PROTECTION AND PROCESSING OF PERSONAL DATA POLICY
As Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti. (Namdaris Technology Ltd.), a company registered in Turkey, our priority is to process the personal data of natural persons, including our employee candidates, users, members, customers, visitors and employees, in accordance with the relevant legislation of the Constitution of the Republic of Turkey, the international conventions on human rights to which the country is a party, and Law No. 6698 on the Protection of Personal Data ("GDPR or KVKK"), and to ensure that the persons whose data is processed can use their rights effectively.
For this reason, we perform, without limitation, the processing, storage, transfer of all personal data we have acquired from our users, members, customers, visitors, employees and employee candidates in accordance with this Personal Data Protection and Processing Policy ("Policy").
The protection of personal data and the observance of the fundamental rights and freedoms of natural persons whose personal data is processed is the basic principle of our policy on the processing of personal data. For this reason, we carry out all activities in which personal data are processed with regard for the protection of the privacy of private life, confidentiality of communication, freedom of thought and belief, and the right to use effective remedies.
For the protection of personal data, we take all administrative and technical protection measures required by the nature of the data in accordance with the legislation and current technology.
This Policy describes the methods we use to process, store, transfer and delete or anonymize personal data shared during our commercial or social responsibility and similar activities in accordance with the principles set forth in the GDPR.
This Policy covers all personal data, processed by our company, including our users, members, customers, business contacts, business partners, employees, employee candidates, consumers, potential customers, and third parties.
Our policy is applied in the activities for the processing of all personal data managed by our company and has been dealt with and prepared in accordance with GDPR and other relevant legislation on personal data and international standards in this field.
3. DEFINITIONS AND ABBREVIATIONS
In this section, special terms and expressions, concepts, abbreviations, etc. used in the Policy are briefly explained.
• Company: Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti. (Namdaris Technology Ltd.) company - registered in Turkey - (www.kulucka.io)
• Clear Consent: Consent given to a specific subject, based on information and free will, without any hesitation, limited to only that transaction.
• Anonymizing: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
• Employee: Company Personnel.
• Personal Data Owner (Data Subject): The natural person, whose personal data is processed.
• Personal Data: All the information relating to an identified or identifiable natural person.
• Sensitive Personal Data: Data about persons’ race, ethnicity, political thought, philosophical belief, religion, sect, or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
• Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
• Data Processor: The natural or legal person who processes personal data on behalf of the controller upon his authorization.
• Data Officer: The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.
• GDPR Board: Personal Data Protection Board.
• GDPR Institution: Personal Data Protection Authority.
• GDPR: Law No. 6698 on Personal Data Protection published in the Official Gazette dated April 7, 2016 and numbered 29677.
• Policy: Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti. (Namdaris Technology Ltd.) company - registered in Turkey - Company General Data Protection and Processing Policy.
4. LEGAL LIABILITIES
The legal obligations for the protection and processing of personal data as data officer in accordance with GDPR are as follows:
• When collecting personal data as Data Officer, we have an obligation to inform the Data Subject of the following:
• The purpose of processing of your data,
• Information about our identity, our representative's identity, if any,
• To whom and for what purposes the processed data may be transferred,
• Our method and legal reason of collection of data,
• The rights and issues arising from the law.
• As the "Company", we take care that this Policy, which is open to the public, is clear, understandable and easily accessible.
• Our obligation to ensure data security
As data officer, we take administrative and technical measures stipulated in the legislation in order to ensure the security of the personal data that we have. Data security obligations and measures are detailed in sections 9 and 10 of this Policy.
5. CLASSIFICATION OF PERSONAL DATA
Personal data is any information related to an identified or identifiable natural person. The protection of personal data is only related to natural persons and the information of legal persons that does not contain any information about the natural person is excluded from personal data protection. Therefore, this Policy does not apply to data of legal persons.
Sensitive personal data
Data about persons’ race, ethnicity, political thought, philosophical belief, religion, sect, or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
Categories of personal data
We collect the following data for our purposes of membership in licensing and other services:
Legal reason for the collection of personal data
We process data that falls within the scope of personal data in connection with the services we provide, software licensing, file downloads and the employment we provide, on the legal grounds arising from our obligations under the relevant legislation, contractual relations and legitimate interests.
6. PROCESSING PERSONAL DATA
Our personal data processing principles
We process personal data in accordance with the following principles.
Processing in accordance with the law and honesty
We process personal data in accordance with the rules of honesty, transparency and within the framework of our obligation to enlighten.
Ensure that personal data is accurate and up-to-date when necessary
We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also provide the Personal Data Holder with the opportunity to contact us to update their data and correct any errors in the processed data.
Processing for specific, clear and legitimate purposes
We process personal data in accordance with our legitimate aims to maintain our activities within the framework of the legislation and the usual flow of business life, with clearly defined scope and content.
Personal data is linked, limited and measured for the purpose for which it is processed
We process personal data in a limited and measured manner in relation to the purpose we set, clearly and precisely. We avoid the processing of personal data that is not relevant or does not need to be processed. Therefore, we do not process sensitive personal data unless we have a legal obligation to do so, and we obtain explicit consent to the matter when necessary.
Storing personal data for the duration of our legitimate commercial interests and foreseen by statutory regulations
Many regulations in the legislation require that personal data be stored for a certain period of time. Therefore, we store the personal data that we process for a period of time required by the relevant legislation or for the purposes for which the personal data are processed. We will delete, destroy or anonymize personal data in the event that the storage period provided for in the legislation expires or the purpose of processing disappears. Our principles and procedures for storage periods are detailed in Article 8 of this Policy.
Our personal data processing purposes
We process personal data for purposes including, but not limited to, the following:
Carrying out our licensing activities,
Providing support services to customers within the scope of contract and service standards,
Determining the preferences and needs of our customers and shaping and updating the services to be provided to our customers in this context,
Fulfilling our legal obligations as required or necessitated by legal regulations,
Implementing the instructions and procedures within the "Company",
Improvement management and planning,
Following the approval of the applications made by seller,
Organisation of events and organisations,
Creation and management of visitor records,
Management of website and mobile applications,
Measuring customer satisfaction,
Carrying out market research and statistical studies,
Surveys, contests, promotions and sponsorships,
Evaluation of job applications,
Establishing contact with persons who are in business relationship with the “Company”
Vendor / supplier management,
Planning and carrying out risk management and quality improvement works,
Processing of sensitive personal data
We process sensitive personal data by taking the administrative and technical measures stipulated in the laws and by the GDPR Board, and if there is explicit consent or if required by the legislation. Sensitive personal data relating to health and sexual life may be processed without explicit consent, for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of secrecy or by authorised institutions and organisations.
Processing of personal data collected through cookies on our website
Processing of personal data collected on our website
The information below is collected through the communication and/or licensing and purchase forms on our website:
Name, surname and
E-mail and telephone information
Invoice information of purchaser/institution (Identity Number, Tax Number, and Tax Office)
Information below is collected through the application forms on our website. Applicants’;
Place of birth,
Date of birth,
Contact information and
Processing of your personal data for security purposes
We collect, process and store your personal data to ensure the security of our electronic media (website, server and domain) systems. In this context:
Website visitor movements and transactions,
The information in the form filled out during the registration phase of the website,
Visitor (name-surname, identity number, tax number, tax office) information is collected.
Processing of personal data within the scope of suggestions, requests and complaints management
In order to improve our services, personal data are collected and processed through the forms available on our website within the scope of suggestions, requests and complaints. In this context;
The contents of the message are collected.
Processing of personal data through explicit consent
As per the legislation, personal data cannot be processed without the explicit consent of the person concerned. Explicit consent is defined in the law as consent given to a certain subject based on information and free will. If the processed data is of a sensitive personal nature, the explanations in section 6 apply.
Exceptional cases where explicit consent is not sought in the processing of personal data
We may process personal data without explicit consent in the following exceptional circumstances arising from the law:
Clearly foreseen by law
The personal data of the data subject may be processed in accordance with the law, if it is clearly foreseen by law.
Failure to obtain explicit consent of the data subject due to actual impossibility
Personal data may be processed without explicit consent if it is compulsory for the protection of the life or physical integrity of a person who is unable to disclose his or her consent due to actual impossibility or whose legal consent is not granted.
To be directly related to the establishment or execution of the contract
Processing of personal data is possible if it is necessary to process the personal data of the parties to the contract, on the condition that it is directly related to the establishment or execution of a contract.
To be obligatory for “Our Company” to fulfil its legal obligation
Our Company, as the data officer, will be able to process the data which is necessary for the fulfilment of its legal obligation, even without the explicit consent of the Data Subject.
The personal data has been publicised by the data owner himself/herself
Personal data publicised by the data subject, in other words, disclosed to the public in any way, may be processed without explicit consent.
Data processing is compulsory for the establishment, use or protection of a right
Personal data may be processed without explicit consent if data processing is compulsory for the establishment, use or protection of a right.
Data processing is compulsory for the legitimate interests of “Our Company”
Without prejudice to the fundamental rights and freedoms of the Data Subject, personal data may be processed without the need for explicit consent in the event that it is compulsory to process data for the legitimate interests of “Our Company”. For example; the employer has a legitimate interest in controlling the employee's entry and exit times.
There is no need to obtain the explicit consent of the Employee within this scope, on the condition that the practices performed by the employer are measured for these reasons. Exceptions to which sensitive personal data may be processed without the explicit consent of the Data Subject are set out in Article 6 of this Policy.
7. TRANSFER OF PERSONAL DATA
Transfer of personal data within the country
Our company acts in accordance with the decisions and regulations foreseen in GDPR and taken by the GDPR Board for the transfer of personal data. Without prejudice to the exceptional circumstances contained in the legislation, personal data and sensitive personal data are not transferred to other natural persons or legal persons without the explicit consent of the Data Subject. In exceptional cases foreseen by GDPR and other legislation, data may be transferred to the authorised administrative or judicial institution or organisation without the explicit consent of the Data Subject, depending on the boundaries and in the manner stipulated in the legislation.
In addition, in exceptional cases stipulated by the legislation;
In cases described in Article 6 of the Policy,
In the cases mentioned in Article 6 regarding sensitive personal data,
Personal data relating to the health and sexual life of the Data Subject may be transferred without explicit consent, subject to the measures stipulated by the GDPR Board and the relevant legislation, only to persons under a confidentiality obligation or to authorised institutions and organisations, for the purposes of the protection of public health, the execution of preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
Transfer of personal data abroad
As a rule, personal data is not transferred abroad without the explicit consent of the Data Subject. However, where one of the exceptional cases referred to in Article 6 of this Policy exists, personal data may be transferred abroad to third parties without explicit consent:
Where third parties are located in countries where there is adequate protection declared by the GDPR Board
Where the transfer is to a country without adequate protection, when the data officers in Turkey and in the foreign country concerned undertake sufficient protection in writing and have GDPR Board permission
Institutions and organisations where personal data are transferred
Personal data may be transferred to, without limitation, the parties listed below in accordance with the principles and rules described above.
Our business partners and business contacts,
Legally authorised public institutions and organisations,
Legally authorised private law persons.
Purpose of Transfer
Refers to the parties with which it has established business partnerships to obtain licenses, goods, services, etc. within the scope of our company's activities.
For the purpose of realising the activities planned within the scope of business partnership
Refers to the parties that provide services against the contract in accordance with the needs and instructions of our Company.
For the purpose of planning and carrying out the activities of our company
Legally Authorised Public Institutions and Organisations
For the purposes foreseen in the relevant regulation
Legally Authorised Private Law Persons
For the purposes foreseen in the relevant regulation
To protect personal data, our company performs, without limitation, the following:
In-house technical organisation for the processing and storage of personal data in accordance with the legislation,
Establishing the technical infrastructure to ensure the security of the databases where your personal data will be stored,
Following the processes and auditing of the technical infrastructure,
Determining the procedures for reporting the technical measures and audit processes we have taken,
Updating and renewing technical measures periodically,
Producing technological solutions through re-examining risky situations,
Using virus protection systems, firewalls and similar software or hardware security products and installing security systems in line with technological developments.
To protect personal data, our company performs, without limitation, the following:
Establishing policies and procedures for accessing personal data,
Informing and educating our employees and the persons from whom we receive consultancy on business development about the legal protection and processing of personal data,
Recording the measures to be taken in case of unlawful processing of personal data by our employees and the persons from whom we receive consultancy on business development in the agreements and / or the policies we have established with our employees and the persons from whom we receive consultancy services on business development,
Auditing the processing of personal data of the data processors or partners of the data processors with whom we work.