Policy on the Protection and Processing of Personal Data
Protection and Processing of Personal Data
KAFTRANS ULUSLARARASI TASIMACILIK VE TIC. A.S.
CORPORATE POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
CONTENTS
- Introduction
- Purpose and Scope
- Definitions
- General Principles in the Processing of Personal Data
Lawfulness and Conformity with Rules of Bona Fides
Ensuring the Accuracy and Currency of Personal Data When Necessary
Processing for Specific, Explicit, and Legitimate Purposes
Being Relevant With, Limited to, and Proportionate to the Purposes for Which They Are Processed
Retaining For the Period Stipulated by Relevant Legislation or Required for The Purpose for Which They Are Processed
- Conditions of processing personal data
Explicit Consent of Personal Data Subject
Cases in which personal data can be processed without seeking explicit consent
Clearly Stipulated by Laws
Failure to Obtain the Explicit Consent of the Concerned Person Due to Actual Impossibility
Directly Related to Drawing up or Performance of the Contract
Legal obligation
Making Personal Data Public by the Personal Data Subject Himself/Herself
Mandatory Data Processing for the Establishment or Protection of a Right
Mandatory Data Processing for the Legitimate Interest of the Company
- Purposes of Processing of Personal Data
- Categorization of Personal Data and Group of Data Subjects whose Data is Processed
- Erasure, destruction, or anonymization of personal data
- Transfer of Personal Data
- Third Parties to which Personal Data is Transferred and The Purposes of Transfer of Personal Data
- Obligation to inform
- Ensuring the Security of Personal Data
- For what purpose Personal Data will be collected
- Rights of the Data Subject, modes of application, data retention periods and principles
- Data Retention Periods and Principles
- Data Destruction Process
- Enforcement of the Policy
- INTRODUCTION
KAFTRANS ULUSLARARASI TASIMACILIK VE TIC. A.S. displays the highest level of sensitivity necessary to ensure full compliance with Article 20 of the Constitution concerning the Privacy of Individual Life and the Law No. 6698 on the Protection of Personal Data (‘’KVKK”), which was adopted by the Grand National Assembly of Turkey on March 24, 2016, and entered into force after being published in the Official Gazette on April 7, 2016, and other regulations regarding the enforcement of this law, and acts with the awareness of protecting the rights of its customers arising from the Constitution and the Law in all its operations.
- PURPOSE AND SCOPE
The purpose of our Corporate Policy (“Policy”) is to ensure compliance with the obligations concerning the regulations on the protection of personal data, to evaluate the aspects related to processing and protecting the confidentiality of information collected within the scope of activities conducted by our Company with a risk-based approach, and to determine the strategies, internal controls and measures, operational rules and responsibilities and to raise the awareness of the personal data subjects.
- DEFINITIONS
The definitions used in this Policy are as follows:
Explicit Consent: refers to the consent concerning a specific subject that is based on the information and expressed with free will.
Constitution: refers to the Constitution of the Republic of Turkey.
Kaftrans: refers to KAFTRANS ULUSLARARASI TASIMACILIK VE TIC. A.S.
Personal Data: refers to any information relating to an identified or identifiable natural person (e.g. name-surname, Republic of Turkey Personal Identification Number, e-mail, address, date of birth, credit card number, bank account number (Thereby, the processing of information regarding legal persons is not within the scope of the Law).
Personal Data Subject: refers to a natural person whose personal data is processed.
Processing of Personal Data: refers to all kinds of operations performed on the data such as obtaining them by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, and recording, storing, maintaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying them and preventing their use.
Personal Data of Special Nature: refers to data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, conviction and security measures, and biometric and genetic data.
Data Controller: refers to the person who determines the purposes and means of the processing of personal data and manages the place where the data is kept systematically (data recording system), that is to say, KAFTRANS.
KVKK: refers to Law No. 6698 on the Protection of Personal Data.
- ISSUES CONCERNING THE PROCESSING OF PERSONAL DATA
4.1. General Principles in the Processing of Personal Data
KAFTRANS processes the data in line with the provisions of the Constitution, Law, and other legislations that it has to comply with within the scope of its activities, specifically the laws to which it is bound. In this context, the following principles are taken into account:
4.2. Lawfulness and Conformity with Rules of Bona Fides
KAFTRANS processes personal data per the procedures and principles stipulated in the KVKK and other relevant laws. In this regard, KAFTRANS shows an effort to fully comply with the following principles specified in the KVKK while processing personal data.
- Lawfulness and conformity with rules of bona fides: Per this principle, data processing processes of KAFTRANS are conducted within the limits required by all relevant legislation and rules of bona fides, specifically the Constitution and KVKK.
- Being accurate and up-to-date when necessary: Necessary measures are taken to ensure that the personal data processed by KAFTRANS are accurate and up-to-date, and necessary opportunities are provided to data subjects by informing them to ensure that the data being processed reflects the fact.
- Processing for specific, explicit, and legitimate purposes: KAFTRANS processes personal data only for legitimate purposes explicitly and precisely determined and does not process data other than these purposes. In this context, KAFTRANS processes personal data only in connection with the business relationship established with the data subjects and when necessary.
- Being relevant with, limited to, and proportional to the purpose for which they are processed: KAFTRANS processes the data in accordance with the KVKK and other relevant legislation conveniently to the realization of the purposes determined based on the data categories and in related and proportional way to the realization of the purpose and thus, avoids processing of personal data which is not required.
- Retention for the period stipulated by the relevant legislation or required for the purpose for which they are processed: The personal data processed by KAFTRANS are retained only for the period stipulated by the relevant legislation or required for the purpose for which they are processed. In this regard, KAFTRANS complies with this period if there is a period stipulated by the relevant legislation for data storage; If there is no such period, it retains the data only for the period necessary for the purpose for which it was processed. KAFTRANS does not retain any data based on the possibility of future use.
- CONDITIONS OF PROCESSING OF PERSONAL DATA
The conditions of processing the personal data are regulated with KVKK (Law on the Protection of Personal Data), and KAFTRANS processes the personal data per the conditions mentioned below. Except for the exceptions listed in the Law, KAFTRANS processes personal data only by obtaining the explicit consent of the data subjects. In the case of the following conditions listed in the KVKK, personal data can be processed even without the explicit consent of the data subject.
- It is clearly stipulated by the laws.
- It is mandatory for the protection of the life or physical integrity of the person or of any other person who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid.
- When processing the personal data belonging to a contractual party, it is necessary provided that it is directly related to the drawing up or performance of that contract.
- When it is mandatory for the controller to be able to perform its legal obligations.
- When the data is made available to the public by the data subject himself/herself.
- When the data processing is mandatory for the establishment, exercise, or protection of any right.
- When it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
KAFTRANS displays special sensitivity in the processing of personal data of special nature, which is believed to be of more critical importance for data subjects from various aspects. Within this scope, such data are not processed without the explicit consent of the data subjects provided to take adequate measures determined by the Board.
- PURPOSE AND LEGAL REASONS OF PROCESSING OF PERSONAL DATA BY KAFTRANS
Your personal data obtained by KAFTRANS can be processed within the scope and legal reasons explained below.
The above-mentioned categories are the main categories for KAFTRANS to carry out its future commercial and operational activities, and new categories may be added if the activities and processing purposes change. In such cases, KAFTRANS will continue to inform its customers as quickly as possible.
- PERSONAL DATA CATEGORIZATION OF KAFTRANS and GROUP OF DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED
The categories of personal data processed by KAFTRANS are as follows:
PERSONAL DATA CATEGORIZATION | DESCRIPTION OF PERSONAL DATA CATEGORIZATION | |
Identity Information | It is the data about the identity of the person and documents such as driver’s license, identity card, and passport containing information such as name-surname, Republic of Turkey national identification number, nationality, mother’s and father’s name, place of birth, date of birth, gender and information such as tax office, tax number, SSI number, etc. | |
Contact Information | Information such as phone number, address, e-mail address, IP address | |
User Transaction Information | Information such as records for the use of our products and services account login and logout records, and the customer’s instructions and requests for the use of products and services. | |
Financial Information | Personal data that is processed for information, documents, and records indicating all kinds of financial results. | |
Employee Candidate Information | Personal data processed about individuals who are in a working relationship | |
Employee Information | Personal data that is processed for all kinds of transactions carried out by employees or natural persons with whom they have a labour relationship | |
Legal Transaction Information | Determination and follow-up of legal claims and rights, the performance of obligations and legal obligations | |
Location Data | Location information of where the transfers are located |
The group of data subjects whose data is processed by KAFTRANS is as follows:
GROUP OF DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED | DESCRIPTION OF THE GROUP |
Employee | Refers to natural persons working with Kaftrans within the framework of employment contract |
Employee candidate | Refers to personal data processed regarding individuals who have been evaluated as candidates/interns to be potentially employed in line with the needs of Kaftrans Human Resources |
Supplier | Refers to parties that supply goods and/or services on a contractual basis while carrying out the commercial activities of Kaftrans |
Potential product or service buyer | Refers to a natural person and/or legal entity employees and officials who request to or are considered to be able to request to use Kaftrans services these services |
Customer | Refers to natural persons who use the products and services offered by Kaftrans, regardless of whether they have a contractual relationship or not. |
Supplier Employee/Official | Refers to natural persons, drivers, officials, etc., working in legal entity companies that render supply services to Kaftrans. |
8- POLICY OF KAFTRANS ON ERASURE, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA
Although it has been processed in accordance with the provisions of the Law and other relevant legislation, personal data is erased, destructed, or anonymized by KAFTRANS, ex officio or upon the request of the person concerned when the reasons for processing are no longer available.
9- TRANSFER OF PERSONAL DATA
KAFTRANS strictly complies with the provisions of KVKK (Law on the Protection of Personal Data) regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this regard, KAFTRANS does not transfer personal data to third parties without the explicit consent of the data subject. However, in the case of one of the following conditions stipulated by the KVKK, KAFTRANS may transfer personal data within the country and abroad without obtaining the explicit consent of the data subject, if:
- It is clearly stipulated by laws
- It is necessary to process the personal data of the contractual parties, provided that it is directly related to the drawing up or performance of a contract,
- It is mandatory for the data controller to fulfill its legal obligation,
- It is publicized by the data subject himself/herself
- Data processing is mandatory for the establishment, exercise, or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that this does not harm the fundamental rights and freedoms of the data subject.
- With explicit Consent
KAFTRANS does not transfer personal data of special nature to any third party, either in the country or abroad.
We may communicate with our customers and suppliers via their e-mail addresses. These e-mail addresses use g-mail, Office 365 and Yandex, and similar international e-mail service infrastructures. Since the e-mails sent and received are kept in data centers situated in various parts of the world, they are considered as the transfer of data abroad within the scope of Personal Data Legislation. However, since the use of e-mail addresses in many areas has almost become mandatory and various legislations require its use, it is not possible to abandon this mode of communication.
10- THIRD PARTIES TO WHOM KAFTRANS CAN TRANSFER PERSONAL DATA AND THE PURPOSE OF TRANSFER
KAFTRANS pays utmost care and attention to the sharing of personal data with domestic and/or abroad, in line with the provisions of the KVKK and other relevant legislation, primarily the Constitution.
KAFTRANS can transfer personal data to the following categories of parties, limited to the cases stipulated by the KVKK that allow data transfer, and when it is necessary. By taking the necessary measures for data transfer, necessary warnings and agreements concerning the processing of data within the scope of KVKK are made with the persons to whom the data is transferred.
- Legally Authorized Institutions
- Our Business/Project Partners
- Our legal advisors
Provided to take the necessary security measures, Kaftrans UluslararasıTaşımacılık ve Tic. A.S. can process, transfer and store your personal data to other electronic media such as servers, hosting companies, cloud companies, etc. from which storage, archiving, information technologies suppoer is received in Turkey and abroad, particularly EU states such as Italy, USA, England, OECD states.
11- OBLIGATION TO INFORM
Within the scope of Article 10 of the KVKK, KAFTRANS is aware of the requirement to inform data subjects before or at the latest during the collection of personal data. Within the framework of this obligation to inform, the information to be conveyed to the data subjects of KAFTRANS is as follows:
- Identity of the data controller and its representative, if any,
- For what purpose personal data will be processed,
- To whom and for what purpose the processed personal data can be transferred,
- Mode of and legal reason for collecting personal data,
- Other rights listed in Article 11 of KVKK.
To fulfill its obligation to inform, KAFTRANS has prepared notices based upon the process and the persons whose data is processed and it submits these notices to the data subjects within the scope of the above-mentioned provision of the KVKK. After the notices are submitted to the data subjects, explicit consent is also obtained for data processing activities and data categories that require the explicit consent of the data subject, for KAFTRANS to carry out its commercial activities.
12- ENSURING THE SECURITY OF PERSONAL DATA
KAFTRANS takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data. The measures stipulated by Article 12(1) of KVKK are as follows:
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data. The measures taken by KAFTRANS in this regard are listed below.
Administrative Measures
- Training and awareness activities are organized periodically for employees on data security.
- Confidentiality commitments are made.
- The authorizations of employees whose positions have changed or who quit their job in this field are canceled.
- Signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred in paper and the relevant documents are sent in confidential document format.
- The security of physical and virtual environments or places containing personal data is ensured.
- Personal data is reduced as much as possible.
- Awareness of data processing service providers on data security is raised.
Technical Measures
- Network security and application security are ensured.
- Security measures are taken within the scope of supply, development, and maintenance of information technology systems.
- Data masking measure is applied when necessary.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- Personal data security is followed up.
- User account management and authorization control system are implemented and these are also followed.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is done.
- Data processing service providers are periodically audited on data security.
- Data loss prevention software is used.
13- FOR WHAT PURPOSE PERSONAL DATA WILL BE COLLECTED BY KAFTRANS AND THE LEGAL REASON
Kaftrans collects personal data, specifically through the applications you have made at https://kaftrans.com.tr/, your applications to our company personally and publicly available channels, member interviews, digital applications made over websites, telephone communication, and e-mail.
The personal data is collected based on a legal reason provided that it is mandatory for Kaftrans to fulfill its legal obligation as a data controller, expressly stipulated by the laws and directly related to drawing up or performance of a contract, and the processing of personal data of contractual parties is necessary and mandatory for the data controller to fulfill its legal obligation, there are legitimate interests of the data controller, the data subject has been made public by himself/herself, and there is explicit consent.
14- RIGHTS OF DATA SUBJECT, MODES OF APPLICATION, AND CASES WHERE RIGHTS CANNOT BE EXERCISED
If personal data subjects submit their requests regarding their rights listed below to KAFTRANS, the requests are concluded free of charge as soon as possible and within thirty days at the latest, depending on their nature. However, if the action requires an additional cost, KAFTRANS will charge fees in the tariff determined by the Personal Data Protection Board or other authorities. In this context, data subjects will be able to submit their requests to KAFTRANS in writing or by other methods to be determined by the Personal Data Protection Board.
The personal data subjects have the right:
- to learn whether his/her personal data are processed or not,
- to demand information as to if his/her personal data have been processed,
- to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
- to know the third parties to whom his/her personal data are transferred in the country or abroad,
- to request the correction of the incomplete or inaccurate data, if any, and to request the reporting of this operation to the third parties to whom personal data is transferred,
- to request the erasure or destruction of personal data if the reasons requiring it to be processed are no longer available, even though it has been processed per the provisions of the law and other relevant laws, and to request the reporting of the operation to the third parties to whom the personal data has been transferred,
- to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
- to claim compensation for the damage arising from the unlawful processing of his/her personal data.
The customers can make their claims at the addresses below.
For Written Applications: Kozyatağı Mahallesi Bayar Caddesi Gülbahar Sokak PS Plaza No:17 Flat:54 34742 Kadıköy, Istanbul
For Applications via E-Mail: info@kaftrans.com.tr
Applications via KEP: kaftrans@hs01.kep.tr
15- DATA RETENTION PERIOD AND PRINCIPLES
Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, KAFTRANS as data controller erases, destructs, or anonymizes personal data ex officio or upon the request of the concerned person if the reasons requiring processing are no longer available.
KAFTRANS retains personal data for legal periods such as 6 months, 10 years, considering the data category, transaction security, periods stipulated by laws, timeouts related to legal processes, and whether it has an aspect that affects other transactions and then, erases, destructs or anonymizes them at the end of these periods.
16- DATA DESTRUCTION PROCESS
KAFTRANS destructs the personal data belonging to employees of third parties, institutions, or organizations that it is in a relationship as employees, employee candidates, visitors, and service providers per the Law.
KAFTRANS has determined the period of periodic destruction as 1 year. Accordingly, periodic destruction is carried out in January every year.
17– ENFORCEMENT OF THE POLICY
This Policy entered into force on 03/12/2021. In case of renewal of the entire or some part of the Policy, the versions of the Policy will be updated. The policy is published on the KAFTRANS website at www.kaftrans.com.tr.