PDPL


CLARIFICATION TEXT

(Within the scope of Article 10 of the PDPL)

A.

This clarification text concerns the processing of your personal data by Ece Saray, a business of Ecetaş Construction Industry and Trade Inc., during hotel accommodation and marina services. The clarification text is compulsory under Law No. 6698 on the Protection of Personal Data.

B.

Ecetaş Construction Industry and Trade Inc. is the data supervisor. The data supervisor's address and contact details are Meşrutiyet Cad. No:28 İç Kapı No:11 Kızılay Çankaya ANKARA; the official e-mail address with KEP extension is ecetas@hs02.kep.tr. These addresses will be used to exercise the rights in Article 11 of the PDPL.

C.

We process your personal data within the scope of the accommodation and marina services agreement you have made with Ece Saray Marina & Resort, operating within Ecetaş Inc. The data we need for establishing and maintaining the contractual relationship is processed for the purposes listed below:

  • To manage and complete reservation, transportation, payment and settlement processes,
  • To communicate,
  • To provide information about our products, campaigns and promotions,
  • To customize the services and offer them to you,
  • To carry out analysis,
  • To ensure the legal and commercial safety of our company and persons in business,
  • To organize administrative operations,
  • To ensure the physical safety and supervision of the company's departments,
  • To use in business partner / customer / supplier evaluation processes,
  • To identify and apply the commercial work strategies of our company,
  • To ensure the execution of our company's human resources policy,
  • To fulfill the legal obligations determined by the relevant legislation and to give information,
  • To ensure the management and security of the Marina,
  • To establish and maintain the contractual relationship of the boat mooring.

Your data is collected and processed for the purposes above.

We need to process your data below to manage accommodation and marina services:

For accommodation services,

  • Personal identifying information: (Name – Surname, Place and date of birth, Nationality, T.R. ID No, Passport No, Accompanying guest Name-Surname, Place and date of birth)
  • Contact Information: (Address, Phone Number, E-mail)
  • Financial information: (only bank account number, credit card information)
  • Vehicle license plate information: (Entry-Exit Registration)

For Marina service,

  • Personal identifying information
  • Contact information (address, phone number, email)
  • Property information (boat ownership) (boat mooring registration license, Transit log)
  • Crew information and documents (certificate of authority, SSI information, certificate of competence)
  • Boat owner Vehicle License Plate No (for parking use)
  • Boat Insurance Information
  • Financial information (only bank account number, credit card information)

Your personal data is recorded. The data described above is requested from you and processed within the framework of the contractual relationship.

D.

As stated above, the personal data collected and processed may be transferred between data processors and the accommodation and marina facilities, and between the data officer and the data processor, within the scope of mandatory notices arising from the law and requests from public institutions and organizations (Police Department, judicial authorities, relevant Ministry). The purpose of the transfer is that your personal data is required within the framework of the contractual relationship and the conduct of the services, as well as the fulfillment of the purposes stated in Article C. Our facility does not transfer data abroad.

E.

Our facility is monitored by camera for your safety, and the camera recordings are renewed periodically every 15 days. If requested, only records from the 15 days prior to the date of the request can be accessed. Camera recordings are not recorded in any data or server. The areas monitored by camera are indicated by warning signs.

F.

As data collection methods, in line with the establishment and management of the contractual relationship, the legal reasons stated in Article C, and requests from the relevant public institutions and organizations, we obtain your data when you fill in your booking information on our website or directly through the application, when you submit the information and documents we request, and by e-mail and telephone.

G.

The person whose personal data is processed may exercise his/her rights under Articles 11 and 7 of Law No. 6698. Please visit www.ecesaray.com.tr or the reservation desk for information. To find out how your data can be deleted, and for detailed information about our data deletion, destruction and anonymization policy, visit www.ecesaray.com.tr and see our policy entitled "Personal Data Protection Policy."


PERSONAL DATA PROTECTION POLICY

  1. GENERAL INFORMATION

The protection of your personal data is very important for our hotel and marina business and a high level of sensitivity is shown for the protection of your data. Apart from the data we process and need within the contractual relationship, your data is stored in a secure environment in order to provide you with a better quality service and to establish the specific standards mentioned below.

In accordance with the International Convention on the protection of individuals against the automatic processing of personal data, Directive 96/45/AT, the GDPR (General Data Protection Regulation) and Law No. 6698 on the Protection of Personal Data, which was published in the Official Gazette on 07.04.2016, your personal data is among the values and policies that are of importance to our company. Our purpose is to inform you about the privacy of your private life, to protect the fundamental rights and freedoms of persons, and to inform you about the procedures and principles that the real and legal persons who process personal data must comply with. According to Article 20 of the Constitution of the Republic, all real persons have the right to request the protection of personal data relating to them. Regarding the protection of personal data, which is a constitutional right, Ece Saray Marina & Resort, a business of ECETAŞ Construction Industry and Trade Inc., is managed under this policy; the utmost care is taken to protect your personal data and all precautions are taken.

In accordance with Article 7 of Law No. 6698 on the Protection of Personal Data and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, the data officer is responsible for storing your personal data for a certain period of time and for deleting, destroying and anonymizing it on request or ex officio. The storage, deletion, destruction and anonymization periods and the related administrative and technical measures are set out in our policy.

  2. BASIS

This text has been prepared in accordance with the Law No. 6698 on the protection of personal data, regulations and communiqué.

  3. DEFINITIONS

Data Supervisor: ECETAŞ Construction Industry and Trade Inc., which determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

  1. Personal Data: Any information that identifies you or makes your identity identifiable.
  2. Person concerned: Real person whose personal data is processed.
  3. Board: Personal Data Protection Board.
  4. Application: Application made within the scope of Article 13 of the Act. (Application form is attached.)
  5. Registered e-mail address (REM): A qualified form of e-mail that provides legal evidence for the use of electronic messages, including their sending and delivery.
  6. Secure electronic mail: An electronic signature that is exclusively attached to the signature holder, is created by means of a secure electronic signature creation tool which is only at the disposal of the signatory, enables the identification of the signature holder based on a qualified electronic certificate, and makes it possible to determine whether any subsequent changes have been made to the signed electronic data.

  4. DATA SUPERVISOR

Data supervisor: ECETAŞ Construction Industry and Trade Inc. (VKNO: 3240014910) (Ece Saray Marina & Resort Facility).

  5. WHY DO WE PROCESS YOUR PERSONAL DATA? WHICH PERSONAL DATA DO WE PROCESS?

    • To manage and complete booking, transportation, payment and settlement processes,
    • To communicate,
    • To provide information about our products, campaigns and promotions,
    • To customize the services and offer them to you,
    • To carry out analysis,
    • To ensure the legal and commercial safety of our company and persons in business,
    • To organize administrative operations,
    • To ensure the physical safety and supervision of the company's departments,
    • To use in business partner / customer / supplier evaluation processes,
    • To identify and apply the commercial work strategies of our company,
    • To ensure the execution of our company's human resources policy,
    • To fulfill the legal obligations determined by the relevant legislation and to give information,
    • To ensure the management and security of the Marina,
    • To establish and maintain the contractual relationship of the boat mooring.

For the purposes above, we process the following data:

For accommodation services,

  • Personal identifying information: (Name – Surname, Place and date of birth, Nationality, T.R. ID No, Passport No, Accompanying guest Name-Surname, Place and date of birth)
  • Contact Information: (Address, Phone Number, e-mail)
  • Financial information: (only bank account number, credit card information)
  • Vehicle license plate information: (Entry-Exit Registration)

For Marina service,

  • Personal identifying information
  • Contact information (address, phone number, email)
  • Property information (boat ownership) (boat mooring registration license, Transit log)
  • Crew information and documents (certificate of authority, SSI information, certificate of competence)
  • Boat owner Vehicle License Plate No (for parking use)
  • Boat Insurance Information
  • Financial information (only bank account number, credit card information)

Your personal data is recorded. The data described above is requested from you and processed within the framework of the contractual relationship.

  6. CAMERA RECORDINGS

Our facility is monitored by camera for your safety, and the camera recordings are renewed periodically every 15 days. If requested, only records from the 15 days prior to the date of the request can be accessed. Camera recordings are not recorded in any data or server. The areas monitored by camera are indicated by warning signs.

  7. DATA SECURITY PROVISIONS

The data supervisor is responsible for ensuring the security of the data and ensures that the data is processed in accordance with the following considerations.

  • Processing personal data in accordance with the law and integrity rules,
  • Keeping personal data accurate and up to date for appropriate periods,
  • Processing personal data for specific, explicit and legitimate purposes,
  • Processing personal data in a way that is relevant, limited and proportionate to the purpose for which it is processed,
  • Maintaining personal data for the period of time required by the relevant legislation or for the purpose for which it is processed,
  • Enlightening and informing the owners of personal data,
  • Establishing the system necessary for personal data owners to exercise their rights,
  • Taking necessary measures to protect personal data,
  • Acting in accordance with the relevant legislation and the regulations of the PDP (Personal Data Protection) Board when transferring personal data to third parties in accordance with the requirements of the purpose of processing,
  • Demonstrating the necessary sensitivity to the processing and protection of personal data of special quality.

  8. TRANSFER OF PERSONAL DATA

Our facility does not transfer data abroad.

  9. WHAT IS THE METHOD OF COLLECTING YOUR PERSONAL DATA AND THE LEGAL REASON?

Your personal data will be used for the purposes stated in Article B above and within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of PDPL No. 6698. All kinds of data in written, oral and electronic form are stored during the reservation and sales process and after entry to the facility, and the personal data is archived by the data responsible, or by a person authorized by the data responsible, in files opened in your name, with all necessary security measures taken.

In the processing of your personal data, the measures determined by the Personal Data Protection Board are meticulously applied in addition to the security measures taken by us.

  10. RIGHTS OF REAL PERSONS WHOSE PERSONAL DATA IS PROCESSED

By contacting the data supervisor, everyone can:

  1. Learn whether personal data is processed,
  2. Request information about personal data if it has been processed,
  3. Learn the purpose of processing personal data and whether it is used in accordance with that purpose,
  4. Know the third parties to which personal data is transferred at home or abroad,
  5. Request that personal data be corrected if it is incomplete or improperly processed,
  6. Request the deletion or destruction of personal data under the conditions stipulated in the law,
  7. Request that correction, deletion and destruction carried out because of incomplete or incorrect processing be reported to the third parties to which the personal data was transferred,
  8. Object to the emergence of an outcome against the person himself through analysis of the processed data exclusively by automated systems,
  9. Request the removal of the damage in the event of damage due to illegal processing of personal data.

To exercise the rights above, state your identity details and the rights you wish to exercise clearly in writing, and send the request with a wet signature to Meşrutiyet Cad. No:28 İç Kapı No:11 Kızılay / Çankaya / ANKARA, or with a secure e-signature to our e-mail address ecetas@hs02.kep.tr.

Your applications must be yours alone. For applications made on behalf of someone else, legal documents stating that you represent the applicant must be added to the application petition. Applications made within this scope will be answered within 30 days at the latest. These applications are free of charge, but if the transaction requires an additional cost, the fee in the tariff set by the Personal Data Protection Board may be charged. For the tariff you can visit www.kvkk.org.tr.

  11. PRECAUTIONS TO BE TAKEN BY THE DATA SUPERVISOR

The following are sufficient precautions that the data supervisor must take while processing the data:

  • To set a separate policy and procedure for the security of private data,
  • To provide regular training for employees who are involved in processing data in the category of special qualified personal data, to make confidentiality agreements with them and to define their access powers,
  • To keep private personal data held in electronic form encrypted and to log all transactions performed on the data,
  • If private personal data is stored in a physical environment, to take adequate security measures (fire, flood, theft, etc.) and to keep entry and exit under control,
  • If personal data of special quality is to be transferred, to carry out the transfer using encrypted and secure transfer methods.

  12. DATA DESTRUCTION CHART AND ANONYMIZATION

Data:

For accommodation service:

  • Personal identifying information: (Name – Surname, Place and date of birth, Nationality, T.R. ID No, Passport No, Accompanying guest Name-Surname, Place and date of birth)
  • Contact Information: (Address, Phone Number, e-mail. Province is a must for invoice)
  • Financial information: (only bank account number, credit card information)
  • Vehicle license plate information: (Entry-Exit Registration) (Optional)

For Marina service:

  • Personal identifying information
  • Contact information (address, phone number, email)
  • Property information (boat ownership) (boat mooring registration license, Transit log)
  • Crew information and documents (Certificate of authority, SSI Information, Certificate of competence)
  • Boat owner Vehicle License Plate Number (for parking use)
  • Boat Insurance Information
  • Financial information (only bank account number, credit card information)

Storage period: It cannot be processed without the express consent of the person concerned. If there is clear consent, the storage period is 10 years. If certain regulations exist in the law, it may be processed without explicit consent. Storage time: max. 10 years.

Method of destruction: Masking, Dimming, Anonymizing, Destroying, Exterminating.

Data: Name-Surname, ID Card, Passport, ID No, Tax No

Storage period: Max. 10 years

Method of destruction: Extraction and data preparation/sampling, anonymization

  13. ADMINISTRATIVE AND TECHNICAL MEASURES FOR DATA STORAGE

Ecetaş Inc. will process, use and disclose your personal data only for the purposes described in this statement: to make a contract; where required by law or by competent government and judicial authorities; to make or submit a legal claim, defense, etc.; and to prevent deliberate attacks, fraud or illegal activities against the Ecetaş digital security system.

All computers in our facility are protected by an antivirus program, and higher-security antivirus programs are used on our server computers to protect your personal data.

Your data is stored on physical and digital media. Your data stored in the digital environment is masked and stored in the physical environment, and only the data manager and, when necessary, the data processor have limited access to your data.

Areas where your data is stored:

  • Unit cabinets
  • Archive Cabinets
  • File Server
  • Firewall
  • Printer Interface
  • Power Plant
  • Virtual Backup Space
  • Hotspot

Our IT unit works to secure the data storage program that keeps your data in a secure environment; the program is updated and interface maintenance is performed every day against all external attacks.

When your data is requested by the relevant units, the IT unit shares it in a limited way, and access is allowed through the processors only for the required amount of time. Passwords are changed periodically, and the passwords of those who leave the job are canceled on the same day.

Your personal data will be anonymized and destroyed after the retention period has expired.

Secure internet conditions are provided in our facility through different networks, a firewall and a hotspot. All your inputs and outputs are stored with log records in accordance with Law No. 5651.

DATA SUPERVISOR

ECETAŞ İNŞ. SAN. VE TİC. A.Ş.


PERSONAL DATA STORAGE AND DESTRUCTION POLICY

Within the scope of Law No. 6698 on the Protection of Personal Data and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, we would like to inform you about how long the data of the data holders whose personal data we process is kept on our site, and about the conditions and duration of destruction. This destruction policy will be implemented at the data controller, ECETAS INSAAT SAN. VE TIC. A.S, and its business, Ecesaray Marina & Resort.

Definitions

Recipient Group: Real or legal person category to which personal data is transferred by the data controller,

Explicit Consent: Consent on a particular subject, informed and expressed with free will.

Data Processor: Persons who process personal data within the organization of the data controller or in accordance with the authority and instruction received from the data controller, with the exception of the person or unit responsible for the technical storage, protection and backup of the data.

Data Recording System: The recording system in which personal data is processed according to certain criteria.

VERBIS: Data Controllers Registry Information System.

Destruction: Deletion, destruction or anonymization of personal data.

Recording Medium: Any media in which personal data are processed, which are either fully or partially automated or processed by non-automated means provided that they are part of any data recording system.

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

Policy: Personal Data Storage and Destruction Policy

Personal Data: All kinds of information about an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, such as acquisition, recording, storage, preservation, modification, reorganization, disclosure, transfer, acquisition, making available, classification or inhibition of use, by wholly or partially automated means or by non-automated means provided that they are part of any data recording system.

Anonymizing Personal Data: Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.

Deleting Personal Data: Making personal data inaccessible and unusable to relevant users in any way.

Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and unusable by anyone in any way.

Board: Personal Data Protection Board.

Periodic Destruction: The process of deleting, destroying or anonymizing the personal data, which will be performed ex officio at regular intervals specified in the policy of destruction, in the event that all the processing conditions of the personal data in the Law disappear.

Data Owner/Contact: Real person whose personal data is processed.

Personal Data Inventory: Personal data processing activities that data administrators carry out depending on their business processes; the inventory that they have created by associating the personal data with the purposes and legal reason, the data category, the group of recipients transferred and the group of data subject, and the details of the personal data that are intended to be transferred to foreign countries and the measures taken regarding data security.

Processing of Personal Data: Acquisition, recording, storage, preservation, modification, reorganization, disclosure, transfer, acquisition, making available or classification of personal data, in a fully or partially automated manner or in a non-automated manner provided that it is part of any data recording system, or any action taken on data, such as inhibition of its use.

Periodic Destruction: The process of deleting, destroying or anonymizing the personal data, which will be carried out automatically at regular intervals specified in the policy of destruction, in the event that all the conditions of the processing of personal data in the Law are eliminated.

Principles

First of all, we would like to state that we use a data storage method and tool that comply with the requirements as a company.

* A destruction policy contrary to Law No. 6698 and its regulations, Convention 108+ and Personal Data Protection Board decisions should not be adopted.

* Firstly, appropriate security measures have been taken to protect personal data contained in automatic data files against accidental or unauthorized destruction, as well as unauthorized access, modification or publishing.

* Appropriate precautions have been taken to protect the files against both natural hazards and human-induced dangers such as accidental loss or destruction, and against unauthorized access, misuse of data for fraud, or infection by computer viruses.

* Our personal data protection policy and the personal data that we collect in the areas specified in the clarification text are recorded and stored in a secure area and are kept for at least 3 years, except for storage required by legal obligations.

* Law No. 6698 and the Regulation have given us the right to choose and manage the process of destruction of personal data. The data controller will determine the method of destruction according to the type of personal data. If the person concerned makes a request, the appropriate method will be selected and the reason for it explained. Before the data controller destroys the data, he/she will notify the person concerned at their registered e-mail address or registered address and inform them of the method by which the data will be destroyed.

* While personal data is being destroyed, the necessary administrative and technical measures will be taken. Once destroyed, the destruction will be recorded and the record kept for at least 3 years in a safe environment. Retention periods arising from legal obligations are reserved.

* The data of inactive customers, employee candidates, employees, subcontractors and suppliers of our company will be destroyed immediately, except during the storage periods, and the relevant person will be notified of the destruction and the method of destruction.

* In the event that all the conditions for the processing of personal data in Articles 5 and 6 of the Law disappear, the personal data is deleted, destroyed or anonymized by the Company ex officio or upon the request of the person concerned.

* The person concerned may also request the deletion of their data from the company. In this case, the company responds to the application within 30 days at the latest, the groups to which the data has been transferred are informed about the application, and if the deletion conditions are met, the data is deleted. The person concerned will be given a reasoned response explaining why any personal data was not deleted and when it will be deleted.

Explanations on the Reasons Requiring Keeping and Destruction

Personal data of the person concerned is recorded for the following purposes:

  • To manage and complete reservation, transportation, payment and settlement processes,
  • To communicate,
  • To provide information about our products, campaigns and promotions,
  • To customize services and offer them to you,
  • To analyze,
  • To ensure the legal and commercial security of our company and those who have a business relationship with our company,
  • To organize administrative operations,
  • To ensure the physical security and control of the departments of the company,
  • To use in business partner/customer/supplier evaluation processes,
  • To determine and implement the commercial business strategies of our company,
  • To ensure the execution of our company's human resources policy,
  • To fulfill the legal obligations determined by the relevant legislation and to provide information,
  • To ensure the management and security of the marina,
  • To establish the boat mooring contract relationship and maintain contractual relations.

For these purposes, the following data is processed:

Related to accommodation service,

  • Identity information: (Name-surname, place and date of birth, nationality, Turkish ID number, passport number, accompanying guest name-surname, place and date of birth)
  • Contact Information: (Address, phone number, e-mail)
  • Financial information: (Bank account number only, Credit card information)
  • Vehicle License Plate Information: (Entry-exit registration)

Related to marina services,

  • ID information
  • Contact Information (Address, phone number, e-mail,)
  • Property Information (Boat ownership) (Boat mooring license, Transitlog)
  • Crew information and Documents (Authorization document, SSI information, qualification document)
  • Boat Owner Vehicle License Number (For parking use)
  • Boat Insurance Information
  • Financial Information (Bank account number only, Credit card information)

Your personal data is recorded. The data defined above is requested from you and processed within the framework of the contractual relationship.

Personal data is kept for these reasons:

  • Keeping personal data because it is directly related to the establishment and performance of contracts,
  • Keeping personal data for the purpose of establishing, using or protecting a right,
  • Keeping personal data because it is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of persons,
  • Keeping personal data in order to fulfill any legal obligation of the Company,
  • The storage of personal data being clearly provided for in the legislation,
  • The explicit consent of the data subjects, for storage activities that require their explicit consent.

Attention is paid to the issues above.

Your data is deleted and destroyed in the following cases:

* If the storage period of your personal data has expired, or the obligation has ended due to changes in the storage conditions in the legislation,

* If the purpose of processing personal data disappears,

* If the conditions that require the processing of personal data in Articles 5 and 6 of the Law disappear,

* If the person concerned withdraws explicit consent for personal data processed on the basis of that explicit consent,

* If the application made by the person concerned under Article 11 of the PDPL is accepted,

* If the data controller rejects the application made by the person concerned requesting deletion, destruction or anonymization of his personal data, gives an inadequate response or does not respond within the period stipulated in the Law, and a complaint is made to the Board and the Board so recommends,

* If the maximum period that requires the storage of personal data has passed.

Storage and Destruction Times

While determining the storage and destruction periods, the Company evaluates the following criteria within the scope of Law No. 6698 and the Regulation:

* The time accepted as a general practice in the relevant sector,

* The period that the legal relationship established with the relevant person, which requires processing, will continue,

* The period that the legitimate interest to be obtained by the data controller will be valid in accordance with the law and the rules of integrity,

* The period during which the risks, costs and responsibilities of storage will continue legally,

* Whether the maximum period to be determined is suitable for keeping the relevant data category accurate and up-to-date when necessary,

* The period in which the data controller has to keep personal data in the relevant data category due to his legal obligation,

* The limitation period set for claiming a right connected to personal data.

Personal data whose storage period has expired is anonymized or destroyed in accordance with the procedures in this Policy, in 6-month periods, taking the destruction periods into account. All transactions regarding the deletion, destruction and anonymization of personal data are recorded, and these records are kept for at least 3 (three) years, except for other legal obligations.

Technical and Administrative Measures Regarding Storage and Destruction of Personal Data

Administrative Measures:

Within the scope of administrative measures, the Company:

  • Limits internal access to stored personal data to the personnel who require access by job description. In limiting access, whether the data is of a special nature and its importance are also considered.
  • Notifies the person concerned and the Board as soon as possible if the processed personal data is obtained by others in unlawful ways.
  • Regarding the sharing of personal data, ensures data security with the persons with whom personal data is shared through a framework agreement on the protection of personal data and data security, or through provisions added to the existing contract.
  • Employs staff who are knowledgeable and experienced in the processing of personal data and provides its staff with the necessary training within the scope of personal data protection legislation and data security.
  • Carries out, or has carried out, the necessary inspections within its own legal entity for the implementation of the provisions of the Law. It addresses the confidentiality and security weaknesses that arise as a result of inspections.
  • Provides adequate security measures (against electricity leakage, fire, flood, theft, etc.) according to the environment in which the personal data is kept and prevents unauthorized entry to and exit from these environments.

Technical Measures:

Within the scope of the Company's technical measures;

* Penetration tests are used to reveal risks, threats, weaknesses and, if any, vulnerabilities in our institution's information systems, and the necessary precautions are taken. As a result of real-time analysis with information security incident management, risks and threats that will affect the continuity of information systems are taken into account.

* To ensure the security of information systems against environmental threats, hardware measures (an access control system that allows only authorized personnel into the system room, a 24/7 monitoring system, physical security of the edge switches forming the local area network, a fire extinguishing system, an air conditioning system, etc.) and software measures (firewalls, attack prevention systems, network access control, systems that prevent harmful software, etc.) are taken.

* Risks regarding the illegal processing of personal data are identified, technical measures appropriate to these risks are taken, and technical controls are carried out on the measures taken.

* By establishing access procedures within the institution, reporting and analysis studies on access to personal data are carried out.

* Access to storage areas containing personal data is recorded, and improper access or access attempts are kept under control. The institution takes the necessary precautions to make deleted personal data inaccessible and non-reusable for the relevant users.

* An appropriate system and infrastructure have been established by the Authority to notify the relevant person and the Board in case personal data are obtained illegally by others.

* Security gaps are followed, appropriate security patches are installed and information systems are kept up to date.

* Strong passwords are used in electronic environments where personal data are processed.

* Secure logging systems are used in electronic environments where personal data are processed. Data backup programs are used, which ensure the safe storage of personal data.

* A separate policy has been determined for the security of personal data of a special nature. Employees involved in the processing of personal data of a special nature have been given special training on personal data security, confidentiality agreements have been made, and the powers of users who have access to the data have been defined. Electronic environments where personal data of a special nature are processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, regular security tests are performed and the test results are recorded. Adequate security precautions are taken in the physical environments where personal data of a special nature are processed, stored and/or accessed, and unauthorized entries and exits are prevented by ensuring physical security. If personal data of a special nature has to be transferred via e-mail, it is transmitted in encrypted form via a corporate e-mail address or using a KEP account.

* If personal data of a special nature needs to be transferred via media such as portable memory, CD or DVD, it is encrypted with cryptographic methods and the cryptographic key is kept on different media. If the transfer takes place between servers in different physical environments, it is performed by setting up a VPN between the servers or by the sFTP method. If it has to be transported on paper, necessary precautions are taken against risks such as being stolen, lost or seen by unauthorized people, and the document is sent in “confidential” format.

Duties and Powers of the Personal Data Protection Unit

The Personal Data Protection Unit announces the policies and other information regarding the Protection of Personal Data to the units and monitors their development in this regard. It plans the training processes periodically and has them inspected. It follows the legislative changes related to the subject and ensures that the policies and texts are updated according to the legislation. It regularly follows the decisions of the Board.

Policy Enforcement, States of Violation and Applicable Sanctions

* This Policy will be announced to all employees and will be binding for all business units, consultants, external service providers and anyone who processes personal data.

* Where someone acts against the policy, the supervisor concerned directly informs the data controller and the contact person appointed by the data controller, and takes the necessary measures to ensure the implementation of the policy.

* The Personal Data Protection Unit is also informed about any behavior against the policy.

* Necessary action is taken promptly against those who violate the policy.

ANNEX-1 Personnel Title, Unit and Positions List

ANNEX-2 Table Indicating Personal Data Keeping and Destruction Times

Personal data will be stored for the periods specified in the table below, taking into account the points specified in Article 4 of the policy, and will be anonymized or destroyed at the end of the period:

| Process | Keeping Term | Destruction Term |
|---|---|---|
| Data stored under the Labor Law (e.g. performance records, etc.) | For 5 years after the end of business relations | Within 6 months after the end of the storage period |
| Data collected within the scope of occupational health and safety legislation (health reports etc.) | For 15 years after the end of business relations | Within 6 months after the end of the storage period |
| Data kept within the scope of SSI legislation | For 10 years after the end of business relations | Within 6 months after the end of the storage period |
| Documents that can be used in a claim/case related to work accident/occupational disease | For 10 years after the end of business relations | Within 6 months after the end of the storage period |
| Data collected in accordance with other relevant legislation | For the time stipulated in the relevant legislation | Within 6 months after the end of the storage period |
| Personal data that is the subject of a crime within the scope of the Turkish Penal Code or other penal legislation | During the limitation period | Within 6 months after the end of the storage period |
| Customer data | 10 years after being recorded | Within 6 months after the end of the storage period |

The Company reserves the rights regarding the data that should be kept longer than the periods set out above and explains the conditions for deletion along with its justification upon the request of the person concerned.

APPLICATION TO DATA SUPERVISOR

GENERAL EXPLANATIONS

(Within the scope of Articles 13 and 22 of the PDPL)

  1. YOUR RIGHTS ABOUT THE APPLICATION.

Applications regarding your rights under Article 11 of the Act can be made in writing, or by means of a registered electronic mail (REM) address, secure electronic signature, mobile signature, an electronic mail address that has been previously notified to the data officer and registered in the system, or software or applications created for the purposes of application.

Your rights under Article 11 of the PDPL;

  • Learn whether personal data is processed or not,
  • Request information if personal data is processed,
  • Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • Know the third parties to whom personal data is transferred at home or abroad,
  • Request correction of personal data in case of incomplete or incorrect processing,
  • Request the deletion or destruction of personal data in accordance with the conditions provided in the article 7,
  • Request the transactions made in accordance with paragraphs (d) and (e) be notified to third parties to whom personal data has been transferred,
  • Object to the occurrence of a result against the person by analyzing the processed data exclusively through automated systems,
  • Request compensation for the damages in case of any damage due to unlawful processing of personal data

  2. APPLICATION PROCEDURE

Pursuant to Article 13 of the PDPL and Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Officer / Supervisor, applications can be made in writing, via a registered e-mail address (REM), with a secure electronic signature, or with the e-mail address previously reported to our company and registered.

Your application will be answered by our company in writing as soon as possible after the date of receipt of the notification, and within 30 days at the latest. If your transaction requires a cost, you will be charged at the tariff set by the Personal Data Protection Board. Click here for the fee tariff.

  3. ADDRESS OF APPLICATION / REGISTERED E-MAIL ADDRESS

We kindly request you to send your application with a wet signature to ECETAŞ Construction Industry and Trade Inc.’s address at Meşrutiyet Cad. No:28 İç Kapı No:11 Kızılay/Çankaya/ANKARA, or to the e-mail address ecetas@hs02.kep.tr, signed with secure electronic mail. Applications sent to addresses other than these will not be accepted by our company.

  4. Application

Name and Surname :

T.R. ID No. / Passport No. / Blue Card No. :

Address :

Registered Electronic Mail (REM) :

Subject of Request :

Attached Documents :

  5. RIGHTS SUBJECT TO CLAIM IN THE APPLICATION.

  • Is my personal data being processed? (PDPL Article 11 / a)
  • I would like to be informed if my personal data is being processed. (PDPL Article 11 / b)
  • For what purpose is my personal data processed, and is it used in accordance with that purpose? (PDPL Article 11 / c)
  • With whom is my personal data shared at home and abroad? (PDPL Article 11 / ç)
  • I request that my personal data be updated. (PDPL Article 11 / d)
  • I request that my personal data be deleted and anonymized / destroyed. (PDPL Article 11 / e)
  • When my personal data is updated, destroyed / deleted / anonymized, I want the third parties to whom it has been transferred to be notified. (PDPL Article 11 / f)
  • I object to a negative result arising from the analysis of my personal data through automated systems. I do not want it to be analyzed. (PDPL Article 11 / g)

Click here for the application form.