Policies & Procedures
Turkiye Addendum to Toll Privacy Policy
1. INTRODUCTION
1.1. Purpose
This Turkiye Addendum to the Toll Privacy Policy on the Protection and Processing of Turkiye Sensitive Personal Data (“Addendum”) sets out the principles to be taken into account within the scope of the Turkish Personal Data Protection Law No. 6698 (“TDPL” or “Law”) in order to ensure the processing of sensitive personal data by Toll Remote Logistics Pty Ltd Merkezi Avustralya Ankara Merkez Şubesi (“Toll”), acting as the data controller, and the protection of such data.
Ensuring that the personal data processed by the Toll is processed in accordance with the Constitution of the Republic of Turkey, international conventions, TDPL and the other relevant legislation, ensuring the effective use of the rights by the Data Subjects and accordingly, providing transparency by informing the persons whose personal data is processed have been determined as priorities for the Toll. Special Categories of Personal Data (“SCPD”) has been regulated in the Law separately, and pursuant to Article 6 of the Law, a stricter protection has been provided for such data. Additionally, the measures to be taken to ensure such protection have been set out in the Board decision of the Personal Data Protection Board (“Board”) on “Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data” (“Decision”) dated 31 January 2018 and numbered 2018/10. The Toll undertakes to comply with this Addendum and the tools, programs and processes to be implemented in accordance with the Addendum in order to ensure the protection of SPDs that are fully or partially automated or processed through non-automatic means provided that they are part of any data registry system.
In this regard, all employees are responsible for the protection of sensitive personal data processed by the Toll. It is obligatory for the Toll to lawfully determine on which processing condition specified in the TDPL is based on the Toll’s business and processes, which include the processing of sensitive personal data. In this respect, it is necessary to act in accordance with this processing condition in the relevant works and processes. For this reason, all employees of Toll are expected to act in compliance with this Addendum in all processes concerning sensitive personal data within the Toll. In addition, they are expected to be aware of the purpose of collecting, processing, using or transferring sensitive personal data processed by Toll in the works and processes carried out by them.
1.2. Scope
This Addendum covers all sensitive personal data processed by the Toll, belonging to all employees, managers and all other relevant third-party individuals, and which are part of a data recording system; along with all kinds of collection, processing and transfer activities that the Toll will implement on the relevant data. This Addendum applies to all recording environments where sensitive personal data owned or managed by the Toll are processed, and to activities related to personal data processing. In the event of any discrepancy between this Addendum and the relevant legislation, the provisions of the legislation shall apply.
1.3. Definitions
The terms defined below have the meanings ascribed to them in the scope of this Addendum:
Explicit Consent
Consent that is freely given, specific to subject and based on information
Recipient Group
The category of natural persons or legal entities, to whom the personal data is transferred by the data controller
Anonymization
Rendering personal data impossible to be associated with an identified or identifiable natural person, even if handled in association with other data
Data Subject
Natural person whose personal data is processed
Destruction
Deletion, destruction or anonymization of personal data
Law/ TDPL
The Law on the Protection of Personal Data numbered 6698
Decision
The Board decision of the Personal Data Protection Board on “Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data” dated 31 January 2018 and numbered 2018/10
Personal Data
Any information relating to an identified or identifiable natural person
Personal Data Processing Inventory
The inventory prepared by data controllers that matches their business processes and personal data processing activities to the relevant data processing purposes, legal grounds for the processing, personal data categories, recipient groups and data subject categories, as well as including the maximum retention periods required for the relevant data processing purposes, the personal data contemplated to be transferred to foreign countries, and the data security measures
Processing of Personal Data
Any operation or set of operations on personal data such as collection, recording, storage, preservation, alteration, disclosure, transfer, acquisition, making available for collection, categorization or restriction by wholly or partly automatic means or any other means forming part of a data registry system
Anonymization of Personal Data
Rendering personal data impossible to be associated with an identified or identifiable natural person, even if handled in association with other data
Erasure of Personal Data
Rendering personal data inaccessible and non-reusable by any means for the Relevant Users
Destruction of Personal Data
Rendering personal data inaccessible, irretrievable and non-reusable by any means for everyone
Authority
The Personal Data Protection Authority
Board
The Personal Data Protection Board
Special Categories of Personal Data (Sensitive Personal Data) / SPD
Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade- unions, health, sexual life, convictions and security measures, and the biometric and genetic data
Data Registry System
The filing system where personal data are processed by being structured according to specific criteria
Data Controller
A natural or legal person, who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the data registry system
2. PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
2.1. Fundamental Principles Followed in the Processing of Sensitive Personal Data
During the processing of the Data Subjects’ personal data, Toll acts in accordance with the fundamental rules and principles of data protection law.
2.1.1. Processing in Compliance with the Law and the Rule of Good Faith
Toll complies with the general principles of law and the rule of good faith in the processing of sensitive personal data. In this respect, personal data of individuals is processed in accordance with the provisions of the legislation, and the rule of faith is followed in personal data processing processes.
2.1.2. Ensuring the Accuracy and – When Necessary- Timeliness of Personal Data
The necessary measures for ensuring the accuracy and timeliness of the special categories of personal data processed by Toll are taken by Toll.
2.1.3. Processing for Specific, Explicit and Legitimate Purposes
Toll clearly and precisely determines the purposes of processing personal data that are legitimate and lawful, and sets out the purposes of processing the special categories of personal data to be obtained in accordance with the principle of certainty and clarity prior to the commencement of the data processing activity. The Toll follows principle of “transparency” towards data subjects.
2.1.4. Being Relevant with, Limited to and Proportionate to the Purposes for Which They are Processed
Sensitive personal data is collected and processed by Toll in accordance with the achievement of the purposes previously determined by Toll, and it avoids processing that is not related to the realization of this purpose or that is unnecessary. In this respect, the Toll processes sensitive personal data obtained by itself in connection with the data processing conditions and only as necessary. Accordingly, the data minimization principle is followed by not collecting, recording and using special categories of personal data more than required for data processing purposes; due care is exercised to ensure that the data processing purpose, the data used for this purpose and the rights of the Data Subject are balanced and proportionate.
2.1.5. Retaining for the Period of Time Set Forth Under the Relevant Legislation or Necessary for the Purpose for Which They are Processed
Sensitive personal data is retained by Toll only for so long as specified in the relevant legislation or required for the purpose for which they are processed. The Toll’s retention periods, and the method followed in determining these retention periods have been set out in Toll’s internal information handling standards and relevant personal data processing inventory.
Upon expiration of the period or elimination of the reasons that require the processing, the sensitive personal data is deleted, destroyed or anonymized by the Toll in accordance with the rules and principles of Toll’s internal information handling standards, in line with the TDPL and the relevant legislation.
2.2. Conditions for Processing of Special Categories of Personal Data
While the purpose of processing personal data means the necessity for which personal data is processed; the condition for processing personal data indicates the legal reason of which this purpose falls within the scope of the TDPL. To process special categories of personal data, it is necessary to rely on one of the processing conditions in Article 6 of the TDPL.
The special categories of personal data has been defined as “personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data” in Article 6 of the TDPL. Unless there is a change in the TDPL or the relevant legislation, special categories of personal data is limited to the data covered by this list.
As a rule, it is prohibited to process the SCPD and it is only possible to process them in the presence of one of the data processing reasons specified in paragraph 2 of Article 6 of the KVKK:
- Explicit consent of the data subject,
- Explicitly stipulated in the laws,
- It is necessary for the protection of the life or bodily integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
- It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
- Being compulsory for the establishment, use or protection of a right,
- It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation to keep secrets or authorised institutions and organisations,
- It is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
- Current or former members and members of foundations, associations and other non-profit organisations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organisations and formations, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties,
3. SPECIAL CATEGORIES OF PERSONAL DATA TRANSFER
Transfer of special categories of personal data is considered as data processing in the scope of the TDPL. Therefore, the requirements to act in accordance with the above-mentioned principles and processing rules also apply to data transfer. It should be kept in mind that data transfer is not limited to a physical transfer only, and that storing sensitive personal data by the persons outside the Toll data on behalf of the Toll or access to such personal data by them for any reason within the scope of the Toll’s business processes are also considered as data transfer.
The transfer of sensitive personal data within the country or abroad is subject to different regulations in the legislation; therefore, the rules to be followed by Toll in the events of data transfer within the country and abroad are different; as explained below:
3.1. Domestic Data Transfer
Domestic data transfer for sensitive personal data has been set forth under Article 8 of the TDPL. According to this provision, sensitive personal data can be transferred within the country in line with the rules of processing such data.
In addition to the points above, adequate measures should be taken. The respective measures have been set out in the decision of the Board on “Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data” dated 31 January 2018 and numbered 2018/10.
In data transfers realized by Toll in Turkey, evaluation should be carried out on the purpose of data transfer, and compliance with the regulations in this Addendum, especially compliance with articles (2.1), (2.2) and (2.3) should be ensured. Data transfers which are not in line with the (i) principles, (ii) data processing conditions and (iii) adequate measures should not be realized.
3.2. Data Transfer Abroad
Pursuant to Article 9 of the TDPL, personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the TDPL exists and there is a adequacy decision on the country, sectors within the country or international organisations to which the transfer will be made. However, at the date of revision of this Addendum, no adequacy decision has been announced for any country.
In the absence of an adequacy decision, data may be transferred abroad by data controllers and processors provided that (i) one of the conditions specified in Articles 5 and 6 of the TDPL exists, (ii) the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country of transfer, and (iii) one of the following appropriate assurances is provided by the parties:
a. Existence of an agreement, which is not an international agreement, between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations having the status of public institution in Turkey and the Board permits the transfer.
b. The existence of binding corporate rules approved by the Board containing provisions on the protection of personal data, which the companies within the group of undertakings engaged in joint economic
activities are obliged to comply with.
c. Existence of a standard contract announced by the Board, containing data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data.
d. Existence of a written undertaking containing provisions to ensure adequate protection and authorisation of the transfer by the Board.
In the event that any of the above-mentioned appropriate assurances cannot be provided, personal data may be transferred abroad only in the presence of one of the following cases, provided that it is incidental:
- Explicit consent of the Data Subject to the transfer, provided that the Data Subject is informed about the possible risks.
- The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
- The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
- The transfer is mandatory for a superior public interest.
- The transfer of personal data is mandatory for the establishment, exercise or protection of a right.
- The transfer of personal data is mandatory for the protection of the life or physical integrity of the person himself/herself or of another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
- Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.
The safeguards specified in the TDPL will also be provided by Toll and data processors in terms of subsequent transfers of personal data transferred abroad and transfers to international organisations.
4. INFORMING THE DATA SUBJECT
Within the scope of Article 10 of the TDPL, data controllers are obliged to inform the Data Subjects as to the data processing activity during the collection of the data. Notifications to be made by Toll to the Data Subjects are made together for all personal data, both sensitive and non-sensitive data.
5. MEASURES SPECIFIC TO SENSITIVE PERSONAL DATA
Toll takes the administrative and technical measures necessary for the processing of sensitive personal data as specified in the Decision No. 2018/10 resolved by the Board, including maintaining appropriate administrative, technical, and physical safeguards designed to protect the personal data against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure, or use .
5.1. Administrative Measures
5.1.1. Providing Training to Employees
Periodic trainings are provided by the Toll to the employees taking part in the processes where SCPD is processed.
5.1.2. Obtaining Letter of Undertaking from Employees/Executing Non-Disclosure Agreement
An undertaking has been obtained from/non-disclosure agreement has been executed with Toll employees taking part in the processes where SCPD is processed, in which they accept their obligations regarding the protection of special categories of personal data.
5.1.3. Measures Taken in terms of Physical Environments
For events where special categories of personal data is kept in physical environments such as archives and in-office cabinets, the security of the environment has been ensured against situations such as electricity leakage, fire, flood, theft, etc. To prevent unauthorized access to these environments, control is provided through the card-pass system.
5.2. Technical Measures
5.2.1. Measures Taken in terms of Access Authorities
Authorities of the employees/users who are authorized to access systems containing special categories of personal data, and duration of such authorizations are specified in the job description/employment contracts /internal procedures. Periodic controls are carried out for the relevant access authorizations; and the authorizations of the former employees or the ones whose authorization to access the aforementioned systems have changed due to their duties are immediately revoked.
5.2.2. Electronic Media-Specific Measures
In electronic environments where special categories of personal data is accessible, such data is protected by encryption with appropriate technical methods. The keys of these passwords are kept in a different media than the personal data. The updates related to the security of the environment where the data is located along with the updates of the software and hardware itself are followed and regular tests are carried out.
5.2.3. Measures Regarding Transaction Security
A two-stage authentication system is used if the remote access to electronic environments where sensitive personal data is accessible granted. Regardless of the medium of access, records of all transactions carried out on SCPD in electronic environment are kept securely.
5.3. Transfer-Related Measures
Apart from the above, additional measures are taken in the event of data transfer in accordance with the Decision. These measures taken by Toll vary according to the transfer method of the data as summarized below:
• If the data is required to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a Registered Electronic Mail (KEP) account.
• Data transfer via media such as Portable Memory, CD, DVD is a method used by TOLL only when necessary. In this case, the data is encrypted using cryptographic methods and the cryptographic key is kept in a different environment.
• During transfers between servers in different physical environments, data transfer is performed by establishing a VPN between servers or using the sFTP method.
• In the event that the data is transferred via hard copy documents, necessary measures are taken against the risks such as theft, loss or viewing of the document by unauthorized persons, and a confidentiality mark is stamped on the envelope in which the document is carried.
In accordance with Article 12 of the TDPL, Toll carries out internal audits regarding the implementation of the relevant legislation and the provisions of this Addendum either by itself through third parties.
6. MEASURES TAKEN IN THE SCOPE OF ARTICLE 12 OF THE TDPL
In order for the secure retention of, preventing unlawful processing of or access to personal data, within the scope of the principles in Article 12 of the TDPL1, the Toll takes all kinds of measures (i) required by the TDPL and relevant legislation and (ii) it deems necessary to ensure data security.
The respective measures are implemented without any change in terms of both sensitive data and non-sensitive data.
7. ENTRY INTO FORCE AND UPDATES
This Addendum has been entered into force on 12 June 2024.
The Addendum is reviewed as needed and the necessary sections are updated. Amendments made to this
1 Obligations Regarding Data Security
ARTICLE 12 – (1) Data controller shall take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:
a)Preventing unlawful processing of personal data, b)Preventing unlawful access to personal data,
c)Ensuring protection of personal data.
Addendum have been set out in page 2.
In line with the relevant legislation, this Addendum will be adapted to the necessary updates and, when deemed necessary, in consultation with the relevant units, the steps to be taken by the Toll may be re-determined.
