INDUSTRY AND TRADE JOINT STOCK COMPANY (Mersis No: 0734-2552-7820-0001)
Law: Personal Data Protection Law No. 6698.
Policy: Special Categories of Personal Data Security Policy.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Data Subject: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing use, either fully or partially by automatic means or non-automatic means provided that it is part of a data recording system.
Personal Data Processing Inventory: An inventory in which data controllers detail their personal data processing activities based on their business processes by associating them with processing purposes and legal grounds, data categories, recipient groups and data subject groups, including the maximum retention periods, transfers abroad and data security measures.
The purpose of the Special Categories of Personal Data Security Policy (“Policy”) is to fulfill the legal obligations arising from the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 regarding adequate measures to be taken by data controllers in the processing of special categories of personal data, and to set forth the technical and administrative measures taken in this context.
The scope of the Policy includes the technical and administrative measures taken by the Institution regarding the security of special categories of personal data.
All units and employees of the Institution actively support the responsible units in ensuring that technical and administrative measures taken within the scope of the Policy are properly implemented, increasing employee awareness and training, monitoring and continuous auditing, preventing unlawful processing and access, and ensuring lawful storage of special categories of personal data.
The distribution of titles, units and duties of those responsible for ensuring the security of special categories of personal data is as follows.
| Title | Duty |
|---|---|
| Board of Directors | Approves the Policy and ensures its entry into force. Responsible for ensuring that senior management and employees act in accordance with the Policy. Provides support and resources by allocating the necessary budget. |
| Senior Management | Responsible for monitoring activities carried out within the scope of the implementation and execution of the Policy. Carries out decision-making and implementation processes required for the execution of the Policy. |
| KVKK Officer | Responsible for the creation of the Policy and its publication in relevant environments after approval. Executes the implementation of technical solutions determined and supported by senior management. |
| Accounting and Finance Leasing Services | Responsible for the execution of the Policy in accordance with their duties. |
| Information Systems Officer | Responsible for ensuring the technical security of systems where special categories of personal data are processed, implementing access controls, and carrying out data security measures. |
According to Article 6/4 of the Law, “In the processing of special categories of personal data, adequate measures determined by the Board must also be taken.” Within this framework, the necessary measures are determined by the Board decision dated 31/01/2018 and numbered 2018/10.
The Institution takes all necessary technical and administrative measures to ensure that special categories of personal data are processed in compliance with the Law and relevant legislation and that their security is ensured. These measures are listed below:
Technical Measures
If the environments where special categories of personal data are processed, stored and/or accessed are electronic;
If the environments are physical;
If special categories of personal data are transferred;
Administrative Measures
For employees involved in processing special categories of personal data;
Activities involving special categories of personal data are labeled in the inventory.
Risk analyses related to special categories of personal data are conducted.
The Policy is reviewed when necessary and updated accordingly.
The Policy shall be deemed to have entered into force upon approval by the Board of Directors. The Policy is communicated to employees.