As the Rights, Justice, Solidarity, and Human Association (henceforth HADİ, per the Turkish name of the association), we consider the security of your personal data to be a matter of the utmost importance. In line with the tenets of Turkish Personal Data Protection Law no. 6698 (henceforth PDPL or the Law) which entered into effect on April 7, 2016, the aim of this HADİ Clarification Text Concerning the Protection and Processing of Personal Data is to ensure the fulfillment of the obligations of HADİ and the HADİ Platform, which is connected to HADİ and is not a legal person, concerning the protection and processing of personal data, specify the principles that will be followed, and clarify for every case the identity of the data subjects whose data is processed.
In line with that aim, we place great importance on processing the private and generally personal data of HADİ Platform Volunteers/Volunteer candidates, donors, scholarship recipients, aid recipients, website subscribers, and on a nondiscriminatory basis all applicants and members per the terms of the Law, secondary statutes that have been or will be put into place within the scope of the Law, and binding decisions that have been or will be made by the Personal Data Protection Board, and in parallel with the abovementioned criteria, we place equal importance on the retention of said data and its destruction in a manner that follows data destruction policies created following the Law.
You are hereby informed that within the scope of our role as “Data Controller,” which is delimited following the principles stipulated in the Law and all secondary statutes, your personal data shall be processed in the manner and under the conditions indicated in this clarification text, and in that regard, HADİ and the entities established in line with the relevant regulations under the auspices of the Association shall carry out all personal data processing activities that fall within the bounds of the Law. All of your personal data shall be processed under the conditions stipulated in this clarification text and within the bounds of the framework indicated by the relevant statutes.
In this document, the concept of “personal data” is also used in a manner that is inclusive of personal data of a private nature. We would like to make it clear that we will bear no responsibility with the scope of the PDPL and/or related statutes for any information and/or documents that you convey to us beyond the information that is requested from you during the application and/or registration process.
INFORMATION CONCERNING THE DATA CONTROLLER
HADİ, which has been registered following the law in the Registry of Associations at the address “Vişnezade Mah. Süleyman Seba Cad. No: 45 BEŞİKTAŞ/İSTANBUL,” is hereby identified as the Data Controller.
HADİ is the Data Controller concerning HADİ which was established under the legal person of HADİ and all entities which may be established as legal persons and/or as non-legal persons, including HADİ Financial Operations, and concerning all informatics systems established/administered by HADİ and hadihareketi.org and/or websites operating under the name of hadihareketi.org and all websites belonging to HADİ.
PERSONAL DATA PROCESSING POLICY
WHOSE PERSONAL DATA DO WE PROCESS?
This policy concerns all of the personal data of individuals that is processed either by automatic or non-automatic means. Within the scope of this policy, the personal data of the persons indicated below may be subject to being processed, but the list should not be taken to be comprehensive. All rights concerning the processing of personal data conveyed through direct contact with HADİ or by any other means are reserved.
HADİ Platform Volunteers/Candidate Volunteers
HADİ Official Website/Websites Members and All Users,
HADİ Financial Operations Users and Members,
Persons in need who apply through channels operated by HADİ
All-natural persons who share their personal data with HADİ either through legal or illegal means
THE PROCESSING OF PERSONAL DATA:
WHAT PERSONAL DATA DO WE PROCESS?
Personal Identity Information (Name, Surname, Turkish State ID Number, Date of Birth, Place of Birth)
Contact Information (Telephone Number, E-mail Address, Social Media Usernames, etc.)
Address (Home Address, Work Address, etc.)
Information Concerning Education and Work and Professional Life (Level of Education, Occupation, Employment Status)
Personal Information (Marital Status, Information about Children, Status as a Legal Guardian, etc.)
Bank Information (for sending scholarships to Scholarship Recipients, receiving donations from Donors, making payments to Aid Recipients, etc.)
Documentation Concerning Income (As regards applicants for financial aid: Income Statement, Poverty Certificate, Social Security Statement, Tax Statement, etc.)
Health Documents (As regards applicants for medical aid: Prescriptions, official documentation indicating medical conditions, reports from doctors and hospitals, etc.)
THE PROCESSING OF PERSONAL DATA OF A PRIVATE NATURE:
WHAT IS PERSONAL DATA OF A PRIVATE NATURE AND HOW DO WE PROCESS IT?
Because sensitive personal data can result in victimization when it is processed in a manner that contradicts the Law and pave the way for discrimination, it has been accorded special importance within the scope of the Law. This personal data “of a private nature” includes information about race, ethnic background, political beliefs, philosophical beliefs, religious/sectarian/other beliefs, clothing styles, memberships in associations/foundations, union memberships, health, sexual life, past convictions, and data concerning security measures such as biometrics and genetics.
Personal data of a private nature is processed by our association following the principles indicated in this Policy and by taking all necessary administrative and technical precautions, including those determined by the Personal Data Protection Board, when the conditions stated below are present. According to the relevant legal provisions, personal data of a private nature can only be processed with the open consent of the data owner. However, when other legal statutes apply, it can be processed without obtaining the data owner’s consent. In that regard, all of our legal rights are reserved.
THE AIM OF DATA PROCESSING:
WHAT ARE THE AIMS OF PROCESSING YOUR DATA?
HADİ processes your personal data in line with the following aims:
Recording your data following the Association Law and all related statutes,
Carrying out our activities in compliance with the aims stipulated in the HADİ Code,
Providing opportunities such as access to subscriptions, e-bulletins, and events made available on our websites and/or mobile applications and carrying out all operations needed to make them available for your use,
Maintaining the records of HADİ Platform Volunteers and/or Candidate Volunteers and maintaining lines of communication,
Planning and managing service-based activities,
Providing support for individuals in need who apply for aid and managing all of the relevant processes,
Securing scholarships for students applying for financial support and managing all of the relevant processes,
As regards the data of donors, being able to carry out all legal obligations and collect donations and establish communications, and fulfill the aim of offering thanks for donations,
Being able to organize activities,
Getting in contact with individuals in need within the scope of projects,
Sending out notifications concerning new projects and collaborations that will be carried out,
Maintaining relations with suppliers and other third parties,
Planning and implementing endeavors concerning risk management and quality development,
Implementing and following up on sponsorship programs,
Keeping track of your personal data in domains where your username and password are used,
Managing our applications/websites,
Ensuring that legal obligations are carried out in the manner required or necessitated by legal regulations,
Fulfilling all other aims stipulated in the PDPL.
PERSONAL DATA PROCESSING POLICY:
HOW DO WE PROCESS YOUR DATA?
HADİ collects your personal data in different ways such as forms that are filled out by e-mail, over the phone, on the website, and/or on paper by way of automated and/or non-automated means that are verbal, written, and electronic.
Within this scope, all personal data that is of a general and a private nature is processed based on legal grounds when it has been made public by the data owner following clauses 2/d-e-f of Article 5 of the Law and it must be processed by the data controller for lawful activities on the condition that the foundational rights and freedoms of the individual in question are not violated.
As regards documents that are not sent via the official HADİ website or physically delivered, just as HADİ bears no responsibility for personal data that is sent by the data owner by e-mail and/or other online channels of communication, likewise if the data provider is not in Turkey, HADİ shall not be held responsible for conveyances that may occur outside the country.
ACCESSING PERSONAL DATA:
WHO CAN ACCESS YOUR PERSONAL DATA?
WITHIN THE ASSOCIATION AND PLATFORM:
HADİ Association Administrative Board Members
HADİ Platform General Coordination Office
HADİ Platform Chairpersons and Members
HADİ Platform City Boards and Members
HADİ Association & Financial Operations Employees
OUTSIDE THE ASSOCIATION AND PLATFORM:
The Association’s Consultancy Firm
Employees of the Software Development Firm Under Contract by the Association
The Legal Consultancy Office & Lawyer Under Contract by the Association
The Accounting Consultancy Office & Social Media Marketing Firm Under Contract by the Association
THE TRANSFERENCE OF PERSONAL DATA:
TO WHOM AND WHY DO WE TRANSFER YOUR PERSONAL DATA?
DOMESTIC TRANSFERENCE OF PERSONAL DATA
On the issue of the transference of personal data, we as HADİ act following the regulations stipulated in the PDPL and the decisions made by the Personal Data Protection Board. Personal data that must be kept confidential to comply with legal stipulations in the statutes and data of a private nature cannot be shared with third parties without the open consent of the data owner.
THIRD PARTIES TO WHOM HADİ TRANSFERS PERSONAL DATA
Per the terms stipulated in this Policy, personal data may be transferred to the categories of persons indicated in the following list:
HADİ Business Partners,
HADİ Financial Operations Officers,
HADİ Partners Involved in Collaborations,
State Judiciary Institutions,
Natural/Legal Persons Involved in Private Law,
Third parties and institutions when it is permissible by law to transfer data to them.
TRANSFERENCE OF PERSONAL DATA ABROAD
As a rule, personal data may not be transferred abroad without the open consent of the data owner. However, if one of the causes for legality stipulated in this Policy applies, personal data may be transferred abroad without the open consent of the data owner on the condition that the third party is located in a country that the Personal Data Protection Board has declared to have sufficient measures of protection; if the data controller is located in a country that does not have sufficient measures of protection, personal data may be still be transferred abroad without the open consent of the data owner on the condition that the data controller pledges in writing in Turkey to institute sufficient protective measures and the Personal Data Protection Board grants permission for the transfer.
If none of the above conditions are present, a request for consent can be sent to the data owner, and if approval is given, personal data may be sent abroad. However, in situations in which personal data that is sent by e-mail and/or other online platforms is not under HADİ’s control and the aforementioned web hosting service providers are located abroad HADİ may not be held responsible.
RETENTION OF PERSONAL DATA
PERIOD OF RETENTION FOR PERSONAL DATA
FOR HOW LONG DO WE PROCESS/RETAIN YOUR PERSONAL DATA?
As HADİ, we retain your personal data for as long as is needed to achieve the intended aims and for as long as is stipulated by the legal regulations to which HADİ is bound. In that regard, our association first determines whether or not the relevant statutes stipulate a timeframe for the retention of personal data and if a timeframe is indicated, we act in accordance with it.
If no timeframe is indicated, we retain personal data for as long as is needed to achieve the intended aims of processing the data. At the end of the period of time stipulated for retention, personal data is destroyed in accordance with a periodic data destruction schedule, or upon the request of the data owner, utilizing the stipulated technique of destruction (erasure and/or destruction and/or anonymization).
THE PRESERVATION OF PERSONAL DATA:
HOW DO WE SAVE YOUR PERSONAL DATA?
If your personal data is the kind of data that is automatically processed:
It is saved on HADİ’s data server and database.
If your personal data is not the kind of data that is automatically processed but rather is physically processed:
It is stored in areas in HADİ’s association center that have been specially partitioned off for that purpose. In addition, personal data that is private is stored in a separate high-security area. The majority of physical documents are scanned and securely saved on HADİ’s data server.
PERSONAL DATA SECURITY:
WHAT PRECAUTIONS DO WE TAKE TO PROTECT YOUR PERSONAL DATA?
Following Article 12 of the PDPL, HADİ takes the appropriate precautions necessary to protect each kind of data to prevent it from being unlawfully released, accessed, or transferred and to avoid any other security failures that could occur. Within that scope, the association’s board and law team implement administrative safeguards and take precautions geared towards ensuring that the necessary security measures are put into place following the guidelines published by the Personal Data Protection Board, and they also do inspections or have inspections carried out.
Furthermore, the technical and administrative precautions that are taken to protect personal data are implemented with particular care for personal data of a private nature and all required inspections are performed.
Following Article 12 of the PDPL, HADİ takes the appropriate and necessary precautions to prevent the unlawful processing of personal data, ensure that personal data is not unlawfully accessed, and securely store such data. Those precautions include firewalls, two-step authentication, secure software systems, and physical security measures. In that way, we are able to prevent third parties from unlawfully processing personal data. In the case that personal data is obtained by third parties through illegal means, HADİ will implement the directive indicated in article 12 of the Law in line with the legal regulations.
DATA DESTRUCTION POLICY
The Data Destruction Policy is implemented following the Law and secondary legal statutes, and your personal data is destroyed in compliance with the legal stipulations. Data that is automatically processed and does not exist as a hard copy is destroyed through software, while data that is not automatically processed and does exist as a hard copy is destroyed through incineration.
DATA OWNERS’ RIGHTS AND RECOURSE TO REQUESTS
THE RIGHTS OF DATA OWNERS:
WHAT ARE YOUR RIGHTS?
Data owners have the right to:
Find out if their personal data has been processed or not,
Request information if their personal data has been processed,
Know the aims of the processing of their data and find out if their data is being used in line with those aims,
Know to whom as a third party their personal data has been transferred whether domestically or abroad,
Request that corrective action be taken if their personal data has been improperly processed or not processed in full and within that scope request that third parties to whom their personal data has been transferred be informed of the situation,
Request that their personal data be erased or destroyed if the reasons for the processing of their personal data are no longer valid or applicable even if the data was processed following the Law and other relevant statutes, and within that scope request that third parties to whom their personal data has been transferred be informed of the situation,
The object in the case that analyses of processed data solely by automatic means produce results that are detrimental to the data owner,
Request that corrective measures be taken in the case that the data owner suffers harm as the result of personal data being unlawfully processed.
MEANS OF MAKING REQUESTS
HOW CAN YOU EXERCISE YOUR RIGHTS?
Or by sending an e-mail to email@example.com via a Registered Electronic Mail (REM) account with your secure electronic signature or mobile signature, or via an e-mail address which you registered with HADİ and which is in HADİ’s records.
In the case that your request entails any additional costs, you will need to pay the fee indicated in the Notice Concerning the Procedures and Principles of Applying to Data Controllers, which was issued by the Personal Data Protection Board. If your request is responded to in writing, the first 10 (ten) pages will not incur any fees, but a processing fee will be applied for every page after 10 (ten) pages, the amount of which is determined by the Personal Data Protection Board. If the reply is in the form of a saved digital file, such as a CD or flash drive, the fee requested by HADİ shall not exceed the cost of the storage device.
In your application, which must contain an explanation concerning which of the aforementioned rights you would like to exercise as the personal data owner, the subject of your request must be clearly and intelligibly stated and the topic of your request must pertain directly to you; if you are applying on behalf of someone else, you will have to submit a statement of the power of attorney that has been certified by a notary.
Per the terms of the Notice Concerning the Procedures and Principles of Applying to Data Controllers your application must include your full name, Turkish state ID number, residence or work address, e-mail address, telephone and fax number, and the elements comprising your request. HADİ will reject any applications that do not specify the topic of the request.
Your application will be finalized as quickly as the nature of the request allows, up to a maximum of 30 (thirty) days.
EFFECTIVE DATE AND CHANGES
The original clarification text prepared by HADİ was first published on the official website within the period stipulated by the Law, and this clarification text was last updated on June 2, 2020, on which date it was released to the public on HADİ’s official website.
HADİ reserves the right to make changes to the clarification text and Personal Data Protection Policy in parallel with changes in legal regulations and changes/developments in actual conditions. Updated versions of the clarification text will go into effect the moment they are published on the official website.
THE HADİ ASSOCIATION
You may contact us by e-mail if you have any comments or suggestions or if you would like to request information.
Vişnezade Mah. Süleyman Seba Cad. No: 45 Beşiktaş / İstanbul