INFORMATION SECURITY POLICY

Introduction 

T.R. According to Article 20 of the Constitution, everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a constitutional right, Orientus uluslararasi ithalat ihracat ve ticaret limited sirketi (“Orientus”) with this personal data protection policy; Safe protection of the processed personal data of real persons such as company employees, job applicants, interns, suppliers, supplier employees, subcontractors, subcontractor employees, third parties and visitors will be managed. All necessary administrative and technical measures have been taken by Orientus for the protection of personal data processed in accordance with the Law on Protection of Personal Data No. 6698 and secondary legislation. 

Aim

The main purpose of Orientus in implementing this Policy is the administrative and technical measures taken within the scope of the personal data processing and data protection activity carried out in accordance with the law, and the automatic or any data processing of the natural persons listed above, especially the company employees, with whom they have legal and commercial relations. To ensure the security of personal data processed by non-automatic means, provided that it is part of the registration system. 

 Scope

All personal data processed in Orientus, primarily by employees, subcontractors, subcontractor employees, suppliers, supplier employees, job applicants, interns, third parties and visitors, automated or non-automatic, provided that they are part of any data recording system. relates to data.

Personal data processing purpose of the data controller 

In this context, Orientus processes personal data for the following purposes:

  • Carrying out corporate sustainability activities,
  • Management of relations with suppliers and subcontractors,
  • Execution of personnel procurement processes,
  • Carrying out internal audit and legal procedures,
  • Execution of corporate management and communication activities,
  • Request and complaint management,
  • Giving information to authorized persons or organizations based on legislation,
  • Creating and tracking visitor records,

If the processing activity carried out for the above-mentioned purposes does not meet any of the conditions stipulated under the Law No. 6698, express consent is obtained from the data owners by Orientus regarding the relevant processing process.

Principles of personal data processing

In Orientus, studies are carried out within the scope of the basic principles adopted in the processing of personal data within the scope of this Policy and listed below:

  • Processing personal data in accordance with the law and honesty rules,
  • Keeping personal data accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit and legitimate purposes,
  • Processing personal data in connection with the purpose for which they are processed, limited and measured,
  • Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed,
  • Enlightening and informing personal data owners,
  • Establishing the necessary system for personal data owners to exercise their rights,
  • Taking the necessary measures in the protection of personal data,
  • To act in accordance with the relevant legislation and the regulations of the
  • Personal Data Protection Board in the transfer of personal data to third parties in line with the requirements of the processing purpose,
  • Showing the necessary sensitivity to the processing and protection of sensitive personal data.

Conditions of personal data processing

Orientus processes personal data under the following conditions within the scope of this Policy:

  • In case the processing of personal data is expressly stipulated in the law,
  • If the processing of personal data is directly related and necessary to the conclusion or performance of a contract,
  • If it is necessary for Orientus to fulfill its legal obligation,
  • In case the personal data has been made public by the data owner,
  • In case the processing of personal data is necessary to establish, exercise or protect the rights of the data owner or third parties,
  • In the event that personal data processing is necessary for the legitimate interests of Orientus, provided that it does not harm the fundamental rights and freedoms of the data owner,
  • Personal data is processed in the event that personal data processing is necessary for the protection of the life or bodily integrity of the personal data owner or someone else, and the personal data owner in this situation is unable to express his consent due to actual or legal invalidity.

Ensuring the security of personal data

Orientus takes all kinds of technical and administrative measures necessary according to current technological possibilities and practices in order to ensure that personal data is processed in accordance with the law. In this context;

  • The system, which was established within the scope of personal data processing activities carried out within the company in order to ensure the legal processing of personal data by the IT experts assigned by Orientus, is audited by the
  • Information Processing Department and the technical measures taken are periodically reported to the top management of the company in accordance with the internal audit mechanism.
  • The level of knowledge and awareness of employees is increased and trained on the law of protection of personal data and the processing of personal data in accordance with the law.
  • By analyzing the business processes carried out by all units operating within Orientus, personal data were defined, data processors were identified, job descriptions were made, and a data processor contract was signed with each of them.
  • Personal data processing activities carried out by all units of Orientus; It has been determined in accordance with the personal data processing conditions sought by the Law No. 6698.
  • Documents that reveal the legal relationship between Orientus and its employees, interns, employee candidates, subcontractors and suppliers are placed under the obligation not to process, disclose, use or share personal data in violation of the law, and awareness of employees and other persons is increased and audits are carried out.
  • Technical measures are taken in accordance with the developments in Orientus technology, the measures taken are periodically updated and renewed.
  • Access to Personal Data is limited, authorization matrices are created and authorizations are regularly reviewed.
    Software and hardware including virus protection systems and firewalls are installed.
  • Security scans are regularly performed to detect security vulnerabilities in applications where personal data is collected.
  • Employees are informed that the personal data learned as a requirement of the job cannot be disclosed to others in violation of the provisions of the Law No. 6698 and cannot be used for purposes other than processing, and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.
  • Contracts (confidentiality agreement) concluded with subcontractors and suppliers with which Orientus has a business relationship; provisions are added to ensure that the necessary security measures will be taken and that these measures will be complied with in their own establishments.
  • In order to ensure the safe storage of personal data, backup programs are used in accordance with the law.
  • Accesses to data storage areas where personal data are stored are logged, and inappropriate accesses or access attempts are instantly communicated to the relevant parties.

Data owner’s rights and application process

The rights held in accordance with Article 11 of the Law No. 6698 on the personal data shared with the company within the scope of the purposes specified in this Policy of Orientus and the processing methods of personal data are listed below:

  • Learning whether personal data is processed or not,
  • If personal data has been processed, requesting information about it,
  • Learning the purpose of processing personal data and whether the data is used in accordance with its purpose,
  • Knowing the third parties that personal data is transferred at home or abroad,
  • Requesting correction of personal data in case of incomplete or incorrect processing,
  • Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in the Law No. 6698,
  • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • In case of loss due to unlawful processing of personal data, it has the right to demand the compensation of the damage.

In order to exercise the rights listed above, our company can be contacted using the “Application Form” on our website https://orientus.com.tr/ and the methods specified in this form.

Orientus will conclude the requests of the personal data owner, which are submitted in accordance with the above application, free of charge, within thirty days at the latest, depending on the nature of the request.

Data storage periods and disposal method

Orientus keeps personal data for the periods stipulated in the relevant laws, regulations and the “Personal Data Retention and Destruction Policy”. If a period of time is not foreseen in the legislation regarding how long the personal data will be kept, the data is stored and subsequently deleted, destroyed or anonymized according to the activities and practices carried out by Orientus and the practices required by the commercial life of the company. However, although the purpose of processing personal data has ended; Data may be stored in order to provide evidence in possible legal disputes, to assert the relevant right related to personal data, or to establish a defense. Even in such cases, the stored personal data cannot be accessed for other purposes, only for use in the relevant legal disputes. In any case, at the end of the aforementioned period, personal data is fulfilled by using one or more of the technical methods specified in the Personal Data Retention and Destruction Policy, which are most suitable for the company’s business processes and activities. Records of camera monitoring are deleted every 20 days.

Person group and data categories whose data is processed

The data of the persons listed below are processed by Orientus within the scope of this Policy. These are real persons such as company employees, job applicants, interns, suppliers, supplier employees, subcontractors, subcontractor employees, third parties and visitors.

Orientus, pursuant to the Labor Law No. 4857, of persons whose personal data are obtained through employee and business relations based on an employment contract; It processes identity, communication, location, family and proximity, criminal record, visual, education, finance, personnel, health and biometric data. Within the scope of the Law No. 4857, real persons employed by sub-employers who are employed in a part of the main work or in auxiliary works, and employees employed by suppliers with whom a supplier contract is signed for the purpose of providing services; identity, communication, criminal record, visual, financial, personal and health information of subcontractors and suppliers; identity, communication, visual, signature and financial information of real persons who do internship within the scope of the Vocational Education Law No. 3308; Employee candidates who have applied for a job by any means or have opened their CV and related information to our company’s review; identity, contact, education, location information of third parties, such as family members, relatives and former employees who are not covered by this Policy; natural persons, who are visitors who have entered the physical premises of the company for various purposes; processes identity and visual information.

Transfer of personal data

Orientus may transfer the personal data of data subjects managed by this Policy to the following categories of persons in accordance with Articles 8 and 9 of Law No. 6698:

  • To the senior officials of Orientus,
  • To the officials of Orientus,
  • Legally authorized persons, institutions and organizations
  • Legally authorized private law persons

Orientus does not transfer the personal data it processes to abroad within the scope of this Policy.

The relevant legal regulations in force regarding the processing and protection of personal data are primarily applied. In case of inconsistency between the current legislation and the Policy, Orientus accepts that the applicable legislation will find an area of application.

It may make changes or updates in this Policy in line with new legal regulations and company policy. The new policy text reflecting all these changes and updates is announced to the relevant people on the website.

No cookies are used on the https://orientus.com.tr/ website, which aim to track the site usage habits of online visitors.

Camera monitoring activities in buildings and facilities

Orientus camera monitoring activities, Law on Private Security Services and related legislation, Law No. 6698 and “Orientus uluslararasi ithalat ihracat ve ticaret limited sirketi. It is carried out in accordance with the personal data processing conditions listed in the Camera Monitoring Policy. Camera monitoring activity is carried out to ensure the safety of the company and the health and safety of other people. Data owners are informed about the camera monitoring activities carried out by Orientus in accordance with Article 10 of the Law No. 6698. Camera recordings are not shared with anyone other than authorized persons, institutions or organizations.

Force

Orientus uluslararasi ithalat ihracat ve ticaret limited sirketi, this Policy will come into effect on September 4, 2024.