WORLD BROTHERHOOD UNION

MEVLANA SUPREME FOUNDATION

FILE ON THE PROTECTION OF PERSONAL DATA

INTRODUCTION :

Pursuant to the introduction and implementation of Law no. 6698 on the Protection of Personal Data it has become mandatory for our organization to prepare a file on the transactions covered by this law.

Purpose :

With a view to employing personnel and the recovery of debts as well as pursuing and protecting legal rights at our workplace it is mandatory to collect personal data of clients. In accordance with the provisions of the law the aim is to protect fundamental rights and the freedom of the individual on grounds of their right of privacy when registering, processing, storing, erasing, destroying their personal data.

Definitions :

  • a) Explicit Consent: consent that relates to a specified issue, declared by free will and based on information,
  • b) Anonymization: Personal data should be prepared in such a way that even if matched with other data they can under no circumstances be linked to any specific or identifiable natural person,
  • c) Data subject: natural person whose data is being processed,
  • d) Personal data: any kind of information pertinent to a specific identified or identifiable natural person,
  • e) Processing of personal data: Any processing carried out on the data such as collecting, recording, storing, maintaining, modifying, rearranging, disclosing, transferring, taking over, making retrievable, classifying or preventing the use of personal data by means that are completely or partially automated or not automated, provided that they are part of any data recording system,
  • f) Data processor: the natural or legal person authorized by the data controller to process personal data on his behalf,
  • g) Data controller: is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data registry system.

Processing of Personal Data :

  • a) Complying with the Law and Integrity rules,
  • b) Being accurate and up-to-date when needed,
  • c) Processing for specific, clear and legitimate purposes,
  • ç) Data being relevant, limited and proportionate to the purposes for which they are processed,
  • d) Data being stored for the period stipulated in the relevant legislation or the period deemed necessary for the purpose of the processing.

Conditions for Processing Personal Data :

    (1) Data cannot be processed without the explicit consent of the data subject. (2) Personal data can be processed without the explicit consent of the data subject only in case one of the following provisions exist:
  • a) if it is explicitly stipulated in the law.
  • b) if it is mandatory for the protection of life or to prevent the physical injury of a person, in cases where that person cannot express consent or whose consent is not legally validated due to physical disability,
  • c) if processing of personal data belonging to the parties of a contract is necessary provided that it is directly related to the conclusion or fulfilment of that contract,
  • ç) if it is mandatory for the data controller to fulfil its legal obligation,
  • d) if the data is made manifestly public by the data subject,
  • e) if data processing is mandatory for the establishment, exercise or protection of any right,
  • f) if it is mandatory for the legitimate interests of the controller, provided that such processing shall not violate the fundamental rights and freedoms of the data subjects.

Processing of Sensitive Personal Data :

Sensitive personal data is data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and biometric and genetic data of a person.

It is prohibited by law to process sensitive personal data without the explicit consent of the data subject.

Deletion, destruction or anonymization of personal data :

Despite being processed under the provisions of the Law no. 6698 and other relevant laws and related regulations, personal data is delated, destructed or anonymized by the data controller on its own motion or upon demand by the data subject, upon disappearance of the reasons requiring its processing.

Transfer of Personal Data :

  • (1) Personal data cannot be transferred abroad without the explicit consent of the data subject.
  • (2) Personal data can be transferred internationally without the explicit consent of the data subject only in case one of the provisions in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law no. 6698 exist and if in that foreign country;
  • a) there is an adequate level of protection,
  • b) in case there is not an adequate level of protection, if data controllers in Turkey and in the relevant foreign country commit in writing to provide an adequate level of protection and the Board has authorized this transfer.
  • (3) Countries with adequate level of protection are determined and announced by the Board.
  • (4) The Board evaluates and determines if in accordance with the second article clause (b) an adequate level of protection exists and authorizes the transfer considering;
  • a) the international conventions to which Turkey is a party,
  • b) the reciprocity status regarding data transfer between the country requesting personal data and Turkey,
  • c) the nature of personal data and the purpose and duration of the processing with regard to each concrete personal data transfer,
  • ç) the nature of personal data and the purpose and duration of the processing with regard to each concrete personal data transfer,
  • d) the measures undertaken by the data controller in the country where the personal data will be transferred,
  • if required also upon consulting with relevant institutions and organizations.
  • (5) Personal data can only be transferred abroad with the permission of the Board in cases where the interests of Turkey or of the data subject will be seriously harmed after taking the opinion of the relevant public institution or organization, with the provisions of the international convention reserved.
  • (6) The provisions of other laws regarding the transfer of personal data abroad are reserved.

The data Controller’s Obligation to Inform :

  • During the acquisition of personal data the data controller or the person authorized by him is obliged to inform the data subject of
  • a) the identity of the data controller and, if any, its representative,
  • b) for what purpose personal data will be processed,
  • c) to whom and for what purpose the processed personal data can be transferred,
  • ç) the method and legal reason for collecting personal data,
  • d) the rights of the data subject.

The Data Controller is the World Brotherhood Union Mevlana Supreme Foundation Board of Directors. You can send your applications within the framework of the Law of Protection of Personal Data through the email kvkk@dkb-mevlana.org.tr.


Rights of the Data Subject :


  • (1) Everybody has the right to apply to the data controller;
  • a) to find out if his or her personal data has been processed,
  • b) to request information related to it if his or her personal data has been processed,
  • c) to learn the purpose for which personal data has been processed and to find out whether they are used in accordance with this purpose,
  • ç) to know the third parties to whom personal data is transferred domestically or abroad,
  • d) to request correction of personal data if it is incomplete or inaccurately processed,
  • e) to request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law No. 6698,
  • f) to request notification of the transactions made in accordance with subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
  • g) to object to the occurrence of a result against the person herself or himself by analyzing the processed data exclusively through automated systems,
  • ğ) to request compensation for damages due to unlawful processing of personal data.
  • Obligations Regarding Data Security :

    • (1) The data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to;
    • a) prevent unlawful processing of personal data,
    • b) prevent unlawful access to personal data,
    • c) ensure the storage of personal data.
    • (2) Data controllers and data processors cannot disclose the personal data they have learned to others in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues even after their departure from office.
    • (3) In case the processed data are obtained unlawfully by others, the controller shall notify the data subject and the Board as soon as possible. Where necessary, the Board may declare this situation at its official website or by any other means it deems appropriate.

    Application to the Data Controller :

    • (1) Data subjects shall make their requests regarding the implementation of Law no. 6698 in writing or by any other method determined by the Board, to the data controller.
    • (2) The data controller shall conclude the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, in case the transaction requires an additional cost, the fee may be charged at the tariff determined by the Board.
    • (3) The data controller shall accept the request or reject it with justified grounds and inform the data subject in writing or electronically. If the request in the application is accepted, the data controller shall fulfil the data subject’s request. In case the application is caused by an error of the data controller, the fee received will be refunded to the data subject.

    Complaint to the Board :

    • (1) In cases where the application is rejected, the answer is inadequate or the application is not answered in due time the data subject may file a complaint with the Board within thirty days from the date of learning the answer of the data controller and in any case sixty days from the date of application.
    • (2) Complaints cannot be filed without exhausting the application process to the data controller.
    • (3) Those whose personal rights are violated are entitled to compensation according to the general provisions.

    Cases Where the Provisions of the Law No 6698 do not Apply:

    • (1) The provisions of this Law shall not be applied in the following cases :
    • a) In case personal data is processed by natural persons entirely within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that obligations regarding data security are complied with.
    • b) In case personal data is processed by natural persons entirely within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that obligations regarding data security are complied with.
    • c) In case personal data is processed for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime,
    • ç) In case personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
    • d) In the event that personal data are processed by judicial authorities or execution authorities in relation to investigation, prosecution, trial execution proceedings.
    • (2) The 10th articles regulating the disclosure obligation of the data controller, the 11th regulating the rights of the person concerned and the 16th regulating the registration obligation to the Data Controllers Register, except for the right to claim the remedy of the damages, shall not be applied in the following cases, provided that they are in accordance with the purpose and basic principles of this Law :
    • a) In case the processing of personal data is necessary for the prevention of a crime or for a criminal investigation.
    • b) If the data processed was personally made public by the individual concerned.
    • c) If the processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
    • ç) If the processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budgetary, tax and financial matters.

    The above text is intended for the processing and protection of personal data in accordance with the Law no. 6698.

    World Brotherhood Union Mevlana Supreme Foundation