Privacy Policy

PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

Within the scope of KVKK

              i.   Learning whether your Personal Data is processed or not,
             ii.   If your Personal Data has been processed, requesting information about it,
            iii.   Learning the purpose of processing your Personal Data and whether they are used in accordance with its purpose,
           iv.   Knowing the third parties to whom your Personal Data is transferred, at home or abroad,
             v.   Requesting correction of your Personal Data if it is incomplete or incorrectly processed,
           vi.   Requesting the deletion or destruction of your Personal Data within the framework of the conditions stipulated in the KVKK legislation,
          vii.   v. and vi. Requesting notification of the transactions made within the scope of the articles to the third parties to whom your Personal Data has been transferred,
         viii.   Objecting to the emergence of a result against you by analyzing the processed data exclusively through automated systems,
           ix.   If you suffer damage due to the unlawful processing of your Personal Data, you have the right to demand the removal of this damage.
 
How Can You Exercise Your Rights?
             You can fill in the "application form", which you can download using the https://rootcodes.com/kvkk-application-form.pdf link , in line with your request/complaint, send the said form to us via kvkk@rootcodes.com or physically fill out the form to " Rootcodes LTD. STI. Tokat Teknopark, Tokat, Merkez 60150, TR” address by courier/mail.
            If you submit your request to us using one of the methods shown above, KVKK art. In accordance with 13/2, your request will be evaluated within 30 days at the latest and you will be informed about the subject. If your request is accepted, the necessary actions will be carried out immediately by the data controller COMPANY.
            As a rule, requests are met free of charge ; As stipulated in article 7 of the Communiqué; “If the application of the person concerned is to be answered in writing, up to 10 pages are not charged. A transaction fee of 1 TL may be charged for each page over 10 pages. If the response to the application is given in a recording medium such as CD or flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium. In accordance with its provisions, a fee may be requested by the COMPANY.

APPENDIX 1 – Definitions

 

is among the most important priorities of ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ (“ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ” or “Company”) , as it is a fundamental human right . In order to secure the right to personal data protection, the company makes the utmost effort to comply with all applicable legislation in this regard. shows. herein ROOTCODES SOFTWARE TECHNOLOGIES LIMITED Company Personal of data Protection and Processing The principles adopted in the conduct of personal data processing activities carried out by our Company within the framework of the Policy (“ Policy ”) and the basic principles adopted in terms of compliance of our Company's data processing activities with the regulations in the Law on the Protection of Personal Data No. provides the necessary transparency. With full awareness of our responsibility in this context, your personal data is processed within the scope of this Policy and is protected.

 

ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ (“COMPANY”) Personal Data Processing and Protection Policy (“Policy”), with the aim of disciplining the processing of personal data within the framework of the legislation on personal data and protecting fundamental rights and freedoms, especially the privacy of private life, as stipulated in the Constitution. has been prepared.

While preparing the "Policy", it was determined as the basic principle to determine which data the working units collect, why and why they need to transfer this data to third parties within the "COMPANY" organizational chart, and to understand the personal data processing method of the COMPANY . While transferring the requirements of the relevant legislation to the " Policy" , it has been privatized to explain which data the " COMPANY" provides and why it processes these data in a simple and understandable language, within the framework of the sensitivity felt within the scope of the need to protect personal data. In addition, it is aimed to take the necessary administrative and technical measures for the protection of data confidentiality within and outside the organization of the "COMPANY" and to inform and enlighten the individuals whose data is processed.

All real persons whose data are processed by the "COMPANY" are within the scope of the "Policy".

Within the scope of this "Policy", customized information about the data processed within the framework of the transactions and activities in the "COMPANY" organization, the categorization of the data, the data recipient groups, the legal reason and method of data collection, the third party groups to which the data is transferred, the processing times of the data, the data deletion periods. tried to be given. However, in the event that data processing is/will be done by the "COMPANY" apart from the current processing activities, it is possible to carry out processing and lighting within an external lighting text, provided that the basic principles and principles set forth in this policy are complied with. In this case, the clarification will constitute an inseparable part of this "Policy" and it cannot be claimed that it is not included in this "Policy" . As a matter of fact, within the scope of Article 5 of the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Liability of Illumination, it is possible to provide verbal, written, audio recording, physical or electronic media such as a call center.

Regarding the processing and protection of personal data, the relevant legal regulations in force will be applied first. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation will find an area of application . The policy regulates the rules set forth by the relevant legislation by embodying them within the scope of Company practices.

 

This Policy is 28.09.2022. The version, which was issued by ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ, entered into force on 28.09.2022 and was updated on 28.09.2022, has been renewed as of the effective date of this Policy on the website of ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ [https:// https://rootcodes.com/ ] is published.

In accordance with Article 12 of the Law, our company takes the necessary measures according to the nature of the data to be protected in order to prevent the unlawful disclosure, access, transfer or security deficiencies that may occur in other ways. In this context, our Company takes administrative measures to ensure the required level of security in accordance with the guidelines published by the Personal Data Protection Board (“ Board ”), carries out inspections or has them made.

When certain personal data are processed unlawfully by the law, it is subject to victimization or discrimination. reason being risk because of special importance attributed. This data; race, ethnic origin, political Data on thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic are data.

ROOTCODES YAZILIM TEKNOLOJILERI LIMITED SIRKETI acts sensitively in the protection of special quality personal data, which is determined as "special quality" by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ to protect personal data are carefully implemented in terms of special quality personal data, and necessary audits are provided within the body of ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ.

Note: Detailed information on the technical and administrative measures taken in the processing of personal data is given in section "8" of this policy.

ROOTCODES YAZILIM TEKNOLOJILERI LIMITED COMPANY organizes trainings at regular intervals in order to increase awareness to prevent unlawful processing of personal data, illegal access to personal data, and to ensure the protection of personal data.

ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ establishes necessary systems to raise awareness of its employees on the protection of personal data, and works with consultants if needed. In this direction, our Company participates in the relevant trainings, seminars and information sessions , especially those prepared by the Personal Data Protection Authority, through its employees, and renews its trainings in parallel with the updating of the relevant legislation.

  

3.1.1.        Compliant with Law and Integrity Processing

ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ acts in accordance with the principles brought by legal regulations and the general rule of trust and honesty in the processing of personal data. In this framework, personal data is processed to the extent and limited to the business activities of our Company.

ROOTCODES SOFTWARE TECHNOLOGIES LIMITED COMPANY, personal data processed duration along TRUE and current to be for   necessary measures and the necessary mechanisms to ensure the accuracy and up-to-dateness of personal data for certain periods. is establishing.

ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ clearly reveals the purposes of processing personal data and processes it within the scope of purposes related to these activities in line with its business activities.

ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ collects personal data only in the quality and extent required by its business activities and processes it limitedly for the determined purposes.

3.1.5.       Relating to in legislation envisaged or  They are processed Aim for   Necessary The one which Duration Until Casing don't

ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ, the period required for the purpose for which personal data is processed and the legal legislation to which the relevant activity is subject. envisaged minimum duration until casing is doing. This in scope, Our company Firstly determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the data owner application and with the determined destruction methods (deletion and / or destruction and / or anonymization). is being done.

Personal data owner open  consent to give not including personal data processing of your activity base below It may be only one of the conditions specified, or more than one condition may be the basis of the same personal data processing activity. processed data special qualified personal data to be in case of, herein of Policy 3.3 title Conditions contained in (“ Processing of Special Quality Personal Data ”) will be applied. 

If the personal data of the data owner is expressly stipulated in the law, in other words, if there is a clear provision in the law regarding the processing of personal data, the existence of this data processing condition may be mentioned.

actual impossibility or whose consent cannot be validated, in order to protect the life or bodily integrity of himself or another person.

Data owner side is a of the contract establishment or  with the performance directly Oh right relating to provided that the processing of personal data is necessary, this condition may be deemed to have been fulfilled.

The personal data of the data owner may be processed if the processing is necessary for our company to fulfill its legal obligations.

If the data owner has made his personal data public, the relevant personal data may be processed for the purpose of making it public.

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.

 

Special categories of personal data are processed by our Company in accordance with the principles set forth in this Policy , by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

 

(i)            Special categories of personal data other than health and sexual life, which are expressly stipulated in the law, are another matter . expression with relating to your activity subject to is in law personal data to the processing related clearly a In case of a provision, it can be processed without the explicit consent of the data owner. Otherwise, the explicit consent of the data owner for the processing of such sensitive personal data. will be taken.

 

(ii)           Special quality personal data related to health and sexual life , protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning of health services and financing and management, by persons or authorized institutions and organizations under the obligation to keep secrets, without seeking explicit consent. Otherwise, the explicit consent of the data owner for the processing of such sensitive personal data. will be taken.

 

ROOTCODES YAZILIM TEKNOLOJILERI LIMITED COMPANY enlightens the personal data owners in accordance with Article 10 of the Law and secondary legislation. This in scope ROOTCODES SOFTWARE TECHNOLOGIES LIMITED COMPANY, personal data data in charge aspect who by, It informs the relevant persons about the purposes for which it is processed, for what purposes it is shared with whom, by what methods it is collected, and the legal reason and the rights of the data subjects within the scope of the processing of their personal data.

 

 

Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, public and private authorities, third real persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Accordingly, our company acts in accordance with the regulations stipulated in Article 8 of the Law. Detailed information on this subject can be found in the APPENDIX 1 (“ ANNEX 1- Third Parties to which Personal Data Transferred and Purposes of Transfer ”) document of this Policy .

 

Even without the explicit consent of the personal data owner, in case one or more of the following conditions are present, personal data may be transferred to third parties by taking all necessary security measures, including the methods prescribed by the Board, by taking due care by our Company.

 

·         The relevant activities regarding the transfer of personal data are clearly stated in the laws. forecasting,

·         Personal data Company by transfer of a of the contract establishment or  with the performance directly relevant and necessary to be,

·         The transfer of personal data is mandatory for our Company to fulfill its legal obligation. to be,

·         Personal data data owner by publicized to be provided that, publicization for the purpose of limited by our Company. transfer,

·         Personal data Company by transfer of Company's or  data owner or  third obligatory for the establishment, exercise or protection of the rights of persons to be,

·         It is mandatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner. to be,

·         Mandatory for the protection of life or bodily integrity of himself or another person, who is unable to express his consent due to actual impossibility or whose consent is not given legal validity. to be.

 

to the above additional aspect personal data, Board by sufficient to protect owner is advert  will be to foreign countries (“ Foreign Country with Sufficient Protection ”) in case of any of the above conditions . In the absence of adequate protection, the data transfer conditions stipulated in the legislation in line with in Turkey and relating to foreign in the country data of those responsible sufficient a to protect to foreign countries to which it has committed in writing and to which the Board has permission (“ Foreign Country with Data Controller Undertaking Adequate Protection ”) can be transferred.

 

Special categories of personal data are collected by our Company in accordance with the principles set forth in this Policy and by the Board. will determine methods also including be about to necessary each kinds administrative and technical measures and if the following conditions are met can be transferred:

 

(i)      Health and sexual life other than special qualified personal data, in laws clearly predicting other In case there is an express provision in the relevant law regarding the processing of personal data, a statement may be processed without the explicit consent of the data owner. Otherwise, the explicit consent of the data owner will be taken.

 

(ii)    Special categories of personal data related to health and sexual life, for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without the explicit consent of persons or authorized institutions and organizations under the obligation of keeping confidentiality. can be processed. Otherwise, the explicit consent of the data owner will be obtained.

 

In addition to the above, personal data may be transferred to Foreign Countries with Sufficient Protection in the presence of any of the above conditions. In the absence of sufficient protection, it can be transferred to Foreign Countries where the Data Controller Undertaking Adequate Protection is in line with the data transfer conditions stipulated in the legislation .

 

 

Before our company, by informing the relevant persons in accordance with Article 10 of the Law and secondary legislation, in line with the personal data processing purposes of our Company, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, primarily the processing of personal data. of the Law 4. in the article stated principles be about to in Law stated general to the principles appropriate a personal data is processed. Within the framework of the purposes and conditions specified in this Policy, detailed information about the personal data categories and categories can be obtained from the ANNEX 3 (“ ANNEX 3- Personal Data Categories ”) document of the Policy. will be reachable.

Detailed information regarding the processing purposes of the said personal data is given in Annex 1 of the Policy (“ ANNEX 1- Personal Data Processing Purposes ”).

Our company preserves personal data for the period required for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the data owner and with the determined destruction methods (deletion and / or destruction and / or anonymization).

 

By ROOTCODES SOFTWARE TECHNOLOGIES LIMITED COMPANY your safety providing for the purpose of, ROOTCODES SOFTWARE TECHNOLOGIES LIMITED COMPANY'S buildings and in the premises Personal data processing activities are carried out for monitoring with security cameras and tracking guest entries and exits.

ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ on Private Security Services in order to ensure security in its buildings and facilities . Law and relating to to legislation appropriate aspect camera with tracing activity is being carried out. ROOTCODES SOFTWARE TECHNOLOGIES LIMITED COMPANY, building and in the premises your safety providing for the purpose of, in force found relating to in legislation envisaged It carries out security camera monitoring activities for the purposes and in accordance with the personal data processing conditions listed in the Law.

 

By ROOTCODES SOFTWARE TECHNOLOGIES LIMITED COMPANY of the Law 10. to the article appropriate aspect, camera with tracing to its activity related more than one method with personal data owner is illuminated. Moreover, ROOTCODES SOFTWARE TECHNOLOGIES LIMITED COMPANY, of the Law 4. to the article in a limited and measured way, in connection with the purpose for which personal data is processed. is working.

 

The purpose of maintaining video camera monitoring by ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ is limited to the purposes listed in this Policy . In this direction, the monitoring areas, the number of security cameras and when they will be monitored are sufficient to achieve the security purpose and are implemented in a limited manner for this purpose. Areas (for example, toilets) that may result in interference with the privacy of the person exceeding the security objectives are not subject to monitoring.

 

Live camera images with digital in the environment recorded and casing made to the records Only annoyed number of ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ employees have access. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality agreement. is doing.

 

carries out personal data processing activities for tracking guest entries and exits in ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ buildings and facilities , to ensure security and for the purposes specified in this Policy .

 

The personal data owners are informed in this context, when obtaining the names and surnames of the people who come to ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ buildings as guests, or through texts posted by ROOTCODES YAZILIM TEKNOLOJİLERİ LİMİTED ŞİRKETİ or made available to the guests in other ways. The data obtained for the purpose of tracking guest entry-exit is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.

 

 

 8. MEASURES RELATED TO THE SECURITY OF PERSONAL DATA

The “COMPANY” provides all reasonable care and attention to ensure the confidentiality and security of the personal data it processes, with the awareness of its responsibility as a well-established Company. In addition to the requirements of the relevant legislation, the “COMPANY” takes reasonable technical and administrative measures to ensure data confidentiality and security within the framework of Article 12 of the KVKK . Along with the said administrative and technical security measures, it is aimed to prevent the unlawful processing of personal data, to prevent illegal access to personal data, and to preserve personal data at an appropriate level of security .

In the event that personal data is processed by another natural or legal person (data processor) on its behalf, the “COMPANY” will take the necessary measures to ensure that the above-mentioned measures are also taken by the relevant data processors.

In the event that personal data is unlawfully obtained by third parties, it will notify the data owners, the Board and other relevant public institutions and organizations in accordance with the provisions of the relevant legislation.

The Personal Data Security Guide (Technical and Administrative Measures) published by the Board is taken into consideration when taking measures regarding the security of personal data.

 

Administrative Measures

·         Establishment and operation of the information security management system within the company,

·         Signing undertakings and confidentiality agreements with company personnel and related parties,

·         Performing risk analyzes on business processes,

·         Creating personal data inventories,

·         Operation of information security policies and procedures,

·         Organizing and evaluating trainings on information security and personal data processing activities,

·         Working computer etc. In order to prevent unauthorized access to the equipment, only authorized persons should use the said tools and equipment,

·         Reviewing activities with internal or independent audits,

·         Creating records that will produce objective evidence for the transactions,

 

Technical Measures

·         With penetration tests, risks, threats, vulnerabilities and vulnerabilities, if any, regarding the Company's information systems are revealed and necessary precautions are taken.

·         As a result of real-time analyzes with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.

·         Access to information systems and authorization of users are made through security policies through the access and authorization matrix and the corporate active directory.

·         software changes and/or updates are to be made on the systems, tests are made in the test environment, security vulnerabilities are detected, if any, necessary measures are taken, and the final version of the changes to be made is given after these processes .

·         Necessary measures are taken for the physical security of the company's information systems equipment, software and data.

·         In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, physical security of the edge switches that make up the area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, etc.) network access control, systems that prevent malicious software, etc.) measures are taken.

·         Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out regarding the measures taken.

·         Access procedures are established within the company, and reporting and analysis studies are carried out regarding access to personal data.

·         The Company takes the necessary measures to make the deleted personal data inaccessible and reusable for the relevant users.

·         In the event that personal data is unlawfully obtained by others, the Company has made appropriate preparations to notify the relevant person and the Board.

·         Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.

·         Strong passwords are used in electronic environments where personal data is processed.

·         logging ) systems are used in electronic environments where personal data is processed .

·         Data backup programs are used to keep personal data safe.

·         Access to personal data stored in electronic or non-electronic media is limited according to access principles.

·         Access to the company website is encrypted with SHA 256 Bit RSA algorithm using secure protocol (HTTPS).

·         A separate policy has been determined for the security of sensitive personal data.

·         Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.

·         Electronic environments in which sensitive personal data are processed, stored and/or accessed are preserved using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged , security updates of the environments are constantly monitored, necessary security tests are regularly carried out/performed, test results are recorded. to be taken under,

·         Adequate security measures are taken for physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security.

·         If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment.

·         If transferring is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between servers or using the sFTP method.

·         paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a "confidential" format.

 

 

 

 

APPENDIX 2 – Purposes of Personal Data Processing