Personal Data Security Policies

Personal data security policy

1. PURPOSE

Pursuant to the provisions of the relevant legislation, in particular Personal Data Protection Law No. 6698 (“KVKK”) and Electronic Communications Law No. 5809 (“Law No. 5809”), this Personal Data Protection Policy (“Policy”) explains the principles that TurkNet Communication Services Inc. (“TurkNet” or the “Company”) follows, and the methods and processes it applies, while fulfilling its obligations to protect Personal Data.

2. DEFINITIONS

In accordance with Law No. 6698 on the Protection of Personal Data, the definitions and abbreviations used in this Policy are explained below.

 

Law No. 5809: Electronic Communications Law No. 5809.

Express consent: Consent on a particular subject, based on information and expressed with free will.

Clarification text: TurkNet Clarification Text on the Processing and Protection of Personal Data.

ISMS Procedures: Information Security Management System Policies and Procedures adopted by TurkNet within the scope of the obligations defined in Law No. 5809, the Regulation on Information and Network Security in the Electronic Communications Sector published in the Official Gazette dated 13.07.2014 and numbered 29059, and the relevant legislation.

Employee: A person who has an employment relationship with TurkNet within the scope of an employment contract.

Related person/data subject: The natural person whose personal data is processed.

Personal data: Any information relating to an identified or identifiable natural person.

Processing of personal data: Any operation performed on personal data, in whole or in part, by automated means or, provided that it is part of a data recording system, by non-automated means, including obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of data.

Authority: The Personal Data Protection Authority.

KVKK: Law No. 6698 on the Protection of Personal Data.

Special categories of personal data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Committee: The TurkNet Personal Data Security Committee.

3. SCOPE

  3.1 This Policy covers all activities and processes related to Personal Data that TurkNet processes.
  3.2 This Policy relates to the processing of Personal Data of TurkNet’s customers, prospects, employees, employee candidates, interns, suppliers of goods or services, subcontractors, visitors, website visitors, business partners and their employees and representatives.
  3.3 Within the scope of Law No. 5809 on Electronic Communications, the Regulation on Information and Network Security in the Electronic Communications Sector published in the Official Gazette dated 13.07.2014 and numbered 29059, and other relevant legislation, TurkNet implements Information Security Management System Policies and Procedures consisting of 91 policies or procedures (ISMS Procedures). ISMS Procedures are revised and updated from time to time in line with legislative changes or new developments. The method and process details followed in the administrative and technical measures taken regarding Personal Data are defined in various ISMS Procedures, and this Policy refers to the relevant ISMS Procedures where applicable.

In this context, TurkNet holds the following quality certificates:

– ISO 27001:2013 Information Security Management System Certificate
– ISO 9001:2015 Quality Management System Certificate
– ISO 20000-1:2011 Information Technologies Service Management System Certificate
– ISO 22301:2012 Business Continuity Management System Certificate


4. PRINCIPLES

TurkNet complies with the following principles when processing Personal Data, in accordance with Article 4 of the KVKK and Article 51 of Law No. 5809:

  • Compliance with the law and the rules of honesty,
  • Being accurate and up-to-date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being relevant to, limited to and proportionate with the purposes for which they are processed,
  • Being kept for the period required by the relevant legislation or for the purpose for which they are processed.

5. PROCESSING PERSONAL DATA

  5.1 After providing information within the scope of the Obligation to Inform under Article 10 of the KVKK and other relevant legislation, TurkNet processes Personal Data in compliance with the KVKK. The information text, the “TurkNet Clarification Text Regarding the Processing and Protection of Personal Data”, is publicly available on the TurkNet website and can be listened to verbally at the Call Center.

  5.2 TurkNet processes Personal Data by obtaining explicit consent from the Data Subject where Article 5 of the KVKK requires it. In the following cases, where explicit consent is not required, Personal Data is processed without obtaining explicit consent:

    a) It is clearly stipulated in the laws.
    b) It is necessary for the protection of the life or physical integrity of the Data Subject or another person who is unable to give consent due to actual impossibility, or whose consent is not legally valid.
    c) It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
    ç) It is mandatory for the data controller to fulfil its legal obligation.
    d) It has been made public by the Data Subject himself/herself.
    e) Data processing is mandatory for the establishment, exercise or protection of a right.
    f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

  5.3 TurkNet processes Personal Data in accordance with Articles 5 and 6 of the KVKK, limited to the following purposes:

    a) Offering, marketing, promoting or providing electronic communication products or services and value-added services,
    b) Signing agreements regarding the products or services we offer or purchase (subscription, device purchase/sale, consultancy, etc.) and executing contract processes,
    c) Performing billing, identity verification, activation, troubleshooting and cancellation processes, and handling all subscription-related transactions from contract signing until termination in order to fulfil our contractual commitments,
    d) Providing call center services, request and complaint management, measuring customer satisfaction and all kinds of customer relations activities,
    e) Measuring the services we offer, improving and diversifying services, strategic planning activities and marketing activities,
    f) Informing you about our products and services in order to sign a subscription agreement upon your request,
    g) Managing internet traffic, interconnection, billing, irregularity/fraud detection and similar transactions, or resolving disputes, especially consumer complaints and interconnection and billing disputes,
    h) Carrying out the audit activities of the Company,
    i) Ensuring the security of the Company’s buildings, infrastructure, operations and network,
    j) Carrying out finance and accounting work,
    k) Within the scope of fixed telephone services, handling emergency calls and cases of disaster and emergency as defined in Law No. 5902 on the Organization and Duties of the Disaster and Emergency Management Presidency,
    l) Fulfilling reporting, informing, auditing and other obligations required by regulatory and supervisory institutions and legal regulations,
    m) Applying to legal or administrative proceedings.

  5.4 Special Category Personal Data is processed in compliance with Article 6 of the KVKK and relevant legislation, either by obtaining explicit consent or, where the KVKK does not require explicit consent, by obtaining the relevant employee undertakings. The TurkNet Special Quality Personal Data Security Policy applies in this regard.
6. DATA MANAGEMENT AND SECURITY

  6.1 Administrative Measures Taken for Personal Data Security

  • In order to fulfil TurkNet’s legal obligations regarding Personal Data and to ensure and supervise the implementation of this Policy, a Personal Data Security Committee (“Committee”), whose members and working procedures are determined by the Board of Directors, has been established. The Committee reports risks, developments and all other issues related to Personal Data security to the Risk Committee and the Board of Directors.
  • The inventory of Personal Data processed by TurkNet has been prepared in accordance with the legislation and is updated when necessary.
  • Where Personal Data is processed or transferred within the scope of any relationship with TurkNet employees, customers, suppliers, business partners and other third parties, the necessary obligations, commitments and penalties are included in the relevant contract, or a separate contract is signed for this purpose, in order to ensure that the processing or transfer complies with the KVKK and relevant legislation.
  • Where necessary, TurkNet keeps written confidentiality agreements signed by its own employees and by the employees or representatives of its suppliers, business partners or subcontractors, as required by the relevant task, job or process, or ensures that they are kept by the supplier, business partner or subcontractor.
  • ISO 27001 audits, both internal and external, are carried out once a year.
  • An internal audit of compliance with the KVKK and the relevant legislation is carried out once a year.
  • Employment contracts signed with employees contain clauses on the protection of Personal Data or, where necessary, separate undertakings are signed.
  • Sanctions for processing Personal Data in violation of the law and TurkNet Policies are set out in the Disciplinary Regulation, and employees are informed about them in trainings.
  • Personal Data Security Training is given to all employees once a year. The trainings cover general information on the KVKK, examples of decisions by the Personal Data Protection Authority and other regulatory bodies worldwide, the measures to be taken for data security and the penalties set out in the legislation, and an exam is held at the end of the training.

  6.2 Technical Measures Taken for Personal Data Security

  • An ISO 27001 Information Security Management System is operated in the Company. The measures listed below are described in detail in the relevant ISMS procedures.
  • Personnel with the necessary technical knowledge are employed in the relevant units.
  • Access to information systems and authorization of users are managed through an access authorization matrix and security policies in corporate applications. Authorization definitions for new positions are made as the need arises, and the authorization matrix is reviewed once a year.
  • Network security and application security are ensured.
  • Authorization definitions and employee trainings follow the principle of “prohibited unless allowed” (default deny), and the necessary undertakings are obtained.
  • Through real-time analysis with security information and event management, risks and threats that would affect the continuity of information systems are continuously monitored.
  • In order to protect information systems against known vulnerabilities, vulnerability scans and penetration tests are carried out regularly; emerging risks, threats and vulnerabilities, if any, are identified and the necessary measures are taken.
  • Security vulnerabilities are tracked, appropriate security patches are installed and information systems are kept up to date.
  • Risks relating to the unlawful processing of personal data are identified, appropriate technical measures are taken against these risks, and technical controls are carried out on the measures taken.
  • Intrusion prevention systems, network access control, anti-malware and anti-virus systems and firewalls are used to protect the confidentiality, integrity and availability of information and software in information systems.
  • Personal data is backed up, and the security of the backed-up personal data is also ensured.
  • A strong password policy is applied to all user accounts. The number of password entry attempts is limited. Passwords are changed at regular intervals. Administrator privileges are available only to authorized users. The accounts of users who leave the company are closed as soon as possible.
  • Disk encryption is used on personal laptop computers.
  • The servers on which personal data is kept are encrypted.
  • The use of external storage media is restricted on the basis of employee roles; access to external storage is limited and controlled accordingly.
  • Quarterly PCI scans and vulnerability and security checks are performed via remote access.
  • Access logs are kept regularly.
  • A closed network is used for personal data transfers over the network.
  • The necessary measures for the physical security of information systems equipment, software and data are taken.
  • The buildings used by TurkNet in which Personal Data is processed (company headquarters and data center) are monitored by camera recording to ensure their security. The number of cameras, their locations and recording times are determined in accordance with the principle of purpose limitation and legal regulations.
  • Camera recording services are procured from a security firm. Access to camera recordings is restricted to authorized personnel who have signed a confidentiality agreement.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • Data masking is applied where necessary.
  • The authorizations of employees who change duties or leave the company are removed.
  • Data loss prevention (DLP) software is used; the DLP module is used to prevent data loss and data leakage from systems.
  6.3 Website, Apps and Cookies

TurkNet carries out all kinds of subscription transactions, marketing and customer service activities through its website and the OIM application over the internet, and through the MOIM application over mobile phones. As security measures in this framework, periodic penetration tests are carried out, access is provided with a username and password, secure software methods such as the use of GUIDs are applied, and a firewall system is placed in front of the systems that the web server reaches. The cookie policy is published on the TurkNet website.

 

7. VIOLATIONS

In case of a data security weakness or breach, the relevant employee immediately reports the situation to a senior manager and the ISMS Manager, first verbally and then by e-mail. The data security breach event is reported and resolved in accordance with ISMS Procedures P.16-1 and P.16-2. In the Personal Data Trainings given to employees, these procedures are explained in detail, and the procedures are kept accessible to employees.

 

8. RIGHTS OF THE PERSONAL DATA SUBJECT (RELATED PERSON)

  8.1 TurkNet informs Data Owners (Related Persons) that, in accordance with Article 11 of the KVKK, they have the following rights regarding the protection of personal data:

  • Learning whether your personal data is processed,
  • If your personal data has been processed, requesting information about it,
  • Learning the purpose of processing personal data and whether it is used in accordance with that purpose,
  • Knowing the third parties to whom personal data is transferred in the country or abroad,
  • Requesting the correction of personal data in case of incomplete or incorrect processing, and requesting that the correction be notified to third parties to whom the data has been transferred,
  • Requesting the deletion or destruction of personal data within the framework of Article 7 of the Law, and requesting that the deletion or destruction be notified to third parties to whom the data has been transferred,
  • Objecting to a result arising against you from the analysis of the processed data exclusively by automated systems,
  • Requesting compensation for damage in case of damage due to the unlawful processing of personal data.

  8.2 In order to exercise the above rights and make a request, Data Owners may submit a signed petition, either by filling in the application form on the website or by preparing their own petition (the petition must contain: name, surname, TCKN information, the address to which a reply is requested, e-mail address or fax number, application date, and a detailed explanation of the request), by the following methods:
 

1. Written application by hand delivery
   Application method: Hand-deliver the signed application form
   Address to apply: Fulya Mah. Buyukdere Cad. Torun Center A Blok Apt. No:74 A/89 Sisli/ ISTANBUL
   Attachments: A copy of the front of your identity card

2. Written application via notary public
   Application method: Notarization
   Address to apply: Fulya Mah. Buyukdere Cad. Torun Center A Blok Apt. No:74 A/89 Sisli/ ISTANBUL

3. Via Registered Electronic Mail (KEP)
   Application method: With your registered electronic mail (KEP) address
   Address to apply: turknet@hs01.kep.tr

4. Application with your e-mail address registered in the TurkNet system
   Application method: By using your e-mail address registered in the TurkNet system
   Address to apply: kvkk@turknet.net.tr

5. Application with another e-mail address not registered in the TurkNet system
   Application method: A written petition signed with your mobile signature/e-signature. The petition must contain the following information: name, surname, TCKN, the address or e-mail address at which you want to receive the answer, and your explanations regarding your request
   Address to apply: kvkk@turknet.net.tr

  8.3 TurkNet concludes the requests in the application free of charge and as soon as possible, within thirty days at the latest, depending on the nature of the request. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the Authority may be charged. The Company may accept the request or reject it by explaining the reason, and gives its answer in writing or electronically. If the request in the application is accepted, the Company fulfils the requirements of the request.

ENFORCEMENT OF THE POLICY:

This Policy is prepared by the Committee and approved by the Board of Directors. This Policy and any changes to it are announced to employees via e-mail and published on the TurkNet website. This Policy is reviewed at least once a year, in line with legislative changes or the Company’s needs, and updated if necessary. Changes are indicated by date and number at the end of the Policy.

Effectiveness and Changes:

Effective date: 07.02.2020, Document number: 1
Change date: 30.04.2021, Document number: 2

Special quality personal data security policy

1. PURPOSE

This Special Quality Personal Data Security Policy (“Policy”) describes the principles that Turknet İletişim Hizmetleri A.Ş. (“TurkNet” or the “Company”) must comply with, and the methods and processes to be followed, while fulfilling its obligations to protect special categories of personal data, in accordance with the provisions of the relevant legislation, in particular Personal Data Protection Law No. 6698 (“KVKK”) and the Personal Data Protection Board decision dated 31.01.2018 and numbered 2018/10 on the “Adequate Measures Required to be Taken by Data Controllers in the Processing of Special Categories of Personal Data” (“Board Decision”).

2. DEFINITIONS

The definitions and abbreviations used in this Policy are explained below in accordance with Law No. 6698 on the Protection of Personal Data.

Law No. 5809: Electronic Communications Law No. 5809.

Express consent: Consent on a particular subject, based on information and expressed with free will.

Clarification text: TurkNet Clarification Text on the Processing and Protection of Personal Data.

ISMS Procedures: Information Security Management System Policies and Procedures adopted by TurkNet within the scope of the obligations defined in Law No. 5809, the Regulation on Information and Network Security in the Electronic Communications Sector published in the Official Gazette dated 13.07.2014 and numbered 29059, and the relevant legislation.

Employee: A person who is in an employment relationship with TurkNet within the framework of an employment contract.

Relevant person/data subject: The natural person whose personal data is processed.

Personal data: Any information relating to an identified or identifiable natural person.

Processing of personal data: Any operation performed on personal data, in whole or in part, by automated means or, provided that it is part of a data recording system, by non-automated means, including obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of data.

Authority: The Personal Data Protection Authority.

KVKK: Law No. 6698 on the Protection of Personal Data.

Special categories of personal data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data controller: TurkNet İletişim Hizmetleri A.Ş.

Committee: The TurkNet Personal Data Security Committee.

3. SCOPE

  3.1 This Policy covers all activities and processes related to Special Quality Personal Data that TurkNet processes.
  3.2 This Policy relates to the processing of Special Quality Personal Data of TurkNet’s customers, prospects, employees, employee candidates, interns, suppliers of goods or services, subcontractors, business partners and their employees and representatives.
  3.3 Within the scope of the obligations defined in Law No. 5809 and the relevant legislation, TurkNet implements Information Security Management System Policies and Procedures consisting of 91 policies or procedures (“ISMS Procedures”). ISMS Procedures are revised and updated from time to time in line with legislative changes or new developments. The method and process details followed in the administrative and technical measures taken regarding Special Quality Personal Data are defined in various ISMS Procedures.
4. PRINCIPLES

TurkNet abides by the following principles when processing Personal Data, in accordance with Article 4 of the KVKK and Article 51 of Law No. 5809:

  • Compliance with the law and the rules of honesty,
  • Being accurate and up-to-date when necessary,
  • Processing for specific, clear and legitimate purposes,
  • Being relevant to, limited to and proportionate with the purposes for which they are processed,
  • Being kept for as long as required by the relevant legislation or for the purpose for which they are processed.
5. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

  5.1 After providing information within the scope of the Disclosure Obligation under Article 10 of the KVKK and other relevant legislation, TurkNet processes Special Quality Personal Data in accordance with the KVKK. The informative text, the “TurkNet Clarification Text on the Processing and Protection of Personal Data”, is publicly published on the TurkNet website and can be heard orally at the Call Center.
  5.2 TurkNet processes data by obtaining Explicit Consent in cases where Explicit Consent is required.
  5.3 Pursuant to Article 6/(3) of the KVKK, Special Quality Personal Data other than data relating to health and sexual life may be processed without seeking the explicit consent of the person concerned in cases stipulated by the laws. In this context, TurkNet processes Special Quality Personal Data without express consent in the following cases, taking the measures specified in the Board Decision:

    a) It is expressly stipulated in the laws.
    b) It is compulsory for the protection of the life or physical integrity of the person concerned or of another person who is unable to express consent due to actual impossibility, or whose consent is not legally recognized.
    c) It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
    ç) It is mandatory for the data controller to fulfil its legal obligation.
    d) It has been made public by the person concerned himself/herself.
    e) Data processing is mandatory for the establishment, exercise or protection of a right.
    f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

  5.4 Again, as regulated in Article 6/(3) of the KVKK, personal data relating to health may be processed without seeking the explicit consent of the person concerned only by persons under an obligation of confidentiality or by authorized institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services. In this context, TurkNet processes health data under an obligation of confidentiality.
6. DATA MANAGEMENT AND SECURITY

In line with the Board Decision, protocols and procedures for special quality personal data security have been determined and implemented. In this context:

  6.1 For Employees involved in the processing of Special Quality Personal Data:

  • Regular trainings are provided on data security issues,
  • Confidentiality agreements are made,
  • The scope and duration of authorization of users who have access to the data are clearly defined,
  • Periodic authorization checks are carried out,
  • The authorizations of Employees who change duties or leave the company are immediately removed, and the documents and inventory allocated to them by TurkNet are returned.

  6.2 Where the environments in which Special Quality Personal Data are processed, stored and/or accessed are electronic media:

  • Secure encryption/cryptographic keys are used for Special Quality Personal Data and are managed by different units,
  • Security updates for the environments where Special Quality Personal Data are located are constantly monitored, the necessary security tests are carried out regularly, and the test results are recorded,
  • If Special Quality Personal Data is accessed via software, user authorizations for this software are defined, security tests of the software are performed regularly, and the test results are recorded.

  6.3 Where the environments in which Special Quality Personal Data are processed, stored and/or accessed are physical environments:

  • Adequate security measures are taken (against situations such as electrical leakage, fire, flood, theft, etc.) according to the nature of the environment where Special Quality Personal Data is located,
  • The buildings used by TurkNet (Company headquarters building and data center) are monitored by camera recording in order to ensure the physical security of these environments and to prevent unauthorized entry and exit. The number of cameras, their locations and recording times are determined in accordance with the principle of purpose limitation and legal regulations.

  6.4 When transferring Special Quality Personal Data:

  • If Special Quality Personal Data needs to be transferred via e-mail, it is transferred in encrypted form from a corporate e-mail address or by using a Registered Electronic Mail (KEP) account,
  • If it needs to be transferred via media such as portable storage, CD or DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment,
  • If the transfer takes place between servers in different physical environments, data is transferred by establishing a VPN between the servers or by the SFTP method,
  • If Special Quality Personal Data must be transferred via paper media, the necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent marked “Confidential”.

7. VIOLATIONS

In case of a data security weakness or violation, the relevant employee immediately reports the situation to a senior manager and the ISMS Manager, verbally and then by e-mail. The data security breach event is reported and resolved in accordance with ISMS Procedures P.16-1 and P.16-2. In the Personal Data Trainings given to employees, these procedures are explained in detail, and the procedures are kept accessible to employees.

8. ENFORCEMENT OF THE POLICY

This Policy is prepared by the Committee and approved by the Board of Directors. The Committee is responsible for announcing this Policy and any changes to it to employees via e-mail and for publishing them on the TurkNet website. This Policy is reviewed by the Committee at least once a year, in line with legislative changes or the needs of the Company, and updated if necessary. Changes are indicated by date and number at the end of the Policy.

Effectiveness and Changes:

Effective date: 30.04.2021, Document number: 1
Change date: 30.04.2021, Document number: 1
