Türkiye Muhasebe Kongresi
Etkinlik sertifikanızı almak için aşağıdaki kutucuğa bilgilerinizi giriniz. (To receive your event certificate, please enter your information in the box below.)
PERSONAL DATA PROCESSING, STORAGE AND DESTRUCTION POLICY
VALOR TURIZM KONGRE ORGANIZASYONLARI TIC. LTD. STI
PERSONAL DATA PROCESSING, STORAGE AND DESTRUCTION POLICY
Document Name:
VALOR TURIZM KONGRE ORGANIZASYONLARI TIC. LTD. STI
PERSONAL DATA PROCESSING, STORAGE AND DESTRUCTION POLICY
Approved By:
BOARD OF DIRECTORS OF VALOR TURIZM KONGRE ORGANIZASYONLARI TIC. LTD. STI
Version:
1.0 (English)
Effective Date:
30.06.2020
TABLE OF CONTENTS
a..... Owners of Personal Data
b..... Categories of Personal Data
IV....... PROCESSING OF PERSONAL DATA
a..... Personal Data is Processed Pursuant to the Principles Foreseen in the Legislation
i...... Compliance with Laws and Good Faith
ii..... Ensuring the Personal Data to be Correct and up to Date when Necessary
iii....... To Process with Specific, Explicit and Legitimate Causes
iv.... To be Related, Limited and Restrained with the Processing Purpose
b..... Conditions of Processing Personal Data
i...... The Personal Data Owner's Explicit Consent
ii..... To be Foreseen Clearly in the Legislation
iii....... Inability to Obtain the Explicit Consent due to Actual Impossibility
iv.... To be connected to the contract or to be directly connected to the execution
v..... To Perform the Company's legal Obligations
vi.... Release of Personal Data by the Personal Data Owner
vii....... It is Mandatory to Process Personal Data to Establish or Protect a Right
viii...... Processing Personal Data should be Mandatory for the Company's Legitimate Interest
V.... PROCESSING PERSONAL DATA OF PRIVATE NATURE
VI....... TO PERFORM THE OBLIGATION OF CLARIFICATION TOWARDS THE PERSONAL DATA OWNER
VII...... SPECIAL CONDITIONS ON WHICH PERSONAL DATA IS PROCESSED
VIII..... PURPOSE FOR PROCESSING PERSONAL DATA AND PERSONAL DATA OF PRIVATE NATURE
IX....... TRANSFER OF PERSONAL DATA
a..... People whom Personal Data can be Transferred
b..... Conditions to Transfer Personal Data
c..... ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR PERSONAL DATA SECURITY
X..... STORAGE AND DESTRUCTION OF YOUR PERSONAL DATA
XI....... YOUR RIGHTS AND REQUESTS
Pursuant to Act on Protection of Personal Data numbered 6698 (APPD) which entered into effect on 07.04.2016, all information pertaining to the identified or identifiable real person is defined as personal data and necessary steps for protection of personal data and legal processing have to be taken.
Lawful processing and protection of personal data, as well as ensuring full compliance with the Act on Protection of Personal Data numbered 6698 (APPD) are among our priorities as Valor Turizm Kongre Organizasyonlari Tic. Ltd. Sti. (The Company).
All activities of the Company, regardless of whether it pertains to the processing of personal data, are performed in full awareness of the Company responsibilities against our customers, but at the same time, the Company and the Customers as a whole need to comply with the Personal Data Processing, Storage and Destruction Policy of Company, and to show due care.
This Policy has been drawn up for informing our customers on the Company's personal data processing activities and to carry out our clarification obligation. The Company Policy, is drawn up to embody and to transparently share the rules regulated by the legislation in the frame of Company practices.
This Policy pertains to personal data that are processed automatically or partially automatic or processed manually with the condition of being a part of recording system.
Subject personal data owners are stated below in the table.
Personal Data Owners |
Explanation |
Employees, Interns |
Besides our personnel that currently have an employment relationship between the Company; personal data that is processed/stored pertains to our former employees; interns which have worked in our company to gain experience or interns which are continuing their internship |
Employee candidates, Intern Candidates
|
Real persons whom have applied and submitted their curriculum vitae and other relevant information to the Company's examination for a job/internship for employment or to gain experience |
Shareholder Authorities which are in cooperation (See Suppliers) |
Real persons; employees, shareholders and the authorities of associates and institutions as suppliers (including without limitation) which are in any kind of business relationship with the company. |
Customers |
Real persons whom their personal data have been acquired due to purchasing product or service from the company |
Participants |
Real persons who have attended to activities, conferences, online educations organized by the company |
Company Shareholder |
Real person who is a shareholder |
Company Authority |
Company's board of directors and other Authorized Real persons |
Suppliers |
Legal persons whom are the authorized official or shareholder of the party which provides service to the company; in accordance with the company's instructions; while the Company conducts its activity. |
Third Party |
Real persons who are not included in the categories of employee, former employee, supplier, customer, visitor categories |
Visitors |
Real persons who physically visit the company or the company's workplaces for various purposes or people who visit the company's websites |
Data categories processed in the scope of the company's actions the data categories which are processed are stated below in the table, and also has been declared on VERBIS.
Identity |
Name surname, Mother - Father name, Mother's maiden name, date of birth, place of birth, marital status, identity card item serial no, TR identity number and etc. |
Communication |
Address no, E-mail address, Communication address, registered e-mail address, telephone no and etc. |
Location |
Location Information |
Personnel Register |
Payroll information, disciplinary proceedings, statement of employment records, declaration of property information, curriculum vitae, performance evaluation reports and etc. |
Legal Proceedings |
Information on correspondence with judicial authorities, information in case files and etc. |
Customer Transaction |
Call center records, receipt, bill, cheque information, counter receipt information, order information, demand information and etc. |
Physical Place Security |
Employee and visitors entrance and exit record information, camera records and etc. |
Process Security |
IP address information, Website entrance and exit information, code and password information and etc. |
Risk Management |
Data processed to manage commercial, technic, administrative risks and etc. |
Finance |
Balance sheets information, financial performance information, credit and risk information, property holding information and etc. |
Professional Experience |
Diploma information, Courses attended, vocational retraining information Certificates, transcript information and etc |
Marketing |
Shopping past information, survey, cookie records, information obtained by a campaign study |
Association Membership |
Association Membership information |
Medical Records |
Health report, Ä°ncapacity to work report, information regarding disability situation, blood type, personal health information, used device and prosthesis information |
Criminal Conviction and security measures |
Information on convictions, information on security measures and etc. |
For further information on obtaining processed data and processing purposes may be acquired on; VERBÄ°S or Valor Turizm Konge Organizasyonlari Tic. Ltd. Sti. clarification text for customers and participants in terms of protection and processing of personal data, Website Visitor clarification text and employee clarification text.
This policy can be updated in order to comply with the changes in the legislation or the conditions and to accurately reflect the implementations on protection and processing of personal data.
The policy is published in our website; it is available for access of personal data owners in line with their demands and complaints.
IV. PROCESSING OF PERSONAL DATA
a. Personal Data is Processed Pursuant to the Principles Foreseen in the Legislation
i. Compliance with laws and good faith
ii. Ensuring the Personal Data to be Correct and up to Date when Necessary
iii. To process with specific, explicit and legitimate causes
iv. To be related, limited and restrained with process purpose
v. Storage Throughout the Time Foreseen in the Relevant Legislation or the Purpose of the Process
b. Conditions of Processing Personal Data
i. The personal data owner's explicit consent
ii. To be foreseen clearly in the legislation
iii. Inability to Obtain the Explicit Consent due to Actual Impossibility
iv. To be Connected to the Contract or to be Directly Connected to the Performance
v. To Perform the Company's Legal Obligations
vi. Release of Personal Data by the Personal Data Owner
vii. It is Mandatory to Process Personal Data to Establish or Protect a Right
viii. Processing Personal Data Should be Mandatory for the Company's Legitimate Interest
V. PROCESSING OF PERSONAL DATA OF PRIVATE NATURE
Personal data of private nature is defined as; data on race, ethnic origin, political opinion, philosophical belief, religion, sect, clothing, association membership, foundation membership, union membership, health, sexual life, criminal conviction - security measures, biometric and genetic data.
Our Company does not process personal data of private nature unless it is required by the legal obligation or nature of the work or security. In some situations, within the scope of the organizations held by the associations, for their members, association membership data can be processed in line with the legislation.
The company, as per the principles within this policy and including the procedures determined by the committee, by taking all kinds of administrative and technical precautions if the conditions stated below is present the company may process personal data of private nature:
(a) Personal data of private nature, except for health and sexual life, may be processed if it is clearly foreseen in the legislation without the data owner's explicit consent. If it is not clearly foreseen in the legislation, to process personal data of private nature, the personal data owner's explicit consent must be received.
Personal data of private nature regarding health and sexual life, may be processed by people who are under confidentiality obligation or by the authorized body or institution under the purpose to protect public health, preventive medicine, to run medical diagnosis, treatment and care services, medical services and financial planning and managing. Otherwise, to process relevant personal data of private nature the personal data owner's explicit consent must be received. Personal data of private nature that needs to be processed; as per the applicable law and Company Policy; can be processed in line with legal persons or institutions legal person authorities explicit consent and limited with the purpose of processing.
VI. TO PERFORM THE OBLIGATION OF CLARIFICATION TOWARDS THE PERSONAL DATA OWNER
VII. SPECIAL CONDITIONS THAT PERSONAL DATA IS PROCESSED
VIII. PURPOSE FOR PROCESSING PERSONAL DATA AND PERSONAL DATA OF PRIVATE NATURE
The main purposes of processing personal data for categories listed above, are as follows.
- To plan and manage the company's human resources process
- To plan and execute the Company's commercial and/or work strategies
- To undertake the Company's development activities and to strengthen corporate identity
- To preserve the trust gained by the Company's commercial reputation
- To plan and execute the Company's administration and supervision activities
Personal data, for the stated purposes, by observing the rights and freedoms; in line with the Company's legitimate interests; being limited and proportionate, with the related purposes; is processed in electronic and physical environments in writing, with automatic or manual procedures.
- To create visitor records and track
- To conduct management actions
- To conduct investment processes
- To conduct Product/Service marketing processes
- To conduct supply chain management
- To procure movable property and resource safety
- To procure the safety of data controller's operations
- To follow-up on demands/complaints
- To conduct strategic planning actions
- To conduct social responsibility and civil society activities
- To conduct storing and archive activities
- To conduct risk management processes
- To conduct product/service production and operation processes
- To conduct product/service sales processes
- To conduct product/service after sales processes
- To conduct product/service purchase processes
- To conduct logistic activities
- To conduct Company/Product/Service commitment processes
- To ensure physical place safety
- To conduct emergency management processes
- To conduct assignment processes
- To conduct actions compliant with the legislation
- To conduct information assurance processes
- To inform authorized person, institutions, and organizations
- To conduct capability / carrier development action processes
- Foreign employee work and residence permit proceedings
- To conduct contract processes
- To conduct performance evaluation processes
- Organization and event management
- To conduct occupational health safety action processes
- To receive and evaluate advice regarding the enhancement of business processes
- To conduct/supervise business operation
- To conduct business continuity ensuring processes
- To conduct human resources processes
- To conduct communication activities
- To conduct internal audit/investigation/intelligence activities
- To follow and process legal affairs
- To conduct Finance and Accounting operations
- To conduct educational activities
- To conduct supervision/ethical activities
- To conduct the additional benefits and interests processes for the employees
- To conduct employee satisfaction and commitment activities
- To conduct employee applicant application processes
- To conduct employee applicant / intern / student selection and placement processes
- To conduct Advertisement / Campaign / Promotion processes
- To conduct sponsorship activities
a. People to whom Personal Data can be Transferred
Limited to perform the purpose of establishing the partnership |
||
Limited to the legal persons purpose demanded within their legal authority |
b. Conditions to Transfer of Personal Data
Personal data may be transferred based on the explicit consent of the data subject.
· The relevant activity regarding the transfer of personal data is clearly foreseen in the law,
· The transfer of personal data is mandatory for the Company to fulfil its legal obligations,
As a result of the direct instructions of the data subject and sharing the relevant data, personal data obtained for organization of the relevant event and the travel arrangements, the personal data can be transferred to service providers in country and abroad, in order to manage the travel organization in country or abroad.
Relevant personal data can also be stored in secure servers located around the world, because of the software and operating systems used, including the Company's corporate accounts.
Third persons to which personal data can be transferred, can process your personal data, unless otherwise is foreseen by the applicable legislation; and in relation and limitation with the share/transfer purpose. In such case, these persons are obliged to ensure protection of the personal data they obtained within the body of the contractual relation they entered into with the Company.
The personal data of the customers can also be shared with the official institutions, organizations, and judicial authorities, in order for us to carry out our legal responsibilities and obligations.
c. Conditions for the Transfer of Personal Data of Private Nature
(i) Personal data of private nature other than health and sexual life , may be transferred without the explicit consent of the data owner, provided that it is expressly stipulated in the law. Otherwise, the explicit consent of the data owner will be obtained.
(ii) Personal data of private nature regarding health and sexual life , for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without the explicit consent of persons or authorized institutions and organizations under the obligation of keeping confidentiality can be processed and transferred to these persons. Otherwise, the explicit consent of the data owner will be obtained.
X. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR PERSONAL DATA SECURITY
The company takes all necessary administrative and technical measures, in line with the applicable legislation, in order to prevent the personal data to be seized by unauthorized persons, faulty processing against the law, exposure, change, prevention of deletion, ensuring storage and security; and the measures taken are shown in VERBIS.
XI. STORAGE AND DESTRUCTION OF YOUR PERSONAL DATA
The Company, for the period necessary for the purpose for which personal data is processed; It preserves it for the minimum periods stipulated in the legislation to which the relevant activity is subject.
Personal data obtained within the scope of the online organizations, are stored for the periods stated in VERBIS for the relevant category.
Physical security of premises records are stored for 1 month maximum, depending on the technology used and storage capacity.
The personal data within the body of the Company, can be stored
Electronically, in company computers, phones and tablets, portable memories (CD, DVD, USB, External harddrive), corporate e-mail accounts, secure electronic systems of the Company, data base and information security systems, and servers located abroad; which can be accessed by the authorized persons as appropriate in proportion with the nature of the activity performed,
Physically, in the locked cabinets located within the center of the company, that can be accessed by the authorized persons and relevant units such as accounting and finance, congress.
The company determines the period stipulated for the storage of personal data in the relevant legislation and acts in accordance with the determined period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed.
In the event that the period stipulated in the legal regulation regarding each personal data category, or the period required for the purpose for which the personal data is processed expires; Personal data is deleted or destroyed from the relevant electronic or physical media in accordance with the legislation. Anonymization may also be applied to the extent appropriate in accordance with the legislation.
While deleting personal data The company follows the steps below.
The personal data subject to deletion is determined.
Access authorities are determined for each personal data.
The scope of authority of the access authorities is determined.
While the personal data is destroyed, all copies of the data are detected. The method of destruction is determined according to the type of systems in which the data is located. The available methods are as follows:
You have the right to apply to the Company, in its capacity as Data Controller, pursuant to Article 11 of the Act, and to
Learn whether or not your personal data have been processed,
Request information as to processing if your data have been processed,
Learn the purpose of processing of the personal data and whether data are used in accordance with its purpose,
Know the third parties in the country or abroad to whom your personal data have been transferred,
Request rectification in case personal data is processed incompletely or inaccurately,
Request deletion or destruction of personal data within the framework of the conditions set forth under Article 7 of the APPD,
Request notification of the operations such as deletion or destruction or incomplete or faulty processing, made under Article 7 of the APPD, to third parties to whom your personal data have been transferred,
Object to occurrence of any result that is to your detriment by means of analysis of personal data exclusively through automated systems,
Request compensation for the damages in case you incur damages due to unlawful processing of personal data.
Within the scope of Article 11 of the Act, by indicating your name-surname, ID no, address, telephone and e-mail you can forward your relevant requests, in accordance with Circular on The Procedure and Principle of Application to the Data Controller in writing to
- VALOR TURIZM KONGRE ORGANIZASYONLARI TIC. LTD. STI, in person, or through regular mail,
- To the e-mail address of [email protected] via electronic mail.
The information applications and requests conveyed to the Company, are resulted in 30 days at the latest, pursuant to Article 13 of the Act, in consideration of the nature of the request; in the event of rejection, the notification shall indicate the grounds.
The costs of such application, if any, may be charged, pursuant to the official tariff determined by the Personal Data Protection Board.
VALOR TURIZM KONGRE ORGANIZASYONLARI TIC. LTD. STI