PRIVACY STATEMENT
Personal Data Protection Information within the Scope of Personal Data Protection Law No. 6698 by Deniz Ar Studio - Nazlı Deniz Bayraktaroğlu AR Individual Company
1. Purpose and Scope of the Information Statement
Deniz Ar Studio - Nazlı Deniz Bayraktaroğlu AR Individual Company ("DENIZ AR STUDIO") has prepared this Personal Data Protection Information Statement ("Statement") to demonstrate the Company's approach to the protection and processing of personal data of our customers, potential customers, employees, job applicants, company shareholders, company officials, visitors, employees of collaborating institutions, shareholders, and officials, as well as third parties (hereinafter referred to as "data subjects") within the scope of the Personal Data Protection Law ("KVKK") and to inform the data subjects accordingly.
This Statement, prepared by our company, is dated [03.05.2024]. In case the entire Statement or specific sections are revised, the effective date and version of the Statement will be updated. The Statement is published on our Company's website [www.denizar.com] and made accessible to the relevant individuals upon request.
2. Principles Regarding Personal Data
a. Processing of Personal Data
In accordance with Article 20 of the Constitution and Article 4 of the KVKK, our company processes your personal data:
• In compliance with the law and principles of honesty,
• Accurately and, when necessary, up-to-date,
• For specific, clear, and legitimate purposes,
• Related to the purpose,
• In a limited and proportionate manner,
• By preserving them for the period required by the purpose of personal data processing or as prescribed by the laws,
• Based on one or more of the conditions specified in Article 5 of the KVKK.
During the acquisition of such personal data, our company complies with Article 20 of the Constitution and Article 10 of the KVKK by informing the data subject about:
• The purpose of processing personal data,
• To whom and for what purposes the processed personal data may be transferred,
• The method and legal reason for collecting personal data, and
• The rights of the data subject.
b. Legal Grounds for Processing Personal Data
Our company processes personal data within the scope of purposes specified in Article 5 of the KVKK, as follows:
• Explicitly prescribed by the laws for our company to engage in the relevant activity,
• Directly related and necessary for the establishment or performance of a contract,
• Necessary to fulfill our legal obligations,
• Processed provided that it is made anonymous; for anonymization purposes by our company,
• Necessary for the establishment, exercise, or protection of our or the data subject's or third parties' rights,
• Necessary for our legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject,
• Necessary for the protection of life or physical integrity of the data subject or someone else, where the data subject is unable to express his/her consent due to actual impossibility or legal invalidity.
Under Article 6 of the KVKK, certain personal data that poses a risk of causing harm to individuals or discrimination when processed unlawfully has been defined as "sensitive personal data." These data include race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, clothing and appearance, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures-related data, as well as biometric and genetic data. Our company processes sensitive personal data under the conditions specified by the Personal Data Protection Board (Board), provided that adequate measures are taken, in the following cases:
• Sensitive personal data other than the data subject's health and sexual life are processed in cases prescribed by the laws,
• Sensitive personal data related to the data subject's health and sexual life are processed by persons or authorized institutions or organizations under the obligation of confidentiality for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and financing, in compliance with the laws.
c. Transfer of Personal Data
Our company may transfer personal data within the scope of the purposes stated in section 2.b. of this Statement to the following recipients:
• Public institutions and organizations authorized by law for the purposes requested within their legal competence,
• Private legal entities authorized by law for the purposes requested within their legal competence.
• Your personal data may also be transferred abroad within the framework of carrying out our company's commercial activities and operational activities, subject to the conditions specified in Article 9 of the Law.
d. Purpose of Personal Data Collection
Your personal data is collected in accordance with the purposes stated above to provide, develop, and conduct our commercial activities for the products and services we offer. During this process, your personal data collected through our employees and representatives, or through public databases within the scope of relevant legislation, collected business cards, emails sent to our company's "info" email address, and collected for the purpose of conducting our commercial activities is processed in accordance with the legal basis. With this legal basis, your personal data collected can be processed and transferred for the purposes stated in paragraphs (b) and (c) of this Information Statement within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698.
Personal data is processed by our company for the following purposes under the conditions specified above, in order to ensure the provision of our company's human resources policies, the execution of HR operations in accordance with the Company's HR policies, the supply of personnel suitable for open positions in accordance with the Company's HR policies, fulfillment of obligations within the framework of occupational health and safety, and taking necessary measures:
• Provision of our company's HR policies,
• Provision of HR operations in accordance with the Company's HR policies,
• Supply of personnel suitable for open positions,
• Fulfillment of obligations within the framework of occupational health and safety, and taking necessary measures.
For the purpose of determining and implementing our company's commercial and business strategies, personal data is processed within the framework of financial operations, communication, market research, and social responsibility activities conducted by our company, purchasing operations (demand, offer, evaluation, order, budgeting, contract), internal system and application management operations, and legal operations management.
e. Storage and Deletion of Data
Our company stores the personal data it processes for the periods specified by the legislation. If the legislation specifies no period, personal data is stored for the period required by our company's practices and commercial life in connection with the services our company provides while processing the data; after this period, it is stored only for the periods required for possible legal disputes and for use as evidence. After the end of the specified periods, the personal data is deleted, destroyed, or anonymized.
3. Rights of the Data Subject
Article 20 of the Constitution states that everyone has the right to be informed about their personal data, and Article 11 of the KVKK regulates that among the rights of the data subject, there is also the right to "request information." Our company provides necessary information to the data subject if the data subject requests information, and with this Declaration, our company informs the data subject about how this right to request information will be used and how the issues related to the information request will be evaluated.
The data subject has the following rights:
• To learn whether personal data is processed,
• If personal data has been processed, to request information regarding this,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom personal data is transferred, whether domestically or abroad,
• If personal data is incomplete or incorrectly processed, to request correction of them and to request notification of the transaction made within this scope to the third parties to whom the personal data is transferred,
• To request deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear despite being processed in accordance with the KVKK and other relevant laws, and to request notification of the transaction made within this scope to the third parties to whom the personal data is transferred,
• To object to the occurrence of a result against oneself by analyzing the processed data solely through automated systems,
• If personal data is processed unlawfully, to request compensation for any damages suffered.
KVKK Article 28 lists the situations where the rights of the data subject regarding their personal data are not applicable:
• Processing personal data for research, planning, and statistical purposes by anonymizing them through official statistics.
• Processing personal data for artistic, historical, literary, or scientific purposes, or for the freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, or do not constitute a crime.
• Processing personal data by authorized public institutions and organizations for preventive, protective, and intelligence activities carried out by law for ensuring national defense, national security, public security, public order, or economic security.
• Processing personal data by judicial authorities or execution authorities for investigation, prosecution, trial, or execution procedures.
Under Article 28/2 of the KVKK, the data subject cannot assert their rights except for the right to request compensation in the following cases:
• Processing personal data to prevent a crime or for necessary investigations related to a crime.
• Processing personal data that has been made public by the data subject themselves.
• Processing personal data by public institutions and organizations authorized by law, or professional organizations having the status of public institutions, for the purposes of inspection or regulation tasks, or for disciplinary investigations or prosecutions.
• Processing personal data for protecting the economic and financial interests of the state regarding budget, tax, and financial matters.
Regarding these situations, the data subject can submit their requests by sending an email through the message section at www.denizar.com/contact. It may be necessary to request information to determine whether the applicant is the data subject and to clarify the issues mentioned in the application. Requests are processed within thirty days at the latest, and if necessary, fees determined by the Board are charged. Our company may reject the application in these cases, stating the reasons for rejection. The data subject can lodge a complaint with the Board within thirty days of learning about the company's response, and in any case, within sixty days of the application date.
4. Security of Personal Data
a. Security Measures
In accordance with Article 12 of the KVKK, our company takes necessary measures and controls to ensure an appropriate level of security to prevent unlawful processing of personal data, unauthorized access to data, and to ensure the protection of data. The security measures and controls taken by our company include:
• Employing knowledgeable personnel to establish and operate systems compliant with the principles of personal data processing and relevant legislation.
• Providing training to personnel to ensure their awareness of personal data protection and including provisions related to compliance with data protection legislation and company practice rules in personnel contracts.
• Using backup programs compliant with regulations to securely store personal data.
• Including provisions in contracts with external service providers for the protection of personal data and ensuring compliance with security measures in their organizations.
• Evaluating personal data processing processes within the scope of data processing conditions regulated by the KVKK and taking necessary technical and organizational measures to ensure that these processes are carried out in accordance with KVKK provisions.
• Establishing and implementing operational rules for managing personal data processing processes and compliance structures, including measures and controls.
• Managing and auditing personal data processing processes and related systems with management systems possessing technical and organizational characteristics.
b. Audit
In compliance with Article 12 of the KVKK, our company conducts necessary audits internally or through external means. The results of these audits are reported to the relevant department within the company's internal functioning, and activities are carried out to improve the measures taken.
Systems are established to raise awareness of personal data protection among existing and newly joined employees of the company's departments, and necessary training is provided to employees.
c. Data Breach Management
Our company operates a system that ensures the prompt reporting of the unlawful acquisition of processed personal data, in accordance with Article 12 of the KVKK, to the relevant data subject and the Board. If deemed necessary by the Board, this situation may be announced on the Board's website or through another method.