top of page
prodenta
  • Instagram
  • Facebook
  • Youtube
Sayfa Başlığı.png

PROTECTION OF PERSONAL DATA

Personal Data Protection and Processing Policy

Table of Contents
1. Purpose and Scope
2. Definitions
3. Policy
4. Principles to be Followed When Processing Personal Data
5. Collected Personal Data
6. Purposes of Processing Personal Data
7. Methods and Legal Grounds for Processing Personal Data
8. Retention and Disposal of Personal Data
9. Transfer of Personal Data
    a. Domestic Transfer
    b. International Transfer
    c. Institutions, Organizations, and Persons to Whom Data is Transferred
10. Measures for Ensuring Data Security
11. Data Protection Officer
12. Data Inventory
13. Rights of the Data Subject
14. Exercising the Rights of the Data Subject

1. Purpose and Scope
This website you are visiting belongs to PRODENTA AĞIZ VE DİŞ SAĞLIĞI HİZ. TİC. LTD. ŞTİ.

The main purpose of this Personal Data Protection Policy (the "Policy") is to provide explanations regarding the personal data processing activities lawfully carried out by the Company and the systems adopted for the protection of personal data, and in this context, to ensure transparency by informing the individuals whose personal data is processed by our company.

This Policy is applied in all activities carried out regarding the processing and protection of all personal data managed by the Company, along with relevant detailed data procedures.

2. Definitions
- KVKK: Personal Data Protection Law No. 6698.
- GDPR: European Union General Data Protection Regulation.
- Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by them.
- Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept (data recording system).
- Data Subject (Relevant Person): Employees, customers, business partners, shareholders, officials, potential customers, employee candidates, interns, visitors, suppliers, employees of institutions with which it cooperates, third parties, and natural persons whose personal data is processed, not limited to those listed herein, with whom the Company and its subsidiaries are in a commercial relationship.
- Explicit Consent: Consent relating to a specific subject, based on information and expressed with free will.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Special Category Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and appearance, membership in an association, foundation or trade union, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
- Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making available, classification, or preventing its use, fully or partially through automatic means or provided that the process is a part of any data recording system, through non-automatic means.
- Anonymization of Personal Data: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
- Deletion of Personal Data: Making personal data completely inaccessible and non-reusable for the relevant users.
- Destruction of Personal Data: The process of making personal data inaccessible, irretrievable, and non-reusable by anyone in any way.
- Company: Data Controller PRODENTA AĞIZ VE DİŞ SAĞLIĞI HİZ. TİC. LTD. ŞTİ.
- PDP Board / Board: Personal Data Protection Board.
- PDP Authority / Authority: Personal Data Protection Authority.

3. Policy
The Company also has different policies addressing the protection of personal data and ensuring information security concerning specific business activities and functions. Unless this Policy contains additional conditions or demands a higher standard for the protection of personal data, it does not override the data protection terms in the Company's other distinct policies.

The provisions of the applicable legislation regarding the processing and protection of personal data shall have primary application; in the event of a conflict between the applicable legislation and the provisions of this Policy, the provisions of the current legislation shall prevail.

This Policy has been created in accordance with the rules and procedures stipulated in the KVKK and other relevant legislation provisions for the protection of personal data. In this sense, as the Data Controller is obligated under the KVKK to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure its preservation, it must take all necessary technical and administrative measures.

4. Principles to be Followed When Processing Personal Data
Within the scope of all Personal Data Processing activities, our Company acts in accordance with the general principles explained below:
- Processing personal data lawfully, fairly, and transparently.
- Collecting personal data only for specified, explicit, and legitimate purposes.
- Ensuring personal data is relevant, limited, and proportionate to the purposes for which they are processed.
- Keeping personal data accurate and, where necessary, up to date; deleting or correcting them without delay.
- Retaining data for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
- Processing personal data in a manner that ensures appropriate security.

5. Collected Personal Data
The Personal Data collected by our Company varies depending on the nature of your relationship with our Company and legal obligations. Your collected Personal Data may be listed as follows:
- Identity Information: (Varying as necessary: T.R. identity number, first name, last name, passport number, information written on the ID card if shared, photograph, etc.)
- Contact Information: (E-mail address, phone number, mobile phone number, address, etc.)
- Customer Information: (Customer number associated with the person, customer income information, customer occupation information, vehicle license plate, education information, etc.)
- Family Members and Relatives Information: (Especially regarding employee candidates, identity information, contact information, and professional/educational information of the Data Subject's children, spouses, etc.)
- Customer Transaction Information: (Call center records, credit card statements, customer instructions tied to a request/instruction associated with the person, records logged in related channels, etc.)
- Physical Environment Security Information: (Entry-exit logs, visit information, camera recordings, etc.)
- Transaction Security Information: (Website username and password information, etc.)
- Risk Management Information: (Address registration system records associated with the Personal Data Subject, IP address tracking records, etc.)
- Financial Information: (In parallel with information from official authorities in case of legal follow-up: credit card debt, loan amount, loan payments, debt balance, receivable balance, etc.) and accounting information and related records.
- Employee Candidate Information: (Resume, interview notes, personality test results, etc.)
- Legal Action and Compliance Information: (Data contained in documents such as court and administrative authority decisions, etc.)
- Audit and Inspection Information: (All kinds of records and transaction information regarding legal follow-up and the assertion of our rights associated with the Data Subject, etc.)
- Special Category Personal Data: (Data related to health, data related to criminal convictions and security measures.)
- Request/Complaint Management Information: (Information and records collected regarding requests and complaints made to our Company concerning our products and services associated with the person, and information regarding reports evaluated by relevant business units regarding their outcomes, etc.)
- Reputation Management Information: (Information collected associated with the person to protect the commercial reputation of our company, etc.)
- Audio-Visual Data: (Photographs, camera recordings, audio recordings, etc.)

The listed Personal Data types do not encompass all your processed data, and Personal Data similar to the listed types may be processed by our company.

6. Purposes of Processing Personal Data
Our Company informs the relevant individuals during the collection of personal data in accordance with the KVKK and other relevant legislation. In this context, the Company provides clarification/information to the data subject about the purpose for which the personal data will be processed, to whom and for what purposes the processed data may be transferred, the method of personal data collection, and the legal ground for collecting personal data.

The purpose of personal data processing varies according to the relationship between the company and the personal data subject and the legal nature of the work.

The purposes of processing personal data by the Company are as follows:

Within the scope of planning and developing company-specific commercial activities and execution of work:
- Carrying out legally required transactions and fulfilling obligations.
- Making notifications to official institutions.
- Activities related to the establishment and execution of contracts.
- Activities relating to the execution, management, planning, and implementation of relations with customers.
- Activities towards realizing post-contract services.
- Tracking, planning, and executing consultancy activities.
- Planning, tracking, and executing finance and accounting activities.
- Planning and executing information technologies and data security activities.
- Planning and executing studies for the physical and electronic/network security of the Company.

Within the scope of increasing brand awareness:
- Planning and executing actions to increase the level of perception about the institution, corporate activities, and brand.
- Planning, managing, and executing organizations, meetings, invitations, and events.

Within the scope of managing and finalizing request and complaint processes after the service and while the service is ongoing:
- Activities towards receiving, evaluating, and finalizing requests and complaints.
- Executing and tracking transactions and activities towards fulfilling the obligations arising from the contractual relationship.

Within the scope of planning, executing, and managing corporate relations:
- Managing, developing, planning, and executing relationships with suppliers/business partners/customers.
- Designing and executing corporate governance and communication activities.
- Planning and executing activities such as receiving and providing external training.

Within the scope of ensuring the legal, technical, and commercial security of the Company and persons in a business relationship with the Company:
- Providing information to authorized institutions and organizations due to legal obligations and/or fulfilling activities and obligations related to audits.
- Ensuring the security of the physical and/or electronic environments of the Company, its campuses, and the parties with which the company is in a relationship.
- Keeping records regarding the parties the Company is in a business relationship with, organizing, executing, and auditing studies directed at commercial security.
- Carrying out activities to ensure that data is kept accurate and up to date.
- Planning and/or executing Occupational Health and/or safety processes.
- Processed for the purposes of lawfully fulfilling obligations relating to any visitor entering and exiting the Company.

7. Methods and Legal Grounds for Processing Personal Data
Personal data can be obtained from the personal data subject or from third parties to whom the personal data subject has given explicit consent. This obtained personal data can be processed by methods of collection, recording, organization, structuring, storage, adaptation, alteration, use, transfer, deletion, destruction, and anonymization.

Personal data may be processed without seeking the explicit consent of the data subject by one or more of the methods above in the presence of one of the legitimate reasons listed in Article 5 of the KVKK:
- It is explicitly provided for by the laws and any relevant legislation.
- It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to actual impossibility or whose consent is not deemed legally valid.
- Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
- It is necessary for compliance with a legal obligation to which the data controller is subject.
- Personal data has been made public by the data subject himself/herself.
- Data processing is necessary for the establishment, exercise, or protection of any right.
- Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

8. Retention and Disposal of Personal Data
Our Company determines the retention periods of personal data by taking into account the legislation in force and the processing purposes of the data subject to the process. In this context, legal obligations and statutes of limitations related to the Personal Data Processing activity are strictly taken into consideration. Pursuant to Article 7 of the KVKK and other relevant legislative provisions, upon the disappearance of the reasons requiring processing, personal data shall be deleted, destroyed, or anonymized by the decision of the Company, upon periodic control, and/or upon the request of the data subject.

Personal data transmitted to us erroneously by any means or transmitted in situations where it is understood that the will of the data subject is not directed towards giving explicit consent, are immediately destroyed by our Company through methods conforming to the Law.

Our Company will not retain personal data longer than necessary to allow the identification of the data subject in connection with the purpose of data collection.

Our Company may retain personal data for longer periods solely for public interest, scientific or historical research, or statistical purposes, provided that appropriate technical and organizational measures are taken to safeguard the rights and freedoms of the data subject and ensure data security.

The retention period for each category of personal data and the criteria used to determine this period, including the legal obligations for which the Company must retain the data, are specified in our Company's Personal Data Retention and Disposal Policy and shall be applied in all cases.

9. Transfer of Personal Data

a. Domestic Transfer
Without prejudice to the situations where the transfer of personal data to administrative and judicial institutions and organizations is mandated by the KVKK or relevant legislation, personal data belonging to relevant persons are not transferred by the Company to other persons without the explicit consent of the data subject. However, in cases where the matters listed in Articles 5 and/or 6 of the KVKK apply, due to the presence of legal grounds, your personal data will be transferred to the relevant institutions and organizations within the legal framework without seeking explicit consent.

Our Company also fulfills its obligation to inform the Data Subject regarding this transfer. Accordingly, the institutions, organizations, and/or persons to whom transfers may be made are listed below:
- PROVİTA GÜZELLİK SAĞLIKLI YAŞAM VE DANIŞMANLIK TİCARET LTD. ŞTİ.

b. International Transfer
The Company may transfer personal data abroad by taking the necessary security measures in compliance with the conditions stipulated in the KVKK and relevant legislation, and by obtaining the explicit consent of the data subject. In cases where the explicit consent of the data subject is not required, it is required that the country to which the personal data will be transferred holds the status of a "safe country" and provides adequate protection. For situations where the destination country is not deemed a safe country by the Board, a data transfer protocol committing to adequate protection is signed with the permission of the Board.

c. Institutions, Organizations, and Persons to Whom Data is Transferred
Pursuant to the applicable legislations including Labor Law, Code of Obligations, Income Tax Law, Commercial Code, Private Employment Agencies Regulation, and all other legislation related to our services, our Company may share personal data with:
- Relevant public institutions and organizations,
- Authorized bodies,
- Administrative institutions and organizations, primarily Tax Offices, workplace inspectors, İşKur (Turkish Employment Agency), Regional Labor, and SGK (Social Security Institution),
- Courts and other official-judicial authorities upon request.

Apart from these, our Company may transfer your personal data, provided that it does not violate Articles 8 and 9 of the KVKK and takes all security measures specified in the relevant legislation, to:
- Business partners, suppliers, and affiliates with whom we cooperate domestically and/or abroad,
- Outsourced law firms, and upon request, courts and other official-judicial authorities.

10. Measures for Ensuring Data Security
Our Company takes technical and administrative measures to prevent data breaches to ensure the security of personal data. In this context, our Company:

Administratively;
- Conducts risk audits to identify current risks and threats.
- Conducts awareness training for employees periodically.
- Possesses personal data security policies and procedures.

Technically;
- Ensures cyber security.
- Tracks personal data security.
- Ensures the security of environments containing personal data.
- Stores personal data in secure areas and cloud computing systems.
- Processes personal data under the conditions prescribed by the law by taking the necessary software and hardware measures for the procurement, development, and maintenance of information technology systems.

11. Data Protection Officer
The Data Protection Officer has specific responsibilities in terms of procedures. While being the primary channel of contact for Employees/Personnel seeking any clarification regarding data protection compliance, they are the direct contact person regarding the responsibility they take for your personal data.

In this context, the Data Protection Officer, deemed authorized and experienced by the Company's Board of Directors, has been appointed to take responsibility for the Company's day-to-day compliance with this Policy and, in particular, bears direct responsibility for ensuring the Company's compliance with the KVKK regarding data processing activities within their scope of responsibility, just as the Company Official does.

12. Data Inventory
Our Company has created a data inventory as part of its approach to identifying risks and opportunities throughout the KVKK compliance process. The Company's data inventory identifies:
- Business processes using personal data,
- Processed personal data,
- Processed special category personal data,
- Data subject,
- Method of collecting personal data - the source of personal data,
- Purpose of processing personal data,
- Legal ground for processing personal data,
- Retention period of personal data,
- Environments where personal data is processed,
- Method of destroying personal data,
- Any data transfers,
- Recipient/recipient group to whom data is transferred,
- Transfer method and purpose,
- Technical and administrative measures.

13. Rights of the Data Subject
Under Article 11 of the KVKK, the data subject has the following rights and may exercise them by contacting the data controller through methods determined by the controller whenever they wish:
- To learn whether their personal data is processed or not,
- If their personal data has been processed, to request information regarding its structure and to learn to whom it has been disclosed,
- To learn the purpose of processing their personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom their personal data is transferred domestically or abroad and to request that this transaction be notified to the third parties,
- To request the correction of the personal data in case of incomplete or incorrect processing and to request that this be notified to third parties,
- To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, despite being processed in compliance with the provisions of the relevant law,
- To object to the occurrence of a result against the person themselves,
- To claim compensation for damages in the event that the personal data is damaged due to unlawful processing.

14. Exercising the Rights of the Data Subject
In accordance with KVKK regulations; if you convey your request to exercise your aforementioned rights by filling out the Data Subject Application Form and delivering it with documents identifying your identity personally by hand, or by sending it signed via mail to the address "KÜÇÜKBAKKALKÖY MAH. IŞIKLAR CAD. NO: 11 KARAAHMETOĞLU İŞ MERKEZİ ATASEHİR / İSTANBUL", or by sending an electronic mail to "info@prodenta.com.tr", your request will be finalized within 30 days at the latest.

If the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged.

bottom of page