Institution: RAYTA ENTERTAINMENT CENTERS MANAGEMENT VISUAL ARTS COMMUNICATION AND ORGANIZATION INDUSTRY AND TRADE JOINT STOCK COMPANY (Mersis No: 0734-2552-7820-0001)
Law: Personal Data Protection Law No. 6698.
Policy: Personal Data Processing and Protection Policy.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Explicit Consent: Consent given freely, based on information and related to a specific subject.
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.
Data Subject: The natural person whose personal data is processed.
Destruction: Deletion, destruction or anonymization of personal data.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing use, either fully or partially by automatic means or by non-automatic means provided that it is part of a data recording system.
The Personal Data Processing and Protection Policy (“Policy”) has been prepared to determine the procedures and principles regarding the processing and protection of personal data carried out within the Institution in accordance with the Law.
The Institution prioritizes processing personal data of job applicants, employees, supplier employees and their representatives, employees of supplier companies working at the workplace, visitors/customers, website visitors and other relevant persons in compliance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation, and ensuring that data subjects can effectively exercise their rights.
This Policy is applied together with relevant personal data policies, procedures and plans in all activities carried out by the Institution regarding the processing and protection of personal data.
• Identity
(Name, surname, mother’s/father’s name, mother’s maiden name, date of birth, place of birth, marital status, ID card serial number, Turkish ID number, etc.)
• Contact
(Address information, e-mail address, contact address, registered electronic mail (KEP), phone number, etc.)
• Personnel Records
(Payroll information, disciplinary investigation records, employment entry documents, CV information, performance evaluation reports, etc.)
• Legal Transaction
(Information in correspondence with judicial authorities, information in case files, etc.)
• Supplier Transaction
(Invoice information, payment information, order information, etc.)
• Physical Security
(Employee entry-exit records, camera recordings of employees, candidates, visitors/customers, etc.)
• Transaction Security
(IP address information, website access logs, username and password, system logs, etc.)
• Finance
(Bank account information, payment details, accounting records, financial transaction data, etc.)
• Professional Experience
(Diploma information, courses attended, in-service training, certificates, transcripts, etc.)
• Visual and Audio Records
(Photographs, video recordings, etc.)
• Other Information
(Family information, relatives, military status, driver’s license information, signature, etc.)
• Special Categories of Personal Data
(Employee health data, disability information, criminal conviction and security measure data)
The Institution processes personal data within the scope of its activities for the following purposes and retains them for the necessary period.
• Execution of Product / Service Marketing Processes
• Execution of Goods / Service Sales Processes
• Execution of Operational Processes Related to the Provision of Goods / Services
• Execution of Goods and Service Procurement Processes
• Ensuring Communication with Supplier Companies
• Execution of Organization and Event Management Processes
• Execution of Contract Processes
• Execution and Supervision of Business Activities
• Execution of Finance and Accounting Processes
• Execution of Communication Activities
• Execution of Management Activities
• Execution of Job Application Processes of Employee Candidates
• Fulfillment of Obligations Arising from Employment Contracts and Legislation for Employees
• Execution of Salary, Benefits and Financial Processes
• Making Tax and Social Security Notifications
• Execution of Working Hours, Leave and Payroll Processes
• Execution of Recruitment and Termination Processes
• Execution of Assignment Processes
• Execution of Inventory and Equipment Assignment Processes
• Execution of Disciplinary Processes
• Execution of Performance Evaluation Processes
• Execution of Employee Satisfaction and Engagement Processes
• Execution of Occupational Health and Safety Activities
• Execution of Work Accident Processes
• Execution of Emergency Management Processes
• Preparation and Implementation of Emergency Plans
• Ensuring Order and Security in the Workplace
• Ensuring Physical Environment Security
• Controlling Entry and Exit to the Workplace
• Ensuring Security of Movable Property and Resources
• Supervision of Subcontractor Obligations
• Execution of Personnel Health Services Required by Legislation
• Monitoring and Execution of Legal Affairs
• Fulfillment of Legal Obligations
• Ensuring Compliance of Activities with Legislation
• Execution of Audit Activities
• Providing Information to Authorized Persons, Institutions and Organizations
• Execution of Information Security Processes
• Management of Access Authorizations
• Protection of Systems and Prevention of Unauthorized Access
• Ensuring Website Security
• Ensuring Continuous and Secure Operation of the Website
• Detection and Resolution of Technical Issues
• Creation of Records That May Serve as Evidence in Possible Legal Disputes
• Receiving and Evaluating Communication Requests
• Contacting You
• Execution of Request and Complaint Processes
• Providing Information About Services
• Execution of Visitor / Customer Relations Processes
All units and employees of the Institution actively support the responsible units regarding the processing and protection of personal data within the scope of this Policy.
The distribution of titles, units and job descriptions of those involved in the processing and protection of personal data is as follows.
| Title | Duty |
| --- | --- |
| Board of Directors | Approves the Policy and ensures its entry into force. Responsible for ensuring that senior management and employees act in accordance with the Policy. Provides support and resources by establishing the necessary budget for the implementation of the Policy. |
| Senior Management | Responsible for monitoring the activities carried out within the scope of the execution and implementation of the Policy. Carries out decision-making and implementation activities required for the execution of the Policy. |
| KVKK Officer | Responsible for the creation of the Policy and its publication in relevant environments after approval. Carries out the implementation of technical solutions decided and supported by senior management in the implementation of the Policy. |
| Accounting and Finance Leasing Services | Responsible for the execution of the Policy in accordance with their duties. |
| Information Systems Officer | Responsible for ensuring the technical security of systems where special categories of personal data are processed, implementing access controls, and executing data security measures. |
Conditions for Processing Personal Data
In accordance with Article 5 of the Law, personal data are processed within the Institution only in the presence of the following conditions.
The purposes for which personal data may be processed within the Institution are specified in the Personal Data Retention and Destruction Policy under Article 4 titled ‘Data Processing Purposes’.
Conditions for Processing Special Categories of Personal Data
In accordance with Article 6 of the Law, special categories of personal data are processed within the Institution only in the presence of the following conditions.
Deletion, Destruction or Anonymization of Personal Data
Although personal data have been processed in accordance with the Law and other relevant legal provisions, if the reasons requiring their processing cease to exist, they are deleted, destroyed or anonymized by the Institution ex officio or upon the request of the data subject.
The procedures and principles regarding the deletion, destruction and anonymization of personal data are specified in the Personal Data Retention and Destruction Policy.
Transfer of Personal Data
In accordance with Article 8 of the Law, personal data may be transferred within the Institution only in the presence of the following conditions.
The recipient groups to which personal data may be transferred include authorized public institutions and organizations, suppliers and business partners, financial advisors and accounting service providers, banks, contracted law firms, insurance and private pension companies, and these recipient groups are included in the Data Controllers Registry (“VERBIS”).
In accordance with Article 10 of the Law, during the collection of personal data, the Institution is obliged to inform the data subjects about the following matters.
The Institution informs all data subjects whose personal data are processed in a manner consistent with the records included in the Personal Data Processing Inventory.
According to Article 11 of the Law, the data subject has the following rights regarding the processing of their personal data.
The Institution establishes the necessary channels for the data subject to submit requests and complaints regarding the exercise of their rights, informs the data subject in this regard, and manages the applications received in accordance with the Personal Data Applications Management Procedure.
In accordance with Article 12 of the Law, the Institution takes all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the safeguarding of personal data.
The technical and administrative measures taken by the Institution for the security of personal data are specified in the Personal Data Retention and Destruction Policy.
The technical and administrative security measures taken by the Institution in the processing of special categories of personal data are specified in the Special Categories of Personal Data Security Policy.
The Institution carries out activities to increase the awareness of employees regarding policies published and processes implemented for compliance with the Law in accordance with the Personal Data Protection Awareness Plan. Provisions regarding IT risk management, including the management of personal data risks, are determined in the IT Risk Management Policy. Personal data risk records and risk actions are recorded in the Personal Data Risk Catalogue and necessary actions are taken to mitigate risks.
If personal data are processed by another natural or legal person on behalf of the Institution, the Institution is jointly responsible with such persons for taking necessary security measures. The Institution regulates its contracts with data processors or data controllers in accordance with the obligations set forth in the Law.
The Institution conducts or commissions necessary audits to ensure the implementation of the Law.
Employees of the Institution, data processors and their employees are prohibited from disclosing personal data to third parties or using them outside their intended purpose in violation of the Law. This obligation continues even after termination of employment.
If processed personal data are obtained unlawfully by others, the Institution shall notify the relevant person and the Personal Data Protection Board as soon as possible. The data breach notification process is carried out in accordance with the Data Breach Response Plan.
According to Article 16 of the Law, the Data Controllers Registry is maintained publicly by the Personal Data Protection Authority, and natural and legal persons who process personal data are required to register with the Registry before starting data processing.
The application for registration in the Data Controllers Registry is made through a notification including the following matters:
The Institution creates a personal data processing inventory for the personal data it processes. According to the definition in Article 4 of the Regulation on the Data Controllers Registry, the personal data processing inventory is defined as an inventory where data controllers detail their personal data processing activities based on business processes, including processing purposes and legal grounds, data categories, recipient groups, data subject groups, maximum retention periods, transfers abroad, and security measures.
In accordance with the Regulation on the Data Controllers Registry published by the Authority, the process of managing the Institution’s personal data processing inventory and the Data Controllers Registry Information System (“VERBIS”) registration is carried out in accordance with the relevant management procedures.
Any changes in the information declared during the Institution’s registration application to the Data Controllers Registry are immediately notified to the Personal Data Protection Board.
The Institution reviews the Policy when necessary and updates the relevant sections.
The Policy shall be deemed to have entered into force upon approval by the Board of Directors. The Policy is announced to employees.
Principles to Be Followed in the Processing of Personal Data
Personal data are processed only in accordance with the procedures and principles set forth in the Law and other relevant legislation.
The following principles must be complied with in the processing of personal data: