Information Security

Cyber Security Consultancy Solutions and Information Security Trainings for Institutions

Quality and Data Security Policy

  • To provide awareness, training and encouragement of our employees to ensure their participation and compliance with the information security system as required by a holistic approach to data security,
  • To control, monitor and review the efficiency of our quality and information security systems through internal and external audits, and to harmonize and continuously improve the system,
  • To provide the necessary resources for hardware, software, training and other controls needed to reduce data security risks and ensure their continuity,
  • To protect personal data used in our business processes in accordance with the legislation on protection of personal data,
  • To protect the confidentiality of our customers' data and to comply with the standard and legal regulations,
  • To provide new generation solutions to our customers by following technological developments,
  • To adopt providing customer satisfaction as a principle in all our business processes.

Data Security Policy

PRIVIA SECURITY BİLİŞİM VE DANIŞMANLIK LTD. ŞTİ. PERSONAL DATA PROTECTION AND PROCESSING POLICY

Law No. 6698 on the Protection of Personal Data (the “Law”) entered into force on April 7, 2016 and includes regulations on the processing of all kinds of data regarding “identified or identifiable natural persons”.

This Privia Security Bilişim ve Danışmanlık Ltd. Şti. Policy on Protection and Processing of Personal Data (“Policy”) contains the statements and explanations of Privia Security Bilişim ve Danışmanlık Ltd. Şti. (“Privia Security”) regarding its processing, within the scope of the Law, of personal data of natural persons in the categories listed below. In this context, the Policy applies to the processing of personal data belonging to the following data owners.

  • Real Customers
  • Potential Customers
  • Corporate Client Shareholders, Officials, Employees
  • Company Officials
  • Shareholders
  • Business Partner Shareholders, Officials, Employees
  • Supplier Shareholders, Officials, Employees
  • Employee Candidates
  • Visitors
  • Press Members
  • Third Parties

This Policy may be updated from time to time in order to adapt to changing conditions and legislation.

1. PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

Privia Security, in the position of data controller, acts in accordance with the…

  • Compliance with the law and honesty rules,
  • Being accurate and up-to-date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being connected, limited and measured with the purpose of processing,
  • Being kept for the period stipulated in the relevant legislation or required for the relevant purpose,

principles, in accordance with Article 4 of the Law.

i. Compliance with the law and honesty rules

Personal data are processed in accordance with the law and honesty rules. Accordingly, Privia Security, as the data controller, acts in accordance with the legislation in force in all kinds of personal data processing processes and complies with the rules of honesty.

ii. Accuracy and up-to-dateness

Data controllers should set up the necessary processes to ensure that the personal data they process are accurate and up to date. Accordingly, Privia Security provides the data owners with the opportunity to update their data and takes the necessary measures to ensure the correct transfer of the data to the databases.

iii. Processing for specific, explicit and legitimate purposes

Data controllers are obliged to inform data owners about the purposes of processing personal data in line with the clarification obligations under the Law. In this respect, Privia Security, as the data controller, limits data processing activities to specific and legitimate purposes and informs data owners clearly within the scope of clarification texts regarding these purposes.

iv. Being connected, limited and measured with the purpose of processing

Personal data are processed by Privia Security in connection with, and limited to, the purpose notified to the data subject at the time the data are provided, and only to the extent necessary for that purpose.

v. Being kept for the period stipulated in the relevant legislation or required for the relevant purpose

If a certain period of time is determined within the scope of the legislation in force, the data are stored for this period. If such a period is not specified in the legislation, reasonable retention periods are determined by considering the purpose of data use and company procedures, and the data is kept limited to this period. Following the expiry of the aforementioned periods, the data are deleted, destroyed or anonymized in line with company procedures.

2. PRIVIA SECURITY Bilişim ve Danışmanlık LTD. ŞTİ. PURPOSES OF PROCESSING PERSONAL DATA

Articles 5 and 6 of the Law set out the conditions for the processing of personal data and sensitive personal data. Sensitive personal data are listed in the Law in a limited manner and include a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, association, foundation or union membership, health, sexual life, conviction and security measures, biometric and genetic data. While Article 5 of the Law determines the processing conditions of non-sensitive personal data, the conditions for processing sensitive personal data are regulated in Article 6.

According to the aforementioned articles, non-sensitive personal data may be processed in the following cases.

  • The data subject has given explicit consent.
  • Data processing is clearly stipulated in laws.
  • Processing the relevant data is compulsory to protect the life or bodily integrity of the data subject or of another person, where the data subject is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid.
  • It is necessary to process personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract.
  • Data processing is mandatory for the data controller to fulfill its legal obligation.
  • The personal data are made public by the person concerned.
  • When data processing is mandatory for the establishment, use or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

Sensitive personal data can be processed subject to the conditions stipulated below.

  • The data subject has given explicit consent.
  • Processing of sensitive personal data other than health and sexual life data (individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, criminal conviction and security measures, biometric and genetic data) is stipulated by law.
  • Health and sexual life data are processed by persons or authorized institutions and organizations who are under the obligation of secrecy, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and financing.

In this context, Privia Security Bilişim ve Danışmanlık LTD. ŞTİ. processes personal data regarding real persons included in the categories specified in Annex-1 for the following purposes:

  • Designing and/or performing personalized marketing and/or promotional activities,
  • Planning and/or performing market research activities for the sales and/or marketing of products and services,
  • Planning and execution of event management processes,
  • Planning and managing the application processes for products and/or services,
  • Planning and/or execution of the processes of accessing products and/or services and/or providing the tools and/or information appropriate to the channels the customer will use,
  • Follow-up of contract processes and/or legal requests,
  • Follow-up of customer demands and/or complaints,
  • Planning and/or execution of the operational activities required to ensure that the company activities are carried out in accordance with the Company procedures and/or the relevant legislation,
  • Execution of strategic planning activities,
  • Planning and/or execution of supply chain management processes,
  • Planning and execution of processes regarding the utilization of products and/or services,
  • Planning and/or conducting the application, selection and evaluation processes of employee candidates,
  • Creating and/or tracking visitor records,
  • Management of relations with business partners and/or suppliers,
  • Planning and/or execution of marketing processes of products and/or services,
  • Ensuring the security of company operations,
  • Follow-up of finance and/or accounting affairs,
  • Ensuring the security of company premises and/or facilities,
  • Establishing and/or managing information technology infrastructure,
  • Planning and/or execution of customer relationship management processes,
  • Designing and/or performing advertising and/or promotion and/or marketing activities in digital and/or other media,
  • Planning and/or execution of activities for customer satisfaction and/or experience,
  • Planning and/or execution of campaign and/or promotion processes,
  • Planning and/or execution of corporate communication activities,
  • Planning and/or execution of the sales processes of products and/or services,
  • Planning and execution of renewal processes for products and/or services,
  • Giving information arising from the legislation to authorized persons and/or organizations,
  • Planning and/or execution of the company’s audit and/or ethical activities,
  • Planning and/or execution of reference and/or intelligence activities for personnel recruitment and/or Company security processes,
  • Planning and/or execution of operations and/or efficiency processes,
  • Planning and/or execution of projects in line with the goals of our company,
  • Planning and/or execution of business continuity activities,
  • Identification and/or evaluation of people to be subject to marketing activities in line with consumer behavior criteria,
  • Planning and/or execution of post-sales support activities,
  • Planning and/or execution of business partners and/or suppliers’ access rights to information,
  • Planning, controlling and/or performing information security processes,
  • Planning and/or execution of cross-selling activities related to other products offered by our company,
  • Planning and/or execution of business activities.

3. TRANSFER OF PERSONAL DATA BY PRIVIA SECURITY

i. General Conditions for Transfer

Article 8 of the Law makes a distinction regarding the transfer of personal data according to whether the data is sensitive personal data. According to the aforementioned article, non-sensitive personal data may be transferred to third parties in the presence of one of the processing conditions specified in Section 2 above. Accordingly, personal data;

  • The data subject has given explicit consent,
  • Data processing is clearly stipulated in laws,
  • Processing the relevant data is compulsory to protect the life or bodily integrity of the data subject or of another person, where the data subject is unable to disclose her/his consent due to actual impossibility or her/his consent is not legally valid,
  • It is necessary to process personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract,
  • Data processing is mandatory for the data controller to fulfill its legal obligation,
  • The personal data are made public by the person concerned,
  • When data processing is mandatory for the establishment, use or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed,

can be shared by Privia Security with persons outside its own legal entity in the cases listed above.

Article 8 also refers to the processing conditions specified in Chapter 2 in terms of sensitive personal data, but foresees that adequate measures should also be taken for the transfer. Accordingly, Privia Security shares sensitive personal data with third parties, subject to

  • Sensitive personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, association, foundation or trade union membership, criminal conviction and security measures, biometric and genetic data) other than health and sexual life data is stipulated by laws,
  • Processing of health and sexual life data by persons or authorized institutions and organizations who are under the obligation of secrecy, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and financing

purposes, in any case, after taking adequate precautions.

ii. Transfer Abroad

Privia Security may transfer personal data abroad:

  • If the data owner has given explicit consent
  • In cases where the data owner has not given explicit consent but one or more of the other conditions mentioned above are met;
    • Adequate protection exists in the country where the data is transferred
    • If there is not sufficient protection in the country where the data is transferred, it can be transferred provided that Privia Security and the data controller in the relevant foreign country undertake sufficient protection in writing and the permission of the Personal Data Protection Board is obtained.

iii. Parties to Whom Personal Data Are Transferred by Privia Security Bilişim ve Danışmanlık Hizmetleri LTD. ŞTİ.

Privia Security transfers personal data to the following parties within the scope of the above conditions:

  • Suppliers for the purpose of procuring services in the processes our company outsources.
  • Business partners in order to ensure that the objectives of the business partnership are fulfilled.
  • Legally authorized public institutions and legally authorized private persons or organizations, limited to the information requested within the framework of their legal powers.

4. PERSONAL DATA PROCESSED BY PRIVIA SECURITY

The categorization of personal data processed by Privia Security is included in Annex-1.

5. PROCESSING PROCEDURE OF PERSONAL DATA BY PRIVIA SECURITY BİLİŞİM ve DANIŞMANLIK LTD ŞTİ

Privia Security Bilişim ve Danışmanlık, as the data controller, informs personal data owners during the acquisition of personal data, as stipulated in the Law, about the purposes for which the personal data are processed, to whom and for what purposes the processed personal data can be transferred, the method of and legal reason for personal data collection, and the rights of the data owner.

If any process requires explicit consent pursuant to the Law, the explicit consent of the data owners is obtained after the aforementioned notification by Privia Security Bilişim ve Danışmanlık.

6. DETERMINATION OF THE STORAGE PERIOD OF PERSONAL DATA BY PRIVIA SECURITY BİLİŞİM ve DANIŞMANLIK LTD.

Privia Security Bilişim ve Danışmanlık determines the retention periods of personal data by considering the legislation in force and the purposes of processing the data subject to the process. In any case, Privia Security Bilişim ve Danışmanlık determines the retention periods in the light of legal obligations and the relevant time-out periods.

If the purpose of data processing ceases to exist, the data are deleted, destroyed or anonymized unless there is another legal reason or basis that allows the data to be kept.

7. RIGHTS OF DATA OWNERS AND THE USE OF THESE RIGHTS

i. Rights of Data Owners

According to Article 11 of the Law, personal data owners have the following rights against the data controller:

  • Learning whether personal data related to him/her is being processed.
  • Requesting information if personal data about him/her has been processed.
  • Learning the purpose of processing personal data and whether they are used appropriately for their purpose.
  • To know the third parties in the country or abroad to whom personal data are transferred.
  • To request correction of personal data in case of incomplete or incorrect processing.
  • Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation.
  • Requesting that third parties to whom personal data have been transferred be notified of the actions taken as a result of rectification, deletion and destruction requests.
  • Objecting to a result that arises against the person herself/himself from the analysis of the processed data exclusively through automated systems.
  • Demanding compensation for damage suffered due to the illegal processing of personal data.

Paragraph 2 of Article 28 of the Law lists the cases where data owners do not have the right to make requests:

  • Processing of personal data is necessary for the prevention of crime or for a criminal investigation,
  • Processing of personal data made public by the person concerned,
  • Processing of personal data is necessary for the execution of supervision or regulation duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations that have the status of public institutions, based on the authority granted by the law,
  • Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues,

In such cases, the rights specified above cannot be used for the data.

According to paragraph 1 of Article 28 of the Law, as the data will be outside the scope of the Law in the following cases, the requests of the data owners will not be processed in terms of these data:

  • Processing of personal data by real persons within the scope of activities related to her/him or her/his family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
  • Processing personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not constitute a crime, violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

ii. Exercise of Rights by Data Owners

Data owners can use the “Form for Applications to be Made to the Data Controller by the Personal Data Owner”, available at priviasecurity.com or priviahub.com, to exercise the abovementioned rights.

Applications will be made by one of the following methods, together with the documents that will determine the identity of the data owner:

  • Filling in the form and sending the wet signed copy by hand, through a notary public or by registered mail (M. Kemal Mah. Dumlupınar Bul. 274/6 Mahall Ankara E Blok No: 32 Çankaya/Ankara),
  • Following a method stipulated by the Personal Data Protection Board.

Privia Security Bilişim ve Danışmanlık responds to data owners who want to exercise these rights within the limits stipulated in the Law, within a maximum of thirty days as stipulated in the Law. In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the applicant.

As a rule, data owner applications are processed free of charge; however, if a fee tariff is stipulated by the Personal Data Protection Board, charges may be made according to this tariff.

Privia Security may request information from the relevant person in order to determine whether the applicant is the owner of the personal data, and, in order to clarify the matters specified in the application, it may ask the personal data owner questions about her/his application.

8. PROTECTION OF PERSONAL DATA BY PRIVIA SECURITY

Privia Security takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deletion or damage of data in order to ensure the security of personal data.

In this context, Privia Security;

  • Records access to personal data,
  • Ensures data security by using software and hardware including virus protection systems and firewalls,
  • Follows personal data processing activities on a business unit basis,
  • In accordance with Article 12 of the Law, ensures that the necessary inspections are made in order to ensure the implementation of the provisions of the Law,
  • Ensures compliance of data processing activities with the Law through company internal policies and procedures,
  • Gives authorizations in accordance with the nature of the data accessed within the company,
  • Subjects access to sensitive personal data to more stringent measures,
  • Passes individuals who have access to sensitive personal data through additional security checks,
  • Where personal data is accessed from outside the company for reasons such as outsourcing, obtains commitments from the external service provider to ensure compliance with the Law,
  • Takes necessary actions to inform all employees, especially those who are authorized to access personal data, about their duties and responsibilities under the Law.