PARIWA TECHNOLOGY COMPANY
PERSONAL DATA PROTECTION AND PROCESSING POLICY
Document Name: Pariwa Teknoloji Anonim Şirketi Personal Data Protection and Processing Policy
Target Audience: All natural persons whose personal data are processed by Pariwa Teknoloji Anonim Şirketi
Prepared by: Pariwa Teknoloji Anonim Şirketi
Approved by: Board of Partners
© İzmir, 2024
The protection of personal data is a matter of great importance for Pariwa Teknoloji Anonim Şirketi (“Pariwa.com.com” or the “Company”). Due to the sensitive nature of the field in which it has operated to date, Pariwa.com.com has kept confidential the personal data obtained from all data subjects (natural persons whose personal data are processed / relevant persons) and has never unlawfully shared them with third parties. Even before the existence of any legal regulation, Pariwa.com.com adopted the confidentiality of personal data as a working principle and instructed its employees to work in line with this principle.
In order to ensure compliance with the Law No. 6698 on the Protection of Personal Data (“Law”), the Company adopts all principles envisaged by the Law and fulfills its obligations regarding the processing, deletion, destruction, anonymization, transfer of personal data, informing the data subject, and ensuring data security. This Personal Data Protection (“PDP”) Policy, prepared within this scope, is made available for access by natural persons whose personal data are processed.
This PDP Policy explains how personal data are collected, used, shared, stored, and protected by Pariwa.com.com, and clarifies the rights of data subjects in relation thereto.
This PDP Policy applies to the personal data of the following data subjects within the scope of the Law: employees, job applicants, Company shareholders, Company officials, visitors, employees of institutions with which the Company cooperates, those who access any application and service offered by the Company, and third parties.
Personal data collected either by obtaining the explicit consent of data subjects or based on other lawful grounds set out in the Law are processed for the fulfillment of Pariwa.com.com’s legal obligations, proper provision of its services, improvement of the quality of the services provided and enhancement of its quality policy, and for other purposes stated in this PDP Policy.
When carrying out personal data processing activities, Pariwa.com.com complies with the principles listed in Article 4 of the Law:
Compliance with law and the rules of good faith: Pariwa.com.com questions the source of personal data obtained from the data subject or third parties and attaches importance to obtaining and processing such data lawfully and in accordance with the rules of good faith. In this context, Pariwa.com.com provides necessary warnings and notifications to third parties to whom it transfers personal data for the purpose of protecting personal data.
Being accurate and, where necessary, up to date: Pariwa.com.com ensures that all data within its legal entity are accurate and do not contain incorrect information, and attaches importance to updating personal data when changes occur and such changes are communicated to it. Pariwa.com.com exercises reasonable care and diligence regarding the accuracy and currency of personal data declared by members, customers, or third parties who contact the Company.
Processing for specified, explicit, and legitimate purposes: Pariwa.com.com determines its legitimate and lawful purposes of processing personal data in a specified and explicit manner before commencing the processing activity. Personal data are not processed for purposes other than those determined.
Being relevant, limited, and proportionate to the purpose for which they are processed: Pariwa.com.com performs personal data processing activities only to the extent necessary for the relevant purpose. Personal data that are not relevant to the determined purpose are not processed by Pariwa.com.com.
Retention for the period stipulated in relevant legislation or required for the purpose for which they are processed: Pariwa.com.com retains personal data for the period stipulated by legislation or required by the purpose of processing. However, when the legal retention period expires and/or when all purposes of processing cease to exist, it deletes, destroys, or anonymizes the personal data.
These principles apply regardless of whether Pariwa.com.com processes personal data based on explicit consent or based on other data processing conditions set out in the Law. In this respect, Pariwa.com.com processes personal data in accordance with data processing conditions and general principles and fulfills its obligation to inform.
Pariwa.com.com processes personal data with explicit consent, or—where applicable—based on the other lawful processing conditions listed below:
Explicitly stipulated in laws;
Processing is mandatory for the protection of the life or physical integrity of the person who is unable to express consent due to factual impossibility or whose consent is not legally valid, or of another person;
Processing is necessary, provided that it is directly related to the establishment or performance of a contract, for the personal data of the parties to the contract;
Processing is mandatory for the data controller to fulfill its legal obligation;
Personal data have been made public by the data subject;
Processing is mandatory for the establishment, exercise, or protection of a right;
Processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Under the Law, data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership of an association, foundation or trade union, health data, sexual life, criminal convictions and security measures, and biometric and genetic data are special categories of personal data. Pariwa.com.com takes additional measures stipulated by the Law and the Personal Data Protection Board when processing special categories of personal data.
When processing special categories of personal data, the data processing conditions listed in Article 6 of the Law are complied with, and for health data, the provisions of the Regulation on the Processing of Personal Health Data and Ensuring Privacy, published in the Official Gazette dated 20 October 2016, are observed.
Accordingly, special categories of personal data are processed in the following cases:
The data subject’s explicit consent is obtained;
For special categories of personal data other than health and sexual life, where processing is stipulated in laws;
For health and sexual life data, where processing is carried out by persons under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing.
Pariwa.com.com processes the personal data of job applicants, employees, customers, Company shareholders/officials, visitors, and other persons based on the legal grounds in Articles 5 and 6 of the Law. The purposes of processing vary depending on the relevant data subject category, as follows:
Job Applicant Data: Pariwa.com.com processes personal data shared by job applicants when applying for a job at the Company, or obtained from online recruitment platforms, in accordance with its human resources policies and procedures, for the purposes of evaluating the candidate’s suitability for the position, conducting interview processes, and enabling re-evaluation of candidates with negative outcomes for potential future positions. Pariwa.com.com does not request any special categories of personal data at the application stage. However, if a job applicant shares special categories of personal data with explicit consent, such data are stored with additional measures if necessary; otherwise they are disposed of.
Employee Data: Pariwa.com.com processes employees’ personal data for purposes such as preparing and keeping a personnel file as required under Article 75 of the Turkish Labor Law; establishing rights and fulfilling obligations arising from employment contracts; implementing and improving human resources policies; ensuring occupational health and safety; planning and execution of fringe benefits; exercising supervisory authority and ensuring workplace discipline under the Labor Law; ensuring the Company’s physical, legal, and commercial security; and determining and implementing the Company’s commercial and business strategies.
Customer/User Data: Pariwa.com.com’s main field of activity is to mediate appointment and reservation requests made by customers for health and beauty facilities listed on its platform. The primary purpose of processing customer data is the proper provision of this service. In this context, customer personal data are processed for purposes such as completing and managing appointment transactions; improving the website and mobile application to provide customers with easier and higher-quality service; request and complaint management; resolution of potential and/or existing disputes; processing and storing online user data within the scope of fulfilling Pariwa.com.com’s legal obligations; conducting marketing, profiling, and advertising activities; and determining and implementing Pariwa.com.com’s commercial and business strategies.
Visitor Data: The personal data of individuals who visit Pariwa.com.com’s buildings and facilities are recorded via security cameras for the purpose of ensuring the Company’s physical security. Recorded images are stored in secure encrypted environments and are disposed of at the end of … days. In the event of any dispute, Pariwa.com.com may process the relevant personal data and share them with legal authorities.
Pariwa.com.com may also process the personal data of the data subjects in the above categories as well as suppliers, shareholders, and other third parties for purposes such as planning and execution of corporate sustainability activities; management of relationships with business partners or suppliers; continuation of ordinary corporate activities; execution/follow-up of financial reporting and risk management; execution/follow-up of legal affairs; planning and execution of corporate communication; execution of corporate governance activities; conducting company and partnership law transactions; activities aimed at protecting the Company’s reputation; management of investor relations; providing information to authorized institutions as required by legislation; determining and implementing the Company’s commercial and business strategies; responding to information requests from administrative and judicial authorities; managing legal processes and ensuring regulatory compliance; ensuring information and transaction security; and preventing malicious use.
If the data processing activity performed for the purposes stated above does not meet any of the other processing conditions set out in the Law, Pariwa.com.com obtains the data subject’s explicit consent for the relevant processing activity.
Pariwa.com.com collects personal data through contracts, digital channels, call centers, notifications received from administrative and judicial authorities, and other communication channels, in audio, electronic, or written form, in accordance with the personal data processing conditions set out in the Law and the legal grounds specified in this PDP Policy.
Such personal data are primarily processed within the scope of this PDP Policy for the establishment of a contract and provision of services to data subjects. Accordingly, personal data are obtained when Pariwa.com.com services are used, when a legal relationship is established with Pariwa.com.com (purchase, intermediation, employment, etc.), when a member account is created, when services are received without membership, or when Pariwa.com.com is contacted regarding services (via live support, email, etc.).
Where Pariwa.com.com users/customers share another person’s personal data, the relevant user/customer is responsible for informing the data subject that their personal data have been shared with Pariwa.com.com and obtaining consent where required.
Pariwa.com.com adopts compliance with law as a principle when obtaining personal data from both business partners and solution partners. Personal data are collected from business partners and solution partners based on confidentiality commitments and only to the extent required by the service, and measures are taken to ensure data security.
Pariwa.com.com transfers personal data to third parties only for the purposes stated in this PDP Policy and in accordance with Articles 8 and 9 of the Law. In this context, the Company may transfer personal data it collects to the following persons and institutions for specific purposes:
To the Company’s business partners, limited to ensuring fulfillment of the purposes of establishing the business partnership;
To the Company’s suppliers, limited to ensuring the provision of services required for the Company to perform its commercial activities, which the Company obtains through outsourcing;
To the Company’s customers;
To the Company’s solution partners.
The purpose of sharing personal data by Pariwa.com.com is to enable access to services, comply with legal obligations, ensure implementation of the contract executed with the data subject, perform purchase and sales transactions, or prevent and detect fraudulent or illegal activities related to the services.
Pariwa.com.com adopts lawful conduct as a principle in data sharing activities. Data are shared with third parties only to the extent required by the service, and such parties are required to take data security measures.
Personal data may also be shared with relevant solution partners—within the scope of the member’s commercial electronic communication consent—for the purposes of making promotions/advertisements and offering benefits and opportunities based on the member’s shopping preferences, likes, and habits.
Pariwa.com.com may share anonymous data of members/customers with market research companies in order to increase customer satisfaction and loyalty.
The personal data subject to domestic and international transfers as stated above are protected not only through technical measures ensuring data security but also legally through provisions included in data transfer agreements.
Pariwa.com.com may share personal data with public institutions and organizations legally authorized to request such information in order to fulfill its legal obligations (including, but not limited to, combating crime, threats to state and public security, etc., and cases where the Company has a legal or administrative notification or information obligation).
Pursuant to the Law, personal data are kept accurate and up to date and retained for the period stipulated in relevant legislation or required for the purpose of processing. This period is determined separately for each personal data category. After the expiry of the relevant period, personal data are deleted, destroyed, or anonymized at the end of the periodic disposal periods determined in accordance with the Regulation on Deletion, Destruction or Anonymization of Personal Data.
Deletion of personal data means rendering personal data inaccessible and unusable for the relevant users in any way;
Destruction of personal data means rendering personal data inaccessible, irretrievable, and unusable by anyone in any way;
Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person in any way, even if matched with other data.
Within this scope, Pariwa.com.com has determined the necessary periodic disposal periods and created a data disposal policy. The Company records all operations performed regarding deletion, destruction, and anonymization of personal data and stores such records for at least three years, except for other legal obligations.
When a data subject applies to Pariwa.com.com and requests deletion or destruction of their personal data, Pariwa.com.com:
If all conditions for processing personal data have ceased to exist, deletes, destroys, or anonymizes the personal data subject to the request;
Finalizes the request no later than thirty (30) days and informs the data subject;
If all processing conditions have ceased to exist and the personal data have been transferred to third parties, notifies the relevant third party and ensures that necessary actions are taken by such third party.
If not all conditions for processing personal data have ceased to exist, Pariwa.com.com may reject the request by explaining the reason pursuant to paragraph 3 of Article 13 of the Law and notifies the data subject of the rejection in writing or electronically within thirty (30) days at the latest.
Pariwa.com.com takes technical and administrative measures, depending on technological possibilities and implementation costs, to ensure lawful processing of personal data. The technical and administrative measures taken to protect personal data are implemented diligently and with additional precautions for special categories of personal data, and required audits are carried out periodically at the highest level within Pariwa.com.com.
Pariwa.com.com has taken all appropriate security measures to ensure that personal data are processed only for the purposes stated in this PDP Policy and to reduce risks such as malicious use, unauthorized access, sharing, destruction, or alteration of personal data. These security measures also include additional precautions regarding transfers of personal data to countries that may not provide an adequate level of data protection.
Personal data are confidential and Pariwa.com.com complies with this confidentiality. Only authorized persons within Pariwa.com.com can access personal data. In this framework, software compliance with standards, careful selection of third parties, and compliance with the data protection policy within the Company are ensured.
Within the scope of technical and administrative measures to ensure data security, Pariwa.com.com:
Conducts regular trainings and awareness activities for its employees on personal data protection;
Creates policies based on the personal data processing inventory and designs the necessary processes to implement such policies;
Identifies risks within the scope of personal data protection law and diligently carries out efforts to eliminate such risks;
Establishes active information and explicit consent channels;
Performs periodic internal audits to fulfill obligations under personal data protection law;
Continuously obtains legal consultancy services for compliance with updated legislation;
Creates a separate policy for the protection of special categories of personal data and implements additional measures determined by the Personal Data Protection Board;
Implements necessary measures such as data sharing agreements for managing relationships with data processors;
Uses widely accepted security technology standards such as firewalls and Extended Validation Secure Sockets Layer (EV SSL) encryption;
Transfers personal data sent to Pariwa.com.com via its website, mobile application, and mobile site using EV SSL;
Uses virus protection systems, secure databases, servers, and firewalls;
Takes the broadest and most appropriate preventive security measures by analyzing the value of information/data and risk conditions, in light of current technological developments, including encryption of email information;
Establishes a secure technical infrastructure to ensure the security of databases where personal data will be stored;
Determines procedures for reporting technical measures and audit processes;
Takes other administrative measures regarding personal data protection.
Security measures are periodically renewed and improved.
Although Pariwa.com.com takes necessary information security measures, in the event that personal data are harmed or obtained by unauthorized third parties as a result of attacks on the platforms operated by Pariwa.com.com or on Pariwa.com.com’s system, Pariwa.com.com immediately acts to remedy the breach and minimize the damage. Pariwa.com.com promptly notifies the data subjects and the Personal Data Protection Board and takes necessary measures.
According to the Constitution of the Republic of Türkiye, everyone has the right to request the protection of their personal data. Accordingly, the data subject’s rights over their personal data are as follows:
To learn whether their personal data are processed;
If processed, to request information regarding such processing;
To learn the purpose of processing and whether the data are used in accordance with such purpose;
To know the third parties to whom personal data are transferred domestically or abroad;
To request correction of personal data if they are incomplete or inaccurate;
To request deletion or destruction of personal data within the framework of the conditions set out in Article 7 of the Law;
To request notification of third parties to whom personal data have been transferred regarding deletion, destruction, or correction;
To object to the occurrence of a result against the data subject by analyzing the processed data exclusively through automated systems;
To request compensation for damages in the event of loss due to unlawful processing of personal data.
If data subjects submit their requests regarding the rights listed above to Pariwa.com.com in accordance with the application procedures set out in the Communiqué on the Procedures and Principles of Application to the Data Controller, Pariwa.com.com will finalize such request free of charge as soon as possible and in any case within thirty (30) days, depending on the nature of the request. However, if the operation requires an additional cost, Pariwa.com.com may charge the fee specified in the tariff determined by the Personal Data Protection Board.
The data subject may submit requests in writing, or via registered electronic mail (KEP), secure electronic signature, mobile signature, or using the email address previously notified to Pariwa.com.com by the data subject and registered in Pariwa.com.com’s system, or through software/application developed for the purpose of application.
In an application, it is mandatory to include:
Name and surname, and signature if the application is in writing;
Turkish ID number for Turkish citizens; nationality, passport number or ID number (if any) for foreigners;
Address of residence or workplace for notification;
If any, email address for notification, phone and fax number;
Subject of request; and relevant information and documents to be attached to the application.
Applications will be evaluated only if they are in Turkish. For third parties to apply on behalf of personal data subjects, a special power of attorney issued through a notary public in the name of the person who will apply must be provided by the data subject.
Pariwa.com.com may amend this PDP Policy at any time. Such amendments become effective on the date the amended PDP Policy is published. Necessary information will be provided to data subjects to ensure they are informed about changes to this PDP Policy.
You may submit your questions and requests regarding the Personal Data Protection and Processing Policy to Pariwa.com at: iletisim@pariwa.com
