1.INTRODUCTION
The protection of personal data is among our Company's top priorities, and we make every effort to act in full compliance with all applicable legislation in this regard. This Data Breach Response Policy ("Policy") sets out the procedure to be followed in the event of a potential data breach arising during the personal data processing activities carried out by our Company. In doing so, our Company provides the necessary transparency by informing the affected data subjects accordingly.
2.PURPOSE
Article 12(5) of Law No. 6698 on the Protection of Personal Data, titled “Obligations Regarding Data Security,” stipulates that: “In the event that personal data processed are obtained by others through unlawful means, the data controller shall notify the data subject and the Board of this situation as soon as possible. The Board may announce this situation on its own website or by any other method it deems appropriate, if necessary.”
This Data Breach Response Policy (“Policy”) has been prepared for the purpose of defining the actions to be adopted and taken into account by our Company in practice, in the event that personal data processed by our Company are obtained by others through unlawful means.
3.SCOPE
The provisions of this Policy cover all information systems and infrastructures involved in the processing of personal data within the scope of our Company’s business activities and fields of operation, including contracts, environmental and physical areas, as well as all systems and regulations established for these purposes. This Policy applies to all departments of the Company, personnel of support service providers, visitors, third parties, interns, and contracted staff.
4.RESPONSIBILITIES
All employees, stakeholders, guests, visitors, and relevant third parties across our Company are obliged to cooperate in the operation, activities, and implementation of this Policy, as well as in preventing legal risks and imminent threats. All bodies and departments of the Company are responsible for the implementation of the Company’s Data Breach Response Policy.
5.OBLIGATIONS REGARDING DATA SECURITY
According to the Personal Data Protection Law, the Data Controller is obliged to take all necessary technical and administrative measures to ensure an appropriate level of security with the aim of:
- Preventing the unlawful processing of personal data,
- Preventing unlawful access to personal data,
- Ensuring the preservation of personal data.
6.DEFINITIONS AND ABBREVIATIONS
| COMPANY (ŞİRKET): | Aksiyon Teknoloji Hizmetleri Ticaret Limited Şirketi |
| EXPLICIT CONSENT (AÇIK RIZA): | Consent relating to a specific subject, based on being informed, and declared with free will. |
| ANONYMIZATION (ANONİM HALE GETİRME): | Altering personal data so that it loses its character as personal data and this cannot be reversed. E.g., rendering personal data incapable of being linked to a natural person through techniques such as masking, aggregation or data perturbation. |
| DATA SUBJECT (İLGİLİ KİŞİ): | The natural person whose personal data are processed. E.g., customers, visitors, employees and job candidates. |
| PERSONAL DATA (KİŞİSEL VERİ): | Any information relating to an identified or identifiable natural person. Accordingly, the processing of information relating to legal persons is not within the scope of the Law. E.g., name and surname, Turkish ID number (TCKN), e-mail address, postal address, date of birth, credit card number, bank account number, etc. |
| SPECIAL CATEGORIES OF PERSONAL DATA (ÖZEL NİTELİKLİ KİŞİSEL VERİ): | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| PROCESSING OF PERSONAL DATA (KİŞİSEL VERİLERİN İŞLENMESİ): | Any operation performed on personal data, wholly or partially by automatic means or by non-automatic means provided that it forms part of a data filing system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, takeover, making available, classification, or prevention of use. |
| DATA CONTROLLER (VERİ SORUMLUSU): | The natural or legal person who determines the purposes and means of processing personal data and manages the place where the data are systematically kept (the data filing system). |
| DATA SUBJECT APPLICATION FORM (VERİ SAHİBİ BAŞVURU FORMU): | The application form used by Data Subjects when exercising their rights under Article 11 of the KVK Law. |
| CONSTITUTION (ANAYASA): | The Constitution of the Republic of Turkey, Law No. 2709 dated 7 November 1982, published in the Official Gazette No. 17863 dated 9 November 1982. |
| KVK LAW (KVK KANUNU): | Law No. 6698 on the Protection of Personal Data dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016. |
| POLICY (POLİTİKA): | Data Breach Response Policy |
| COMMUNIQUÉ ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE OBLIGATION TO INFORM (AYDINLATMA YÜKÜMLÜLÜĞÜNÜN YERİNE GETİRİLMESİNDE UYULACAK USUL VE ESASLAR HAKKINDA TEBLİĞ): | The Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Obligation to Inform, which entered into force upon publication in the Official Gazette No. 30356 dated 10 March 2018. |
| PERSONAL DATA RETENTION AND DESTRUCTION POLICY (KİŞİSEL VERİ SAKLAMA VE İMHA POLİTİKASI): | The policy adopted by the Company, pursuant to the Regulation on the Deletion, Destruction or Anonymization of Personal Data, as the basis for determining the maximum period necessary for the purpose for which personal data are processed, and for the deletion, destruction and anonymization operations. |
| PERIODIC DESTRUCTION (PERİYODİK İMHA): | The deletion, destruction or anonymization operation carried out at recurring intervals where all of the conditions for processing personal data set out in the Law cease to exist. |
| REGISTERED ELECTRONIC MAIL (KAYITLI ELEKTRONİK POSTA, KEP): | A system that preserves all commercial and legal correspondence and document exchanges in the form in which they were sent, definitively identifies the recipient, guarantees that the content is not altered, and renders the content legally valid, secure and conclusive evidence. |
| DATA CONTROLLERS' REGISTRY INFORMATION SYSTEM (VERİ SORUMLULARI SİCİL BİLGİ SİSTEMİ): | The web-accessible information system created and managed by the Presidency, which data controllers use for applications to the Registry and for other Registry-related transactions. |
7.PERSONAL DATA BREACH
A personal data breach occurs when personal data are obtained unlawfully, accessed without authorization in violation of the law, disclosed accidentally or intentionally to unauthorized persons, or unlawfully deleted or altered, or when their integrity is otherwise compromised.
The following scenarios are generally considered personal data breaches:
- Theft or loss of physical documents or electronic devices containing personal data,
- Unauthorized acquisition of user-specific usernames and passwords,
- Unlawful disclosure of confidential information,
- Accidental sending or transmission of emails containing personal data and/or confidential information to unrelated third parties outside the Company,
- Unauthorized access to personal data resulting from viruses or other attacks (e.g., cyberattacks) on Company equipment, systems, and networks.
In the cases mentioned above or in similar situations, actions must be taken in accordance with the procedures set forth in this Policy.
8.DATA BREACH RESPONSE TEAM
In the event of a personal data breach, a Crisis Response Team (“Team”) will be established to manage the arising or potential crisis situation and to fulfill the obligations stipulated by the Law. The Team will include designated participants from the following departments:
- Data Controller Contact Person
- Data Controller Senior Executive (General Manager)
- Manager of the Department Where the Breach Occurred
9.DATA BREACH RESPONSE PROCEDURE
In the event that personal data processed are obtained by others through unlawful means, the Data Controller shall notify the affected data subjects and the Board as soon as possible. The Board may, if necessary, announce this situation on its own website or by any other method it deems appropriate.
Accordingly, when personal data are unlawfully obtained by others, the Company must report the data breach to the Board as soon as possible, and in any case no later than 72 hours after becoming aware of the breach, and must notify the affected data subjects within a reasonable time after they have been identified.
If the contact information of the relevant data subject is available, notification must be made directly; if not, suitable methods such as publication on the Company’s website should be used.
The notification made by the Data Controller to the affected individuals must be clear and understandable, and shall include at least the following:
- The time at which the breach occurred,
- The categories of personal data affected by the breach (distinguishing between personal data and special categories of personal data),
- The possible consequences of the personal data breach,
- Measures taken or proposed to be taken to mitigate the adverse effects of the breach,
- The names and contact details of the persons or departments that affected individuals may contact for more information about the breach, or the full web address of the Data Controller's website, call center, or other communication channels.
The notification to the Board shall be submitted using the “KVK Board Data Breach Notification Form” provided on the Board’s website.
If, for justified reasons, the Company is unable to notify the Board within 72 hours, the reasons for the delay must be explained to the Board together with the notification.
If it is not possible to provide all information required in the form simultaneously, such information should be provided in phases without delay.
The Company must keep records of data breaches, their effects, and the measures taken, and keep these records ready for the Board’s review.
In cases where personal data processed by a data processor are unlawfully obtained by others, the data processor must notify the Company without undue delay.
If a data breach occurs at a Data Controller established outside Turkey, but the consequences affect data subjects residing in Turkey or if those data subjects benefit from the products and services offered in Turkey, the Data Controller must notify the Board under the same principles.
The Data Controller must maintain a data breach response plan that sets out who within the organization is responsible for reporting, the notifications required under the Law, and how the possible consequences of a data breach are to be assessed. This plan shall be reviewed periodically.
10.IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The applicable legal regulations in force regarding the processing and protection of personal data shall take precedence. In the event of any conflict between the applicable legislation and this Policy, our Company acknowledges that the provisions of the applicable legislation shall prevail. This Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of the Company’s practices.
11.EFFECTIVE DATE OF THE POLICY
This Policy shall be effective as of December 31, 2021. The Policy will be published on our Company’s website and made accessible to relevant data subjects upon request.
12.DISTRIBUTION
The Policy shall be published on the Company’s website and communicated to visitors, relevant third parties, shareholders, customers, and Company employees.