Blockchain Lab Yazılım A.Ş. and its personnel undertake to comply with the principles and rules set by the Constitution of the Republic of Turkey, the Law on the Protection of Personal Data No. 6698 (“KVKK”), and other legislation regarding the protection of personal data and to protect the rights of individuals whose data is processed by Blockchain Lab Yazılım A.Ş. For this purpose, Blockchain Lab Yazılım A.Ş. has adopted a written personal data protection policy and system to be implemented and developed.
The purpose of the Personal Data Protection Policy is to ensure that Blockchain Lab Yazılım A.Ş. establishes and realizes its own standards in the management of personal data, determines and supports organizational goals and obligations, to establish control mechanisms in line with the acceptable risk level, to fulfill the obligations to which it is subject in accordance with international conventions, the Constitution, laws, contracts and professional rules in the field of personal data protection and to protect the interests of individuals in the best possible way.
Company: Blockchain Lab Yazılım A.Ş.
Law: Law on Protection of Personal Data No. 6698
Board: Personal Data Protection Board
Recording medium: The name given to any medium where the processed personal data is stored.
Destruction: Deletion, anonymization or destruction of personal data
Periodic destruction: The process of deletion, anonymization and destruction to be carried out at recurring intervals.
Explicit Consent: Consent about a specific subject, based on information and expressed with free will.
Anonymization: The irreversible change of personal data in such a way that it loses its quality as personal data. I.e. making personal data incapable of being associated with a real person by techniques such as masking, aggregation and data corruption etc.
Personal Data Owner: The real person whose personal data is processed.
Personal Data: Any information that can be associated with an identified or identifiable real person.
Special Quality Personal Data: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect, dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special quality data.
Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making it available, classifying or preventing the use of personal data completely or partially automatically or by non-automatic means provided that it is a part of any data recording system.
Data Processor: The real or corporate entity who processes personal data on behalf of the data controller, based on the authority given by them.
Recipient group: The real or corporate entity to which personal data is transferred by the data controller.
Relevant user: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Personal data processing inventory: The inventory created by data controllers by associating the personal data processing activities they carry out depending on their business processes with the purposes of processing the personal data, the data category, the transferred recipient group and the data subject group, and detailing by explaining the maximum period required for the purposes for which personal data is processed, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
Personal data retention and destruction policy: The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.
Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority.
Data registration system: The registration system in which personal data is processed and structured according to certain criteria.
Direct identifiers: The identifiers that, by themselves, directly reveal, disclose and distinguish the person with whom they are in a relationship.
Indirect identifiers: The identifiers that combine with other identifiers to reveal and distinguish the person with whom they are in a relationship.
Relevant person: The real person whose personal data is processed.
Obfuscation: The process of scratching, painting and frosting all of the personal data in such a way that it cannot be associated with an identified or identifiable real person.
Masking: Processes such as erasing, scratching, painting and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable real person.
Policy provisions cover all information systems and sub-information, contracts, environmental and physical areas, and systems and regulations produced for all these, which are involved in the processing of personal data in Blockchain Lab Yazılım A.Ş.’s fields of activity and work areas. This policy covers all units of Blockchain Lab Yazılım A.Ş., employees of the company providing support services, interns and contracted personnel. Any action that violates the KVKK or this policy is evaluated within the scope of the relevant legislation, and sanctions are applied accordingly.
Blockchain Lab Yazılım A.Ş.’s solution partners, public institutions and all third parties working with Blockchain Lab Yazılım A.Ş. are invited to read and comply with this policy. No third party can access personal data processed by Blockchain Lab Yazılım A.Ş. without a written confidentiality agreement that includes obligations with standards as strong as Blockchain Lab Yazılım A.Ş.
Blockchain Lab Yazılım A.Ş. is the data controller in accordance with KVKK.
Every member of staff of Blockchain Lab Yazılım A.Ş. is responsible for the development and promotion of good practices in the processing of personal data and other obligations within Blockchain Lab Yazılım A.Ş.
The KVK Committee is established as the committee in charge of managing the personal data protection system and ensuring and documenting compliance with KVKK and other relevant legislation, and is responsible to the board of directors in these matters.
KVK Committee: The members of the KVK Committee are appointed by the board of directors, taking into account their expertise and experience in personal data protection legislation and practices, and report directly to the board of directors.
KVK Committee Duties and Responsibilities:
· The Committee should inform the board of directors about the Personal Data Protection legislation and developments.
· The Committee is responsible for ensuring that Blockchain Lab Yazılım A.Ş.’s policies and procedures are up-to-date, data processing audits are carried out in accordance with the planned schedule, and that they comply with the relevant legislation.
· The Committee acts together with the relevant personnel in all matters of personal data protection.
· The Committee provides information and advice on personal data protection legislation and compliance to Blockchain Lab Yazılım A.Ş.’s relevant partners and support service suppliers.
· The Committee provides information and advice to Blockchain Lab Yazılım A.Ş. staff regarding their obligations under personal data protection legislation.
· The Committee monitors the compliance of Blockchain Lab Yazılım A.Ş.’s data processing activities with personal data protection legislation.
· The Committee contributes to Blockchain Lab Yazılım A.Ş.’s development and maintenance of its personal data protection policy and related procedures and processes.
· The Committee assigns responsibilities within Blockchain Lab Yazılım A.Ş. in the context of compliance with personal data protection legislation.
· The Committee provides necessary training and awareness for all personnel involved in personal data processing procedures.
· The Committee observes and reports compliance with Personal Data Protection Legislation by ensuring regular audits.
· The Committee provides information and advice for personal data protection impact analysis reports.
· The Committee acts in cooperation and communication with the KVK Board.
· Before the KVK Board, Blockchain Lab Yazılım A.Ş. functions as a point of contact and representative and provides information and advice to the Board as needed.
· The Committee ensures the operation of the process of reporting information security incidents and investigations to the Board.
· The Committee contributes to the business continuity plan process.
· The Committee provides information and advice on keeping corporate records.
· The Committee ensures the determination of the scale at which personal data is collected, kept, used and the storage conditions in accordance with information security standards within the Blockchain Lab Yazılım A.Ş.
· The Committee ensures that monitoring and evaluations are made regarding compliance with the protection of personal data, security practices and other controls that may be necessary.
· The Committee makes additional recommendations for the determination and implementation of controls to ensure the confidentiality, integrity and accessibility of personal data.
· The Committee presents the issues that pose a potential risk in terms of personal data within the Blockchain Lab Yazılım A.Ş. and their suggestions regarding this issue to the agenda of the Management Committee.
· The KVK Committee may request cooperation from all personnel, including access to systems and records, while performing the duties of Blockchain Lab Yazılım A.Ş. regarding the collection, processing and storage of personal data.
· All personnel of Blockchain Lab Yazılım A.Ş. who process personal data are responsible for complying with the Personal Data Protection legislation.
· Blockchain Lab Yazılım A.Ş. is responsible for carrying out the necessary notifications and trainings so that all personnel know their responsibilities in the field of personal data protection and have the necessary awareness.
· Blockchain Lab Yazılım A.Ş. personnel are obliged to ensure the accuracy and up-to-dateness of all personal data provided to Blockchain Lab Yazılım A.Ş.
5.1. Data Protection Principles
Blockchain Lab Yazılım A.Ş. will comply with the personal data protection legislation and data protection principles.
The data protection principles adopted by Blockchain Lab Yazılım A.Ş. include:
· Processing personal data only if it is clearly necessary for legitimate corporate purposes,
· Processing personal data at the minimum required for these purposes and not processing more data than necessary,
· Providing clear information to individuals about how their personal data is used and by whom it is used,
· Processing only relevant and appropriate personal data,
· Processing personal data in accordance with the law and equity,
· Keeping an inventory of personal data categories processed by Blockchain Lab Yazılım A.Ş.,
· Keeping personal data accurate and up-to-date when necessary,
· Storing personal data only for as long as required by legal regulations, legal obligations of Blockchain Lab Yazılım A.Ş. or legitimate corporate interests,
· Respecting the rights of individuals regarding their personal data, including the right of access,
· Keeping all personal data safe,
· Transferring personal data abroad only in accordance with the explicit consent of the persons or in case of adequate protection,
· Applying the exceptions allowed in accordance with the legislation,
· Establishing and implementing the personal data protection system for the implementation of the policy,
· When necessary, determining the internal and external stakeholders who are parties to the personal data protection system and to what extent they are included in the personal data protection system of Blockchain Lab Yazılım A.Ş.
· Identifying personnel with special authorization and responsibilities regarding the personal data protection system.
All personal data processing activities must be carried out in accordance with the following data protection principles. Blockchain Lab Yazılım A.Ş.’s policies and procedures aim to ensure compliance with these principles:
· Compliance with the law and equity rules,
· Being accurate and up-to-date when necessary,
· Processing for specific, explicit and legitimate purposes,
· Being connected, limited and restrained with the purpose for which they are processed,
· Keeping for the period required by the relevant legislation or for the purpose for which they are processed.
Personal data is processed in a transparent and lawful manner.
In this direction, Blockchain Lab Yazılım A.Ş. includes privacy statements regarding the personal data processing activities it carries out, in the data collection channels and in the relevant forms. The areas where notifications containing clear and understandable information about who and for what purposes are processed by Blockchain Lab Yazılım A.Ş. are determined by conferring with the KVK Committee. These notifications include the following:
· Identity and contact information of Blockchain Lab Yazılım A.Ş. as data controller,
· Types of personal data processed,
· Purposes of processing personal data,
· Methods of collecting personal data,
· Based on which legal reason personal data is processed,
· Estimated storage period of personal data,
· Rights of the data owner,
· Third parties with whom the data may be shared.
Personal data may only be processed for specific, explicit and legitimate purposes.
The reasons/purposes for processing personal data are determined in the personal data inventory, and personal data cannot be used for any purpose other than the stated one without another legal justification or the explicit consent of the data owner. If conditions arise that require the use of personal data for purposes other than those specified in the personal data inventory, this situation is reported to the KVK Committee by the relevant personnel/unit. The KVK Committee checks the suitability of the new purpose and, if necessary, ensures that the data owner is informed about the new purpose and new data processing activity.
Personal data should be processed appropriately, relevantly and to a limited extent for the purposes of processing.
The KVK Committee is obliged to ensure that personal data that is not clearly necessary for the purpose of processing is not collected and processed.
The KVK Committee is informed about all data collection channels.
The KVK Committee checks that the data processed is appropriate and relevant through the personal data inventory updated every year.
The KVK Committee checks that all data processing methods are appropriate and relevant through the internal or external audit that it conducts or commissions on an annual basis.
The KVK Committee is responsible for stopping the data processing activity in terms of personal data that it determines to be inappropriate or not relevant or excessive in terms of the purpose of processing, and for the safe destruction of the processed data in accordance with the procedure in which the storage and destruction process is defined.
Personal data must be accurate and up-to-date.
The accuracy and up-to-dateness of data kept for a long time should be reviewed. Blockchain Lab Yazılım A.Ş. is responsible for educating all personnel about collecting and storing their data accurately and up-to-date.
The accuracy and up-to-dateness of the data kept regarding the personnel is the responsibility of the relevant personnel.
Employees/customers/institutions and other relevant persons should inform Blockchain Lab Yazılım A.Ş. to update the processed personal data.
The KVK Committee may instruct the relevant unit to evaluate the type, storage period and amount of the data processed through the data inventory, and to review the accuracy or timeliness of certain data.
Personal data should be processed in such a way that the data subject can only be identified if necessary for the purpose of processing.
In order to protect the rights and freedoms of individuals, in cases where personal data is kept beyond the specified period due to requirements such as backup or data security is compromised, secure destruction methods determined by the Board are applied for personal data.
Written approval of the KVK Committee is obtained when the processing of personal data is required for more than the specified periods in accordance with the procedure in which the storage and destruction process is defined.
Blockchain Lab Yazılım A.Ş. informs Personal Data Protection Board (“KVK Board”) about the fact that it is the data controller and which personal data categories are processed in this capacity. Blockchain Lab Yazılım A.Ş. identifies all categories of personal data it processes in its personal data inventory.
The notification is made in accordance with the procedure and method to be determined by the KVK Board and a copy of the notification is kept by the Compliance Unit.
If deemed necessary by the relevant legislation or the KVK Board, the notifications are repeated periodically.
The KVK Committee annually reviews the data processing activities of Blockchain Lab Yazılım A.Ş. and the changes in them in order to identify potential changes in the notification made to the KVK Board and informs the KVK Board when necessary.
5.3. Risk assessment
Blockchain Lab Yazılım A.Ş. identifies the risks associated with the processing of certain types of personal data.
Blockchain Lab Yazılım A.Ş. has a procedure to assess the risks that the processing of personal information may pose on individuals. This evaluation is carried out by taking into account the third parties who process the data on behalf of the Blockchain Lab Yazılım A.Ş. Blockchain Lab Yazılım A.Ş. manages the risks identified as a result of the evaluation in a way that does not create non-compliance with this policy.
If a certain type of data processing is likely to pose a high risk to personal rights and freedoms due to its nature, context and purposes, Blockchain Lab Yazılım A.Ş. must manage potential risks by performing an impact analysis prior to data processing. A single assessment may be based on multiple data processing activities involving similar risks.
If at the end of the impact analysis it is understood that Blockchain Lab Yazılım A.Ş. is about to start a data processing activity that may pose a high risk to personal rights and freedoms, the approval of the KVK Committee is sought on this issue. If the KVK Committee deems it necessary, it receives the opinion of the KVK Board on the subject.
In risk management, systems and controls are applied in accordance with the system that Blockchain Lab Yazılım A.Ş. has already adopted under its Information Security Policy and Risk Management Policy.
5.4. Obtaining Explicit Consent
Blockchain Lab Yazılım A.Ş. accepts the consent of the data owner as explicit consent, which is based on information regarding certain data processing activities, and which reveals the will for data processing with free will, expressed by a written/verbal statement or open affirmative action. Explicit consents are obtained in writing or systematically in a way that is suitable for proof. Explicit consent can always be withdrawn by the data owner.
In case the data processing activity based on explicit consent will be continuous or repeated, the explicit consents obtained are checked. The up-to-dateness and accuracy of these explicit consents is the responsibility of the relevant unit. Explicit consent forms or other relevant proof tools regarding data processing activity based on explicit consent are kept by the relevant unit.
5.5. Data security
All personnel are obliged to ensure that the data processed by Blockchain Lab Yazılım A.Ş. which are under their responsibility, are kept secure and not disclosed to third parties unless they sign a confidentiality agreement.
Only those who need access to personal data should be able to access them.
Information security incidents related to personal data are notified to the KVK Board and the relevant person as soon as possible, and within 72 hours at the latest, after the KVK Committee has definitively determined them.
5.6. Data Sharing
Personal data can only be shared with third parties in accordance with the law and equity. Accordingly, in order for personal data to be shared, one of the following conditions must be met:
· The explicit consent of the data owner is obtained,
· It is clearly stipulated in the laws,
· It is necessary for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
· It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract to which Blockchain Lab Yazılım A.Ş. is or will be a party,
· It is mandatory for Blockchain Lab Yazılım A.Ş. to fulfill its legal obligation,
· The data has been made public by the person concerned himself,
· Data processing is mandatory for the establishment, use or protection of Blockchain Lab Yazılım A.Ş.’s rights,
· Data processing is mandatory for the legitimate interests of Blockchain Lab Yazılım A.Ş., provided that it does not harm the fundamental rights and freedoms of the person concerned.
Personal data can only be transferred abroad if the above conditions are met and adequate protection is available in the destination country or the explicit consent of the data owner is obtained for this transfer.
In the transfer of personal data abroad, the list of countries with adequate protection determined by the Board is taken into account.
When it comes to the transfer of personal data abroad, the KVK Committee provides the necessary permissions and notifications to the Board in accordance with KVKK and related legislation.
All transactions regarding the sharing of personal data must be recorded in writing with their justifications. These records are audited periodically by the KVK Committee.
In the event that there is a regular data sharing relationship without a legal basis or legal obligation, a KVK Contract is made with the said party that determines the conditions of data sharing. The KVK Contract includes the following as minimum:
· Purpose or purposes of sharing,
· Potential third party buyers or type of buyer and terms of access,
· What data is to be shared,
· General principles regarding the processing of data,
· Data security measures,
· Storage period of shared data,
· Data owner’s rights, access requests, procedures for responding to applications and complaints,
· Reviewing the expiry of the sharing agreement,
· Responsibility and sanctions for non-compliance with the contract or individual violation of the personnel.
5.7. Records Management
Personal data cannot be kept longer than necessary for the purposes of processing. It is determined in accordance with the classification of records containing personal data and their retention periods and related documents.
Personal data that are expired or that need to be destroyed upon the rightful request of the data owner are anonymized or deleted or destroyed in accordance with the procedure in which the retention and destruction process is defined.
5.8. Rights of Data Owners
Data owners have the following rights regarding data processing activities and records with Blockchain Lab Yazılım A.Ş.:
· Learning whether personal data is processed or not,
· If personal data has been processed, requesting information about it,
· Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
· Knowing the third parties to whom personal data is transferred in the country or abroad,
· Requesting correction of personal data in case of incomplete or incorrect processing,
· Requesting the deletion or destruction of personal data for which there is no legal justification or basis for processing in accordance with KVKK or this policy,
· Requesting notification of corrections or deletions made upon request, to third parties to whom personal data has been transferred,
· Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
· Requesting the compensation of the damage in case of loss due to unlawful processing of personal data.
Application Procedure of the Data Owner
Data owners can apply to Blockchain Lab Yazılım A.Ş. for their requests regarding their rights listed above in accordance with the application procedures stipulated in the Annunciation on Application Procedures and Principles to the Data Controller.
In this case, Blockchain Lab Yazılım A.Ş. will conclude the request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on its nature. However, if the transaction requires an additional cost, Blockchain Lab Yazılım A.Ş. will be able to charge the fee in the tariff determined by the Personal Data Protection Board. The processes regarding the receipt, transmission and conclusion of requests are carried out in accordance with the relevant procedure.
In order for data owners to direct their requests, the right of access and contact information of the data owners are included in the privacy statements and the website of Blockchain Lab Yazılım A.Ş.
All personnel of Blockchain Lab Yazılım A.Ş., regardless of their job description, are responsible for guiding data owners regarding the correct application method for data subject access requests. Blockchain Lab Yazılım A.Ş. personnel should be informed by the KVK Committee on how to act on requests from data owners.
In this context, you can apply by filling out the “Data Owner Application Form”:
• With the personal application of the Data Owner, to the address “Blockchain Lab Yazılım A.Ş. Yazılım Anonim Şirketi”, “Fulya Mah. Buyukdere Cad. No:76 Quasar 34394 Şişli, Istanbul – TURKEY”,
• Through a notary,
• By authenticating your identity via certified mail, to the address “Blockchain Lab Yazılım A.Ş. Yazılım Anonim Şirketi”, “Fulya Mah. Buyukdere Cad. No:76 Quasar 34394 Şişli, Istanbul – TURKEY”,
• By using the e-mail address registered in the registered electronic mail (REM) system, to “[email protected]” or our Company’s “[email protected]” e-mail address with your e-mail address registered in our system.
Blockchain Lab Yazılım Anonim Şirketi
Fulya Mah. Büyükdere Cad. No:76 Quasar 34394 Şişli, Istanbul – TURKEY
MERSIS No: 0178132817200001
Tax ID No (VKN): 4650883238
Tax office: HOCAPAŞA