PROTECTION AND PROCESSING OF PERSONAL DATA POLICY
CHAPTER ONE
Introduction, Objective, Scope and Definitions
1. Introduction
Turkish Petroleum Off-Shore Technology Center Anonim Şirketi (“TP-OTC”) attaches great importance to the protection and processing of personal data, in accordance with the right to privacy and the fundamental rights and freedoms guaranteed by the Constitution of the Republic of Türkiye.
2. Objective and Scope
The main purpose of TP-OTC’s Personal Data Protection and Processing Policy (“Policy”) is to provide explanations regarding the protection and processing of personal data carried out by TP-OTC in accordance with the Personal Data Protection Law No. 6698 (“Law”) and in line with the principles adopted, and to remind individuals whose personal data is processed of the rights granted by the Law and provide necessary information within this scope.
In relation to the issues specified in this Policy, the necessary procedures are organised within TP-OTC and clarification texts are created in accordance with the Personal Data Processing Inventory; personal data protection and confidentiality agreements are concluded with TP-OTC employees and third parties; job descriptions are revised; the necessary administrative and technical measures are taken for data security; and the necessary audits are carried out within this scope.
This Policy covers all personal data of our current employees, employee candidates, visitors, and third parties with whom we cooperate that is processed by automatic or non-automatic means, and it applies to the individuals so specified.
3. Definitions
In this Policy, the following terms have the meanings given below:
Explicit Consent: Consent relating to a specific subject, based on information and given of one’s own free will,
Data Subject: The real person whose personal data is being processed,
Law: Personal Data Protection Law no. 6698,
Personal Data: Any kind of information relating to an identified or identifiable natural person,
Personal Data Processing Inventory: The inventory created by data controllers in accordance with their business processes, by associating personal data processing activities with the purposes and legal bases of processing, data categories, recipient groups to whom the personal data is transferred, data subject groups, and by disclosing the maximum retention period necessary for the purposes for which personal data is processed, as well as the personal data envisaged to be transferred to foreign countries and the measures taken for data security,
Anonymization of Personal Data: The process by which personal data is rendered in a way that it cannot be associated with a specific or determinable real person, even by matching it with other data,
Processing of Personal Data: Any operation carried out on personal data, either fully or partially, by automated means or by non-automated means which form part of any data recording system, including collection, recording, storage, retention, alteration, reorganization, disclosure, transferring, taking over, making retrievable, classifying, or preventing the use thereof, provided that it shall not be a process that changes the identity of personal data,
Deletion of Personal Data: Making personal data inaccessible and unavailable to relevant users,
Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and irreversible and non-reusable by anyone in any way,
Board: The Personal Data Protection Board,
Institution: Personal Data Protection Agency,
Special Categories of Personal Data: Data on individuals’ race, ethnicity, political opinion, philosophical belief, religion, sect, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data,
Policy: TP-OTC Protection and Processing of Personal Data Policy,
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system,
CHAPTER TWO
General Principles
4. Implementation of the Policy and Relevant Legislation
The relevant legal regulations in force regarding the processing and protection of personal data will primarily apply. In case of any inconsistency between the current legislation and the Policy, TP-OTC acknowledges that the current legislation will prevail in its implementation.
5. For What Purposes Do We Process Your Personal Data
- Execution of Emergency Management processes
- Execution of Information Security Processes
- Execution of Employee Candidate / Intern / Scholarship Processes
- Execution of Employee Candidate Application Processes
- Fulfillment of The Obligations Arising From The Work Flow and Legislation
- Determining Equipment to be Provided to Employees
- Execution of Training Activities
- Execution of Access Authorisations
- Execution of Finance and Accounting Transactions
- Ensuring Physical Space Security
- Monitoring and Managing Legal Affairs
- Execution of Internal Audit / Investigation / Intelligence Activities
- Execution of Communication Activities
- Planning of The Human Resources Processes
- Execution of Occupational Health and Safety Activities
- Execution of Performance Evaluation Processes
- Execution of Storage and Archive Activities
- Execution of Travel Organizations
- Execution of Contract Processes
- Execution of Insurance Processes
- Foreign Personnel Work and Residence Permit Procedures
- Informing Authorized Persons, Institutions and Organizations
- Creating and Monitoring Visitor Records
- Other Activities That Will Be Included In Our Personal Data Processing Purposes
6. Issues Regarding the Protection of Personal Data
In accordance with Article 12 of the Law, TP-OTC is obliged to take the necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unauthorized access to data, and to ensure the security of data at an appropriate level; within this scope, it is also obliged to conduct, or have conducted, the necessary audits.
TP-OTC, in this context, takes and oversees the necessary technical and administrative measures to ensure the required security level in accordance with the guidelines published by the Personal Data Protection Board (“Board”).
6.1 Technical and Administrative Measures
The main technical and administrative measures taken by TP-OTC to ensure the lawful processing of personal data, prevent unauthorized access, and secure data in safe environments are outlined below.
- Network security and application security are ensured.
- Closed system networks are used for transferring personal data over the network.
- Security measures are taken within the scope of information technology system procurement, development, and maintenance.
- Necessary authorizations and role distributions exist for access to our information systems.
- Employees are required to sign confidentiality agreements, and the disciplinary process for employees who do not comply with security policies and procedures is implemented in accordance with TP-OTC’s Human Resources Directive.
- Access logs are regularly maintained.
- Access is recorded, and unauthorized access is controlled.
- Data masking measures are implemented when necessary.
- The access authorisations of employees whose duties have changed or who have left the company are revoked.
- Current antivirus systems are used.
- Security vulnerabilities are monitored and appropriate security patches are installed; information systems are kept up to date; strong passwords are used in electronic media where personal data are processed; secure logging systems are used; and backup programmes are used to ensure that personal data are stored securely.
- Firewalls are used.
- The signed contracts contain data security provisions.
- The necessary measures are taken for the physical security of TP-OTC’s information technology equipment, software, and data; risks related to preventing unlawful processing are identified, and appropriate technical measures are taken to mitigate these risks.
- Security measures are also in place for entries and exits to physical environments containing personal data.
- The security of environments containing personal data is ensured.
- Personal data is backed up, and the security of the backed-up personal data is ensured.
- External backup applications with the necessary encryption standards are used to securely store personal data in electronic environments, and these applications are completely closed to external access.
- A user account management and authorization control system is implemented, and its operation is monitored.
- Log records are maintained in a way that prevents user intervention.
- Special category personal data is protected using secure encryption/cryptographic keys.
- Intrusion detection and prevention systems are used.
- Server cabinets in the server room are kept locked for physical security.
- Cybersecurity measures have been taken and their implementation is continuously monitored. The information technology network where our systems are located is protected with the highest level of security standards against external access.
- The main server room where our servers are located is equipped with a gas-based fire suppression system and has an air conditioning system inside.
- Our servers are protected by redundant firewalls; we use specialized antivirus software, log recording software that tracks all activities, and a two-factor authentication system for server access; and there is a specific role and authorization distribution for server access.
- All our computer systems are regularly subjected to penetration tests to check for vulnerabilities; if vulnerabilities are identified, appropriate measures are taken and the system is isolated from external access.
- All our computer systems operate with redundancy measures in place.
- Data loss prevention software is used.
7. Matters Regarding The Processing of The Personal Data
TP-OTC processes personal data in accordance with Article 20 of the Constitution and Article 4 of the Law: in compliance with the law and the principles of lawfulness and fairness; accurately and, where necessary, up to date; for specified, explicit, and legitimate purposes; in a manner relevant to, limited to, and proportionate to the purpose; and it stores personal data for the duration required by the relevant legislation or by the purpose of processing.
TP-OTC processes personal data based on one or more of the conditions specified in Article 5 of the Law on the grounds of Article 20 of the Constitution and Article 5 of the Law.
TP-OTC, in accordance with Article 20 of the Constitution and Article 10 of the Law, informs the data subjects and provides the necessary information when data subjects request it.
TP-OTC complies with the regulations stipulated in accordance with Article 6 of the Law regarding the processing of special categories of personal data.
TP-OTC complies with the regulations stipulated in accordance with Articles 8 and 9 of the Law regarding the transfer of personal data, as well as the regulations established by the Board.
7.1. Processing in Compliance with Lawfulness and Fairness
TP-OTC acts in accordance with the principles set forth in legal regulations and the general principles of trust and good faith when processing personal data. In this scope, TP-OTC observes the principle of proportionality in the processing of personal data and does not use personal data for purposes other than those specified.
7.2. Ensuring that Personal Data is Accurate and Up-to-date Where Necessary
TP-OTC ensures that the personal data it processes is accurate and kept up-to-date, taking into account the fundamental rights and legitimate interests of the data subjects, and takes the necessary measures in this regard.
7.3. Processing of Data for Specified, Explicit and Legitimate Purposes
TP-OTC clearly and precisely determines the legitimate and lawful purposes for processing personal data, and processes only the personal data that is relevant and necessary for the services it provides.
7.4. Being Relevant, Limited and Proportionate to the Purpose for Processing
TP-OTC processes personal data in a manner that enables the specified purposes to be carried out, avoids processing personal data that is not relevant to those purposes, and takes maximum care to ensure that data unnecessary for the purpose is not processed.
7.5. Storage of Data For a Period Stipulated by the Respective Legislation or Required For the Processing Purpose
TP-OTC retains personal data only for the period necessary to fulfill the purposes specified in the relevant legislation or the purpose for which the data were processed. In this scope, TP-OTC first determines whether the relevant legislation specifies a retention period for the personal data. If a period is specified, TP-OTC acts in accordance with it; if no period is specified, it retains the personal data for the period necessary for the purpose for which they were processed. At the end of the specified period, or when the reasons requiring processing cease to exist, TP-OTC deletes, destroys, or anonymizes the personal data.
Even if the employment contract of personnel is terminated for any reason, personal data may be retained by TP-OTC for the period required by legal obligations, as long as required by the laws or necessary for the purpose of data processing, or in cases where TP-OTC’s legitimate interests are involved, provided that it complies with the periods specified in the laws.
8. Method of Personal Data Collection
Personal data is collected by TP-OTC through various channels, including email, fax, career websites, social media, printed forms, consulting firms, camera recordings, and other channels. Personal data can be processed and transferred without obtaining explicit consent if one of the conditions specified in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law exists, in accordance with the principles set forth in the second paragraph of Article 4 of the Law.
9. Transfer of Personal Data
In accordance with the purposes of lawful personal data processing, TP-OTC can transfer the personal data and special categories of personal data of the data subject to third parties in compliance with Article 8 of the Law by taking the necessary security measures.
Personal data can be stored, processed, used and transferred within the joint database established by TP-OTC and/or the data processor designated by TP-OTC.
Personal data may be transferred to third parties, group companies, shareholders, affiliated companies, and subsidiaries to whom TP-OTC provides services or from whom it receives services, if necessary for the protection of personal data and/or upon the request of the personnel, and personal data may also be processed by these companies, banks, institutions, and organizations.
Personal data processed by TP-OTC in compliance with the law may be disclosed and transferred to companies providing support services for the purpose of conducting activities, independent audit firms, and other third parties due to various legal obligations.
For all these purposes, communication with the Personnel can be established through various communication methods such as text messages, phone calls, internet, email, and other communication channels, both domestically and internationally.
For the purpose of security, compliance with laws and regulations, and meeting the requirements of the ISO 27001 Information Security Management System, TP-OTC may record the time that the Personnel spends in the workplace using video camera systems in both indoor and outdoor areas.
10. Deletion, Destruction and Anonymisation of Personal Data
Within the scope of the Law, personal data processed in accordance with the relevant legislation are automatically deleted, destroyed, or anonymized upon the expiration of the retention periods stipulated in the applicable laws. Moreover, where the reasons necessitating processing cease to exist, TP-OTC may, on its own decision or at the request of the Data Subject, delete, destroy, or anonymize personal data.
11. Rights of Personal Data Subject
11.1. Rights of Data Subject
In accordance with Article 11 of the Law, data subjects may make requests regarding the following matters:
- To learn whether their personal data has been processed,
- To request information if their personal data has been processed,
- To learn the purpose of processing their personal data and whether the data is used in accordance with that purpose,
- To know the third parties, domestically or abroad, to whom their personal data has been transferred,
- To request the correction of their personal data if it is incomplete or incorrect,
- To request the deletion or destruction of their personal data within the framework of the conditions set forth in the relevant legislation,
- To request that the correction, deletion, and destruction processes carried out in accordance with the relevant legislation be notified to the third parties with whom their personal data has been shared,
- To object to the occurrence of any result to their detriment arising from the analysis of personal data processed exclusively through automated systems,
- To demand compensation for losses suffered due to personal data being processed in breach of the law.
11.2. Situations where the Data Subject Cannot Assert His/Her Rights
Since the following matters are excluded from the scope of the Law in accordance with Article 28 of the Law, data subjects cannot assert the rights listed under 11.1 of this Policy regarding these matters.
- Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence provided that personal data are not disclosed to third parties and the obligations regarding data security are complied with.
- Processing of personal data for the purposes of research, planning, and statistics by rendering them anonymous through official statistics.
- Processing of personal data for artistic, historical, literary, or scientific purposes or for the freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights, or constitute a crime.
- Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or enforcement proceedings.
In accordance with Article 28/2 of the Law, in the following cases data subjects cannot exercise the rights listed under 11.1 of this Policy, except for the right to request compensation for damages:
- The necessity of processing personal data for the prevention of crime or for the investigation of a crime.
- The processing of the personal data that has been made public by the data subject himself/herself.
- The processing of personal data by authorized public institutions and organizations, public institutions with regulatory duties, or professional organizations with the authority granted by the Law for the purposes of performing their supervisory or regulatory duties and conducting disciplinary investigations or prosecutions.
- The processing of personal data being necessary for the economic and financial interests of the State regarding budget, taxation, and financial matters.
11.3. Procedure and Period for Responding to Applications
Personal data subjects can exercise the rights listed under 11.1 of this Policy by filling out the Data Subject Application Form available at www.tp-otc.com and submitting it, together with identity verification documents, in writing by hand to the address ‘İçerenköy Mahallesi, Askent Sokak, Kosifler Oto No: 3/A İç Kapı No: 7 Ataşehir/İSTANBUL’ or electronically to kvkk@tp-otc.com. TP-OTC will process application requests in accordance with Article 13 of the Law and will conclude them free of charge within a maximum of 30 (thirty) days, depending on the nature of the request. However, if the process entails an additional cost, the fee specified in the tariff determined by the Board may be charged. If the request is rejected, the reasons for the rejection are communicated to the personal data subject in writing or electronically, with justification.
11.4. Information That Can Be Requested from the Personal Data Subject Making the Application
TP-OTC may request information from the relevant individual to determine whether the applicant is the data subject. To clarify the issues raised in the data subject’s application, TP-OTC may ask the data subject questions related to their application.
11.5. TP-OTC’s Right to Refuse the Personal Data Subject’s Application
TP-OTC reserves the right to reject the data subject’s application if at least one of the following situations applies:
- Processing of personal data for the purposes of research, planning, and statistics by rendering them anonymous through official statistics.
- Processing of personal data for artistic, historical, literary, or scientific purposes or for the freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights, or constitute a crime.
- Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or enforcement proceedings.
- The necessity of processing personal data for the prevention of crime or for the investigation of a crime.
- The processing of the personal data that has been made public by the data subject himself/herself.
- The processing of personal data by authorized public institutions and organizations, public institutions with regulatory duties, or professional organizations with the authority granted by the Law for the purposes of performing their supervisory or regulatory duties and conducting disciplinary investigations or prosecutions.
- The processing of personal data being necessary for the economic and financial interests of the State regarding budget, taxation, and financial matters.
- The possibility that the request of the personal data subject may infringe the rights and freedoms of other persons.
- Demands that require disproportionate effort.
- Requested information is publicly available information.
- One of the conditions excluded from the scope according to the Law is present.
CHAPTER THREE
Final Provisions
12. Other Provisions
This Policy is published on TP-OTC’s website at www.tp-otc.com and is thereby disclosed to the public.
This Policy may be updated when circumstances so require, such as changes in the law, decisions of the Board, or developments and changes in the industry. You can send any questions and opinions regarding this Policy to kvkk@tp-otc.com.
13. Validity
This Policy enters into force on the date of its approval by the TP-OTC Board of Directors.
14. Enforcement
The provisions of this Policy are administered by the TP-OTC Board of Directors.