Contact Us
Contact Us

VITELCO POLICY ON PROTECTION AND PROCESSING OF PERSONAL DATA OF EMPLOYEES

 

Protection of personal data is of great sensitivity for Vitelco Bilişim Hizmetleri Anonim Şirketi (“Vitelco” or “Company”) and is among the priorities of our Company. Our Company pays due attention to the protection of personal data of Company Shareholders, Company Representatives, Customers, Employees, Cooperating Institution Employees, Shareholders and Representatives, Third Parties and other relevant persons and these activities are managed by Vitelco Personal Data Protection and Processing Policy (“PDPP Policy”).

PURPOSE OF THE POLICY

The purpose of this Policy is to determine how the personal data of the Employees will be processed and to inform the Employees about the processing of their personal data.

SCOPE OF THE POLICY

This Policy covers all personal data processing activities regarding Employees carried out by Vitelco.

APPLICABILITY AND UPDATABILITY

This Policy may be updated from time to time in order to adapt to changing conditions and legislation. In case of an update, the updated Policy text will be sent to the corporate e-mail address of the Employees.

 

  1. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA OF EMPLOYEES

 

  • Processing in accordance with the Law and good faith
  • Ensuring that personal data is accurate and up-to-date when necessary
  • Processing for specific, explicit and legitimate purposes
  • Being relevant, limited and proportionate to the purpose for which they are processed
  • Retention for the period stipulated in the legislation or required for the purpose for which they are processed

 

  1. CONDITIONS FOR PROCESSING PERSONAL DATA OF EMPLOYEES

 

2.1. Processing of personal data of employees based on explicit consent

2.2. Explicitly stipulated in the Law

2.3. Failure to obtain explicit consent of the data subject due to actual impossibility

2.4. Being directly related to the establishment or performance of the contract

2.5. Fulfilment of legal obligation by the Company

2.6. Publicization of personal data of the employee

2.7. Data processing is mandatory for the establishment or protection of a right

2.8. Processing of personal data based on legitimate interest

 

 

  1. SITUATIONS WHERE SENSITIVE PERSONAL DATA MAY BE PROCESSED

Some personal data are regulated separately as “sensitive personal data” and are subject to special protection. Due to the risk of causing victimization or discrimination when processed unlawfully, special importance has been attributed to these data.

3.1. Processing of sensitive personal data based on explicit consent

Sensitive personal data may be processed with the explicit consent of the Employees.

3.2. Cases where sensitive personal data can be processed without explicit consent

Sensitive personal data are processed in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board (“Board”) are taken in the absence of the explicit consent of the Employees:

  1. In cases stipulated by law in terms of sensitive personal data other than the health and sexual life of the Employees,
  2. In terms of personal data of special nature related to the health and sexual life of the Employees, in case it is processed by persons or authorized institutions and organizations with confidentiality obligation for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

 

  1. CLARIFYING AND INFORMING THE EMPLOYEE

In this scope, the identity of the Company representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the Employees are notified to them.

  1. PURPOSES OF PROCESSING PERSONAL DATA

Personal data are processed limited to the following purposes and conditions:

 

  • The relevant activity regarding the processing of personal data is clearly stipulated by law,
  • The processing of personal data by the Company is directly related and necessary for the establishment or performance of a contract,
  • Processing of personal data is mandatory for the Company to fulfill its legal obligations,
  • Provided that the personal data has been made public by the relevant Employee; processing by the Company limited to the purpose of publicization,
  • Processing of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company, Employees or third parties,
  • It is mandatory to carry out personal data processing activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Employees,
  • The processing of personal data by the Company is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his consent due to actual impossibility or legal invalidity.

 

In the event that the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated within the scope of the Law, the explicit consent of the Employees is obtained by the Company regarding the processing process.

  1. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

As Vitelco, we act in accordance with the regulations specified in Articles 8 and 9 of the Law when transferring personal data to third parties. In this scope, your personal data may be transferred to third parties within the country without seeking your explicit consent if at least one of the following data processing conditions exists:

 

  • It is explicitly stipulated by Law,
  • If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid,
  • The transfer of personal data of the parties to a contract is necessary, provided that it is directly related to the conclusion or performance of the contract,
  • Personal data transfer is mandatory for the Company to fulfill its legal obligations,
  • If the personal data has been made public by the personal data subject,
  • The transfer of a right for its establishment, exercise or protection,
  • Data transfer is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

If the above-mentioned transfer conditions are not applicable, it is asked whether there is explicit consent for the transfer of the personal data in question. In addition, sensitive data may also be transferred to third parties in accordance with the data processing conditions specified for sensitive data under the heading “3.situations where sensitive personal data may be processed”.

  1. TRANSFER OF PERSONAL DATA TO ABROAD

Transfer abroad can only be realized in accordance with the rules specified in Article 9 of the Law. Accordingly, personal data and sensitive personal data may be transferred abroad in cases where the data subject has given consent. In the absence of the explicit consent of the data subject, in cases where at least one of the data processing conditions specified under the headings “5. Processing of Personal Data” and “6. Processing of Sensitive Personal Data” is in question;

 

  • Countries with adequate protection declared to have adequate protection by the Board,
  • In the absence of adequate protection, data may be transferred abroad if the data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and the Board grants permission.

 

 

  1. STORAGE PERIODS OF PERSONAL DATA

The obligations imposed by legal regulations are taken into consideration when determining the retention period of personal data. Except for legal regulations, the retention period is determined by taking into account the purposes of processing personal data. In the event that the purpose of data processing disappears, the data is deleted, destroyed or anonymized unless there is another legal reason that allows the data to be kept.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Company have come to an end; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples in the requests previously addressed to the Company on the same issues despite the expiration of the statute of limitations. In this case, the stored data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.

  1. SECURITY OF PERSONAL DATA

In order to ensure the security of personal data, reasonable measures are taken to prevent unauthorized access risks, accidental data loss, deliberate deletion of data or damage to data.

 

Company employees who process personal data comply with the following obligations in order to ensure the security of the processed data:

 

  • To act lawfully and honestly in matters related to the protection of personal data,
  • Accurate, complete and accurate processing of personal data,
  • Carrying out the necessary work to update outdated personal data,
  • Informing the relevant manager when it notices any unlawfulness in the processing of personal data,
  • Providing necessary guidance for the exercise of legal rights regarding personal data.

 

  1. SPECIAL RULES REGARDING PERSONAL DATA COLLECTED AND PROCESSED IN RELATION TO THE HEALTH OF EMPLOYEES

10.1. Separate storage of health data and employees authorized to process health data

The Company takes care to process health data in the narrowest possible scope. In cases where it is necessary to process health data, information is provided to ensure that the persons authorized to carry out this processing understand the sensitivity of this data and take the necessary measures.

 

 

10.2. Treatment of health data as sensitive personal data

Employees' health data is considered as sensitive personal data. All measures applied for sensitive personal data are also applied for health data.

10.3. Access to health data

Access to health data may only be granted, if necessary, by authorized Company employees. In addition, health data may be disclosed to managers to the extent necessary for them to fulfill their managerial roles.

  1. LEGAL RIGHTS OF EMPLOYEES AND METHODS OF EXERCISING THEM

11.1. Legal rights regarding personal data

The legal rights that Employees can use regarding personal data are listed below:

  1. To learn whether personal data is processed or not,
  2. To request information if his/her personal data has been processed,
  3. To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  4. To know the third parties to whom personal data are transferred domestically or abroad,
  5. To request correction of personal data in case of incomplete or incorrect processing,
  6. To request the deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation,
  7. To request notification of the transactions made pursuant to subparagraphs (e) and (f) to third parties to whom personal data are transferred,
  8. To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  9. To demand the compensation of the damage in case of damage due to unlawful processing of personal data.

11.2. Principles on the exercise of legal rights regarding personal data

In order to exercise their rights regarding personal data, Employees can use the “Data Subject Application Form”. The applications will be responded within 30 days at the latest.

Employees can access detailed information to exercise their legal rights from the section of the PDPP Policy titled “Rights of Personal Data Owners; Methodology for the Exercise and Evaluation of These Rights”.