1. Purpose
This Policy has been established to define the processes relating to the processing and security of Special Categories of Personal Data specified in Law No. 6698 on the Protection of Personal Data (the “Law”).
2. Scope
Article 6(4) of the Law imposes on data controllers the obligation to also take the adequate measures determined by the Board when processing special categories of personal data.
In accordance with the decision of the Personal Data Protection Board on the “Adequate Measures to Be Taken by Data Controllers in the Processing of Special Categories of Personal Data,” published in the Official Gazette dated 07.03.2018 and numbered 30353, this Policy covers the processes relating to the processing and security of special categories of personal data.
3. Principles for Processing Special Categories of Data
In Article 6 of the Law, certain personal data that, when processed unlawfully, carry the risk of causing harm or discrimination to individuals are designated as “special categories of personal data.”
Under the Law, “special categories of personal data” are defined as data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
3.1. Processing of Special Categories of Personal Data
In processing personal data designated as “special categories” by the Law, our Company scrupulously complies with the regulations prescribed in the Law.
Special categories of personal data are processed in the following cases, provided that the adequate measures determined by the Personal Data Protection Board are taken:
- Special categories of personal data relating to health and sexual life, only if the data subject’s explicit consent has been given,
- Special categories of personal data other than health and sexual life, in cases prescribed by law or if the data subject’s explicit consent has been given.
| Nature of the Data | Processing Condition | Example |
|---|---|---|
| Special categories of personal data relating to health and sexual life | Obtaining the data subject’s explicit consent | Obtaining the data subject’s explicit consent to evaluate maternity leave, fit/unfit-for-work reports, birth reports, and breastfeeding leave petitions specified in the Labor Law. |
| Special categories of personal data other than health and sexual life | Obtaining the data subject’s explicit consent or being prescribed by law (Tax Laws, Labor Law No. 4857, Turkish Commercial Code) | Under Labor Law No. 4857, an employee’s criminal record certificate must be kept in their personnel file. |
In our Company, employees’ special categories of personal data are processed by the unit carrying out the Human Resources function; special categories of personal data contained in the identity documents of persons with whom our Company establishes a contractual or commercial relationship, or of their employees/representatives, are also processed. These data are processed and stored for the purposes of:
- Carrying out processes related to obtaining a health report,
- Making position changes according to the identified health status, thereby providing employees with job positions suitable for their health,
- Intervening without delay in the event of situations that may affect the health of other employees,
- Complying with other information-retention, reporting, and notification obligations prescribed by legislation, relevant regulatory bodies, and other authorities,
- Creating the personnel file.
These data are recorded as follows and stored by the unit carrying out the Human Resources activity:
- Special categories of personal data contained in identity documents,
- Laboratory test reports,
- Birth report,
- Rest and incapacity-for-work reports,
- Psychotechnical report,
- Disability report,
- SSI (SGK) report,
- SSI (SGK) leave certificates,
- Blood type certificate,
- Pre-employment health report,
- Non-governmental organization membership certificate,
- Supplementary health screening test reports (laboratory findings, physical examination results, medical history, etc.),
- Personal health information,
- Criminal conviction data (criminal record).
3.2. Ensuring the Security of Special Categories of Personal Data
It is essential that our Company, in its capacity as data controller, takes the following measures regarding special categories of personal data:
A. This Policy has been established for the security of special categories of personal data.
B. For employees involved in the processing of special categories of personal data:
- Regular training is provided on the Law and its related regulations and on the security of special categories of personal data,
- Confidentiality agreements are concluded,
- The scope and duration of authority of users with access rights to the data are defined,
- Authorization checks are carried out periodically,
- The authorities of employees who change duties or leave employment are removed immediately.
C. Where the environments in which special categories of personal data are processed, stored, and/or accessed are electronic:
- Personal data is stored using cryptographic methods,
- Cryptographic keys are kept securely and in separate environments,
- Transaction logs of all actions performed on personal data are securely logged,
- Security updates for the environments containing personal data are continuously monitored, necessary security tests are performed regularly, and test results are recorded,
- If personal data is accessed through software, user authorizations for that software are configured, its security tests are performed regularly, and test results are recorded,
- If remote access to personal data is required, an authentication system with at least two levels is provided.
D. Where the environments in which special categories of personal data are processed, stored, and/or accessed are physical:
- Adequate security measures are taken according to the nature of the environment in which the special categories of personal data are located (against situations such as electrical leakage, fire, flooding, theft, etc.),
- The physical security of these environments is ensured and unauthorized entry and exit is prevented.
E. Where special categories of personal data are to be transferred:
- If personal data needs to be transferred by e-mail, it is transferred in encrypted form using a corporate e-mail address,
- If it needs to be transferred via media such as portable memory, CD, or DVD, it is encrypted using cryptographic methods and the cryptographic key is kept in a separate environment,
- If transfer is carried out between servers in different physical environments, data transfer is performed by establishing a VPN between the servers or via the FTP method,
- If personal data needs to be transferred on paper, the necessary measures are taken against risks such as theft, loss, or viewing by unauthorized persons, and the document is sent in “Confidential” format.
F. In addition to the measures specified above, the technical and administrative measures set out in our general Personal Data Protection policy are also applied.
