POLICY ON PROTECTION AND PROCESSING OF PERSONAL DATA OF THE EMPLOYEES OF NOON MARKETING E TRADE INCORPORATED COMPANY
(“POLICY”)
Data responsible: noonmar e-commerce logistics joint-stock company
Address: Şirinevler Kocasinan Cad. No:1 Kaman İş Merkezi Kat:1 D.5 Bahçelievler/İstanbul
1.1. This Policy arranges terms and conditions that will be followed by the Company during processing of Personal data of Employees. Thus, purpose of this Policy is to determine how Employees' personal data will be processed and to inform the Employees clearly about the condition of their personal data.
1.2. As noonmar, we are aware of our liability for the protection of personal data and providing legal assurance arranged as a constitutional right and we attribute significance to safely using of your personal data. The purpose of this Policy is to regulate the methods and principles to be followed in order to ensure that personal data of noonmar are processed and protected in accordance with the Law on Protection of Personal Data published in the Official Gazette April 7, 2016 dated and 29677 numbered.
1.3. This Policy finds an implementation area relevant to personal data of persons/employees who work with our company with business contracts either processed automatically or non-automatically as part of any data recording system. The scope of application of this Policy for the groups of Personal Data Owners in the categories listed below may be the entire Policy as well as only a number of provisions.
Definitions used in this Policy are as follows:
Express consent |
Consent to a specific issue, based onbeing informed and expressed with free will |
Anonymousization |
Making personal data that cannot be related with any identified or identifiable natural person, even by pairing it with other data |
Personal data |
Any information relating to an identified or identifiable natural person |
Special Data |
Any information that may cause discrimination or victimization of the person concerned |
Biometric Data |
Personal data deriving from specific technical processing related to the physical, physiological or behavioral characteristics of a real person, such as facial images or dactyloscopic data, that enable or confirm the unique identification of a natural person. |
Processing of personal data |
Obtaining, recording, storing, preserving, amending, reissuing, disclosure, transferring and taking over personal data in whole or in part either by automatic or non-automatic means provided that it is part of any data recording system. |
KVK Law |
Law on Protection of Personal Data 6698 numbered |
KVK Board |
Personal Data Protection Board |
KVK Authority |
Personal Data Protection Authority |
TCK |
Turkish Penal Code 5237 numbered |
Data processor |
Real or legal entity that processes personal data based on authorization and on behalf of data responsible |
Owner of personal data |
The real person whose personal data is processed and referred as "relevant person" in the Law on the Protection of Personal Data |
Personal Data Owner Application Form |
Application form for personal data owners, whose personal data is processed by noonmar, who may exercise their application rights relevant to article 11 of the Law |
Data Responsible |
Real or legal person that determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
Registry of Data Responsible |
Registry of data responsible held by the Presidency under the supervision of the Personal Data Protection Board |
Data Inventory |
Inventory that is being composed and detailed by noonmar’s personal data processing activities in connection with the business processes; through being related with recipient group to which the personal data is transferred and the related personal data owner group |
noonmar follows following principles in the processing of personal data:
noonmar complies with the general principles of the law and the code of honesty set out in the Turkish Civil Law while fulfilling its liabilities to process and protect personal data.
Our company carries out all kinds of administrative and technical measures to ensure that personal data is kept correct and updated during the processing of personal data.
Our company clearly and strictly determines the purpose of personal data processing before starting to process personal data.
Personal data are processed by our Company to the extent necessary to achieve the specified objectives. In this context, our Company takes into account the requirement of proportionality in processing of personal data and does not use personal data other than the purpose required.
Our Company retains personal data for a limited period of time as required by the Law on the Protection of Personal Data and related legislation or for a period necessary for the purposes data processing. In this context, our company firstly determines whether a period has been specified for retention of data in the relevant legislation, in case such period has been specified, behaves in accordance with relevant legislation, in case such period has not been specified, then retains data for a period necessary for the purposes for which such data had been processed. In the event that the period expires or elimination of the reasons of processing data, personal data is deleted, terminated or made anonymous by our Company. Data processing activity is not carried out with the assumption that they may be used in the future.
Our Company may process personal data with express consent of the personal data owner or without express consent in cases specified in Articles 5 and 6 of the Law on the Protection of Personal Data.
The express consent of the personal data owner is one of the legal basis that makes it possible to process personal data in accordance with the law. Other than from express consent, personal data may also be processed in the presence of any of the following conditions. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may compose the basis of the same personal data processing activity. In the event that the processed data is special personal data, besides the rules written here; the conditions under the heading "Cases where special personal data can be processed" under this section apply below.
One or more personal data processing terms that make such personal data processing activity legal may apply at the same time.
4.2. CONDITIONS FOR PROCESSING SPECIAL PERSONAL DATA
Some of the personal data is organized separately as “special personal data" and is subject to special protection. Special attention has been attributed to such data due to the risk of victimization or discrimination of persons when they are processed illegally.
Personal data category |
Explanation |
Identification data |
Documents such as identification card and passport involving information on name-surname, TR ID No, tax ID no, nationality, mother name, father name, date and place of birth, gender and information like signature/initial, vehicle plate etc. |
Personal data |
Any personal data that is processed to obtain information that will be the basis for the creation of personal rights of personnel or real persons in working relationship with the Company (Identity information, job application form, passport photos, education information etc.) |
Audio / Visual Information |
Processing of identification data within the scope of pictures and video records shot during and after the seminar, training and maintenance services organized by our company. |
Physical Space and Safety Information |
Personal data relating to records and documents received during entry into the physical space, during the stay in the physical space; camera recordings, security point recordings, etc. |
Communication data |
Phone number, full address information, e-mail address, in-company contact information (internal phone number, corporate e-mail address). |
Financial data |
Financial and salary details, payrolls, premium remuneration, premium amounts, file and debt information related to enforcement proceedings, bank passbook, minimum living allowance information, private health insurance amount. |
Biometric Data |
Camera footage taken for security measures of persons and handprint data for overtime recording |
Employees Performance and Career Development Data |
Training and skills, information on which training at which date, e-mail, signed participation form, customer quality evaluation form, evaluation of monthly performance and target performing status, activity information. |
Working data |
Register number, position name, department and unit, title, last employment date, entry and exit dates, insurance entry / retirement, allocation number, social security number, TTF no, tax office number, flexible working hours, holding registration number, travel status, retirement fund, retirement fund entry date, retirement fund registration number, attachment date of social security organization for artisans and the self-employed, registration number of social security organization for artisans and the self-employed, accounting code, number of working days, projects worked, monthly total overtime working information, severance pay base date, severance pay additional day, on strike last day, |
Leave data |
Leave-of-employment base date, leave-of-employment additional days, leave group, leave / return date, day, leave reason, leave address / telephone |
Demand or Complaint Management Information |
Personal data relevant to taking and assessing all kinds of demands and complaints directed to our Company for data processed in part or completely automatically or non-automatically as part of the data recording system, which is clearly identifiable or identifiable to a natural person. |
In accordance with Article 12 of the KVK Law, our Company takes all necessary technical and administrative measures to prevent illegal processing and illegal access to personal data, to ensure protection for personal data and to ensure appropriate measures for safety of personal data.
The main administrative measures taken by our Company to prevent illegal access to personal data are as follows:
In case processed personal data is obtained by others through illegal means, our Company will promptly notify the relevant data owner and the Board.
noonmar performs personal data processing activities within the scope of the personal data processing conditions indicated in articles 5 and 6 of the KVK Law for the following purposes:
The fulfillment of the purpose for the performance of work contract, in particular;
In order to fulfill the requirements within the scope of Labor Law, Work Health and Safety Law, Social Security Law and related legislation and other laws and legislation, in particular;
In order to manage the company, conduct the business and implement the company policies, in particular;
In case processing performed for the mentioned purposes does not meet any of the conditions specified in KVK Law, noonmar provides the express consent of the personal data owner with respect to the relevant processing.
6.2. Retaining period for Personal Data
Our company determines whether a period of time is stipulated in the relevant legislation for retaining of personal data. In case a period is stipulaed in the relevant legislation, it shall comply with this period; in case a period is not specified, it will keep the personal data for the time required for the purpose for which it was processed. In case purpose of the processing of personal data has expired and the relevant legislation and / or the retention periods set by our Company have ended, they shall be kept only for the duration of the statutory limitation periods in order to provide evidence in case of possible legal disputes, to assert the right related to personal data or to establish the defense. Personal data is not stored by our Company based on the possibility to be used in the future.
All records related to accounting and financial transactions |
2 years |
Law numbered 6102, Law numbered 213 |
Commercial electronic message approval records |
2 years from date of revocation of approval |
Law numbered 6563 and secondary legislation |
Information and / or CVs received for job application |
12 months |
|
Image / video recording collected with the purposes pf protecting occupational health and safety, protection of the workplace and control of the production process |
2 months |
|
Biometric data obtained from employees during the entry-exit process through hand-print reading |
2 months |
|
Your data stored within the scope of Law, will be retained for maximum period indicated in relevant legislation of maximum period required for the processing purposes or in any case legal statutory limitation periods. As arranged in article 138 of Turkish Penal Code and article 7 of KVK, in case processing reasons of data which have been processed in accordance with relevant legislation have removed, either ex officio or upon your request, they will be deleted, terminated and made anonymous under the conditions of Regulation on Personal data being deleted, terminated and making anonymous that was published on Official Gazette 30224 numbered and 28.10.2017 dated.
Our Company may transfer personal data and special personal data with condition of taking legal personal data processing purposes and taking necessary measures to the third parties (“Third Parties”) both inside and/or outside the country. Our Company will behave in accordance with artices 8 and 9 of Law.
8.1 Transfer of personal data
Personal data may be transferred to third parties in case of express consent of data owner or without express consent of data owner in case of the conditions specified below by taking all necessary measures including the measures stipulated by the Board:
In case personal data will be transferred abroad by our Company, in addition to the aforementioned conditions, they will be transfererd to foreign countries which are declared by the Board that they have adequate protection (Foreign country with adequate protection) or in case of lack of adequate protection, to the foreign countries where both data responsible in Turkey and foreign country commits adequate protection in written form and Board gives consent (Foreign country where data responsible committing adequate protection exists).
8.2. Transfer of Special Personal Data
Our company attributes great importance to the confidentiality and security of your biometric data. noonmar undertakes that your fingerprint records will not be transferred to any third party in Turkey and / or abroad. However, your personal data can be transferred in Turkey or abroad in accordance with the legal data processing purposes, with the condition of showing necessary care, taking the necessary security measures including the methods stipulated by the Board and in the scope of below mentined conditions.
In case personal data can be transferred in Turkey or abroad, addition to the aforementioned conditions, they will be sent to foreign countries with adequate protection or foreign countries where data responsible commits adequate protection.
8.3. Person Groups where Personal Data have been transferred by our Company
In line with articles 8 and 9 of KVK Law, our Company may transfer the personal data of data owners within the scope of this Policy to person groups inside the country and abroad within the framework of specified purposes:
PERSON GROUPS |
DESCRIPTION |
PURPOSE OF TRANSFER |
Supplier
|
Describes the parties providing services to noonmar on a contract basis in accordance with the orders and instructions of our Company while noonmar conducts its commercial activities |
Personal data is shared on a limited basis in order to ensure that our Company outsources the supplier and provides the services for noonmar necessary to carry out the commercial activities of our Company |
Business/Solution partner |
Defines companies and other persons with whom our Company cooperates or will cooperate for the purpose of conducting commercial activities of our Company such as the sale, marketing and / or joint customer loyalty programs for the Company's products and services. |
In order to ensure the fulfillment of the purpose of establishing the business partnership, personal data are shared to a limited extend. |
Legally Authorized Public Institutions and Organizations |
Defines public institutions or organizations (ex courts, tax offices) that are legally authorized to request information and / or documents from our Company established for the purpose of performing a public service in line with the provisions of the relevant legislation. |
Personal data are shared in limited manner upon request of public institutions and organizations within their legal authorization. |
Legally Authorized Private Law Entities |
Defines institutions or organizations (ex. banks, insurance companies) established in accordance with certain conditions determined by the law in line with the provisions of the relevant legislation and which continue their activities within the framework determined by the law. |
Personal data are shared in limited manner on the subjects covered by the activities of the related private institutions and organizations. |
noonmar, in line with Article 10 of the KVK Law, demystify personal data owners when obtaining personal data. Thus, within this scope, demystifying is being performed by noonmar to personal data owners during obtaining of data on identification of our company, for which purposes personal data will be processed, to whom such personal data may be transferred for which reasons, method and reason of collecting personal data and rights of personal data owners according to article 11 of KVK Law. In accordance with article 11 of KVK Law, noonmar will inform personal data owners upon their request.
On the other hand, noonmar does not have such informing liability in conditions mentioned below according to article 28 of KVK Law:
In line with article 13 of KVK Law, evaluation of rights of personal data owners and information supposed to be made of data owners is being realized through this text as well as noonmar Personal Data Owner Application Form. Personal data owners may submit their requests regarding the processing of their personal data to us within the framework of the principles indicated in the relevant form.
Pursuant to Article 11 of the KVK Law, anyone whose personal data have been processed can apply to our Company and make requests for the following issues:
Personal data owners shall not be able to assert their rights (except the right to claim damages) in accordance with Article 28 (2) of the KVK Law:
In accordance with Article 13 of the KVK Law, our Company shall finalize the application requests submitted by the personal data owner as soon as possible and within 30 (thirty) days at the latest according to the nature of the request.
The application of the personal data owner may be rejected in the following cases: