PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. PURPOSE
The purpose of this Policy is to establish the procedures and principles to which Yeditepe University is subject in the protection and processing of personal data; to ensure that the technical and administrative activities carried out for the purpose of protecting such data are conducted effectively and systematically by organizing them under a single policy; and to promote transparency by informing the data subjects whose personal data are processed (students, alumni, employees, prospective employees, authorized representatives, visitors, third parties with whom the University collaborates, etc.).
2. SCOPE
This Policy applies to all personal data of our students, alumni, interns, intern candidates, employees, prospective employees, visitors, business partners/supplier/subcontractor authorized representatives and their employees, and third parties, processed fully or partially by automated means or by non-automated means forming part of a data recording system.
The scope of application of this Policy with respect to the categories of data subjects listed above may extend to the Policy in its entirety (as in the case of alumni who are also employees) or may apply only to specific provisions thereof (as in the case of employees only).
3. DEFINITIONS
| Term | Definition |
|---|---|
| Yeditepe University | The Rectorate of Yeditepe University and the units and centers affiliated therewith |
| Explicit Consent | Consent that is specific to a particular subject, based on information, and expressed by free will |
| Subcontractor | The subcontractors of parties that are in a contractual relationship with Yeditepe University or its affiliated centers and units and that provide services to Yeditepe University or its affiliated centers and units |
| Application Form | The Application Form to be used by Data Subjects (Data Owners) in submitting applications to the Data Controller Yeditepe University pursuant to Law No. 6698 on the Protection of Personal Data |
| Employee | Personnel of Yeditepe University or its affiliated centers and units |
| Prospective Employee | Natural persons who have applied for a position at Yeditepe University or its affiliated centers and units, or who have made their curriculum vitae and relevant information available for review by Yeditepe University |
| Data Subject / Personal Data Owner | The natural person whose personal data are processed |
| Contact Representative | The Contact Representative of Yeditepe University, appointed pursuant to Article 11(4) of the Regulation on the Registry of Data Controllers, published in the Official Gazette dated 30 December 2017, No. 30286, and entering into force on 1 January 2018 |
| İstek Foundation | The Istanbul Education and Culture Foundation, of which Yeditepe University is the founder |
| Business Partners | The parties with which Yeditepe University or its affiliated centers and units establish a business partnership in the course of their activities |
| Personal Data | Any information relating to an identified or identifiable natural person. Accordingly, the processing of information relating to legal entities does not fall within the scope of the Law. For example: name and surname, Turkish ID number, email address, date of birth, credit card number, etc. |
| Anonymization of Personal Data | The rendering of personal data in a form in which it can no longer be associated with an identified or identifiable natural person by any means whatsoever, including masking, aggregation, data perturbation, and similar techniques, even when matched with other data |
| Processing of Personal Data | Any operation performed on personal data, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, receipt, making available, classification, or blocking, whether fully or partially by automated means or by non-automated means forming part of a data recording system |
| Deletion of Personal Data | The rendering of personal data inaccessible and unusable in any manner whatsoever for the relevant users |
| Destruction of Personal Data | The rendering of personal data inaccessible, irretrievable, and unusable in any manner whatsoever by any person |
| PDPL | The Law on the Protection of Personal Data No. 6698, dated 24 March 2016, published in the Official Gazette dated 7 April 2016, No. 29677 |
| Personal Data Protection Board | The Personal Data Protection Board |
| Personal Data Protection Authority | The Personal Data Protection Authority |
| Board of Trustees | The Board of Trustees of the Rectorate of Yeditepe University |
| Special Categories of Personal Data | Data relating to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data |
| Policy | The Personal Data Protection and Processing Policy of Yeditepe University |
| Intern | Natural persons undertaking an internship at Yeditepe University or its affiliated centers and units |
| Intern Candidate | Persons who have applied for an internship at Yeditepe University or its affiliated centers and units and who have made their curriculum vitae and other relevant information available for review by Yeditepe University |
| Supplier | Parties that are in a contractual relationship with Yeditepe University or its affiliated centers and units and that provide services to Yeditepe University or its affiliated centers and units |
| Third Party | Natural persons whose personal data are processed and who are not otherwise defined within the scope of the Policy (e.g., guarantors, companions, family members) |
| Data Processor | A natural or legal person that processes personal data on behalf of the Data Controller based on the authority granted by the Data Controller. For example, a cloud computing company that stores the University's data |
| Data Recording System | A recording system in which personal data are structured and processed according to specific criteria |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system |
| Visitor | Natural persons who have entered the physical premises owned by Yeditepe University or its affiliated centers and units for various purposes, or who visit its websites |
4. ADMINISTRATION OF THE POLICY AND RESPONSIBLE PARTIES
4.1. Yeditepe University, in its capacity as "Data Controller," is responsible for the implementation of this Policy.
4.2. The Yeditepe University Data Controller Committee shall be authorized and responsible for the preparation, implementation, and updating of the Policy.
4.3. All departments and bodies of the University, together with the relevant data subjects, are obliged to act in accordance with the provisions of the Policy, to ensure compliance with such provisions, and to report any detected non-compliance to the University's Data Controller Committee.
4.4. The Policy is published on the website at www.yeditepe.edu.tr and is also accessible via shared information processing systems.
4.5. Updates made to the Policy shall be made accessible by the Data Controller Committee, both on the University's website and through upload to the shared information processing system.
4.6. In the event of any conflict between the Policy and the provisions of applicable legislation, the legislative provisions shall prevail.
4.7. The authority to decide on the revocation of this Policy belongs to the Board of Trustees.
5. PRINCIPLES OF PERSONAL DATA PROCESSING
5.1. General Principles Applicable to the Processing of Personal Data
Personal data are processed in accordance with Law No. 6698 and secondary legislation, as well as the procedures and principles set forth in this Policy.
5.2. Processing in Compliance with the Law and the Principle of Good Faith
Personal data are processed in compliance with applicable legislation and the principle of good faith. Yeditepe University observes the requirements of proportionality in the processing of personal data and does not use personal data for purposes other than those for which they are processed.
5.3. Accuracy and, Where Necessary, Up-to-Date Nature
Yeditepe University takes the necessary measures to ensure the accuracy of personal data in the course of their collection and processing, and enables data subjects to update their personal data.
5.4. Processing for Specified, Explicit, and Legitimate Purposes
Yeditepe University determines its personal data processing purposes precisely and explicitly, and processes such data within the periods stipulated in applicable legislation in connection with the University's activities.
5.5. Being Relevant, Limited, and Proportionate to the Purposes for which They Are Processed
Personal data and processing purposes are categorized in a "Data Inventory," and the processing of data that is not related to the achievement of the specified purpose is avoided.
5.6. Retention for the Period Stipulated in Relevant Legislation or for as Long as Necessary for the Purpose for which They Are Processed
Personal data are processed in accordance with the data processing and limitation periods set out in all applicable laws and secondary legislation to which Yeditepe University and its affiliated centers/units are subject.
6. CONDITIONS FOR THE PROCESSING OF PERSONAL DATA
Yeditepe University acts in compliance with the conditions for the processing of personal data set forth in Article 5 of Law No. 6698 on the Protection of Personal Data.
6.1. Existence of the Data Subject's Explicit Consent
Under Law No. 6698, the primary legal basis for the processing of personal data is "Explicit Consent." Explicit Consent means a person's consent specific to a particular subject, based on information, and expressed by free will.
6.2. Processing Being Expressly Provided for by Law
The personal data of data subjects may be lawfully processed where expressly provided for by law.
6.3. Inability to Obtain the Data Subject's Explicit Consent Due to Factual Impossibility
Where it is mandatory to process the personal data of a person who is unable to give consent due to factual impossibility or whose consent is not legally valid, personal data may be processed without explicit consent.
6.4. Necessity of Processing the Personal Data of the Parties to a Contract
In transactions directly related to the conclusion of a contract or the performance of the contractual obligation, personal data may be processed without explicit consent.
6.5. Processing of Personal Data Being Mandatory for the Data Controller to Fulfill its Legal Obligation
Where the processing of data is mandated by the legislation to which Yeditepe University or its affiliated centers/units are subject, personal data may be processed for the purpose of fulfilling that legal obligation.
6.6. Rendering of Personal Data Public by the Data Subject Themselves
Where the personal data of a data subject has been made public by the data subject themselves, such data may be processed by Yeditepe University.
6.7. Processing of Data Being Mandatory for the Establishment, Exercise, or Protection of a Right
Where the processing of personal data is mandatory for the establishment, exercise, or protection of a right, data may be processed without seeking the explicit consent of the data subject.
6.8. Processing of Data Being Mandatory for the Legitimate Interests of the Data Controller
Provided that the fundamental rights and freedoms of data subjects are not harmed, where the processing of personal data is mandatory for the legitimate interests of the Data Controller Yeditepe University, personal data may be processed.
7. PURPOSES FOR THE PROCESSING OF PERSONAL DATA
Personal data are processed by Yeditepe University for the following purposes:
- To enable the relevant business units to carry out the necessary work so that natural and/or legal third-party entities and organizations may benefit from the products and services of our University and/or of the Centers and units affiliated therewith;
- To ensure the safety of life and property, as well as legal, commercial, and occupational health and safety;
- To fulfill legal and regulatory requirements arising from applicable laws and secondary legislation;
- To conduct supervisory and/or regulatory activities to be carried out by authorized public institutions and organizations;
- To manage disciplinary investigation proceedings;
- To enable membership in student clubs and to benefit from related activities;
- To fulfill requests for information and documents made by judicial bodies and/or administrative authorities;
- To carry out listing, reporting, verification, analysis, statistical, and scientific data activities;
- To conduct market research, promotion, information, complaint and suggestion evaluation, and communication activities;
- To sustain academic training, scientific research, project applications, intellectual and industrial property transactions, publications, consultancy, and related activities;
- To implement Human Resources processes and policies;
- To determine, develop, and implement administrative and academic processes, business strategies, and legal compliance processes;
- To carry out accreditation and evaluation activities;
- To protect public order and public health;
- To conduct and manage health services;
- To plan and manage financing and invoicing;
- To train and develop employees;
- To fulfill participation requests for training, seminars, and similar events;
- To carry out risk management and quality improvement activities;
- To fulfill offers, promotions, exemptions, and other rights and obligations under relevant agreements;
- To take all necessary technical and administrative measures required for systems and applications within the scope of data security.
8. PURPOSES OF AND PROTECTION METHODS FOR THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
8.1. Purposes for the Processing of Special Categories of Personal Data
Special categories of personal data are processed, provided that the measures determined by the Personal Data Protection Board are taken, within the framework of the conditions set forth in Article 6 of Law No. 6698.
- Where the Explicit Consent of the Data Subject is present; or
- Where explicit consent is absent, in cases provided for by law or within the scope permitted by legislation.
8.2. Methods for the Protection of Special Categories of Personal Data
- A separate, systematic, clearly defined, manageable, and sustainable policy and procedure has been established.
- Regular training is provided for employees involved in processing special categories of personal data.
- Confidentiality agreements are concluded.
- Access authorizations are clearly defined and periodically reviewed.
- Authorizations of employees who change roles or leave employment are immediately revoked.
- Data stored electronically are protected using cryptographic methods.
- Transaction logs are securely maintained.
- Physical environments are protected against unauthorized access, fire, flooding, theft, and similar risks.
- Transfers are carried out using encrypted methods, VPN, sFTP, or classified document procedures where necessary.
9. TRANSFER OF PERSONAL DATA
9.1. Transfer of Personal Data within Türkiye
Personal data may be transferred within Türkiye where one of the processing conditions under Law No. 6698 exists, including explicit consent, legal obligation, contractual necessity, protection of rights, public disclosure by the data subject, or legitimate interests of the data controller.
9.1.9. Third Parties to whom Personal Data Are Transferred by Yeditepe University and the Purposes of Transfer
| Recipient Category | Definition of Persons to Whom Data May Be Transferred | Purpose of Data Transfer |
|---|---|---|
| Subcontractor | Natural persons who are authorized representatives of employers that have received work from Yeditepe University in ancillary activities or in a part of its principal work | Limited to enabling the subcontractor to fulfill the activities for which it is responsible |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to request information and documents from Yeditepe University pursuant to applicable legislation | Limited to the purpose requested within the legal authority of the relevant public institution or organization |
| Legally Authorized Private Law Persons | Private law persons authorized to request information and documents from Yeditepe University pursuant to applicable legislation | Limited to the purpose requested within the legal authority of the relevant private law person |
| Business Partner | Parties with which Yeditepe University establishes business partnerships for carrying out projects and receiving services | Limited to ensuring the fulfillment of the purposes for which the business partnership was established |
| Supplier | Parties that provide services to Yeditepe University on a contractual basis | Limited to enabling the provision of services necessary for carrying out outsourced activities |
9.2. Transfer of Personal Data Abroad
Personal data may be transferred abroad by Yeditepe University where explicit consent is obtained or where one of the processing conditions under Law No. 6698 exists and adequate protection is provided or the necessary authorization of the Personal Data Protection Board is obtained.
9.3. Transfer of Special Categories of Personal Data
Special categories of personal data may be transferred domestically or abroad by obtaining explicit consent or, where permitted by law, without explicit consent provided that adequate measures are taken.
10. CATEGORIZATION OF PERSONAL DATA PROCESSED BY YEDITEPE UNIVERSITY
| Personal Data Category | Description |
|---|---|
| Family Members and Close Associates Information | Personal data concerning family members, close associates, and persons reachable in emergencies |
| Prospective Employee Information | Personal data processed in relation to individuals who have applied for a position at Yeditepe University |
| Audit and Inspection Information | Personal data processed within the scope of legal obligations and compliance with University policies |
| Financial Information | Personal data relating to financial results, bank account number, IBAN number, credit card information, financial profile, asset data, and income information |
| Physical Premises Security Information | Camera recordings, fingerprint records, and records taken at security checkpoints |
| Visual/Audiovisual Information | Photographs, camera recordings, audio recordings, and data contained in document copies |
| Legal Proceedings and Compliance Information | Personal data processed within the scope of legal claims, rights, obligations, and compliance policies |
| Contact Information | Telephone number, address, email address, fax number, and IP address |
| Reputation Management Information | Personal data collected for the purpose of protecting the reputation of Yeditepe University |
| Identity Information | Name, surname, Turkish ID number, nationality, date of birth, gender, tax number, Social Security number, signature, vehicle licence plate number, etc. |
| Location Data | GPS location, travel data, and similar location-related data |
| Incident Management Information | Information and assessments collected in relation to events that may affect Yeditepe University employees and students |
| Special Categories of Personal Data | Health data, biometric data, religious affiliation, membership in associations, and other data under Article 6 of the PDPL |
| Personnel File Information | Personal data processed for the purpose of personnel rights of employees |
| Request/Complaint Management Information | Personal data relating to the receipt and evaluation of requests or complaints directed to Yeditepe University |
11. CATEGORIZATION OF DATA SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED BY YEDITEPE UNIVERSITY
| Data Subject Category | Description |
|---|---|
| Subcontractor Authorized Representatives | Natural persons who are authorized representatives of subcontractor employers |
| Employee | A natural person employed in any unit of Yeditepe University |
| Prospective Employee | Natural persons who have applied for a position at Yeditepe University |
| Business Partners | Parties with which Yeditepe University establishes business partnerships |
| Employees of Business Partners / Suppliers / Subcontractor Authorized Representatives | Employees, shareholders, and authorized representatives of parties with which Yeditepe University maintains a business relationship |
| Alumni | Natural persons who have completed their education at Yeditepe University and received their diplomas |
| Student | Natural persons enrolled at Yeditepe University |
| Intern | Natural persons undertaking an internship at Yeditepe University |
| Intern Candidate | Natural persons who have applied for an internship at Yeditepe University |
| Supplier | Parties that provide services to Yeditepe University on a contractual basis |
| Third Party | Other natural persons not otherwise falling within the scope of this Policy |
| Visitor | Natural persons who have entered the physical premises owned by Yeditepe University or who visit its websites |
12. METHODS OF COLLECTING PERSONAL DATA
Personal data may be collected verbally, in writing, or electronically through Yeditepe University or its affiliated centers and units, websites, social media platforms, call centers, mobile applications, and similar channels.
13. OBLIGATIONS OF THE UNIVERSITY AS DATA CONTROLLER
Yeditepe University provides data subjects with information on:
- The identity of the data controller and, where applicable, its representative;
- The purposes for which personal data will be processed;
- The persons to whom the processed personal data may be transferred and for what purpose;
- The method of collecting personal data and its legal basis;
- Other rights of the data subject referred to in Article 11 of the PDPL.
14. RIGHTS OF DATA SUBJECTS
14.1. Disclosure to Data Subjects
Yeditepe University provides data subjects with information through the "Disclosure Text" on matters required under the PDPL.
14.2. Rights of Data Subjects under the PDPL
- To learn whether their personal data have been processed;
- To request information regarding the processing;
- To learn the purpose of processing and whether the data are being used accordingly;
- To know the third parties to whom the data have been transferred;
- To request correction of incomplete or inaccurate data;
- To request deletion or destruction of personal data;
- To request notification of such transactions to third parties;
- To object to results against them through automated systems;
- To claim compensation for damages in the event of unlawful processing.
14.3. Exercise of Rights by Data Subjects
Applications may be made in writing or electronically through the methods specified by Yeditepe University, following completion of the "Data Subject Application Form" available at www.yeditepe.edu.tr.
14.4. Period for the University to Respond to Applications
Applications submitted to Yeditepe University are responded to in writing or electronically as soon as possible and within a maximum of thirty days.
14.5. Cases in which Data Subjects Cannot Assert Their Rights
Data subjects may not assert their rights in cases that fall outside the scope of the PDPL or in exceptional cases provided under Article 28 of the PDPL.
15. ENSURING THE SECURITY OF PERSONAL DATA
15.1. Technical Measures Taken to Ensure the Lawful Processing of Personal Data
- Necessary technical measures and audits are carried out.
- A Data Controller Committee has been established.
- Technical personnel are employed.
- Data processing activities are audited through technical systems.
- Technical support agreements may be concluded where necessary.
- Internal procedures are established promptly.
15.2. Administrative Measures Taken to Ensure the Lawful Processing of Personal Data
- Employees are informed and trained.
- Undertakings are obtained from employees.
- Contracts with data processors include data protection obligations.
- Employee access to personal data is regulated through authorization restrictions.
- Administrative measures are taken for secure storage and lawful processing.
15.3. Technical Measures Taken to Prevent Unlawful Access to Personal Data
- Technical measures are taken, updated, and renewed periodically.
- Internal procedures are established and communicated.
- Software and hardware including anti-virus systems and firewalls are installed.
- Authorization restrictions are implemented.
15.4. Administrative Measures Taken to Prevent Unlawful Access to Personal Data
- Administrative decisions on access and authorization are implemented.
- Employees are informed regarding confidentiality obligations.
- Interns are informed and undertakings are obtained.
- Confidential documents are marked as "CONFIDENTIAL."
- Employment contracts include confidentiality obligations.
15.5. Technical Measures Taken for the Secure Storage of Personal Data
- Backup programs are used.
- Expert technical personnel are employed.
- Servers are housed in secure environments.
- Access is made through username and password.
- Software and security updates are ensured.
- Server logs are monitored.
- Critical access passwords are held by the IT Supervisor.
15.6. Measures to Be Taken in the Event of Unauthorized Disclosure of Personal Data
Yeditepe University takes the necessary administrative measures to ensure immediate notification of the Data Controller Committee, the relevant data subject, and the Personal Data Protection Board in the event of unlawful disclosure.
16. PERSONAL DATA PROCESSING ACTIVITIES AT BUILDING AND FACILITY ENTRANCES AND WITHIN FACILITIES, AND WEBSITE VISITORS
Personal data processing activities conducted by Yeditepe University at building and facility entrances and within facilities are carried out in compliance with the Constitution, the PDPL, and other applicable legislation.
17. CAMERA SURVEILLANCE ACTIVITIES AT YEDITEPE UNIVERSITY BUILDINGS AND FACILITIES
Camera surveillance activities conducted by Yeditepe University are carried out in compliance with the Law on Private Security Services and the relevant legislation. Surveillance is limited to security purposes and areas where privacy may be violated beyond security purposes are not monitored.
18. MONITORING OF VISITOR ENTRY AND EXIT AT YEDITEPE UNIVERSITY BUILDINGS AND FACILITIES
Yeditepe University conducts personal data processing activities in connection with the monitoring of visitor entry and exit at its buildings and facilities, limited to security purposes.
19. RETENTION OF RECORDS RELATING TO INTERNET ACCESS PROVIDED TO VISITORS WITHIN YEDITEPE UNIVERSITY BUILDINGS AND FACILITIES
Yeditepe University may provide internet access to visitors and may retain log records in accordance with Law No. 5651 and related legislation.
20. WEBSITE VISITORS
On its websites, Yeditepe University records internet movements through technical means such as cookies for visit management, customized content, and online advertising activities.
21. PERSONAL DATA RETENTION PERIODS
Personal data are processed and retained in compliance with data processing and limitation periods set out in applicable laws and secondary legislation. Where the purpose of processing has expired and retention periods have ended, personal data are deleted, destroyed, or anonymized.
22. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
Where the grounds requiring processing disappear or the statutory periods expire, Yeditepe University ensures the deletion, destruction, or anonymization of personal data, either ex officio or upon the request of the data subject.
23. UPDATE
The responsibility for updating this Policy belongs to the Data Controller Committee. Updates shall enter into force upon the University Rector's approval. The Policy shall ordinarily be reviewed and updated once a year in May.
24. RELATIONSHIP OF YEDITEPE UNIVERSITY'S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES
Yeditepe University has established the principles set out in this document based on other policies relating to data assets within the University and on sub-procedures for internal use regarding the protection and processing of personal data.