Protection of Personal Data

1. PURPOSE

The Insurance Information and Monitoring Center and the Management Committee of the Insurance Information and Monitoring Center Commercial Enterprise (SBM), together with all their personnel, undertake, in accordance with the Information Security Policy, to comply with the principles and rules established for the protection of personal data by the Constitution of the Republic of Turkey, the Personal Data Protection Law (KVKK) numbered 6698 and other legislation, and to protect the rights of the individuals whose data are processed by SBM. For this purpose the Management Committee has adopted a written policy and system on the protection of personal data, to be implemented and developed.
The purpose of the Policy on the Protection of Personal Data is to ensure that SBM establishes and operates its own standards for the management of personal data, determines and supports the organizational targets and obligations, establishes control mechanisms consistent with the acceptable risk level of SBM, fulfills its obligations under international conventions, the Constitution, laws, contracts and codes of practice, and protects the interests of individuals in the best possible manner.

2. SCOPE

This policy has been prepared for SBM (the Insurance Information and Monitoring Center and the Insurance Information and Monitoring Center Commercial Enterprise) and covers both institutions and the services provided within them. Both institutions are hereinafter referred to as "SBM" in this policy. The provisions of the policy cover all information systems and infrastructure, contracts, environmental and physical areas involved in the personal data processing processes in the activity and working areas of SBM, and the systems and regulations established for them. This policy covers the Management Committee of SBM and all employees, interns and contracted personnel of the companies providing support services to all units, headships and directorates of SBM. Any action in contravention of the Personal Data Protection Law or this policy shall be handled under the relevant legislation and the relevant sanctions shall be applied accordingly.
The solution partners of SBM, public institutions, insurance companies and all other third parties working with SBM that have, or may obtain, access to personal data shall be invited to read and comply with this policy. No third party shall have access to personal data processed by SBM without first executing a confidentiality agreement that imposes standards for the protection of personal data at least as strong as those of SBM and that grants SBM the right to audit compliance with those standards.

3. DEFINITIONS

SBM: Means the Insurance Information and Monitoring Center and the Insurance Information and Monitoring Center Commercial Enterprise,
Policy: Means the Policy on the Protection of Personal Data, established to ensure that SBM establishes and operates its own standards for the management of personal data, determines and supports the organizational targets and obligations, establishes control mechanisms consistent with the acceptable risk level of SBM, fulfills its obligations under international conventions, the Constitution, laws, contracts and codes of practice, and protects the interests of individuals in the best possible manner,
Explicit consent: Means consent on a specific subject, given on the basis of being informed and disclosed with free will,
Anonymization: Means rendering personal data such that they can no longer be associated with an identified or identifiable real person by any means, even by matching them with other data,
Relevant person / Data owner: Means the real person whose personal data are processed,
Personal data: Means all kinds of information concerning the real persons whose identities are determined or determinable,
Specific (sensitive) personal data: Means data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,
Processing of personal data: Means any operation performed on personal data, such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, whether by wholly or partly automated means or by non-automated means provided that the data form part of a data recording system,
Personal data inventory: Means the inventory created by data controllers by associating the personal data processing activities they conduct, on the basis of their business processes, with the processing purposes, the data categories, the recipient groups to which the personal data are transferred and the groups of persons who are the subject of the data, and in which the data controllers detail the maximum period required for the processing purposes, the personal data envisaged to be transferred to foreign countries and the measures taken for data security,
PDPL: Means the Personal Data Protection Law numbered 6698,
Board: Means the Personal Data Protection Board,
Personal Data Protection Authority: Means the Personal Data Protection Authority,
Personal Data Protection Committee: Means the structure which will ensure the required coordination within the scope of fulfillment, maintenance and continuance of compliance with the Personal Data Protection Legislation,
Letter of Undertaking With Regard to the Protection of Personal Data: Means the document that sets out the legal obligations of third parties with which data sharing activities are conducted,
Data processor: Means the real or legal person who processes the personal data on behalf of the data controller on the basis of the authority granted by the data controller,
Data recording system: Means the recording system by means of which the personal data are processed upon being configured pursuant to specific criteria,
Registry: Means the registry of data controllers kept by the Personal Data Protection Authority,
Data controller: Means the real or legal person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data recording system,
Contact Person: Means the real person notified by the Data Controller in the course of registration in the Registry, for communications with the Personal Data Protection Authority concerning the obligations of the data controller.

4. RESPONSIBILITIES

SBM is the data controller pursuant to the Personal Data Protection Law.
All SBM personnel are responsible for developing and promoting proper practices for the processing of personal data within SBM, in addition to their other obligations.
The Personal Data Protection Committee was established as the committee charged with managing the personal data protection system and with ensuring and documenting compliance with the Personal Data Protection Law and other relevant legislation; the Committee is accountable to the Management Committee for these matters.
All SBM personnel who process personal data are responsible for acting in compliance with the personal data protection legislation. SBM personnel are obliged to ensure the accuracy and currency of all personal data that they provide to SBM or that relate to themselves.

Personal Data Protection Committee:
The members of the Personal Data Protection Committee shall be appointed with regard to their expertise and experience in personal data protection legislation and practice, and they shall report directly to the Management Committee.

Duties and Responsibilities of the Personal Data Protection Committee:

  • The Committee shall inform the Management Committee about the Personal Data Protection Legislation and related developments.
  • The Committee shall ensure that the policies and procedures of SBM are kept up to date, that data processing audits are conducted according to the planned schedule, and that they comply with the relevant legislation.
  • The Committee shall work together with the relevant personnel on all personal data protection matters.
  • The Committee shall provide information and advice on personal data protection legislation and compliance matters to SBM, its partners and the suppliers providing support services.
  • The Committee shall provide information and advice to SBM personnel about their obligations under the personal data protection legislation.
  • The Committee shall monitor the compliance of SBM's data processing activities with the personal data protection legislation.
  • The Committee shall contribute to the development and maintenance of SBM's personal data protection policy and the related procedures and processes.
  • The Committee shall designate the persons responsible within SBM under the personal data protection legislation.
  • The Committee shall ensure that the necessary training and awareness are provided to all personnel involved in personal data processing processes.
  • The Committee shall ensure that regular audits are conducted, and it shall monitor and report on compliance with the personal data protection legislation.
  • The Committee shall provide information and advice on personal data protection impact analysis reports.
  • The Committee shall cooperate and communicate with the Board.
  • The Committee shall act as the contact point and representative of SBM before the Board and shall provide information and advice to the Board when necessary.
  • The Committee shall monitor compliance with the Information Security Policy within SBM and shall provide information and advice to the relevant persons when necessary.
  • The Committee shall ensure that the process for notifying information security incidents and investigations to the Board is administered.
  • The Committee shall contribute to the business continuity planning process.
  • The Committee shall provide information and advice on the storage of corporate records.
  • The Committee shall ensure that the extent to which personal data are collected, kept and used within SBM, and the conditions of their storage, are determined in compliance with the information security standards.
  • The Committee shall ensure that monitoring and assessments are carried out on compliance with personal data protection, security practices and any other controls that may be necessary.
  • The Committee shall make additional recommendations on the determination and implementation of controls aimed at ensuring the confidentiality, integrity and availability of personal data.
  • The Committee shall bring to the agenda of the Management Committee the matters that constitute potential risks in terms of personal data, together with its recommendations on them.
  • In fulfilling SBM's duties regarding the collection, processing and storage of personal data, the Personal Data Protection Committee may request the cooperation of all personnel, including access to systems and records.
  • The Personal Data Protection Committee is responsible for the notifications and training required for all personnel to be aware of their responsibilities in the area of personal data protection and to possess the necessary awareness in this area.

5. IMPLEMENTATION PRINCIPLES

5.1. DATA PROTECTION PRINCIPLES

SBM shall comply with the personal data protection legislation and the data protection principles. The data protection principles adopted by SBM are the following:

  • Processing personal data only where the processing is clearly required for legitimate corporate objectives,
  • Processing only the minimum amount of personal data required for these objectives, and avoiding processing personal data beyond what is necessary,
  • Providing clear information to individuals about by whom and how their personal data are used,
  • Processing only relevant and appropriate personal data,
  • Processing personal data in compliance with the law and the rules of honesty,
  • Keeping an inventory of the categories of personal data processed by SBM,
  • Keeping personal data accurate and, where necessary, up to date,
  • Storing personal data only for the periods required by SBM's legal obligations or legitimate corporate interests,
  • Respecting the rights of individuals regarding their personal data, including their right of access,
  • Keeping all personal data secure,
  • Transferring personal data to foreign countries only with the explicit consent of the data subjects, or where sufficient protection exists in the target country, or, where sufficient protection does not exist, provided that the data controllers in Turkey and in the relevant foreign country undertake in writing to provide sufficient protection and the permission of the Board has been obtained,
  • Applying the exemptions permitted by the legislation,
  • Establishing and implementing the personal data protection system for the implementation of this policy,
  • Determining, where necessary, the internal and external stakeholders that are parties to the personal data protection system and the extent of their participation in SBM's personal data protection system,
  • Determining the personnel with special authorities and responsibilities within the personal data protection system.

All personal data processing activities must be conducted in compliance with the below stated data protection principles. The policies and procedures of SBM aim to ensure compliance with these principles.

  • Being in compliance with the law and honesty rules.
  • Being accurate and up-to-date when necessary.
  • Being processed for specific, clear and legitimate purposes.
  • Being connected, restricted and proportional with their processing purposes.
  • Being maintained for the period stipulated in the relevant legislation or required for their processing purposes.

Personal data shall be processed in compliance with the law and the rules of honesty, and in a transparent manner.
Accordingly, SBM shall include in its data collection channels and the relevant forms privacy notices about the personal data processing activities it conducts. The places in which clear and comprehensible information about whose data SBM processes and for what purposes will be presented, and the channels through which these matters will be announced, shall be determined with the opinion of the Personal Data Protection Committee. These notices shall cover the following matters:

  • The identity and contact information of SBM as the data controller,
  • Types of processed personal data,
  • Processing purposes of personal data,
  • Methods with respect to the collection of personal data,
  • The legal reason which constitutes the basis for the processing of personal data,
  • Stipulated storage period with respect to the personal data,
  • Rights of the data owner,
  • Third parties with whom the data may be shared.

Personal data can only be processed for specific, clear and legitimate purposes.
The reasons and purposes for processing personal data shall be determined in the personal data inventory, and personal data cannot be used for purposes other than those stated without another legal basis or the explicit consent of the data owner. Where circumstances arise that require any personal data to be used for a purpose other than those stated in the personal data inventory, the relevant personnel, unit or directorate shall notify the Personal Data Protection Committee. The Committee shall assess the appropriateness of the new purpose, ensure that the data owner is notified of the processing activity conducted for the new purpose, and ensure that the personal data inventory is updated.
Personal data must be processed in compliance with their processing purposes and in an appropriate, relevant and limited manner.
The Personal Data Protection Committee is obliged to ensure that personal data not clearly required for the processing purpose are not collected or processed.
All data processing channels shall be notified to the Personal Data Protection Committee.
The Personal Data Protection Committee shall review the appropriateness and relevance of the processed data through the personal data inventory, which is updated every year.
The Personal Data Protection Committee shall review the appropriateness and relevance of all data processing methods through the internal or external audit it conducts or procures on an annual basis.
The Personal Data Protection Committee is responsible for ceasing the processing of any personal data found to be inappropriate, irrelevant or excessive with respect to the processing purpose, and for securely destroying such data pursuant to the procedure that defines the storage and destruction processes for processed data.
Personal data must be accurate and, where necessary, up to date.
The accuracy and currency of personal data that have been kept for a long period must be reviewed. SBM is responsible for training all personnel in collecting and storing personal data in an accurate and up-to-date manner.
The accuracy and currency of the data kept about personnel are the responsibility of the personnel concerned.
Employees, customers, institutions with which relationships exist and other relevant persons must notify SBM of any updates to their processed personal data.
The Personal Data Protection Committee may instruct the relevant unit, through the personal data inventory, to review the accuracy and currency of certain data, based on the Committee's assessment of the type, storage period and amount of the data processed.
Personal data shall be kept in a form that permits identification of the data subject only for as long as is necessary for the purpose of the processing.
Where personal data are retained beyond the determined period because of backup or similar requirements, or in the event of a data security weakness, the secure destruction methods determined by the Board shall be applied to those personal data in order to protect the rights and freedoms of individuals.
Where personal data must be processed for longer than the periods determined in the procedure that defines the destruction process, the written approval of the Personal Data Protection Committee shall be obtained and the procedure shall be updated where considered necessary.

5.2. NOTIFICATIONS

SBM shall notify the Board that it acts in the capacity of data controller and of the categories of personal data it processes in this capacity. SBM shall record in its personal data inventory all categories of personal data that it processes.
The notification shall be made pursuant to the Regulation on the Registry of Data Controllers, and a copy of the notification shall be kept by the Legislation and Compliance Unit.
Where required by the relevant legislation or the Board, the notifications shall be repeated periodically.
The Personal Data Protection Committee shall review SBM's data processing activities and changes to them in order to identify potential changes to the notification made to the Board, and it shall inform the Board accordingly where necessary.

5.3. RISK ASSESSMENT

SBM shall determine the risks associated with processing certain types of personal data.
SBM shall have a procedure in place for assessing the risks that the processing of personal data may create for individuals. This assessment shall also take into account third parties that process data on behalf of SBM. SBM shall manage the risks identified by this assessment in a manner consistent with this policy.
Where a type of data processing activity is likely to create a high risk to personal rights and freedoms, given its nature, context and purposes, SBM must manage the potential risks by conducting an impact analysis before starting the processing activity. A single assessment may be relied upon for several data processing activities that involve similar risks.
If the impact analysis shows that SBM is about to commence a data processing activity that may create a high risk to personal rights and freedoms, the approval of the Personal Data Protection Committee shall be sought. Where it considers this necessary, the Personal Data Protection Committee shall obtain the opinion of the Board on the matter.
For risk management, the systems and controls already adopted by SBM under the Information Security Policy and the Risk Management Policy shall apply.

5.4. OBTAINMENT OF EXPLICIT CONSENT

SBM shall regard as explicit consent only consent given by the data owner for a specific data processing activity after having been informed about it, which expresses the data owner's free will regarding the processing and is disclosed by a written or verbal statement or by an explicit affirmative action. Explicit consent shall be obtained in writing or in another form that can be systematically evidenced. The data owner may withdraw explicit consent at any time.
Where a data processing activity based on explicit consent is continuous or repeated, the consents obtained shall be checked. Verifying the currency and accuracy of these explicit consents is the responsibility of the relevant unit. The written approval of the Personal Data Protection Committee shall be obtained before any explicit consent text is put into use. The explicit consent forms, or other evidence of consent for the processing activity, shall be kept by the relevant unit.

5.5. DATA SECURITY

All personnel are obliged to ensure that the data processed by SBM under their responsibility are kept securely and are not disclosed to third parties unless a confidentiality agreement has been signed.
Only persons who are authorized to access the relevant information may access personal data. Access shall be granted pursuant to the Information Security Policy and the Access Management Policy.
Data security shall be ensured pursuant to SBM's Information Security Policy and the documents connected with it.
Information security incidents involving personal data shall be notified to the Board and to the data subjects as soon as possible, and at the latest within 72 hours of the Personal Data Protection Committee's definitive determination of the incident.

5.6. DATA SHARING

Personal data may be shared with third parties only in compliance with the law and the rules of honesty. Accordingly, one of the following conditions must be met before personal data are shared:

  • The data owner has given explicit consent,
  • The sharing is expressly provided for by law,
  • Processing the personal data is necessary to protect the life or physical integrity of the data subject or of another person, where the data subject is unable to give consent due to actual impossibility or where the data subject's consent is not legally valid,
  • Processing the personal data of the parties to a contract is necessary, provided that the processing is directly related to the conclusion or performance of a contract to which SBM is or will be a party,
  • Processing the personal data is necessary for SBM to fulfill a legal obligation,
  • The relevant data have been made public by the data subject himself or herself,
  • Processing the data is necessary for the establishment, exercise or protection of a right of SBM,
  • Processing the personal data is necessary for the legitimate interests of SBM, provided that the fundamental rights and freedoms of the data subject are not harmed.

Personal data may be transferred to foreign countries only if the above conditions are satisfied and sufficient protection exists in the target country, or, where sufficient protection does not exist, on condition that the data controllers in Turkey and in the relevant foreign country undertake in writing to provide sufficient protection and the permission of the Board has been obtained, or the data owner has given explicit consent to the transfer.
For transfers of personal data to foreign countries, the list of countries with sufficient protection determined by the Board shall be taken into account.
Where a transfer of personal data to a foreign country is envisaged, the Personal Data Protection Committee shall obtain the necessary permissions and make the necessary notifications to the Board pursuant to the Personal Data Protection Law and the relevant legislation.
All personal data sharing transactions must be recorded in writing together with the reasoning behind them. These records shall be reviewed by the Personal Data Protection Committee at regular intervals.
Where a regular data sharing relationship exists that does not arise from a legal basis or legal obligation, a Letter of Undertaking With Regard to the Protection of Personal Data setting out the conditions of the data sharing shall be signed with the party concerned. The Letter of Undertaking With Regard to the Protection of Personal Data shall cover at least the following matters:

  • Purpose or purposes of the relevant sharing,
  • Potential third party recipients or the types of recipients and the conditions with respect to the access right,
  • Content of data to be shared,
  • General principles with regard to the processing of personal data,
  • Data security measures,
  • Storage period with respect to the shared data,
  • Rights of the data owner, the procedures with respect to responding to the access requests, applications and complaints,
  • Consideration of the termination of the sharing contract and
  • Responsibilities and sanctions due to noncompliance with the contract or individual violations of the personnel

5.7. MANAGEMENT OF THE RECORDS

Personal data shall not be kept for longer than is required for the purposes of processing. The classification of records containing personal data, and their storage periods, shall be determined pursuant to the Information Security Policy and the relevant documents.
Personal data whose retention period has expired, or that must be destroyed upon a justified request of the data owner, shall be anonymized, erased or destroyed pursuant to the procedure that defines the storage and destruction process.

5.8. RIGHTS OF THE DATA OWNERS

Data owners have the following rights regarding the data processing activities and records of SBM:

  • The right to learn whether their personal data have been processed,
  • The right to request information about the processing, where their personal data have been processed by SBM,
  • The right to learn the purpose of processing their personal data and whether the data have been used in accordance with that purpose,
  • The right to know the third parties to whom their personal data have been transferred, within or outside the country,
  • The right to request correction where their personal data have been processed incompletely or incorrectly,
  • The right to request the erasure or destruction of personal data for which there is no longer any justification or basis for processing under the Personal Data Protection Law or this policy,
  • The right to request that the correction or erasure carried out at their request be notified to the third parties to whom the data have been transferred,
  • The right to object to a result arising to their detriment from the analysis of the processed data exclusively by automated systems,
  • The right to claim compensation for any loss suffered as a result of the unlawful processing of their personal data.

Procedure With Regard to the Application of the Data Owner
Data owners may submit their applications regarding the rights listed above to SBM in accordance with the application procedures stipulated in the Communique Regarding the Procedures and Principles Concerning the Applications to be Made to the Data Controller.
SBM shall conclude the request free of charge, as soon as possible and at the latest within 30 (thirty) days, depending on the nature of the request. However, where the transaction requires additional costs, SBM may charge the fee set out in the tariff determined by the Board. The processes for receiving, communicating and concluding requests shall be conducted pursuant to the relevant procedure.
So that data owners can submit their requests, the rights of the data owners and the contact information of SBM shall be made available in the privacy notices and on the SBM web site.
Regardless of their job descriptions, all SBM personnel are obliged to direct data owners who approach them with access requests to the correct application methods. SBM personnel shall be informed by the Personal Data Protection Committee about the steps to be taken in handling requests received from data owners.
Within this context, the Data Owners can submit their applications by filling in the “Data Owner Application Form” which is available below;

  • By application of the Data Owner in person*,
  • Through a notary*,
  • By mail with return receipt requested, with identity verification*,
  • Via Registered Electronic Mail (KEP)**.

* The data owners may submit their applications by delivering or mailing the completed "Data Owner Application Form" to the address "Sigorta Bilgi ve Gözetim Merkezi Nida Kule Göztepe İş Merkezi Merdivenköy Mah. Bora Sok. No:1 Kat:21 34732 Kadıköy/Istanbul", writing the statement "Information Request Within the Scope of the Personal Data Protection Law" on the envelope.
** Alternatively, the application may be sent to the Registered Electronic Mail address sbm@hs03.kep.tr with the statement "Personal Data Protection Law - Information Request" in the subject line.

Pursuant to the second paragraph of article 4 of the Communique numbered 30356 Regarding the Procedures and Principles Concerning the Applications to be Made to the Data Controller, the right of application may only be exercised if the application is made in Turkish.
Therefore, the application form must be filled in in Turkish.

Data Owner Application Form (PDF)

Sigorta Bilgi ve Gözetim Merkezi

Nida Kule Göztepe İş Merkezi
Merdivenköy Mah. Bora Sok. No: 1 Kat: 21
34732 Kadıköy / İSTANBUL
TIN (Tax Identification No): 859 040 17 41
Tax Office: Erenköy

Sigorta Bilgi ve Gözetim Merkezi İktisadi İşletmesi

Nida Kule Göztepe İş Merkezi
Merdivenköy Mah. Bora Sok. No: 1 Kat: 20-21
34732 Kadıköy / İSTANBUL
TIN (Tax Identification No): 859 052 85 33
Tax Office: Erenköy