PROTECTION OF PERSONAL DATA

1. POLICY, SCOPE AND PURPOSE

Agito Computer Software and Consulting Services Inc. (hereinafter referred to as the “Company”) (Board of Directors and management are responsible for complying with the principles and rules introduced by the Constitution of the Republic of Turkey on the protection of personal data, the Law on the Protection of Personal Data No. 6698 (KVKK) and other legislation, and to protect the rights and freedoms of individuals whose data are processed by the Company. For this purpose, the Board of Directors has adopted a written personal data protection policy and system to be implemented and developed.

1.1. Scope

Policy provisions cover all information systems and sub-information, contracts, environmental and physical areas involved in the processing of personal data in the Company's fields of activity and work areas, and the systems and regulations produced for all these.

This policy covers all units of the Company, personnel of the company providing support services, visitors, third parties, interns and contracted personnel.

1.2. Purposes of Personal Data Protection Policy and System

The purpose of the Personal Data Protection Policy and System is to enable the Company to establish and implement its own standards in the management of personal data; identifying and supporting organizational goals and obligations, establishing control mechanisms in line with the Company's acceptable level of risk; It is the fulfillment of the obligations that the company is subject to in accordance with international conventions, the Constitution, laws, contracts and professional rules in the field of personal data protection and the best protection of the interests of individuals.

1.3. Data Protection Principles

The company will comply with the personal data protection legislation and data protection principles. The data protection principles adopted by the company include:

a. Process personal data only if it is clearly necessary for legitimate corporate purposes;

b. To process personal data at the minimum required for these purposes and not to process more data than necessary;

c. To give clear information to individuals about who and how their personal data is used;

d. Process only relevant and appropriate personal data;

e. To process personal data fairly and lawfully;

f. To keep an inventory of the categories of personal data processed by the Company;

g. Keeping personal data accurate and up-to-date when necessary;

h. To store personal data only for as long as required by legal regulations, the Company's legal obligations or legitimate corporate interests;

i. To respect the rights of individuals regarding their personal data, including the right of access;

j. Keeping all personal data secure;

k. To transfer personal data abroad only if there is adequate protection;

l. To apply the exceptions permitted under the legislation;

m. To establish and implement the personal data protection system for the implementation of the policy;

n. Identifying internal and external stakeholders who are parties to the personal data protection system and the extent to which they are involved in the Company's personal data protection system, when necessary;

o. To identify the personnel(s) with special powers and responsibilities regarding the personal data protection system.

1.4. Notifications

a. The Company informs the Personal Data Protection Board (“KVK Board”) about which personal data categories it processes and in this capacity it is the data controller. The company determines all categories of personal data it processes in its personal data inventory.

b. The notification is made in accordance with the procedure and method to be determined by the KVK Board and a copy of the notification is kept by the Company's Personal Data Protection Committee (KVK Committee).

c. If deemed necessary by the relevant legislation or the KVK Board, the notifications are repeated periodically.

d. In order to identify potential changes in the notification made to the KVK Board, the KVK Committee reviews the data processing activities of the Company and the changes in them every six months and at the meetings to be held when needed, and informs the KVKK Board if necessary.

The Company's disciplinary legislation will be applied to any action of all units of the company, company personnel providing support services, interns and contracted personnel violating this policy, and if the violation in question constitutes a crime or misdemeanor, the relevant authorities are notified as soon as possible.

The Company's solution partners who have or may have access to personal data and all third parties working with the Company are invited to read and comply with this policy. No third party can access the personal data processed by the Company without a written confidentiality agreement, which includes obligations with at least as strong standards as the Company's regarding the protection of personal data and the Company's right to control them.

2. DEFINITIONS

Explicit consent: Consent on a specific subject, based on information and expressed with free will,

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,

Relevant person: The real person whose personal data is processed,

Personal data: Any information relating to an identified or identifiable natural person,

Sensitive personal data: Regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures. data and biometric and genetic data,

Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,

KVKK: Law on Protection of Personal Data No. 6698,

KVKK Board: Personal Data Protection Board,

KVKK Authority: Personal Data Protection Authority,

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,

Data registration system: The registration system in which personal data is processed and structured according to certain criteria,

Data controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

3. DUTIES AND RESPONSIBILITIES

3.1. The company is the data controller in accordance with KVKK.

3.2. All personnel, especially those in the positions of Senior Management, manager and auditor, are responsible for developing and promoting correct practices in the processing of personal data within the Company, as well as other obligations regarding this issue included in their individual job descriptions.

3.3. The KVK Committee was established as the unit in charge of managing the personal data protection system and ensuring and documenting compliance with the KVKK and other relevant legislation, and is responsible to the Board of Directors in these matters. 

3.4. KVK Committee

The members of the KVK Committee are appointed by the Board of Directors, taking into account their expertise and experience in personal data protection legislation and practices, and report directly to the Board of Directors.

structure of the KVK Committee is explained in detail in the Document of the Protection Duties and Responsibilities of Personal Data document.

The chairman of the committee is the Information Security Manager.

The committee meets regularly every two weeks or when deemed necessary.

The KVKK committee can be reached at kvkk@agito.com.tr.

3.4.1. KVK Committee Duties and Responsibilities

- The Committee should inform the Board of Directors about the Personal Data Protection legislation and developments.

- The Committee is responsible for ensuring that the Company's policies and procedures are up-to-date and data processing audits are carried out in accordance with the planned schedule and that they comply with the relevant legislation.

- The Committee acts together with all relevant personnel on personal data protection issues.

- The main duties and responsibilities of the committee are:

To provide information and advice on personal data protection legislation and compliance to the company, its relevant partners and suppliers providing support services.

To provide information and advice to company personnel regarding their obligations under personal data protection legislation.

To monitor the compliance of the company's data processing activities with personal data protection legislation.

To contribute to the development and maintenance of the company's personal data protection policy and related procedures and processes.

Assign responsibilities within the Company in the context of compliance with personal data protection legislation.

To provide the necessary training and awareness for all personnel involved in personal data processing processes.

Observing compliance with Personal data protection legislation by conducting regular audits and reporting to the Board of Directors.

To act in cooperation and contact with the KVK Board.

To determine the responsible persons who will act as the contact point and representative of the Company before the KVK Board.

Developing a formal procedure for reporting personal data breach incidents and investigations to the Board.

To provide information and advice on the storage of corporate records.

To ensure the extent to which personal data is collected, kept and used within the company and the conditions for their storage in accordance with the relevant legislation.

To oversee and evaluate the suitability, reasonableness, security practices and other controls that may be necessary regarding the protection of personal data.

To present the issues that pose a potential risk in terms of personal data within the company and related suggestions to the agenda of the Board of Directors.

- The KVK Committee has the authority to audit all systems related to the collection, processing and storage of personal data of the Company. While performing its duties, the KVK Committee may request cooperation from all personnel, including access to systems and records. If this cooperation is not achieved, the Committee reports the situation to the Board of Directors.

3.5. All personnel of the company who process personal data are responsible for complying with the Personal Data Protection legislation. 

3.6. The Human Resources Unit is responsible for carrying out the necessary notifications and trainings so that all personnel know their responsibilities in the field of personal data protection and have the necessary awareness.

3.7. Company personnel are obliged to ensure the accuracy and up-to-dateness of all personal data provided to the Company by them or pertaining to them.

4. DATA PROTECTION PRINCIPLES

All personal data processing activities must be carried out in accordance with the following data protection principles. The company's policies and procedures aim to ensure compliance with these principles:

Lawfulness and conformity with rules of bona fides..

Accuracy and being up to date, where necessary.

Being processed for specific, explicit and legitimate purposes.

Being relevant with, limited to and proportionate to the purposes for which they are processed.

Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.

4.1. Personal data is processed in a transparent and lawful manner.

In this respect, the Company includes disclosure texts/confidentiality statements in data collection channels and related fields regarding the personal data processing activities it carries out. The areas where these notifications, which contain clear and understandable information about who and for what purposes are processed by the company, are determined by the KVK Committee. These notifications include the following:

Identity and contact information of the company as data controller,

KVK Committee and contact information,

Types of personal data processed,

Purposes of processing personal data,

The anticipated retention period of personal data,

Data owner's rights,

Third parties with whom the data may be shared.

4.2. Personal data may only be processed for specific, explicit and legitimate purposes.

The reasons/purposes for processing personal data are determined in the personal data inventory and personal data cannot be used for any other than the stated purpose without any other legal justification or the explicit consent of the data owner.

If conditions arise that require the use of personal data for purposes other than those specified in the personal data inventory, this situation is reported to the Liaison Officer/KVK Committee by the relevant personnel/unit. The KVK Committee checks the suitability of the new purpose and, if necessary, ensures that the data owner is informed about the new purpose and new data processing activity.

4.3. Personal data must be appropriate and relevant, and must be processed to a limited extent for the purpose. 

The KVK Committee is obliged to ensure that personal data that is not clearly necessary for the purpose of processing is not collected and processed.

All electronic and physical data collection forms and data collection mechanisms in information systems are implemented provided that they are approved by the KVK Committee.

The KVK Committee periodically checks that the data processed through the personal data inventory is appropriate and relevant.

The KVK Committee checks that all data processing methods are appropriate and relevant with the internal audit/external audit that it will/will do on an annual basis.

The KVK Committee is responsible for stopping the data processing activity in terms of personal data that it determines to be inappropriate or not relevant or excessive in terms of the purpose of processing, and for the safe destruction of the processed data in accordance with the storage and destruction procedure.

4.4. Personal data must be accurate and up-to-date. 

The accuracy and up-to-dateness of data kept for a long time should be reviewed.

Human Resources is responsible for educating all personnel on the correct and up-to-date collection and retention of personal data.

The accuracy and up-to-dateness of the data kept regarding the personnel is the responsibility of the relevant personnel.

Personnel/customers and other relevant persons should inform the Company to update the processed personal data. After such a notification is made, it is the responsibility of the relevant unit to correct and update the record in question.

The KVK Committee may instruct the relevant unit to evaluate the type, storage period and amount of the data processed through the data inventory, and to review the accuracy or timeliness of certain data.

4.5. Personal data should only be processed if necessary for the purpose of processing.

Back-up of personal data etc. In case of data security weakness, personal data should be encrypted or anonymized/masked in order to protect the state and freedoms of individuals.

It is subject to the written approval of the KVK Committee for the processing of personal data after the periods determined in accordance with the Retention and Disposal Policy.

5. THE RIGHTS OF DATA SUBJECT

Data subject have the following rights regarding data processing activities and records with the Company :

Learning whether personal data is processed or not,

If personal data has been processed, requesting information about it,

Learning the purpose of processing personal data and whether they are used in accordance with the purpose,

Knowing the third parties to whom personal data is transferred at home or abroad,

Requesting correction of personal data in case of incomplete or incorrect processing,

Requesting the deletion or destruction of personal data for which there is no legal justification or basis for processing in accordance with KVKK or this policy,

Requesting notification of corrections or deletions made upon request, to third parties to whom personal data has been transferred,

Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

To request the compensation of the damage in case of loss due to unlawful processing of personal data.

Data Subejct may request access to their personal data and use their rights listed above. These requests are forwarded to the Contact Person/KVK Committee and the Committee responds within 30 days. The processes regarding the receipt, transmission and conclusion of requests are carried out in accordance with the Demand Management Procedure.

Data subject can send their requests to “ İTÜ Ayazağa Kampüs Reşitpaşa Mah. Katar Cd., Arı Teknokent2 Sitesi No:4/2 D:401, 34390 Sarıyer/İstanbul” by means of a notary public or by registered letter with return receipt confirmation of identity or via the e-mail address registered to “ agito@hs03.kep.tr ” they can transmit.

company , regardless of their job description, are responsible for guiding data subject regarding the correct application method for data subject access requests. Company personnel should be informed and trained on how to act on requests from data subject.

In order for data subject to direct their requests, the contact information of the Contact Person/Committee is included in the disclosure texts/confidentiality statements and the Company's web address.

 

6. OBTAINING EXPRESS CONSENT

The Company accepts the consent as express consent, which is expressed by the data owner regarding certain data processing activities, which is based on information, and which reveals the will for data processing with free will, expressed by a written/oral statement or an open affirmative action . In terms of sensitive data, explicit consent must be obtained in writing. Explicit consent can always be withdrawn by the data owner.

Explicit consent can be obtained by having the data subject sign the explicit consent form template or by including the elements in this template in the contract to be made with the data subject or in the electronic form. In terms of routinely processed personal data regarding personnel, personnel candidates and customers, explicit consent is obtained through the relevant contract or forms.

In the event that the data processing activity based on explicit consent will be continuous or repeated, the relevant unit keeps a list of people whose explicit consent has been obtained as a single list. The up-to-dateness and accuracy of this list is the responsibility of the relevant unit. Explicit consent forms or other relevant proof tools regarding data processing activity based on explicit consent are kept by the relevant unit.

7. DATA SECURITY

All personnel are obliged to ensure that the personal data processed by the Company, which is under their responsibility, is kept securely.

Only those who need access to personal data should be able to access them. Access is provided in accordance with the Access Control Procedure.

security of personal data is ensured in accordance with the Company's KVK Policy and related documents.

Information security incidents regarding personal data are notified to the KVK Board and the relevant person as soon as possible by the KVK Committee.

 

8. DATA SHARING

Personal data can only be shared with third parties in accordance with the law and equity. Accordingly, in order for personal data to be shared, one of the following conditions must be met:

Obtaining the explicit consent of the data subject.

expressly stipulated by law.

It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.

It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract to which the company is or will be a party.

It is mandatory for the company to fulfill its legal obligations.

Being made public by the person concerned.

Data processing is mandatory for the establishment, exercise or protection of the company's rights.

Data processing is mandatory for the Company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

Personal data can only be transferred abroad, provided that the above conditions are met, adequate protection is available in the destination country, and the explicit consent of the data owner is obtained for this transfer.

In the transfer of personal data abroad, the list of countries with adequate protection determined by the KVK Board is taken into account.

When it comes to the transfer of personal data abroad, the KVK Committee provides the necessary permissions and notifications to the KVK Board in accordance with the KVKK and related legislation.

In the event that there is a regular data sharing relationship without a legal basis or legal obligation, a KVKK Commitment is made with the said party that determines the conditions of data sharing. The KVKK Commitment includes at a minimum:

The purpose or purposes of the sharing;

Potential third party buyers or type of buyer and terms of access;

What categories of data will be shared (this should be kept to the minimum necessary for your purposes);

General principles of data processing;

Data security measures;

Retention period of shared data;

Data subject's rights, access requests, procedures for responding to applications and complaints;

Reviewing the expiration of the sharing agreement and

Liability and sanctions for non-compliance with the contract or individual violation of personnel.

9. MANAGEMENT OF RECORDS

Personal data cannot be kept longer than necessary for the purposes of processing. The classification of records containing personal data and their retention periods are determined in accordance with the Retention and Disposal Policy.

Personal data, which have expired for the purposes of processing or upon the rightful request of the data owner, are anonymized or deleted or destroyed in a way that the natural person who is the data owner cannot be identified and in accordance with the Storage and Disposal Policy.

10. KEEPING THE POLICY UPDATED

The current version of this document has been made available to all Company personnel over the file server and is available at http://www.agito.com.tr . Published on.

This policy 15.10.2021 It was approved by the Board of Directors on ] and published with the signature of the General Manager .

Contact