Beykoz University
Institutional Policy on the Protection and Processing of Personal Data
CONTENT
1. Introduction
2. Purpose and Scope
3. Definitions
4. General Principles for Processing Personal Data (4th Article)
5. Terms of processing personal data (5th Article)
6. Purpose of Processing Personal Data
7. Processing of Private Personal Data
8. Categorization of Personal Data
9. Deletion, destruction or anonymization of personal data
10. Transfer of Personal Data
11. Third Parties and Purposes of Transfer of Personal Data to Them
12. Obligation for Clarification
13. Ensuring Security of Personal Data
14. Purposes of Collecting Personal Data
15. Rights of Data Owner, Application Methods, Duration of Keeping Personal Data and Related Principles
16. Data Storage Periods and Principles
17. Data Disposal Process
18. Enforcement of the Policy
1-INTRODUCTION
BEYKOZ UNIVERSITY shows the highest level of sensitivity necessary to ensure full compliance with Article 20 of the Constitution on the Privacy of Private Life and the Law No. 6698 on the Protection of Personal Data (“KVKK”), which was accepted by the Parliament on March 24, 2016 and took effect after being published in the Official Gazette on April 7, 2016, besides other relevant regulations. The university acts with the awareness of protecting its rights arising from the Constitution and the Law in all its transactions.
2-PURPOSE AND SCOPE
The purpose of our Institutional Policy (“Policy”) is to ensure compliance with the obligations regarding the regulations on the protection of personal data, to process the information provided within the scope of the activities carried out by Beykoz University and to protect the confidentiality, by evaluating with a risk-based approach, and to ensure that strategies, internal controls and measures, and operational rules are implemented. and responsibilities, and raising the awareness of personal data owners.
3-DEFINITIONS
The definitions used in this Policy are as follows:
Explicit Consent: Consent on a particular subject, based on information and expressed with free will
Constitution: Constitution of Turkey
University/Our University: BEYKOZ UNIVERSITY
Personal Data: Any information relating to an identified or identifiable natural person (e.g. name-surname, TCKN, e-mail address, date of birth, credit card number, bank account number- Therefore, the processing of information regarding legal persons is not within the scope of the Law)
Personal Data Owner: Natural person whose personal data is processed
Processing of Personal Data: Actions taken on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or prevention of the use of personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system
Special Qualified Personal Data: Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data
Data Controller: It means the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system), that is, our University.
KVKK: Law No. 6698 on the Protection of Personal Data
4-MATTERS REGARDING THE PROCESSING OF PERSONAL DATA
4.1. General Principles in the Processing of Personal Data
Our university processes data in accordance with the provisions of the Constitution, the Law and other legislation that it has to comply with within the scope of its activities, especially the laws to which it is bound. In this context, the following principles are taken into account:
4.2. Compliance with the Law and the Rule of Integrity
Our university processes personal data in accordance with the procedures and principles stipulated in the KVKK and other relevant laws.
5- Terms of processing personal data
The conditions for the processing of personal data are regulated by KVKK, and personal data is processed by our UNIVERSITY in accordance with the conditions mentioned below. Except for the exceptions listed in the Law, OUR UNIVERSITY processes personal data only by obtaining the explicit consent of the data owners. In the presence of the following conditions listed in the KVKK, personal data can be processed even without the explicit consent of the data owner.
Our UNIVERSITY pays special attention to the processing of personal data of special nature, the protection of which is believed to be more critical in various aspects for data owners. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data owners.
6- OUR UNIVERSITY’S PERSONAL DATA PROCESSING PURPOSE AND LEGAL REASONS
Your personal data obtained by OUR UNIVERSITY is processed for the purposes and legal reasons explained below.
Our student data processing purposes
• Execution of student placement processes
• Creating and updating student personal files
• Execution of student registration, application, request, complaint processes
• Execution of IT processes
• To provide information, guidance and continuation of the education process for the student/academician education-teaching processes.
• Execution of student disciplinary proceedings
• Creation of training certificate
• Maintaining student clubs/sports activities
• Student satisfaction tracking
• Follow-up of student education activities and attendance
• Planning and execution of research and development processes
• Academic event organization planning and execution
• Scientific Research and Publication Ethics Committee evaluation
• Execution of training activities
• Ensuring Physical Space Security
• Providing library services
• Student dismissal, diploma procedures and graduation procedures
• Execution of student internship processes
• Continuing distance education/training activities
• Ensuring internal and external information-document flow, archiving of documents
• Health status tracking
• Taking communicable disease precautions
• Academic publication award evaluation and award process
Our Legal Reasons for Processing Student Data
• Clearly stipulated in laws
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
• Obligatory for the data controller to fulfill its legal obligation
• Data processing is mandatory for the establishment, exercise or protection of a right
• It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
• Explicit consent
Our academic/administrative personnel data processing purposes
• Execution of academic/administrative personnel procurement processes
• Human resources processes in academic personnel recruitment
• Fulfillment of obligations arising from employment contract and/or legislation
• Creating personal files of Academic / Administrative Employees, providing fringe benefits and benefits
• Planning and Execution of Academic / Administrative Employee Resignation Processes
• Press Release creation
• Health Status Tracking
• Managing Beykoz University Publications processes
• Fulfillment of obligations arising from legislation
• Execution of IT processes
• Organization and management of Scientific Meetings
• Planning and execution of research and development processes
• Planning and execution of academic event organizations
• Scientific research and publication ethics committee evaluation
• Ensuring Physical Space Security
• Planning of performance evaluation processes
• Planning of training activities
• Execution of training activities
• Planning and monitoring of permit processes
• Providing library services
• Continuing distance education/training activities
• Execution of Communication Activities
• Taking communicable disease precautions
• Promotion of the university
• Academic publication award evaluation and award process
• Ensuring internal and external information-document flow, archiving of documents
Our legal grounds for processing academic/administrative personnel data
• Clearly stipulated in laws
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
• Obligatory for the data controller to fulfill its legal obligation
• Data processing is mandatory for the establishment, exercise or protection of a right
• It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
• Explicit consent
Our purposes for processing data of third parties
• Organization and management of scientific meetings
• Creation of training certificate
• Execution and execution of goods / services procurement processes and financial and accounting works
• Ensuring Physical Space Security
• Career follow-up of the student after graduation
• Execution of student internship processes
• Execution of Communication Activities
• Providing library services
• Employee/employee candidate reference check
• Promotion of the university
• Taking communicable disease precautions
Our legal grounds for processing data of third parties
• Clearly stipulated in laws
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
• Obligatory for the data controller to fulfill its legal obligation
• Data processing is mandatory for the establishment, exercise or protection of a right
• It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
• Explicit consent
Our purposes for processing Prospective Student data
• Ensuring Physical Space Security
• Promotion of the university
• Providing library services
• Execution of Communication Activities
• Taking communicable disease precautions
Our legal grounds for processing Prospective Student data
• Obligatory for the data controller to fulfill its legal obligation
• It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
• Explicit consent
Our purposes for processing visitor data
• Creation and tracking of visitor records
• Ensuring Physical Space Security
• Taking communicable disease precautions
Our legal grounds for processing visitor data
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Our purposes for processing Parent/Guardian/Agent data
• Management of students' registration, education and graduation processes and communication activities
• Promotion of the university,
Our legal grounds for processing Parent / Guardian / Representative data
• When clearly stipulated in laws
• When it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
• When obligatory for the data controller to fulfill its legal obligation
• When data processing is mandatory for the establishment, exercise or protection of a right
Our purposes for processing Employee Candidate data
• Execution of the application processes of employee candidates
• Execution of employee candidate selection and placement processes
Our legal grounds for processing Employee Candidate data
• When clearly stipulated in laws
• When data processing is mandatory for the establishment, exercise or protection of a right
• When it is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Our purposes for processing Graduate Student data
• Career follow-up of the student after graduation
• Continuing communication activities with alumni
• Career planning and support of the student after graduation
• Alumni satisfaction tracking
• Execution of Communication Activities
Our legal grounds for processing Graduate Student data
• Clearly stipulated in laws
• Obligatory for the data controller to fulfill its legal obligation
• Data processing is mandatory for the establishment, exercise or protection of a right
• It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
7-OUR UNIVERSITY’S PRIVATE PERSONAL DATA PROCESSING POLICY
Our UNIVERSITY pays special attention to the processing of personal data of special nature, the protection of which is known to be more critical in various aspects for data owners. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data owners. However, special categories of personal data other than health-related data can also be processed without the explicit consent of the data owner in cases stipulated by law. However, health data can be processed without explicit consent, provided that adequate precautions are taken and in the presence of the following reasons:
• Protection of public health,
• Preventive medicine,
• Medical diagnosis
• Execution of treatment and care services
• Planning and management of health services and its financing.
Photograph data of student, employee, employee candidate, graduate student, parent/guardian/representative, which can be considered as special personal data (biometric) by OUR UNIVERSITY, for the purpose of planning or executing the processes specified in Article 6 of OUR UNIVERSITY, by taking necessary administrative and technical measures. is processed.
8-OUR UNIVERSITY PERSONAL DATA CATEGORY
The categories of personal data processed by OUR UNIVERSITY are as follows:
|
PERSONAL DATA CATEGORY |
PERSONAL DATA CATEGORY DISCLOSURE |
|
ID Info |
name, surname, mother-father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial no, tc identity no etc. |
|
Contact Info |
Address no, E-mail address, Contact address, Registered e-mail address (KEP), such as phone number |
|
Personnel Info |
Payroll information, Disciplinary investigation, Recruitment document records, Goods declaration information, CV information, Performance evaluation reports etc. |
|
Legal Action |
information in correspondence with linguistic authorities, Information in the case file etc. |
|
Customer Action |
Call center records, Invoice, promissory note, check information, Information on box office receipts, Order information, Request information etc. |
|
Physical Space Security |
Entry and exit registration information of employees and visitors, Camera recordings, etc. |
|
Transaction Security |
IP address information, Website login and exit information, Password and password info etc. |
|
Risk Management |
Information processed for the management of commercial, technical, administrative risks |
|
Finance |
Balance sheet information, Financial performance information, Credit and risk information, Asset information etc. |
|
Professional Experience |
Diploma information, Courses attended, In-service training information, Certificates, Transcript information |
|
Marketing |
shopping history information, survey, cookie records, campaign work information obtained etc. |
|
Audio and Audio Recordings |
Audio and Audio Recordings etc. |
|
Association Membership |
Association Membership |
|
Health Information |
Information on disability, Blood group information, Personal health information, Device and prosthesis information used VS |
|
Criminal Conviction and Security Measures |
Information on criminal convictions, Information on security measures |
|
Student Education and Process Data |
course grades, courses taken, attendance/absences, course selections, diploma and graduation data etc. |
9- GROUPS OF PERSONS THAT OUR UNIVERSITY PROCESSES DATA
People groups whose data are processed by OUR UNIVERSITY are as follows:
• Prospective Student
•Student
• Graduate Student
• Employee Candidate
•Worker
• Relatives of Employees
• Supplier Employee
• Supplier Official
• The person who buys the product or service
• Parent/Guardian/Representative
• Visitor
• Member of the Advisory Board
• Guest, Speaker, participant
10- OUR UNIVERSITY'S POLICY ON DELETING, DESTROYING OR MAKING PERSONAL DATA ANONYMOUS
Deletion, Destruction or Anonymization of Personal Data Although it has been processed in accordance with the provisions of the Law and other relevant legislation, personal data is deleted, destroyed or anonymized by OUR UNIVERSITY, ex officio or upon the request of the person concerned, in case the reasons requiring processing are eliminated. Our university has to be subject to these regulations in this process, especially since it operates under the legislation of YÖK.
11- TRANSFER OF PERSONAL DATA
OUR UNIVERSITY carefully complies with the conditions set forth in the KVKK regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this context, personal data is not transferred by OUR UNIVERSITY to third parties without the explicit consent of the data owner, only to the extent permitted by law. However, in the presence of one of the following conditions regulated by the KVKK, personal data may be transferred by OUR UNIVERSITY without obtaining the explicit consent of the data owner:
The legal reasons for the said transfer are that it is necessary to process the personal data of the parties to the contract, provided that it is expressly stipulated in the law, is directly related to the establishment or performance of a contract, that it is necessary for the data controller to fulfill its legal obligation, that the data owner himself has made it public, that a right has been made public. It is express consent if data processing is mandatory for its establishment, use or protection, and data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
OUR UNIVERSITY does not transfer sensitive personal data to any third party, either in the country or abroad.
OUR UNIVERSITY can be contacted via e-mail addresses for the execution, planning and execution of educational processes. The said e-mail addresses use g-mail, Office 365 and Yandex and similar international e-mail service infrastructures. For this reason, since e-mails sent and received are kept in data centers located in various parts of the world, they are considered as data transfer abroad within the scope of Personal Data Legislation. However, it is not possible to abandon this form of communication due to the fact that the use of e-mail addresses in many areas has become almost mandatory, platforms such as zoom are a necessity for processes such as distance education and meetings, and they are required to be used in various legislations.
12- THIRD PARTIES THAT OUR UNIVERSITY CAN TRANSFER PERSONAL DATA AND THE PURPOSE OF TRANSFERRING
In line with the provisions of the KVKK and other relevant legislation, OUR UNIVERSITY pays utmost attention to the sharing of personal data with domestic and/or abroad. All employees have received the necessary training in this regard, and they continue to do so.
Personal data may be transferred by OUR UNIVERSITY to the categories of parties listed below, limited to the cases that allow data transfer in the KVKK, and if necessary. Necessary precautions regarding data transfer are taken and necessary warnings and agreements are made with the persons to whom the data is transferred, regarding the processing of the data within the scope of KVKK.
OUR UNIVERSITY transfers personal data to the following persons.
• Authorized Public Institutions and Organizations
• Natural persons or legal entities of private law
•Work partners
• Suppliers
13- OBLIGATION for CLARIFICATION
OUR UNIVERSITY is aware of the necessity of informing the data owners before or at the latest during the acquisition of personal data, within the scope of Article 10 of the KVKK. Within the framework of the aforementioned disclosure obligation, the information that OUR UNIVERSITY must convey to the data owners is as follows:
• Identity of the data controller and its representative, if any,
• For what purpose personal data will be processed,
• To whom and for what purpose the processed personal data can be transferred,
• Method and legal reason for collecting personal data,
• Other rights listed in Article 11 of the KVKK.
In order to fulfill its obligation to inform, OUR UNIVERSITY has prepared disclosure statements on the basis of the process and the persons whose data is processed, to be submitted to the data owners within the scope of the above-mentioned KVKK provision. After the disclosure statements are submitted to the data owners, explicit consent statements have been prepared for data processing activities and data categories that require the explicit consent of the data owner in order for OUR UNIVERSITY to carry out its activities.
In the express consent statements prepared for the data owners, the right to choose whether or not their personal data can be processed by our UNIVERSITY based on the KVKK are given the right to choose and they are informed about the consequences that may occur if the explicit consent cannot be obtained. On the other hand, Article 28 (1) of the KVKK. In some cases, OUR UNIVERSITY has no obligation to inform.
14- ENSURING THE SECURITY OF PERSONAL DATA
OUR UNIVERSITY takes all necessary technical and administrative measures to ensure the appropriate level of administrative and technical security required for the protection of personal data. 12 (1) of KVKK. The measures envisaged in the article are as follows:
• To prevent the unlawful processing of personal data,
• To prevent unlawful access to personal data,
• To ensure the protection of personal data.
The measures taken by OUR UNIVERSITY in this context are listed below.
Administrative Measures
• There are disciplinary regulations that include data security provisions for employees.
• Training and awareness activities are carried out periodically for employees on data security.
• Confidentiality commitments are made.
• The authorizations of employees who have a change in duty or quit their job in this field are removed.
• Signed contracts include data security provisions.
• Extra security measures are taken for personal data transferred via paper, and the relevant document is sent in confidential form.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• The security of environments containing personal data is ensured.
• Personal data is reduced as much as possible.
• Existing risks and threats have been identified.
• Awareness of data processing service providers on data security is ensured.
Technical Measures
• Network security and application security are provided.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• The security of personal data stored in the cloud is ensured.
• Authorization matrices have been created for employees.
• Access logs are kept regularly.
• Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
• Current antivirus systems are used.
• Firewalls are used.
• User account management and authorization control system is implemented and these are also followed.
• Log records are kept without user intervention.
• Intrusion detection and prevention systems are used.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Encryption is done.
14- FOR WHAT PURPOSE PERSONAL DATA WILL BE COLLECTED BY OUR UNIVERSITY AND THE LEGAL REASON
Personal data, notifications and documents sent by our UNIVERSITY, especially from https://www.beykoz.edu.tr/, electronic systems of public institutions and organizations, internet transactions, social media and other public channels, student interviews, digital applications to websites are collected through verbal, written, video, audio recording or electronic channels, with methods such as written/digital applications, call center service.
Personal data collected for these purposes, provided that it is necessary for our UNIVERSITY to fulfill its legal obligation as a data controller and/or it is expressly stipulated in the laws and/or it is directly related to the conclusion or performance of a contract, and/or It can be collected on the basis of a legal reason for express consent, in case it is necessary for the data controller to fulfill its legal obligation and/or data processing is mandatory for the legitimate interests of the data controller and there is explicit consent.
15-RIGHTS OF DATA OWNER, APPLICATION METHODS, CASES WHERE RIGHTS CANNOT BE USED
In case personal data owners submit their requests regarding their rights listed below to OUR UNIVERSITY, the requests are concluded free of charge as soon as possible and within thirty days at the latest, depending on their nature. However, if the action requires an additional cost, the fee in the tariff determined by the KVK Board or other authorities will be charged by our UNIVERSITY. In this context, data owners will be able to submit their requests to OUR UNIVERSITY in writing or by other methods to be determined by the KVK Board.
Personal data owners have the following rights:
· Learning whether personal data is processed or not ·
. If personal data has been processed, requesting information about it,
· Learning the purpose of processing personal data and whether they are used in accordance with the purpose.
- Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the action taken within this scope to third parties to whom personal data has been transferred
- Requesting the deletion or destruction of personal data in the event that the reasons requiring it to be processed disappear, even though it has been processed in accordance with the provisions of the law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
16- STORAGE TERMS AND PRINCIPLES OF THE DATA
Despite the fact that our UNIVERSITY has been processed in accordance with the provisions of the KVKK and other relevant laws, in the event that the reasons requiring its processing are eliminated, the personal data is deleted, destroyed or anonymized, ex officio or upon the request of the person concerned, as the data controller.
|
PERSONAL DATA |
STORAGE DURATION |
|
ID Info |
101 YEAR(S) |
|
Contact Info |
101 YEAR(S) |
|
Personnel info |
101 YEAR(S) |
|
Legal Actions |
10 YEAR(S) |
|
Customer Actions |
10 YEAR(S) |
|
Physical Space Security |
1 YEAR(S) |
|
Action Security |
2 YEAR(S) |
|
Risk Management |
10 YEAR(S) |
|
Finance |
10 YEAR(S) |
|
Professional Experience |
101 YEAR(S) |
|
Marketing |
3 YEAR(S) |
|
Audio and Visual Recordings |
3 YEAR(S) |
|
Association Membership Info |
1 YEAR(S) |
|
Health Info |
15 YEAR(S) |
|
Criminal Convictions and Security Measures |
101 YEAR(S) |
|
Student Education and Process Data |
101 YEAR(S) |
17-DATA DESTRUCTION PROCESS
In OUR UNIVERSITY, the personal data is destroyed in accordance with the Law. OUR UNIVERSITY has determined the period of periodic destruction as 1 year. Accordingly, periodic destruction is carried out in January every year.
18-ENFORCEMENT OF THE POLICY
This Policy entered into force on 31/12/2021. In case of renewal of all or part of the Policy, the versions of the Policy will be updated.
The policy is published on our UNIVERSITY website https://www.beykoz.edu.tr and is shared with the Personal Data Owner/Relevant Person upon request.
This content was updated on 17/02/2022.
It is very easy to follow Beykoz University closely, all you have to do is share your e-mail address with us. With the weekly newsletter, you can be instantly informed about upcoming events, news and many more.