POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

TABLE OF CONTENTS

1. AIM
2. SCOPE
3. DEFINITIONS AND ABBREVIATIONS

4. LEGAL OBLIGATIONS

4.1. Clarification Obligation
4.2. Our Obligation to Ensure Data Security.

5. CLASSIFICATION OF PERSONAL DATA 5.1. Personal Data5.2. Sensitive Personal Dat5.3. Categories Regarding Personal Data

6. PROCESSING PERSONAL DATA

6.1. Principles of Personal Data Processing.
6.1.1. Legal and Integrity Processing.
6.1.2. Ensuring the Accuracy of Personal Data and Up-to-Date When Necessary.
6.1.3. Processing for Specific, Explicit, and Legitimate Purposes.
6.1.4. Relating to the Purpose for which Personal Data is Processed, Limited and Measured
6.1.5. Retention of Personal Data for the Periods Envisioned in Legal Regulations or Required by Our Legitimate Interests
6.2. Our Personal Data Processing Purposes.
6.3. Processing of Personal Data and Sensitive Personal Data
6.3.1. Processing of Personal Data by Obtaining Explicit Consent
6.3.2. Cases in which Explicit Consent is Not Required for the Processing of Personal Data
6.3.3. Processing of Sensitive Personal Data
6.4. Processing of Personal Data Collected through Cookies on Websites
6.5. Processing of Personal Data Collected within the Scope of Access to the Wireless Network
6.6. Processing of Personal Data Collected for Human Resources and Employment Purposes
6.7. Processing of Personal Data within the Scope of Ensuring General Security

7. TRANSFERRING PERSONAL DATA

7.1. Transfer of Personal Data Domestic
7.2. Transfer of Personal Data Abroad
7.3. Third Parties to whom Personal Data is Transferred by the Company
7.4. Measures We Take to Ensure Legal Transfer of Personal Data
7.4.1. Technical Measures
7.4.2. Administrative Measures

8. STORAGE OF PERSONAL DATA

8.1. Retention of Personal Data for the Period Envisioned in the Relevant Legislation or Necessary for the Purpose of Processing
8.2. Measures We Take Regarding the Storage of Personal Data
8.2.1. Technical Measures
8.2.2. Administrative Measures

9. DELETING, DESTROYING OR MAKING PERSONAL DATA ANONYMOUS

10. SECURITY OF PERSONAL DATA

10.1. Our Obligations Regarding the Security of Personal Data.
10.2. Measures We Take to Prevent Unlawful Processing of Personal Data
10.3. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
10.4. Measures We Take in Case of Unlawful Disclosure of Personal Data

11. RIGHTS OF THE RELATED PERSON

11.1. Exercise of Rights Regarding Personal Data
11.2. Evaluation of the Application
11.2.1. Application Response Time
11.2.2. Our Right to Refuse the Application.
11.2.3. Application Evaluation and Response Procedure
11.2.4. Right to Complain to the Personal Data Protection Board


12. PUBLICATION AND STORAGE OF THE POLICY

13. UPDATE FREQUENCY
14. ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY


1.AIM

As NTA Implant Industry and Trade Ltd. Co.(“Company”), it is our priority to ensure that the personal data of real persons, including our employees, business contacts, customers, employee candidates, visitors, service providers and other third parties is processed in accordance with the Constitution of the Republic of Turkey and international agreements on human rights to which our country is a party, and the Law on Protection of Personal Data No. 6698. And to ensure that the data subject is processed effectively use their rights.

For this reason, we process the personal data we obtain from our employees, business contacts, customers, employee candidates, visitors, service providers and other third parties during our activities in accordance with the Company's Personal Data Protection and Processing Policy ("Policy").

The protection of personal data and the certainty of the fundamental rights and freedoms of persons whose personal data are collected constitute the basic principle of our policy regarding the processing of personal data. For this reason, we take care to carry out all our activities in which personal data are processed, taking into account the protection of privacy, the confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies.

This Policy regulates the methods and principles we follow regarding the processing (for example, collection, storage, transfer, deletion or anonymization) of the personal data collected during the activities of our Company within the framework of the principles mentioned in the KVKK.


2.SCOPE

All personal data processed by our Company, including personal data of our employees, business contacts, customers, employee candidates, visitors, service providers and other third parties, are within the scope of this Policy.

Our policy is implemented for all processing activities related to personal data within the Company, and has been handled and prepared by considering the KVKK and other legislation regarding personal data. This policy is implemented by the Company together with the relevant detailed data procedures in the activities carried out for the processing and protection of all personal data.


3.DEFINITIONS AND ABBREVIATIONS

In this section, the technical and legal concepts in the Policy are briefly explained. According to this;

DEFINITION

EXPLANATION

Explicit Consent

Consent on a particular subject, based on information and freely expressed, giving permission and authority to the addressee on the permitted subject.

Recipient Group

Natural or legal person category to whom personal data is transferred by the data controller.

Anonymization

Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Employee

Personel of the company

Electronic environment

Environments where personal data can be created, read, changed and disseminated by electronic devices.

 

Non-Electronic environment

All written, printed, visual and other than electronic media environments.

Service provider

A natural or legal person providing services under a specific contract.

Related person

Natural person whose personal data is processed.

Related User

Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Disposal

The process of deletion, destruction or anonymization of personal data.

Law

Law on Protection of Personal Data dated 7/4/2016 and numbered 6698.

Obscuration

Processes such as scratching or painting the information of personal data in a way that will not be carried out in an identified or identifiable way.

Recording Media

Any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.

Personal Data

Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory

Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

Board

Personal Data Protection Board.

Processing of Personal Data

Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking.

Personal Data Retention and Disposal Policy

The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.

Anonymization of Personal Data

Making personal data cannot be associated with an identified or identifiable natural person, even by matching with other data.

Disposal of Personal Data

Making the personal data processed completely or partially by automatic means inaccessible and reusable by the relevant users.

Deletion of Personal Data

Making personal data inaccessible, irretrievable and unusable by anyone in any way.

Sensitive Personal Data

Data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Disposal

The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the law are eliminated

Policy

Personal Data Retention and Disposal Policy.

Data Processor

The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data Recording System

The registration system in which personal data is processed and structured according to certain criteria.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System (VERBIS)

An information system created and managed by the Presidency, accessible over the internet, to be used by the data controllers in the application to the Registry and other related transactions related to the Registry.

 

Regulation

Regulation on the Deletion, Destruction or Anonymization of Personal Data, which entered into force by being published in the Official Gazette dated 28.10.2017 and numbered 30224.


4.LEGAL OBLIGATIONS

As a data controller, our legal obligations regarding the protection and processing of personal data are listed below:

4.1.    Clarification Obligation

Data owners should be informed before the collection and processing of their personal data. Before collecting data, right holders should be informed about the following:

  • For what purpose your personal data will be processed,
  • Our identity, information on the identity of our representative, if any,
  • To whom and for what purpose your processed personal data can be transferred,
  • The way we collect the data and the legal reason, and
  • Rights of the person whose personal data is processed pursuant to article 11 of the KVKK

As a company, we take care that this Policy, which is open to the public, is understandable and easily accessible.

4.2.    Our Obligation to Ensure Data Security

As the data controller, we take the administrative and technical measures stipulated in the legislation to ensure the security of the personal data in our responsibility. Obligations and measures regarding data security are detailed in the Personal Data Security section of this Policy.


5.CLASSIFICATION OF PERSONAL DATA

5.1. Personal Data

The protection of personal data is only related to real persons, and information belonging to legal entities that do not contain information about the real person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.

5.2. Sensitive Personal Data

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are of special nature. are personal data.

5.3. Categories Regarding Personal Data

We collect the following data within the scope of our company activities:

1. ID information
2. Contact Information
3. Financial Data
4. Personal Data
5. Legal Action
6. Customer Transaction
7. Data on Physical Space Security
8. Visual and Audio Data
9. Professional Knowledge
10. Health Information
11. Other Data


6. PROCESSING PERSONAL DATA

6.1. Our Personal Data Processing Principles

This Policy provides guidance on how our Company will implement the rules set forth by the KVKK and the relevant legislation. Based on this Policy, our company will analyze the personal data processing activities it carries out within its own body, determine the necessary actions to comply with this Policy, and take all kinds of technical and administrative measures. After the determined actions are implemented, internal control mechanisms will be operated and the continuity of compliance with the Policy will be ensured. In order to ensure compliance with the KVKK, personal data must be processed by our Company in accordance with the general principles and provisions stipulated in the legislation. In this context, the principles and conditions that must be taken into account by our Company in all personal data processing activities are discussed in this section; 6.1.1. Legal and Integrity Processing We process personal data in accordance with the rules of honesty, with transparent methods and within the framework of our disclosure obligation. In this context, our Company applies the principles of proportionality and necessity in the processing of personal data, and processes only as much personal data as necessary, in accordance with the purposes of data processing. 6.1.2. Ensuring the Accuracy of Personal Data and Up-to-Date When Necessary We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also offer the relevant person the opportunity to apply to update their data and to correct any errors in their processed data, if any. 6.1.3. Processing for Specific, Explicit, and Legitimate Purposes As a company, we process personal data within the scope and content of which are clearly defined and for our legitimate purposes determined to continue our activities within the framework of the legislation and the ordinary course of life. 6.1.4. Relating to the Purpose for which Personal Data is Processed, Limited and Measured We process personal data in connection with the purpose we have clearly and precisely determined, in a limited and measured way.
We avoid the processing of personal data that is not relevant or does not need to be processed. For this reason, we do not process personal data of a private nature unless there is a legal requirement, or we obtain express consent on the subject when we need to process it. 6.1.5. KRetention of Personal Data for the Periods Envisaged in Legal Regulations or Required by Our Legitimate Interests Many regulations in the legislation require personal data to be kept for a certain period of time. For this reason, we keep the personal data we process for as long as required by the relevant legislation or for the purposes of processing personal data.
In the event that the storage period stipulated in the legislation expires or the purpose of processing disappears, we delete, destroy or anonymize personal data. Our principles and procedures regarding retention periods are detailed in the relevant article of this Policy. 6.2. Our Personal Data Processing Purposes As a company, we process personal data for the following purposes:

Making the right/unjust distinction of the customer in customer complaints, increasing customer satisfaction, understanding customer needs and improving customer-related processes,

  • Evaluating the service quality to the customer and training the personnel,
  • For the purpose of administering the company, conducting the business, implementing company policies,
  • Monitoring and reporting the sales performance of Company Personnel,
  • Making expense payments to the personnel,
  • Creation of personnel page by entering personnel data, updating existing data,
  • Confirmation that the personnel to whom a vehicle has been allocated or used is qualified to drive, and that they have not lost their license for any reason,
  • Ensuring the printing of business cards,
  • Ensuring that the packages incoming via cargo and courier are forwarded to the relevant Personnel,
  • Monitoring the use of Company vehicles for the safety of the personnel and the execution of the work,
  • Recording the documents collected during the job application and interview of the personnel,
  • Planning the training, reporting the trainings, preparing the training certificates, following the personnel participating in the trainings, Following the development processes of the personnel as a result of the trainings they received,
  • Entry and exit tracking of the workplace,
  • Establishing communication with relevant persons in emergencies,
  • Planning, auditing and execution of information security processes
  • Opening and authorizing e-mail accounts for personnel,
  • Ensuring record security and storage of data,
  • Establishing a telephone line and delivering telephone to the personnel,
  • Planning and carrying out risk management and quality improvement studies,

In the event that the data processing activity, including but not limited to the above-mentioned purposes, does not meet any of the reasons for compliance with the law stipulated within the scope of KVKK, express consent is obtained by the Company for the relevant processing process.


6.3.
Processing of personal data and sensitive personal data

6.3.1. Processing of personal data by obtaining express consent In accordance with the legislation, personal data cannot be processed without the explicit consent of the person concerned. Explicit consent is defined in the law as “consent on a certain subject, based on information and expressed with free will”. In case the processed data is sensitive personal data, the explanations in this Policy are valid. 6.3.2. Cases in which Explicit Consent is Not Required for the Processing of Personal Data In exceptional cases listed below and arising from the law, we may process personal data without express consent:

  • Expressly stipulated in the law

The personal data of the data subject may be processed in accordance with the law if it is expressly stipulated in the law

  • Failure to obtain the explicit consent of the person concerned due to de facto impossibility

Personal data may be processed without explicit consent if it is necessary for the protection of life or physical integrity of the person or another person, who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid.

  • Being directly related to the establishment or performance of the contract

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data without obtaining explicit consent, if it is necessary to process the personal data of the parties to the contract.

  • It is mandatory for the Company to fulfill its legal obligations.

The company, as the data controller, may process the data that is required to be processed in order to fulfill a legal obligation, even without the consent of the data subject.

  • The person concerned has been made public by himself/herself

Personal data made public by the person concerned, in other words, disclosed to the public in any way, may be processed without express consent.

  •  Data processing is mandatory for the establishment, exercise or protection of a right

In the event that data processing is necessary for the establishment, exercise or protection of a right, personal data may be processed without seeking explicit consent.

  • Obligatory data processing for the legitimate interests of the Company

Provided that it does not harm the fundamental rights and freedoms of the person concerned, personal data may be processed without requiring explicit consent, even if data processing is necessary for the legitimate interests of the Company.

6.3.3. Processing of Sensitive Personal Data Special categories of personal data (excluding data related to health and sexual life) are processed by us by taking the administrative and technical measures stipulated by the KVK Board, in the presence of the explicit consent of the Relevant Person or when required by the legislation. Private personal data regarding health and sexual life, for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without the explicit consent of persons or authorized institutions and organizations under the obligation of keeping confidentiality, can be processed 6.4. Processing of Personal Data Collected through Cookies on Websites We use the cookies used on the website(http://www.ntaimplant.com) to improve the functioning and use of our website, and we try to make the time you spend on our website more productive and enjoyable. In addition to these, we use some cookies to remember the choices you make on our websites, thus providing you with an improved and personalized experience. We may collect, transfer, store and otherwise process your personal data through cookies on our website. If you do not want your personal data to be collected and processed through cookies, you can refuse cookies on our websites. We remind you that if you refuse cookies, our websites may not work as they should and disruptions may occur in the display or presentation of goods/services. 6.5. Processing of Personal Data Collected within the Scope of Access to the Wireless Network Wireless internet service is provided within the Company, and the Company is defined as "Internet Collective Use Provider" in accordance with the relevant legislation within the scope of the said service.
Access to the wireless network is possible within the company, and it is among the obligations of the Internet Collective Use Provider to define the users who want to benefit from the service in question, to record access records such as IP address information, start and end time of use, and destination IP information in the system electronically. In addition to these records, log information is also kept in accordance with the Law No. 5651 on Regulating Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts and relevant legislation. 6.6. Processing of Personal Data Collected for Human Resources and Employment Purposes We process your personal data, which you share with us during the application process as an employee candidate, for the purpose of examining your job application and, in case of your consent, we store them for the necessary period for evaluation in future positions within the Company. The processing of the personal data you share as an employee candidate is carried out in accordance with the principles and rules set forth in this Policy.

Personal data of employee candidates:

  • Evaluating the suitability of the employee candidate for the open position,
  • To confirm the accuracy of the information and documents given by the employee candidate or to conduct research on the employee candidate,
  • To contact the employee candidate regarding his/her application,
  • To meet legal obligations or requests of authorized institutions or organizations, and
  • Developing our Human Resources Policy

It can be collected for the following purposes and with the following tools, methods and channels:

  • Employee candidates to the Company by e-mail, mail, etc. résumés they have forwarded,
  • Interviews,
  • Controls and investigations carried out to confirm the accuracy of the information conveyed by the employee candidate, and
  • Recruitment tests.

Personal data of our employees and employee candidates are collected, processed and stored within the framework of the Company's Human Resources Policy, apart from this Policy. Our employees are also informed about the rules regarding the processing of their personal data.

6.7. Processing of Personal Data within the Scope of Ensuring General Security As a company, we collect, store and use the data of visitors and other third parties, especially our employees and customers, for general security purposes. In this context, we obtain the camera images of the people in our Company building and keep these records for the periods stipulated by the relevant legislation.

7. TRANSFERRING PERSONAL DATA

7.1. Transfer of Personal Data Domestic

As a company, we act in accordance with the regulations stipulated in the KVKK and the decisions made by the KVK Board regarding the transfer of personal data. Personal data and sensitive data of the persons concerned cannot be transferred by our company to other real persons or legal entities without the express consent of the person concerned. In so far, in cases where KVKK and other laws make it mandatory, the data may be transferred to private law legal entities, authorized administrative or judicial institution or organization in the manner and within the limits stipulated in the legislation, without the explicit consent of the person concerned. In addition, in cases stipulated in Articles 5 and 6 of the Law, transfer is possible without the consent of the person concerned. Our company may transfer personal data to third parties in accordance with the conditions stipulated in the Law and other relevant legislation and by taking all security measures specified in the legislation, if there is an existing contract signed with the data owner, unless otherwise regulated in the said contract and in the Law or other relevant legislation.

7.2. Transfer of Personal Data Abroad

As a rule, personal data cannot be transferred abroad without the explicit consent of the person concerned. However, in cases where one of the exceptional circumstances in this Policy exists, third parties abroad:

  • Located in countries where there is sufficient protection declared by the KVK Board, or
  • Being located in countries where there is no adequate protection, but the data controllers in Turkey and in the foreign country in question undertake an adequate protection in writing and have the permission of the KVK Board
    Provided that personal data can be transferred abroad without express consent.

Provided that personal data can be transferred abroad without express consent.

7.3. Third Parties to whom Personal Data is Transferred by the Company Information requested by public legal entities within the scope of their legislation is shared in accordance with Article 8 of the KVKK. In addition, Personal data may be transferred to the following categories of persons within the scope of the rules set forth in this Policy:

  • Company Business Partners,
  • Company officials,
  • Authorized Public Institutions and Organizations
  • Private Law Persons.

Person Category

Explanation

Transfer Purpose

Company Business Partners

Receiving services within the scope of the Company's activities, etc. means the parties with which it has established business partnerships for the purposes of

In order to realize the planned activity within the scope of the business partnership,

Officials

Represents the company's officials.

For the purposes of planning and executing the activities of the Company

 Authorized Public Institutions and Organizations

Refers to the public institutions and organizations authorized to receive information and documents from the Company within the scope of the relevant legal regulations.

For the purposes stipulated by the said legal regulation

Private Law Persons

Refers to private legal persons who are authorized to receive information and documents from the Company within the scope of relevant legal regulations.

For the purposes stipulated by the said legal regulation

 

7.4. Measures We Take to Ensure Legal Transfer of Personal Data

7.4.1. Technical Measures

In order to protect personal data, but not limited to those listed;

  • Makes the technical organization within the Company for the processing and storage of personal data in accordance with the legislation,
  • Establishing the necessary technical infrastructure to ensure the security of the databases where your personal data will be stored,
  • Follows and audits the processes of the technical infrastructure created,
  • Determines the procedures for reporting the technical measures and audit processes we take,
  • Periodically updates and renews the technical measures,
  • By re-examining the risky situations and producing the necessary technological solutions,
  • Uses virus protection systems, firewalls and similar software or hardware security products and establishes security systems in line with technological developments and
  • We employ specialists in technical matters or purchase services.

7.4.2. Administrative Measures

In order to ensure the security of personal data, we take various measures, including but not limited to the ones listed below. In this context;

  • Trainings are provided on prevention of unlawful processing of personal data, prevention of illegal access of personal data, protection of personal data, communication techniques, technical knowledge and skills, Law No. 6698 and other relevant legislation in order to improve the quality of employees.
  • Confidentiality agreements are signed by the employees regarding the activities carried out by the Company.
  • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
  • Before starting to process personal data, the Company fulfills its obligation to inform the relevant persons.
  • Personal data processing inventory has been prepared.
  • Periodic and random audits are carried out within the company.
  • It is ensured that our employees are trained and informed about the legal processing of personal data.
  • Unnecessary personal data is deleted, destroyed or anonymized.
  • All reasonable precautions are taken to prevent theft, loss or corruption of information.


8. STORAGE OF PERSONAL DATA

8.1. Retention of Personal Data for the Period Envisioned in the Relevant Legislation or Necessary for the Purpose of Processing We keep personal data for as long as required by the purpose of processing personal data and within the scope of the Company's Personal Data Retention and Disposal Policy, without prejudice to the storage periods stipulated in the legislation. In cases where we process personal data for more than one purpose, the data is deleted, destroyed or anonymized and stored if all the purposes of processing the data disappear or if there is no legal obstacle to the deletion of the data, upon the request of the person concerned. In matters of destruction, deletion or anonymization, the provisions of the legislation and the decisions of the KVK Board are complied with.

8.2.  Measures We Take Regarding the Storage of Personal Data

8.2.1. Technical Measures

  • Establishes technical infrastructures and related control mechanisms for the deletion, destruction and anonymization of personal data,
  • Takes the necessary measures for the safe storage of personal data,
  • Employs employees with technical expertise,
  • It creates business continuity and emergency plans against possible risks and develops systems for their implementation, and
  • We establish security systems in accordance with technological developments regarding the storage areas of personal data.

8.2.2. Administrative Measures

  • Raise awareness by informing our employees about the technical and administrative risks related to the storage of personal data, and
  • In case of cooperation with third parties for the storage of personal data, we include the provisions regarding the contracts made with the companies to which the personal data is transferred and the necessary security measures for the protection and safe storage of the transferred personal data.

For the administrative and technical measures we take within the scope of personal data, please review the Company's Personal Data Retention and Disposal Policy.


9. DELETING, DESTROYING OR MAKING PERSONAL DATA ANONYMOUS

Personal data collected within the scope of our processing purposes are processed and stored within the scope of our processing purposes and applicable laws. Personal data;

  • The complete termination of our processing purposes or
  • At the request of the relevant person

deleted, destroyed or anonymized. The aforementioned deletion, destruction and anonymization processes are carried out within the scope of the Company's Data Retention and Destruction Policy, without prejudice to the provisions of the relevant legislation.
While your personal data is being deleted, destroyed or anonymized, the security measures in this Policy are taken.
Unless otherwise specified by the Board, the Company chooses the appropriate method of deleting, destroying or anonymizing personal data.
Personal data is deleted or destroyed according to the method specified by the person concerned in the application form, without prejudice to the Board decisions and the provisions of the relevant legislation.

10. SECURITY OF PERSONAL DATA

10.1. Our Obligations Regarding the Security of Personal Data

As a company;

  • To prevent the unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • We take administrative and technical measures to ensure that personal data is kept in accordance with the law.

10.2. Measures We Take to Prevent Unlawful Processing of Personal Data

  • Carries out and has the necessary inspections made within the company,
  • To educate and inform our employees and related parties about the legal processing of personal data,
  • In cases where cooperation is made with third parties for the purpose of processing personal data, it includes provisions regarding taking the necessary security measures in the contracts made with companies that process personal data, and
  • In case of unlawful disclosure of personal data or data leakage, we notify the relevant person and the KVK Board, carry out the investigations stipulated by the legislation in this regard and take the relevant measures.

10.3. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

To prevent unlawful access to personal data;

  • Employs employees with technical expertise or purchases services in this regard,
  • Periodically updating and renewing the technical measures,
  • Establishes access authorization procedures within the company,
  • It determines the procedures regarding the reporting of the technical measures and audit processes we have taken,
  • Establishes the data recording systems used within the company in accordance with the legislation and conducts periodic audits,
  • Establishing emergency aid plans against possible risks and developing systems for their implementation,
  • Training and informing our employees about accessing and authorizing personal data,
  • In cases where cooperation is made with third parties for activities such as processing and storage of personal data, contracts made with companies providing access to personal data include provisions regarding the taking of necessary security measures by persons providing access to personal data, and
  • We establish security systems within the scope of technological developments in order to prevent unlawful access to personal data.

10.4. Measures We Take Against Unlawful Disclosure of Personal Data

We take administrative and technical measures to prevent the unlawful disclosure of personal data and update them in accordance with our relevant procedures. If we detect that personal data has been disclosed unauthorized and unlawful, we establish the necessary systems and infrastructures to notify the relevant person and the KVK Board. In case of an unlawful disclosure despite all the administrative and technical measures taken, this situation may be announced on the website of the KVK Board or by any other method, if deemed necessary by the KVK Board.


11. RIGHTS OF THE RELATED PERSON

Pursuant to Article 11 of the Law, whether or not there is a Statement of Express Consent; relevant persons may apply to our Company and exercise their existing rights regarding the following matters regarding their personal data. In this context, personal data owners have following;

  • Learning whether personal data is processed or not,
  • If personal data has been processed, requesting information about it,
  • To learn the purpose of processing personal data and whether they are used in accordance with the purpose,
  • Knowing the third parties to whom personal data is transferred in the country or abroad,
  • Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  • Requesting the deletion or destruction of personal data in the event that the reasons requiring it to be processed disappear, despite the fact that it has been processed in accordance with the Law on the Protection of Personal Data No. 6698 and other relevant provisions of the law, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • Requesting the compensation of the damage in case of loss due to unlawful processing of personal data,

rights.

11.1. Exercise of Rights Regarding Personal Data

If a separate method is determined by the KVK Board, the person concerned may submit their request regarding their personal data to Tahılpazarı Mh. İsmetpasa Cd. Zeynep Ertugrul Apt. No:43/3 Muratpaşa/ANTALYA by hand, you can send it via a notary public. In addition, in accordance with the 5th article of the "Communiqué on Application Procedures and Principles to the Data Controller", you can use the registered e-mail (KEP) address, secure electronic signature, mobile signature or the e-mail address you have previously notified to our Company and registered in our systems. You can forward it to info@ntaimplant.com. The person concerned must clearly and comprehensibly state the requested issue in the application, which includes explanations regarding the right to be exercised and requested to use the above-mentioned rights. Although the subject of the request must be related to the person of the applicant, if acting on behalf of someone else, the applicant must be specifically authorized in this regard and this authority must be documented (special power of attorney). In addition, the application must include identity and address information, and documents proving identity must be attached to the application.
Requests made by unauthorized third parties on behalf of someone else will not be considered.

11.2. Evaluation of the Application

11.2.1. Application Response Time

Requests regarding personal data are concluded as soon as possible and in any case within 30 (thirty) days at the latest, free of charge, or against the fee in the tariff if the conditions in the tariff to be published by the KVK Board are met. Additional information and documents may be requested during the application or while the application is being evaluated.

11.2.2. Our Right to Refuse the Application

Applications regarding personal data may be rejected in the following cases, including but not limited to:

  • Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
  • Processing personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate the privacy or personal rights of the person concerned, or constitute a crime,
  • Processing of personal data made public by the person concerned,
  • The application is not based on a just cause,
  • The application contains a request contrary to the relevant legislation and
  • Failure to comply with the application procedure.

11.2.3.  Application Evaluation and Response Procedure

In order for the response period specified in the section titled “Response time to the Application” of this Policy to begin, the applications must be submitted in writing via the KVK Application Form, by hand delivery with wet signature or sent via a notary, electronically signed via KEP or by other methods determined by the KVK Board. If the request is accepted, the necessary procedures are applied and the applicant is notified in writing or electronically. In case of rejection of the request, the applicant is notified in writing or electronically by explaining the reason.

11.2.4.  Right to Complain to the Personal Data Protection Board

In cases where the application is rejected, the answer given is insufficient, or the answer is not given in a timely manner; The applicant has the right to complain to the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.


12. PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is stored in the Personal Data Protection file of the Human Resources Department.


13. UPDATE FREQUENCY

This Policy is reviewed once a year and updated as needed.


14. ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY

The policy is deemed to have entered into force after its publication on the Company's website. In the event that it is decided to be repealed, old copies of the Policy with wet signatures are canceled and signed by the Board of Directors (with an annulment stamp or an annulment) and are kept by the Human Resources Department for at least 5 years.

Click to Download KVKK - Clarification Text (format docx)  

KVKK - Clarification Text

KVKK - Application Form