1. PURPOSE

As EFE PC BİLİŞİM VE YAZILIM SERVICE LTD. ŞTİ. (CCTV Burada), our priority is to ensure that the personal data of real persons, including our members, customers, visitors, suppliers, and employees, are processed in accordance with the Constitution of the Republic of Turkey, the international human rights agreements to which our country is a party, and the Personal Data Protection Law No. 6698 (“KVKK”), and that the data subjects whose data is processed are able to effectively exercise their rights.

For this reason, we process, store and transfer all personal data regarding our employees, suppliers, customers, visitors, members, stores, users of our website and mobile applications, in short, all the personal data we obtain during our activities, including but not limited to those listed above, in accordance with the EFE PC BİLİŞİM VE YAZILIM HİZ. LTD. ŞTİ. Personal Data Protection and Processing Policy (“Policy”).

Protecting personal data and safeguarding the fundamental rights and freedoms of individuals whose personal data is collected is a fundamental principle of our personal data processing policy. Therefore, in all our activities involving personal data processing, we uphold the protection of privacy, confidentiality of personal information, privacy of communication, freedom of thought and belief, and the right to effective legal remedies.

For the purpose of protecting personal data, we take all administrative and technical protection measures required by the nature of the relevant data in accordance with legislation and current technology.

This Policy explains the methods we follow for processing, storing, transferring and deleting or anonymizing personal data shared during our commercial, promotional-marketing or social responsibility and similar activities, within the framework of the principles referred to in the KVKK.

2. SCOPE

All personal data processed by the Company, including our visitors, business contacts, business partners, employees, suppliers, members, and third parties, are within the scope of this Policy.
Our policy is implemented in all activities related to the processing of personal data owned or managed by the Company, and has been prepared in accordance with the KVKK and other relevant legislation on personal data, as well as international standards in this field.

3. DEFINITIONS AND ABBREVIATIONS

In this section, special terms and expressions, concepts, abbreviations, etc. used in the Policy are briefly explained.

cctvburada.com: EFE PC INFORMATION AND SOFTWARE SERVICE LTD. CO.
Explicit Consent: Consent given on a specific subject, based on information and free will, with clarity that leaves no room for hesitation, and limited only to that transaction.
Anonymization: It is the process of making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data.
Worker: Company Personnel.
Personal Data Owner (Relevant Person): The natural person whose personal data is processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Personal Data: Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect, or other beliefs, health information, fingerprints, appearance and dress, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Personal Data Protection Board: Personal Data Protection Board.
Personal Data Protection Authority: Personal Data Protection Authority.
KVKK: Personal Data Protection Law published in the Official Gazette dated April 7, 2016 and numbered 29677.
Policy: EFE PC INFORMATION AND SOFTWARE SERVICE LTD. Personal Data Protection and Processing Policy.

4. ROLES AND RESPONSIBILITIES

4.1. Board of Directors

The Board of Directors is responsible for overseeing the determination and operation of notification, investigation and sanction mechanisms in case of non-compliance with the Policy, rules and regulations.

The Personal Data Protection and Processing Policy has been approved by the Board of Directors.

It is the authorized approval mechanism for ensuring that the policy is created, implemented and updated when necessary.

4.2 Control Unit

The Audit Unit is responsible for taking the necessary measures to ensure compliance with the Policy by the companies from which external services are received, together with the employees working there, and for examining matters that are contrary to the Policy.

4.3 Information Systems Commission

The Information Systems Commission is responsible for the preparation, development, implementation, and updating of this Policy. It will evaluate this Policy for currentness and development needs as necessary.

The Information Systems Commission Manager is responsible for publishing the prepared document on the institution's portal.

5. LEGAL OBLIGATIONS

As a data controller, your legal obligations regarding the protection and processing of personal data in accordance with the KVKK are listed below:

5.1. Our obligation to inform

While collecting personal data as the data controller;

  • The purposes for which your personal data will be processed
  • Information regarding our identity and the identity of our representative, if any
  • To whom and for what purpose your processed personal data may be transferred
  • Our method of collecting data and its legal basis
  • We have the obligation to inform the Data Subject about the rights arising from the law.
  • As a company, we take care to ensure that this Policy, which is open to the public, is clear, understandable and easily accessible.

5.2. Our obligation to ensure data security

As the data controller, we take administrative and technical measures stipulated in the legislation to ensure the security of personal data in our possession.

Obligations and measures taken regarding data security are detailed in sections 9 and 10 of this Policy.

6. CLASSIFICATION OF PERSONAL DATA

6.1. Personal data

Personal data is any information relating to an identified or identifiable natural person.
Personal data protection applies only to natural persons. Information belonging to legal entities that does not contain information about a natural person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.

6.2. Special personal data

Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data are special personal data.

7. PROCESSING OF PERSONAL DATA

7.1. Our principles for processing personal data

We process personal data in accordance with the principles set out below.

7.1.1. Processing in accordance with law and principles of integrity

We process personal data in accordance with the rules of integrity, transparency and within the framework of our obligation to inform.

7.1.2. Ensuring that personal data is accurate and up-to-date when necessary

We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also provide Personal Data Owners with the opportunity to contact us to update their existing data and correct any errors in their processed data.

7.1.3. Processing for specified, explicit and legitimate purposes

As a company, we process personal data for our legitimate purposes, the scope and content of which are clearly defined, to carry out our activities within the framework of legislation and the ordinary course of business life.

7.1.4. Personal data must be relevant, limited and proportionate to the purpose for which they are processed.

We process personal data in a limited and proportionate manner, in connection with the purpose we have clearly and precisely determined.
We avoid processing personal data that is not relevant or does not need to be processed. Therefore, we do not process special personal data unless legally required to do so, or when we do, we obtain explicit consent.

7.1.5. Storage of personal data for the duration prescribed by legal regulations and for our legitimate commercial interests.

Many regulations in the legislation require personal data to be stored for a certain period of time. Therefore, we retain the personal data we process for the period stipulated in the relevant legislation or as long as necessary to meet the purposes for which the personal data is processed.

We delete, destroy, or anonymize personal data when the retention period stipulated in the legislation expires or when the processing purpose ceases. Our principles and procedures regarding retention periods are detailed in Article 9.1 of this Policy.

7.2. Our purposes for processing personal data

We process personal data for the purposes listed below:

  • To conduct our commercial activities
  • Providing support services within the scope of the contract and service standards
    To determine the preferences and needs of our members/visitors and to shape and update the services we provide within this scope.
  • To ensure the fulfillment of our legal obligations as required or mandated by legal regulations.
  • Evaluating job applications
  • To contact people who have business relations with the company
  • Marketing
  • To support the training, development and career processes of our employees
  • Compliance management
  • Vendor/supplier management
  • Making legal reports
  • Billing
  • To run the EFE PC INFORMATION AND SOFTWARE SERVICE LTD. and cctvburada.com membership system.
  • CCTV is used to ensure communication between job candidates and employers.
  • Managing call center processes
  • Ensuring corporate communication
  • To personalize all CCTV Burada campaigns and make campaign and promotion suggestions based on your interests.
  • Providing communication between the company and the transportation or technical service after the product purchase, specifically for CCTV Burada
  • Sending newsletters, conducting marketing activities or making notifications via SMS or e-mail.

7.3. Processing of special personal data

Special personal data is processed by us by taking the administrative and technical measures prescribed by law and the Personal Data Protection Board, and if there is explicit consent, or in cases where it is mandatory under the legislation.

Since special personal data related to health and sexual life can be processed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, we do not process them except for the data of our employees.

Such data belonging to our employees may be processed by the persons specified in the law.

7.4. Processing of personal data collected through cookies

We use cookies to improve the functionality and usability of our websites and mobile applications, and to make the time you spend on our digital platforms more productive and enjoyable. Additionally, we use some cookies to remember your preferences on our websites and mobile applications, providing you with an enhanced and personalized experience.

We may collect your personal data through cookies on our digital platforms, process, transfer and store the data we collect.

You can find detailed information about the cookies we use in our “CCTV Burada Privacy Policy”.

7.5. Processing of personal data for recruitment and employment purposes

We process, store, and transfer your personal data, including your CV, diploma, photograph, and other documents, that you share with us during your application process as a prospective employee, for the purpose of evaluating your job application. The processing, transfer, and storage of the personal data you share as a prospective employee are covered by this Policy.

Personal data of the Employee is collected, processed and stored within the framework of CCTV Here Human Resources, outside of this Policy.

7.6. Processing of personal data collected within the scope of other memberships provided through the cctvburada.com membership system

To become a member of digital platforms via cctvburada.com system, visitors can;

  • Name - surname
  • Email address
  • Phone number
  • Date of Birth-Turkish ID

They create membership in the system by sharing their information with us.

Deletion, destruction or anonymization of personal data within the scope of this platform is within the scope of Article 9 of this Policy.

7.7. Processing of personal data collected within the scope of the Job Application

Personal data obtained through application forms, CVs and applications made to intermediary institutions will be recorded to be used for the evaluation of the job application.

It is recommended that you review the personal data processing and privacy policies. Those who apply using the application form;

  • Identity information (name, surname, date of birth, Turkish ID number)
  • Contact information (address, e-mail address, telephone number, etc.)
  • Educational information (schools graduated from, etc.)
  • Work experiences
  • Foreign language knowledge
  • Computer knowledge
  • Certificate
  • Reference
  • Photograph
  • Health data
  • General information such as driver's license/travel ability etc.

They create a resume by sharing their information. Depending on the nature of the application, the employer may request additional photograph and health data from the member creating the resume to assess their suitability for the job in question. The requested health information is processed solely for employment purposes within the scope of relevant legislation.

Information shared by applicants in their CVs can be viewed by employers. In accordance with applicable legislation, the applicant stores their identity, education, and professional information and may transfer this data to solution partners, public institutions, and organizations upon request.

The deletion, destruction, or anonymization of personal data within the scope of this platform is covered by Article 9 of this Policy. In the event of a negative job application process, the processing and security of personal data shared with the employer are the employer's responsibility.

7.8. Processing of personal data collected within the scope of Purchasing Transactions

When a purchase is made, CUSTOMER financial information is transferred to individuals and institutions, such as banks or credit card companies, in order to process the transaction. The transferred data;

  • Credit Card Number
  • Expiration date
  • CVV2

or data related to payment purposes, such as bank account information.

During a purchase, data is collected regarding the customer's invoice and payment information (name, surname, Turkish ID number, phone number, and invoice address), copies of receipts from invoices sent and payments received from members, payment number, invoice amount, invoice number, and invoice date. This data is processed within the scope of managing the billing process, accounting, after-sales services, communication, marketing, auditing, control, and processes conducted with payment service providers. When a purchase is made, customer financial information is transferred to entities such as banks or credit card companies for the purpose of processing the transaction. Credit card information is not stored in CCTV Here databases.

During purchases, video recording is performed in stores for security purposes and to monitor cash register transactions. For distance sales made by phone, audio recordings are also taken to ensure secure sales.

The above-mentioned data is transferred and shared with third parties in accordance with Article 8 of this Policy.
Deletion, destruction or anonymization of personal data within the scope of this platform is within the scope of Article 9 of this Policy.

7.9. Exceptional cases where explicit consent is not required for the processing of personal data

We may process personal data without explicit consent in the exceptional cases listed below and arising from the law:

  • Clearly provided for in the laws
  • The processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or execution of a contract.
  • Data processing is necessary for the establishment, exercise or protection of a right
    It is necessary for us to process your data for our legitimate interests as the data controller, provided that it does not harm fundamental rights and freedoms.

Exceptional cases where special personal data may be processed without the explicit consent of the Data Subject are specified in Article 7.3 of this Policy.

8. TRANSFER OF PERSONAL DATA

8.1. Transfer of personal data within the country

As a company, we act in accordance with the decisions and regulations stipulated in the KVKK and taken by the KVK Board regarding the transfer of personal data.

Save for the exceptional cases specified in the legislation, personal data and special data will not be transferred to other natural persons or legal entities without the express consent of the Data Subject.

In exceptional cases stipulated by the KVKK and other legislation, data may be transferred to the authorized administrative or judicial institution or organization in the manner and within the limits stipulated in the legislation, even without the explicit consent of the Data Subject.

In addition, in exceptional cases stipulated by legislation;

  • In the cases described in the Policy
  • In the cases listed in the Policy regarding special categories of personal data
  • In case the measures prescribed by the Personal Data Protection Board and the relevant legislation are taken, the health and special personal data of the Data Subject may be transferred to persons or authorized institutions and organizations under the obligation of confidentiality, without seeking explicit consent, only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.

8.2. Transfer of personal data abroad

As a rule, personal data is not transferred abroad without the explicit consent of the Data Subject. However, in cases where one of the exceptional circumstances of this Policy exists, third parties located abroad may only:

  • Being in countries with sufficient protection declared by the Personal Data Protection Board
  • If the data controllers are located in countries where there is insufficient protection, they must undertake in writing to provide adequate protection and have the permission of the Personal Data Protection Board.

In such cases, personal data may be transferred abroad without explicit consent.

8.2.1. Transfer of personal data abroad for the purposes of providing our services and marketing activities

We work with service providers located abroad for purposes such as improving our website and digital platforms, conducting surveys, expanding the range of products and services based on visitor and member preferences, and measuring user experience. It is recommended that you review the relevant policies of the service providers we collaborate with regarding the processing and protection of personal data.

8.3. Institutions and organizations to which personal data is transferred

Personal data;

  • To our suppliers
  • To our business partners and business contacts
  • To technical services
  • To shipping companies
  • To cargo companies
  • Legally authorized public institutions and organizations
  • To legally authorized private law persons
  • It may be transferred to our partners in accordance with the principles and rules described above.
  • Independent audit firms


8.4. Measures we take regarding the legal transfer of personal data

8.4.1. Technical measures

To protect personal data, but not limited to the following;

  • To make internal technical organization to process and store personal data in accordance with the legislation.
  • We create the technical infrastructure to ensure the security of the databases where your personal data will be stored.
  • Monitors and audits the processes of the established technical infrastructure.
  • Determines the procedures for reporting the technical measures and audit processes we take.
  • Periodically updates and renews technical measures
  • Risky situations are re-examined and necessary technological solutions are produced.
  • We use virus protection systems, firewalls and similar software or hardware security products and establish security systems that are compatible with technological developments.
  • We employ employees who are experts in technical matters.


8.4.2. Administrative measures

To protect your personal data, but not limited to the following:

  • We create policies and procedures for accessing personal data, including company and affiliate employees within our company.
  • We inform and train our employees regarding the legal protection and processing of personal data.
  • In the contracts we make with our employees and/or the policies we create, we record the measures to be taken in cases where personal data is processed unlawfully by our company employees.
  • We audit the personal data processing activities of the data processors we work with or the partners of data processors.


9. STORAGE OF PERSONAL DATA

9.1. Personal data shall be stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

We store personal data for the period required for the purpose of processing personal data, without prejudice to the retention periods stipulated in the legislation.
In cases where we process personal data for more than one purpose, the data will be deleted, destroyed, or anonymized and stored if the processing purposes no longer exist or if there is no legal impediment to deleting the data upon the Data Subject's request. Legislative provisions and the decisions of the Personal Data Protection Board will be complied with regarding destruction, deletion, or anonymization.

9.2. Measures we take regarding the storage of personal data

9.2.1. Technical measures

  • Creating technical infrastructures and related control mechanisms for the deletion, destruction and anonymization of personal data.
  • We take the necessary precautions to ensure the safe storage of personal data.
  • Employing employees with technical expertise
  • We create business continuity and emergency plans against possible risks and develop systems for their implementation.
    We establish security systems in accordance with technological developments regarding the storage of personal data.


9.2.2. Administrative measures

  • We raise awareness by informing our employees about the technical and administrative risks associated with the storage of personal data.
  • In case of cooperation with third parties for the storage of personal data, we include provisions in the contracts made with the companies to which personal data is transferred, regarding the persons to whom personal data is transferred and the necessary security measures to be taken to protect and securely store the transferred personal data.

10. SECURITY OF PERSONAL DATA

10.1. Our obligations regarding the security of personal data

Personal data;

  • To prevent unlawful processing,
  • To prevent unlawful access,
  • To ensure that it is stored in accordance with the law,

We take administrative and technical measures according to technological possibilities and implementation costs.

10.2. Measures we take to prevent the unlawful processing of personal data

  • We carry out and have carried out the necessary audits within our company,
  • We train and inform our employees about the legal processing of personal data,
  • The activities carried out by our company are evaluated in detail for all business units, and as a result of this evaluation, personal data is processed specifically for the commercial activities carried out by the relevant units.
  • In cases where cooperation is made with third parties for the processing of personal data, the contracts made with the companies processing personal data include provisions regarding the necessary security measures to be taken by the persons processing personal data,
  • In case of unlawful disclosure of personal data or data leakage, we notify the Personal Data Protection Board and carry out the investigations and take the measures prescribed by the legislation in this regard.


10.2.1. Technical and administrative measures taken to prevent unlawful access to personal data

To prevent unlawful access to personal data;

  • Employing employees with technical expertise,
  • Periodically updates and renews technical measures,
  • We create access authorization procedures within our company,
  • We determine the procedures for reporting the technical measures and audit processes we take,
  • We create and periodically audit the data recording systems used within our company in accordance with the legislation,
  • Creating emergency aid plans against possible risks and developing systems for their implementation,
  • We train and inform our employees about access to personal data and authorization,
  • In cases where cooperation is made with third parties for the purposes of activities such as processing and storing personal data, the contracts made with the companies that provide access to personal data include provisions regarding the necessary security measures to be taken by the persons who access personal data,
  • We establish security systems within the framework of technological advancements to prevent unlawful access to personal data.


10.2.2. Measures we take in case of unlawful disclosure of personal data

We take administrative and technical measures to prevent the unlawful disclosure of personal data and update them in accordance with our relevant procedures. If we detect unauthorized disclosure of personal data, we establish systems and infrastructure to notify the relevant person and the Personal Data Protection Board.

If an unlawful disclosure occurs despite all administrative and technical measures taken, this may be announced on the KVK Board's website or by another method, if deemed necessary by the KVK Board.

11. RIGHTS OF THE PERSONAL DATA OWNER

Within the scope of our obligation to inform, we inform the Personal Data Owner and establish systems and infrastructures regarding this information.

We make the necessary technical and administrative arrangements to enable Personal Data Owners to exercise their rights regarding their personal data. Personal Data Owners have the right to exercise their personal data;

  • Learning whether personal data is being processed
  • Requesting information regarding personal data processing
  • Learning the purpose of processing personal data and whether they are used in accordance with their purpose
  • Knowing the third parties to whom personal data is transferred, whether domestically or abroad
  • Request correction of personal data if it is processed incompletely or incorrectly
  • Requesting the deletion or destruction of personal data if the reasons requiring the processing of personal data are eliminated
  • Request that the above-mentioned correction, deletion or destruction be notified to third parties to whom personal data has been transferred.
  • Objection to any adverse results arising from the analysis of processed data exclusively through automated systems.
  • To request compensation in case of damage due to unlawful processing of personal data.
    has the rights.

11.1. Exercise of rights regarding personal data

Personal Data Owner, his/her request regarding his/her personal data

  • In writing and with a wet signature, addressed to Hasanpaşa Mahallesi, Lavanta Sokak, No:24/9001, Kadıköy, İstanbul Istanbul
  • For companies, please send an efepc@hs01.kep.tr to the kep account.
  • If your e-mail address is registered in your system, it can be forwarded to the e-mail account KVKK@cctvburada.com.


In the application,

a) Name, surname and signature if the application is in writing,
b) Turkish identity number for citizens of the Republic of Türkiye, nationality, passport number or identity number, if any, for foreigners,
c) Residence or workplace address for notification,
d) If available, the e-mail address, telephone and fax number for notification,
d) Subject of the request,
It is mandatory to have.


(3) Information and documents related to the subject are attached to the application.
(4) In written applications, the date of notification is the application date.
(5) For applications made by other methods, the date the application reaches us is the application date.

Such requests will be made individually, and requests made by unauthorized third parties regarding personal data will not be taken into consideration.

11.2. Evaluation of the application

11.2.1. Application response time

Requests regarding personal data are finalized as soon as possible, depending on their nature, and in any case within 30 (thirty) days at the latest, free of charge or against a fee specified in the tariff if the conditions specified in the tariff published by the Personal Data Protection Board are met.
Additional information and documents may be requested during the application or while the application is being evaluated.

11.2.2. Our right to reject the application

Applications regarding personal data;

  • Processing of personal data for purposes such as research, marketing, planning and statistics by making them anonymous with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate the privacy of private life or personality rights or constitute a crime.
  • Processing of personal data made public by the Personal Data Owner
  • The application is not based on a justified reason,
  • The application contains a request that is contrary to the relevant legislation,
  • Failure to comply with the application procedure

In such cases, it is rejected with justification.

11.3. Application evaluation procedure

In order for the response period specified in this Policy to begin, you must send your requests using the methods specified in Article 11.1 and with information and documents proving the applicant's identity.
If the request is accepted, the relevant action will be taken, and a written or electronic notification will be provided. If the request is rejected, the reason will be explained and the applicant will be notified in writing or electronically.

11.4. Right to complain to the Personal Data Protection Board

In case the application is rejected, the response we provide is deemed insufficient or the response is not given in a timely manner, the applicant has the right to file a complaint with the Personal Data Protection Board within 30 (thirty) days from the date of learning the response and in any case within 60 (sixty) days from the date of application.

12. PUBLICATION AND STORAGE OF THE DOCUMENT

This Policy is stored in two different environments: printed paper and electronically.

13. UPDATE PERIOD

This Policy is reviewed at least once every two years and updated as needed.

14. ENFORCEMENT

This Policy is deemed to have entered into force after its publication on the Company's website.

15. REPEAL

If it is decided to be repealed, the old signed copies of this Policy will be cancelled and signed (by stamping or writing cancellation) by the Legal Department with the written approval of the Department Manager and will be kept by the Legal Department for a period of 5 years.