PROCESSING AND PROTECTION OF PERSONAL DATA POLICY
We have prepared this Personal Data Processing and Protection Policy (“Policy”) to explain how we, as Limlapp Mobil Teknoloji Anonim Şirketi (“Limlapp” or “Company”), process and protect personal data.
As Limlapp, we process personal data in accordance with the Personal Data Protection Law No. 6698 (“KVKK”) and the secondary legislation on the protection of personal data and the decisions of the Personal Data Protection Board (“Board”) (collectively referred to as the “KVK Legislation”). We act in accordance with the principles of the KVK Legislation in the processing of personal data and take all necessary technical and administrative measures to ensure the security of personal data.
1. PURPOSE AND SCOPE OF THE POLICY
This Policy covers all personal data that Limlapp processes as a data controller, including personal data of its users, employees, employee candidates, officials/representatives, real person business partners/suppliers, employees of business partners/suppliers, website visitors and workplace visitors. covers.
As Limlapp, we act in accordance with the KVK Legislation and the principles and rules contained in this Policy in all personal data processing activities.
2. OUR RESPONSIBILITIES UNDER THE POLICY
As Limlapp, we aim to comply with applicable laws, rules, regulations and accepted good practices in all personal data processing activities we carry out. For this reason, all employees and other persons involved in the processing of personal data at Limlapp are obliged to comply with this Policy and the principles and rules set by this Policy. In this framework, we take the necessary measures to ensure that our employees and third parties, who are data processors, who take part in the processing of personal data about us, act in accordance with this Policy.
3. DEFINITIONS INCLUDED IN THE POLICY
We have listed the definitions and their explanations in the policy below:
Recipient Group: The natural or legal person category to which personal data is transferred by Limlapp
Explicit Consent: Consent about a specific subject, based on information and expressed with free will
Employee: Limlapp employee
Electronic Recording Media: Recording environments where personal data can be created, read, changed and written with electronic devices
Non-Electronic Recording Media: All written, printed, visual, etc. other than electronic media. recording media
Service Provider: Natural or legal persons providing services within the framework of a certain contract with Limlapp
Relevant Person: The natural person whose personal data is processed
Relevant User: Persons who process personal data within the Limlapp organization or in line with the authorization and instruction received from Limlapp, excluding the person or unit responsible for technical storage, protection and backup of personal data
Destruction: Deletion, destruction or anonymization of personal data
Recording Environment: Any environment in which personal data is fully or partially automated or processed by non-automatic means provided that it is part of any data recording system
Personal Data: Any information relating to an identified or identifiable natural person
Personal Data Processing Inventory; Inventory: Personal data processing activities carried out by Limlapp in connection with its business processes; The inventory, which is created by associating the personal data with the processing purposes, data category, the transferred recipient group and the data subject group, by explaining the maximum period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.
Personal Data Retention and Destruction Policy: The policy on which Limlapp bases for the process of determining the maximum period required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.
Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system all kinds of operations performed on the data, such as preventing its use or use.
User or Customer: The person who is a member of the Limlapp application and/or benefits from the Limlapp services
Institution: Personal Data Protection Authority
Sensitive Personal Data: Personal data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data and genetic data
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria
Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by Limlapp
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system; Within the framework of this Policy, Limlapp
For the definitions not included in this Policy, the definitions in the KVK Legislation are valid.
4. OUR LEGAL OBLIGATIONS REGARDING THE PROCESSING OF PERSONAL DATA
As the data controller, we have explained our legal obligations arising from the KVK Legislation in this section of the Policy.
4.1. Lighting Obligation
As Limlapp, we fulfill the obligation of disclosure in accordance with the Communiqué on the Procedures and Principles to be Complied with the Fulfillment of the Obligation of Illumination in the processes where we obtain and process personal data, specific to the relevant processes and at the latest when the personal data is obtained. In this context, we take care to inform the relevant persons on the following issues:
• For what purpose the personal data of the persons concerned will be processed
• Company information (trade name, address, communication channels), if any, information on the identity of the Company representative(s)
• To whom and for what purpose the processed personal data can be transferred
• Method and legal reason for obtaining personal data
• Rights of the relevant persons arising from KVKK
As Limlapp, we take all necessary technical and administrative measures in our personal data processing processes, in order to ensure the confidentiality and security of personal data, and to prevent personal data from being accessed or accessed by unauthorized third parties. We have detailed the technical and administrative measures we have taken regarding these obligations in section 10 of this Policy. We act in accordance with the KVK Legislation regarding the deletion, destruction or anonymization of personal data. We have included our processes regarding the destruction of personal data in the 9th section of the Policy.
4.3. Obligation to Respond to Related Person Applications
As Limlapp, we carry out our processes of resolving all requests and applications of the related persons as soon as possible and responding to the relevant person within the framework of the Limlapp Related Person Application Management Procedure. If the persons concerned apply with one of the methods described in Article 11 of this Policy, we finalize the requests of the persons concerned free of charge within thirty (30) days at the latest, by explaining the reasons for acceptance and rejection of the application, together with their reasons, in accordance with the relevant article of the KVKK.
4.4. Obligation to Register in the Data Controllers Registry Information System
We fulfill our company's obligation to register with the Data Controllers Registry Information System ("VERBIS") in accordance with Article 16 of the KVKK and the Regulation on the Data Controllers Registry. Within the scope of our company's data processing activities, we keep the VERBIS record up-to-date and present the details of our data processing activities to the public.
4.5. Obligation to Fulfill the Decisions of the Personal Data Protection Board
As Limlapp, we show maximum sensitivity to comply with the Board decisions, which are an important and integral part of the KVK Legislation. We use all means to implement all technical and administrative measures foreseen by the Board for the protection of personal data by closely following all the decisions of the Board, especially the policy decisions that are binding for all data controllers published on the website of the Agency.
5. PROCESSING PERSONAL DATA
5.1. Personal Data Processing Processes
We process the personal data of the relevant persons that we collect within the framework of our operations, based on the legal reasons explained in the continuation of this Policy. We have included examples of our personal data processing processes in the tables below.
5.2. Personal Data Processing Principles
As Limlapp, we comply with the following data processing principles when processing the personal data we obtain as a data controller:
• Compliance with the law and the rules of honesty: All data processing activities are carried out transparently in accordance with the legislation and goodwill principles.
• Being accurate and up-to-date when necessary: Channels to ensure that personal data are correct and up-to-date are always kept open, and effective application methods are offered to relevant persons to correct inaccuracies and deficiencies in their processed personal data.
• Processing for specific, clear and legitimate purposes: The purposes for which personal data will be processed are determined in accordance with the legislation and the ordinary course of life, and these purposes are submitted to the information of the relevant persons in a transparent and understandable manner.
• Being connected, limited and measured with the purposes of processing: Personal data that is not relevant or needed for the purpose of processing personal data is not processed, and personal data processing activities are not carried out to meet possible needs. If the need to use the obtained data for other purposes arises, a new data processing process comes to the fore; the said process is carried out within the scope of the processing conditions stipulated in the KVKK as if the data processing is started for the first time.
• Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: If there is a period stipulated in the legislation for the storage of personal data, this period shall be complied with; If such a period is not stipulated in the legislation, personal data is stored only for the period required for processing purposes.
5.3. Processing of Personal Data
As Limlapp, we process the personal data we obtain as the data controller if there is one of the legal compliance reasons specified in the 2nd paragraph of Article 5 of the KVKK, in the absence of these reasons, we apply for the express consent of the relevant persons in accordance with the 1st paragraph of the 5th article of the KVKK. The legal compliance reasons we rely on when processing personal data are explained below:
• The processing of personal data is clearly stipulated in the law
• Processing of personal data in order to protect the life and bodily integrity of the person or another person who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid.
• Personal data processing is necessary for the establishment or performance of a contract between Limlapp and related persons.
• Processing of personal data in order to fulfill our legal obligations
• The personal data has been made public by the person concerned.
• Processing of personal data for the establishment, exercise or protection of a right
• The processing of personal data is necessary for our legitimate interests.
In cases where at least one of the reasons for compliance with the law explained above is not available for the processing of personal data, we act in accordance with the express consent of the person concerned for the processing of personal data.
Explicit consent is defined in the KVKK as “consent related to a certain subject, based on information and expressed with free will”. As Limlapp, we consider the following three factors when asking for the explicit consent of the persons concerned:
• Being related to a specific subject: The explicit consent of the relevant persons is asked for specific data processing activities/activities and the consent texts are ensured to be comprehensible.
• Being based on information: Consent texts and clarification texts are presented together/on the same channel, it is ensured that the data subject understands the results of the data processing activity. In this context, firstly, the relevant persons are informed, and then they are asked whether they have express consent.
• Being disclosed with free will: While asking for the explicit consent of the persons concerned, misleading statements that would injure their will are avoided; Alternatives/right of refusal are given to the persons concerned who do not want to give express consent.
5.4. Processing of Private Personal Data
As Limlapp, we process special quality personal data by taking the administrative and technical measures stipulated in the KVK Legislation, especially the Decision of the Board dated 31.01.2018 and numbered 2018/10. We have included the rules and principles in the Limlapp Personal Data Processing Policy, which we have prepared in this direction, and we act in accordance with them.
5.5. Use of Cookies and Cooking Technologies
We process a number of personal data by using various cookies in order to increase the experience of the persons visiting the Limlapp website (www.limosago.com) on the website and to ensure that the website works in the best possible way. By using cookies, we aim to provide the best experience to our website visitors and users. Regarding the personal data we process through the said cookies, we enable the relevant persons to manage their preferences regarding cookies by making the necessary clarifications at the time of first login to the Limlapp website. You can find detailed information about cookies and personal data we process through cookies in our Cookie Policy.
5.6. Notifications Sent from Limlapp Application
As Limlapp, in accordance with the purpose and legal reasons explained in the Passenger Personal Data Disclosure Text, we can send instant notifications through the application to our users who give their explicit consent, and communicate via telephone and e-mail. Our users can manage their communication preferences for instant notifications sent by Limlapp from the "My Account Settings" page in the "My Account" tab of the Limlapp mobile application.
5.7. Updating Personal Data
Within the scope of our obligation to keep the personal data arising from the KVK Legislation complete, accurate and up-to-date, we provide mechanisms that will allow the relevant persons to change and correct their personal data. For example, our users always have the opportunity to update their personal data, except for their phone number, through the "My Profile Information" page in the "My Account" tab of the Limlapp application.
As Limlapp, we confirm the phone number by sending an SMS OTP (one-time password) to the phone numbers of the relevant people in order to ensure the security of the personal data of the relevant people during the membership and login stages. Accordingly, it is not possible to change the phone numbers registered to Limlapp accounts in accordance with our measures within the scope of privacy and security of personal data.
6. TRANSFER OF PERSONAL DATA
As Limlapp, we work with infrastructure and information service providers in Turkey and abroad in order to provide the services we provide. In this context, the personal data of the persons concerned, in the presence of any of the reasons for compliance with the law in Article 8 of the KVKK titled transfer of personal data and Article 9 titled transfer of personal data abroad, and if not, in accordance with the express consent of the persons concerned for the transfer, in the country and abroad. transfer it to third parties.
7. STORAGE OF PERSONAL DATA
As Limlapp, we keep the personal data we process for as long as required by the purpose of processing personal data and within the scope of Limlapp Personal Data Retention and Destruction Policy, without prejudice to the storage periods stipulated in the legislation.
In this direction, within the scope of processes that require personal data processing, it determines a storage period for the data processed by the unit performing the activity; In the event that personal data is processed for more than one purpose, we destroy (delete, destroy or keep anonymized) the data if all the purposes for processing the personal data disappear or there is no legal obstacle to the deletion of the data upon the request of the person concerned. We act in accordance with the KVK Legislation in terms of deletion, destruction or anonymization.
8. DISPOSAL OF PERSONAL DATA
We destroy personal data at the request of the person concerned or ex officio, provided that the period stipulated in the relevant legislation or required for the purpose for which it is processed has expired. We carry out such destruction (deletion, destruction and anonymization) operations within the scope of Limlapp Personal Data Retention and Disposal Policy, without prejudice to the provisions of the relevant legislation.
Unless otherwise specified by the Board, it chooses the appropriate method of deleting, destroying or anonymizing personal data; If the person concerned has a request for the destruction of his personal data, after determining the appropriate method for the destruction of personal data, we explain this situation to the person concerned with the justification.
9. SECURITY OF PERSONAL DATA
As Limlapp, we take the necessary technical and administrative measures to ensure the protection of personal data. For example, we use intrusion detection and prevention software and data loss prevention software to detect and prevent possible cyber attacks, and we define and limit our employees' access to personal data. In this section, we have detailed the measures we have taken to ensure the confidentiality and security of personal data.
9.1. Administrative Measures
The administrative measures taken by Limlapp for the protection of personal data are given below:
• Institutional policies on access, information security, use, storage and destruction regarding the processing and protection of personal data have been prepared and implemented.
• Personal data security policies and procedures have been determined.
• Existing risks and threats regarding personal data have been determined.
• Access to personal data of employees who have a change of job or quit their job is revoked.
• Signed contracts contain data security provisions.
• There are disciplinary regulations regarding data security for employees.
• Personal data processing inventory has been prepared.
• Employees are provided with training on data security-related issues such as not unlawful disclosure and sharing of personal data, and awareness raising activities for employees.
• Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
• Necessary security measures are taken regarding entry and exit to non-electronic media containing personal data.
• The security of non-electronic media containing personal data against external risks (fire, flood, etc.) is ensured.
• The security of environments containing personal data is ensured.
• Confidentiality commitments are made to ensure the confidentiality of personal data.
• Data transfer agreements are signed with data controllers and processors to whom personal data is transferred, and awareness of data processors is ensured.
• In the event that personal data is obtained by third parties unlawfully, the procedures to be applied are determined to notify the relevant persons and the Board.
• Policies and procedures for the security of sensitive personal data are determined and implemented.
• Awareness of service providers processing personal data on data security is ensured.
In-house periodic and/or random audits are conducted and made.
9.2. Technical Measures
The technical measures taken by Limlapp for the protection of personal data are given below:
• Network security and application security are provided.
• Closed system network is used for personal data transfers via network.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• The security of personal data stored in the cloud is ensured.
• An authorization matrix has been created for the employees.
• Personal data is backed up and the security of the backed up personal data is ensured.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• User account management and authorization control system is implemented and these are also followed.
• Access logs are kept regularly.
• Log records are kept without user intervention.
• Secure encryption/cryptographic keys are used for sensitive personal data and are managed by different units.
• Encryption method is used.
• Data masking is applied when necessary.
• Penetration test is applied.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Intrusion detection and prevention systems are used.
• Current anti-virus systems are used.
• Data loss prevention software is used.
9.3. Employee Responsibilities
Employees who process data in data processing activities carried out within the scope of Limlapp's activities are obliged to pay attention to the following matters, within the scope of the procedures and principles mentioned in this Policy, in such personal data processing processes:
• All employees who have access to personal data must act in accordance with the procedures and principles set forth in this Policy and other relevant policies and procedures regarding the protection of personal data.
• Employees must perform data processing activities in accordance with the principles of protection of personal data specified in the KVKK.
• While the employees obtain the personal data of the person concerned;
◦ For what purpose personal data will be processed
◦ Information on the identity of the data controller and its representative, if any
◦ To whom and for what purpose the processed personal data can be transferred
◦ Method and legal reason for obtaining personal data
◦ Rights of the relevant persons arising from KVKK should make sure that the relevant person is informed about the issues.
• Employees should ensure that their explicit consent is obtained before processing personal data of the data subject, unless one of the cases where personal data is processed without the need for explicit consent.
• Employees must ensure that all technical and administrative security measures are taken to prevent the unlawful processing of personal data.
• Employees must ensure that data transfer is carried out in accordance with the purpose of transfer and not exceeding the purpose of transfer.
• Employees must ensure that personal data is not accessed by unauthorized persons during data transfer.
• Employees should not access or copy personal data except as required by their authorization, role definitions and performance of their duties.
• Employees should not transfer personal data to unauthorized third parties inside or outside of Getir and should ensure that personal data is not accessed by unauthorized third parties.
• Employees must be involved in data processing within the scope of the purposes necessitating data processing and without exceeding their limits.
• If employees become aware of a personal data breach, they must immediately notify authorized persons within the Company.
10. RELATED PERSON RIGHTS
Article 11 of the KVKK regulates the rights of the persons concerned regarding their personal data. These rights are as follows:
1. Learning whether Limlapp processes your personal data
2. If Limlapp processes personal data, requesting information on data processing
3. To learn the purposes of processing personal data of Limlapp and whether it uses personal data in accordance with its purpose
4. Learning whether personal data is transferred to third parties; If it is transferred, to learn the third parties to which it is transferred, in the country or abroad.
5. To request correction of personal data in case of incomplete or incorrect processing and to notify third parties, if any, of the transaction carried out in this context.
6. Requesting the deletion or destruction of personal data in the event that the reasons requiring the processing of personal data processed in accordance with the KVKK and relevant legislation disappear, and requesting that the third parties, if any, be notified of the transaction carried out within this scope
7. Objecting to situations where a result against the person concerned arises by analyzing the processed personal data exclusively through automated systems.
8. In case the person concerned suffers damage due to unlawful processing of personal data, requesting the compensation of the damage
11. UPDATING THE POLICY
This Policy is reviewed by Limlapp as needed and updated when necessary.
Apart from this, if changes are made in the KVK Legislation, the changes in the relevant legislation will be implemented immediately, even if the Policy has not been updated.