Home » Policy of Processing – Protection and Destruction of Personal Data

Policy of Processing – Protection and Destruction of Personal Data

[Validity Start Date: October 07, 2016]

 

Section 1: LEGISLATION, PURPOSE AND SCOPE

This Policy of Processing, Protection and Disposal of Personal Data has been prepared in accordance with the Law on Protection of Personal Data of the Constitution of the Republic of Turkey dated April 07, 2016 and numbered 6698 (hereinafter referred to as “Law”) and with other relevant legislation, and for determining and announcing the rules, principles and obligations of our University regarding all personal data processed all personal data of our students, potential students, student relatives, parents, employees, visitors, candidate employees, the employees, shareholders and officials of institutions that we are in cooperation and/or get service and all other third parties who share personal data with us and/or come into contact with us in any way that will result in personal data sharing, or that are processed automatically or by non-automatic means provided that they are part of any data recording system.

This Policy shall be published on the official website of our University.

 

Section 2:OUR FUNDAMENTAL PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

In Article 4 of the Law, the procedures and principles regarding the processing of personal data are regulated in line with the European Convention on the Protection of Individuals against Automatic Processing of Personal Data No 108 and the European Union Data Protection Directive No 95/46/EC.

According to the Law, the general principles to be followed in the processing of personal data are as follows:

  • Compliance with the law and honesty rules,
  • Being accurate and up-to-date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being connected, limited and measured with the purpose for which they are processed,
  • Being stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

In this context, the principles regarding the processing of personal data by our University are taken into account in the essence of all personal data processing activities, and the performance of data processing activities in accordance with these principles is adopted as the University policy.

 

Section 3: PERSONAL DATA PROCESSING

Personal Data

Personal data is any kind of information relating to an identified or identifiable natural person.

The processing of personal data is possible if at least one of the conditions listed in Article 5 of the Law is present.

In accordance with this, it is possible to process the personal data of the relevant person in the presence of one of the following situations:

  • Existence of the explicit consent of the person concerned,
  • It is clearly stipulated in the laws,
  • It is compulsory for the protection of the life or physical integrity of the person who is unable to disclose their consent due to the actual impossibility or whose consent is not legally valid,
  • Provided that it is directly related to the establishment or performance of a contract, it is necessary to process personal data belonging to the parties to the contract,
  • It is mandatory for the data controller to fulfill their legal obligation,
  • It is made public by the person concerned,
  • Data processing is mandatory for the establishment, use or protection of a right,
  • It is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

The processing conditions of personal data, that is, the cases of compliance with the law, have been listed in a limited number in the Law and these conditions cannot be expanded.

If the personal data processing is based on one of the conditions shown above, then explicit consent from the person concerned is not required.

     Sensitive Personal Data

Sensitive personal data are data that, if learned, may cause discrimination or victimization about the person concerned.

Therefore, they need to be protected much more tightly than other personal data.

Sensitive personal data can be processed with the explicit consent of the person concerned or in limited cases listed in the Law.

In the Law, special quality personal data are determined through limited counting.

These are data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data of the persons.

It is not possible to expand sensitive personal data by comparison.

The law also makes a distinction between sensitive personal data. Accordingly, the processing of personal data related to health and sexual life and the conditions where sensitive personal data other than these can be processed without express consent are regulated differently.

According to the Law, the processing of special quality data is possible in the following cases, except for the express consent of the person concerned.

  • Sensitive personal data other than health and sexual life, only in cases stipulated by law,
  • Personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.

In this context, the conditions regarding the processing of personal data by our University are taken into account in the essence of all personal data processing activities, and the performance of data processing activities in accordance with these conditions is adopted as the University policy.

 

Section 4: DATA TRANSFER 

  1. Domestic Transfer

It is stipulated that personal data obtained for processing within the framework of the general principles specified in the Law can be transferred to third parties by obtaining the express consent of the relevant person in accordance with Article 8 of the Law.

The Law seeks the same conditions in terms of processing personal data and transferring these data domestically.

This article also specifies the conditions under which personal data can be transferred to third parties without the explicit consent of the person concerned.

On the other hand, processing personal data domestically in accordance with the law does not mean that they can be transferred directly. In other words, the conditions in articles 5 and 6 of the Law should also be sought for transfer.

In this context, one of the following conditions must be found in order to transfer personal data. These conditions;

  • Obtaining the express consent of the relevant person,
  • It is clearly stipulated in the laws,
  • It is compulsory for the protection of the life or physical integrity of the person who is unable to disclose their consent due to the actual impossibility or whose consent is not legally valid,
  • Provided that it is directly related to the establishment or performance of a contract, it is necessary to process personal data belonging to the parties to the contract,
  • It is mandatory for the data controller to fulfill their legal obligation,
  • It is made public by the person concerned,
  • Data processing is mandatory for the establishment, use or protection of a right,
  • It is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

It is possible to transfer sensitive personal data within the country, if the explicit consent of the relevant person is obtained and / or if it is clearly stipulated in the laws in terms of private personal data other than health and sexual life and in terms of personal data related to health and sexual life, it is possible for persons or authorized institutions and organizations under the obligation of confidentiality to transfer sensitive personal data within the country for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.

In contrast to the fact that personal data can only be data belonging to real persons, “data controller” and “data processor” can be both natural and legal persons.

Any natural or legal person performing transactions on personal data is either the data controller or the data processor, depending on the purpose and methods of data processing.

In this context, it is necessary to comply with the regulations in Article 8 of the Law for all kinds of data transfer between the persons in these two categories.

  1. Foreign Transfer

According to Article 9 of the Law, data transfer abroad can be carried out in the following cases:

  • Having the explicit consent of the person concerned,
  • Existence of circumstances specified in the Law in data transfer to countries with sufficient protection (countries deemed safe by the Board) (conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Law)
  • In the presence of cases specified in the Law in data transfer to countries where there is not sufficient protection (conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Law), sufficient protection is undertaken in writing and the Board’s permission is present.

The law seeks the same conditions in terms of processing personal data and transferring these data abroad. In addition, it is stipulated to take additional measures in the transfer of personal data abroad.

It is possible to transfer personal data abroad if the person concerned has explicit consent.

In cases other than explicit consent, the Law introduced different provisions for the transfer of personal data abroad, depending on whether there is sufficient protection in the country where the transfer will be made.

  1. In Case Sufficient Protection Is Available

Personal data can be transferred abroad in the following cases;

  • It is clearly stipulated in the laws,
  • It is compulsory for the protection of the life or physical integrity of the person who is unable to disclose their consent due to the actual impossibility or whose consent is not legally valid,
  • Provided that it is directly related to the establishment or performance of a contract, it is necessary to process personal data belonging to the parties to the contract,
  • It is mandatory for the data controller to fulfill their legal obligation,
  • It is made public by the person concerned,
  • Data processing is mandatory for the establishment, use or protection of a right,
  • It is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

For sensitive personal data, if there is sufficient protection in the country where the personal data will be transferred, personal data other than health and sexual life can be transferred abroad if explicitly stipulated by law, and in countries with adequate protection, personal data on health and sexual life can only be transferred abroad for the protection of public health, for the purpose of conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing, by persons under the obligation of secrecy or the authorized Institution organizations, without the express consent of the person concerned.

  1. For Data Transfer To Countries Without Sufficient Protection
  • At least one of the conditions listed in article 5 or 6 of the Law must be fulfilled,
  • Data controllers in Turkey and the relevant foreign country are required to undertake an adequate protection in writing,
  • Authorization of the board is required.

In this context, our University has determined to act in accordance with the provisions described above as the University policy, and provided that the personal data comply with the aforementioned conditions; Council of Higher Education (YOK), institutions or organizations permitted and / or required by the provisions of the legislation, domestic and international schools and universities, program partners, affiliates and / or direct / indirect affiliates, persons and organizations that we contractually serve, cooperate with, to carry out our activities are third parties who are responsible for taking data security measures such as preserving all kinds of personal data with our units, preventing unauthorized access and preventing unlawful processing.

 

Section 5: DATA CHANNELS 

Personal data can be collected by our University in verbal, written or electronic media in accordance with the processing conditions specified in Articles 5 and 6 of the Law, by student affairs and registration units and our other employees, administrative and academic units, secretariat, reception, security units, domestic and international schools and program partners and companies that we receive service, through channels such as dormitory and lodging registration and application forms, websites and e-mails, mobile applications, collected forms and minutes, our promotion unit employees, our promotional practices, health reports, HES (Hayat Eve Sığar – Life Fits Into Home) Codes, systems such as YOKSIS (Higher Education Information System), university and course management systems, distance communication platforms, educational software platforms, contracts, applications, proposals, audio and video recordings, sharing arising from academic requirements with domestic and foreign schools, cookies used on computers during website visits.

 

Section 6: DATA PROCESSING PURPOSES 

The purposes and legal reasons for processing and transferring personal data are carrying out university-student relations, updating contact information, opening and tracking the records of students and their relatives in the system, reporting and evaluating education, scholarship and job opportunities, fulfilling legal and contractual obligations, providing all services, carrying out registration and subsequent transactions, fulfillment of financial obligations, including invoicing procedures, enabling relevant units to communicate with relevant persons, making announcements and ensuring general satisfaction, maintaining graduate relations, determining the needs of the relevant people according to their tastes, habits and demands, ensuring the safety of our university and those concerned, protecting public health, determining our strategies, providing our services in accordance with the requirements of legislation, contract and technology, developing our services, conducting promotional activities, analyzing the needs, organizing all records and documents for the purpose of processing in electronic or physical environment, sharing with schools and universities in Turkey and abroad due to academic requirements such as student exchange programs, graduate programs, and fulfilling the obligations to keep, report and inform information stipulated by legislation, relevant regulatory institutions and other authorities.

 

Section7: OUR OBLIGATIONS

  1. Disclosure Obligation

The Law grants the data subjects the right to obtain information about by whom, for what purposes and legal reasons, and for what purposes it can be transferred, and deals with these issues within the scope of the data controller’s disclosure obligation.

Accordingly, our University, as the data controller, has adopted the obligation to clarify the following matters and has adopted the University policy to comply with the relevant obligation.

  • The identity of the data controller and, if any, its representative,
  • For what purpose personal data will be processed,
  • To whom and for what purpose personal data can be transferred,
  • The method and legal reason for collecting personal data,
  • Other rights listed in Article 11.

In this context, you can access our Clarification Text at https://w3.bilkent.edu.tr/bilkent/clarification-text-on-the-personal-data-protection-law/.

  1. Obligations Regarding Data Security

According to Article 12 of the Law on data security, our University is responsible for the following issues as a data controller:

  • To prevent unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • To ensure the protection of personal data.

In order to fulfill these obligations, the data controller has to take all necessary technical and administrative measures to ensure the appropriate level of security.

In the event that personal data is processed by another natural or legal person on their behalf, the data controller is jointly responsible with these persons for taking necessary measures.

The Law also imposes an audit obligation on the data controller regarding data security.

The data controller is obliged to carry out the necessary audits or have them done in their Institution or organization in order to ensure the implementation of the provisions of the Law.

Therefore, the data controller can perform this control by themselves or through a third party.

On the other hand, data controllers and persons who process data cannot disclose the personal data they have learned to anyone in violation of the provisions of the Law and cannot use them for purposes other than processing. This obligation continues even after they leave the job.

Finally, in case the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board as soon as possible. The Board, if necessary, may announce this situation on its website or by any other method it deems appropriate.

In this context, the principles of data security are taken into consideration in all our activities by our University, utmost care is taken to ensure data security, and the situation is determined as our University policy.

  1. Obligation of Answering the Applications Made by the Relevant Parties

Data controllers should conclude the requests regarding the implementation of the Law submitted to them in writing or by other methods determined by the Board, as soon as possible and within 30 (thirty) days at the latest, free of charge.

However, if the transaction requires an additional cost, the data controller may request the fees in the tariff determined by the Board from the applicant.

If the data controller accepts the request or rejects it by explaining the reason, it informs the relevant person in writing or electronically.

If the request in the application is accepted, the requirement of this request is fulfilled by the data controller.

If the application is caused by the error of the data controller, the fee received is returned to the person concerned.

In case the application is rejected, the response is found to be insufficient or the application is not answered in time; The person concerned can make a complaint to the Board within 30 (thirty) days from the date they learn the response of the data controller, and in any case within 60 (sixty) days from the date of application.

In this context, it has been determined as our University policy to comply with the obligations of answering the applications made by the concerned parties.

  1. Obligation to Deletion, Destroy or Anonymize Personal Data in Case that the Reasons Requiring its Processing No Longer Exist

Deletion of Personal Data is the process of making personal data inaccessible and unavailable for the relevant users in any way.

The data controller is obliged to take all necessary technical and administrative measures to make the deleted personal data inaccessible and unavailable for the relevant users.

Destruction of Personal Data is the process of making personal data inaccessible, irretrievable and non-reusable in any way.

The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

Making Personal Data Anonymous is making personal data unidentifiable or unrelated to a natural person, even if it is matched with other data. In order for personal data to be anonymized, personal data must be rendered unrelated to an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording medium and the relevant field of activity, such as recycling by the data controller, recipient or recipient groups and matching the data with other data.

The data controller is obliged to take all necessary technical and administrative measures regarding the anonymization of personal data.

Although personal data has been processed in accordance with the law, in the event that the reasons for its processing disappear, it has been determined as our University policy to delete, destroy or anonymize these data, either ex officio or upon the request of the relevant person.

  1. Obligation to Fulfill Board Decisions

If the Board determines the existence of a violation upon the complaint or as a result of the examination of the issues that fall within its scope of responsibility, upon the complaint or if it finds out about the alleged violation, it decides that the illegality is remedied by the data controller and notifies the decision to the concerned parties. The data controller must fulfill this decision without delay and within 30 (thirty) days at the latest from the date of notification.

 

Section 8:RIGHTS OF THE RELEVANT PERSON

Within the framework of Article 11 of the Law, the person concerned always has the following rights regarding himself / herself by applying to the data controller:

  • To learn whether personal data is processed or not,
  • To request information if personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used appropriately for their purpose,
  • To know the third parties to whom personal data are transferred domestically or abroad,
  • To request correction of personal data in case of incomplete or incorrect processing,
  • To request the deletion or destruction of personal data,
  • To request notification of the processes regarding the correction, deletion or destruction of personal data to third parties to whom personal data have been transferred,
  • To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • To request the compensation of the damage in case of damage due to the processing of personal data in violation of the Law.

Our University has accepted to act in accordance with the rights of the relevant persons as the University policy, and personal data owners will be able to submit their requests regarding the above-mentioned rights by filling out this form and signing with a wet signature by sending a registered letter to ” İhsan Doğramacı Bilkent Üniversitesi, 06800, Çankaya, ANKARA” address.

 

Section 9: DESTRUCTION OF PERSONAL DATA 

  1. Causes Requiring Destruction

Personal data are deleted, destroyed or ex officio deleted, destroyed or anonymized by our Institution at the request of the relevant person in the following cases,

  • The amendment or abolition of the relevant legislation provisions that form the basis of its processing,
  • The disappearance of the purpose requiring processing or storage,
  • In cases where the processing of personal data is only based on express consent, the person concerned withdraws their express consent
  • In accordance with Article 11 of the Law, acceptance of the application made by the University for the deletion and destruction of personal data within the framework of the rights of the person concerned,
  • In the event that our university rejects the application made by the person concerned with the request for deletion, destruction or anonymization of their personal data, finds the answer inadequate or does not respond within the period stipulated in the Law; making a complaint to the Board and approval of this request by the Board,
  • The maximum period for the storage of personal data has passed and there are no conditions to justify the storage of personal data for a longer period.
  1. Personal Data Destruction Techniques

2.1 Deletion of Personal Data

Personal Data on Servers

For personal data stored on the servers whose the period of storage has expired, the system administrator removes the access authorization of the relevant users and deletes them.

Personal Data in Electronic Environment

For the personal data stored in electronic environment whose period of storage has expired, they are made inaccessible and unavailable in any way for other employees (relevant users) except for the database administrator.

Personal Data in Physical Environment

For the personal data stored in physical environment whose period of storage has expired, they are made inaccessible and unavailable in any way for other employees, except for the department manager responsible for the document archive.

In addition, the blackening process is also applied by scratching/painting/striking it in an illegible way.

Personal Data on Portable Media

For the personal data stored on Flash-based storage media whose period of storage has expired, they are encrypted by the system administrator and the access authority is given only to the system administrator and stored in secure environments with encryption keys.

2.2 Destruction of Personal Data

Personal Data in Physical Environment

For the personal data stored on paper whose period of storage has expired, they are irreversibly destroyed in the shredders.

2.3 Making Personal Data Anonymous

The anonymization of personal data is to render personal data in no way associated with an identified or identifiable natural person, even if they are matched with other data.

In order for personal data to be anonymized, it must be rendered unrelated to a natural person whose identity is identified or identifiable, even by using appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of personal data by the data controller or third parties and/or matching the data with other data.

  1. STORAGE AND DESTRUCTION PERIODS

Our university retains personal data only for the period specified in the relevant legislation or for the purpose for which they are processed. In this context, our University first determines whether a period is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, if a period is not determined, it stores the personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed or anonymized by our University in the event of the expiration of the period or the disappearance of the reasons for processing.

 

Section 10:

This policy has been prepared in order to determine and announce the norms, principles and obligations of our Institution.