PERSONAL DATA PROTECTION AND PROCESSING POLICY
SECTION 1 – PURPOSE OF THE POLICY
The right to protection of personal data is included in ARTICLE 20 of the Constitution of the Republic of Turkey as follows.
“Everyone has the right to demand respect for their private and family life. Inviolable confidentiality of private life and family life. (Additional paragraph: 12/9/2010-5982/2 art.)
Everyone has the right to request the protection of personal data concerning him/her. This right; It also includes being informed about personal data about oneself, accessing this data, requesting its correction or deletion, and learning whether it is used for its purposes.
Personal data can only be processed in cases stipulated by law or with the express consent of the person.
"The principles and procedures regarding the protection of personal data are regulated by law."
Personal Data Protection Law No. 6698, which aims to protect the fundamental rights and freedoms of the individual during the processing of personal data, was referred to the Presidency of the Grand National Assembly of Turkey on January 18, 2016, with various amendments made on the previous texts, and was accepted by the General Assembly of the Turkish Grand National Assembly on March 24, 2016 and became law on April 7. It entered into force after being published in the Official Gazette dated 2016 and numbered 29677.
In paragraph (1) of Article 12 of the Personal Data Protection Law No. 6698 (Law), the Data Controller;
• To prevent unlawful processing of personal data,
• To prevent unlawful access to personal data,
• To ensure the protection of personal data;
It is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security for this purpose,
In paragraph (5), if the processed personal data is obtained by others through illegal means, the data controller will notify this situation to the person concerned and the Personal Data Protection Board (Board) as soon as possible, and if necessary, the Board will notify this situation on its own website or in appropriate It is stipulated that the person may declare it by any other method he deems appropriate.
HAN-TUR TURİZM HOTEL TAŞ. CONS. GO. SAN VE TİC LTD ŞTİ. With this policy, it makes the protection of personal data, which is a constitutional right, a company policy and undertakes to comply with the Personal Data Protection Law and legislation and regulations within the scope of its legal and social responsibility.
With the Personal Data Protection Policy, HAN-TUR TURİZM OTELCİLİK TAŞ. CONS. GO. SAN VE TİC LTD ŞTİ. It is aimed to raise awareness about the legal processing and protection of personal data within the company and to establish a sustainable and auditable system to ensure compliance with the legislation in all processes.
The Policy also includes the principles adopted in the execution of personal data processing activities carried out by the company (HAN-TUR TURİZM OTELCİLİK TAŞ. İNŞ. GID. SAN VE TİC LTD ŞTİ.) and the data processing activities are included in the Personal Data Protection Law No. 6698 (“Law”). The basic principles in terms of compliance with the relevant regulations are explained and thus the Company provides the necessary transparency by informing personal data owners.
CHAPTER 2 - DEFINITIONS
Explanations of some definitions included in the Personal Data Protection Law and the company's Personal Data Protection and Processing Policy are given below.
Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system, Any action performed on data, such as classifying or preventing its use.
Personal Data Owner: Natural person customers, employees, employee candidates, suppliers and their employees, partners, other third party natural persons whose personal data is processed within the scope of the contract made with the Company.
Personal Data: Any information regarding an identified or identifiable natural person.
For example; name-surname, TR ID Number, e-mail, address, business address, date of birth, place of birth, credit card number, driver's license number, bank account number, passport number, license number, diploma, etc.
Special Personal Data: Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. These are special quality data.
Data Controller: The data controller is the person who determines the purposes and means of processing personal data and establishes and manages the data recording system in which the data is systematically processed and stored.
Data Processor: Natural or legal person who processes data on behalf of the data controller within the scope of the authority given by him/her.
Explicit Consent: Consent regarding a specific issue, based on information and expressed with free will.
Deletion of Personal Data: It is the process of making personal data inaccessible and unusable for the relevant users in any way.
Destruction of Personal Data: It is the process of making personal data inaccessible, irretrievable and unusable by anyone.
Anonymization: Making personal data in no way associated with an identified or identifiable natural person, even if it is matched with other data.
KVKK: Personal Data Protection Law published in the Official Gazette dated 7 April 2016 and numbered 29677
KVK Board: Personal Data Protection Board
Personal Data Storage and Destruction Policy: In accordance with the Regulation on Deletion, Destruction and Anonymization of Personal Data, the Company determines the maximum period required for the purpose for which personal data are processed and the basis for deletion, destruction and anonymization of personal data. Personal Data Storage and Destruction Policy”.
Data Controllers Registry: Data Controllers Registry, which is kept under the supervision of the Personal Data Protection Authority under the supervision of the KVK Board and is open to the public.
Communiqué on the Procedures and Principles of Application to the Data Controller: Communiqué on the Procedures and Principles of Application to the Data Controller, which came into force after being published in the Official Gazette No. 30356 dated 10 March 2018.
CHAPTER 3 – GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
Personal Data Protection Law in 'General Principles' (LAW ARTICLE 4)
(1) Personal data can only be processed in accordance with the procedures and principles set forth in this Law and other laws.
(2) It is mandatory to comply with the following principles in the processing of personal data:
a) Compliance with the law and the rules of honesty.
b) Being accurate and up to date when necessary.
c) Processing for specific, clear and legitimate purposes.
ç) Being related to the purpose for which they are processed, limited and proportionate.
d) Stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
provisions are included.
In our company's practices; The purposes of processing personal data are clearly stated, and the purposes are included in the data inventory and information texts. The data is processed on a limited basis for purposes related to business activities.
Necessary precautions are taken to ensure that personal data is accurate and up-to-date throughout the period it is processed.
Our company retains personal data for the period necessary for the purpose for which they are processed and for the period stipulated in the legal legislation regarding the activity.
If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed.
SECTION 4 - PROCESSED PERSONAL DATA AND PURPOSES OF PROCESSING
In the Information Texts sent to the relevant persons, your processed personal data are included separately for each data category by matching them with the purpose of processing and legal reasons.
In order to provide information to all relevant people, separate information texts have been prepared and implemented for company customers, employees and employee candidates, consultants, service providers and suppliers, solution partners and visitors.
Data Category headings in the clarification texts are given below. The information processed in categories varies according to business processes and sectors, and the different information obtained is processed in the category fields.
Processed Data categories:
Identity Information; Information regarding the person's identity; Name-Surname, TR ID number, TR ID information, tax number, SSI number, signature information, vehicle license plate, driver's license, identity card and passport information.
Contact information; Telephone number, full address information, e-mail address, internal company contact information (internal telephone number, corporate e-mail address), fax information, registered e-mail address (KEP),
.
Information on Family Members and Relatives; Personal data about family members (spouse, mother, father, child) and relatives of the personal data owner.
Legal Transaction Information; Personal data processed within the scope of legal obligations in determining and pursuing the company's legal receivables and rights and fulfilling its debts.
Special Personal Data; Data specified in Article 6 of the KVK Law (health data of employees, including blood type, biometric data, disability status, device and prosthesis information used).
Financial Information; IBAN, card information, bank name, financial profile, mail order form, credit score, contract information, tax office number.
Employee Personal Information; Curriculum Vitae (CV), social security number, registration number, position name, department and unit, title, employment entry and exit dates, insurance entry/retirement allocation number, defense and warning documents/minutes, family relative data; marriage certificate; name and surname of spouse and children, AGI certificate, performance evaluation notes, name, surname and telephone number of relatives to be called in case of emergency,
Information Regarding Criminal Convictions; Information regarding security measures, Criminal record,
Legal documents; Information in correspondence with judicial authorities, information in the case file.
Professional experience information; Diploma information, course information, in-service training information, certificates, experience certificate, license certificate.
Financial Data; Bank account and Iban number, tax number, bank name, branch
Visual Data; Images obtained from camera recordings.
Your personal data obtained and processed in accordance with the Personal Data Protection legislation will be transferred to our Company's physical archives and/or information systems and will be preserved both in digital and physical environments. By taking security measures, it will be backed up in technological environments outside the company, with the control in our company.
CHAPTER 5 - CLARIFICATION AND INFORMATION OF THE PERSONAL DATA OWNER
One of the most important obligations imposed by the law on data controllers is the Disclosure Obligation.
This obligation is the most important indicator that the relevant persons have control and audit authority over their personal data.
The obligation to inform, imposed by Article 10, is an obligation for data controllers, but it is also a right for natural persons whose personal data are processed.
Our company informs personal data owners during the collection of personal data, in accordance with Article 10 of the Personal Data Protection Law.
In this context, it informs the relevant persons about the identity of the data controller, the identity of its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner.
The purpose for which personal data will be processed is determined before the personal data processing begins.
According to the first paragraph of Article 5 of the Communiqué; When fulfilling the obligation to inform, the purpose of processing must be specific, clear and legitimate.
In informing; Statements that are general, vague and suggest that they may be processed for other purposes that may come to the fore are avoided.
The company does not use personal data other than activities required for the purpose.
Processing of personal data that is not relevant or needed to achieve the purpose is avoided.
Purposes are determined on the basis of data category, and for each category, the information on which data is processed based on the legal conditions in Articles 5 and 6 of the Law, to whom the data can be transferred and the purposes of transfer are included in the clarification text.
In accordance with Article 11 of the Personal Data Protection Law, if the personal data owner requests information, the Company provides the necessary information to the relevant person within the time limit.
In order to ensure that the application is answered in a timely manner and in accordance with the law, an 'Application Response Procedure' has been prepared and responsible persons within the company have been determined and assigned.
CHAPTER 6 - METHOD OF COLLECTION OF PERSONAL DATA AND LEGAL REASON
Personal data in accordance with our fields of activity; information processed verbally, in writing, on paper or electronically, visual and audio data obtained through call center and camera recordings, website applications, information transmitted via e-mail and KEP, shared financial data, contract information, petitions, legal notifications, It is collected from physical and electronic environments through correspondence and information made public by you.
Your personal data,
Personal Data Protection Law Article. 5/2-a: "Prescribed by law",
Personal Data Protection Law Article. 5/2-c: “It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract”,
Article 5/2-d of the Personal Data Protection Law: "It is mandatory for the data controller to fulfill its legal obligation",
Personal Data Protection Law Article 5/2-d: "Having been made public by the relevant person himself"
Personal Data Protection Law Article 5/2-e: "Data processing is mandatory for the establishment, exercise or protection of a right"
Personal Data Protection Law Article 5/2-f: "It is mandatory for the legitimate interest of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person",
It is collected and processed based on at least one of the legal reasons and, when necessary, express consent.
Our company does not collect data without a valid purpose and a valid legal reason or explicit consent.
CHAPTER 7 - PROTECTION OF SPECIAL PERSONAL DATA
In Article 6 of the Personal Data Protection Law, certain personal data that pose the risk of causing victimization or discrimination when processed unlawfully are designated as "special nature" and special care must be taken in the processing of these data.
These data; 'data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic' data.
Within the scope of special nature data, health data and, in some cases, criminal record records are kept within the company with explicit consent.
Privacy training is provided to personnel who can access these special personal data, the scope and duration of access authorization are determined, periodic audits are carried out and confidentiality agreements are signed.
If the relevant personnel leaves the job, the access authorization is immediately revoked.
Physical files containing personal health data stored physically in employees' health files are locked and stored in areas that can only be accessed by the workplace physician.
Transaction records of all transactions performed on sensitive data are monitored, security updates of the environments where the data are stored are constantly monitored, and necessary security tests are carried out regularly.
CHAPTER 8 - TRANSFER OF PERSONAL DATA
The provisions of Article 8 of the Personal Data Protection Law regarding the transfer of personal data are given below.
(1) Personal data cannot be transferred without the explicit consent of the relevant person.
2) Personal data; a) In the second paragraph of Article 5, b) In case one of the conditions specified in the third paragraph of Article 6 is met, provided that adequate precautions are taken, it can be transferred without the express consent of the relevant person.
(3) Provisions in other laws regarding the transfer of personal data are reserved. Data is not transferred abroad without the express consent of the relevant person.
ARTICLE 5 - In case of the existence of one of the following conditions within the scope of paragraph 2), it will be possible to process and transfer personal data without seeking the explicit consent of the relevant person.
a) It is clearly prescribed by law.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
In order to transfer private data, it is mandatory to obtain the explicit consent of the data owner, with the exceptions given below, pursuant to Article 6 of the Law. 'Special personal data regarding the health and sexual life of the personal data owner can only be used in the form of protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing; It can be transferred without explicit consent by persons who are under the obligation of confidentiality or authorized institutions and organizations.
Your personal data may be processed for the limited purposes specified in the information texts in accordance with the provisions of Article 8 of the Personal Data Protection Law and the provision of explicit consent in Article 9 and the scope of Article 5/2 paragraph;
The Company complies with the provisions in Article 5 of the Law, the regulations regarding the processing of Special Personal Data in Article 6 and the transfer of personal data in Articles 8 and 9, and the decisions published by the Personal Data Protection Board.
Special categories of data are not processed or transferred without the explicit consent of the data owner.
Your personal data may be transferred to authorized and authorized public institutions and organizations in order to fulfill the obligations arising from the legislation within the scope of the Law and other legislation, to the General Directorate of Security, to supervisory and regulatory institutions in order to provide information in accordance with the legislation, to any judicial authority in order to be used as evidence in legal disputes that may arise between us. To your authorized representatives and lawyers, to banks and financial institutions for financing and payment transactions, to our business partners and group companies, and company partners for the purpose of carrying out our business activities. It may be transferred to goods and service suppliers for the purpose of carrying out goods / services and operation processes, and to third parties from whom we receive consultancy, including tax and financial consultants, for the execution of finance and accounting affairs.
When transferring data abroad, no data is transferred without obtaining the explicit consent of the relevant person.
CHAPTER 9 - ENSURING THE SECURITY OF PERSONAL DATA
Administrative and Technical Measures Taken to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments:
The company has implemented a secure infrastructure and security controls that will protect the integrity of information and guarantee its constant accessibility. It has implemented the following technical and administrative measures to prevent reckless or unauthorized disclosure, access, transfer or other unlawful access of personal data and against other risks and threats that may arise.
Technical Measures
Security system is the protection of personal data against all threats while it is in personal information systems.
Among information security threats, internal threats, which we can define as conscious or unconscious threats that can be created by people working within the organization, have a very important place.
Necessary security controls have been implemented in all relevant areas to control access to information and prevent unauthorized access, taking into account the conscious or unconscious threats that may be posed by people working within the organization. The company regularly checks whether the daily activities of the employees comply with their authority profiles.
Access to information systems and authorization of users are made through security policies through the access and authorization matrix.
Passwords used by personnel or third parties to access personal data resources are arranged in accordance with the password determination rules defined for the relevant systems. Complex passwords, consisting of combinations of numbers, uppercase letters, lowercase letters and punctuation marks, that are memorable and unlike old passwords, are used.
As a result of real-time analysis with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
Risks to prevent unlawful processing of personal data are identified, technical measures appropriate to these risks are taken, and technical controls are carried out for the measures taken.
The company has established layered network security measures against threats that may come from external networks. Layered network security measures have been installed on the servers in the Institution's computer systems against threats that may come from external networks. Anti-virus software, firewalls, central management and control software are used in company information systems.
In case personal data is obtained by others unlawfully, a Data Breach Response Plan has been prepared and an appropriate system and infrastructure has been established to prevent this situation and notify the relevant person and the Board.
Adequate security measures are taken in the physical environments where sensitive personal data are processed, stored and/or accessed, and unauthorized entries and exits are prevented.
For backup, backups of critical systems are taken periodically, and the backups are moved to the external environment at regular intervals.
The company takes the necessary measures to ensure that deleted personal data is inaccessible and unusable for relevant users.
Administrative Measures:
Employees are given training on the Personal Data Protection Law and other relevant legislation and on taking data security measures and are made to sign confidentiality agreements. A disciplinary procedure is implemented that includes penalties for employees who do not comply with security policies and procedures.
It is mandatory to obtain a commitment from data processors and suppliers of goods and services to ensure compliance with the Personal Data Protection Law, data confidentiality and compliance with security measures.
Before starting to process personal data, the company fulfills its obligation to inform the relevant persons and obtain explicit consent.
The 'Risk and Threat Table', which lists conscious or unconscious threats that may be posed by people working within the organization and dangers that may come from external networks, is periodically examined by the Data Protection Officer and the measures are updated.
Technical control systems have been established on applications. As the data controller, he carries out in-house systematic periodic audits through the Data Protection Officer.
When deemed necessary, audits will be carried out by expert companies or independent audit companies.
'Access and Authorization Procedure' and 'Personal Data Storage and Destruction Policy' have been prepared and implemented to control access to information and prevent unauthorized access, to ensure data security, and for legal storage and destruction.
SECTION 10 – STORAGE PERIOD OF PROCESSED PERSONAL DATA
In accordance with Article 4 of the Law, personal data are kept for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed, and if all the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, they are deleted or destroyed ex officio or upon the request of the data owner. or made anonymous.
If stipulated in the relevant laws and legislation, the company stores personal data for the period specified in the relevant laws and legislation.
If a period of time is not regulated in the legislation regarding how long personal data should be stored, personal data is processed for a period of time that requires proper processing for the purpose, depending on the services offered by the company while processing that data, and is then deleted, destroyed or anonymized.
The purpose of processing personal data has expired; If the retention periods determined by the relevant legislation and the company have expired, personal data can only be stored taking into account the legal periods to serve as evidence in possible legal disputes or to assert the relevant right based on personal data or to establish a defense. Personal data is not stored by the company for possible use in the future.
The 'Regulation on Deletion, Destruction or Anonymization of Personal Data', which came into force on 28 October 2017, determines the procedures and principles regarding the deletion, destruction or anonymization of personal data whose reasons for processing are eliminated.
Legal retention periods on a personal data basis for all personal data within the scope of activities carried out in accordance with the processes are included in the company's 'Personal Data Storage and Destruction Policy'.
CHAPTER 11 - OBLIGATION TO DELETE AND DESTROY AND ANONYMIZE DATA
Article 7 of the Law includes the principles of deletion, destruction and anonymization of personal data. Accordingly, even though personal data has been processed in accordance with the law, if the reasons requiring processing are eliminated, these data are deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person.
It is accepted that the processing conditions for personal data are eliminated, especially in the cases listed below.
Changing or removing the relevant legislative provisions that constitute the basis for processing personal data,
The contract between the parties has never been established, the contract is not valid, the contract terminates automatically, the contract is terminated or the contract is withdrawn,
Elimination of the purpose requiring the processing of personal data,
Processing personal data is against the law or the rule of honesty,
In cases where personal data is processed only on the basis of explicit consent, the relevant person withdraws his/her consent,
The data controller accepts the application made by the relevant person regarding the processing of personal data within the framework of his rights in paragraphs (e) and (f) of Article 11 of the Law,
In cases where the data controller rejects the application made to him by the data subject requesting the deletion or destruction of his personal data, his response is found insufficient, or he does not respond within the time period stipulated in the Law; Making a complaint to the Board and this request being approved by the Board,
Although the maximum period requiring personal data to be stored has passed, there are no conditions that justify storing personal data for a longer period of time,
Deletion of personal data; It is defined as "making the personal data in question inaccessible and unusable by the relevant users in any way."
In this context, if the reasons requiring the processing of data no longer exist and the legal period expires, the data in question is irreversibly deleted from all media, including backups.
The decision on which of the deletion and destruction techniques of personal data and anonymization of personal data will be applied is made by the Data Controller.
The personal data that will be subject to deletion is determined. Deletions are carried out by pre-determined personnel. The powers of these personnel are specially regulated. The access rights of the personnel who perform the deletion to retrieve and reuse the deleted data are removed.
The Data Protection Officer checks that the deletion, destruction or anonymization of the data that needs to be deleted is done in accordance with the law, regulation and company policies and procedures, and the accuracy of the information record created regarding the transactions.
CHAPTER 12 – DATA OWNER'S RIGHTS AND EXERCISE OF THESE RIGHTS
HAN-TUR TURİZM HOTEL TAŞ. CONS. GO. SAN VE TİC LTD ŞTİ. (Company) informs the personal data owner of his/her rights in accordance with Article 10 of the Personal Data Protection Law and guides the personal data owner on how to use these rights. The company has implemented administrative and technical regulations regarding internal operation in order to evaluate the rights of personal data owners and provide the necessary information to personal data owners.
Personal data owners have the following rights in accordance with Article 11 of the Personal Data Protection Law;
a) Learning whether personal data is processed or not,
b) Requesting information if personal data has been processed,
c) Learning the purpose of processing personal data and whether they are used for their intended purpose,
ç) Knowing the third parties to whom personal data is transferred domestically or abroad,
d) Requesting correction of personal data if they are incomplete or incorrectly processed,
e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
f) To request that the transactions carried out in accordance with paragraphs (d) and (e) be notified to third parties to whom personal data is transferred,
g) Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems,
g) Requesting the compensation of the damage in case of damage due to the illegal processing of personal data.
Exercise of Personal Data Owner's Rights;
The data owner may exercise the rights specified in Article 11 above, in accordance with the 1st paragraph of Article 13 of the KVK Law.
It is not possible for third parties to make requests on behalf of personal data owners.
In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person making the application.
Application to the data controller is regulated in Article 13 of the Law as follows.
ARTICLE 13- (1) The relevant person shall convey his/her requests regarding the implementation of this Law to the data controller in writing or by other methods determined by the Board.
(2) The data controller finalizes the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.
(3) The data controller accepts the request or rejects it by explaining the reason and notifies the relevant person in writing or electronically of his/her response.
If the request in the application is accepted, the data controller will fulfill it accordingly. If the application is due to the error of the data controller, the fee collected will be refunded to the relevant party.
Your requests in your application will be finalized free of charge within thirty (30) days at the latest, depending on the nature of the request. Application methods are included in the Information Texts sent to the relevant persons.
In order to determine whether the applicant is a personal data owner, the company may request additional information and documents from the relevant person and ask questions to the personal data owner about the issues included in the application.
In accordance with Article 14 of the KVK Law, in cases where the application is rejected, the answer given is found to be insufficient, or the application is not answered in time, the personal data owner may file a complaint with the KVK Board within thirty days from the date of learning the Company's answer, and in any case within sixty days from the date of application.
CHAPTER 13 - IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In case of incompatibility between the legislation in force and the Company Policy, our Company accepts that the applicable legislation will apply.
CHAPTER 14 - ENFORCEMENT
This Policy issued by the data controller is dated 1/1/2022. The Policy signed by the Management is published on the Company's website, and the Policy is reviewed at least once every year.
Review and updating of this policy is carried out by the Data Protection Officer.