COMPANY POLICY
KVKK PERSONAL DATA STORAGE AND DESTRUCTION POLICY
INTRODUCTION
LUX PROPERTIES Real Estate Consultancy Car Rental and Construction Trade Ltd. Co. (“Company”) prioritizes the confidentiality and protection of personal data in its activities, adhering to all current regulations in this regard.
The Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding storage and destruction activities carried out by the Company. The Company, in line with its mission, vision, and fundamental principles outlined in the Strategic Plan, prioritizes the processing of personal data of its employees, employee candidates, service providers, visitors, and other third parties in accordance with the Constitution of the Republic of Turkey, international agreements, Law No. 6698 on the Protection of Personal Data (“Law”), and other relevant legislation, ensuring that the rights of the concerned individuals are effectively exercised.
The storage and destruction of personal data shall be carried out by the Company in accordance with this Policy.
This Policy aims to explain the principles of personal data protection and processing within the scope of Law No. 6698 on the Protection of Personal Data and related legislation (“Legislation”) and to inform data subjects.
This Policy has been prepared based on the current personal data inventory created in accordance with the business processes of our Company.
SCOPE
This Personal Data Protection and Processing Policy (“Policy”) applies to all personal data processed automatically or non-automatically, provided that it is a part of any data recording system, except for the personal data of our Company's employees, shareholders/partners, and officials.
Personal data of Company employees, employee candidates, service providers, visitors, and other third parties are within the scope of this Policy, and this Policy applies to all recording environments where personal data is processed and to personal data processing activities carried out by the Company.
DEFINITIONS
In this Policy:
Explicit consent: Consent on a specific subject, based on information and expressed with free will,
Anonymization: Making personal data impossible to relate to an identified or identifiable natural person, even by matching with other data,
Related person: The natural person whose personal data is processed,
Employee: Company employee,
Personal data: Any information relating to an identified or identifiable natural person,
Processing of personal data: Any operation performed on personal data, such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, takeover, making available, classification, or preventing the use thereof, fully or partially by automatic means or otherwise as part of any data recording system,
Special categories of personal data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, association, foundation or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data,
Data processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller,
Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
GENERAL PRINCIPLES
Our Company processes personal data in accordance with the law and principles of honesty, ensures that personal data is accurate and, when necessary, kept up to date, processes personal data for specific, explicit, and legitimate purposes, conducts data processing activities in a manner relevant, limited, and proportionate to the purposes for which they are processed, and retains personal data for the duration required by relevant legislation or for the purposes for which they are processed. All business processes and policies are designed in compliance with these principles.
CONDITIONS FOR PROCESSING PERSONAL DATA
Personal Data
Our Company may process personal data in accordance with the relevant legislation based on the following legal reasons:
Explicit consent of the related person: Personal data may be processed with the explicit consent of the related person.
Explicitly provided by laws: Personal data may be processed if explicitly provided by laws.
Failure to obtain consent due to actual impossibility: If the data subject cannot express consent due to actual impossibility or if consent cannot be validated legally, personal data may be processed to protect the life or physical integrity of the data subject or another person.
Direct relation with the establishment or performance of a contract: Personal data may be processed if it is necessary for the establishment or performance of a contract.
Legal obligation: Personal data may be processed if it is necessary to fulfill the legal obligations of the data controller.
Publicized data: Personal data may be processed if the data subject has publicized them.
Establishment, exercise, or protection of a right: Personal data may be processed if it is necessary for the establishment, exercise, or protection of a right.
Legitimate interests: Personal data may be processed if it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Special Categories of Personal Data
Special categories of personal data may be processed by our Company, in accordance with the principles specified in this Policy and by taking sufficient measures as determined by the Board,
Personal data excluding those related to health and sexual life: Special categories of personal data excluding those related to health and sexual life may be processed with the explicit consent of the data subject or in cases explicitly provided by law.
Personal data related to health and sexual life: Special categories of personal data related to health and sexual life may be processed with the explicit consent of the data subject or by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and their financing.
OUR PERSONAL DATA PROCESSING ACTIVITIES
Categories of Personal Data
The categories of personal data processed by our Company during its activities are specified in the table below (Table-1).
| Data Category | Description |
|---|---|
| Identity | Name-surname, mother’s name, father’s name, mother’s maiden name, date of birth, place of birth, marital status, identity card serial number, TC identification number, etc. |
| Contact | Address, email address, contact address, registered electronic mail address (KEP), phone number, etc. |
| Legal Process | Information in correspondence with judicial authorities, information in the case file, etc. |
| Customer Process | Invoice, promissory note, check information, counter transactions information, order information, demand information, etc. |
| Physical Space Security | Entry-exit records of employees and visitors, camera records, etc. |
| Finance | Balance sheet information, financial performance information, credit and risk information, asset information, etc. |
| Professional Experience | Diploma information, attended courses, in-service training information, certificates, transcript information, etc. |
| Visual and Audio Records | Visual and audio records, etc. |
Purposes of Processing Personal Data
The purposes of processing the categories of personal data mentioned in Table-1 during our Company's activities are specified in the table below (Table-2).
| Data Category | Purposes of Processing Personal Data |
|---|---|
| Identity | Conducting Employee Candidate / Intern / Student Selection and Placement Processes |
| Identity | Conducting Employee Candidate Application Processes |
| Identity | Ensuring Compliance with Legislation |
| Identity | Conducting Finance and Accounting Processes |
| Identity | Tracking and Conducting Legal Affairs |
| Identity | Conducting Communication Activities |
| Identity | Conducting Business Activities / Audits |
| Identity | Conducting Goods / Services Procurement Processes |
| Identity | Conducting Goods / Services Sales Processes |
| Identity | Conducting Customer Relationship Management Processes |
| Identity | Conducting Organization and Event Management |
| Identity | Conducting Advertisement / Campaign / Promotion Processes |
| Identity | Conducting Contract Processes |
| Identity | Providing Information to Authorized Persons, Institutions, and Organizations |
| Identity | Creating and Tracking Visitor Records |
| Identity | Conducting Secretariat Affairs |
| Identity | Conducting Customer Acquisition Activities |
| Identity | Conducting Site Visit Activities |
| Identity | Tracking and Conducting Land Registry Affairs |
| Contact | Conducting Employee Candidate / Intern / Student Selection and Placement Processes |
| Contact | Conducting Employee Candidate Application Processes |
| Contact | Ensuring Compliance with Legislation |
| Contact | Conducting Finance and Accounting Processes |
| Contact | Tracking and Conducting Legal Affairs |
| Contact | Conducting Communication Activities |
| Contact | Conducting Business Activities / Audits |
| Contact | Conducting Goods / Services Procurement Processes |
| Contact | Conducting Goods / Services Sales Processes |
| Contact | Conducting Customer Relationship Management Processes |
| Contact | Conducting Organization and Event Management |
| Contact | Conducting Advertisement / Campaign / Promotion Processes |
| Contact | Conducting Contract Processes |
| Contact | Providing Information to Authorized Persons, Institutions, and Organizations |
| Contact | Creating and Tracking Visitor Records |
| Contact | Conducting Secretariat Affairs |
| Contact | Conducting Customer Acquisition Activities |
| Contact | Conducting Site Visit Activities |
| Contact | Tracking and Conducting Land Registry Affairs |
| Legal Process | Tracking and Conducting Legal Affairs |
| Customer Process | Tracking and Conducting Legal Affairs |
| Customer Process | Conducting Communication Activities |
| Customer Process | Conducting Goods / Services Sales Processes |
| Customer Process | Conducting Customer Relationship Management Processes |
| Customer Process | Tracking and Conducting Land Registry Affairs |
| Physical Space Security | Ensuring Physical Space Security |
| Physical Space Security | Creating and Tracking Visitor Records |
| Finance | Ensuring Compliance with Legislation |
| Finance | Conducting Finance and Accounting Processes |
| Finance | Conducting Business Activities / Audits |
| Finance | Conducting Contract Processes |
| Finance | Providing Information to Authorized Persons, Institutions, and Organizations |
| Finance | Tracking and Conducting Land Registry Affairs |
| Professional Experience | Conducting Employee Candidate Application Processes |
| Visual and Audio Records | Conducting Employee Candidate / Intern / Student Selection and Placement Processes |
| Visual and Audio Records | Conducting Employee Candidate Application Processes |
| Visual and Audio Records | Conducting Goods / Services Sales Processes |
TRANSFER OF PERSONAL DATA
Personal Data
Our Company may transfer personal data with the explicit consent of the data subject or as required by laws. In addition, personal data may be transferred to protect the life or physical integrity of the person, establish or fulfill a contract, meet legal obligations, use publicized data, protect rights, or for legitimate interests. During the transfer, data security is ensured and necessary measures are taken. If personal data is to be transferred abroad, it may be transferred to countries with adequate protection levels or abroad with the necessary permissions.
Special Categories of Personal Data
Our Company may transfer special categories of personal data with the explicit consent of the data subject or by taking sufficient measures as determined by the Board, in accordance with the principles specified in this Policy.
Personal data excluding those related to health and sexual life: Special categories of personal data excluding those related to health and sexual life may be processed with the explicit consent of the data subject or in cases explicitly provided by law.
Personal data related to health and sexual life: Special categories of personal data related to health and sexual life may be processed with the explicit consent of the data subject or by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and their financing.
Special categories of personal data may be transferred to third parties with the explicit consent of the data subject or by taking sufficient measures as determined by the Board.
Our Company ensures the security of special categories of personal data during the transfer process by taking necessary technical and administrative measures to protect data and ensuring compliance with Legislation.
If special categories of personal data are to be transferred abroad, in addition to the measures specified above, our Company ensures that personal data is transferred to foreign countries with adequate protection as determined by the Board or to foreign countries where data controllers in Turkey and the relevant foreign country provide sufficient protection in writing and with the permission of the Board.
TRANSFERRED THIRD PARTIES
The recipient groups to whom personal data and special categories of personal data are transferred by our Company are specified in the table below (Table-3).
| Recipient Groups | Purposes of Transfer |
|---|---|
| Suppliers | Conducting Legal Processes |
| Suppliers | Conducting Business Partner Management Activities |
| Suppliers | Conducting Marketing Communication Processes |
| Suppliers | Conducting Accounting Processes |
| Suppliers | Tracking Recording and Payment Processes |
| Suppliers | Organizing Events and Organizations |
| Authorized Public Institutions and Organizations | Conducting Legal Processes |
| Authorized Public Institutions and Organizations | Conducting Accounting Processes |
| Authorized Public Institutions and Organizations | Tracking Land Registry Transactions |
| Authorized Public Institutions and Organizations | Sharing Camera Records upon Request within the Scope of Security Processes |
| Business Partners | Conducting Secretariat Activities |
| Business Partners | Conducting Communication and Site Visit Activities within the Scope of Customer Relationship Processes |
| Public | Conducting Announcement Creation and Publication Activities |
DATA SUBJECTS
Our Company informs data subjects about the identity of the data controller, the purposes for which personal data is processed, the third parties to whom personal data is transferred, the methods and legal reasons for collecting personal data, and the rights of data subjects regarding the processing of their personal data within the scope of Legislation.
The categories of data subjects whose personal data are processed by our Company are specified in the table below (Table-4).
| Data Subject Groups | Data Categories |
|---|---|
| Employee Candidate | Identity |
| Employee Candidate | Contact |
| Employee Candidate | Professional Experience |
| Employee Candidate | Visual and Audio Records |
| Product or Service Recipient | Identity |
| Product or Service Recipient | Contact |
| Product or Service Recipient | Legal Process |
| Product or Service Recipient | Customer Process |
| Product or Service Recipient | Finance |
| Product or Service Recipient | Marketing |
| Product or Service Recipient | Visual and Audio Records |
| Supplier | Identity |
| Supplier | Contact |
| Supplier | Legal Process |
| Supplier | Supplier Process |
| Supplier | Finance |
| Potential Product or Service Recipient | Identity |
| Potential Product or Service Recipient | Contact |
| Potential Product or Service Recipient | Customer Process |
| Potential Product or Service Recipient | Marketing |
| Visitor | Identity |
| Visitor | Contact |
| Visitor | Physical Space Security |
| Business Partner | Identity |
| Business Partner | Contact |
| Business Partner | Finance |
Rights of Data Subjects
Data subjects have the following rights under the Law:
- Right to learn whether personal data is processed,
- Right to request information if personal data has been processed,
- Right to learn the purpose of processing personal data and whether it is used in accordance with the purpose,
- Right to learn the third parties to whom personal data is transferred in the country or abroad,
- Right to request the correction of incomplete or incorrect personal data and to request notification of the corrections made to third parties to whom the personal data has been transferred,
- Right to request the deletion or destruction of personal data in accordance with the law if the reasons for processing personal data no longer exist, and to request notification of the transactions made to third parties to whom the personal data has been transferred,
- Right to object to any unfavorable outcome resulting from the analysis of personal data exclusively through automated systems,
- Right to claim compensation for damages arising from the unlawful processing of personal data.
Data subjects can apply to our Company to exercise the above rights. Applications should be submitted in writing or by other methods determined by the Personal Data Protection Board, such as registered electronic mail (KEP) address, secure electronic signature, mobile signature, or by using the email address previously notified to our Company and registered in our systems.
You can contact us using the following contact information:
LUX PROPERTIES Real Estate Consultancy Car Rental and Construction Trade Ltd. Co.
Address: Eski Büyükdere Caddesi, No:14, Park Plaza, Kat:7/19, Maslak, Sarıyer/İstanbul
Email: info@lp.com.tr
KEP: hasan.safak@hs01.kep.tr
We make every effort to ensure that personal data subjects can exercise their KVKK rights and that their data is kept secure.
SECURITY OF PERSONAL DATA
Our Company meticulously implements various technical and administrative measures to ensure the highest level of security for personal data. These security measures are detailed in Table-5.
Our Company informs its employees about the protection and security of personal data and provides the necessary training. In our internal systems, access rights are defined according to the purposes of using personal data, and necessary controls are implemented to prevent unauthorized access.
Regarding the persons to whom personal data is transferred, our Company uses audit and control authorities to ensure the security of personal data when necessary. This ensures that the data is kept secure and complies with current legal regulations.