Protection of Personal Data
Our company holds the title of "Data Controller" under the "Personal Data Protection Law" No. 6698, published in the Official Gazette dated 07.04.2016. As Merto Company DOO (hereinafter referred to as "Merto"), we pay utmost attention to the security of your personal data. With this awareness, we attach great importance to processing and preserving all personal data of all persons associated with the Company, including those who benefit from our products and services, in accordance with the Personal Data Protection Law No. 6698. With full awareness of this responsibility, we process your personal data as "Data Controller" as defined in the KVK Law, as explained below and within the limits set by the legislation.
Definitions
Text: This refers to the clarification text.
Data: It refers to information stored electronically on a computer or in some paper-based filing systems.
Personal Data: It refers to all kinds of information regarding an identified or identifiable natural person. To understand customer preferences, provide better service and for similar purposes, the Company collects data generally called "web log information" through its websites (data about users' internet browsers, mobile devices and operating systems, the pages they visit, other websites they access from these pages, the date and time of their visit to the relevant website, the specific pages visited and more) and may use cookies when pages on the website are visited. Personal Data may be obtained or collected in this way. If these data are processed together and point to a specific person, cookies and web log information will also be subject to this Text.
Special/Sensitive Personal Data: It refers to data on race, ethnic origin, political opinions, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union memberships, health, sexual life, criminal convictions and security measures, and biometric data. Sensitive data can only be processed under strict conditions and processing usually requires the explicit consent of the data subject.
Data Subject or Owners: Includes all natural persons, including employees, whose Personal Data is processed by Merto. The data owner does not have to be a Turkish citizen or reside in Turkey. All data subjects have legal rights regarding their personal data.
Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. These persons have responsibilities to determine practices and principles in accordance with the Law. The data controller for all personal data used in Merto's business processes is the relevant Merto.
Data Processor: Any person who processes data on behalf of and based on the authority granted by a data controller. Employees of the data controller are excluded from this definition, but, if applicable, suppliers, business partners and other third parties who process personal data on behalf of Merto may be included in this definition.
Data Processing/Processing: It covers all kinds of activities related to data use. It involves obtaining, recording or retaining data, or one or a set of operations performed on data, including editing, modifying, retrieving, using, disclosing, deleting or destroying data. Transferring data to third parties also means processing data.
Method
As the data controller, Merto may obtain, record, retain, store, change, update, periodically check, rearrange and classify, in whole or in part, the personal and/or special personal data that we have obtained with your consent through our call centers, written communication channels, social media pages, mobile communication channels, in-store communication channels and/or all kinds of channels, including but not limited to these. Such data may be kept for as long as necessary for the purpose for which they are processed or as stipulated in the relevant law. In case of legal or service-related actual requirements, they may be shared with or transferred to private legal persons with whom Merto works, public institutions and organizations to which it is legally obliged, and/or relevant third-party natural or legal persons residing in Turkey or abroad, and may be transferred abroad. We hereby inform you that we may process your personal data accordingly, for purposes such as enabling Merto customers to benefit from our services, informing you about our campaigns upon your approval, recording your suggestions and complaints, creating better service standards for you, and determining and implementing Merto commercial and business strategies, and in any case in accordance with the Personal Data Protection Law No. 6698 and relevant legislation.
COLLECTION, PROCESSING AND PURPOSES OF PERSONAL DATA
As the data controller, and within the framework of our legal obligations arising from the legislation, Merto provides long and short-term vehicle rental, sale, transfer, registration, loss, license renewal and issuance, license plate renewal and issuance, traffic consultancy services, second-hand vehicle sales and after-sales services, wholesale spare parts and accessories sales, insurance and financial services, etc. You may share your personal data verbally, on the website, through social media channels, mobile applications and so on, for purposes such as enabling you to benefit from our services, informing you about our campaigns upon your approval, recording your suggestions and complaints, creating better service standards for you, and determining and implementing Merto commercial and business strategies. We collect data through verbal, written or electronic methods. Personal Data is processed by Merto in accordance with the procedures and principles stipulated in the Law and this Text. Merto acts with the following principles when processing Personal Data:
- Personal Data is processed in accordance with the relevant legal rules and the requirements of the rule of honesty.
- Personal Data is ensured to be accurate and up to date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully taken into account.
- Personal Data is processed for specific, clear and legitimate purposes. A legitimate purpose means that the Personal Data processed by Merto is related to and necessary for the work it does or the service it offers.
- Personal Data is processed in connection with achieving the purposes determined by Merto, and the processing of Personal Data that is not relevant or needed to achieve the purpose is avoided. Merto limits the data processed to what is necessary to achieve the purpose. Personal Data processed in this context is limited and proportionate to the purpose for which it is processed.
- If there is a period stipulated in the relevant legislation for the storage of data, Merto complies with this period; otherwise, it retains Personal Data only for the period necessary for the purpose for which it is processed. If there is no valid reason to retain Personal Data any longer, the data in question will be deleted, destroyed or anonymized.
Conditions for Processing Personal Data
Merto does not process Personal Data without the explicit consent of the data owner. If one of the following conditions exists, Personal Data may be processed without the explicit consent of the data owner.
- Merto may process the Personal Data of Personal Data Owners in cases clearly stipulated by law, even without explicit consent. For example, in accordance with Article 230 of the Tax Procedure Law, the express consent of the relevant person will not be required to include the name of the relevant person on the invoice.
- Personal Data may be processed without explicit consent in order to protect the life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent cannot be validated, or of another person. For example, in a situation where the person's consent is not valid due to unconsciousness or mental illness, the Personal Data Owner's Personal Data may be processed during medical intervention to protect life or physical integrity. In this context, data such as blood type, diseases and surgeries, and medications used can be processed through the relevant health system.
- Personal Data of the parties to the contract may be processed by Merto, provided that it is directly related to the establishment or execution of a contract. For example, in accordance with a contract, the account number of the creditor party may be obtained for the payment of money.
- Merto may process the Personal Data of Personal Data Owners if it is mandatory to fulfill its legal obligations as the data controller.
- Personal Data made public by the Personal Data Owners themselves, in other words disclosed to the public in any way, may be processed by Merto, as the legal benefit to be protected has disappeared.
- Merto may process the Personal Data of Personal Data Owners without seeking explicit consent, in cases where data processing is mandatory for the exercise or protection of a legally legitimate right.
- Merto may process Personal Data of Personal Data Owners in cases where it is necessary to process Personal Data to ensure their legitimate interests, provided that it does not harm the fundamental rights and freedoms of Personal Data Owners protected under the Law and Policy. The Company shows the necessary sensitivity in complying with the basic principles regarding the protection of Personal Data and observing the balance of interests of Personal Data Owners.
Conditions for Processing of Special Personal Data
Merto does not process Special Personal Data without the express consent of the person concerned. However, Personal Data other than health and sexual life may be processed without the explicit consent of the relevant person in cases stipulated by law. Personal Data regarding health and sexual life are processed by Merto only for the purposes of protecting public health, preventive medicine, medical diagnosis and treatment and care services, planning and management of health services and their financing, without seeking the explicit consent of the relevant person, under conditions where we are under a confidentiality obligation. Merto carries out the necessary procedures to take adequate measures determined by the Board in the processing of Personal Data of a Special Nature.
SITUATIONS WHERE CONSENT IS NOT REQUIRED IN COLLECTING AND PROCESSING PERSONAL DATA
Pursuant to the 2nd paragraph of Article 5 of the Personal Data Protection Law No. 6698, Merto, as the data controller, has the right to process personal data without explicit consent where it is clearly provided for in the law; where it is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or execution of the contract; where data processing is mandatory for Merto to fulfill its legal obligation; where the data has been made public by the relevant person; where data processing is mandatory for the establishment, exercise or protection of a right; and where data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the relevant person. Disclosure, use and transfer of Data that has been published or disclosed to the public, that is included in official registers or in balance sheets and activity reports in accordance with the principle of openness in the law, or that must be disclosed to the public in accordance with the provisions of the law, when made by Merto in order to fulfill its legal obligations arising from the legislation it is subject to and/or to fulfill an obligation to transfer the Data to persons who may lawfully request it, are not subject to Merto's obligation to keep secrets, and Merto is authorized to give, process and transfer the Data in question to the relevant persons without the need to obtain a separate consent for this Data.
TRANSFER OF PERSONAL DATA AND ITS CONDITIONS
Merto may transfer the Personal Data of Personal Data Owners and Special Personal Data to third parties in accordance with the Law, by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Merto acts in accordance with the regulations stipulated in the Law when transferring Personal Data. In this context, Merto may provide Personal Data to third parties, based on one or more of the Personal Data processing conditions specified in Article 5 of the Law, listed below, in line with legitimate and lawful Personal Data processing purposes:
- If there is explicit consent of the Personal Data owner,
- If there is a clear regulation in the law regarding the transfer of Personal Data,
- If it is necessary to protect the life or physical integrity of the Personal Data owner or someone else, and the Personal Data owner is unable to express his/her consent due to actual impossibility or his/her consent is not given legal validity,
- If it is necessary to transfer the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- If Personal Data transfer is mandatory for Merto to fulfill its legal obligation,
- If Personal Data has been made public by the Personal Data owner,
- If Personal Data transfer is mandatory for the establishment, exercise or protection of a right,
- If the transfer of Personal Data is mandatory for Merto's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Personal Data owner.
Conditions for Transfer of Special Personal Data
By showing due care, taking the necessary security measures and taking the adequate precautions prescribed by the KVK Board, Merto may transfer the Personal Data Owner's Special Personal Data to third parties, in line with legitimate and lawful Personal Data processing purposes, in the following cases: (i) with the express consent of the Personal Data Owner, or (ii) without the express consent of the Personal Data Owner, in the presence of the following conditions:
- Special Personal Data other than the Personal Data Owner's health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, criminal conviction and data regarding security measures, and biometric and genetic data), in cases stipulated by law,
- Special Personal Data regarding the health and sexual life of the Personal Data Owner, which can only be processed by persons who are under the obligation to keep confidentiality or by authorized institutions and organizations, for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing.
Purposes of Processing and Transfer of Personal Data
Personal Data is processed by Merto, in accordance with the law and the purpose of the Law, within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law and limited to the following purposes:
- Planning and implementing human resources policies in the best possible way,
- Correct planning, execution and management of commercial partnerships and strategies,
- Ensuring the legal, commercial and physical security of itself and its business partners,
- Ensuring corporate functioning, planning and execution of management and communication activities,
- Ensuring that Personal Data Owners benefit from the products and services in the best possible way and recommending them by customizing them according to their demands, needs and wishes,
- Ensuring data security at the highest level,
- Creation of databases,
- Improving the services offered on the website and eliminating errors that occur on the website,
- Communicating with Personal Data Owners who submit their requests and complaints to it and ensuring request and complaint management,
- Event management,
- Management of relationships with business partners or suppliers,
- Carrying out personnel recruitment processes,
- Supporting Group Companies in their personnel recruitment processes and compliance with the relevant legislation,
- Planning and execution of audit activities to ensure that the activities of the Group Companies are carried out in accordance with the relevant legislation,
- Supporting Group Companies in carrying out corporate and partnership law transactions,
- Execution/monitoring of financial reporting and risk management transactions,
- Execution/follow-up of company legal affairs,
- Carrying out work to protect its reputation,
- Managing investor relations,
- Providing information regarding legislation to authorized institutions,
- Creating and tracking visitor records.
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law, your explicit consent is obtained by Merto regarding the relevant processing process.
METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA, DELETION, DESTRUCTION, STORAGE PERIOD
Method and Legal Reason for Collecting Personal Data
Personal Data is collected for the purpose of compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates the scope of the Law, in all kinds of oral, written and electronic media, through technical and other methods and various means such as the call center, the Merto website and the mobile application, in order to fully and accurately fulfill the responsibilities arising from the law within the framework of legislation, contract, demand and optional legal reasons, and is processed by the Company or by data processors assigned by the Company.
Deletion, Destruction or Anonymization of Personal Data
Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, Merto deletes, destroys or anonymizes Personal Data, ex officio or upon the data owner's request, in case the reasons requiring its processing are eliminated, even though it has been processed in accordance with the provisions of this Law and other laws. Deleting Personal Data means that this data is destroyed in a way that it cannot be used again and cannot be recovered. Accordingly, Personal Data is irreversibly deleted from the documents, files, CDs, floppy disks and hard disks in which they are recorded. Destruction of Personal Data refers to the destruction of materials suitable for storing data, such as documents, files, CDs, floppy disks and hard disks in which the data is recorded, so that the information cannot be retrieved or used again. Anonymizing data means making Personal Data unable to be associated with an identified or identifiable natural person, even if it is matched with other data.
Storage Period of Personal Data
Merto stores Personal Data for the period specified in the legislation, if one is stipulated. If the legislation does not regulate how long personal data should be stored, Personal Data is processed for the period required by the activity carried out while processing that data, within the framework of honesty rules and in accordance with Merto's practices and commercial life practices, and is then deleted, destroyed or anonymized. If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and Merto have come to an end, personal data can only be stored to serve as evidence in possible legal disputes, to assert the relevant right based on personal data, or to establish a defense. In establishing the periods here, the retention periods are determined based on the limitation periods for asserting the mentioned right and on the examples in the requests previously directed to Merto on the same issues even though the limitation periods had passed. In this case, the stored personal data is not accessed for any other purpose and the relevant personal data is accessed only when it needs to be used in the relevant legal dispute. Here too, after the mentioned period expires, personal data is deleted, destroyed or anonymized.
CLARIFICATION OBLIGATION
Merto is obliged to inform the real persons whose data will be processed during the collection of Personal Data. The scope of this information obligation is as follows:
- Identity of the data controller and his representative, if any,
- For what purpose the Personal Data will be processed,
- To whom and for what purpose the processed Personal Data can be transferred,
- Management of Personal Data collection and its legal grounds and rights.
In this regard, Merto will provide the necessary information through means of obtaining data from Third Parties for processing in its systems and will obtain informed consent from Data Owners regarding data processing to prove that the obligation to inform is fulfilled. Personal Data may be collected verbally, in writing or electronically, automatically or non-automatically, through all sales channels of Merto, including electronic commerce, sales stores, branches, websites, call centers where service can be received from third parties and all other similar channels.
- Obtaining Personal Data in Written Form: While obtaining Personal Data in written form, Merto will fulfill its Disclosure Obligation regarding the processing of data, provided that the new relevant forms and information to be revised based on this Text are used. In addition, all forms and contracts, including Authorized Contact Forms, to be received from persons with whom customer relations have been established, will be revised to indicate the explicit consent of the Data Subject for the processing of Personal Data, even though the processing of the relevant data group may be considered within the scope of exception in accordance with the Law. In customer relations, new forms, documents and information that prove compliance with the Law will be used; All relevant employees will be trained to provide sufficient detailed information and show references to the real person on this subject. It will definitely be ensured that Personal Data is obtained through written forms containing informed consent.
- Obtaining Personal Data Verbally: The obligation to inform about the processing of Personal Data will be fulfilled when obtaining data through the Call Center and when obtaining, in any way, new data that does not already exist regarding existing customers whose data is processed in accordance with the Permitted Contact Forms already received. During the collection of verbal data, the person will be reminded that the conversation is recorded, provided that this has been announced in advance, and it will be confirmed that consent has been given for the Personal Data to be processed in accordance with this Policy and the existing Authorized Contact Forms, if any. Employee and Call Center business processes will be re-evaluated and implemented within this framework.
- Obtaining Personal Data in Electronic Media: All contracts and documents / link addresses / web pages that require the acquisition and processing of Personal Data, including this Information Text, as well as those relating to data obtained through electronic commerce channels and other internet channels of Merto, have been revised to fulfill the obligation to inform regarding processing. This Text will be available on Merto's websites so that it can be accessed from all websites, and systems will be established that require approval of data processing by Merto in order to obtain data at every connection address that may require data collection. Unless it is clearly marked that consent is given to the processing of Personal Data, any information and documents entered will not be automatically saved in any Merto system and will not be processed in any way.