SINERJI GRUP ENDUSTRI OTOMASYON TIC. VE SAN. LTD. STI. PRIVACY POLICY (DATA SECURITY AND GENERAL ECOSYSTEM RULES)
This Privacy Policy has been prepared with the aim of ensuring full compliance of the personal data processing activities carried out by Sinerji Grup Endüstri Otomasyon Tic. ve San. Ltd. Şti. with the Personal Data Protection Law No. 6698, the relevant secondary legislation, and the provisions of the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform.
This policy aims to inform users transparently, based on the necessity that the obligation to inform must be fulfilled independently and separately from explicit consent. This text does not in any way substitute for a declaration of explicit consent and is intended solely for informational purposes in accordance with legal regulations. Sinerji Grup bases its entire digital ecosystem on the principles of commercial honesty and transparency within the framework of the Law No. 6563 on the Regulation of Electronic Commerce and the Turkish Commercial Code No. 6102.
Sinerji Grup processes personal data in accordance with the law and the rules of good faith, for specific, explicit, and legitimate purposes, within the scope of Article 4 of Law No. 6698. Particular attention is paid to the principle of keeping data accurate and up-to-date when necessary.
In accordance with the principle emphasized in the decision of the Personal Data Protection Board dated 12.01.2023 and numbered 2023/67 that “the data controller must always keep the channels open to ensure that the information of the data subject is accurate and up-to-date”, facilities through which our users can update their data are kept continuously available on our website. Pursuant to the provision mandated in the same decision regarding “taking the necessary administrative and technical measures to create mechanisms that will confirm the accuracy of the contact numbers notified to the data controllers”, proactive security mechanisms such as e-mail and SMS verification codes are operated to confirm the accuracy of contact information during registration on Sinerji Grup systems.
Sinerji Grup has built the highest level of protection shields to ensure the security of personal data processed in its digital infrastructure. The rule stipulated in the decision of the Constitutional Court dated 12.10.2023 and application number B. 2020/7518 that “Pursuant to Law No. 6698, the data controller […] is obliged to take all necessary technical and administrative measures.” forms the basis of our company’s cyber security policy.
In the decision of the Personal Data Protection Board dated 26.07.2018 and numbered 2018/91, it is clearly stated that data controllers are “obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the retention of personal data”. In line with this legal obligation, our company uncompromisingly applies the following measures:
A) Risk Analysis and Encryption:
In accordance with the principle stated in the decision of the Personal Data Protection Board dated 16.06.2020 and numbered 2020/465 that “In order to ensure the security of personal data, primarily, what all the personal data processed by the data controller are, the risks that may arise regarding the protection of these data… must be determined and appropriate measures must be taken accordingly”, our company conducts periodic risk analyses. The “encryption and data masking” methods pointed out in the decision of the Personal Data Protection Board dated 25.03.2021 and numbered 2021/311 are actively used in our systems. Furthermore, in light of the decision of the Personal Data Protection Board dated 30.06.2020 and numbered 2020/511, data is cryptographically secured in full compliance with the rule that “if it is an electronic environment, the data must be retained using cryptographic methods and cryptographic keys must be kept in secure and different environments”.
B) Penetration Tests and System Audit:
Our network security against cyber attacks is managed according to the standards mandated in the decision of the Personal Data Protection Board dated 16.06.2020 and numbered 2020/463 that “…security software messages, access control logs, and other reporting tools must be checked regularly, action must be taken upon warnings from these systems, vulnerability scans and penetration tests must be conducted regularly to protect information systems against known vulnerabilities, and evaluations must be made according to the results of the tests regarding the revealed security vulnerabilities…”. Web application firewalls and two-factor authentication systems have been made mandatory at all access points.
C) Data Backup Strategy:
Against ransomware and data loss risks, offline and isolated backup protocols are implemented in accordance with the instructions in the decision of the Personal Data Protection Board dated 16.06.2020 and numbered 2020/463 that “…there may be malicious software that forces the data controller to pay a ransom. It is recommended to develop data backup strategies to ensure personal data security against such malicious software. On the other hand, backed-up personal data should only be accessible by the system administrator, and data set backups must strictly be kept off-network. Otherwise, situations such as the use of malicious software on data set backups or the deletion and destruction of data may be encountered…”.
D) Access Authorizations and Personnel Training:
Internal access authorizations are structured with a minimized authorization model within the framework of the rule underlined in the decision of the Personal Data Protection Board dated 04.03.2021 and numbered 2021/190 that “…while granting access rights to environments containing personal data or creating a corporate culture in this regard, attention should be paid to acting in accordance with the ‘Everything is Forbidden Unless Permitted’ principle, not the ‘Everything is Permitted Unless Forbidden’ principle”. Our personnel are subjected to regular cyber security and privacy training as required by the warning in the decision of the Personal Data Protection Board dated 05.05.2020 and numbered 2020/345 that “…it is very important for ensuring personal data security that employees receive training on issues such as not unlawfully disclosing and sharing personal data, conducting awareness activities for employees, and creating an environment where security risks can be determined.”
E) Relations with Data Processors and Joint Liability:
Sinerji Grup has subjected its relations with third-party data processors from whom it receives services to strict audit rules within the scope of Article 12, paragraph 2 of Law No. 6698. In accordance with the jurisprudence established in the decision of the Istanbul 4th Commercial Court of First Instance dated 14.06.2023, numbered E. 2022/100 and K. 2023/534 that “Taking appropriate security measures and applying all technical and administrative measures to prevent unlawful processing of personal data, to prevent unlawful access, and to ensure the retention of personal data is, as a rule, the obligation of the data controller. In the presence of a data processor who processes personal data on behalf of the data controller by a third party rather than by the data controller itself, the data controller (…) and the data processor (…) are jointly and severally liable in terms of the relevant legal obligations.”, the security infrastructures of our business partners are continuously audited by our company.
Pursuant to the rule mandated in the decision of the Personal Data Protection Board dated 16.06.2020 and numbered 2020/466 that “…data controllers, while receiving services, must ensure that the said data processors provide at least the level of security provided by themselves regarding personal data. Because, pursuant to the second paragraph of Article 12 of the Law, data processors are also jointly liable with the data controller for ensuring the security of personal data.”, high-level security commitments have been made mandatory in the contracts signed with the cloud computing, server, and infrastructure providers from whom services are received.
Your personal data is retained for the period necessary for the purpose for which it is processed, within the scope of Article 7 of Law No. 6698. The rule stated in the decision of the Personal Data Protection Board dated 26.07.2018 and numbered 2018/91 that “in the event that the reasons requiring its processing cease to exist, personal data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.” is the foundation of our company’s retention and destruction policy.
Furthermore, for our business partners in the position of data processors, the obligation specified in the decision of the Istanbul 4th Commercial Court of First Instance dated 14.06.2023, numbered E. 2022/100 and K. 2023/534 that “the defendant is required to delete the personal data belonging to the defendant’s customers in its possession upon the termination of the contract or following the disappearance of the legitimate reason, regardless of a request, and to keep the relevant destruction reports and similar records showing this deletion process and to be able to present them when necessary” is strictly applied, and the destruction processes are reported and recorded.
Sinerji Grup meticulously complies with the provisions of Article 9 of Law No. 6698 in cross-border data transfers that may occur within the scope of third-party analytical services and cloud infrastructures it uses. In accordance with the rule clearly stated in the decision of the Personal Data Protection Board dated 17.03.2022 and numbered 2022/249 that “personal data cannot be transferred abroad without the explicit consent of the data subject”, actively approved explicit consent is obtained from the data subjects for the transfer, or the conditions mentioned in the relevant decision that “the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the Board has permission” are fully fulfilled.
In the event that a data breach occurs despite all the technological and administrative measures taken, our company complies with the rule emphasized in the decision of the Constitutional Court dated 12.10.2023 and application number B. 2020/7518 that “In the event that the processed personal data is obtained by others through illegal means, the data controller shall notify this situation to the data subject and the Board as soon as possible.” Pursuant to Article 12, paragraph 5 of Law No. 6698, a transparent, fast, and complete notification process is carried out to the Personal Data Protection Board and the affected data subjects within the legal period of seventy-two hours from the moment the breach is detected.
Pursuant to Article 11 of Law No. 6698, data subjects have the right to learn whether their personal data is processed, to request information if it has been processed, to learn whether it is used in accordance with its purpose, to know the third parties to whom it is transferred domestically or abroad, to request correction if it is processed incompletely or incorrectly, and to request its deletion.
To exercise these rights, there is a specially designed Data Subject Application Form on our website. Requests submitted to our company in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller are concluded free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
Sinerji Grup provides uninterrupted access to corporate and commercial information that it is obliged to publish pursuant to Article 1524 of the Turkish Commercial Code No. 6102 via the Information Society Services tab on its website. In addition, pursuant to the Law No. 6563 on the Regulation of Electronic Commerce, commercial electronic message transmissions are carried out only through verifiable and free-will-based active approval mechanisms via the Message Management System (İYS). The cookies used on our website, excluding the mandatory ones, are managed through the Cookie Clarification Text and management panel entirely in line with the active preferences of the users, rejecting implied consent or pre-ticked boxes.