INVEON BİLGİ TEKNOLOJİLERİ DANIŞMANLIK VE TİCARET ANONİM ŞİRKETİ
PERSONAL DATA PROTECTION AND PROCESSING POLICY
We, as INVEON BİLGİ TEKNOLOJİLERİ DANIŞMANLIK VE TİCARET ANONİM ŞİRKETİ (“INVEON”) care about the protection of your personal data.
In this respect, INVEON; for the purpose of fulfilling the disclosure requirement (obligation to inform) that arises from article 10 of the law on the Protection of Personal Data No. 6698 (“KVKK”) proposes the following statements on the processing of personal data for the advertence of all those who use our website including you valuable clients, potential clients, our employees, our employee applicants, for our suppliers, business partners, the employees and administrators of the businesses we -collaborate with.
With this understanding, we shall execute all processes of data processing, protecting and transferring of, starting with, but not limited to, personal data of our suppliers, our business partners, our clients, our potential clients, our employees, our employee applicants, administrators or the administrators and employees of businesses we collaborate with and all users who use our website, gained during the process of a service required by law accordingly to the INVEON Personal Data Protection and Processing Policy (“Policy”).
PERSONAL DATA: Any information relating to an identified or identifiable natural person. (A particular person’s identity, address, e-mail, education, the status of employment, permanent address, etc.)
SPECIAL CATEGORIES OF PERSONAL DATA: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of an association, foundation or trade-union, health, sexual life, criminal conviction, and security measures, and biometrics and genetics are special categories of personal data.
EXPLICIT CONSENT: Freely given specific and informed consent on a particular topic.
BUSINESS PARTNERS: Parties with whom our company partners with
PROCESSING OF PERSONAL DATA: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use.
DATA SUBJECT: The natural person whose personal data is processed.
DATA CONTROLLER: Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the filing system.
DATA PROCESSOR: Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller.
APPLICANT: Natural person who filed a job or internship application to our company by any means or allow resume and related information to be inspected by our company.
SUPPLIER: Parties who provide service to our company agreeable with our company’s orders and instructions in the scope of the agreement.
ANONYMIZATION: Rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data.
Principles of Personal Data Processing
Pursuant to article 4 of KVKK, INVEON being in the position of the data controller, acts in such means in the processing of personal data:
Lawfulness and conformity with rules of bona fides:
Conforming to law and rules of bona fides addresses the obligation of acting according to principles of law and other legal regulations on the processing of personal data. In trying to reach the goals of data processing, the data controller, as per rules of bona fides, shall take related persons’ interests and reasonable expectations into consideration.
INVEON acts according to rules of bona fides and principles provided by the law and other legal regulations in the processing of personal data.
Accuracy and being up to date, where necessary:
In order to provide accurate and up-to-date personal data; sources of the personal data should be stated, the accuracy of the source should be tested, requests that may arise due to inaccurate personal data should be taken into consideration and necessary measures should be taken in this context.
INVEON, always take measures in order to provide the accuracy and up-to-datedness of data subject’s information.
Processing for specific, explicit and legitimate purposes:
Personal data processed by INVEON are related to and necessary for its business or provided services. In this respect, INVEON places importance on compliance with the principle of specificity and explicitness in the Statement of Disclosure Requirement where purposes of personal data processing are explained.
Personal data being relevant, limited to and proportionate to the purposes for which they are processed:
Data being proportionate to the purposes for which they are processed requires the avoidance of processing personal data that is not relevant and not needed for the purposes. In this respect, INVEON provides adequate data for the purposes and avoids processing data that is not needed for the purpose.
Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed:
According to the “being limited to purpose” principle of personal data, data should be retained for a period of time in accordance with the purpose for which they are processed. In this respect, if there is a stipulated period of time by relevant legislation INVEON complies with it. If there is no such stipulated period of time data is retained for the period that is needed for the purpose. In case of both exceeding the period of time stipulated in relevant legislation which INVEON is liable to due to legal obligations, and exceeding the period of time needed for the purpose, persona data is deleted, destroyed or anonymized by INVEON pursuant to Regulations on Deletion, Destruction, and Anonymization of Personal Data.
Hereby our Policy is indispensable to perpetuate our company’s pursuance.
Collection, Processing and Purpose of Processing of Personal Data:
Your personal data is collected by, apart from possible changes related to services provided by INVEON and commercial activities of INVEON, bodies of INVEON, the website, social media, client meeting and similar means, in verbal, written and electronic forms; and they are preserved pursuant to the applicable legislation, within the legally implemented period time and within the period of time that is needed for the purpose of data processing.
Moreover, when you use our call centers or website, visit our company or website, participate in training, seminars or organizations held by our company to benefit from the services, your personal data may be processed.
Personal data are processed by INVEON or natural or legal persons that will be appointed by INVEON, within the purposes stated below, pursuant to the applicable legislation, mainly article 5 and 6 of KVKK where obligations of data processing are stated:
- To offer, improve, develop and diversify our company’s products and services
- To fulfill our legal liabilities as it is obligated and necessitated by legal regulations
- To fulfill liabilities of the contract of employment for employees and/or applicable legislation, increase employees’ level of performance and employee satisfaction, determine training and career planning or provide job safety,
- To carry out recruitment and job applications processes in accordance with INVEON’s human resources policy
- To manage communication with suppliers and business partners
- To contact people who are in business alliance with the company
- To reassure the legal and commercial related safety of INVEON and person who is in business relations with INVEON
- Product advertising, marketing
- Customer satisfaction survey,
- Management of compliance
- Management of vendor/supplier
- Legal reporting
- Activity management
- Management of law, provision and financial affairs
- To give authorized institutions and organizations legal information
- Administration of processes of membership through social networks,
- Administration of processes of call centers,
- To provide an infrastructure of E-Commerce,
- To provide mobile applications related to mobile commerce
- Activities of R&D
- To provide corporate communication
- To send bulletins through e-mail or to send notifications
Conditions for Processing of Personal Data
Personal data shall not be processed without obtaining the explicit consent of the data subject. Personal data may be processed without obtaining the explicit consent of the data subject if one of the below conditions exists:
- Expressly permitted by law
Tax legislation, Labor Legislation, Commerce, E-commerce Legislation, Applicable Legislation of Research and Development Activities and applicable legislation, etc.
- Performance of the Agreement
Contract of Employment, Contract of Sales or Services, etc.
The person who is not capable of allowing consent or does not have the ability to distinguish, due to de facto impossibility. Contact or address information of an unconscious person. Location information of a kidnapped person.
- Data Controller’s Legal Liabilities
Financial audits, Conforming to sector-oriented regulations.
Related person releasing information about themselves to public.
- Establishing, Protecting, and Exercising the Right
Data are necessary to file a lawsuit, registration, etc.
Provided that the fundamental rights of the data subjects are not violated, data may be processed if necessary for the data controller’s legitimate interest.
Maintaining Data Security
To prevent illegally processing of personal data and accessing personal data legally, and to provide legal preservation of data we apply technical and administrative precautions that are both stipulated in law and stated below:
- Constituting procedures for authorization of access within INVEON,
- Constituting information security awareness programs to make sure that employees of INVEON have awareness of their responsibilities and roles regarding personal data security; granting access to personal data to people who need them for execution and performance of service and making sure your data are processed by authorized within confidentiality.
- When there are collaborations with third parties in order to process personal data, contracts signed by data processing parties include provisions related to confidentiality and persons processing data taking necessary measures.
- If a violation to Data Security is confirmed and under circumstances where we have a legal liability to report; procedures of notification to the Board of Relevant Person and Private Data Protection are constructed.
Processing of Special Categories of Personal Data.
Special categories of personal data are processed by us by taking necessary measures as determined by the Board of Protection of Personal Data and as stipulated in law, if there is explicit consent or under circumstances that are required by applicable legislation.
Health and sexuality involving special categories of personal data are not processed by our organization except for our employees’ data due to their processability by authorized institutions and organizations or persons who have confidentiality obligation for the purpose of protecting public health, performing protective medicine, diagnosis, treatment and care services and for the purpose of planning of financing with the health services.
Processing of Personal Data for the Purposes of Human Resources and Employment
We process, preserve and transfer your personal data that are in your resume, certificate, or within the professional knowledge of yours that you have provided for the purpose of consideration of your job application. The information you shared as job applicants are assessed, processed, and preserved both in the scope of this Policy and INVEON Employee Data Processing Policy.
To whom and under with what purposes processed personal data may be transferred;
Among the purposes stated above, personal data may be transferred to;
- Our suppliers and solution partners limited to the purpose of being able to supply external products and services
- Business partners and connections,
- Persons and institutions we receive service for preserving personal data on the cloud environment,
- Group companies,
- Legally authorized administrative and official authorities,
- Legally authorised private law persons,
- Our shareholders limited to purpose of designing strategies regarding commercial activity of our organization,
According to articles 8 and 9 of KVKK and the rules and principles stated above.
Transfer of Personal Data to Third Parties and/or Abroad
For the purposes of legal personal data processing stated in this policy, INVEON may take necessary technical and administrative measures and transfer personal data to third parties located domestically and abroad (storage, archiving, information technologies support (server, hosting, program, cloud informatics), third parties that provide us service, business partners with whom we collaborate and/or get service, supplier firms, banks, financial cooperations, consulting firms that provide support in law and taxes, and other related realms where the transfer is necessary for determining purposes (especially academics within R&D service) and authorized institutions and cooperation.
INVEON may transfer personal data to foreign countries that are declared to have sufficient security by the Board of Protection of Personal Data or under circumstances where no sufficient security exists, foreign countries that are given the allowance by the Board of Protection of Personal Data and written undertaking of sufficient security from data controllers in both Turkey and in the foreign country. Accordingly, INVEON acts in compliance with the stipulated regulations in article 9 of KVKK.
The method and legal cause of collection of personal data
Your personal data is gained through the website, various contracts, any kinds of information forms, job application forms, social media applications and not limited to stated here, all sorts of the verbal, written, or electronic environment by INVEON or data processing natural or legal persons working for INVEON, for the purpose of maintenance of INVEON’s commercial activities, for offering products and services according to laws and for fulfilling responsibilities arisen from laws completely and accurately.
The rights of personal data subject set forth under article 11
As personal data subjects, if you send your requests to INVEON regarding your rights, with the means that are regulated in this Policy, INVEON will conclude your request in thirty days at the latest, according to the content of the request, and free of charge. However, if the Board of Protection of Personal Data stipulates a cost, it will be charged according to determining rates by INVEON.
In accordance with Article 11 of KVKK, data subjects have the right to:
- Learn whether or not her/his personal data have been processed,
- Request information as to processing if her/his data have been processed,
- Learn the purpose of the processing of the personal data and whether data are used in accordance with their purpose,
- Know the third parties in the country or abroad to whom personal data have been transferred
- Request rectification in case personal data are processed incompletely or inaccurately,
- Request deletion or destruction of personal data that is processed by operation of Personal Data Protection Law no. 6698 and other relevant law, if causes of processing ceased to exist,
- Request notification of the operations made as per indents (e) and (f) to third parties to whom personal data have been transferred,
- Object to occurrence of any result that is to her/his detriment by means of the analysis of personal data exclusively through automated systems,
- Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data.
The obligation of Deletion, Destruction, and Anonymization of Personal Data
Personal data that is processed in accordance with KVKK and other relevant laws shall be deleted, destroyed, or anonymized either ex officio or upon request by the data subject pursuant to article 7 of KVKK (pursuant to Regulation on Deletion, Destruction, and Anonymization of Personal Data) in case of conditions for the processing of personal data on articles 5 and 6 of KVKK cease to exist.
INVEON fulfills its obligation in this context, in accordance with the technical and administrative measures to be taken within the general principles of article 4 and in the scope of article 12, provisions of applicable legislation, and the Board of Protection of Personal Data.
According to paragraph 1 of article 13 of KVKK, Personal Data Subject can send their request regarding using the aforementioned rights above mentioned by filling out the APPLICATION FORM REGARDING PERSONAL DATA PROTECTION at www.inveon.com and sending it in “written” form to Inveon located at Nisbetiye Mahallesi Nisbetiye Caddesi No:24/18 Beşiktaş – Istanbul in person or through a notary public, or via registered and reply-paid letter or send an e-mail to firstname.lastname@example.org.
In your application which has the purpose of using the stated rights that you own as a personal data subject, it is required for the request to be explicit and understandable, that the subject is yourself and that you are authorized and have the authorization document if you are acting on behalf of another person, that the request should include information of identification and address and that documents enhancing your identification are added.
Applications in the scope of this context are concluded as soon as possible and within thirty days at the least. Applications are currently free of charge. However, if the transaction requires a cost, a fee may be charged according to determining rates by the Board of Protection of Personal Data..
Personal Data Acquired Prior to the KVKK’S Entry into Force
Legally acquired personal data via the purchase of a product/service and in other means prior to the effective date of KVKK, 7th of April 2016 are processed and preserved in accordance with the terms and conditions stated in this Policy.
In this context, INVEON takes necessary actions to information regarding all employees’ duties and responsibilities, especially employees who have access to personal data.
This Protocol herein is revised at least once per year and is shared with you if necessary as it is updated in accordance with the principles that would be determined.
INVEON BİLGİ TEKNOLOJİLERİ DANIŞMANLIK VE TİCARET ANONİM ŞİRKETİ
JOB APPLICANTS’ PERSONAL DATA PROCESSING POLICY
Personal data obtained during the recruitment process and job assigning of applicants and specific personal data obtained according to the job description (belongs to the person who shared his/her information for job application, personal data used during application consideration period), from INVEON or INVEON’s business alliances or natural or legal persons authorized from INVEON is processed accordingly purposes stated below and also stated at INVEON BİLGİ TEKNOLOJİLERİ DANIŞMANLIK VE TİCARET ANONİM ŞİRKETİ Personal Data Protection and Processing Policy:
- To measure the quality, experience, educational and job-related knowledge of the applicant, learn about his/her professional background and career and consideration of fitness to the available position,
- Considering subjects needed clarification from applicant according to the need for job qualification and practice
- Considering INVEON’S right to gain knowledge, if it is needed according to the qualification of the job applied or importance of the job applied, controlling the honesty of information shared by the applicant or communicating with third parties to gain knowledge on the applicant
- Communicating with the applicant about the application process and recruitment or communicating with the applicant for another open position if suitable
- Meeting the requirements applicable legislation or authorized institutions or organizations’ demands
- Improving Inveon’s recruitment policies
Applicants’ personal data shall collect with the methods stated below: These are the methods and the means of collecting Applicants’ personal data:
- Written application form or digital application form published electronically;
- Resumes that Applicants send to Inveon by e-mail, mail, reference and similar methods
- Employment and consultancy firms
- During interviews via video conferences, phone interviews and face-to-face interviews.
- Control and investigation made to test the honesty of information given by the applicant;
- Recruitment tests that are conducted and analyzed by experienced expert persons to assess talent and personality characteristics
Until the consideration of the applicant is completed, the applicant cannot demand his/her resume and information and documents about the job application back. Inveon only keeps personal data regarding applicants as long as the time needed for their purposes.
Applicants shall submit their requests regarding the rights of being data subjects by the means clarified in INVEON BİLGİ TEKNOLOJİLERİ DANIŞMANLIK VE TİCARET ANONİM ŞİRKETİ Personal Data Protection and Processing Policy.
INVEON BİLGİ TEKNOLOJİLERİ DANIŞMANLIK VE TİCARET ANONİM ŞİRKETİ Personal Data Protection and Processing Policy can be accessed at www.inveon.com