INTRODUCTION
The Law on the Protection of Personal Data No. 6698, which entered into force after being published
in the Official Gazette dated 07.04.2016, regulates, privacy of private life being in the first place, the
protection of the fundamental rights and freedoms of individuals, obligations of the data officers
who collect and process the data, and the procedures and principles to which they are subject to.
“Univera Bilgisayar Sistemleri Sanayi ve Tic. A.Ş. Personal Data Protection Policy” was created with
the aim of implementing the Law and its implementing regulations and decisions of the Personal
Data Protection Board of Turkey, and explaining the duties and responsibilities of public officials and
Company employees.
1. PURPOSE AND SCOPE
Univera Bilgisayar Sistemleri Sanayi ve Tic. A.Ş. Personal Data Protection Policy was arranged to be
implemented in conjunction with the "COMPANY", its administrators, employees, and all persons
who establish a relationship with the "COMPANY".
This Policy sets out the rules and principles for the purpose of serving the right of privacy and the
inviolability of private life of all real persons who are in contact with the COMPANY, and the right to
protection of personal data which are under protection of the Law. Any breach of the policy means
that the COMPANY is in breach of the Law as a Registered Data Officer; therefore, any breach of the
Univera Bilgisayar Sistemleri Sanayi ve Tic. A.Ş. Personal Data Protection Policy by employees will be
considered a disciplinary violation.
2. DEFINITIONS
Within the scope of this POLICY and any and all documents and activities within the scope of the
Personal Data Protection Law, expression below mean the following;
- Anonymization: The action of modification of the nature of personal data in such manner
that they can no longer be associated to an identified or identifiable real person even by way of
matching with other data,
- Board: Personal Data Protection Board of Turkey,
- Data officer: A real or legal person who determines the purposes and means of processing
personal data and is responsible for the establishment and management of the data recording
system,
- Data processor: A real or legal person who processes personal data on behalf of the data
officer, based on the authority given by him,
- Express consent: Explicit consent regarding a specific issue, based on information given and
expressed by free will,
- Person concerned: Real person whose data are being processed,
- Personal data: Any and all kinds of information belonging to a real person who is identified or
identifiable,
- Processing of personal data: Any operation, which is performed on personal data such as
collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval,
making available for collection, categorization or blocking its use by wholly or partly automatic
means or otherwise than by automatic means which form part of a filing system.
3. GENERAL PRINCIPLES
Personal data will only be processed in accordance with the procedures and principles prescribed by
the Law. Basic principles in the processing of personal data are; compliance with the rules of law and
principles of honesty; being accurate and, where necessary, current; processing for specific, clear and
legitimate purposes; being in relation to the purpose of processing, limitedness and proportionality
of the data processed; to be retained for the period as prescribed by the applicable regulations or as
necessary for the relevant purpose of processing.
4. COLLECTION AND PROCESSING OF PERSONAL DATA
COMPANY collects and processes personal data for the purposes of establishing business contracts
and establishing relations with leasing customers and concluding leasing contracts. COMPANY's
personal data processing reasons, processes, procedures and all other technical details are specified
in "UNİVERA BİLGİSAYAR SİSTEMLERİ SANAYİ VE TİC A.Ş. PERSONAL DATA INVENTORY".
5. EXPRESS CONSENT ON THE PROCESSING OF PERSONAL DATA
Personal data cannot be processed without the express consent of the person concerned. The
express consent must be in written format or in a verifiable form and should be obtained after the
person concerned has been informed of collection, use, transfer and disposal. However, the
COMPANY may process personal data without express consent only in the following cases:
- If there is explicit contemplation by applicable laws,
- If the explicit consent of the person concerned is failed to be obtained on account of actual
impracticability, where it is strictly obligatory for the processing of the data of a person, who is
physically unable or incapable to express her/his consent or whose consent is legally not considered
valid, in order for the protection of the life or physical integrity of such person or any other
individuals,
- If processing of personal data being directly connected to the execution or the performance
of a contract,
- If it is mandatory for the data officer to fulfill his/her legal obligations,
- If personal data are personally disclosed to public by the person concerned,
- If processing of data represents a strict requirement for the creation, exercise or the
protection of a right,
- If processing of data represents a strict requirement for the preservation and maintenance of
the legitimate interests of data officer, provided that the fundamental rights and freedoms of the
person concerned not be prejudiced.
6. OBLIGATIONS OF THE DATA OFFICER
In the process of obtaining personal data, the COMPANY or the person authorized by it as the data
officer shall be obliged to inform the persons concerned on the following subjects;
- The identity of the data officer and the representative, if any,
- The purpose for which personal data will be processed,
- To whom and for what purpose the personal data processed can be transferred,
- Method and legal reason for collecting personal data
As data officer, the COMPANY is obliged to take any and all technical and administrative precautions
as necessary to ensure the appropriate level of security for the following purposes;
- Prevent the unlawful processing of the personal data,
- Prevent the unlawful access the personal data, and,
- Ensure the protection of the personal data.
7. PROCESSING OF PERSONAL DATA AS A PART OF BUSINESS AND COMMERCIAL ACTIVITIES OF THE COMPANY
Real and legal persons with whom the COMPANY establishes legal relations during its activities are
those natural and legal persons classified within the scope of personnel service contracts; service
procurement, supply and sales contracts; and contracts for the sale, installation and support of sales,
logistics and service software produced by the COMPANY, with all intellectual and industrial rights in
its possession:
- Personal data obtained by the COMPANY during the establishment of service contracts are
mandatory data to fulfill the requirements of the Labor Law and other relevant legislation. Likewise,
collection of personal data of employees in order to fulfill the employer’s legal obligations is
stipulated by the Labor Law, Social Insurance and General Health Insurance Law and the
Occupational Health and Safety Law and their implementing regulations. Therefore, the collection,
processing and storage of personal data within the scope of the service contract is considered to be
within the scope of the exception provided for by the Law. Following the termination of the service
contract and expiry of subsequent legal retention periods, in cases where there is no express consent
of the personnel for retention for a longer period, following periodic checks for that matter,
instructions for the disposition of the data have been established and submitted to the relevant
units.
- In commercial contracts to which the COMPANY is a party, personal data required to be
obtained for the establishment and execution of the contract, although regarded to be within the
exceptions stipulated by the Law, are collected and processed only after express consents of the
persons concerned are duly received. In this context, the COMPANY concludes ancillary protocols in
addition to all subcontractor and procurement contracts, with the statute as an integral part of them.
- The main business activity of the COMPANY is software sales and their support services;
COMPANY enters into agreements for the transfer of licenses of the software it produces, and the
main task it undertakes in those agreements is to ensure the software is installed properly by making
it compatible with the needs and systems of the customer. During this process, which spans more
than one-month, personal data of the personnel working on the relevant project are mutually
submitted between the COMPANY and the customer. Names of the personnel to be involved in the
installation project are written into the agreement and their express consents allowing sharing and transfer of their personal data are obtained. After the installation, the obligations of the COMPANY
regarding support services it renders begin under the agreement; in all cases where access to the
customer’s personal data is a requirement as per the execution of the support services, the existence
of explicit consent is questioned in accordance with scope of the Law. Following the termination of
the Sales or Support agreements, for the disposition or anonymization of the related personal data,
instructions have been established and submitted to the relevant units, following periodic checks.
8. RIGHTS OF THE PERSON CONCERNED
Owner of the personal data, by applying to the data officer, may exercise his/her following rights;
- Learn whether or not the personal data has been processed,
- Request information if the respective personal data has been processed,
- Learn the purpose of processing of the respective personal data and whether data are used in accordance with their purpose,
- Know the third parties based at home or in abroad, to whom the respective personal data have been transferred,
- Request notification of the operations performed as a consequence of such requests as
rectification, deletion and disposal to third parties to whom the respective personal data have been
transferred,
- In cases where the respective personal data have been processed incompletely or
inaccurately, request those to be corrected,
- Request the respective personal data to be deleted or disposed of if there is a personal data
in private nature,
- Object to occurrence of any result that is to her/his detriment by means of analysis of the
respective personal data of the relevant personal data owner exclusively through automated
systems;
- Request compensation in case the personal data owner incurs damages due to unlawful
processing of the respective personal data.
9. TRANSFERRING PERSONAL DATA
Personal data may be transferred without the express consent of the person concerned, in the
presence of any of the cases referred to in Article 5 above.
Personal data cannot be transferred abroad without the express consent of the person concerned.
Nevertheless, the transfer of personal data abroad without the express consent of the person
concerned may occur in the presence of one of the cases referred to in Article 5 above or in the
following cases.
- In case the foreign country has been declared to have adequate protection,
- In case foreign countries, where adequate protection is not in place but in respect of which
the data controllers in Turkey and in the such foreign countries have warranted to ensure adequate
protection and transfer of personal data to which has been authorized by the Board,
- Foreign countries which have adequate protection are declared and announced by the Board.
- In case if Turkey’s or the concerned person’s interest is to suffer a serious damage, without
prejudice to the provisions of international conventions, only after opinions of relevant public
institutions or organizations are received, and with the permission of the Board.
- The provisions of other laws regarding the transfer of personal data abroad are reserved.
10. PRECAUTIONS TAKEN FOR THE PROTECTION OF THE PERSONAL DATA
Personal data are not only stored in COMPANY’s existing and highly secure hardware and electronic
media, but all possible and conceivable backup and protection measures available for the software
industry are explicitly taken. The main activity of the COMPANY is software production; all data and
records of its main activity are in digital format; additionally, in accordance with the acts and
obligations undertaken in agreements, the COMPANY also stores the data of its customers on servers
under its responsibility and makes them available to be accessed by the customer. For this reason,
digital security is one of the most important component of the COMPANY’s daily and general
business endeavors.
In this context, the COMPANY again complies with all data security practices; it employs competent
and expert IT personnel. At the same time, COMPANY also ensures that the data are stored in a
specially protected room for data security, provides the data to be backed up by all physical
automatic backup systems and by cloud backups performed on servers abroad; for this purpose, the
COMPANY invests significantly.
Data are classified according to their confidentiality levels and only data processors authorized by the COMPANY for this purpose are allowed access to these data. In this context the COMPANY ensures that;
- System, virus protection and firewall software are up-to-date and working uninterruptedly in terms of protection of the personal data, through its IT Department.
- Physical files are kept in locked file cabinets or safes, through its Administrative Affairs Department.
- Disposing of personal data whose purpose and duration of use expired in accordance with
the instructions issued by the COMPANY administration and the trainings provided about the Law,
through its competent and trained personnel.
11. PRINCIPLES ON THE DISPOSAL OF PERSONAL DATA
- Any and all types actions can be taken in respect of the deletion, disposal and anonymization
of personal data; in the process of disposing of personal data in all kinds of digital formats, in
addition to deleting files permanently, the method of corrupting the data until it is rendered
unreadable may be employed.
- If the reasons retaining personal data for processing no longer exists or if there is no express
consent to its retention, the personal data shall be deleted, disposed of or anonymized.
- Despite the express consent given previously, upon the request of the relevant person, the
personal data has to be disposed of or anonymized.
- Disposal of personal data has to be an action of rendering the personal data strictly and
conclusively inaccessible, non-retrievable and non-reusable by relevant users.
- The data officer is obliged to carry out necessary audits personally or have them carried out
in his/her own institution or organization in order to ensure the implementation of the provisions of
this Law.
- Data officers and persons processing data may not disclose the personal data they have
learned in contradiction to the provisions of this Law and may not use it for any purpose other than
for processing purposes. This obligation persists even after their resignation.
- In the event if the processed personal data are captured and/or seized through illegal or
unlawful means by others, the data officer fulfills its obligation to notify the respective data owner
and the Board of such incident as soon as practicable. The Board may, if necessary, announce this on its website or in any other way it deems appropriate.
Information on the Law on Protection of Personal Data
Your personal data that provided by you to our Companies present in applications you will place in order to
obtain information, and/or contracts you will enter in order to receive services from our Companies will be
processed by the relevant units of our Companies within the scope of the Law on the Protection of the
Personal Data. During the legal relationship you will establish with our Companies, your personal data is
being processed by our Companies for the purposes of providing healthy, fast and efficient services;
making the necessary notifications in a safe and effective manner, establishing a healthy and secure
relationship with you and your representatives during the contract process; all to be executed within the
scope of the purpose and procedures as indicated in the Law on Protection of the Personal Data.
Due to legal obligations, your personal data may be transferred to administrative and governmental
authorities, direct and indirect shareholders of our Companies as well as our domestic and foreign
subsidiaries, business partners, suppliers, third parties in Turkey and abroad from which support or services
are received by our Companies, and independent auditing firms, and but all to be executed within the
framework of legal restrictions.
None the less, your personal data will either be deleted or made anonymous when the legal relationship
between you and our Companies is terminated. In addition, within the scope of the Law on the Protection
of the Personal Data, real persons have the right to request information about the processing of their
personal data, to learn the purpose of processing, to know the third parties to whom it is transferred, if
any, to request correction of the errors in the data, and if the conditions have been matured, to have it
deleted or destroyed.
Univera Bilgisayar Sistemleri Sistemleri Sanayi ve Tic A.Ş