Sistem Patent

Personal Data Protection and Processing Policy

1. Introduction, Scope and Definitions

  1. With the entry into force of Law No. 6698 on the Protection of Personal Data ("KVK Kanunu" / the Law), published in the Official Gazette on 07.04.2016, the protection of individuals' personal data has been placed under a unified legal framework. Within that framework, this Personal Data Protection and Processing Policy (the "Policy") sets out how SISTEM PATENT (the "Company" / "our Company") will concretely apply the rules established by the Law and related legislation. Our Company will make the arrangements required for compliance with the Policy within its organization and will keep that compliance current by running periodic internal audits.
  2. Scope: This Policy covers all personal data that the Company processes by automated means or by non-automated means as part of any data filing system, relating to Employees, Former Employees, Job Candidates, Interns, Group Employees, Employee Relatives, Company Shareholders/Partners, Company Officers, Product or Service Recipients (Customers), Potential Product or Service Recipients, Visitors, Supplier Officers, and Supplier Employees, as further defined in section 1.3.
  3. Definitions: Definitions set out in the Law and its secondary legislation are not repeated in this section and, unless otherwise defined in this Policy, are used with the meaning given in those regulations.

Company Shareholder/Partner: Natural persons who are shareholders or partners of the Company.

Supplier Employee:

Employee: Natural persons in an employee-employer relationship with our Company under an employment contract signed with us.

Job Candidate: Natural persons who have applied to our Company for employment in any manner, or who have made their resume and related information available for our Company to review.

Intern: Persons working at our Company to gain experience, learn the work carried out, or develop their professional knowledge.

Former Employee: Natural persons whose employment contract with our Company has ended for any reason.

Company Shareholder/Partner:

Company Officers: Board members of our Company and other authorized natural persons.

Employees of suppliers, business partners, and third parties who provide services to our Company, either under a contract or without a contractual relationship, in line with our Company's instructions while carrying out its commercial activities.

Supplier Officer: Board members, general managers, and other authorized natural persons of third parties (business partners, suppliers, and similar) that carry out commercial activity with our Company.

Product or Service Recipient (Customer): Natural persons whose personal data is obtained through the business relationships carried out by our Company's business units in the course of their operations, whether or not there is a contractual relationship with our Company.

Potential Product or Service Recipient: Persons to whom the products and services of our Company are promoted and marketed.

Visitor: Natural persons who have entered the physical premises owned by our Company for various purposes, or who visit our websites.

2. Principles Applicable to the Processing of Personal Data

To achieve and maintain compliance with the Law and its secondary legislation, our Company adopts the following core principles:

  • Processing in Compliance with the Law and Good Faith: Our Company carries out personal data processing in compliance with the law and in line with the principle of good faith, in accordance with the Constitution of the Republic of Turkey and the personal data protection legislation.
  • Keeping Personal Data Accurate and Up to Date Where Necessary: Our Company takes the necessary measures to keep the personal data it processes accurate and up to date, taking into account the fundamental rights of data subjects and its own legitimate interests.
  • Processing for Specified, Explicit, and Legitimate Purposes: Our Company determines the purpose of personal data processing clearly and precisely and in a way that is legitimate and lawful. Our Company processes personal data to the extent connected with and necessary for the commercial activity it carries out.
  • Being Connected With, Limited To, and Proportionate To the Purpose of Processing: Our Company processes personal data in a manner suitable for achieving the specified purposes and avoids processing personal data that is not relevant to or needed for the purpose.
  • Retention for the Period Set Out in Relevant Legislation or Required by the Purpose of Processing: Our Company retains personal data only for the period set out in relevant legislation or required by the purpose of processing. To that end, our Company first determines whether the relevant legislation sets a retention period for the personal data; if so, it acts in accordance with that period; if not, it retains the personal data for the period required by the purpose of processing. When the period expires or the grounds requiring processing cease to exist, the personal data is deleted, destroyed, or anonymized by our Company.

3. Conditions for Processing Personal Data

Our Company processes personal data in accordance with one or more of the conditions set out in Article 5 of the Law, without prejudice to cases where the data subject has given explicit consent. Where the data processed is special-category personal data, the conditions set out in section 5 of this Policy ("Processing and Transfer of Special-Category Personal Data") will apply.

  • Explicit Consent of the Data Subject: The explicit consent of the data subject must be given in relation to a specific matter, based on information, and by free will. Where one of the personal data processing conditions set out below exists, personal data may be processed without needing the explicit consent of the data subject.
  • Expressly Stipulated by Law: Where there is an express provision in the laws relating to the processing of the personal data of the data subject, this processing condition is deemed to exist.
  • Inability to Obtain the Data Subject's Explicit Consent Due to Actual Impossibility: Where it is necessary to process personal data of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid, to protect the life or bodily integrity of that person or another person, the personal data of the data subject may be processed.
  • Direct Relation to the Conclusion or Performance of a Contract: Where the processing of personal data is necessary and directly related to the conclusion or performance of a contract to which the data subject is a party, this condition is deemed to be met.
  • Compliance With the Company's Legal Obligation: Where processing is required for our Company to fulfill its legal obligations, the personal data of the data subject may be processed.
  • The Data Subject Making the Personal Data Public: Where the data subject has made his or her personal data public, that personal data may be processed to the extent limited to the purpose of being made public.
  • Necessity of Processing for the Establishment or Protection of a Right: Where data processing is necessary for the establishment, exercise, or protection of a right, the personal data of the data subject may be processed.
  • Necessity of Processing for the Legitimate Interests of Our Company: Where processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject, the personal data of the data subject may be processed.

4. Transfer of Personal Data

In line with legitimate and lawful purposes of personal data processing, and taking the necessary security measures and confidentiality conditions set out in this Policy, our Company transfers the personal data and special-category personal data of data subjects within Turkey to:

  • Legally authorized public institutions and organizations, limited to the purpose for which they request the data within the scope of their legal authority;
  • Company Shareholders/Partners, limited to the purposes of carrying out our Company's commercial activities and audit purposes under the provisions of applicable legislation;
  • Suppliers, limited to the purpose of ensuring that services required to carry out commercial activities and obtained from the supplier are provided to our Company;
  • Legally authorized private-law persons, including in particular banks within the Banks Association of Turkey for payments and the Company's independent auditors, limited to matters covered by the activities of the relevant private institutions and organizations, and for the purpose of providing fringe benefits offered to our employees.

5. Processing and Transfer of Special-Category Personal Data

Special-category personal data is processed and transferred by our Company in accordance with the principles set out in this Policy, taking all necessary administrative and technical measures (including the methods the Personal Data Protection Authority (the "Authority") determines) and provided that the following conditions are met:

  • Special-category personal data other than health and sexual life may be processed without requiring the explicit consent of the data subject where this is expressly provided for by law (that is, where there is an express provision on the processing of personal data in the law governing the relevant activity). Otherwise, the explicit consent of the data subject will be obtained to process such special-category personal data.
  • Special-category personal data on health and sexual life may be processed without requiring explicit consent by persons under a confidentiality obligation or authorized institutions and organizations, for purposes of public-health protection, preventive medicine, medical diagnosis, the conduct of treatment and care services, and the planning and management of health services and their financing. Otherwise, the explicit consent of the data subject will be obtained to process such special-category personal data.

6. Categorization and Purposes of Personal Data Processed by Our Company

In accordance with Article 10 of the Law, our Company informs data subjects when their personal data is collected. Within that scope, our Company provides notice regarding the identity of its representative (if any), the purposes for which the personal data will be processed, the persons to whom the processed data may be transferred and for what purpose, the method and legal basis of collecting personal data, and the rights the data subject holds.

The categories of personal data processed within the purposes and conditions stated in this Policy, and detailed information about those categories, are available in Annex 1 to the Policy ("Personal Data Categories"). Detailed information on the purposes of processing that personal data is set out in Annex 2 to the Policy ("Personal Data Processing Purposes").

Within our Company, personal data in the categories specified in Annex 1 ("Personal Data Categories") is processed in line with our Company's legitimate and lawful personal data processing purposes, based on and limited to one or more of the processing conditions set out in Article 5 of the Law, in accordance with the principles set out in Article 4 of the Law and all obligations under the Law, limited to the periods set in our Company's Personal Data Retention and Destruction Procedure, and with the data subjects informed in accordance with Article 10 of the Law.

7. Specific Cases of Personal Data Processing

  • Video Surveillance Within Company Premises and Facilities: Within the scope of security camera monitoring in its work areas, our Company aims to protect its own interests and those of others, including ensuring the security of the Company and of other persons. The data subjects are informed in this regard through notices posted in visible areas of our Company premises or otherwise made available to visitors and employees.
  • Retention of Records Relating to Internet Access Provided to Visitors on Company Premises and Facilities: For security reasons and for the purposes set out in this Policy, internet access may be provided on request to Visitors during their stay within our Company's premises and facilities. In that case, log records relating to your internet access are kept under the binding provisions of Law No. 5651 on the Regulation of Broadcasts Made on the Internet and Combating Crimes Committed Through Such Broadcasts, and the legislation issued pursuant to that law. These records are processed only when requested by legally authorized public institutions and organizations, or for the purpose of fulfilling our legal obligations during internal audit processes. Access to the log records obtained in this scope is limited to a restricted number of authorized persons. Our Company employees with access to those records only access them for use in requests from legally authorized public institutions and organizations or in audit processes and share them with legally authorized persons.

8. Measures Regarding the Protection of Personal Data

  • Technical Measures Taken to Ensure the Security of Personal Data: In accordance with Article 12 of the Law, our Company takes the necessary technical measures, in line with the regulations of the Authority, to prevent unlawful processing of the personal data it processes, prevent unlawful access to the data, and ensure the appropriate level of security for the retention of the data, and carries out the related work within that scope.
  • Administrative Measures Taken Regarding the Protection of Personal Data:
  • Within our Company, a "Personal Data Protection Committee" is established to manage, apply, and carry out the actions set out by this Policy and other related policies and procedures, and responsible persons are assigned for that purpose.
  • All activities carried out by our Company are analyzed on a business-unit basis; on the basis of that analysis, the personal data processing activities specific to the commercial activities carried out by each business unit are set out, and the necessary confidentiality agreements are signed.
  • Awareness is raised within the relevant business units and the rules of application are determined. The necessary administrative measures to audit these matters and ensure the continuity of application are put into effect through in-company policies, procedures, instructions and notifications, awareness training, and warning mechanisms (bulletin boards, announcements, orientation, and so on).
  • To verify that the processes of collection, processing, classification, deletion, destruction, removal of access rights, and anonymization of personal data are applied effectively, annual audits are planned within the framework of internal audit and quality-management practices, using internal and external (supplier) resources.
  • Protection of Special-Category Personal Data: The Law attaches particular importance to certain personal data because its unlawful processing poses a risk of causing victimization or discrimination. These data are: data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and dress, membership of associations, foundations, or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. Our Company acts with care in protecting special-category personal data that the Law defines as "special-category" and that is processed lawfully. Within that scope, the technical and administrative measures taken by our Company for the protection of personal data are applied with care for special-category personal data, and the necessary audits are carried out within our Company.

9. Deletion, Destruction, and Anonymization of Personal Data

Notwithstanding that personal data has been processed in accordance with the provisions of the relevant law, where the grounds requiring processing cease to exist, our Company deletes, destroys, or anonymizes personal data in line with the practices set out in its Personal Data Retention and Destruction Policy, or on the request of the data subject. Our Company continues to use personal data after deleting or anonymizing it using one or more of the deletion and anonymization methods set out in the Authority's guidance on the deletion, destruction, or anonymization of personal data that are most suitable for its business processes and activities.

10. Rights of the Data Subject

In accordance with Article 10 of the Law, our Company informs the data subject of the rights the data subject holds, and guides the data subject on how to exercise those rights. Our Company runs the necessary channels, internal procedures, and administrative and technical arrangements, in accordance with Article 13 of the Law, for evaluating the rights of data subjects and providing them with the required information.

  • Rights of the Data Subject

Data subjects have the following rights:

  • To learn whether their personal data is being processed;
  • To request information if their personal data has been processed;
  • To learn the purpose of processing the personal data and whether it is used in line with that purpose;
  • To know the third parties to whom the personal data is transferred within Turkey or abroad;
  • To request that the personal data be corrected if it has been processed incompletely or inaccurately, and that the correction be notified to the third parties to whom the personal data has been transferred;
  • To request that the personal data be deleted or destroyed where the grounds requiring processing cease to exist, even though it has been processed in accordance with the Law and other relevant provisions, and that this action be notified to the third parties to whom the personal data has been transferred;
  • To object to a result that arises against the data subject as a consequence of the processed data being analyzed exclusively by automated systems;
  • To claim compensation for any damages suffered as a result of the unlawful processing of the personal data.
  1. Exercising the Rights of the Data Subject

The data subject may submit requests relating to the rights listed under section 9.1 of this section to our Company by completing and signing the application form available at https://sistempatent.com.tr/sistempatent-kvkk-veri-sahibi-basvuru-formu.pdf on our Company website, together with identifying information and documents, through the methods determined by the Authority.

  1. Response to Requests by Our Company

Our Company takes the administrative and technical measures required to conclude applications made by the data subject in accordance with the Law and secondary legislation. Where the data subject submits a request relating to the rights set out in section 9.1 in accordance with the procedure, our Company will conclude the request free of charge within the shortest time possible and in any event within 30 (thirty) days, depending on the nature of the request. However, where the transaction requires a separate cost, a fee may be charged in accordance with the tariff determined by the Authority.

10. Data Controller Information

SISTEM PATENT A.S.

Address: Adalet Mah. Sht. Polis Fethi Sekin Cad. No:6 Ventus Tower Floor:18 D:184 Bayrakli-IZMIR

Email: [email protected]

Annex 1: Personal Data Categorization

Annex 2: Purposes of Processing Personal Data

Need help?

Our expert team is ready to answer your questions.

Contact Us 444 22 41