Special Category Personal Data Processing Policy
| Document No | POL-13 |
| Publish Date | 04.01.2024 |
| Rev. No | -- |
| Rev. Date | -- |
1. PURPOSE
This Policy has been established to determine the processes related to the processing and security of special category personal data specified in the Personal Data Protection Law No. 6698 (Law).
2. SCOPE
Under the 4th paragraph of Article 6 of the Law, data controllers are obliged to take the adequate measures determined by the Board when processing special category personal data.
This Policy covers the processes for the processing and security of special category personal data in accordance with the Personal Data Protection Board decision regarding "Adequate Measures to be Taken by Data Controllers in the Processing of Special Category Personal Data" published in the Official Gazette dated 07.03.2018 and numbered 30353.
3. APPLICATION PRINCIPLES FOR PROCESSING SPECIAL CATEGORY DATA
In Article 6 of the Law, certain personal data that carry the risk of causing harm or discrimination to individuals when processed unlawfully are designated as "special category personal data."
In the Law, "special category personal data" are defined as data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
3.1. PROCESSING OF SPECIAL CATEGORY PERSONAL DATA
In the processing of personal data determined as "special category" by the Law, our Company acts in strict compliance with the regulations foreseen in the Law.
• Special category personal data related to health and sexual life are processed only with the explicit consent of the data subject.
• Special category personal data other than health and sexual life are processed in cases foreseen by laws or with the explicit consent of the data subject.
| Nature of Data | Processing Condition | Example |
|---|---|---|
| Special category personal data related to health and sexual life | Explicit consent of the data subject must be obtained | Obtaining the explicit consent of the relevant person for the evaluation of maternity leave, fit/unfit reports, birth reports, and breastfeeding leave petitions specified in the Labor Law. |
| Special category personal data other than health and sexual life | Explicit consent of the data subject must be obtained, or the processing must be foreseen in laws (Tax Laws, Labor Law No. 4857, Turkish Commercial Code) | According to Labor Law No. 4857, the criminal record certificate of the employee must be in the personnel file. |
In our Company, special category personal data of our employees are processed by the unit providing Human Resources services. Special category personal data contained in the identity documents of persons with whom our Company has contractual or commercial relations, or of their employees/representatives, are processed. These data are processed and stored in accordance with the following purposes:
- Executing processes that depend on obtaining health reports,
- Making position changes according to the detected health condition and thus providing job positions suitable for the health of employees,
- Being able to intervene immediately in situations that may affect the health of other employees,
- Complying with other information storage, reporting, and notification obligations foreseen by legislation, relevant regulatory institutions and other authorities,
- Creating personnel files.

The data in question are:
- Special category personal data contained in identity documents,
- Laboratory Test Reports,
- Birth report,
- Sick leave and incapacity reports,
- Psychotechnical report,
- Disability report,
- SSI Report,
- SSI Leave Certificates,
- Blood Group Certificate,
- Health Report for Employment,
- Civil Society Organization Membership Certificate,
- Additional Health Screening Test Reports (Laboratory Findings, Physical Examination Results, Medical Anamnesis, etc.),
- Personal Health Information,
- Criminal Conviction Data (Criminal Record)
3.2. ENSURING THE SECURITY OF SPECIAL CATEGORY PERSONAL DATA
It is essential that our Company, as a data controller, takes the following measures regarding special category personal data:
A. This Policy is established for the security of special category personal data.
B. For Employees involved in the processing of special category personal data,
- Regular training is provided on the Law and related regulations and Special Category Personal Data security,
- Confidentiality agreements are made,
- The scope and duration of authority of users with access to data are defined,
- Periodic authority checks are carried out,
- The authority of Employees who change jobs or leave their job is immediately removed.
C. If the environments where Special Category Personal Data are processed, stored and/or accessed are electronic environments,
- Personal Data are stored using cryptographic methods,
- Cryptographic keys are kept securely and in different environments,
- All actions performed on Personal Data are securely logged,
- Security updates of the environments where Personal Data are located are continuously monitored, necessary security tests are regularly performed, and test results are recorded,
- If Personal Data are accessed through software, user authorizations for this software are defined, security tests of this software are regularly performed, and test results are recorded,
- If remote access to Personal Data is required, an authentication system with at least two factors is provided.
D. If the environments where Special Category Personal Data are processed, stored and/or accessed are physical environments,
- Adequate security measures are taken according to the nature of the environment where Special Category Personal Data are located (against electrical leakage, fire, flood, theft, etc.),
- Unauthorized entry and exit are prevented by ensuring the physical security of these environments.
E. If Special Category Personal Data are to be transferred,
- If Personal Data need to be transferred via email, they are transferred in encrypted form using a corporate email address,
- If transfer through portable memory, CD, DVD, etc. is required, they are encrypted with cryptographic methods and the cryptographic key is kept in a different environment,
- If transfer between servers in different physical environments is to be carried out, data transfer is performed by establishing a VPN between the servers or using the FTP method,
- If Personal Data need to be transferred on paper, necessary measures are taken against risks such as theft, loss or viewing by unauthorized persons, and the document is sent in "Confidential" format.
F. In addition to the measures mentioned above, the technical and administrative measures specified in our general policy for the Protection of Personal Data are also applied.
BILSOFT SOFTWARE COMPUTER INDUSTRY AND TRADE LIMITED COMPANY