Document Code: POL-DATA-PROTECTION
Title: Data Protection Policy
Version: v1.0
Date: 2025-11-30
Owner: Legal & Compliance / IT Security
Approved By: CEO
Classification: Internal

1. Purpose

The purpose of this policy is to establish the principles for collecting, processing, storing, transferring, and deleting personal data in compliance with applicable data protection regulations, including GDPR and KVKK.
It defines the organization’s obligations and the responsibilities of all personnel when handling personal data.

2. Scope

This policy applies to:

  • All employees, interns, contractors, and third parties
  • All personal data processed within company systems
  • Data belonging to employees, customers, partners, and end-users
  • Both automated and non-automated data processing
  • Storage systems including Google Workspace, Drive, databases, and cloud platforms

3. Data Protection Principles

The organization adheres to the following principles:

  1. Lawfulness, Fairness, Transparency – Data must be processed lawfully and transparently.
  2. Purpose Limitation – Data collected must be used only for explicit and legitimate purposes.
  3. Data Minimization – Only data strictly necessary for processing shall be collected.
  4. Accuracy – Personal data must be accurate and kept up to date.
  5. Storage Limitation – Data shall not be retained longer than necessary.
  6. Integrity and Confidentiality – Data must be protected against unauthorized access, alteration, or loss.
  7. Accountability – The organization is responsible for demonstrating compliance.

4. Categories of Personal Data

  1. Employee Data – HR records, contracts, contact details.
  2. Customer or Merchant Data – Contact information, billing details.
  3. System Access Data – Email, usernames, logs.
  4. Special Category Data – Only processed when legally required and with explicit safeguards.

5. Legal Basis for Processing

Processing activities must rely on one or more of the following legal bases:

  • Consent
  • Contract necessity
  • Compliance with legal obligations
  • Legitimate interest
  • Protecting vital interests (rare)

No processing may occur without an identified legal basis.

6. Data Subject Rights

Data subjects have the following rights:

  1. Right to access
  2. Right to rectification
  3. Right to erasure (“right to be forgotten”)
  4. Right to restrict processing
  5. Right to data portability
  6. Right to object
  7. Right not to be subject to automated decisions

The organization must respond to requests within legally required deadlines.

Data Retention:

  1. Personal data must be retained only as long as needed for operational or legal requirements.
  2. HR, Finance, and Legal define retention rules per category.
  3. Expired data must be securely deleted or anonymized.
  4. Backups containing personal data must follow the same lifecycle.

7. Data Storage Requirements

  1. All personal data must be stored in approved systems (Google Workspace, encrypted databases, secure cloud services).
  2. Storage in personal devices, local hard drives, USB drives, or unapproved cloud storage is prohibited.
  3. Access to personal data must follow PROC-ACCESS-CONTROL.
  4. Encryption must be used for data at rest and in transit when applicable.

8. Data Sharing and Transfers

  1. Personal data may only be shared with authorized internal teams or approved third parties.
  2. Third parties must sign data processing agreements.
  3. International data transfers must comply with GDPR adequacy rules or contractual safeguards.
  4. Personal data must never be shared via unauthorized channels (private email, messaging apps).

9. Personal Data in BYOD Devices

Employees using BYOD devices must:

  1. Ensure encryption, password protection, and antivirus are active.
  2. Not store personal data outside approved applications.
  3. Immediately report any device loss or compromise.
  4. Allow IT to remove company data during offboarding.

10. Data Breach Procedure

In case of suspected or confirmed data breach:

  1. Report immediately to IT Security.
  2. Follow PROC-INCIDENT-RESPONSE.
  3. Assess whether personal data was affected.
  4. Notify authorities and affected individuals where legally required.
  5. Document the breach and corrective actions.

11. Responsibilities

Employees:

  1. Process data only as required by their role.
  2. Report data breaches immediately.
  3. Follow all security policies.

IT Security:

  1. Implement technical and organizational safeguards.
  2. Maintain secure storage systems.
  3. Support data subject request handling.

HR / Legal:

  1. Determine retention periods.
  2. Manage consents and contractual obligations.
  3. Maintain compliance documentation.

12. Related Documents

  • POL-INFORMATION-SECURITY
  • REF-DATA-CLASSIFICATION
  • PROC-ACCESS-CONTROL
  • PROC-PASSWORD-MANAGEMENT
  • PROC-INCIDENT-RESPONSE
  • PROC-ASSET-MANAGEMENT
  • PROC-OFFBOARDING
  • CH-OFFBOARD-IT

13. Revision History

v1.0 – 2025-11-30 – Initial version created