
Privacy Policy

Medetoğulları International Transportation and Shipping Co. Ltd.

PERSONAL DATA PROCESSING AND PROTECTION POLICY

  1. INTRODUCTION

This Personal Data Protection and Processing Policy (‘Policy’) explains the principles adopted by Medetoğulları International Transportation and Shipping Co. Ltd. for its personal data processing activities, and the fundamental principles adopted to keep those activities compliant with the regulations set forth in the Law on Protection of Personal Data No. 6698 (‘Law’). Thus, this document aims to inform data subjects about the legal provisions and general principles adopted by our Company.

We process your personal data with this awareness of responsibility and ensure that it is reasonably protected under this Policy.

  1. PURPOSE OF THE POLICY

The primary purpose of this Policy is to outline the principles and guidelines for the lawful processing of personal data and the protection of personal data carried out by Medetoğulları International Transportation and Shipping Co. Ltd. In this context, the Policy aims to ensure transparency by informing and enlightening individuals whose personal data is processed by our company.

  1. Scope of the Policy

This Policy covers, with respect to your personal data processed by Medetoğulları International Transportation and Shipping Co. Ltd., the principles of processing personal data and personal health data, the purposes and conditions of processing such data, its transfer both domestically and internationally, its disposal, and the implementation and principles regarding your rights concerning the processed data, as detailed below.

  1. ACCESS AND UPDATING

The Policy is published on our company’s website and made accessible to the relevant individuals upon their request, and is updated when necessary. (In accordance with Article 4 of the Law No. 6698 on Protection of Personal Data, the personal data we collect and process must be accurate and up-to-date. Therefore, if any changes occur in your personal data, you can notify us of the updated and accurate personal information through the methods explained in the Disclosure Text on our website.)

Our company reserves the right to make changes to the Policy in line with legal regulations.

In case of any contradiction between the provisions of the current legislation, including the Law, and the regulations stated in this Policy, the provisions of the legislation shall be applied.

  1. DEFINITIONS

The definitions used in this Policy are provided below:

Explicit Consent

Explicit consent is the consent given based on being informed about a specific subject, relying on free will, and being expressed voluntarily.

Anonymization

Rendering personal data such that it cannot be attributed, either directly or indirectly, to the identity of a real person, even through matching with other data.

Personal Data

Any kind of information related to an identified or identifiable natural person.

Processing of Personal Data

Any operation performed on personal data, whether wholly or partially by automatic means or non-automatic means that are part of a data recording system, including collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, retrieval, making available, classification, or prevention of its use.

Law on Protection of Personal Data

Law No. 6698 on Protection of Personal Data

Personal Data Protection Board

Personal Data Protection Board

Personal Data Protection Authority

Personal Data Protection Authority

Personal data of special nature

Data pertaining to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing and appearance, membership in associations, foundations or trade unions, health, sex life, criminal convictions, and security measures as well as biometric and genetic data.

Data subject

The natural person whose personal data is processed, also known as the “Data Subject” and referred to as the “data subject” in the KVK Law.

Data controller

The real or legal person who determines the purposes and means of processing personal data, establishes and manages the data recording system.

Data processor

The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data controllers’ registry

The Data Controllers’ Registry (VERBİS) maintained by the Presidency under the supervision of the Personal Data Protection Board.

Data Inventory

The inventory created and detailed by Medetoğulları International Transportation and Shipping Co. Ltd. in accordance with its business processes, associating personal data processing activities with their purposes, the recipient group of personal data, and the relevant data subject group.
  1. PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

At Medetoğulları International Transportation and Shipping Co. Ltd., based on the legitimate and lawful purposes of personal data processing, and in accordance with the principles specified in Article 4 concerning the processing of personal data, the general principles stated in the Law on Protection of Personal Data (KVKK), and all obligations regulated in the KVKK, and relying on one or more of the conditions for processing personal data as stipulated in Article 5 of the KVKK, and limited to the data subjects within the scope of this Policy (Product and Service Recipients, Potential Product and Service Recipients, Employees, Job Applicants, Visitors, Supplier Employees, Supplier Representatives, References, Shareholders/Partners, Employees’ Relatives, Company Doctor, Reference Person), regardless of their number;

  • Ensuring the fulfillment of the operational requirements conducted by our company, and facilitating the utilization of the products and services provided by our company by the relevant individuals.
  • Execution of Goods / Service Production and Operation Processes
  • Execution of Goods / Service Sales Processes
  • Execution of Post-Sale Support Services for Goods / Services
  • Execution of Logistics Activities
  • Execution of Customer Relationship Management Processes
  • Execution of Marketing Analysis Studies
  • Execution of Product / Service Marketing Processes
  • Execution of Advertising / Campaign / Promotion Processes
  • Execution of Contract Processes
  • Tracking of Requests / Complaints
  • Execution of Supply Chain Management Processes
  • Providing Information to Authorized Individuals, Organizations, and Institutions
  • Execution / Supervision of Business Activities
  • Execution of Communication Activities
  • Execution of Financial and Accounting Affairs
  • Tracking and Execution of Legal Affairs
  • Fulfillment of Information Sharing, Reporting, and Notification Obligations Prescribed by Public Institutions and All Authorities
  • In order to fulfill the obligations arising from legal regulations and for the purpose of fulfilling the obligations of information and document retention as stated in Articles 5 and 6 of Law No. 6698, personal data will be processed within the personal data processing conditions and purposes specified in the same law.

Medetoğulları International Transportation and Shipping Co. Ltd. has created a personal data inventory in accordance with the Data Controllers’ Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data sources, data processing purposes, data processing processes, recipient groups to which the data is transferred, and retention periods.

In this context, within Medetoğulları International Transportation and Shipping Co. Ltd., the following types of data categories exist. However, this list is not exhaustive:

Identity Information

Refers to the details recorded on your identity card, including but not limited to your name, surname, mother’s name, father’s name, place of birth, date of birth, marital status, religion, blood type, registered city, district, and neighborhood, among others.

Contact Information

Refers to communication data provided by you or requested from you in order to establish communication, including but not limited to home phone number, mobile phone number, residential address or other address information, email address, and similar details required for communication with you.

Personnel Information

Copy of national ID card, Population registration certificate, Residence document, Health report, Copy of diploma, Criminal record, Passport-sized photograph, Document indicating family status, Military service status document, Employment Contract / Service Agreement, Social Security Institution (SGK) entry declaration, Your criminal record (criminal record), Information and documents related to your health condition.

Professional Experience

Diploma information, attended courses, in-service training details, certificates, and the like

Bank Account Information (Financial)

Bank Account Number, IBAN Number, and other information related to the bank card.

Curriculum Vitae Information

Curriculum vitae information, including education details such as school information, certificate details, educational background, and training; your work experience details, including location, dates, and duration of employment, along with information about previous job positions and responsibilities; all types of information related to your work experience; your photograph, as mentioned in your curriculum vitae or requested by Medetoğulları International Transportation and Shipping Co. Ltd.; your driver’s license and the information written on it, as stated in your curriculum vitae or requested by Medetoğulları International Transportation and Shipping Co. Ltd.; your references and the information related to them, as mentioned in your curriculum vitae or requested by Medetoğulları International Transportation and Shipping Co. Ltd.; information about smoking and alcohol use as stated in your curriculum vitae.

Physical Site Security (Visitor Information)

Camera recordings of visitors coming to the company, internet access information, the visited person, and other relevant details.

Health Data

Health information and data of all kinds obtained during the creation of personnel files (information about disabilities, blood type, personal health details)

Criminal Conviction Data

Along with the criminal record certificate obtained during the creation of personnel files,

Customer Transaction

Invoice, promissory note, check details, information on teller receipts, order information, request information, etc. in cashier receipts,

Legal Transaction

Information in correspondence with judicial authorities, details in the lawsuit files, etc.

Marketing

Past service information, survey data, cookie records, information obtained through campaign efforts.

Location Data

Location information of the place where it is situated

Other

In the SGK process, education status of the employee’s relative, smoking and alcohol use, professional qualification certificate number, financial account information, occupation information of the prospective employee’s relative, and the signature included in the signature circular.
  1. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

  1. Legality

Our company conducts its personal data processing activities in accordance with the Constitution, primarily the Law on Protection of Personal Data (PDPA), and relevant regulations, in a lawful and fair manner. Within this scope, our company determines the legal grounds that necessitate the processing of personal data, takes into account the principles of necessity and proportionality, refrains from using personal data for purposes other than those required, and ensures that processing activities are carried out with the knowledge and consent of individuals.

  1. Ensuring Accuracy and Timeliness of Data

Our company takes necessary measures to ensure the accuracy and currency of the personal data processed, taking into consideration the fundamental rights and legitimate interests of the data subjects. In this regard, data for all categories of individuals are aimed to be kept up-to-date, and various administrative and technical measures are implemented to ensure accuracy and currency.

  1. Specific, Legitimate, and Transparent Purpose

Our company only processes personal data for clear and specific legitimate purposes, and does not engage in data processing activities beyond these purposes. The purposes for which personal data will be processed are determined before the processing activity and recorded in the “Personal Data Inventory.”

  1. Data Processing Being Relevant, Limited, and Proportional to the Purpose

Our company processes personal data to the extent necessary for the fulfillment of defined purposes. Data processing activities are not conducted under the assumption of potential future use. Within this scope, processes are constantly reviewed, and efforts are made to implement the principle of minimizing personal data.

  1. Personal data is retained only for as long as necessary and is subsequently deleted.

Our company retains personal data only for the period specified in the relevant legislation or for the time necessary for the purpose for which they were processed. In this context, our company first determines whether there is a specified period for the storage of personal data in the relevant legislation, and if a period is specified, it adheres to this period. Our company takes into account legal and statute of limitations periods, and retains personal data for the duration necessary for the purpose of processing. Upon the expiration of the period or the cessation of the reasons that require processing, personal data is deleted, destroyed, or anonymized in accordance with our company’s ‘Data Destruction Policy’.

  1. CONDITIONS FOR THE PROCESSING OF PERSONAL DATA

Personal data can only be collected, processed, or used within the scope of the legal bases specified below.

  1. Explicit Consent

Article 3 defines explicit consent as “consent on a specific subject, based on being informed, and declared with free will.” Furthermore, Article 20, paragraph 3 of the Constitution stipulates that personal data may only be processed by law or with the explicit consent of the individual, as provided by the law. Explicit consent is established as a fundamental legal basis for both sensitive and non-sensitive personal data under Law No. 6698. Therefore, according to the law,

• Article 5, paragraph 1 of the Law states: “Personal data cannot be processed without the explicit consent of the data subject.”

• Article 6, paragraph 2 of the Law states: “Processing of special categories of personal data without the explicit consent of the data subject is prohibited.”

• Article 8, paragraph 1 of the Law states: “Personal data cannot be transferred without the explicit consent of the data subject.”

• Article 9, paragraph 1 of the Law states: “Personal data cannot be transferred abroad without the explicit consent of the data subject.”

In line with these provisions, our company processes personal data by obtaining explicit consents that are freely given and demonstrably obtained (in written, electronic, or recorded verbal form). In cases of processing sensitive personal data, explicit consents will be obtained in writing when necessary.

Personal data processing managers who process personal data are responsible for verifying the presence and validity of explicit consent from the relevant data subject when collecting the processed personal data. In cases where explicit consent is not present (excluding the exceptions below), data processing activities will not be carried out.

  1. Processing of Personal Data Without Obtaining Explicit Consent

In the presence of one of the following conditions, processing of personal data without obtaining explicit consent of the data subject is possible:

  1. Explicitly prescribed by the laws,
  1. Necessity arising from actual impossibility to express consent or the lack of legal validity attributed to one’s consent, for the preservation of one’s own or another person’s life or bodily integrity,
  1. The necessity of processing personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract.
  1. It being necessary for the data controller to fulfill their legal obligations.
  1. The data subject having made the data publicly available themselves.
  1. The necessity of processing data for the establishment, exercise, or defense of a legal right.
  1. Necessity of processing data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

In such cases, processing can be carried out without explicit consent.

  1. Processing of Special Categories of Personal Data

Our company demonstrates special sensitivity in processing special categories of personal data, which are believed to hold a more critical importance for data subjects in various aspects. Within this scope, such data is processed without the explicit consent of data subjects, provided that sufficient measures determined by the Authority are taken. However, special categories of personal data other than health and sexual life-related data can be processed without the explicit consent of the data subject in cases provided for by the law. Nevertheless, data related to health and sexual life can be processed without obtaining explicit consent, subject to the presence of the reasons listed below and the implementation of adequate measures:

  • Protection of public health,
  • Preventive medicine,
  • Medical diagnosis,
  • Execution of treatment and care services,
  • Planning and management of health services and financing.

In every instance where processing of special categories of personal data is required, the DPA Committee will be informed.

  1. TRANSFER OF PERSONAL DATA

Medetoğulları International Transportation and Shipping Co. Ltd. may transfer the personal data of data subjects to third parties and institutions, within the scope of the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698 on Protection of Personal Data and limited to the purposes stated in this Policy, in compliance with Articles 8 and 9 of the Law.

The scope of the individuals to whom the transfer is made and the purposes of data transfer are specified above and in the information notice. The individuals and institutions to whom the transfer is made include:

Your personal data may be transferred to domestic and/or international service providers with whom we collaborate, such as business partners, consultants, suppliers, insurance companies, notaries, banks, financial institutions, consultancy firms providing support in legal, tax, and similar fields, legally authorized public institutions, and private individuals, for the purpose of sustaining our company’s activities and business processes. These transfers will be conducted in compliance with the personal data processing conditions specified in Articles 8 and 9 of Law No. 6698 and within the purposes mentioned above. These service providers include entities engaged in data storage, archiving, information technology support (servers, hosting, software, cloud computing, etc.), both within the country and abroad, who process personal data on behalf of our company.

  1. Domestic Transfer of Personal Data;

In accordance with Article 8 of the Law on the Protection of Personal Data (KVKK), the domestic transfer of personal data will be possible provided that one of the conditions specified in the 8th section titled ‘Conditions for Processing of Personal Data’ of this Policy (processing conditions) is met.

  1. Transfer of Personal Data Abroad;

In accordance with Article 9 of the Law on the Protection of Personal Data (KVKK), in the event of transferring personal data abroad without explicit consent, in addition to meeting the conditions for domestic transfers, one of the following conditions must be met:

  • The country to which the transfer will be made being among the countries deemed to have adequate protection by the Authority,

or

  • in case there is not sufficient protection in the country of transfer, obtaining written commitments of adequate protection from data controllers in Turkey and the relevant foreign country, and obtaining the permission of the Authority.
  1. Transfer of Special Categories of Personal Data Abroad

Our company, by taking necessary security measures and implementing sufficient precautions as prescribed by the Personal Data Protection Authority, can transfer the special category data of data subjects to foreign countries that either are deemed to provide adequate protection or where the data controller commits to adequate protection, in line with legitimate and lawful personal data processing purposes, under the following circumstances.

  • If the data subject has given explicit consent, or
  • If the data subject does not give explicit consent;
  1. Special categories of personal data other than health and sexual life-related data of the data subject (race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing and appearance, membership in associations, foundations, or trade unions, data related to criminal convictions and security measures, as well as biometric and genetic data) can be transferred without the explicit consent of the data subject, in cases provided for by the law,
  1. However, special categories of personal data related to the data subject’s health and sexual life can only be processed within the scope of protecting public health, preventive medicine, conducting medical diagnosis, providing treatment and care services, planning and managing health services and financing, by individuals or authorized institutions and organizations subject to confidentiality obligations.

The compliance with the obligations during the transfer of special category data is the responsibility of the relevant employee conducting the transfer.

  1. RIGHTS OF DATA SUBJECTS

  1. Medetoğulları International Transportation and Freight Ltd. Co. will respond to the requests of data subjects, whose personal data it processes, within 30 days, regarding the rights listed below:
  1. Learning whether personal data is being processed or not,
  1. Requesting information if personal data has been processed,
  1. Learning the purpose of the processing of personal data and whether they are being used for their intended purpose,
  1. Knowing the third parties to whom personal data is transferred domestically or abroad,
  1. Requesting the correction of personal data if it is incomplete or inaccurate, and requesting that the correction process be communicated to third parties to whom the personal data has been transferred,
  1. Requesting the deletion or destruction of personal data if the reasons requiring its processing no longer exist, even if it has been processed in accordance with the Law on the Protection of Personal Data and relevant other laws, and requesting that the deletion or destruction process be communicated to third parties to whom the personal data has been transferred,
  1. Objecting to the emergence of an unfavorable result about the person by solely analyzing the processed data through automated systems,
  1. Requesting compensation for damages in case of suffering damage due to the unlawful processing of personal data.
  1. Data subjects can apply within the scope of the aforementioned rights by using the methods specified below or the KVKK application form on the website, accompanied by information and documents that establish their identity, or through other methods determined by the Personal Data Protection Board.
  1. PRIVACY AND DATA SECURITY MEASURES;

All personal data processed within Medetoğulları International Transportation and Freight Ltd. Co. is confidential, as stipulated in Article 12 of the Law, and the company,

a) to prevent the unlawful processing of personal data,

b) to prevent unauthorized access to personal data,

c) to ensure the protection of personal data,

takes all necessary technical and administrative measures to ensure an adequate level of security in line with the intended purpose.

  1. Technical Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unauthorized Access to Personal Data

In order to safeguard your personal data, Medetoğulları International Transportation and Freight Ltd. Co. has taken all necessary technical and technological security measures and is committed to protecting your personal data against potential risks. For instance,

  • Current antivirus systems are utilized.
  • Necessary security measures are taken for entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • Personal data is being backed up, and the security of the backed-up personal data is also ensured.
  • Encryption is implemented. Access to systems containing personal data is granted using username and password.
  • Special categories of personal data transferred on portable storage devices, CDs, and DVDs are encrypted during transfer.
  1. Administrative Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unauthorized Access to Personal Data

  • An administrative framework has been established within the organization to initiate and oversee information security operations and implementation.
  1. A KVKK Committee and a Contact Person have been appointed, and their duties and responsibilities have been defined.
  1. KVKK application channels have been determined.
  1. Violation, request/complaint management workflows have been established.
  • The fundamental principles, policy, and procedures for the processing and protection of personal data have been established.
  1. A Data Processing and Retention Policy has been formulated.
  1. A Policy for the Processing and Protection of Personal Data has been created.
  1. A Policy for the Security of Special Categories of Personal Data has been established.
  • The current risks and threats within the scope of the processed personal data have been identified.
  • Training and awareness campaigns on personal data security are conducted for employees.
  • Roles, responsibilities, and job descriptions related to data security have been defined to ensure that employees and contractors are aware of their information security responsibilities and fulfill them.
  • There is a disciplinary process in place that will be activated in case employees fail to comply with security policies, fundamental principles, and procedures.
  • Confidentiality commitments are undertaken.
  • Information notices have been published for employees, customers, suppliers, etc.
  • The processes requiring explicit consent have been identified and implemented.
  • Internal periodic and/or random audits are conducted and commissioned. Privacy and security vulnerabilities identified during audits are addressed.
  • The necessity of processing the mentioned personal data is evaluated based on the processing purpose, and personal data is minimized whenever possible.
  • In case personal data is obtained by others through unlawful means, necessary measures are taken by employees to promptly inform the relevant individual and the Authority (Kurul) about the situation.
  1. Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data

In case personal data processed by our company is obtained by others through unlawful means, our company will promptly notify the relevant data subject and the Authority (Kurul) about this situation within the shortest period (maximum 72 hours).

  1. DATA PROCESSING ACTIVITIES CONDUCTED FOR OUR GUESTS;

  1. Medetoğulları International Transportation and Freight Ltd. Co. provides internet access to visitors who request it while staying in our offices, buildings, and facilities for the purpose of ensuring security and other purposes specified in this Policy. Log records are kept during this period.
  1. For the purpose of ensuring security, Medetoğulları International Transportation and Freight Ltd. Co. conducts personal data processing activities related to monitoring guest entrances and exits through security cameras in Medetoğulları International Transportation and Freight Ltd. Co. buildings. Recording is not conducted in areas of high privacy.
  1. The data obtained for the purpose of tracking guest entrances and exits are processed solely for this purpose, and the relevant personal data is recorded in the data recording system in physical and electronic environments within the framework of legitimate interests.
  1. These monitoring activities are carried out in compliance with the relevant legal regulations.
  1. CONDITIONS FOR ERASURE (DELETION), DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

In accordance with Article 138 of the Turkish Penal Code, Article 7 of the Law on the Protection of Personal Data (KVKK), and the “Regulation on the Deletion, Destruction, and Anonymization of Personal Data” issued by the Authority (Kurum), even though personal data has been processed in compliance with the relevant legal provisions, if the reasons requiring its processing cease to exist, Medetoğulları International Transportation and Freight Ltd. Co. may decide, upon its own discretion or at the request of the data subject, to delete, destroy, or anonymize personal data. Medetoğulları International Transportation and Freight Ltd. Co. has created a Policy in accordance with these regulations, and based on this Policy, data is destroyed according to its nature. Pursuant to this regulation, Medetoğulları International Transportation and Freight Ltd. Co. has determined periodic destruction dates and has established a schedule for periodic destruction at various intervals starting from the obligation commencement date.

  1. EXECUTION

To ensure the implementation of this Policy in compliance with the regulations of the Law on the Protection of Personal Data (KVKK), a management structure has been established by Medetoğulları International Transportation and Freight Ltd. Co.

  1. EFFECTIVE DATE OF THE POLICY

This Policy has come into effect on November 23, 2020.