The Law on the Protection of Personal Data

I. GENERALLY

Safi Derince International Port Management Inc. (“Company”) has adopted the principle of acting diligently and in a principled manner regarding the processing and protection of all your personal data in accordance with the Constitution of the Republic of Turkey, international conventions on human rights to which our country is a party, the Personal Data Protection Law No. 6698 (“KVKK”) and relevant legislation.

The Company processes the personal data of its business partners, shareholders, customers, potential customers, visitors, employees, employee candidates, employees, shareholders and authorized representatives of institutions with which it cooperates, as well as other natural persons who establish a relationship with the Company through job applications, visiting its official website, or in any other way, and takes the necessary measures for the protection of such data. This Privacy and Personal Data Protection Policy has been prepared to inform you about the Company’s rules and policies regarding the processing of personal data under the KVKK.

The explanations made herein regarding your personal data also cover your sensitive personal data. When the retention period of personal data expires or the purpose of processing ceases, the Company deletes, destroys, or anonymizes such data within the scope of its periodic destruction procedure.

 

II. DEFINITIONS AND CATEGORIES OF PERSONAL DATA PROCESSED

 

Personal Data Any information relating to an identified or identifiable natural person. Special Categories of Personal Data Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. Processing of Personal Data Any operation performed upon personal data, wholly or partly by automatic means or by non-automatic means provided that it is part of a data recording system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing the use thereof. Data Subject Business partners, shareholders, customers, potential customers, visitors, employees, employee candidates, employees, shareholders and authorized representatives of institutions with which the Company cooperates, as well as other natural persons establishing a relationship with the group companies through job applications, website visits, or other means.

 

The Company, in line with its legitimate and lawful purposes, processes the following categories of personal data in compliance with the principles set forth under Article 4 of the KVKK and other legal obligations, provided that at least one of the conditions specified in Articles 5 and 6 of the KVKK is met. The obligation to inform is always fulfilled, and explicit consent is obtained only in cases not provided for by law.

 

Identity Data Name, surname, Turkish ID number, date and place of birth, gender, marital status, nationality, documents such as driver’s license, ID card, passport when required, social security number, signature. Contact Data E-mail address, residential address, province/district of residence, home and/or mobile phone number, IP address in case of visiting our websites. Special Categories of Personal Data Information contained in resumes, job applications, and personnel files, as well as information that may be included in contracts signed with the Company for the purpose of fulfilling legal obligations, such as membership of associations, foundations, trade unions, political parties, religious or philosophical beliefs, ethnic origin, race, health data, and criminal records. Education Data Education level, certificates and diplomas, expertise, foreign language proficiency, education and skills, participation in seminars and courses, computer skills. Location Data GPS location and travel data collected during the use of group company vehicles. Transaction Security Data Personal data processed with regard to technical, administrative, legal, and commercial security during the Company’s activities. Website/Application Usage Data Time and duration of visits to company websites, browser type (iOS/Android/mobile/web), IP address, cookies, log records. Personnel Data Any personal data processed to establish personnel rights for real persons who have an employment relationship with the Company. Physical Security Data Data obtained at the entrances and within physical premises of the Company such as camera recordings, visitor records, fingerprint, Wi-Fi access logs. Financial Data Bank account number, IBAN, income data, financial profile, and other financial information arising from legal, commercial, or financial relations with the Company. Legal Transaction Data Data processed within the scope of determining and following up legal receivables and rights of the Company, fulfillment of debts, and legal obligations. Risk Management Data Data processed by methods in accordance with legal, commercial customs and rules of integrity for the management of commercial, technical, and administrative risks. Request/Complaint/Survey Management Data Personal data obtained due to requests, complaints, and surveys directed to the Company.

 

Pursuant to Article 5/2 of the KVKK, personal data (excluding health and sexual life data) may be processed without explicit consent in cases where it is expressly provided by law, necessary for the protection of life or bodily integrity, necessary for the performance of a contract, mandatory for the controller to fulfill legal obligations, made public by the data subject, necessary for the establishment, exercise, or protection of a right, or necessary for the legitimate interests of the controller provided that it does not harm fundamental rights and freedoms. Health data may only be processed by persons under confidentiality obligation or authorized institutions/organizations.

III. PURPOSES OF PROCESSING PERSONAL DATA

The Company may process your personal data for the following purposes:
» Ensuring the security of the Company and related persons,
» Fulfillment of contracts and legal obligations, exercise or protection of rights,
» Provision of services in line with technological requirements, and development of products and services,
» Management and organization of all activities,
» Execution of human resources processes,
» Ensuring commercial and legal security, transparency, and compliance with laws,
» Management of financial processes,
» Ensuring corporate and administrative management,
» Other legal compliance reasons.

While processing data, the Company acts in accordance with the principles of lawfulness, fairness, accuracy, relevance, limitation, proportionality, and storage only for the period required by law or purpose.

 

IV. METHODS AND LEGAL GROUNDS FOR COLLECTING PERSONAL DATA

Your personal data may be collected verbally, in writing, or electronically through contracts, forms, business partners, institutions with contractual relations, request/complaint management systems, audio-visual recording systems, websites, cookies, e-mail, phone, SMS, market research firms, and references.

V.TRANSFER OF PERSONAL DATA

Your personal data may be shared within the Company and with business partners, cooperating institutions, banks, financial institutions, legal consultants, public authorities, regulatory bodies, and official authorities in Turkey or abroad in accordance with Articles 8 and 9 of the KVKK.

Transfer abroad is subject to the presence of:

• Explicit consent of the data subject, or
• Fulfillment of legal grounds provided under the KVKK,
• Adequate protection in the destination country, or, in the absence thereof, a written commitment to provide adequate protection with the foreign data controller and approval of the Personal Data Protection Board.

Transfers are carried out through methods determined by the Board such as adequacy decisions, standard contractual clauses, binding corporate rules, or undertakings.

VI. SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

The Company takes necessary technical and administrative measures in accordance with Article 12 of the KVKK, including but not limited to:
» Training employees on data protection,
» Ensuring compliance with data protection policies,
» Incorporating data protection clauses in contracts with third parties,
» Preparing a personal data inventory,
» Protecting physical environments and controlling access,
» Employing technical experts and protective software,
» Backing up data,
» Conducting audits of security measures.

VII. RIGHTS OF DATA SUBJECTS UNDER THE KVKK

In accordance with Article 11 of the KVKK, data subjects have the right to:

• Learn whether personal data is processed,
• Request information on processing,
• Learn the purposes of processing and whether used accordingly,
• Learn the third parties to whom data is transferred domestically or abroad,
• Request correction of incomplete or inaccurate data,
• Request deletion or destruction of personal data,
• Object to outcomes against them resulting from automated systems,
• Claim compensation for damages arising from unlawful processing.

VIII. REQUESTS REGARDING YOUR PERSONAL DATA

Pursuant to Article 13 of the KVKK, you may submit your requests regarding your rights (except for the exceptions in Article 28) to the Company by:

• Registered mail or via notary public to the following addresses: “D-100 Karayolu Üzeri No:26/1 Safi Espadon Tower Kartal/Istanbul” or “Deniz Mah. Liman Yolu Caddesi No:21 Derince - Kocaeli / Turkey”
• Secure electronic channels such as KEP, secure e-signature, mobile signature, or by e-mail (kvkk@safiport.com.tr) from an address previously provided.

Requests will be answered within 30 (thirty) days at no cost, except for cases exceeding 10 pages or if a physical medium (CD, USB, etc.) is required, in which case the applicable fees will be charged as permitted by law.

If a request is rejected, inadequately answered, or not responded to in due time, the data subject may file a complaint with the Personal Data Protection Board within 30 (thirty) days of receiving the response, and in any case within 60 (sixty) days of the request date.

The Company reserves the right to update this Policy as required by legal regulations and legitimate interests.

Download KVKK Information Request Application Form