Data Storage and Destruction Policy

  1. PREAMBLE

NEYİVAR TEKNOLOJİ VE TİCARET ANONİM ŞİRKETİ, with the registered address at Atatürk Mahallesi Ertuğrul Gazi Sokak A Blok No:2 E İç Kapı No:331 Ataşehir/ISTANBUL, Central Registration System (Mersis) No. 0631-1549-2590-0001 hereby commits to comply with the LPDP, applicable regulation and other personal data protection, processing and destruction regulations. The Company would like to inform the data subject about deletion, destruction or anonymization of personal data under Article 7 of the LPDP and Regulation on the Deletion, Destruction and Anonymization of Personal Data published on the Official Gazette on October 28, 2017, No. 30224. 

 

  1. PURPOSE OF THE POLICY

The purpose of this Personal Data Storage and Destruction Policy (Hereinafter referred to as “Destruction Policy”) is to regulate procedures and principles for the security, deletion, destruction and anonymization of personal data, regarding the personal data processed within the scope of various processes carried out by our Company. 

 

  1. SCOPE OF THE POLICY

This Destruction Policy applies to any personal data of our partners, customers, employees, prospective employees, Company officials, employees of affiliates, employees, shareholders, officials of the company we work with, our visitors and third parties, fully or partially processed by automated or non-automated means, provided that it is part of any data recording system.  

 

  1. DEFINITIONS

The following terms under this Policy shall have the meanings specified below: 

  1. Express consent:Freely given consent regarding a specific matter based on being informed; 
  2. Anonymization:To render it impossible for personal data to be associated in any manner with the identity of a real person who is identified or identifiable, even if they are matched with other data. 
  3. Data Subject:A real person whose personal data is processed, 
  4. Relevant UserThe persons, other than the person or department responsible for technical storage, protection and backup of data, that process personal data within the data controller’s organization or in line with the power and instructions given by the data controller, 
  5. Destruction:Refers to deletion, destruction or anonymization of personal data, 
  6. Law:Refers to the Personal Data Protection Law No 6698 dated 24/3/2016,
  7. Recording Medium:Any media containing personal data which are processed by fully or partly automated means, or by non-automated means provided that they are part of a data recording system. 
  8. Personal data:Any information relating to an identified or identifiable real person, 
  9. i. Processing of personal data:Any transaction carried out on the data, such as obtaining, recording, storage, preservation, alteration, reorganization, disclosure, transfer, takeover, making available or classifying the personal data or preventing its usage, by fully or partly automatic means, or by non-automatic means provided that they are part of a data recording system.
  10. Personal Data Processing Inventory:The inventory where data controllers give details of their data processing activities, which are carried out according to their business processes, by explaining the purpose of the personal data processing, the data categories, the recipient group and the data subject group, and the maximum period for which personal data will be processed for the required  purposes, the personal data to be transferred to foreign countries, and the measures taken regarding data security,
  11. Personal Data Storage and Destruction Policy:The policy on which data controllers rely on in the process of determining the maximum time limit required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.
  12. Board:Law on Protection of Personal Data
  13. Authority:Personal Data Protection Authority 
  14. Periodic Destruction:Deletion, destruction or anonymization procedures specified in the personal data storage and destruction policy to be carried out ex officio at recurrent internals in case that all conditions on processing personal data specified under the Law have disappeared, 
  15. Register:Data controller register kept by the Personal Data Protection Authority. 
  16. Data processor:Real or legal person who processes the personal data on behalf of and based on the authority granted by the data controller, 
  17. Data recording system:Any recording system in which personal data are processed by being structured according to specific criteria; 
    1. Data controller:Real or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the data recording system.  

  18. . For the definition not contained herein, the definitions in the Law and Regulations shall apply. 

    1. RECORDING MEDIUM

    Recording Mediums in which the personal data is retained by the Company are computers used on behalf of the Company, Cloud systems, shared/unshared disk drives used to store data on the network, paper, unit cabinets and archive. The Company shall incorporate the other recording mediums that it may use in addition to the listed recording mediums into the Destruction Policy. 

    1. REASONS REQUIRING THE STORAGE AND DESTRUCTION OF PERSONAL DATA

    The Company may process your personal data if one or more of the below conditions are met: 

    - Explicit Consent of the Data Subject 

    - Clearly Provided for by the Laws, Inability to Obtain Explicit Consent Due to Actual Impossibility, Directly Related to the Establishment or Performance of the Agreement, 

    - Required for the Company to Fulfill its Legal Obligation. 

    - Made public by the data subject himself, 

    - Required for the Establishment, Exercising or Safeguarding of A Right. 

    - Required for the Legitimate Interests of the Company 

    . For detailed information about the processing of personal data, please refer to our Personal Data Protection Policy available on our website. 

    Personal data of the data subjects must be destructed at the first periodic destruction when the reasons for the processing of personal data listed above disappeared. All the transactions carried out in relation to deletion, destruction or anonymization of personal data are recorded, and the said records shall be kept for a period of at least three years. 

     

     

    1. SECURITY OF PERSONAL DATA

     

    The Company takes any technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data to be processed and unlawful access to data as well as to ensure proper security level for retaining data. 

     

    In this context, the Company has firstly conducted a study to identify the personal data that are processed by our Company, considering whether the personal data processed is special categories of personal data, the risks that may arise regarding the protection of this data have been identified and the required technical and administrative measures have been implemented to reduce or eliminate such risks. 

    Regular trainings are provided for employees and managers in order to ensure personal data security, to prevent the unlawful disclosure and sharing of personal data and to raise awareness about Law on Protection of Personal Data. 

     

    In addition, employees involved in personal data processing processes are asked to sign non-disclosure agreements as part of their business processes, and if it is discovered that employees have acted contrary to security policies and procedures, the necessary disciplinary process is initiated against them. 

     

    The technical systems have been established to monitor and supervise any processes related to the processing of personal data in order to prevent unlawful processing of and access to personal data. Regular internal audits are carried out to prevent unlawful processing of and access to personal data. 

     

    Any technical methods with the appropriate level of security are employed and these methods are updated in accordance with the developing technology in order to prevent unlawful access to personal data and to ensure that it is retained in secure mediums. 

     

    In the event of an internal or external attack on the company's data recording system, for early diagnosis and early response to the incident, it is regularly checked which software and services are running in the information networks and whether there is any infiltration or any movement that should not be in the information networks and log records of all users are kept regularly. 

  1. DESTRUCTION OF PERSONAL DATA

 

8.1. Reasons for Disposal of Personal Data 

 

The Company shall delete, destruct or anonymize personal data ex officio or upon the request of data subject in accordance with Article 7 of LPPD, although it has been processed in accordance with the legal legislation but the reasons for processing disappear or the period stipulated in the legislation expires. 

 

The company decides the appropriate method for the destruction of personal data, from the methods of deletion, destruction or anonymization takes all necessary technical and administrative measures to ensure that personal data is lawfully deleted, destroyed and anonymized. 

 

8.2. Deletion of Personal Data 

 

 

Deletion of personal data is the process of rendering personal data inaccessible and non-reusable by relevant users in any way whatsoever. The company takes any technical and administrative measures required to render the deleted personal data inaccessible and non-reusable by the relevant users. 

 

In the process of deletion of personal data, the personal data that will be subject to deletion are first determined. The relevant users who are authorized to access the personal data in question and the authorization of the users over the personal data are determined and related users' access, retrieval and reuse authorizations for the said personal data are removed and revoked. 

The personal data stored in printed media are deleted by using the blacking out method. The blacking out process is the process of making the personal data on the relevant document invisible to the relevant users by using fixed ink or by cutting it so that it cannot be recovered and read  with technological analysis. 

In databases containing personal data, the corresponding lines containing personal data are deleted with database commands (Delete etc.). For the personal data in file operating system, the deletion process is performed with the delete command on the operating system of the file, by deleting personal data or removing the access authorization of the relevant user on the file or directory where the file is located. 

 

8.3. Destruction of Personal Data 

 

Destruction of personal data is the process of rendering personal data inaccessible, non-recoverable and non-reusable by any person in any manner whatsoever. The Company takes any necessary technical and administrative measures in relation to destruction of personal data. 

 

In order to destroy personal data, all copies of the data are detected and, according to the type of systems in which the data is located, the convenient one of the following methods is used: de-magnetization method for the data contained in the magnetized medium; melting, burning or pulverizing optical media and magnetic media, or putting them in a metal shredder; for the personal data contained in hard copy, a paper shredder. 

 

8.4. Anonymization of Personal Data 

 

Anonymization of personal data is the process of rendering it impossible for personal data to be associated with any identified or identifiable natural person in any way, even if the personal data are matched with other data. 

 

The purpose of anonymization is to break the bond between the data and the person identified by such data. the methods either automatic or non-automatic such as grouping, masking, derivation, generalization, randomization, etc.  applied to the record system where personal data is retained are some of the anonymization methods. 

8.5 Employee Involved in the Personal Data Storage and Destruction Processes  

 

 

 

Title 

Position 

Responsibility 

Personal Data Protection Supervisor 

In charge of the compliance with the Law on the Protection of Personal Data and implementing the Personal Data Storage and Destruction Policy 

To ensure and audit compliance with the Law on the Protection of Personal Data, secondary legislation and Board decisions throughout the company, to ensure compliance with the Personal Data Storage and Destruction Policy and to manage personal data destruction process in accordance with the periodic destruction periods. 

Financial Advisor 

Responsible for the implementation of Personal Data Storage and Destruction Policy. 

To ensure compliance with the Personal Data Storage and Destruction Policy regarding the processes within their duties and to manage personal data destruction processes in accordance with periodic destruction periods 

IT Manager 

Responsible for the implementation of Personal Data Storage and Destruction Policy. 

To ensure compliance with the Personal Data Storage and Destruction Policy regarding the processes within their duties and to manage personal data destruction processes in accordance with periodic destruction periods 

Human Resources Officer 

Responsible for the implementation of Personal Data Storage and Destruction Policy. 

To ensure compliance with the Personal Data Storage and Destruction Policy regarding the processes within their duties and to manage personal data destruction processes in accordance with periodic destruction periods 

 

8.6. Personal Data Categories 

 

Personal Data Category 

Description on a Personal Data Category 

Identity Information 

The data of a real person that contains information about the person's identity. Documents such as identity card, driver's license, passport, professional card containing information such as Turkish ID no, parents name, date of birth, place of birth, marital status, gender, as well as tax number, signature information, SSI number and other data 

Contact Details 

Phone number, e-mail, address, fax number, IP address and other data 

Educational Information 

Graduated school details, diploma, course, seminar, conference participation certificate, exam result, foreign language skill and other information 

Health Information 

Blood type, occupational physician check-up, vaccination card, health reports of any kind 

Prospective Employee Information 

Personal data received by the company through resume and job application forms at the job application stage (identity and contact details, nationality, health, criminal conviction and security measures information, military service status, education and job experience, certificate, areas of interest, references, marital status, family and relative information, foreign language skill, private car information, driver's license status , resident status (rent - ownership), form of application to the company, salary from his last job) 

 

Personnel Information 

Data that is required by law to be in the personal file of the employees of the company and the data that will be the basis for the formation of personal rights (Copy of ID card, extract of identity register (from e-government and civil registry offices), residence and another address certificate (e-government), criminal record (e-government), diploma photocopy, blood type card, copy of driver's license, copy of marriage certificate, copy of spouse and child's ID cards, copy of military discharge certificate, photo, copy of bank account books, copies of previously received training and seminars, tetanus vaccination card, hemogram (as to blood count),  full urinalysis, audio, chest radiography 35 x 35, respiratory function test; for motorbikes: hunger blood sugar and ECG, src3 certificate for drivers (international freight, goods transportation) and/or src4 certificate (domestic freight, goods transportation) for drivers; psycho technical certificate) 
 

Special Categories of Personal Data 

Data relating to race, ethnic origin, political opinion, philosophic belief, religion, sect or other beliefs, appearance and dressing, membership to association, foundation or union, health, sexual orientation, criminal convictions and security measures as well as biometric and genetic data of people, 

Information on Legal Transactions 

Data processed by the Company to defend its rights and receivables, to collect its receivables, to pay its debt and for its legal obligations 

 

 

Financial Information 

Bank account number and account information, documents showing financial status, salary, payroll information, private health insurance amount, advance information and other data 

Physical Space Security Information 

Camera recordings at the entrance to the company's buildings and facilities and within the building and facilities, vehicle license plate information and recordings taken at check points  

Information on Family Members and Kith and Kin 

Data of the personal data subject's family members (spouse, mother, father and child), kith and kin and emergency contact persons 

Location Information 

GPS data that detects the location of the data subject during the use of company vehicles 

8.7. Contact Group of Personal Data Subject 

 

Contact Group 

Description on Contact Group 

Employees of Company, Affiliates and Business Partners 

All real persons, including the employees of our company, the real persons with whom our company’s affiliated companies and our company have a business relationship, and the shareholders and officials working in legal entities. 

Prospective Employee 

Real persons who have lodged a job application to our company in any way or have submitted their CVs for review. 

Company blue collar employee 

Company employee producing goods/products 

Employee of subcontractor company 

Employees of the subcontractor company having commercial relationship with our Company 

Shareholders of the Company 

Real persons who are a shareholder of the Company 

Company Customers 

Real person making use of the products and services offered by our Company 

Institution Official 

Authorized person who works for the relevant public/private institution. 

Company Leads 

Real persons making request to benefit from the products and services offered by our Company 

Visitors 

Real persons visiting company buildings and facilities and websites 

Supplier 

Parties providing contractual services in accordance with the company's orders and instructions to carry out its commercial activities 

Affiliate Companies 

 

Business Partners 

Parties with whom the company has established business partnerships in order to carry out its commercial activities 

Legally Competent Institution and Organization and legal Entities of Private Law  

Legally competent institution and organization and legal entities of private law to whom the company is obliged to share Company’s information and documents under the applicable legislation. 

Sayfa Sonu 

Company Official 

Members of the board of directors of the Company and other authorized persons 

 

8.8. Personal Data Category and Contact Group Matching 

 

Personal Data Category 

Contact Group 

Identity Information 

Employees of Company, Affiliates and Business Partners, Prospective Employee, Company Partners, Company Customers, Company Leads, Visitor, Supplier, Business Partners, Company Official 

Contact Details 

Employees of Company, Affiliates and Business Partners, Prospective Employee, Company Partners, Company Customers, Company Leads, Visitor, Supplier, Business Partners, Company Official 

Educational Information 

Employees of Company, Affiliates and Business Partners, Prospective Employee, Company Partners, Company Customers, Company Leads, Visitor, Supplier, Business Partners, Company Official 

Health Information 

Employees of Company, Affiliates and Business Partners, Prospective Employee, Company Partners, Company Official 

Prospective Employee Information 

Prospective Employees 

Personnel Information 

Company Employee, Company Official 

Special Categories of Personal Data 

Employees of Company, Affiliates and Business Partners, Prospective Employee, Company Partners, Company Customers, Company Leads, Visitor, Supplier, Business Partners, Company Official 

Information on Legal Transactions 

Employees of Company, Affiliates and Business Partners, Company Partners, Company Customers, Company Leads, Supplier, Company Official 

Financial Details 

Employees of Company, Affiliates and Business Partners, Prospective Employee, Company Partners, Company Customers, Company Leads, Supplier, Business Partners, Company Official 

Physical Space Security Information 

Employees of Company, Affiliates and Business Partners, Prospective Employee, Company Partners, Company Customers, Company Leads, Visitor, Supplier, Business Partners, Company Official 

Information on Family Members and Kith and Kin 

Employees of Company, Affiliates and Business Partners, Prospective Employee, Company Partners, Company Customers 

Location Information 

Employees of Company, Affiliates and Business Partners, Company Official 

8.9. Storage and Destruction Periods 

Business Process 

Contact Group 

Personal Data Category 

Storage Period 

Destruction Period 

Personal Procedure 

Company Employees 

Personnel Information 

15 years 

Within 180 days after the end of the storage period 

Recruitment Process 

Prospective Employee, Intern Prospective Employee 

Prospective Employee Details 

2 years 

Within 180 days after the end of the storage period 

Training Process 

Company Employees 

Credentials and Educational Information 

15 years 

Within 180 days after the end of the storage period 

Physical Space Security Process 

Company Employees, Company Prospective Employee, Company Partners, Company Customers, Company Leads, Visitor, Supplier, Business Partners, Company Official 

Physical Space Security Information 

1 years 

Within 180 days after the end of the storage period 

Defining process of a system account 

Company Employees 

Identity Information  

Contact Details 

10 years 

Within 180 days after the end of the storage period 

Sales Process 

Company Customers, Vendors 

Identity Information  

Contact Details, Financial Information, 

10 years 

Within 180 days after the end of the storage period 

Processing of the Employee Information of a Subcontractor Company 

Subcontractors, Subcontractor company employees 

Identity Information 

Contact Details 

10 years 

Within 180 days after the end of the storage period 

Salary Process 

Company Employees 

Identity Information  

Financial Information 

15 years 

Within 180 days after the end of the storage period 

Switchboard Process 

Visitors, Company Customers, Company Leads, 

Dealers, Suppliers 

Identity Information  

Contact Details 

1 years 

Within 180 days after the end of the storage period 

Visitors’ Records 

Visitors 

Identity Information,  

Physical Space Security Information 

2 years 

Within 180 days after the end of the storage period 

Legal Processes 

Company Employees, Company Partners, Company Official 

Identity information,  

Information on Legal Transactions 

15 years 

Within 180 days after the end of the storage period 

Internet Access Process 

Company Employees 

Identity Information,  

Contact Details 

2 years 

Within 180 days after the end of the storage period 

 Process for Debit of Goods to Employees 

Company Employees 

Identity information 

15 years 

Within 180 days after the end of the storage period 

Communication Process 

Company employees 

Identity information,  

Contact Details 

2 years 

Within 180 days after the end of the storage period 

Visitor’s Vehicles Recording Process 

Visitors 

Identity information,  

Contact details 

2 years 

Within 180 days after the end of the storage period 

Process of process documentation 

Company Employees, 

Company Official 

Identity Information 

15 years 

Within 180 days after the end of the storage period 

Data entry process into public institutions 

Company Employees, Company Official 

Identity information,  

Contact Details, Financial Information, 

15 years 

Within 180 days after the end of the storage period 

Visa-booking processes 

Company Employees 

Identity Information 

15 years 

Within 180 days after the end of the storage period 

Workflow Process 

Company Employees 

Identity information, 

Financial Information,  

Health Information 

15 years 

Within 180 days after the end of the storage period 

Payroll Distribution Process 

Company Employees 

Identity information, 

Personnel Information 

15 years 

Within 180 days after the end of the storage period 

Customer Portfolio Creating Process 

Company Customers, Company Leads 

Dealers 

Identity information,  

Contact Details 

2 years 

Within 180 days after the end of the storage period 

Export Shipments 

Employees of Business Partners 

Identity information,  

Contact details 

10 years 

Within 180 days after the end of the storage period 

Shipment Process 

Company Customers, 

Employees of Business Partners 

Identity Information,  

Contact Details 

10 Years 

Within 180 days after the end of the storage period 

 

Scholarship Process 

Scholar 

Identity Information,  

Contact Details:  

Educational Information:  

Special Categories of Personal Data  

Financial Information,  

Information on Family Members and Kith and Kin 

10 years 

Within 180 days after the end of the storage period 

Purchasing and Procurement Process 

Suppliers, 

Company Partners, Company Directors, 

Vendors 

Identity Information,  

Contact Details, Financial Information, 

10 years 

Within 180 days after the end of the storage period 

Occupational Health and Safety Processes 

Company Employees 

Identity Information, 

Contact Details:  

Health details 

15 years 

Within 180 days after the end of the storage period 

Payment Procedures 

Company Customers, Supplier,  

Vendors 

Identity Information,  

Contact Details, Financial Information, 

10 years 

Within 180 days after the end of the storage period 

Keeping log records, 

Guests 

Identity Information 

2 years 

Within 180 days after the end of the storage period 

Employee List and Contact Persons Identification Process  

Company Employees 

Identity Information,  

Contact Details 

10 years 

Within 180 days after the end of the storage period 

Logistics Operations Process 

Company Employees 

Identity information, 

Private Data 

15 years 

Within 180 days after the end of the storage period 

Process of shared information for events 

Company Employees, 

Customers 

Identity information, 

Contact Details 

10 years 

Within 180 days after the end of the storage period 

Collection Process 

Company Customers, 

Vendors 

Identity Information, 

Contact Details: 

Financial Information 

10 years 

Within 180 days after the end of the storage period 

Official Notice Process 

Employees of Business Partners 

Identity information 

10 years 

Within 180 days after the end of the storage period 

Agreement Process 

Company Customers 

Identity Information,  

Contact Details 

10 years 

Within 180 days after the end of the storage period 

Private Insurance Renewal Process 

Company Officials 

Identity information,  

Financial Information 

15 Years 

Within 180 days after the end of the storage period 

Invoice Process 

Vendors  

Company Customers 

Identity Information  

Contact Details 

10 years 

Within 180 days after the end of the storage period 

Quality Management Process 

Company Employees 

Identity Information 

Contact Details 

15 years 

Within 180 days after the end of the storage period 

 

 

 

8.10. Periodical Destruction Intervals 

 

In accordance with Article 7 of LPPD, personal data shall be destructed periodically upon the disappearance of reasons which require the process even if they are processed as per the legal legislation or the period stipulated in the legislation expires. In the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data has become due, our Company shall delete, destroy or anonymize personal data. Periodic destruction shall be carried out for all personal data, twice a year, at intervals of 6 months. 

All the transactions carried out  in relation to deletion, destruction or anonymization of personal data are recorded, and the aforementioned records are kept for a period of  three years, except for other legal obligations.

  1. Technical and Administrative Measures for Personal Data

In accordance with Article 12 of the LPPD, the obligation of the company in the capacity of data controller regarding data security: 

. 

  • toprevent unlawful processing of personal data,
  • toprevent unlawful access to personal data,
  • totake any technical and administrative measures to protect them,
  • To carry out or to have carried out any necessary audit for its company

The company exercises due care to data processing and data security in accordance with the above obligations. The company takes the necessary measures to prevent the personal data of its employees from being shared with third parties, and otherwise notifies the relevant person and the Board. 

 

In the Company; 

 

  • Network security and application security are ensured. 
  • A closed system network is used for personal data transfers over the network. 
  • Key management is applied. 
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems. 
  • The security of the personal data stored on the cloud is ensured. 
  • Disciplinary regulations containing data security provisions are in place with respect to the employees. 
  • Training and awareness-raising activities on data security are organized at regular intervals for the employees. 
  • An authorization matrix has been created for the employees. 
  • Access logs are regularly taken. 
  • Corporate policies have been prepared and started to be implemented on the topics of access, information security, usage, storage and destruction. 
  • Data masking measure is implemented when necessary. 
  • Letters of undertaking for confidentiality/privacy are obtained.
  • Relevant authorizations of the employees whose position has changed, or who have left their job, are revoked.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • The executed agreements contain provisions on data security.
  • Additional security measures are taken for personal data that are transferred in hard copy and the relevant documents are sent after being marked as classified.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported forthwith.
  • Security of personal data is monitored.
  • Necessary security measures are taken regarding entry-to-exit from physical sites containing • personal data.
  • Security of physical sites containing personal data is ensured against external risks (fire, flood, etc.).
  • The security of media containing personal data is ensured.
  • Personal data are minimized to the maximum extent.
  • Personal data are backed up and the backed-up personal data are protected.
  • User account management and authorization control system are implemented and are monitored.
  • In-house periodic and/or random inspections are carried out and caused to be carried out.
  • Log records are kept in a way that will not allow user intervention.
  • Current risks and threats have been identified.
  • Protocols and procedures regarding security of special categories of personal data have been determined and are being implemented.
  • Special categories of personal data are always encrypted and sent with KEP(registered electronic mail)or corporate mail accounts, in the cases when they are sent by email. 
  • Secure encryption/cryptographic keys are used for special categories of personal data, which are managed by different departments
    • Intrusion detection and prevention systems are used. 
    • A penetration test is applied. 
    • Cyber-security measures are taken and their implementation is constantly monitored. 
    • Encryption is made. 
    • Special categories of personal data that are transferred on portable flash memory, CD and DVD are transferred by encryption. 
      • Audits are ensured at certain intervals to ensure data security of data processor service providers. 
      • Awareness-raising activities are carried out to ensure data security of data processor service providers. 
      • Data loss prevention software is used. 

       

      The Company adopts all technical and administrative measures regarding cyberattacks regarding personal data of third parties, as well as technical and administrative measures specified in the law and board resolutions and specified in the guidelines to prevent unlawful access to personal data. The Company audits the security of the data inventory it creates in accordance with the legislation, as well as system and software security; and reports to the authorized persons and board if so requested, ensures that personal data are protected as stipulated in the legislation. 

       

       

       

      1. Rights of Data Subject

       

      Article 11 of LPDP No. 6698 has come into force on October 7, 2016, and pursuant to relevant article, the rights of the Data Subject thereafter shall be as follows: 

      The Data Subject may apply to the Company and  

      1. a)learnwhether or not their personal data are being processed, 
      2. b)requestinformation if his personal data have been processed, 
      3. c)findout the purpose of processing the personal data and whether it has been used in accordance with its intended purpose. 
      4. d)findout third parties to which their personal data have been transferred at home or abroad 
      5. e)torequest the correction of personal data that may have been incompletely or inaccurately processed,  
      6. f)torequest deletion or destruction of personal data within the framework of the conditions set forth in Article 7 of the PDPL; 
      7. g)incase of correction, deletion or destruction of personal data, to request that such operations be reported to third parties to whom such personal data has been transferred, 
      8. h)toobject to the emergence of an outcome which is to the detriment of the person himself as a result of the analyzing of the processed data exclusively through automated systems, 
      9. i)to request indemnification for their damages caused by unlawful processing of their personal data. 
        1. Application to Data Controller and Application Method

         

        NEYİVAR TEKNOLOJİ VE TİCARET ANONİM ŞİRKETİ, in the capacity of data controller, with the registered address at Atatürk Mahallesi Ertuğrul Gazi Sokak A Blok No:2 E İç Kapı No:331 Ataşehir/ISTANBUL, Central Registration System (Mersis) No. 0631-1549-2590-0001 respects the rights of you, the valuable personal data subjects and strives to help fulfilling your requests in your application. The right to apply to our company with this form prepared as per article 11 of PDPL directly belongs to the personal data owner. In the case of applications filed on behalf of third persons, a proper power of attorney, including power to represent the relevant person, shall be presented. 

        Pursuant to paragraph 1 of Article 13 of the Law, applications to be made to our Company as data controller with regard to these rights should be forwarded to our Company in writing or by other methods determined by the Personal Data Protection Board ("Board”). 

         

        After you fill out and sign the PDP Application Form (“PDP Application Form”) in the Company in a complete and clear manner and send it to our address below in person or by registered mail, we will reply your application no later than 30 (thirty) days. The application regarding such rights must be filed in writing by other methods included in this Personal Data Subject Application Form or determined by the Personal Data Protection Board (“Board”). 

         

        In that regard, applications to be lodged in “writing” with our Company may be submitted as follows: by obtaining printout of this Form; 

        • By application in person by the applicant,
        • Through a Notary Public,
        • It can be provided by sending it to the registered e-mail address of our Company after signing by the Applicant with “secure electronic signature” in accordance with Electronic Signature Law No. 5070.

         

         

        Our Company Details 

        Trade Name  

        : NEYİVAR TEKNOLOJİ VE TİCARET ANONİM ŞİRKETİ 

        Address  

        : Atatürk Mahallesi Ertuğrul Gazi Sokak A Blok No:2 E İç Kapı No:331 Ataşehir/ISTANBUL 

        Mersis (central registration system) No.  

        : 0 0631-1549-2590-0001 

        Registered E-mail Address  

        : [email protected]

        E-mail Address  

        [email protected] 

        This Policy shall become effective upon publication and shall remain effective until removed from the website. Our Personal Data Storage and Destruction Policy is issued on 13.09.2021. In case of renewal of the entire Policy or its specific articles, the date of effectiveness of the Policy shall be updated.