Version 1.0
Last updated: September 14, 2018
1.1. Purpose and Scope of Policy
The Law No. 6698 on the Protection of Personal Data (“Law”) was put into force on April 7, 2016. The Personal Data Protection and Processing Policy of the PMC (“Policy”) aims to ensure the compliance of the Pension Monitoring Center (“PMC” or “Center”) with the Law, and to determine the principles to adopt for fulfilling the obligations of PMC regarding the protection and processing of personal data.
The Policy sets out the conditions of processing the personal data and the main principles adopted by the PMC on the processing of personal data. In this context, the Policy covers all the personal data processing activities undertaken by the PMC, as well as the data subjects and personal data processed by the Center.
Issues relating to the processing of personal data of PMC employees are not covered by this Policy and are regulated separately by the Pension Monitoring Center’s Policy on the Processing and Protection of Employees’ Personal Data.
Definitions related to the terms used in the Policy are provided in ANNEX-1.
1.2. Validity and Amendments
The Policy has been published and made public by the PMC on its Internet website. If the regulations contained in this Policy conflict primarily with the Law and the applicable legislation, then the provisions of the legislation shall prevail.
The PMC reserves the right to amend the Policy in line with the legal regulations. The updated version of the Policy is available on the PMC website egm.org.tr.
2.1. Data Subjects
Data subjects are all natural persons who are not PMC employees but whose personal data is processed by the PMC. In this context, the categories of data subjects are as follows:
DATA SUBJECT CATEGORIES |
DESCRIPTION |
|
1 |
Participant |
Refers to the natural persons who are currently a beneficiary of the services provided by the PMC. |
2 |
Prospective Participant |
Refers to the natural persons who are interested in using the services provided by the PMC and have the potential to become a participant. |
3 |
Visitor |
Refers to the natural persons who are visiting the PMC campus and the Internet website. |
4 |
Job Candidate |
Refers to the natural persons who have applied for a job with the PMC either by submitting a CV or through other channels. |
5 |
Solicitor |
Refers to the natural persons who solicit private pension contracts or do so on behalf of a Pension Company. |
6 |
Third Parties |
Refers to the natural persons who are not PMC employees or are not included in the categories of data subjects mentioned above. |
Data subject categories are provided to share general information. The fact that the data subject does not fall within the scope of any of these categories, does not nullify the nature of the data subject stated in the Law.
2.2. Personal Data Processing Objectives
Your personal data and your private personal data are processed by the PMC in accordance with the personal data processing requirements stipulated by the Law and the relevant legislation for the following purposes:
MAIN OBJECTIVES |
SUB-OBJECTIVES |
The Center’s “Contact Us” page on the Corporate Website |
1. Enter complaints, information requests, suggestions and notices, and follow-up on past requests |
Engage our business units in activities that will help you take advantage of the services provided by our Center (All secondary processing, outsourcing activities to procure services, product promotion/scientific meeting organizations, IT processes and so on). |
1. Ensure that activities are undertaken to inform the individuals about the PMC or legislation on digital or other media. |
Ensure implementation of the human resources policies of our Center (all HR processes, employee expenses and so on) |
1. Ensure employees have access to the contact information of their business partners; 2. Plan and implement job candidates’ application, selection and evaluation processes; 3. Plan and provide employee benefits; 4. Plan and implement the new-hire and personnel affairs procedures |
Determine and implement our Center’s commercial and business strategies (Data sharing with affiliates and foreign partnerships, financial reporting and so on). |
1. Manage the administrative processes related to the company operations, 2. Manage the finance/accounting processes related to the company operations, 3. Plan and implement the logistics operations, |
Ensure the legal and commercial security and safety of our Center and the persons who are in contact with our Center (Visitor records, audit, legal proceedings, commercial intelligence and risk analysis studies and so on). |
1. Ensure compliance with the company’s security and safety procedures, 2. Ensure compliance with the procedures on informing the participants, 3. Ensure compliance with the procedures on authorizing solicitors/pension company employees, 4. Ensure compliance with the data processing procedures required by the legislation, 5. Ensure the accuracy/validity of the data 6. Ensure compliance with the procedures on updating the solicitors’ registry records and verifying validity, 7. Ensure compliance with the procedures on replying and following-up the official letters received from authorized persons/institutions, 8. Follow-up the solicitation process, 9. Ensure the accuracy/validity of the data, 10. Complete the transactions related to the corporations law and legislation, 11. Create or track visitor records, 12. Handle legal affairs, 13. Plan and undertake the audit or ethics activities of the company, 14. Ensure compliance with the procedures on informing the participants, |
2.3. Personal Data Categories
Your personal data categorized below are processed by the PMC in accordance with the personal data processing requirements stipulated by the Law and the relevant legislation:
PERSONAL DATA CATEGORIZATION |
DESCRIPTION |
Identity Information |
All information about the identity of a person included in documents such as driver’s license, national identity card, certificate of residence, passport, attorney’s identity card, marriage certificate. |
Contact Information |
Means of communication, such as telephone number, address or e-mail, with the data subject. |
Participant Information |
Information obtained and produced about the related person, through our commercial activities and/or the operations carried out by our business units in this regard. |
Participant Transaction Information |
Information about the use of our products and services and the instructions and requests of the participants for the use of products and services. |
Information About the Security of Physical Space |
Personal data, such as camera recordings, fingerprint records taken at the time of entering into and/or during the stay inside the physical space, on the records and documents. |
Transaction Security Information |
Your personal data processed in order to ensure our technical, administrative, legal and commercial security and safety when conducting our business activities. |
Financial Information |
Personal data processed in relation to any information, documents and records that contain all financial outcome reached based on the nature of the legal relationship established by our center with the personal data subject. |
Job Candidate Information |
Personal data processed in relation to any individual who has applied for employment at our Center and/or has been evaluated as a job candidate in accordance with the commercial customs and practices and good faith, given our Center’s human resources needs, and/or has entered into an employment relationship with our Center. |
Legal and Compliance Information |
Personal data processed as part of our legal obligations, fulfillment of our debts, compliance with our Center’s policies, and the determination and follow-up of our legal rights and claims. |
Audit and Inspection Information |
Personal data processed as part of our Center’s statutory obligations and compliance with company policies. |
Private Personal Data |
Any data on an individual’s race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data is private personal data. |
Call Monitoring System |
Personal data on any complaints, requests for information, notices and suggestions received and evaluated at our Center |
Incident Management Information |
Personal data processed to take the necessary legal, technical and administrative measures to protect the commercial rights and interests of our Center and the rights and interests of the participants. |
3.1. Personal Data Processing Principles
Your personal data is processed by the PMC in accordance with the personal data processing principles set forth in article 4 of the Law. These principles must be complied with in any personal data processing activity:
3.2. Requirements for Personal Data Processing
Your personal data is processed by the PMC only when at least one of the personal data processing requirements stipulated by article 5 of the Law is met. These requirements are explained as follows:
3.3. Requirements for Private Personal Data Processing
Private personal data is specified in article 6 of the Law, but in limited cases. These cases include the data on an individual’s race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
The PMC can process the private personal data in the following cases, by taking the additional measures determined by the Personal Data Protection Board:
In accordance with the additional regulations set out in articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the PMC is allowed to transfer personal data in or out of the country, if the requirements of personal data transfer are met.
In accordance with the general principles of the Law and the data processing requirements stipulated by articles 8 and 9 of the Law, the PMC is allowed to transfer data to the parties categorized in the following table:
SHARED PARTY |
SCOPE |
PURPOSE OF TRANSFER |
Legally Authorized Public Institution |
Public institutions and organizations authorized to obtain information and documents from the PMC |
Personal data sharing by the relevant public institutions and organizations for the purpose of requesting information |
Legally Authorized Private Institution |
Private legal persons authorized to obtain information and documents from the PMC |
Data sharing limited to the purpose requested by the relevant private legal persons within legal authority |
In accordance with article 10 of the Law, data subjects must be notified regarding the personal data processing before or during the processing at the latest. In accordance with the related article, the necessary structure has been formed within the company in order to ensure that the data subjects are notified by the data controller about every instance of personal data processing by the PMC. In this context,
You can submit your application to exercise the above listed rights by completing the Pension Monitoring Center Data Subject Application Form. Your application will be processed and concluded free of charge and you will be notified as soon as possible − within 30 days at the latest − depending on the nature of your request; however, if the transaction requires additional costs, you may be charged according to the tariffs set by the Personal Data Protection Board.
In evaluating the applications, the PMC determines first, whether the requesting party is the rightful data subject. However, if it deems necessary, the PMC may request additional information to better understand the request.
Responses to data subjects’ applications by the PMC are communicated to the data subjects in writing or via electronic media. In case the application is rejected, the reasons for rejection will be explained to the data subject.
In instances where the personal data is not obtained directly from the data subject, the necessary actions are undertaken to brief the data subjects (1) within a reasonable period of time from the acquisition of the personal data by the PMC, (2) at the time establishing the first contact (if the personal data is to be used to establish contact with the data subject), (3) at the time of effecting the first transfer at the latest (if the personal data is to be transferred).
The PMC will delete, destroy or anonymize the personal data in accordance with the guidelines issued by the Institution, on ex-officio basis or at the behest of the data subject, if the reasons for processing no longer apply to the personal data, which in any event, has been processed in accordance with article 7 of the Law.
The scope of the Law excludes the following cases:
In the cases listed below, the PMC will not be required to provide any explanation to the data subjects, and the data subjects will not be allowed to exercise their rights under the Law, except for their rights to seek legal remedies for the damages: