1. INTRODUCTION Being open to signature by any country, “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data - No. 108” issued by the Council of Europe in Strasbourg, 28th day of January in 1981, has been carefully studied for many years pursuant to complying with all the EU's standards and rules and entered into force with the title “Personal Data Protection Law (“KVKK”)” after being promulgated in Official Gazette dated 07.04.2016. Personal Data Protection Law No. 6698; is intended to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data. After entering into force, KVKK has taken the personal data of individuals under the protection of legal regulations. The Law regulates issues such as the definition and classification of personal data, processing of personal data, determination of the obligations of natural and legal persons who process personal data, and complaint procedures. The legal obligation to protect the personal data of individuals under the law is a highly respected priority at KTO Karatay University with use of all technical facilities in line with high quality standards. With the purpose of the harmonization to the Law in the most successful way, this policy has been adopted and entered into force. 2. OBJECTIVE and SCOPE In terms of processing and protection of personal data, any and all administrative and technical measures will be adopted, necessary internal procedures will be established, all necessary trainings will be provided to raise awareness, and all kinds of activities necessary for the compliance of employees and business partners with KVKK will be enforced. An IT infrastructure shall be built for the purpose of adopting these measures. This policy serves as a reference guide to all employees of the university in the matter of taking all necessary measures in conformity with KVKK, applying internal procedures in the most efficient way and organizing all harmonization activities. All employees of the university are obliged to follow the rules specified herein this policy. The scope of the Personal Data Protection Law has been defined under the title "Scope” in Article 2. Therefore, the provisions of Personal Data Protection Law “shall apply to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.” As per the law’s preamble, the provisions of this law shall apply to natural persons whose personal data are processed and to natural or legal persons processing such data. No distinction is in fact introduced between the public and private sectors in respect of the implementation of the law, and the procedures and principles governed apply to all sectors. 3. DEFINITIONS 3.1. Explicit Consent: As per the Directive 95/46/EC of the European Parliament and of the Council, explicit consent has been defined as follows: “any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” As per the law’s preamble, the data subject agrees to the processing of personal data relating to him or her and use of the data cannot go beyond what is specified in the consent agreement. As per this consent agreement, personal data must be collected and stored in accordance with KVKK procedures of the university. 3.2. Anonymization: As per the law, anonymization of the personal data means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data. In other words, anonymization is to prevent the singling out of individual data subjects, the linking of records or matching of data between data sets, and inference of any information about individuals from a data set. KTO Karatay University takes the necessary measures to this end. 3.3. Data Subject: Data subject (natural person concerned) means the natural person, whose personal data are processed. The processing and protection of personal data as well as special categories of personal data of university students, administrative and academic staff, managers, board of trustees, academic consultants and solution partners, guests shall be managed within the framework of the KVKK and the well-prepared procedures. 3.4. Personal Data: Personal data means any information relating to an identified or identifiable natural person. According to the law, Personal Data is defined as any information relating to an identified or identifiable natural person. Thereby, any information that would allow the exact identification of an individual such as first name, last name, date and place of birth, as well as information on the physical, familial, economic and social characteristics of the person shall be considered as personal data. As per the law’s preamble, the identification or identifiability of a person is defined as " identification of a natural person by linking available data to a natural person in any way that could result in the identification of that person". Therefore, any information such as name, telephone number, motor vehicle license plate, social security number, passport number, CV, picture, image, and voice records, fingerprints, genetic information that can be associated with a natural person. In the light of this definition, within the scope of KTO Karatay University business process; any information provided by the student while enrolling at the university regarding his/her identity register, contact details, diploma is considered to be personal data. Any information related to the scholarship and grade point average of the student also falls under this scope. Personal details of the employees, including administrative and academic staff, processed by Human Resources Directorate is deemed to be personal data as well. 3.5. Processing of Personal Data: As per the Law that is broad in scope, processing of personal data means; “any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.” As it is specified in the law’s preamble, processing of personal data means any operation which is performed on personal data since the first time the data is collected. Processing of Special Categories of Personal Data: Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data. Data Processor: Data Processor means the natural or legal person who processes personal data on behalf of the data controller upon its authorization. The employees authorized to access and process personal data in accordance with the KVKK, the extent of their access to the data, the purpose and duration of their access, and the operations they can perform on the data have been determined with internal procedures across departments. 3.8. Data Controller: Data Controller means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system. Under KVKK, KTO Karatay University is officially registered as a data controller in the VERBIS system. By resolution of the Board of Trustees, a three-member team (Team of Data Controller) was appointed within the University, and this team is in charge of tracking and coordinating all work and processes within the framework of the KVKK and the Data Protection Commission. In cases where a decision has to be made, the team of intra-university data controllers submits an advisory decision to the university management after consulting the legal office and implements the decisions after approval by the university management. 4. EXECUTION OF KVKK POLICY AND RELEVANT RESPONSIBLITIES 4.1. The university, acting in the capacity of data controller, is responsible for the organization and implementation of all processes and internal procedures pertaining to this policy. 4.2. The Data Controller Team is responsible for and authorized to implement the regulations, procedures, guidelines, standards and training activities to be conducted under this policy at the University, with the support of the Legal Office and Internal Audit Unit. 4.3. All employees, departments, organizations of the university and all of the relevant third parties must fulfill the obligations specified in the policy and take the proper actions in line with its provisions. The university co-operates with Data Controller Team in order to prevent the occurrence of all legal liabilities, risks and dangers that may arise from the relevant legal provisions of Personal Data Protection Law. 4.4. This policy will be issued to all University staff on a signatory basis and any amendments to the policy will be uploaded to the University's website and information systems ensuring that updates can be easily monitored by the Data Controller Team and are always up to date and accessible. 4.5. In the event of a conflict between the applicable legislation and the Regulations, the University shall apply the provisions of the legislation. The conflicting policy shall be resolved by the Data Controller Team by conforming it to the legislation. 5. BASIC PRINCIPLES RELATED TO THE PROCESSING OF PERSONAL DATA 5.1. The Principle “Lawfulness and Fairness” Fairness principle, as regulated in Article 2 of the Turkish Civil Code, is the obligation to act in accordance with the principles brought by laws and other legal regulations while processing personal data and the data processing activity in question must also be transparent for the data subject. 5.2. The Principle “Being accurate and kept up to date where necessary” In the interest of the relevant person, this principle emphasizes the importance of the accuracy of personal data that is stored for a specific purpose. Keeping the personal data inaccurately is not only cause a loss or damage in the interests of the data controller, but also in terms of protecting the fundamental rights and freedoms, moral integrity and economic benefits of the data subject. 5.3. The Principle “Being processed for specified, explicit and legitimate purposes” The principle “Being processed for specified, explicit and legitimate purposes” obliges the data controller to determine explicitly and precisely the purpose of data processing and that this purpose is legitimate. In the event that data controllers process data for purposes other than those specified to the data subject, they will be liable for their actions. The fact that the purpose is legitimate means that the data processed by the data controller is related to and necessary for the work he/she has done or the service he/she has provided. 5.4. The Principle “Being relevant, limited and proportionate to the purposes for which they are processed” The data controller must avoid processing of personal data that is not related to the realization of the his/her purpose or that is not needed. 5.5. The Principle “Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed” Personal data must be kept for the period required for the purpose for which they are processed or for the period determined within the scope of the relevant legislation. In case the storage periods are determined within the scope of the relevant legislation these periods shall be valid. If such a period is not foreseen, it will be able to store the data only for the period necessary for the purpose for which they are processed. At the end of the storage period, that data must be erased, destructed or anonymized. 6. CONDITIONS FOR PROCESSING PERSONAL DATA Conditions for processing personal data are specified in Article No. 5 of KVKK. Conditions for processing personal data as follows: 6.1. Explicit Consent: Explicit consent as the main principle in processing of personal data is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The university shall process the personal data limited to the consent that is explicitly given. 6.2. Conditions for processing personal data without seeking the explicit consent of the data subject Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met: • It is expressly provided for by the laws, • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid, • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract, • It is necessary for compliance with a legal obligation to which the data controller is subject, • Personal data have been made public by the data subject himself/herself, • Data processing is necessary for the establishment, exercise or protection of any right, • Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject. 7. CONDITIONS FOR PROCESSING of SPECIAL CATEGORIES of PERSONAL DATA Conditions for processing personal data are specified in Article No. 6 of KVKK. The university process the special categories of personal data in accordance with the conditions specified in KVKK. The conditions for processing personal data are as follows: Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data. It is prohibited to process special categories of personal data without explicit consent of the data subject. Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. Adequate measures determined by the Board shall be also taken while processing the special categories of personal data. 8. OPERATIONS RELATING TO THE PERSONAL DATA 8.1. Erasure, Destruction or Anonymization of Personal Data Pursuant to Article 7 of the KVKK and By-Law on Erasure, Destruction or Anonymization of Personal Data despite being processed under the provisions of the Law, personal data shall be erased, destructed or anonymized by the controller ex officio or upon the request of the data subject. 8.2. Transfer of Personal Data in Türkiye 8.2.1 Explicit Consent of the Data Subject Under Article 8 of KVKK, the main condition for transferring personal data in Türkiye is the explicit consent of the data subject. However, Sub-Article 2 and 3 of the very same Law does make an exception for this matter. The university shall identify which personal data will be transferred to the third parties and, eventually, transfer the relevant data. 8.2.2 Conditions for transferring personal data without seeking the explicit consent of the data subject As per the Sub-Article 2 of the Article 5 in KVKK, personal data may be transferred without seeking the explicit consent of the data subject. Personal data may be transferred without seeking the explicit consent of the data subject only in cases where one of the following conditions is met: • It is expressly provided for by the laws, • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid, • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract, • It is necessary for compliance with a legal obligation to which the data controller is subject, • Personal data have been made public by the data subject himself/herself, • Data processing is necessary for the establishment, exercise or protection of any right, • Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject. 8.2.3 Conditions for transferring special categories of personal data without seeking the explicit consent of the data subject Personal data, except for the special categories of personal data concerning health and sexual life, may be transferred to the third parties without seeking explicit consent of the data subject, in the cases provided for by laws. In this respect, the University will be able to transfer special categories of personal data to third parties upon the determination of the fulfilment of the conditions set out in Article 7 of this policy. The obligation to take the necessary measures regarding the transfer of special categories of personal data will be followed by the Personal Data Controller Team. Third parties to whom special categories of personal data will be transferred must also be obliged to take the same necessary measures. The determination and coordination regarding the necessary measures to be taken shall be executed under the supervision of the Personal Data Controller Team and the relevant department. 8.3. Transfer of Personal Data Abroad 8.3.1 Explicit Consent of the Data Subject Under Article 9 of KVKK, the main condition for transferring personal data abroad is the explicit consent of the data subject. However, Sub-Article 2 of the very same Law does make an exception for this matter. 8.3.2 Conditions for transferring personal data without seeking the explicit consent of the data subject As per the Sub-Article 2 of the Article 5 in KVKK, personal data may be transferred without seeking the explicit consent of the data subject. Whereas, adequate protection must be provided in the country where personal data are to be transferred. In case adequate protection is not provided, it is laid down as a condition that there must be commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorization of the Board. The Board determines and announces the countries with adequate protection and these announcements are monitored by the Personal Data Controller Team and, subsequently, is included in the university's KVKK internal operation processes. The university transfers the personal data on the condition that there must be commitment for adequate protection in writing by the data controllers in the relevant foreign country. 9. OBLIGATIONS OF THE DATA CONTROLLER 9.1. Obligation of Data Controller to Inform The university, acting in the capacity of data controller, in accordance with Article 10 of KVKK, is obliged to inform the data subjects about; the identity of the data controller and of its representative, if any; the purpose of processing of personal data; to whom and for which purposes the processed personal data may be transferred; the method and legal basis of collection of personal data; other rights referred to in the articles in the Law. In order to fulfil this obligation, the University has reviewed its business processes and data collection methods, all identified data have been classified and transferred to the inventory, communication networks have been established and necessary arrangements and forms have been made in order for the data owners to exercise their rights to apply for their personal data in Article 11 of the KVKK. 9.2. Obligations concerning data security 9.2.1 Preventing unlawful processing of personal data The university, acting in the capacity of data controller, in accordance with Article 12 of KVKK, the data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring protection of personal data. The University has established various systems to meet this obligation, informed all staff of this obligation in the KVKK, identified the staff responsible for auditing the systems and established procedures which are published on the University's quality website. The "Personal Data Inventory" was set up as part of the data processing activities carried out by the relevant units of the University. The necessary training for ISO 27001 certification has been organized, and the administrative structure and the necessary hardware and software infrastructure have been built up for all operations, from data collection to data erasure. The personal data controller team is responsible for all monitoring, updates, audits and reporting. The University will issue all the necessary documents to each staff member, organize the required training seminars and include the certificates of participation in their personal files. The University has stated with this policy and informed its staff that it will comply with the obligations under the KVKK to process all types of documents containing personal data in accordance with the law, that the data will not be disclosed, that the obligation to keep the data confidential will continue even after the employment relationship between the University and the staff has ended and that failure to comply with all these obligations may result in the termination of the employment relationship. 9.2.2 Preventing unlawful access to personal data 9.2.2.1. Technical Measures The University shall take technically appropriate measures, perform the regular necessary updates, renew and test the reliability of the system with penetration tests and all other required methods and carry out all relevant operations. Technical measures for access and authorization will be implemented in accordance with the legal compliance criteria to be determined by the University per unit. If the Data Protection Committee introduces technical standards, the University will implement software/hardware solutions that comply with these same technical standards. The University will install all necessary hardware and software systems in all authorized systems to access the data. The university shall ensure that the same security measures are taken with regard to the backups to be made in order to avoid any loss of data and shall enter into the necessary agreements with real and/or legal third parties working within the framework of risk planning in order to guarantee that the security measures put in place by this policy and the data are stored in accordance with the KVKK. All technical measures taken are regularly communicated to the data subject and the Data Controller Team. Technical solutions will be devised for risky issues. As part of the technical measures, the Data Controller Team, the Heads of Unit and the IT Directorate will jointly organize procedures for each unit and perform audits. 9.2.2.2. Administrative Measures Where necessary, trainings will be provided to prevent university staff from illegally accessing personal data. Access permissions are regulated in such a way that university staff do not have access to all personal data processed and the purpose of the operation is taken into account. The University has stated with this policy and informed its staff that it will comply with the obligations under the KVKK to process all types of documents containing personal data in accordance with the law, that the data will not be disclosed, that the obligation to keep the data confidential will continue even after the employment relationship between the University and the staff has ended and that failure to comply with all these obligations may result in the termination of the employment relationship. 9.2.3 Inspection of the Measures The university shall set up systems to enable the necessary technical and administrative audits to be performed and managed. The results are reported by the competent body of the university and the necessary measures are taken for any improvements. All personnel, regardless of their duties and authorizations, are obliged to report the faults they observe. The University shall design the necessary processes for raising awareness among units and stakeholders about the protection and processing of personal data, as well as for monitoring, regularly reporting and following up on the actions taken through reports, audits and controls. Pursuant to Article 12 of KVKK, third parties are also obliged to process, store and access data in accordance with the provisions of this Policy and KVKK, and are liable in the event of a breach. The University therefore shall both prepare commitments to third parties to ensure that these conditions are met and that the University is authorized to conduct audits. 10. RIGHTS OF THE DATA SUBJECT Pursuant to Article 11 of KVKK, each person has the right to request to the data controller university about him/her; to learn whether his/her personal data are processed or not; to demand for information as to if his/her personal data have been processed; to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose; to know the third parties to whom his personal data are transferred; to request the rectification of the incomplete or inaccurate data, if any; to request the erasure or destruction of his/her personal data and forwarding these requests to third parties; to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems; to claim compensation for the damage arising from the unlawful processing of his/her personal data. In the event that data subjects submit their requests regarding their aforementioned rights to the University in writing using a form prepared by the University in accordance with Article 13 of the KVKK, the University will respond to the request within thirty days at the latest, depending on the nature of the request. If the application requires a fee, it will be charged at the rate of the tariff determined by the KVK Board. If it is deemed that the written application is due to an error on the part of the university, the fee will be refunded to the applicant. Depending on the nature of the application, the University may accept or duly reject it. If the application is approved, the university will process it without delay. The applicant has the right to file a complaint with the KVK Board within 30 days if his/her application is rejected, or in case the answer to his/her application is not satisfactory, or if the application is not answered within the prescribed time limit. 11. ENFORCEMENT AND REVIEW OF THE POLICY This policy becomes effective on the date of approval by the Chairman of the Board of Trustees of KTO Karatay University. Any modifications to the policy and the tasks required to implement them shall be carried out by the Legal, Audit, and the Personal Data Controller Team, and the modifications shall take effect with the approval of the Rector of the University. The policy shall be reviewed once a year. However, university reserves the right to review this policy in accordance with amendments to the law, revisions to the technical standards referenced, the procedures and/or decisions of the Data Protection Committee and court decisions and to update, amend or delete the policy and to issue a new policy if necessary. The authority to decide on the revocation of the policy rests with the Chairperson of the Board of Trustees of KTO Karatay University.
