YILDIZLAR DENİZ İŞLETMECİLİĞİ A.Ş. PROTECTION OF PERSONAL DATA AND PROCESSING POLICY

1. DEFINITIONS

Data Controller

It refers to Yıldızlar Deniz İşletmecilik A.Ş., which determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Data Owner / Relevant Person

It refers to the real person whose personal data is processed.

Company

In this policy, it refers to Yıldızlar Deniz İşletmecilik A.Ş.

Law

It refers to the "Personal Data Protection Law No. 6698".

Personal Data

It refers to any information regarding an identified or identifiable natural person.

Board

It refers to the Personal Data Protection Board.

Policy

It refers to the Personal Data Protection and Processing Policy.

Processing of Personal Data

It refers to all kinds of operations performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking personal data, by fully or partially automatic means or, provided that it is part of any data recording system, by non-automatic means.

Explicit Consent

It refers to consent regarding a specific issue, based on information and expressed with free will.

2. PURPOSE OF THE PERSONAL DATA PROTECTION AND PROCESSING POLICY

This policy aims to determine the procedures and rules regarding the protection and processing of personal data within Yıldızlar Deniz İşletmecilik A.Ş. (hereinafter referred to as "Yıldızlar Deniz İşletmecilik" or the "Company"). Through the policy and various regulations within the company, compliance with the requirements of the Personal Data Protection Law No. 6698 is ensured.

The Board of Directors is personally responsible for the monitoring and implementation of this policy. The policy is revised in accordance with company requirements. The Board of Directors has the authority to make changes to this policy ex officio.

 

3. SCOPE OF PERSONAL DATA PROTECTION AND PROCESSING POLICY

This Policy has been prepared in accordance with the Personal Data Protection Law No. 6698.

In the company, personal data is processed without explicit consent or based on some legal reasons within the scope of compliance with the law. The personal data in question is used and processed, when necessary, for purposes including but not limited to the following:

-Improving Service Quality,

-Continuation of Commercial Activities,

-Improving our Services and Quality Policy,

-Quick resolution of your problems,

-Fulfilling our Legal Responsibilities.

At the end of their retention period, personal data is depersonalized, anonymized, deleted or destroyed. Data used for statistical purposes are not currently included in the regulation of the law and the scope of the policy.

 

4. BASIC PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

The following principles are respected when processing personal data.

-Being in Compliance with the Law: Yıldızlar Deniz İşletmecilik questions the source and legality of the personal data it receives from real and legal persons and collects through various means. In this context, it is important for Yıldızlar Deniz İşletmecilik to obtain data in accordance with the law.

-Compliance with the Rules of Honesty: Yıldızlar Deniz İşletmecilik questions the source of the personal data it receives from real and legal persons and collects through various means. In this context, it is important for Yıldızlar Deniz İşletmecilik that the data is obtained within the framework of the rules of honesty.

-Being Connected, Limited and Proportionate to the Purpose for which they are Processed: Yıldızlar Deniz İşletmecilik uses personal data obtained through various means in accordance with the purpose for which they are processed, in a manner limited and proportionate to that purpose, and to the extent required by the performance of the service.

-Accuracy of Personal Data: Yıldızlar Deniz İşletmecilik attaches importance to the fact that the personal data it receives from real and legal persons and collects through various means does not contain false information and is accurate.

-Keeping Up-to-Date When Necessary: If there has been a change in the personal data obtained by Yıldızlar Deniz İşletmecilik in various ways, the data is updated if the change in question is communicated to the company.

-Processing for Specific and Legitimate Purposes: Yıldızlar Deniz İşletmecilik processes personal data based on legal reasons within the framework of Article 5 of the Law. In this context, Yıldızlar Deniz İşletmecilik does not process personal data except for specific and legitimate purposes.

-Storage for the Period Envisaged in the Law and/or Necessary for the Purpose for which they are Processed: Yıldızlar Deniz İşletmecilik retains the personal data it obtains for the periods stipulated in the relevant Laws. In this context, it retains contractual personal data for the statute of limitations and the periods in which disputes may arise, as stipulated by various laws and required by Commercial, Obligations and Tax Law. When these purposes are terminated, the data is anonymized, destroyed or deleted.

 

5. PURPOSES AND LEGAL REASONS FOR PROCESSING PERSONAL DATA

Processing of personal data is carried out within the framework of the purposes specified in the various Information Texts of Yıldızlar Deniz İşletmecilik. Purposes for processing personal data may vary according to each Information Text. In addition, the various policies and regulations put into effect within the company, especially the Information Texts for the processing of personal data, set out the purposes of processing personal data.

Legal reasons for processing personal data vary depending on the nature of the legal relationship and the purpose of obtaining personal data. In this context, the company carries out data processing activities based on the legal reasons stipulated in Article 5 of the Law. However, in general terms, the legal reasons for processing personal data can be listed as follows, but are not limited to them.

-For electronic messages sent for advertising purposes, approval must be obtained from the recipient. In this context, electronic messages for advertising purposes can only be sent to individuals with prior approval. This matter is clearly regulated in the "Law on the Regulation of Electronic Commerce" and the "Regulation on Commercial Communication and Commercial Electronic Messages".

Yıldızlar Deniz İşletmecilik A.Ş. complies with the provisions of the above-mentioned Law when sending electronic commercial messages for advertising purposes. It also complies with the requirements for approval and the details of the approval in accordance with the Law. The approval in question can be received in physical form, in written form, or through any electronic means of communication. The basis for approval is the existence of a positive declaration of intent by the recipient of the commercial electronic message that he/she accepts the sending of commercial electronic messages, together with his/her electronic communication address and name-surname.

The approval received from the recipient should cover all commercial electronic messages sent to electronic communication addresses in order to market and promote the company's goods and services, to promote its business, or to increase its recognition through content such as celebrations, wishes and congratulations.

In addition to the consent obtained from the recipient in electronic messages, the Company obtains explicit consent from the relevant person regarding the information and, when necessary, the processing of personal data.

-If a contractual relationship has been established with customers or negotiations are being held with prospective customers to establish a contractual relationship, personal data collected or to be collected in accordance with the contract may be used by Yıldızlar Deniz İşletmecilik without explicit consent. The personal data in question is used within the framework of the performance of the service, execution of the contract, and execution of commercial activities. Therefore, this use is carried out in line with the purpose of the contract. This data can be updated by contacting customers.

-Data obtained from information obtained through automatic systems without the explicit consent of individuals cannot be used against individuals. Yıldızlar Deniz İşletmecilik can only make decisions regarding the people it will transact with by using the data in its own system. With all this in mind, Yıldızlar Deniz İşletmecilik complies with the relevant legislation regarding personal data processed through automatic systems.

-Personal data of employees may be processed by Yıldızlar Deniz İşletmecilik without explicit consent. Processing of the data in question without explicit consent is limited to the cases in the 2nd paragraph of Article 5 of the Law.

In order to make the job easier, Yıldızlar Deniz İşletmecilik can allocate computers, phones, cars, applications, software and e-mail to its employees. Yıldızlar Deniz İşletmecilik can control and audit personal data on the tools it has allocated. However, the employee cannot use the tools allocated to him for his private purposes. It is mandatory to use them only for the purpose of ensuring the performance of the job. The Company acts in accordance with the legal grounds in Article 5 of the Law within the scope of this data processing activity.

6. TRANSFER OF PERSONAL DATA

Personal data may be shared with various real and legal persons in order to carry out the activities of Yıldızlar Deniz İşletmecilik. It can also be transferred abroad when necessary. Articles 8 and 9 of the Law are complied with regarding the transfer of personal data. In this context, either explicit consent is obtained from the relevant person, or data transfer is made without explicit consent within the scope of Article 8/2 or Article 9/2. In addition to all these, the company also complies with the "Yıldızlar Deniz İşletmecilik A.Ş. Policy on Transfer of Personal Data and Special Personal Data" regarding data transfer. Therefore, all detailed issues regarding the transfer of personal data are included in that policy.

7. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA

In case of completion of judicial processes, expiry of the statute of limitations stipulated in the Laws, or the elimination of the circumstances that made it necessary, personal data is deleted, destroyed or anonymized by the company automatically or upon the request of the relevant person. Regarding the deletion, destruction or anonymization of personal data, the Company complies with the "Yıldızlar Deniz İşletmecilik A.Ş. Personal Data and/or Special Personal Data Storage and Destruction Policy". Detailed information and company practice regarding the deletion, destruction or anonymization of data are regulated in that policy.

8. CONFIDENTIALITY AND SECURITY OF PERSONAL DATA

The company takes the necessary technical and administrative measures to protect personal data, to prevent it from falling into the hands of unauthorized persons, and to prevent third parties whose data are processed from being victimized. Software programs for the protection of personal data are selected in accordance with the company's capacity and the nature of the data it holds. Again, policies prepared in accordance with the provisions of the Law are followed. In this context, data protection is also requested from third parties with whom personal data is shared. All these personal data are confidential and the company respects this confidentiality.

9. UPDATE OF PERSONAL DATA

Up-to-dateness of personal data is among the basic principles for processing personal data. The company ensures that the personal data it obtains is up to date. It updates data in accordance with official documents or the request of the real person whose data is processed. Again, in cases where there is doubt about the up-to-dateness of the data, the person concerned confirms whether the personal data is up-to-date. In addition, if personal data has changed, the data is updated after the change is communicated to the company. Regarding the update of personal data, the company complies with the "Yıldızlar Deniz İşletmecilik A.Ş. Policy on Updating Personal Data and Special Personal Data". Detailed information regarding the updating of data and the company practice are set out in that policy.

10. ACCURACY OF PERSONAL DATA

The Company attaches importance to the fact that the personal data it receives from real and legal persons and collects through various means does not contain false information and is accurate. It is not under any obligation to investigate whether the data in question is correct or not, because it is not possible, in terms of working principle and legal aspects, to investigate whether every piece of data is correct. In this context, the personal data declared is assumed to be correct.

11. TECHNICAL AND ADMINISTRATIVE MEASURES

The company takes the necessary technical and administrative measures to protect personal data. In this context, the technical and administrative measures taken by the company can be listed as follows.

11.1. Administrative Measures

-Necessary measures are taken to ensure physical location security for personal data stored in physical environments (device, records, etc.) within the company.

-Necessary measures are taken to protect the physical environments containing personal data against external risks.

-Physical location security measures are taken to protect personal data.

-System rooms where personal data are kept are kept locked and entry and exit to these rooms are restricted.

-Taking into account the jobs, duties, authorities and responsibilities of the employees, a limited number of people are allowed to enter and exit the rooms containing data, and the authorized persons are kept under record.

-The security of environments containing personal data is ensured.

-Personnel personal files are kept in locked cabinets and locked rooms. Entrance and exit to these rooms are restricted. In addition, considering the jobs, duties, authorities and responsibilities of the employees, a limited number of people are allowed to enter and exit the room, and those with permission are kept under record.

-Personal data kept on paper is kept in locked rooms. Entrance and exit to these rooms are restricted. In addition, considering the jobs, duties, authorities and responsibilities of the employees, a limited number of people are allowed to enter and exit the rooms, and those with permission are kept under record.

-Extra security measures are taken for personal data transferred on paper. These documents are sent in confidential document format.

-Devices such as servers, backup devices, CDs, DVDs and USBs containing personal data are taken to another room where security measures are taken and the rooms in question are kept locked. Again, only a limited number of people are allowed to enter and exit the rooms in question, and those with permission are kept under record.

-Environments containing personal data and storage-archive environments are kept locked. A limited number of people are allowed to enter and exit these locked environments, and those with permission are kept under record.

-Physical security of backed up personal data is ensured.

-Documents that are used in the current working process of the company but contain personal data are kept in locked cabinets. The keys to the cabinets in question are given to employees who have access to documents, taking into account their work, duties, authority and responsibility. These employees are also kept on record.

-Periodic and random audits are carried out regarding the protection of personal data.

-Personal data processing inventory is kept up to date.

-Corporate policies regarding the protection and processing of personal data are updated in accordance with company requirements.

- Confidentiality agreements and commitments are signed with third parties to whom the company transfers data.

-Risk analyses are carried out periodically within the company.

-A disciplinary regulation has been created to determine the sanctions to be applied to company employees.

-Awareness and Cyber Security training on the protection of personal data is given to employees at regular intervals within the company.

-The roles, responsibilities and job descriptions of the employees regarding personal data security have been determined, taking into account their work, duties, authorities and responsibilities.

-Employees are required to sign a confidentiality agreement during the recruitment process.

-If there are significant changes in the company's policies and procedures regarding the processing of personal data, these changes are explained to employees through new training.

-All kinds of training given to employees are recorded in minutes.

-Employees' information about threats and risks related to personal data security is kept up to date.

-Policies regarding personal data processing are kept up to date in accordance with changing company requirements.

-Policies regarding personal data processing are appropriately integrated into the company.

- Periodic checks are carried out within the framework of the policies regarding the processing of personal data, the checks are documented, deficiencies are detected and periodic checks are continued after the deficiencies are completed.

-The risks that may arise for personal data categories and how security breaches will be managed are determined.

-Personal data is stored in an accurate and appropriate place.

-It is periodically evaluated whether personal data is still needed within the company in line with the processing purposes.

-Personal data that is not frequently needed and kept for archival purposes is kept in secure environments.

-Periodic destruction processes are carried out and the nature of the destroyed data is recorded in a report.

-Contracts with data processors are signed in writing.

-Data security provisions are included in the contracts signed within the company.

-In case of a data breach, the data controller fulfills its obligation to immediately notify the Personal Data Protection Board and the relevant person.

-The data controller carries out the necessary controls on systems containing personal data or has them carried out.

-Before each data processing activity, the real person whose data will be processed is informed by the data controller.

-Texts regarding the processing of personal data at points where the company indirectly contacts third parties are kept up to date in accordance with the Personal Data Protection Law and company activities, and updates are made when necessary.

-Processes regarding personal data are kept up to date.

-Relevant policies and procedures are followed in case of emergency.

-Physical space security is ensured against situations such as theft or loss of company-owned electronic devices.

-In order to ensure the security of the company's physical space, cameras are placed in relevant places and camera images are recorded.

 

11.2. Technical Measures

-The Company takes the necessary measures to ensure Cyber Security in accordance with the developing and changing technology and company requirements.

-Cyber Security measures taken within the company are comprehensive and complementary to each other in many ways to protect personal data.

-Technical measures taken within the company through software programs are frequently checked.

-Threats and attacks coming over the internet are constantly checked.

-The up-to-dateness of the software and hardware used within the company is periodically audited.

-Old versions or unused versions of software programs used within the company are removed and new or updated versions are used.

-The installation and configuration processes of the software and hardware used within the company are taken into consideration and reviewed frequently.

-Software programs with security vulnerabilities previously installed within the company are not used and are removed.

-The adequacy of the security measures taken within the company is regularly checked and inspected.

-Limited authority is given to access personal data, taking into account the work, duties, authority and responsibility of employees.

-Employees are allowed to access personal data by creating a username and password within the scope of their work, duty, authority and responsibility.

-Yıldızlar Deniz İşletmecilik A.Ş., as the data controller, creates an access authorization and control matrix for each employee.

-Necessary interfaces have been created for employees to change their passwords at regular intervals. Again, the number of password entry attempts is limited and when a certain number of password attempts are made, the relevant employee's entry to the system containing personal data is blocked.

-For employees whose relationship with the data controller is terminated, their access to all systems containing personal data, especially their e-mail accounts, is disabled.

-Anti-Virus and Anti-Spam Systems are kept up to date and are periodically checked to scan the necessary files.

-It is periodically checked which software and services are running in IT networks.

-It is periodically checked whether there is any infiltration or any movement that should not occur in IT networks.

-It is ensured that the transactions and log records of all users within the company are kept regularly.

-Security issues are reported as soon as possible.

- System and security vulnerabilities and security threats within the company are officially reported and presented to the data controller.

-Security software messages, reporting tools, and access control records are checked regularly. Action is taken immediately upon receiving a warning from these systems.

-Periodical vulnerability scans are carried out based on vulnerabilities that may occur in information systems.

-Penetration tests are performed periodically.

-A closed system network is used for personal data transfers via the network.

-Security vulnerabilities that emerge within the company as a result of periodic tests are immediately closed and necessary actions are taken.

-Necessary measures are taken to ensure physical location security for personal data stored in physical environments (device, records, etc.) within the company.

-Necessary measures are taken to protect the physical environments containing personal data against external risks.

-Entrance and exit to physical environments containing personal data are limited and entry and exit are controlled.

-If personal data is sent via e-mail, necessary and sufficient security measures are taken by the data controller.

-Necessary and sufficient security measures are taken by the data controller to prevent data breaches when employees or third parties access the company's information system network through their personal electronic devices.

-Devices such as servers, backup devices, CDs, DVDs and USBs containing personal data are taken to another room where security measures are taken, and these rooms are kept locked.

-Access control authorization and/or encryption methods are used against situations such as theft or loss of devices containing personal data. In this regard, the encryption key is stored in an environment where only authorized people can access it and unauthorized access is prevented.

-Since there are multiple encryption methods, personal data is fully protected by the method in question, whichever encryption method is used.

-If some or all of the personal data is stored in the cloud, the data controller checks whether the security measures taken by the cloud storage service provider are sufficient and appropriate. In this context, it is known which data is stored in the cloud, and multi-step authentication control is carried out for backing up, synchronizing and remotely accessing the data. Again, personal data stored and used in the cloud is encrypted with cryptographic methods during usage and storage activities, is sent to the cloud environment in encrypted form, and separate encryption keys are used for each cloud solution. In addition, when the cloud computing service terminates, all copies of the encryption keys that make personal data available are destroyed.

-The data controller takes security requirements into consideration when establishing new security systems or developing or improving existing systems.

-The data storage media containing personal data of the devices sent to third parties for malfunction or maintenance are removed and stored and only defective parts are sent.

-Necessary precautions are taken to prevent third parties coming from outside for maintenance, malfunction and repair activities from copying or duplicating personal data.

- Personal data is backed up to ensure personal data security. Backed up personal data is always kept outside the network. Again, backed-up personal data can only be accessed by the system administrator. Additionally, the physical security of backed up personal data is also ensured.

-It is checked that the necessary measures are taken within the framework of personal data processing activities for the tasks left to the data processor.

-Third parties' personal external portable devices are prevented from working on company computers.

-It is checked whether the integrity of personal data is compromised.

-Security measures are taken within the scope of supply, development and maintenance of information technology systems.

-Personal data security is monitored.

-When processing sensitive personal data, secure encryption/cryptographic keys are used and managed by different units.

-Service providers that process personal data are audited periodically regarding data security and awareness of data security is ensured.

-Personal data security issues are reported quickly.

12. PARSIMONY PRINCIPLE

The principle of parsimony is also known as the principle of maximum savings. Personal data received through various means is transferred to the company system. In accordance with the said principle, data is processed into the system only as much as necessary.

For Yıldızlar Deniz İşletmecilik, this is determined according to the purpose and varies. In this context, data is collected in accordance with the purpose and data that is not parallel to the purpose is not collected. Excess data beyond its purpose is not recorded in the company system or is destroyed. However, the data in question can be used for statistical purposes.

13. PRIVACY POLICY

The personal data of employees, customers and other relevant persons that we hold at Yıldızlar Deniz İşletmecilik is confidential. No use, copying, duplication or transfer is made regarding these personal data that would contravene Law No. 6698, and these data are not used for purposes other than their intended purpose.

14. NOTIFICATION OF VIOLATION

When Yıldızlar Deniz İşletmecilik is notified of any data breach, we take immediate action to eliminate the breach in question and do our best to minimize the damage that the relevant person may suffer. In addition, when a data breach is detected by our company, a data breach notification is immediately made to the Personal Data Protection Board.

15. RIGHTS OF THE RELEVANT PERSON

15.1 Yıldızlar Deniz İşletmecilik A.Ş. respects the rights of the relevant person regulated in Article 11 of the Law. In this regard, using the application form specified on the website of Yıldızlar Deniz İşletmecilik, the relevant person has the following rights:

  1. Learning whether or not personal data is processed,
  2. Requesting information if personal data has been processed,
  3. Learning the purpose of processing personal data and whether they are used for their intended purpose,
  4. Knowing the third parties to whom personal data is transferred domestically or abroad,
  5. Requesting correction of personal data if they are incomplete or incorrectly processed,
  6. Requesting the deletion or destruction of personal data within the scope of the conditions provided in Article 7 of the Law,
  7. Requesting notification of the transactions carried out in accordance with clauses (d) and (e) to the third parties to whom personal data is transferred,
  8. Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems,
  9. Requesting compensation for damage in case of damage due to illegal processing of personal data.

15.2 Relevant persons may make their requests regarding their above-mentioned rights by following the steps explained on the official website of Yıldızlar Deniz İşletmecilik. Applications of the relevant person are answered as soon as possible, depending on the content of the application, and within 30 days at the latest after they are received by the company.

16. UPDATE

Changes made to this Policy are shown in the table below.

Policy Update Date:

Changes:

YILDIZLAR DENIZ İŞLETMECİLİĞİ A.Ş.