Personal Data Protection Policy
The Law on the Protection of Personal Data No. 6698, which entered into force upon its publication in the Official Gazette dated 07.04.2016, regulates the obligations of data controllers who collect and process data, as well as the procedures and principles to which they are bound, with the aim of protecting the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data. The “Univera Bilgisayar Sistemleri Sanayi ve Tic A.Ş Personal Data Protection Policy” has been created for the purpose of implementing the Law, its application regulations, and the decisions of the Personal Data Board, and to clarify the duties and responsibilities of the public and the Company’s employees.
1. PURPOSE and SCOPE
The Univera Bilgisayar Sistemleri Sanayi ve Tic A.Ş (“COMPANY”) Personal Data Protection Policy has been established to be applied to managers, employees, and all persons who engage in a relationship with the COMPANY. This Policy sets forth the rules and principles to serve the purpose of ensuring the rights to privacy and the inviolability of private life, as well as the rights to the protection of personal data under the Law, for all natural persons who engage in a relationship with the COMPANY. Any violation of the Policy in any way means that the COMPANY, as a registered Data Controller, has violated the Law; therefore, a violation of the Univera Bilgisayar Sistemleri Sanayi ve Tic A.Ş Personal Data Protection Policy by employees will be considered a disciplinary offense.
2. DEFINITIONS
Within the scope of this POLICY and all documents and activities under the Law on the Protection of Personal Data:
Explicit consent: Freely given, specific, informed, and unambiguous indication of a data subject’s wishes.
Anonymization: Rendering personal data in such a manner that the data subject is not or no longer identifiable, even through matching with other data.
Data subject: The natural person whose personal data is being processed.
Personal data: Any information relating to an identified or identifiable natural person.
Processing of personal data: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transferring, taking over, making available, classification or preventing the use thereof.
Board: The Personal Data Protection Board.
Data processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data controller: A natural or legal person who determines the purposes and means of the processing of personal data and is responsible for the establishment and management of the data filing system.
3. GENERAL PRINCIPLES
Personal data shall only be processed in accordance with the procedures and principles stipulated by the Law. The fundamental principles in the processing of personal data are: being in compliance with the law and principles of fairness; being accurate and, where necessary, up-to-date; being processed for specified, explicit, and legitimate purposes; being relevant, limited, and proportionate to the purposes for which they are processed; being retained for the period stipulated by relevant legislation or the period necessary for the purpose for which they are processed.
4. COLLECTION and PROCESSING OF PERSONAL DATA
The COMPANY collects and processes personal data for the purposes of establishing employment contracts, establishing relationships with financial leasing customers, and concluding financial leasing agreements. The justifications, processes, procedures, and all other technical details of the COMPANY’s personal data processing are specified in the “UNİVERA BİLGİSAYAR SİSTEMLERİ SANAYİ VE TİC A.Ş PERSONAL DATA INVENTORY.”
5. EXPLICIT CONSENT IN THE PROCESSING OF PERSONAL DATA
Personal data cannot be processed without the explicit consent of the data subject. Explicit consent must be in writing or in a provable form and must be obtained after the data subject has been informed about the collection, use, transfer, and destruction of the data. However, the COMPANY may process personal data without explicit consent in the following cases:
It is expressly provided for by the laws.
It is necessary for the protection of life or physical integrity of the person or of any other person who is physically or legally incapable of giving consent.
Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of that contract.
It is necessary for compliance with a legal obligation to which the data controller is subject.
The data has been made public by the data subject himself/herself.
Data processing is necessary for the establishment, exercise, or protection of any right.
Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing does not violate the fundamental rights and freedoms of the data subject.
6. OBLIGATIONS OF THE DATA CONTROLLER
During the acquisition of personal data, the COMPANY as the data controller, or a person authorized by it, is obliged to inform the data subjects about:
The identity of the data controller and of its representative, if any.
The purpose for which personal data will be processed.
To whom and for what purpose the processed personal data can be transferred.
The method and legal basis of the collection of personal data.
The COMPANY, as the data controller, is obligated to take all necessary technical and administrative measures to provide a sufficient level of security in order to:
Prevent the unlawful processing of personal data.
Prevent unlawful access to personal data.
Ensure the preservation of personal data.
7. PROCESSING OF PERSONAL DATA IN OUR COMPANY’S ACTIVITIES AND COMMERCIAL PROCESSES
The natural and legal persons with whom the COMPANY establishes legal relationships during its activities are classified as parties to employment service contracts, service procurement, supply and sales contracts, and contracts for the sale, installation, and support services of sales, logistics, and service-related software produced by the Company, for which all intellectual and industrial property rights belong to it:
Personal data acquired during the establishment of service contracts are mandatory data for fulfilling the requirements of the Labor Law and other relevant legislation. Likewise, the collection of employees’ personal data to fulfill the employer’s legal obligations is stipulated by the Labor Law, the Social Insurance and General Health Insurance Law, the Occupational Health and Safety Law, and their implementing regulations. Therefore, the collection, processing, and storage of personal data within the scope of the service contract for legal periods are considered to be within the exception provided by the Laws. Following the termination of the service contract and the subsequent legal retention periods, in cases where there is no explicit consent from the personnel for longer storage, an instruction for the destruction of data through periodic checks has been created and given to the relevant departments.
In commercial contracts to which the COMPANY is a party, although the personal data necessary for the establishment and execution of the contract are counted among the exceptions provided by the Law, they are collected and processed by obtaining the explicit consent of the data subject. In this context, the COMPANY concludes additional protocols to all contractor and supply contracts, which shall be an integral part of those contracts.
The COMPANY’s main commercial activity is software sales and support services; the Company concludes contracts concerning the license transfer of the software it has produced, and as its primary duty undertaken with these contracts, it ensures the installation of the software by making it compatible with the customer. In this process, which spans more than one month, the personal data of the relevant project personnel are mutually delivered between the COMPANY and the customer. The names of the personnel who will take part in the installation project are written in the Contract, and their consent forms for the sharing and transfer of their data are obtained. After the installation, the COMPANY’s obligations regarding support services begin within the scope of the contract; in any case where access to the customer’s personal data is involved within the scope of support services, the existence of consent forms under the Law is checked. After the termination of sales or support contracts, an instruction for the destruction or anonymization of the relevant personal data through periodic checks has been created and given to the relevant departments.
8. RIGHTS OF THE DATA SUBJECT
The data subject has the right to apply to the data controller and to:
Learn whether or not their personal data are being processed.
Request information if their personal data have been processed.
Learn the purpose of the processing of their personal data and whether they are used in compliance with the purpose.
Know the third parties to whom their personal data are transferred in-country or abroad.
Request the rectification of the incomplete or inaccurate data, if any.
Request the erasure or destruction of personal data if there is special category personal data.
Request notification of the operations carried out to third parties to whom their personal data have been transferred.
Object to the outcome of personal data analysis made solely by automated systems.
Request compensation for the damage arising from the unlawful processing of their personal data.
9. TRANSFER OF PERSONAL DATA
Personal data may be transferred without the consent of the data subject in the presence of one of the conditions specified in Article 5 above. Personal data cannot be transferred abroad without the explicit consent of the data subject. However, personal data may be transferred abroad without the explicit consent of the data subject in the presence of one of the conditions specified in Article 5 above and:
Existence of adequate protection in the foreign country.
In the absence of adequate protection, the data controllers in Turkey and in the relevant foreign country commit to adequate protection in writing and the Board’s permission is obtained.
The countries with adequate protection are determined and announced by the Board. Personal data may be transferred abroad, without prejudice to the provisions of international conventions, in cases where the interests of Turkey or the data subject will be seriously harmed, but only with the permission of the Board after obtaining the opinion of the relevant public institution or organization. Provisions in other laws concerning the transfer of personal data abroad are reserved.
10. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
While personal data is stored in existing and secure physical and electronic environments within the COMPANY, all possible and conceivable backup and protection measures related to the software business are taken. The COMPANY’s main activity is software; all data and records related to its main activity are digital; in addition, due to the acts and obligations it has undertaken with contracts, the COMPANY also stores customer data on servers under its own responsibility and makes it accessible to the customer. Therefore, digital security constitutes one of the most important elements of the COMPANY’s daily and general commercial life. In this context, the COMPANY also complies with tax security practices; it employs competent and expert IT personnel.
The Company also ensures that data is stored in a specially protected room for data security, that this data is backed up with all physical automatic backup systems, and that cloud backup is performed on its servers abroad; it makes serious expenditures for this purpose. Data is classified according to its degree of confidentiality, and only data processors authorized by the COMPANY for this purpose are allowed to access the data. In this context:
The Company’s Information Technology Department ensures that the system, virus protection, and firewall software are up-to-date and run uninterruptedly for the protection of personal data.
The Company’s Administrative Affairs Unit secures physical files in locked cabinets and safes.
Company employees ensure the destruction of personal data whose purpose and duration of use have expired, in accordance with the training they have received about the Law and the instructions given by the Company administration.
11. PRINCIPLES REGARDING THE DESTRUCTION OF PERSONAL DATA
Any kind of destruction procedure can be applied for the destruction of personal data; when destroying data in any digital form, in addition to the permanent deletion of files, the data may be corrupted in the digital environment so that it becomes unreadable.
If the reason for processing personal data has ceased and there is no consent for storage, it must be destroyed or anonymized.
Despite the existence of prior explicit consent, personal data must be destroyed or anonymized upon the request of the data subject.
The destruction process must be in a way that makes the data inaccessible and irretrievable.
The data controller is obliged to carry out or have carried out the necessary audits within his own institution or organization in order to ensure the implementation of the provisions of this Law.
Data controllers and data processors cannot disclose the personal data they have learned to others in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues after they leave their duties.
In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the data subject and the Board as soon as possible. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.
Information on the Law on the Protection of Personal Data
The personal data you will provide to our Companies in your applications for information or services and in the contracts you will conclude will be processed by the relevant units of our Companies within the scope of the Law on the Protection of Personal Data. Your personal data is processed by our Companies within the scope of the purpose and procedure specified in the Law on the Protection of Personal Data, for purposes such as providing healthy, fast, and efficient service during the legal relationship you will establish with our Companies; making necessary notifications securely and effectively; establishing a healthy and secure relationship with you and your representatives during the contract process.
Your personal data may be transferred to administrative and official authorities, direct and indirect shareholders of our Companies and their domestic and international affiliates, our business partners, our suppliers, domestic and international third parties from whom our companies receive support services or services, and independent audit companies due to legal obligations, but within the framework of legal limitations.
However, personal data will be deleted or anonymized when the legal relationship between you and our Companies ends. In addition, within the scope of the Law on the Protection of Personal Data, natural persons have the rights to request information regarding the processing of their personal data, to learn the purpose of processing, to know the third parties to whom it has been transferred, to request the correction of errors in the data, if any, and to request its deletion or destruction if the conditions are met.
Univera Bilgisayar Sistemleri Sanayi ve Tic A.Ş