DATA OWNER APPLICATION MANAGEMENT POLICY
DOCUMENT NO: GM-P004
APPROVED BY: BOARD OF DIRECTORS
DATE OF APPROVAL: 05/01/2019
LAST REVISION DATE: 00/0000
VERSION NO: 01
RELATED DOCUMENTS: Personal Data Retention and Destruction Policy
Data Owner Application Form
1. PURPOSE
2. SCOPE
3. RESPONSIBILITY
4. DEFINITION
5. APPLICATION RIGHT
6. APPLICATION PROCEDURES
7. APPLICATION RECORDING
8. APPLICATION EVALUATION
8.1. PERSONAL DATA DETECTION
8.2. INFORMATION REQUEST FOR PERSONAL DATA PROCESSED
8.3. CORRECTION REQUEST FOR PERSONAL DATA PROCESSED
8.4. DELETION/DESTRUCTION REQUEST FOR PERSONAL DATA PROCESSED
8.5. REQUEST FOR NOTIFICATION OF CORRECTION / DELETION / DESTRUCTION REQUESTS REGARDING THE PROCESSED PERSONAL DATA TO THE DATA TRANSMITTED PARTIES
8.6. OBJECTING TO THE EMERGENCE OF A RESULT AGAINST THE PERSON HIMSELF/HERSELF
8.7. REQUEST TO ELIMINATE THE LOSS, IN CASE THE PERSONAL DATA IS DAMAGED DUE TO UNLAWFUL PROCESSING OF PERSONAL DATA
9. RESPONDING APPLICATION
10. FEE
The purpose of this policy is to explain the operation and communication channels established regarding the management, execution and recording of the applications of the data owners with the implementation of the Law by the company CEYLAN OTELCİLİK VE TURİSTİK İŞLETMELER A.Ş. (company) in the capacity of data controller in accordance with Personal Data Protection Law No. 6698 (Law).
These policy provisions apply to natural persons who have personal data processed by the Company in full or partial automation, or non-automated means provided that they are part of any data recording system.
This policy has been approved and implemented by the Company’s Board of Directors. Within the framework of the policy, all activities to be carried out in the company and the measures to be taken are defined by the appropriate procedures. The Company's management is responsible for preparing, updating and implementing these procedures.
is responsible for ensuring communication in responding to requests to be made by the data owners to the Company.
is responsible for ensuring that the applications of the data owner are answered within 30 days at the latest in line with the responses conveyed by the relevant departments.
is responsible for ensuring the communication between the Board and the Company and meeting the requests of the Board.
Department managers are responsible for ensuring that the applications forwarded to them are examined and responded to within 1 week at the latest.
Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Application made under Article 13 of the Law
Secure Electronic Signature
The electronic signature which is linked exclusively to the signer, is created using the secure electronic signature creation tool available only to the signer, identifies the signer using the qualified electronic certificate, and makes it possible to determine whether changes have been made to the signed electronic data.
Natural person whose personal data are processed.
Deletion, Destruction, and Anonymization of Personal Data
Legal person reported to the Registry by the data officer for communication with the institution during registration, regarding the obligations of its representative under the Law and secondary regulations to be issued based on this Law of the legal person representative of data controller not residing at Turkey with legal persons residing at Turkey.
Turkish Personal Data Protection Law no. 6698
Any medium in which personal data are processed, which are fully or partially automated, or processed in non-automated ways, provided that they are part of any data recording system.
Registered e-mail (REM) address
Qualified form of electronic mail that provides legal evidence regarding the use of electronic messages, including their delivery.
Any information relating to an identified or identifiable natural person.
Anonymization of personal data
Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Processing of personal data
Any operation which is performed upon personal data such as collection, recording, retention, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
Deletion of personal data
Making personal data inaccessible and unusable to relevant users in any way.
Destruction of personal data
Making personal data inaccessible, irretrievable and non-reusable by anyone.
The Board of Protection of Personal Data.
The Authority of Protection of Personal Data.
Electronic signature created using a mobile device
Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
Pursuant to Article 11 of the Law, the data owner has the right to apply to our Company to request the following:
a) Find out if personal data is processed,
b) If personal data is processed, requesting information about it,
c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
ç) To know the third parties to whom personal data are transferred domestically or abroad,
d) Requesting correction of personal data if it is incomplete or incorrectly processed,
e) Request personal data to be deleted or destroyed,
f) To request notification of transactions made in accordance with clauses (d) and (e) to third parties to whom personal data are transferred,
g) To object to the emergence of a result against the person by analysing the processed data exclusively through automated systems,
ğ) In the event that personal data is damaged due to illegal processing, the data owner has the right to demand the removal of the damage.
The data owner can benefit from this right provided that the application is made in Turkish.
Personal data owners will not be able to assert their rights in case of the following situations where the provisions of the law are not applied:
Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defence, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.
Processing personal data for purposes such as research, planning and statistics by anonymizing with official statistics.
Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to provide national defence, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities regarding investigations, prosecutions, trials and execution proceedings.
Except for the obligation to inform and the right to demand compensation, provided that it complies with the purpose and basic principles of the Law, personal data owners will not be able to assert their rights if:
Personal data processing is necessary for crime prevention or criminal investigation.
Processing of personal data personalized by the personal data owner.
In case that personal data processing is necessary for the disciplinary investigation or prosecution by the authorized public institutions and organizations and the professional institutions that are public institutions based on the authority given by the law.
Personal data processing is necessary to protect the state's economic and financial interests in relation to budget, tax and financial matters.
The data owner may submit his or her requests to the Company for the implementation of the law by filling in the data owner application form at www.verychic.com.tr with the information and documents that determine his or her identity, using the methods indicated below.
• After the application form has been filled in, the data owner writes “Personal Data Protection Law Information Request” on the envelope / notification and delivers it, either by hand or through a notary, to the address Very Chic, Zengin Huseyin sokak no 9 Gumbet Bodrum Mugla 48400 Turkey.
• After the application form has been filled in, the data owner signs it with the “secure electronic signature” within the scope of Electronic Signature Law No. 5070 and sends it by registered e-mail to the firstname.lastname@example.org address, writing “Personal Data Protection Law Information Request” in the subject line.
In written applications, the date when the document is notified to the Company is the application date. For applications made with the other method, the date the application reaches the Company is the application date.
If the Application Form is submitted by hand, the identity of the person concerned is determined by checking the identity document (Name-Surname, Identity Number).
In order for a person other than the personal data owner to make a request, the original power of attorney issued on behalf of the person to apply by the personal data owner must be submitted. A copy of the power of attorney is kept in the annex.
The application for personal data of persons under the age of 18 can be made by their legal representative. In this case, copies of the documents that determine the authority of the legal representative are requested and a copy of it is kept in the application annex.
In applications made with secure electronic signature, the identity of the applicant can be legally determined with a qualified electronic certificate based on e-signature.
Applications made in writing by the data owner in person or through a notary are recorded in the Documents Registry by the Correspondent and delivered to the Contact Person against the signature.
Applications made to the registered e-mail address are sent to the Contact Person by e-mail by the Financial Advisor or authorized person.
The Contact Person checks whether the application is in accordance with the procedures set out in this Policy and whether the information and documents required to be included in the application form are complete. For applications that are not in accordance with the procedure, the Contact Person contacts the person concerned to obtain the necessary information. Nevertheless, applications that remain non-compliant or have incomplete information / documents are rejected by notifying the person concerned in writing.
Applications received in accordance with the procedure are forwarded by the Contact Person to the relevant department manager listed below, according to the category of the applicant.
• Candidate employee, former employee: Human Resources
• Supplier: Accounting / Purchasing
• Customer / Guest: Related Department
• Visitor: Security
• Other: Information Technologies / Law
PERSONAL DATA DETECTION
In order to evaluate the requests of the data owners, the relevant department must first determine whether the personal data of the applicant is processed by the Company.
For this purpose, firstly, the relevant process, data category, recording medium and storage location in the Personal Data Inventory are determined based on the information in the Application Form. In addition to the review made on the Data Inventory, the data owner information on the application form is checked by searching on the Company databases.
If the personal data specified by the relevant person in the application form are not found in the relevant processes and systematic testing, the Contact Person is informed by e-mail.
If personal data specified by the relevant person in the application form are encountered in the relevant processes and systematic testing, one of the following steps is carried out in accordance with the request of the personal data owner and the requirement is fulfilled.
INFORMATION REQUEST FOR PERSONAL DATA PROCESSED
In line with the request of the person concerned, specified in the 11/1 of the Law and in the clauses (a), (b), (c) and (ç) of article 5 of this Policy, the personal data processed, the data processing purpose, the transmitted party and the transfer purpose information recorded in the Personal Data Inventory are sent to the Contact Person by e-mail.
CORRECTION REQUEST FOR PERSONAL DATA PROCESSED
In line with the request of the relevant person specified in the 11/1 of the Law and in the clause (d) of article 5 of this Policy, the personal data provided by the data owner and the documents proving them and the information in the Company records are compared. The data determined to be processed as defective or incomplete at the company are forwarded to the relevant department where the data is recorded together with the proving documents for correction and updated.
Information regarding the updated data is sent to the Contact Person by e-mail.
DELETION/DESTRUCTION REQUEST FOR PERSONAL DATA PROCESSED
In line with the request of the relevant person specified in 11/1 of the Law and in the clause (e) of article 5 of this Policy, it is determined from the Personal Data Inventory in which processes the personal data must be stored and processed due to legal obligation.
If there is no obligation to store and process due to legal obligation, related personal data will be deleted and destroyed in accordance with the Personal Data Retention and Destruction Policy. Upon completion of the deletion / destruction process, the information that the relevant personal data has been deleted and destroyed is shared with the Contact Person.
If there is an obligation to process and store due to legal obligation, the Contact Person is informed that his request could not be fulfilled because the legal obligation, which is the basis for personal data processing, has not disappeared.
REQUEST FOR NOTIFICATION OF CORRECTION / DELETION / DESTRUCTION REQUESTS REGARDING THE PROCESSED PERSONAL DATA TO THE DATA TRANSMITTED PARTIES
In line with the request of the person concerned specified in the 11/1 of the Law and in clause (f) of article 5 of this Policy, the categories of parties to whom the data are transferred are determined from the Personal Data Inventory.
If the person's request for correction / deletion or destruction has been fulfilled, the parties to whom the data are transferred are asked to carry out the same transactions and to confirm in writing that the request has been fulfilled.
Information that the person's request for correction / deletion or destruction has been fulfilled by the third parties to whom the personal data is transferred is sent to the Contact Person by e-mail.
OBJECTING TO THE EMERGENCE OF A RESULT AGAINST THE PERSON HIMSELF/HERSELF
In line with the request of the relevant person specified in the 11/1 of the Law and in the clause (g) of article 5 of this Policy, the process alleged to have a result against the data subject is examined.
If it is determined that there is no deficiency or error in the process or in the personal data processed during the process, the Contact Person is informed accordingly.
If any deficiencies or errors are detected in the process or in the personal data processed during the process, the information that the change made has been in favor of the person and the systems have been updated in this way is sent to the Contact Person via e-mail.
REQUEST TO ELIMINATE THE LOSS, IN CASE THE PERSONAL DATA IS DAMAGED DUE TO UNLAWFUL PROCESSING OF PERSONAL DATA
In accordance with the request of the relevant person specified in the 11/1 of the Law and in the clause (ğ) article 5 of this Policy, the loss request is examined with the participation of the Legal Advisor and the relevant departments. The action to be taken as a result of the examination and the response to the application are determined and processed through Legal Counseling.
Elimination of the damage suffered by the person concerned due to the processing of personal data in violation of the Law is carried out with the approval of the Senior Management (Board of Directors / General Coordinator).
Data Owner requests must be evaluated and finalized by the Company as soon as possible and within 30 days at the latest.
Examination of the applications submitted to the relevant departments should be finalized within 1 week from the date of receipt and notified to the Contact Person.
The Contact Person sends the information and documents related to the application to the Legal Advisor in order to examine the answers and actions taken from the relevant departments in terms of compliance with the legal order and the Law.
The letter prepared by the legal advisor according to the approval of the law and the result of the examination in response to the application is sent to the data owner by the Contact Person within thirty (30) days at the latest. The reply letter should include at least the following information:
• Information about the company or its representative,
• The applicant’s name and surname, for the citizens of the Republic of Turkey T. C. identity number, nationality for foreigners, passport number or identity number, if any, place of residence or workplace based on notification, e-mail address based on notification, telephone and fax number,
• Company's explanations regarding the application
Personal data of third parties may not be included in the responses to the application. In cases where the application cannot be responded without including the personal data belonging to third parties, the information of the third party is concealed / anonymized or shared by the relevant person.
The responses given to the applications made through the notary public are printed on the company letterhead and signed in two copies by the signatory authorities of the Company. The reply letter is recorded in the Document Registry and given to the correspondent to be sent to the applicant by mail. (VERY CHIC ZENGİN HÜSEYİN SOKAK NO 9 GÜMBET BODRUM MUĞLA TURKEY)
The responses given by electronic signature are signed by the signature officers of the Company with electronic signature using a secure electronic signature. (email@example.com) The reply is sent to the applicant's electronic mail account.
All the records, examination results, inquiries, correspondence, legal opinions and responses regarding the relevant application, written in the electronic directory created by the Contact Person, are stored in the archive.
The company concludes the requests in the application free of charge. However, if the transaction requires additional cost, the following tariff determined by the Board with the approval of the senior management may be applied:
If the application of the person concerned is to be responded in writing, there is no fee for up to ten pages. 1 Turkish Lira transaction fee may be charged for each page above ten pages.
If the response to the application is given in a recording medium such as CD, flash memory, the fee that can be requested by the Company cannot exceed the cost of the recording medium.
In case the application is caused by the Company's fault, the fee collected is returned to the relevant person.