Privacy Policy


Meccti group Global Privacy Policy

Effective Date: Monday, 16 Nov 2018

  1. ARTICLE 1 – INTRODUCTION

Protection of personal data is among the most important priorities of MECCTİ HAVACILIK İSTİHDAM DANIŞMANLIK HİZMETLERİ LTD. ŞTİ. (“Company” or “MECCTİ HAVACILIK”).  Protection and processing of personal data of our customers, potential customers, employee candidates, company shareholders, company executives, visitors, and employees, shareholders and executives of the partner organizations, and of the third parties; which is managed by this Policy, constitutes the most important stage of this matter.

Pursuant to the Turkish Republic Constitution; everyone is entitled to request the protection of their personal data. With respect to the protection of personal data, which is an Constitutional right, MECCTİ HAVACILIK, exercises due care on protection and processing of personal data of its customers, potential customers, employee candidates, company shareholders, company executives, visitors, and employees, shareholders and executives of the partner organizations, and of the third parties; which is managed by this Policy and makes this a Company policy.

Within this scope, the necessary administrative and technical measures are taken by MECCTİ HAVACILIK and Foreign Shareholders in order to protect the processed personal data, pursuant to the relevant legislation.

This Policy shall provide detailed explanations on the basic principles, which MECCTİ HAVACILIK adopts on processing the personal data and which are listed below

  • To process the personal data according to the law and in good faith,
  • To keep the personal data correct and updated, when required,
  • To process the personal data for certain, explicit and legal purposes,
  • To process the personal data in connection with the processing purposes, limitedly and prudently,
  • To keep the personal data for a period stipulated in the relevant legislation or required for the processing purpose,
  • To notify and inform the owners of personal data,
  • To establish the required system in order to enable the owners of personal data to exercise their rights,
  • To take the required measures in respect to keeping the personal data,
  • To comply with the relevant legislation and regulations of the Board of PDP (Personal Data Protection) with respect to transferring them to the third parties in line with the requirements of processing purposes of personal data,
  • To be sensitive on processing and protection of private qualified personal data.

 

 

1.2.     PURPOSE OF THE POLICY

The main purpose of this Policy is to explain the systems adopted by MECCTİ HAVACILIK for personal data processing activity and personal data protection performed in accordance with the law; within this scope, to ensure transparency by informing the persons, whose data is processed by our company, primarily our customers, potential customers, employees, employee candidates, company shareholders, company executives, visitors, and employees, shareholders and executives of the partner organizations, and of the third parties.

 

1.3        SCOPE

 

This Policy is related to all personal data of our customers, potential customers, employees, employee candidates, company shareholders, candidate job applicants, company executives, visitors, and employees, shareholders and executives of the partner organizations, and of the third parties, which are processed automatically or in un-automatic ways for being a part of any data recording system.

The scope of implementation of this Policy may be either the whole Policy (e.g. such as our Active Customers who are also our visitors) or only some provisions of it (e.g. only our visitors) with respect to the personal data owners’ groups in the abovementioned categories.

 

1.4        IMPLEMENTATION OF THE POLICY AND THE RELEVANT LEGISLATION

The relevant legal regulations in force on processing and protection of personal data shall have the priority in implementation. In case there are discrepancies between the legislation in force and the Policy, our Company acknowledges the implementation of the effective legislation.

The Policy is generated by embodying and arranging the rules, which are revealed by the relevant legislation, within the scope of MECCTİ HAVACILIK applications. Our Company carries out the required system and preparations in order to act in compliance with the enforcement periods stipulated in the PDP Act.

 

1.5         ENFORCEMENT OF THE POLICY

This Policy, which has been issued by our Company is dated on 16/11/2018. In case the whole of the Policy or the certain articles are replaced, the effective date of the Policy shall be updated.  The Policy is published on our Company’s web sites addressed as www.inflightcrewjobs.com and www.mecabincrew.com and is made accessible to the relevant persons upon the request of the owners of personal data.

Our Company takes the necessary technical and administrative measures for ensuring the suitable safety level in order to prevent the processed personal data from being processed unlawfully, to prevent unlawful access to the data, and to provide protection of the data, and performs or have the necessary audits performed by purchasing domestic audits and with our technical IT team.
  1. ARTICLE 2 – PROVISIONS OF THE PERSONAL DATA PROTECTION

 

2.1.       ENSURING THE SAFETY OF PERSONAL DATA

2.1.1.   The Technical and Administrative Measures Taken in Order to Ensure Lawful Personal Data Processing

Our Company takes technical and administrative measures according to the technological possibilities and implementation costs in order to provide lawful personal data processing.

  • The Technical Measures Taken in Order to Ensure Lawful Personal Data Processing

The primary technical measures were taken in order to ensure lawful personal data processing are listed below:

  • The personal data processing activities which are performed within our Company are audited.
  • The technical measures taken are reported to the concerned person pursuant to the internal audit mechanism periodically.
  • The Administrative Measures Taken in Order to Ensure Lawful Personal Data Processing

The primary administrative measures are taken in order to ensure lawful personal data processing are listed below:

  • The employees are informed and trained about the law on personal data protection and lawful processing of personal data.
  • All activities performed by the Company are analyzed as specific to all business units in detail, and the personal data processing activities are revealed as specific to the commercial activities performed by the relevant business units as a result of this analysis.
  • With respect to the personal data processing activities carried out by our Company’s business units; the requirements to be met in order to ensure the compliance of these activities with the personal data processing terms sought by the Act No. 6698, are determined specific to each business unit and the detailed activity performed by it.
  • In order to ensure the determined legal compliance requirements of our business units, the awareness is raised specific to the relevant business units and implementation rules are determined. The administrative measures required for ensuring the continuity of auditing these matters and implementation are put into practice through In-Company policies and training.
  • Records, which impose an obligation on not processing, disclosing and using the personal data, except the Company instructions and the exemptions specified by law, are included in the contracts and documents which governs the legal relationship between our Company and the employees, and the awareness arises in respect of the employees and audits are carried out.

2.1.2.   The Technical and Administrative Measures Taken in Order to Prevent Unlawful Access to the Personal Data

Our Company takes technical and administrative measures according to the quality of the data to be protected, technological possibilities and implementation costs in order to prevent imprudent or unauthorized disclosure, access, transfer of or otherwise all unlawful access to the personal data.

  • The Technical Measures Taken in Order to Prevent Unlawful Access to the Personal Data

The primary technical measures taken by our Company in order to prevent unlawful personal data access are listed below:

  • The technical measures suitable for technological developments are taken; the measures are updated and renewed periodically.
  • Based on the business unit, technical access and authorization solutions are initiated according to the legal compliance requirements
  • The implemented technical measures are reported to the concerned person periodically pursuant to the internal audit mechanism, the issues which pose a risk are reassessed and the necessary technological solution is produced.
  • The software and hardware covering the virus protection systems and firewall are installed.
  • Entire data management is made central.
  • The Administrative Measures Taken in Order to Prevent Unlawful Access to the Personal Data

The primary administrative measures taken by our Company in order to prevent unlawful personal data access are listed below:

  • The employees are trained on the technical measures to be taken in order to prevent unlawful access to personal data.
  • Access and authorization processes of personal data are designed and implemented within the Company in accordance with the legal compliance requirements based on the business unit.
  • The employees are informed that they may not disclose the personal data which they have learned to the third parties unlawfully and use it with purposes other than processing and this obligation survives even after resigning, and the necessary commitments are obtained from them accordingly.
  • The provisions stating that the persons whom the personal data is transferred to shall take the necessary safety measures in order to protect the personal data and shall ensure that these measures shall be followed within their own organizations are included in the lawful contracts executed with the relevant persons that the personal data is transferred to.

 

2.1.3.   Keeping the Personal Data in Safe Environment

Our Company takes technical and administrative measures according to the technological possibilities and implementation costs in order to ensure the personal data is kept in a safe environment and to prevent the unlawful destruction, loss or alteration.

  • The Technical Measures Taken in Order to Keep the Personal Data in Safe Environment

The primary technical measures taken by our Company in order to keep personal data in a safe environment are listed below:

  • In order to keep personal data in a safe environment, the systems suitable for technological developments, are used.
  • The technical safety systems are installed in the storage areas, the technical measures taken are reported to the concerned person periodically pursuant to the internal audit mechanism, and the issues which pose a risk are reassessed and the necessary technological solution is produced.
  • Backup programs are used according to the laws in order to ensure the personal data are kept safely.
  • The Administrative Measures Taken in Order to Keep the Personal Data in Safe Environment

The primary administrative measures taken by our Company in order to keep personal data in a safe environment are listed below:

  • The employees are trained on ensuring the personal data is kept in a safe environment.
  • In case an external service is provided to our Company due to the technical requirements on the storage of the personal data, the provisions stating that the persons whom the personal data is transferred to shall take the necessary safety measures in order to protect the personal data and shall ensure that these measures shall be followed within their own organizations, are included in the lawful contracts executed with the relevant firms that the personal data is transferred to.

2.1.4.   Audit of the Measures Taken on the Protection of Personal Data

Our Company performs or have the necessary audit performed within its structure in accordance with Article 12 of the PDP Act.  The results of these audits are reported to the relevant department within the scope of the internal operation of the Company, and the necessary activities are carried out to improve the measures taken.

2.1.5.   Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

Our Company operates a system, which enables to notify the situation to the relevant personal data owner and the Board of PDP as soon as possible, in case the personal data, which is processed according to the Article 12 of the PDP Act, is obtained by other persons unlawfully. In case the Board of PDP deems necessary, this situation may be announced on the internet site of the Board of PDP or otherwise.

2.2.    PROTECTION OF THE DATA OWNERS’ RIGHTS; COMMUNICATION CHANNELS OF THE DATA OWNERS’ WITH THE COMPANY AND CLAIMS EVALUATION

Our Company executes the necessary channels, internal operations, administrative and technical arrangements in accordance with the Article 13 of the PDP Act, in order to assess the rights of the owners of personal data and to give the necessary information to the personal data owners.

In case that the personal data owners forward their written claims on their rights which are listed below to MECCTI HAVACILIK, Our Company concludes the claim as soon as possible and at the latest within thirty days free of charge according to the qualification of the claim. However, in case the process requires an additional cost, a fee, which is in the tariff specified by the Board of PDP, shall be charged by our Company. Personal data owners have the following rights:

  • To learn whether the personal data is processed or not,
  • If the personal data is processed, to request information in relation to this subject,
  • To learn the aims of processing their personal data and investigating if their personal data were used relevantly,
  • To learn the third parties to whom the personal data is transferred to inland or abroad,
  • To ask for corrections if their personal data were processed incompletely or inaccurately, and within this scope to request the transaction be notified to the third parties whom the personal data has been transferred to,
  • To ask for canceling or deleting their personal data in case the reasons for processing personal data no longer exists, and within this scope to request the transaction be notified to the third parties to whom the personal data has been transferred to,
  • To object to a negative outcome for them in case their personal data are exclusively analyzed via automatic systems
  • In case suffering a loss due to the unlawful processing of personal data, to request for compensation. Detailed information related to the rights of the data owners is provided in Section 10 of this Policy.

2.3.    PROTECTION OF PRIVATE QUALIFIED DATA

Some of the personal data has been given a special attention by the PDP Act, due to the risk of causing unjust treatment of the persons or discrimination in case of unlawful processing.

This data is information about race, ethnic origin, political opinion, philosophic belief, religion, communion or other beliefs, appearance, membership of the association, foundation or union, health, sexual life, punishment sentence and safety measures, and biometric and genetic data.

Our Company acts sensitively on the protection of specific personal data which is specified as “private qualified” in the PDP Act and processed lawfully. In this context, the technical and administrative measures taken to protect the personal data are applied by our Company with caution with respect to private qualified personal data, and required audits are maintained within MECCTİ HAVACILIK.

The detailed information related to processing the private qualified personal data is provided in Article 3 of this Policy.

 

2.4.    INCREASING AWARENESS OF PROTECTION AND PROCESSING OF PERSONAL DATA AMONG BUSINESS UNITS

Our Company provides the necessary training to its business units in order to raise awareness to prevent unlawful processing of the personal data and unlawful access to the same, and to ensure the protection of data.

MECCTİ HAVACILIK establishes the systems required for creating awareness of the protection of personal data among its existing and new employees and works with professionals in case of need related to the matter.

2.5.   INCREASING AWARENESS OF PROTECTION AND PROCESSING OF PERSONAL DATA AMONG BUSINESS PARTNERS AND SUPPLIERS

Our Company provides the necessary training and seminars for the business partners in order to raise awareness to prevent unlawful processing of the personal data and unlawful access to the same, and to ensure the protection of data.

MECCTİ HAVACILIK establishes the systems required for creating awareness of the protection of personal data among its existing and new employees and works with professionals in case of need related to the matter.

All activities performed in order to raise awareness of the protection and processing of personal data for MECCTİ HAVACILIK business partners and our candidates, who made job applications, are reported to the MECCTİ HAVACILIK management and shareholders. Our Company executes confidentiality agreements with all business partners and maintains its sensitivity on Protection of Personal Data with its business partners pursuant to the relevant provisions of the agreement.

Our Company engages with processing activity of the personal data in compliance with law and good faith rules, corrected and updated when required, related with the purpose, limited and prudently, by pursuing certain, explicit and legal aims, in accordance with the Article 4 of PDP Act with regards to the processing of the personal data.  Our Company keeps the personal data for a period stipulated in the law or required by the personal data processing purpose.

Our Company processes the personal data based on one or more terms on processing personal data in the Article 5 of the PDP Act, pursuant to the Article 5 of the PDP Act.

Our Company notify the personal data owners and gives the necessary information in case they request information, in accordance with the Article 10 of the PDP Act.

Our Company acts in compliance with the regulations stipulated on processing the private qualified personal data, according to the Article 6 of the PDP Act.

Our Company acts in compliance with the regulations stipulated in law and set forth by the Board of PDP on transferring the personal data, according to the Articles 8 and 9 of the PDP Act.

 

  1. ARTICLE 3 – PROVISIONS OF PERSONAL DATA PROCESSING

 

3.1.       PROCESSING OF PERSONAL DATA IN COMPLIANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION

 

3.1.1.   Processing in Compliance with Law and Good Faith Rule

Our Company acts in compliance with the principles brought by legal regulations on protection of personal data, general trust, and good faith rule. In this context, while processing personal data our Company pays attention to the proportionality necessities and does not use the personal data for other purposes than required by its purpose.

 

3.1.2.   Ensuring the Personal Data Are Correct and Updated When Necessary

Our Company ensures the processed personal data are corrected and updated, taking into consideration the basic rights of the personal data owners and its own legal interests. A system that enables the personal data owners to correct and verify their personal data, is established by MECCTİ HAVACILIK. Detailed information related to this subject is provided in Article 10 of this Policy.

 

3.1.3.   Processing for Certain, Explicit and Legal Purposes

Our Company determines the legal and lawful purpose of personal data processing explicitly and exactly. Our Company processes the personal data in connection with the service it renders, and in the amount required for these. The purpose of personal data processing is set forth by our Company before the personal data processing activity begins.

 

3.1.4.   Being Related with the Processing Purpose, Limited and Prudent

Our Company processes the personal data adequate to accomplish the specified purposes and avoids processing the personal data which are not related to accomplishing the purpose or not needed. For instance, personal data processing activity intended for meeting the subsequent possible needs.

 

3.1.5.   Maintaining Data for a Period Stipulated in the Relevant Legislation or Required by the Processing Purpose

            Our Company maintains the personal data only for a period stipulated in the relevant legislation or required by its processing purpose. In this context, we first determine whether the period for keeping personal data is stipulated in the relevant legislation. In case a period is specified, we act in compliance with this period. In case a period is not specified, we keep personal data for a period required by its processing purpose. In the case of expiration of the period or the reasons which require processing of data, then the personal data is deleted, destroyed or anonymized by our Company. The personal data are not kept by our Company for the future using possibilities. Detailed information related to this subject is provided in Article 9 of this Policy.

 

3.2.       PROCESSING OF PERSONAL DATA BASED ON ONE OR MORE PERSONAL DATA PROCESSING TERMS SPECIFIED IN ARTICLE 5 OF THE PDP ACT

 

Protection of personal data is a Constitutional right. The basic rights and freedoms may be limited only by law and depending on the causes specified in the relevant articles of the Constitution. As per the third paragraph of Article 20 of the Constitution, the personal data may only be processed in cases stipulated in the law or with the explicit consent of the person. In accordance and compliance with the Constitution, our Company only processes the personal data in case of the situations stipulated in the law or with the explicit consent of the person. Detailed information related to this subject is provided in Article 7 of this Policy.

 

3.3.       NOTIFYING AND INFORMING THE OWNER OF PERSONAL DATA

 

Our Company notifies the personal data owners at the time of acquiring their personal data in accordance with Article 10 of the PDP Act. Within this scope, MECCTİ HAVACILIK makes notifications on the identity of itself and its representative if any, the purpose for which the personal data shall be processed, to whom and for what purpose would the processed personal data be transferred, personal data collection method, and legal purpose, and rights of the personal data owner. Detailed information related to this subject is provided in Article 10 of this Policy.

In Article 20 of the Constitution, it is set forth that everyone has a right to being informed on the personal data related with him/her. In this respect, “to request information” is also listed among the rights of personal data owner in Article 11 of the PDP Act. In this context, our Company provides necessary information according to Article 11 of the PDP Act, in case that the personal data owner requests for information. Detailed information related to this subject is provided in Article 10 of this Policy.

 

3.4.       PROCESSING THE PRIVATE QUALIFIED PERSONAL DATA

 

Our Company acts sensitively and in compliance with the regulations stipulated in the PDP Act, on processing the private qualified personal data which is specified as “private qualified” in the PDP Act.

In Article 6 of the PDP Act some of the personal data, which pose a risk for causing unjust treatment or discrimination of the persons when processed unlawfully, is identified as “private qualified”. This data is information on race, ethnic origin, political opinion, philosophic belief, religion, communion or other beliefs, appearance, membership of the association, foundation or union, health, sexual life, punishment sentence and safety measures, and biometric and genetic data.

Our company may process the private qualified personal data of the personal data owner in the line with the legal and lawful personal data processing purposes by exercising due diligence, by taking the necessary safety measures and by taking the adequate measures stipulated by the board of PDP, in the following cases

  • If the personal data owner gives explicit consent, or
  • If the personal data owner does not give explicit consent;

– The private qualified personal data, except the ones on health and sexual life of the personal data owner, is processed in cases stipulated in laws,

– The private qualified personal data on health and sexual life of the personal data owner are only processed by persons or authorized institutions and organizations subject to confidentiality obligation in order to protect public health, to carry out preventive medicine, medical diagnosis, treatment, and care services, plan and manage the health services and its financing.

 

3.5.       TRANSFERRING PERSONAL DATA

           

Our Company may transfer personal data and private qualified data of the personal data owner to the third parties (to the third companies, business partners, third-party real persons) by taking the necessary measures in line with the lawful personal data processing purposes. In this direction, our Company acts in compliance with the regulations stipulated in Article 8 of the PDP Act. Detailed information related to this subject is provided in Article 6 of this Policy.

 

 

3.5.1.   Transferring Personal Data

 

Our Company may transfer the personal data to the third parties as limited and based on one or more personal data processing terms stated in the Article 5 of the PDP Act, which is listed below, in line with the legal and lawful personal data processing purposes pursuant to the Article 5 of the PDP Act:

  • If the personal data owner gives explicit consent;
  • If there is a clear regulation on the transfer of the personal data in the law;
  • If it is mandatory to protect the life or physical integrity of the personal data owner or others, and if the personal data owner is not able to express its consent due to actual impossibility, or the legal validity of its consent is not recognized;
  • If the transfer of personal data of the contractual parties is required, providing to be directly related to the establishment of the contract or its implementation;
  • If the transfer of personal data is mandatory for our Company to fulfill its legal obligation;
  • If the personal data are made public by the personal data owner;
  • If the transfer of personal data is mandatory to establish, exercise or protect a right;
  • If the transfer of personal data is mandatory for our Company’s legal interests, provided not to give harm to the basic rights and freedom of the personal data owner;

3.5.2.   Transferring the Private Qualified Personal Data

Our Company may transfer the private qualified data of the personal data owner to the third parties in line with the legal and lawful personal data processing purposes by exercising due diligence, by taking the necessary safety measures, and by taking the adequate measures stipulated by the Board of PDP, in the following cases:

  • If the personal data owner gives explicit consent, or
  • If the personal data owner does not give explicit consent;

– In cases stipulated by the law, the private qualified personal data, except the ones on health and sexual life of the personal data owner, (data related with race, ethnic origin, political opinion, philosophic belief, religion, communion or other beliefs, appearance, membership of association, foundation or union, punishment sentence; and safety measures, and biometric and genetic data)

– Private qualified personal data on health and sexual life of the personal data owner; only by persons or authorized institutions and organizations subject to confidentiality obligation in order to protect public health, to carry out preventive medicine, medical diagnosis, treatment, and care services, plan and manage the health services and its financing.

 

 

3.6.       TRANSFERING PERSONAL DATA ABROAD

 

Our Company may transfer the personal data and private qualified personal data of the personal data owner to the third parties in line with the lawful personal data processing purposes by taking the necessary safety measures. The personal data are transferred by our Company to the foreign countries, which are announced by the Board of PDP as having sufficient protection (ANNEX – 3 “ A Foreign Country With Sufficient Protection”) or in case there is not sufficient protection, to the foreign countries which the Board of PDP gives permission and which the data supervisors in Turkey and relevant foreign country undertake a sufficient protection in writing (“ A Foreign Country undertaking a Sufficient Data Protection by Data Supervisor”). In this direction, our Company acts in compliance with Article 9 of the PDP Act. Detailed information related to this subject is provided in Article 6 of this Policy.

 

3.6.1.   Transferring Personal Data Abroad

Our Company may transfer the personal data to the Foreign Countries with Sufficient Protection or Which Have A Data Supervisor Undertaking a Sufficient Protection, in line with the legal and lawful personal data processing purposes, if the personal data owner gives explicit consent or if the personal data owner does not give explicit consent in case of the presence of the following situations:

  • If there is a clear regulation on the transfer of personal data in the law,
  • If it is mandatory to protect the life or physical integrity of the personal data owner or others,

and if the personal data owner is not able to express its consent due to actual impossibility, or

the legal validity of its consent is not recognized,

  • If the transfer of personal data of the contractual parties is required, providing to be directly

related to the establishment or performance of the contract,

  • If the transfer of personal data is mandatory for our Company to fulfill its legal obligation,
  • If the personal data are made public by the personal data owner,
  • If the transfer of personal data is mandatory to establish, exercise or protect a right,
  • If the transfer of personal data is mandatory for our Company’s legal interests, provided not to give harm to the basic rights and freedom of the personal data owner.

 

 

 

3.6.2.   Transferring the Private Qualified Personal Data Abroad

However, although our Company does not transfer the private qualified personal data to our foreign shareholders or third parties, it may transfer the private qualified personal data to the Foreign Countries With Sufficient Protection or Which Have A Data Supervisor Undertaking a Sufficient Protection, in line with the legal and lawful personal data processing purposes, by exercising due diligence, by taking the necessary safety measures, and by taking the adequate measures stipulated by the Board of PDP, in the following cases, when it is forced to do so:

  • If the personal data owner gives explicit consent, or
  • If the personal data owner does not give explicit consent;

– In cases stipulated in the law, the private qualified personal data, except the ones on the health and sexual life of the personal data owner, (data related with race, ethnic origin, political opinion, philosophic belief, religion, communion or other beliefs, appearance, membership of association, foundation or union, punishment sentence; and safety measures, and biometric and genetic data),

–   Special quality personal data on health and sexual life of the personal data owner; only by persons or authorized institutions and organizations subject to confidentiality obligation in order to protect public health, to carry out preventive medicine, medical diagnosis, treatment , and care services, plan and manage the health services and its financing.

  1. ARTICLE 4 – CLASSIFICATION, PROCESSING PURPOSES AND PRESERVATION PERIOD OF THE PERSONAL DATA PROCESSED BY OUR COMPANY
Our Company notifies the personal data owner on the classification of personal data of the personal data owner, the processing purposes of personal data of the personal data owner, and preservation period of personal data, in accordance with the Article 10 of the PDP Act

 

 

4.1.       CLASSIFICATION OF PERSONAL DATA

 

Within our Company the personal data is processed in the following categories, limited by the periods within the scope of this Policy, by informing the relevant persons pursuant to the Article 10 of  the PDP Act, in line with our Company’s legal and lawful personal data processing purposes, as limited and based on one or more personal data processing terms specified in the Article 5 of the PDP Act, and by complying with general principles specified in the PDP Act, in particular with the principles specified in the Article 4 of the PDP Act related with processing the personal data, and all obligations regulated by the PDP Act. In Article 5 of this Policy, it is indicated the connection of the personal data owners with the personal data classification regulated within the scope of this Policy.

 

 

PERSONAL DATA

 

DESCRIPTION OF PERSONAL DATA CLASSIFICATION

 

 

 

Identity Information

All information on the documents such as Driving License, Identity Card, Residency Certificate, Passport, Attorney Identity, Marriage Certificate which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

 

Contact Information

Information such as telephone number, address, e-mail which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

 

 

Location Data

 

Information which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part; which determines the location of the personal data owner during its use of our products and services or while our employees and the employees of the establishments which we cooperate with use our Company’s tools.
 

 

 

Job Applicants Information

Information which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data recording system in whole or part; and which is obtained and produced by a relevant person as a result of our business activities and the operations performed by our business units within this framework.
 

 

 

Information on Family Members and Relatives

Information about the family members and relatives of the personal data owner in relation with the products and services that we provide and which are intended for protecting the legal interests of the Company and personal data owner; which is clear to be a belonging of a physical person whose identity is determined or determinable and existing in a data recording system.
 

 

Information on Customer Transaction

Records intended for using our products and services and information such as the instructions and requests necessary for the use of our products and services, which is clear to be a belonging of a physical person whose identity is determined or determinable and existing in a data recording system.
 

Security Information on   Physical Location

Data on records and documents taken during entering into a physical place and staying in a physical place, which is clear to be a belonging of a physical person whose identity is determined or determinable and existing in a data recording system.
 

Information on Transaction Security

           Personal data which is processed in order to protect our technical, administrative, legal and commercial security while performing our commercial activities; which is clear to be a belonging of a physical person whose identity is determined or determinable and existing in a data recording system.
 

 

Information on Risk Management

Personal data which can be processed via methods used according to the approved legal, commercial practice and good faith rule in order to manage our commercial, technical and administrative risks; which is clear to be a belonging of a physical person whose identity is determined or determinable and existing in a data recording system.
 

 

 

Financial Information

Processed personal data in relation with the information, document and records showing all kinds of financial results created according to the legal relation type established by our Company with the personal data owner; which is clear to be a belonging of a physical person whose identity is determined or determinable, and processed automatically or non-automatically as a part of a data record system in whole or part.
 

 

 

 

 

Personnel Information

All kinds of personal data processed while obtaining information which shall lay the foundation of formatting the personnel rights of our employees and of the physical persons who are in a work relationship with our Company; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

Information on Employee Transaction

 

 

 

 

 

 

Information on Employee Candidate

Personal data which is processed in relation with all kinds of transactions performed by our employees or of the physical persons who are in a work relationship with our Company; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.

Personal data which is processed in relation with the persons who applied to be an employee of our Company or assessed as an employee candidate in line with the human resources needs of our Company as per the commercial practice and good faith rule or in relation with the persons who are in a work relationship with our Company; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.

 

 

Information on Employee’s Performance and Career Development

Personal data which is processed in order to measure the performance of our employees or of the physical persons who are in a work relationship with our Company and to plan and implement their career development under our company’s human resources policy; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

 

 

 

Information on Reward Benefits

Personal data which is processed in order to plan the reward benefits which we offer or shall offer to the employees or to the physical persons who are in a working relationship with our Company, to determine the objective criteria related with being entitled to them and to follow up allowances;  which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

 

 

Information on Legal Acts and Compliance

Personal data which is processed within the scope of determining and pursuing our legal receivables and rights, and discharging of our debts, and our legal liabilities, and complying with our company’s policies; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

 

Audit and Investigation Information

Personal data which is processed within the scope of complying with legal liabilities and company policies; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

Personal Qualified Personal Data

Data specified in Article 6 of the No. 6698 Act; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

 

 

 

 

Marketing Information

Personal data which is processed for customizing and marketing our products and services in line with the habits, admiration and needs of the personal data owner, and the reports and evaluations produced as a consequence of these processing results; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.
 

Claim/Complaint Management Information

Personal data received with all kinds of requests or complaints directed to our Company; which is clear to be a belonging of a physical person whose identity is determined or determinable and processed automatically or non-automatically as a part of a data record system in whole or part.

 

4.2.       PURPOSES OF PROCESSING PERSONAL DATA

According to the categorization prepared by Our Company, major purposes on personal data processing are shared below:

  • To carry out the necessary business activities by our relevant business units and to implement the work processes related to this in order to realize the commercial activities implemented by Our Company,
  • To plan and to execute our Company’s trade and/or work strategies,
  • To carry out the necessary business activities by our relevant business units and to implement the work processes related with this in order to enable the relevant persons to benefit from the products and services offered by Our Company,
  • To plan and to execute Our Company’s human resources policies and processes,
  • To provide legal, technical and commercial transaction safety support to the persons who are in a business relationship with our Company.

The purposes of personal data processing within the scope of the above listed superior purposes:

  • Activity Management
  • To Plan and to Execute Research and Development Activities
  • To Plan and To Execute Business Activities
  • To Plan and To Execute Corporate Communication Operations
  • To Plan and To Execute Secure Information Processes
  • To Establish and to Manage the Infrastructure of Information Technologies
  • To Plan and to Execute the Access Authorization of the Business Partners and/or Suppliers to the Information and Facilities
  • To Plan and to Execute the Reward Benefits and Interests of the Employees of Supplier and/or Business Partner
  • To Pursue the Finance and/or Accounting Transactions
  • To Create Service Planning for the Candidates Who Made Job Applications
  • Management of the Relations with the Business Partners and/or Suppliers
  • To Manage, to analyze and to execute personal background, CV and other necessary private qualified data of the candidates who made job applications
  • To Perform Activities Intended for Determining the Financial Risks of the Customers
  • To Plan and to Execute the Information Management Processes for Customer Relations / Candidates Who Made Job Application
  • To Pursue the Contract Processes and/or Legal Request
  • To Pursue the Requests and/or Complaints of the Customers / Candidates Who Made Job Application
  • To Plan the Human Resources Processes
  • To Execute the Staff Procurement Processes
  • To Plan and to Execute the Market Research Activities for Sales and Marketing of the Services
  • Legal Pay rolling Process
  • To Plan and to Execute the Marketing Processes of the Services
  • To Plan and/or to Execute the Customer Satisfaction Activities
  • To Pursue Legal Affairs
  • To Plan and to Execute the Operational Activities Necessary to Ensure the Company Activities Are Carried Out According to the Company Procedures and/or Relevant Legislation
  • To Collect the Entry-Exit Records of the Employees of the Business Partner / Supplier
  • To Collect the information about the candidates who made a job application
  • To Plan and to Execute the Company’s Auditing Activities
  • To Plan and/or to Execute the Occupational Health and/or Safety Processes
  • To Manage and/or to audit the Relations with the Affiliates
  • To Ensure the Safety of Company Compounds and/or Facilities
  • To Ensure the Safety of Company’s Assets and/or Resources
  • To plan and/or to execute the Financial Risk processes

Our Company refers to the explicit consent of the personal data owners to perform personal data processing activities under the personal data processing purposes out of the abovementioned situations; the below mentioned personal data processing activities are performed by the relevant business units depending on the mentioned explicit consent of the personal data owners. Within this framework; in case that the abovementioned conditions are not present, personal data processing purposes which the explicit consent of the personal data owners are referred to may be listed as follows;

  • To Plan and to Execute the Access Authorization of the Business Partners and/or Suppliers to the Information and Facilities
  • To manage, to Analyse and to Execute the personal background, CV and other necessary private qualified data of the candidates who made job applications
  • To Manage the Relations with the Business Partners and/or Suppliers
  • To Plan and to Execute the Sales Processes of the Services
  • To Collect the information of the candidates who made a job application
  • To Plan and to Execute the Customer Relations Management Processes
  • To Pursue the Contract Processes and/or Legal Request
  • To Plan the Human Resources Processes
  • To Execute the Staff Procurement Processes
  • To Execute the Legal Pay Rolling Processes
  • To Plan and to Execute the Market Research Activities for Sales and Marketing of the Services
  • To Plan and/or to Execute the Processes of Creating and/or Increasing Loyalty for the Products and/or Services Provided by the Company
  • To Plan and to Execute the Marketing Processes of the Products and/or Services
  • To Plan and/or to Execute the Customer Satisfaction Activities
  • To Plan and to Execute the Operational Activities Necessary to Ensure the Company Activities Are Carried Out According to the Company Procedures and/or Relevant Legislation
  • To Collect the Entry-Exit Records of the Employees of the Business Partner / Supplier
  • To Plan and To Execute the Company’s Auditing Activities
  • To Plan and/or to Execute the Occupational Health and/or Safety Processes
  • To Ensure the Safety of Company Compounds and/or Facilities.

 

4.3.       PRESERVATION PERIOD OF PERSONAL DATA

In case it is stipulated in relevant law and legislation, our Company keeps the personal data for a period specified in this legislation.

In case that the necessary period for keeping the personal data is not specified in the legislation, then our Company keeps the personal data for a period required by the processing purpose. In the case of expiration of the period or the reasons, which require processing are no longer present, then the personal data is deleted, destroyed or anonymized by our Company. Detailed information related to this subject is provided in Article 9 of this Policy.

If the processing purpose is ended, and the preservation period specified by the relevant legislation and company is also expired; the personal data may be kept only for constituting evidence in case of legal disputes or to be able to claim for the right connected with the personal data or to establish defense. In establishing the periods herein, the period of limitation in order to be able to claim the mentioned right, and although the period of limitation is expired, the preservation period is set based on the previous similar requests directed to Our company. In this case, the preserved personal data is not accessed with a different purpose, however, access to the relevant data is provided when the use of them is needed for legal disputes. After the period mentioned herein, the personal data is deleted, destroyed or anonymized.

  1. ARTICLE 5 – PERSONAL DATA OWNERS CATEGORIZATION

While our company processes personal data listed in the below personal data owners’ categories, the scope of application of this Policy is limited with our customers, our potential customers, our employee candidates, our shareholders, company executives, our visitors; the employees, shareholders and executives of the partner organizations, and third parties.

Protection and data processing activities of our employees’ personal data, shall be evaluated under MECCTİ HAVACILIK Policy of Protection and Processing Employees’ Personal Data.

Although the categories of the owners of the personal data which are processed by our Company are within the above context, the persons out of these categories may also direct their requests to our Company under the PDP Act, and the requests of these persons shall be evaluated under this Policy.

In the scope of this Policy, the customers, potential customers, employee candidates, shareholders, company executives, visitors, the physical persons in the partner organizations and third parties in relation with these persons are classified as below

Personal Data Category Description

Customer

Regardless of whether they have any contractual relationship with our Company, the physical persons who use or used the products and services offered by our Company

Potential Customer

The physical persons who requested or had an interest in using our products and services or may have interest according to the commercial practices and good faith rule

Visitor

The physical person who entered to the Physical Compounds owned by our Company for various reasons, or visited our web sites
Third Party The physical persons who are related with these persons to ensure the safety standard of the commercial procedures between our Company and abovementioned persons or to protect the rights of the abovementioned persons and establish interests (e.g., Warrantor, Companion, Family Members and Relatives or the physical persons who are not covered by MECCTİ HAVACILIK Policy of Protection and Processing Employees’ Personal Data)

Employee Candidate

The physical persons who made job applications to our Company by any method, or made available their backgrounds and related information to be assessed by our Company
Company Shareholder The physical persons and legal entities who are shareholders of our Company
Company Executive The physical persons who are members of our Company’s Executive Board and the other authorized physcial persons
Employees, Shareholders, and Executives of the Partner Companies The physical persons who work in the organizations which our Company has all kinds of business relationship with (including, but not limited with business partner, suppliers, etc.), including the employees, shareholders, and executives of these organizations

The below table enlarge upon the abovementioned categories of the personal data owners and which type of personal data is being processed based on these categories.

PERSONAL DATA CATEGORIZATION DATA OWNER CATEGORY RELATED WITH THE RELEVANT PERSONAL DATA
Identity Information Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Executive, Visitors; the Employees, Shareholders, and Executives of the Partner Organizations, Third Party
Contact Information Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Executive, Visitors; the Employees, Shareholders, and Executives of the Partner Organizations, Third Party
Location Data Customer, Employee, Employees of the Partner Organizations
Customer Information Customer
Information on Family Members and Relatives Customer, Visitor, Employee Candidate, Third Party, The Employees, Shareholders and Executives of the Partner Organizations
Candidate Job Applicant Candidates who apply for finding a job, and share personal data
Physical Space Security Information Visitor, Company Executives, the Employees, Shareholders, and Executives of the Partner Organizations
Process Security Information Customer, Visitor, Third Parties, Company Executives, the Employees, Shareholders, and Executives of the Partner Organizations
Risk Management Information Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Executive, Visitor, the Employees, Shareholders, and Executives of the Partner Organizations, Third Party
Financial Information Customer, Employee, Company Shareholder, Company Executive, the Employees, Shareholders, and Executives of the Partner Organizations
Personnel Information the Employees, Shareholders, and Executives of Partner Organizations
Information on Candidate Employee Employee Candidate, the Employees of the Partner Organizations
Information on Employees’ Transactions Employees of the Partner Organizations
Information on Employee Performance and Career Development Employees of the Partner Organizations
Information on Reward Benefits Employees of the Partner Organizations
Information on Legal Action and Compliance Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Executive, Visitor, the Employees, Shareholders and Executives of the Organizations that We Cooperate with, Third Party
Information on Audit and Investigation Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Executive, Visitor, the Employees, Shareholders, and Executives of the Partner Organizations, Third Party
Private Qualified Personal Data Customer, Employee Candidate, Company Shareholder, Company Executive, Employees, Shareholders and Executives of the Partner Organizations
Marketing Information Customer, Potential Customer
Information on Claim / Complaint Management Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Executive, Visitor, the Employees, Shareholders, and Executives of the Partner Organizations, Third Party

 

 

  1. ARTICLE 6 – THE THIRD PARTIES WHOM THE PERSONAL DATA ARE TRANSFERRED TO BY OUR COMPANY AND TRANSFERING PURPOSES

Our Company notifies the personal data owner on the groups of entities whom the personal data are transferred to, in accordance with Article 10 of the PDP Act.

Our Company may transfer the personal data of the customers to the persons in categories listed below, in accordance with the Articles 8 and 9 10 of the PDP Act (Section 3 /Caption 3.5):

  • MECCTİ HAVACILIK business partners,
  • MECCTİ HAVACILIK suppliers,
  • MECCTİ HAVACILIK affiliates,
  • MECCTİ HAVACILIK and its Foreign Shareholders,
  • Legally competent public institutions and organizations,
  • Legally competent private legal entities.

The extent of the abovementioned entities whom the transfer is made to, and the data transferring purposes are stated below:

The receiver of Data (Person or Entity) Definition Purpose of Data Transfer
Business Partner It defines the parties that our Company establishes a partnership with purposes such as sales, promotion, and marketing, after sales support of our company’s products and services, implementing the joint customer loyalty programs while our company performs its commercial activities. Limited with ensuring the satisfaction of the purposes of Establishment of the business partnership, Limited within the extent of the legal requirement, with the purpose of ensuring the pay rolling service by providing the information required by Law for Received Pay rolling Service, Limited with the relevant banks for the collections,

Supplier

It defines the parties who provide service based on the contracts, according to our Company’s orders and instructions, while our company performs its commercial activities. Limited with the purpose of ensuring the services, which are required for performing our Company’s commercial activities, for the services outsourced from the supplier
Our Affiliates The companies where our Company is a shareholder at Limited with ensuring the performance of commercial activities which require the participation of our Company’s affiliates
Our Shareholders As per the relevant legislation provisions, our shareholders which are authorized in designing the strategies and auditing activities in relation to our Company’s commercial activities Limited with the purposes of designing the strategies and auditing in relation to our Company’s commercial activities, as per the relevant legislation provisions
Legally competent public institutions and organizations The public institutions and organizations entitled to receive information and documents from our Company, as per legislation provisions Limited with the purpose requested by the relevant public institutions and organizations within their legal authorization
Legally competent private legal entities Private legal entities entitled to receive information and documents from our Company, as per legislation provisions Limited with the purpose requested by the private legal entities within their legal authorization

The transfers carried out by our Company are in accordance with the principles regulated in Section 2 and 3 of this Policy.

 

Our Company notifies to the personal data owners about the personal data being processed in accordance with the Article 10 of the PDP Act.
  1. ARTICLE 7 – PERSONAL DATA PROCESSING AND LIMITED DATA PROCESSING BASED ON THE LAWFUL PROCESSING TERMS

 

 

7.1.       PROCESSING OF PERSONAL DATA AND PRIVATE QUALIFIED PERSONAL DATA

7.1.1.    Personal Data Processing

The explicit consent of the personal data owner is the only legal means which enables to process the personal data lawfully. Except for the explicit consent, the personal data may also be processed in case of presence of the conditions listed below. The grounds of personal data processing may be only one or multiple conditions listed below. In case the processed personal data are the private qualified personal data, the terms specified under section 7.1.2 in this article, apply.

Although the legal basis for the personal data processing differs, Our Company acts in accordance with the general principles specified in the Article 4 of No. 6698 Act (see section 3.1) for all kinds of personal data processing activities.

A – Explicit Consent of the Personal Data Owner

One of the conditions of personal data processing is the explicit consent of the data owner. The explicit consent of the personal data owner should be expressed in relation to a subject, upon notification and of one’s free will.

 

Apart from the processing purpose for reasons of obtaining the personal data (primary processing), for the personal data processing activities (secondary processing), at least one of the terms provided in caption (ii), (iii), (iv), (v), (vi) and (vii) is sought. if any one of these terms does not exist, personal data processing activity is performed based on the explicit consent of the personal data owner for these processing activities.

In order to process the personal data based on the explicit consent of the personal data owner; explicit consents of the customers, potential customers and visitors are obtained by the relevant methods.

B –    Being Explicitly Stipulated by the Law

The personal data of the data owner may be processed, in case it is explicitly stipulated by the law.

 C – Not Being Able to Obtain the Explicit Consent of the Relevant Person Due to Physical Impossibility

If processing the personal data mandatory to protect the life or physical integrity of the personal data owner or others, and if the personal data owner is not able to express the consent due to actual impossibility, or the legal validity of the consent is not recognized, the personal data of the data owner may be processed.

E.g.: Information about blood group of the patient in coma, informed to doctor by his/her friend

 

D –   Being Directly Related with the Establishment or Performance of the Contract

 

In case of being directly related to the establishment or performance of a contract, processing the personal data is possible in case that processing of personal data of the contractual parties is required

E.g. Providing name and address of a customer who purchased a product to a courier company.

E – Performing Company’s Legal Obligation

 

The personal data of the

E.g. Submitting the information to the court, if requested by a court order.

data owner may be processed, in case processing is mandatory for our Company to fulfill its legal obligations as the data supervisor.

 

F-   If the Personal Data is made public by the Personal Data Owner

E.g. The data of a person, who states that he/she wants to purchase a car with certain features on a public website and writes his/her telephone number, may be processed without the explicit consent of his/her within this scope. In this direction, the persons who want to sell a car with the relevant features, may contact with this person without a need for explicit consent.

The relevant personal data may be processed, in case the personal data is made public by the personal data owner himself/herself.

G – Mandatory Data Processing for Establishing or Protecting a Right

E.g. Keeping the data which have proof characteristics (sales contract, invoice) and using them when required.

The personal data of the data owner may be processed, in case the processing is mandatory for establishing, using or protecting a right.

H – Mandatory Data Processing for Our Company’s Legal Interest

On condition that the basic rights and freedoms of the personal data owner are not harmed, the personal data of the data owner may be processed in case the processing is mandatory for the legal interests of the Company.

E.g. Processing the personal data in order to make in-company calculations by the accounting department.

7.1.2.    Processing the Personal Qualified Personal Data

 

In case the personal data owner does not give explicit consent, the private qualified personal data are only processed by our Company in the below situations, provided that appropriate measures are taken as determined by the Board of PDP:

  • The personal qualified personal data, except the ones on health and sexual life of the personal data owner, in cases, stipulated in laws,
  • The personal qualified personal data on health and sexual life of the personal data owner, only by persons or authorized institutions and organizations subject to confidentiality obligation in order to protect public health, to carry out preventive medicine, medical diagnosis, treatment, and care services, plan and manage the health services and its financing.
  1. ARTICLE 8 – WEBSITE VISITORS

On the websites owned by our company, we ensure that the visitors to these sites perform their visits on the sites in a manner appropriate for the visit objectives. For this purpose, the websites may show their customized content and engage in online advertising activities, however, they do not record any internet movements by technical means.

  1. ARTICLE 9 – TERMS OF ERASING, DESTROYING AND ANONYMIZATION OF PERSONAL DATA
The personal data are erased, destroyed or anonymized upon our Company’s decision or the request of the personal data owner, in case the reasons which require data processing do not persist, although they are processed by our Company as per the relevant law provisions regulated in the Article 138 of Turkish Criminal Code and the Article 7 of the PDP Act.

 

 

9.1. OBLIGATION OF MECCTİ HAVACILIK TO ERASE, DESTROY AND ANONYMIZE

 

The personal data are erased, destroyed or anonymized upon our Company’s decision or the request of the personal data owner, in case the reasons which require data processing no longer exist, although they are processed by our Company as per the relevant law provisions regulated in the Article 138 of the Turkish Criminal Code and Article 7 of PDP Act. Within this scope, our Company fulfills its relevant obligation with the methods explained in this section.

9.2. METHODS OF ERASING, DESTROYING AND ANONYMIZING THE PERSONAL DATA

9.2.1.    Methods of Erasing and Destroying the Personal Data

Our Company may erase or destroy the personal data, at our Company’s own discretion or upon the request of the personal data owner, in case the reasons which require data processing no longer exist, although they are processed by our Company as per the relevant law provisions. The most common erasing techniques are listed below:

  • Physical Destruction

The personal data may be processed by non-automatic ways, provided being a part of a data recording system. When erasing/ destroying these types of data, physical destruction system is applied for the purpose of not being able to reuse the data.

  • Secure Deletion in Software

When deleting/destroying the data processed by wholly or partially automatic ways and stored in a digital medium, methods related with deleting data on the relevant software is applied for the purpose of not being able to reuse the data.

  • Sending to a Specialist for Secure Deletion

In some cases, MECCTİ HAVACILIK may have an agreement with an expert to delete the personal data on behalf of the company. In this case, the personal data is erased/ destroyed by the expert safely for the purpose of not being able to recover the data in the future.

9.2.2.    Methods of Anonymizing the Personal Data

Anonymization of personal data implies that personal data can never be associated with a specific or identifiable physical person even when matched with other data. Our company may anonymize personal data when the reasons for the processing of personal data no longer exists.

 

As per Article 28 of the PDP Act, the anonymized personal data may be used for purposes such as research, planning, and statistics. These kinds of processes are under the PDP Act, and the explicit consent of the personal data owner shall not be sought. As the personal data is processed by anonymizing, the rights regulated in Article 10 of this Policy shall not apply to these data.

The most common anonymizing methods are listed below:

  • Masking
E.g. personal data of the data provider enabeling his identification, such as name, identification numbet etc. are removed while identification of the data holder becomes impossible from the data set.

Masking is an anonymizing method which anonymizes the personal data by subtracting the indicative information from the data set.

  • Aggregation
E.g. Setting forth that there are Z customers with X age, without showing the ages of the customers separately.

With data aggregation method, various data is aggregated, based on that it can not be associated with a physical person

  • Data Derivation

With the data derivation method, a more general content is created from the content of personal data, therefore the personal data cannot be associated with any physical person.

E.g. replacing date of birth with age or replacing residency address with region.

Data Shuffling, Permutation

  • With the data shuffling method, the figures within the personal data set are mixed, thus the connection between the physical person and the figures is broken.
E.g. Changing quality of the voice record.

 

  1. ARTICLE 10 – RIGHTS OF THE PERSONAL DATA OWNERS; METHODOLOGY OF EXERCISING AND ASSESSING THESE RIGHTS

MECCTI HAVACILIK notifies the personal data owners on their rights, instructs the personal data owners on exercising these rights as per the Article 10 of the PDP Act, and operates necessary channels, internal operation and administrative and technical settings essential as per the Article 13 of the PDP Act in order to assess the personal data owners’ rights and notify them when required.

10.1 RIGHTS OF THE DATA OWNERS AND EXERCISING THESE RIGHTS

 

10.1.1. Rights of Personal Data Owner

 

The personal data owners are entitled to the below rights:

(1)        To learn whether the personal data has been processed or not,

(2)        If the personal data has been processed, to request information in relation to this subject,

(3)     To learn the aims of processing the personal data and to investigate if the personal data were used relevantly

(4)        To learn the third parties operating domestically and abroad who have gathered the personal data

(5)        To ask for corrections if the personal data were processed incompletely or inaccurately, and within this scope to request the transaction be notified to the third parties who have gathered the personal data

(6)        To ask for canceling or deleting the personal data in case the reasons for processing personal data no longer exists, and within this scope to request the transaction be notified to the third parties to who have gathered the personal data,

(7)        To object to a negative outcome for them in case their personal data are exclusively analyzed via automatic systems,

(8)        To demand for recovery of damages and losses if the personal data were processed against the law.

10.1.2. Conditions under Which the Personal Data Owner Cannot Claim for his/her Rights

 

Pursuant to article 28 of the PDP Act, the personal data owner cannot claim their rights in the following situations listed in section 10.1.1. under the following terms:

(1)   Processing the personal data for research, planning and statistical purposes by anonymizing the personal data via official statistics.

(2)    Processing the personal data for art, history, literature, and scientific purposes, or within the scope of freedom of expression; provided not breaching the national defense, national security, public security, public order, economic safety, the right of privacy or personal rights, or constituting a crime.

(3)    Processing the personal data for ensuring the national defense, national security, public security, public order, or economic safety, within the scope of preventive, protective and informative activities performed by public institutions and organizations authorized and commissioned by law.

(4)   Processing the personal data required by judicial authorities or execution authorities in relation to the investigation, prosecution, adjudication or execution activities.

Pursuant to the article 28/2 of the PDP Act; except the claims for loss recovery, other claims listed in 10.1.1. can not be made by data owner in the following situations:

(1)   If personal data processing is required to prevent committing a crime or for a criminal investigation.

(2)   Processing the personal data which is made public by the personal data owner.

(3)  If personal data processing is required in order to carry out audits or arrangements for the authorization of disciplinary investigation or prosecution by the public authorities and bodies authorized by law.

(4)   If personal data processing is required for protecting the economic and financial interests of the State in relation to the budget, tax and financial matters.

10.1.3. Exercising the Rights by Personal Data Owner

The personal data owners may communicate their requests in relation to the rights listed under section 10.1.1 of this article through the following methods:

1 – In person to the address of Meccti Havacılık İstanbul A.H.L Serbest Bölgesi Yeşilköy Sb. Mah. Havalimanı cad. No:1 Plaza Sok. No: 931 Bakırköy, Istanbul, by submitting a petition stating the requests expressly or by completing a form which is provided and with original signature

2 – By submitting a petition stating the requests expressly or by completing a form which is available at www.inflightcrewjobs.com. The document with the original signature of the personal data owner may be submitted through a public notary office to the address of Meccti Havacılık İstanbul A.H.L Serbest Bölgesi Yeşilköy Sb. Mah. Havalimanı cad. No: 1 Plaza Sok. No: 931 Bakırköy, Istanbul.

3 – By submitting a petition stating the requests expressly or by completing a form which is available at www.inflightcrewjobs.com. The document with the original signature of the personal data owner or with a safe electronic signature, under the Electronic Signature Act No. 5070, may be submitted via e-mail to mecctihavacilik@hs03.kep.tr.

It is not possible to communicate requests of the personal data owners through third parties.
In order to a person other than the personal data owner to make a request, a special power of attorney issued by the personal data owner on behalf of the applicant must be available.

Pursuant to the No. 6698 PDP Act, the personal data owner may only use the above 3 methods for communicating their requests to the Data Supervisor of MECCTI HAVACILIK while exercising their rights

10.1.4. Right to Complain to the Board of PDP

Pursuant to the Article 14 of the PDP Act, in case that the application is rejected, finding the response insufficient or failing to respond the application within the period; personal data owner may make a complaint to the Board of PDP within thirty days from the date he/she learns the company’s response and within sixty days from the date of application in any event.

 

10.2.   MECCTİ HAVACILIK RESPONSE TO APPLICATIONS

 

10.2.1. Our Company’s Procedures and Duration of Response to Applications

In case that he personal data owner submit the request according to the procedure listed in section 10.1.3 of this article, our Company shall conclude the claim as soon as possible and at the latest within thirty days free of charge according to the qualification of the claim.

However, if the transaction requires an additional cost, a fee may be charged by the Company from the applicant according to the tariff determined by the Board of PDP.

10.2.2. Information Which May Be Requested by Our Company from the Applying Personal Data Owner

 

Our Company may request for information from the relevant person in order to determine whether the person submitting the request is the personal data owner or not.

Our Company may pose questions to the personal data owner in order to clarify the matters in the application of the personal data owner.

 

10.2.3. The Right of Our Company to Reject the Application of the Personal Data Holder

 

In the following cases, our company may refuse the application of the applicant by explaining the reasons:

(1)   Processing the personal data for research, planning and statistics purposes by anonymizing them via official statistics.

(2)   Processing the personal data for art, history, literature, and scientific purposes, or within the scope of freedom of expression; provided not breaching the national defense, national security, public security, public order, economic safety, the right of privacy or personal rights, or constituting a crime.

(3)    Processing the personal data for ensuring the national defense, national security, public security, public order, or economic safety, within the scope of preventive, protective and informative activities performed by public institutions and organizations authorized and commissioned by law.

(4)    Processing the personal data if required by judicial authorities or execution authorities in relation to the investigation, prosecution, adjudication or execution activities.

(5)   If the personal data processing is required to prevent committing a crime or for a criminal investigation.

(6)   Processing the personal data which is made public by the personal data owner.

(7)   If personal data processing is required in order to carry out audits or arrangements for the authorization of disciplinary investigation or prosecution by the public authorities and bodies authorized by law.

(8)   If personal data processing is required for protecting the economic and financial interests of the State in relation to the budget, tax and financial matters.

(9)   The request of the personal data owner is likely to prevent the rights and freedoms of other persons

(10)  Requests that require a disproportionate effort.

(11)  The information requested is publicly available

 

  1. ARTICLE 11 – THE RELATION BETWEEN THE COMPANY’S PERSONAL DATA PROTECTION POLICY AND OTHER POLICIES

The basic policies regarding the protection and processing of personal data related to the principles set forth by this Policy are listed below. These policies are also linked to the basic policies carried out by the Company in other areas and harmonization is ensured between the processes operated by the company with different policy principles for similar purposes. Some of the policies listed in the table below are for internal use. The principles of the Company’s internal policies are reflected in the publicly-open policies, informing its stakeholders in this context and ensuring transparency and accountability of the Company’s personal data processing activities  

Our Company has established a governance structure to ensure compliance with the regulations of the PDP Act and the enforcement of the Personal Data Protection Policy.

12.  ARTICLE 12 – COMPANY PERSONAL DATA PROTECTION AND PROCESSING POLICY GOVERNANCE STRUCTURE

 

The “Personal Data Protection Commission” is established in the Company pursuant to the decision of Company’s executives in order to manage this policy and the other policies connected and related with this policy (see Article 11). The tasks of this commission are listed below:

  • Preparing and enforcing the basic policies related to the Protection and Processing of Personal Data by submitting them for approval to the senior management.
  • Deciding how to implement and supervise the policies related to the Protection and Processing of Personal Data, and to make in-company assignment and coordination within this framework.
  • Identifying the issues to be taken to ensure compliance with the Personal Data Protection Act and the relevant legislation and to submit to the senior management the requirements for implementation; supervising and ensuring coordination
  • Raising awareness of the protection and processing of personal data within the Company and during cooperation with other companies
  • Identifying the risks that may occur in the Company’s personal data processing activities and ensuring that necessary measures are taken; presenting the improvement proposals for approval to the senior management
  • Designing and implementing training on the protection of personal data and the policies implementation.
  • Deciding the maximum number of applications of the personal data owners.
  • Coordinating and executing of information and training activities to ensure that the personal data owners are notified about personal data processing operations and their legal rights.
  • Preparing and submitting amendments to the key policies related to the Protection and Processing of Personal Data for approval of the senior management and enforcing the amendments.
  • Following developments and regulations of the Protection of Personal Data; advising the senior management on the necessary actions to be taken within the Company in accordance with these developments and regulations.
  • Coordinating the affairs with the PDP Board and its Agency.
  • Executing other tasks by the Company’s senior management to protect personal data

ANNEX – 1 DEFINITIONS

 

Explicit Consent: Consent on a specific subject, subject to the information and expressed by the free will

Anonymizing:  Changing the personal data in such a way as to lose the quality of personal data which cannot be recovered. E.g.: Masking, consolidation, data corruption, etc. methods that make impossible to correlate personal data with any physical person.

Employee Candidate:  The physical persons who made job applications to our Company by any method or made available their backgrounds and related information to be assessed by our Company, The Employees of the Partner Organizations.

Shareholders and Executives:  Physical persons, including the shareholders and authorities of these companies, who work in all kinds of business relationships with our company (including but not limited to business partners and suppliers)

Processing the Personal Data: All kinds of data processing being fully or partially automated or being non-automated as a part of data recording systems such as obtaining, recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying and preventing from using

Personal Data Owner:  The physical person whose personal data is being processed.

E.g.: Customers and employees. Any information on any physical person whose identity is determined or may be determined. Hence, processing of information on legal entities is not within the scope of the Law. For example; name-surname, identity number, e-mail, address, date of birth, credit card number and so on.

Customer: Physical persons who have used or used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company

Personal Qualified Personal Data:  Information on race, ethnic origin, political opinion, philosophic belief, religion, communion or other beliefs, appearance, membership of the association, foundation or union, health, sexual life, punishment sentence and security measures, and biometric and genetic data are the private qualified personal data.

Potential Customer: Physical persons, who have requested or are interested in using our products and services, or who may be interested in this practice and evaluated in accordance with the honesty principles, in other words, applicant to our company.

Company Shareholders: The physical persons who are our company’s shareholders

Company Executive: The physical persons who are members of our Company’s Executive Board and the other authorized physical persons

Third Party: Third party physical persons who are associated with these persons to ensure the security of the commercial procedures between our Company and abovementioned persons or to protect the rights of the abovementioned persons and establish interests (e.g., Warrantor, Companion, Family Members and relatives)

Data Processor: The physical persons or legal entities who process the personal data on behalf of the data supervisor based on the authorization given by the supervisor.

Data Supervisor: The person who determines the personal data processing purposes and tools and manages the location (data recording system) where the personal data are kept systematically.

Visitor:  The physical person who entered to the Physical Compounds owned by our Company for various reasons or visited our websites.

ANNEX – 2 IMPORTANT DATES FOR IMPLEMENTATION OF THE PDP ACT

7 April 2016

Our Company acts in compliance with the following obligations as of 7 April 2016:

(i)             General rules and principles for the processing of personal data

(ii)            Obligations of notifying the personal data owner

(iii)          Data security liability

7 October 2016

As of 7 October 2016, the below-listed regulations came into force, and Our Company acts in compliance with these regulations:

–  Provisions relating to the transfers of personal data to third parties and abroad

– Provisions giving rights to the personal data owner to apply for information to our Company (to learn whether the personal data has been processed or not, to learn the third parties operating domestically and abroad who have gathered the personal data, to ask for corrections) and to make a complaint to the Board of PDP.

7 April 2017

(v)

(vi)           The consents received in accordance with the law before 7 April 2016 shall be deemed in accordance with the PDP Act unless otherwise stated by the personal data owner as of 7 April 2017.

(vii)          As of 7 April 2017, the Legislation on the PDP Act has come into force and our company has complied with the regulations.

7 April 2018

Personal data processed before April 7, 2016, shall be deleted or anonymized by our Company before 7 April 2018, in accordance with the PDP Act

ANNEX – 3 PERSONAL DATA PROCESSING OF EMPLOYEES AND BUSINESS PARTNERS EMPLOYEES

(viii)         PERSONAL DATA OWNER (ix)

(x)            COLLECTING AND PROCESSING PERSONAL DATA

(xi)           EXERCISING THE RIGHTS AND APPLICATION
(xii)

(xiii)         Employee Candidates

(xiv)         The personal data of the employee candidates which are collected during the recruitment process, and the private qualified personal data which are collected in accordance with the qualification of the work are processed by our Company for the purposes specified in Section 4.2 and Article 7 of the Policy and listed below:

(xv)          •   To assess the candidate’s qualification, experience and interest, and eligibility for the vacant position,

(xvi)        • When required, to check the correctness of the information provided by the candidate or take a reference on the candidate by contacting third persons,

(xvii)        • To contact the candidate regarding the application and recruitment process, or when applicable, to contact the candidate regarding a subsequent vacancy inland or abroad,

(xviii)      • To satisfy the requirements of the relevant legislation or requests of authorized institutions or organizations,

(xix)         • To develop and improve recruitment principles used by our Company. Personal data of the employee candidates may be collected by the following methods and tools:

(xx)          • Digital application form published in written or in an electronic environment;

(xxi)         • Backgrounds sent by the candidates via e-mail, courier, reference and similar methods,

(xxii)        •   Employment or consultation companies;

(xxiii)       • Via tools such as video conference, telephone, or during an interview in case it is made face to face,

(xxiv)      • Checks performed in order to verify the correctness of the information given by the candidate, and researches made by our Company,

(xxv)       • Recruitment tests which determine the skills and personality characteristics, performed and assessed by the experienced experts.

(xxvi)       Employee candidates may also direct their requests related to their rights, which arise from being a data owner to our Company through the method explained in Article 10 of this Policy.

Business Partners Employees

Within the scope of fulfilling the commercial activities established with the business partners; personal data of the employees of business partners may be processed by the Company with purposes explained in Section 4.2 and Article 7 of this Policy.

Employee candidates may also direct their requests related to their rights, which arise from being a data owner to our Company through the method explained in Article 10 of this Policy.