Privacy Policy

1. Purpose

The main purpose of this Policy of Protection and Processing of Personal Data (“Policy”) is to explain the personal data processing activities carried out by SST Teknoloji A.Ş. (“the Company”) in accordance with the law and the systems adopted for the protection of personal data, to determine the procedures and principles to be followed by data controllers due to their relationship with the Company, and to ensure transparency towards the persons whose data is processed.

The Company maintains its activities in accordance with the provisions related to the protection and privacy of personal data laid down in particular in the Constitution of the Republic of Turkey and the international conventions to which we are a party, as well as the Law on Protection of Personal Data (“KVKK”) and the relevant legislation. The Company approaches the protection of personal data and fundamental rights and freedoms with maximum sensitivity; it focuses on fundamental human rights such as the right to privacy and freedom of expression in all of its activities.

2. Scope and Implementation

This Policy has been prepared in compliance with the applicable regulations and international standards. The Company will primarily implement this Policy in all data processing activities, such as processing, transferring, changing data.

The Company also has different policies addressing the protection of personal data and ensuring information security in relation to certain business activities and processes. This Policy does not override the data protection terms in the different policies of the Company, unless it includes additional terms or demands a higher standard for the protection of personal data. This Policy is implemented in conjunction with such other policies and procedures to the extent it is appropriate.

In case of a conflict between the provisions of the relevant applicable legislation on the protection and processing of personal data and the provisions of this Policy, the up-to-date legislation provisions will prevail.

3. Definitions

KVKK: Law on Protection of Personal Data numbered 6698

GDPR: General Data Protection Regulation of European Union

Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on authorization granted by him/her.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and manages the data filing system (the place where the data is kept systematically).

Data Owner/Data Subject: The natural person whose personal data are processed, including, but not limited to, employees, customers, business partners, shareholders, officials, potential customers, employee candidates, interns, visitors, suppliers of the Company and its affiliates, employees of the institutions with which the Company cooperates and third parties.

Explicit Consent: Freely given, specific and informed consent.

Personal Data: Any information relating to an identified or identifiable natural person.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometrics and genetics.

Processing of Personal Data: Any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.

Anonymization of Personal Data: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

Deletion of Personal Data: Making personal data inaccessible and unfit for re-use for relevant users.

Destruction of Personal Data: Making personal data inaccessible, unretrievable and unfit for re-use for anyone.

Board of PDP / Board: The Personal Data Protection Board.

PDP Authority / Authority: The Personal Data Protection Authority.

4. Processing of Personal Data

4.a. Principles for Processing of Personal Data

The Company’s policies and procedures are implemented in parallel with the processing principles stipulated in the KVKK and relevant legislation. We know that these principles are vital to the exercise of the rights of the data subjects and their control over data, and we take great care to emphasize these principles in all our processing activities. Our principles for protection of personal data are as follows:

Personal data are processed lawfully, fairly and in a transparent manner.

In data processing activities, the Company relies on the legal bases for processing of data laid down in the KVKK. In addition, it considers the reasonable expectations of the data subjects in accordance with the principle of honesty. The Company uses clear and understandable language in its communication with the data subjects and is always easily accessible.

Personal data are processed only for specified, explicit and legitimate purposes. The Company determines the purpose for processing before data processing activities. The data are processed only for additional purposes that are compatible with the initial purpose for processing.

Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Our Company processes data to the extent that is obligatory for the purpose of data processing. Data is obtained using the method most appropriate to ensure the privacy and security of the data. In our processing activities, disproportionate interference with the rights, interests and freedoms of data subjects is avoided.

Personal data are accurate and up to date, where necessary. The Company ensures that the data are up to date in all processing activities. Incomplete, incorrect or inaccurate data are destroyed or corrected as soon as possible. The Company verifies at regular intervals that the data are current.

Personal data are stored for the time set forth in the relevant regulation and necessary for the purposes for which the personal data are processed. When the purposes for data processing cease to exist, the data are deleted, destroyed or anonymized as soon as possible. Personal data are processed in a manner that ensures appropriate security of the personal data.

Our Company implements data security as the main principle. It takes the necessary administrative and technical measures by following the best practices in this direction. The Company demonstrates that it ensures compliance with other principles of KVKK and/or GDPR. Our Company adheres to the principle of accountability in all processing activities.

4.b. Purposes for Processing of Personal Data

Purposes for processing of personal data processed by our Company are as follows:

4.c. Legal Bases for the Processing of Personal Data:

The Company relies on one of the legal conditions for processing laid down in Article 5 of the KVKK when processing personal data. The conditions for processing personal data, in other words, the cases of compliance with the law, are limited in the Law and these conditions cannot be expanded. The Company relies on the following legal bases when processing personal data:

Our Company does not rely on the legal basis of explicit consent in the case of presence of another legal basis.

4.d. Legal Bases for Processing of Sensitive Personal Data

Sensitive personal data are data that will expose the person to discrimination in case of disclosure, such as religion, race, belief, health and sexual life of the person. Sensitive personal data cannot be processed unless one of the limited legal bases stipulated in Article 6 of the KVKK is present.

In this context, the Company processes sensitive personal data, except the data concerning health, on the legal basis of:

Explicit consent

Data concerning health are processed by the persons subject to secrecy obligation;

For the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

5. Disclosure Obligation

The Company is obliged to inform the data subjects in accordance with the KVKK and the Communiqué on the Procedures and Principles to be Observed in Fulfilling the Disclosure Obligation. If the personal data is obtained from the data subject, the Company informs the data subjects in person or through the persons authorized by the Company at the time of obtaining the data. If the personal data are not obtained from the data subject, the disclosure obligation is fulfilled within a reasonable time, at the time of the first communication if the data is to be used for communication with the data subject, and at the latest when the first transfer is made if the data is transferred.

The Company informs the data subjects, as a minimum, about the legal entity and address details of the Company, for what purpose the personal data will be processed, to whom and why the processed data can be transferred, the method of collecting personal data and the legal basis for the rights stipulated in Article 11 of the KVKK.

When the purpose for personal data processing changes, the obligation to inform for this purpose is fulfilled before the data processing activity.

Data Security

Our Company, as a data controller, is obliged, in the processing of personal data, to prevent unlawful processing of and access to personal data and to protect it. For this reason, the Company has implemented all technical and administrative measures regarding data security, including additional measures necessary to protect sensitive personal data. The measures implemented by our Company in this framework are listed below.

The Company’s Technical Measures The Company’s Administrative Measures

6. Transfer of Personal Data

6.a. Transfer within Country

Our Company transfers personal data to third parties relying on the conditions for data processing stipulated in Articles 5 and 6 of the KVKK. The Company takes all necessary security measures for data transfer activities. The groups of recipients to which our Company transfers data in this context are as follows:

Suppliers, for the purposes of Planning Human Resources Processes, Carrying Out Business Activities,

Competent Institutions and Organizations, for the purposes of Fulfilling the Obligations Arising from the Employment Contract and Legislation for Employees, Informing Competent Persons, Institutions and Organizations,

Public, for the purposes of Conducting Advertising/Campaign/Promotion Processes, Conducting Goods/Services Sale Processes, Organization and Event Management.

6.b. Transfer Abroad

The Company transfers data abroad by meeting one of the following conditions in accordance with Article 9 of KVKK.

Existence of explicit consent of the data subject,

The country to which personal data will be transferred having the status of “safe country” and adequate protection being provided,

Existence of their commitment for adequate protection in written form and authorization of the Board by regulating the rights and obligations of the Company and the recipient regarding data transfer.

The groups of recipients to which our Company transfers data in this context are as follows:

Group Companies, for the purposes of Planning Human Resources Processes, Conducting Performance Evaluation Processes, Conducting Financial and Accounting Affairs, Carrying Out/Auditing Business Activities, Conducting Contract Processes, Conducting Goods/Services Sale Processes, Conducting Wage Policy, Conducting Activities for Customer Satisfaction, Conducting Advertising/Campaign/Promotion Processes, Organization and Event Management, Conducting Strategic Planning Activities, Conducting Marketing Analysis Studies, Conducting Marketing Processes of Products/Services,

Suppliers, for the purposes of Planning Human Resources Processes, Conducting Financial and Accounting Affairs, Conducting Goods/Services Sale Processes, Conducting Goods/Services Production and Operation Processes,

Public, for the purposes of Conducting Advertising/Campaign/Promotion Processes, Conducting Goods/Services Sale Processes, Organization and Event Management.

7. Inventory of Personal Data

The Company has established a data inventory with the details stipulated by the Law regarding the personal data processed within the scope of KVKK. The Company’s data inventory includes the following details:

8. Roles and Responsibilities

The roles and responsibilities of our Company regarding the processing of personal data are as follows:

Marketing and Sales Department

The relevant department is responsible for communicating this Policy to the data subjects whose data have been processed, such as customers, subcontractors and suppliers.

Human Resources Department

The relevant department is responsible for communicating this Policy to the parties that process data on behalf of the Company, such as employees and shareholders, and for ensuring through regular checks that said data processors implement the Policy.

Legal Department

The relevant department is responsible for updating this Policy. The Department makes the necessary improvements by considering the needs of the Company’s information processing systems and carries out the process of updating the Policy when necessary.

The relevant department is the competent approval authority for approving the updates regarding this Policy.

The relevant department is responsible for the determination and implementation of sanctions for violations of the Policy.

9. Deletion, Destruction and Anonymization of Personal Data

In accordance with Article 7 of the KVKK and provisions of other relevant legislation, in the event that the reasons for the processing of personal data no longer exist, the personal data are deleted, destroyed or anonymized upon the Company’s decision, periodic checks and/or upon the request of the data subject.

10. Rights of the Data Subject and Exercise of the Rights

a. Rights of the Data Subject

The data subjects have the following rights regarding their personal data processed in accordance with Article 11 of the KVKK:

b. Exercise of the Rights

Applications and requests regarding personal data may be transmitted to SST Teknoloji A.Ş. Şirketi through the Data Subject Application Form: 

  1. By sending the signed Application to Kucukbakkalkoy Mah. Kayisdagi Cad. No:1/105 Allianz Tower K:28 Atasehir/Istanbul with a photocopy of your ID,
  2. By sending the Application to [email protected] using your e-mail address registered in our system,
  3. By sending the Application signed with your e-signature via registered e-mail (KEP) to [email protected],
  4. By personally applying to SST Academy with a valid identity document and signed Application

The data subject, within the scope of legal obligations regarding the procedures and principles of application to the data controller, must include in his/her application his/her name, surname, signature if the application is in written form, the Republic of Turkey Identity Number if the data subject is a Turkish citizen, the nationality and passport (identity card, if any) number if the data subject is a foreigner, the place of residence or business address, e-mail address and fax number, if any, to be used for notifications, and lastly the subject of the request. In addition, the documents confirming the identity, as well as information and documents regarding the subject of the request, must be attached to the application.

In order to operate the process in the most effective way, the right requested to be exercised and the details of the requested operation should be clearly and understandably specified in the subject of the request.

The subject of the request must concern the data subject himself/herself. If the application is made on behalf of another person, the person making the request must rely on a specially documented authorization for the requested process (power of attorney). Applications made without authorization will not be considered.

c. Consideration of the Application

Applications are considered and a response is made as soon as possible and no later than within 30 days from the date we receive the application.

During the consideration process, additional information and documents may be requested if required, and a fee may be charged for fulfilling the request in cases where this is consistent with the relevant legislation.

The Company takes all necessary administrative and technical measures in order to conclude the applications made by the data subject effectively and in accordance with the law and the rules of good faith.

d. Rejection of Application

Any application is rejected in the events that:

If the application is rejected, the Company notifies the data subject of the rejection and explains its reason.

e. Right to Complain

In the applications made to the Company, the data subject has the right to lodge a complaint with the Board if his/her application is rejected, or the response given by the Company is found insufficient, or if the Company does not respond within 30 days.

The data subject may exercise his/her right to lodge a complaint within 30 days from the date he/she learns about the response of the Company and within 60 days from the date of application, in any case.

11. Entry Into Force

This Policy shall enter into force on 14/04/2023.

12. Updating the Policy

This Policy will be updated if necessary in accordance with the Law on the Protection of Personal Data and other legislation.

ANNEX-1 TABLE REGARDING STORAGE AND ANNIHILATION TERMS RELATING TO PERSONAL DATA

| RELEVANT DEPARTMENT | MAIN PROCESS | STORAGE TERM | ANNIHILATION PERIOD |
|---|---|---|---|
| Human Resources | Hiring Process | 2 years following the job interview | Within 30 days of the data subject’s application regarding the request for annihilation OR 180 days following the expiry of the storage term |
| Human Resources | Onboarding – Offboarding Processes | 10 years following termination of work contract of employees | |
| Human Resources | Payroll Transactions | 10 years following termination of work contract of employees | |
| Human Resources | Health and Safety Matters | 15 years following termination of work contract of employees | |
| Accounting | Making Payments (excluding Employees) | 10 years following the transaction date | |
| Accounting | Obtaining Payments | 10 years following the transaction date | |
| Accounting | Making Payments to Employees | 10 years following termination of work contract | |
| Legal | Contracts | 10 years following termination/expiry of such contract | |
| Legal | General Assembly, Board of Directors meetings | 10 years following date of the documents | |
| Legal | Litigation and Enforcement Proceedings | 10 years following the transaction date | |
| IT | CCTV | 25 days | |
| IT | Log Records | 2 years following the transaction date | |
| Academy | Training Activities | 10 years following the training date | |
| Admin. Affairs | Obtaining Cards and Giving Numberplates | Until the dismissal/resignation of employee | |
| Marketing | Customer Data | 5 years | |
| Procurement | Proposals | 10 years following the request date | |