Cletech
00

Personal Data Protection and Processing Policy

Hiraş Halkla İlişkiler Reklam Ajansı Sanayi ve Ticaret Limited Şirketi

1. Purpose

Hiraş Halkla İlişkiler Reklam Ajansı Sanayi ve Ticaret Limited Şirketi (“Company” or “Hiraş”) considers the protection of personal data as one of the fundamental elements of the commercial activities it carries out and the business relationships it establishes.

The purpose of this Personal Data Protection and Processing Policy is to explain at a general level the principles under which personal data is processed, protected, retained, and, where necessary, transferred by the Company, and the framework within which data subject applications are evaluated.

This Policy is the high-level policy text expressing the Company’s corporate approach to data protection. It does not replace transaction-specific disclosure notices. With respect to customer transactions, website use, cookies, and application processes, separately published specific texts shall take precedence.

2. Scope

This Policy covers the personal data of customers, prospective customers, website visitors, persons who contact us via telephone or call centre, business partners, supplier representatives, consultants, visitors, job candidates, and other natural persons who establish a relationship with the Company for any reason.

The Policy applies to data processed in both digital and physical environments. Data processing areas such as website forms, e-mails, telephone calls, call centre processes, application records, contracts, operational records, log records, and similar are evaluated within this scope.

3. Data Processing Framework Within the Company’s Activities

The Company may process personal data in connection with promotion of the products it sells, customer communication, product guidance, request and complaint management, pre- and post-sales communication, evaluation of applications received via the website, and operation of telephone and call centre processes.

Within this framework, data processing activities are carried out only for the purposes of responding to the data subject, fulfilling the request, providing guidance, protecting transaction security, conducting commercial processes, providing technical or operational support, ensuring legislative compliance, and, where necessary, protecting legal rights.

The Company makes it a principle not to collect data that is unrelated to its field of activity, unnecessary, or disproportionate.

4. Fundamental Principles

The Company aims to act in accordance with the following fundamental principles when processing personal data:

  • acting in compliance with the law and rules of good faith,
  • ensuring data is accurate and, where necessary, up to date,
  • processing data for specific, explicit, and legitimate purposes,
  • conducting data processing in a manner connected with, limited to, and proportionate to the purpose,
  • retaining data only for the period necessary.

These principles are observed jointly across website use, customer communication, call centre processes, technical support, application management, and all other data processing areas.

5. Conditions for Processing Personal Data

The Company may process personal data based on the explicit consent of the data subject or based on one of the other legal grounds under which legislation permits processing without explicit consent.

In practice, the Company may process personal data based mostly on the following legal grounds:

  • direct relevance to the conclusion or performance of a contract,
  • fulfilling the Company’s legal obligation,
  • necessity for the establishment, exercise, or protection of a right,
  • necessity for processing for the legitimate interests of the Company, provided that this does not harm the fundamental rights and freedoms of the data subject,
  • existence of explicit consent of the data subject.

The Company evaluates separately a process requiring explicit consent and a process requiring only an information notice. Where explicit consent is required, this process is carried out separately and specifically.

6. Categories of Personal Data That May Be Processed

Personal data that may be processed by the Company varies according to the nature of the relationship and may generally be grouped under the following headings:

  • identity information,
  • contact information,
  • customer transaction information,
  • product or service request information,
  • quotation and guidance information,
  • request and complaint records,
  • website usage information,
  • transaction security and log records,
  • legal action and compliance information,
  • information that may be necessary within the scope of financial relationships,
  • visual or audio data,
  • job candidate information,
  • cookie and technical usage data.

Although the Company’s business model does not heavily require the processing of special-category personal data, in exceptional cases where such data is encountered, an approach in compliance with the relevant legislation and providing stricter protection is adopted.

7. Purposes of Processing Personal Data

Personal data may generally be processed by the Company for the following purposes:

  • conducting customer relationships,
  • providing information about products and services,
  • receiving and concluding requests and complaints,
  • evaluating applications received via the website,
  • conducting pre- and post-sales communication processes,
  • providing technical or operational guidance,
  • managing telephone and call centre processes,
  • planning and sustaining business activities,
  • ensuring information and transaction security,
  • conducting contract, accounting, audit, and compliance processes,
  • fulfilling legal obligations,
  • conducting processes for the protection of a right or for evidentiary purposes.

The Company makes it a principle that there be a reasonable, proportionate, and defensible link between the data used and the purpose of processing in every data processing activity.

8. Telephone and Call Centre Processes

The Company may communicate with its customers via telephone or call centre channels. Information shared in such processes may be processed for the purposes of providing customer support, providing product guidance, managing requests and complaints, ensuring transaction security, and conducting communication processes.

Where call recording is implemented in the Company’s infrastructure, voice recordings may be processed for the purposes of monitoring service quality, managing requests and complaints, ensuring transaction security, and, where necessary, conducting legal evidentiary processes. In this case, the data subject is separately informed at the start of the call.

Even where call recording is implemented, unlimited use of records, disproportionate retention, or leaving them open to unauthorised access is not accepted. This area is additionally managed within the framework of internal company processes.

9. Transfer of Personal Data

The Company may transfer personal data to third parties only to the extent necessary and to the extent there is a legal basis.

The parties to whom transfers may be made vary according to the specific situation, but generally include:

  • technical infrastructure and IT service providers,
  • website hosting and support providers,
  • telephone and call centre infrastructure providers,
  • persons and organisations from whom legal, advisory, audit, and accounting services are obtained,
  • suppliers and solution partners,
  • relevant business partners involved in product, support, or guidance processes,
  • legally authorised public institutions and organisations,
  • courts, notaries, enforcement offices, and other authorised bodies.

The Company applies the principle of “as much data as necessary” in data transfers. The need for transfer is evaluated separately for each transaction.

10. Cross-Border Transfer

Cross-border data transfer may arise due to the software, cloud services, call centre infrastructure, website tools, or third-party technical systems used by the Company. In such cases, the Company makes it a principle to act in accordance with the legal framework envisaged by the legislation in force.

11. Security of Personal Data

The Company aims to take appropriate technical and administrative measures for the security of personal data. Within this scope, tools such as authorisation limitation, access control, password security, log management, backup, network security, physical archive security, employee awareness, and contractual protection mechanisms may be used.

The security approach may differ according to the nature of the data and the environment in which it is processed. In particular, security sensitivity is additionally taken into account for the website, call centre, telephone infrastructure, and customer communication channels.

12. Retention and Disposal

The Company does not retain personal data indefinitely. Data is retained only for the period necessary for the purposes for which it is processed and for the minimum period stipulated by the relevant legislation.

When the need for retention ends or when the necessary conditions arise within the framework of relevant legislation, personal data is deleted, destroyed, or anonymised. In this process, the data category, legal basis, retention purpose, and evidentiary need are considered together.

13. Rights of the Data Subject

Data subjects have the following rights regarding their personal data:

  • to learn whether personal data relating to them is processed,
  • to request information if so,
  • to learn the purpose of processing and whether it is used in accordance with the purpose,
  • to know the third parties to whom data has been transferred,
  • to request rectification of incomplete or incorrectly processed data,
  • to request deletion or destruction if the conditions are met,
  • to request that the rectification or deletion be notified to third parties,
  • to object to a result arising against them due to analysis by automated systems,
  • to claim compensation for damages incurred due to unlawful processing.

14. Application Procedure

Data subjects may submit their requests regarding their rights in writing or by other means accepted by legislation. Within this scope, the KVKK Application Form published on the website may be used.

The Company evaluates and concludes applications submitted in compliance with the procedure within the legal period.

15. Relation of the Policy to Other Texts

This Policy is the high-level text expressing the Company’s general data protection approach. It has been prepared to set out the corporate approach and general principles of Hiraş Halkla İlişkiler Reklam Ajansı Sanayi ve Ticaret Limited Şirketi regarding personal data. However, the following texts also bear importance with respect to transaction-specific information needs:

  • Customer Disclosure Notice,
  • Cookie Disclosure Notice,
  • Website Privacy Policy,
  • KVKK Application Form.

If a more specific text exists for a concrete data processing activity, that text shall take precedence.

16. Update and Effectiveness

The Company may review and update this Policy in line with legislative changes, technical requirements, developments in the field of activity, and implementation needs.

The current version of the Policy shall be deemed effective from the date it is published on the website.