe law.
· Being obligatory for theprotection of life or bodily integrity of himself or another person, who isunable to express his consent due to actual impossibility or whose consent isnot given legal validity.
· The necessity to process thepersonal data of the parties to the contract, if it is directly related to theestablishment or performance of a contract.
· Mandatory for the Data Controllerto fulfill its legal obligation.
· Being publicized by the personconcerned.
· Mandatory data processing for theestablishment, exercise or protection of a right.
The collected Personal Data is processed for the following purposes:
· Execution of obligations arisingfrom laws,
· Fulfilling legal obligations,
· Execution of Company activitiesand procedures,
· The necessity to process data forthe legitimate interests of the Data Controller if it does not harm thefundamental rights and freedoms of the Data Subject,
· Execution of human resourcesprocesses and policies,
· Creation of workplace personnelfiles and execution of business processes,
· Execution of job and internshipapplication and evaluation processes,
· Fulfillment of obligationsarising from employment contracts and legislation for employees,
· Ensuring occupational health andsafety,
· Establishment and performance ofthe contractual relationship,
· Carrying out financial andaccounting transactions,
· Conducting internal auditprocesses,
· Planning and monitoring of theworks carried out with the project/business partners, consortium members,sub-contractors,
· Ensuring business continuity,
· Determination and implementationof commercial and business strategies,
· Listing, reporting, verifying,and analyzing projects, producing statistical and scientific information, anddeveloping products and services accordingly,
· Ensuring legal and commercialsecurity,
· Follow-up and execution of legalprocesses and communication processes with official institutions,
· Fulfillment of information anddocument requests requested by judicial bodies and/or administrativeauthorities,
· Fulfillment of notificationobligation to relevant/authorized public institutions,
· Conducting training activities,
· Execution of physical securityprocesses,
· Planning information securityprocesses, establishing, and managing the infrastructure of informationtechnologies, taking all necessary technical and administrative measures forsystems and applications,
· Risk management,
· Execution and management ofpublic order and health protection services,
· Obligation to establish, use orprotect the rights.Following the aboveprinciples, the personal data is processed in cases where recruitment, performance evaluation, and exit interviews are carried out within the scope ofplanning and execution of the Company’s Human Resources processes, as well asduring the fulfillment of legal obligations such as creating and keeping thepersonnel file. Under Occupational Health and Safety Law No 6331 and therelevant legislation, the data is also processed to take the necessary securitymeasures in terms of KVKK and other laws within the Company and to carry outour other intra-Company operational activities.
Lastly, the data is processedfor determining the Company's commercial and project/business strategies andevaluating and resolving the requests and complaints within the measure andtime required by the relevant purposes.
Within the scope of Article 6 of the KVKK, data related to race, ethnicity, political thought,philosophical belief, religion, sect or other belief, costume, and dress,membership of associations, foundations or trade unions, health, sexual life,criminal convictions, and security measures, which are deemed to be special,biometric and genetic data, can only be processed with seeking explicitconsent.
Personal data other than health and sexual life may be processed without seeking the explicit consent of the person concerned, in casesstipulated by the laws.
To Whom and for What Purpose Processed Personal Data can be Transferred
The personal data processed by the principles and provisions of the KVKK; can only be shared inline with the above-mentioned purposes, proportionately and, if necessary, by ensuring that all necessary technical and administrative measures are taken toensure the appropriate level of security per the KVKK and relevant legislation,and within the framework of the conditions specified in Articles 8 and 9 of theKVKK, accompanied by the necessary confidentiality agreements.
· Company Officials and CompanyPartners,
· Persons/Institutions and/orOrganizations Allowed by Other Related Legislation Provisions,
· Private Insurance Companies,Banks, Travel Agencies and Accommodations, Funds, Foundations, Associations, Unions,
· Lawyers for the Pursuit of LegalAffairs,
· Financial Advisors for the Execution of Finance and Accounting Transactions,
· Companies to receive DigitalHuman Resources Services from,
· The consortium, Project Partners, and Beneficiary Organizations,
· Solution Partners,
· Auditors,
· Consultants,
· Other Legal Entities, Private and Official Institutions, and Organizations Required by the Project, Business, and Operation (Central Procurement and Finance Unit and EU Delegation and Ministries related to Projects, experts authorized with the project on behalf of the Ministry, etc.) Under Article 8 of the KVKK, personal data shall not be transferred without explicit consent of the Data Subject or may be transferred without seeking explicit consent of the Data Subject upon the existence of one of the conditions mentioned in the article titled ‘Processing of Personal Data and its Purposes’ above. Under Article 9 of the KVKK, for the transfer of personal data abroad, in addition to the above, adequate protection shall be provided in the foreign country where the personaldata will be transferred, and the countries with adequate protection will be determined and announced by the Personal Data Protection Board.
Personal Data Protection
All necessary technicaland administrative measures are taken by us to protect the personal datacollected and processed by our Company, not to fall into the hands of unauthorized persons, and to prevent the real and legal persons with whom we cooperate. It is ensured that the software we use in our activities complies with the standards, the third parties we work with are carefully selected, our employees receive training in this regard, and the Policy on the Processing and Protection of Personal Data and the Policy on Deletion, Destruction, andAnonymization of Personal Data is complied with.
Storage and Deletion of Data: According to the legislation, the relevant personal data must be kept for certain periods. Therefore, it is the Company's responsibility to keep personal data under the legislation and for the required time. These retention periods are defined indetail based on data in the prepared personal data inventory. Personal data isretained for the period stipulated in the legislation or required for its purpose. The data is stored physically or electronically. Necessary security measures have been taken for the storage and preservation of data and a secure environment has been provided by the Company. Personal data whose retention period has expired are destroyed in six (6) month periods. (delete/destroy/anonymize)
Rights of the Data Subject
Article 11 of the KVKK regulates certain rights for each natural person whose personal data isprocessed and requires that these rights be notified to the Data Subject within the scope of the disclosure obligation imposed on the Data Controller. Each person has the right to request the Data Controller about him/her;
· To learn whether his/her data areprocessed or not,
· To demand information as to if his/her data have been processed,
· To learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
· To know the third parties to whom his data are transferred in the country or abroad,
· To request the rectification ofthe incomplete or inaccurate data, if any,
· To request the erasure ordestruction of his/her data under the conditions referred to in the KVKKlegislation,
· To request reporting of theoperations carried out according to incomplete or inaccurate data to third parties to whom his/her data have been transferred,
· To object to the occurrence of aresult against the person himself/herself by analyzing the data processed solely through automated systems,
· To claim compensation for the damage arising from the unlawful processing of his/her personal data.
Rights of Relevant Persons within the Framework of Article 11 of KVKK No. 6698: Requests can be made regarding the use of these rights in the form of the following:
· Written Application,
· Personal Application to the Company.
The written application can be prepared by;
· Filling out the “Personal DataApplication and Response Form” on our website
· Writing a petition following theprocedure.
Applications can be handed to the Company or;
· Mail your written application tothe Company’s “rea@consultancy.com” e-mail address,
· Ship to the Company’s address byregistered mail with a return receipt.
The following information must be specifiedin all applications:
· Name, surname, and signature ifthe application is written,
· For citizens of the Republic of Türkiye, national identity number; for foreigners, passport number oridentification number, if any,
· Domicile or workplace address fornotification,
· If available, the e-mail address,phone, and fax number for notification,
· The subject of the demand.In personal applications, it is obligatory togive the above-mentioned information to the relevant Company representative.
An application that does not contain the above information will not be considered valid.The subject you requestwill be related to yourself, If acting on behalf ofsomeone else, special authorization for the person will be needed along with anauthoritative document. Depending on the nature of the request, it will be finalized as soon as possible or within thirty (30) days at the latest free of charge according to the conditions in the fee schedule to be determined by the KVKK Board. In case the application isrejected, the response is found insufficient, or the application is notanswered in due time, under Article 14 of the Personal Data Protection Law 6698; a complaint can be filled to the Board within thirty (30) days from thedate of the answer or in any case within sixty (60) days from the date of application with the approval of the person.
Under Article 28/2 of KVKK 6698; excluding the right to claim compensation, claiming the rights mentionedabove shall not be applied to the Data Subjects in the following cases wherepersonal data processing:
· Necessary for the prevention ofcommitting a crime or for crime investigation.
· Carried out on the data which aremade public by the Data Subject himself/herself,
· Necessary for the performance ofsupervision or regulatory duties and disciplinary investigation and prosecutionto be carried out by the assigned and authorized public institutions andorganizations and by public professional organizations, following the powerconferred on them by the law,
· Necessary for the protection ofthe economic and financial interests of the State related to budget, tax, and financial matters.
OTHER CONSIDERATIONS
In the processes within the scope of the Information Text on the Protection and Processing of Personal Data, the relevant legal regulations in force on the processing and protection of personal data will be applied with priority. To adapt to the changing conditions and legislation, changes and updates can be made in the Information Text and can be presented to the relevant people via the above-written website.