Protection of Personal Data

1. DATA PRIVACY COMMITMENT

1.1. This Protection of Personal Data Policy (“Policy”) determines the principles to be followed within and/or by Miller Carter Yazılım Anonim Şirketi (“Company”) while fulfilling its obligations to protect Personal Data and processing Personal Data in accordance with the provisions of the relevant legislation, particularly the Law No. 6698 on the Protection of Personal Data.

1.2. The Company undertakes to act in accordance with this Policy and the procedures to be implemented based on this Policy regarding the Personal Data held within its organisation.

 

2. PURPOSE OF THE POLICY

The main purpose of this Policy is to determine the principles regarding the methods and processes for the processing and protection of Personal Data by the Company.

 

3. SCOPE OF THE POLICY

3.1. This Policy covers all activities regarding the Personal Data processed by the Company and applies to said activities.

3.2. This Policy does not apply to data that does not have the nature of Personal Data.

3.3. This Policy may be amended from time to time with the approval of the Board of Directors if required by KVK Regulations or if deemed necessary by [the Company’s Data Controller Representative and/or the Committee]. In case of a discrepancy between the KVK Regulations and this Policy, the KVK Regulations shall prevail.

 

4. DEFINITIONS

The definitions used in this Policy have the following meanings:

Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will.

Anonymisation: Making personal data impossible to associate with an identified or identifiable natural person, even if matched with other data.

Obligation to Inform: The obligation of the Data Controller or the person authorised by them to provide information to the Data Subject within the scope of Article 10 of the KVKK during the collection of Personal Data.

Personal Data: Any information relating to an identified or identifiable natural person (within the scope of this Policy, “Personal Data” shall also include “Special Categories of Personal Data” defined below, to the extent appropriate).

Processing of Personal Data: Any operation performed on data, such as obtaining, recording, storing, preserving, changing, reorganising, disclosing, transferring, taking over, making available, classifying, or preventing the use of Personal Data by fully or partially automatic means or non-automatic means, provided that it is part of a data recording system.

Committee: The committee responsible for the fulfilment of this Policy and the KVK Procedures to be implemented based on the Policy.

Board: The Personal Data Protection Board.

Authority: The Personal Data Protection Authority.

KVKK: Law No. 6698 on the Protection of Personal Data.

KVK Regulations: Law No. 6698 on the Protection of Personal Data and other relevant legislation regarding the protection of Personal Data, binding decisions, principle decisions, provisions, instructions given by regulatory and supervisory authorities, courts, and other official authorities, and applicable international agreements and all other legislation regarding data protection.

KVK Procedures: Procedures determining the obligations to be followed by the Company, employees, [the Committee and/or the Data Controller Representative] within the scope of this Policy.

Special Categories of Personal Data: Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Deletion: Making Personal Data inaccessible and unusable for relevant users in any way.

Data Processor: The natural or legal person who processes Personal Data on behalf of the Data Controller, based on the authority given by the Data Controller.

Data Subject: All natural persons whose Personal Data are processed by or on behalf of the Company.

Data Controller: The natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system.

Data Controller Contact Person: The natural person notified by the Data Controller during registration to the registry for communication with the Authority.

Data Controller Representative: The Company employee selected from within the Committee, who manages the Company’s relations with the Authority and is appointed by the decision of the Board of Directors.

Destruction: The process of making Personal Data inaccessible, unretrievable, and unusable by anyone in any way.

 

5. PRINCIPLES OF PERSONAL DATA PROCESSING

5.1. Processing in Accordance with Law and Good Faith. The Company processes Personal Data in accordance with the law, rules of good faith, and based on the principle of proportionality.

5.2. Ensuring Accuracy and Being Up-to-Date. The Company takes all necessary measures to ensure that Personal Data is complete, accurate, and up-to-date, and updates the relevant Personal Data if the Data Subject requests a change within the scope of KVK Regulations.

5.3. Processing for Specific, Explicit, and Legitimate Purposes. Before the processing of Personal Data, the purpose for which the data will be processed is determined by the Company. In this context, the Data Subject is informed within the scope of KVK Regulations, and Explicit Consent is obtained where necessary.

5.4. Being Relevant, Limited, and Proportionate to the Purpose. The Company processes Personal Data only in exceptional cases (KVKK Art. 5.2 and Art. 6.3) or in line with the purpose within the scope of Explicit Consent obtained from the Data Subject (KVKK Art. 5.1 and Art. 6.2) and in accordance with the principle of proportionality.

5.5. Retention for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose. Personal Data is stored as long as required by the purpose. Once the period ends, the data is deleted or anonymised.

 

6. PROCESSING OF PERSONAL DATA

6.1. Explicit Consent: Data is processed after the Obligation to Inform is fulfilled and Explicit Consent is granted.

6.2. Processing Without Explicit Consent: Data may be processed without consent in specific legal instances (e.g., clearly prescribed by law, necessity for the protection of life, performance of a contract, legal obligations of the Company, data made public by the subject, or legitimate interests of the Company).

 

7. PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

Special categories (sensitive data) are subject to stricter rules.

Health and sexual life data can only be processed without explicit consent by persons under the obligation of confidentiality (e.g., Company doctor) for medical diagnosis, treatment, and planning of health services.

Technical measures include cryptographic storage, secure logging, two-factor authentication for remote access, and encrypted transfers (KEP, VPN, or SFTP).

 

8. & 9. RETENTION AND DESTRUCTION

The Company does not store data for potential future use without a legitimate purpose. Once the legal period or the processing purpose expires, data is destroyed according to the Personal Data Storage, Destruction, and Anonymisation Policy.

 

10. TRANSFER OF PERSONAL DATA

The Company may transfer data to third parties domestically or abroad, provided it complies with KVKK Articles 8 and 9. Protective clauses are added to contracts with third-party processors.

 

11. OBLIGATION TO INFORM

Data subjects are informed of:

Identity of the Data Controller.

Purpose of processing.

To whom and for what purpose data may be transferred.

Method and legal reason for collection.

Rights listed in Article 11 of KVKK.

 

12. RIGHTS OF DATA SUBJECTS

Data subjects have the right to learn if data is processed, request information, learn the purpose, know third-party recipients, request correction, request deletion, and object to negative results from automated analysis.

Application Channels:

Postal Address: Yeşilce Mah. Emirşah Sok. No:21/2 Kağıthane/İSTANBUL

Email: support@millercartersoftware.com

KEP Address: millercarter@hs08.kep.tr

 

13. DATA MANAGEMENT AND SECURITY

The Company employs technical and administrative measures, including:

Technological monitoring of data activities.

Employee training and confidentiality agreements.

Access control and authorisation.

Encryption for common areas; prohibiting the transfer of data to personal USB devices.

 

14. & 15. TRAINING AND AUDIT

Regular training is provided to employees. The Company reserves the right to perform ex officio audits without prior notice to ensure compliance by departments and contractors.

 

16. VIOLATIONS

Employees must report any suspected breach to the Committee. The Data Controller Contact Person manages correspondence with the Personal Data Protection Authority.

 

17. AMENDMENTS

The Company may update this Policy with the Board of Directors’ approval. Updates are shared via email or via: https://millercartersoftware.com/

 

18. EFFECTIVE DATE

This version of the Policy was approved and entered into force on 21/09/2025.