This policy aims to describe the methods adopted for the processing, protection, storage, and destruction of personal data processed in any activity conducted by MessageGate Information Technologies Inc. (MessageGate) in its capacity as the data controller. The policy aims to detail the disclosure obligations specified in Article 13-14 of the European Union General Data Protection Regulation and the United Kingdom General Data Protection Regulation (referred to as GDPR) and Article 10 of the Personal Data Protection Law No. 6698 (KVKK). This policy includes the principles applied in the processes of collecting, using, sharing, storing, and disposing of personal data by MessageGate. It aims to inform individuals about the processing of personal data by MessageGate, including data of employees, candidate employees, employees' relatives, references, supplier employees, company partners, supplier and candidate supplier personnel, customer candidates, online visitors, outsourced employees, partner employees, partner company officials, customers, and relevant individuals.
This policy covers all record environments and activities related to the processing of personal data of employees, candidate employees, employees' relatives, references, supplier employees, company partners, supplier and candidate supplier personnel, customer candidates, online visitors, outsourced employees, partner employees, partner company officials, customers, and relevant individuals owned or managed by MessageGate.
All employees, external service providers, and any other individuals within the organization who store and process personal data are responsible for fulfilling the requirements related to the storage and destruction of personal data processed within the institution. Each business unit is obligated to store and protect the data it produces in its own business processes.
The responsibility for the notification or acceptance of notifications to the Personal Data Protection Board and correspondence on behalf of the data controller, as well as the registration of such processes in the registry, lies with the Data Controller Contact Person.
The titles, units, and job descriptions of those involved in the storage and destruction processes of personal data are detailed below:
Data Controller Contact Person: Designing, planning, implementing, and organizing the necessary tasks and processes specified in the Law on behalf of the data controller, ensuring audits.
Archivist: Managing the processes of processing, storing, deleting, organizing, destroying, and anonymizing personal data kept in the archive.
Information Security Committee Member: Supporting the Data Controller Contact Person by designing, planning, implementing, and ensuring relevant audits according to the procedures and principles specified in the Law, assisting in maintaining processes related to personal data security. They participate in the evaluation and response stages of personal data requests from data subjects. Additionally, the Information Security Committee Member is involved in ISO 27001 Information Security Management System, ISO 27701 Personal Data Management System, and ISO 9001 Quality Management System standard studies.
| Definition / Abbreviation | Description |
|---|---|
| Explicit Consent | Consent based on informed and freely given will regarding a specific subject. |
| Data Subject | An individual whose personal data is processed. |
| Data Controller | An individual or legal entity responsible for determining the purposes and means of processing personal data, and establishing and managing the data recording system. |
| Data Processor | An individual or legal entity that processes personal data on behalf of the data controller based on the authorization granted by the data controller. |
| Destruction | The process of deleting, destroying, or anonymizing personal data. |
| Periodic Destruction | The process of deletion, destruction, or anonymization to be carried out automatically at recurring intervals when all the processing conditions for personal data specified in the law cease to exist. |
| Law | Personal Data Protection Law |
| EU GDPR | European Union General Data Protection Regulation |
| UK GDPR | United Kingdom General Data Protection Regulation |
| Anonymization | Making personal data unidentifiable or not associable with any identified or identifiable natural person in any way, even by matching with other data. |
| Record Environment | Any environment where personal data, processed either entirely or partially automatically or non-automatically as part of any data recording system, is located. |
| Personal Data | Any information related to an identified or identifiable natural person. |
| Personal Data Inventory | An inventory created by data controllers, detailing the processing activities of personal data carried out according to their business processes. It includes personal data processing purposes, data categories, recipient groups to whom the data is transferred, and data subject groups related to the purposes for which personal data are processed. It also discloses the maximum period required for the purposes of processing personal data, personal data intended to be transferred to foreign countries, and security measures taken. |
| Processing of Personal Data | Any operation performed on personal data, whether entirely or partially automatic or non-automatic, including the acquisition, recording, storage, preservation, alteration, restructuring, disclosure, transfer, retrieval, making available, classification, or use that prevents the use of personal data. |
| Rendering Personal Data Anonymous | Making personal data unidentifiable or not associable with any identified or identifiable natural person in any way, even by matching with other data. |
| Deletion of Personal Data | Deletion of personal data involves making personal data inaccessible and unusable for data subjects. |
| Destruction of Personal Data | The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way. |
| Board | Personal Data Protection Board and/or European and UK data protection supervisory authorities |
| Electronic Medium | Environments where personal data can be created, read, modified, and written using electronic devices. |
| Non-Electronic Medium | All written, printed, visual, etc., environments other than electronic environments. |
| Special Categories of Personal Data | Data related to an individual's race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing and appearance, membership in associations, foundations, or unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data. |
| Regulation | Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017. |
| Data Recording System | A system where personal data is processed by being structured according to certain criteria. |
| Employee | Personnel of MessageGate. |
| Service Provider | An individual or legal entity providing services to MessageGate under a specific contract. |
| Online Visitor | Visitors to MessageGate's website from whom cookie information is obtained. |
| Customer | Legal and natural persons with whom MessageGate has an agreement and who benefit from MessageGate's services. |
| Customer's Data Subject | In cases where MessageGate is a data processor, individuals for whom the Customer is the data controller and who are the responsibility of the Customer. |
| SSL VPN | Secure access virtual private network technology. |
MessageGate explicitly outlines the necessary measures and the applied process for the protection and processing of personal data with this policy. In cases where this policy is incompatible with relevant laws and regulations or in the event of the policy not being up-to-date in accordance with updated legislation, MessageGate undertakes to comply with the current legislation. This policy will be updated and revised by MessageGate according to changes in the law, regulations, and legislation, and to fulfill the legal requirements of MessageGate.
MessageGate processes the following specified personal data:
| Data Subject | Data Categories |
|---|---|
| Employees | Criminal record, bank and salary information, visual and auditory recordings, legal files, contact information, identity information, log records, professional information, personal and health information |
| Employee Candidates | Photograph, identity information, contact information, professional and personal information |
| Employee Relatives | Name, surname, and telephone information |
| Online Visitors | IP address, browser information, website logs (anonymous), and cookie information |
| Customers | Bank and financial information, legal documents, identity information, contact information, log records, complaint and support records, company and tax office information, service and offer information |
| Customers' Related Person | Financial, visual and auditory recordings, communication, transaction security, identity, location, customer transaction, personal, cookie information |
| Partners | Bank and financial information, identity information, contact information, signature circulars, and powers of attorney |
| Outsource Employees | Bank and financial information, contact, log records, identity, personal and inventory information |
| Partner Employee | Identity, communication |
| Partner Authority | Identity, communication |
| Potential Customers | Identity, communication, log records, service content and offer information, company information |
| Potential Suppliers | Name, surname, title, communication, and offer information |
| References | Name, surname, title, communication, and company information |
| Supplier Employee | Name, surname, contact information |
| Supplier Authority | Identity information, contact information, log records, bank and financial information, legal files, tax office information |
MessageGate processes personal data for the following purposes:
| Data Processing Purpose | Data Subjects |
|---|---|
| Execution of Emergency Management Processes | Employee Relatives |
| Execution of Information Security Processes | Employees, Outsourced Employees |
| Execution of Job Application Processes for Job Candidates | Job Candidates, References |
| Fulfillment of Employment Contracts and Legal Obligations for Employees | Employees |
| Management of Discipline Processes | Employees |
| Execution of Training Activities | Employees, Outsourced Employees |
| Execution of Access Authorization | Employees, Customers, Outsourced Employees, Supplier Representative |
| Conducting Activities in Compliance with Legislation | Employees, Online Visitors, Customers, Outsourced Employees |
| Execution of Finance and Accounting Operations | Employees, Customers, Partners, Supplier Representative |
| Provision of Physical Space Security | Employees |
| Execution of Assignment Processes | Employees |
| Monitoring and Execution of Legal Affairs | Employees, Customers, Supplier Representative |
| Execution of Communication Activities | Employees, Job Candidates, Outsourced Employees, Supplier Employee |
| Planning Human Resources Processes | Employees, Employee Relatives, Outsourced Employees |
| Execution/Audit of Business Activities | Employees, Partners, Outsourced Employees, Partner Employee, Partner Representative |
| Execution of Occupational Health/Safety Activities | Employees |
| Receipt and Evaluation of Suggestions for Improving Business Processes | Partner Employee, Partner Representative |
| Execution of Business Continuity Activities | Employees, Outsourced Employees |
| Execution of Procurement Processes | Supplier Employee, Supplier Representative |
| Execution of After-Sales Support Services for Goods/Services | Customers |
| Execution of Sales Processes for Goods/Services | Customers, Partner Employee, Partner Representative |
| Execution of Production and Operations Processes for Goods/Services | Customers, Customer Contact Person |
| Execution of Marketing Analysis Studies | Online Visitors |
| Execution of Contract Processes | Employees, Outsourced Employees |
| Follow-up of Requests/Complaints | Customers, Potential Customers |
| Provision of Security for Movable Assets and Resources | Employees, Outsourced Employees |
| Execution of Supply Chain Management Processes | Potential Suppliers |
| Execution of Salary Policy | Employees |
| Execution of Marketing Processes for Products/Services | Customers, Potential Customers |
| Provision of Data Controller Operations Security | Employees |
| Providing Information to Authorized Individuals, Institutions, and Organizations | Employees |
MessageGate processes personal data based on the sub-processes outlined below:
| Unit | Process | Data Categories |
|---|---|---|
| IT Operations and Infrastructure | Access Authorization Controls | Communication, Identity |
| User Support | Identity | |
| Email Service | Communication, Identity | |
| Application Log Management | Communication, Log Records, Identity | |
| Remote Work | Communication, Log Records, Identity | |
| Collecting Cookie Information | IP Address, Browser Information, Website Logs (Anonymous) | |
| Customer Account Management Process | Communication, Log Records, Identity | |
| Application Activation Process | Communication, Identity, Personnel | |
| Software Distribution Process | Finance, Visual and Audio Records, Communication, Log Records, Identity, Location, Customer Transaction, Personnel, Marketing | |
| Software Support Process | Communication, Identity, Customer Transaction, Personnel | |
| Human Resources | Payroll Process | Finance, Communication, Identity, Personnel, Health Information |
| Creation of Personnel File Process | Criminal Record Information, Finance, Visual and Audio Records, Identity, Communication, Professional Experience, Personnel, Health Information | |
| Discipline Process | Identity, Personnel | |
| Training Process | Finance, Identity | |
| Legal Processes | Finance, Legal Transactions, Communication, Identity, Personnel | |
| Recruitment Candidate Selection | Visual and Audio Records, Communication, Identity, Professional Experience, Personnel | |
| Signing Exit Documents | Finance, Communication, Identity, Personnel | |
| Consent Process | Identity | |
| Outsourced Employees | Finance, Communication, Identity | |
| Contract Process | Finance, Communication, Identity | |
| Receipt of Commitments | Identity, Personnel | |
| Assignment Processes | Identity, Personnel | |
| Human Resources / Administrative Affairs | Procurement Processes | Finance, Communication, Identity, Personnel |
| Business Development | Business Development Process | Communication, Identity |
| Financial Affairs | Financial Process | Finance, Communication, Identity, Personnel |
| Customer Operations | Finance, Communication, Identity, Personnel | |
| Supplier Operations | Finance, Communication, Identity, Personnel | |
| Sales and Marketing | Sales and Marketing Process | Communication, Log Record, Identity, Personnel, Cookie Information |
| Collecting Cookie Information | IP Address, Browser Information, Cookie Information (Anonymous) | |
| Top Management | Execution of Legal Processes | Finance, Legal Transactions, Communication, Identity |
| Software Development and R&D | Development of Artificial Intelligence Models | Visual and Audio Records, Customer Transactions, Marketing |
| Software Analysis Process | Communication, Identity | |
| Software Development Process | Log Records, Identity | |
| Software Testing Process | Communication, Identity |
MessageGate employs the following methods to obtain personal data:
| Data Categories | Method of Acquisition |
|---|---|
| Criminal Record Records | Hand-delivered, paper format |
| Financial Information | Electronic records and paper format forms, customer and supplier current cards, email, e-archive, hand-delivered, invoice, stamp information, accounting program, execution declarations, verbal statements, salary slip, personnel file, SGK page, personnel employment contract, purchase contracts, customer contracts, written statements, software database |
| Visual and Auditory Records | Hand-delivered, job application site interface, email, customer data sources, software database, HR Company |
| Legal Transaction | Execution paper, customer and supplier current cards, contracts, personnel files |
| Contact Information | Electronic records and paper format forms, visual, verbal statement, IT application, customer and supplier current cards, support panel, email, hand-delivered, e-archive, invoice, job application site interface, stamp information, accounting program, discharge certificate, execution paper, personnel entry document list form, customer and supplier contracts, written statement, application panel, personnel files, personnel employment contract, project management application, social media platforms, software database, HR Company |
| Transaction Security Information | IT application, email, application panel, project management application, verbal statement, software database, website |
| Identity Information | Electronic records and paper format forms, visual, verbal statement, IT application, email, support panel, HR documents (disciplinary documents, defense writings, minutes, kvkk enlightenment and consents, pledge forms, discharge certificate, approval and contracts, expense form, personnel leave form, pledge forms), e-archive, hand-delivered, invoice, job application site interface, stamps, accounting program, personnel entry document list form, paper format, business card, customer and supplier contracts, application panel, customer and supplier current cards, personnel files, SGK portal, policy document, project management application, SGK information emails, social media platforms, software database, HR Company |
| Location Information | Software database |
| Professional Information | Hand-delivered, job application site interface, email, HR Company |
| Customer Transaction Information | Support panel, email, customer data sources, software database |
| Personal Information | Electronic records and paper format forms, visual, verbal statement, current card, email, contract, support panel, HR documents (disciplinary documents, defense writings, minutes, discharge certificate, resignation letter, job termination notice, personnel leave form, pledge forms), e-archive, hand-delivered, invoice, job application site interface, stamps, accounting program, application panel, personnel files, SGK portal, purchase contracts, SGK information emails, written statement, software database, HR Company |
| Marketing Information | Email, customer data sources, software database, website, electronic registration forms |
| Health Information | Hand-delivered, SGK interface |
MessageGate processes personal data due to legal obligations and for the sake of business continuity. Your personal data is processed in accordance with the principles set forth in Article 5 of the GDPR and Article 4(2) of the KVKK through obtaining explicit consent or in cases specified in Article 5 of the GDPR or in situations envisaged in Articles 5(2) and 6(3) of the KVKK. In cases where the data processing does not meet the requirements of Articles 5(2) and 6(3) of the Law, obtaining explicit consent is essential. The full text can be found on www.mevzuat.gov.tr. The processing can take place if the following conditions specified in Articles 5(2) and 6(3) of the Law occur;
The relevant laws regarding their prescription in the law are detailed in this policy.
Subject to taking sufficient precautions; for special categories of personal data other than health and sexual life, it is envisaged in the laws, and for special categories of personal data related to health and sexual life;
The legal bases used by MessageGate to process data are detailed in the "MessageGate KVKK Data Inventory" document.
Article 5 of the GDPR and Article 4(2) of the KVKK define the principles for processing personal data. MessageGate processes personal data in accordance with the specified principles. The processing of personal data is done in accordance with the following principles;
Personal data of customers, suppliers, and employees are processed in accordance with the fundamental principles stipulated in the GDPR and KVKK, considering public interest. Within the framework of the processing conditions and purposes of personal data specified in Articles 8 and 9 of the KVKK and Chapter V of the GDPR, personal data can be shared with the following domestic and/or foreign parties.
Regarding the sharing of personal data with third parties, MessageGate carefully complies with the conditions specified in the law, subject to the provisions in other laws. In this context, personal data is not transferred to third parties without the explicit consent of the data subject. However, personal data may be transferred without obtaining the data subject's explicit consent if one of the following conditions specified in the law exists:
With the condition of taking adequate measures; for special categories of personal data other than health and sexual life, as stipulated in the laws, and for special categories of personal data related to health and sexual life:
The conditions stipulated for the processing of special categories of personal data are also complied with in the transfer of these data.
The domestic parties to whom personal data is transferred are detailed below;
|
Related Party |
Transfer Reason |
Transfer Method |
Legal Basis According to GDPR |
|---|---|---|---|
|
Contracted Banks |
For the distribution of profits, execution of financial processes of partners and shareholders, depositing of employee salaries |
By mail, hand delivery, and mail using mass instructions |
Legal Requirement |
|
Contracted Law Firms |
Contract review, resolution of possible disputes; Sharing with contracted lawyers for the execution of employee and employer-related lawsuits and in case of a legal claim. Information may be provided to the corporate lawyer in case of termination of employment before the recovery of advances. Execution processes are shared with the enforcement office through contracted law firms. Shared for the evaluation of legal objections or complaints of employees. |
By cargo, mail, media device |
Legal Requirement Legitimate Interest Performance of a Contract Fulfillment of Legal Obligation |
|
Contracted Customers |
Personal data obtained within the scope of the Contract with the Contracted Customer, must be visible to the Customer |
Software provided to the Customer |
Explicit Consent obtained by the Contracted Customer who is the Data Controller Performance of a Contract |
|
Contracted Insurance Companies |
Shared with contracted insurance companies within the scope of the mandatory automatic enrollment |
Insurance Company Interface |
Legal Requirement |
|
Contracted Suppliers |
Shared for the fulfillment of agreement terms |
By mail, written statement |
Explicit Consent Performance of a Contract Legitimate Interest |
|
Contracted HR Companies |
Personal data sharing may be done for the outsourcing employee employment processes |
By mail |
Explicit Consent Public Disclosure Performance of a Contract Legitimate Interest |
|
Revenue Administration |
Shared with the Revenue Administration for declaration submission |
Declaration via Revenue Administration notification system |
Legal Requirement |
|
Social Security Institution |
Shared with SGK and Revenue Administration for the submission of tax declarations. Personal data transfer to SGK for monthly declarations and AGI declarations, which are legally mandatory. |
Declaration via SGK notification system |
Legal Requirement |
|
Execution Offices |
Execution processes are shared with the enforcement office through contracted law firms |
Hand-delivered through contracted law firm |
Fulfillment of Legal Obligation Legal Requirement |
|
Authorized Courts |
User access logs are shared with the court through contracted law firms in case of a legal problem related to employees and in case of a legal claim. Logs are shared with authorized courts through contracted law firms in case of possible disputes with customers, employees, and suppliers |
Hand-delivered or via media device through contracted law firm |
Legal Requirement Legitimate Interest Performance of a Contract Fulfillment of Legal Obligation |
|
Authorized Public Institutions and Organizations |
It may be shared with requesting individuals or institutions for the continuity of the institution's activities and operations |
Hand-delivered copy, mail |
Legal Requirement |
|
Advertising Publishers |
Cookie information and necessary personal data of the Customer's Relevant Person are shared with MessageGate and Advertising Publishers for the promotion of products or services on behalf of the Contracted Customer |
Cookie Redirect, Customer Software, Advertising Publisher API |
Explicit Consent Performance of a Contract |
Based on the agreements with its customers who are Data Controllers, MessageGate may transfer personal data to Advertising Publishers by processing them on servers abroad.
While managing customer accounts, performing application activation processes, and software distribution, development, and testing processes, MessageGate may conduct operations on cloud systems from abroad.
In cases where the use of overseas cloud is necessary; security measures specified by the cloud service provider are implemented. In addition, MessageGate has taken all necessary technical measures, including data masking, hashing, and authorization restrictions. The measures taken are detailed under the "Technical Measures" heading.
Cookie information is obtained on the websites owned by MessageGate. Detailed information can be found in the Cookie Policy document on the website. The information obligation and the purposes of processing the personal data obtained are detailed in the Cookie Policy.
MessageGate uses mobile internet for internet access. Therefore, MessageGate does not process internet access logs.
While managing customer accounts, software distribution, application log management, remote work, and software development processes, logs of customers, suppliers, and employees' system and application accesses can be processed. Authorization restrictions have been made to prevent unauthorized access to logs. Additionally, logs have a timestamp. Access is provided through VPN to ensure the security of remote access. In addition, checks are made for static IPs and MAC addresses. Detailed information can be found under the "Technical Measures" heading.
The rights of the data subjects as specified in KVKK 11 and GDPR III. Chapter are detailed below:
All employees of MessageGate actively participate in the implementation of technical and administrative measures taken within the scope of the Policy by responsible units to prevent the unlawful processing and access of personal data. Measures are taken to ensure data security in all environments where personal data is processed with the aim of increasing the training and awareness of unit employees, monitoring, and continuous auditing to prevent unlawful processing and access to personal data.
Personal data is lawfully and securely stored by MessageGate in the environments specified below:
| Electronic Environments | Non-Electronic Environments |
|---|---|
|
|
MessageGate stores and destroys personal data belonging to the following main categories of data subjects in accordance with the Law: employees, candidate employees, employees' relatives, references, supplier employees, company partners, supplier and candidate suppliers, prospective customers, online visitors, outsourced employees, partner employees, partner company officials, customers, and relevant individuals of customers.
The concept of processing personal data is defined in Article 3 of the Law. Article 4 of the Law stipulates that the processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed and must be retained for the duration specified in the relevant legislation or as long as necessary for the purpose of processing. Articles 5 and 6 of the Law list the conditions for processing personal data. Accordingly, MessageGate stores personal data for the duration specified in the relevant legislation or for a period that is suitable for our processing purposes within the framework of its activities.
Your personal data may be processed without your explicit consent in the presence of the following laws approved by the Republic of Turkey:
Personal data may be erased in the following cases:
MessageGate takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data.
In accordance with Article 12/1 of the Law;
MessageGate takes the necessary measures to fulfill these conditions.
The measures implemented by MessageGate to ensure the security of personal data are detailed in the sub-items below:
MessageGate conducts or ensures necessary audits for ensuring the security of personal data. Internal audits are conducted to ensure the sustainability of personal data security. MessageGate controls the effectiveness of internal audits according to ISO 27001 Information Security Management System and ISO 27701 Personal Data Management System standards. Regular penetration tests are carried out for potential technical vulnerabilities in the systems. The information systems are regularly monitored by the IT department. In case of detecting unauthorized access or processing of personal data during audits, the Data Controller Contact Person is informed.
MessageGate includes necessary sanction clauses in contracts with third parties to prevent the unlawful processing of personal data, unauthorized access to data, and to ensure data retention. Privacy agreements are signed before sharing information with third parties. Necessary information is provided to increase awareness among third parties. Access logs are maintained when third parties need access to systems.
Special precautions need to be taken for sensitive personal data due to its nature and its potential to cause harm or discrimination to individuals. The Law defines personal data that may risk causing harm or discrimination when processed unlawfully as "Sensitive." These data include information about race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
MessageGate takes necessary measures to protect sensitive personal data processed lawfully. Technical and administrative measures taken to protect personal data show sensitivity to sensitive personal data. Employees are informed through policies and procedures regarding the use of sensitive personal data. Sensitive personal data is not processed without the individual's consent or the conditions specified in Article 6 of the Law. When processing sensitive personal data is necessary, it is not shared with any third party or institution outside of informed and explicit consent.
Employees are informed to increase awareness for the prevention of the unlawful processing of personal data, unauthorized access to data, and ensuring data retention. Training sessions are organized, and their effectiveness is measured.
If there are changes in relevant laws, regulations, or legislation, policies are revised, and the changes are communicated to the staff.
MessageGate destroys personal data it obtains when it is not mandatory to use it for personal data owners' requests, legal requirements, or for the protection of public order, and if it does not affect business processes. Personal data of data owners are planned to be destroyed when the requirements for using the relevant data have disappeared, provided that the legal obligations for the storage periods determined by the relevant laws have expired. Each year, personal data that is deemed unnecessary to be stored on dates determined by the Data Controller Contact Person is destroyed in compliance with the legislation using the techniques outlined below. Destruction processes are carried out in three different methods: deletion, destruction, and anonymization.
The methods of deleting personal data are indicated in the table below;
| Data Recording Environment | Description |
|---|---|
| Personal Data on Servers | For personal data on servers whose storage period has expired, the system administrator removes access rights of relevant users and performs deletion. |
| Personal Data in Electronic Environment | For personal data in electronic environments with expired storage periods, personal data becomes inaccessible and unusable for all employees (except database administrators). File systems completed in operational processes are deleted in a way that only authorized administrators can access. |
| Personal Data in Physical Environment | For personal data in physical environments with expired storage periods, personal data becomes inaccessible and unusable for all employees (except the unit manager responsible for document archives). Additionally, a blackout process is applied by drawing/painting/deleting in a way that makes it unreadable. |
| Personal Data on Portable Media | For personal data stored on flash-based storage media with expired storage periods, the system administrator encrypts them. Access rights are granted only to the system administrator, and encrypted data is stored in secure environments with encryption keys. |
The destruction of personal data is outlined in the table below;
| Data Recording Environment | Description |
|---|---|
| Personal Data in Physical Environment | For physical personal data whose storage period has expired and is in paper form, they are destroyed in a way that cannot be reversed using paper shredders. |
| Personal Data on Optical / Magnetic Media | For personal data on optical and magnetic media with expired storage periods, they are physically made unreadable in a way that cannot be reversed. Disposals are carried out using the Destruction Record Form. |
Anonymization of personal data refers to rendering personal data incapable of being associated with the identity of a specific or identifiable natural person under any circumstances, even if matched with other data.
For personal data to be considered anonymized, appropriate techniques related to the recording environment and the relevant field of activity, such as the return of personal data by the data controller or third parties and/or the matching of data with other data, must be used to make it impossible to associate with the identity of a specific or identifiable natural person.
The storage periods for personal data processed within the scope of MessageGate's activities are detailed in the Data Inventory document, considering the activities performed depending on the processes.
The storage periods are determined, taking into account the laws applicable to MessageGate, contractual provisions with relevant parties, and the periods required for MessageGate's operational activities.
Upon necessity, updates to these storage periods are made by the Personal Data Contact Person.
Personal data for which the storage periods have expired is destructed ex officio. The maximum storage periods for personal data, categorized, are as follows;
|
Data |
Data Subject |
Retention Periods |
|
Judicial Records |
Employees |
10 Years from Termination of Employment Contract |
|
Financial Information |
Employees |
10 Years from Termination of Employment Contract |
|
Customers |
10 Years |
|
|
Customer's Relevant Person |
2 Years |
|
|
Partners |
10 Years |
|
|
Outsource Employees |
10 Years from Termination of Employment Contract |
|
|
Potential Supplier |
10 Years |
|
|
Supplier Representative |
10 Years |
|
|
Visual and Auditory Records |
Employees |
10 Years from Termination of Employment Contract |
|
Job Applicants |
1 Year |
|
|
Customer's Relevant Person |
10 Years |
|
|
Legal Transaction |
Employee |
10 Years |
|
Clients |
10 Years |
|
|
Supplier Representative |
10 Years |
|
|
Contact Information |
Employees |
10 Years from Termination of Employment Contract |
|
Employee Candidates |
1 Year |
|
|
Employee's Relative |
10 Years from Termination of Employment Contract |
|
|
Clients |
10 Years |
|
|
Client's Relevant Person |
2 Years |
|
|
Partners |
10 Years |
|
|
Outsourced Employees |
10 Years from Termination of Employment Contract |
|
|
Partner Employee |
10 Years |
|
|
Partner Representative |
10 Years |
|
|
Potential Customer |
5 Years |
|
|
Potential Supplier |
10 Years |
|
|
References |
1 Year |
|
|
Supplier Employee |
10 Years |
|
|
Supplier Representative |
10 Years |
|
|
Transaction Security Information |
Employees |
10 Years |
|
Online Visitors |
2 Years |
|
|
Clients |
10 Years |
|
|
Client's Relevant Person |
2 Years from Termination of Service Contract |
|
|
Outsourced Employees |
2 Years |
|
|
Potential Customer |
5 Years |
|
|
Supplier Representative |
2 Years |
|
|
Identity Information |
Employees |
10 Years from Termination of Employment Contract |
|
Employee Candidates |
1 Year |
|
|
Employee's Relative |
10 Years from Termination of Employment Contract |
|
|
Clients |
10 Years |
|
|
Client's Relevant Person |
2 Years |
|
|
Partners |
10 Years |
|
|
Outsourced Employees |
10 Years |
|
|
Partner Employee |
10 Years |
|
|
Partner Representative |
10 Years |
|
|
Potential Customer |
5 Years |
|
|
Potential Supplier |
10 Years |
|
|
References |
1 Year |
|
|
Supplier Employee |
10 Years |
|
|
Supplier Representative |
10 Years |
|
|
Location Information |
Client's Relevant Person |
2 Years from Termination of Service Contract |
|
Professional Information |
Employees |
10 Years from Termination of Employment Contract |
|
Employee Candidates |
1 Year |
|
|
Customer Transaction Information |
Clients |
2 Years from Termination of Service Contract |
|
Client's Relevant Person |
10 Years |
|
|
Personal Information |
Employees |
10 Years from Termination of Employment Contract |
|
Employee Candidates |
1 Year |
|
|
Clients |
10 Years |
|
|
Client's Relevant Person |
2 Years from Termination of Service Contract |
|
|
Partners |
10 Years |
|
|
Outsourced Employees |
10 Years |
|
|
Potential Customer |
5 Years |
|
|
References |
1 Year |
|
|
Supplier Representative |
10 Years |
|
|
Marketing Information |
Client's Relevant Person |
10 Years |
|
Customer |
5 Years |
|
|
Potential Customer |
5 Years |
|
|
Online Visitors |
2 Years |
|
|
Health Information |
Employees |
10 Years from Termination of Employment Contract |
You can exercise your rights regarding your personal data within the scope of GDPR and KVKK using the methods outlined below:
Data Controller: MessageGate Bilişim A.Ş. (Turkey)
Data Protection Officer and Contact Person for Data Controller: Selman Delil – [email protected]
When making your personal data requests, you can fill out the Personal Data Application Form. The application methods for information are as follows:
| Method | Contact Information | Description |
|---|---|---|
| Hand Delivery | Maltepe Piazza AVM Officelink Cevizli Mahallesi, Tugay Yolu Caddesi, Piazza Avm, No:69C, İç Kapı:222 Maltepe/İstanbul |
During the hand delivery of the Personal Data Application Form, please have an identification document such as a driver's license, ID card, passport, etc., that specifies your identity. |
| Notarized Courier | Maltepe Piazza AVM Officelink Cevizli Mahallesi, Tugay Yolu Caddesi, Piazza Avm, No:69C, İç Kapı:222 Maltepe/İstanbul |
In the case of sending the Personal Data Application Form with notarized documents, the date the courier reaches MessageGate is considered as the processing date. In this context, your couriers should be sent as registered mail with return receipt requested. |
| [email protected] | After sending the Personal Data Application Form by email, identity verification can be performed by checking the systems or contacting you for confirmation of your identity. |
Personal data requests will be accepted by us following the identity verification process, and responses will be provided to the relevant individuals in writing or electronically within the legal timeframes.
MessageGate Information Technologies Inc. (MessageGate) would like to inform and enlighten you about our personal data processing activities in accordance with Article 13-14 of the General Data Protection Regulation of the European Union and the Data Protection Act of the United Kingdom (hereinafter referred to as EU GDPR and UK GDPR) and Article 10 of the Law on the Protection of Personal Data numbered 6698 ("KVKK").
In accordance with EU GDPR, UK GDPR, and KVKK, your personal data may be processed by MessageGate, acting as the data controller, for the purposes described below; it may be processed, recorded, stored, classified, updated, and, where permitted by the legislation and/or limited to the purpose of processing, disclosed/transferred to third parties.
Within the scope of the services provided by MessageGate, personal data of employees, employee candidates, close relatives of employees, references, supplier employees, company partners, supplier and candidate suppliers, customer candidates, online visitors, outsourced employees, partner employees, authorized personnel of partner companies, and customers and related individuals are processed. The categories of personal data obtained are detailed in the Personal Data Protection and Destruction Policy document.
MessageGate processes your personal data for the detailed purposes outlined below:
For detailed information about the purposes of processing your personal data, you can refer to the Personal Data Protection and Destruction Policy published on the website.
For detailed information on the deletion of your personal data, you can refer to the Personal Data Protection and Destruction Policy published on the website.
Personal data of data owners may be shared by MessageGate with Customers, Contracted Banks, Contracted Law Firms, Contracted Suppliers, and Advertising Publisher Organizations in accordance with the fundamental principles specified in GDPR and KVKK, and within the scope of personal data processing conditions and purposes specified in Article 8 and 9 of KVKK and Chapter V of GDPR. In addition, personal data obtained may be shared with public institutions and other organizations due to legal obligations required by legislation.
Personal data within MessageGate may be processed on servers abroad, limited to contracts with data controller customers and the services provided.
Your personal data is collected through methods such as obtaining explicit consent in light of the principles specified in Article 5 of GDPR and Article 4(2) of KVKK, or in cases specified in Article 5 of GDPR or in situations envisaged in Articles 5(2) and 6(3) of KVKK; based on legal reasons, legitimate interests, fulfillment of the legal obligations of the data controller, establishment of a right, publicity, and performance of the contract. Collection methods include electronic (website, electronic registration forms, application interfaces, email, career websites, e-archive, social media platforms, interfaces of software produced by MessageGate, customer data sources, IT and project applications), written (contract, invoice, business card, written documents, company internal forms and documents, HR forms, training records, minutes, official documents), visual, oral statements, or hand-delivery methods. Details of the methods of collecting personal data and legal reasons are detailed in the Personal Data Protection and Destruction Policy document.
You can exercise the following rights regarding the processing of your personal data by submitting a request to MessageGate. Requests submitted within this scope will be concluded by MessageGate within thirty days at the latest and free of charge. However, if a fee is specified in accordance with GDPR and KVKK, a fee from the tariff determined by MessageGate may be charged. As a data subject, you have the following rights:
You can exercise your rights regarding your personal data within the scope of GDPR and KVKK using the methods specified below:
Data Controller: MessageGate Bilişim A.Ş. (Turkey)
Data Protection Officer and Contact Person for Data Controller: Selman Delil – [email protected]
When making your personal data applications, you can fill out the Personal Data Application Form. The methods for application are as follows;
| Method | Contact Information | Description |
|---|---|---|
| In Person Delivery | Maltepe Piazza AVM Officelink Cevizli Mahallesi, Tugay Yolu Caddesi, Piazza Avm, No:69C, İç Kapı:222 Maltepe/İstanbul | When delivering the Personal Data Application Form in person, please have an identification document such as a driver's license, ID card, passport, etc., indicating your identity. |
| Notarized Mail | Maltepe Piazza AVM Officelink Cevizli Mahallesi, Tugay Yolu Caddesi, Piazza Avm, No:69C, İç Kapı:222 Maltepe/İstanbul | In the case of sending the notarized documents with the Personal Data Application Form, the date of processing is considered the day the cargo reaches MessageGate. In this context, your shipments should be sent as registered mail with a return receipt. |
| [email protected] | After sending the Personal Data Application Form by email, identity verification can be done through system checks or communication for confirmation of your identity. |
Personal data applications, once verified through identity authentication by us, will be accepted, and responses will be provided to the relevant individuals in writing or electronically within legal timeframes.
As MessageGate, we commit to the following within the scope of Information Security, Quality, and Personal Data Management Systems to ensure customer satisfaction and to succeed in the competitively intense market with global development:
We commit to these principles.