Personal Data Protection and Processing Policy

1. General Purpose

As CyberArts Bilişim Anonim Şirketi, we show utmost care and attention to the protection of all fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing and protection of personal data. In this context, we act in accordance with the principles of transparency and openness towards each person whose data we process.

This Personal Data Protection and Processing Policy (“Policy”) has been prepared to share transparently with the public the basic principles that CyberArts Bilişim Anonim Şirketi ("CyberArts") has adopted in the activities it carries out to ensure that the personal data it processes is handled in compliance with the relevant articles of the Constitution, the Personal Data Protection Law No. 6698 and other relevant legislation.

Regarding the processing and protection of personal data, in case of conflict between the provisions of the applicable legislation and the provisions of this Policy, the provisions of the current legislation shall prevail.

2. Scope

This Policy relates to all personal data of Company employees, employee candidates, customers, potential customers, service providers, visitors, and employees and officials of cooperating institutions that is processed automatically, or non-automatically provided that it is part of any data recording system.

When you share your data with us by filling out the contact, career, offer or newsletter subscription forms on our site, you are provided with the necessary information in the process, and as the relevant person you can reach detailed information through this Policy.

3. Definitions and Abbreviations

The definitions used in the implementation of this Policy are shown in the table below in accordance with the relevant legislation.

Open Consent | Refers to consent on a particular subject, based on information and expressed with free will.
Anonymization | Means making data previously associated with a person incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.
Worker | Refers to persons working in the Company pursuant to an employment contract concluded with the Company.
Employee Candidate | Refers to natural persons who have applied for a job at the Company by any means or have opened their CV and related information to the Company's review.
Related person | Refers to natural persons whose personal data are processed.
Employees, Shareholders, Officials of the Institutions We Cooperate With | Refers to the real persons, including shareholders and officials, who work in the institutions with which our company has any kind of business relations (such as, but not limited to, business partners and suppliers).
Personal Data | Any information relating to an identified or identifiable natural person.
Personal Data Owner | The natural person whose personal data is processed, for example customers and employees.
Customer | Refers to natural persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
Potential Customer | Refers to natural persons who have requested or shown interest in using our products and services, or who have been evaluated, in accordance with commercial practices and honesty rules, as possibly having such an interest.
Company official | Means the members of the company's board of directors and other authorized natural persons.
Special Qualified Personal Data | Means biometric and genetic data, as well as data on people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures.
Company Website | Refers to CyberArts' website with the address "https://cyberartspro.com/".
Processing of Personal Data | Refers to any operation performed on personal data, in whole or in part by automatic means, or by non-automatic means provided that it is part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of the data.
Policy | Refers to this Personal Data Protection and Processing Policy prepared by CyberArts.
Data Processor | Refers to the natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller | Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Visitor | Refers to natural persons who enter the physical premises of the company for various purposes or visit our websites.
Law | Refers to the Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677.
Organisation | Personal Data Protection Authority.
Board | Personal Data Protection Board.

4. Principles to be Followed When Processing Personal Data

At every stage of its personal data processing activity, CyberArts will act in accordance with the principles listed in Article 4 of the Law and shown below:

  • Being in compliance with the law and honesty rules,
  • Being accurate and up-to-date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being relevant, limited and proportionate to the purpose for which they are processed,
  • Being preserved for the period required for the purpose for which they are processed or stipulated in the relevant legislation.

5. Considerations Regarding the Processing of Personal Data

5.1. Personal Data Collected

The categorization and explanation of the personal data that clearly belongs to an identified or identifiable natural person and is processed by CyberArts partially or fully automatically, or non-automatically as part of the data recording system, is shown in the table below.

PERSONAL DATA CATEGORY | PERSONAL DATA CATEGORY EXPLANATION
Credentials | Identity information that clearly belongs to an identified or identifiable natural person. Varying as necessary: T.R. identity number, name, surname, passport number, photo, signature, mother's/father's name and other personal data contained in the identity card or passport.
Communication information | Varying as necessary: residence, mobile phone number, address, e-mail and similar data.
Customer Transaction Information | Customer request information, customer order history information, check, promissory note, invoice, receipt and similar personal data.
Physical Space Security | Entry/exit records, visit information, camera records and similar data.
Financial Information | Financial personal data processed in information, documents and records that vary according to the type of legal relationship CyberArts has established with the personal data owner, such as bank account number, bank account information (IBAN number, account holder, etc.) and credit card information; and financial and salary details of employees, such as payrolls, premium progress, premium amounts, file and debt information related to enforcement proceedings, bank passbook, minimum living allowance information and private health insurance amount.
Legal Process and Compliance Information | Personal data contained in documents obtained as a result of correspondence with processes in judicial authorities and administrative authorities.
Employee Candidate Information | Data such as CV, interview grade and certificate information of persons who have applied to be a CyberArts employee or who have been evaluated as an employee candidate in line with CyberArts' human resources needs.
Contract Information | Information about our business partners who have any commercial business relationship with CyberArts, contracts with these companies or information about company employees.
Special Qualified Personal Data | Varying as necessary: data specified in Article 6 of the Law (e.g. medical report, criminal record, etc.).
Personnel File Information | Information that should be included in the personal files of real persons who are in a working relationship with CyberArts (data such as educational status, certificate and diploma information, foreign language information, education and skills, CV, courses taken, leave seniority base date, leave seniority additional days, leave group, departure/return date, day, reason for leave, address/phone, position name, department and unit, title, last employment date, entry and exit dates, etc.).
Audio Visual Data | Clearly belonging to an identified or identifiable natural person: photographs and camera recordings, audio recordings, and data contained in documents that are copies of documents containing personal data.

5.2. Data Groups

Owners of personal data processed within the scope of this Policy are shown in the table below.

Personal Data Subject Groups | Description
CyberArts Shareholder/Authorities | Natural persons who are shareholders and officials of CyberArts company.
Employees/Interns | Real persons working or interning at CyberArts.
Employee Candidates | Real persons who have applied for a job in any way or have opened their CV and related information to CyberArts' review, but who do not work or do internships within CyberArts.
Relevant persons of Institutions/suppliers in cooperation (business partner) | Real persons who take part in the cooperation activity, such as officials and employees of institutions that have any cooperation with CyberArts, such as purchasing/selling services.
Visitors | Real persons who physically come to CyberArts office for all kinds of purposes or log in to the internet sites and the WI-FI system.
Customer | Natural persons whose personal data are obtained within the scope of commercial activities carried out by CyberArts, regardless of whether they have any contractual relationship with CyberArts.

5.3. Purposes of Processing Personal Data

Personal data processed by CyberArts are processed in accordance with the Law for the following purposes. The purposes of processing personal data are shown in general and may vary according to the specifics of the concrete case.

Within the scope of planning and development of each commercial activity specific to CyberArts, execution of the work and providing legal and technical security;

  • Planning and execution of the company's physical and electronic / network security studies,
  • Notifications to official institutions,
  • Carrying out legally necessary actions, fulfilling obligations,
  • Activities related to the establishment and performance of contracts,
  • Activities related to the execution, management, planning and execution of relations with customers,
  • Follow-up of finance and accounting works,
  • Planning or execution of business continuity activities,
  • Event management,
  • Performing efficiency, productivity or appropriateness analyses of business activities,
  • Execution of goods/service procurement processes,
  • Execution of sales or marketing processes of products/services,
  • Carrying out storage and archiving activities,
  • Fulfilling the obligations regarding all kinds of visitors entering and leaving the address where CyberArts resides, in accordance with the law,
  • Managing and concluding request and complaint processes during and after the service,
  • To improve our website, to monitor its technical functionality and to ensure that it works properly,
  • Organization and event management,

Planning or Execution of Our Company's Human Resources Policies and Processes;

  • Carrying out the application processes of employee candidates,
  • Execution of employee satisfaction and loyalty processes,
  • Fulfillment of obligations arising from employment contracts and legislation for employees,
  • Planning of human resources processes,
  • Execution of fringe benefits and benefits processes for employees,
  • Keeping the personal files of employees in accordance with the relevant legislation.

5.4. Associating Data Groups with Data Categories

PERSONAL DATA CATEGORY | Data Owner Category to which the Relevant Personal Data is Related
Credentials | Employee, employee candidate, other-commercial relationship established; legal entity employee, official, potential product or service buyer, product or service buyer, visitor
Communication information | Employee, employee candidate, other-commercial relationship established; legal entity employee, official, potential product or service buyer, product or service buyer, visitor
Customer Transaction Information | Potential product or service buyer/recipient, visitor
Physical Space Security | Employee, employee candidate, shareholder/authorised, relevant persons of the institutions in cooperation, visitor
Financial Information | Employee, employee candidate, legal/real persons with whom cooperation is made
Legal Process and Compliance Information | Employee, employee candidate, legal/real persons with whom cooperation is made
Employee Candidate Information | Employees and employee candidates within CyberArts
Contract Information | Legal/real persons in cooperation with the employees of CyberArts
Special Qualified Personal Data | All data groups except visitors, to the extent necessary
Personnel File Information | CyberArts employees and, to the extent necessary, relevant persons of cooperating institutions
Audio Visual Data | Employee, employee candidate, shareholder/authorised, relevant persons of the cooperating institutions, visitors

5.5. Method of Obtaining Personal Data

After informing you in accordance with the relevant legislation, we collect your personal data:

  • Through the cookies produced when you visit our website,
  • When you fill out the career, newsletter subscription, offer and contact forms on our website,
  • Through social media channels,
  • Through business card sharing,
  • Via visitor records,
  • Through e-mails sent by data owners and communication with data owners at the box office, at stands and by telephone,
  • Through contracts.

5.6. Processing Methods of Personal Data and Legal Reason

In accordance with Article 5/1 of the Law, CyberArts pays utmost attention to issues such as obtaining explicit consent and disclosure processes while processing personal data. CyberArts may process personal data without relying on express consent, based on one or more of the legitimate reasons listed in Article 5 of the Law. The legitimate reasons listed in Article 5/2 of the Law are:

  • It is clearly stipulated in the law,
  • It is compulsory for the protection of the life or physical integrity of the person, or of another person, where the person is unable to express consent due to actual impossibility or their consent is not legally valid,
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,
  • It is mandatory for the data controller to fulfill its legal obligation,
  • The data has been made public by the person concerned,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

5.7. Processing of Private Personal Data

To the extent required by the Law, CyberArts also processes the special categories of personal data listed in Article 6/1 of the Law. These personal data are processed in accordance with the Law, by obtaining express consent and by taking adequate precautions.

6. Matters Regarding the Transfer of Personal Data

6.1. Transfer of Personal Data

CyberArts takes the utmost care that the data it processes is not transferred domestically or abroad where there is neither the explicit consent of the personal data owner in accordance with the Law nor a legal basis for the transfer.

6.2. Domestic Transfer of Processed Personal Data

Even where the person concerned has not given express consent to the domestic transfer of the personal data it processes, CyberArts may transfer personal data domestically in accordance with this Policy, provided that it complies with the conditions in Article 8 of the Law. Under these conditions, which are set out in Article 5/2 of the Law, ordinary personal data may be transferred domestically without the explicit consent of the person concerned if one of the following is met:

  • The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,
  • The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
  • The transfer of personal data is mandatory for our Company to fulfill its legal obligation,
  • The personal data has been made public by the data owner, and our Company transfers it in a manner limited to the purpose of making it public,
  • The transfer of personal data by the Company is mandatory for the establishment, exercise or protection of the rights of the Company, the data owner or third parties,
  • It is mandatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,
  • The transfer is necessary for the protection of the life or physical integrity of the person, or of someone else, where the person is unable to express consent due to actual impossibility or their consent is not legally recognized.

6.2.1 Domestic Transfer of Private Personal Data

Even where the person concerned has not given express consent to the domestic transfer of sensitive personal data, CyberArts may transfer such data domestically by acting in accordance with the conditions in Article 8 of the Law. It may process special categories of personal data under the conditions listed below, while taking all necessary administrative and technical measures in accordance with the methods and forms to be determined by the relevant legislation and the Board.

  • Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is expressly stipulated in the law, in other words, there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data owner will be obtained.
  • Special categories of personal data regarding health and sexual life may be processed without explicit consent, for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons or authorized institutions and organizations under the obligation of confidentiality. Otherwise, the explicit consent of the data owner will be obtained.

CyberArts may process the sensitive data it processes without the explicit consent of the person concerned by providing the conditions listed above in accordance with Article 8 of the Law.

6.3. Transfer of Personal/Private Personal Data Abroad

CyberArts does not transfer the data it processes abroad in the absence of the express consent of the person concerned and the reasons for transfer listed in the legislation. However, the normal and special personal data processed can be transferred abroad without the explicit consent of the person concerned, provided that the provisions listed in Article 9 of the Law are followed.

Together with the conditions listed in sections 6.2. and 6.2.1., CyberArts may transfer the data it processes abroad provided that one of the following conditions listed in Article 9/2 of the Law is met in the foreign country to which the transfer will be made:

  • Adequate protection is available,
  • In the absence of adequate protection, the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and the Board's permission has been obtained.

6.4. Recipient Groups to be Transferred, Purpose and Definition of Transfer

Provided that the conditions listed in the above articles are met, and in accordance with all other relevant legislation, CyberArts may share the personal data it processes with:

  • Business partner,
  • Supplier,
  • CyberArts Shareholder/Authorities,
  • Legally Authorized Public Institutions and Organizations,
  • Legally Authorized Private Law Persons,
  • Banks.

RECIPIENT GROUPS TO WHICH DATA CAN BE TRANSFERRED | DEFINITION | PURPOSE OF TRANSFER OF PROCESSED DATA
Business partner | Defines the data controllers with whom CyberArts cooperates for purposes such as carrying out various projects and receiving services while carrying out its commercial activities. | Limited to ensuring the fulfillment of the purposes for which the business partnership was established.
Supplier | Within the scope of the commercial activities of CyberArts, your personal data is shared with the parties providing services to CyberArts in line with the data processing purposes and instructions of CyberArts. | Limited to ensuring that the services which CyberArts obtains from the supplier and which are necessary to carry out its commercial activities are provided to CyberArts.
CyberArts Shareholder/Authorities | Natural persons who are CyberArts Shareholders / Authorities. | Limited to the purposes of planning, management and auditing of strategies related to CyberArts' activities in accordance with the relevant legislation.
Legally Authorized Public Institutions and Organizations | Your personal data is shared with public institutions and organizations authorized to receive information and documents from CyberArts in accordance with the provisions of the relevant legislation. | Limited to the purposes requested by the relevant public institutions and organizations within their authority.
Legally Authorized Private Law Persons | Private law persons established in accordance with the conditions determined in the provisions of the relevant legislation, operating within the framework determined by the law, and authorized to obtain documents from CyberArts. | Limited to the purposes requested by the relevant private legal persons within their legal authority.
Private and Public Banks | Your personal data can be transferred to private and public banks working with CyberArts and working in various fields, including paying the monthly fee. | Limited to the information that is mandatory to be shared in accordance with the agreements, assignments and relevant legal legislation regarding the rights and receivables of CyberArts.

7. Storage and Disposal of Personal Data

CyberArts preserves the personal data it processes for the minimum period stipulated in the current legislation and for the period required for the purpose for which it is processed. In this context, personal data are deleted, destroyed or anonymized upon the request of the person concerned, or when periodic checks show that the minimum period stipulated in the legislation and the period related to the purpose for which they are processed have expired.

The criteria used to determine this period, including the retention period for each category of personal data and the legal obligations that CyberArts has to keep the data, are specified in CyberArts' Personal Data Retention and Destruction Policy and will be applied in all cases.

8. Measures to Ensure Data Security

CyberArts shows the utmost care and diligence in taking all kinds of technical and administrative measures stipulated by the relevant legislation and the Board to ensure the appropriate level of security required for the protection of personal data. Within this scope, the measures taken by CyberArts to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the protection of personal data are listed below.

Administrative Measures Taken for Personal Data Security

  • CyberArts periodically performs the necessary inspections, or has them performed, in order to ensure the implementation of the provisions of the Law.
  • There are personal data security policies and procedures.
  • CyberArts employs knowledgeable and experienced personnel about the processing of personal data and provides the necessary training to its personnel. Awareness studies are carried out periodically.
  • By adopting the understanding of data minimization, it works to reduce personal data as much as possible.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • Personal data is backed up and the security of the backed up personal data is also ensured.

Technical Measures Taken for Personal Data Security

  • ISO 27001 Information Security Management System is operated in our company. 
  • The security of electronic media containing personal data is ensured.
  • Necessary internal controls are performed within the scope of established systems.
  • CyberArts employs knowledgeable and experienced people in order to ensure data security and periodically gives the necessary training to its personnel.
  • Data loss prevention software is used.
  • Current anti-virus systems are used.
  • Institutional policies on access, information security, use, storage and destruction have been prepared and put into practice.
  • A user account management and authorization control system is implemented and monitored.
  • An authorization matrix has been created for employees.
  • Confidentiality commitments are made.
  • The signed contracts contain data security provisions.
  • Access logs are kept regularly.
  • The security of personal data stored in the cloud is ensured.
  • Cyber security measures have been taken and their implementation is constantly monitored.

9. Personal Data Owners' Rights and the Exercise of These Rights

9.1. Rights of Personal Data Owners

Under Article 11 of the Law, personal data owners have the right to:

a. Learn whether personal data is processed or not

b. If personal data has been processed, request information on its nature and learn to whom it has been disclosed

c. Learn the purpose of processing personal data and whether they are used in accordance with the purpose

d. Know the third parties to whom personal data is transferred, in the country or abroad, and request the notification of the transaction made in this direction to third parties

e. In case of incomplete or incorrect processing of personal data, request their correction and notification of this to third parties

f. Request the deletion or destruction of personal data in the event that the reasons for processing disappear, although it has been processed in accordance with the provisions of the relevant law

g. Object to the emergence of a result against themselves

h. Demand compensation for the damage in the event that they suffer damage due to unlawful processing of personal data.

9.2. Ability of Personal Data Owners to Use Their Rights

Data owners may submit their requests regarding their rights enumerated in the Law, together with information and documents to identify them, to CyberArts in accordance with the methods determined by the Law and the Board. In this respect, all necessary information can be accessed through the KVKK application form prepared by CyberArts (https://www.cyberartspro.com/wp-ontent/themes/upscale/KVKK/Veri_Sahibi_KVKK_Basvuru_Formu-cyberarts.pdf). If the transaction also requires a cost, a fee may be charged based on the tariff determined by the Personal Data Protection Board.

10. Enforcement of the Policy

This policy prepared by CyberArts is deemed to come into force after it is approved by the General Manager and published on the website. This prepared policy is periodically reviewed by CyberArts and made compatible with possible changes in the Law or Board decision. Updates made are also tabulated at the end of the policy.

Update Date / Version | Scope of Updates
28.07.2022 / 01 | Release of the New Policy with the Revocation of the Previous Policy.