Türkiye Youth and Education Service Foundation ("TÜRGEV" or "Foundation") fulfills its obligations under the Law No. 6698 on the Protection of Personal Data ("Law") regarding the processing, deletion, destruction, anonymization, transfer, informing of the data subject, and ensuring the security of personal data, within the principles set forth by the Law.
This Privacy and Protection of Personal Data Policy, prepared in accordance with the Law, is presented to the access of real persons whose personal data is processed ("data subject").
1. Scope and Purpose of the Privacy and Protection of Personal Data Policy
This Privacy and Protection of Personal Data Policy covers TÜRGEV's:
in detail.
a. Methods of Collecting Personal Data and Legal Grounds
TÜRGEV collects personal data in printed forms, electronic forms, websites, social media accounts, email, mail, CCTV, cookies, fax, notifications from administrative and judicial authorities, and other communication channels in audio, electronic or written formats, in compliance with the conditions for processing personal data specified in the Law and the legal grounds stated in this Privacy and Protection of Personal Data Policy.
b. Data Subject Categorization
TÜRGEV categorizes the data subjects whose personal data is processed as follows, with the possibility of expansion depending on the processes and legal grounds stated in this policy:
c. Data Categories and Sample Data Types
\[NOTE: The large table that follows (which contains detailed data types for each group) has also been translated fully above, preserving each HTML element.]d. Purposes of Using Personal Data
TÜRGEV uses personal data for the following purposes:
e. Technical and Administrative Measures Taken to Ensure the Security of Personal Data
TÜRGEV undertakes to take all necessary technical and administrative measures and to show due diligence to ensure the confidentiality, integrity, and security of your personal data. It takes necessary precautions to prevent misuse, illegal processing, unauthorized access, disclosure, alteration, or destruction of personal data.
To prevent unlawful access, processing, and ensure safe storage of personal data, TÜRGEV takes the following technical and administrative measures:
Anti-Virus
Firewall
Access authorization
Access password management etc.
All PCs and servers in TÜRGEV’s IT infrastructure have periodically updated antivirus software installed.
Firewall
The data centers and disaster recovery centers hosting TÜRGEV servers are protected by regularly updated firewall software. These next-generation firewalls control all personnel internet traffic and provide protection against threats such as viruses.
User Definitions and Need to Know
Access rights of TÜRGEV and its employees to foundation systems are limited to the extent required by their job descriptions and are immediately updated in case of any changes.
Information Security Threat and Incident Management
Events occurring on TÜRGEV servers and firewalls are transferred to the “Information Security Threat and Incident Management” system, which alerts responsible personnel and enables immediate response.
Penetration Testing
Periodic penetration testing of servers and computers is conducted manually by a contracted company. Security vulnerabilities identified are fixed and validated. Automated penetration testing is also conducted through the Information Security Threat and Incident Management system.
Training Portal
The Training Portal is actively used to raise employee awareness about information security breaches and minimize human error in such incidents. All employees have completed cybersecurity and information security training online.
Other
All areas of the website where personal data is collected are protected by SSL.
Personal data on paper is kept in locked cabinets and accessed only by authorized persons.
Personal data processed via cookies from third parties is deleted from their systems upon termination of membership.
Other Measures:
Mail gateway
Server room encryption systems
Physical security
Private security
Camera monitoring systems
Penetration tests
Two-level authorization control
SHA 256-bit encryption
GEO IP Restrictions
Email encryption methods
Despite TÜRGEV's security precautions, if personal data is compromised or accessed by unauthorized third parties due to an attack on TÜRGEV-operated platforms or systems, TÜRGEV will immediately notify affected individuals and the Personal Data Protection Board and take necessary measures.
f. To Whom and For What Purpose Personal Data May Be Transferred
TÜRGEV transfers personal data only for the purposes specified in this Privacy and Protection of Personal Data Policy and in compliance with Articles 8 and 9 of the Law.
Such data transfers are carried out through secure environments and channels provided by the third party. Where data transfer is not essential, pseudonymous data is used.
Transferred personal data is legally protected through appropriate contract provisions ensuring compliance with the Law, in addition to technical safeguards.
\[NOTE: The following table regarding data sharing has been fully translated above.]h. Retention Periods of Personal Data
TÜRGEV retains personal data in compliance with the Law, for durations prescribed by legislation or required by the purpose of processing. These durations are approximately as follows in the Personal Data Retention and Destruction Policy [insert link]:
\[NOTE: The detailed retention periods table has also been translated fully above.]j. Rights of the Data Subject Regarding Their Personal Data and How to Exercise Them
Under Article 11 of the Law, the data subject has the following rights:
(1) Learn whether personal data is being processed,
(2) Request information if personal data has been processed,
(3) Learn the purpose of processing and whether it is used appropriately,
(4) Know third parties to whom personal data is transferred domestically or abroad,
(5) Request correction of incomplete or inaccurate data,
(6) Request deletion or destruction of personal data under conditions stated in Article 7,
(7) Request that actions taken under (5) and (6) be notified to third parties,
(8) Object to decisions made solely by automated systems,
(9) Request compensation if personal data is processed unlawfully and causes damage.
To exercise these rights, you may use the "KVKK Application Form" available on the TÜRGEV website, or contact the official email address [email protected] or the official phone number 0 212 532 1996 to request changes, updates, or deletions.
2. Conditions for Deletion, Destruction, and Anonymization of Personal Data
TÜRGEV retains personal data collected through physical, electronic, website, or email channels for the duration required by relevant laws or processing purposes, in accordance with Articles 7 and 17 of the Law and Article 138 of the Turkish Penal Code. After this period, data is deleted, destroyed, or anonymized in line with the Regulation and Guide on the Deletion, Destruction, or Anonymization of Personal Data.
Deletion means rendering the data inaccessible and unusable for the relevant users.
Destruction means making the data inaccessible, irretrievable, and unusable for anyone.
Anonymization means making the data unidentifiable and unrelatable to any individual, even when matched with other data.
TÜRGEV explains in detail the methods and measures for deletion, destruction, and anonymization in its Personal Data Retention and Destruction Policy [insert link]. The periodic destruction interval is determined as 6 months.
3. Amendments to the Privacy and Protection of Personal Data Policy
TÜRGEV may update this Privacy and Protection of Personal Data Policy at any time. These changes become effective immediately upon publication of the updated version. You will be duly informed about any such changes.
