PRIVACY POLICY
EPISODE 1 - PERSONAL DATA PROCESSING POLICY INTRODUCTION
This Policy, Asırlar Gayrimenkul San. Ve Tic. A.S. (“Morpho"Or "Company, Firm" ) in order to clearly reveal the processes and methods of storing, processing or destroying all Personal Data that employees receive or include their information while working with the business and transactions related to the data controller title resulting from the processing, storage and destruction of personal data carried out by . This policy has been issued in accordance with the secondary legislation taking its legal basis from it, especially the Personal Data Protection Law numbered 6698, and the decisions of the Personal Data Protection Authority. The purpose of this policy is to comply with Morpho's Personal Data Protection Law published in the Official Gazette dated April 7, 2016 and numbered 29677 ("KVKK") to regulate and publicize the methods and principles to be followed in order to ensure that they are processed and protected in harmony.
This Policy applies to all employees who process Personal Data completely or partially by automatic means or means, or who process Personal Data (other than automatic means and means) by other means and tools that are part of a recording system or are intended to form a part of a recording system; It is applied in relation to the processing activities of personal data belonging to Morpho employees, employee candidates, service providers, visitors, Morpho candidates and other third parties.
Personal Data : Means any information regarding the Data Subject, such as name, address, telephone number, e-mail address, or similar identification information.
Processing of Personal Data : Obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or using personal data through fully or partially automatic means or non-automatic means provided that they are part of any data recording system Any action taken on the data, such as blocking.
Personal Health Data : All kinds of information regarding the physical and mental health of an identified or identifiable natural person and information about the health service provided to the person.
Buyer Group : The category of natural or legal persons to whom personal data is transferred by the data controller.
Open Consent : Consent on a specific subject, based on information and expressed with free will
Anonymization : Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching other data.
Special Quality Personal Data : A person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data
VERBIS : Data controllers (Morpho) data registry information system
Data Contact Person : Real person notified by Morpho Board of Directors during registration to VERBIS for communication with the personal data protection agency.
Data Processor : A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by him.
Data Subject or Related Person : An identified or identifiable natural person to whom the data belongs.
Working : Persons employed in Morpho on the basis of an employment contract
Employee Candidate : Real persons who make their CV and related information accessible to Morpho by applying for a job or by any other means.
Client / Contractor Candidate : Regardless of any contractual relationship, real persons whose personal data are obtained due to business relations within the scope of the activities carried out by Morpho.
Visitors : Real persons who have entered Morpho's physical facilities for various purposes or visited its websites.
Destruction : Deletion, destruction or anonymization of personal data
Periodic Destruction : The deletion, destruction or anonymization process to be carried out ex officio at repetitive intervals specified in the personal data storage and destruction policy in case all of the personal data processing conditions included in the law are eliminated
Third Parties : Although not defined in the Procedure, suppliers, victims, family members, etc. whose personal data are processed within the framework of this Procedure. other natural persons, including but not limited to.
SECTION 2- PROCESSING AND STORAGE OF PERSONAL DATA
When processing personal data, Morpho receives personal data in accordance with the following issues, primarily due to the laws and the requirements of the business:
Personal data cannot be received without complying with these reasons. In cases where it is noticed that personal data is processed in this way, the data is destroyed. We will examine the processing considerations in detail below.
2.1. COMPLIANCE WITH GENERAL PRINCIPLES
Morpho also acts in accordance with the principles introduced by legal regulations in the processing of personal data and the general trust and honesty rule to which the processed data is subject. Morpho takes into account the interests of the person concerned when processing personal data in accordance with the principle of honesty. From the first moment when personal data is received, until the destruction of the data, Morpho data does not act against the person being processed. It cannot perform any data processing or transfer activity that the person concerned did not specify while processing the data and that the person concerned could not predict. Data processing activities carried out in accordance with the rules of law and honesty are clear, specific and transparent.
Morpho takes the necessary measures to ensure that personal data are accurate and up-to-date during the period of processing, and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods of time. When it comes to data to be updated, it is important that the data in Morpho is not outdated. Morpho is aware of the damages that people may incur due to incorrect or incomplete personal data. For this reason, with the system created, Morpho updates the data of the relevant persons at 1-year intervals. Up-to-date data provisions are not applied, since data that are not updated at 1-year intervals can no longer be considered as up-to-date data. The request of the person who performs the data update is updated as soon as possible. The relevant person can access the updated version of their data by applying again.
Morpho sets a purpose when processing personal data. This goal is clear, precise and precise. The related data of Morpho is not only the purpose of processing, but also the purpose of obtaining and collecting it is legitimate, specific, clear and clear. It is understood from here that; Morpho will process this data for purposes compatible with the subject of activity while processing the data. Objectives are not separate or irrelevant from the operating framework. These determined purposes are explained in the Clarification Text on our Website. In cases where there is a new purpose other than the purpose of collecting data with a data, express consent is obtained from the person concerned, provided that the explicit consent of the relevant person is required.
Morpho processes the least amount of data that can serve the specified purpose while collecting personal data and that can be received for this purpose. The processed personal data are processed in a sufficient, relevant and limited manner for the purposes of processing. There is a connection between the personal data received and the data retrieval tool. Enetk cannot process or use the personal data it receives except for purposes that it does not clearly show. In the event that a new data processing purpose arises later or is not compatible with the specified purpose, the conditions to be met during the first collection of Morpho data are provided again for new purposes. In addition, Morpho determines the personal data it obtains according to the form of the contract, without prejudice to the Law regulations. Morpho firstly determines whether a period is stipulated for the storage of personal data in the relevant legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner application and by the determined destruction methods (deletion and / or destruction and / or anonymization).
2.2. COMPLIANCE WITH PERSONAL DATA PROCESSING CONDITIONS
In order to process personal data, some conditions are sought by the Law. These processing conditions listed in Articles 5 and 6 of the Law, exceptions to the prohibition of processing personal data, which constitute the basis of data protection law, are the reasons that make the processing legal. The reasons for processing personal data are limited in the law, and Morpho does not process data for any other purpose other than these.
One of the conditions for the processing of personal data is the explicit consent given by the person concerned. Morpho receives this statement for legitimate purposes. In order to obtain explicit consent from the relevant person, the person is first illuminated for the data to be given to Morpho by lighting. Data can be obtained from the relevant person regarding a specific subject limited to the purposes included in the disclosure statement.
Except for express consent, situations where the law can be processed without the need for explicit consent are enumerated in the law.
If the processing of Morpho is mandatory for the performance of a task performed for the public interest or is necessary in the context of the data controller's official authority, it can perform data processing without the express consent of the relevant person. In this way, Morpho processes data to the extent required by the articles of the law. For example Morpho; It does not obtain explicit consent to keep the data required to be kept within the scope of the Labor Law, Turkish Commercial Code, Social Security Law, Law of Obligations. It illuminates and processes data in accordance with the mandatory provisions within the scope of the law. For these reasons, the person concerned does not have the right to request the deletion or destruction of the data in accordance with the KVKK.
It is applied to people whose consent is not legally valid, and those whose explicit consent cannot be obtained due to actual impossibility. In cases where the life or body integrity of the relevant person or third person must be protected, this processing activity is carried out excluding health data.
It may process personal data within the framework of mandatory procedures for the execution of an existing and valid contract between Morpho and the person concerned or the establishment of a new contract. In general, data acquisition in contracts is an integral part of the contract. For this reason, since it is compulsory to process personal data for the establishment of the contract, Morpho processes the contract-related data of the persons with whom it has contracted without explicit consent. Even if it is not included in the contract from which personal data will be received, personal data directly required for the performance of the contract will be processed. Personal data not only in terms of the essential elements of the contract but also in terms of its secondary elements are evaluated within this scope. For example, in the sales contract made with Morpho, Morpho processes personal data according to the requirements of the contract.
Without prejudice to the conditions required by law and necessary for the execution of the contract, Morpho can process the data of individuals without explicit consent in order to fulfill its legal obligations. Morpho carries out data processing activities arising from legal regulations other than laws, court decisions and duly issued official authority instructions, without the need for explicit consent in this context. President's decree, regulation, communiqué etc. Regulatory procedures issued by judicial and administrative authorities such as the submission of security camera or fingerprint information to the court, recording the information requested by certain institutions in the specified database.
Morpho does not process data for legal obligation unless there is a legal obligation for data processing.
Personal data made public by the person concerned, in other words, disclosed to the public in any way, may be processed by Morpho without his express consent. However, in any case, it is not processed by Morpho in any way other than the reason of publicizing the data of the relevant person who has made his data public. For example, Morpho will be deemed to have made the photographs public if the participants have gone to the place where the photograph was taken, for example, in cases such as training or any social activity, Morpho will be able to process personal data without explicit consent.
Morpho does not obtain explicit consent from the person concerned while processing data that is obligatory for the establishment, protection or use of a legally protected right. In this respect, data may be stored to protect not only the rights of the concerned persons but also the rights of all three persons. For example, Morpho can store the data of the personnel who leave their jobs during the prescription period after the business relationship is over, to be used in the future, for example in case of a lawsuit.
In cases where Morpho is obliged to process the personal data of the relevant person for his legitimate interests, it may operate on the condition that it does not harm the fundamental rights and freedoms of the relevant person. This is not an unlimited authority for Morpho, but a power to be applied in cases where legitimate interests and interests prevail. This provision will be applied for specific, explicit and legitimate interests and interests.
2.3. PROCESSING SPECIAL QUALITY PERSONAL DATA
Morpho can process personal data of individuals with explicit consent, except for the cases listed in the law. Special Quality Personal Data can only be processed if the relevant person has the Explicit Consent or if it is explicitly required by law for Special Qualified Personal Data other than sexual life and personal health data. Personal data related to health and sexual life can only be used by persons (e.g. Company physician) or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. can be processed by organizations without explicit consent. All administrative and technical measures stipulated by the Authority are taken in terms of processing and storing special personal data. The Company provides the necessary training for employees involved in the processing of Special Qualified Personal Data, makes confidentiality agreements, and informs the personnel working on this subject with information security commitments. Regarding the processing of sensitive personal data, authorization matrices have been greatly reduced. Only personnel who are directly related to their work with personal data of special nature have access to the relevant data. With the periodic destruction method, personal data of special nature whose storage period has expired are destroyed. These measures are explained in detail in the administrative and technical measures section that follows this policy.
2.4. TRANSFER OF PERSONAL DATA
The transfer of personal data to third parties is also a personal data processing activity. Morpho does not transfer personal data of individuals without express consent. It performs this transfer in accordance with the general and special quality personal data processing rules specified in the law in terms of the transfer to be made. Our company can transfer personal data to third parties when necessary.
Even if there is no express consent of the personal data owner, if one or more of the following conditions are present, personal data may be transferred to third parties by taking all necessary security measures, including the methods prescribed by the Board, by our Company.
2.5. DISCLOSURE TO RELATED PERSONS
Morpho enlightens personal data owners in accordance with Article 10 of the Law and secondary legislation. In this context, Morpho informs the relevant persons about who, as the data controller, for what purposes, for what purposes it is shared with whom, with what methods it is collected, the legal reason and the rights of the data owners within the scope of processing their personal data.
SECTION 3- MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
Morpho pays attention to the processing of personal data as much as it does with its work in its field. The most important aspect of personal data processing is the storage and protection of the processed data. Morpho takes measures in accordance with the protection requirements arising from the law in terms of private and general personal data. Morpho does not keep these measures in relation to a specific data, but takes protection measures in terms of protection and storage of all data.
First of all, the most robust measure taken for personal data is about not keeping unnecessary data. Morpho determines the nature, importance, scope, context and purpose of the processing in accordance with the level of technology and scientific development and determines whether there are risks with various possibilities and seriousness in terms of the rights and freedoms of real persons who have personal data, and takes protective measures accordingly and determines the risks. .
Morpho takes all kinds of technical and administrative measures in order to prevent the unlawful processing of personal data, to prevent their access, to ensure the protection of personal data. It is the explanation of the data processed in the data inventory in terms of destruction of personal data, measures taken and protection. As stated below, Morpho has more comprehensive and broader security measures for personal data of special nature.
3.1 ENVIRONMENTS AND SAFETY PRECAUTIONS
Personal data received by Morpho are processed and stored in appropriate environments. The recording media used for the storage of personal data are generally printed media and local digital media.
Morpho takes all necessary technical and administrative measures in accordance with the characteristics of the environment in which it is stored with the relevant personal data in order to protect personal data safely and to prevent unlawful processing and access.
3.1.1. Technical Measures Taken to Prevent Unlawful Processing of Personal Data, To Prevent Unlawful Access to Data and to Ensure Data Preservation
3.1.2 Administrative Measures Taken To Prevent Unlawful Processing of Personal Data, To Prevent Unlawful Access to Data, and to Ensure Data Preservation
The main administrative measures taken to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure data preservation are listed below:
3.1.3 Internal Audit in Protection of Personal Data
Morpho, in accordance with the KVKK, performs the necessary audits with its personnel or receives services from outside. The results arising from this audit are reported to the senior management and the relevant department within the scope of the internal operation of the Company, the actions to be taken are planned and the actions planned for the improvement of the measures taken are followed up by the relevant process owners and the personnel who are interested in this business.
SECTION 4- STORAGE AND DISPOSAL OF PERSONAL DATA
4.1. STORAGE AND DESTRUCTION, REASONS FOR ANONYMIZING
4.1.1. Storage reasons
Personal data within the body of Morpho are processed and stored within the scope of the purposes included in the Illumination text, Inventory and Annex-1. Morpho carries out all the measures it takes to ensure that this custody activity is in accordance with the provisions of the Law.
4.1.2 Causes of Destruction
Morpho may destroy the data in its responsibility upon the conditions in KVKK Art.5-6 or the application of the relevant person. The reasons listed in Articles 5 and 6 of the Law consist of the following:
4.1.3 Disposal Methods
Our company preserves personal data in accordance with the time required for the purpose for which they are processed and the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, our company first determines whether a period is stipulated for the storage of personal data in the relevant legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner application and by the determined destruction methods (deletion and / or destruction and / or anonymization).
4.1.3.1. Deletion methods
For the data kept in the physical environment while destroying personal data, it is deleted by the paper cutting machine by grinding, burning, scratching and recycling methods.
Personal data kept in an automatic environment is irreversibly damaged by physical methods such as burning, drilling, data containing data such as hard disk or USB memory, Preventing access to the data by the relevant user by encrypting the data with encryption methods, The process of destroying the magnetic effect of ROM or USB memory etc.), preventing the relevant user from accessing the database by assigning roles and permissions in the databases where the data is located, and overwriting the existing data by means of software or by restoring the factory settings, Deletion is carried out by means of preventing access to the relevant data.
4.1.4 Anonymization Method
In the anonymization process, which is a safer way to protect personal data than deletion, the relevant personal data is disconnected from the relevant persons and in this way, it is removed from being personal data.
4.1.4.2 Masking
This method refers to the disconnection of an information that qualifies as personal data from the person concerned by removing or changing certain fields. As Entek, some parts of personal data such as name, surname and similar personal data will be stored by an asterisk if the storage period for the data we keep in its automatic environment expires. Subtracting variables or registers, randomizing, etc. With the method, personal data are removed from being systematic. By removing some variables from the data, it is brought into situations where it cannot be determined to whom the data belongs.
4.1.4.3. Adding Noise
With this method, the value in the data set is changed to a certain extent by adding or subtracting. For example, as a result of adding 5 to each age value in the data set, this age value was changed and new values were created.
CHAPTER 5 - RIGHTS OF DATA OWNERS UNDER THE LAW
Whenever you want, by applying Morpho to your personal data;
In order to take advantage of your rights under the law, you can submit your applications in writing to Morpho and visit the website of the Personal Data Protection Authority for detailed information.
In the application that you have as a personal data owner and that you will make in order to exercise your rights stated above and that you have requested to use; You will need to submit the subject you request to be clear and understandable, the subject you request is related to your person or if you are acting on behalf of someone else, you will need to submit your special power of attorney certified by a notary public in this regard.
In your applications, name-surname, signature, T.C. Identification number, residence or workplace address, e-mail address, telephone and fax number, the subject of the request are obligatory in accordance with the "Communiqué on the Principles and Procedures of Application to the Data Officer". Applications that do not contain the aforementioned elements will be rejected by Morpho.
Morpho always reserves the right to make changes due to reasons arising from the Law, secondary regulations and Board decisions. The changes to be made in the disclosure text and the updated text will become effective immediately as of the date of notification to you.
Annex-1 DISCLOSURE TEXT
DISCLOSURE STATEMENT UNDER THE PERSONAL DATA PROTECTION LAW
Asırlar Gayrimekul San. Ve Tic. A.S. (“Morpho Sleep”) uses its importance and attention in the field of business to protect personal data. Morpho Sleep collects, stores and deletes personal data when necessary, complying with all general and special legislation that regulate personal data, such as Article 20 of the Constitution, Personal Data Protection Law No. 6698 and all kinds of secondary regulations. morpho Sleep has prepared this text to inform and enlighten you, our valuable members, visitors and customers. Your Personal Data will be processed in the ways we describe below, and your data will not be stored in any matter not specified by us.
morpho Sleep, www. The membership relationship established with you by approving the membership or service agreement on our website where morphosleeğp.com.tr was created, the customer relationship established due to the purchase-sale relationship formed due to the order placed from this address, the visitor relationship created by visiting our website morpho With Sleep, you share your data.
morpho Sleep is a "Data Officer" within the scope of the Personal Data Protection Law No. 6698.
morpho Sleep saves your personal data with automatic or non-automatic systems. On the morpho Sleep website, lolan processes your data with automatic methods in its online store. With this form on this site, you share your name-surname, gender, date of birth, address, e-mail, phone number, purchased product information data with us. By us, your data are processed in accordance with the establishment or performance of the contract, the exercise or establishment of the right, our legitimate interests within the scope of the contract / membership you have established with us, the service or the obligations required by the membership agreement.
Morpho Sleep collects and processes your data with cookies due to the benefits of coupon privileges within the scope of the membership agreement you have made with us, discount checks, product descriptions to be made on your behalf in your next orders.
In addition, by using the session cookies specified in our cookie policy, the date and time you entered the www.morphosleep.com address, the website that enables you to connect to the site, the time you are on the site, the name of your internet service provider, your password if you are a member, and the reminder of your username. are logged.
Your data;
For such reasons, your data mentioned above are processed. morpho Sleep does not process or use this information contrary to the law, morality, etiquette and legislation.
Your Personal Data, within the scope of the above-mentioned purposes, to real and legal persons permitted in the legislation in accordance with the conditions specified in Article 8 and 9 of the Law, to other authorized public institutions and organizations, our third party service providers for the reasons stated above within the scope of the execution of the contracts made with you, and shared with our cloud service provider.
Your personal data are stored by taking all kinds of administrative and technical measures arising from the law. Our personnel are regularly trained on data protection and storage, secure payment (SSL) method, double-key payment system is used, unnecessary data is destroyed through periodic destruction, they do not process your personal data of special nature unless necessary, by having infiltration tests, logging your data, and backing up data. we provide security.
Whenever you want, by applying morpho Sleep, you can obtain your personal data;
It can learn whether it has been processed, the purpose of processing and whether it is used according to its purpose, and if it has been processed, it can request information on this subject
In order to take advantage of your rights under the law, you can send your applications in writing to morpho Sleep (see the Application Form at www. Morphosleep, com), you can visit the website of the Personal Data Protection Authority for detailed information.
In the application that you have as a personal data owner and that you will make in order to exercise your rights stated above and that you have requested to use; You will need to submit the subject you request to be clear and understandable, the subject you request is related to your person or if you are acting on behalf of someone else, you will need to submit your special power of attorney certified by a notary public in this regard.
In your applications, name-surname, signature, T.C. identification number, residence or workplace address, e-mail address, telephone and fax number, and the subject of the request are obligatory in accordance with the "Communiqué on the Principles and Procedures of Application to the Data Controller" under the Law on the Protection of Personal Data No. 6698. Applications that do not contain these elements will be rejected by morpho Sleep.
morpho Sleep always reserves the right to make changes in this illumination text due to reasons arising from the Law, secondary regulations and Board decisions. The changes to be made in the disclosure text and the updated text will become effective immediately as of the date of notification to you.
FACEBOOK DATA SHARING
Our website directly shares data from our servers to Facebook in order to use your information more effectively. Conversions API uses. By continuing to use our website, you agree to this data sharing. This data cannot be blocked by ad blockers.
ANNEX-2 STORAGE PERIODS
Data Type |
Storage Period |
Storage Start Date |
|
General Data of the Company |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Records Regarding Financial Affairs and Taxes |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Payroll and salary information |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Recruitment Positive Process (HR file) |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Recruitment Negative Process |
6 months |
During the first periodic destruction period following the expiry of the storage period |
|
HR, employment, retirement information for employees |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Data kept on the employee who left |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Employee health and safety records / data |
15 years |
During the first periodic destruction period following the expiry of the storage period |
|
Legal texts and contracts |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Data on business contacts |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Data of potential customers |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Customer data |
10 years |
During the first periodic destruction period following the expiry of the storage period |
|
Security (CCTV, visitor recording, vehicle license plate and etc.) |
6 months |
During the first periodic destruction period following the expiry of the storage period |
|
Planning and Execution of Marketing Activities |
10 years |
Since the Termination of the Business Relationship |
|
Information Technologies Department Log / Record / Tracking Systems Website Visitor |
6 months |
During the first periodic destruction period following the expiry of the storage period During the first periodic destruction period following the expiry of the storage period |
|