Our KVKK Personal Data Policy

PERSONAL DATA POLICY

I. DEFINITIONS

Explicit Consent: Consent based on informed and freely given will regarding a specific subject.

Anonymization: Rendering personal data unidentifiable or untraceable to any identifiable natural person, even when matched with other data.

Personal Data: Any information related to an identified or identifiable natural person.

Special Categories of Personal Data: Personal data related to race, ethnic origin, political opinions, philosophical beliefs, religion, attire, association, foundation, union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data, including collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, takeover, making it obtainable, classification, or prevention of use.

Board: The Personal Data Protection Board.

Policy: Boğaziçi Customs Consultancy Inc. Personal Data Protection and Processing Policy.

Data Processor: Natural or legal person processing personal data on behalf of the data controller based on the authority granted by them.

Data Controller: The person determining the purposes and means of processing personal data and managing the place (data recording system) where the data is systematically kept.

II. PURPOSE

This Policy has been created to establish the fundamental principles and application principles to ensure compliance with the obligations imposed on data controllers under the Law on the Protection of Personal Data No. 6698 published in the Official Gazette on April 7, 2016, by Boğaziçi Customs Consultancy Inc. (“Boğaziçi Customs”).

III. SCOPE AND CHANGES

This Policy, prepared in accordance with the Law on the Protection of Personal Data (KVKK), is related to all personal data processed by Boğaziçi Customs, including current and potential customers and employees, as well as employees of the institutions we collaborate with, shareholders, officials, and third parties processed through automatic or non-automatic means as part of any data recording system. Boğaziçi Customs reserves the right to make changes to the Protocol in accordance with the KVKK and related regulations.

IV. PRINCIPLES APPLIED IN THE PROCESSING OF PERSONAL DATA

Boğaziçi Customs adheres to the following principles in the collection, processing, and analysis of personal data:

a. Acting in Compliance with Legal and Fairness Rules

Boğaziçi Customs will collect and process personal data in a lawful and fair manner to protect the rights of data subjects. In conducting these activities, the principles of proportionality and necessity will be taken into account.

b. Purpose Limitation

Personal data may only be processed for purposes defined before the collection of data.

Additional changes to the purpose can only be made to a limited extent and with justification.

c. Transparency and Information

Data subjects must be informed in detail before the collection and processing of personal data. Before the collection of data, data subjects should be informed about the following:

➢ Identity of the data controller and, if any, its representative
➢ Purpose of processing personal data
➢ To whom and for what purpose the processed personal data is transferred
➢ Method and legal basis of personal data collection
➢ Rights of the data subject under Article 11 of the KVKK

d. Data Economy

Before processing personal data, it must be determined whether the processing is necessary to achieve the purpose and to what extent. If the purpose is acceptable and proportionate, anonymous or statistical data may be used.

e. Deletion of Personal Data

After the expiration of the periods prescribed by law for record-keeping obligations and for evidence, personal data that is no longer necessary is deleted, destroyed, or anonymized.

f. Accuracy and Data Freshness

Personal data must be accurate, complete, and up-to-date when processed. Incorrect or incomplete data must be deleted, corrected, completed, or updated.

g. Privacy and Data Security

Personal data must be stored and preserved as confidential information. Adequate administrative and technical measures should be taken to protect personal data from unauthorized access, illegal processing, sharing, accidental loss, alteration, or destruction, keeping it confidential at a personal level.

V. PURPOSES OF PROCESSING PERSONAL DATA

The collection and processing of personal data will be carried out in accordance with the Disclosure Text and the purposes stated below.

a. Customer and Business Partner Data

➢ Processing of data for contractual relations: Personal data of existing and potential customers and business partners (in the case of a legal person, the authorized representative of the business partner) can be processed for the establishment, implementation, and termination of a contract without obtaining separate consent. Before the contract, personal data may be processed to prepare an offer, prepare a purchase form, or meet the requests of the data subject related to the implementation of the contract. During the contract preparation process, communication may be established based on the information provided by data subjects.

➢ Processing for advertising purposes: Personal data is processed for advertising or market and public opinion research only if the collection of this information is consistent with the stated purposes. Data subjects are informed about the use of their data for advertising purposes. Data subjects may refuse to provide or consent to the processing of data for advertising purposes. Explicit consent of the data subject is required for the processing of data for advertising purposes. The data controller may obtain the explicit consent of the data subject through electronic approval, mail, email, SMS, or phone. Personal data cannot be used for advertising purposes without the explicit consent of the data subject.

➢ Data processing due to legal obligations or explicitly foreseen in the law: Personal data can be processed without obtaining separate consent for the purpose of fulfilling legal obligations explicitly specified in the relevant legislation or for the fulfillment of a legal obligation specified by the legislation. The type and scope of data processing must be necessary for the legally permitted data processing activity and comply with relevant legal provisions.

➢ Processing based on the legitimate interest principle: Personal data may be processed without obtaining separate consent when it is necessary for Boğaziçi Customs’ legitimate interest. Legitimate interests are generally legal or economic interests.

➢ Processing of sensitive data: Sensitive personal data is processed within the framework of the measures to be determined by the Board and within the provisions of the KVKK. Sensitive personal data other than the health and sexual life of the data subject is processed under the exceptions specified in the KVKK, either with the explicit consent of the data subject or in the cases stipulated by law. Sensitive personal data related to the health and sexual life of individuals can only be processed in the absence of explicit consent for purposes such as protecting public health, carrying out preventive medicine, conducting medical diagnosis, treatment, and care services, planning and managing health services and financing, by persons or authorized institutions and organizations subject to the obligation of confidentiality.

➢ Data processed solely through automated systems: Processing of personal data obtained through automated systems will not justify the use of data against the data subject’s interest in a negative sense. The data subject has the right to object to the occurrence of an adverse result by exclusively analyzing the processed data through automated systems. Boğaziçi Customs will make efforts to take necessary measures in accordance with the data subject’s request.

➢ User information and the internet: If personal data is collected, processed, and used on the website or applications, data subjects using the site should be informed about the use of their registered information, privacy notice, and cookie information. The privacy notice and cookie information should be integrated in a way that is easily identifiable, directly accessible, and continuously appropriate for the individual.

b. Principles for the Processing of Personal Data of Employees

The collection and processing of personal data of employees during the period from the establishment to the termination of the employment contract are mandatory. Explicit consent may not be required for these, and the personal data of potential employee candidates is also processed in job applications. In case of rejection of the job application, personal data obtained during the application process is kept for an appropriate data storage period for the next selection stage, and is deleted, destroyed, or anonymized after this period. The following principles should be taken into account in the processing of personal data of employees:

➢ Data processing due to legal obligations and data processing performed due to legal obligations: Personal data of employees can be processed without obtaining separate consent for the purpose of fulfilling legal obligations explicitly specified in the relevant legislation or for the fulfillment of a legal obligation specified by the legislation.

➢ Processing of data in accordance with legitimate interests: Personal data of employees can be processed without obtaining separate consent when there is a legitimate interest of Boğaziçi Customs. Legitimate interests are generally legal or economic interests. In cases where the protection of the employee’s interests is required, personal data of employees is not processed for legitimate interest purposes. Before processing, it is determined whether the processing of employee data based on Boğaziçi Customs’ legitimate interest is proportional and does not violate the rights of the employee.

➢ Processing of sensitive data: Sensitive personal data can only be processed under certain conditions. Racial and ethnic origin, political opinion, religion, philosophical belief, sect or other beliefs, attire, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data are defined as sensitive personal data. Sensitive personal data can only be processed with the explicit consent of the employee and by taking necessary administrative and technical measures. The following exceptions constitute an exception to this provision, and in the cases specified, sensitive personal data can be processed without the explicit consent of the employee:

o Sensitive personal data other than the health and sexual life of the employee, in cases specified in the laws,
o Sensitive personal data related to the health and sexual life of the employee can only be processed by individuals or authorized institutions and organizations subject to the obligation of confidentiality for the purposes of protecting public health, preventive medicine, conducting medical diagnosis, treatment and care services, and planning and managing health services and financing.

➢ Data processed solely through automated systems: If personal data of employees is processed exclusively through automated systems as part of the employment relationship, the employee has the right to object to the emergence of a result against them based on the analysis of this data. These controls are carried out only by the relevant departments, subject to the condition of maintaining proportionality.

➢ Telecommunications and the Internet: Telephone hardware, email addresses, intranet, and internet are provided primarily for work-related tasks by Boğaziçi Customs. These are working tools and resources of Boğaziçi Customs. These tools should be used in accordance with legal regulations and Boğaziçi Customs internal regulations. There is no general supervision of telephone and email communication or intranet and internet use. Protective measures are taken to prevent attacks on Boğaziçi Customs’ network by blocking technically harmful content or analyzing attack modeling. The use of telephone hardware, email addresses, intranet, and/or company internal social networks is limited for security reasons and stored for a limited period. Evaluations of this data regarding individuals are only made in the case of concrete suspicion. These controls are carried out only by the relevant departments, subject to the condition of maintaining proportionality.

➢ Access Prohibition: Boğaziçi Customs processes personal data collected with legal obligations, legitimate interests, and explicit consents, protecting, processing, and preserving them appropriately in line with the purposes of collection, and shares personal data only with the relevant employees. In cases where employees carry out any transaction with personal data or perform any operation related to personal data that is not explicitly authorized by Boğaziçi Customs and is not within the scope of their job descriptions, disciplinary action will be taken against them, and legal measures will be taken. Therefore, employees should receive regular training on not disclosing and sharing personal data unlawfully, and a discipline process should be established in case employees do not comply with security policies and procedures.

VI. TRANSFER OF PERSONAL DATA

The transfer of personal data to a third party outside Boğaziçi Customs will be carried out within the scope of the purposes specified in the Information Text and as stated below. Accordingly, Boğaziçi Customs may transfer personal data to the individuals and institutions specified below for specific purposes:

➢ Limited to Boğaziçi Customs business partners to ensure the fulfillment of the purposes of establishing the business partnership,

➢ To suppliers from whom Boğaziçi Customs obtains products and services necessary to carry out its commercial activities from external sources,

➢ Limited to Boğaziçi Customs subsidiaries for the execution of commercial activities that also require the participation of Boğaziçi Customs subsidiaries,

➢ Limited to Boğaziçi Customs shareholders for the design and audit purposes of strategies related to Boğaziçi Customs’ commercial activities in compliance with the provisions of the Personal Data Protection Law (KVKK),

➢ With the purpose of complying with KVKK provisions, limited to legally authorized public institutions and organizations upon request within their legal authority,

➢ With the purpose of complying with KVKK provisions, limited to legally authorized private legal entities upon request within their legal authority.

After the personal data processed by Boğaziçi Customs is transferred to countries with sufficient protection declared by the Board, it will be transferred to countries and regions where adequate protection is not declared only if the data subject has given consent or if the data controllers in Turkey and the relevant foreign country have committed to providing adequate protection in writing, and with the permission of the Board. Boğaziçi Customs may also use cloud storage services in the processing of your personal data.

VII. RIGHTS OF THE DATA SUBJECT

Data Subjects have the following rights:

➢ To learn whether personal data is being processed,

➢ To request information if personal data has been processed,

➢ To learn the purpose of the processing of personal data and whether they are used for their intended purpose,

➢ To know third parties to whom personal data is transferred within the country or abroad,

➢ To request the correction of personal data if it is incomplete or incorrect and to request notification of this correction to third parties to whom personal data has been transferred within the scope of this correction,

➢ To request the deletion or destruction of personal data if the reasons requiring its processing have disappeared, despite being processed in accordance with KVKK and other relevant laws, and to request notification of this deletion to third parties to whom personal data has been transferred within the scope of this deletion,

➢ To object to the emergence of a result against the individual by exclusively analyzing the processed data through automated systems,

➢ To request the compensation of damages in case of harm due to the processing of personal data unlawfully,

and have the right and authority to use these rights. In case of a request reaching Boğaziçi Customs regarding the exercise of these rights, Boğaziçi Customs must respond to the request within the specified period. Therefore, Boğaziçi Customs will provide data subjects with the necessary information about the use of the above-mentioned rights and the evaluation method of incoming requests.

Exceptions to the rights granted to data subjects by the KVKK are listed below, and in these cases, Boğaziçi Customs is not obliged to respond to requests from data subjects:

➢ Processing of personal data for research, planning, and statistics purposes by anonymizing personal data through official statistics,

➢ Processing of personal data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, the privacy of private life, or personal rights without constituting a crime,

➢ Processing of personal data by public institutions and organizations authorized by law for preventive, protective, and intelligence activities carried out within the scope of their duties and powers, without violating the rights of the data subject or constituting a crime,

➢ Processing of personal data by judicial authorities or execution authorities regarding investigation, prosecution, trial, or execution proceedings.

In cases where Boğaziçi Customs determines that any of the exceptions mentioned above apply, it may not respond to the relevant rights requests from data subjects, except for the right to request compensation for damages due to the processing of personal data unlawfully.

In accordance with the KVKK, individuals cannot assert their rights in the following cases, except for the right to request compensation for damages:

➢ Where the processing of personal data is necessary for the prevention of a crime or for the investigation of a crime,

➢ Where personal data is publicly disclosed by the data subject,

➢ Where personal data is processed by judicial authorities or enforcement authorities for the conduct of investigations, prosecutions, trials, or execution processes.

Data subjects can submit their requests related to the above-mentioned rights by filling out the Personal Data Application Form available on our website www.bogazicigumruk.com.tr, signing it, and submitting it to Boğaziçi Customs in person or by registered mail to the address Fulya Mah. Prof.Dr.Bülent Tarcan Cad. No:16 Şişli / Istanbul, along with a copy of their ID. In cases where the request is made on behalf of another person, the person making the request must have a power of attorney given by the data subject in accordance with the procedure. Boğaziçi Customs may request additional information from the data subject to determine whether the person making the request is the data subject and may ask questions related to the request to clarify the matters specified in the request.

Boğaziçi Customs will respond to the request within the shortest time and within a maximum of thirty (30) days free of charge.

VIII. PRIVACY

Personal data is subject to privacy. Unauthorized collection, processing, or use of employee data is prohibited. Unauthorized use is the unauthorized processing of data by employees outside their legitimate duties. The principle of need is valid: Employees may access personal data only if it is within the scope and nature of their duties.

The use of employee’s personal data for personal or commercial purposes, distributing it to unauthorized individuals, or making it accessible in any other way is prohibited. Managers must inform employees about data protection obligations at the beginning of the employment relationship. This obligation continues even after the termination of the employment relationship.

IX. SECURITY

Boğaziçi Customs takes the necessary measures and controls to prevent the unlawful processing of personal data, prevent unauthorized access to data, and ensure the preservation of data. This applies regardless of whether data processing is done electronically or in writing. Especially when transitioning to new IT systems, technical and organizational measures for the protection of personal data are defined and implemented before starting new methods of data processing. These measures are based on the latest developments, the risks of the process, and the information classification process that determines the need for data protection. Technical and organizational measures for the protection of personal data are part of the company’s information security management and are continuously adapted to technical developments and organizational changes.

X. CONTROLS AND AUDITS

Compliance with the Personal Data Protection and Processing Policy and the KVKK is ensured through regular data protection audits and other controls.

XI. DATA BREACH MANAGEMENT

Boğaziçi Customs will promptly take the necessary security measures to protect personal data that has been unlawfully obtained in violation of this Policy and KVKK, and will report this situation to the relevant individual and the Board as soon as possible. For this purpose, Boğaziçi Customs is responsible