1. Purpose
The purpose of this Privacy Policy (“Policy”) is to provide explanations regarding the personal data processing activities carried out lawfully by SESTEK SES VE İLETİŞİM TEKNOLOJİLERİ A.Ş (“Company” or “Sestek”) and the systems adopted for the protection of personal data. Within this scope, transparency is ensured by informing the data subjects whose personal data are processed by Sestek, including but not limited to our employees, job candidates, customers, visitors, suppliers, employees, and officials of institutions we cooperate with, and third parties.
2. Scope
This Policy covers all personal data processed by the Company, whether automatically or by non-automatic means as part of any data recording system, relating to our employees, job candidates, customers, visitors, suppliers, employees and officials of cooperating institutions, and third parties.
3. Definitions
Explicit Consent: Consent given freely, based on information, and expressed clearly on a specific subject.
Anonymization: The modification of personal data in such a way that it loses its personal data characteristics and cannot be reverted, e.g., masking, aggregation, data distortion, etc.
Data Subject: The real person whose personal data is processed.
Processing of Personal Data: Any operation performed on personal data, whether wholly or partly by automatic means or otherwise, including acquisition, recording, storage, retention, alteration, reorganization, disclosure, transfer, retrieval, classification, or prevention of use.
Personal Data: Any information relating to an identified or identifiable real person, e.g., Name-Surname, Turkish ID number, Email, Address, Date of Birth, Credit Card Number, etc.
Destruction of Personal Data: Deletion, erasure, or anonymization of personal data.
PDPL: Turkish Law No. 6698 on the Protection of Personal Data.
Deletion of Personal Data: The process by which personal data becomes inaccessible and unusable by the relevant users.
Erasure of Personal Data: The process by which personal data becomes inaccessible, unrecoverable, and unusable by anyone.
Board: Refers to the Turkish Personal Data Protection Board.
Authority: Refers to the Turkish Personal Data Protection Authority.
Special Categories of Personal Data: Data require stricter protection due to their nature, which may lead to discrimination or unfair treatment, including but not limited to racial or ethnic origin, political opinion, philosophical belief, religion, sect, dress code, membership of associations, health, sexual life, criminal convictions, biometric and genetic data.
Data Controller: The person who determines the purposes and means of processing personal data and manages the data recording system.
Data Processor: The real or legal person who processes personal data on behalf of the data controller based on an authorization.
4. Implementation
The applicable legislation concerning the processing and protection of personal data will primarily apply. The PDPL and related secondary legislation, guidelines published by the Authority, decisions and principles issued by the Board, etc. (collectively “Legislation”) will be evaluated within the scope of the relevant Legislation and will serve as a guide on personal data protection.
If there is a conflict between the current legislation and this Policy, Sestek accepts that the applicable legislation shall prevail.
4.1. General Principles Regarding the Processing of Personal Data
Sestek processes personal data in accordance with the procedures and principles stipulated by the PDPL and related secondary legislation. Within this framework, Sestek fully complies with the following general principles set forth in the PDPL when processing personal data as part of its business processes.
4.2. Conditions for Processing Personal Data
Except for the exceptions listed in the PDPL, Sestek processes personal data only by obtaining the explicit consent of the relevant individuals. However, in the presence of the following conditions specified in the PDPL, personal data may be processed without the explicit consent of the relevant individual:
4.2.1. Conditions for Processing Special Categories of Personal Data
Except for the exceptions listed in the PDPL, Sestek processes special categories of personal data only by obtaining the explicit consent of data subjects. However, in the presence of the following conditions specified in the PDPL, special categories of personal data may be processed without the explicit consent of the data subject:
4.3. Purposes of Processing Personal Data
Personal data obtained by Sestek may be processed within, but not limited to, the scopes described below:
4.4. Transfer of Personal Data
Sestek, regarding sharing personal data with third parties, considers the transfer conditions set forth in the PDPL, without prejudice to the provisions of other applicable laws, and carefully complies with these conditions. In line with its lawful personal data processing purposes, and by taking the necessary administrative and technical measures, Sestek may transfer personal and special categories of personal data of data subjects, when necessary, to third parties located within Turkey (e.g., authorized public institutions and organizations, third-party companies, or natural persons).
In this context, the Company transfers personal data within Turkey by obtaining the explicit consent of the data subjects, except in cases specified as exceptions under the PDPL. However, if one of the processing conditions specified in Article 5(2) or Article 6(3) of the PDPL is met, personal data may be transferred within Türkiye without the explicit consent of the data subject.
If it becomes necessary for our Company to transfer personal data abroad, the transfer conditions set forth in the PDPL are taken into consideration, and personal data may be transferred abroad accordingly. In this context, our Company may transfer personal data abroad under the following conditions:
(i) The existence of one of the data processing conditions specified in Articles 5 or 6 of the PDPL, and the presence of an adequacy decision for the country to which the personal data will be transferred, or for sectors within that country or international organizations;
(ii) In the absence of an adequacy decision, the existence of one of the data processing conditions under Articles 5 or 6 of the PDPL, along with the availability of mechanisms for the data subject to exercise their rights or seek legal remedies in the destination country, and the provision of the safeguards stipulated in the law.
(iii) In the absence of an adequacy decision or the provision of appropriate safeguards by the parties to the transfer, personal data may be transferred abroad only under exceptional circumstances.
4.5. Storage of Personal Data
Personal data is securely stored by Sestek in physical or electronic media for an appropriate period, to fulfill its business operations. Within the scope of these activities, Sestek complies with the obligations set forth in the PDPL and other applicable legislation regarding the storage of personal data.
Except for mandatory retention periods stipulated by relevant legislation or permissible regulations concerning the storage of personal data, personal data will be destroyed once the purpose for processing has ended, or in line with the data subject's request specified in the Data Subject Application Form, and in accordance with the "Personal Data Retention and Destruction Policy."
Depending on the data subject’s request or based on Sestek’s own decision, the appropriate method of destruction—anonymization, deletion, or destruction—will be selected in compliance with the nature of the data and applicable regulations.
4.6. Security of Personal Data
Sestek takes the necessary administrative and technical measures to ensure the secure storage of personal data, and to prevent unlawful processing and unauthorized access. These measures are reviewed periodically to maintain effectiveness. In addition to personal data, special categories of personal data are also safeguarded in accordance with Article 12 of the PDPL and the fourth paragraph of Article 6. The necessary administrative and technical measures are implemented in line with the precautions determined and announced by the Authority to ensure the security of such data.
Accordingly, the administrative and technical measures adopted by our Company include, but are not limited to, the following:
Administrative Measures
Technical Measures
4.7. Personal Data Breach Procedures
Sestek takes the necessary administrative and technical measures to ensure the secure processing and storage of personal data. However, in the event of a potential data breach within the Company, Sestek will carry out the notification procedures to inform the relevant data subjects and competent authorities within no later than 72 hours from the detection of the breach.
For more detailed information regarding the procedures in the event of a breach, you may contact: privacy@sestek.com.
4.8. Your Rights as a Data Subject
Under Article 11 of the PDPL, you have certain rights as a data subject. These rights are:
If you wish to exercise your rights under the PDPL, you may contact SESTEK using one of the methods listed below, in accordance with Article 11 and the first paragraph of Article 13 of the PDPL and the Communiqué on the Procedures and Principles of Application to the Data Controller:
4.9. Policy Updates
This Policy enters into force on the date of its publication. If SESTEK determines it is necessary to make changes to its business processes or the regulations specified within the scope of the policy, the required updates will be made and shared accordingly.