1. 1. DATA PRIVACY UNDERTAKING

 

This Data Privacy and Security Policy (“Policy”) determines the principles to be followed within Kosmos Visa Services Limited Company and/or by Kosmos Visa Services Limited Company; whilst Kosmos Visa Services Limited Company (Kosmos) fulfils the data protection obligations imposed by Law No. 6698 and other related legislation and additionally processing personal data.

 

Kosmos Visa Services Limited Company undertakes to apply a sufficient and reasonable level of security for the personal data on-site, respect the confidentiality of personal data and comply with this Policy and tools, programs, and processes to be implemented in accordance with this Policy.

 

1. 2. PURPOSE OF THE POLICY

 

The main purpose of this Policy is to establish the principals of personal data processing and protection of personal data carried out by Kosmos Visa Services Company in accordance with the law, and to ensure transparency by enlightening and informing the persons whose personal data is processed by our company.

 

1. 3. THE SCOPE OF THE POLICY

 

This Policy includes all departments and employees of Kosmos Visa Services Limited Company.

 

This Policy will cover all activities in which personal data is processed by Kosmos Visa Services Limited Company and will be applied in all kinds of events and actions.

 

This Policy will not be applied to data that are anonymized or are non-personal data.

 

In case new legislations are set, Kosmos Visa Services will provide a higher level of security on personal data in accordance with the new legislation and comply with the regulatory requirements.

 

Where it is deemed to be a legal obstacle to the implementation of this Policy by Kosmos Visa Services Limited, Kosmos Visa Services Limited shall re-determine the steps to be applied, when deemed necessary, in consultation with the Board.

 

 

1. 4. DEFINITIONS

 

Definitions used here in this Policy are as follows:

 

 

1. 5. PERSONAL DATA INVENTORY AND CATEGORIZATION OF PERSONAL DATA

 

In care of Kosmos Visa Services Limited Company; for the legitimate and lawful personal data processing purposes of Kosmos Visa Services Limited Company, based on and limited to one or more of the personal data processing conditions set forth in Article 5 of the PDP Law, in particular the principles set out in Article 4 on the processing of personal data, complying with all the general principles set forth in the PDP Law and all obligations set forth in the PDP Law and limited to the personal data holders under this Policy (Customers, Employees, Employee Candidates, Visitors, Third Parties, Employees of the Supplier We Work with, Officials and Representatives of Supplier);

 

Are being processed by means of informing the concerned persons, in order to meet the provisions of relevant public institutions, supervisory and regulatory authorities, labour law and other relevant legislations, in our recruitment and human resources processes, in our business connections processes, technical processes, the demands of third parties, and also to meet and to continue the commercial activities of our company.

 

Kosmos Visa Services Limited Company has created a personal data inventory in accordance with the Data Responsible Registry Regulation issued by the Personal Data Protection Authority. Data categories, data sources, data processing purposes, data processing process, Receiver groups to whom the data is transferred and the retention times are found in this data registry.

 

Within this scope, the following types of data categories are included in Kosmos Visa Services Limited Company, but are not limited to these types;

 

Identity information, contact information, personnel information, legal transaction information, customer transaction information, physical space security information, transaction security information, financial information, professional experience information, marketing sales information, audio visual record information, race and ethnicity information, health information, biometric data, criminal conviction and security measures information and other information data category.

1. 6. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

 

1. 6.1. Legal Compliance

 

Our company conducts its personal data processing activities in accordance with the law and honesty rules in accordance with the Constitution, PDP Law and related legislation.

1. 6.2. Data to be Accurate and Up-to-Date When Needed

 

Our company; taking into account the fundamental rights of the personal data owners and their legitimate interests, ensures that the personal data it processes is accurate and up-to-date, and takes the necessary measures accordingly. In this context, the data on all categories of persons is kept up to date, and all kinds of administrative and technical measures are taken to ensure accuracy and timeliness.

1. 6.3. Specific, Legitimate and Clear Purposes

 

Our company; processes personal data only for legitimate purposes that are clearly and precisely determined and does not engage in data processing other than those purposes. The purpose of the processing of personal data is determined by our company before the processing activity and is also recorded in the “Personal Data Inventory”.

 

1. 6.4. Data to be Relevant, Limited and Measured with the Purpose They Are Processed for

 

Personal data are processed by our company to the extent necessary to achieve the specified objectives. Data processing activity is not conducted with the assumption that it can be used later. Within this context, the processes are constantly reviewed and the principle of reducing personal data is tried to be implemented.

 

1. 6.5. Personal Data to be Retained for the Required Period and to be Deleted Afterwards

 

Our Company only maintains personal data for the period required for the purpose specified or processed in the relevant legislation. In this context, the Company first determines whether or not a period is stipulated for the storage of personal data in the relevant legislation, if a period is determined, acts in accordance with this period, and takes into account the statutory limitation periods and stores the personal data for the period required for the purpose for which they were processed. In the events of expiration of the deadline or discontinuation of the reasons for elimination of data, personal data is deleted, destroyed or made anonymous in accordance with our Company's “Data Destruction Policy”.

1. 7. CONDITIONS FOR PROCESSING PERSONAL DATA

 

Personal data may only be collected, processed or used under the legal basis specified below.

 

1. 7.1. Explicit Consent

 

The protection of personal data is a Constitutional right, and fundamental rights and freedoms may be restricted for the reasons specified in the relevant articles of the Constitution and only by law without prejudicing their essence. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may be processed only in cases provided for by law or with the explicit consent of the person. In personal data processing procedures within our company, personal data of a person is processed without seeking explicit consent of the person only if the conditions set forth below are present;

 

• Explicit consent must be given with free will, otherwise it is void.

 

• Explicit consent will be sought in writing or electronically from the person concerned. In addition to these situations, verbal consent may be accepted if recorded. In this way, explicit consent will be recorded in a demonstrable manner. People will be informed about their rights before explicit consent is obtained.

 

• In cases where sensitive personal data is needed to be processed, explicit consent will be obtained in writing.

 

• The departments that process personal data are obliged to ensure the existence and validity of the explicit consent of the relevant data owner when collecting the personal data, they process. Upon establishment of non-presence of explicit will, data processing activity will be stopped.

 

1. 7.2. Processing of Personal Data without Obtaining Explicit Consent

 

7.2.1 Where envisaged explicitly by Law,

7.2.2 When it is compulsory for the protection of the life or body integrity of a person himself/herself or of another person who is in a physically unable state to express consent, or where his/her consent is not acknowledged to have legal validity

7.2.3 Where processing of personal data of the parties to the contract is required, provided that it is directly related to the establishment or performance of a contract.

7.2.4 Where it is obligatory for the data officer to fulfil his legal obligation,

7.2.5 Where the data owner has publicized himself/herself,

7.2.6 Where data processing for the establishment, use or protection of a right is compulsory,

7.2.7 Where data processing is mandatory for the legitimate interests of the data officer; without prejudice to the fundamental rights and freedoms of the data owner.

 

1. 7.3. Processing of Sensitive Personal Data

 

1. 7.3.1 Sensitive personal data may only be processed if the data owner has explicit consent or is explicitly required by law.
2. 7.3.2 Personal data relating to health and sex can only be processed without explicit consent for the protection of public health, processing of preventive medicine, medical diagnosis, treatment and care services, planning and management of health care and financing. In the event of such processing, the data officer is subject to secrecy confidentiality.
3. 7.3.3 When processing sensitive personal data, adequate measures shall be taken by the Board.
4. 7.3.4 The PDP Committee shall be informed on each occasion where processing of sensitive personal data is necessary.

 

1. 7.4. Processing the Data of Employees

 

1. 7.4.1 All personal data processing principles set out above shall also apply to the personal data of employees.
2. 7.4.2 Personal data of applicants who have not applied via CV collection channels can be processed without explicit consent to initiate a business relationship. In the event that such an application results unfavourably after being considered for an appropriate position, the personal data of the concerned person will be deleted.
3. 7.4.3 Employee personal data linked to the business relationship and related to the performance of the contract may be processed without the express consent of the employee. In adverse conditions, employee consent, legal obligation, legitimate interest and a similar justification is needed. Legal approval will be obtained for the validity of the relevant justification.

 

 

1. 8. TRANSFERRING PERSONAL DATA

 

1. 8.1. Transfer to Third Parties in Turkey

 

1. 8.1.1. Personal data can only be transferred to third parties in Turkey in cases where the explicit consent of the person concerned has been obtained.
2. 8.1.2. In cases where at least one of the conditions specified in paragraph 2 of article 5 of personal data law applies, data can be transferred to third parties in Turkey without the explicit consent of the person.
3. 8.1.3. The relevant department processing the transfer is responsible to ensure compliance with the obligations to be abided when transferring personal data within Turkey.

 

 

 

1. 8.2 Transfer to Third Parties Abroad

 

1. 8.2.1. Regarding the transfer of personal data abroad, the explicit consent of the data owner is required in accordance with Article 9 of the PDPL.
2. 8.2.2. But, in case of presence of conditions which permit processing of personal data including sensitive personal data without explicit consent of the data owner, the personal data may be transferred abroad by Kosmos Visa Services Limited Company without seeking explicit consent of the data owner provided that adequate protection is available in the foreign country to which the personal data will be transferred.
3. 8.2.3. If the transfer country is not designated by the Board among the countries with sufficient protection, Kosmos Visa Services Limited Company and the data officer/data processing person in the relevant country will undertake adequate protection in writing and obtain permission from the Board.

 

1. 8.3. Transfer of Personal Health Data

 

1. 8.3.1. Personal health data cannot be transferred to third parties without being anonymized, without being in compliance with the legislation, without obtaining the necessary permissions and approvals.
2. 8.3.2. Personal data relating to health can be transferred to public institutions and organizations where protection of public health, preventive medicine, medical diagnosis, processing of treatment and care services are clearly envisaged within the framework of planning and management of health care services and by the Law.
3. 8.3.3. In case of a compulsory transfer of personal health data, approval must be obtained from the legal department.
4. 8.3.4. The relevant department is responsible for ensuring compliance with the obligations to be met during the transfer of health data.

 

1. 9. RIGHTS OF PEOPLE CONCERNED

 

1. 9.1. Kosmos Visa Services Limited Company will respond to the following requests of the relevant persons for whom it holds personal data within the periods specified in the law:

 

1. 9.1.1. Information on whether their personal data is processed or not,
2. 9.1.2. Knowledge of what personal data is processed,
3. 9.1.3. Whether their personal data is transferred or not,
4. 9.1.4. Information of third parties to whom personal data is transferred and of the contact persons of third parties,
5. 9.1.5. The purpose of processing personal data,
6. 9.1.6. Responding when a person asks for relevant personal data to be updated,
7. 9.1.7. Request of anonymizing, deleting, or destroying of personal data,
8. 9.1.8. Receive a copy of personal data from Kosmos Visa Services Limited Company

 

1. 9.2. In cases where data owners think that Kosmos Visa Services Limited Company is not acting within the scope of this Policy when processing their data, and/or when they exercise their rights; they can contact the below PDPL Responsible of Kosmos Visa Services Limited Company by using their contact information. (At the same time they can apply via PDPL application form found on the internet site within the scopes of the rights set out above.)

 

PDPL Responsible:Kosmos Visa Services Limited Company

E-mail:

Address:

Phone:

 

1. 10. CONFIDENTIALITY

 

All personal data processed in Kosmos Visa Services Limited Company, are confidential by law. Employees may carry out collection, processing, transfer, use, deletion, destruction, anonymization activities on personal data only within the authorization defined to them. Otherwise, employees are prohibited from carrying out these activities. In addition, employees may not use personal data for individual or commercial purposes.

1. 11. SECURITY

 

The security of personal data is under the responsibility of the employee, the department and Kosmos Visa Services Limited respectively. Personal data must be protected against loss, unlawful processing, abuse, any processing by unauthorized persons. These security measures cover all personal and electronically stored personal data.

Kosmos Visa Services Limited Company takes technical and administrative measures according to technological facilities and implementation costs to ensure that personal data is processed lawfully.

 

1. 11.1. Technical Measures Taken to Ensure the Legal Processing of Personal Data and Prevention of Unlawful Access to Personal Data.

 

 

Kosmos Visa Services Limited has taken all kinds of technical, technological security measures to protect your personal data and protects your personal data against possible risks. For Example;

1. 11.1.1 Cyber security measures have been taken and its implementation is continuously monitored.
2. 11.1.2 Licensed antivirus software is used and updates are made to ensure that information and information processing facilities are protected from malware.
3. 11.1.3 Firewalls are used for information technology systems containing personal data to be protected from unauthorized access threats over the internet.
4. 11.1.4 Employees are granted access authority to the extent necessary for their work and duties as well as their authorities and responsibilities. Entity owner users’ access rights are reviewed at regular intervals. Access rights of the files and folders which are in the file server/common area are periodically reviewed.
5. 11.1.5 Authentication, encryption and network connectivity checks are performed for the security of network services.
6. 11.1.6 Access logs are maintained regularly.
7. 11.1.7 Patch management and software upgrades are in progress.
8. 11.1.8 Personal data is backed up and the security of the backed up personal data is also ensured.
9. 11.1.9 Encryption is performed for systems and applications.
10. 11.1.10 Necessary physical security measures are taken for entering and exiting physical environments containing personal data and unauthorized entry and exit is prevented.
11. 11.1.11 Security of physical environments containing personal data's security against external risks (electric leakage, fire, flood etc.) is provided.
12. 11.1.12 Access to systems containing personal data is provided by means of using user name and password.
13. 11.1.13 No Sensitive Personal Data Transfer is made through the network. Procedures for the management of sensitive personal data are available.
14. 11.1.14 User authorizations of the software are carried out; security tests of this software are regularly performed/procured.
15. 11.1.15 Security measures are taken within the scope of procurement, development and maintenance of new information technology systems and maintenance, development and improvement of existing systems.

 

1. 11.2. Administrative Measures Taken to Ensure the Legal Processing of Personal Data and Prevention of Unlawful Access to Personal Data

 

1. 11.2.1 A management framework is established within the institution to initiate and control information security operation and practices.

 

1. a.A PDPL Committee and Contact Person are appointed and their job descriptions are defined.
2. b.PDPL Application channels are determined.
3. c.Violation, claim/complaint management workflows are identified.

1. 11.2.2 Main principles, policies and procedures for the processing and protection of personal data are determined.

 

1. a.Data Processing and Retention Policy is formed.
2. b.A Policy on Processing and Protection of Personal Data is formed.
3. c.Information Security Management Policy is formed.
4. d.Sensitive Personal Data Security Policy is formed.

 

1. 11.2.3. Existing risks and threats are identified within the scope of processed personal data.
2. 11.2.4. Training and awareness-raising activities are being carried out for employees on personal data security.
3. 11.2.5. Roles and responsibilities and job descriptions related to data security have been determined in order to ensure that employees and contractors are aware of and fulfil their information security responsibilities.
4. 11.2.6. There is a disciplinary process in place for employees if they do not comply with the security policies, principles and procedures.
5. 11.2.7. Confidentiality commitments are made.
6. 11.2.8. Clarification text is published for the employees, customers, suppliers, etc.
7. 11.2.9. Processes that require explicit consent are identified and implemented.
8. 11.2.10. Internal periodic and/or spot checks are conducted and are being conducted. Confidentiality and security vulnerabilities are eliminated according to the results of the audits.
9. 11.2.11. It is evaluated whether there is a need for personal data for the purpose of processing and personal data are reduced as much as possible.
10. 11.2.12. In the event of the data being attained by others via illegal means, necessary measures are taken by the employees to inform the relevant person and the Board as soon as possible.

 

 

 

1. 11.3. Measures to be Taken in Case of Unlawful Disclosure of Personal Data

In the event that the processed personal data is obtained by others by illegal means, Our Company will notify the relevant data owner and the Board as soon as possible (maximum 72 hours).

 

1. 12. PERSONAL DATA PROCESSING ACTIVITIES AT ENTRANCES AND WITHIN THE BUILDING

 

1. 12.1. In order for Kosmos Visa Services Limited Company to ensure security, Kosmos Visa Services Limited Company is engaged in personal data processing with security camera monitoring and monitoring of guest entrances and exits.
2. 12.2. Personal data processing activities are performed by Kosmos Visa Services Limited Company by means of security cameras and by recording guest entrances and exits.
3. 12.3. Within the scope of monitoring by means of security camera, Kosmos Visa Services Limited Company aims to protect the interests of the company and other persons in ensuring their safety.
4. 12.4. This monitoring activity is carried out in accordance with the Law on PDPL and Private Security Services and related legislation.
5. 12.5. In this context, the information that camera monitoring is performed is announced to all employees and visitors and people are enlightened. Notification letters are posted at the entrances of the monitored areas.
6. 12.6. In accordance with Article 12 of the PDP Law, necessary technical and administrative measures are taken by Kosmos Visa Services Limited Company to ensure the security of personal data obtained from camera monitoring.

 

1. 13. MONITORING VISITOR ENTRANCE AND EXITS WITHIN THE MANAGEMENT BUILDING, AND THE ESTABLISHMENT ENTRANCES AND IN THE ESTABLISHMENT

 

1. 13.1. For the purpose of ensuring security and other purposes specified in this Policy, personal data processing activities are followed by Kosmos Visa Services Limited Company at Kosmos Visa Services Limited's premises for the monitoring of guest entrances and exits.
2. 13.2. Personal data owners are enlightened whilst identity data of persons coming to Kosmos Visa Services Limited premises as a guest are obtained or are presented to the access of guests via texts that are hung in Kosmos Visa Services Company or by other means.
3. 13.3. The data obtained for the purpose of guest entry-exit tracking are processed only for this purpose and the related personal data are recorded to the data recording system in physical environment.
4. 13.4. Imaging is not performed in areas where privacy is high.

 

 

1. 14. STORAGE OF RECORDS FOR INTERNET ACCESS OFFERED TO OUR GUESTS WITHIN THE PREMISES OF KOSMOS VISA SERVICES LIMITED COMPANY

 

Aiming to ensure security by Kosmos Visa Services Limited and other purposes specified in this Policy, internet access can be provided by Kosmos Visa Services Limited Company to visitors who request it during their stay in our buildings and facilities. In this case, log records of your internet access are kept in accordance with the provisions of the Law No. 5651 and the provisions of the legislation regulated in accordance with this Law; these records can only be requested by authorized public institutions and organizations or are processed with the aim to fulfil our legal obligation during audit processes to be performed within Kosmos Visa Services Limited Company.

 

1.  15. CONDITIONS OF DESTRUCTION OF THE PERSONAL DATA (DELETION, DESTRUCTION AND ANONYMISING)

 

Pursuant to Article 7 of PDP Law No. 138 of the Turkish Penal Code, and according to “regulations about Deletion, Elimination and Anonymization of Personal Data''; personal data is deleted, destroyed or made anonymous based upon own discretion of Kosmos Visa Services Limited Company or at the request of the personal data owner, if the reasons that require processing cease to exist even though data is processed in accordance within the provisions of the law. Kosmos Visa Services Limited Company has created a Policy in accordance with the provisions of the regulation on this subject, and pursuant to this Policy destruction is being carried out according to the nature of the data. In accordance with this regulation, periodic destruction dates are determined, and with the commencement of the obligation a calendar for periodic destruction has been created at various intervals by Kosmos Visa Services Limited Company.

 

1. 16. INFRINGEMENT CASES

 

Each employee working for Kosmos Visa Services Limited Company is obliged to inform an action or event he/she thinks is incompatible with the restrictions mentioned in Personal Data Protection Law No. 6698 and within the scope of this Policy to the department managers.

 

As a result of notifications made, and considering the legislation, the PDPL committee of Kosmos Visa Services Limited Company is obliged to inform the relevant person or authorized institution (PDPL) regarding the infringement acts or incidents.

 

1. 17. RESPONSIBILITIES

 

The hierarchies of responsibilities within Kosmos Visa Services Limited are employee, and department respectively. In this context;

 

1. 17.1. Employees are responsible for all personal data located within their work area, whether printed or computerized, and shall comply with the terms set forth in the law and this Policy in any processing of this data.
2. 17.2. Department managers are responsible for all personal data processed by employees within their departments, whether printed or computerized, and guarantee that the department operates in accordance with the provisions of the law and this Policy for any processing of this data.
3. 17.3. Department managers will contribute to the implementation of this Policy in their respective departments by conducting checks and audits.
4. 17.4. Manager employees are responsible for personal data processing within their area and shall ensure that personal data is processed in accordance with the law and this Policy.
5. 17.5. Departments are obliged to inform the PDPL Committee of Visa Services Limited Company in all the cases of new data processing, data deletion, uncertainty and the like.

 

1. 18. EXECUTIVE POWER

 

In the implementation of this Policy, Kosmos Visa Services Limited has established a management structure to ensure compliance with the regulations of the PDP Law and the enforcement of the Standard for the Protection and Processing of Personal Data.

 

Within the Kosmos Visa Services Limited Company, in accordance with the decision of the top management of the company a Personal Data Protection Committee (“Committee”) is established to manage the Policy herein and other Policies linked to and associated with this Policy.

 

1. 19. EFFECTIVE DATE OF POLICY

 

This Policy came into force on 23 September 2019.