The purpose of the Policy on Protection and Processing of Private Personal Data is to fulfil the legal obligations arising from the decision of the Protection of Personal Data Board dated 31.01.2018 and numbered 2018/10, titled "Sufficient Measures Which Should Be Taken By Data Responsible on Processing of Private Personal Data", and the technical and administrative measures taken in the processing of private personal data.
Data relating to a person's race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, clothing, membership of an association, foundation or union, sexual life, criminal conviction and security measures, as well as biometric and genetic data, are private personal data.
The Company observes the Law and provisions of other relevant legislation in processing private personal data. In this context, private personal data are processed in compliance with the principles below:
- Being in compliance with the law and rules of honesty
- Being accurate and, when necessary, updated
- Being processed for certain, express and legitimate purposes
- Being connected to, limited to and balanced with the purpose of processing
- Being kept for the period provided under relevant legislation or as required for the purpose of processing
Private personal data other than health and sexual life are processed where the express consent of the data owner has been obtained or in the cases provided under the laws.
Data on health and sexual life are processed where the express consent of the data owner has been obtained, or for the purpose of performing services of protection of public health, medical diagnosis, conducting treatment and care services, preventive medicine, and planning, funding and management of health services, in accordance with the merits and procedures provided in the Regulation on Personal Health Data.
The Company takes all measures to process private personal data in compliance with the Law and relevant legislation and to ensure the safety of private personal data. The measures taken within this scope are listed below:
The Company gives regular training on the protection and processing of private personal data to employees involved in private personal data processing procedures.
The Company concludes confidentiality agreements with its employees to ensure data safety.
The users holding power of access to data, and the scope and terms of their powers, are clearly defined, and periodic checks of these powers are performed.
Access powers of employees whose job has changed or who have left their job are immediately removed. The Company immediately takes back the inventory allocated to such employees.
Transaction logs of all actions performed on private personal data are securely recorded, on the basis of the persons establishing and updating the logs.
Security updates of the electronic media where private personal data are kept are regularly followed, necessary security tests are performed or commissioned, and test results are recorded.
User authorisation is made for software that accesses private personal data, security tests for such software are performed or commissioned, and test results are recorded.
An authentication system with at least two phases is used when private personal data are accessed remotely.
Sufficient security measures are taken depending on the nature of the environment where private personal data are kept.
Physical security of such environments is provided, and unauthorised entry and exit are prevented.
The Company transfers private personal data within the framework of the data processing conditions provided under Articles 8 and 9 of the Law. The rules below are applied to data transfers by the Company to ensure data safety, and periodic audits are performed.
- Transfer Via e-mail
Where private personal data are transferred via e-mail, the transfer is made in encrypted form via a corporate e-mail address or by using a Registered Electronic Mail (REM) account.
- Transfer Through Media Such As External Hard Disk, CD, DVD
Encryption is applied for security purposes when private personal data are transferred via physical media such as external hard disk, CD or DVD.
- Transfer Between Servers In Different Physical Environments
When private personal data are transferred between servers in different physical environments, the transfer is performed by establishing a VPN between the servers or through the sFTP method.
- Transfer Via Paper
If private personal data must be transferred on paper, necessary measures are taken against risks such as theft, loss or being seen by unauthorised persons, and the documents are sent in the format of “documents holding confidentiality grade”.
Private personal data are kept by the Company under the conditions below, in compliance with the Law and other legislation and the decision published by the Board titled “Sufficient Measures Which Should Be Taken by Data Responsible in Processing Private Personal Data”:
- Obtaining express consent of the data owner,
- Stipulation under laws that private personal data other than health and sexual life should be kept,
- Health and sexual life related private personal data should be kept for the purpose of protection of public health, preventive medicine, medical diagnosis, conducting treatment and care services, planning and management of health services and their funding.
The private personal data kept by the Company in compliance with the Law and other legislation are deleted, destroyed or anonymised ex officio or at the request of the data owner if the reasons below occur:
- Withdrawal of express consent where private personal data keeping activity is based on express consent of the data owner,
- The purpose of keeping private personal data has been achieved, has become impossible or has been removed in any other way,
- Amendment or abrogation of the provisions of legislation which establish the basis for keeping private personal data,
- All conditions provided under Article 6 of the Law have disappeared,
- The data owner’s request for destruction of private personal data, submitted to the Company in compliance with the procedure, has been deemed appropriate and concluded positively by the Company,
- Where the Company refuses the data owner’s request for deletion of private personal data, gives a response that is found insufficient, or fails to respond within the period stipulated under the Law; a complaint has been made to the Board and the request has been found appropriate by the Board.
With due respect
EN GÜMRÜK MÜŞAVİRLİĞİ LOJİSTİK DEPOLAMA İTHALAT VE İHRACAT TİCARET A.Ş.