Personal Data Protection Policy
The Data Controller is the FEYZİYE SCHOOLS FOUNDATION, which also includes the Feyziye Schools Economic Enterprise that is affiliated with the FEYZİYE SCHOOLS FOUNDATION and does not constitute a separate legal entity and hereinafter shall be referred to as the Foundation.
This Policy covers all the personal data processed, transferred, stored and retained within the Foundation, and the provisions and principles set out in the Policy are applicable to any sensitive information and documents that might be accessed physically or digitally in relation to identified or identifiable real persons.
2. Our Commitment
The Foundation gives utmost importance to protecting the privacy of personal data and undertakes to comply with the following principles:
• Processing personal data lawfully and in compliance with the principles of objective good faith,
• Ensuring that personal data are accurate and, if necessary, up-to-date,
• Processing personal data for specific, clear and legitimate purposes,
• Processing personal data to the extent it is relevant, limited and proportionate to the purposes for which they are processed,
• Retaining personal data for the period prescribed in the applicable legislation or the period required for the purpose of processing,
• Elucidating and informing data subjects,
• Establishing the necessary system to enable data subjects to exercise their rights,
• Taking necessary measures for the storage of personal data,
• Acting in compliance with the applicable legislation and the regulations of the Personal Data Protection Board (PDP Board) while transferring personal data to third parties in line with the requirements of the purpose of processing thereof.
3. Our Responsibilities within the Scope of the Law
They act in compliance with conditions specified in this Policy and attach importance to information security. They act in accordance with rules of privacy within the context of the Foundation. They immediately report all privacy-related known or suspected issues to the Data Committee.
3.2. Data Committee
It regularly organizes information security training seminars for the improvement of the qualifications and technical knowledge/skills of employees and to raise awareness under the Law. The Foundation has internal periodic or random inspections carried out. The Foundation ensures the implementation of disciplinary procedures applicable to employees who violate this Policy and privacy procedures. It immediately reviews notifications received from employees on suspected privacy issues, takes measures, and, in case of violation, notifies the Personal Data Protection Board as soon as possible.
3.3. IT Department
It is responsible for developing and implementing the appropriate administrative, technical and physical security controls within the context of information technologies in order to protect the privacy, integrity and accessibility of systems where personal data are processed and managed.
It provides the technological support required to ensure the security of personal data. It considers changes in the Foundation as part of privacy program and identifies the risks associated with such changes.
3.4. Foundation Management
It ensures that technical and administrative measures are taken to meet the conditions required for the processing and security of personal data, and that these measures are observed.
4. Personal Data Processing Rules within the Foundation
4.1. Personal Data are processed in a fair and legal manner, and the Foundation only processes and uses such data that serve its purposes within the scope of its legitimate business activities. In this context, it acts in an elucidative manner in its relations with students, parents, prospective students and their parents, third parties, suppliers and their employees, business partners, employees and employee candidates whose data are processed, and informs them as to what purposes it processes such data.
4.2. Personal data are used only for the purpose informed to the party whose personal data are processed. Within this scope, it only processes adequate, relevant and required personal “Data”.
4.3. Personal data are not collected or requested for any purposes other than this purpose, and unnecessary information is not recorded. The Foundation stores and retains personal data only to the extent that it needs them, and for the required purposes.
4.4. The Foundation ensures that personal data are accurate and up-to-date. It updates its records through its systems in line with a person’s request to change their data.
4.5. Personal data are retained only for the period prescribed in the applicable legislation or the period required for the purpose of processing thereof. First of all, the Foundation identifies whether the applicable legislation prescribes a period for the retention of personal data, and, if a period is prescribed, it acts in accordance with it, and in this context it takes the civil and criminal statute of limitations into account and retains the personal data for the period required for the purpose of processing thereof. Upon expiry of the specified period, or if the reasons requiring the processing of personal data cease to exist, the personal data are erased, destroyed or anonymized within the first periodic term.
4.6. The Foundation takes necessary administrative and technical measures to protect personal data against risks such as accidental/unauthorized disclosure, theft, damage, fire, natural disasters such as floods and earthquakes, loss, alternation, etc. It carries out the required system back-ups.
4.7. It instructs employees and parties about their information security, privacy principles and responsibilities, and makes them sign confidentiality agreements. It applies the necessary administrative and technical measures.
4.8. In case of transfer, it signs confidentiality agreements with its suppliers/business partners, ensures that its suppliers/business partners follow security measures in compliance with the procedures required by the Law, and, if data are processed by transferring through systems, conducts inspections on the relevant company.
5. Measures for the Security of Your Personal Data
Subject to the conditions set out in the Law No. 6698 and this Policy, the Foundation takes the necessary measures to satisfy the appropriate conditions and at least the minimum security level in order to ensure that personal data are not processed unlawfully, personal data are not accessed unlawfully, and personal data are protected, and the Foundation ensures the conduct of inspections in these respects. Within this context, personal data are protected by means of computer systems, and appropriate controls conducted at the operational, functional and strategic levels, to ensure the privacy, integrity and accessibility of personal data and protect them against risks such as unauthorized access, destruction, use, alternation, disclosure, loss, etc.
6. Sanctions in Case of Violation of the Policy
In case of a violation of this Policy, the Data Committee must be informed immediately. The Foundation reserves the right, at its sole discretion, to inflict disciplinary punishments on those who violate this Policy, terminate or suspend their employment contracts, or take judicial action and bring claims regarding those who violate the Policy or who fail to fulfill other requirements related to the protection of personal data.
The Foundation decides on the sanction by taking into account the Disciplinary Provisions of the Personnel Regulation, and the legal requirements.