PERSONAL DATA SHARING AND COMMUNICATION PERMISSION

Clarification Text for Processing of İstanbul Akvaryum Turizm Ticaret Limited Şirketi Personal Data Pursuant to Law 6698 on Protection of Personal Data

  1. Purpose and Scope of the Clarification Text

Hereby Statement was prepared for expressing the approach of our Company regarding the aspects of protection of personal data of our customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders, and officials of the organizations we work in cooperation with and the third parties (briefly "person related to the data") within scope of Law on Protection of Personal Data ("KVKK") and to inform the persons related to the data accordingly in line with the importance placed by İstanbul Akvaryum Turizm Ticaret Limited Şirketi (“Company”) on personal data.

Data which are included within the scope of Clarification Text ("Text") on Processing of Personal Data are related to any personal data of the person related to the data, processed through means which are automatic or, provided that it is a part of a data recording system, which are not automatic.

The present Text issued by our Company is dated 08.11.2018. In case of renewal of the entire text or certain articles, effective date and version of the Text will be updated. The Text is published on the website (www.istanbulakvaryum.com/kvkk) of our Company and provided to the access by respective persons upon request of the person related to the data.

  1. Principles Regarding Personal Data
    1. Processing of Personal Data

Our Company processes your personal data in compliance with article 20 of the Constitution and article 4 of KVKK according to the following principles:

  • In compliance with the law and rules of good faith,
  • Accurately, and up-to-date whenever necessary,
  • Specifically, with clear and legitimate purposes,
  • In connection with the purpose,
  • In a limited and deliberate manner,
  • By keeping data for the duration stipulated by the laws or as required by the purpose of processing personal data,
  • By taking one or multiple provisions of Article 5 of KVKK as basis,

Our Company provides information and fulfills the obligation to provide clarification regarding the following in the course of acquiring such personal data in compliance with article 20 of the Constitution and article 10 of KVKK:

  • The purpose of processing personal data,
  • To whom and for what purpose can the personal data be transferred,
  • Method of gathering personal data and its legal grounds and
  • Rights of the owner of the personal data

    1. Legal Grounds for Processing Personal Data

Our Company processes personal data in compliance with article 5 of KVKK and in accordance with the following purposes;

  • If the Laws expressly stipulate our Company to assume such action with regard to processing of personal data,
  • Processing of personal data by our Company being directly related to and required for acting or performing an agreement,
  • Processing of personal data being mandatory for the fulfillment of legal obligation of our Company,
  • Provided that the personal data is made public; processing of such by our Company in a limited manner in compliance with the purpose of making open to public,
  • Processing of personal data by our Company being mandatory for establishing, exercising or protecting the rights of our Company or person related to the data or the third parties,
  • Our Company requiring to assume act of processing personal data for its legitimate interests without prejudice to fundamental rights and freedoms of the person related to the data,
  • Act of data processing being mandatory for protecting the life or bodily integrity of the owner of the personal data or another person and the personal data owner not being in a condition to express consent due to physical inability or legal invalidity in such case.

Article 6 of KVKK specifies certain set of personal data which constitutes the risk of causing unjust treatment or discrimination of persons if processed illegally as "sensitive". Such data includes race, ethnical background, political opinion, philosophical belief, religion, sect or other beliefs, appearance, society, foundation or union membership, health, sexual life, conviction and data provided regarding security measures, biometric and genetic data. Sensitive personal data are processed by our Company in case of following conditions provided that sufficient measures to be established by Personal Data Protection Board (Board) are taken:

  • Sensitive personal data except for the health condition and sexual life of the owner of the personal data are processed if stipulated by the laws,
  • Sensitive data regarding health condition and sexual life of the owner of the personal data may only be processed for the purpose of protecting public health, performance of preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing by persons who are under confidentiality obligation or authorized institutions and organizations.

Our Company receives express consent from the data owner for processing data in the case that aforementioned data processing conditions do not exist.

    1. Transfer of Personal Data

Our Company may transfer personal data specified in part 2.b of the present Text in line with the purposes specified in the same part for the following purposes;

  • To legally Authorized government institutions and organizations limited to the purpose as requested by the government institutions and organizations within their legal authorities
  • To legally authorized private legal entities limited to the purpose as requested by the respective private legal entities.

ç. Purpose of Collecting Personal Data

Your personal data is being collected for providing, improving the products and services we offer and to carry out our commercial activities in line with the aforementioned purposes. Your personal data collected in this process are collected on the legal grounds of executing our commercial operations through our employees and agencies our through public databases within scope of the concerning legislation. Your personal data collected on these legal grounds can be processed and transferred pursuant to the conditions and for the purposes of data processing specified in articles 5 and 6 of the Law 6698 and also for purposes indicated in articles (b) and (c) of the present Clarification text.

Personal data is processed by our Company in line with the following purposes within scope of the aforementioned conditions and with the purpose of delivering services by our Company and pursuant to the national legislation.

  • In line with the purpose of ensuring exercise of human resources policies of our Company; execution of HR operations in compliance with HR policies of the Company, recruiting personnel suitable for the available positions in compliance with HR policies of the Company, fulfillment of obligations and taking required measures within scope of occupational health and safety
  • In line with the purpose of ensuring realization of legal and commercial obligations between our Company and the persons who are in business relationship with our Company; ensuring physical safety and inspection of the administrative operations intended for communication carried out by our Company, operations intended for service, locations owned by the Company, evaluation processes of business partner/customer/supplier/business partner (authorized officials or employees or partners), performance of legal and commercial risk analyses, legal compliance process, financial affairs
  • In line with the purpose of carrying out required studies for customizing the products and services offered by our Company to the like, utilization habits and necessities to our customers and offering such to the customers; one-to -one and/or integrated marketing operations, sales and after-sales operations carried out by our Company,
  • In line with the purpose of establishing and implementing commercial and business strategies of our Company; finance operations, communication, market research and social responsibility activities, purchasing operations (demand, offer, evaluation, purchase order, budgeting, contract) carries out by our Company, determination and implementation of commercial and business strategies of our Company,

Management of internal system and application management operations, legal operations.

Personal data which falls within scope of this text and person related to the data which is processed are categorized and classified by our Company and indicated in KSV1_LİST and KSV2_LİST, respectively.

    1. Retention and Deletion of Data

Our Company retains the personal data it processes for the periods specified in the legislation and if no additional period is specified in the legislation; the personal data is retained for the period required for processing such data pursuant to the practices and customs of the business life by our Company depending on the services delivered by our Company while processing such data, and only for periods which are demonstrated to be necessary in practice for constituting evidence in case of possible legal disputes following such period. Following end of the specified periods such personal data is deleted, destroyed or rendered anonymous.

  1. Rights of the Data Owner

Article 20 of the Constitution states that everyone is entitled to be informed regarding the personal data related to himself/herself, while article 11 of KVKK states that right of "requesting information" is among the rights of the owner of the personal data. Within this scope, our Company provides required information if requested by the owner of the personal data; and our Company informs the respective data owner regarding the manner of exercising such right of requesting information and the way of evaluating the aspects regarding the information request with the present Statement.

Persons related to the personal data have the following rights:

  • Being informed about whether personal data is being processed or not,
  • Requesting information whether personal data has been processed,
  • Learning the purpose of processing personal data and whether such is used according to its purpose,
  • Being informed about third parties that personal data has been transferred to domestically or internationally,
  • Requesting correction of personal data if such are processed incompletely or incorrectly and requesting notification to the third parties, to whom the personal data was transferred, about the procedures carried out within this scope,
  • Despite being processed in compliance with the provisions of KVKK and other concerning laws, requesting deletion or destruction of the personal data in the case that the grounds for processing no more exist and requesting notification to the third parties, to whom the personal data was transferred, about the procedures carried out within this scope,
  • Objecting to any consequence against the person himself/herself through analysis of the processed data exclusively by automatic systems,
  • Requesting indemnification of the loss in case of incurring loss due to illegal processing of the personal data.

Since the following circumstances are excluded from the scope of KVKK pursuant to article 28 of KVKK; the person related to the personal data may not claim the aforementioned rights in such circumstances:

  • Processing of personal data for purposes such as research, planning and statistics upon being rendered anonymous through official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within scope of freedom of expression without violating national defense, national security, public security, public order, economic security, right of privacy or personal rights are or without constituting crime.
  • Processing of personal data within scope of preventive, protective and intelligence operations carried out by nominated and authorized government institutions and organizations for the purpose of ensuring national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities with regard to investigation, prosecution, litigation and enforcement procedures.

Pursuant to article 28/2 of KVKK, in case of the following conditions; the person related to the personal data may not claim the aforementioned rights in such circumstances other than claiming indemnification of the damage:

  • Processing of personal data being mandatory for prevention of crime or for criminal investigation.
  • Processing of personal data made public by the owner of the personal data himself/herself.
  • Processing of personal data being required for execution of inspection or regulation duties, disciplinary investigation or prosecution by nominated and authorized government institutions and organizations and professional organizations having the quality of a government institution based on the authority granted by the law.
  • Processing of personal data being mandatory for safeguarding economic and financial interests of the State with regard to budget, tax and financial affairs.

Person related to the personal data may submit his/her claims regarding the aforementioned rights to our Company by fully completing found at the address of www.istanbulakvaryum.com/kvkk and undersigning it with wet signature and delivering it to the address of Şenlikköy Mah.Yeşilköy Halkalı Cad. No:93/1 Florya, Bakırköy/İstanbul either by hand or via notary public or return paid registered mail. In the case that a person other than the owner of the personal data would make a claim, such person shall have a special power of attorney issued by the owner of the personal data in the name of the person to make the application.

Requests duly submitted to our Company will be finalized within thirty days at the latest. In the case that finalization of such claims would require additional cost, our Company will charge a fee indicated in the tariff to be determined by the Board from the applicant.

Our Company may request information from the concerned person with the purpose of determining whether the applicant is the owner of the personal data and may ask question to the owner of the personal data regarding his/her application in order to clarify the aspects specified in the application. Our Company may reject the application of the application in the following cases by explaining the reason:

  • Processing of personal data for purposes such as research, planning and statistics upon being rendered anonymous through official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within scope of freedom of expression without violating national defense, national security, public security, public order, economic security, right of privacy or personal rights are or without constituting crime.
  • Processing of personal data within scope of preventive, protective and intelligence operations carried out by nominated and authorized government institutions and organizations for the purpose of ensuring national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities with regard to investigation, prosecution, litigation and enforcement procedures.
  • Processing of personal data being mandatory for prevention of crime or for criminal investigation.
  • Processing of personal data made public by the owner of the personal data himself/herself.
  • Processing of personal data being required for execution of inspection or regulation duties, disciplinary investigation or prosecution by nominated and authorized government institutions and organizations and professional organizations having the quality of a government institution based on the authority granted by the law.
  • Processing of personal data being mandatory for safeguarding economic and financial interests of the State with regard to budget, tax and financial affairs.
  • Claim of the owner of the personal data having the potential of hindering rights and freedoms of other people.
  • Requests which require disproportionate effort being made.
  • Requested information being already public.

If the application is rejected pursuant to article 14 of KVKK or the provided answer is deemed to be insufficient or no answer is provided within due time, the owner of the personal data may file a complaint to the Board within thirty days upon being informed about the answer by our Company and sixty days following the date of application in any case.

  1. Security of Personal Data

    1. Security Precautions

Our company takes measures and controls for ensuring the suitable security level pursuant to article 12 of KVKK in order to prevent processing of personal data it is processing, prevent access to data in an illegal way and to safeguard the data and to perform required inspections within this scope or cause such to be carried out. In this respect, measures and controls taken by our Company are provided below,

  • Recruitment of knowledgeable personal on establishing and operating systems in compliance with the concerning principles and concerning legislation on processing of personal data,
  • Provision of trainings to the personnel for informing them regarding personal data, including legislation on protection of personal data and provisions regarding compliance with Company's code of practice in the employment contracts.
  • Use of backup programs for ensuring secure storage of personal data in compliance with the legislation,
  • In case that a service which covers the personal data processing processes is outsourced, including provisions in the contracts drawn up with such external companies that stipulate taking required security measures for the purpose of protecting personal data and ensuring compliance with such measures in their organizations,
  • Evaluation of personal data processing processes in any operation carried out by our Company within scope of data processing conditions regulated by KVKK, taking required technical and organizational measures for maintaining such processes in compliance with the provisions of KVKK,
  • Establishment of rules of application regarding management of personal data processing processes and the compliance structure by giving place to measures and controls and implementation of such rules
  • Maintaining personal data processing processes and the systems pertaining to such processes and inspecting such through management systems which possess technical and organizational features,

    1. Inspection

Our Company carries out or causes to be carried out, required inspections within itself in compliance with article 12 of Law on Protection of Personal Data. Results of such inspection are reported to the department related to the subject within scope of the internal operation of the company and required activities are carried out in order to improve the measures that were taken.

Required systems are being established and employees are provided with necessary trainings in order to raise awareness of the current employees of the business units of the Company and to the ones who are recently recruited in such business unit, regarding protection of personal data.

    1. Management of data violations

Our Company operates a system which provides notification to the owner of the respective personal data and to the Board in the case that the personal data processed in compliance with article 12 of KVKK is acquired by other parties through illegal ways, If deemed necessary by the Board, such case can be announced on the website of the Board or through other methods.

Title : İstanbul Akvaryum Turizm Tic. Ltd. Şti.

Mersis No :……………….

Phone Number : ………………

Fax Number : ……………..

Mail Address :………………………

E-mail address : …………………………

KSV1_LİST Personal Data Categories

Identity Particulars

Any information included in documents such as Driver's License, Identity Certificate, Certificate of Residence, Passport, Lawyer's Identity Certificate, Certificate of Marriage

Contact Details

information such as phone number, address, e-mail

Customer Details

Information acquired and generated regarding the official or employee, concerned person of the customer as a result of our commercial activities and the operations carried out by business units in this respect

Customer Transaction Details

Records concerning use of our products and services, and information such as instructions and requests for the use of products and services by the customer

Physical Area Security Details

Personal data related to records and documents including the camera records taken at the entry to the physical area and throughout the staying period in the physical area

Transaction Security Details

Your personal data processed for the purposes of ensuring technical, administrative, legal and commercial liabilities in the course of performing our commercial activities

Financial Details

Personal data of the customer's official or employee with regard to customer's details, documents and records which indicate any kind of financial result

Employee Candidate Details

Personal data processed with regard to persons who have applied to our Company to become an employee or considered as employee candidate by the human resources department of our Company pursuant to commercial customer and rules of good faith

Legal Transaction and Compliance Details

Personal data processed within scope of determination, follow up of our legal receivables and rights, and execution of our liabilities and compliance with the policies of our Company

Sensitive Personal Data

Race, ethnical background, political opinion, philosophical belief, religion, sect or other beliefs, appearance, society, foundation or union membership, health, sexual life, conviction and data provided regarding security measures, biometric and genetic data as indicated in article 6 of the Law 6698.

Marketing Details

Personal data pertaining to the employee or official of the customer processed with the purpose of customizing our products and services according to the usage habits, like and needs of the customer and performing marketing in such manner and the reports and evaluations created as a result of processing such

KSV2_LİST Data Owner Categories

Customers Employee/Official

Employees and officials of our customers who use or have used the products and services offered by our Company

Potential Customers Employee/Official

Employees and officials of the legal entities who have made request for or are interested in the use of our products and services or who are considered to have such interest according to the commercial customs and rules of good faith

Supplier/Manufacturers

Real persons who supply products and services to our company,

Real persons who carry our production through use of the products of our Company or other companies

Visitor

Real persons who have physically accessed to the physical locations owned by our Company for various purposes or have visited our websites

Third Party

Real persons who are in relation with the persons for ensuring commercial transaction security between our Company and the aforementioned parties or to protect the rights of such persons or to ensure interest (e.g. Guarantor, Companion, Family Members and affinities)

Employee Candidate

Real persons who have made job application to our Company and have provided to our Company, their CVs and related particulars for consideration

Company Shareholder

Real persons who own the shares of our Company

Company Official

Members of the board of directors of our Company and other authorized real persons

Employees, Shareholders and Officials of the Institutions We are in Cooperation with

Real persons including employees of the institutions that our Company is in any kind of business relationship with, shareholders and officials of such institutions (including but not limited to business partner, supplier)

İSTANBUL AKVARYUM E - BÜLTEN