1. Definition of “Personal Data”
In Article 3/I(d) of the PDP Law, "personal data" is defined as any information related to identified or identifiable real persons. In this context, anonymous data and data that cannot be associated with a specific person are not considered personal data under this Policy. Personal data is divided into two groups as general data and special data. Pursuant to Article 6 of the PDP Law, personal data related to a natural person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, health, sexual life, criminal conviction and security measures, and biometric and genetic data are considered as sensitive personal data. In the event that sensitive data is processed, the special rules stipulated in the PDP Law shall be complied with.
2. General Principles Regarding the Processing of Personal Data
Pursuant to Article 3/I(e) of the PDP Law, "data processing" refers to all kinds of transactions that can be carried out on personal data, such as obtaining, recording, storing, maintaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data in whole or in part by automatic means or non-automatic means, provided that they are part of any data recording system.
As İş Asset, we process personal data in accordance with the following principles within the framework of the purposes specified under the heading of "Purposes of Processing Personal Data" of this Policy:
- Processing in accordance with the rules of law and honesty,
- To be accurate and up-to-date when necessary,
- To be processed for specific, clear and legitimate purposes,
- To be connected, limited and measured with the purpose of processing,
- Retaining them for the period of time stipulated by the relevant legislation or the period deemed necessary for the purpose of the processing.
3. Data Processed by İş Asset
İş Asset may process general and special personal data without explicit consent with the explicit consent of the data owner or in cases stipulated in Articles 5 and 6 of the PDP Law. Which data will be processed by İş Asset for each data owner may vary depending on various factors such as the type and nature of the relationship between the data owner and İş Asset and the communication channels used. In this context, some of the general and special data processed by İş Asset are shown below, but not in limited number.
- Data such as name, surname, profession, title, institution/organization information, education history, employment history, gender, marital status, citizenship status, tax liability status and information about parents, guardians and attorneys, if any,
- Data such as date of birth, place of birth, identity number, blood type, religion and photo in documents for identification such as identity, passport, driver's license,
- Contact information such as address, telephone, electronic mail and fax number of home, workplace or temporary residence,
- Communication records such as phone calls, e-mail correspondence and other audio and video data made with İş Asset,
- Detailed financial data such as investment purposes, risk and return preferences, knowledge and experience on capital markets, the amount of savings that can be allocated/allocated to capital market transactions, products and services determined to be suitable for the data owner, investment services and ancillary services used by the data owner, domestic and foreign markets, investment institutions and account information registered on behalf of the data owner before these investment institutions, products traded, transaction frequency and volume,
- Internet protocol (IP) address, device ID, unique identifier information, device type, advertising ID, unique device icon, statistics on webpage views, incoming and outgoing traffic information, referral URL, internet log information, location information, information about transactions and actions performed through our websites, platforms, internet network and advertising and e-mail contents.
4. Purposes of Processing of Personal Data
As İş Asset, we may process personal data for the following purposes and may be retained for the period required for these purposes:
- Fulfillment of our legal obligations,
- Negotiation, establishment and execution of contracts,
- Settlement of Disputes,
- Promoting and marketing the company's services and products, determining the appropriate products, services and platforms for customers, customizing and developing them for customers,
- Ensuring and improving internal coordination, cooperation and efficiency,
- Ensuring the security and control of the website and other electronic systems and physical environments owned or used by the Company,
- Ensuring the legal and commercial security of our Company and the persons and institutions that have a business relationship with our Company,
- Investigating, preventing and reporting violations of the contract and the law to the competent authorities,
- Answering requests and questions and making notifications that concern the data owner,
- Realization of events, promotions and campaigns in favor of the data owner such as special day celebration, participation in sweepstakes or competitions, gifts, discounts,
- Obtaining the opinion of the data owner through surveys and votes,
- Realization of mergers, divisions, share transfers and other partnership law transactions,
- Establishment and development of the Company's human resources policies, provision of the Company's employee needs within the framework of these policies and execution and development of recruitment processes,
5. Persons and Organizations to whom Personal Data can be Transferred Domestic and Abroad
İş Asset may transfer personal data to third parties at home and abroad for the purposes shown under the heading of "Purposes of Processing Personal Data" of this Policy and store it on servers at home and abroad or in other electronic media, provided that it complies with the conditions stipulated in the PDP Law and takes the necessary security measures. Although the third parties to whom personal data may be transferred may vary depending on various factors such as the type, nature and markets in which the transaction is carried out, the relationship between the data owner and the İş Asset is generally as follows:
- Türkiye İş Bankası A.Ş., Anadolu Hayat Emeklilik A.Ş. and İş Yatırım Menkul Değerler A.Ş.,
- Capital Markets Board, İstanbul Stock Exchange, Settlement and Custody Bank, Merkez Kayıt Kuruluşu A.Ş., Investor Compensation Center and other regulatory authorities in Turkey and abroad, stock exchanges, central clearing and custody organizations, institutions and organizations with central counterparty and other authorized institutions and organizations and authorized third parties,
- Investment institutions, banks, custodians, platform owners, intermediary institutions, data broadcasting organizations, infrastructure providers and other business partners, suppliers and subcontractors of İş Asset in Turkey and abroad,
- Third parties to the relevant transactions, if necessary for the realization of mergers, divisions, share transfers and similar transactions. İş Asset does not share the personal data obtained with others for the promotion and marketing activities of third parties in any way without the explicit and specific consent of the data owner.
6. Method of Collecting Personal Data
İş Asset may collect personal data in written, verbal, audio or video recording or other physical or electronic forms for the purposes specified under the heading "Purposes of Processing Personal Data" of this Policy. Although the type of relationship between the data owner and İş Asset may vary depending on various factors such as the type, nature and markets traded, the methods used to collect personal data are generally as follows:
- By transferring data directly by the data owner or by using cookies, cameras or similar technologies to obtain data during face-to-face interviews with Company officials or contacting call centers, websites, mobile applications and similar electronic transaction platforms for the purpose of benefiting from the services or products offered by the Company or for any other purpose,
- Through İş Bankası Group Companies,
- Through the Capital Markets Board (CMB), the Capital Market Licensing Registry and Training Institution (SPL), the Public Disclosure Platform (KAP),
- Through the company's subcontractors, business partners or other contracted persons and organizations,
- Through social media or other public channels,
- Through persons, institutions and organizations that are shown as references in job applications or are included in the applicant's work and education history,
- Through the persons and institutions represented by the data owner/representing the data owner,
- Through research method.
7. Legal Reasons Regarding the Processing of Personal Data
As İş Asset, we process your personal data based on your explicit consent or the following legal reasons:
- Explicitly stipulated in the law,
- It is necessary to process your personal data because it is directly related to the establishment or performance of a contract with you,
- It is mandatory for the fulfillment of our legal obligation,
- The data has been made public by you personally,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for our legitimate interests, provided that it does not harm your fundamental rights and freedoms.
8. Personal Data Retention Period
As İş Asset, we retain personal data only for the period necessary to achieve the purposes specified in this Policy, except where a longer period is legally required or permitted. Personal data whose retention period has expired is deleted, destroyed or anonymized by us within the framework of Article 7 of the PDP Law.
9. Security and Audit of Personal Data
İş Asset attaches importance to taking the necessary technical and administrative measures in order to prevent unlawful processing of personal data and unlawful access to data and to ensure their protection within the framework of Article 12 of the PDP Law. In this context, the measures taken by İş Asset are listed below, including but not limited to:
- Preparing internal policies and rules in order to carry out the Company's business processes and activities in accordance with the personal data protection legislation, in this context, informing the company's employees about the relevant legislation and internal policies and rules and organizing trainings,
- Determination and implementation of necessary organizational measures and information security measures to ensure the security of personal data inside and outside the company and to prevent unauthorized access to data,
- Auditing the compliance with the internal policies and rules created for the protection of personal data at certain periods,
- Obtaining necessary declarations and commitments from employees and persons and institutions processing data on behalf of the Company for the confidentiality and protection of data. The adequacy of the measures applied by İş Asset to ensure the security of personal data is checked at certain periods and it is aimed to continuously improve the existing data security system according to the needs and opportunities.
10. Data Owner's Rights
Pursuant to Article 11 of the PDP Law, personal data owners have the right to learn whether their personal data has been processed, to request information about it if it has been processed, to learn the purpose of processing their data and whether it has been used in accordance with its purpose, to know the third parties to whom their data has been transferred in the country or abroad, to request correction in case their data has been processed incompletely or incorrectly, to request deletion or destruction in case the reasons requiring the processing of their data have disappeared, and to request notification of correction and deletion to third parties to whom your data has been transferred, to object to the emergence of a result against you by analyzing the processed data exclusively through automated systems, to request compensation in case of damage due to unlawful processing of their personal data. As the data owner, if you want to exercise any of your rights specified in Article 11 of the PDP Law, you can send us the Data Owner Application Form that we have prepared in order to evaluate your requests more healthily. İş Asset shall evaluate and finalize the request of the data owners within thirty days at the latest, depending on the nature of the request, in accordance with Article 13 of the PDP Law. Although the requests of the data owners will be concluded free of charge as a rule, if the response to the request requires an additional cost, the data owner may be requested to pay the fee determined within the framework of the relevant legislation.
