Protection of Personal Data and Privay Policy

DATASIST POLICY OF PROCESSING AND PROTECTION PERSONAL DATA

Datassist Bilgi Teknolojileri A.Ş. (“Datassist”) cares for your personal data security. We are keen to process and protect all types of personal data, which belongs to persons in relation with and receiving services from Datassist, in line with Protection of Personal Data Law No. 6698.
Your personal data are being processed in the framework of the policy stated below and the governing legislation.
A. PURPOSE, SCOPE AND DEFINITIONS
1. PURPOSE OF POLICY
This Policy of Processing and Protection Personal Data (hereinafter called Policy) is the main text of the policy regulating the principles Datassist Bilgi Teknolojileri A.Ş. (“hereinafter called Datassist”) shall act in line with while fulfilling its obligation as regard to Protection of Personal Data Law No. 6698 and other related legislation.
2. POLICY SCOPE
Policy encompasses the personal data Datassist collects and processes or shared with Datassist during its activities as well as the data belong to Datassist employees, customers, website visitors and mobile application users.
3. DEFINITIONS

Personal Data: any information relating to an identified or identifiable natural person. It is the every kind of information that enables Datassist; single handedly or by linking other data, to determine the any data subject’s identity directly or indirectly.
Special Categories of Data: the data related to persons’ racial or ethnic origin, political opinions, religious, sect or other beliefs or philosophical beliefs, trade-union membership, and health or sex life, criminal convictions records and biometric and genetic information are deemed as Special Categories of Data.
Personal Health Data: any health information relating to an identified or identifiable natural person
Processing of personal data: any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Data Subject: the real person whose personal data processed by Datassist.
Explicit Consent: any freely given specific and informed indication of wishes by which the data subject signifies his agreement to personal data relating to him being processed.
Destruction: deletion or destruction of personal data.
Anonymized Data: the personal data put in a form that cannot be associated with any real person by any means even by linking with other data.

Data Processor: a natural or legal person, which processes personal data by authorization of and on behalf of and the controller. Data processor’s identity should be assessed for each cases of processing.
Data Controller: natural or legal person who determines the purposes, conditions and means of the processing of personal data and responsible for establishing and managing the data registry system. Data controller can be Datassist itself or a third party authorized by Datassist. Data controller’s identity should be assessed for each case.
Board: Personal Data Protection Board
B. PERSONAL DATA PROCESSING
1. PRINCIPLES
Datassist, in its all operations related to collecting and processing Personal Data, acts in compliance with following principles:
a) Compatible with law and rules of veracity
Personal data shall be collected and processed in compliance with law and rules of veracity (fair and lawful).
b) Accurate and, where necessary, kept up to date
Datassist, where it is necessary for the purpose of collecting and processing Personal Data, shall:
• take necessary reasonable precautions to keep Personal Data complete, accurate and up to date,
• update the Personal Data in case Data subject informs about any change relating is/her personal data,
• take necessary reasonable precautions to update, correct or delete the uncomplete or inaccurate data.
c) Having specified, clear and legitimate purposes
Datassist undertakes to collect and process the data which is relevant, limited and proportionate with the reason of their processing. Personal data, with the exception of permission of law and being legally necessary, shall not be collected and processed for anticipated purposes in the future. Personal data, with the exception of being legally possible or necessary, shall be processed only in line with the legal purposes clearly specified before the collection of the data and according to the approval or explicit consent when it is necessary.
Prior to collection of any data activity by Datassist, in case the explicit consent is necessary according to the method of collection or this Policy, approval form or online media shall be used.
Third parties who are processing personal data on behalf of Datassist must declare and undertake, in written or contractually, to act in compliance with the Policy prior to start processing,

d) Kept only for the time determined by relevant legislation or necessitated by the purpose the data were collected for
Personal data kept no longer than is necessary for the purposes for which the data were collected. Personal data can be kept longer for the purpose of fulfilling the legal obligations or safeguarding legal business benefits.
Upon expiration of legal and administrative periods and commercial necessities, the personal data which is no longer necessary for the purposes of processing shall be deleted, destroyed or anonymized in line with Datassist Policy of Storing and Destroying Personal Data (Destruction Policy).
Datassist is responsible for destroying all the personal data in its physical and electronic systems where the purpose of collecting data is no longer exist and/or legal storage periods end.
All transactions related to deletion, destruction or anonymization of personal data shall be recorded and the records shall be kept at least three (3) years, without prejudice to other legal obligations.
2. COLLECTİNG AND PROCESSING PERSONAL DATA
Datassist shall collect and process the personal data in compliance with the following legal provisions.
2.1 Approval
Personal data of data subject shall only be processed after he/she is informed as per the Policy and after his/her explicit consent received in written or in electronic environment. In case of processing Personal Health Data the explicit consent must be taken in written. Received explicit consent statements shall be kept in in physical or electronic environment.
Personal data can be processed without seeking the explicit consent of the data subject in the presence of the following conditions:
• where it is clearly specified by laws
• where processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent
• where processing is necessary for drawing up or for performance of a contract to which the data subject is party
• where processing is necessary for fulfillment of legal obligation of the controller
• where the related data are made public by the data subject
• where processing is necessary for acquisition of, exercising of, or protection of a specific right
• where processing is necessary for legitimate interests of controller, on condition that fundamental rights and freedoms of the data subject are not violated.

2.2 Special Categories of Data
Special categories of personal data can only be processed by explicit consent of data subject or (other than personal data relating to health and sexual life) may be processed without obtaining the explicit consent of the data subject if processing is clearly permitted by law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional and authorized institution and organizations subject to the obligation of professional secrecy.
3. TRANSFER OF PERSONAL DATA
3.1 Personal data can only be transferred with the explicit consent of the data subject. Also in case of the conditions specified in item 2.1 exist (where explicit concern is not necessary) personal data can be transferred to third parties in Turkey.
3.2 For transferring personal data to third parties abroad the following conditions in addition to conditions in item 3.1 must also be present;
• there is an adequate level of protection in the foreign country to which data is sent
• in case there is not adequate level of protection, data controllers in Turkey and in the concerned country should guarantee the adequate level of protection in writing, and also permission of the Data Protection Board is necessary.

4. RIGHTS AND OBLIGATIONS
4.1 Right of Data Subject
Real person whose personal data is collected or processed by Datassist is entitled to apply to the data controller.
Data subjects may forward their below requests regarding the right of application in written or by e mail to the contact information stated at the end of this Policy or to representative of Datassist
a) learn whether personal data concerning him has been processed,
b) request information as to processing if his/her personal data is processed,
c) learn the purpose of processing and whether personal data is processed as per their purpose,
d) learn the third parties in-country or abroad if the data transferred,
e) demand the rectification of the data content if there is incompleteness or inaccuracy in their processing,
f) demand deletion or destruction of data within the framework of Law,
g) demand notification of the operations made according to items (d) and (e) to third parties to whom personal data transferred,
h) Object to occurrence of any result that is to her/his detriment by analysis of personal data exclusively through automated systems;
i) Demand compensation for the damages caused due to unlawful processing of personal data,
4.2 Responsibilities of Data Controller
4.2.1 Obligation to Give Information
Datassist shall make a clear and comprehensible notice to inform data subjects during the collection of personal data about the process and purpose of processing of Personal Data. Data subject shall be informed about their rights as regard to their personal data, and also they may get access to their personal data within reason.
Notification to data subject shall cover the following points in minimum:
• the identity of data controller, or his/her representative if any,
• purposes, method and legal requirement of data processing,
• to whom the processed data will be given and for what purposes,
• legal rights of data subject specified in item 4.1 above.
4.2.2 Obligations as Regard to Data Security
It shall be for the Datassist;
• prevent unlawful process of personal data
• prevent unlawful access to personal data
• take every necessary technical and administrative precautions for safeguarding personal data, and prevent misuse, unlawful disclosure and destruction of personal data.
Datassist shall take all necessary technical and organizational measures for providing appropriate level of security.
a) Datassist shall carry out inspection in its establishment or have it done for ensuring personal data security.
b) Datassist shall guaranty that Personal Data collected and processed within the framework of its activities will be treated as follows (i) Personal data shall be kept confidential as per the provisions of Protection of Personal Data Law, (ii) Personal data shall not be used out of purpose, (iii) Only the authorized personnel can process the data and (iv) Personnel can get access to personal data within the limit of their authorization. This obligation shall carry on even after their employment is ended.
c) Datassist immediately informs the Board and the data subject in case of any unlawful breach.
4.2.3 Registering in Data Controller Registry
Datassist shall fulfill its obligation of register in Data Controller Registry set up by Precedency of Personal Data Protection Board as per Regulation On Data Controllers Registry. In this respect following information shall be revealed to public.
• Identity and address information of data controller or its representative, if any, and contact person. Also KEP (Registered Electronic Mail) if obtained.
• Purpose of processing personal data.
• Explanation related to data subject groups and categories.
• Personal data receivers or receiver groups.
• Personal data to be transferred abroad.
• Start and end date of registration
• Security measures taken
• Maximum duration the data will be kept.

AMENDMENTS ON POLICY AND DATE OF EFFECT
Provisions included in this Policy can be amended by Datassist if it is found necessary and shall be published in internet in line with related legislation.
In case of any amendment, changed provisions will enter into force at the date of publishing.
The Policy hereby is published and entered into force as of October 2016.

DATASSİST Bilgi Teknolojileri A.Ş.
e-mail: kvkk.bilgi@datassist.com.tr