CONTENTS
PROCESSING OF PERSONAL DATA
LEGAL BASIS AND OBJECTIVES OF THE PROCESSING OF PERSONAL DATA
STORAGE, DELETING, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
RIGHTS OF THE DATA SUBJECT
ENSURING THE SECURITY OF PERSONAL DATA
LOGIN
Protection of personal data is a constitutional right and is among our Company’s priorities. To this end, our Company aims to establish a system that is constantly updated, and this Policy has been established for that purpose. Within the scope of the Personal Data Protection Law No. 6698, this Policy is issued by “ENTO KULAK BURUN BOĞAZ ÖZEL SAĞLIK HİZMETLERİ A.Ş.” (referred to below as “ENTO KBB”), KAZIM DIRIK MAH 364/1 SOK. NO:36/A Bornova – İZMİR, as the Data Controller, in order to fulfill the general disclosure obligation and to determine the basic principles of our Company’s personal data processing rules. Within this scope, it regulates the basic principles regarding the protection of the personal data of our customers, potential customers, employees, employee candidates, interns, supplier/subcontractor employees and officials, our company shareholders, company partners, visitors and third parties whose data we process.
Necessary procedures are organized within the company for the implementation of the matters specified in this Policy; clarification texts are prepared in accordance with the Personal Data Processing Inventory specific to the categories of persons; personal data protection and confidentiality agreements are made with company employees and third parties who have access to personal data; job descriptions are revised; necessary administrative and technical measures are taken by “ENTO KBB” for the protection of personal data; and the necessary inspections are carried out or commissioned in this context. The protection of personal data is also embraced by senior management; a special committee should be formed on this subject (ENTO KBB KVKK Team List Ref: LS.01), and personal data protection processes are managed.
The main purpose of this Policy is to set forth the principles of personal data processing and the protection of personal data, carried out in accordance with the law by “ENTO KBB”, and to ensure transparency by enlightening and informing the persons whose personal data are processed by our company.
This Policy relates to all personal data of the persons we have categorized under the headings of “our customers, potential customers, employees, employee candidates, interns, supplier/subcontractor employees and officials, our company shareholders, company partners, visitors and other third parties whose data we process” that we process by automated means or, provided that they are part of any data recording system, by non-automatic means.
The relevant legal regulations in force on the processing and protection of personal data apply first. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation will apply.
The Policy is published on the website of our Company at www.entokbb.com and is made available to the relevant persons upon the request of the personal data owners and is updated when necessary.
Ento KBB acts in accordance with the principles brought by legal regulations and the rule of honesty in the processing of personal data. In this context, Ento KBB takes action by determining the legal grounds that will require the processing of personal data, takes into account the proportionality requirements, does not use personal data outside of what is required for the purpose, and does not perform any processing activities without the knowledge of individuals.
Ento KBB ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and its own legitimate interests, and takes the necessary measures in this direction. In this context, we try to keep the data on all categories of people up to date. In particular, customer and potential customer data are carefully updated, and marketing and promotional e-mails and offers are not sent to individuals against their consent.
Ento KBB clearly and precisely determines the legitimate and lawful purpose of processing personal data. Ento KBB processes personal data as much as necessary and in connection with the service it offers. The purpose for which personal data will be processed by Ento KBB is determined before the processing activity and is also processed in the “Personal Data Inventory”.
Ento KBB processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not relevant or needed for the realization of the purpose. In this context, processes are constantly reviewed and an effort is made to implement the principle of “data minimisation/reduction of personal data”.
The protection of personal data is a right defined in the Constitution, and fundamental rights and freedoms can only be limited by law, without affecting their essence, depending on the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by the law or with the explicit consent of the person. Our company processes personal data without seeking the explicit consent of the person concerned, only if the following conditions are met;
In the absence of the above conditions, our Company relies on the explicit, freely given and informed consent of the person concerned. Especially in the field of Human Resources and labor relations, taking into account the dependency relationship of the employee, it is essential that data processing be based primarily on legal reasons other than consent, but in the absence of these reasons, explicit consent is applied. On the other hand, in activities such as marketing, processing is carried out based on the consent of the person concerned. However, in all cases where personal data is processed, data processing activities based on the “Employee Disclosure Statement” are carried out.
In the processing of personal data designated as “special quality” by the KVK Law No. 6698, Ento KBB complies with the regulations stipulated in the KVK Law No. 6698. In Article 6 of the KVK Law No. 6698, a number of personal data that carry the risk of causing victimization or discrimination when processed unlawfully are designated as “special quality”, and care and sensitivity should be shown in the processing of these data. These are: data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. In accordance with the KVK Law No. 6698, special categories of personal data are processed by our Company in the following cases, provided that necessary precautions are taken: (Ref:
Regarding the protection of sensitive data, “KVKK-PO-03 Special Quality Personal Data Policy” has been put into effect in our company, and our business units act in accordance with the provisions of this policy and necessary measures are taken.
Ento KBB enlightens the personal data owners during the acquisition of personal data in accordance with Article 10 of the KVK Law No. 6698. In this context, the person whose data is processed is informed of the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of and legal reason for collecting personal data, and the rights of the person whose personal data is processed. In Article 11 of the KVK Law No. 6698, “Requesting Information” is also listed among the rights of the data subject whose personal data is processed. Within this scope, if the person concerned requests information, Ento KBB provides the necessary information in accordance with Article 20 of the Constitution and Article 11 of the KVK Law No. 6698, and transactions are made with the “Application form” at Ento KBB and on our website https://entokbb.com/.
Ento KBB can transfer the personal data and sensitive personal data of the person whose personal data is processed to third parties by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. In this direction, Ento KBB acts in accordance with the regulations stipulated in Article 8 of the KVK Law No. 6698.
Ento KBB may transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below for legitimate and lawful personal data processing purposes and in a limited manner:
If there is express consent of the person whose personal data is processed, based on this; or
Regardless of the reason, general data processing principles are always taken into account in the transfer processes and compliance with these principles is ensured (Article 4 of the KVK Law).
By showing due diligence, taking the necessary security measures and taking the adequate technical and administrative measures prescribed by the KVK Board, Ento KBB can transfer the sensitive data of the person whose personal data is processed to third parties in the following cases, in accordance with legitimate and lawful personal data processing purposes.
Regardless of the reason, general data processing principles are always taken into account in the transfer processes and compliance with these principles is ensured (Article 4 of the KVK Law).
Ento KBB can transfer the personal data and sensitive personal data it processes to third parties by taking the necessary security measures in line with the legal personal data processing purposes. Personal data is transferred by Ento KBB to countries that are compliant with GDPR, to foreign countries that are declared by the KVK Board to have adequate protection (“Foreign Country with Sufficient Protection”), or, in the absence of sufficient protection, to foreign countries where the data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and where the permission of the Board is obtained (“Foreign Country Where the Data Controller Undertaking Adequate Protection Is Located”). In this direction, Ento KBB acts in accordance with the regulations stipulated in Article 9 of the KVK Law No. 6698.
In line with legitimate and lawful personal data processing purposes, Ento KBB can transfer personal data to “Foreign Countries with Sufficient Protection or Where the Data Controller Undertaking Adequate Protection Is Located” and to GDPR-compliant countries if there is explicit consent of the person whose personal data is processed or, in the absence of such explicit consent, if one of the following situations exists:
Data transfer is carried out for purposes such as ensuring the fulfillment of Ento KBB’s activities and establishment purposes, ensuring that the services which Ento KBB outsources from suppliers and which are necessary to carry out Ento KBB’s commercial activities are provided to Ento KBB, carrying out Ento KBB’s human resources and employment policies, and fulfilling Ento KBB’s obligations within the framework of occupational health and safety and ensuring that the necessary measures are taken.
Personal data may be transferred by Ento KBB to the following categories of persons in accordance with Articles 8 and 9 of the KVK Law No. 6698:
Authorized Public Institutions | Public institutions and organizations authorized to receive information and documents from Ento KBB | Data sharing is carried out in accordance with the provisions of the relevant legislation. |
Authorized Private Law Persons | Private law persons authorized to receive information and documents from Ento KBB | Data sharing is limited to the purpose requested by the relevant private legal persons within their legal authority. |
Business Partners | Parties with whom Ento KBB has established business partnerships for purposes such as sales, promotion and marketing of Ento KBB’s products and services, after-sales support, and execution of joint customer loyalty programs | Limited data sharing is made in order to ensure that the purposes of the establishment of the business partnership are fulfilled. |
Suppliers | Parties that provide services to or are served by our Company while carrying out the commercial activities of Ento KBB | Data sharing is limited in order to ensure that the services that Ento KBB outsources from the supplier and that are necessary to carry out the commercial activities of our Company are provided to Ento KBB or by Ento KBB. |
Transfers made by Ento KBB are in accordance with the principles and rules set forth in this Policy.
PERSONAL DATA CATEGORIZATIONS
The persons whose data are processed in Ento KBB and the data processed in this context are categorized as follows;
Employee Candidate | Natural persons who have applied for a job to Ento KBB by any means or have opened their CV and related information to Ento KBB’s review. |
Employee | Natural persons working at Ento KBB |
Potential Customer | Real persons who have requested or been interested in using our products and services, or who have been evaluated, in accordance with the rules of commercial practice and honesty, as possibly having such an interest |
Supplier Employee | Natural persons working in institutions (such as but not limited to business partners, suppliers) with which Ento KBB has any business relationship |
Supplier Official | Natural persons who are shareholders and officials of institutions with which Ento KBB has business relations |
Customer | Real persons who use or have used the products and services offered by Ento KBB, regardless of whether Ento KBB has any contractual relationship or not. |
Visitor | Real persons who have entered the physical campuses owned by Ento KBB for various purposes or visited our websites |
Other | Third-party real persons (e.g. family members and relatives) who are related to Ento KBB in order to ensure the security of commercial transactions between the above-mentioned parties or to protect the rights of the said persons and to obtain benefits. |
DATA CATEGORY
Identity Data | Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information contained in documents such as Driver’s License, Identity Card, Residence, Passport, Attorney’s Identity, Marriage Certificate |
Contact Data | Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information such as phone number, address, e-mail |
Location Data | Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information that determines the location of the personal data owner during the use of our products and services, or of our employees and the employees of the institutions we cooperate with while using the vehicles of Ento KBB |
Personnel Data | Clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; all kinds of personal data processed for the purpose of obtaining the information that will form the basis of the personal rights of our employees or real persons who have a working relationship with Ento KBB |
Legal Transaction and Compliance Data | Clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; personal data processed within the scope of determination, follow-up and performance of our legal receivables and rights, and compliance with our legal obligations and our company’s policies |
Customer Transaction Data | Clearly belonging to an identified or identifiable natural person and included in the data recording system; information such as records for the use of our products and services and the customer’s instructions and requests for the use of products and services |
Physical Space Security Data | Clearly belonging to an identified or identifiable natural person and included in the data recording system; personal data regarding the records and documents taken at the entrance to the physical space and during the stay in the physical space |
Transaction Security Data | Clearly belonging to an identified or identifiable natural person and included in the data recording system; personal data processed to provide technical, administrative, legal and commercial security while carrying out activities. |
Risk Management Data | Clearly belonging to an identified or identifiable natural person and included in the data recording system; personal data processed through methods used in accordance with generally accepted legal, commercial practice and good faith in these areas so that we can manage our commercial, technical and administrative risks. |
Financial Data | Clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner |
Performance and Career Development Data | Clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; personal data processed for the purpose of measuring the performance of our employees or real persons who have a working relationship with our Company, and planning and carrying out their career developments within the scope of our company’s human resources policy |
Marketing Data | Clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; personal data processed for the marketing of our products and services by customizing them in line with the usage habits, tastes and needs of the personal data owner, and the reports and evaluations created as a result of these processing results |
Visual and Audio Data | Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; for example, data contained in photographs and camera recordings (excluding the recordings included within the scope of Physical Space Security Information), audio recordings, and documents that are copies of documents containing personal data |
Private Data (Health, Sexual Life) | Data on health and sexual life, data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data |
Although the legal grounds for the processing of personal data by Ento KBB differ, all personal data processing activities are carried out in accordance with the general principles in Article 4 of the KVK Law No. 6698. According to this; in any data processing
One of the conditions for the processing of personal data is the explicit consent of the owner. The explicit consent of the personal data owner should relate to a specific subject and be based on information and free will.
The personal data of the data owner can be processed in accordance with the law, if it is expressly stipulated in the law.
For example, reporting the identities of our Employees to the competent authorities in accordance with the Identity Reporting Legislation.
The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility, or whose consent cannot be validated, in order to protect the life or physical integrity of himself or another person. For example, sharing the health information of the employee with epilepsy with the physician.
It is possible to process personal data if it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract. For example, obtaining a CV from the candidate for the establishment of a Service (Business) contract, obtaining an address for notification within the scope of the contract.
Personal data of the data owner may be processed if processing is necessary for Ento KBB to fulfill its legal obligations as data controller. For example, processing family information of dependents so that the Employee can benefit from the Minimum Living Allowance.
If the data owner has made his personal data public by himself, the relevant personal data may be processed. For example, if the customers of our Company present their complaints, requests or suggestions on a public platform on the internet, these customers will have made their relevant information public. In this case, the data may be processed by the Ento KBB officer, limited to responding to complaints, requests or suggestions.
If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed. For example, the storage of evidential data (sales contract, invoice) and their use when necessary.
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if it is necessary to process the data for the legitimate interests of Ento KBB. For example, monitoring critical points against theft or for occupational safety with the security camera of Ento KBB.
Where the personal data owner has not given explicit consent, special categories of personal data can be processed by Ento KBB only in cases stipulated by the laws, provided that adequate measures to be determined by the KVK Board are taken. Such data can be processed by persons or authorized institutions and organizations that are under the obligation to keep confidential, only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and financing. Regardless of the reason, general data processing principles are always taken into account in the processing processes and compliance with these principles is ensured (Article 4 of the KVK Law).
Ento KBB processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the KVK Law No. 6698. In the data processing process, the above-mentioned legal bases are taken into account, and if there are no other legal compliance reasons, the consent of the person concerned is requested. Here, too, compliance with the general principles is checked within the scope of Article 4, and above all, it is sought that the data processing activity is generally compatible with the principles of legality. The consent of the person concerned is obtained “in an open, informed and free-willed manner”. The purposes of processing personal data are also stated in our Company’s “Personal Data Inventory”.
In Ento KBB, personal data is processed especially for the following purposes;
For the purposes of occupational health and safety, general security, product safety, camera monitoring at the workplace is carried out by taking into account the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of our visitors, the persons whose data is processed in this context, and especially the employees.
Although personal data has been processed in accordance with the provisions of the relevant law, as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law No. 6698, in the event that the reasons requiring its processing are eliminated, personal data is deleted, destroyed or anonymized upon Ento KBB’s own decision or upon the request of the personal data owner.
Ento KBB keeps personal data for the period specified in the relevant legislation, if a period is stipulated in the relevant laws and legislation. If the legislation does not regulate how long personal data should be stored, personal data is processed for the period that requires it to be processed in accordance with the practices of Ento KBB and of commercial life, depending on the services provided by our company while processing that data. It can be kept for the purpose of asserting a right or establishing a defense. In establishing the periods here, the storage periods are determined on the basis of the statute of limitations for asserting the aforementioned right and of the examples previously submitted to Ento KBB on the same issues despite the expiry of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access is provided only when it is required to be used in the relevant legal dispute. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.
As regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law No. 6698, although personal data has been processed in accordance with the provisions of the relevant law, in case the reasons requiring processing are eliminated, it is deleted, destroyed or anonymized at the discretion of Ento KBB or upon the request of the personal data owner. In this context, Ento KBB fulfills its obligations with the methods described in this section.
Although personal data has been processed in accordance with the provisions of the relevant law, Ento KBB may delete personal data upon its own decision or upon the request of the personal data owner, in case the reasons requiring processing are eliminated. Deletion of personal data is the process of making personal data inaccessible and non-reusable for relevant users. All necessary technical and administrative measures are taken to ensure that the personal data deleted in Ento KBB is not accessible and reusable for the relevant users.
The process to be followed in the deletion of personal data is as follows:
Since personal data can be stored in various recording media, they are deleted by methods suitable for recording media.
Although personal data has been processed in accordance with the provisions of the relevant law, Ento KBB may destroy personal data at its own discretion or upon the request of the personal data owner, in the event that the reasons requiring its processing are eliminated. Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. Ento KBB takes all necessary technical and administrative measures regarding the destruction of personal data.
In order to destroy personal data, all copies of the data are detected and the systems with the data are destroyed one by one.
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. Our company can anonymize personal data when the reasons that require the processing of personal data processed in accordance with the law are eliminated. Personal data is anonymized by making it impossible to associate with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal by the data controller or recipient groups and/or matching the data with other data. Ento KBB takes all necessary technical and administrative measures to anonymize personal data.
Personal data that has been anonymized in accordance with Article 28 of the KVK Law No. 6698 may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the KVK Law No. 6698, and the explicit consent of the personal data owner will not be sought.
Anonymization is the removal or alteration of all direct and/or indirect identifiers in a data set, so that the data subject can no longer be identified or loses distinctiveness within a group or crowd in a way that cannot be associated with a natural person. Data that does not point to a specific person as a result of blocking or losing these features is considered anonymized data. The purpose of anonymization is to break the link between the data and the person identified by this data. All of the link-breaking processes carried out by methods such as automatic or non-automatic grouping, masking, derivation, generalization and randomization, applied to the records in the data recording system where personal data is kept, are called anonymization methods.
Persons whose personal data are processed in Ento KBB have the following rights:
It is necessary and sufficient for the Relevant Persons to submit their requests regarding the exercise of the above-mentioned rights in accordance with the 1st paragraph of the 13th article of the KVK Law No. 6698 to our Company by the following methods;
Application Method | Address to apply | Information to be Specified in the Application Submission |
Personal Application (the applicant applies in person with a document proving identity) | ENTO KULAK BURUN BOĞAZ ÖZEL SAĞLIK HİZMETLERİ A.Ş., Kazım Dirik Mah. 364/1 Sok. No:36/A Bornova / İZMİR | “Information Request within the Scope of the Personal Data Protection Law” will be written on the envelope. |
Notification via Notary Public | ENTO KULAK BURUN BOĞAZ ÖZEL SAĞLIK HİZMETLERİ A.Ş., Kazım Dirik Mah. 364/1 Sok. No:36/A Bornova / İZMİR | “Information Request Under the Law on Protection of Personal Data” will be written in the notification envelope. |
By Registered Electronic Mail (KEP), signed with a “Secure Electronic Signature” | | “Personal Data Protection Law Information Request” will be written in the subject of the e-mail. |
In the application;
Name, surname and signature if the application is written, TR Identity Number for Turkish citizens, nationality, passport number or identification number, if any, settlement or workplace address for notification, e-mail address, telephone and fax number, if any, subject to notification, subject of request. , is mandatory. Information and documents related to the subject are also attached to the application.
It is not possible to make a request by third parties on behalf of personal data owners. In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person to apply . In the application containing your explanations regarding the right you have as the personal data owner and you will make and request to use the above-mentioned rights; The subject you request must be clear and understandable, the subject you request is related to yourself or if you are acting on behalf of someone else, you must be specifically authorized in this regard and document your authority, the application must contain your identity and address information, and documents confirming your identity must be attached to the application.
The application form for the data owners is available on the website of Ento KBB ( https://www.entokbb.com ).
If the personal data owner submits a request to Ento KBB in accordance with the prescribed procedure, Ento KBB will conclude the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires a separate cost, Ento KBB will charge the applicant the fee in the tariff determined by the KVK Board. Ento KBB may request information from the person concerned in order to determine whether the applicant is the owner of the personal data. Ento KBB may also ask the personal data owner questions in order to clarify the issues raised in the application. Applications are managed within Ento KBB according to the “Relevant Person Application”.
Ento KBB takes all necessary technical and administrative measures within the scope of ISMS to ensure that personal data is processed in accordance with the law. In this context,
Within the scope of our company, a Data Inventory compatible with the VERBIS system is prepared (Data Mapping), through which audits of compliance with the law and with the purpose are carried out.
With the KVK Law No. 6698, special importance has been attached to certain personal data because of the risk of victimization or discrimination when they are processed unlawfully. These are data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Ento KBB acts sensitively in the protection of personal data that the KVK Law No. 6698 designates as “special quality” and that is processed in accordance with the law. The technical and administrative measures taken by Ento KBB for the protection of personal data are carefully implemented for special quality personal data, and the necessary inspections are carried out. In this context;
Ento KBB takes technical and administrative measures within the scope of ISMS to prevent reckless or unauthorized disclosure, access, transfer or any other unlawful access to personal data.
The main technical measures taken by Ento KBB to prevent unlawful access to personal data are listed below:
To ensure personal data security, cyber security products are used first of all, but the measures are not limited to these; measures such as firewall and gateway are also taken within the scope of ISMS. Unused software and services are removed from devices.
Patch management and software updates ensure that software and hardware work properly, and the adequacy of the security measures taken for the systems is checked regularly.
Access to systems containing personal data is also restricted. In this context, employees are granted access to the extent necessary for their jobs and duties, as well as their authorities and responsibilities, and access to the relevant systems is provided by using a user name and password. When these passwords are created, combinations of upper and lower case letters, numbers and symbols are preferred over easily guessed number or letter sequences associated with personal information. Accordingly, an access authorization and control matrix is created within the scope of ISMS.
In addition to the use of strong passwords, access is restricted by methods such as limiting the number of password attempts, ensuring that passwords are changed at regular intervals, opening the administrator account and admin authority for use only when necessary, and deleting the account or closing the logins without delay for employees who have been dismissed from the data controller.
To protect against malicious software, products such as antivirus and antispam, which regularly scan the information system network and detect dangers, are used; these are kept up to date and the necessary files are scanned regularly. If personal data is to be obtained from different websites and/or mobile application channels, connections are made with SSL or a more secure way.
A formal reporting procedure is established within the scope of ISMS for employees to report security vulnerabilities in systems and services, or threats that make use of them.
Evidence is collected and securely stored when undesirable events occur, such as a crash of the information system, malicious software, a denial-of-service attack, incomplete or incorrect data entry, violations of confidentiality and integrity, or abuse of the information system.
If personal data is stored on the devices of the data controllers at Ento KBB campuses or on paper media, physical security measures are taken against threats such as theft or loss of these devices and papers. Physical environments containing personal data are protected against external risks (fire, flood, etc.) with appropriate methods, and entry/exit to these environments is controlled.
If personal data is in electronic media, access can be restricted or separated between network components in order to prevent personal data security breach.
The same level of precaution is taken for paper media, electronic media and devices (laptop computer, mobile phone, flash memory) located outside the Ento KBB campus and containing personal data belonging to Ento KBB. Personal data to be transferred by e-mail or post is also sent carefully and with adequate precautions.
In case the employees access the information system network with their personal electronic devices, adequate security measures are taken for them as well.
In case of loss or theft of devices containing personal data, access control authorization and/or encryption methods are used. In this context, the encryption key is stored in an environment that only authorized persons can access, and unauthorized access is prevented.
Documents in paper media containing personal data are also stored in a locked way and in environments that can only be accessed by authorized persons, and unauthorized access to these documents is prevented.
Cloud applications for storing personal data may also be used when necessary. In this case, Ento KBB should evaluate whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, the measures specified in the guidelines and recommendations of the KVK Board are taken into account.
Security requirements are taken into account by Ento KBB while determining the needs for the supply of new systems, development or improvement of existing systems within the scope of ISMS.
In cases where personal data is damaged, destroyed, stolen or lost for any reason, the Company uses the backed up data to take action as soon as possible. Backed up personal data can only be accessed by the system administrator, and data set backups are kept out of the network.
The main administrative measures taken by Ento KBB to prevent unlawful access to personal data are listed below:
Ento KBB takes the necessary technical and administrative measures according to the technological possibilities and implementation cost in order to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.
The main technical measures taken by Ento KBB for the storage of personal data in secure environments are listed below:
infrastructures are used.
The main administrative measures taken by Ento KBB for the storage of personal data in secure environments are listed below:
Ento KBB ensures that the necessary notifications are made to the business units in order to prevent the unlawful processing of personal data, to prevent illegal access to the data and to increase the awareness of data protection.
Ento KBB provides necessary information to its business partners in order to prevent unlawful processing of personal data, to prevent illegal access to data, and to increase awareness regarding data protection.
Ento KBB has the right to inspect, regularly and ex officio and without any prior notice, whether all employees, departments and contractors of Ento KBB act in accordance with this Policy and the KVK Regulations, and in this context it carries out the necessary routine inspections or has them carried out. The results of these inspections are evaluated within the scope of the internal functioning of Ento KBB, and the necessary activities are carried out to improve the measures taken.
Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
Ento KBB operates the system that ensures that, if personal data processed in accordance with Article 12 of the KVK Law No. 6698 is obtained by others unlawfully, this situation is notified to the relevant personal data owner and the KVK Board as soon as possible.
PREPARED | APPROVED |
IT Manager ONUR BAYIR | GENERAL COORDINATOR KENAN KILIÇ |