You can find detailed information about our work and the sectors in which we work in this section.
CENTER OFFICE
Nispetiye Mahallesi Nispetiye Caddesi.
No:24 İç Kapı No: 17 Beşiktaş
İstanbul Türkiye
PRODUCTION FACILITY
Köseköy, Çuhane Caddesi
No:181/4, 41250 Kartepe
Kocaeli Türkiye
1. Purpose and Scope
The main purpose of this Personal Data Protection Policy (“Policy”) is to make explanations about the personal data processing activity carried out by Coral (“Company”) in accordance with the law and the systems adopted for the protection of personal data, in this context, personal data is processed by our company. To ensure transparency by informing people.
This Policy is implemented together with the relevant detailed data procedures in the activities carried out for the processing and protection of all personal data managed by the Company.
2. Definitions
KVKK: Law on Protection of Personal Data No. 6698
GDPR: European Union General Data Protection Regulation
Data Processor: The natural and legal person who processes personal data on behalf of the data controller, based on the authority given to him
Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system)
Data Owner/Relevant Person: Employees, customers, business partners, shareholders, officials, potential customers, candidate employees, interns, visitors, suppliers, with whom the Company and its subsidiaries have commercial relations, in cooperation Employees of the institutions they work for, third parties and real persons whose personal data are processed, including but not limited to those listed here.
Explicit Consent: Consent on a specific subject, based on information and expressed with free will
Personal Data: Any information relating to an identified or identifiable natural person
Special Quality Personal Data: person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and data on security measures and biometric and genetic data
Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring personal data completely or partially automatically or non-automatically provided that it is a part of any data recording system, all kinds of operations on data such as taking over, making it available, classifying or preventing its use
Anonymization of Personal Data: Making personal data not to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data
Deletion of Personal Data: making personal data inaccessible and unusable for the relevant users in any way
Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and reusable by anyone
KVK Board/Board: Personal Data Protection Board
KVK Authority/Institution: Personal Data Protection Authority
3. Procedure
The Company also has different policies that deal with the protection of personal data and the provision of information security in relation to certain business activities and functions. This Policy does not override the data protection terms in these different policies of the Company, unless it contains additional terms or demands a higher standard for the protection of personal data.
The provisions of the applicable legislation on the processing and protection of personal data will be primarily applied; In case of conflict between the relevant legislation and the provisions of this Policy, the current legislation provisions shall prevail.
4. Matters Regarding the Protection of Personal Data
This Policy has been established in accordance with the rules and procedures stipulated in the KVKK and other relevant legislation for the protection of personal data. In this sense, the Data Controller is also obliged to take all necessary technical and administrative measures, as he is obliged to prevent unlawful processing and access of personal data and to ensure their preservation, pursuant to KVKK. The Company has taken all relevant technical and administrative measures, including the measures taken for the protection of sensitive personal data; The content of the technical and administrative measures taken are detailed in the Protection of Personal Data Legal Compliance Audit Report and D.17 Storage and Disposal Policy.
5. Personal Data Processing Policy
a. Principles to be Followed When Processing Personal Data
Personal data processed by the company are processed in accordance with the relevant legislation (KVKK and/or GDPR). The Company's policies and procedures are implemented in parallel with the processing principles in the KVKK and relevant legislation. As such;
• Personal data are processed in a transparent and lawful manner,
• Personal data is collected only for specific, clear and legitimate purposes,
• Personal data are linked, limited and measured for the purpose for which they are processed,
• Personal data is accurate and up-to-date when necessary, deleted or corrected without delay.
• It is kept for the period required by the relevant legislation or for the purpose for which it is processed,
• Personal data is processed to ensure appropriate security,
• The data controller shows that it complies with other principles of KVKK and/or GDPR. (To be held accountable).
b. Purposes of Coral to Process Personal Data
In accordance with the KVKK and other relevant legislation, the Company informs the relevant persons during the acquisition of personal data. In this context, the Company informs the relevant person about the purpose for which personal data will be processed, to whom and for what purposes the processed data can be transferred, the method of collecting personal data and the legal reason for collecting personal data.
The purposes of processing personal data processed by the company are as follows:
Providing the services offered by the Company to its customers under the best conditions, providing the services in a reliable and uninterrupted manner, ensuring the security of the Company, ensuring customer satisfaction and reliability, Fulfilling the transactions regarding the services offered by the Company, executing and developing the operations, promoting the services offered by the Company , marketing, advertising and campaign activities, execution of contracts signed with customers, realization of transactions requested by relevant public institutions and organizations, fulfillment of Company obligations arising from other relevant laws.
c. Coral's Legal Reasons for Processing Personal Data:
• Existence of the explicit consent of the person concerned,
• It is clearly stipulated in the laws,
• The person who is unable to express his or her consent due to de facto impossibility or whose consent is not given legal validity is compulsory for the protection of life or bodily integrity of himself or someone else,
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• The person concerned has been made public by himself,
• The necessity of data processing for the establishment, exercise or protection of a right,
• It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
The processing conditions of personal data, that is, the conditions of compliance with the law, are limited in number in the Law and these conditions cannot be extended.
6. Transfer of Personal Data
a. Domestic Transfer
Without prejudice to the situations where the transfer of personal data to administrative and judicial institutions and organizations is obligatory as per the KVKK or the relevant legislation, the personal data of the persons concerned are not transferred by the Company to other persons without the explicit consent of the person concerned, unless the issues listed in Article 5 and/or 6 of the KVKK Let it be the case.
The Company may transfer personal data to third parties in Turkey by taking all security measures specified in the KVKK and relevant legislation and in accordance with the Law and/or contract.
b. International Transfer
The Company may transfer personal data abroad by taking the necessary security measures and in accordance with the conditions stipulated in the KVKK and the relevant legislation, and by obtaining the explicit consent of the person concerned. In cases where the explicit consent of the data subject is not sought, the condition that the country to which the personal data will be transferred is in the status of a "safe country" and whether it provides adequate protection or not is required. In cases where the country to which data is transferred by the Board is not considered a safe country, a data transfer protocol is signed with the permission of the Board, which will undertake adequate protection.
Service providers and customers to whom data is transferred abroad are legal/real persons originating from ……..
c. Transferred Institutions and Organizations
The Company may share personal data with relevant public institutions and organizations in accordance with the following legislation:
• Law No. 6698 on the Protection of Personal Data,
• Labor Law No. 4857
• Turkish Code of Obligations No. 6098
• Turkish Commercial Code No. 6102
• Law No. 6361 on Occupational Health and Safety
• Acquisition of Information Law no.4982
• Retirement Health Law No. 5343
• The Social Services Law No. 2828
• The Tax Procedure Law No. 213 and other secondary regulations in effect in accordance with these laws.
7. Personal Data Processing Activities in Coral Service Building and Website Visitors
Personal data processing activities can be carried out in Coral service building in accordance with KVKK and other relevant legislation. Accordingly, in order to ensure security, monitoring with security cameras in the corridors and entrances and exits of the service building(s); There is a card pass system in the entry system. The system used for guest entries has been determined in accordance with the Company's Physical Security Procedure.
The records regarding the security measures recorded and stored in the digital environment are accessed by the personnel of the administrative and technical department, audit teams, the general manager and the managers directly reporting to the general manager, who are under the obligation to protect confidentiality.
8. Relevant Person's Rights and Exercise of Rights
Regarding the real persons whose personal data are processed by the Company, personal data processing and the data recorded about them, Nispetiye Mahallesi Nispetiye Caddesi. No: 24 Interior Door No: 17 Beşiktaş Istanbul Turkey or ………….. by applying via e-mail address, they can use the following rights:
a. Learning whether personal data is processed,
b. If personal data has been processed, requesting information about the structure of this information and learning to whom it has been disclosed,
c. Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
d. Knowing the third parties to whom personal data is transferred at home or abroad and requesting that the third parties be notified of the transaction made in this direction,
e. In case of incomplete or incorrect processing of personal data, requesting that they be corrected and notified to third parties,
f. Demanding the deletion or destruction of personal data in the event that the reasons requiring processing disappear, despite being processed in accordance with the provisions of the relevant law,
g. Objecting to the emergence of a result against the person himself,
h. Demanding the compensation of the damage in case of loss due to unlawful processing of personal data.
9. Deletion, Destruction and Anonymization of Personal Data
9.1. In accordance with Article 7 of the KVKK and the provisions of other relevant legislation, personal data is deleted, destroyed or anonymized upon the decision of the Company, its periodic control and/or the request of the person concerned, in case the reasons for processing the processed personal data disappear.
9.2. The Company has prepared a Personal Data Retention and Disposal Policy in this direction. For detailed information, see [D.17]: Personal Data Retention and Disposal Policy.
9.3. The company will not keep personal data longer than necessary, in connection with the main reason for which the data was collected, in a way that would allow the identification of the data subject.
9.4. The company may keep personal data for a longer period of time only for public interest, scientific or historical research or statistical purposes, by taking appropriate technical and organizational measures in order to protect the rights and freedoms of the data subject.
9.5. The criteria used to determine this period, including the retention period for each category of personal data and the legal obligations that the Company has to keep the data, are specified in [D.17]: Retention and Disposal Policy.
9.6. The company's data retention and destruction procedures ([D.17]: Retention and Destruction Policy) will be applied in all cases.
9.7. Personal data will be securely destroyed in line with the provisions of the KVKK and relevant legislation – proper processing in order to ensure security and thus protecting the “rights and freedoms” of the data owner. Any destruction of data will be made in accordance with the Retention and Destruction Policy.
10. Data Inventory
The company has created a data inventory as part of its approach to identify risks and opportunities throughout the KVKK and GDPR compliance process. The company's data inventory determines:
• Business processes using personal data;
• Source of personal data;
• Data subject volume;
• Definition of each element of personal data;
• Processing activity;
• The purpose and legal reason of the processing activity
• Management of data categories inventory of processed personal data;
• Filing the purpose(s) for each category of personal data used;
• Recipients and potential recipients of personal data;
• The Role of the Company during the data flow;
• Key systems and enclosure;
• All kinds of data transfer; and
• All storage and disposal requirements.