Personal Data Protection and Processing Policy

Version 1.0
Last updated: September 14, 2018

  1. INTRODUCTION

1.1. Purpose and Scope of Policy

The Law No. 6698 on the Protection of Personal Data (“Law”) was put into force on April 7, 2016. The Personal Data Protection and Processing Policy of the PMC (“Policy”) aims to ensure the compliance of the Pension Monitoring Center (“PMC” or “Center”) with the Law, and to determine the principles to adopt for fulfilling the obligations of PMC regarding the protection and processing of personal data.

The Policy sets out the conditions of processing the personal data and the main principles adopted by the PMC on the processing of personal data. In this context, the Policy covers all the personal data processing activities undertaken by the PMC, as well as the data subjects and personal data processed by the Center.

Issues relating to the processing of personal data of PMC employees are not covered by this Policy and are regulated separately by the Pension Monitoring Center’s Policy on the Processing and Protection of Employees’ Personal Data.

Definitions related to the terms used in the Policy are provided in ANNEX-1.

1.2. Validity and Amendments

The Policy has been published and made public by the PMC on its Internet website. If the provisions of this Policy conflict with the applicable legislation, primarily the Law, then the provisions of the legislation shall prevail.

The PMC reserves the right to amend the Policy in line with the legal regulations. The updated version of the Policy is available on the PMC website egm.org.tr.

  2. DATA SUBJECTS, DATA PROCESSING OBJECTIVES AND DATA CATEGORIES FOR OUR PERSONAL DATA PROCESSING ACTIVITIES

2.1. Data Subjects

Data subjects are all natural persons who are not PMC employees but whose personal data is processed by the PMC. In this context, the categories of data subjects are as follows:

| No. | DATA SUBJECT CATEGORIES | DESCRIPTION |
|---|---|---|
| 1 | Participant | Refers to the natural persons who are currently a beneficiary of the services provided by the PMC. |
| 2 | Prospective Participant | Refers to the natural persons who are interested in using the services provided by the PMC and have the potential to become a participant. |
| 3 | Visitor | Refers to the natural persons who are visiting the PMC campus and the Internet website. |
| 4 | Job Candidate | Refers to the natural persons who have applied for a job with the PMC either by submitting a CV or through other channels. |
| 5 | Solicitor | Refers to the natural persons who solicit private pension contracts or do so on behalf of a Pension Company. |
| 6 | Third Parties | Refers to the natural persons who are not PMC employees or are not included in the categories of data subjects mentioned above. |

Data subject categories are provided to share general information. The fact that a data subject does not fall within the scope of any of these categories does not nullify that person's status as a data subject as stated in the Law.

2.2. Personal Data Processing Objectives

Your personal data and your private personal data are processed by the PMC in accordance with the personal data processing requirements stipulated by the Law and the relevant legislation for the following purposes:

| MAIN OBJECTIVES | SUB-OBJECTIVES |
|---|---|
| The Center’s “Contact Us” page on the Corporate Website | 1. Enter complaints, information requests, suggestions and notices, and follow-up on past requests |
| Engage our business units in activities that will help you take advantage of the services provided by our Center (All secondary processing, outsourcing activities to procure services, product promotion/scientific meeting organizations, IT processes and so on). | 1. Ensure that activities are undertaken to inform the individuals about the PMC or legislation on digital or other media. |
| Ensure implementation of the human resources policies of our Center (all HR processes, employee expenses and so on) | 1. Ensure employees have access to the contact information of their business partners; 2. Plan and implement job candidates’ application, selection and evaluation processes; 3. Plan and provide employee benefits; 4. Plan and implement the new-hire and personnel affairs procedures |
| Determine and implement our Center’s commercial and business strategies (Data sharing with affiliates and foreign partnerships, financial reporting and so on). | 1. Manage the administrative processes related to the company operations; 2. Manage the finance/accounting processes related to the company operations; 3. Plan and implement the logistics operations |
| Ensure the legal and commercial security and safety of our Center and the persons who are in contact with our Center (Visitor records, audit, legal proceedings, commercial intelligence and risk analysis studies and so on). | 1. Ensure compliance with the company’s security and safety procedures; 2. Ensure compliance with the procedures on informing the participants; 3. Ensure compliance with the procedures on authorizing solicitors/pension company employees; 4. Ensure compliance with the data processing procedures required by the legislation; 5. Ensure the accuracy/validity of the data; 6. Ensure compliance with the procedures on updating the solicitors’ registry records and verifying validity; 7. Ensure compliance with the procedures on replying and following-up the official letters received from authorized persons/institutions; 8. Follow-up the solicitation process; 9. Ensure the accuracy/validity of the data; 10. Complete the transactions related to the corporations law and legislation; 11. Create or track visitor records; 12. Handle legal affairs; 13. Plan and undertake the audit or ethics activities of the company; 14. Ensure compliance with the procedures on informing the participants |

2.3. Personal Data Categories

Your personal data categorized below are processed by the PMC in accordance with the personal data processing requirements stipulated by the Law and the relevant legislation:

| PERSONAL DATA CATEGORIZATION | DESCRIPTION |
|---|---|
| Identity Information | All information about the identity of a person included in documents such as driver’s license, national identity card, certificate of residence, passport, attorney’s identity card, marriage certificate. |
| Contact Information | Means of communication, such as telephone number, address or e-mail, with the data subject. |
| Participant Information | Information obtained and produced about the related person, through our commercial activities and/or the operations carried out by our business units in this regard. |
| Participant Transaction Information | Information about the use of our products and services and the instructions and requests of the participants for the use of products and services. |
| Information About the Security of Physical Space | Personal data in records and documents, such as camera recordings and fingerprint records, taken at the time of entering and/or during the stay inside the physical space. |
| Transaction Security Information | Your personal data processed in order to ensure our technical, administrative, legal and commercial security and safety when conducting our business activities. |
| Financial Information | Personal data processed in relation to any information, documents and records that contain all financial outcomes reached based on the nature of the legal relationship established by our Center with the personal data subject. |
| Job Candidate Information | Personal data processed in relation to any individual who has applied for employment at our Center and/or has been evaluated as a job candidate in accordance with the commercial customs and practices and good faith, given our Center’s human resources needs, and/or has entered into an employment relationship with our Center. |
| Legal and Compliance Information | Personal data processed as part of our legal obligations, fulfillment of our debts, compliance with our Center’s policies, and the determination and follow-up of our legal rights and claims. |
| Audit and Inspection Information | Personal data processed as part of our Center’s statutory obligations and compliance with company policies. |
| Private Personal Data | Any data on an individual’s race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data is private personal data. |
| Call Monitoring System | Personal data on any complaints, requests for information, notices and suggestions received and evaluated at our Center. |
| Incident Management Information | Personal data processed to take the necessary legal, technical and administrative measures to protect the commercial rights and interests of our Center and the rights and interests of the participants. |

  3. TERMS AND PRINCIPLES OF PROCESSING PERSONAL DATA

3.1. Personal Data Processing Principles

Your personal data is processed by the PMC in accordance with the personal data processing principles set forth in article 4 of the Law. These principles must be complied with in any personal data processing activity:

  • Personal data is processed in accordance with the rules of law and good faith: The PMC acts in accordance with the laws, secondary regulations and the general principles of law in processing your personal data. The Center is committed to processing personal data limited to the purpose of processing and by taking into account the reasonable expectations of the data subjects.
  • Personal data is accurate and valid/updated: The PMC ensures your processed personal data is up-to-date and the necessary checks are performed. Data subjects have the right to request any inaccurate or outdated data to be corrected or deleted.
  • Personal data is processed for specific, clear and legitimate purposes: The PMC determines the purposes of data processing prior to any personal data processing activity and ensures that these purposes are not in violation of the law.
  • Personal data is in line with, limited to and measured by the processing purpose: The data processing activity by PMC is limited to the personal data required for the purpose of collecting the data and the necessary steps are taken to prevent the processing of personal data that is not related to this purpose.
  • Personal data is stored for as long as it is required by legislation or processing purposes: Personal data is deleted, destroyed or anonymized by the PMC at the end of the period stipulated by the legislation, or if the reasons for processing the personal data no longer apply.


3.2. Requirements for Personal Data Processing

Your personal data is processed by the PMC only when at least one of the personal data processing requirements stipulated by article 5 of the Law is met. These requirements are explained as follows:

  • The data subject of the relevant personal data has given express consent: In the absence of other data processing requirements, the personal data of the data subject can be processed by the PMC, in accordance with the general principles set out in Section 3.1, only if the data subject has been properly informed about the data processing activity and has given unequivocal approval of his/her own free will, with the approval being limited only to that specific transaction.
  • If the personal data processing activity has been explicitly stipulated by the law, then the personal data can be processed by the PMC without the express consent of the data subject. In this case, the PMC will process the personal data in accordance with the applicable legal regulations.
  • If the data subject’s express consent cannot be obtained due to physical impossibility and the personal data processing is compulsory, then the personal data of the data subject, who is unable to express his/her consent or whose consent cannot be validated, shall be processed by the PMC only in the event the personal data processing is imperative to protect the life or the physical integrity of the data subject or a third party.
  • If the personal data processing is directly related to the establishment or performance of an agreement, then the personal data processing activity shall be completed if it is necessary to process the personal data of the parties to the agreement entered into or already signed by and between the data subject and the PMC.
  • In the event it is mandatory to complete the personal data processing activity to fulfill the legal obligation of the data controller, the PMC shall process the personal data in order to fulfill the legal obligations stipulated by the applicable legislation.
  • In the event the personal data of the data subject has been publicly disclosed by the data subject, the personal data, which has been made public by the data subject in some way, or has become part of the public domain through public disclosure, may be processed by the PMC, subject to being limited to the purpose of public disclosure, even without the express consent of the data subject.
  • In the event the personal data processing is mandatory for the establishment, use or protection of a right, the PMC shall be allowed to process the personal data of the data subject without the express consent of the data subject.
  • In the event data processing is imperative for the legitimate interests of the data controller without compromising the fundamental rights and freedoms of the data subject, the personal data may be processed by the PMC on the condition that the remaining interests of the data subject and the PMC are observed. When processing data on this basis, the PMC shall first determine the legitimate interest it obtains as a result of the processing activity. The Center evaluates the potential impact of the personal data processing on the data subject’s rights and freedoms, and completes the processing activity if it believes the balance is maintained.


3.3. Requirements for Private Personal Data Processing

Article 6 of the Law specifies private personal data as a limited set of categories. These are the data on an individual’s race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

The PMC can process the private personal data in the following cases, by taking the additional measures determined by the Personal Data Protection Board:

  • The private personal data other than health and sexual life may be processed if it is expressly stipulated by the law or an express consent is given by the data subject.
  • Persons or authorized institutions and organizations who have committed to observing confidentiality are allowed to process personal data relating to health and sexual life for the purposes of public health protection, preventive medicine, medical diagnosis, performance of treatment and care services, planning and management of healthcare services and their financing, without requiring data subject’s express consent.

  4. TRANSFER OF PERSONAL DATA

In accordance with the additional regulations set out in articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the PMC is allowed to transfer personal data in or out of the country, if the requirements of personal data transfer are met.

  • Transfer of the personal data to the third parties in the country: The PMC is allowed to transfer your personal data, provided that at least one of the data processing requirements stipulated by articles 5 and 6 of the Law and explained in Section 3 of this Policy is met.
  • Transfer of the personal data to the third parties abroad: The PMC is NOT allowed to transfer your personal data to foreign countries.

In accordance with the general principles of the Law and the data processing requirements stipulated by articles 8 and 9 of the Law, the PMC is allowed to transfer data to the parties categorized in the following table:

| SHARED PARTY | SCOPE | PURPOSE OF TRANSFER |
|---|---|---|
| Legally Authorized Public Institution | Public institutions and organizations authorized to obtain information and documents from the PMC | Personal data sharing by the relevant public institutions and organizations for the purpose of requesting information |
| Legally Authorized Private Institution | Private legal persons authorized to obtain information and documents from the PMC | Data sharing limited to the purpose requested by the relevant private legal persons within legal authority |

  5. NOTIFYING THE DATA SUBJECTS AND THE RIGHTS OF DATA SUBJECTS

In accordance with article 10 of the Law, data subjects must be notified regarding the personal data processing before or during the processing at the latest. In accordance with the related article, the necessary structure has been formed within the company in order to ensure that the data subjects are notified by the data controller about every instance of personal data processing by the PMC. In this context,

    • Please refer to Section 2.2 of the Policy for the purpose of processing your personal data.
    • Please refer to Section 4 of the Policy for the purpose of transferring your personal data and the parties it was transferred to.
    • Please refer to Sections 3.2 and 3.3 of the Policy to review the requirements for the processing of your personal data, which can be collected through different channels in physical or electronic media.
    • Please note that you have the following rights as the data subject, in accordance with article 11 of the Law:
      1. Find out whether your personal data has been processed;
      2. Request information about your personal data if it has been processed;
      3. Find out the purpose of processing your personal data and whether it has been used in conformity with that purpose;
      4. Find out the third parties to whom your personal data has been provided in or out of the country;
      5. Request correction of your personal data if it has been processed with omissions or inaccuracies, and request notification of the third parties to whom your personal data has been provided about the transactions performed in this way;
      6. Request deletion or destruction of your personal data, and request notification of the third parties to whom your personal data has been provided, about the transactions performed in this way, if the reasons for processing no longer apply to your personal data, which in any event, has been processed in accordance with the provisions of the PPD Law and other applicable laws;
      7. Object to any outcome of an exclusively automated analysis of the processed data that has had a negative result for you;
      8. Request to be indemnified if you have incurred any losses due to any illegal processing of your personal data.


You can submit your application to exercise the above listed rights by completing the Pension Monitoring Center Data Subject Application Form. Your application will be processed and concluded free of charge and you will be notified as soon as possible − within 30 days at the latest − depending on the nature of your request; however, if the transaction requires additional costs, you may be charged according to the tariffs set by the Personal Data Protection Board.

In evaluating the applications, the PMC first determines whether the requesting party is the rightful data subject. However, if it deems it necessary, the PMC may request additional information to better understand the request.

Responses to data subjects’ applications by the PMC are communicated to the data subjects in writing or via electronic media. In case the application is rejected, the reasons for rejection will be explained to the data subject.

In instances where the personal data is not obtained directly from the data subject, the necessary actions are undertaken to brief the data subjects (1) within a reasonable period of time from the acquisition of the personal data by the PMC, (2) at the time of establishing the first contact (if the personal data is to be used to establish contact with the data subject), (3) at the time of effecting the first transfer at the latest (if the personal data is to be transferred).

  6. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

The PMC will delete, destroy or anonymize the personal data in accordance with the guidelines issued by the Institution, on an ex officio basis or at the behest of the data subject, if the reasons for processing no longer apply to the personal data, which in any event, has been processed in accordance with article 7 of the Law.

  7. RESTRICTIONS ON THE SCOPE AND ENFORCEMENT OF THE LAW

The scope of the Law excludes the following cases:

    • If the personal data is processed by natural persons within the scope of activities that involve themselves or family members who live in the same house, provided that they are not given to the third parties and the obligations related to the data security are fully complied with.
    • If the personal data is processed for purposes such as research, planning and statistics, and anonymized through official statistics.
    • If the personal data is processed for the purposes of creating art, history, literature or scientific works, or is processed within the scope of freedom of expression, provided that it does not violate national defense, national security, public security and safety, public order and peace, economic security, the right to privacy or personal rights.
    • If the personal data is processed within the scope of preventive, protective and intelligence activities undertaken by public institutions and organizations commissioned and authorized to ensure national defense, national security, public security and safety, public order and peace or economic security.
    • If the personal data is processed by judicial authorities or enforcement authorities in relation to any investigation, prosecution, trial or enforcement procedures.

In the cases listed below, the PMC will not be required to provide any explanation to the data subjects, and the data subjects will not be allowed to exercise their rights under the Law, except for their rights to seek legal remedies for the damages:

    • If personal data processing is imperative for the prevention or investigation of crime.
    • If the processed personal data has been made public by the data subject himself/herself.
    • If the personal data processing is necessary for the successful performance of the supervisory and regulatory roles and for the disciplinary investigations or prosecutions to be conducted by the designated public institutions and organizations with vested authority granted by the law, and the professional organizations acting in their capacity as public/governmental institutions.
    • If the personal data processing is necessary to protect the economic and financial interests of the State in relation to the budget, tax and financial matters.