Personal Data Protection and Processing Policy
1. Introduction
1.1 Purpose of the Policy
Under the Personal Data Protection Law No. 6698 (“Law”), processing and protecting personal data in accordance with the law is among the most important priorities of DIAVENUSTAS (“Company” and “Firm”). We apply the same priority in all our planning and business activities. In this context, we present this Personal Data Processing and Protection Policy (“Policy”) in order to inform you in accordance with Article 10 of the Law and to notify you of all administrative and technical measures we will implement within the scope of processing and protection of personal data.
1.2 Scope
This Policy determines the conditions for processing personal data and sets forth the principles adopted by the Company in processing personal data. In this context, the Policy covers all personal data processing activities within the scope of the Law carried out by the Company, all processed personal data, and the owners of such data.
1.3 Definitions
| Term | Definition |
|---|---|
| Explicit Consent | Consent that is related to a specific subject, based on being informed, and expressed by free will. |
| Anonymization | Making data that was previously associated with a person unable to be associated with any identifiable or identified real person under any circumstances, even when matched with other data. |
| Employee Candidate | Real persons who do not work within the Company but have the status of employee candidates. |
| Personal Data | Any information relating to an identified or identifiable real person. |
| Data Subject | The real person whose personal data is processed. |
| Processing of Personal Data | Any operation performed on data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, wholly or partially by automatic means or by non-automatic means provided that it is part of any data recording system. |
| Law | Personal Data Protection Law No. 6698 published in the Official Gazette dated April 7, 2016 and numbered 29677. |
| Special Category Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. |
| Policy | Personal Data Processing and Protection Policy |
| Company/Firm | DIAVENUSTAS |
| Data Processor | The real and legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
| Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept. |
| Data Recording System | The registration system where personal data is processed by being structured according to certain criteria. |
| Business Partners | Persons with whom the Company has established partnerships within the scope of contractual relationships within the framework of its commercial activities. |
1.4 Effective Date of the Policy
This Policy prepared by the Company came into force on 31.12.2019 and was presented to the public. In case of conflict between the provisions of this Policy and the applicable legislation, especially the Law, the provisions of the legislation shall apply.
The Company reserves the right to make changes to the Policy in parallel with legal regulations. You can access the current version of the Policy from the Company’s website at https://diavenustas.com.
2. Information on Personal Data Processing Activities Carried Out by the Company
2.1 Data Subjects
Data subjects within the scope of the Policy are all real persons whose personal data is processed by the Company, excluding Company employees. In general, data subjects can be listed as follows:
| Data Subject Categories | Description |
|---|---|
| Customers | Refers to real persons who benefit from the products and services offered by the Company. |
| Potential Customers | Refers to real persons who show interest in the products and services offered by the Company and have the potential to become customers. |
| Employee Candidates | Refers to real persons who have applied for a job at the Company by sending a CV or by other methods. |
| Visitors | Refers to persons who visit the Company for any reason. |
| Third Parties | Refers to real persons other than the data subject categories listed above and Company employees. |
The data subject categories described in the table above are specified for general information sharing purposes. The fact that the data subject does not fall within the scope of any of these categories does not eliminate their status as a data subject as specified in the Law.
2.2 Purposes of Processing Personal Data
2.2.1 Conducting necessary work by relevant units to enable related persons to benefit from the products and services offered by the Company and executing business processes:
- Planning and executing sales processes of products and/or services
- Planning and/or executing after-sales support services activities
- Planning and executing customer relationship management processes
- Following up on contract processes and/or legal requests
- Following up on customer requests and/or complaints
2.2.2 Planning and executing Company human resources policies and processes:
- Planning and execution of talent-career development activities
- Fulfilling obligations arising from employment contracts and/or legislation for company employees
- Planning and executing fringe benefits and advantages for employees
- Planning and executing in-company orientation activities
- Planning and executing personnel exit procedures
- Salary management
- Planning human resources processes
- Managing personnel recruitment processes
- Planning and executing appointment-promotion and resignation processes for the company
- Planning and executing employee performance evaluation processes
- Monitoring and/or auditing employees’ business activities
- Planning and/or executing in-company training activities
- Planning and executing employee satisfaction and/or loyalty processes
- Planning and executing processes for receiving and evaluating employees’ suggestions for improving business and/or production processes
- Planning and/or executing intern and/or student recruitment, placement, and operation processes
2.2.3 Conducting necessary work by relevant business units for the realization of commercial activities carried out by the Company and executing related business processes:
- Event management
- Planning and executing business activities
- Planning and executing corporate communication activities
- Planning and executing supply chain management processes
- Planning and executing production and/or operation processes
- Planning, auditing, and executing information security processes
- Creating and managing information technology infrastructure
- Planning and executing business partners’ information access authorizations
- Following up on finance and/or accounting matters
- Planning and executing corporate sustainability activities
- Planning and executing corporate governance activities
- Planning and/or executing business continuity activities
- Planning and executing logistics activities
2.2.4 Planning and executing activities necessary for customizing, recommending, and promoting products and services offered by the Company according to preferences, usage habits, and needs:
- Identifying and/or evaluating persons to be subject to marketing activities in line with consumer behavior criteria
- Designing and/or executing personalized marketing and/or promotional activities
- Designing and/or executing advertising and/or promotional and/or marketing activities on digital and/or other media
- Designing and/or executing activities to be developed for customer acquisition and/or creating value in existing customers on digital and/or other media
- Planning and/or executing data analytics studies for marketing purposes
- Planning and executing marketing processes for products and/or services
- Planning and/or executing processes for creating and/or increasing loyalty to products and/or services offered by the Company
2.2.5 Planning and executing the Company’s commercial and/or business strategies:
- Managing relationships with business partners
2.2.6 Ensuring the legal, technical, and commercial business security of the Company and related persons in business relationship with the Company:
- Following up on legal matters
- Planning and executing operational activities necessary to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation
- Providing information to authorized organizations arising from legislation
- Creating and tracking visitor records
- Planning and executing emergency management processes
- Conducting corporate and partnership law transactions
- Planning and executing company audit activities
- Planning and/or executing occupational health and/or safety processes
- Conducting credit process risk management
- Ensuring the security of company premises and/or facilities
- Ensuring the security of company operations
- Planning and/or executing company financial risk processes
- Ensuring the security of company fixtures and/or resources
2.3 Personal Data Categories
Personal data categorized by the Company as follows is processed in accordance with the personal data processing conditions in the Law and relevant legislation:
| Data Category | Description |
|---|---|
| Identity Information | Information contained in documents such as driver’s license, identity card, residence permit, passport, attorney ID, marriage certificate. |
| Contact Information | Information used to contact the person (e.g., email address, phone number, mobile phone number, address). |
| Location Information | Information used to determine the location of the data subject (e.g., location information obtained during vehicle use). |
| Customer Information | Information belonging to customers who benefit from our products and services (e.g., customer number, profession information, etc.). |
| Customer Transaction Information | Information regarding any transaction performed by customers who benefit from our products and services. |
| Physical Space Security Information | Personal data relating to records and documents such as camera recordings and fingerprint records taken at the entrance to physical spaces and during stay in physical spaces. |
| Transaction Security Information | Personal data processed to ensure technical, administrative, legal, and commercial security while the Company conducts its commercial activities. |
| Financial Information | Personal data processed relating to information, documents, and records showing any financial result created according to the type of legal relationship established by the Company with the personal data owner. |
| Employee Candidate Information | Personal data processed relating to individuals who have applied to become employees of the Company or have been evaluated as employee candidates in line with human resources needs in accordance with commercial practice and honesty rules, or who are in a working relationship with the Company. |
| Legal Transaction and Compliance Information | Personal data processed within the scope of determining and following up the Company’s legal claims and rights, fulfilling its debts, and compliance with legal obligations and company policies. |
| Audit and Inspection Information | Personal data processed within the scope of the Company’s legal obligations and compliance with company policies. |
| Special Category Data | Data relating to persons’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. |
| Marketing Information | Personal data processed for marketing products and services offered by the Company customized according to the personal data owner’s usage habits, preferences, and needs, and reports and evaluations created as a result of this processing. |
| Request/Complaint Management Information | Personal data relating to receiving and evaluating any request or complaint directed to the Company. |
| Reputation Management Information | Information collected to protect the Company’s commercial reputation and information about evaluation reports created and actions taken in this regard. |
| Incident Management Information | Personal data processed for taking necessary legal, technical, and administrative measures against incidents that develop to protect the Company’s commercial rights and interests and the rights and interests of its customers. |
3. Principles and Conditions Regarding the Processing of Personal Data
In accordance with Article 4 of the Law, the Company processes personal data in a manner that is lawful and in accordance with the rules of honesty, accurate and up-to-date when necessary, for specific, clear, and legitimate purposes, connected to the purpose, limited and proportionate. The Company retains personal data for the period stipulated in the laws or required for the purpose of personal data processing.
3.1 Principles Regarding the Processing of Personal Data
The Company informs data subjects in accordance with Article 10 of the PDPL and, in cases where consent is required, requests consent from data subjects and processes this personal data based on the following principles.
3.1.1 Processing Data in Accordance with Law and Rules of Honesty
The Company acts in accordance with the principles brought by legal regulations and the general trust and honesty rule in the processing of personal data. In accordance with the principle of compliance with the rule of honesty, while the Company tries to achieve its goals in data processing, it takes into account the interests and reasonable expectations of the relevant persons.
3.1.2 Ensuring Personal Data is Accurate and Up-to-Date When Necessary
Keeping personal data accurate and up-to-date is necessary for the protection of the fundamental rights and freedoms of the relevant person from the Company’s perspective. The Company has an active duty of care in ensuring that personal data is accurate and up-to-date when necessary. For this reason, all communication channels are open for the Company to keep the information of the relevant person who is the data subject accurate and up-to-date.
3.1.3 Processing Data for Specific, Clear, and Legitimate Purposes
The Company clearly and precisely determines its legitimate and lawful personal data processing purpose. It processes personal data to the extent that it is connected to and necessary for the commercial activities it conducts.
3.1.4 Data Being Connected to the Purpose for Which It Is Processed, Limited and Proportionate
The Company processes personal data within the purposes related to its field of activity and necessary for the conduct of its business. For this reason, it processes personal data in a manner suitable for achieving the determined purposes and avoids processing personal data that is not related to or not needed for the achievement of the purpose.
3.1.5 Retaining Data for the Period Stipulated in Relevant Legislation or Necessary for the Purpose for Which They Are Processed
The Company retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, it first determines whether a period is stipulated in the relevant legislation for the storage of personal data, acts in accordance with this period if a period is determined, and stores personal data for the period necessary for the purpose for which they are processed if no period is determined. After the personal data processing purpose ceases or the period stipulated in the legislation expires, personal data is deleted, destroyed, or anonymized by the Company.
3.2 Conditions for Processing Personal Data
Your personal data is processed by the Company if at least one of the personal data processing conditions set forth in Article 5 of the Law exists.
3.2.1 Existence of explicit consent of the personal data owner
One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be expressed in relation to a specific subject, based on being informed, and by free will.
For the processing of personal data subject to the explicit consent of the personal data owner, explicit consent is obtained from customers, potential customers, and visitors through relevant methods.
3.2.2 Personal data processing activities being explicitly stipulated in laws
The personal data of the data subject can be processed lawfully without the explicit consent of the data subject if it is explicitly stipulated by law.
3.2.3 Inability to obtain explicit consent due to actual impossibility
The personal data of the data subject can be processed if it is mandatory to process the personal data of a person who is unable to express consent due to actual impossibility or whose consent is not recognized as valid, in order to protect the life or bodily integrity of the person or another person.
3.2.4 Personal data being directly related to the establishment or performance of a contract
Personal data can be processed if it is necessary to process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of a contract.
3.2.5 The Company fulfilling its legal obligation
The personal data of the data subject can be processed if processing is mandatory for the Company to fulfill its legal obligations as the data controller.
3.2.6 Personal data of the data subject being made public
If the data subject has made their personal data public themselves, the relevant personal data can be processed.
3.2.7 Data processing being mandatory for the establishment or protection of a right
The personal data of the data subject can be processed if data processing is mandatory for the establishment, exercise, or protection of a right.
3.2.8 Data processing being mandatory for the Company’s legitimate interest
The personal data of the data subject can be processed if data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
3.3 Processing of Special Category Personal Data
In the processing of personal data determined as “special category” by the PDPL Law, the Company acts sensitively in accordance with the regulations stipulated in the PDPL Law.
Special category personal data is processed by the Company in the following cases, provided that adequate measures determined by the PDPL Board are taken:
- If the personal data owner has given explicit consent, or
- If the personal data owner has not given explicit consent:
  - Special category personal data other than the health and sexual life of the personal data owner, in cases stipulated by law
  - Special category personal data relating to the health and sexual life of the personal data owner, only by persons under the obligation of confidentiality or authorized institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing
4. Transfer of Personal Data
The Company may transfer the personal data and special category personal data of the data subject to third parties domestically or abroad by taking necessary security measures in line with lawful personal data processing purposes. In this regard, the Company acts in accordance with the regulations stipulated in Article 8 of the PDPL Law.
4.1 Transfer of Personal Data to Third Parties Domestically
Your personal data may be transferred by the Company if at least one of the data processing conditions set forth in Articles 5 and 6 of the Law and explained under Section 3 of this Policy exists, and subject to compliance with the basic principles regarding data processing conditions.
4.2 Transfer of Personal Data to Third Parties Abroad
The Company may transfer the personal data and special category personal data of the personal data owner to third parties abroad by taking necessary security measures if at least one of the data processing conditions explained under Section 3 of this Policy exists. Personal data is transferred by the Company to foreign countries announced by the PDPL Board as having adequate protection (“Foreign Country with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where data controllers in Turkey and the relevant foreign country have undertaken adequate protection in writing and where the PDPL Board’s permission exists (“Foreign Country with Data Controller Undertaking Adequate Protection”). In this regard, the Company acts in accordance with the regulations stipulated in Article 9 of the PDPL Law.
4.3 Third Parties to Whom Personal Data is Transferred and Transfer Purposes
Within the general principles of the Law and the data processing conditions set forth in Articles 8 and 9, the Company may transfer data to the parties categorized in the table below:
| Persons to Whom Data May Be Transferred | Definition | Purpose |
|---|---|---|
| Business Partner | Parties with whom the Company has established business partnerships while conducting its commercial activities | Limited sharing of personal data to ensure the fulfillment of the purposes for which the business partnership was established |
| Shareholders | Shareholders authorized to design strategies and audit activities related to the Company’s commercial activities according to the relevant legislation provisions | Limited sharing of personal data for the design of strategies related to the Company’s commercial activities and audit purposes |
| Company Officials | Board members and other authorized persons | Limited sharing of personal data for the design of strategies related to the Company’s commercial activities, ensuring the highest level of management, and audit purposes |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations legally authorized to obtain information and documents from the Company | Limited sharing of personal data for the purpose of information requests by relevant public institutions and organizations |
| Legally Authorized Private Law Persons | Private law persons legally authorized to obtain information and documents from the Company | Limited sharing of data for the purpose requested by relevant private law persons within their legal authority |
5. Rights of the Data Subject and Exercise of Related Rights
5.1 Rights of the Personal Data Owner:
- Learning whether their personal data is processed
- Requesting information about it if their personal data has been processed
- Learning the purpose of processing personal data and whether they are used in accordance with their purpose
- Knowing the third parties to whom personal data is transferred domestically or abroad
- Requesting correction of personal data if it has been processed incompletely or incorrectly and requesting notification of the transaction made in this scope to third parties to whom personal data has been transferred
- Requesting deletion or destruction of personal data if the reasons requiring its processing have ceased to exist despite being processed in accordance with the PDPL Law and other relevant law provisions, and requesting notification of the transaction made in this scope to third parties to whom personal data has been transferred
- Objecting to a result arising against the person through analysis of processed data exclusively by automatic systems
- Requesting compensation for damages if the person suffers damage due to unlawful processing of personal data
In cases where personal data is not obtained directly from the data subject, activities for informing data subjects are carried out by the Company (1) within a reasonable time after obtaining personal data, (2) during the first communication if personal data will be used for communication with data subjects, (3) at the latest at the time of the first transfer if personal data will be transferred.
5.2 Cases Where Personal Data Owners Cannot Assert Their Rights:
Personal data owners cannot assert their rights listed in 5.1 regarding the following matters, as they are excluded from the scope of the PDPL Law pursuant to Article 28 of the PDPL Law:
- Processing of personal data by real persons completely within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with
- Processing of personal data for purposes such as research, planning, and statistics through official statistics and anonymization
- Processing of personal data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights or does not constitute a crime
- Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or enforcement proceedings
Pursuant to Article 28.2 of the PDPL Law, personal data owners cannot assert their other rights listed in 5.1, except for the right to request compensation for damages, in the following cases:
- Personal data processing being necessary for the prevention of crime or crime investigation
- Processing of personal data made public by the personal data owner themselves
- Personal data processing being necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority given by law
- Personal data processing being necessary for the protection of the State’s economic and financial interests in matters related to budget, tax, and financial matters
6. Deletion, Destruction, and Anonymization of Personal Data
As regulated in Article 138 of the Turkish Penal Code and Article 7 of the PDPL Law, if the reasons requiring processing have ceased to exist despite being processed in accordance with the relevant law provisions, personal data is deleted, destroyed, or anonymized upon the Company’s decision or upon the request of the personal data owner. In this context, the Company has taken the necessary technical and administrative measures within the Company to fulfill the relevant obligation, has developed the necessary operational mechanisms on this subject, and is training, assigning, and ensuring awareness of the relevant business units to act in accordance with these obligations.