DISCLOSURE STATEMENT REGARDING THE PROCESSING OF PERSONAL DATA
The main purpose of this Disclosure Statement Regarding the Processing of Personal Data (“Disclosure Statement”) to provide you esteemed visitors and customers of us, Api Group İnşaat Turizm Sanayi Ticaret Ltd. Şti. (“the Company”), with the following statements as per the disclosure obligation arising from the Article 10 of Law No. 6698 on Protection of Personal Data (“LPPD”), which is the current legislation, Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Disclosure Obligation (“Communiqué “) and also the 13th article of General Data Protection Regulation, “GDPR (all together “Legislation”) Within this framework, this Disclosure Statement is only prepared for visitors of website and for informing the customer about the legislation, and doesn’t apply to processing the personnel data of employee, employee candidate, supplier and similar person groups.
The holder of the rights regarding the the software, design and any kind of picture, photograph, text and similar contents of the website named https://apiinvestment.com (“Website”) whose all contents belongs to the Company, is the Company and protected within the framework of the legislation in effect, except the all rights and parts where information can be added by the visitors.
This Disclosure Statement involves details about the personal data that is obtained from and/or regarding the relevant people on the Website of the Company but not limited to it, and the processing of it; Moreover, this Disclosure Statement also involves the details of the data controller and the rights of the relevant person under the legislation. Api Group İnşaat Turizm Sanayi Ticaret Ltd. Şti is a company under the “Api Group” This Disclosure Statement should be read before starting to use the Website or benefiting from the services provided by the Company in general.
- Principles Regarding the Processing of Your Personal Data and its Legal Causes
The personal data that you shared with the Company particularly via the forms on the Website can be processed as according to the legislation to which we are subject, in connection with the main area of activity and service objectives and continently, transferred to third parties, if necessary, and stored for periods in accordance with the legislation.
In this context, your personal data are processed; in accordance with the law and moral rules accurately and up-to-date, for specific, clear and legitimate purposes and in connection with the purposes of processing, in a limited and continently.
Your personal data is obtained for the purposes and by means set out in the Disclosure Statement, particularly for maintaining our activities, in full compliance with the legislation and policies of the Company, and obtained personal data is processed by the Conditions for Processing Personal Data on the Legislation.
- Methods Used to Obtain Your Personal Data and Obtained Personal Data
Your personal data is processed and stored for you to benefit from the offered services on the Website.
The Obtained personal data may vary depending on the product and the services being offered by the Company as well as it can be obtained verbally, in writing, or electronically, by automatic or non-automatic methods, by various means, primarily the Website.
Within this framework, your name, surname, e-mail address, phone number over the Website, details we obtain from your use of the Website, information about whether you read when you receive commercial electronic messages, your voice data that we obtain from our call center conversations, and other data that you provide by your comments and/or messages in the message box of the Website are obtained and processed.
- Causes and Purposes for Processing Your Personal Data
Your personal data is processed without explicit consent in cases stipulated in the law, that it is necessary for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid, that it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract, that it is mandatory for the data controller to fulfill its legal obligation, it is made public by the person concerned, that the data processing is mandatory for the establishment, exercise or protection of a right, that the data processing is mandatory for our legitimate interests, provided that it does not harm the fundamental rights and freedoms of the person concerned, and in other cases with explicit consent.
Your obtained personal data is processed according to the terms stated in LPPD for the purposes of carrying out the necessary works so that you can easily and reliably benefit from the products and services offered by our company; customizing our products and services to meet your demands, needs and usage habits; managing customer relations, maintaining sales and marketing activities, fulfilling the legal obligations of our company, execution of reporting processes, and to ensure that legal processes can be carried out quickly and effectively. Within this scope, your personal data are processed with the intention of identifying and confirming the information of the person using the Website, detecting the problems and errors as part of the services offered, assessing and solving customers’ requests, complaints and suggestions, and performing our rights and obligations arising from the legislation in effect.
Moreover, your personal data is also processed for execution of emergency management processes, carrying out activities in accordance with the legislation, execution of financial and accounting affairs, follow-up and execution of legal affairs, carrying out communication activities, execution and control of business activities, carrying out after-sales support services, execution of service procurement processes, service sales processes, service production and operation processes, carrying out customer relationship management processes, carrying out activities for customer satisfaction, organization and event management, conducting marketing analysis studies, execution of performance evaluation processes, execution of advertising and/or campaign and/or promotion processes, carrying out storage and archiving activities, execution of contract processes, carrying out sponsorship activities, follow-up of requests and/or complaints, execution of marketing processes, ensuring the security of data controller operations, execution of investment processes, providing information to authorized persons, institutions and organizations, carrying out management activities.
Sensitive personal data is not processed by our Company without the explicit consent of the person concerned.
- Personal Data Security
The Company moves accordingly with the obligations arising from the legislation to establish the necessary organization and to take and implement technical measures in order to protect the confidentiality and integrity of personal data under the current legislation. Your personal details will be processed within the subject of activity of the Company and by the purposes of the Disclosure Statement, can be stored for the periods required by the purposes of processing and/or for the period stipulated in the applicable legislation, and in cases that the reasons for processing disappear, they will be deleted, destroyed or will go anonymous ex officio or upon the request of the person concerned save the cases where there is a storage obligation arising from the current legislation. Processing and preserving of your personal data are performed by the personnel who are authorized and trained on this subject and in places where data security can be ensured.
Your personal data is processed within the framework of the services offered by the Company and its subject of activity; following the law and the good faith, accurately and as up-to-date; in respect to the intentions for which they are processed in this Disclosure Test, in a limited and prudent manner and by keeping them for the period required for the purpose for which they are processed or stipulated in the relevant legislation.
The following measure are taken by the Company for the processing the personal data:
- Network security and application security are provided.
- Closed system network is used for personal data transfers through the network.
- Key Management is applied.
- The Security measures have been taken within the scope of procurement, development and maintenance of the information technology systems.
- The security of the personal data preserved in cloud is provided.
- Disciplinary regulations including data security provisions for employees are available.
- Training and awareness activities on data security are conducted for employees at regular intervals.
- Authorization matrix has been established for employees.
- Access logs are kept regularly.
- Corporate policies on access, information security, usage, storage and disposal have been prepared and implemented.
- Data masking is applied, if required.
- Confidentiality undertakings are made.
- The authorizations in this field of the employees who have resigned or been assigned to another position are revoked.
- Updated anti-virus systems has been used.
- Firewall has been used.
- The contracts signed contain data security provisions.
- Extra security measures has been taken for personal data transferred via paper and related documents are sent in the format of confidential document.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is tracked.
- Necessary security measures are taken for entering and exiting physical environments containing personal data.
- Physical environments containing personal data are protected against external risks (fire, flood, etc.)
- The security of personal data environments is ensured.
- Personal data is reduced as much as possible.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- User account management and authorization control system are applied and these are also followed up.
- Internal periodic and/or random audits are conducted and caused to be conducted.
- Log records are kept without user intervention.
- The current risks and threats are identified.
- Intrusion detection and prevention systems are used.
- Penetration test is applied.
- Cyber security measures have been taken and its implementation is continuously monitored.
- Encryption is made.
- Data processing service providers are periodically audited about data security.
- Data processing service providers are provided awareness about data security.
- Software for preventing the data loss is used.
- Transfer of Your Personal Data
Your personal data is not transferred to third parties by the Company without the explicit consent of the person concerned as a rule, within the scope of the rules stated in the Legislation and the purposes specified in this Disclosure Statement. On the other hand, for personal data processing purposes, personal data can be transferred to domestic and foreign third parties, business associates, persons offering assistance regulatory and supervisory institutions and official authorities in line with our purpose of service and activity or in cases stipulated by the relevant legislation by taking the necessary safety precautions. The sharing of personal data with third parties takes place within the framework of the consent of the customers and as a rule, personal data is not transferred to third parties without the explicit consent of the relevant customer.
Your personal data is transferred to the Company’s shareholders, affiliates and subsidiaries, group companies and authorized public institutions and organizations, and in addition, it can be shared with Company employees, suppliers, business partners, consultants and private individuals within the scope of the Legislation.
- Your Rights Regarding Your Personal Data
In terms of the processing of personal data, the data controller, in accordance with the definition in the current legislation is Api Group İnşaat Turizm Sanayi Ticaret Ltd. Şti.
Pursuant to LPPD, we hereby inform you that you have the right to be informed whether your personal data is processed or not; in case if your personal data is processed, to request information regarding the process, to be informed about the purpose of processing, and whether they are used in accordance to the stated purpose; to know the domestic and foreign parties, who received your personal data; To request the correction of personal data if it is incomplete or improperly processed, to request deletion or erasure of your personal data under the conditions laid down in Article 7 of Law, to request that the process carried out in this context be notified to third parties to whom personal data is transferred; to object to the processing, exclusively by automatic means, of your personal data, which leads to an unfavorable consequence for the data subject, to request compensation for the damage arising from the unlawful processing of your personal data against LPPD.
If you want to exercise your stated right, you can make an application for such requests by filing the Application Form in writing under the article 13 of LPPD to the Company’s address specified below by attaching your name, surname, and signature, your TR Id No., if you are a Turkish Citizen, or your nationality, passport number or identification number if you are not a Turkish Citizen, residence or workplace address for notification, your e-mail address and telephone number for notification and the necessary information and documents to determine the subject of the request and your identity, or you can apply by e-mail to get general information on LPPD.
Your requests regarding your rights listed above are concluded free of charge by our Company within 30 (thirty) days at the latest, when you submit your requests in writing to the Company. However, if the procedure requires an additional cost, the fee indicated in the price list determined by the Personal Data Protection Board will be charged by the Company.
If you want to exercise your stated right, you can deliver your such requests by hand or apply in writing through a notary public under the article 13 of LPPD to the Company’s address specified below by attaching your name, surname, and signature, your TR Id No., if you are a Turkish Citizen, or your nationality, passport number or identification number if you are not a Turkish Citizen, residence or workplace address for notification, your e-mail address and telephone number for notification and the necessary information and documents to determine the subject of the request and your identity.
You must use the email@example.com e-mail address for the applications other than the LPPD.
Data Controller: Api Group İnşaat Turizm Sanayi Ticaret Ltd. Şti.
Address: Barbaros Mahallesi Çiğdem Sokak No.: 1/63 Ataşehir / ISTANBUL