- Definitions
Express Consent | The consent regarding a specific subject, based on informing, and explained with free will. | ||||||
Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data. | ||||||
Personal Data | All kinds of information belonging to an identified or identifiable natural person. | ||||||
Sensitive Personal Data | Data on race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures and biometric and genetic data are sensitive personal data. | ||||||
Processing Personal Data | All kinds of transaction done on data such as obtaining personal data completely or partially automatically or non-automatically provided that it is a part of any data recording system, recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making data available, classifying or preventing its use. | ||||||
Board | Board of Protecting Personal Data | ||||||
Policy | Hermes Global Lojistik A.S. Policy of Protecting and Processing Personal Data | ||||||
Data Processor | A natural or legal person who processes personal data on behalf of the data processor, based on the authority given by the data processor. | ||||||
Data Supervisor | The person who determines the purposes and means of processing the personal data and manages the place (data record system) where the data is kept in a systematic way is data supervisor. |
Purpose
This policy was issued for the purpose of determining the basic principles and application principles to be adopted in ensuring the compliance of Hermes Global Lojistik Anonim Sirketi (“Hermes Global Lojistik”) with the obligations to data supervisors within the scope of the Personal Data Protection Law (“KVKK”) numbered 6698 entered into force after being published in the Official Gazette dated 7 April 2016.
- Scope and Changes
This policy, prepared in accordance with the Personal Data Protection Law (KVKK), is about all the personal data regarding all personal data of current and potential customers, employees, shareholders and officials of the institutions we cooperate with, and third parties that are processed automatically or non-automatically, provided that they are part of any data recording system. Hermes Global Lojistik reserves the right to make changes in the Protocol in line with the changes to be made in the Personal Data Protection Law (KVKK) and the relevant regulation.
- Principles to be applied in processing personal data
Hermes Global Lojistik adopts the below principles in collecting, processing and analyzing personal data.
- Acting in accordance with the laws and the rules of honesty
Hermes Global Lojistik will collect and process the personal data in accordance with the laws and fairly, in order to protect personal rights of data holders. Commensuration and necessity principles will be considered in carrying out these activities
- Purpose-Specific Limitation
Personal data can only be processed for the purposes defined before collecting the data.
Further changes are possible only to a limited extent and with justification.
- Transparency and Clarification
Data holders should be informed in detail before collecting and processing the personal data. Right holders should be informed on below details before collecting the data.
- Identity of the data supervisor or, if there is, of the representative,
- Purpose of processing the personal data,
- To whom and for what purpose the processed personal data are transferred,
- Method and legal reason of collecting the personal data,
- Rights of the person whose personal data is processed according to article 11 of the Personal Data Protection Law (KVKK)
- Data Economy
Before processing the personal data, it should be determined whether the processing is necessary to achieve the purpose and to what extent. Anonymous or statistical data may be used in a situation where the purpose is acceptable and proportionate.
- Deleting the Personal Data
After the expiry of the periods predicted in the relevant laws for the obligation of keeping record and the procedures of keeping record required for proof, the personal data that are no longer necessary are deleted or destroyed or anonymized.
- Accuracy and Currency of Data
If personal data is accurate, complete and known, it must be current. Inaccurate or incomplete data should be deleted, corrected, completed or updated.
- Privacy and Data Safety
The personal data should be kept and preserved as confidential information. In order to prevent unauthorized access, illegal transactions, sharing, accidental loss, alteration or destroying of the Personal Data, they should be protected by taking the necessary administrative and technical measures and kept confidential at the personal level.
- Purposes of Processing Personal Data
Collecting and processing personal data shall be carried out within the scope of Clarification Text and the purposes stated below
- Data of Customers and Partners
- Data processing for contractual relation: : Personal data belonging to current and potential customer and business partners (if the business partner is a legal person, to the business partner’s representative) may be processed without further approval, for drawing up, execution and termination of a contract. Before the contract, during the beginning of the contract, the personal data may be processed in order to prepare offers, to issue a purchase form or to meet the requests of the data holder regarding the implementation of the contract. During the preparation of the contract, the data holders may be contacted in the light of the information they provide.
- Data processing for purposes of advertising: Personal data are processed for advertising or market and opinion researches only if the purpose for which this information is collected is appropriate for the said purposes. Data holders should be informed that the information will be used in relation to advertising. Data subjects may avoid of giving their data or consent to its processing, which is declared to be used for advertising purposes. For data to be processed for advertising purposes, the express consent of the data holder is required. Data supervisor can get the express consent of the data holder in this regard via electronic approval, mail, e-mail, sms or telephone. The use of personal data for advertising purposes is prevented without the express consent of the data holder.
- Data processing due to our legal obligations or expressly stipulated in the law:Personal data may be processed without further approval, for the purpose of expressly stating the processing in the relevant legislation or fulfilling a legal obligation determined by the legislation. The type and scope of data processing should be necessary for legally permitted data processing and must comply with relevant legal provisions.
- Legitimate interest principle in data processing:Personal data may be processed without further approval when it is necessary for a legitimate interest of Hermes Global Lojistik. Legitimate interests are usually legal interests.
- Processing sensitive personal data:Sensitive personal data are processed in the frame of Personal Data Protection Law (KVKK), provided that proper measures to be determined by the Board are taken. Sensitive personal data of the data holder, except from his/her health and sexual life, are processed with his/her express consent; if there is no express consent, they are processed within the scope of exceptions predicted in Personal Data Protection Law (KVKK).
Sensitive personal data regarding the health and sexual life of individuals, in cases where there is no express consent of the persons, may be processed by persons or authorized institutions and organizations under the confidentiality obligation, for the purpose of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.
- Data processed through exclusively automatic systems:Processing personal data obtained by automatic systems will not make the use of this data in business and processing that adversely affects the personal data holder justified and in accordance with the law. The personal data holder has the right to object to the emergence of a result against his/her by analyzing the processed data exclusively through automated systems. Upon the request of the personal data holder, Hermes Global Lojistik will try to take the necessary measures..
- User information and internet: : In case of collecting, processing and using the data on website or applications, the users who are the data holders should be informed on the use of the information they save on the site, the privacy notice and cookies.
- Principles related to processing data belonging to employees
In the process until the drawing up, execution and termination of the labor contract, collecting and processing personal data of the employees are obligatory. Express consents of the employees may not be obtained for this. Personal data of the possible employee candidates are processed in the job applications. In case of rejection of the application of the candidate, the personal data obtained during the application are preserved for the appropriate data keeping period for a next selection stage and at the end of this period, they are deleted, destroyed or anonymized. The below principles should be considered for processing personal data regarding the employees.
- Data transactions that are clearly stipulated in the law and carried out due to legal obligations:Personal data belonging to the employees may be processed without further approval, for the purpose of expressly stating the processing in the relevant legislation or fulfilling a legal obligation determined by the legislation.
- Processing data according to legitimate interest:Personal data belonging to the employees may be processed without further approval when it is necessary for a legitimate interest of Hermes Global Lojistik. Legitimate interests are usually legal or economical interests. In situations where the interests of employees should be protected, the personal data are not processed for the purposes of legitimate interest. Before the data are processed, it is determined whether there is interest that requires special protection. If the data belonging to the employees are processed based on the legitimate interest of Hermes Global Lojistik, it should be examined whether this processing is measured and it should be checked that the legitimate interest of the employees do not violate a rights that need to be protected.
- Processing sensitive personal data:Sensitive personal data are processed only under specific conditions. It is defined as the data on race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures and biometric and genetic data. Sensitive personal data may only be processed if there is a express consent of the employee and by taking the necessary administrative and technical measures. The below situations constitutes the exception of this term and the sensitive personal data may be processed in the stated situations even without the express consent of the employee.
-
- Sensitive personal data of the employees, except from their health and sexual life, in cases prescribed by the law,
- • Sensitive personal data of the employees regarding their health and sexual life may be processed by persons or authorized institutions and organizations under the confidentiality obligation, for the purpose of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.
- Data processed through exclusively automatic systems:If the personal data of the employees are processed as a part of the business relationship, through automatic systems, employees have the right to object to the emergence of a result against them or to the result by using these data.
- Telecommunication and internet:: Intranet and internet together with telephone equipments, e-mail addresses, and internal networks are provided by Hermes Global Lojistik primarily for duties related to the business. These are working equipments and Hermes Global Lojistik sources. These equipments are used in accordance with legal regulations and internal regulations of Hermes Global Lojistik. There is no inspection for telephone and e-mail communications or use of intranet and internet. in order to prevent attacks against Computer Technology (BT) infrastructure and individual users, while transiting to the Hermes Global Lojistik network, protective measures are taken that block technically harmful content or analyze the modeling of attacks. Use of telephone equipments, e-mail addresses, intranet/internet and/or internal social networks is saved for a certain time due to security issues. Evaluations of these data about the person are made only if there is a concrete doubt. These controls are carried out by the relevant departments only if the principle of proportionality is preserved.
- Forbidden Access: Hermes Global Lojistik processing makes the maximum effort for preserving and keeping the personal data that it collects with legal liabilities, legitimate interests and with their express consents in accordance with the purpose of collecting and it only shares the personal data with the related employees. Personal responsibility of the relevant employee will be taken and therefore legal measures will be taken regarding the works performed by the employees within the scope of their job descriptions and all kinds of works and transactions they do in relation to the personal data without access permission or that is not required, in cases where the Hermes Global Lojistik does not have an express written authorization. Therefore, the employees should receive regular training on not revealing or sharing the personal data illegally and a disciplinary process that will become valid in case of the employees do not abide by the security policies and procedures should be arranged.
- Transfer of personal data
Transferring the personal data to a third person other than Hermes Global Lojistik is done under the purposes stated in the Clarification Text and below. Accordingly, Hermes Global Lojistik may transfer the personal data to a person or institution given below for certain purposes;
- To the partners of Hermes Global Lojistik, limitedly, in order to ensure the fulfillment of the purposes of establishing the business partnership,
- To its suppliers, which Hermes Global Lojistik outsources from the supplier and who provide the products and services necessary for carrying out the commercial activities.
- To the subsidiaries of Hermes Global Lojistik, limited to ensuring the carrying out the commercial activities that require the participation of subsidiaries of Hermes Global Lojistik,
- To the shareholders of Hermes Global Lojistik, limited to the purposes of designing and inspecting the strategies regarding the commercial activities of Hermes Global Lojistik according to the provisions of Personal Data Protection Law (KVKK),
- To the public institutions and organizations legally authorized limited to the purposes requested by the relevant public institutions and organizations within their legal authority,
- To private persons/entities legally authorized limited to the purposes requested by the relevant private persons/entities within their legal authority.
After the Board announces the foreign countries that have enough protection, your personal data processed by Hermes Global Lojistik will be transferred to these countries. Transferring personal data to the countries and regions announced to not having enough protection may only be done by the holder’s approval or in situations where the data supervisors in Turkey and in the related foreign country gives written commitment stating the enough protection and where the Board has permission. Hermes Global Lojistik may also use cloud storing in processing your personal data.
VII. Rights of Data Holder
Rights of Data Holder:
- To find out whether their personal data are processed or not,
- To request information if their personal data are processed,
- To find out the purpose of processing the personal data and whether these are used according to its purpose or not,
- To know the third persons to whom the personal data is transferred in domestic or abroad,
- if the personal data is processed incompletely or incorrect, to request these to be corrected and to request the notification of the transaction made in this regard to the third parties to whom the personal data has been transferred,
- To request the deletion or destroying of personal data if the reasons requiring processing disappear, although it has been processed in accordance with the provisions of Personal Data Protection Law (KVKK) and the other related law and to request the notification of the transaction made in this regard to the third parties to whom the personal data has been transferred,
- To object to the emergence of a result against them by means of analyzing the processed data through exclusively automatic systems,
- They have right and authority to request the compensation for the damage in case of damage due to the illegal processing of personal data and when this request reaches to Hermes Global Lojistik, Hermes Global Lojistik should respond to the request within the period.
The exceptions of the rights granted to the personal data holders by Personal Data Protection Law (KVKK) are listed below and Hermes Global Lojistik has no liability to respond to the requests from the personal data holders in these cases:
- Processing the personal data for the purpose of research, planning and statistics by anonymizing with official statistics,
- Processing the personal data in the scope of artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or personal rights or constitute a crime,
- Processing the personal data in the scope of preventive, protective and informative activities carried out by public institutions and organizations legally authorized to ensure national defense, national security, public security, public order, economic security,
- Processing the personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
In accordance with the Personal Data Protection Law (KVKK), the related persons may not bring forward their rights other than the right to demand compensation for damage in these cases:
- Processing personal data being necessary for prevention of committing a crime or for criminal investigation.
- Processing the personal data made public by the personal data holder.
- Processing personal data being necessary for carrying out the works of inspection or regulation and disciplinary proceeding or prosecution, by competent and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
- Processing personal data being necessary for protection of economical and financial interests of the State regarding the budget, tax and financial issues.
Personal data holders, after they fill the Personal Data Application Form on our website www.hermesgloballojistik.com.tr can sign and send their above mentioned rights send the original to Fulya Mah. Prof. Dr. Bulent Tarcan Cad. No: 16 Sisli / Istanbul address together with the photocopies of their identity cards, by hand or by certified mail. For the applications to be made on behalf of the personal data holders, a power of attorney duly issued by the holder is required. Hermes Global Lojistik may request additional information from the related person in order to determine whether the applicant is the personal data holder and may ask questions to the personal data holder related to the application, in order to clarify the matters indicated in the application
Hermes Global Lojistik, according to the nature of the request, will conclude your request as soon as possible and within at the latest 30 (thirty) days for free.
VIII. Privacy
Personal data are subject to privacy. It is forbidden for the employees to collect, process or distribute the data without permission. Unauthorized use is the unauthorized data processing performed by employees outside of their legal duties. The know principle is applicable: Employees may reach personal data only if it is in accordance with the scope or nature of the subject task.
It is forbidden for employees to use personal data for private or commercial purposes, to distribute it to unauthorized persons or make it accessible in any other way. Managers should inform the employees regarding to the liabilities of data protection at the beginning of the business relationship. This liability continues after the business relationship ends.
- Security
Hermes Global Lojistik takes necessary precautions and checks regarding providing the proper security level for preventing the illegal processing of the personal data it processes, preventing illegal access to the data and ensuring the preservation of the data. This matter is applicable independent from processing the personal data electronically or in written. Especially, before starting new methods of data processing in the transition to new Computer Technology (BT) systems, technical and organizational measures for the protection of personal data are defined and implemented. These measures are based on the latest developments, risks of the transaction and the need for data protection as determined by the information classification process. Technical and organizational measures regarding the protection of personal data is a part of the company information security and they are constantly adapted to technical developments and organizational changes.
- Checks and Inspections
Compliance to the Personal Data Processing and Protection Policy and to Personal Data Protection Law (KVKK) is provided by regular inspection of data protection and by other checks.
- Data Violation Management
Hermes Global Lojistik will immediately take the necessary security measures for the protection of personal data obtained in violation of provisions of this Policy and Personal Data Protection Law (KVKK) and will notify the relevant person and the Board as soon as possible. In this regard, Hermes Global Lojistik is liable to constitute the system and application methods that will provide the requests and complaints of the personal data holders regarding their personal data to be conveyed to them the most effectively and as soon as possible. If it is required by the Board, this situation can be announced on the website of the Board or by another method.
XII. Liability of Registering to the Registry of Data Supervisors
Hermes Global Lojistik is exempt from the liability of registering to the Registry of Data Supervisors indicated in article 16 of Personal Data Protection Law (KVKK); when the liability of registering arises within the period to be determined and announced by the Board, it will register to the Registry of Data Supervisors by submitting the application information and documents mentioned in Personal Data Protection Law (KVKK). Accordingly, information and documents to be submitted to the Board for the registration are as below:
- Identity and address information of Hermes Global Lojistik, as the data supervisor, and if there is, of its representative,
- Purpose of processing the personal data,
- Explanations on the data subject group and groups and the data categories of these persons,
- Receiver or receiver groups to whom personal data can be transferred,
- personal data intended to be transferred to foreign countries,
- Measures taken regarding personal data security,
- The maximum period required for the purpose of processing the personal data.