1. Purpose 

The main objective of this Personal Data Protection and Processing Policy (the “Policy”) is to provide explanations regarding the personal data processing activities carried out by Ikon Informatics Consultancy Ltd (“Company”) pursuant to the law and the systems adopted for the protection of personal data and, in this context, to provide transparency by informing the people whose personal data is being processed by the company, primarily Employees and Employee Candidates, Company Shareholders, Company Officials, Guests; Employees, Shareholders, Officials of the companies that we cooperate with and third parties

Company carries out its activities in accordance the General Data Protection Regulation (“GDPR”) and relevant legislation regarding the protection and privacy of personal data. Company is sensitive to the protection of personal data, fundamental rights and freedoms and keeps fundamental human rights such as privacy of private life and freedom of thought in the focus in all its activities.

2. Scope and Application 

This Policy has been prepared in line with the regulations in force and international standards. Company will primarily apply this Policy in all its data processing activities such as data processing, transfer, and amendment. 

This policy is related to all personal data of the Company’s employees and employee candidates, company shareholders, company officials, guests; employees, shareholders, officials of the companies that we cooperate with and third parties which are being processed wholly or partially by automatic or non-automatic methods provided that they are a part of a data registration system. 

Company also has different policies that address the protection of personal data and ensuring information security in relation to certain business activities and processes. This policy does not override the data protection terms in different policies of the Company unless it contains additional terms or requires a higher standard for the protection of personal data. This Policy is implemented along with such other policies and procedures as appropriate. 

If there is a conflict between the provisions of the relevant legislation in force on the protection and processing of personal data and the provisions of this Policy, the provisions of the legislation in force will apply primarily.

3. Definitions 

GDPR: EU General Data Protection Regulation 

Authority: Relevant Data Protection Authority 

Data Processor: The natural person or legal entity that process data on behalf of the data controller with the authority given by the data controller 

Data Controller: The person who defines the purpose and the means of processing personal data and responsible of the data recording system management 

Joint Controller: Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers 

Data Subject: A natural person, includes but not limited to an employee, customer, business partners, stakeholders, authorities, leads, candidate for recruitment, intern, visitors, suppliers, employee of business partners, third parties of the Company and its affiliates with whom they have a commercial relationship, whose data is processed 

Explicit Consent: Consent that is related to a specific issue based on information and expressed with free will 

Personal Data: Any information related to a natural person whose identity is known or identifiable 

Sensitive Personal Data: Biometric and genetic information related with race, ethnicity, political or philosophical opinions, religion, sect or other believes, appearance, union memberships, health, sex life, convictions, and security measures etc. 

Processing of Personal Data: Any kind of operation performed on data such as obtaining, recording, storing, preservation, modification, reorganizations, disclosure, transfer, takeover, making available, classification or preventing the use of personal data in fully or partially automated or non-automated ways, provided that it is part of any data recording system 

Anonymization of Personal Data: Rendering the data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data 

Deletion of Personal Data: Deleting or rendering the personal data in such a way that it is no longer accessible or reusable for the users 

Destruction of Personal Data: Rendering the personal data to make it inaccessible, unrecoverable and not useable by anyone 

Data Protection Authority: Data Protection Authority established in relevant country. 

Company Customer: Real persons whose personal data are obtained via business relations of Company under the operations conducted by Company business units, regardless of the contractual relationship with Company. 

Guest: Real persons visiting Company factory for various purposes 

Third-Party: Other real persons who do not fall under this policy and employees and employee candidates of the company. 

Company Shareholder: The shareholders of the Company are real persons. 

Company Official: Members of the Company board of directors and other authorized real persons with signature authority. 

Employees, Shareholders, and Representatives of the Institutions that we Cooperate with : Real persons, including shareholders and officials of these institutions, that are working in the institutions (such as but not limited to business partners, suppliers) with which Company has a business relationship. 

4. Processing of Personal Data 

a. The Principles to be Followed While Processing Data 

The policies and procedures of the Company are implemented in line with the processing principles in GDPR and relevant legislation. We know that these principles are of vital importance in the exercise of the rights of the data subject and their control over data, and we are extremely sensitive to make these principles our focus in all our processing activities. Our principles in our personal data processing activities are as follows;

• Personal data are processed in accordance with the law and the principle of honesty and transparently.

Company is based on the legal processing reasons included in data processing activities in GDPR. In addition, the Company takes the reasonable expectations of the data subject in consideration according with the principle of honesty. Company uses a clear and comprehensible language in its communication with the data subject and the Company is always in an easily accessible position.

• Personal data are processed only for specific, explicit and legitimate purposes.

Company determines the purpose of the processing activity before the data processing activities. The data are processed for additional purposes that are compatible with the initial processing purpose only. Being compatible with the first purpose for each additional purpose is determined according to internationally accepted criteria. Our Company informs the data subject about the purposes of data processing by considering the principle of transparency. 

• Personal data are relevant, limited and proportionate to the purposes for which they are processed. 

Our Company processes the data to an extent required for data processing purposes. Data is obtained through the most appropriate method for data privacy and security. In our processing activities, disproportionate interference with the rights, interests and freedoms of the data subject is avoided.  

• Personal data are accurate and up-to-date when required. 

Company ensures that the data is up-to-date in all processing activities. Missing, erroneous or incorrect data is destructed or corrected as soon as possible. Company regularly checks that the data is up-to-date. 

• Personal data are stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed. 

With the disappearance of data processing purposes, the data is deleted, destructed or anonymized as soon as possible. 

• Personal data are processed to ensure the appropriate security. 

Our Company applies data security as the main principle. It takes the necessary administrative and technical measures by following the best practices in this direction. 

• Company shows that it has a compliance with other principles of GDPR.

Our Company acts with the principle of accountability in its all-processing activities 

b. The Purposes of the Company Processing Personal Data

The purposes of processing personal data processed by the Company are as follows: 

• Conducting Employee Candidate / Trainee / Student Recruitment and Onboarding Processes 
• Execution of the Application Process of Employee Candidates 
• Execution of Employee Satisfaction and Loyalty Processes 
• Fulfillment of Employment Contractual and Legislative Obligations for Employees 
• Execution of Compensation and Benefit Processes for Employees 
• Execution of Audit / Ethical Activities 
• Execution of Activities in Compliance with Legislation 
• Execution of Training Activities 
• Execution of Financial and Accounting Affairs 
• Assuring Physical Media Security 
• Monitoring and Execution of Legal Affairs 
• Execution of Internal Audit / Investigation / Intelligence Activities 
• Conducting Communication Activities 
• Planning of Human Resources Processes 
• Execution / Control of Business Activities 
• Receiving and Evaluating Suggestions for Improving Business Processes 
• Conducting Business Continuity Activities 
• Execution of Occupational Health / Safety Activities 
• Execution of After Sales Support Services for Goods / Services 
• Execution of Purchasing Processes for Goods / Services 
• Execution of Sales Processes for Goods / Services 
• Execution of Production and Operation Processes Goods / Services 
• Execution of Marketing Processes of Products / Services 
• Execution of Marketing Analysis Studies 
• Execution of Customer Relationship Management Processes 
• Execution of Activities for Customer Satisfaction 
• Execution of Risk Management Processes 
• Organization And Event Management 
• Execution of Agreement Processes 
• Execution of Retention and Archive Activities 
• Execution of Access Rights 
• Execution of Wage Policy 
• ​​Ensuring the Security of Data Controllers Operations 
• Tracking Requests / Complaints, Conducting Process Activities 
• Giving Information to Authorized Persons, Institutions and Organizations 

c. Company’s Legal Grounds for Processing Personal Data:  

Company acts in accordance with one of the legal processing conditions stipulated in the relevant articles of the GDPR when processing personal data. The conditions of processing personal data, that is, the conditions of being lawful, are listed in a limited number in the Law and these conditions cannot be expanded. Company acts in accordance with the following legal grounds for processing personal data:

• Existence of the explicit consent of the data subject, 
• Requirement on processing personal data of the parties subject to a contract / agreement, due to the execution of a contract / agreement. For example, obtaining the supplier’s bank account information so that payment can be made to the supplier for the performance of the purchase agreement concluded with the supplier, 
• Processing personal data for legitimate purposes without violating the fundamental rights and freedoms of the data subject. 
• It is mandatory for the protection of the life or body integrity of the person who is unable to disclose his or her consent due to actual impossibility or whose consent is not legally valid.  For example, providing the id information of an employee who fainted in the office to the doctor by a company employee. 
• Fulfillment of legal obligations. Sample: Submission of information requested by court order to the court. 
• Making personal data public by data subject. For example, A case where the Employee Candidate shares their contact information on websites that allow job applications. 
• If the data processing is mandatory for the establishment, exercise, or protection of a right. For example, storing proof data (e.g., an invoice) and using it when necessary. 

Our Company does not rely on the legal reason of the explicit consent in the presence of another legal reason. For example, name of the relevant person to be present on the invoice per article 230 of the Tax Procedure Law.  

5. Obligation to Inform 

Company is obliged to inform the data subjects in accordance with GDPR. If the personal data is obtained from the data subject, the Company informs the data subject in person or by the persons authorized by the Company at the time of obtaining the data. If the personal data are not obtained from the data subject, obligation to inform is fulfilled within a reasonable time; if the data will be used for communication with the data subject, obligation to inform is fulfilled once communicated; if the data is to be transferred, the obligation to inform is fulfilled at the latest when the first transfer is made. 

Company informs the data subjects at least about the legal entity and address information of the Company, for what purpose the personal data will be processed, to whom and for what purposes the processed data can be transferred, the method of personal data collection and the legal reason for the rights set forth in the GDPR. 

When the purpose of personal data processing changes, the obligation to inform is fulfilled for that purpose before the data processing activity. 

6. Data Security  

As the data controller, the Company is obliged to prevent and protect personal data from being illegally processed or accessed when processing personal data. For this reason, the Company has taken all technical and administrative measures regarding data security, including the additional measures required to protect sensitive personal data. In this context, the measures taken by our Company are listed below. 

Technical Measures Taken 

• Network security and application security are provided. 
• Key management is implemented. 
• Security measures are taken within the scope of procurement, development, and maintenance of information technology systems. 
• … 
• … 

Administrative Measures Taken 

• The signed contracts contain data protection provisions. 
• Additional security measures are taken for personal data transferred via paper, and the relevant documents are sent in a document with confidentiality labels. 
• … 
• … 

7. Personal Data Inventory in Line with The Record Keeping 

Company has established a data inventory with the details stipulated by the Law regarding the personal data processed within the scope of GDPR. Company’s data inventory contains the following:

• Business processes where personal data is handled, 
• Category of personal data, 
• Processed personal data 
• Category of sensitive personal data, 
• The purpose and legal reason for the processing activity, 
• Recipients of personal data in the country, 
• Whether personal data is transferred abroad, 
• Retention periods of personal data 

In case of a change in the processing activities of the Company, the Personal Data Inventory shall be updated. 

8. Roles and Responsibilities 

The roles and responsibilities of our Company regarding the processing of personal data are as follows: 

• [….] 

The relevant department shall be liable to notify the data subjects such as customer, subcontractor, and supplier about this Policy.  

• [….] 

The relevant department shall be liable to inform the parties about this Policy who process data on behalf of the Company, such as employees, suppliers, and regularly check that the Policy is implemented by the aforementioned data processors. 

• [….] 

The relevant department shall be liable for updating this Policy. The relevant department makes the necessary improvements by considering the needs of the Company’s information processing systems and carries out the process of updating the Policy when necessary. 

• [….] 

The relevant department is the authorized body for approving the updates regarding this Policy. 

• [….] 

The relevant department shall be liable for the determination and implementation of sanctions in violations of the implementation of the policy. 

9. Deletion, Destruction and Anonymization of Personal Data 

• In accordance with the GDPR and provisions of other relevant legislation, when the reasons for the processing of personal data disappear, the personal data are deleted, destructed or anonymized upon the Company‘s decision, periodic control and / or the request of the data subject.
• Company will not keep personal data for longer than necessary in line with the reason for obtaining personal data. Company deletes, destructs, or anonymizes personal data in the first periodic destruction process following the date of the obligation to delete, destruct or anonymize the personal data when the reasons for processing disappear. 
• Company has prepared a Retention and Destruction Policy to determine the procedures and principles in this direction. The retention period for each category of personal data has been set out in the Retention and Destruction Policy along with the criteria used to specify this period including any statutory obligations that the Company has to retain the data. This Retention and Destruction Policy has been prepared in accordance with the Personal Data Inventory specified in the Article 8 of this Policy.  
• Company acts in accordance with the principles set out in Section 4/a of this Policy, the technical and administrative measures set out in the Article 6, the Retention and Destruction Policy, the provisions of the relevant legislation and the decisions of the Authority in the deletion, destruction or anonymization of personal data. 
• Personal data will be destructed securely in accordance with the provisions of GDPR and related laws in accordance with the Retention and Destruction Policy. Upon the request of the data subject, the Company chooses the appropriate method with justification.

10. Rights and Exercises of Rights of the Data Subject 

a. Rights of the Data Subject 

Data subjects have the following rights regarding their personal data processed in accordance with the GDPR:

• Right to be informed, 
• Right to access, 
• Right to rectification 
• Right to erasure, 
• Right to restrict processing 
• Right to data portability, 
• Right to object, 
• Right to withdraw a consent if given, 
• Right to not to be subject of a decision based on solely automated decision making and profiling. 

b. Exercises of Rights of the Data Subject 

Applications and requests regarding personal data can be sent via the Data Subject Application Form, 

1. By sending your signature and photocopy of identity to the address or  
2. By signing with a secure electronic signature or mobile signature and sending it to the Company‘s GDPR E-Mail Address (e.g. [email protected]), 
3. By signing with a secure electronic signature or mobile signature, sending it to the Şirket‘s KEP Address via registered [email protected] (KEP) or,
4. By applying in person to the Şirket address with a valid identity document, 

to the Company. 

In order to operate this process in the most effective way, it should be clearly and understandably indicated in their request which right is wished to be used and the details of the requested transaction.  

The subject of the request should be about the data subject itself. If the application is made on behalf of someone else, the person making the request should rely on a specially documented authorization for the requested transaction (power of attorney). Unauthorized applications will be ignored.  

c. Evaluation of the Application   

Applications are evaluated as soon as possible, and at the latest within 30 days from the date of receipt of the application.  

During the evaluation process, additional information and “ can be requested if required, and a fee may be charged for fulfilling the request in cases that comply with the relevant legislation. 

Company takes all necessary administrative and technical measures in order to conclude the applications made by the data subject effectively and in accordance with the law and the principle of honesty. 

d. Non-Eligibility of Application Right  

Data Subject cannot use application rights in Article 11 of this Policy against the Company in the following matters, which are outside the scope of;

• Processing of personal data for the purposes of official statistics and, through anonymization, research, planning, statistics, and similar.  

• Processing of personal data for the purposes of art, history, and literature or science, or within the scope of freedom of expression, provided that national defense, national security, public safety, public order, economic safety, the privacy of personal life or personal rights are not violated.  

• Processing of personal data within the scope of preventive, protective, and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defense, national security, public safety, public order, or economic safety.  

• Processing of personal data by judicial authorities and execution agencies concerning the investigation, prosecution, adjudication, or execution procedures. 

11. Issuing and Enforcement of the Policy 

This Policy enters into force on …(insert date)… 

The current version of this Policy is accessible at …(insert address)…. 

12. Updating the Policy 

This Policy is updated for [… months or… year/s],  as per the [… procedure]. 

The abolished old copies of this Policy are canceled with the approval of [… (department, person status, e.g. quality department manager)] and kept by [… (department, person status, e.g. archive officer)] [for […] year/s.] Policies with expired retention periods are destructed by preparing a report by [… (department, person status).]