1.1. INTRODUCTION

The personal data protection is among the values which our Company TURQUOISE YACHT INDUSTRY INC. (“TURQUOISE YACHT or Company”) pays attention in terms of the corporate. The protection and processing of personal data of our Customers, Customer Candidates, Trainers, Company Shareholders, Company Officials, Visitors, and Employees, Shareholders and Officials of our Business Partners managed with this Policy are constituted the most important part of this subject.

According to Article 20 of the Constitution of the Republic of Turkey, all real persons have right to requests the protection of personal data related to him/her. TURQUOISE YACHT exercises due diligence and for the protection personal data of our Customers, Customer Candidates, Traineers, Company Shareholders, Company Officials, Visitors, and Employees, Shareholders and Officials of our Business Partners managed with this Policy in terms of the protection of the personal data as constitutional right and makes it the company policy.

Within this scope, the necessary administrative and technical measures are taken by TURQUOISE YACHT to protect personal data in accordance with the relevant legislation.

This Policy will provide detailed explanations related to the basic principles listed below and adopted by TURQUOISE YATCH in the processing of personal data:

  • To process personal data in compliance with the law and good faith,
  • To keep personal data correctly and if required, to update,
  • To protect personal data for specific, clear and lawful purposes,
  • To process personal data connected with their purposes processed, limited and measuredly,
  • To protect personal data as long as the period foreseen in the relevant legislation or required for purpose which they processed,
  • To disclose and to inform the personal data owners,
  • To establish the necessary system in order to use the rights of personal data owners,
  • To take necessary measures in order to protect the personal data,
  • To behave accordingly in transfer to the third parties in line with the processing purpose requirements of personal data, relevant legislation and PDP Board (Personal Data Protection) regulations,
  • To exercise due diligence for processing and protecting of specific personal data,

1.2. PURPOSE OF THE POLICY

The main purpose of this policy is to make explanations regarding personal data processing activity carried out by TURQUOISE YACHT in compliance with the law and systems adopted by for personal data protection and within this scope, to provide clearness and transparency by informing the persons whom personal data are processed by our company mainly Customers, Customer Candidates, Trainees, Company Shareholders, Company Officials, Our Visitors, Employees, Shareholders and Officials of Our Business Partners and Third Parties.

1.3. SCOPE

This policy is related to all personal data of Customers, Customer Candidates, Trainees, Company Shareholders, Company Officials, Our Visitors, Employees, Shareholders and Officials of Our Business Partners and Third Parties which are processed manually provided that they are automatic or a part of any data entry system.

The scope of practice of this policy related to the personal data owners involved in aforementioned categories can be whole of the policy as well as only can be certain provisions of the policy.

1.4. PRACTICE PRINCIPLES RELATED TO THE POLICY

The relevant legal regulations in force regarding personal data processing and protection will be practiced primarily. In the event that there is noncompability between the legislation and the Policy in force, our Company accepts to practice legislation in force.

The policy is constituted of concretisation and regulation of rules set forth by Personal Data Protection Law (PDPL) numbered 6698 within the scope of TURQUOISE YACHT practices. Our Company is carried out the necessary system and preparations in order to behave in compliance with the validity period foreseen in the PDPL

1.5. VALIDITY OF THE POLICY

This Personal Data Protection and Processing Policy regulated by our Company as 1st version are dated as 15.January.2018. In case of the renewal of entire policy or certain articles, the validity date and version of the policy will be updated. The policy is published in official internet site (https://www.turquoiseyachts.com) of our Company and presented to the access of the relevant persons upon request of the personal data owners.

2. PRACTICE PRINCIPLES RELATED TO PERSONAL DATA PROTECTION

Our Company prevents illegal processing of personal data which it processes, illegal access to the data, takes necessary administrative and technical measures for providing the appropriate level of security in order to protect data and within this scope, makes or has made necessary audits in compliance with Article 12 of the PDPL.

2.1. PROVIDING OF PERSONAL DATA SECURITY

Our Company takes necessary legal, technical and administrative measures regarding the data security in below mentioned issues and show ultimate attention and diligence on this subject. The actions and measures taken by our Company in order to provide “data security” in accordance with the Article 12 of the PDPL are specified below.

  • Our Company takes technical and administrative measures according to the technologic facilities and practice costs in order to provide personal data in compliance with the law. The employees keep informed regarding the disclosing of the personal data which they learnt to the other persons contrary to the PDPL provisions and not to use except processing purpose and continuation this obligation after they resign and the necessary commitments are taken from them in this direction. The Explicit Consent Approval Form has been taken from all employees as wet signed.
  • Our Company takes technical and administrative measures according to the qualification of data to be protected, technological facilities and practice costs in order to prevent disclosing, access, transfer of personal data unconsciously or incompetently or access contrary to the entire law in another manner.
  • Our Company expand awareness at data processing institutions such as business partners and suppliers which it transfers personal data regarding prevention of personal data processing contrary to the law, prevention illegal access and protection of the data in compliance with the law; takes necessary measures for the execution of the personal data processing activities by business partners and suppliers in compliance with the PDPL.
  • The obligations of our Company which should be obeyed as data responsible when processing personal data and compulsion to comply with legal, administrative and technical measures developed in this subject is legally imposed to the institutions such as suppliers, business partners which it has relationship with various titles with updates made in the agreements in compliance with qualification of the activity carried out regarding data processing.
  • Our Company takes necessary technical and administrative measures according to the technological facilities and practice cost in order to protect personal data in safe environment and to prevent deletion, loss or changing for illegal purposes.
  • Our Company makes or has made necessary audits within its structure in compliance with the Article 12 of the PDPL. The results of this audit can be reported to the relevant section within the scope of internal operation of the Company and the necessary activities for improvement of the measures taken are carried out.
  • Our Company carries out a system providing to inform the situation to the relevant personal data owner and PDP Board in the event that the personal data processed in compliance with the Article 12 of the PDPL are obtained by the other persons illegally.

2.2. PROTECTION OF DATA OWNER RIGHTS AND EVALUATION OF REQUESTS

Our Company carries out necessary channels, internal operation, administrative and technical regulations in compliance with Article 13 of the PDPL in order to evaluate rights of personal data owners and to make necessary information to the personal data owners.

  • To learn whether the personal data is processed or not,
  • If the personal data was processed, to request information related to it,
  • To learn the purpose of personal data processing and whether they are used according to their purpose or not,
  • To know third persons who the personal data are transferred at home and abroad,
  • In the event that the personal data are processed incompletely or incorrectly, to request correction of them and to request informing the transaction made within this scope and personal data transferred to the third parties,
  • Although they are processed in compliance with PDPL and other relevant law provisions, to request deletion or destroying personal data in the event that the reasons required the processing has been removed and to request informing the transaction made within this scope and personal data transferred to the third parties,
  • To object occurrence of the result against him by analysing the processed data via automatic systems exclusively,
  • To request indemnification of loss in the event that the personal data are processed illegally,

In accordance with Sub Paragraph 1 of Article 13 of PDPL, the personal data owners should forward their requests related to use aforementioned rights to our Company in written or via other methods determined by Personal Data Protection Board. Due to the Personal Data Protection Board has not determined any method in this stage, it is required to forward the applications to our Company in written in accordance with the mandatory provision of the law.

In order to use aforementioned rights by the personal data owners, the forwarding of their requests with necessary information identifying their identities and the explanations related to the rights which they would like to use to our Company by specifying to which one of the rights specified in Article 11 of the law is related; will be provided to answer applications faster and effectively.

Within this framework, the channels and procedures which the applications to be forwarded to our Company in written within the scope of using rights specified in aforementioned Article 11 of same law based on Article 13 of PDPL are explained below.

The requests involving the explanations for right of personal data owner from the rights specified in the Article 11 of PDPL which will be requested to use; can be forwarded by filling form in www.turquoiseyachts.com address or forwarded a signed copy of the form to the Güzelyalı Mahallesi Malkoçoğlu sokak No:3/1 34903 Güzelyalı Pendik İstanbul Turkey with the documents identifying the identity of data owner by hand personally and can be sent via notary or other methods specified in the PDPL.

If the third persons would like to apply on behalf of personal data owners, there should be special power of attorney to be prepared by data owner via notary on behalf of the person who will apply.

2.3. PROTECTION OF SPECİFİC PERSONAL DATA

It is given particular attention to some of the personal data with PDPL due to that they can be caused to unjust treatment and discrimination of the persons when processing illegally.

These data are; race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and data related to security measures and biometric and genetic data.

Our Company behaves sensitively in the protection of specific personal data determined as “specific” with the PDPL and processed legally. Within this scope; the administrative and technical measures taken by our Company for the protection of the personal data are practiced meticulously in terms of specific personal data and the necessary audits are provided.

2.4. DISCLOSURE TO THE PERSONAL DATA OWNER

Our Company discloses to the personal data owners during obtaining of personal data in compliance with the Article 10 of the PDPL. Within this scope, our Company discloses regarding identity of our Company, for which purpose the personal data will be processed, to whom and for which purpose the processed personal data will be forwarded, the method and legal reason of personal data collection and the rights of the personal data owner within the scope of Article 11 of the PDPL.

It is specified that everybody has right to informing regarding personal data related to him/her in Article 20 of the Constitution. Accordingly, the “information request” is considered among the rights of personal data owner in Article 11 of the PDPL. Within this scope, our Company makes necessary informing in compliance with Article 20 of the Constitution and Article 11 of the PDPL in the event that the personal data owner requests information.

In addition to this, our Company provides informing the relevant persons in personal data processing activities and the accountability and transparency within this frame by announcing to the personal data owners and relevant persons that it carries out the personal data processing in compliance with all issues in the PDPL and especially “Legal and Honesty” rule with various documents particularly this Policy document which are opened to the public. Also, our Company informs the relevant persons regarding its own activities and issues specified by law with many different methods especially when applying the “explicit consent” of the persons.

3. PROCESSING OF PERSONAL DATA

Our Company engages in the personal data processing activity in compliance with Article 20 of the Constitution and Article 4 of PDPL, law and honesty rules regarding personal data processing; true and when required, updated; limited and measuredly by pursuing a certain, clear and legal purposes. Our Company protects personal data as long as the period foreseen by laws or personal data processing purpose.

Our Company processes the personal data based on one or several conditions in Article 5 of the PDPL related to the personal data processing in accordance with Article 20 of the Constitution and Article 5 of the PDPL.

Our Company behave accordingly to the regulations foreseen in respect of the specific personal data in compliance with Article 6 of the PDPL.

Our Company behave accordingly to the regulations regarding personal data transfer foreseen by law and specified by the PDP Board in compliance with Article 8 and 9 of the PDPL.

Processing of Employee Data

Processing of data for employment relationship

The personal data are processed in the business relationship also without taking approval in the event that it is required for establishment, implementation and conclusion of business agreement. The personal data of the candidates are processed when starting the employment relationship. If the candidate is rejected, the information belonging to the candidate is protected as long as the data protection period for a later election stage of the candidate and at the end of this stage, they are deleted, disposed or anonymised.

Data transactions which made due to explicitly foreseen by law or legal obligation of the Company

The personal data belonging to the employee can also be processed without taking approval in order to explicitly specify the processing in the relevant legislation or to carry out legal obligation determined by the legislation.

Processing of data in compliance with legitimate interests

The personal data belonging to the employee can also be processed without taking approval for the legitimate interests of the Company when required. The legitimate interests are generally legal (for example, filing, implementing or defencing of the legal rights) or economical (for example, evaluation of the Company) interests. In the personal circumstances which are required the protection of the employee interests, the personal data are not processed for legitimate interests. It is determined whether there are interests required the protection before processing the data.

When the data belonging to the employees are processed based on the legitimate interests of the Company, it is examined whether the processing is measured or not. It is controlled whether the legitimate interest of the Company is violated a right of the employee which should be protected when taking of this control measures and it is implemented only if it is measured.

Data processed via automatic systems exclusively

If the personal data is processed as a part of employment relationship via automatic systems exclusively (for example, a part of personnel selection or evaluation of ability profile), the employee has right to object occurrence of result to him/her.

Telecommunication and internet

The telephone equipment, e-mail addresses, intranet and internet with the intracompany networks are provided by the Company principally for duties related to the work. These are work tools and Company sources. There is no general audit related to the telephone and e-mail communication or use of intranet or internet. In order to prevent attacks to the IT infrastructure or individual users, the protective measures blocked the harmful content or analysing the modelling of the attacks are taken in passing of the Company network. The uses of the telephone equipment, e-mail addresses, and intranet/internet or intracompany social networks are protected for a limited period due to security reasons. The evaluation of these data related to the person is made only if there is concrete suspicion related to the violation of legal arrangements or MB Holding or Turquoise Yacht regulations. These controls are carried out by the relevant departments only provided that the principle of proportionality is protected.

3.1. PROCESSING OF PERSONAL DATA IN COMPLIANCE WITH THE PRINCIPLES SUBJECT TO THE LEGISLATION

Processing In Compliance With the Law and Honesty Rules

Our Company behaves accordingly to the principles bringing with the legal arrangements in the personal data processing and general trust and honesty rules. Within this scope, our Company considers principle of proportionality in the personal data processing and does not use the personal data expect their purpose.

Providing Correctness of Personal Data and When required, Updating

Our Company provides the correctness and update of the personal data processed by considering the fundamental rights of the personal data owners and its own legitimate interests. It takes necessary measures accordingly.

Processing with Certain, Clear and Legal Purposes

Our Company determines the legal and lawful personal data processing purpose explicitly and definitely. Our Company processes the personal data connected with the services which it presents and as much as it is required for them. For which purpose the personal data will be processed by our Company is determined only before starting the personal data processing activity yet.

Being Connected, Limited and Measured with the Processing Purpose

Our Company processes the personal data in the manner that would be convenient to be able to realize the determined purposes and prevents the processing of the personal data which are not related to the realization of the purpose or not needed.

Protection As Long As the Period Required for the Processing Purpose or Foreseen in the Relevant Legislation

Our Company protects the personal data only as long as the period required for the processing purpose or specified in the relevant legislation. Within this scope, our Company determines primarily whether it is foreseen a period for the protection of the personal data in the relevant legislation, if this period has been determined, it behaves accordingly to this period, if this period has not been determined, it protects the personal data as long as the period required for processing purpose. In the event that the period has been ended or the reasons required to process has been removed, the personal data are deleted, disposed or by our Company, destroy processes are operated or anonymised.

3.2. LIMITED PROCESSING OF THE PERSONAL DATA

In accordance with Article 20 of the Constitution, the personal data can only be processed in cases foreseen by law or with explicitly consent of the person. Our Company processes the personal data in this direction and in compliance with the Constitution only in cases foreseen by law or with explicit consent of the person.

Giving the explicit consent of the personal data owner is only one of legal basis which enables processing of the personal data in compliance with the law. Except the explicit consent, the personal data can be processed in the event that there is other below mentioned conditions. As well, the basis of the personal data processing activity can be based on one of the below mentioned conditions; more than one of these conditions can be basis of the personal data processing activity. In the event that the processed data are specific personal data, the following conditions are implemented.

Even if the legal basis for processing of the personal data by our Company are differed, it is behaved in compliance with the general principles specified in Article 4 of the Law numbered 6698 in all kinds of personal data processing activity.

Gaining of Explicit Consent of the Personal Data Owner

One of the personal data processing conditions is the explicit consent of the owner. The explicit consent of the personal data owner should be explained related to the certain subject, based on informing and with his/her free will. The explicit consent of the customer, potential customers and visitors are taken with the relevant methods in the processing of the personal data depending on the explicit consent of the personal data owner.

Explicitly Foreseen by Laws

In the event that it is foreseen by law, the personal data of the data owner can be processed in compliance with the law.

Absence of Explicit Consent of the Relevant Person Due to Actual Impossibility

The personal data of the data owner can be processed in the event that the processing of the personal date is compulsory in order to protect life or body integrity of the person who cannot explain his/her consent due to actual impossibility or having invalid consent or of another person.

Directly Related With the Establishment or Execution of the Agreement

It is possible to process the personal data in the event the processing of the personal data belonging to the parties of the agreement is required provided that is related with the establishment or execution of the agreement directly.

Fulfilling the Legal Obligation by the Company

The personal data of the data owner can be processed in the event that the processing is mandatory in order to fulfil the obligations by our Company as data responsible.

Disclosure of the Personal Data of the Data Owner

In the event that the data owner disclosures the personal data by himself/herself; the relevant personal data can be processed.

Being Compulsory of Data Processing In Order to Establish or to Protect a Right

In the event that the data processing is compulsory in order to establish, use or protect a right, the personal data of the data owner can be processed.

Being Compulsory of Data Processing For Legitimate Interest of Our Company

In the event that the data processing is compulsory for legitimate interests of our Company, the personal data of the data owner can be processed provided that it is not damaged to the fundamental rights and freedoms of the personal data owner.

3.3. PROCESSING OF SPECIFIC PERSONAL DATA

Our Company behaves accordingly to the arrangements foreseen by the PDPL in the processing of the personal data determined as “specific” by the PDPL

The certain personal data bearing a risk that causes to unjust treatment or discrimination of the persons when processing illegally are determined as “specific” data in Article 6 of the PDPL. These data are race, ethnic origin, political party membership, philosophical belief, religion, religious sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and data related to security measures and biometric and genetic data.

  • If there is explicit consent of the personal data owner or
  • If there is not explicit consent of the personal data owner;
    • oSpecific personal data except health and sexual life of the personal data owner, in cases foreseen by laws,
    • oSpecific personal data related to the health and sexual life of the personal data owner only can be processed by the persons having confidentiality obligation and authorized institutions and organizations in order to protect public health, to carry out medical diagnosis, treatment and nursing services and to plan and to manage health care services and its financing.

3.4. TRANSFERRING OF PERSONAL DATA

Our Company can transfer the personal data of the data owner and specific personal data to the third parties (MB Holding, business partners and other third parties) by taking necessary security measures in line with the legal personal data processing purposes. Our Company behaves accordingly to the arrangements foreseen in Article 8 of the PDPL in this direction.

Transferring of Personal Data Abroad

Our Company can transfer the personal data of the data owner and specific personal data to the third parties abroad by taking necessary security measures in line with the legal personal data processing purposes. The personal data are transferred by our Company to the foreign countries (“Foreign Countries Having Sufficient Protection”) announced by the PDP Board that they have sufficient protection or if there is no sufficient protection, to the foreign countries which the data responsible in Turkey and the relevant foreign country commit the sufficient protection and to the foreign countries having the permission of PDP Board (“Foreign Countries Which the Data Responsible Committed the Sufficient Protection is Resided”). Our Company behaves accordingly to the arrangements foreseen in Article 9 of the PDPL in this direction.

4. PROCESSING PURPOSES AND STORAGE PERIOD OF THE PERSONAL DATA PROCESSED BY OUR COMPANY

Our Company informs to which personal data owner groups are processed which personal data, processing purposes and storage periods of the personal data of the data owner to the personal data owner within the scope of disclosure obligation in compliance with the Article 10 of the PDPL.

4.1. CATEGORIZATION OF THE PERSONAL DATA

The personal data (Customers, Customer Candidates, MB Holding Customer, Visitor, Third Party, Trainee, Company Shareholder, Company Official, Employees, Shareholders and Officials of the Institution which we are in cooperation) are processed before our Company; in line with legitimate and legal personal data processing purposes of our Company, based on and as limited one or a couple of personal data processing conditions specified in Article 5 of the PDPL and in compliance with the general principles specified in the PDPL especially the principles related to the personal data processing specified in Article 4 and all obligations regulated in the PDPL and as limited with the periods within the scope of this Policy by informing the relevant persons in accordance with article 10 of the PDPL.

4.2. PROCESSING PURPOSES OF THE PERSONAL DATA

The Company processes the personal data as limited with the purposes and conditions within the personal data processing conditions which specified in Sub Paragraph 2 of Article 5 and Sub Paragraph 3 of Article 6 of the PDPL. These purposes and conditions are to process the personal data;

  • Explicitly foreseen by laws that TURQUOISE YACHT engages in the relevant activity related to the personal data processing,
  • Processing of the personal data by TURQUOISE YACHT and being necessary related to the establishment or execution of the agreement directly,
  • Being compulsory of the personal data processing for fulfilment of the legal obligation of TURQUOISE YACHT,
  • Processing by TURQUOISE YACHT as limited in order to disclose by the data owner Provided that the personal data have been disclosed by the data owner,
  • Being compulsory of the personal data processing by TURQUOISE YACHT in order to establish, use or to protect the rights of TURQUOISE YACHT or data owners or third parties,
  • Being compulsory of personal data processing by TURQUOISE YACHT for its legitimate interests provided that it is damaged to the fundamental rights and freedoms of the personal data owner,
  • Being compulsory of personal data processing by TURQUOISE YACHT in order to protect life and body integrity of the personal data owner or another person and in this case, being unable to express the consent of the personal data owner due to actual or legal invalidity,
  • Being foreseen by laws in terms of specific personal data except health and sexual life of the personal data owner,
  • By the persons having confidentiality obligation and authorized institutions and organizations in order to protect public health, to carry out preventive medicine, medical diagnosis, treatment and nursing services and to plan and to manage health care services and its financing in terms of the specific personal data related to the health and sexual life of the personal data owner.

Within this scope, TURQUOISE YACHT processes your personal data for the following purposes:

  • To manage the relationships with business partners or suppliers,
  • To manage, report and analyse the Accounting and Purchasing records,
  • To carry out the employee procurement and Career Assessment Processes of TURQUOISE YACHT,
  • To perform the Port Declaration,
  • To create Distribution Forms,
  • To execute/follow up the financial reporting and risk management transactions of TURQUOISE YACHT,
  • To execute/follow up the legal affairs of TURQUOISE YACHT,
  • To plan and execute the corporate communication activities,
  • To execute the corporate management activities,
  • To perform companies and corporation laws transactions,
  • Claim and complaint management,
  • To give information based upon the legislation to the authorized institutions,
  • To create and follow up the visitor records,

In the event that the processing activity performed with the aforementioned purposes are not met any of the conditions foreseen within the scope of the PDPL, the explicit content of the personal data owner related to the relevant processing process are obtained by TURQUOISE YACHT.

4.3. STORAGE PERIOD OF THE PERSONAL DATA

In the event that it is foreseen in the relevant laws and legislations, TURQUOISE YACHT protects the personal data as long as the period specified in these legislations.

If any period related for how long they should be stored is not arranged in the legislation, the Personal Data is processed as long as the period required to process in accordance with the implementation of TURQUOISE YACHT related to the activity carried out when processing of that data by TURQUOISE YACHT and practices of commercial life, the is deleted, disposed and anonymized.

If the personal data processing purpose has been ended; and it has been come to the end of the storage period specified by the relevant legislation and TURQUOISE YACHT; the personal data can be stored only in order to constitute evidence in possible legal disputes or to claim the relevant right depending on the personal data or to constitute the defence. The storage period is determined by taking the period of limitation for claiming of aforementioned right in the constitution of the period here and examples in the claims directed to TURQUOISE YACHT in the same subjects before as a basis in despite of the period of limitation has been ended. In this case, it is not reached to the personal data stored for any other purpose and only it is reached to the relevant personal data if it is required to use in the relevant legal dispute. Also here, the personal data are deleted, disposed or anonymized after ending of the aforementioned period. The access permission to the relevant Personal Data is only belonging to the persons who perform duty by the Data Responsible in the capacity of Data Processor in the Information Technologies during this period.

5. THIRD PARTIES WHICH TURQUOISE YACHT TRANSFERS THE PERSONAL DATA AND TRANSFER PURPOSE

TURQUOISE YACHT informs the person group which the personal data are transferred to the personal data owner in compliance with Article 10 of the PDPL.

TURQUOISE YACHT IND. INC. can transfer the personal data of the data owner managed with the Policy in compliance with Article 8 and 9 of the PDPL:

  • To TURQUOISE YACHT’s business partners,
  • To TURQUOISE YACHT’s suppliers,
  • To MB Holding’s Companies and Representatives,
  • To TURQUOISE YACHT’s shareholders,
  • To the Company officials,
  • To legally authorized public institutions and organizations,
  • To legally authorized private person,

6. PERSONAL DATA PROTECTION LAW (PDPL) INFORMING PRACTICE PRINCIPLES RELATED TO THE VISITORS

6.1. PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT ON TURQUOISE YACHT LOCATIONS

The personal data processing activities made by TURQUOISE YACHT at General Directorate, Pendik Shipyard, Kocaeli Shipyard, Port and Shipyards are carried out in compliance with the Constitution, PDPL and other relevant legislation.

In order to provide security by our Company, it is engaged in a personal data processing activity intended to follow up of the entry and exits of the visitors via security camera at Istanbul and Kocaeli locations of our Company.

The personal data processing activity is carried out by our Company by using the security cameras and recording the entry and exits of the visitors.

TURQUOISE YACHT’s follow up activity via security camera has aim for protection of interests related to providing the security of the company and other persons and within this scope; our Company behaves accordingly to the Constitution, PDPL and other relevant legislation.

The image records of our visitors are taken via camera surveillance activity of our Company at the building, facility entrance and within the facility. Our Company has aims such as increasing the quality of service presented, providing the reliability, providing the security of the company, customers and other persons and protecting the interests of the customers related to the service get within the scope of monitoring with the security camera.

Our Company behaves accordingly to the arrangement in the PDPL in the execution of camera surveillance activity for security purpose.

The camera surveillance activity carried out by Our Company is continued in compliance with Law on Private Security Services and the relevant legislation. Only the limited numbers of Company employees have access to the records recorded and stored in the digital environment. Also, the security guard can watch the live camera images. The limited number of the persons having access to the records declares that will protect the privacy of the data reached with the non-disclosure commitment.

The necessary technical and administrative measures are taken by our Company in order to provide the security of personal data obtained as a result of camera surveillance activity in compliance with Article 12 of the PDPL.

Except the aforementioned camera records; our Company engages in personal data processing activity to follow up of visitor’s entry and exits at the building and facilities of our Company in order to provide the security and for the purposes specified in this Policy.

The said personal data owners are informed when taking the name and surnames of the persons who come to our Company building as visitor or via texts hanging in the Company or presented to the access of the visitors in other manners. The data obtained to follow up entry and exits of the visitors are only processed for this purpose or the relevant personal data are recorded into data recording system in the physical environment.

The internet access can be provided by our Company to the visitors who request as long as the period stayed in the locations of our institutions in order to provide security and for the purposes specified in this Policy. In this case, the log records related to your internet access are recorded in accordance with the Law numbered 5651 and mandatory provision of the legislation regulated according to this Law; these records are processed only in order to request by the authorized public institutions and organizations or to fulfil the our relevant legal obligations in audit processes to be carried out within the Company.

Only the limited numbers of the Company employees have access to the log records obtained within this framework. The Company employees having access to the said records reach to these records only in order to use claim and audit processes coming from the authorized public institutions and organizations and share with the legally authorized persons. The limited number of the persons having access to the records declares that will protect the privacy of the data reached with the non-disclosure commitment.

6.2. INTERNET SITE VISITORS

The internet movements of the visitors in the site are recorded via technical means (for example, cookies etc.) in the internet sites of our Company in order to ensure that the visitors of these sites carry out their visits in compliance with their visit purposes; to show them customized contents and to engage in online advertising activities. The approval information related to the cookies use is taken from all users at the entry of our Company’s internet site.

The detailed explanations related to these activities made by our Company and the protection and processing of the personal data are involved in “Privacy and Security” texts of our internet site.

7. DELETION, DISPOSAL AND ANONYMIZATION CONDITIONS OF THE PERSONAL DATA

The personal data are deleted, disposed or anonymized upon the own decision of the TURQUOISE YACHT or request of the personal data owner in the event that the reasons required their processing are removed in despite of they have been processed according to the relevant law provisions regulated in Article 138 of Turkish Criminal Law and Article 7 of the PDPL.

7.1. OBLIGATIONS OF TURQUOISE YACHT REGARDING DELETION, DISPOSAL AND ANONYMIZATION OF THE PERSONAL DATA

The personal data are deleted, disposed or anonymized upon the own decision of the TURQUOISE YACHT or request of the personal data owner in the event that the reasons required their processing are removed in despite of they have been processed according to the relevant law provisions regulated in Article 138 of Turkish Criminal Law and Article 7 of the PDPL. Within this scope, our Company develops the necessary operating mechanisms regarding this subject by taking necessary technical and administrative measures within the Company in order to fulfil the relevant obligations and trains, employs and provides awareness the relevant business unit in order to behave accordingly to these obligations.

7.2. DELETION, DISPOSAL AND ANONYMIZATION TECHNIQUES OF THE PERSONAL DATA

7.2.1 Deletion and Disposal Techniques of the Personal Data

TURQUOISE YACHT can delete or dispose the personal data upon the own decision of the TURQUOISE YACHT or request of the personal data owner in the event that the reasons required their processing are removed in despite of they have been processed according to the relevant law provisions. The deletion or disposal techniques commonly used by TURQUOISE YACHT are listed below:

Physically Disposal

The personal data can be processed manually provided that they are a part of any data entry system. When deleting/disposing such data, the physically disposal system is implemented in the manner that the personal data would not be used later.

Deletion Securely From the Software

When deleting/disposing of data processed automatic ways completely or partially and stored in digital environment; the methods related to deletion of the data from software are used in the manner that the data cannot recovered again.

Deletion Securely By an Expert

In some cases, TURQUOISE YACHT can agree with an expert to delete personal data on its behalf. In such situation, the personal data are deleted/disposed by an expert in the manner that cannot be recovered again.

7.2.2 Anonymization Techniques of Personal Data

The anonymization of the personal data is expressed that under no circumstances the personal data cannot be associated with a specific or identifiable real person even if it compares with another data. TURQUOISE YACHT can anonymise the personal data processed legally when the reasons required processing of them are removed.

The personal data anonymised can process due to reasons such as research, planning and statistics in compliance with Article 28 of the PDPL. Such processing is out the scope of the PDPL, there is no need to receive explicit consent of the data owner. Due to the personal data processed by anonymising are out of the PDPL, the rights regulated in Chapter 2 of the Policy will not be valid for these data. The anonymization techniques commonly used by TURQUOISE YACHT are listed below.

A-Data masking

The data masking is the anonymization method of the personal data by taking basic distinctive information of the personal data with data masking.

B- Data aggregation

Many data are aggregated with the data aggregation and it is not rendered that cannot associated with any person.

C-Data derivation

A content more general than the personal data is created with the data derivation method and it is not rendered that cannot be associated with any person.

D-Data mixing

It is provided to break the connection between the values and persons by mixing the values in the personal data set with data mixing method.

8. Definitions

  • If the track of the personal data cannot be traced or the personal identity can be created with unreasonable period, expense and labour, the data is considered as anonymized.
  • The data violations are the events where there are justifiable suspicion regarding obtaining, collecting, changing, copying, distributing or using of the personal data illegally. It can be related to the third parties or persons.
  • The relevant person is real person whose personal data is processed.
  • The specific data are race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and data related to security measures and biometric and genetic data of the person.
  • The personal data are all kinds of information determined the identity of a real person or making his/her identity as specifiable. For example, if a person can be determined by using the combination of information even if it is additional information, it can be definable.
  • Provided that the processing of the personal data is when the personal data are completely or partially automatic or a part of data entry system, it is covered all kinds of transactions carried out on the data such as obtaining manually, recording, storing, keeping, changing, reregulating, disclosing, transferring, taking over, making obtainable, classifying or preventing their uses.
TURQUOISE YACHTS 2017. ALL RIGHTS RESERVED.