I. SCOPE
This Policy on the Protection and Processing of Special Categories of Personal Data covers all departments, employees, and third parties involved in any process that handles personal data within Özgün Vergo Ticaret Limited Company, its group companies, subsidiaries, and affiliated companies.
This Policy shall define the rules for the security of Special Categories of Personal Data within the Company, shall encompass all activities that ensure management in this area, and shall be applied at every step to maintain it.
This Policy shall not be applied to data that does not qualify as Special Categories of Personal Data.
II. DEFINITIONS
Law: Law No. 6698 on the Protection of Personal Data
Regulation: Regulation on the Deletion, Destruction, or Anonymization of Personal Data
Board: Personal Data Protection Board
Personal Data: Any information relating to an identified or identifiable natural person
Policy: This Policy on the Protection and Processing of Special Categories of Personal Data
Personal Data Processing Inventory: An inventory created by data controllers associating their personal data processing activities with their business processes, indicating the purposes and legal grounds for processing, data categories, recipient groups, and data subject groups, also detailing the maximum retention periods, data transferred abroad, and security measures taken
Special Categories of Personal Data: Data concerning an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data
Company: Özgün Vergo Ticaret Limited Company, including its group companies, subsidiaries, and affiliated companies
Data Subject: Individuals whose personal data is being processed
VERBIS: Data Controllers’ Registry maintained by the Authority
III. PURPOSE
This Policy has been established to determine the procedures and principles for the protection and processing of Special Categories of Personal Data held by the Company, which acts as the data controller pursuant to the Law.
As a data controller obliged to register with VERBIS, the Company is responsible for storing Special Categories of Personal Data in accordance with the Personal Data Processing Inventory, defining the rules for the security of such data, managing all related activities, and implementing this Policy in compliance with these rules.
The retention and destruction of personal data shall be governed by the conditions and principles set forth in the Law and applicable legislation.
IV. SPECIAL CATEGORIES OF PERSONAL DATA
1) General Principles Regarding the Processing of Special Categories of Personal Data
The Company takes all necessary technical and administrative measures to ensure the secure storage of Personal Data and to prevent unlawful processing and access.
The Company undertakes not to process Personal Data contrary to the provisions set out in the Law.
Unless the exceptions provided in Article 6, paragraph 3 of the Law apply, it is prohibited for the Company to retain Special Categories of Personal Data without the explicit consent of the Data Subject. If such data is retained, it shall be processed only with the explicit consent of the Data Subject and in compliance with relevant legislation.
2) Special Categories of Personal Data Processed by the Company
Special Categories of Personal Data other than those relating to health and sexual life—such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership of associations, foundations or trade unions, criminal convictions and security measures, biometric and genetic data—may be processed without the explicit consent of the Data Subject if stipulated by law.
Special Categories of Personal Data relating to health and sexual life may only be processed without the explicit consent of the Data Subject for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of health services and financing, by persons or authorized institutions and organizations under a confidentiality obligation.
Special Categories of Personal Data are processed within the Company based on the explicit consent obtained from the Data Subjects and are processed only under the controls outlined in the section titled “General Principles Regarding the Processing of Special Categories of Personal Data” in this Policy. The type and nature of the relationship between the Company and the Data Subject, communication channels used, and the purpose of processing vary accordingly.
3) Purposes of Processing Special Categories of Personal Data
Personal Data may be processed for the purposes specified in the Personal Data Processing Inventory and stored for the duration prescribed by these purposes and applicable legal periods.
4) Transfer of Special Categories of Personal Data
The Company transfers Personal Data domestically and internationally in accordance with the purposes exemplified in the “Purposes of Processing Special Categories of Personal Data” section of this Policy and Articles 8 and 9 of the Law. Personal Data may be processed and stored in servers and electronic media used for this purpose. Parties to whom data is transferred and the purposes of such transfers are detailed in the Company’s Personal Data Processing Inventory. The nature of the transfers and the parties involved vary depending on the nature of the relationship between the Company and the Data Subject, the purpose of transfer, and the relevant legal basis. Measures taken, implementation principles, and procedures under this scope are applied.
If the Company is to transfer Special Categories of Personal Data, it shall do so by taking the necessary precautions in accordance with the provisions and conditions stated in the Law and related legislation.
5) Termination of Data Processing Conditions
The Company is responsible for ensuring that the conditions for processing Special Categories of Personal Data remain valid and shares this responsibility with all its employees.
Employees must cease data processing when processing conditions no longer apply. The Company is obligated to eliminate such data upon request by the Data Subject or ex officio, in accordance with this Policy.
The Company considers the following situations as cases where the conditions for processing Special Categories of Personal Data no longer apply (also listed in the Regulation):
The purpose requiring data processing ceases to exist
Data processing is against the law or principles of good faith
The processing was based solely on explicit consent and the Data Subject withdraws their consent
6) Security of Special Categories of Personal Data
As the data controller, the Company takes the following measures:
i) Administrative Measures:
Periodic training and awareness activities for employees are held regarding technical and legal aspects of preventing unlawful data processing, unauthorized access, and ensuring data security.
Disciplinary regulations include data security provisions.
A Personal Data Processing Inventory has been prepared.
Corporate policies on retention and destruction have been established.
Data Subjects are informed and their explicit consent is obtained before data processing begins.
The amount of personal data collected is minimized.
Periodic and random audits are conducted.
VERBIS registration is completed.
In addition to general administrative measures, a separate policy and procedure for Special Categories of Personal Data security is defined.
Regular training is provided on legal regulations and security of Special Categories of Personal Data.
Access authorizations, scopes, and durations for users are clearly defined.
Periodic authorization checks are conducted.
ii) Technical Measures:
Data security policies and procedures are established.
Data security incidents are promptly reported.
Data security is continuously monitored.
Deletion, destruction, or anonymization is regularly performed in accordance with the data retention and destruction policy.
Access rights are revoked for employees who change roles or leave the Company.
Physical access to environments containing personal data is secured.
The safety of environments where personal data is stored is ensured.
Risks of unlawful processing are identified, and appropriate technical measures are taken.
Procedures for role-based access control are created and enforced.
Network and application security is ensured.
Authorization matrices are implemented.
Access logs are kept regularly.
Data masking is applied when necessary.
Updated antivirus software is used.
Firewalls are employed.
A user account and access control system is implemented and monitored.
Personal Data is backed up, and the security of backups is ensured.
Special Categories of Personal Data are stored using cryptographic methods.
All actions performed on data are securely logged.
At least two-factor authentication is used for remote access.
Encrypted corporate email or Registered Electronic Mail (KEP) is used for data transfer via email.
Adequate security measures (against electrical failures, fire, flooding, theft, etc.) are taken for environments storing Special Categories of Personal Data.
Unauthorized access to such environments is prevented.
When data is transferred in paper form, precautions are taken against theft, loss, or viewing by unauthorized persons, and documents are sent in the format of “classified documents”.
7) Transfer of Special Categories of Personal Data
The Company may transfer Special Categories of Personal Data it lawfully obtains to third parties for the purposes of data processing, provided necessary security measures are in place. Accordingly, the Company may transfer such data to third parties under the conditions listed above and when:
The Data Subject has given explicit consent,
There is a clear legal provision for such transfer,
It is necessary for the protection of the life or physical integrity of the Data Subject or another person, where the Data Subject is incapable of giving consent,
It is necessary for the establishment or performance of a contract to which the Data Subject is a party,
It is necessary for the Company to fulfill a legal obligation,
The data has been made public by the Data Subject,
It is necessary for the establishment, exercise, or defense of a legal claim,
The transfer is necessary for the Company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
8) Transfer of Special Categories of Personal Data Abroad
By showing due diligence and taking necessary security measures and additional precautions determined by the Board, the Company may transfer Special Categories of Personal Data to foreign countries with adequate protection or to countries that undertake adequate protection, under the following circumstances:
If the Data Subject has given explicit consent, or
If the Data Subject has not given explicit consent:
Special Categories of Personal Data excluding those related to health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership of associations, foundations or trade unions, criminal convictions and security measures, biometric and genetic data) may be transferred if legally permitted,
Data concerning health and sexual life may only be transferred for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of health services and financing, by persons or authorized institutions and organizations under confidentiality obligations.
V. UPDATE
In the event of new regulations or updates to existing ones, the Company shall update its policy accordingly to ensure compliance with legal requirements.
