PURPOSE

The purpose of this Policy is to ensure the lawful processing and protection of the personal data of our members, employees, job applicants, visitors, suppliers, employees of companies and institutions we cooperate with, employees of other institutions with whom we conduct joint activities, and third parties.

SCOPE

This policy covers the activities related to the protection, processing, transfer, and destruction of personal data of members, employees, job applicants, visitors, suppliers, employees of companies and institutions we cooperate with, employees of other institutions with whom we conduct joint activities, and third parties.

DEFINITIONS

Explicit Consent: Consent that is based on information provided and freely expressed concerning a specific matter.

Anonymization: The process by which personal data is rendered in such a way that it cannot be associated with an identified or identifiable person, even when matched with other data.

Data Subject: The natural person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, re-arranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, through automatic means or non-automated means as part of any data recording system.

Board: The Personal Data Protection Board.

Institution: The Personal Data Protection Authority.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system.

For definitions not included in this document, the definitions in the Law, Regulation, and Notifications shall apply.

PROCESSING OF PERSONAL DATA

GENERAL PRINCIPLES

At Aydın Commodity Exchange, personal data is processed in accordance with the procedures and principles stipulated in the "Law on the Protection of Personal Data" and other relevant laws.

The following principles are adhered to in the processing of personal data:

  • Compliance with the law and principles of good faith.
  • Accuracy and, where necessary, keeping data up to date.
  • Processing for specific, explicit, and legitimate purposes.
  • Processing in a manner relevant, limited, and proportionate to the purposes for which it is processed.
  • Retaining for the period stipulated in the relevant legislation or as required for the purpose of processing.

CONDITIONS FOR PROCESSING AND RETAINING PERSONAL DATA

At Aydın Commodity Exchange, personal data cannot be processed without the explicit consent of the data subject.

However, in the presence of one of the following conditions, personal data may be processed without the explicit consent of the data subject under the scope of the "Law on the Protection of Personal Data":

  • When it is expressly provided for by law.
  • When it is necessary to protect the life or physical integrity of a person who is unable to express their consent due to actual impossibility or whose consent is not legally valid.
  • When it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
  • When it is necessary for the data controller to fulfill their legal obligation.
  • When the personal data has been made public by the data subject.
  • When data processing is necessary for the establishment, exercise, or protection of a right.
  • When data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

SPECIAL CATEGORIES OF PERSONAL DATA

According to the "Law on the Protection of Personal Data," personal data concerning a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, dress and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, are considered special categories of personal data.

At Aydın Commodity Exchange, the processing of special categories of personal data without the explicit consent of the data subject is prohibited.

Special categories of personal data are processed with the necessary measures determined by the Personal Data Protection Board.

PROCESSED AND STORED PERSONAL DATA

Data Category: Description

Identity: Name-Surname, Mother’s Name, Father’s Name, Date of Birth, Place of Birth, Marital Status, Population Information, Turkish ID Number, Passport Information, etc.

Contact: Address, Email Address, Contact Address, Registered Electronic Mail (KEP) Address, Telephone Number, Fax, etc.

Personnel: Payroll Information, Disciplinary Information, Entry-Exit Records, CV Information, Annual Leave, etc.

Legal Process: Correspondence with Judicial Authorities, Case Files.

Transaction Security: IP Address

Customer/Supplier Transactions: Invoice, Delivery Note, Check and Bill Information, Bank Receipts, Credit Card Information

Physical Space Security: Employee Entry-Exit Records, Camera Recordings.

Finance: Bank Information

Professional Experience: Diploma Information, Attended Courses, In-Service Training Information, Certificates, etc.

Visual and Audio Recordings: Photos

Health Information (Special Categories): Blood Type, Health Reports, Disability Information

Criminal Convictions and Security Measures (Special Categories): Criminal Record, Information on Enforcement Cases

PURPOSE OF PROCESSING AND STORING PERSONAL DATA

  1. Conducting Emergency Management Processes
  2. Conducting Information Security Processes
  3. Conducting Employee Candidate/Intern/Student Selection and Placement Processes
  4. Conducting Employee Candidate Application Processes
  5. Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
  6. Conducting Processes for Employee Benefits and Rights
  7. Conducting Audit/Ethical Activities
  8. Conducting Training Activities
  9. Managing Access Authorities
  10. Conducting Activities in Compliance with Legislation
  11. Conducting Finance and Accounting Operations
  12. Ensuring Physical Space Security
  13. Conducting Assignment Processes
  14. Following and Conducting Legal Affairs
  15. Conducting Internal Audit/Investigation/Intelligence Activities
  16. Conducting Communication Activities
  17. Planning Human Resources Processes
  18. Conducting/Controlling Business Activities
  19. Conducting Occupational Health and Safety Activities
  20. Gathering and Evaluating Suggestions for Improvement of Business Processes
  21. Conducting Business Continuity Activities
  22. Conducting Logistics Activities
  23. Conducting Purchase Processes for Goods/Services
  24. Managing Customer (Member) Relations
  25. Conducting Activities for Customer (Member) Satisfaction
  26. Managing Organization and Event Activities
  27. Conducting Performance Evaluation Processes
  28. Conducting Risk Management Processes
  29. Conducting Contract Processes
  30. Conducting Strategic Planning Activities
  31. Tracking Requests/Complaints
  32. Conducting Wage Policy
  33. Conducting Investment Processes
  34. Conducting Talent/Career Development Activities
  35. Providing Information to Authorized Persons, Institutions, and Organizations
  36. Creating and Tracking Visitor Records
  37. Other (Preparation of Activity Reports, Social Media News and Announcements, Activity Announcements, Press Releases and Announcements, Website News and Announcements)

LEGAL BASIS FOR PROCESSING AND STORING PERSONAL DATA

Aydın Commodity Exchange retains personal data processed within the scope of its activities for the duration stipulated in the relevant legislation.

In this context, personal data are stored for the retention periods specified under the following laws:

  • "Law on the Protection of Personal Data"
  • "Law on the Union of Chambers and Commodity Exchanges of Turkey and Chambers and Commodity Exchanges"
  • "Turkish Code of Obligations"
  • "Capital Markets Law"
  • "Social Insurance and General Health Insurance Law"
  • "Law on the Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts"
  • "Occupational Health and Safety Law"
  • "Labor Law"
  • "Tax Procedure Law"
  • "Turkish Commercial Code"
  • "Enforcement and Bankruptcy Law"
  • "Law on the Collection of Public Receivables"
  • "Licensed Warehouse Law for Agricultural Products"
  • And other relevant laws, as well as secondary regulations enacted under these laws.

STORAGE MEDIUM FOR PERSONAL DATA

Personal data are stored in accordance with the law in the following environments, as listed below.

Electronic Environment:

  • Servers
  • Software (Office Software, Accounting Software, Antivirus Software, etc.)
  • Personal Computers (Desktops, Laptops)
  • Mobile Devices (Tablets, Mobile Phones)
  • Optical Discs (CDs, DVDs, etc.)
  • Removable Disks (USB Flash Drives, External Drives, Memory Cards, etc.)
  • Printers, Scanners

Non-Electronic Environment:

  • Paper
  • Manual Record Forms (Activity Participation Tracking, Surveys, etc.)
  • Written, Printed Materials

DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA

Personal data shall be deleted, destroyed, or anonymized by Aydın Commodity Exchange under the following circumstances:

  • When the relevant legal provisions forming the basis for the processing are amended or repealed.
  • When the purpose requiring the processing or storage of the personal data ceases to exist.
  • In cases where data processing relies solely on the explicit consent of the individual, if the individual withdraws their consent.
  • If the Aydın Commodity Exchange accepts a request from the data subject under Article 11 of the “Law on the Protection of Personal Data” to have their data deleted or destroyed.
  • If the data subject's request for deletion, destruction, or anonymization is rejected by Aydın Commodity Exchange, deemed insufficient, or not answered within the legally required timeframe, and the Personal Data Protection Board deems the complaint valid.
  • When the maximum retention period for the personal data has expired, and there are no conditions justifying longer retention.

In these situations, personal data are deleted, destroyed, or anonymized either upon the data subject's request or ex officio by Aydın Commodity Exchange.

Other legal provisions regarding the deletion, destruction, or anonymization of personal data will also be considered.

These processes are carried out in accordance with the “Regulation on the Deletion, Destruction, or Anonymization of Personal Data.”

Deletion/destruction activities are conducted by personnel responsible for the deletion and destruction of data at the end of each year, based on a decision by the Board of Aydın Commodity Exchange.

Personal data are deleted or destroyed during the first destruction period following the expiration of the retention period.

Data Storage Medium: Deletion and Destruction Method

Data Stored on Servers: Personal data stored on servers, whose retention period has expired, is deleted by the IT officer by revoking access rights of relevant users.

Personal Data in Electronic Media: Personal data stored in electronic media, whose retention period has expired, is made inaccessible and unusable for all users except the IT officer.

Personal Data in Physical Media: Personal data stored in physical media, whose retention period has expired, is made inaccessible and unusable for all employees except the person responsible for the document archive. Additionally, data is either redacted by crossing out/painting over/erasing so it cannot be read, or it is shredded or incinerated in a way that ensures it cannot be recovered.

Personal Data in Portable Media: Personal data stored in flash-based storage media, whose retention period has expired, is encrypted and securely stored with access rights limited to the IT officer. If the storage medium needs to be reused, measures are taken to prevent access to previously stored data.

Personal Data in Optical/Magnetic Media: Personal data stored in optical and magnetic media, whose retention period has expired, is physically destroyed by melting, burning, or pulverizing the media.

TRANSFER OF PERSONAL DATA

According to Article 8 of the "Law on the Protection of Personal Data," personal data cannot be transferred to third parties without the explicit consent of the relevant individual.

In cases where personal data can be processed without the explicit consent of the data subject, the data can also be transferred to third parties without such consent. Similarly, as long as adequate measures are taken, personal data other than those related to health and sexual life may be transferred without explicit consent in cases stipulated by law. Personal data related to health and sexual life, however, may only be transferred without explicit consent for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, as well as for the planning and management of healthcare services and their financing by individuals or authorized institutions and organizations that are under the obligation of confidentiality.

The provisions of other laws regarding the transfer of personal data remain unaffected.

Personal data processed by Aydın Commodity Exchange may be transferred within the scope of fulfilling the purposes defined under the heading "Purpose of Processing Personal Data" to:

  • Institutions or organizations permitted by relevant laws and regulations;
  • Public legal entities such as the Personal Data Protection Authority, the Ministry of Treasury and Finance, the Ministry of Trade, the Ministry of Family, Labor and Social Services, and the Information and Communication Technologies Authority;
  • Our subsidiaries and/or direct/indirect domestic and international affiliates;
  • Domestic and international organizations and suppliers with which we cooperate, including those we contract with to carry out activities as Aydın Commodity Exchange, and which are jointly and severally responsible with us for workplace security measures such as the storage of your personal data, prevention of unauthorized access, and prevention of unlawful processing;
  • Third parties, limited to the conditions and purposes for data processing specified in Articles 8 and 9 of the "Law on the Protection of Personal Data."

RIGHTS AND OBLIGATIONS

INFORMATION OBLIGATION

Aydın Commodity Exchange informs individuals whose data are processed under the "Law on the Protection of Personal Data" about the purpose of processing their data, how long it will be retained, its transfer to third parties, and their rights through an Information Notice.

The explicit consent of individuals informed by the Information Notice is recorded via an Explicit Consent Declaration Form.

The Information Notice is reviewed annually and revised according to changes in the processing of personal data. Furthermore, in cases of changes in laws and regulations or changes in practices, the Information Notice will be revised without waiting for the annual period.

The Information Notice is also shared through the Aydın Commodity Exchange website.

RIGHTS OF THE DATA SUBJECT

Data subjects have the right to apply to Aydın Commodity Exchange regarding their personal data to:

  • Learn whether their data is being processed,
  • Request information if it has been processed,
  • Learn the purpose of processing and whether it is used in accordance with that purpose,
  • Know the third parties to whom their data has been transferred domestically and internationally,
  • Request correction if their data is processed incompletely or inaccurately,
  • Request deletion/destruction in accordance with the conditions stipulated in Article 7 of the "Law on the Protection of Personal Data,"
  • Request that the transactions made under (e) and (f) be notified to the parties to whom their personal data has been transferred,
  • Object to the emergence of a negative consequence due to being analyzed exclusively by automated systems,
  • Demand compensation for damages in case of unlawful processing of their data.

Data subjects may submit their requests to exercise the rights mentioned above to Aydın Commodity Exchange in writing or electronically via KEP with an electronic signature, as per the provisions of Article 13, paragraph 1 of the "Law on the Protection of Personal Data."

To exercise the rights mentioned above, requests including necessary identification information and explanations can be submitted by filling out the "Personal Data Application Form," signing a copy of the form, and delivering it personally along with identity verification documents to Aydın Commodity Exchange, Ata Mahallesi Denizli Bulvarı No: 18, Aydın, or sent securely via electronic signature to aydinticaretborsasi@hs01.kep.tr.

OBLIGATIONS REGARDING DATA SECURITY

Aydın Commodity Exchange takes all necessary technical and administrative measures to ensure an adequate level of security to:

  • Prevent unlawful processing of personal data,
  • Prevent unauthorized access to personal data,
  • Ensure the preservation of personal data.

In the case that personal data is processed by another individual or legal entity on behalf of Aydın Commodity Exchange, necessary measures are taken, and their implementation is monitored.

Inspections regarding the application of legal provisions are conducted annually, and corrective actions are taken if any non-compliance is detected. If necessary, external service procurement may be implemented for these inspections.

Data processed within the activities of Aydın Commodity Exchange cannot be disclosed to others or used for purposes other than the processing purpose by the data processors. This obligation continues even after the termination of the duties of the data processors.

If personal data is obtained unlawfully by others, Aydın Commodity Exchange will notify the relevant individual and the Board as soon as possible. The Board may announce this situation on its website or by any other method it deems appropriate.

To ensure data security, operational-level personal data inventories and applied protection methods are identified. Risk and Threat Identification studies are conducted to determine and evaluate protection methods, and methods are developed to eliminate any identified gaps.

The Personal Data Inventory, Applied Protection Methods, and the status of Risks and Threats are reviewed and revised through annual audits and evaluations. Additionally, if there is a situation that may affect information security, these audits are conducted without waiting for the completion of the annual period, and necessary measures are taken.

ADMINISTRATIVE MEASURES

The following administrative measures are implemented to protect personal data.

  1. There are disciplinary regulations containing data security provisions for employees.
  2. Training and awareness activities regarding data security are conducted at regular intervals for employees.
  3. An authority matrix has been established for employees.
  4. Corporate policies regarding access, information security, usage, retention, and destruction have been prepared and implemented.
  5. Confidentiality agreements are made.
  6. The contracts signed include data security provisions.
  7. Extra security measures are taken for personal data transmitted via paper, and the relevant documents are sent in a confidentiality-rated document format.
  8. Policies and procedures for personal data security have been established.
  9. Personal data security issues are reported promptly.
  10. Personal data security is monitored.
  11. Necessary security measures are taken regarding the entry and exit to physical environments containing personal data.
  12. Security against external risks (fire, flood, etc.) for physical environments containing personal data is ensured.
  13. Security for environments containing personal data is ensured.
  14. Personal data is minimized as much as possible.
  15. Periodic and/or random internal audits are conducted and carried out.
  16. Existing risks and threats have been identified.
  17. Protocols and procedures for the security of special categories of personal data have been established and implemented.
  18. Data security of data processors/service providers is audited at regular intervals.
  19. Awareness of data security among data processors/service providers is ensured.

TECHNICAL MEASURES

The following technical measures are implemented to protect personal data:

  1. Network security and application security are ensured.
  2. A closed system network is used for personal data transfers over the network.
  3. Security measures are taken in the procurement, development, and maintenance of information technology systems.
  4. Access logs are maintained regularly.
  5. Data masking measures are applied when necessary.
  6. The authorizations of employees who change roles or leave the job are revoked in this area.
  7. Up-to-date anti-virus systems are used.
  8. Firewalls are used.
  9. Personal data is backed up, and the security of the backed-up personal data is also ensured.
  10. User account management and authorization control systems are implemented, and their monitoring is conducted.
  11. Log records are kept in a way that user intervention is not possible.
  12. If special category personal data is to be sent via email, it is sent encrypted and using KEP or a corporate email account.
  13. Secure encryption/cryptographic keys are used for special category personal data and managed by different units.
  14. Encryption is performed.
  15. Special category personal data transmitted on portable media, CDs, or DVDs are encrypted during transfer.