Turmobil | Personal Data Protection And Processing Policy
info@turmobil.com /turmobil

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Last update date: (16)/ (07)/ (2020)

1.INTRODUCTION

1.1. Objective and Scope of the Policy

The Personal Data Protection Law No. 6698 (“the Law”) entered into the force on 7 April 2016; and this TurMobil® Rent A Car Taş. Ve Nak. San. Tic. Ltd. Sti. Personal Data Protection and Processing Policy (“the Policy”) aims to ensure that TurMobil® Turizm Rent A Car Taş. Ve Nak. San. Tic. Ltd. Sti. (“TurMobil” or “the Company”) complies with the Law and to determine the principles to be observed in the fulfillment of the obligations for protection and processing of personal data by the Company.

The Policy determines the personal data processing conditions and sets forth the main principles adopted by the Company in the processing of personal data. Within this framework, the Policy covers all the personal data processing activities within the scope of the Law by the Company, all the personal data subjects whose personal data are processed by the Company and all the personal data processed by the Company.

The matters related to the processing of the Company employees’ personal data are not included in the scope of the Policy and are regulated separately in the Policy for the Protection and Processing of the Personal Data of TurMobil® Turizm Rent A Car Taş. Ve Nak. San. Tic. Ltd. Sti. Employees.

The definitions of the terms used in the Policy are provided in the Appendix-1.

1.2. Effectiveness and Amendments

The Policy is published and made public by the Company on its website. The provisions of the legislation shall apply in case of a contradiction between the provisions contained in the Policy and the provisions contained in the applicable legislation, particularly the Law.

The Company reserves its right to make amendments to the Policy in parallel to the legal arrangements. The recent version of the Policy is accessible on the Company’s website and through the following link: ………………………………………………………………………………………

  1. DATA SUBJECTS, DATA PROCESSING PURPOSES AND DATA CATEGORIES FOR THE PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY THE COMPANY

2.1. Data Subjects

The Data Subjects included in the scope of the Policy are all the real persons -other than the Company employees- whose personal data are processed by the Company. Within this framework, the data subject categories are mainly as follows:

DATA SUBJECT CATEGORY DESCRIPTION
1 Customer Refers to all the real persons who make use of the products and services offered by the Company.
2 Potential Customer Refers to the real persons who take an interest in using the products and services offered by the Company and have the potential to turn into customers.
3 Visitor Refers to the real persons who visit the Company, its store, its premises or its website.
4 Employee Candidate Refers to the real persons who apply to the Company for a job by sending their CVs to the Company or through other methods.
5 Third Parties Refers to the real persons other than the Company employees and the above data subject categories.

The Data Subject Categories are specified for general information sharing purposes. In case a Data Subject does not fall within the scope of any of these categories, this shall not eliminate his/her capacity of being a data subject as specified by the Law.

2.2. Personal Data Processing Purposes

The Company may process your personal data and special categories of personal data for the following purposes, in compliance with the Personal Data Processing Conditions specified by the Law and the relevant legislation:

MAIN PURPOSE SUB-PURPOSE
Conduct of the Company Internal Operations 1. Planning, Control and Execution of Information Security Processes

2. Creating and Managing Information Technology Infrastructure

3. Planning and Execution of Employees’ Authorities to Access Information Systems

4. Operation Management

5. Following-up of Finance and Accounting Affairs

6. Planning and Execution of Efficiency/Productivity and Appropriateness Analysis of Business Activities

7. Planning and Execution of Business Activities

8. Planning and Execution of Business Partners’ and Suppliers’ Authorities to Access Information Systems

9. Planning and Execution of Business Continuity Activities

10. Planning and Execution of Corporate Communication Activities

11. Planning and Execution of Corporate Sustainability Activities

12. Planning and Execution of Corporate Governance Activities

13. Planning and Execution of Logistics Activities

14. Planning and Execution of Production and Operation Processes

15. Planning and Following-up of Building and Construction Works

Activities with Legal, Technical and Administrative Consequences 1. Planning and Execution of Emergency Management Processes

2. Planning and Execution of Occupational Health and Safety Processes

3. Realization of Risk Management for Credit Processes

4. Calculation of Persons’ Insurance Policy Premiums and Creation of Insurance Policies

5. Management and Control of Relations with Affiliates

6. Initiation of Damage Processes and Completion of Damage Files

7. Following-up of Legal Affairs

8. Group Companies IT and Operational Audit Studies

9. Providing Authorized Entities with Information arising from the Legislation

10. Creation and Tracking of Visitor Records

11. Planning and Execution of the Company’s Production and Operational Risk Processes

12. Realization of Corporate and Partnership Law Transactions

13. Ensuring the Safety and Security of the Company Operations

14. Ensuring the Safety and Security of the Company Premises and Facilities

15. Planning and Execution of the Company’s Financial Risk Processes

16. Ensuring the Safety and Security of Company Fixtures and Resources

17. Planning and Execution of the Company Audit Activities

18. Preparation of Insurance Policies

19. Various Transaction Applications by the Shareholders, by First Degree Relatives of the Shareholders and by the Board Members

20. Planning and Execution of the Operational Activities Required to Ensure the Conduct of the Company Activities in Compliance with the Company Procedures and the Relevant Legislation

21. Ensuring Data Accuracy and Up-To-Dateness

Processes and Operations Touching Upon Customers 1. Following-up of Credit Repayment Transactions

2. After Sales Support Services

3. Planning and Execution of the Sales Processes of Products and Services

4. Following-up of Contract Processes and Legal Claims

5. Planning and Execution of Customer Relationship Management Processes

Financial Operations 1. Banking Transactions

2. Making Damage Payments

3. Making Persons’ Damage Payments

4. Collection of Persons’ Insurance Policy Premiums

5. Collections Pertaining to Insurance Policies

6. Pricing of Insurance Policies

Strategy Planning & Business Partners / Supplier Management 1. Management of Relations with Business Partners and/or Suppliers

2. Planning and Execution of External Training Activities

3. Execution of Strategic Planning Activities

Marketing Operations 1. Planning and Execution of the Processes for Creating and Enhancing Loyalty to the Products and Services Offered by the Company

2. Planning and Execution of Market Research Activities for the Sales and Marketing of Products and Services

3. Planning and Execution of Marketing Processes for Products and Services

4. Planning and Execution of Customer Satisfaction Activities

 2.3. Personal Data Categories

Your personal data categorized below are processed by the Company in compliance with the personal data processing conditions specified by the Law and the relevant legislation:

PERSONAL DATA CATEGORIZATION DESCRIPTION
Identity Information All information regarding the identity of the persons, contained in the documents such as driver’s license, identity card, certificate of residence, passport, lawyer identity certificate, marriage certificate
Contact Details Details for contacting the data subjects, such as phone number, postal address, e-mail address
Customer Information Information obtained and generated about the data subjects in result of our commercial activities as well as the operations carried out by our business units within this framework
Family Members and Relatives Data Information about the family members and relatives of the personal data subject, processed in order to protect the legal interests of the Company and the data subject or related to the products and services offered by the Company
Customer Transaction Information Information such as the customers’ instructions and requests for the use of the Company’s products and services, and records regarding the use of the Company’s products and services
Physical Location Security Information Personal data in the documents and records such as camera records, fingerprint records taken while entering a physical location or while staying in a physical location
Transaction Security Information Your personal data processed in order for the Company to ensure technical, administrative, legal and commercial security while conducting its commercial activities
Financial Information Personal data processed in relation to the information, documents and records indicating any financial consequences, created depending on the type of the legal relationship established with a personal data subject by the Company
Employee Candidate Information Personal data processed in relation to the individuals who are in an employment relationship with the Company or assessed as an employee candidate in line with the Company’s needs for human resources by virtue of the rules of objective good faith or who have applied in order to be an employee of the Company
Legal Transaction and Compliance Information Personal data processed within the scope of determining and following-up of the Company’s legal receivables and rights, paying the Company’s debts and compliance with the Company’s procedures and statutory obligations
Audit and Inspection Information Personal data processed within the scope of the Company’s compliance with its statutory obligations and the Company policies
Special Categories of Personal Data Data related to individuals’ race, ethnicity, political opinions, philosophical opinions, religion, sect or other beliefs, appearance; association, foundation or trade union memberships; health, sexual life, criminal convictions and security measures, and biometric and genetic data
Marketing Information Personal data processed for the marketing of the Company’s products and services through customization in line with the usage habits, inclinations and needs of the personal data subjects, and the assessments and reports created as a result of such processing
Request/Complaint Management Information Personal data regarding the receipt and evaluation of any requests or complaints directed at the Company
Reputation Management Information Information collected for the purpose of protecting the Company’s commercial reputation, and the information in the relevant evaluation reports, and information about the actions taken in this regard
Incident Handling Information In order to protect the commercial rights and interests of the Company and the rights and interests of the Company’s customers, the personal data processed to take necessary legal, technical and administrative measures against incidents that develop

3.PERSONAL DATA PROCESSING PRINCIPLES AND CONDITIONS

3.1. Personal Data Processing Principles

The Company processes your personal data in compliance with the personal data processing principles specified by article 4 of the Law. With regard to each personal data processing activity, it is mandatory to comply with these principles:

Processing of personal data lawfully and in compliance with the rules of objective good faith: In the processing of your personal data, the Company acts in compliance with the laws, the secondary legislation and the general principles of law and attaches importance to the processing of personal data limited to the purpose of processing, and considering the reasonable expectations of data subjects.

Accuracy and up-to-dateness: Attention is paid to ensure that your personal data processed by the Company are up-to-date and that the relevant checks are conducted. Within this context, the data subjects are granted the right to request for correction or erasure of their data which are inaccurate and not up-to-date.

Processing of personal data for certain, clear and legitimate purposes: Prior to each personal data processing activity, the Company determines the data processing purposes and pays attention to the requirement that these purposes are not unlawful.

Compliance with the principle of proportionality, and being limited to and in connection with the processing purposes:  The data processing activities carried out by the Company are limited to the personal data necessary for the achievement of the data collection purposes, and necessary steps are taken to prevent the processing of personal data not associated with these purposes.

Retention of personal data until expiration of the period prescribed by the relevant legislation or necessary for the processing purposes: After the purpose of personal data processing by the Company ceases to exist or upon expiration of the period prescribed by the legislation, the personal data are erased, destroyed or anonymized.

3.2. Personal Data Processing Conditions

The Company processes your personal data in case of existence of at least one of the personal data processing conditions specified by article 5 of the Law. Explanations regarding these conditions are as follows:

In case the personal data subject grants his/her explicit consent: In the absence of the other data processing conditions, the Company may process a data subject’s personal data in compliance with the general principles specified under the heading 3.1, but in case the data subject grants his/her consent with his/her free will, by having sufficient information about the personal data processing activity, in such a degree that leaves no room for doubt and limited to that processing only.

In case the personal data processing activities are expressly permitted by the laws: If these processing activities are expressly permitted by the laws, the Company may process such personal data in the absence of the data subject’s explicit consent. In this case, the Company shall process the personal data within the framework of the relevant legal arrangements.

In case it is not possible to obtain the data subject’s explicit consent and it is mandatory to process personal data:  The personal data, which belong to a data subject who is incapable of giving his/her explicit consent or whose consent is not deemed legally valid, will be processed by the Company in case it is mandatory to process the personal data in order to protect the life or physical integrity of the data subject or a third party.

In case the personal data processing activity is directly related to the conclusion or performance of a contract:  The personal data processing activity will be performed, if it is necessary to process the personal data pertaining to the parties of a contract already signed, or concluded between the data subject and the Company.

In case it is mandatory to carry out a personal data processing activity in order for the data controller to fulfill its legal obligations: The Company processes the personal data in order to fulfill its legal obligations prescribed under the applicable legislation.

In case the data subject has made his/her data public: The personal data, which have been disclosed to the public in any way by the data subject or have become knowable by everyone in consequence of making them public, may be processed by the Company, limited to the purpose of making public, even if the data subjects do not grant their explicit consents.

In case it is mandatory to process personal data for establishment, exercise or protection of a right: The Company may process the data subjects’ personal data within the scope of this necessity, without obtaining the data subjects’ explicit consents.

In case it is mandatory to process data for the data controller’s legitimate interests, provided that the fundamental rights and freedoms of the data subject are not harmed:  The personal data may be processed by the Company on the condition that the balance of interests of the Company and the data subject is observed. Within this scope, in the processing of data on the basis of legitimate interest, the Company shall primarily determine the legitimate interest which the Company will obtain in result of the processing activity. The Company shall assess the possible impact of the personal data processing on the rights and freedoms of the data subject. The Company will carry out the processing activity, if the Company is of the opinion that the balance is not disturbed.

3.3. Conditions for Processing of Special Categories of Personal Data

Article 6 of the Law specifies special categories of personal data on a numerus clausus basis: The data related to individuals’ race, ethnicity, political opinions, philosophical opinions, religion, sect or other beliefs, appearance; association, foundation or trade union memberships; health, sexual life, criminal convictions and security measures, and biometric and genetic data, are special categories of personal data.

The Company may process special categories of personal data in the following circumstances, by ensuring that the additional measures determined by the Personal Data Protection Board are taken:

Processing of special categories of personal data other than health and sexual life: They may be processed in case the data subject grants the relevant explicit consent or in the cases expressly allowed by the laws.

The personal data related to health and sexual life may, without the requirement of the data subject’s explicit consent, be processed by competent institutions and organizations or persons who are under the confidentiality obligation, only for the purposes of protecting the public health, conducting preventive medicine, medical diagnosis, treatment and nursing services and for the planning and management of healthcare services and their financing.

  1. TRANSFER OF PERSONAL DATA

In compliance with the provisions contained in articles 8 and 9 of the Law and the additional legal arrangements determined by the Personal Data Protection Board, the Company may transfer personal data in the Country or abroad, in case the conditions for transfer of personal data have taken place.

Transfer of personal data to third parties in the Country: Your personal data may be transferred by the Company in the existence of at least one of the data processing conditions specified by articles 5 and 6 of the Law and explained under the heading 3 of this Policy and on the condition that the fundamental principles of data processing are observed.

Transfer of personal data to third parties abroad:  In the absence of the data subject’s explicit consent, his/her personal data may be transferred by the Company in the existence of at least one of the data processing conditions specified by articles 5 and 6 of the Law and explained under the heading 3 of this Policy and on the condition that the fundamental principles of data processing are observed.

In case the country to which the data will be transferred is not among the safe countries that will be declared by the Personal Data Protection Board, the personal data may be transferred to such third parties abroad, upon the Company and the data controller in the relevant country make the written commitment for the provision of adequate protection, in case the Personal Data Protection Board grants permission for this transaction and in the existence of at least one of the data processing conditions specified by articles 5 and 6 of the Law (see the heading 3 of the Policy).

Within the general principles of the Law and articles 8 and 9 of the Law specifying the data processing conditions, the Company may carry out data transfers to the categorized parties in the following table:

SHARED PARTY CATEGORIZATION SCOPE TRANSFER PURPOSE
Business Partner The parties with which the Company establishes a business partnership while conducting its commercial activities Transfer of data, limited to the purpose of ensuring the fulfillment of the establishment objectives of the business partnership
Supplier The parties that provide services for the Company to continue its commercial activities based on the contract they conclude with the Company and in line with the instructions they receive from the Company Transfer of data, limited to the procurement of outsourced services from the Supplier
Affiliate Companies that are the affiliates of the Company Transfer of data, limited to the purpose of conducting the commercial activities requiring participation of the affiliates
Legally Authorized Public Institution Public institutions and organizations that are legally authorized to receive information and documents from the Company Transfer of data, limited to the purpose of information requests by the relevant public institutions and organizations
Legally Authorized Private Entity Private law persons that are legally authorized to receive information and documents from the Company Transfer of data, limited to the purpose of request by the relevant private law persons within their legal authority

 

  1. PROVISION OF INFORMATION TO DATA SUBJECTS, AND RIGHTS OF DATA SUBJECTS

In accordance with article 10 of the Law, it is necessary to inform data subjects about the processing of their personal data, prior to the processing of their personal data, or at the time of processing their personal data at the latest. By virtue of the relevant article, the necessary structure has been established within the body of the Company in order to ensure that the data subjects are informed in every situation where a personal data processing activity is carried out by the Company in its capacity as data controller. Within this context:

  • For the purposes pertaining to the processing of your personal data, please review the section 2.2 of the Policy.
  • For the parties to whom your personal data are transferred, and for the purposes pertaining to the transfer, please review the section 4 of the Policy.
  • To review the conditions for the processing of your personal data collectable through different channels in physical or electronic environments, please see the sections 3.2 and 3.3 of the Policy.
  • We would like to state that you, as a data subject, have the following rights as per article 11 of the Law:
  • To learn whether or not your personal data are processed;
  • To request for relevant information, if your personal data have been processed;
  • To learn the purposes of processing your personal data and whether or not those data are used in compliance with the purposes;
  • To know the third parties in the Country or abroad, to whom your personal data are transferred;
  • To request for rectification in case your personal data have been processed incompletely or inaccurately, and to request that the operation carried out within this context be notified to the third parties to whom your personal data are transferred;
  • In case the causes requiring the processing cease to exist, although your personal data have been processed in compliance with the provisions of the Law and the other relevant legislation, to request for erasure or destruction of your personal data and to request that the operation carried out within this context be notified to the third parties to whom your personal data are transferred;
  • To object to occurrence of any results that are to your detriment through analysis of your processed data exclusively by automated systems;
  • To request for compensation of the damages in case you incur damages due to the unlawfully processing of your personal data.

You can transmit your applications for your above-listed rights to our e-mail address info@turmobil.com.  Your applications shall be concluded free of charge as soon as possible or within thirty (30) days at the latest, depending on the characteristics of your request. However, in case the relevant transaction additionally requires a cost, the Company may request you to pay the fee as per the tariff to be determined by the Personal Data Protection Board.

While evaluating the applications, the Company primarily determines whether or not the person who submits the request is the actual right holder. However, where deemed necessary by the Company, the Company may request for detailed and additional information in order to better understand the request.

Replies to the data subjects’ applications are communicated to the data subjects in writing or in electronic environment by the Company. In case the application is rejected, the data subject shall be informed about the grounds of the rejection, along with the justifications.

In case the personal data are not obtained directly from the data subject, the activities for informing the data subject shall be carried out by the Company (1) within a reasonable period from the acquisition of the personal data, (2) at the time of the first communication, if the personal data will be used for communication with the data subject, (3) at the latest when transferring the personal data for the first time, if the personal data will be transferred.

6.DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

As per article 7 of the Law, in case the causes requiring the processing of personal data cease to exist although they have been processed lawfully, the Company shall erase, destroy or anonymize those personal data on its own motion or upon the data subject’s request, in compliance with the guidelines published by the Personal Data Protection Authority.

7.RESTRICTIONS ON THE SCOPE AND IMPLEMENTATION OF THE LAW

The following cases are excluded from the scope of the Law:

  • In case personal data are processed by real persons in the context of the activities merely related to those real persons or related to their family members staying at the same house, provided that the data are not transferred to third parties and that the data security-related obligations are complied with.
  • In case personal data are processed for the purposes of official statistics and for the purposes such as research, planning and statistics through anonymization.
  • In case personal data are processed for the purposes of art, history, literature or science or in the context of the freedom of expression, provided that the data do not violate the national defense, the national security, the public safety, the public order, the economic security, the privacy of private life or personal rights or that they do not constitute an offense.
  • In case personal data are processed in the context of preventive, protective and intelligence-related activities carried out by public institutions and organizations to which the laws make the assignment and grant the authorization for ensuring the national defense, the national security, the public safety, the public order or the economic security.
  • In case personal data are processed by judicial or execution authorities in relation to investigation, prosecution, judicial or execution proceedings.

In the below-listed cases, it is not necessary for the Company to inform the data subjects, and the data subjects will not be allowed to exercise their rights specified by the Law, with the exception of their right to request for compensation of the damages:

  • In case personal data processing is necessary to prevent commission of an offense or necessary for a criminal investigation.
  • In the case of processing of personal data made public by the relevant person.
  • In case personal data processing is necessary for the assigned and competent public institutions and organizations and public professional organizations to carry out supervision or regulatory duties or to conduct disciplinary investigations and prosecutions, by virtue of the authorization granted by the laws.
  • In case personal data processing is necessary for the protection of the State’s economic and financial interests related to budgetary, taxation and financial matters.

APPENDIX-1 DEFINITIONS

TERM DEFINITION
Explicit Consent Consent which is related to a specific matter, based on information and expressed with free will.
Anonymization To render personal data in such a way that it can no longer be associated with an identified or identifiable real person, even by matching the personal data with other data.
Employee Real persons who are the Company employees.
Employee Candidate Real persons who are not employees of the Company, however, are in the status of the Company employee candidate through various methods.
Personal Health Data All kinds of health data related to an identified or identifiable real person.
Personal Data All kinds of information related to an identified or identifiable real person.
Data Subject A real person whose personal data are processed.
Personal Data Processing All kinds of transactions carried out on the data, such as obtaining, saving, storing, protecting, modifying, editing, describing, transferring, receiving, making available, classifying or blocking the use of the data automatically, completely or in part, or non-automatically provided that they constitute a part of any data recording system.
Law The Personal Data Protection Law No. 6698 published in the Official Gazette dated 7 April 2016 and issue no. 29677.
Special Categories of Personal Data Data related to race, ethnicity, political opinions, philosophical opinions, religion, sect or other beliefs, appearance; association, foundation or trade union memberships; health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Policy The TurMobil® Turizm Rent A Car Taş. Ve Nak. San. Tic. Ltd. Sti. Personal Data Protection and Processing Policy
Company / TurMobil TurMobil® Turizm Rent A Car Taş. Ve Nak. San. Tic. Ltd. Şti.
Business Partners Parties with which the Company establishes a business partnership within the scope of contractual relationships within the framework of its commercial activities.
Relevant Person A real person whose personal data are processed.
Data Processor A real or legal person who processes personal data on behalf of a data controller, by virtue of the authority granted to that real or legal person by that data controller.
Data Controller A person who determines the processing purposes and means of personal data and manages the location where the data are kept systematically.
©️ 2020 Turmobil. Tüm hakları saklıdır. Tasarım & Uygulama: