Purpose

The purpose of this Policy on the Protection and Processing of Special Categories of Personal Data is to fulfill the legal obligations arising from the Personal Data Protection Board’s decision dated 31/01/2018 and numbered 2018/10 on the Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data, and to set out the technical and administrative measures taken in the processing of special categories of personal data.

Processing of Special Categories of Personal Data

Personal data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, constitute special categories of personal data.

The Company complies with the Law and other applicable legislation in the processing of special categories of personal data. Accordingly, special categories of personal data are processed in line with the following principles:

  1. Processing in compliance with law and good faith
  2. Being accurate and, where necessary, kept up to date
  3. Being relevant, limited and proportionate to the purpose for which they are processed
  4. Being processed for specific, explicit and legitimate purposes
  5. Being retained for the period prescribed by legislation or required for the purpose for which they are processed

Special categories of personal data other than health and sexual life are processed by the Company where the data subject’s explicit consent has been obtained or where processing is permitted by law.

Data relating to health and sexual life are processed where the data subject’s explicit consent has been obtained, or for the purposes of protecting public health, carrying out medical diagnosis, treatment and care services, preventive medicine, and planning and management of healthcare services and their financing, in accordance with the procedures and principles set out in the Regulation on Personal Health Data.

Technical and Administrative Measures Taken to Protect Special Categories of Personal Data

The Company takes all necessary measures to ensure that special categories of personal data are processed in accordance with the Law and relevant legislation and to ensure the security of such data. The measures taken within this scope are listed below:

Administrative Measures

The Company provides regular training to employees involved in the processing of special categories of personal data on the protection and processing of such data.

The Company enters into confidentiality agreements with its employees to ensure data security.

The scope and duration of authorizations for users who have access to the data are clearly defined, and periodic authorization controls are carried out.

Access authorizations of employees whose duties change or who leave employment are immediately revoked. In this context, the Company promptly retrieves any inventory allocated to such employees.

Technical Measures

Technical Measures for Special Categories of Personal Data Stored and/or Accessed in Electronic Environments

All actions performed on special categories of personal data are securely logged by transaction record and by the user who last updated the data.

Security updates for environments where special categories of personal data are located are continuously monitored; necessary security tests are regularly performed, or commissioned from third parties; and test results are recorded.

User authorizations are implemented for software through which special categories of personal data are accessed; security tests of such software are regularly performed, or commissioned from third parties; and test results are recorded.

In cases where remote access to special categories of personal data is provided, at least two-factor authentication is used.

Technical Measures for Special Categories of Personal Data Stored and/or Accessed in Physical Environments

Adequate security measures are taken depending on the nature of the environment where special categories of personal data are located.

The physical security of these environments is ensured and unauthorized entry and exit are prevented.

Transfer of Special Categories of Personal Data

The Company transfers special categories of personal data within the framework of the data processing conditions set out in Articles 8 and 9 of the Law. In order to ensure data security, the following rules are applied during transfers and periodic audits are conducted within this scope.

Transfer via E-mail

Where special categories of personal data are transferred via e-mail, the transfer is carried out in encrypted form using a corporate e-mail address or by using a Registered Electronic Mail (KEP) account.

Transfer via Portable Media such as USB Drives, CDs and DVDs

Where special categories of personal data are transferred via portable media such as USB drives, CDs or DVDs, encryption is applied for security purposes.

Transfer Between Servers Located in Different Physical Environments

In transfers of special categories of personal data between servers located in different physical environments, data transfer is carried out by establishing a VPN between the servers or via sFTP.

Transfer via Paper Documents

If the transfer of special categories of personal data via paper documents is required, necessary measures are taken against risks such as theft, loss, or being seen by unauthorized persons, and the document is sent in the format of “confidential documents.”

Retention and Disposal of Special Categories of Personal Data

Special categories of personal data are retained by the Company in accordance with the Law, other applicable legislation, and the Board decision titled “Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data” under the following conditions:

  1. The data subject’s explicit consent has been obtained
  2. Retention of special categories of personal data other than health and sexual life is prescribed by law
  3. Retention of data relating to health and sexual life is necessary for the purposes of protecting public health, preventive medicine, carrying out medical diagnosis, treatment and care services, and planning and management of healthcare services and their financing

Special categories of personal data retained by the Company in accordance with the Law and other applicable legislation are deleted, destroyed or anonymized either ex officio or upon the data subject’s request if the following circumstances arise:

  1. In cases where the retention of special categories of personal data is based on the data subject’s explicit consent, the explicit consent is withdrawn
  2. The purpose for retaining the special categories of personal data has been fulfilled, becomes impossible, or otherwise ceases to exist
  3. The legal provisions forming the basis for the retention of special categories of personal data are amended or repealed
  4. All processing conditions set forth under Article 6 of the Law have ceased to exist
  5. The data subject’s duly submitted request for disposal of their special categories of personal data is deemed justified and approved by the Company
  6. In cases where the Company rejects the data subject’s request for disposal of their special categories of personal data, where its response is found insufficient, or where the Company fails to respond within the statutory period, a complaint is filed with the Board and the Board deems the request appropriate

Respectfully,

ADADÜNYA OPTİK TURİZM TİCARET LİMİTED ŞİRKETİ