Privacy Policy
PERSONAL DATA PROTECTION POLICY (GENERAL)
This policy determines the general framework of the data processing activities of EDB TURİZM ORGANIZATION VE DANISMANLIK HIZ LTD STI (hereinafter referred to as “EDB LTD STI”).
1. Scope, Purpose and Users
EDB LTD STI strives to comply with the applicable laws and regulations on the protection of Personal Data in the countries in which it operates. This Policy sets out the basic principles governing EDB LTD STI’s processing of the personal data of its customers, suppliers, employees and other persons, and specifies the responsibilities of business departments and employees when processing personal data. This Policy applies to EDB LTD STI and to the third parties that process the personal data of data subjects on its behalf. Users of this document are all employees, permanent or temporary, and all contractors working on behalf of EDB LTD STI.
2. Reference documents
- EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- Türkiye Personal Data Protection Law (Law No. 6698)
- Policy on Protection of Employee Personal Data
- General Data Protection Notice
- Data Storage Policy
- Data Protection Impact Assessment Guidelines
- Information Security Policy
- Breach Notification Procedure
3. Definitions
The following definitions of the terms used in this document are taken from Article 4 of the General Data Protection Regulation of the European Union:
Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Sensitive Personal Data: Personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms and which merits specific protection, because the context of its processing could create significant risks to the fundamental rights and freedoms of the person concerned. It includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person’s sex life or sexual orientation.
Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of a Data Controller.
Processing: Any operation performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Anonymisation: Irreversibly de-identifying personal data in such a way that the person cannot be identified by the controller or by any other person using the time, cost and technology reasonably likely to be used. The personal data processing principles do not apply to anonymised data, because it ceases to be personal data.
Pseudonymisation: Processing personal data in such a way that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures ensuring that it cannot be linked back. Pseudonymisation reduces, but does not eliminate, the ability to associate personal data with a data subject. Because pseudonymised data remains personal data, its processing must comply with the personal data processing principles.
Supervisory Authority (Audit Authority): The data protection authority established under Law No. 6698 of the Republic of Turkey (the Personal Data Protection Authority, KVKK).
4. Basic Principles Regarding the Processing of Personal Data
The data protection principles set out the basic responsibilities of organisations that process personal data. The relevant article of the KVKK (Law No. 6698) states that “the controller is responsible for compliance with the principles and must be able to demonstrate compliance with them”.
4.1 Lawfulness, Fairness and Transparency
We will only process personal data where we have one of the following legal bases (legal grounds) to do so under data protection law:
- The processing is necessary for EDB LTD STI to perform a contract with the person, i.e. we need the data to carry out the person’s instructions, or the person has asked EDB LTD STI to take certain steps before entering into a contract
- The processing is necessary for EDB LTD STI to comply with a legal obligation, in particular legal requirements arising from Decree Law No. 663, the main legislation establishing us as a legal entity
- The processing is necessary for the legitimate interests of EDB LTD STI or of a third party (provided that these interests are not overridden by the rights and freedoms of the person)
- The individual has freely given express consent
4.2 Purpose Limitation
We will only collect personal data for specified, explicit and legitimate purposes. In accordance with the General Data Protection (or Privacy) Notice, we explain these purposes to individuals when we first collect their data. If we wish to use personal data for purposes other than those stated when we first received it, we will inform the persons concerned before doing so and obtain their permission where necessary. EDB LTD STI staff will only process personal data where it is necessary to perform their job. When staff no longer need the personal data they hold, they will ensure that it is deleted or anonymised; encrypting data that is no longer needed does not end its retention, since encrypted data remains personal data. This will be done in accordance with EDB LTD STI’s Data Retention Policy.
4.3 Data Minimisation
All personal data processed is limited to what is adequate, relevant and necessary in relation to the purposes for which it is processed. Where possible, EDB LTD STI applies anonymisation or pseudonymisation of personal data in order to reduce the risks to the data subjects concerned.
4.4 Accuracy
All personal data processed is accurate and, where necessary, kept up to date; reasonable steps are taken to promptly delete or correct personal data that is inaccurate having regard to the purposes for which it is processed.
4.5 Storage Limitation
Personal data will be kept in a form that permits identification of the individual no longer than is necessary for the purposes for which it is processed; after that it will be deleted or anonymised. Pseudonymised or encrypted data remains personal data (see the definitions in section 3) and is therefore still subject to this limit. The applicable periods are set out in our Data Retention Policy.
4.6 Integrity and Confidentiality
EDB LTD STI implements appropriate technical and organisational measures to process personal data in a manner that ensures its appropriate security, including protection against accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure, taking into account the state of the art and other available security measures, the cost of implementation, and the likelihood and severity of the risks to personal data. We will take measures to demonstrate that we integrate data protection into all our data processing activities, including:
- Processing only the personal data necessary for each specific processing purpose, and always in accordance with the data protection principles set out in applicable data protection law
- Completing privacy impact assessments where EDB LTD STI’s processing of personal data poses a high risk to the rights and freedoms of individuals and when new technologies are introduced (the DPO will advise on this process)
- Integrating data protection into internal documentation, including this policy and all related policies and privacy notices
- Regularly training staff members on data protection law, this policy, related policies and other data protection issues, and keeping a record of attendance
- Conducting regular reviews and audits to test our privacy measures and ensure we are compliant
- Keeping records of our processing activities, including:
  - The name and contact details of EDB LTD STI, and the information we must give data subjects (via our Data Protection notices) about how we use and process their personal data
  - For all personal data we hold, information on the type of data, the data subjects, how and why we use the data, any third-party recipients, how and why we keep the data, the retention periods, and how we keep the data secure
4.7 Accountability
EDB LTD STI, as a Data Controller, is responsible for, and able to demonstrate, compliance with the principles set out above.
5. Establishing Data Protection in Business Activities
To demonstrate compliance with data protection principles, EDB LTD STI has incorporated data protection into its business activities.
5.1 Notification to Data Subjects (see Fair Processing Guidelines, section 6.1)
5.2 Data Subject’s Choice and Consent (see Fair Processing Guidelines, section 6.2)
5.3 Collection
EDB LTD STI strives to collect the least amount of personal data possible. If personal data is collected from a third party, we will ensure that it is collected in accordance with the law. We collect and use your personal data to manage our relationship with you, including responding to your enquiries or complaints, providing our Services to you, administering our Agreements with you, informing you about other services, partners, promotions and events, administering and improving our Website and Services, responding to requests from authorities, complying with our contractual and legal obligations, and for other legitimate business purposes. EDB LTD STI does not share, sell, rent or trade personal data with third parties for promotional purposes.
When you express interest in obtaining additional information about the Services or register for an event, you provide personal contact information such as name, company name, address, telephone number and email address so that EDB LTD STI can contact you. Additionally, when you purchase the Services or register for an event, EDB LTD STI may also require you to provide financial qualification and billing information, such as billing name and address, and the number of employees in the organisation using the Services (the latter is not considered personal data). In order to provide you with a Service, we may request information from you and collect it in person, over the telephone, through written or digital correspondence, or through the website.
We use cookies and other technologies to track the use of our websites and services, subject to your consent where required by law. Subject to your consent where required by law, we may use your personal data to carry out marketing, promotional and information activities, to conduct business analytics, satisfaction surveys or market research, and for direct marketing. We may share your personal data with third-party providers we engage to process data on our behalf, where required by law or otherwise permitted by law. In accordance with applicable law, you have the right to access the personal data we hold about you, to correct or delete inaccurate data, and to object at any time and free of charge to the processing of your personal data for direct marketing purposes, as well as any other rights under applicable law.
5.4 Use, Storage and Disposal
The purposes, methods, storage limitation and storage period of personal data are consistent with the information contained in the General Data Protection Notice. EDB LTD STI will protect the accuracy, integrity, confidentiality and suitability of personal data according to the purpose of processing. Adequate security mechanisms are used to protect personal data against theft, loss or misuse and to prevent personal data breaches. We will keep personal data secure against unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage. In particular:
- Paper-based records containing personal data are kept under lock and key when not in use.
- Portable electronic devices such as laptops and external drives containing personal data are encrypted, and access requires not only a password but also a second authentication factor (usually a one-time code sent to the user’s mobile phone)
- Paper containing confidential personal data should not be left on office desks, staffroom desks, posted on notice/display boards or any other place with public access.
- Passwords of at least 8 characters, containing letters and numbers, are used to access EDB LTD STI computers, laptops and other electronic devices. Staff are reminded to change their passwords regularly and never to share them with others
- Staff storing personal data on personal devices are expected to follow the same security procedures as on EDB LTD STI-owned equipment (see our ICT policies)
- Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure that it is securely stored and adequately protected (see section 5.5)
- Anonymising or pseudonymising data where possible
5.5 Disclosure to Third Parties
Personal data is very rarely entrusted to third parties, but where EDB LTD STI uses a third-party supplier or business partner to process personal data on its behalf, we will ensure that this processor provides security measures appropriate to the risks involved in order to protect the personal data. We will enter into a data sharing agreement with the supplier or contractor to ensure that any personal data we share is treated fairly and lawfully. EDB LTD STI will contractually require the supplier or business partner to provide the same level of data protection as EDB LTD STI provides. The supplier or business partner must process personal data only to fulfil its contractual obligations towards EDB LTD STI or on instructions from EDB LTD STI, and for no other purpose. Where EDB LTD STI processes personal data jointly with an independent third party, EDB LTD STI shall clearly state the respective responsibilities of the third party in the relevant contract or other legally binding document. A list of such partners may be provided to Customers upon request, provided there is a legitimate reason to do so.
5.6 Access Rights of Data Subjects
Individuals have the right to make a Subject Access Request to gain access to the personal data that EDB LTD STI holds about them. This includes:
- Confirmation that personal data is being processed
- Access to a copy of the data
- Purposes of data processing
- Relevant categories of personal data
- Whether the data is shared, and if so, with whom it is shared
- How long the data will be retained or, if this is not possible, the criteria used to determine this period
- The source of the data, if not the person
- Whether any automated decision-making has been applied to their data and what the significance and consequences of this might be for the individual.
5.7 Subject access requests must be submitted in writing to the DPO by letter or email. They should include:
- The person’s name
- Correspondence address
- Contact number and email address
- Details of the information requested
A Data Subject Access Request Form will be sent to the person.
5.8 Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they have provided to us in a structured, commonly used and machine-readable format, and to transmit this data to another controller.
5.9 Right to be Forgotten
Data Subjects have the right to request that EDB LTD STI delete their personal data. Where EDB LTD STI acts as a Controller, we will take the necessary measures (including technical measures) to inform third parties using or processing this data so that the request can be complied with.
6. Fair Processing Guidelines
Personal data must only be processed when expressly authorised by EDB LTD STI. EDB LTD STI will decide whether to carry out a Data Protection Impact Assessment for each data processing activity in accordance with the Data Protection Impact Assessment Guidelines.
6.1 Notifications to Data Subjects
At the time of collection, or before collecting personal data for any processing activity (including but not limited to the sale of services or marketing activities), we will inform data subjects about: the types of personal data collected, the purposes of processing, the processing methods, the rights of data subjects in relation to their personal data, the storage period, any international data transfers, any sharing of data with third parties, and EDB LTD STI’s security measures to protect personal data. This information is provided through the General Data Protection (or Privacy) Notice. Where personal data is shared with a third party, we will ensure that Data Subjects are informed of this via the General Data Protection Notice. If personal data is transferred to a third country in accordance with the Cross-Border Data Transfer Policy, the General Data Protection Notice will reflect this and clearly state where, and to which organisation, the personal data will be transferred. Where sensitive personal data is collected, we will ensure that the purpose of collecting it is clearly stated in the General Data Protection Notice.
6.2 Obtaining Consent
Where the processing of personal data is based on the consent of the Data Subject, we will keep a record of that consent; where it is based on another legal ground, we will record the ground relied upon. We will give Data Subjects the information they need to decide whether to consent, and ensure that consent can be withdrawn at any time. If correction, amendment or destruction of personal data records is requested, we will ensure that the request is handled within a reasonable period of time, and we will keep a record of such requests. Personal data will be processed only for the purposes for which it was originally collected. If EDB LTD STI wishes to process the collected personal data for another purpose, it will obtain the consent of the Data Subjects in a clear and concise written request. Any such request shall state the purpose for which the data was originally collected, any new or additional purposes, and the reason for the change of purpose. Now and in the future, we will ensure that our collection methods comply with the relevant legislation, good practice and industry standards.
7. Organization and Responsibilities
Responsibility for ensuring appropriate personal data processing rests with everyone who works for or with EDB LTD STI and has access to personal data processed by EDB LTD STI. The administrative board of EDB LTD STI makes and approves decisions on EDB LTD STI’s general strategies for the protection of personal data, and is responsible for:
- Ensuring that all systems, services and equipment used to store data meet acceptable security standards
- Performing regular checks and scans to ensure that security hardware and software are working properly
- Raising the awareness of all employees about the protection of users’ personal data
- Organising personal data protection expertise and awareness training for employees working with personal data
- Protecting employees’ personal data end to end, ensuring that it is processed only on the basis of the employer’s legitimate business purposes and necessity
- Passing personal data protection responsibilities on to suppliers, ensuring suppliers’ awareness of personal data protection, and ensuring that personal data requirements flow down to any third parties or suppliers they use
- Approving all data protection statements included in communications such as emails and letters
- Handling data protection enquiries from the general public, journalists or media organisations such as newspapers
8. Response to Personal Data Breach Incidents
When EDB LTD STI learns of a suspected or actual personal data breach, an internal investigation is conducted and appropriate corrective measures are taken in a timely manner. Where there is a risk to the rights and freedoms of Data Subjects, EDB LTD STI must notify the relevant data protection authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. When a personal data breach or suspected breach affects personal data processed by EDB LTD STI as Data Controller, the following actions are taken to determine whether the breach must be reported to the Supervisory Authority:
- An internal risk assessment is carried out on the processing activity affected by the breach to determine the risk to the rights and freedoms of the affected data subjects
- If the breach is unlikely to pose a risk to the rights and freedoms of the affected data subjects, no notification is required; the breach must nevertheless be recorded in the Data Breach Register
- If the breach is likely to pose a risk to the rights and freedoms of the affected data subjects, the Supervisory Authority must be notified without undue delay and within 72 hours at the latest. Where notification is made after 72 hours, the reasons for the delay must be given to the Supervisory Authority
Notifications to the Supervisory Authority include:
- A description of the nature of the breach
- Affected categories of personal data
- Approximate number of data subjects affected
- Name and contact details of the Data Protection Officer
- Consequences of personal data breach
- Measures taken against personal data breach
- Any other relevant information regarding the breach
9. Audit and Accountability
The administrative board is responsible for monitoring how well this Policy is implemented throughout EDB LTD STI. Any employee who violates this Policy will be subject to disciplinary action, and may also be subject to civil or criminal liability if the employee’s conduct violates laws or regulations.
10. Legal Disputes
This Policy aims to comply with the laws and regulations of the place where EDB LTD STI is established and of the countries in which it operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
11. Management of records kept based on this document
The administrative board is responsible for storing, updating and reviewing all records kept by EDB LTD STI. EDB LTD STI’s authorised signatory …………………………….. has overall responsibility for this policy and its annual review.