Law No. 6698 on the Protection of Personal Data (“Law”) entered into force on April 7, 2016. The Law defines personal data and sets out the principles regarding the protection of personal data and the conditions to be complied with by those acting as data controllers in the processing of such data. According to the Law, personal data is “any information relating to an identified or identifiable natural person”. Processing of personal data, on the other hand, refers to “all kinds of operations performed on personal data, including the acquisition, recording, storage, alteration, sharing with third parties and transfer abroad of personal data by automatic means or by non-automatic means provided that it is a part of any data recording system”.
Digital art artificial intelligence technologies Ltd. Sti. Şti. takes the necessary administrative and technical measures by adopting the principles regarding the protection and processing of personal data in the relevant legislation in order to ensure compliance with the Law. For the scope of this Personal Data Protection and Processing (“Policy”) of the Company, see VI. DATA OWNER AND PERSONAL DATA CLASSIFICATION. The relevant legal regulations in force regarding the processing and protection of personal data will be applied primarily. In case of any incompatibility between the legislation in force and the Policy, Gizmorilla agrees that the legislation in force shall apply. In the event that all or certain articles of the Policy are renewed, the effective date of the Policy will be updated. The Policy is published on Gizmorilla’s website (www.gizmorilla.com.tr) and made accessible to personal data owners. In order to adapt to changing conditions and legislation, changes and updates may be made in the Policy and may be made available to personal data owners through the relevant website.
Pursuant to Article 20/III of the Constitution, the protection of personal data is guaranteed by stating that personal data can only be processed in cases stipulated by law or with the explicit consent of the person. In line with this right granted to personal data owners, Gizmorilla processes personal data in accordance with the relevant legislation, especially the Constitution, and in accordance with these principles or in accordance with the following principles in cases where the person has explicit consent:
In principle, personal data can only be processed with the explicit consent of the personal data subject. Article 5 of the Law sets forth the conditions for the processing of personal data and Article 6 sets forth the conditions for the processing of special categories of personal data. The Law defines personal data that has the risk of causing victimization or discrimination when processed unlawfully as “special categories of personal data”. Article 6 of Law No. 6698 provides a limited list of special categories of personal data and these include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
We do not process special categories of personal data such as customer/user etc. as stated above within the scope of the policy. The explicit consent of the data owner must be related to a specific subject, based on information and free will. In the presence of one or more of the following conditions, personal data may be processed without the explicit consent of the owner. Gizmorilla processes personal data in accordance with the general principles set out in Article 4 of the Law in accordance with the purposes and conditions presented below. Regarding personal data of general nature; – It is clearly stipulated in the Laws for Gizmorilla to carry out the relevant activity regarding the processing of your personal data – It is mandatory for Gizmorilla to carry out personal data processing activities for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his consent due to actual or legal invalidity – The processing of your personal data by Gizmorilla is directly related and necessary for the establishment or performance of a contract – The processing of your personal data is mandatory for Gizmorilla to fulfill its legal obligation – Provided that your personal data has been made public by you; The processing of your personal data by Gizmorilla is mandatory for the establishment, use or protection of the rights of Gizmorilla or you or third parties – It is mandatory to carry out personal data processing activities for the legitimate interests of Gizmorilla, provided that it does not harm your fundamental rights and freedoms In this context, personal data is processed by Gizmorilla for the following purposes:
Articles 8 and 9 of the Law include issues regarding the transfer of personal data domestically and abroad. Gizmorilla may transfer the personal data/special quality personal data of the data owner to third parties by taking the necessary security measures in line with the purposes of processing the personal data obtained in accordance with the law. In this direction, Gizmorilla may transfer personal data to third parties in the presence of one of the processing conditions specified in Section II and the following conditions:
Gizmorilla may transfer the personal data of the personal data owner abroad in the following cases in line with legitimate and lawful personal data processing purposes:
(i) There is adequate protection in the country where the data is transferred; and
(ii) In the event that there is no adequate protection in the country where the data is transferred, Gizmorilla undertakes adequate protection in writing with the data controller in the relevant foreign country and provided that the permission of the KVK Board is obtained
Gizmorilla may transfer the personal data of the data subjects governed by the Policy to the following parties in line with the above-mentioned conditions and in accordance with Articles 8 and 9 of the Law:
Gizmorilla ensures that personal data is processed and protected in accordance with the law by taking other administrative and technical measures stipulated in accordance with the relevant legislation and to be notified by the PDP Board in order to ensure the security of the personal data it processes. In this context, Gizmorilla takes reasonable technical and administrative measures, including technological possibilities and implementation cost, in order to process personal data in accordance with the law, to store them in secure environments, to prevent unauthorized access risks and any other unlawful access, to prevent incidental data loss, to prevent deliberate damage and deletion of data. These are as follows
Article 10 of the Law states that personal data subjects should be informed during the acquisition of personal data. In this direction, Gizmorilla, in accordance with the general principles of other personal data processing activities specified in the relevant legislation, during the acquisition of personal data; (i) the identity of the representative, if any, (ii) the purpose for which personal data will be processed, (iii) to whom and for what purpose it can be transferred, (iv) the method and legal reason for collecting personal data, (v) the rights of the personal data owner.
Article 11 of the Law lists the rights of the personal data subject. Namely, the data subject has the right to; – To learn whether his/her personal data has been processed, – To request information if his/her personal data has been processed, – To learn the purpose of processing his/her personal data and whether they are used in accordance with their purpose, – To know the third parties to whom personal data is transferred domestically or abroad, – To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred, – Although it has been processed in accordance with the provisions of the Law and other relevant laws, in the event that the reasons requiring its processing disappear, to request the deletion or destruction of personal data and to request notification of the transaction made within this scope to third parties to whom personal data is transferred, – Object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems, – In case of damage due to unlawful processing of personal data, it has the right to demand the compensation of the damage.
However, pursuant to Article 28 of the Law, the above-mentioned rights cannot be asserted in the following cases:
The information requests made by personal data owners in accordance with the right to have information about personal data about them in accordance with Article 20 of the Constitution and the right to “request information” listed among the rights mentioned above are met by Gizmorilla in accordance with the Law. Gizmorilla carries out the necessary channels, internal operation, administrative and technical arrangements in accordance with Article 13 of the Law in order to provide the necessary information to the personal data owners. In this direction, if personal data owners submit their requests regarding their above-mentioned rights to Gizmorilla, Gizmorilla notifies its reasoned positive / negative response to the request free of charge within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, Gizmorilla may charge the fee in the tariff determined by the PDP Board. Personal data owners will be realized by one of the following methods regarding their rights mentioned above:
In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.
Gizmorilla may request information from the relevant person in order to determine whether the applicant is a personal data owner or not, and may ask questions to the personal data owner about his/her application in order to clarify the issues specified in the application. In cases where the personal data owner rejects the application in accordance with Article 14 of the Law, finds the answer insufficient or does not respond to the application in due time; It can apply to the KVK Board within thirty days from the date of learning Gizmorilla’s response and in any case within sixty days from the date of application.
Gizmorilla has categorized the owners of the personal data it processes within its own organization as follows. The data owner categorization created within the scope of this Policy is associated with the following personal data owners. Data owners outside this scope may also direct their requests to Gizmorilla in accordance with the Policy.
Personal Data Subject Category
User/Customer or Service Recipient: Natural persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with Gizmorilla
Potential Customer: Real persons who have made a request or interest in using our products and services or who have been evaluated in accordance with the rules of commercial practice and honesty that they may have this interest
Third Parties: Other natural persons not covered by this Policy and Gizmorilla Employees Personal Data Protection and Processing Policy
Business Partner Shareholder, Officer, Employee: Natural persons, including employees, shareholders and officers of the organizations with which Gizmorilla has any kind of business relationship
Supplier Shareholder, Officer, Employee: Natural persons, including employees, shareholders and officers of the organizations with which Gizmorilla provides products or services and with which it has a business relationship
Business Partner Candidate: Natural persons who are employees, shareholders and officials of natural persons or legal entities with whom Gizmorilla envisages to establish any business relationship Visitors Natural persons who have entered the physical premises owned by Gizmorilla for various purposes or who visit our websites
Within the scope of this Policy, personal data processed by Gizmorilla are categorized. The personal data of the personal data owners in the above-mentioned data owner categories are associated with the personal data categories specified below.
Personal Data Categorization
Profile Information: Profile-specific information such as username.
Contact Information: Information such as telephone number, address, e-mail address, fax number, IP address, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system
Location Data: Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; information that determines the location of the personal data owner’s location within the framework of the operations carried out by Gizmorilla business units, the location of the employees of the institutions that Gizmorilla cooperates with while using Gizmorilla vehicles
Customer Transaction Information: Information that clearly belongs to an identified or identifiable natural person and is included in the data recording system; records for the use of our services and information such as the customer’s instructions and requests required for the use of products and services
Transaction Security Information: Personal data such as IP address, (system login information) log in credentials, logging of resources accessed by suppliers while providing support services, user movements (such as password reset, password creation) specific to the wallet system, which are processed in order to ensure our technical, administrative, legal and commercial security while conducting our commercial activities, which clearly belong to an identified or identifiable natural person and are included in the data recording system
Financial Information: Personal data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship Gizmorilla has established with the personal data owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information
Legal Transaction Information: Personal data that clearly belongs to an identified or identifiable natural person and is included in the data recording system; personal data processed within the scope of determination, follow-up and fulfillment of our legal receivables and rights and compliance with our legal obligations and our company’s policies
Marketing Information: Personal data that clearly belongs to an identified or identifiable natural person and is included in the data recording system; personal data processed for the marketing of our products and services by customizing them in line with the usage habits, tastes and needs of the personal data owner, and the reports and evaluations created as a result of these processing results
Risk Management Information: Information associated with the person and collected for the purpose of protecting our company’s commercial reputation (for example, information from the Şikayetvar website, information collected from Twitter and Facebook about posts made against our company, senior executives and shareholders, evaluation reports created in relation to this, and information about the actions taken in this regard
Personal data are stored by Gizmorilla for the periods stipulated in the relevant legislation and in line with its legal obligations. If a period of time is not regulated in the legislation regarding how long personal data should be stored, personal data is processed for the period required to be processed in accordance with Gizmorilla’s practices and commercial practices in connection with the activity carried out by Gizmorilla while processing that data, and then deleted, destroyed or anonymized. Personal data whose purpose of processing has expired and personal data whose deletion/anonymization has been requested by the personal data owners, if the retention periods determined by the relevant legislation and Gizmorilla have come to an end; It can only be stored in order to constitute evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. While determining the retention periods of personal data, Gizmorilla is based on the statute of limitations stipulated in the relevant legislation. Personal data stored for this purpose is accessed only by limited persons when it is required to be used in the relevant legal dispute and is not accessed for any other purpose other than this purpose. At the end of this period, personal data are deleted, destroyed or anonymized.
Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Law, personal data shall be deleted, destroyed or anonymized upon the decision of Gizmorilla or upon the request of the personal data owner if the reasons requiring its processing disappear.
A Personal Data Protection Committee (“Committee”) has been established within Gizmorilla in order to manage this Policy, related policies and other outputs, to monitor and ensure the continuity of the compliance process with the Law. The duties of this Committee are; – To create, update and put into effect the basic policies regarding the protection and processing of personal data. – To take actions regarding the implementation and supervision of policies on the protection and processing of personal data, to ensure coordination by making internal assignments in this regard. – Ensuring compliance with the law and relevant legislation and following the developments regarding the protection and processing of personal data and ensuring that necessary actions are taken within this framework. – To raise awareness about the protection and processing of personal data within Gizmorilla and before the institutions with which Gizmorilla cooperates. – To evaluate the applications of personal data owners and to resolve them in accordance with the law. – To ensure that necessary measures are taken by identifying the risks that may occur in Gizmorilla’s personal data processing activities. – To carry out relations with the KVK Board and the Authority.