General Data Protection Regulation
Purpose
The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the right to privacy, in the processing of personal data and to regulate the obligations of real and legal persons who process personal data and the procedures and principles they must comply with.
Scope
The provisions of this Law shall apply to real persons whose personal data are processed and real and legal persons who process these data, either fully or partially, by automatic means or non-automatic means, provided that they are part of any data recording system.
Definitions
In the implementation of this Law;
INFORMATION TEXT FOR VISITORS ON THE PROTECTION OF PERSONAL DATA IN ACCORDANCE WITH THE PROCEDURES AND PRINCIPLES OF THE LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA (GDPR)
IDENTITY OF THE DATA CONTROLLER
As Gevge Teknoloji (hereinafter referred to as “Gevge Teknoloji”), as the data controller;
shared with institutions authorized by law to request this personal data, and will be transferred, assigned, classified to third parties in the country under the conditions stipulated by the GDPR, and in other ways listed in the GDPR We inform you that your personal data may be processed. The purpose of this Information Text is to explain to you how and for what purposes we will process your personal data. Please read this Information Text carefully.
INFORMATION TEXT ON THE PROTECTION OF PERSONAL DATA IN ACCORDANCE WITH THE PROCEDURES AND PRINCIPLES OF THE LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA ("GDPR")
IDENTITY OF THE DATA CONTROLLER
As Gevge Teknoloji (hereinafter referred to as "Gevge Teknoloji"), as the data controller;
INFORMATION TEXT FOR EMPLOYEE CANDIDATE ON THE PROTECTION OF PERSONAL DATA IN ACCORDANCE WITH THE PROCEDURES AND PRINCIPLES OF THE LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA ("GDPR")
IDENTITY OF THE DATA CONTROLLER
Gevge Teknoloji has prepared this Information Text in order to tell you which personal data we will process and for what purposes. We will process your personal data specified below under all circumstances;
PROCESSING OF PERSONAL DATA
GENERAL PRINCIPLES
The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the right to privacy, in the processing of personal data and to regulate the obligations of real and legal persons who process personal data and the procedures and principles they will comply with.
The following principles must be followed in the processing of personal data:
CONDITIONS FOR PROCESSING PERSONAL DATA
Personal data cannot be processed without the explicit consent of the relevant person.
If one of the following conditions is met, it is possible to process personal data without the explicit consent of the relevant person:
CONDITIONS FOR PROCESSING SPECIAL NATURE PERSONAL DATA
Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures of individuals, as well as biometric and genetic data, are special nature personal data.
It is prohibited to process special nature personal data without the explicit consent of the relevant person.
Personal data other than health and sexual life listed in the first paragraph may be processed without the explicit consent of the relevant person in the cases provided for by law. Personal data related to health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons under a confidentiality obligation or by authorized institutions and organizations without the explicit consent of the person concerned.
In the processing of special personal data, it is also necessary to take adequate measures determined by the Board.
ERASING, DESTROYING OR ANONYMOUSING PERSONAL DATA
Although processed in accordance with the provisions of this Law and other relevant laws, if the reasons requiring processing are eliminated, personal data shall be erased, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person.
The provisions in other laws regarding the erasure, destruction or anonymization of personal data are reserved.
The procedures and principles regarding the erasure, destruction or anonymization of personal data shall be regulated by regulation.
TRANSFER OF PERSONAL DATA
Personal data cannot be transferred without the explicit consent of the relevant person.
Personal data;
The provisions of other laws regarding the transfer of personal data are reserved.
TRANSFER OF PERSONAL DATA ABROAD
Personal data cannot be transferred abroad without the explicit consent of the relevant person.
Personal data, if one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 exist and in the foreign country to which the personal data will be transferred;
Countries with adequate protection are determined and announced by the Board.
The Board shall decide whether there is adequate protection in the foreign country and whether permission will be granted in accordance with subparagraph (b) of the second paragraph;
Personal data may be transferred abroad only with the permission of the Board after obtaining the opinion of the relevant public institution or organization, without prejudice to the provisions of international agreements, in cases where the interests of Turkey or the relevant person will be seriously harmed.
The provisions of other laws regarding the transfer of personal data abroad are reserved.
METHOD AND LEGAL REASON OF DATA COLLECTION
Gevge Teknoloji collects personal data directly from data owners verbally or physically and processes this personal data. You can access the table below regarding which personal data is collected and processed and how it is collected.
Visual Data
Security camera images
Obtained through cameras.
Other
Guest Network Log Records
Provided by you (data owner)
Gevge Teknoloji collects data for monitoring visitors' entries and exits with security cameras in order to ensure the security of the central location. In addition, if a visitor wants to receive internet service using the Gevge Teknoloji internet network, data is also collected to monitor and ensure the traceability and security of this service.
This data is collected in accordance with the law, through digital and technical channels, and by automatic or non-automatic means, and is processed within the scope of the personal data processing conditions and purposes specified in Article 5 of the GDPR.
YOUR PROCESSED PERSONAL DATA
Personal data provided to us by employees may be processed by us. Your personal data that may be processed are as follows:
Identity Data
Name, surname, date of birth, country of birth, city of birth, gender, marital status, TC identity card information (TCKN, serial number, wallet number, father's name, mother's name, place of birth, province, district, neighborhood, volume number, family sequence number, sequence number, household number, page number, registration number, place of issue, reason for issue, date of issue, previous surname), copy of identity card
Contact Data
Phone number, address information and e-mail address
Financial Data
Financial and salary details, payrolls, files and debt information regarding enforcement proceedings, bank account book, minimum living allowance information
Personal Data of Special Nature
Former convict status/criminal record, disability status/definition/percentage, health data, blood group, health reports, on-the-job health report, chest X-ray, employment entry and periodic examination forms signed by the workplace physician, pregnancy status, pregnancy report, health and maternity leave information,
Education Data
Education status, certificate and diploma information, foreign language information, education and skills, CV, courses taken
Visual and Audio Data
Photo of a real person
Employee Performance and Career Development Data
Education and skills, information on which training was received on which date, and signed participation form
Family and Relative Data
Name, surname and phone number of relatives
Work Data
Position name, department and unit, title, last employment date, employment entry and exit dates, insurance entry/retirement, social security number, tax office number, flexible working hours, travel status, number of working days, projects worked, severance pay base date, severance pay additional day,
Leave Data
Leave seniority base date, leave seniority additional day, leave group, exit/return date, day, reason for leave, address/phone number to be on leave
Other
Military postponement, height, weight, trainee status, shuttle, stop data, employee internet access logs, input and output logs, camera recordings
TERMS AND CONTIDIONS
DATA CONTROLLER'S OBLIGATION TO INFORM
During the collection of personal data, the data controller or their authorized representative is obligated to inform the data subjects about:
RIGHTS OF THE DATA SUBJECT
Everyone has the right to request the following from the data controller regarding their personal data:
OBLIGATIONS REGARDING DATA SECURITY
The data controller must:
If personal data is processed by another natural or legal person on behalf of the data controller, the data controller is jointly responsible with these parties for implementing the measures specified in the first paragraph.
The data controller is obligated to conduct or commission necessary audits to ensure compliance with the provisions of this Law within their organization.
Data controllers and data processors cannot disclose personal data they have learned to others or use it for purposes other than processing, in violation of this Law. This obligation continues even after their duties have ended.
If the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible. If necessary, the Board may announce this situation on its own website or by another method it deems appropriate.
PURPOSES OF PROCESSING YOUR PERSONAL DATA
Your personal data may be processed by the data controller or legal/natural persons it appoints in accordance with the GDPR in the following cases;
PURPOSES OF PROCESSING YOUR PERSONAL DATA
It may be shared within the framework of the conditions determined by the law.
PERSONAL DATA STORAGE PERIOD
Your Visual Data will be stored for 15 days in line with the above purposes. After the period has elapsed, your personal data will be deleted, destroyed and/or anonymized by Gevge Teknoloji or upon your request, using methods within the scope of the Personal Data Protection Law and relevant regulations.
YOUR RIGHTS
Within the scope of GDPR, you have the following rights regarding your personal data:
In order to exercise your rights specified above, you can send your written request with the necessary information to identify you and your explanations regarding the right you want to exercise to the address "Gevge Teknoloji ADRES", clearly stating that the subject is related to GDPR, with a wet signature, or by filling out the "Personal Data Application Form" published on our website, to our mailing address GEVGE-EMAIL. Applications must include your name, surname, and signature if the application is written, Turkish identity number for citizens of the Republic of Turkey, nationality for foreigners, passport number/identity number, place of residence or workplace address for notification, e-mail address for notification, telephone or fax number, if any, and the subject of the request. In the application that includes your explanations regarding the right you wish to exercise and request to exercise your rights specified above as the personal data owner; the subject you request must be clear and understandable, the subject you request must be related to you, or if you are acting on behalf of someone else, you must be specifically authorized in this matter and your authority must be documented, the application must include your identity and address information, and documents proving your identity must be attached to the application. Applications you make within this scope will be finalized as soon as possible and within 30 days at the latest. However, if the process requires an additional cost, the fee specified in the tariff determined by the Personal Data Protection Board may be charged. If the response to the application is given on a recording medium such as a CD or flash memory, the fee that Gevge Teknoloji may charge cannot exceed the cost of the recording medium.
METHOD OF DATA COLLECTION AND LEGAL REASON
As Gevge Teknoloji, in order to fulfill our legal obligations, to perform the employment contract between us, for the reasons stipulated in the laws and due to the legitimate interests of Gevge Teknoloji, we collect your personal data that we personally request from you, that we have previously requested during your job application through the job application form or other employment platforms, or that you prefer to share with us during your job application, or that are included in your CV or other texts you share regarding your application, by you sending them to us physically or electronically. In order to fulfill our legal obligations and as foreseen by the laws, we collect your health data physically and in order to ensure workplace safety through our workplace physician. We collect your personal data physically or electronically in order to fulfill our legal obligations. We collect your personal data through legal documents and notifications sent to us. Gevge Teknoloji collects your personal data through cookies used on our website, as detailed in our Cookie Policy, in accordance with its legitimate interest to develop its platform and make it more effective.
PURPOSES OF PROCESSING YOUR PERSONAL DATA
Your personal data is processed by Gevge Teknoloji for the following purposes and legal reasons. Fulfillment of the necessary purpose for the performance of the employment contract, in particular;
Labor Law, Occupational Health and Safety Law, Social Security Law and related legislation, other In order to fulfill the requirements under the laws and legislation, especially;
In order to ensure security within Gevge Teknoloji, in particular;
For the purposes of managing Gevge Teknoloji, conducting business, implementing Gevge Teknoloji policies, in particular;
Your personal data will be stored for the maximum period specified in the relevant legislation or required for the purpose for which they are processed, and in any case, for the statutory limitation periods.
SHARING OF YOUR PERSONAL DATA WITH THIRD PARTIES IN THE COUNTRY
For your security and for Gevge Teknoloji to fulfill its obligations under the law, your personal data may be
shared with public legal entities such as the Labor Law, the Labor Health and Safety Law, the Social Insurance
and General Health Insurance Law, the Law on Regulation of Publications Made on the Internet and Combating
Crimes Committed Through Such Publications, the Turkish Commercial Code, the Personal Data Protection Law No.
6698, the Identity Notification Law, and, but not limited to, the relevant institutions or organizations; the
Personal Data Protection Authority, the Ministry of Finance, the Ministry of Customs and Trade, the Ministry of
Labor and Social Security, the Turkish Employment Agency (İş-Kur), and the Information Technologies and
Communication Authority. For example; employees' personal data is shared with the Social Security Institution
for the purpose of payment of employee and employer premiums.
In addition, your personal data;
In order to fulfill the necessary purpose for the execution of the employment contract, in particular;
In order to fulfill the requirements within the scope of the Labor Law, Occupational Health and Safety Law, Social Security Law and relevant legislation, and other laws and legislation, in particular;
In order to fulfill our legal obligations, in particular;
In order to manage Gevge Technology, conduct business, and implement Gevge Technology policies, in particular;
SHARING OF YOUR PERSONAL DATA WITH THIRD PARTIES ABROAD
If you consent, your personal data can be shared with third parties abroad for communication, travel organization, and travel arrangements during travels and trainings abroad.
YOUR RIGHTS
Within the scope of GDPR, you have the following rights regarding your personal data:
In order to exercise your rights specified above, you can send your written request with the necessary information to identify you and your explanations regarding the right you want to exercise to “Gevge Teknoloji Anonim Şirketi SahrayıceditMh. Atatürk Cd. Kaptan Metin İş Merkezi No:51 Kat:3, 34734 Kadıköyistanbul” by clearly stating that the subject is related to GDPR, with a wet signature or by filling out the “Personal Data Application Form” that we have published on our website, to our GEVGE-EMAIL e-mail address. Applications must include your name, surname and signature if the application is in writing, Turkish identity number for citizens of the Republic of Turkey, nationality, passport number/identity number, place of residence or workplace address for notification, e-mail address for notification, telephone or fax number if any, and the subject of the request. In the application that you will make to exercise your rights as a personal data owner and specified above and that includes your explanations regarding the right you request to exercise; the subject you request must be clear and understandable, the subject you request must be related to you or if you are acting on behalf of someone else, you must be specifically authorized in this regard and your authority must be documented, the application must include your identity and address information and documents proving your identity must be attached to the application. The applications you will make within this scope will be finalized as soon as possible and within 30 days at the latest. However, if the process requires an additional cost, the fee determined by the Personal Data Protection Board may be charged. If the response to the application is given on a recording medium such as a CD or flash memory, the fee that may be requested by Gevge Teknoloji cannot exceed the cost of the recording medium.
METHOD AND LEGAL REASON OF DATA COLLECTION
Within the framework of the legal relationship aimed to be established between you and Gevge Teknoloji Anonim
Şirketi,
we collect your personal data that we request from you because it is necessary for the establishment of the
employment contract or that you personally provide during your application or prefer to share in other texts,
through your verbal, physical or electronic transmission to us and if you indicate a reference person, for the
legitimate interest of Gevge Teknoloji Anonim Şirketi, by obtaining information from these persons or by
obtaining information from the representatives of the workplace you worked at before your application and/or
through the e-mails of Gevge Teknoloji Anonim Şirketi employees and human resources consultancy firms.
We collect your personal data that you share with private employment agencies and career network platforms
through your job application to us through these platforms or through forms filled in through these platforms to
share your information with third parties, because it is necessary for the establishment of an employment
contract.
We collect your visual data through cameras we have installed due to the legitimate interest of Gevge Teknoloji
Anonim Şirketi to ensure security.
PURPOSES OF PROCESSING YOUR PERSONAL DATA
Your personal data specified above are processed for the following purposes, as they are necessary for the establishment of the employment contract within the framework of the legal relationship between the candidate employee and the candidate employer between Gevge Teknoloji Anonim Şirketi and the Candidate Employee:
Your personal data will be stored for the maximum period specified in the relevant legislation or required for the purpose for which they are processed, and in any case for the legal limitation periods.
YOUR SPECIAL NATURE PERSONAL DATA
The information you share with us from time to time may include your personal data of a special nature. Within
the scope of the GDPR, your race, ethnic origin, political views, philosophical beliefs, religion, sect or other
beliefs, appearance and dress, memberships in associations, foundations or unions, your health, sexual life,
criminal convictions, if any, and
data regarding security measures regarding you, as well as your biometric and genetic data, are your personal
data of a special nature.
The information you share with us from time to time may include your personal data of a special nature. Within
the scope of GDPR, your race, ethnic origin, political views, philosophical beliefs, religion, sect or other
beliefs, appearance and dress, association, foundation or union memberships, health, sexual life, criminal
convictions, if any, and
data regarding security measures regarding you, as well as your biometric and genetic data are your special
data.
In this context, your special personal data;
YOUR RIGHTS
Within the scope of GDPR, you have the following rights regarding your personal data:
In order to exercise your rights specified above, you can send your written request with the necessary information to identify you and your explanations regarding the right you want to exercise to the address “Gevge Teknoloji Anonim Şirketi Sahrayıcedit Mh. Atatürk Cd. Kaptan Metin İş Merkezi No:51 Kat:3, 34734 Kadıköy İstanbul” with a wet signature, clearly stating that the subject is related to GDPR, or by filling out the “Personal Data Application Form” published on our website to our GEVGE-EMAIL e-mail address. Applications must include your name, surname and signature if the application is written, Turkish identity number for citizens of the Republic of Turkey, nationality, passport number/identity number for foreigners, residence or workplace address for notification, e-mail address for notification, telephone or fax number if any, and the subject of the request. In the application that includes your explanations regarding the right you wish to exercise and request to exercise your rights specified above as the personal data owner; the subject you request must be clear and understandable, the subject you request must be related to you, or if you are acting on behalf of someone else, you must be specifically authorized in this matter and your authority must be documented, the application must include your identity and address information, and documents that prove your identity must be attached to the application. Applications you make within this scope will be finalized as soon as possible and within 30 days at the latest. However, if the process requires an additional cost, the fee specified in the tariff determined by the Personal Data Protection Board may be charged. If the response to the application is given on a recording medium such as a CD or flash memory, the fee that may be requested by Gevge Teknoloji Anonim Şirketi cannot exceed the cost of the recording medium.
APPLICATION, COMPLAINT AND DATA CONTROLLER REGISTRY
APPLICATION TO DATA CONTROLLER
The relevant person shall submit his/her requests regarding the implementation of this Law to the data controller in writing or through other methods determined by the Board.
The data controller shall finalize the requests included in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.
The data controller accepts the request or rejects it by explaining the reason and notifies the relevant person of its response in writing or electronically. If the request in the application is accepted, the data controller fulfills the requirements. If the application is due to the data controller's mistake, the fee received is returned to the relevant person.
COMPLAINT TO THE BOARD
In cases where the application is rejected, the response given is found insufficient or the application is not responded to in a timely manner; the relevant person may complain to the Board within thirty days from the date of learning the response of the data controller and, in any case, within sixty days from the date of application.
A complaint cannot be filed without exhausting the application remedy in accordance with Article 13.
Those whose personal rights have been violated are entitled to compensation in accordance with general provisions.
PROCEDURES AND PRINCIPLES OF INVESTIGATION UPON A COMPLAINT OR EXEMPLARY
The Board shall conduct the necessary investigation on matters falling within its scope of duty upon a complaint or upon learning of an alleged violation.
Notifications or complaints that do not meet the conditions specified in Article 6 of the Law No. 3071 on the Use of the Right to Petition dated 1/11/1984 shall not be taken into consideration.
Except for information and documents that are state secrets; The data controller must send the information and documents requested by the Board regarding the subject of the investigation within fifteen days and, if necessary, provide an opportunity for an on-site investigation.
Upon the complaint, the Board examines the request and provides a response to the relevant parties. If no response is provided within sixty days from the date of the complaint, the request is deemed to have been rejected.
If the existence of a violation is determined as a result of the investigation conducted upon the complaint or ex officio, the Board decides that the illegalities it has identified must be remedied by the data controller and notifies the relevant parties. This decision shall be implemented without delay and at the latest within thirty days from the notification.
If it is determined that the violation is widespread as a result of the investigation conducted upon complaint or ex officio, the Board shall take a principle decision on this matter and publish this decision. Before taking a principle decision, the Board may also obtain the opinions of the relevant institutions and organizations if necessary.
The Board may decide to stop data processing or transferring data abroad in the event of irreparable or impossible damages and a clear violation of law.
REGISTRY OF DATA CONTROLLERS
The Board shall conduct the necessary investigation on the issues within its scope of duty, upon complaint or upon learning of the alleged violation.
Notifications or complaints that do not meet the conditions specified in Article 6 of the Law No. 3071 on the Use of the Right to Petition dated 1/11/1984 shall not be taken into consideration.
Except for information and documents that are state secrets; the data controller shall send the information and documents requested by the Board regarding the subject of the investigation within fifteen days and shall provide the opportunity for on-site investigation when necessary.
Upon complaint, the Board shall examine the request and provide a response to the relevant parties. If no response is given within sixty days from the date of the complaint, the request shall be deemed to have been rejected.
If the existence of a violation is determined as a result of the investigation conducted upon the complaint or ex officio, the Board shall decide that the illegalities it has identified shall be remedied by the data controller and notify the relevant parties. This decision shall be implemented without delay and within thirty days at the latest as of the notification.
If the widespread nature of the violation is determined as a result of the investigation conducted upon the complaint or ex officio, the Board shall take a principle decision on this matter and publish this decision. The Board may also obtain the opinions of the relevant institutions and organizations before taking a principle decision, if necessary.
The Board may decide to suspend data processing or transfer of data abroad in the event of irreparable or impossible damages and a clear violation of law.
DATA CONTROLLERS REGISTRY
The Data Controllers Registry is kept publicly by the Presidency under the supervision of the Board.
Natural and legal persons who process personal data must register with the Data Controllers Registry before starting data processing. However, the Board may grant an exception to the requirement to register with the Data Controllers Registry by taking into account objective criteria to be determined by the Board, such as the nature and number of personal data processed, whether the data processing is due to law or whether it is transferred to third parties.
The application for registration with the Data Controllers Registry is made with a notification that includes the following:
Any changes in the information provided in accordance with the third paragraph shall be immediately notified to the Presidency.
Other procedures and principles regarding the Data Controllers Registry are regulated by the regulation.
CRIMES AND MISDEMEANORS
CRIMES
The provisions of Articles 135 to 140 of the Turkish Penal Code No. 5237 dated 26/9/2004 shall apply to crimes related to personal data.
Those who do not delete or anonymize personal data contrary to the provisions of Article 7 of this Law shall be punished in accordance with Article 138 of Law No. 5237.
MISCONDITIONS
This Law;
The administrative fines stipulated in this article shall be applied to real persons and private law legal entities who are data controllers.
If the actions listed in the first paragraph are committed within public institutions and organizations and professional organizations with the status of a public institution, upon notification by the Board, disciplinary action will be taken against the civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations with the status of a public institution, and the results will be reported to the Board.
PERSONAL DATA PROTECTION AGENCY AND ORGANIZATION
PERSONAL DATA PROTECTION AGENCY
The Personal Data Protection Agency, which has administrative and financial autonomy and is a public legal entity, has been established to fulfill the duties assigned by this Law.
The institution is related to the minister to be assigned by the President.
The institution's headquarters is in Ankara.
The institution consists of the Board and the Presidency. The decision-making body of the institution is the Board.
THE DUTIES OF THE INSTITUTION
The duties of the institution are as follows;
PERSONAL DATA PROTECTION BOARD
The Board shall independently fulfill and use the duties and authorities assigned by this Law and other legislation under its own responsibility. No organ, authority, office or person may give orders or instructions to the Board, or make recommendations or suggestions regarding matters falling within its scope of duty. (1)
The Board consists of nine members. Five members of the Board are elected by the Turkish Grand National Assembly, and four members by the President.
The following conditions are required to become a member of the Board:
(Repealed: 2/7/2018-KHK-703/163 art.)
The Turkish Grand National Assembly elects members to the Board in the following manner:
In case of termination of the term of office of one of the members elected by the President (…) (1) forty-five days before the end of his/her term or for any reason, the situation shall be notified to the Presidency (…) (1) by the Institution within fifteen days. A new member election shall be held one month before the end of the term of office of the members. In case of a vacancy in these memberships for any reason before the end of the term of office, the election shall be held within fifteen days from the notification. (1)
The Board shall elect the President and Vice President from among its members. The President of the Board shall also be the President of the Institution.
The term of office of the Board members shall be four years. The member whose term has expired may be re-elected. The person elected to replace the member whose term of office has expired for any reason before the end of his/her term of office shall complete the remaining term of the member he/she was elected to replace.
The elected members swear before the First Presidency of the Supreme Court of Appeals, "I swear on my honor and dignity that I will perform my duties in accordance with the Constitution and the laws, with complete impartiality, honesty, fairness and justice." Applications to the Supreme Court of Appeals for an oath are considered urgent matters.
Board members cannot take on any official or private duty, be a manager in associations, foundations, cooperatives and similar places, engage in trade, engage in freelance activities, act as arbitrators and experts, unless based on a special law, other than the performance of their official duties on the Board. However, Board members may publish for scientific purposes, give lectures and conferences, and receive royalties and lecture and conference fees arising from these.
Investigations into crimes that members are alleged to have committed due to their duties are conducted in accordance with the Law No. 4483 on the Trial of Civil Servants and Other Public Officials dated 2/12/1999, and permission for investigations is granted by the President. (1)
The provisions of Law No. 657 shall apply in disciplinary investigations and prosecutions regarding Board members.
Board members cannot be dismissed from their duties for any reason before their terms expire. Board members;
Those who are elected as Board members will have their ties with their previous positions terminated as long as they serve on the Board. Those who are elected as members while they are public servants will be appointed to a position suitable for their qualifications by the competent authority within one month, provided that they do not lose the conditions for entering the civil service, if their term of office expires or they request to resign and apply to their former institution within thirty days. Until the appointment is made, all kinds of payments they receive will continue to be paid by the Institution. Those who are not employed in a public institution and whose duties are terminated as stated above, shall continue to be paid all kinds of payments by the Institution until they start any duty or job, and the payment to be made by the Institution to those whose memberships are terminated in this manner shall not exceed three months. The periods they spend in the Institution shall be deemed to have been spent in their previous institution or organization in terms of their personal rights and other rights.
PERSONAL DATA PROTECTION BOARD
The duties and authorities of the Board are as follows:
BOARD WORKING PRINCIPLES
The Chairman determines the meeting days and agenda of the Board. The Chairman may call the Board to an extraordinary meeting when necessary.
The Board meets with at least six members, including the Chairman, and makes decisions with the absolute majority of the total number of members. Board members cannot abstain from voting.
Board members cannot participate in meetings and votes on issues concerning themselves, their relatives by blood up to the third degree and their in-laws up to the second degree, their adopted children, and their spouses, even if the marriage bond between them has been terminated.
Board members cannot disclose the secrets they learn about the relevant persons and third parties during their work to anyone other than the authorities authorized by law on this matter, and cannot use them for their own benefit. This obligation continues after they leave office.
The work discussed in the Board is recorded in the minutes. Decisions and the reasons for dissenting votes, if any, are recorded within fifteen days from the date of the decision. The Board announces the decisions it deems necessary to the public.
Unless otherwise agreed, the discussions at the Board meetings are confidential.
The working procedures and principles of the Board, the writing of decisions and other matters are regulated by the regulations.
CHAIRMAN
The President is the highest authority of the Institution as the head of the Board and the Institution, and organizes and executes the Institution's services in accordance with the legislation, the Institution's objectives and policies, strategic plan, performance criteria and service quality standards, and ensures coordination between service units.
The President is responsible for the general management and representation of the Institution. This responsibility includes the duties and authorities of organizing, executing, auditing, evaluating the Institution's activities and announcing them to the public when necessary.
The President's duties are as follows:
In the absence of the Institution President, the Vice President shall act as the President.
FORMATION AND DUTIES OF THE PRESIDENCY
The Presidency consists of the Vice President and service units. The Presidency shall perform the duties listed in the fourth paragraph through service units organized as department heads. The number of department heads shall not exceed seven.
A Vice President shall be appointed by the President to assist in the duties related to the Institution.
The Vice President and department heads are appointed by the President from among those who have graduated from at least a four-year higher education institution and have been in public service for ten years.
The duties of the Presidency are as follows:
Service units and the working procedures and principles of these units are determined by the regulation put into effect by the President upon the proposal of the Institution in accordance with the field of activity, duties and authorities specified in this Law.
PERSONAL DATA PROTECTION EXPERT AND ASSISTANT EXPERTS
Personal Data Protection Expert and Assistant Personal Data Protection Expert can be employed in the Institution. Among these, a one-time promotion of one degree is applied to those appointed to the Personal Data Protection Expert cadre within the framework of additional article 41 of Law No. 657.
PROVISIONS RELATING TO PERSONNEL AND PERSONNEL RIGHTS
The institution's personnel are subject to Law No. 657, except for the matters regulated by this Law.
Payments made to the Board Chairman and members and the institution's personnel within the scope of financial and social rights determined in accordance with Article 11 of the Decree Law No. 375 dated 27/6/1989 shall be paid within the same procedures and principles. Payments made to the similar personnel that are not subject to tax and other legal deductions shall not be subject to tax and other deductions according to this Law.
The Board Chairman and members and the Institution personnel are subject to the provisions of Article 4, first paragraph, subparagraph (c) of the Social Insurance and General Health Insurance Law No. 5510 dated 31/5/2006. The Board Chairman and members and the Institution personnel are also considered equal to the personnel determined as peers in terms of retirement rights. Of those who were appointed as the Board Chairman and members while insured within the scope of Article 4, first paragraph, subparagraph (c) of Law No. 5510, whose duties have ended or who request to resign from these duties, the service periods spent in these duties are taken into account in determining their acquired rights, salaries, degrees and grades. Of these, the periods spent in these duties by those who fall within the scope of temporary Article 4 of Law No. 5510 during their duties are evaluated as the period for which the position compensation and representation compensation must be paid. In public institutions and organizations, those who are insured within the scope of Article 4, first paragraph, subparagraph (a) of Law No. 5510 and are appointed as Board Chair and members, shall not be required to pay severance pay or termination compensation if their ties with their previous institutions and organizations are terminated. In such cases, the service periods for which severance pay or termination compensation should be paid shall be combined with the service periods spent as Board Chair and Board member and shall be evaluated as the period for which retirement bonus will be paid.
Officers and other public officials working in public administrations within the scope of central government, social security institutions, local administrations, administrations affiliated to local administrations, local administration unions, revolving fund organizations, funds established by law, organizations with public legal personality, organizations with more than fifty percent of their capital belonging to the public, economic state enterprises and public economic organizations and their affiliated partnerships and institutions may be temporarily assigned to the Institution with the consent of their institutions, and judges and prosecutors with their own consent, provided that their salaries, allowances, all kinds of raises and compensations and other financial and social rights and aids are paid by their institutions. The Institution's requests regarding this matter are primarily finalized by the relevant institutions and organizations. Personnel assigned in this manner are considered to be on paid leave from their institutions. As long as these personnel are on leave, their civil service, interests and personal rights continue, and these periods are also taken into account in their promotions and retirements, and their promotions are made in due time without the need for any other procedure. The periods spent by those assigned within the scope of this article in the Institution are considered to have been spent in their own institutions. The number of those assigned in this manner cannot exceed ten percent of the total number of Personal Data Protection Specialists and Personal Data Protection Assistant Specialists, and the assignment period cannot exceed two years. However, this period can be extended in one-year periods in case of need.
The titles and numbers of positions for the personnel to be employed in the Institution are shown in the attached Table (I). Title and degree changes, addition of new titles and cancellation of vacant positions are made by the Board's decision, provided that they are limited to the positions listed in the annexed tables of the Decree Law No. 190 on General Positions and Procedures dated 13/12/1983, not to exceed the total number of positions.
MISCELLANEOUS PROVISIONS
EXCEPTIONS
The provisions of this Law shall not apply in the following cases:
Article 10, which regulates the data controller's obligation to inform, excluding the right to demand compensation for damages, and Article 16, which regulates the obligation to register in the Data Controllers Registry, shall not apply in the following cases, provided that it is in accordance with and proportionate to the purpose and basic principles of this Law:
BUDGET AND REVENUES OF THE INSTITUTION
The budget of the institution is prepared and accepted in accordance with the procedures and principles determined in Law No. 5018.
The institution's revenues are as follows:
REGULATION
The regulations regarding the implementation of this Law shall be put into effect by the Institution.
TRANSITIONAL PROVISIONS
Within six months from the date of publication of this Law, the Board members shall be elected and the Presidency organization shall be established in accordance with the procedure stipulated in Article 21. (2)
Data controllers must register with the Data Controllers Registry within the period determined and announced by the Board. (3)
Personal data processed before the date of publication of this Law shall be brought into compliance with the provisions of this Law within two years from the date of publication. Personal data found to be in violation of the provisions of this Law shall be immediately deleted, destroyed or anonymized. However, consents obtained in accordance with the law before the date of publication of this Law shall be deemed to be in compliance with this Law unless a contrary declaration of intent is made within one year. (4)
The regulations foreseen in this Law shall be put into effect within one year from the date of publication of this Law. (5)
A senior manager shall be determined within one year from the date of publication of this Law to ensure coordination regarding the implementation of this Law in public institutions and organizations and shall be reported to the Presidency. (6)
The first elected President, the Second President and two members determined by lot shall serve for six years; the other five members shall serve for four years. (7)
Until the budget is allocated to the institution;
Secretarial services shall be provided by the Prime Ministry until the institution's service units become operational.
TEMPORARY ARTICLE 2- (ANNEX: 28/11/2017-7061/120 MD.)
Graduates of at least four-year undergraduate programs in political science, economic and administrative sciences, economics, law and business administration, electronics, electrical-electronics, electronics and communication, computer, information systems engineering departments of engineering faculties, or domestic and foreign higher education institutions whose equivalence is accepted by the Council of Higher Education; Those who have been appointed to the positions of the central organizations of the institutions related to the titles specified in subparagraph (11) of paragraph (A) of the section titled “Common Provisions” of Article 36 of Law No. 657, after a special competitive exam and a special qualification exam, and who have been in these positions for at least two years, excluding unpaid leave periods, and those who are in faculty positions, may be appointed as Personal Data Protection Specialists within one year from the date of entry into force of this article, provided that they have received at least seventy points from the Foreign Language Proficiency Level Determination Exam and have not reached the age of forty as of the date of appointment. The number of those to be appointed in this manner cannot exceed fifteen.
IN EFFECT
This Law;
EXECUTION
The provisions of this Law shall be executed by the Council of Ministers.