
Terms of Use

Purpose

The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the right to privacy, in the processing of personal data and to regulate the obligations of real and legal persons who process personal data and the procedures and principles they must comply with.

Scope

The provisions of this Law shall apply to real persons whose personal data are processed and real and legal persons who process these data, either fully or partially, by automatic means or non-automatic means, provided that they are part of any data recording system.

Definitions

In the implementation of this Law;

  • Explicit consent: Consent based on information and expressed with free will regarding a specific subject,
  • Anonymization: Rendering personal data such that it cannot be associated with an identified or identifiable natural person, even by matching it with other data,
  • President: President of the Personal Data Protection Authority,
  • Relevant person: Natural person whose personal data is processed,
  • Personal data: Any information related to an identified or identifiable natural person,
  • Processing of personal data: Any operation performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, fully or partially by automatic means or, provided that it is part of any data recording system, by non-automatic means,
  • Board: Personal Data Protection Board,
  • Institution: Personal Data Protection Institution,
  • Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him,
  • Data recording system: The recording system in which personal data is structured and processed according to certain criteria,
  • Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

INFORMATION TEXT FOR VISITORS ON THE PROTECTION OF PERSONAL DATA IN ACCORDANCE WITH THE PROCEDURES AND PRINCIPLES OF THE LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA (GDPR)


IDENTITY OF THE DATA CONTROLLER

As Gevge Teknoloji (hereinafter referred to as “Gevge Teknoloji”), as the data controller;

  • in a limited and proportionate manner in connection with the purpose of processing,
  • will be recorded, stored, preserved, rearranged,

shared with institutions authorized by law to request this personal data, transferred, assigned and classified to third parties in the country under the conditions stipulated by the GDPR, and processed in other ways listed in the GDPR; we inform you that your personal data may be processed in these ways. The purpose of this Information Text is to explain to you how and for what purposes we will process your personal data. Please read this Information Text carefully.

INFORMATION TEXT ON THE PROTECTION OF PERSONAL DATA IN ACCORDANCE WITH THE PROCEDURES AND PRINCIPLES OF THE LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA ("GDPR")


IDENTITY OF THE DATA CONTROLLER

As Gevge Teknoloji (hereinafter referred to as "Gevge Teknoloji"), as the data controller;

  • your personal data, which we obtain in the following ways, depending on the situation,
  • within the scope of our commercial relations or within our business relationship with you;
  • within the framework of the purpose requiring processing and in a limited and proportionate manner in connection with this purpose,
  • by preserving the accuracy and most up-to-date form of the personal data notified to us,
  • will be recorded, stored, preserved, rearranged, shared with institutions legally authorized to request this personal data, and transferred, assigned, classified and processed in other ways listed in the GDPR, to domestic or foreign third parties under the conditions stipulated by the GDPR.

INFORMATION TEXT FOR EMPLOYEE CANDIDATE ON THE PROTECTION OF PERSONAL DATA IN ACCORDANCE WITH THE PROCEDURES AND PRINCIPLES OF THE LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA ("GDPR")


IDENTITY OF THE DATA CONTROLLER

Gevge Teknoloji has prepared this Information Text in order to tell you which personal data we will process and for what purposes. We will process your personal data specified below under all circumstances;

  • In accordance with the law and the rules of honesty,
  • By maintaining the accuracy of the personal data you share and the most up-to-date version as you have notified us,
  • For specific, clear and lawful purposes,
  • In a way that is relevant, limited and proportionate to the purpose for which they will be processed,
  • We declare that we will process them by storing them for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

PROCESSING OF PERSONAL DATA


GENERAL PRINCIPLES

The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the right to privacy, in the processing of personal data and to regulate the obligations of real and legal persons who process personal data and the procedures and principles they will comply with.

The following principles must be followed in the processing of personal data:

  • Compliance with the law and the rules of honesty.
  • We declare that we will process the personal data you share by preserving its accuracy and the most up-to-date version as you have notified us,
  • For specific, clear and lawful purposes,
  • In a way that is related, limited and proportionate to the purpose for which they will be processed,
  • By storing it for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data cannot be processed without the explicit consent of the relevant person.

If one of the following conditions is met, it is possible to process personal data without the explicit consent of the relevant person:

  • It is explicitly provided for in the laws.
  • It is necessary for the protection of the life or physical integrity of the person who is unable to give his/her consent due to a physical impossibility or whose consent is not legally valid.
  • It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
  • It is necessary for the data controller to fulfill its legal obligation.
  • It is made public by the relevant person.
  • Data processing is mandatory for the establishment, exercise or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

CONDITIONS FOR PROCESSING SPECIAL NATURE PERSONAL DATA

Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures of individuals, as well as biometric and genetic data, are special nature personal data.

It is prohibited to process special nature personal data without the explicit consent of the relevant person.

Personal data other than health and sexual life listed in the first paragraph may be processed without the explicit consent of the relevant person in the cases provided for by law. Personal data related to health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons under a confidentiality obligation or by authorized institutions and organizations without the explicit consent of the person concerned.

In the processing of special personal data, it is also necessary to take adequate measures determined by the Board.

ERASING, DESTROYING OR ANONYMIZING PERSONAL DATA

Although processed in accordance with the provisions of this Law and other relevant laws, if the reasons requiring processing are eliminated, personal data shall be erased, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person.

The provisions in other laws regarding the erasure, destruction or anonymization of personal data are reserved.

The procedures and principles regarding the erasure, destruction or anonymization of personal data shall be regulated by regulation.

TRANSFER OF PERSONAL DATA

Personal data cannot be transferred without the explicit consent of the relevant person.

Personal data;

  • In the second paragraph of Article 5,
  • Provided that adequate measures are taken, in the third paragraph of Article 6, if one of the conditions specified is present, it can be transferred without the explicit consent of the relevant person.

The provisions of other laws regarding the transfer of personal data are reserved.

TRANSFER OF PERSONAL DATA ABROAD

Personal data cannot be transferred abroad without the explicit consent of the relevant person.

Personal data, if one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 exist and in the foreign country to which the personal data will be transferred;

  • Adequate protection is available,
  • In the absence of adequate protection, the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and the Board's permission is obtained, it may be transferred abroad without the explicit consent of the relevant person.

Countries with adequate protection are determined and announced by the Board.

The Board shall decide whether there is adequate protection in the foreign country and whether permission will be granted in accordance with subparagraph (b) of the second paragraph;

  • International agreements to which Turkey is a party,
  • The status of reciprocity regarding data transfer between the country requesting personal data and Turkey,
  • The nature of the personal data, the purpose of processing, and the duration of each concrete personal data transfer,
  • The relevant legislation and practice of the country to which the personal data will be transferred,
  • It makes a decision by evaluating the measures undertaken by the data controller in the country where the personal data will be transferred and, if necessary, by also obtaining the opinions of the relevant institutions and organizations.

Personal data may be transferred abroad only with the permission of the Board after obtaining the opinion of the relevant public institution or organization, without prejudice to the provisions of international agreements, in cases where the interests of Turkey or the relevant person will be seriously harmed.

The provisions of other laws regarding the transfer of personal data abroad are reserved.

METHOD AND LEGAL REASON OF DATA COLLECTION


Gevge Teknoloji collects personal data directly from data owners verbally or physically and processes this personal data. You can access the table below regarding which personal data is collected and processed and how it is collected.

  • Visual Data: Security camera images. Obtained through cameras.
  • Other: Guest Network Log Records. Provided by you (data owner).

Gevge Teknoloji collects data for monitoring visitors' entries and exits with security cameras in order to ensure the security of the central location. In addition, if a visitor wants to receive internet service using the Gevge Teknoloji internet network, data is also collected to monitor and ensure the traceability and security of this service.

This data is collected in accordance with the law, through digital and technical channels, and by automatic or non-automatic means, and is processed within the scope of the personal data processing conditions and purposes specified in Article 5 of the GDPR.

YOUR PROCESSED PERSONAL DATA

Personal data provided to us by employees may be processed by us. Your personal data that may be processed are as follows:

Identity Data

Name, surname, date of birth, country of birth, city of birth, gender, marital status, TC identity card information (TCKN, serial number, wallet number, father's name, mother's name, place of birth, province, district, neighborhood, volume number, family sequence number, sequence number, household number, page number, registration number, place of issue, reason for issue, date of issue, previous surname), copy of identity card

Contact Data

Phone number, address information and e-mail address

Financial Data

Financial and salary details, payrolls, files and debt information regarding enforcement proceedings, bank account book, minimum living allowance information

Personal Data of Special Nature

Former convict status/criminal record, disability status/definition/percentage, health data, blood group, health reports, on-the-job health report, chest X-ray, employment entry and periodic examination forms signed by the workplace physician, pregnancy status, pregnancy report, health and maternity leave information

Education Data

Education status, certificate and diploma information, foreign language information, education and skills, CV, courses taken

Visual and Audio Data

Photo of a real person

Employee Performance and Career Development Data

Education and skills, information on which training was received on which date, and signed participation form

Family and Relative Data

Name, surname and phone number of relatives

Work Data

Position name, department and unit, title, last employment date, employment entry and exit dates, insurance entry/retirement, social security number, tax office number, flexible working hours, travel status, number of working days, projects worked, severance pay base date, severance pay additional day

Leave Data

Leave seniority base date, leave seniority additional day, leave group, exit/return date, day, reason for leave, address/phone number to be on leave

Other

Military postponement, height, weight, trainee status, shuttle, stop data, employee internet access logs, input and output logs, camera recordings

TERMS AND CONDITIONS


DATA CONTROLLER'S OBLIGATION TO INFORM

During the collection of personal data, the data controller or their authorized representative is obligated to inform the data subjects about:

  • The identity of the data controller and their representative (if any),
  • The purpose of processing personal data,
  • To whom and for what purpose the processed personal data may be transferred,
  • The method and legal basis of personal data collection,
  • Other rights listed in Article 11.

RIGHTS OF THE DATA SUBJECT

Everyone has the right to request the following from the data controller regarding their personal data:

  • To learn whether their personal data is being processed, (1)
  • To request information if their data has been processed, (2)
  • To learn the purpose of processing and whether it is used appropriately, (3)
  • To know the third parties (domestic or foreign) to whom their personal data has been transferred, (4)
  • To request correction of incomplete or inaccurately processed data, (5)
  • To request deletion or destruction of personal data under the conditions specified in Article 7, (6)
  • To request that the actions taken under (5) and (6) be communicated to third parties to whom the data was transferred, (7)
  • To object to any adverse consequences resulting from the analysis of processed data exclusively through automated systems, (8)
  • To claim compensation for damages incurred due to unlawful processing of personal data. (9)

OBLIGATIONS REGARDING DATA SECURITY

The data controller must:

  • Prevent unlawful processing of personal data,
  • Prevent unauthorized access to personal data,
  • Ensure the safekeeping of personal data by taking all necessary technical and administrative measures to maintain an appropriate level of security.

If personal data is processed by another natural or legal person on behalf of the data controller, the data controller is jointly responsible with these parties for implementing the measures specified in the first paragraph.

The data controller is obligated to conduct or commission necessary audits to ensure compliance with the provisions of this Law within their organization.

Data controllers and data processors cannot disclose personal data they have learned to others or use it for purposes other than processing, in violation of this Law. This obligation continues even after their duties have ended.

If the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible. If necessary, the Board may announce this situation on its own website or by another method it deems appropriate.

PURPOSES OF PROCESSING YOUR PERSONAL DATA

Your personal data may be processed by the data controller or legal/natural persons it appoints in accordance with the GDPR in the following cases;

  • For the purpose of using the guest internet network,
  • For the purpose of detecting and controlling entries and exits,
  • Recording camera images due to Gevge Teknoloji privacy and security practices,
  • Fulfilling obligations regarding occupational health and safety,
  • The requirements determined by laws and regulations
  • To fulfill the requests of public institutions and organizations as required or made mandatory by legal regulations,
  • To fulfill the legal obligations specified in the GDPR,

PURPOSES OF PROCESSING YOUR PERSONAL DATA

  • To fulfill legal requirements and/or to fulfill the requests of official authorities, with public institutions and organizations,
  • In order to fulfill emergency medical interventions and occupational health and safety obligations, with occupational health and safety companies, hospitals and health institutions,

It may be shared within the framework of the conditions determined by the law.

PERSONAL DATA STORAGE PERIOD

Your Visual Data will be stored for 15 days in line with the above purposes. After the period has elapsed, your personal data will be deleted, destroyed and/or anonymized by Gevge Teknoloji or upon your request, using methods within the scope of the Personal Data Protection Law and relevant regulations.

YOUR RIGHTS

Within the scope of GDPR, you have the following rights regarding your personal data:

  • To learn whether personal data is being processed,
  • To request information regarding the processing of personal data,
  • To learn the purpose of processing personal data and whether they are being used in accordance with their purpose,
  • To know the third parties to whom personal data is transferred domestically or abroad,
  • To request correction of personal data if it is processed incompletely or incorrectly,
  • To request deletion or destruction of your personal data if the reasons requiring processing of your personal data are eliminated,
  • To request that your information corrected or deleted upon your request be notified to third parties to whom personal data has been transferred, if it has been transferred,
  • To object to the emergence of a result against you through the analysis of the processed data exclusively by automatic systems,
  • To request compensation for damages in case of damages due to unlawful processing of personal data.

In order to exercise your rights specified above, you can send your written request with the necessary information to identify you and your explanations regarding the right you want to exercise to the address "Gevge Teknoloji ADRES", clearly stating that the subject is related to GDPR, with a wet signature, or by filling out the "Personal Data Application Form" published on our website, to our mailing address GEVGE-EMAIL. Applications must include your name, surname, and signature if the application is written, Turkish identity number for citizens of the Republic of Turkey, nationality for foreigners, passport number/identity number, place of residence or workplace address for notification, e-mail address for notification, telephone or fax number, if any, and the subject of the request. In the application that includes your explanations regarding the right you wish to exercise and request to exercise your rights specified above as the personal data owner; the subject you request must be clear and understandable, the subject you request must be related to you, or if you are acting on behalf of someone else, you must be specifically authorized in this matter and your authority must be documented, the application must include your identity and address information, and documents proving your identity must be attached to the application. Applications you make within this scope will be finalized as soon as possible and within 30 days at the latest. However, if the process requires an additional cost, the fee specified in the tariff determined by the Personal Data Protection Board may be charged. If the response to the application is given on a recording medium such as a CD or flash memory, the fee that Gevge Teknoloji may charge cannot exceed the cost of the recording medium.

METHOD OF DATA COLLECTION AND LEGAL REASON

As Gevge Teknoloji, in order to fulfill our legal obligations, to perform the employment contract between us, for the reasons stipulated in the laws and due to the legitimate interests of Gevge Teknoloji, we collect your personal data that we personally request from you, that we have previously requested during your job application through the job application form or other employment platforms, or that you prefer to share with us during your job application, or that are included in your CV or other texts you share regarding your application, by you sending them to us physically or electronically. In order to fulfill our legal obligations and as foreseen by the laws, we collect your health data physically and in order to ensure workplace safety through our workplace physician. We collect your personal data physically or electronically in order to fulfill our legal obligations. We collect your personal data through legal documents and notifications sent to us. Gevge Teknoloji collects your personal data through cookies used on our website, as detailed in our Cookie Policy, in accordance with its legitimate interest to develop its platform and make it more effective.

PURPOSES OF PROCESSING YOUR PERSONAL DATA

Your personal data is processed by Gevge Teknoloji for the following purposes and legal reasons. Fulfillment of the necessary purpose for the performance of the employment contract, in particular;

  • Approval of employees' leave, display of remaining leave, making leave arrangements
  • Carrying out employee termination procedures
  • Ensuring that payroll procedures are carried out
  • Making salary payments to employees

In order to fulfill the requirements under the Labor Law, Occupational Health and Safety Law, Social Security Law and related legislation, and other laws and legislation, in particular;

  • Creation of personnel files
  • Providing information on SGK notifications, İŞKUR notifications, police station notifications and incentives and legal obligations
  • Ensuring the opening of a mandatory individual retirement insurance account
  • Control of employees' entry and exit records
  • Execution files, making payments for employees' wage garnishment deductions
  • Making legal notifications of work accidents
  • Carrying out occupational health and safety procedures
  • Complying with other information storage, reporting, and information obligations stipulated by legislation, relevant regulatory bodies, and other authorities
  • Fulfilling court decisions

In order to ensure security within Gevge Teknoloji, in particular;

  • Ensuring workplace safety
  • Ensuring employees' entry and exit to Gevge Teknoloji

For the purposes of managing Gevge Teknoloji, conducting business, implementing Gevge Teknoloji policies, in particular;

  • Making expense payments to employees
  • Ensuring communication with employees
  • Providing vehicles for employees
  • Providing business card printing
  • Ensuring that packages received via cargo and courier are delivered to the relevant employee
  • Monitoring the use of Gevge Technology tools for the safety of employees and the execution of work
  • Providing service and travel organization
  • Creating the employee's work e-mail by entering employee data into Outlook
  • Ensuring control of employees' entry and exit from work
  • Recording the documents collected during the job application and interview of employees
  • Providing communication for congratulatory purposes
  • Planning training, reporting training, preparing training certificates, tracking employees who participated in trainings, tracking development processes of employees as a result of the trainings they received
  • Providing communication with relevant persons in emergency situations

Your personal data will be stored for the maximum period specified in the relevant legislation or required for the purpose for which they are processed, and in any case, for the statutory limitation periods.

SHARING OF YOUR PERSONAL DATA WITH THIRD PARTIES IN THE COUNTRY

For your security and for Gevge Teknoloji to fulfill its obligations under the law, your personal data may be shared, under laws such as the Labor Law, the Labor Health and Safety Law, the Social Insurance and General Health Insurance Law, the Law on Regulation of Publications Made on the Internet and Combating Crimes Committed Through Such Publications, the Turkish Commercial Code, the Personal Data Protection Law No. 6698 and the Identity Notification Law, with public legal entities, including but not limited to the relevant institutions or organizations: the Personal Data Protection Authority, the Ministry of Finance, the Ministry of Customs and Trade, the Ministry of Labor and Social Security, the Turkish Employment Agency (İş-Kur), and the Information Technologies and Communication Authority. For example, employees' personal data is shared with the Social Security Institution for the purpose of payment of employee and employer premiums.
In addition, your personal data;
In order to fulfill the necessary purpose for the execution of the employment contract, in particular;

  • In order to carry out payroll transactions and update the relevant data, we can process it in the accounting program. This data is stored in the application's own data recording environment.

In order to fulfill the requirements within the scope of the Labor Law, Occupational Health and Safety Law, Social Security Law and relevant legislation, and other laws and legislation, in particular;

  • We can share it with consultancy firms and private employment agencies that we work with in order to receive consultancy on the determination and calculation of incentives.
  • We can share your health data with our workplace physician so that they can perform treatment and health checks.
  • We can transfer payroll information to Gevge Technology auditors so that they can perform audit activities.

In order to fulfill our legal obligations, in particular;

  • In order to exercise our right to defense, we can share it with our lawyers and relevant institutions within the framework of our obligation to fulfill legal requests such as court orders or requests for evidence, provided that it is in accordance with the law and procedure.

In order to manage Gevge Technology, conduct business, and implement Gevge Technology policies, in particular;

  • The necessary personal data can be transferred to the company we work with for reasons such as transportation, reservation, vehicle supply, visa services, business card printing, parking registration.

SHARING OF YOUR PERSONAL DATA WITH THIRD PARTIES ABROAD

If you consent, your personal data can be shared with third parties abroad for communication, travel organization, and travel arrangements during travels and trainings abroad.

YOUR RIGHTS

Within the scope of GDPR, you have the following rights regarding your personal data:

  • To learn whether personal data is being processed,
  • To request information about personal data if it is being processed,
  • To learn the purpose of processing personal data and whether they are being used in accordance with their purpose,
  • To know the third parties to whom personal data is transferred domestically or abroad,
  • To request correction of personal data if it is processed incompletely or incorrectly,
  • To request deletion or destruction of your personal data if the reasons requiring processing of your personal data are eliminated,
  • To request that your information corrected or deleted upon your request be notified to third parties to whom personal data is transferred, if it has been transferred,
  • To object to the emergence of a result against you through the analysis of the processed data exclusively by automatic systems,
  • To request compensation for damages in case of damages due to unlawful processing of personal data.

In order to exercise your rights specified above, you can send your written request with the necessary information to identify you and your explanations regarding the right you want to exercise to “Gevge Teknoloji Anonim Şirketi Sahrayıcedit Mh. Atatürk Cd. Kaptan Metin İş Merkezi No:51 Kat:3, 34734 Kadıköy İstanbul” by clearly stating that the subject is related to GDPR, with a wet signature or by filling out the “Personal Data Application Form” that we have published on our website, to our GEVGE-EMAIL e-mail address. Applications must include your name, surname and signature if the application is in writing, Turkish identity number for citizens of the Republic of Turkey, nationality, passport number/identity number, place of residence or workplace address for notification, e-mail address for notification, telephone or fax number if any, and the subject of the request. In the application that you will make to exercise your rights as a personal data owner and specified above and that includes your explanations regarding the right you request to exercise; the subject you request must be clear and understandable, the subject you request must be related to you or if you are acting on behalf of someone else, you must be specifically authorized in this regard and your authority must be documented, the application must include your identity and address information and documents proving your identity must be attached to the application. The applications you will make within this scope will be finalized as soon as possible and within 30 days at the latest. However, if the process requires an additional cost, the fee determined by the Personal Data Protection Board may be charged. If the response to the application is given on a recording medium such as a CD or flash memory, the fee that may be requested by Gevge Teknoloji cannot exceed the cost of the recording medium.

METHOD AND LEGAL REASON OF DATA COLLECTION

Within the framework of the legal relationship aimed to be established between you and Gevge Teknoloji Anonim Şirketi, we collect your personal data that we request from you because it is necessary for the establishment of the employment contract or that you personally provide during your application or prefer to share in other texts, through your verbal, physical or electronic transmission to us and if you indicate a reference person, for the legitimate interest of Gevge Teknoloji Anonim Şirketi, by obtaining information from these persons or by obtaining information from the representatives of the workplace you worked at before your application and/or through the e-mails of Gevge Teknoloji Anonim Şirketi employees and human resources consultancy firms. We collect your personal data that you share with private employment agencies and career network platforms through your job application to us through these platforms or through forms filled in through these platforms to share your information with third parties, because it is necessary for the establishment of an employment contract.
We collect your visual data through cameras we have installed due to the legitimate interest of Gevge Teknoloji Anonim Şirketi to ensure security.

PURPOSES OF PROCESSING YOUR PERSONAL DATA

Your personal data specified above are processed for the following purposes, as they are necessary for the establishment of the employment contract within the framework of the legal relationship between the candidate employee and the candidate employer between Gevge Teknoloji Anonim Şirketi and the Candidate Employee:

  • Recruiting new personnel, examining candidates and determining the new candidate to be employed
  • Confirming your data and information with the reference persons you have included in your CV or job application form
  • Recording your resume information in order to verify, and to confirm in the future, how well you match the position you are a candidate for
  • Ensuring security within the company
  • Carrying out entry-exit registration procedures and informing the Human Resources Department

Your personal data will be stored for the maximum period specified in the relevant legislation or required for the purpose for which they are processed, and in any case for the legal limitation periods.

YOUR PERSONAL DATA OF A SPECIAL NATURE

The information you share with us from time to time may include your personal data of a special nature. Within the scope of the GDPR, your race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, memberships in associations, foundations or unions, your health, sexual life, criminal convictions, if any, and data regarding security measures regarding you, as well as your biometric and genetic data, are your personal data of a special nature.
In this context, your special personal data;

  • Your special data such as disability status and blood type that may be included in your CV are used by our different units within Gevge Technology in accordance with the activities of the units in question in order to ensure that your application can be evaluated and are shared between departments in order to verify the information with the referenced persons and for the department managers to conduct interviews with the job candidates. Your personal data is processed for the purposes stated above.
  • When necessary, it can be shared with our lawyers so that we can exercise our right of defense and with the courts upon request. Your personal data will be stored for the periods specified in the relevant legislation or required for the purpose for which they are processed and in any case for the statutory limitation periods.

YOUR RIGHTS

Within the scope of GDPR, you have the following rights regarding your personal data:

  • To learn whether personal data is being processed,
  • To request information about personal data if it is being processed,
  • To learn the purpose of processing personal data and whether it is being used in accordance with its purpose,
  • To know the third parties to whom personal data is transferred domestically or abroad,
  • To request correction of personal data if it is processed incompletely or incorrectly,
  • To request deletion or destruction of your personal data if the reasons requiring processing of your personal data are eliminated,
  • To request that your information corrected or deleted upon your request be notified to third parties to whom personal data is transferred, if it has been transferred,
  • To object to a result that is against the person arising from the analysis of the processed data exclusively through automated systems,
  • To request compensation for damages in case of damages due to unlawful processing of personal data.

In order to exercise your rights specified above, you can send your written request with the necessary information to identify you and your explanations regarding the right you want to exercise to the address “Gevge Teknoloji Anonim Şirketi Sahrayıcedit Mh. Atatürk Cd. Kaptan Metin İş Merkezi No:51 Kat:3, 34734 Kadıköy İstanbul” with a wet signature, clearly stating that the subject is related to GDPR, or by filling out the “Personal Data Application Form” published on our website to our GEVGE-EMAIL e-mail address. Applications must include your name, surname and signature if the application is written, Turkish identity number for citizens of the Republic of Turkey, nationality, passport number/identity number for foreigners, residence or workplace address for notification, e-mail address for notification, telephone or fax number if any, and the subject of the request. In the application that includes your explanations regarding the right you wish to exercise and request to exercise your rights specified above as the personal data owner; the subject you request must be clear and understandable, the subject you request must be related to you, or if you are acting on behalf of someone else, you must be specifically authorized in this matter and your authority must be documented, the application must include your identity and address information, and documents that prove your identity must be attached to the application. Applications you make within this scope will be finalized as soon as possible and within 30 days at the latest. However, if the process requires an additional cost, the fee specified in the tariff determined by the Personal Data Protection Board may be charged. If the response to the application is given on a recording medium such as a CD or flash memory, the fee that may be requested by Gevge Teknoloji Anonim Şirketi cannot exceed the cost of the recording medium.

APPLICATION, COMPLAINT AND DATA CONTROLLER REGISTRY


APPLICATION TO DATA CONTROLLER

The relevant person shall submit his/her requests regarding the implementation of this Law to the data controller in writing or through other methods determined by the Board.

The data controller shall finalize the requests included in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

The data controller accepts the request or rejects it by explaining the reason and notifies the relevant person of its response in writing or electronically. If the request in the application is accepted, the data controller fulfills the requirements. If the application is due to the data controller's mistake, the fee received is returned to the relevant person.

COMPLAINT TO THE BOARD

In cases where the application is rejected, the response given is found insufficient or the application is not responded to in a timely manner; the relevant person may complain to the Board within thirty days from the date of learning the response of the data controller and, in any case, within sixty days from the date of application.

A complaint cannot be filed without exhausting the application remedy in accordance with Article 13.

Those whose personal rights have been violated are entitled to compensation in accordance with general provisions.

PROCEDURES AND PRINCIPLES OF INVESTIGATION UPON A COMPLAINT OR EX OFFICIO

The Board shall conduct the necessary investigation on matters falling within its scope of duty upon a complaint or upon learning of an alleged violation.

Notifications or complaints that do not meet the conditions specified in Article 6 of the Law No. 3071 on the Use of the Right to Petition dated 1/11/1984 shall not be taken into consideration.

Except for information and documents that are state secrets, the data controller must send the information and documents requested by the Board regarding the subject of the investigation within fifteen days and, if necessary, provide an opportunity for an on-site investigation.

Upon the complaint, the Board examines the request and provides a response to the relevant parties. If no response is provided within sixty days from the date of the complaint, the request is deemed to have been rejected.

If the existence of a violation is determined as a result of the investigation conducted upon the complaint or ex officio, the Board decides that the illegalities it has identified must be remedied by the data controller and notifies the relevant parties. This decision shall be implemented without delay and at the latest within thirty days from the notification.

If it is determined that the violation is widespread as a result of the investigation conducted upon complaint or ex officio, the Board shall take a principle decision on this matter and publish this decision. Before taking a principle decision, the Board may also obtain the opinions of the relevant institutions and organizations if necessary.

The Board may decide to stop data processing or the transfer of data abroad in the event of damages that are difficult or impossible to compensate and a clear violation of law.

DATA CONTROLLERS REGISTRY

The Data Controllers Registry is kept publicly by the Presidency under the supervision of the Board.

Natural and legal persons who process personal data must register with the Data Controllers Registry before starting data processing. However, the Board may grant an exception to the requirement to register with the Data Controllers Registry by taking into account objective criteria to be determined by the Board, such as the nature and number of personal data processed, whether the data processing is due to law or whether it is transferred to third parties.

The application for registration with the Data Controllers Registry is made with a notification that includes the following:

  • The identity and address information of the data controller and its representative, if any.
  • The purpose for which personal data will be processed.
  • Explanations regarding the data subject group or groups and the data categories belonging to these persons.
  • Recipients or recipient groups to whom personal data may be transferred.
  • Personal data intended to be transferred to foreign countries.
  • Measures taken regarding personal data security.
  • Maximum period required for the purpose for which personal data is processed.

Any changes in the information provided in accordance with the third paragraph shall be immediately notified to the Presidency.

Other procedures and principles regarding the Data Controllers Registry are regulated by the regulation.

CRIMES AND MISDEMEANORS


CRIMES

The provisions of Articles 135 to 140 of the Turkish Penal Code No. 5237 dated 26/9/2004 shall apply to crimes related to personal data.

Those who do not delete or anonymize personal data contrary to the provisions of Article 7 of this Law shall be punished in accordance with Article 138 of Law No. 5237.

MISDEMEANORS

Under this Law;

  • Those who do not fulfill the disclosure obligation stipulated in Article 10, from 5,000 Turkish lira to 100,000 Turkish lira,
  • Those who do not fulfill the data security obligations stipulated in Article 12, from 15,000 Turkish lira to 1,000,000 Turkish lira,
  • Those who do not fulfill the decisions given by the Board in accordance with Article 15, from 25,000 Turkish lira to 1,000,000 Turkish lira,
  • Those who act contrary to the obligation to register and notify the Data Controllers Registry stipulated in Article 16 shall be subject to an administrative fine of 20,000 Turkish lira to 1,000,000 Turkish lira.

The administrative fines stipulated in this article shall be applied to real persons and private law legal entities who are data controllers.

If the actions listed in the first paragraph are committed within public institutions and organizations and professional organizations with the status of a public institution, upon notification by the Board, disciplinary action will be taken against the civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations with the status of a public institution, and the results will be reported to the Board.

PERSONAL DATA PROTECTION AGENCY AND ORGANIZATION


PERSONAL DATA PROTECTION AGENCY

The Personal Data Protection Agency, which has administrative and financial autonomy and is a public legal entity, has been established to fulfill the duties assigned by this Law.

The institution is related to the minister to be assigned by the President.

The institution's headquarters is in Ankara.

The institution consists of the Board and the Presidency. The decision-making body of the institution is the Board.

THE DUTIES OF THE INSTITUTION

The duties of the institution are as follows;

  • Within the scope of its duties, to follow the practices and developments in the legislation, to make evaluations and suggestions, to conduct research and examinations or to have them conducted.
  • If necessary, to cooperate with public institutions and organizations, non-governmental organizations, professional organizations or universities on issues within its scope of duty.
  • To monitor and evaluate international developments regarding personal data, to cooperate with international organizations on issues within its scope of duty, to participate in meetings.
  • To submit the annual activity report to the Presidency and the Human Rights Investigation Commission of the Turkish Grand National Assembly.
  • To fulfill other duties assigned by law.

PERSONAL DATA PROTECTION BOARD

The Board shall independently fulfill and use the duties and authorities assigned by this Law and other legislation under its own responsibility. No organ, authority, office or person may give orders or instructions to the Board, or make recommendations or suggestions regarding matters falling within its scope of duty. (1)

The Board consists of nine members. Five members of the Board are elected by the Turkish Grand National Assembly, and four members by the President.

The following conditions are required to become a member of the Board:

  • To have knowledge and experience in matters falling within the scope of the institution's duties.
  • To have the qualifications specified in subparagraphs (1), (4), (5), (6) and (7) of paragraph (A) of the first paragraph of Article 48 of the Civil Servants Law No. 657 dated 14/7/1965.
  • Not to be a member of any political party.
  • To have at least a four-year undergraduate degree.

(Repealed: 2/7/2018-KHK-703/163 art.)

The Turkish Grand National Assembly elects members to the Board in the following manner:

  • For the election, candidates are nominated twice the number of members to be determined in proportion to the number of members of the political party groups, and the Board members are elected by the General Assembly of the Turkish Grand National Assembly from among these candidates, based on the number of members for each political party group. However, no discussions can be held or decisions can be made in the political party groups regarding who to vote for in the elections to be held in the Turkish Grand National Assembly.
  • The election of the Board members is carried out within ten days after the candidates are determined and announced. A combined ballot paper is prepared as separate lists for the candidates nominated by the political party groups. Votes are cast by marking the special place opposite the names of the candidates. Votes cast in excess of the number of members to be elected to the Board from the quotas determined in accordance with the second paragraph of the political party groups shall be deemed invalid.
  • Provided that there is a quorum, the number of candidates who receive the most votes in the election shall be elected.
  • Two months before the end of the members' terms of office; in the event of a vacancy in the membership for any reason, an election shall be held within one month from the date of the vacancy or, if the Turkish Grand National Assembly is in recess on the date of the vacancy, from the end of the recess, using the same procedure. In these elections, the distribution of vacant memberships to political party groups shall be made by taking into account the number of members elected from the quota of political party groups in the first election and the current ratio of political party groups.

In case of termination of the term of office of one of the members elected by the President (…) (1) forty-five days before the end of his/her term or for any reason, the situation shall be notified to the Presidency (…) (1) by the Institution within fifteen days. A new member election shall be held one month before the end of the term of office of the members. In case of a vacancy in these memberships for any reason before the end of the term of office, the election shall be held within fifteen days from the notification. (1)

The Board shall elect the President and Vice President from among its members. The President of the Board shall also be the President of the Institution.

The term of office of the Board members shall be four years. The member whose term has expired may be re-elected. The person elected to replace the member whose term of office has expired for any reason before the end of his/her term of office shall complete the remaining term of the member he/she was elected to replace.

The elected members swear before the First Presidency of the Supreme Court of Appeals, "I swear on my honor and dignity that I will perform my duties in accordance with the Constitution and the laws, with complete impartiality, honesty, fairness and justice." Applications to the Supreme Court of Appeals for an oath are considered urgent matters.

Board members cannot take on any official or private duty, be a manager in associations, foundations, cooperatives and similar places, engage in trade, engage in freelance activities, act as arbitrators and experts, unless based on a special law, other than the performance of their official duties on the Board. However, Board members may publish for scientific purposes, give lectures and conferences, and receive royalties and lecture and conference fees arising from these.

Investigations into crimes that members are alleged to have committed due to their duties are conducted in accordance with the Law No. 4483 on the Trial of Civil Servants and Other Public Officials dated 2/12/1999, and permission for investigations is granted by the President. (1)

The provisions of Law No. 657 shall apply in disciplinary investigations and prosecutions regarding Board members.

Board members cannot be dismissed from their duties for any reason before their terms expire. However, the membership of Board members will be terminated by the Board's decision if;

  • It is later understood that they do not meet the requirements for election,
  • The conviction decision given against them for crimes they committed in relation to their duties becomes final,
  • It is definitely determined by a health board report that they cannot perform their duties,
  • It is determined that they have not attended their duties for a period of fifteen days without permission, without excuse and without interruption, or for a total of thirty days in a year,
  • It is determined that they have not attended a total of three Board meetings within a month without permission and excuse, or a total of ten Board meetings within a year.

Those who are elected as Board members will have their ties with their previous positions terminated as long as they serve on the Board. Those who are elected as members while they are public servants will be appointed to a position suitable for their qualifications by the competent authority within one month, provided that they do not lose the conditions for entering the civil service, if their term of office expires or they request to resign and apply to their former institution within thirty days. Until the appointment is made, all kinds of payments they receive will continue to be paid by the Institution. Those who are not employed in a public institution and whose duties are terminated as stated above, shall continue to be paid all kinds of payments by the Institution until they start any duty or job, and the payment to be made by the Institution to those whose memberships are terminated in this manner shall not exceed three months. The periods they spend in the Institution shall be deemed to have been spent in their previous institution or organization in terms of their personal rights and other rights.

PERSONAL DATA PROTECTION BOARD

The duties and authorities of the Board are as follows:

  • To ensure that personal data is processed in accordance with fundamental rights and freedoms.
  • To decide on the complaints of those who claim that their rights regarding personal data have been violated.
  • To examine whether personal data is processed in accordance with the law upon complaint or upon learning of an alleged violation, and to take temporary measures in this regard when necessary.
  • To determine the adequate measures sought for the processing of special personal data.
  • To ensure that the Data Controllers Registry is maintained.
  • To carry out necessary regulatory procedures regarding the Board's area of responsibility and the operation of the Institution.
  • To carry out regulatory procedures in order to determine the obligations regarding data security.
  • To carry out regulatory procedures regarding the duties, authorities and responsibilities of the data controller and its representative.
  • To decide on the administrative sanctions provided for in this Law.
  • To express opinions on draft legislation prepared by other institutions and organizations that include provisions regarding personal data.
  • To decide on the institution's strategic plan, determine its goals and objectives, service quality standards and performance criteria.
  • To discuss and decide on the budget proposal prepared in accordance with the institution's strategic plan and goals and objectives.
  • To approve and publish draft reports prepared on the institution's performance, financial status, annual activities and necessary issues.
  • To discuss and decide on proposals regarding the purchase, sale and rental of real estate.
  • To fulfill other duties assigned by law.

BOARD WORKING PRINCIPLES

The Chairman determines the meeting days and agenda of the Board. The Chairman may call the Board to an extraordinary meeting when necessary.

The Board meets with at least six members, including the Chairman, and makes decisions with the absolute majority of the total number of members. Board members cannot abstain from voting.

Board members cannot participate in meetings and votes on issues concerning themselves, their relatives by blood up to the third degree and their in-laws up to the second degree, their adopted children, and their spouses, even if the marriage bond between them has been terminated.

Board members cannot disclose the secrets they learn about the relevant persons and third parties during their work to anyone other than the authorities authorized by law on this matter, and cannot use them for their own benefit. This obligation continues after they leave office.

The work discussed in the Board is recorded in the minutes. Decisions and the reasons for dissenting votes, if any, are recorded within fifteen days from the date of the decision. The Board announces the decisions it deems necessary to the public.

Unless otherwise agreed, the discussions at the Board meetings are confidential.

The working procedures and principles of the Board, the writing of decisions and other matters are regulated by the regulations.

CHAIRMAN

The President is the highest authority of the Institution as the head of the Board and the Institution, and organizes and executes the Institution's services in accordance with the legislation, the Institution's objectives and policies, strategic plan, performance criteria and service quality standards, and ensures coordination between service units.

The President is responsible for the general management and representation of the Institution. This responsibility includes the duties and authorities of organizing, executing, auditing, evaluating the Institution's activities and announcing them to the public when necessary.

The President's duties are as follows:

  • To manage the Board meetings.
  • To ensure the notification of Board decisions and the announcement of those deemed necessary by the Board to the public and to monitor their implementation.
  • To appoint the Vice President, department heads and Institution personnel.
  • To finalize the suggestions from the service units and present them to the Board.
  • To ensure the implementation of the strategic plan, to establish human resources and work policies in line with service quality standards.
  • To prepare the annual budget and financial tables of the Institution in accordance with the determined strategies, annual goals and objectives.
  • To ensure coordination so that the board and service units work in a harmonious, efficient, disciplined and orderly manner.
  • To manage the Institution's relations with other organizations.
  • To determine the duties and authority of the personnel authorized to sign on behalf of the Institution President.
  • To perform other duties related to the management and operation of the institution.

In the absence of the Institution President, the Vice President shall act as the President.

FORMATION AND DUTIES OF THE PRESIDENCY

The Presidency consists of the Vice President and service units. The Presidency shall perform the duties listed in the fourth paragraph through service units organized as department heads. The number of department heads shall not exceed seven.

A Vice President shall be appointed by the President to assist in the duties related to the Institution.

The Vice President and department heads are appointed by the President from among those who have graduated from at least a four-year higher education institution and have been in public service for ten years.

The duties of the Presidency are as follows:

  • To maintain the Data Controllers Registry.
  • To carry out the office and secretarial operations of the Institution and the Board.
  • To represent the Institution through lawyers in lawsuits and enforcement proceedings to which the Institution is a party, to follow up on lawsuits or have them followed up, to provide legal services.
  • To carry out the personnel procedures of the Board members and those working in the Institution.
  • To perform the duties assigned to financial service and strategy development units by law.
  • To ensure the establishment and use of the information system for the execution of the institution's work and transactions.
  • To prepare and submit draft reports on the annual activities of the Board or on the required issues to the Board.
  • To prepare the strategic plan draft of the institution.
  • To determine the institution's personnel policy, to prepare and implement the career and training plans of the personnel.
  • To carry out the appointment, transfer, discipline, performance, promotion, retirement and similar procedures of the personnel.
  • To determine the ethical rules to be followed by the personnel and to provide the necessary training.
  • To carry out all kinds of purchasing, renting, maintenance, repair, construction, archive, health, social and similar services required by the Institution within the framework of the Public Financial Management and Control Law No. 5018 dated 10/12/2003.
  • To keep records of the movable and immovable properties of the Institution.
  • To perform other duties assigned by the Board or the President.

Service units and the working procedures and principles of these units are determined by the regulation put into effect by the President upon the proposal of the Institution in accordance with the field of activity, duties and authorities specified in this Law.

PERSONAL DATA PROTECTION EXPERT AND ASSISTANT EXPERTS

Personal Data Protection Expert and Assistant Personal Data Protection Expert can be employed in the Institution. Among these, a one-time promotion of one degree is applied to those appointed to the Personal Data Protection Expert cadre within the framework of additional article 41 of Law No. 657.

PROVISIONS RELATING TO PERSONNEL AND PERSONNEL RIGHTS

The institution's personnel are subject to Law No. 657, except for the matters regulated by this Law.

Payments made to the Board Chairman and members and the institution's personnel within the scope of financial and social rights determined in accordance with Article 11 of the Decree Law No. 375 dated 27/6/1989 shall be paid within the same procedures and principles. Payments made to the similar personnel that are not subject to tax and other legal deductions shall not be subject to tax and other deductions according to this Law.

The Board Chairman and members and the Institution personnel are subject to the provisions of Article 4, first paragraph, subparagraph (c) of the Social Insurance and General Health Insurance Law No. 5510 dated 31/5/2006. The Board Chairman and members and the Institution personnel are also considered equal to the personnel determined as peers in terms of retirement rights. Of those who were appointed as the Board Chairman and members while insured within the scope of Article 4, first paragraph, subparagraph (c) of Law No. 5510, whose duties have ended or who request to resign from these duties, the service periods spent in these duties are taken into account in determining their acquired rights, salaries, degrees and grades. Of these, the periods spent in these duties by those who fall within the scope of temporary Article 4 of Law No. 5510 during their duties are evaluated as the period for which the position compensation and representation compensation must be paid. In public institutions and organizations, those who are insured within the scope of Article 4, first paragraph, subparagraph (a) of Law No. 5510 and are appointed as Board Chair and members, shall not be required to pay severance pay or termination compensation if their ties with their previous institutions and organizations are terminated. In such cases, the service periods for which severance pay or termination compensation should be paid shall be combined with the service periods spent as Board Chair and Board member and shall be evaluated as the period for which retirement bonus will be paid.

Officers and other public officials working in public administrations within the scope of central government, social security institutions, local administrations, administrations affiliated to local administrations, local administration unions, revolving fund organizations, funds established by law, organizations with public legal personality, organizations with more than fifty percent of their capital belonging to the public, economic state enterprises and public economic organizations and their affiliated partnerships and institutions may be temporarily assigned to the Institution with the consent of their institutions, and judges and prosecutors with their own consent, provided that their salaries, allowances, all kinds of raises and compensations and other financial and social rights and aids are paid by their institutions. The Institution's requests regarding this matter are primarily finalized by the relevant institutions and organizations. Personnel assigned in this manner are considered to be on paid leave from their institutions. As long as these personnel are on leave, their civil service, interests and personal rights continue, and these periods are also taken into account in their promotions and retirements, and their promotions are made in due time without the need for any other procedure. The periods spent by those assigned within the scope of this article in the Institution are considered to have been spent in their own institutions. The number of those assigned in this manner cannot exceed ten percent of the total number of Personal Data Protection Specialists and Personal Data Protection Assistant Specialists, and the assignment period cannot exceed two years. However, this period can be extended in one-year periods in case of need.

The titles and numbers of positions for the personnel to be employed in the Institution are shown in the attached Table (I). Title and degree changes, addition of new titles and cancellation of vacant positions are made by the Board's decision, provided that they are limited to the positions listed in the annexed tables of the Decree Law No. 190 on General Positions and Procedures dated 13/12/1983, not to exceed the total number of positions.

MISCELLANEOUS PROVISIONS


EXCEPTIONS

The provisions of this Law shall not apply in the following cases:

  • Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that the obligations regarding data security are complied with.
  • Processing of personal data for purposes such as research, planning and statistics, after the data have been anonymized through official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.

Article 10, which regulates the data controller's obligation to inform, excluding the right to demand compensation for damages, and Article 16, which regulates the obligation to register in the Data Controllers Registry, shall not apply in the following cases, provided that it is in accordance with and proportionate to the purpose and basic principles of this Law:

  • Personal data processing is necessary for the prevention of a crime or for the investigation of a crime.
  • Processing of personal data made public by the relevant person.
  • Personal data processing is necessary for the performance of audit or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions based on the authority granted by law.
  • Personal data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.

BUDGET AND REVENUES OF THE INSTITUTION

The budget of the institution is prepared and accepted in accordance with the procedures and principles determined in Law No. 5018.

The institution's revenues are as follows:

  • Treasury aids to be provided from the general budget.
  • Income obtained from movable and immovable properties belonging to the institution.
  • Donations and aids received.
  • Income obtained from the evaluation of its revenues.
  • Other income.

REGULATION

The regulations regarding the implementation of this Law shall be put into effect by the Institution.

TRANSITIONAL PROVISIONS

Within six months from the date of publication of this Law, the Board members shall be elected and the Presidency organization shall be established in accordance with the procedure stipulated in Article 21. (2)

Data controllers must register with the Data Controllers Registry within the period determined and announced by the Board. (3)

Personal data processed before the date of publication of this Law shall be brought into compliance with the provisions of this Law within two years from the date of publication. Personal data found to be in violation of the provisions of this Law shall be immediately deleted, destroyed or anonymized. However, consents obtained in accordance with the law before the date of publication of this Law shall be deemed to be in compliance with this Law unless a contrary declaration of intent is made within one year. (4)

The regulations foreseen in this Law shall be put into effect within one year from the date of publication of this Law. (5)

A senior manager shall be determined within one year from the date of publication of this Law to ensure coordination regarding the implementation of this Law in public institutions and organizations and shall be reported to the Presidency. (6)

The first elected President, the Second President and two members determined by lot shall serve for six years; the other five members shall serve for four years. (7)

Until the budget is allocated to the institution;

  • The institution's expenses are covered by the Prime Ministry's budget.
  • In order for the institution to perform its services, all necessary support services such as buildings, vehicles, equipment and furnishings shall be provided by the Prime Ministry.

Secretarial services shall be provided by the Prime Ministry until the institution's service units become operational.

TEMPORARY ARTICLE 2- (ANNEX: 28/11/2017-7061/120 MD.)

Graduates of at least four-year undergraduate programs in political science, economic and administrative sciences, economics, law and business administration, electronics, electrical-electronics, electronics and communication, computer, information systems engineering departments of engineering faculties, or domestic and foreign higher education institutions whose equivalence is accepted by the Council of Higher Education; those who have been appointed to the positions of the central organizations of the institutions related to the titles specified in subparagraph (11) of paragraph (A) of the section titled “Common Provisions” of Article 36 of Law No. 657, after a special competitive exam and a special qualification exam, and who have been in these positions for at least two years, excluding unpaid leave periods, and those who are in faculty positions, may be appointed as Personal Data Protection Specialists within one year from the date of entry into force of this article, provided that they have received at least seventy points from the Foreign Language Proficiency Level Determination Exam and have not reached the age of forty as of the date of appointment. The number of those to be appointed in this manner cannot exceed fifteen.

IN EFFECT

This Law;

  • Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force six months after the date of publication,
  • Other articles shall enter into force on the date of publication.

EXECUTION

The provisions of this Law shall be executed by the Council of Ministers.

© 2025 Gevge Technology. All Rights Reserved.
