Login
Demo—access
Tr
Login
Demo—access
Tr
Login
Demo—access
Tr

BOOSTFEEL TECHNOLOGY SOLUTIONS ANONİM ŞİRKIRKETI
PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. INTRODUCTION
Pursuant to Article 20 of the Constitution of the Republic of Turkey, everyone has the right to demand the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning oneself, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes.

Law No. 6698 on the Protection of Personal Data ("KVK Law") regulates the protection of fundamental rights and freedoms of individuals in the processing of personal data and the obligations of natural and legal persons who process personal data and the procedures and principles to be followed. The purpose of this Personal Data Protection and Processing Policy ("Policy") prepared in this direction is to ensure compliance with the obligations regarding the KVK Law regulations in our company Boostfeel Teknoloji Çözümleri Anonim Şirketi ("Company").

The subject of this Policy constitutes the principles of protection and processing of personal data of employees, employee candidates, company shareholders, company officials, customers, visitors, employees, shareholders and officials of the institutions we cooperate with and third parties.

In case of any conflict between the PDP Law and other relevant legislation and this Policy, the legislation in force shall apply.
2. PURPOSE
This Policy has been prepared in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.

With this Policy, it is aimed to maintain and develop the activities carried out by the Company in accordance with the principles set out in the KVK Law and to inform the personal data owners.
3. DEFINITIONS
The definitions used in this Policy are given below:
4. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
Pursuant to Article 3 of the KVK Law, all kinds of operations performed on personal data such as obtaining, recording, storing, maintaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system fall within the scope of processing personal data.

The following principles must be complied with in the processing of personal data:

  • Compliance with the law and good faith. Our Company carries out its personal data processing activities in accordance with the law and good faith and honesty rules in accordance with the PDP Law and the relevant legislation, especially the Constitution.
  • Being accurate and up-to-date. Necessary administrative and technical measures are taken by our Company to ensure the accuracy and timeliness of personal data while carrying out the processing of personal data.
  • Processing for specific, explicit and legitimate purposes. Our Company clearly and precisely determines its legitimate purpose for processing personal data before starting the processing of personal data.
  • Being relevant, limited and proportionate to the purpose for which they are processed. Personal data are processed by our Company as long as necessary to fulfill the specified purposes. Data processing activities are not carried out with the assumption that it can be used later.
  • Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed. Our Company stores personal data limited to the period stipulated in the KVK Law and the relevant legislation or as required by the purposes of the data processing activity.
5. CONDITIONS OF PROCESSING PERSONAL DATA
Our Company may process personal data and sensitive personal data with the explicit consent of the personal data owner or without explicit consent in cases stipulated in Articles 5 and 6 of the KVK Law.

5.1. Processing of Personal Data
As a rule, our Company processes personal data based on explicit consent. However, it carries out personal data processing activities without seeking explicit consent in accordance with the data processing conditions set forth in Article 5 of the KVK Law:

  • Explicitly stipulated in the law.
  • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
  • Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
  • It is mandatory for our company to fulfill its legal obligations.
  • It has been made public by the personal data owner himself/herself.
  • Data processing is mandatory for the establishment, exercise or protection of a right
  • Data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
5.1. Processing of Special Categories of Personal Data:
Our Company carries out the processing of personal data of special nature, which carries the risk of discrimination when processed unlawfully, in accordance with the data processing conditions set forth in Article 6 of the KVK Law. In addition, necessary measures determined by the PDP Board are also taken in the processing of special categories of personal data. It is prohibited to process sensitive personal data without the explicit consent of the personal data owner. However, in the following cases, special categories of personal data may be processed without the explicit consent of the personal data owner:

a. Processing of Personal Health Data:
Personal health data may be processed in the presence of one of the conditions listed below, provided that (i) adequate measures are taken as stipulated by the Ministry of Health, (ii) general principles are complied with, (iii) confidentiality is maintained:
  • Written explicit consent of the personal data subject
  • Protection of public health
  • Preventive medicine
  • Carrying out medical diagnosis, treatment and care services,
  • Planning and management of health services and financingö
b.Processing of Sensitive Personal Data other than Personal Health Data
Data within this scope will be possible with the explicit consent of the personal data owner or in cases stipulated by law.
6. ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA
In accordance with Article 12 of the KVK Law, our Company takes the necessary technical and administrative measures to prevent unlawful processing and access to the personal data it processes and to ensure the appropriate level of security to ensure the protection of personal data.

6.1. Technical Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access
Our Company has taken the necessary technical and technological security measures to protect personal data and has taken personal data under protection against possible risks. Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed. In order to store personal data in secure environments, systems in accordance with technological developments are used and the following measures are taken:
  • Ensuring network and application security
  • Taking security measures within the scope of procurement, development and maintenance of information technology systems
  • Creating an authorization matrix for employees
  • Keeping access logs regularly
  • De-authorization of employees who have been reassigned or left their jobs
  • Use of up-to-date anti-virus systems
  • Use of firewalls
  • Monitoring personal data security
  • Backing up personal data and ensuring the security of backed up personal data
  • Implementation and monitoring of user account management and authorization control system
  • Keeping log records without user intervention
  • Use of intrusion detection and prevention systems

6.2. Administrative Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access
  • Training and raising awareness of company employees regarding the PDP Law
  • In cases where personal data transfer is in question, ensuring that a record is added to the contracts concluded with the persons to whom personal data is transferred that the party to whom personal data is transferred will fulfill data security or signing additional protocols in this direction
  • Determining the requirements for compliance with the PDP Law and preparing internal policies for their implementation
  • Selecting a data controller representative and contact person who will be responsible for the protection of personal data within the company and who will observe the relevant rules
  • Restricting in-company access to stored personal data to only the personnel who are required to access it due to their job description
  • In the event that the processed personal data is obtained by others through unlawful means, notifying the relevant person and the Board as soon as possible, preparing an internal policy on this matter
  • Conducting the necessary internal audits to ensure the implementation of the provisions of the PDP Law, eliminating the privacy and security weaknesses that arise as a result of the audits
  • Signing a letter of undertaking containing confidentiality provisions with the personnel for the protection of personal data

6.3. Measures to be Taken in Case of Unlawful Disclosure of Personal Data
In the event that the processed personal data is obtained by others through illegal means despite the necessary security measures taken, our Company will notify the relevant data owner and the PDP Board as soon as possible.
7. PURPOSES OF PROCESSING AND STORAGE PERIODS OF PERSONAL DATA
7.1. Purposes of Processing Personal Data
Personal data are processed by our Company for the purposes listed below:
  • Execution of Employee Candidate Application Processes
  • Fulfillment of Employment Contract and Regulatory Obligations for Employees
  • Ensuring Physical Space Security
  • Execution of Communication Activities
  • Keeping Signature Circulars
  • Planning Human Resources Processes
  • Execution and Supervision of Business Activities
  • Execution of Goods and Service Procurement Processes
  • Execution of Goods and Service Sales Processes

7.2. Retention Periods of Personal Data
Our Company determines whether a period of time is stipulated in the relevant legislation for the storage of personal data. If a period is stipulated in the relevant legislation, it complies with this period, and if a period is not stipulated, it retains personal data for the period required for the purpose for which they are processed. If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and / or our Company have expired, it can only be stored for the purpose of constituting evidence in possible legal disputes, asserting the relevant right related to personal data or establishing a defense. Personal data are not stored by our Company based on the possibility of future use.
8. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Pursuant to Article 7 of the KVK Law, personal data shall be deleted, destroyed or anonymized by our Company ex officio or upon the request of the personal data owner, if the reasons requiring the processing of personal data disappear, although the personal data has been processed in accordance with the relevant legislation.

The procedures and principles regarding this matter will be fulfilled in accordance with the KVK Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224.

Our Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which our obligation to delete, destroy or anonymize personal data arises.
The time interval for periodic destruction is six months.
When the deletion or destruction of personal data is requested by applying to our company;

  • If the conditions for processing personal data have completely disappeared, the personal data subject to the request shall be deleted, destroyed or anonymized. The request shall be finalized within thirty days at the latest and the requester shall be informed.
  • If the conditions for processing personal data have completely disappeared and the personal data subject to the request have been transferred to third parties, this situation is notified to third parties, and it is ensured that necessary actions are taken within the scope of the Regulation on Deletion, Destruction or Anonymization of Personal Data.
  • If all the conditions for processing personal data have not disappeared, the request may be rejected by explaining the reason in accordance with the third paragraph of Article 13 of the KVK Law and the rejection response shall be notified to the requesting party in writing or electronically within thirty days at the latest.

8.1.Techniques for Deletion and Destruction of Personal Data
Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users.
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
For example: physical destruction, secure deletion from software, secure deletion by an expert.

8.2.Techniques for Anonymization of Personal Data
It means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Example: masking, data derivation, pseudonymization, aggregation, data hashing...
9. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED AND PURPOSES OF TRANSFER
The procedures and principles to be applied in personal data transfers are regulated in Articles 8 and 9 of the KVK Law, and the personal data and sensitive personal data of the personal data owner can be transferred to third parties in Turkey and abroad. In order to fulfill the Company's activities, personal data may be processed by the Company within the scope of the KVK Law and other legislation and may be shared with infrastructure providers, third parties from whom it receives services, insurance companies, banks / financing companies and contracted institutions, real and legal persons with whom we have a proxy relationship, our business partners and other third parties. However, in any case, personal data cannot be transferred without the explicit consent of the personal data owner, except in exceptional cases.

9.1.Domestic Transfer of Personal Data
In accordance with Article 8 of the KVK Law, the transfer of personal data within the country will be possible provided that one of the conditions specified in section 6 of this Policy titled "Conditions for Processing Personal Data" is met.

9.2.Transfer of Personal Data Abroad
In accordance with Article 9 of the KVK Law, in case personal data is transferred abroad, in addition to the fulfillment of the conditions regarding domestic transfers, the existence of one of the following issues is sought:
  • The country to be transferred is counted among the countries with adequate protection announced by the PDP Board
  • If there is no adequate protection in the country of transfer, the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and the permission of the PDP Board is obtained
10. DISCLOSURE OBLIGATION OF OUR COMPANY
In accordance with Article 10 of the KVK Law, personal data owners must be informed during the collection of personal data. In this context, our Company fulfills its obligation to inform on the following issues:

  • Title of our Company as the data controller
  • The purpose for which personal data will be processed
  • To whom and for what purpose the processed personal data can be transferred
  • The method and legal grounds for collecting personal data,
  • The rights of the personal data owner specified in section 12.1 of this Policy titled "Right to Apply"
11.RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS
In accordance with Article 13 of the KVK Law, the evaluation of the rights of personal data owners and the necessary information to personal data owners are carried out through the Data Owner Application Form as well as this Policy. Personal data owners may submit their complaints or requests regarding the processing of their personal data to us within the framework of the principles specified in the relevant form.

11.1.Right to Apply
Pursuant to Article 11 of the KVK Law, anyone whose personal data is processed may apply to our Company and make requests regarding the following issues related to him/her:
  • Learn whether their personal data is being processed,
  • Request information if their personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • To learn the third parties to whom personal data are transferred domestically or abroad,
  • To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • To request the deletion, destruction or anonymization of personal data in the event that the reasons requiring the processing of personal data disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • To object to the occurrence of a result to the detriment of the data subject by analyzing the processed data exclusively through automated systems,
  • In case of damage due to the processing of personal data in violation of the KVK Law, to demand the compensation of the damage.

11.2.Situations Excluded from the Scope of the Right to Apply
Pursuant to Article 28 of the KVK Law, it will not be possible for personal data owners to assert their rights in the following cases:
  • Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that their personal data is not disclosed to third parties and the obligations regarding data security are complied with
  • Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to paragraph 2 of Article 28 of the KVK Law, data owners will not be able to assert the rights of personal data owners, except for the right to demand compensation for the damage:
  • Processing of personal data is necessary for the prevention of crime or criminal investigation.
  • Processing of personal data made public by the data subject himself/herself.
  • Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
  • Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

11.3.Situations Excluded from the Scope of the Right to Apply
In accordance with Article 13 of the KVK Law, our Company will finalize the application requests made by the personal data owner free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. In accordance with Article 13 of the KVK Law, the application must be submitted to our Company in writing or by other methods to be determined by the KVK Board.
  • The application of the personal data subject may be rejected in the following cases
  • Preventing the rights and freedoms of other persons
  • Requires disproportionate effort
  • The information is publicly available
  • Compromise the privacy of others
  • Existence of one of the situations excluded from the scope pursuant to the KVK Law
12.ADOPTION OF THE POLICY
This Policy is reviewed at least once a year and updated in case of changes in the Law and Regulation. This Policy is deemed to have entered into force upon its publication on the Company website.
Boostfeel is not just electronic cards.
This is a service for creating a full-fledged loyalty program
Knowledge base
PDF—Presentation
8 800 551 37 56
info@boost.discount
Privacy Policy
Membership-agreement
Service Cancellation and Refund
About us
Copyright © Boostfeel 2024. All Rights Reserved