AFACANPARK CHILDREN’S PLAYGROUPS AND CENTERS LTD. ŞTİ.
PERSONAL DATA PROTECTION AND PROCESSING POLICY
ADDRESSEE:
All individuals whose personal data is processed by Afacanpark Children’s Playgroups and Centers Ltd. Şti., excluding employees of Afacanpark Children’s Playgroups and Centers Ltd. Şti.
PREPARED BY:
Afacanpark Children’s Playgroups and Centers Ltd. Şti. ……………………
APPROVED BY:
Approved by the Board of Directors of Afacanpark Children’s Playgroups and Centers Ltd. Şti.
© Afacanpark Children’s Playgroups and Centers Ltd. Şti., 2023
This document may not be reproduced or distributed without the written permission of Afacanpark Children’s Playgroups and Centers Ltd. Şti.
INTRODUCTION
Afacanpark Children’s Playgroups and Centers Ltd. Şti. (“Company”) places great importance on protecting individuals’ fundamental rights and freedoms, particularly the right to privacy regulated under Article 20 of the Constitution. In this context, the Company ensures the protection and processing of personal data in compliance with the Personal Data Protection Law No. 6698 (“Law” or “PDPL”) and operates its planning and activities in alignment with this approach.
The Company does not regard the protection and processing of personal data merely as a compliance requirement but as a fundamental principle reflecting the value it places on individuals. Acting with this awareness, the Company takes all necessary administrative and technical measures to ensure that personal data is protected and processed lawfully.
Purpose of the Policy
The aim of the Personal Data Protection and Processing Policy (“Policy”) is to maximize the protection of individuals’ fundamental rights and freedoms, especially the right to privacy regulated under Article 20 of the Constitution, in accordance with the objectives of the Law. The Policy also aims to inform data subjects about the procedures and principles the Company will comply with under the Law. Through this Policy, the Company targets full compliance with the law in its data protection and processing activities and aims to safeguard the data subjects’ right to privacy and data security.
Scope of the Policy
This Policy applies to the following individuals who are natural persons:
Job Applicants, Family Members of Job Applicants, Employees, Subcontractor Employees, Subcontractor Representatives, Company Shareholders/Partners, Company Officials, Interns, Family Members of Employees/Officials/Shareholders/Interns, Service Provider Employees, Service Provider Representatives, Scholarship Recipients, Customer Representatives, Customer Employees, Business Partners, Business Partner Representatives, Business Partner Employees, Supplier Employees, Supplier Representatives, Potential Customer Representatives, Potential Customer Employees, Visitors, Consumers, Participants, Jury Members, Auditors, Environmental Consultants, Students, and Third Parties.
The Company publishes this Policy on its website to inform personal data subjects about the Law. This Policy does not apply to legal entities regardless of their designation. A separate “Employee Personal Data Processing Policy” is applicable for the Company’s employees.
This Policy applies to the processing of personal data by the Company, whether wholly or partially through automated means or manually as part of any data recording system. If the data does not fall within the scope of “Personal Data” as defined below or if the Company does not carry out personal data processing activities as outlined above, this Policy shall not apply.
Definitions
The terms used in this Policy shall have the following meanings:
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, such as collection, recording, storage, alteration, retrieval, disclosure, transmission, or erasure.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data.
For further detailed definitions and explanations, please refer to the full Policy document available on our website.
Let me know if you’d like me to expand or adjust this translation!
Explicit Consent | It is consent that is specific to a particular matter, based on information, and freely expressed. |
Public Disclosure | The concept of “public disclosure,” meaning “making something known to everyone,” is listed as one of the exceptions to the requirement of obtaining “explicit consent of the individual whose personal data is being processed” under Article 5 of the Personal Data Protection Law No. 6698. |
Obligation to Inform | It is the obligation of the data controller to inform individuals whose personal data is being processed about who is processing their data, for what purposes, on what legal grounds, and to whom and for what purposes the data may be transferred. |
Relevant User | Individuals who process personal data within the data controller’s organization or under the authority and instructions of the data controller, excluding those responsible for the technical storage, protection, and backup of data. |
Destruction | It refers to the deletion, destruction, or anonymization of personal data. |
Processing of Personal Data | Processing of personal data refers to any operation performed on personal data, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, whether wholly or partially by automated means or manually as part of a data recording system. |
KVK Board | Personal Data Protection Board (KVK Board) |
Data Subject / Personal Data Owner | It refers to individuals whose personal data (including sensitive personal data) is processed, such as Job Applicants, Family Members of Job Applicants, Employees, Subcontractor Employees, Subcontractor Representatives, Company Shareholders/Partners, Company Officials, Interns, Family Members of Employees/Officials/Shareholders/Interns, Service Provider Employees, Service Provider Representatives, Scholarship Recipients, Customer Representatives, Customer Employees, Business Partners, Business Partner Representatives, Business Partner Employees, Supplier Employees, Supplier Representatives, Potential Customer Representatives, Potential Customer Employees, Visitors, Consumers, Participants, Jury Members, Auditors, Environmental Consultants, Students, and Third Parties. |
Personal Data | It is any information relating to an identified or identifiable natural person. |
Institution | It is the Personal Data Protection Authority, consisting of the Board and the Presidency. |
Automated Data Processing | It is a processing activity performed by devices with processors, such as computers, phones, and watches, that occurs automatically without human intervention within the scope of pre-prepared algorithms through software or hardware features. |
Sensitive Personal Data | Data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership in associations, foundations or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data, are considered sensitive personal data. |
Registry | It is the Data Controllers’ Registry. |
Company / Our Company | It refers to Afacanpark Çocuk Oyun Grupları ve Merkezleri Ltd. Şti. |
Data Processor | It is the natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
Data Recording System | It refers to the recording system in which personal data is processed by being structured according to specific criteria. |
Data Category | It is the class of personal data that is grouped according to common characteristics and belongs to the group or groups of data subjects. |
Group of Data Subjects | It is the group of data subjects whose personal data is processed by the data controller. |
Data Controller | It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
Effective Date of the Policy
The Policy, issued by Afacanpark Children’s Playgroups and Centers Ltd. Şti., entered into force on 22.22.2222. It is published on the Company’s website (www.afacanpark.com) to ensure accessibility for relevant individuals.
PROTECTION OF PERSONAL DATA
Security of Personal Data
Our Company takes all necessary administrative and technical measures to ensure an appropriate level of security for securely storing personal data, preventing the unlawful processing and access to personal data, as required by law. The administrative and technical measures taken regarding the security of personal data are detailed in our Company’s Personal Data Retention and Disposal Policy.
To ensure compliance with the Personal Data Protection Law and other related legislation, our Company has established a “Personal Data Protection Management System” and formed a Personal Data Protection Committee to implement this Policy and related policies.
Audits
Our Company conducts and commissions the necessary audits to ensure the establishment and continuity of the data security measures described above. The Personal Data Protection Committee supervises the measures taken to ensure the security of personal data.
Confidentiality
Our Company takes all necessary administrative and technical measures, considering technological capabilities and application costs, to prevent data controllers and processors from disclosing personal data unlawfully or using it for purposes other than its intended use. Accordingly, the Company conducts training and informational activities for employees about the Law and the Policy and ensures employees sign confidentiality agreements as part of the recruitment process.
Unauthorized Disclosure of Personal Data
If personal data processed by our Company is unlawfully obtained by others, our Company promptly notifies the data subject and the Personal Data Protection Board within the time limits set by the Board. If deemed necessary by the Board, this situation will be announced on the Board’s website or via another method deemed appropriate by the Board.
Protection of the Legal Rights of Data Subjects
Our Company respects the legal rights of data subjects in connection with the implementation of this Policy and the Law and takes all necessary measures to protect these rights.
Protection of Sensitive Personal Data
Sensitive personal data includes information regarding individuals’ race, ethnicity, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data. Recognizing the sensitive nature of such data and its potential to cause harm or discrimination if disclosed, our Company takes the necessary measures determined by the Board to ensure the lawful protection of such data. For this purpose, the Company has a dedicated policy and procedure (Sensitive Personal Data Security Policy) that is systematic, clearly defined, manageable, and sustainable.
PROCESSING AND TRANSFER OF PERSONAL DATA
General Principles in Processing and Transferring Personal Data
Our Company processes personal data in accordance with the procedures and principles set forth in the Law and this Policy. When processing personal data, the Company adheres to the following principles:
Compliance with the Law and the Principles of Integrity
The Company processes personal data in compliance with applicable legislation and principles of integrity, considering the interests and reasonable expectations of data subjects. It ensures transparency and fulfills its obligation to inform and warn data subjects.
Accuracy and Up-to-Date Data
The Company ensures the accuracy and timeliness of personal data, considering the fundamental rights and legitimate interests of data subjects. It keeps data collection channels open to maintain data accuracy and relevance.
Specific, Explicit, and Legitimate Purposes
The Company defines its data processing purposes clearly and ensures they are legitimate and connected to the services provided.
Relevance, Limitation, and Proportionality
The Company processes data that is relevant and necessary for the specified purposes, avoiding unrelated or excessive data processing.
Retention for the Necessary Period
The Company retains personal data only for the duration necessary to fulfill the processing purpose or as required by applicable legislation. If no valid reason for longer retention exists, the data is deleted, destroyed, or anonymized.
Conditions for Processing Personal Data
Our Company does not process personal data without the explicit consent of the data subject, except in the following cases:
When expressly permitted by law,
When it is necessary to protect the life or physical integrity of a person unable to give consent,
When data processing is directly related to the formation or performance of a contract,
When it is necessary for the data controller to fulfill legal obligations,
When data is made public by the data subject,
When data processing is required for the establishment, use, or protection of a legal right,
When processing is necessary for the legitimate interests of the Company, provided it does not harm the fundamental rights and freedoms of the data subject.
Conditions for Processing Sensitive Personal Data
Sensitive personal data is processed only under the explicit consent of the data subject unless one of the following conditions is met:
Explicit Legal Permission
Sensitive data, excluding health and sexual life data, can be processed without consent when explicitly permitted by law.
Health and Sexual Life Data
Such data can be processed by authorized persons or institutions for public health protection, preventive medicine, medical diagnosis, treatment, and care services, or health service planning and management, under confidentiality obligations.
Transfer of Personal Data
Our Company may transfer personal data to third parties, provided adequate security measures are in place and the conditions outlined in Articles 8 and 9 of the Law are met.
Identity | Data related to the identity of data subjects: Name-surname, national ID number, marital status, parents’ names, place and date of birth, and similar identity details, including copies of driver’s license, ID card, and passport; tax number, SGK number, signature information, etc. |
Contact | Contact details of data subjects: Phone number, address, email address, registered email (KEP), fax number, etc. |
Personnel | Data processed to establish and protect personnel rights: CV, title information, employment records, social security/retirement details, payroll information, asset declaration, disciplinary and performance evaluation reports, etc. |
Location | Data related to the location of data subjects: Location information obtained through company-owned vehicles or devices, or systems such as OGS, vehicle recognition, and meal cards. |
Legal Procedure | Data processed for determining, monitoring, or fulfilling the company’s legal claims and obligations: Power of attorney details, court and administrative decisions, correspondence with judicial authorities, lawsuit records, etc. |
Customer Transactions | Data related to company customers: Requests, order details, invoices, promissory notes, checks, receipts, etc. |
Physical Space Security | Data regarding entry and presence within company premises: Entry-exit records, magnetic card data, security camera recordings, vehicle license plates, etc. |
Transaction Security | Data processed to ensure the technical, administrative, legal, and commercial security of both the data subject and the company: IP address, website traffic logs, internet access logs, passwords, etc. |
Finance | Data reflecting the outcome of the company’s financial relationships with data subjects: Bank account details, credit information, balance sheets, financial profiles, assets, insurance details, etc. |
Professional Experience | Data related to hiring and employment processes: Diplomas, transcripts, education/course/certificate details, driver’s license information, foreign language proficiency, references, etc. |
Marketing | Data related to customer activities: Customer numbers, campaign details, order history, preference/behavior reports, cookie records. |
Visual and Audio Records | Visual and audio data collected outside the scope of physical security: Photographs, camera recordings, audio recordings, or other documents containing such data (e.g., attached photos in forms, video interviews, meeting recordings). |
Communication Records | Data obtained through company communication and IT systems: Corporate call records, emails, and email contents, etc. |
Special Categories of Personal Data | |
Health Information | Data regarding health status: Examination details, health reports, disability information, health leaves, blood type, etc. |
Criminal Record and Security Measures | Data related to criminal convictions and security measures: Criminal record documents. |
Biometric Data | Biometric information: Fingerprint records, facial recognition, retina scans, etc. |
Groups of Data Subjects
Only natural persons can benefit from the protection provided by this Policy and the Law. The personal data subjects within this scope are categorized as follows:
Job Applicant | Individuals who have applied for a job through any means or have made their CVs and related information available for review by the company. |
Family Members of Job Applicants | Family members of individuals who have applied for a job or have made their CVs and related information available for review by the company. |
Company Shareholder/Partner | Individuals who are shareholders/partners of Afacanpark Children’s Playgroups and Centers Ltd. Şti. |
Company Official | Officials of Afacanpark Children’s Playgroups and Centers Ltd. Şti. |
Intern | Individuals undertaking internships at the company. |
Customer Representative | Real persons or representatives of legal entities (e.g., dealers, distributors, sales points) responsible for delivering the company’s products to end consumers. |
Customer Employee | Identifiable employees of entities (e.g., dealers, distributors, sales points) responsible for delivering the company’s products to end consumers. |
Service Provider Representative | Representatives of independent entities providing services to the company but not classified as customers, subcontractors, or suppliers. |
Service Provider Employee | Employees of independent entities providing services to the company but not classified as customers, subcontractors, or suppliers. |
Subcontractor Representative | Representatives of entities subcontracted by the company under a principal employer-subcontractor relationship. |
Subcontractor Employee | Identifiable employees of entities subcontracted by the company under a principal employer-subcontractor relationship. |
Supplier Representative | Representatives of entities supplying inputs, raw materials, or products to the company. |
Supplier Employee | Identifiable employees of entities supplying inputs, raw materials, or products to the company. |
Business Partner | Independent entities with which the company has business relations but not classified as participants, subcontractors, or suppliers. |
Business Partner Representative | Representatives of independent entities with which the company has business relations but not classified as participants, subcontractors, or suppliers. |
Business Partner Employee | Identifiable employees of independent entities with which the company has business relations but not classified as participants, subcontractors, or suppliers. |
Scholarship Recipient | Individuals receiving scholarships from the company. |
Potential Customer Representative | Representatives of individuals or entities expressing interest in or evaluating the company’s products and services based on commercial customs and ethical rules. |
Potential Customer Employee | Employees of individuals or entities expressing interest in or evaluating the company’s products and services based on commercial customs and ethical rules. |
Consumer | Individuals using the company’s products and services, regardless of the presence of a contractual relationship. |
Participant | Individuals participating in design competitions organized by Afacanpark. |
Jury Member | Individuals evaluating submissions in design competitions organized by Afacanpark based on competition compliance and ranking criteria. |
Auditor | Individuals inspecting the company’s compliance with laws, regulations, and circulars, and preparing the necessary reports. |
Environmental Consultant | Individuals assessing compliance with environmental regulations and the effectiveness of implemented measures, conducting internal audits, or providing environmental management services. |
Student | Individuals requesting sponsorship for graduation projects or receiving academic support from the company. |
Family Members of Employees/Shareholders/Officials/Interns | Family members of Afacanpark employees, shareholders, officials, or interns. |
Third Party | Individuals not covered under any other defined data subject group in this Policy or the “Employee Personal Data Processing Policy.” |
Visitor | Individuals entering the company’s physical premises for various purposes or visiting the company’s websites for any reason. |
Method and Legal Basis for Collecting Personal Data
Method of Collecting Personal Data
Our Company collects personal data for the purposes outlined in section 6.1, either fully or partially automatically or manually, through various verbal, written, or electronic means, including but not limited to the following channels:
- Job application forms,
- Personnel information forms,
- Recruitment documents,
- Various documents submitted to the Company,
- Emails sent to the Company,
- Invoices and e-invoices,
- Internet platforms,
- Computers and servers, firewalls,
- Arvento,
- Telephone, PDKS system,
- Entry-exit records,
- Incident detection/disciplinary records,
- Judicial/administrative processes and legal cases,
- Health reports,
- Security cameras,
- Data subjects and third parties.
Legal Basis for Collecting Personal Data
Our Company collects personal data based on one or more of the following legal bases as specified in Articles 5 and 6 of the Law:
- The explicit consent of the data subject,
- Explicitly stipulated by law,
- The personal data is made public by the data subject,
- Processing is necessary for the establishment or execution of a contract, provided it is directly related to the contract,
- Processing is mandatory for the fulfillment of legal obligations by our Company,
- Processing is mandatory for the establishment, exercise, or protection of a legal right,
- Processing is mandatory for the legitimate interests of our Company, provided it does not harm the fundamental rights and freedoms of the data subjects.
Purposes for Processing Personal Data
Matching Purposes of Data Processing with Personal Data Categories of Data Subject Groups
Below is the alignment of the purposes of processing personal data for defined groups of data subjects with personal data categories:
Job Applicant
Data Categories: Identity, Contact, Professional Experience, Physical Space Security, Health Data, Criminal Conviction and Security Measure Data
Processing Purposes: Managing job application processes, selecting and placing candidates/interns, carrying out communication activities, ensuring physical space security, conducting audit/ethical activities, and managing emergency response processes.
Family Members of Job Applicants
Data Categories: Identity, Professional Experience
Processing Purposes: Managing candidate/intern selection and placement processes.
Company Shareholder/Partner
Data Categories: Identity, Contact, Personnel, Legal Transactions, Financial Data, Professional Experience, Physical Space Security, Health Data, Biometric Data
Processing Purposes: Managing emergency response processes, ensuring employee satisfaction and loyalty, fulfilling obligations arising from employment contracts, providing employee benefits, conducting audits/ethical activities, ensuring compliance with regulations, managing finance and accounting processes, ensuring physical space security, tracking and managing legal matters, conducting communication activities, overseeing business operations, ensuring occupational health and safety, organizing events, running advertising/campaign/promotional activities, managing contracts, sponsoring activities, conducting investment processes, providing information to authorized persons/institutions, and executing management operations.
Company Official
Data Categories: Identity, Contact, Personnel, Legal Transactions, Physical Space Security, Financial Data, Professional Experience, Health Data, Biometric Data
Processing Purposes: Managing emergency response processes, ensuring employee satisfaction and loyalty, fulfilling obligations arising from employment contracts, providing employee benefits, conducting audits/ethical activities, ensuring compliance with regulations, managing finance and accounting processes, ensuring physical space security, tracking and managing legal matters, conducting internal audit/investigations, managing communication activities, overseeing business operations, ensuring occupational health and safety, maintaining business continuity, organizing events, running advertising/campaign/promotional activities, managing contracts, sponsoring activities, conducting investment processes, providing information to authorized persons/institutions, and executing management operations.