Privacy Policy

PRIVACY POLICY

1. PURPOSE and SCOPE

Talya Informatics Trade and Industry Ltd. Sti. (“TALYA”, “Company”), we attach importance to the protection of your personal data and private information. For this reason, in accordance with the Law on Protection of Personal Data No. 6698 (“KVK Law”), by using, recording, storing, updating, transferring and/or classifying your personal data within the framework described below, depending on business purposes, by our Company, as Data Controller. We show all the necessary effort and care in processing.

In this context, in accordance with the Laws and Regulations issued by our Company to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to protect personal data, in order to prevent unlawful processing of your personal data, to prevent unlawful access and to ensure its preservation, we try to ensure the appropriate level of security. All technical and administrative measures are taken.

The target audience of this text is all real persons and our employees whose personal data are processed on our websites and in our corporate processes. As TALYA, our online software (“Web-Based Software”), desktop software (“Desktop”), websites (“Site”, “Sites”) and mobile applications (“Mobile Application”, “Mobile Application”), which serve over the internet via web-based and cloud We provide services through “Applications”). This Illumination Text covers all of the software, sites and applications in question.

Our Web-based Software: Elektraweb, Elektrawebmini, Elektraweb SPA, ElektraOtelimWebde

Desktop: Medisoft, Elektra

Our Websites: www.talyabilisim.com.tr, www.medisoft.com.tr, isafe.com.tr, www.elektraotel.com, www.elektraweb.com, spasatis.com, sparezervasyon.com

Our Mobile Applications: Medisoft Mobil, Medisoft Mobil Pro, e-Wallet Mobile, Elektra Pos Restaurant Manager

Personal information processed on our Software, Applications, Sites and Mobile Applications are processed in accordance with the legislation on the protection of personal data. Regarding our web-based, desktop and mobile applications, we are in the status of “data controller” only for those who open a user account and/or download mobile applications and use our websites, and this Privacy Policy is only valid for the processing of data belonging to these individuals.

Our Customers who process and save data using our web-based, desktop and mobile applications are data controllers independently of us. In these cases, since we are only in the status of “data processor” as the Company, we recommend that you consult our Customers’ own privacy policies, clarification text and similar documents that process your personal data when necessary.

On the other hand, we do not give any guarantee regarding the data security and data protection practices and policies of third party websites linked within our Sites. In this regard, we recommend that you review the data security and data protection policies of the relevant data controller separately.

3. IDENTITY OF THE DATA SPEAKER

TALYA BİLİŞİM (or the “Organization*) is in the status of “Data Controller” and is obliged to fulfill the obligations arising from the law against all real persons with whom it contacts and processes personal data, especially employees, employee candidates, customers, suppliers, supplier employees and visitors. . TALYA BİLİŞİM fulfills these obligations with the administrative measures it has taken through the compliance and control tools it has taken, and the technical measures at the appropriate and measured level.

TALYA BİLİŞİM processes your personal data as the “Data Controller” defined in Article 3 of the Personal Data Protection Law No. 6698, and the contact information is below:

Title : Talya Bilişim Ticaret ve Sanayi Ltd. Sti..

Address : Akdeniz University Antalya Technopolis, R&D 3 Building, Dumlupınar Boulevard, No:758/3 Campus ANTALYA

Our web addresses: www.talyabilisim.com.tr, www.medisoft.com.tr, isafe.com.tr, www.elektraotel.com, www.elektraweb.com, spasatis.com, sparezervasyon.com

Phone : + 90 (242) 227 91 00

You can send it to the correspondence address or [email protected] via e-mail

4. BASIC CONCEPTS

On ri za: for a given subject, which is based on informed consent and free will described

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.

Relevant person i: Natural person whose personal data is processed

Personal data: Any information relating to an identified or identifiable natural person.

Employee who touches personal data: Employees who process personal data of relevant persons on behalf of the organization as per their job description

Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as classification or prevention of its use.

Committee: Internal Committee formed within the organization in accordance with the “Directive on the Duties and Responsibilities of the KVK Committee”, which has duties such as monitoring all personal data processes carried out by the organization, its units and employees, controlling whether the policies are followed, and executing personal data processes on behalf of the organization.

Board: Personal Data Protection Board

Institution: Personal Data Protection Authority

KVK: Personal Data Protection Law No. 6698

Private Personal Data: Data about the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures. biometric and genetic data

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data registration system: The registration system in which personal data is processed and structured according to certain criteria.

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Joint data controller: The other data controller with whom the  organization shares personal data within the scope of its commercial and corporate activities, and carries out processing activities on personal data jointly during this sharing.

Independent data controller: The other data controller that the organization shares personal data for once within the scope of its commercial and corporate activities.

5. PURPOSE OF PROCESSING PERSONAL DATA

Personal data belonging to the persons concerned in our organization, completely and directly related to the activities of the organization and the commercial, business or legal relationship with the person concerned;

1. Purposes of Management Processes:
   1. Execution of commercial activities,
   2. Ensuring business continuity, ensuring legal and administrative job security,
   3. Planning and execution of business and implementation strategies,
   4. Managing occupational health and safety processes,
   5. Making presentations, promotions and information about the establishment, services and products,
   6. Fulfillment of obligations arising from legislation and contracts,
   7. Ensuring physical space security in and around the establishment,
   8. Getting legal support,
   9. Using electronic and other social media tools and printed, periodic and non-periodical publications,
   10. Execution of dealership processes
   11. Establishing and maintaining communication with members of the press and press and media organs,
   12. Informing the public about the activities,
   13. Conducting business negotiations in a timely and effective manner,
   14. Completion of work in a timely and appropriate manner,
   15. Planning and execution of activities at local, national and international levels,
   16. Conducting relations with business partners and group companies at home and abroad,
   17. Execution of intellectual and industrial property transactions,
   18. Promotion, marketing and information about the establishment, products and services,
   19. Receiving notifications and feedback from customers and potential customers,
   20. Providing technical support to customers,
   21. Answering questions from customers and potential customers
   22. Providing support on electronic billing services,
   23. Participating in events such as fairs, seminars,
2. Employee Purposes:
   24. Creation and execution of employment contracts of employees,
   25. Fulfillment and implementation of services offered to employees,
   26. Providing socioeconomic benefits to employees,
   27. Execution of domestic and international assignment, travel and accommodation processes,
   28. Planning and execution of human resources processes,
   29. Recruitment, execution of business relationship, execution of performance evaluation processes,
   30. Creating personal files, storing them in physical and electronic media,
   31. Time tracking,
   32. Execution of exit procedures and interviews,
   33. Execution of performance and audit activities,
3. Information im S ureC related Objectives:
   34. Creation and updating of information and communication infrastructure,
   35. Managing users of information tools and systems,
   36. Managing corporate e-mail accounts,
   37. Managing corporate social media accounts,
   38. Managing, supervising and closing the e-mail accounts of employees leaving the job,
   39. Managing, monitoring, inspecting portable and/or desktop electronic devices,
   40. Execution of transactions belonging to mobile application users,
   41. Execution of transactions regarding website members,
   42. Ensuring data security and archiving data,
   43. Keeping internet access logs,
   44. Follow-up of vehicles and users belonging to the organization,
   45. Personal data is processed for the purposes of protecting and managing digital assets and rights of customers.

6. RELATED PERSONS whose PERSONAL DATA IS PROCESSED

TALYA BİLİŞİM processes the data of the persons concerned in general and intensively within the scope of this Privacy Policy and other administrative and technical measures. In the processing of personal data belonging to real persons outside these categories, the data processing policies of the organization, especially this Privacy Policy, will be complied with. The categories of natural persons whose personal data are being processed are as follows:

• employees,
• Employees with an indefinite-term employment contract,
• Those who are in charge of intern and İŞKUR on-the-job training programs,
• Job applicants,
• Customer representatives and employees,
• Supplier representatives and employees,
• Consultants and Auditors,
• Public officers,
• Our visitors,
• visitors of the Internet Sites,
• potential customers and users,
• Our Dealers

7. LEGAL REASONS AND CATEGORIES OF PROCESSED PERSONAL DATA

7.1. Personal Data of Our Employees and Employees and Interns Who Provide Service with Indefinite Term Employment Contracts

Personal data of organization employees, employee candidates and interns,

• Business arrangement,
• Labor Law No. 4857 ,
• Turkish Code of Obligations No. 6098 ,
• Social Insurance and General Health Insurance Law No. 5510 ,
• 6 331 numbered Occupational Health and Safety Law,
• 4632 Private Pension Savings and Investment System Law,
• Execution and Bankruptcy Law No. 2004,
• Law No. 4904 on Some Regulations Regarding the Turkish Employment Agency,
• Vocational Education Law No. 3308,
• Turkish Commercial Code No. 6102,
• Electronic Signature Law No. 5070,
• Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
• Social Insurance Operations Y d netmeliğ good,
• Identity Notification Law No. 1774,
• Ü wages, premiums, bonuses and All Forms of payment on the remuneration of the Bank in this Qualifications Through Y d netmelik

and similar laws, regulations and communiqués.

In this context, the organization includes the categories of employees’ identity, communication, personnel, finance, professional experience, physical space security, legal action, transaction security, risk management, audio-visual records and other information, belief, association membership, foundation membership, health information, criminal convictions. It processes special quality data such as security measures and security measures.

7.2. Personal Data of Job Applicants

Identity, personal, contact, family information, finance, education, vocational information, shared with us by online employment platforms and/or talent agents, which job applicants share with us voluntarily through tools such as CVs, letters of intent or forwarded to be shared with all relevant organizations at their own request. We process personal data such as experience, habits and special data that they share with their own will, such as association and foundation memberships that they record in their resumes.

7.3. Personal Data of Representatives of Our Customers and Suppliers

The personal data of the customer and supplier real persons, representatives of the customer and supplier institutions and real persons with whom the organization has relations while carrying out its commercial activities,

• Service Agreement,
• Turkish Code of Obligations No. 6098 ,
• Execution and Bankruptcy Law No. 2004,
• Turkish Commercial Code No. 6102,
• Tax Procedure Law No. 213,
• Tax Procedure Law General Communiqués

and similar laws, regulations and communiqués. The organization processes the personal data of real persons and representatives of customers and suppliers in the categories of identity, communication, finance, legal action and other information.

7.4. Personal Data of Auditors, Consultants and Public Employees

Personal data of auditors, consultants and public employees who carry out control and audit duties in order to carry out commercial and manufacturing activities of the organization and to ensure its sustainability and quality,

• Turkish Commercial Code No. 6102,
• Customs Law No. 4458,
• Tax Procedure Law No. 213,
• Labor Law No. 4857 ,
• Law No. 4904 on Some Regulations Regarding the Turkish Employment Agency,
• Social Insurance and General Health Insurance Law No. 5510 ,
• Tax Procedure Law General Communiqués,

and similar laws, regulations and communiqués.

In this context, the organization processes the personal data of auditors, consultants and public officials in the categories of identity, communication and personnel.

7.5. Personal data of our Application and Site Users

We process the personal data of users who use our own web-based, desktop and mobile applications on their own behalf or corporately in the categories of identity, personnel, communication, location.

In addition, a trial account is created for people who want to try applications and software, and their personal data in the categories of identity, personnel and communication are processed.

7.6. Personal Data of Our Visitors

Personal data of visitors in order to ensure information and facility security,

• Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,

We process it within the scope of our legitimate interests.

In this context, personal data of visitors in categories such as Identity, Transaction Security, Physical Space Security are processed.

7.7 . Personal Data of Site Visitors and Members

In accordance with our legitimate interests, your personal data in categories such as transaction security and identity belonging to users who visit our websites and register as members are processed through forms and “cookies”. For more information about cookies, we ask you to refer to our “Cookies Policy” .

7.8. Personal Data of Our Potential Customers

Apart from the advertisements on our sites, we may inform our users, trial users, customers and potential customers about new products or services by e-mail, social media or telephone with their consent. The persons concerned may object to such promotional, advertising and promotional communications at any time. In addition, those who do not want to receive such e-mails and SMS messages can block the messages, use the cancellation option or request to be deleted from the lists by contacting us.

We also have a newsletter to inform those interested in our products and/or services. Each newsletter contains a link from our newsletter where you can unsubscribe. Those who want to cancel the subscription can do so through their account settings. Limited to this scope, we process the personal data of our potential customers in the categories of identity, personnel and communication.

7.9. Personal Data of Our Dealers

Identity, communication and personal data of the representatives of our dealers who take part in sales, marketing and after-sales support services of our products and services

• Dealership Agreement
• Turkish Code of Obligations No. 6098 ,
• Execution and Bankruptcy Law No. 2004,
• Turkish Commercial Code No. 6102,
• Tax Procedure Law No. 213,
• Tax Procedure Law General Communiqués

and similar laws, regulations and communiqués.

8. RIGHTS OF THE RELATED PERSON

The Organization accepts that, within the scope of the Law, the data subject has the right to obtain consent before the data is processed, and that it has the right to determine the fate of the data after the data is processed.

In this sense, the relevant persons apply to the Contact Person;

1. a) Learning whether your personal data is processed or not,
2. b) If your personal data has been processed, requesting information about it,
3. c) To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,

ç) To know the third parties to whom personal data is transferred in the country or abroad,

1. d) Requesting correction of personal data in case of incomplete or incorrect processing,
2. e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
3. f) Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
4. g) Objecting to the emergence of a result against you by analyzing the processed data exclusively through automated systems,

ğ) In case you suffer damage due to unlawful processing of personal data, it can exercise its right to demand the compensation of the damage.

However, individuals do not have a right to anonymized data within the Company. Personal data may be shared with relevant institutions and organizations in case of legal authority by a judicial or public authority as a requirement of the business and contractual relationship.

Requests within the scope of the enumerated rights are made by filling in the Institution Application Form completely and submitting it to the Contact Person with your wet signature, registered letter with return receipt, and copies of your identity card (only the front page for the identity card). You can take a look at the Personal Data Applications Clarification Text regarding the application process .

9. BASIC RULES TO BE FOLLOWED IN PROCESSING PERSONAL DATA

TALYA BİLİŞİM units and employees will pay attention to the following basic rules, on which the Privacy Policy and other corporate policies are built, while processing the personal data of the persons concerned.

1. Compliance with the law and honesty rules: The organization checks and inquires whether the personal data collected by itself or shared with it by other parties are fulfilled, such as informing the relevant person specified in the KVK, and obtaining the explicit consent of the data subject for the processing of data when necessary. Acts in accordance with the rules of honesty when informing the relevant persons, obtaining their explicit consent or responding to their applications for information.
2. Being accurate and up-to-date when necessary: ​​The organization tries to ensure that the personal data it processes and keeps in its databases contains accurate information as far as control mechanisms allow. It takes care to keep the data as updated as possible. It encourages data sources to share accurate information and update on changes. It pays attention to check that the data is correct and up-to-date during the collection phase.
3. Specific, explicit and legitimate purposes, interior in good PROCESSED Views: Organization, but certain personal data defined in this Privacy Policy, open and work for legitimate purposes.
4. Purpose they are processed la ba Co nn ection, limited and d is the measure: organizations, to work for any purpose other than personal data in the limits of the purpose they are processed, the elucidation of the person concerned when such a need arises and takes care of receipt of the necessary explicit consent. It uses data only for the purpose for which it is processed and to the extent required by the service. It does not process, use and make use of data other than for business purposes. When personal data needs to be processed for another purpose, corrections are made in compliance and control tools under the supervision and approval of the Committee.
5. Loyalty to the Term: The organization takes care to preserve the personal data for the period required by the relevant legislation or for the purpose for which they are processed. It keeps the personal data arising from the contract within its body as long as the conflict periods in the relevant Laws, the requirements of the commercial and tax law. However, when these purposes disappear, the organization deletes or anonymizes personal data. How long the data in each category will be kept is determined in the Personal Data Inventory.
6. Data Reduction: The organization, its units and employees collect data in categories related to the purpose, except for the scope and periods required by the laws and relevant legislation, but in the amount required by the processing purpose, and takes care to process it in its systems as long as necessary.
7. Deletion and Disposal: The organization keeps the personal data it processes, limited to the periods stipulated in the relevant field legislation such as the laws, social security, debts, tax and commercial law and/or for the periods required by the processing purpose. In the event that these periods expire , it deletes, destroys or anonymizes the expired personal data in accordance with the Personal Data Retention, Deletion, Destruction and Transfer Policy and with the permission and supervision of the Committee .
8. Confidentiality and Data Security : In all processes of processing, transferring and storing personal data in the organization, care is taken to ensure general privacy rules and data security, and actions are taken in accordance with the policy documents and rules created for this purpose. Care is taken to take necessary administrative and technical measures.

10. TRANSFER OF PERSONAL DATA

TALYA BİLİŞİM makes use of domestic and international service and product suppliers in order to carry out production-oriented and commercial activities and to carry out the activities that require expertise as an institution, and according to their job descriptions, activities and the nature of the service they provide, they are “data processor”, “data controller” or ” These suppliers, who are considered to be the “joint data controllers”, may transfer personal data to their business partners or authorized institutions and organizations.

10.1. Matters to be Considered in Personal Data Transfer

1. During personal data sharing, data transfer is secured by signing a data transfer agreement, undertaking or similar documents with all parties to whom data is transferred.
2. Each unit and employee should take care of the risks that the addressee to whom personal data is transferred may pose in relation to personal data, and take care to avoid situations that may create risks.
3. In the use of applications and services originating abroad, care is taken to comply with the relevant legislation such as KVK and GDPR.
4. During data transfers to parties and suppliers, care must be taken to ensure data security with appropriate and secure means and channels, to monitor whether the real persons to whom personal data are transferred are authorized by the addressee, and to delete copies and copies of personal data, if any, from all channels as soon as their functions are terminated. .
5. Organizational units and employees are obliged to observe the sensitivity and practices of the parties and suppliers to whom they transfer data regarding personal data, and to notify their superiors in a timely manner of situations that may pose risks. Employees of the organization should request the necessary support from their superiors in a timely manner for the situations and problems they cannot resolve regarding personal data.

10.2. Situations to which Personal Data is Transferred and Parties to which Transfer is Made

Personal data is shared with the following parties for the following purposes:

1. To private institutions and organizations such as group companies, business partners, affiliates, consultancy firms, other service suppliers and public institutions and organizations in the country and abroad, when necessary for the planning and fulfillment of commercial activities carried out by the organization,
2. Real and legal persons serving in these fields and the third parties they work with, in order to ensure business continuity, to ensure legal, technical and commercial occupational safety, to plan and execute human resources, occupational health and safety and emergency processes and strategies;
3. Persons with whom the organization has signed a contract within the framework of the services provided and the third parties they work with,
4. The services provided by the organization or the suppliers that provide socio-economic benefits to the employee and the third parties they work with,
5. To internal departments, to our group companies, to previous or future employers during the recruitment and exit process,
6. To our business partners, consultants, suppliers, private institutions and organizations, courts, public institutions and organizations and competent authorities when necessary for the organization to fulfill its legal obligations,
7. To the relevant banks for the necessary payment and collection transactions within the scope of the establishment and performance of the contracts made by the institution,
8. Insurance agencies and insurance companies are required for employees to benefit from insurance and similar rights.
9. Legal, accounting/SMM offices, lawyers and other consultants in order to receive legal and financial support within the scope of establishment, use and protection of the rights of our organization
10. To domestic and foreign service providers that provide cloud services for the purpose of providing necessary infrastructure and services for corporate electronic communication channels and data security;
11. Instant messaging, file sharing, video conferencing, e-mail, etc. Platforms and applications of foreign origin, from which we provide services, in order to use online communication channels and tools,
12. To the supplier that we provide services for electronic signature procurement and authorization,
13. In order to increase the motivation of the employees, to strengthen the team spirit, to send support messages on their special days, to organize events and to reward the successful employees, with the supplier organizations that provide services in these areas,
14. Auditors and domestic or foreign-origin auditing companies, who conduct audits in order to carry out quality, social and other audits received by the organization or carried out at the request of customers,
15. Personal data is transferred to private and public institutions/organizations in order to carry out legal and technical processes related to works and transactions subject to intellectual and industrial property.

10.3. Transfer of Personal Data Abroad

It will be shared with the following parties residing abroad for the purpose of providing service via cloud, instant message or online communication channels, which are widely and inevitably used today. In this context,

1. With US-based Microsoft for office business and operations,
2. With Facebook from the USA via Whatsapp application as an instant messaging application in relations established between employees and customers for business purposes,
3. With US-based Google, Wetransfer and Microsoft for the sharing of large files for business purposes,
4. With US-based Microsoft via Azure, which provides data center, cloud server services,
5. With US-based Constant Contact for bulk email management,
6. In order to provide instant support to customers on the website and with Tawk.to, a US Origin,
7. With Ammy from the USA, Anydesk from Germany and Teamviewer, which provide remote access to provide technical support to customers,
8. US-based Microsoft via Skype application for video conferencing services,
9. With Google from the USA and Yandex from Russia for our corporate e-mail services, and with Twilio through the SendGrid application, which provides e-mail server service,
10. With US origin Apple, US origin Microsoft and Google, which provide mobile and desktop Operating systems for the execution of daily business activities,
11. It is shared with Google, which originates in the USA, via Facebook, Twitter, Instagram, Linkedin and Youtube originating in the USA, which provides social media services and provides services from abroad.

You can find the privacy policies of each service provider at the following links:

1. Microsoft (https://privacy.microsoft.com/en-us/privacystatement)
2. Whatsapp ( https://www.whatsapp.com/legal/client )
3. Google (https://policies.google.com/privacy?hl=en-US)
4. Wetransfer ( https://wetransfer.com/legal/privacy )
5. Constant Contact (https://www.endurance.com/privacy/privacy)
6. to (https://www.tawk.to/privacy-policy/)
7. Ammy ( https://www.ammyy.com/en/priv_policy.html )
8. Anydesk (https://anydesk.com/en/privacy)
9. Teamviewer ( https://www.teamviewer.com/en/privacy-policy/ )
10. Skype (https://support.skype.com/en/skype/all/privacy-security/)
11. Yandex ( https://yandex.com.tr/support/legal/confidential/01032016/index.html?lang=en )
12. Twilio ( https://www.twilio.com/legal/privacy )
13. Apple (https://www.apple.com/legal/privacy/en-ww/)
14. Facebook (https://www.facebook.com/policy.php)
15. Twitter (https://twitter.com/en/privacy)
16. Instagram ( https://help.instagram.com/519522125107875 )
17. Linkedin (https://www.linkedin.com/legal/privacy-policy)
18. Sharethis (https://sharethis.com/privacy/)
19. Cloudflare (https://www.cloudflare.com/privacypolicy/)

11. AUDIT, REFERENCES AND DATA VIOLATION NOTIFICATIONS

The organization can carry out the necessary internal and external audits on the protection of personal data.

Applications made by the relevant persons are answered by the Committee within 30 days at the latest, by taking the opinion of the relevant unit.

When the organization is notified of any violation of personal data, the KVK Board is notified without delay and within 72 hours at the latest from the date of learning of this situation. It also informs the relevant parties and persons in the same way.

12. UPDATE

This policy document is updated when the organization’s personal data processing conditions, tools, purposes and scope change and the parties to which personal data are shared change. Updates made in each item are kept in a separate table.