The Law on the Protection of Personal Data No. 6698, which entered into force after being published in the Official Gazette dated 07.04.2016, regulates, privacy of private life being in the first place, the protection of the fundamental rights and freedoms of individuals, obligations of the data officers who collect and process the data, and the procedures and principles to which they are subject to. “Univera Bilgisayar Sistemleri Sanayi ve Tic. A.Ş. Personal Data Protection Policy” was created with the aim of implementing the Law and its implementing regulations and decisions of the Personal Data Protection Board of Turkey, and explaining the duties and responsibilities of public officials and Company employees.
Univera Bilgisayar Sistemleri Sanayi ve Tic. A.Ş. Personal Data Protection Policy was arranged to be implemented in conjunction with the "COMPANY", its administrators, employees, and all persons who establish a relationship with the "COMPANY".
This Policy sets out the rules and principles for the purpose of serving the right of privacy and the inviolability of private life of all real persons who are in contact with the COMPANY, and the right to protection of personal data which are under protection of the Law. Any breach of the policy means that the COMPANY is in breach of the Law as a Registered Data Officer; therefore, any breach of the Univera Bilgisayar Sistemleri Sanayi ve Tic. A.Ş. Personal Data Protection Policy by employees will be considered a disciplinary violation.
Within the scope of this POLICY and any and all documents and activities within the scope of the Personal Data Protection Law, expression below mean the following;
- Anonymization: The action of modification of the nature of personal data in such manner that they can no longer be associated to an identified or identifiable real person even by way of matching with other data,
- Board: Personal Data Protection Board of Turkey,
- Data officer: A real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
- Data processor: A real or legal person who processes personal data on behalf of the data officer, based on the authority given by him,
- Express consent: Explicit consent regarding a specific issue, based on information given and expressed by free will,
- Person concerned: Real person whose data are being processed,
- Personal data: Any and all kinds of information belonging to a real person who is identified or identifiable,
- Processing of personal data: Any operation, which is performed on personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
Personal data will only be processed in accordance with the procedures and principles prescribed by the Law. Basic principles in the processing of personal data are; compliance with the rules of law and principles of honesty; being accurate and, where necessary, current; processing for specific, clear and legitimate purposes; being in relation to the purpose of processing, limitedness and proportionality of the data processed; to be retained for the period as prescribed by the applicable regulations or as necessary for the relevant purpose of processing.
COMPANY collects and processes personal data for the purposes of establishing business contracts and establishing relations with leasing customers and concluding leasing contracts. COMPANY's personal data processing reasons, processes, procedures and all other technical details are specified in "UNİVERA BİLGİSAYAR SİSTEMLERİ SANAYİ VE TİC A.Ş. PERSONAL DATA INVENTORY".
Personal data cannot be processed without the express consent of the person concerned. The express consent must be in written format or in a verifiable form and should be obtained after the person concerned has been informed of collection, use, transfer and disposal. However, the COMPANY may process personal data without express consent only in the following cases:
- If there is explicit contemplation by applicable laws,
- If the explicit consent of the person concerned is failed to be obtained on account of actual impracticability, where it is strictly obligatory for the processing of the data of a person, who is physically unable or incapable to express her/his consent or whose consent is legally not considered valid, in order for the protection of the life or physical integrity of such person or any other individuals,
- If processing of personal data being directly connected to the execution or the performance of a contract,
- If it is mandatory for the data officer to fulfill his/her legal obligations,
- If personal data are personally disclosed to public by the person concerned,
- If processing of data represents a strict requirement for the creation, exercise or the protection of a right,
- If processing of data represents a strict requirement for the preservation and maintenance of the legitimate interests of data officer, provided that the fundamental rights and freedoms of the person concerned not be prejudiced.
In the process of obtaining personal data, the COMPANY or the person authorized by it as the data officer shall be obliged to inform the persons concerned on the following subjects;
- The identity of the data officer and the representative, if any,
- The purpose for which personal data will be processed,
- To whom and for what purpose the personal data processed can be transferred,
- Method and legal reason for collecting personal data
As data officer, the COMPANY is obliged to take any and all technical and administrative precautions as necessary to ensure the appropriate level of security for the following purposes;
- Prevent the unlawful processing of the personal data,
- Prevent the unlawful access the personal data, and,
- Ensure the protection of the personal data.
Real and legal persons with whom the COMPANY establishes legal relations during its activities are those natural and legal persons classified within the scope of personnel service contracts; service procurement, supply and sales contracts; and contracts for the sale, installation and support of sales, logistics and service software produced by the COMPANY, with all intellectual and industrial rights in its possession:
- Personal data obtained by the COMPANY during the establishment of service contracts are mandatory data to fulfill the requirements of the Labor Law and other relevant legislation. Likewise, collection of personal data of employees in order to fulfill the employer’s legal obligations is stipulated by the Labor Law, Social Insurance and General Health Insurance Law and the Occupational Health and Safety Law and their implementing regulations. Therefore, the collection, processing and storage of personal data within the scope of the service contract is considered to be within the scope of the exception provided for by the Law. Following the termination of the service contract and expiry of subsequent legal retention periods, in cases where there is no express consent of the personnel for retention for a longer period, following periodic checks for that matter, instructions for the disposition of the data have been established and submitted to the relevant units.
- In commercial contracts to which the COMPANY is a party, personal data required to be obtained for the establishment and execution of the contract, although regarded to be within the exceptions stipulated by the Law, are collected and processed only after express consents of the persons concerned are duly received. In this context, the COMPANY concludes ancillary protocols in addition to all subcontractor and procurement contracts, with the statute as an integral part of them.
- The main business activity of the COMPANY is software sales and their support services; COMPANY enters into agreements for the transfer of licenses of the software it produces, and the main task it undertakes in those agreements is to ensure the software is installed properly by making it compatible with the needs and systems of the customer. During this process, which spans more than one-month, personal data of the personnel working on the relevant project are mutually submitted between the COMPANY and the customer. Names of the personnel to be involved in the installation project are written into the agreement and their express consents allowing sharing and transfer of their personal data are obtained. After the installation, the obligations of the COMPANY regarding support services it renders begin under the agreement; in all cases where access to the customer’s personal data is a requirement as per the execution of the support services, the existence of explicit consent is questioned in accordance with scope of the Law. Following the termination of the Sales or Support agreements, for the disposition or anonymization of the related personal data, instructions have been established and submitted to the relevant units, following periodic checks.
Owner of the personal data, by applying to the data officer, may exercise his/her following rights;
- Learn whether or not the personal data has been processed,
- Request information if the respective personal data has been processed,
- Learn the purpose of processing of the respective personal data and whether data are used in accordance with their purpose,
- Know the third parties based at home or in abroad, to whom the respective personal data have been transferred,
- Request notification of the operations performed as a consequence of such requests as rectification, deletion and disposal to third parties to whom the respective personal data have been transferred,
- In cases where the respective personal data have been processed incompletely or inaccurately, request those to be corrected,
- Request the respective personal data to be deleted or disposed of if there is a personal data in private nature,
- Object to occurrence of any result that is to her/his detriment by means of analysis of the respective personal data of the relevant personal data owner exclusively through automated systems;
- Request compensation in case the personal data owner incurs damages due to unlawful processing of the respective personal data.
Personal data may be transferred without the express consent of the person concerned, in the presence of any of the cases referred to in Article 5 above.
Personal data cannot be transferred abroad without the express consent of the person concerned. Nevertheless, the transfer of personal data abroad without the express consent of the person concerned may occur in the presence of one of the cases referred to in Article 5 above or in the following cases.
- In case the foreign country has been declared to have adequate protection,
- In case foreign countries, where adequate protection is not in place but in respect of which the data controllers in Turkey and in the such foreign countries have warranted to ensure adequate protection and transfer of personal data to which has been authorized by the Board,
- Foreign countries which have adequate protection are declared and announced by the Board.
- In case if Turkey’s or the concerned person’s interest is to suffer a serious damage, without prejudice to the provisions of international conventions, only after opinions of relevant public institutions or organizations are received, and with the permission of the Board.
- The provisions of other laws regarding the transfer of personal data abroad are reserved.
Personal data are not only stored in COMPANY’s existing and highly secure hardware and electronic media, but all possible and conceivable backup and protection measures available for the software industry are explicitly taken. The main activity of the COMPANY is software production; all data and records of its main activity are in digital format; additionally, in accordance with the acts and obligations undertaken in agreements, the COMPANY also stores the data of its customers on servers under its responsibility and makes them available to be accessed by the customer. For this reason, digital security is one of the most important component of the COMPANY’s daily and general business endeavors.
In this context, the COMPANY again complies with all data security practices; it employs competent and expert IT personnel. At the same time, COMPANY also ensures that the data are stored in a specially protected room for data security, provides the data to be backed up by all physical automatic backup systems and by cloud backups performed on servers abroad; for this purpose, the COMPANY invests significantly.
Data are classified according to their confidentiality levels and only data processors authorized by the COMPANY for this purpose are allowed access to these data. In this context the COMPANY ensures that;
- System, virus protection and firewall software are up-to-date and working uninterruptedly in terms of protection of the personal data, through its IT Department.
- Physical files are kept in locked file cabinets or safes, through its Administrative Affairs Department.
- Disposing of personal data whose purpose and duration of use expired in accordance with the instructions issued by the COMPANY administration and the trainings provided about the Law, through its competent and trained personnel.
- Any and all types actions can be taken in respect of the deletion, disposal and anonymization of personal data; in the process of disposing of personal data in all kinds of digital formats, in addition to deleting files permanently, the method of corrupting the data until it is rendered unreadable may be employed.
- If the reasons retaining personal data for processing no longer exists or if there is no express consent to its retention, the personal data shall be deleted, disposed of or anonymized.
- Despite the express consent given previously, upon the request of the relevant person, the personal data has to be disposed of or anonymized.
- Disposal of personal data has to be an action of rendering the personal data strictly and conclusively inaccessible, non-retrievable and non-reusable by relevant users.
- The data officer is obliged to carry out necessary audits personally or have them carried out in his/her own institution or organization in order to ensure the implementation of the provisions of this Law.
- Data officers and persons processing data may not disclose the personal data they have learned in contradiction to the provisions of this Law and may not use it for any purpose other than for processing purposes. This obligation persists even after their resignation.
- In the event if the processed personal data are captured and/or seized through illegal or unlawful means by others, the data officer fulfills its obligation to notify the respective data owner and the Board of such incident as soon as practicable. The Board may, if necessary, announce this on its website or in any other way it deems appropriate.
Your personal data that provided by you to our Companies present in applications you will place in order to obtain information, and/or contracts you will enter in order to receive services from our Companies will be processed by the relevant units of our Companies within the scope of the Law on the Protection of the Personal Data. During the legal relationship you will establish with our Companies, your personal data is being processed by our Companies for the purposes of providing healthy, fast and efficient services; making the necessary notifications in a safe and effective manner, establishing a healthy and secure relationship with you and your representatives during the contract process; all to be executed within the scope of the purpose and procedures as indicated in the Law on Protection of the Personal Data.
Due to legal obligations, your personal data may be transferred to administrative and governmental authorities, direct and indirect shareholders of our Companies as well as our domestic and foreign subsidiaries, business partners, suppliers, third parties in Turkey and abroad from which support or services are received by our Companies, and independent auditing firms, and but all to be executed within the framework of legal restrictions.
None the less, your personal data will either be deleted or made anonymous when the legal relationship between you and our Companies is terminated. In addition, within the scope of the Law on the Protection of the Personal Data, real persons have the right to request information about the processing of their personal data, to learn the purpose of processing, to know the third parties to whom it is transferred, if any, to request correction of the errors in the data, and if the conditions have been matured, to have it deleted or destroyed.
Univera Bilgisayar Sistemleri Sistemleri Sanayi ve Tic A.Ş