JENGAL SOFTWARE JOINT STOCK COMPANY
PERSONAL DATA PROCESSING AND PROTECTION POLICY

DOCUMENT NAME  : Personal Data Processing and Protection Policy

APPROVED BY        : Jengal Software JSC


DATE : 01.06.2024


VERSION : 1


CONTENTS

INTRODUCTION

  1. PURPOSE
  1. SCOPE
  1. DEFINITIONS
  1. CLASSIFICATION OF RELATED PERSONS
  1. CLASSIFICATION OF PERSONAL DATA
  1. INFORMATION REGARDING THE DATA CONTROLLER
  1. ROLES AND RESPONSIBILITIES REGARDING THE PROTECTION OF PERSONAL DATA
  1. COLLECTION OF PERSONAL DATA
  1. PROCESSING OF PERSONAL DATA
    1. General Principles in the Processing of Personal Data
      1. Compliance with Law and Good Faith Principles
      2. Ensuring Personal Data is Accurate and Up-to-date When Necessary
      3. Processing Personal Data for Specific, Explicit, and Legitimate Purposes
      4. Processing Personal Data in Connection with, Limited to, and Proportional to the Purpose for Which They Are Processed
      5. Retaining Personal Data for the Period Stipulated in the Relevant Legislation or as Required for the Purpose for Which They Are Processed
    2. Conditions for Processing Personal Data
      1. Obtaining the Explicit Consent of the Relevant Person
      2. Cases Where Personal Data Can Be Processed Without Seeking Explicit Consent
      3. Processing of Special Categories of Personal Data
      4. Processing Personal Data Through Cookies
  1. PURPOSES OF PROCESSING PERSONAL DATA AND LEGAL BASIS
  1. TRANSFER OF PERSONAL DATA
    1. GENERAL PRINCIPLES REGARDING THE TRANSFER OF PERSONAL DATA
    2. TRANSFER OF PERSONAL DATA ABROAD
  1. INFORMING THE RELEVANT PERSON
  1. PROTECTION OF THE RIGHTS OF THE RELEVANT PERSON

RIGHTS OF THE RELEVANT PERSON

    1. CASES OUTSIDE THE RIGHTS OF PERSONAL DATA OWNERS AS PER LEGISLATION
    2. EXERCISING THE RIGHTS OF THE RELEVANT PERSON
  1. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

TECHNICAL MEASURES

    1. ADMINISTRATIVE MEASURES
    2. MEASURES TO BE TAKEN IN CASE OF UNLAWFUL DISCLOSURE OF PERSONAL DATA
  1. STORAGE AND DESTRUCTION OF PERSONAL DATA

EFFECTIVENESS AND ANNOUNCEMENT


INTRODUCTION


The Personal Data Protection Law No. 6698 (KVKK/Law) was published in the Official Gazette on April 7, 2016, with the aim of protecting the fundamental rights and freedoms of individuals, primarily the privacy of private life, in the processing of personal data belonging to real persons, and to regulate the obligations of real and legal persons who process personal data, as well as the procedures and principles to be followed. Additionally, this Policy has been prepared in accordance with the amendments made in Articles 6, 9, and 18 of Law No. 6698 published in the Official Gazette No. 32487. The organization and responsibilities of Jengal Software Joint Stock Company (“Company”) regarding the processing and protection of personal data within the scope of KVKK, the Constitution, and International Agreements are explained in the Policy.


  1. PURPOSE


The purpose of this Policy is to make explanations about systems for the processing and protection of personal data in accordance with the purpose of the Personal Data Protection Law No. 6698, to inform the real persons whose personal data are processed by the Company, including but not limited to Company stakeholders, Company officials, business partners, employees, employee candidates, suppliers, affiliates, customers, visitors, and third parties, to establish and implement the Company’s own standards in personal data management, to determine organizational goals and obligations, to establish control mechanisms, and to fulfill the Company’s obligations under international agreements, the Constitution, laws, and agreements in the field of personal data protection.

The organization specified in this Policy aims to ensure compliance with the legislation in the activities of processing, protection, storage, and destruction of personal data carried out by Jengal Software Joint Stock Company, to establish the necessary order to ensure compliance, to ensure transparency by informing the persons whose personal data are processed by the Company, and to protect the rights of personal data owners arising from the legislation.


  1. SCOPE


This Policy covers real persons whose personal data are processed by Jengal Software Joint Stock Company, including but not limited to Company stakeholders, Company officials, business partners, employees, employee candidates, suppliers, visitors, customers, potential customers, and third parties, whether processed automatically or by non-automatic means provided that they are part of any data recording system. Legal entities are not included in this Policy.

If the processed data is not considered "personal data" and if the personal data processing activity is not carried out by the methods mentioned above, this Policy will not apply.

Within the scope of this Policy, customized information about the data processed within the framework of the Company's organization, categorization of the data, related persons, data collection method, conditions for processing personal data, groups of third parties to whom the data is transferred, processing periods of the data, and destruction periods of the data are included.


  1. DEFINITIONS


Company : Jengal Software Joint Stock Company

Explicit Consent : Consent given for a specific matter, based on information and free will, clearly expressed, limited to that specific process only.

Anonymization : The process of rendering personal data unidentifiable with a specific or identifiable real person, even when matched with other data.

Obligation to Inform : The obligation of the data controller to inform the individuals whose personal data is being processed about who will process this data, for what purposes and on what legal grounds it can be processed, and to whom and for what purposes it can be transferred.

Cookie : Small files that help store user preferences and other information on their computers or mobile devices when they visit web pages.

Related Person : The real person whose personal data is processed.

Related User : Persons who process personal data within the data controller's organization or under the authority and instruction received from the data controller, excluding those responsible for technically storing, protecting, and backing up the data.

Destruction : Deletion, destruction, or anonymization of personal data.

Contact Person : The real person notified by the data controller during registration to VERBIS.

Registered Electronic Mail (REM) : A system that protects all kinds of commercial, legal correspondence and document sharing in the form sent, identifies the recipient with certainty, ensures that the content does not change, and makes the content legally valid and secure evidence.   


Personal Data : Any information relating to an identified or identifiable real person.

Processing of Personal Data : Any operation performed on personal data such as collecting, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing its use, fully or partially by automated means, or non-automated means provided that it is part of a data recording system.

Personal Data Storage and Destruction Policy : The process of determining the maximum retention period required for the purposes for which personal data are processed and the basis for deletion, destruction, and anonymization operations in accordance with the Regulation on the Deletion, Destruction, and Anonymization of Personal Data by the Company.

“Jengal Software Joint Stock Company Personal Data Storage and Destruction Policy”.

KVKK : The Personal Data Protection Law No. 6698, published in the Official Gazette dated April 7, 2016, and numbered 29677.

Board : Personal Data Protection Board

Institution : Personal Data Protection Authority

Automated Data Processing : Processing carried out by devices with processors such as computers and phones, within the scope of predefined algorithms without human intervention, through software or hardware features.

Special Categories of Personal Data : Personal data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.

Policy : Jengal Software Joint Stock Company Personal Data Processing and Protection Policy

Periodic Destruction : Repeating deletion, destruction, or anonymization processes when all conditions for processing personal data in the law are eliminated.

VERBIS : Data Controllers Registry Information System

Data Processor : The real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Controller : The real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.



  1. CLASSIFICATION OF RELATED PERSONS 


The relevant persons whose personal data are processed by Jengal Software Joint Stock Company within the scope of the Personal Data Protection Policy are as follows:


Company Stakeholders

Real persons who are stakeholders of the Company.


Business Partners

Real persons who are officials, stakeholders, or employees of the organizations with which the Company has a commercial relationship.


Employee

SGK (Social Security Institution) registered employees of Jengal Software Joint Stock Company


Employee Candidates

Real persons who have applied for a job to Jengal Software Joint Stock Company in any way or have opened their CVs and information for the Company’s review.


Suppliers


Parties providing services to the Company based on contract and in accordance with the Company's orders and instructions within the scope of the Company's commercial activities.


Visitors

Real persons visiting Company buildings or websites operated by the Company.


Customers

Real persons using or having used the products and services offered by the Company, regardless of whether they have a contractual relationship with the Company.


Third Parties

Other real persons whose personal data is processed by the Company but do not fall under any specific category of related persons defined in this Policy.

  1. CLASSIFICATION OF PERSONAL DATA


Identity Data

Name, surname, date of birth, country of birth, city of birth, gender, marital status, nationality, Turkish ID card information (Turkish ID number, serial number, wallet number, father's name, mother's name, place of birth, province, district, neighborhood, volume number, family order number, order number, household number, page number, registration number, place of issue, reason for issue, date of issue, previous surname), full population registration record, population card copy, tax number, professional identity information.

Contact Data

Phone number, full address information, email address, intra-company contact information (extension number, corporate email address)

Financial/Fiscal Data

Bank account number information, IBAN number information, bank name and branch information, financial status report and salary details, payrolls, premium entitlements, premium amounts, and monthly premium service declaration, file and debt information related to enforcement follow-up files, bank account passbook, minimum living allowance information, private health insurance amount, temporary allowances paid by SGK and İŞKUR.

Special Categories of Personal Data

Blood type, chronic disease information, vaccination history, medical history information, past illnesses and surgeries, disability information, alcohol, substance, cigarette use, x-ray images, medications used, health complaints, all preventive medicine, diagnosis, and treatment procedures related to health, blood and urine tests, physiological analysis results, spirometry test, height, weight, physical examination results, private health insurance policy information, employment entry and periodic examination forms, pregnancy information, criminal record, and/or security measures information, criminal record.

Education Data

Education status, certificate and diploma information, foreign language information, education and skills, experience information, CV, courses attended, transcript information, national or international exam results.

Physical Space Security Information Data

Personal data related to records and documents obtained during physical entry to the premises and within the physical premises; records obtained by reading the employee entry card when entering the workplace, camera records, vehicle information records, and records taken at the security point.

Visual and Audio Data

Static or moving images and/or sounds of the event venue and participants for the purposes of promoting, announcing, and disseminating the event related to conferences, seminars, shows, exhibitions, debates, and fairs organized by our Company; visual/auditory information provided by cameras installed in Company headquarters, branches, and representative offices to ensure security. 

Visual and audio data related to promotion, meetings, training, information, and interviews conducted via digital platforms.

Passport photo, if included in the CV.

Transaction Security Data

IP address information, website login/logout information, log records, entry passwords, and password information to electronic systems and devices.

Family and Relative Data

Marriage certificate; spouse and children's name/surname/Turkish ID number/gender/date of birth/job/phone number, relatives' name/surname/phone number, reference information.

Work-related Data

Information related to your job status provided through application forms (job application, internship application), registration documents, or by sending job application forms to our official email address, [email protected], or through other online or physical application methods provided by our Company, such as Linkedin, Kariyer.net, Indeed, Yenibiris.com, Jooble, Youthall, Coensio websites; social security number, position, department and unit, title, internship location, internship duration, last entry date, entry/exit dates, social security entry/retirement, assignment number, social security number, tax office number, flexible working hours status, travel status, retirement fund, retirement fund entry date, retirement fund registry number, self-employed pension plan entry date, self-employed pension plan registry number, accounting code, working days, projects worked on, monthly total overtime information, severance pay base date, additional severance pay days, strike days.

Leave Data:

Leave base date, additional leave days, leave group, exit/return date, day, reason for leave, address/phone during leave, and signatures.

Cookie Data

Small files that help store users' preferences and other information on their computers or mobile devices when they visit web pages.

Other Processed Data

Military deferral, military status document, vehicle plate number, vehicle registration copy, vehicle mileage information, driver's license copy, traffic ticket inquiry result, clothing size, martyr relative status, bus service taken, bus stop data.

  1. INFORMATION ABOUT THE DATA CONTROLLER

Information about the data controller for personal data processing activities falling within the scope of this policy is provided below.

Data Controller:

Title   : Jengal Software Joint Stock Company

Address     : Örnek Mh. Semerkant Cd. Zemzeme Sk. No: 24/A Ataşehir, Istanbul 

Phone   :  0 216 341 05 70

Email address : [email protected]

KEP Address   : [email protected]

Website : www.jengal.com


  1. ROLES AND RESPONSIBILITIES RELATED TO THE PROTECTION OF PERSONAL DATA


The Company has organized a separate structure for personal data protection processes and has provided the necessary equipment to ensure the continuity of compliance with KVKK. In this context, a Contact Person has been appointed within the Company.


TITLE

DEPARTMENT

DUTY

Board of Directors

Members of the Company's Board of Directors 

Ensures that work and transactions are carried out in accordance with the Policy.

Senior Management

General Manager 

Responsible for the execution of activities regarding the protection of personal data.

KVKK Committee

Human Resources 

Develops policies, creates plans, evaluates requests, determines needs, and ensures compliance with the policies prepared within the framework of KVKK.

Information Technologies 

Human Resources 

Ensures the implementation and maintenance of necessary technical measures for data protection and compliance with KVKK requirements.

Contact Person

Information Technologies

Responsible for maintaining communication with the Institution and the Board of KVKK, ensuring the registration and updating of information in VERBIS.


  1. COLLECTION OF PERSONAL DATA


The Company, as a data controller, processes personal data through various means and channels, both fully or partially automated or non-automated provided that they are part of a data recording system, such as

  1. Forms filled in physical or electronic environment
  2. CVs sent via email or job application websites
  3. Business cards received during various events
  4. Information provided by Company employees
  5. Information and documents obtained within the scope of customer visits or meetings
  6. Information obtained during recruitment processes
  7. Information and documents obtained in accordance with the company activities and for the purpose of managing the process
  8. Camera recordings taken in areas belonging to the Company
  9. Information and documents obtained in accordance with legal obligations
  10. Forms filled in during the membership process to Company websites
  11. Information obtained through company websites
  12. Job applications sent to the Company
  13. Information provided in forms filled during visits to the Company
  14. Information and documents obtained through email or other communication channels during and after the employment relationship


  1. PROCESSING OF PERSONAL DATA

Personal data is processed by the Company within the scope of this Policy in accordance with the rules specified in the relevant legislation and within the framework of the following principles and procedures.


General Principles in the Processing of Personal Data

  1. Compliance with Law and Good Faith Principles: Personal data is processed in accordance with the law and the rules of good faith. The data is not used for any illegal purposes and the principles set out in the law are adhered to.
  2. Ensuring Personal Data is Accurate and Up-to-date When Necessary: The accuracy and up-to-dateness of personal data is ensured. In this context, the Company takes necessary measures to keep personal data accurate and up-to-date, provides the opportunity to correct errors, and enables individuals to update their personal data. The relevant person is responsible for the accuracy and up-to-dateness of the data provided.
  3. Processing Personal Data for Specific, Explicit, and Legitimate Purposes: Personal data is processed for specific, explicit, and legitimate purposes. The Company ensures that the personal data processed is necessary and directly related to the purpose for which it is processed.
  4. Processing Personal Data in Connection with, Limited to, and Proportional to the Purpose for Which They Are Processed: Personal data is processed in connection with, limited to, and proportional to the purpose for which it is processed. In this context, unnecessary and excessive personal data processing is avoided.
  5. Retaining Personal Data for the Period Stipulated in the Relevant Legislation or as Required for the Purpose for Which They Are Processed: Personal data is retained for the period stipulated in the relevant legislation or as required for the purpose for which they are processed. Personal data is destroyed in accordance with the Personal Data Storage and Destruction Policy upon the expiration of this period or the elimination of the necessity for processing.


Conditions for Processing Personal Data

  1. Obtaining the Explicit Consent of the Relevant Person: The Company may process personal data based on the explicit consent of the relevant person for one or more specific purposes, provided that the necessary conditions are met. Explicit consent must be freely given, specific, and informed.
  2. Cases Where Personal Data Can Be Processed Without Seeking Explicit Consent: The Company may process personal data without seeking explicit consent of the relevant person in the following cases:
    1. If it is expressly stipulated in the laws.
    2. If it is necessary to protect the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
    3. If it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
    4. If it is necessary for the Company to fulfill its legal obligations.
    5. If the personal data is made public by the person concerned.
    6. If it is necessary for the establishment, exercise, or protection of a right.
    7. If it is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the relevant person.
  3. Processing of Special Categories of Personal Data: The processing of special categories of personal data is carried out in accordance with the rules specified in the relevant legislation and the Personal Data Protection Law. Explicit consent of the relevant person is required for the processing of special categories of personal data, except in the cases stipulated in the law.
  4. Processing Personal Data Through Cookies: The Company may process personal data through cookies used on its websites in accordance with the principles specified in the relevant legislation and this Policy. Detailed information on the use of cookies is provided in the Cookie Policy published on the Company's website.


  1. PURPOSES OF PROCESSING PERSONAL DATA AND LEGAL BASIS


The Company processes personal data for the following purposes and in accordance with the legal basis specified in the Personal Data Protection Law and other relevant legislation:

  1. To fulfill the obligations arising from the law.
  2. To fulfill the obligations arising from the contracts and ensure the performance of the contracts.
  3. To fulfill the obligations arising from labor laws and other legislation and ensure the rights and obligations of the employees.
  4. To carry out Company activities and manage the business processes.
  5. To fulfill the obligations arising from tax legislation and other financial regulations and ensure financial management.
  6. To manage customer relationships and carry out marketing activities.
  7. To carry out human resources policies and practices.
  8. To manage recruitment processes and evaluate job applications.
  9. To manage supplier relationships and carry out procurement processes.
  10. To manage the physical security of the Company buildings and ensure the security of the information systems.
  11. To carry out Company communication activities and manage corporate communication.
  12. To manage legal processes and ensure legal compliance.
  13. To manage business continuity and emergency situations.
  14. To manage risk and ensure information security.
  15. To manage corporate governance and ensure corporate compliance.


  1. TRANSFERRING PERSONAL DATA

The Company may transfer personal data to third parties in accordance with the rules and principles specified in the relevant legislation and within the framework of the purposes specified in this Policy. The Company takes necessary measures to ensure the security of personal data during transfer and complies with the rules specified in the relevant legislation.


Transferring Personal Data within Turkey

  1. Personal data may be transferred to third parties within Turkey in accordance with the conditions and purposes specified in the relevant legislation.
  2. The Company ensures that the necessary security measures are taken during the transfer and compliance with the relevant legislation.
  3. Personal data may be transferred to third parties such as Company stakeholders, business partners, suppliers, and service providers in accordance with the purposes specified in this Policy.


Transferring Personal Data Abroad

  1. Personal data may be transferred abroad in accordance with the conditions and purposes specified in the relevant legislation.
  2. The Company ensures that the necessary security measures are taken during the transfer and compliance with the relevant legislation.
  3. Personal data may be transferred abroad to third parties such as Company stakeholders, business partners, suppliers, and service providers in accordance with the purposes specified in this Policy.


  1. RIGHTS OF THE RELEVANT PERSON

Relevant persons whose personal data is processed by the Company have the following rights in accordance with the Personal Data Protection Law:

  1. To learn whether personal data is processed or not.
  2. To request information if personal data has been processed.
  3. To learn the purpose of processing personal data and whether they are used in accordance with this purpose.
  4. To know the third parties to whom personal data is transferred within the country or abroad.
  5. To request correction of personal data if it is incomplete or inaccurately processed.
  6. To request the deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation.
  7. To request notification of the correction, deletion, or destruction processes carried out in accordance with the relevant legislation to the third parties to whom personal data has been transferred.
  8. To object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems.
  9. To claim compensation for the damage arising from the unlawful processing of personal data.


Relevant persons may exercise their rights by submitting a request in writing to the contact addresses specified in this Policy or by using the application methods specified in the relevant legislation.


  1. DATA SECURITY AND STORAGE MEASURES

The Company takes necessary technical and administrative measures to ensure the security of personal data and to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction.

These measures include but are not limited to:

  1. Using up-to-date antivirus software and firewalls to ensure information security.
  2. Implementing access control mechanisms to ensure that only authorized personnel have access to personal data.
  3. Conducting regular audits to ensure compliance with the information security policies and procedures.
  4. Providing training to employees on information security and personal data protection.
  5. Implementing data masking and encryption techniques to ensure the confidentiality of personal data.
  6. Using secure communication protocols and methods for the transfer of personal data.
  7. Ensuring the physical security of data storage areas and preventing unauthorized access.
  8. Conducting risk assessments and taking necessary measures to address identified risks.

The Company ensures that personal data is stored in accordance with the periods stipulated in the relevant legislation or as required for the purpose for which it is processed. Personal data is destroyed in accordance with the Personal Data Storage and Destruction Policy upon the expiration of this period or the elimination of the necessity for processing.


  1. PERIODIC DESTRUCTION

The Company conducts periodic destruction of personal data in accordance with the Personal Data Storage and Destruction Policy. Periodic destruction is carried out at intervals specified in the relevant legislation or at intervals determined by the Company, provided that it does not exceed six months.


  1. CHANGES AND UPDATES TO THE POLICY

The Company may make changes and updates to this Policy in accordance with the amendments made in the relevant legislation or the developments in the data protection field. Changes and updates to the Policy are published on the Company's website and communicated to the relevant persons.


  1. ENFORCEMENT OF THE POLICY

This Policy enters into force on the date of publication on the Company's website and remains in force until it is updated or replaced by a new policy.