Personal Data Processing and Protection Policy (“CookieSeal”)

Protection of personal data is an important subject for Doğuş Bilgi İşlem ve Teknoloji Hizmetleri A.Ş. (“DT”). DT adopts the principles stipulated by the Law no. 6698 on the Protection of Personal Data (“PDP Law”) to ensure compliance, and fulfills its obligations with respect to the processing, deletion, destruction, anonymization and transfer of personal data, providing clarification to the data subject and ensuring data security. The Personal Data Protection Policy created for this purpose is made available to the relevant natural persons whose data is processed (“Data Subject”).

1) Scope and Purpose of the Personal Data Protection Policy

This Personal Data Protection Policy details the following for DT:

  a) Methods and legal bases for the collection of personal data,
  b) The data subject groups whose personal data is processed (Data Subject Categorization),
  c) Categories of personal data processed with respect to such data subject groups (Data Categories) and examples of data types,
  d) The business processes and purposes for which the personal data is used,
  e) Technical and administrative measures taken to ensure the security of the personal data,
  f) The persons to and purposes for which the personal data may be transferred,
  g) Personal data retention periods,
  h) The rights of Data Subjects related to their personal data, and the means to exercise such rights,
  i) Sharing of personal data with official authorities.

a) What are the Methods and Legal Bases for Collecting Personal Data?

DT collects personal data through websites, social media accounts, cookies, notices sent by administrative and judicial authorities and other communication channels, using aural, electronic and print formats, in accordance with the personal data processing terms and conditions stipulated by the PDP Law and based on the legal grounds specified in this Personal Data Protection Policy.

b) Data Subject Group Categorization

DT categorizes the data subject groups whose personal data is processed in personal data processing procedures, and in operations related to such procedures, as follows. That said, pursuant to the personal data processing conditions stipulated in articles 5 and 6 to the PDP Law and based on the legal grounds specified in this Personal Data Protection Policy, personal data of other data subject groups can also be processed.

  1. Client
  2. Prospective Client
  3. Online Visitor
  4. Persons making claims/complaints

c) Data Categories and Examples of Data Types

  1. Client
  • Identification: Name, surname, TR ID Number
  • Contact Information: mobile phone number, e-mail address, address,
  • Financial Information: Tax office, invoice information
  • Client/Member Information: Membership information,
  • Client/Member Transaction Information: Products purchased and amount,
  • Risk Management Information: IP address
  • Transaction Security Information: Password information
  • Marketing Information: Cookie records, targeting information, assessments showing habits and interests
  • Legal Procedure and Compliance Information: Starting and ending date of the service rendered, type of the service used, commercial electronic message consent given electronically by the Data Subject, distance sales agreement and other legal instruments and agreements that enable the user to take advantage of the services that are provided by DT
  2. Prospective Client
  • Identification: Name, surname
  • Contact Information: e-mail address, address,
  • Risk Management Information: IP address
  3. Online Visitor
  • Legal Procedure Information/Risk Management Information: IP address
  • Legal Procedure and Compliance Information: Starting and ending date of the service rendered, type of the service used, quantity of data transferred
  4. Persons making claims/complaints
  • Identification: Name, surname
  • Contact Information: e-mail address,
  • Transaction Information: Message subject, message contents

d) Business Processes and Purposes For Which The Personal Data Is Used

The personal data is used for CookieSeal operated by DT:

  • Processing online visitor data pursuant to the relevant legislation,
  • Carrying out client transactions,
  • Improving the services provided through the platforms, developing new services and providing information on these subjects,
  • Under the contractual relationship established, in terms of the client whose commercial electronic message consent was obtained; offering special promotions, opportunities and benefits,
  • Under the contractual relationship established, in terms of the client whose commercial electronic message consent was obtained; direct marketing, digital marketing, remarketing, targeting, profiling, promotional and marketing activities based on analyses performed,
  • Resolving client issues and complaints,
  • Creating client satisfaction, loyalty and engagement,
  • Carrying out statistical assessments and market research,
  • Determining and implementing DT’s commercial and business strategies,
  • Monitoring of accounting and purchasing transactions,
  • Compliance with legal procedures and legislation,
  • Responding to requests for information by administrative and judicial authorities,
  • Planning internal reporting and business development operations,
  • Ensuring information and transaction security, preventing malicious use,
  • Planning and executing the operational activities necessary to ensure that DT’s operations are conducted as per DT procedures and the policies prepared within the scope of the PDP Law,
  • Making the necessary adjustments to ensure that the processed data is up-to-date and accurate

and operations related to all the processes listed above.

e) Technical and Administrative Measures Taken to Ensure Personal Data Security

    DT is committed to taking all the necessary technical and administrative measures and exercising due diligence in order to ensure the privacy, integrity and security of your personal data. DT takes the necessary measures to prevent unauthorized access to personal data and the misuse, unlawful processing, disclosure, alteration or destruction of personal data. With regard to preventing unlawful access to, preventing unlawful processing of, and protecting the personal data it processes, DT:
    • Protects all the domains on the website from which the personal data is obtained with SSL,
    • In order to prevent the unlawful processing of the personal data collected from the website; creates and implements access authorization and control matrices for its employees,
    • In order to prevent unlawful access to the personal data; carries out regular leak testing and tests the resilience of the system against unauthorized access,

    In case the personal data are damaged or acquired by unauthorized third parties as a result of cyber attacks on platforms operated by DT or the DT system despite all the necessary information security measures having been taken by DT, DT immediately informs you and the Personal Data Protection Board and takes the necessary measures.

f) The Parties to and the Purposes for Which the Personal Data May be Transferred

DT only transfers the personal data to third parties according to the purposes specified in the Personal Data Protection Policy and the articles 8 and 9 to the PDP Law.

The client data is also shared with the intermediary service provider of the commercial electronic message in order to carry out promotions, advertising, offer benefits and advantages in relation to the client’s preferences, interests and habits based on their commercial electronic message consent.

The personal data specified above, which are subject to domestic or foreign-based transfers, are also protected legally by provisions in accordance with the PDP Law, included in our agreements, taking into consideration that the opposite side of the legal relationship is the data controller or the data processor; in addition to other technical measures that will ensure their security.

g) Personal Data Retention Periods

DT retains the personal data it processes for the periods stipulated by the relevant legislation or the periods required by the purpose of processing, in accordance with the PDP Law. These periods are listed as follows in our Personal Data Retention and Destruction Policy:

Data category | Retention period | Relevant legislation
Client records | 10 years | Law NR. 6098
All records relating to accounting and financial transactions | 10 years | Law NR. 6102, 213
Commercial electronic message consent records | 1 year following the date on which the consent was withdrawn | Law NR. 6563 and 2nd appendix
Traffic information relating to online visits | 2 years | Law NR. 5651
Personal data related to clients | 10 years following the termination of the legal relationship | Law NR. 6098, 213, 6502

You may refer to our Cookie Policy for the retention periods of the personal data we obtain through cookies.

h) The Rights of Data Subjects Related to Their Personal Data and the Means to Exercise Such Rights

Pursuant to article 11 of the PDP Law, the rights of the Data Subjects related to their personal data processed by DT are listed below:

  • To learn whether his personal data are processed or not,
  • To request information if his personal data are processed,
  • To learn the purpose of his data processing and whether this data is used for intended purposes,
  • To know the third parties to whom his personal data is transferred at home or abroad,
  • To request the rectification of the incomplete or inaccurate data, if any,
  • To request the erasure or destruction of his personal data under the conditions laid down in article 7 to the PDP Law,
  • To request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom his personal data has been transferred,
  • To object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavourable consequence for the data subject,
  • To request compensation for the damage arising from the unlawful processing of his personal data.

Pursuant to article 13 to the PDP Law, you may exercise your rights by sending an e-mail to kisiselverilerim@d-teknoloji.com.tr.

i) Sharing Personal Data with Official Authorities

DT will be entitled to share your personal data such as visits or membership and traffic information such as browsing activity on e-commerce platforms and mobile applications operated by DT, with public authorities and organizations that are legally entitled to request such information, for the purpose of enabling DT to fulfill its obligations arising from the law (including but not limited to fighting crime, threats to government and public safety and other similar circumstances where DT is obligated to provide legal and administrative notifications or information).

j) Cookie Use and Management

For more information regarding the cookies used by DT, you may refer to our Cookie Policy.

2) Conditions for the Deletion, Destruction and Anonymization of Personal Data

DT retains the personal data it processes through the mobile website for periods stipulated by the relevant laws or periods required by the purpose of processing, pursuant to articles 7 and 17 to the PDP Law and article 138 to the Turkish Penal Code. Upon the expiration of such periods, DT will delete, destroy or anonymize the data as per the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

Deletion of personal data by DT refers to the process of rendering the personal data completely inaccessible or unusable by the relevant users. For this purpose, DT creates and implements an access authorization and control matrix at the user level and takes the necessary measures to carry out the deletion on the database.

Destruction of personal data by DT refers to the process of rendering the personal data completely inaccessible, irretrievable and unusable by any party.

Anonymization of personal data by DT refers to the process where the personal data is rendered so that it cannot be associated with any identified or identifiable natural person even in case the personal data is matched with other data.

DT explains in detail the methods of deletion, destruction and anonymization, and the technical and administrative measures it has taken for this purpose, under the Personal Data Retention and Destruction Policy prepared pursuant to the Regulation on the Deletion, Destruction or Anonymization of Personal Data. This Policy also defines the time period for the periodic destruction stipulated by the Regulation as 6 months.

3) Changes to the Privacy/Personal Data Protection Policy

DT may make changes to this Privacy/Personal Data Protection Policy at any time. These changes immediately take effect following the issuance of the new and amended Privacy/Personal Data Protection Policy. The necessary information will be provided to you, our members, to inform you of the changes made to this Privacy/Personal Data Protection Policy.