Policy on Protection and Processing of Personal Data - SSTTEK Academy

Policy on Protection and Processing of Personal Data

    1. Purpose
The main purpose of this Policy of Protection and Processing of Personal Data (“Policy”) is to make explanations about the activities of personal data processing carried out by SST Teknoloji A.Ş. (“theCompany“) in accordance with the law and the systems adopted for the protection of personal data and  to determine the procedures and principles to be followed by data controllers  due to their relationship with the Company and to ensure transparency towards the persons whose data is processed.

The Company maintains its activities in accordance with the provisions related to the protection and privacy of personal data laid down in particular in the Constitution of Republic of Turkey and the international conventions to which we are a party, as well as the Law on Protection of Personal Data (“KVKK“) and the relevant legislation. The Company approaches with maximum sensitivity to the protection of personal data and fundamental rights and freedoms, it focuses on fundamental human rights such as right to privacy and freedom of expession in all of its activities.
    2. Scope and Implementation
This Policy has been prepared in compliance with the applicable regulations and international standards. The Company will primarily implement this Policy in all data processing activities, such as processing, transferring, changing data.

The Company has also different policies addressing the protection of personal data and ensuring information security in relation to certain business activities and processes. This Policy does not override the data protection terms in the different policies of the Company, unless it includes additional terms or demands a higher standard for the protection of personal data. This Policy is implemented in conjunction with such other policies and procedures to the extent it is appropriate.   In case of a conflict between the provisions of the relevant applicable legislation on the protection and processing of personal data and the provisions of this Policy, the up-to-date legislation provisions will prevail.
    3. Definitions
KVKK:
Law on Protection of Personal Data numbered 6698
GDPR: General Data Protection Regulation of European Union
Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on authorization granted by him/her.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and manages the data filing system (the place where the data is kept systematically).
Data Owner/Data Subject: The natural person whose personal data are processed, including, but not limited to, employees, customers, business partners, shareholders, officials, potential customers, employee candidates, interns, visitors, suppliers of the Company and its affiliates, employees of the institutions with which the Company cooperates and third parties. Explicit Consent: Freely given, specific and informed consent.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measuresand biometrics and genetics.
Processing of Personal Data: Any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.
Anonymization of Personal Data: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data. Deletion of Personal Data: Making personal data inaccessible and unfit for re-use for relevant users.
Destruction of Personal Data: Making personal data refers to personal data inaccessible, unretrievable and unfit for re-use for anyone.
Board of PDP /Board: The Personal Data Protection Board.
PDP Authority /Authority: The Personal Data Protection Authority.

    4. Processing of Personal Data

a. Principles for Processing of Personal Data

The Company’s policies and procedures are implemented in parallel with the processing principles stipulated in the KVKK and relevant legislation. We know that these principles are vital to the exercise of the rights of the data subjects and their control over data and we are higly sensitive to emphasize these principles in all our processing activities. Our principles for protection of personal data are as follows:

* Personal data are processed lawfully, fairly and in a transparent manner. In data processing activities, the Company relies on the legal bases for processing of data laid down in the KVKK. In addition, it considers the reasonable expectations of the data subjects in accordance with the principle of honesty. The Company uses a clear and understandable language in its communication with the data subjects and it is always in an easily accessible position.
* Personal data are processed only for specified, explicit and legitimate purposes. The Company determines the purpose for processing before data processing activities. The data are processed only for additional purposes that are compatible with the initial purpose for processing. The compatibility of each additional purpose with initial purpose is determined in accordance with internationally recognized criteria. Our company informs the data subjects about the purposes of data processing taking into consideration the principle of transparency.
* Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed Our Сompany processes data to the extent that is obligatory for the purpose of data processing. Data is obtained using the method most appropriate to ensure the privacy and security of the data. In our processing activities, the disproportionate interference with the rights, interests and freedoms of data subjects is avoided.
* Personal data are accurate and up to date, where necessary. The Company ensure that the data are up-to-date in all processing activities. Incomplete, incorrect or inaccuarte data are destroyed or corrected as soon as possible. The Company verifies the actuality of the data with regular intervals.
* Personal data are stored during time set forth in the relevant regulation and necessary for the purposes for which the personal data are processed. With the disappearance of purposes for data processing, the data are deleted, destroyed or anonymized as soon as possible.
* Personal data are processed in a manner that ensures appropriate security of the personal data Our Сompany implements the data security as the main principle. It takes the necessary administrative and technical measures by following the best practices in this direction.
* The Company demonstrates that it ensures compliance with other principles of KVKK and/or GDPR. Our Company adheres to the principle of accountability in all processing activities.  

b. Purposes for Processing of Personal Data

Purposes for processing of personal data processed by our Company are as follows:

* Conducting Employee Candidates’ Application Processes,
* Conducting Employee Candidate/ Intern/Student Selection and Placement Processes,
* Fulfilling Employees’ Obligations Arising From Employment Contract and Legislation,
* Planning Human Resources Processes,
* Providing Information to Authorized Persons, Institutions and Organizations,
* Conducting Occupational Health/Safety Activities,
* Conducting Training Activities,
* Conducting Performance Evaluation Processes,
* Conducting Financial and Accounting Affairs,
* Carrying Out/Auditing Business Activities,
* Conducting Contract Processes,
* Conducting Goods / Service Sale Processes,
* Conducting Wage Policy,
* Conducting Goods Service After Sales Support Services,
* Conducting Activities for Customer Satisfaction,
* Conducting Advertising /Campaign /Promotion Processes,
* Organization and Event Management,
* Conducting Strategic Planning Activities,
* Conducting Marketing Analysis Studies,
* Conducting Communication Activities,
* Conducting Goods/Service Production and Operation Processes,
* Conducting Product/ Service Marketing Processes,
* Ensuring the Security of Operations of Data Controller,
* Ensuring Physical Space Security.

c. Legal Bases for the Processing of Personal Data:

The Company relies on one of the legal conditions for processing laid down in Article 5 of the KVKK when processing personal data. The conditions for processing personal data, in other word, the cases of compliance with the law, are limited in the Law and these conditions cannot be expanded. The company relies on the following legal bases when processing personal data:

* Existence of explicit consent of the data subject,
* Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the drawing up or performance of the contract.
* It is necessary for compliance with a legal obligation to which the data controller is subject.Personal data have been made public by the data subject himself/herself.
* Data processing is mandatory for the establishment, exercise or protection of any right.
* Processing of data is mandatory for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

Our Company does not rely on the legal basis of explicit consent in the case of presence of another legal basis.

d.Legal Bases for Processing of Sensitive Personal Data

Sensitive personal data are data that will expose the person to discrimination in case of disclosure, such as religion, race, belief, health and sexual life of the person. Sensitive personal data can not be processed unless the presence of limited legal bases stipulated in the Article 6 of KVKK.

In this context, the Company processes sensitive personal data except the data concerning health on the legal basis of;

* Explicit consent

Data concerning health are processed by the persons subject to secrecy obligation;

* For the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
    5. Disclosure Obligation
The Company is obliged to enlighten the data subjects in accordance with the KVKK and the Communiqué on the Procedures and Principles to be Observed in Fulfilling the Disclosure Obligation. If the personal data is obtained from the data subject, the Company informs the data subjects in person or by the persons authorized by the company at the time of obtaining the data. If the personal data are not obtained from the data subject, the disclosure obligation is fulfilled within a reasonable time, at the time of the first communication if the data is to be used for communication with the data subjectand at the latest when the first transfer is made if the data is transferred.

The Company informs the data subjects, as a minimum, about the legal entity and address details of the Company, for what purpose the personal data will be processed, to whom and why the processed data can be transferred, the method of collecting personal data and the legal basis for the rights stipulated in Article 11 of the KVKK.

When the purpose for personal data processing changes, the obligation to inform for this purpose is fulfilled before the data processing activity.
Data Security

Our Сompany, as a data controller, in the processing of personal data, are obliged to prevent and protect personal data from unlawful processing and access. For this reason, the Company has implemented all technical and administrative measures regarding data security, including additional measures necessary to protect sensitive personal data. The measures implemented by our Company in this famework are listed below.

The Company’s Technical Measures

* Network safety and application security are ensured.
* Security measures within the scope of procurement, development and maintenance of information technology systems are taken.
* Security of personal data stored in cloud is ensured. Disciplinary regulations including provisions of data security for employees are present.
* Training and awareness activities on data security are carried out periodically for employees. Access logs are kept on a regular basis.
* Corporate policies on access, information security, use, storage and destruction issues have been prepared and implemented.
* Employees who have a job change or leave their job are removed from their authority in this area.
* Up-do-date anti-virus systems are used.
* Firewalls are used.
* Additional security measures are taken for personal data transferred on paperand the relevant documents are sent in the format of a document with a degree of confidentiality.
* Necessary security measures are taken for entering and exiting physical environments containing personal data.
* Physical environments containing personal data are secured against external risks (fire, flood, etc.).
* Security of environments containing personal data is ensured.
* Personal data are reduced as much as possible.
* Personal data are backed up and the security of personal data backed up is also ensured.
* User account management and authorization control system is applied and their follow-up is also performed.
* Log records are kept without user intervention.
* Current risks and threats have been determined.
* Protocols and procedures for security of special categories of personal data have been determined and implemented.
* Encryption is performed.  

The Company’s Administrative Measures

* Awareness activities are carried out for senior management and department managers.
* Material regarding personal data privacy is shared during new recruitment.
* Contracts are made between the data controller and the data processor.
* Employees are provided with personal data privacy and security training.
* Confidential information identification and confidential information are determined by the company.
* File naming system is established.
* Document control system is established.
* Personal data transfer and confidentiality agreements are made.
* Corporate policies and procedures are established.Risk analysis is made.
* Signed contracts contain provisions on data security.
* A personal data inventory is created and the inventory is kept up to date.
* The security of information sources is ensured.
* Password policy and procedure is established.
* Personal data transfer and confidentiality agreements are made.
* Continuity of privacy-accessibility and integrity elements are ensured.
* Personal data security problems are reported quickly.
* There are disciplinary regulations that include data security provisions for employees.
* The signed contracts contain data security provisions.
* Protocols and procedures for security of special categories of personal data have been determined and implemented.  
    6. Transfer of Personal Data
a. Transfer within Country


Our Company transfers personal data to third parties relied on conditions for data processing stipulated in Articles 5 and 6 of the KVKK. The Company takes all necessary security measures for data transfer activities. The groups of recipients to which our Company transfer data in this context are as follows:

* Suppliers, for the purposes of Planning Human Resources Processes, Carrying Out Business Activities,
* Competent Institutions and Organizations, for the Purposes of Fulfilling the Obligations Arising from the Employment Contract and Legislation for Employees, informing Competent Persons, Institutions and Organizations,
* Public, for the purposes of Conducting Advertising/Campaign /Promotion Processes, Conducting Goods/Services Sale Processes, Organization and Event Management,

b. Transfer Abroad

The Company transfers data abroad by meeting one of the following conditions in accordance with Article 9 of KVKK.

* Existence of explicit consent of the data subject,
* The country to which personal data will be transferred having the status of “safe country”and   adequate protection is provided,
* Existence of their commitment for adequate protection in written form and authorization of the Board by regulating the rights and obligations of the Company and the recipient regarding data transfer.

The groups of recipients to which our Company transfer data in this context are as follows:

* Group Companies, for the purposes of Planning Human Resources Processes, Conducting Performance Evaluation Processes, Conducting Financial and Accounting Affairs, Carrying Out/ Auditing Business Activities, Conducting Contract Processes, Conducting Goods/Service Sale Processes, Conducting Wage Policy, Conducting Activities for Customer Satisfaction, Conducting Advertising/Campaign / Promotion Processes, Organization and Event Management, Conducting Strategic Planning Activities, Conducting Marketing Analysis Studies, Conducting Marketing Processes of Products / Services.
* Suppliers, for the purposes of Planning Human Resources Processes, Conducting Financial and Accounting Affairs, Conducting Goods/Services Sale Processes, Conducting Goods/Services Production and Operation Processes
* Public, for the purposes of Conducting Advertising/Campaign/Promotion Processes, Conducting Goods/Services Sale Processes, Organization and Event Management.  
    7. Inventory of Personal Data
The Company has established a data inventory with the details stipulated by the Law regarding the personal data processed within the scope of KVKK. The Company’s data inventory includes the following details:  

* Business processes using personal data, 
* Category of personal data, 
* Personal data processed, 
* Special categories of personal data processed, 
* The purpose and legal basis for the processing activity, 
* Domestic recipients of personal data, 
* Whether personal data is transferred abroad, 
* Personal data retention periods
    8. Roles and Responsibilities
The roles ans responsibilities of our Company regarding the processing of personal data are as follows:

* Marketing and Sales Department

The relevant department is responsible for informing this Policy to the data subject, whose data has been processed, such as customer, subcontractor and supplier.

* Human Resources Department

The relevant department is responsible for informing this Policy to the parties that process data on behalf of the Company, such as employees, shareholders and for implementing the Policy by said data processors through regular checks.

* Legal Department

The relevant department is responsible for updating this Policy. The Department makes the necessary improvements by considering the needs of the Company’s information processing systems and carries out the process of updating the Policy when necessary. The relevant department is the competent approval authority for approving the updates regarding this Policy. The relevant department is responsible for the determination and implementation of sanctions in violations of implementation of the Policy.
    9. Deletion, Destruction and Anonymization of Personal Data
* In accordance with Article 7 of the KVKK and provisions of other relevant legislation, in the event that the reasons for the processing of personal data no longer exist, the personal data are deleted, destrucred or anonymized upon the Company’s decision, periodic checks and /or upon the request of the data subject.
* The Company will not store personal data for longer than necessary in connection with the reason for obtaining of personal data. The Company deletes, destroys or anonymizes the personal data during the first periodic destruction process following the date when the obligation to delete, destroy or anonymize the personal data arises with the disappearance of the reasons for processing. Each periodic destruction process will be executed every 6 (six) months and the Company has determined these months to be May and November.
* The Company has prepared a Retention and Destruction Policy to determine the procedures and principles related thereto. The retention period for each category of personal data, the criteria used for the retention and desctruction periods, including the legal obligations that the Company has in relation the retention of data, are specified in this Retention and Destruction Policy.
* In the deletion, destruction or anonymization of personal data, the company complies with the principles set out in clause 4/a of this Policy, technical and administrative measures specified in Article 6, the Retention and Destruction Policy, the relevant legislation provisions and the decisions of the Board.
* Personal data will be destroyed securely and in the most appropriate way in accordance with provisions of the KVKK, relevant legislation and the Company’s Retention and Destruction Policy. Upon the request of the data subject, the Company chooses the appropriate method with the justification for its choice.  Destruction of personal data shall be recorded with a destruction form and such form shall be kept for at least 3 (three) years.
 
    10. Rights of the Data Subject and Exercise of the Rights
a. Rights of the Data Subject  


The data subjects have the following rights regarding their personal data processed in accordance with Article 11 of the KVKK:

To learn whether the personal data is processed or not,
If personal data has been processed, to request information about the structure of this information and to learn to whom it has been disclosed,
To learn the purpose of processing personal data and whether this data is used appropriately for intended purposes,
To know the third parties to whom personal data has been transferred within Country r abroad and to request the action performed in this direction to be notified to the third parites,
To request the rectification of personal data if it is processed incompletely or inaccuratelyand to request notification of third parties in connection thereunto,
To request the deletion or destruction of personal data in the event that the reasons requiring its processing no longer exist, although it has been processed in accordance with the provisions of the relevant law,
To object to any result, which occurs against person himself/herself,
To claim the compensation for the damage if he/she incurs any damage due to unlawful processing of personal data.

b. Exercise of the Rights

Applications and requests regarding personal data may be transmitted to SST Teknoloji A.Ş. Şirketi through the Data Subject Application Form: 

1. By sending the signed Application Kucukbakkalkoy Mah. Kayisdagi Cad. No:1 Allianz Tower K:28 Atasehir/Istanbul with a photocopy of you ID,
2. By sending the Application to [email protected] using your e-mail address registered in our system,
3. By sending the Application signed with your e-signature via registered e-mail (KEP) to [email protected],
4. By personally applying to SST Academy with a valid identity document and signed Application  

The data subject, within the scope of legal obligations regarding the procedures and principles of application to the data controller, must include in his/her application his/her name, surname, signature if the application is in written form, the Republic of Turkey Identity Number if the data subject is a Turkish citizen,  the nationality, passport (identity card, if any) number if the data subject is a foreigner,  the place of residence or business address,  e-mail address and fax number, if any, to be based on notificationsand lastly the subject of  request. In addition, the documents confirming the identity, as well as information and documents regarding the subject of the request must be attached to the application.  

In order to operate the process in the most effective way, the right is requested to be exercised and the details of the requested operation should be clearly and understandably specified in the subject of request.  

The subject of the request must be concern the data subject himself/herself. If the application is made on behalf of another person, the person making the request must rely on a specially documented authorization for the requested process (power of attorney). Applications made without authorization will not be considered.  

c. Consideration of the Application

Applications are considered and a response is made as soon as possible and no later than within 30 days from the date we receive the application.

During the consideration process, additional information and documents may be requested if requiredand a fee may be charged for fulfilling the request in cases where this is consistent with the relevant legislation.

The Company takes all necessary administrative and technical measures in order to conclude the applications made by the data subject effectively and in accordance with the law and the rules of good faith.

d. Rejection of Application

Any application is rejected in the events that:

* The application is not made in accordance with the above mentioned procedure,
* The application contains a request that is contrary to applicable legislation,
* The application is not justified or it is an abuse ofright,
* The personal data subject to application is processed for purposes such as research, planning and statistics by making them anonymous with official statistics.
* The personal data that is made public by the data subject is processed.
* Any of other circumstances within the scope of the Article 28 of the Law of the Protection of Personal Data is present.

If the application is rejected, the Company notifies the data subject about the rejection with explaining its reason.

e. Right to Complain

In the applications made to the Company, the data subject has the right to lodge a complain with the Board if his/her application is rejected, or the response given by the Company is found insufficient, or if the Company does not respond within 30 days.

The data subject may exercise his/her right to lodge a complain within 30 days from the date he/she learns about the response of the Company and within 60 days from the date of application, in any case.
    11. Entry Into Force
This Policy shall enter into force on 14/04/2023.  
    12. Updating the Policy
This Policy will be updated if necessary in accordance with the Law on the Protection of Personal Data and other legislation.

ANNEX-1 TABLE REGARDING STORAGE AND ANNIHILATION TERMS RELATING TO PERSONAL DATA

RELEVANT DEPARTMENTMAIN PROCESS STORAGE TERMANNIHILATION PERIOD
Human Resources Hiring Process2 years following the job interviewWithin 30 days of the data subject’s application regarding the request for annihilation OR 180 days following the expiry of the storage term
Human Resources Onboarding – Offboarding Processes10 years following termination of work contract of employees
Human Resources Payroll Transactions10 years following termination of work contract of employees
Human Resources Health and Safety Matters 15 years following termination of work contract of employees
AccountingMaking Payments (excluding Employees)10 years following the transaction date
AccountingObtaining Payments10 years following the transaction date
AccountingMaking Payments to Employees10 years following termination of work contract
LegalContracts10 years following termination/expiry of such contract
LegalGeneral Assembly, Board of Directors meetings10 years following date of the documents
LegalLitigation and Enforcement Proceedings10 years following the transaction date
ITCCTV25 days
ITLog Records2 years following the transaction date
AcademyTraining Activities10 years following the training date
Admin. AffairsObtaining Cards and Giving NumberplatesUntil the dismissal/resignation of employee
MarketingCustomer Data5 years
ProcurementProposals10 years following the request date