Policy on Protection and Processing of Personal Data



The document herein is arranged by Novatel Haberlesme Cozumleri A.S ("Novatel"), and comprises the policy on protection and processing the personal data relating to the natural persons whose personal data is processed, except for the employees thereof.
The purpose of this policy is to be transparent on the personal data processing activities as well as the systems adopted concerning the protection of personal data and to inform the data subjects, whose personal data is processed by our company, on the methods utilized for the protection of personal data.

PURPOSE AND SCOPE

The protection of personal data is a priority of Novatel, which is approached with due diligence and significance.

Pursuant to the Constitution of the Republic of Turkey and the Law on Protection of Personal Data ("Law"), everybody is entitled to request the protection of the personal data relating to oneself.

For such purpose, under our principles of protecting personal data as it is a constitutional right, Novatel pays due diligence to protect the personal data of natural persons whose data is processed, including but not limited to Employee Candidates, Company Shareholders, Officials, Visitors, Employees, Shareholders and Officers of the Organizations with which our company is associated, and Third Persons, as well as the persons and customers who do business and transactions in our company.

Therefore, necessary legal, technical and organizational measures for the protection of personal data being processed are taken under the applicable legislation.

During the processing of personal data upholds the principles laid down below:

  • Processing the personal data lawfully and in conformity with rules of bona fides,
  • Keeping the personal data accurate and up to date,
  • Processing the personal data for specific, explicit and legitimate purposes
  • Processing the personal data in a manner relevant to, limited to and proportionate to the purposes for which they are processed
  • Retaining the personal data for the period stipulated by relevant legislation or the purpose for which they are processed

In accordance with the foregoing, Novatel complies with the applicable legislation, international legislation and the regulations set forth by the Personal Data Protection Authority ("Authority") for the purposes of below-listed processing activities:

  • Providing the data subjects with information and notices,
  • Establishing the necessary system for the data subjects to exercise their rights,
  • Taking the appropriate technical, organizational, and legal measures for the retention of personal data,
  • Transferring the personal data to third persons in accordance with the processing purposes thereof.
  • Novatel approaches the processing of personal data of special nature in a diligent manner and conformity with the principles regarding the processing of personal data, by taking all necessary measures for the processing and protection of personal data of special nature in compliance with the applicable legislation and regulations of the Authority.

PERSONAL DATA THAT ARE BEING PROCESSED

Pursuant to the Obligation of Controller to Inform, Novatel informs the related data subject groups that their personal data is being processed, the purposes of the processing, and the retention periods thereof.

As the categories of personal data being processed have been mentioned hereinbelow, the term "personal data" refers to any information, direct or indirect, processed through automatic means or provided that the process is a part of any data registry system, through non-automatic means, and that can identify an individual.

Identification Information: Information including but not limited to name-surname; T.R. identification number, nationality, name of the mother/father, place of birth, date of birth, gender, as well as the documents that contain the foregoing, such as identity card or passport, and other documents containing tax number, SSI (Social Security Institution) number, signature, vehicle plate number, and similar information

Contact information: Information such as phone number, address, email address, fax number, IP address

Location Data: Information such as GPS location

Information on Family Members and Relatives: Information regarding the family members of the data subject (e.g., spouse, mother, father, child), the relatives and other persons who can be contacted in case of emergency

Physical Environment Security Information: Personal data regarding records and documents obtained at the entry to and during the time spent in a physical environment, as well as camera recordings, fingerprint recordings, and records taken at the security point, and so forth, that are processed fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means

Financial Information: The processed data relating to any information, document, or record indicating financial results, as well as account numbers, IBANs, credit card information, financial profiles, assets data, income information, and similar data which is explicitly related to an identified or an identifiable natural person

Audio / Visual Information: Photographs and camera recordings (excluding recordings that are within the scope of Physical Environment Security Information), voice recordings, and data contained in documents that are copies of documents containing personal data.

Personnel Information: Any personal data processed to obtain information to set out the basis for the formation of personnel rights of natural persons in a working relationship

Personal Data of Special Nature: Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data of persons

PROCESSING OF PERSONAL DATA

Novatel conducts personal data processing activities, lawfully and fairly, accurately and up to date, with specified, explicit and legitimate purposes, and in a manner relevant with, limited to and proportionate to such purposes, in accordance with the Constitution, Law and other legal and international regulations

Novatel carries out data processing activities where:

  • It is explicitly provided for by the laws.
  • It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his/her consent or whose consent is deemed legally invalid.    
  • Processing of personal data belonging to the parties of a contract is necessary provided that it is directly related to the conclusion or fulfillment of such contract.
  • It is mandatory for the controller to be able to perform its legal obligations
  • The data concerned is made available to the public by the data subject himself.
  • Data processing is mandatory for the establishment, exercise, or protection of any right.

It is mandatory for the legitimate interests of the controller, or, where necessary, upon explicit consent of the concerned data subject, provided that such processing shall not violate the fundamental rights and freedoms of the data subject.

Concerning the personal data of special nature, personal data, excluding those relating to health and sexual life, are processed in the cases provided for by law. Personal data relating to health and sexual life are only processed, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services, as well as their financing.

Novatel, in accordance with the Constitution and the Law, informs the data subjects and provides necessary information where a data subject makes a request thereof.

a. Lawfulness and Conformity with Rules of Bona Fides

While processing personal data, Novatel acts in conformity with the legal regulations, principles, and rules of bona fides, and does not process personal data for purposes other than those notified to the data subjects pursuant to the obligation to inform.

b. Ensuring the Personal Data Be Accurate and up to Date

Novatel takes necessary measures and makes necessary arrangements to ensure that the processed personal data is accurate and up to date to the extent reasonable, by taking into account the rights and legitimate interests of data subjects.

c. Processing for Specific, Explicit and Legitimate Purposes, in Accordance with the Requested Services by Data Subjects

Novatel identifies the legitimate and lawful purpose of the data subject clearly and processes the personal data to the extent necessary for the business operation and the required services.

d. Being relevant, limited, and proportionate to the purposes for which they are processed.

Novatel processes the personal data to the extent necessary for the business operation and the required services by clearly identifying the legitimate and lawful purpose of the data subject. It avoids the processing of personal data, which is not relevant to the purposes to be carried out.

e. Retaining for the period stipulated by relevant legislation or the purpose for which they are processed.

Novatel retains the personal data for the period indicated in the applicable legislation or necessary for the purpose for which they are processed. At the end of such period, personal data is either being erased, destructed, or rendered in conformity with the legal regulation.

f. Informing the Data Subject

Novatel, while collecting personal data, informs the data subjects regarding its identity as the controller, the purpose of data processing it will conduct, to whom and for what purposes the processed data may be transferred, the method and legal reason relating to the collection of personal data, and the rights of the data subject.

The data subject has the right "to demand information". Novatel informs the data subject on the methods, rules, and procedures regarding the exercise of such rights.

g. Performing Due Diligence with Processing Personal Data of Special Nature

Novatel avoids to process the data determined as "of special nature" that might cause a risk of victimization or discrimination of persons if processed unlawfully, particularly by not collecting, and where it is mandatory to process such data, it performs with due diligence;

And it processes the aforementioned data:

-if data subject explicitly consents to or if it is mandatory for data processing or
-where the explicit consent of the data subject is not obtained it may process:

  • the personal data, excluding those relating to health and sexual life, in the cases provided for by laws, or
  • in the compulsory cases that the data subject will incur harm where obtaining explicit consent is not possible,
  • the personal data relating to health and sexual life, only for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services, as well as their financing.

PURPOSES OF PROCESSING PERSONAL DATA

Novatel processes personal data to the extent of the purposes and conditions of processing stipulated in the Law and other legislation. Such purposes and conditions are as follows:

  • The processing of personal data is explicitly provided for by the laws that Novatel is subject to,
  • The processing of the personal data by Novatel is necessary and directly related to the conclusion or fulfillment of that contract,
  • Processing of personal data is mandatory for Novatel to be able to perform his legal obligations,
  • The data concerned is made available to the public by yourself, provided that Novatel processes such data to the extent of the purposes for which you have made it public,
  • Processing of personal data by Novatel is mandatory for the establishment, exercise or protection of your or any other third person's rights,
  • It is mandatory for the legitimate interests of Novatel, provided that such processing shall not violate your fundamental rights and freedoms,
  • It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid,
  • It is mandatory and stipulated by the law in terms of personal data of special nature other than the health and sexual life of the data subject,
  • In terms of personal data relating to health and sexual life, it is necessary for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing provided that processing is conducted by any person or authorized public institutions and organizations that have a confidentiality obligation.

Within the scope of the foregoing and the job, the personal data is being processed by Novatel for below-listed purposes:

  • Planning and execution of corporate and business activities
  • Event (organization) management
  • Management of relations with business partners, solution partners, suppliers or contracted units from which services are being received
  • Execution of Novatel personnel recruitment processes
  • Conducting and following-up of Novatel financial reporting and risk management processes
  • Execution and follow-up of Novatel legal requirements and legal affairs
  • Conducting accounting transactions,
  • Planning and execution of corporate communication activities
  • Execution of corporate management activities
  • Performing company and partnership law transactions
  • Request and complaint management
  • Planning and execution of the fringe benefits and benefits to be provided to the senior executives of Novatel and the company, and supporting the processes
  • Carrying out efforts to protect Novatel's reputation
  • Managing investor relations
  • Providing information to the authorized institutions pursuant to the legislation
  • Purchasing and acquiring services and ensuring continuity of the services,
  • Creating and tracking visitor records
  • Creating and tracking customer records
  • Retaining and tracking the records of the work carried out with the corporate partnership
  • Sharing and tracking information with the affiliated companies for the purpose of procuring or providing services in accordance with the contract to carry out the work and/or provide the services

Your explicit consent is obtained from you if the processing activity performed for the relevant purposes does not meet any of the purposes and conditions listed above.

TRANSFERRING PERSONAL DATA

Novatel may transfer the personal data or personal data of special nature of the data subject to third persons in accordance with the lawful personal data processing purposes by taking necessary security measures.

Novatel may transfer your personal data to third persons where:

  • explicit consent of the data subject is obtained,
  • it is explicitly provided in the laws that personal data will be transferred,
  • it is mandatory for the protection of life or physical integrity of the person or of any other person and if the data subject is bodily incapable of giving his/her consent or such consent is deemed legally invalid.
  • the transfer of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the conclusion or fulfillment of such contract,
  • the personal data transfer is mandatory for the controller to be able to perform its legal obligations
  • the personal data is made available to the public by the data subject.
  • the personal data transfer is mandatory for the establishment, exercise, or protection of any right.
  • the personal data transfer is mandatory for the legitimate interests of Novatel, provided that the fundamental rights and freedoms of the data subject are not violated, and necessary security measures are taken.

Concerning the personal data of special nature, personal data, excluding those relating to health and sexual life, are transferred in the cases explicitly provided for by law; whereas the personal data relating to health and sexual life are only transferred to the persons or authorized public institutions and organizations that have confidentiality obligation, for the protection purposes of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. 

Regarding the transfer of personal data abroad, in addition to the abovementioned principles and rules, it is necessary that:

  • sufficient protection is provided in such foreign country
  • the controllers in Turkey and in the related foreign country guarantee sufficient protection in writing, and the Board has authorized such transfer, where sufficient protection is not provided.

THE THIRD PERSONS WHO ARE TRANSFERRED PERSONAL DATA AND PURPOSES OF TRANSFERRING

Novatel informs the data subject on the recipient groups of personal data, under the legislation on protection of personal data to which Novatel is subject. Novatel may transfer the personal data of the data subjects to the recipient groups listed below.

To business partners, suppliers, shareholders, company officials, and employees who will carry out the work, legally authorized public institutions and organizations, legally authorized private law entities, to persons, institutions, and organizations authorized for auditing, to units necessary for the execution of accounting transactions, institutions and organizations that are required to be transferred in accordance with the business and work in which Novatel is engaged, domestic or foreign subsidiary and auxiliary service organizations and third persons required by the contract or the service that the data subject has received or wishes to receive

ISSUES REGARDING PROTECTION OF PERSONAL DATA AND PROVISION OF SECURITY

Novatel, pursuant to the provisions set for by the Law, has taken all necessary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful processing of or access to personal data and to ensure the retention of personal data. It is conducting or having conducted the necessary inspections. For such purpose:

  • Personal data processing activities carried out within Novatel are audited by established technical systems.
  • The technical measures taken are periodically audited and reported by an internal mechanism.
  • Technical experts are being recruited.
  • Technical measures are taken in alignment with the developments in technology, and such measures are periodically updated and renewed.
  • Technical solutions on access and authorization are implemented in accordance with the legal compliance requirements depending on the business units.
  • Access authorizations are restricted, and all authorizations are reviewed on a regular basis.
  • Technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the necessary technological solutions are implemented by re-evaluating the risks.
  • Software and hardware, including virus protection systems and firewalls, are implemented.
  • Security scans are being performed regularly in order to detect vulnerabilities of the applications where personal data is stored, and such vulnerabilities are remedied.
  • Employees are informed and trained on the protection of personal data and the processing of personal data in accordance with the laws.
  • In order to ensure compliance of the personal data processing activities carried out by Novatel business units, with the personal data processing requirements of the Law, a business unit and its activities are established by the internal operation.
  • In order to ensure legal compliance as a requirement of the business, relevant business units are informed, and implementation guidelines are established; and necessary administrative and legal measures are taken to ensure the supervision of such issues and continuity of the application.
  • Obligations for not processing personal data, not disclosing, and not using unless otherwise instructed and except for the exceptions imposed by law,  are included in the contracts and documents between Novatel and the employees, and periodic inspections are carried out in such regard.
  • Employees are informed that they cannot disclose the personal data they have learned to anyone in violation of the provisions of the Law and cannot use them for purposes other than the processing purposes, and the necessary contract and administrative measures have been established.

RETENTION OF PERSONAL DATA IN A SECURE MEDIUM

Novatel has taken appropriate technical and administrative measures to ensure that personal data is retained in a secure medium and to prevent them from being unlawfully processes, destructed, lost, modified, or disclosed, taking into account the technologies and implementation costs.

  • Technologically appropriate systems are being utilized for the secure retention of personal data 
  • Technical experts have been recruited.
  • Technical security systems are being established in the retention mediums, and the measures that are taken are being periodically inspected with internal audit mechanisms, and where necessary, technological solutions are produced, and support is received from the solution partners.
  • In order to ensure the safe retention of personal data, programs are used lawfully.
  • Unauthorized access or access attempts to data storage areas where personal data is retained are communicated to the relevant persons, and where necessary, technological and legal solutions are produced.
  • Employees are trained to ensure that personal data is retained securely.
  • In case of receiving an outsource services due to technical requirements regarding the storage of personal data, in the contracts concluded with the relevant companies where personal data are transferred in compliance with the law, provisions are included stating that the necessary security measures will be taken to protect the personal data and that such measures will be monitored in their own organizations.

Novatel has taken the necessary measures to prevent personal data processed in compliance with the provisions of the Law from being unlawfully obtained by others. However, in the event that personal data is collected through unlawful means despite all kinds of measures taken, Novatel carries out the system that ensures that such incident is notified to the relevant personal data owner as well as to the Board and Legal Units as soon as possible.

Protection of the personal data determined as "of special nature" by the Law, which is being lawfully processed, is protected with particular attention, within the scope of the protection of personal data. Regarding such personal data of special nature, all of the abovementioned technical and administrative measures are taken particularly in order not to obtain or process, and where the collection is necessary and mandatory, to protect the personal data.

PROCESSING DATA OBTAINED THROUGH THE WEB SITE AND INTERNET

Novatel might record the activities and personal data of the persons visiting, making transactions on and receiving services from Novatel's websites by technical means to ensure processing of such personal data on the sites in accordance with the notification purposes, to display customized contents, and to conduct online marketing activities, and to enable the data subjects to access services and information as they wish.

Novatel processes personal data on the basis of its policy, principles as well as Website and General Privacy Policy. The employees who can access such information have declared and undertaken that they will protect the confidentiality of the data they accessed with the Non-Disclosure Agreement, by being informed on their legal and penal accountabilities. With the non-disclosure agreement, your personal data is also secured within the internal structure. Necessary legal, technical, and administrative measures have been taken for the security of personal data shared by Novatel via the website.

RIGHTS OF THE DATA SUBJECTS

Novatel, under the legislation regulating the personal data, provides guidance by informing the data subjects of their rights and carries out the necessary technical and administrative measures in terms of evaluating the data subject rights and serving necessary notifications.

Data Subject relating to Personal Data or Personal Data of Special Nature is entitled to:

  • learn whether his personal data are processed or not,
  • request information if his personal data are processed,    
  • learn the purpose of his data processing and whether this data is used for intended purposes,
  • know the third parties to whom his personal data is transferred domestically or abroad
  • request the rectification of the incomplete or inaccurate data, if processed by Novatel inaccurately or incorrectly, and request notification of such rectification to the third parties to whom his personal data has been transferred,
  • request the erasure or destruction of his personal data in the event that despite being processed under the provisions of the Law and other related laws, the reasons which require the process disappear, and request notification of the relevant action to the third parties to whom his personal data has been transferred,
  • object to the processing of his personal data exclusively by automatic means which leads to an unfavorable consequence for himself,
  • request compensation for the damage arising from the unlawful processing of his personal data.

Conditions That the Data Subject Cannot Claim Any Rights
In case of the following conditions, data subjects are not entitled to claim any rights to obtaining information, except for the compensation for damage:

  • Personal data processing is required for the prevention of a crime or criminal investigation,
  • Processing of personal data which is made public by the data subject himself,
  • Processing of personal data is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of a public institution, under the power conferred on them by the law,
  • Processing of personal data is required for the protection of the State's economic and financial interests with regard to budgetary, tax-related, and financial issues, as well as the dangerous and mandatory conditions stipulated by the Law and practices.

APPLICATION RIGHT OF DATA SUBJECTS

Data subjects may exercise their rights to information, via Novatel's website, the official email address published on the site, or by delivering himself or through notary public, to "Oruç Reis Mh. Vadi Cd.İstanbul Ticaret Sarayı No.108/301 Esenler/İstanbul" address with the wet signed identification document.

In order for the third persons to make an application request on behalf of the data subjects, a particular power of attorney issued by the data subject through a notary public in the name of the applicant must be submitted, if the applicant is a guardian, the copy of the Court Order must be submitted.

If the data subject request is submitted duly, Novatel will finalize the request within thirty days at the latest depending on the nature of the request, free of charge up to the first ten pages and against a fee of 1 TL per page for the exceeding parts.

Novatel might reject the requests under the abovementioned circumstances where the data subject cannot request information, or in case that such request conflicts with the rules of proportionality, bona fides, and goodwill, or it is prohibited by laws, and/or where the applicant cannot be identified and/or the applicant is not authorized.

The data subject may file a complaint to the Personal Data Protection Board if such application is rejected, the provided answer is insufficient, or the application is not answered in time and/or within thirty days from the receipt date of the answer, and in any case within sixty days from the date of application.



Veri politikasındaki amaçlarla sınırlı ve mevzuata uygun şekilde çerez konumlandırmaktayız. Detaylar için veri politikamızı inceleyebilirsiniz. Kabul Ediyorum