İzmir Metropolitan Municipality official facebook account İzmir Metropolitan Municipality official twitter account İzmir Metropolitan Municipality official instagram account İzmir Metropolitan Municipality Rss
İzmir Metropolitan Municipality Official Logo
Kapat

Right Menu

Personal Data Protection Page

Left Menu

Page Content

IZMIR METROPOLITAN MUNICIPALITY
PERSONAL DATA PROCESSING AND PROTECTION POLICY
 
INTRODUCTION
This Policy establishes the principles to be adopted by and taken into consideration in practice by Izmir Metropolitan Municipality for processing and protection of the personal data.
According to the Law Nr. 6698 on the Protection of the Personal Data (“the Law”), our organization prioritizes processing and protecting the personal data pursuant to the laws and complies with the Law in its plans and services. 
The key element of this topic is about processing and protection the personal data of our citizens, employees, employee candidates, visitors and organization, third parties cooperating with us.
Accordingly, our Organization takes necessary administrative and technical measures for protecting the personal data that has been processed pursuant to the related legislation.
 
DEFINITIONS
Explicit Consent: means consent about a specific topic based on being informed and given in freewill
Anonymization: means the process of anonymizing data previously associated with a person in a manner so that such data cannot be associated with a natural person who is identified or might be identified under any circumstances even if matched with other data,
Personal Data: means all kinds of information about a natural person who is identified or might be identified,
Processing Personal Data: means all kinds of processes performed on the data such as obtaining Persona Data through fully or partially automated methods or non-automated methods provided that the method is a part of any data recording system as well as recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying such data or preventing use of it. 
Personal Data Owner / Data Subject: means persons whose personal data has been processed by the Organization,
Organization / Data Controller: means Izmir Metropolitan Municipality,
PPD Law / Law: means Law Nr. 6698 on Protection of the Personal Data,
PPD Board / Board: means Protection of the Personal Data Board,
Sensitive Personal Data: means data related to race, ethnicity, political views, philosophical beliefs, religion, sects or other beliefs, clothing, membership to an association, foundation or union, health, sexual preferences, conviction and security measures as well as biometric and genetic data.
 
PURPOSE and SCOPE
This Policy functions as a guide for our Organization’s enforcement of the rules established by the PPD Law and related regulation.
The primary purposes of this policy are to make statements about processing and protection of the personal data pursuant to the Law and to assure transparency of the personal data processed by our Organization by informing people. Our goal is to fully comply with the legislation during the personal data processing and protection operations conducted by our Organization and to protect all personal data related rights of the personal data owners that are granted under the legislation.
This Policy applies to all personal data owned by our Citizens, Employees, Employee Candidates, Visitors, Establishments and Third Parties cooperating with us and processed through automated methods or any non-automated method that must be a part of any data recording system.
 
PRINCIPLES
The actions and measures taken by our Organization for assuring “data security” pursuant to the PPD Law are as follows. 
  1. We comply with the technical and administrative measures to be taken under the Law, provisions of the related regulations and Board Decisions when it comes to deleting, destroying and anonymizing the personal data.
  2. All operations performed for deleting, destroying and anonymizing the personal data are recorded by our Organization.
  3. Unless decided otherwise by the Board, the optimum method of ex-officio deletion, destruction and anonymization of the personal data is selected by the legislation binding on us.
    1. Terms and conditions of processing personal data, as laid down by the Law, are arranged within the framework of this legislation. Thus, if the Data Subject files an application to our Organization;4.1The requests are finalized within a maximum period of 30 (thirty) days following receipt and the Data Subject is informed, 
      4.2 If the data subject to the request is transferred to the third parties, the third party will be informed about the request and necessary formalities shall be performed before these third parties.
  4. According to the PPD Law and other laws (such as Nr. 657, 5510 etc.) that are binding on the employees; the personnel have legal liabilities such as not disclosing the personal data they have by violating the personal data laws, not using the data for any purpose other than the purpose of processing and they are aware that this liability shall survive after end of their offices. 
  5. Non-Disclosure Agreements are concluded with the Contractors and thus they are bound by the legal, administrative and technical liabilities to be observed when processing the personal data as the data controller.
  6. Our Organization takes necessary technical and administrative measures for storing the personal data in secure platforms and preventing destruction, loss or change of such data for illegal purposes.
  7. Our Organization performs or arranges performance of necessary inhouse audits pursuant to the PPD Law. These results of such audit are reported to the related departments and managements and necessary activities are performed for improvement of the measures taken.
 
PROCESSING PERSONAL DATA
Our Organization processes the personal data pursuant to the laws binding it while fulfilling its liabilities and responsibilities.
 
The personal data cannot be processed unless it is clearly stated in the binding laws or unless explicit consent of the data owner is obtained. Explicit consent given by the personal data owner is only one of the legal grounds allowing legal processing of personal data. In addition to the explicit consent, the personal data might be processed if one of the following conditions exists.
  1. Our Organization might process the personal data even without the Explicit Consent of the Personal Data Owners if it is clearly allowed under the laws. For example; processing ID details of the Bidder Company’s Authorized Officer pursuant to the Public Procurement Law.
  2. If a person is in a condition that physically prevents stating consent or that nulls his/her consent, the Personal Data might be processed without explicit consent for protecting life or physical integrity of that person or another person. For example; the Organization’s security personnel might give ID details of an unconscious visitor to the doctors.  
  3. The Personal Data of the contracting parties might be processed provided that the Organization is directly associated with conclusion or performance of a contract. For example; receiving account number of the creditor for making a payment under the contract.
  4. The Organization might process the Personal Data of the Personal Data Owners if it is required for fulfilling its legal liabilities. For example; Presenting information to a court as required under a court order.
  5. The Organization might process the Personal Data that are made public by the Personal Data Owners. For example; contact details of an employee candidate that are published on the job search websites.
  6. If data processing is necessary for establishing, using or protecting a right, the personal data of the data owner might be processed. For example; storing data that might be used as a proof (for example an invoice) and using it when necessary.
  7. If data processing is necessary for using or protecting a legal right, the Organization might process the Personal Data of the Personal Data Owners without obtaining the explicit consent. For example; Security cameras recording in the buildings and facilities owned by the Organization for security purposes.
Our Organization does not process the Sensitive Personal Data without the explicit consent of the data subject unless clearly stated otherwise under the laws.
When processing the Personal Data, our Organization:
  1. Follows the principles imposed by the regulations as well as the overall principle of trust and integrity when processing the personal data. Accordingly, it bears in mind the requirements of proportionality when processing the personal data and it does not use the personal data outside its intended purpose.
  2. Assures that the personal data processed by respecting the fundamental rights of the personal data owners and its legal interests is accurate and current.
  3. Our Organization processes the personal data to the extent it is connected with and required for the service provided by our Organization.
  1. Processes the personal data in a manner suitable for realizing the intended purposes and avoids processing data that is not related with or required for realizing the purpose.
  2. Keeps the personal data only as long as stated on the related regulation. Accordingly, if the related regulation specifies a certain period for keeping the personal data our Organization follows this period but if a period is not specified, the personal data is kept as long as it is required for the purpose of processing such personal data.
PURPOSES OF PROCESSING PERSONAL DATA
Our Organization processes your personal data for the following purposes:
  1. To use for the services to be provided by our Organization under the scope of the effective law and related regulations,
  2. To perform municipal services and to identify data for determining the owner and recipient of all kinds of works and transactions,
  3. To issue information and documents to be the basis of works and transactions to be made on paper or on the electronic environment,
  4. To store information required by the authorized judicial and administrative authorities pursuant to the related regulation,  
  5. To plan and perform corporate sustainability activities,
  6. Efficiency management,
  7. Management of organization’s relationship with companies and contractors,
  8. To conduct personal recruitment processes,
  9. To perform / follow up financial reporting and risk management formalities,
  10. To perform / follow up legal formalities,
  11. To plan and perform corporate communication operations,
  12. To perform corporate management operations,
  13. HİM (fellow countryman communication center) and Right to Information request, complaint management,
  14. To give information to the authorized bodies as required by the legislation,
  15. To issue and track visitor records,
  16. To improve the services offered through the Websites and Applications,
  17. To provide free and wireless internet connection
If the processing operations done for any purpose other than the abovementioned purposes do not meet any one of the conditions stipulated under the scope of PPD Law, the Organization obtains explicit consent of the personal data owner for the processing the related personal data.
 
CLASSIFICATION OF PERSONAL DATA
Our Organization processes the personal data listed under the following categories pursuant to the legal and justified purposes of personal data processing and by following all liabilities laid down by the Law and the data subjects are informed duly, as required under the Law. The data subjects related the personal data processed in these categories are also stated in this section, as regulated by this Policy.
 
Personal Data Classification Explanation
ID Details Documents such as driver’s license, ID card and passport that provide information such as name and surname, Turkish ID number, nationality information, father’s-mother’s name, place of birth, date of birth and information such as tax number, Social Security number, signature, vehicle license plate etc.
Contact Details Phone number, address, e-mail address, fax number, IP address etc.
Location Data Information pinpointing the location of the Personal Data Owner within the framework of services provided by the Organization or as a result of the services provided by the establishments cooperating with us; GPS location, address info etc.
Citizen Data Information obtained and generated about the data subject pursuant to the responsibilities of our Organization and services provided by our departments etc.
Information about Family Members and Relatives / Kith & Kin Information about the family members (for example spouse, mother, father, child) and kith & kin of the personal data owner as well as guardianship information, emergency contact info etc. for services provided by Organization or for protecting legal and other interests of the personal data owner etc.
 
Location Security Information Personal data related to records and documents submitted when entering a location and remaining in that location; surveillance records and data recorded on the security check points etc.
 
Financial Information Personal data processed in connection with information, documents and records issued based on the type of legal relationship established by and between the Organization and personal data owner to state all kinds of financial results and bank account number, IBAN number, credit card information, income information etc.
 
Visual/Audial Information Photograph and camera footage (excluding the records entered as Location Security Information), voice recordings and data in the documents considered as the copies of documents containing personal data etc.
 
Personnel Information All kinds of personal data etc. processed for obtaining information basis to establishing personnel information of the Organization’s personnel
 
Sensitive Personal Data Data etc. listed in Article 6 of the PPD (for example health information including the blood type
 
Transaction Security Information Personal data etc. processed for assuring our technical, administrative and legal security when performing our operations based on our responsibilities
Legal Transaction and Compliance Information Personal data etc. processed for determining, monitoring our legal receivables and rights as well as settlement of our debts and for compliance to our legal liabilities and corporate policies.
Service Information Personal data processed for offering services based on service preference habits, taste and needs of the personal data owner and reports & evaluations etc. created based on the results of this processing.
Request / Complaint Management Information Personal data related to receiving and reviewing all kinds of requests or complaints submitted to the Organization and reports & evaluations etc. created based on the results of this processing.
 
DATA PROCESSING OPERATIONS AT THE ENTRANCE OF AND IN THE BUILDINGS AND FACILITIES
For assuring security in our Organization, our Organization has security surveillance system in the buildings and facilities of our Organization and also we process personal data for monitoring entrances and exits of the visitors. These activities are performed by using security cameras, seeing ID documents and recording entrances and exits of the visitors.
The surveillance system of and records kept by our Organization comply with the Law on Private Security Services and related regulation.
Our Organization takes necessary technical and administrative measures for assuring security of the personal data obtained as a result of the surveillance system as required under Article 12 of the PPD Law.
Our Organization offers internet access to our Visitors when they are in our Building and Facilities, if requested. In this case, the logs of your internet accesses are kept according to the Law numbered 5651 and the governing provisions of the regulation issued based on this Law however these records are issued only for the purpose of fulfilling our legal liability if the records are requested by the authorized public institutions and organizations or for the internal audits of the Organization.  

WEBSITE and APP VISITORS
In the websites and apps owned by our Organization, our Organization records the visits of people visiting these sites for the purpose of assuring that these visits comply with their intended purposes.
The details explanations about processing and protection of the personal data by our Organization in the websites and apps are as written in the Confidentiality Policy available under “Protection of Personal Data” section of our corporate website.

SHARING PERSONAL DATA
The personal data provided to our Organization might be shared with persons, establishments and / or institutions as required / allowed under the law, other acts and other legislations that are binding on us; with county municipalities for carrying on services provided to the citizens; with universities and public institutions within the scope of binding laws or with approval of the Izmir Metropolitan Municipal Council and also with the third parties providing services in order to perform the municipal activities but this information sharing is subject to the legal restrictions. 

PERSONAL DATA RETENTION PERIODS
If required under the related laws and regulations, our Organization keeps the personal data for the periods specified under these regulations.
If the legislation does not specify the length of personal data retention period, the Personal Data are processed for the periods required depending on the activity conducted by the Organization while processing that data.

DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
When the reasons that require data processing are not valid anymore, our Organization deletes, destroys or anonymizes the personal data following a decision made by the Organization or a request made by the personal data owner even if such personal data was processed according to Article 138 of the Turkish Penal Code and Article 7 of the PPD Law and pursuant to the related provisions of the law.
Accordingly, our Organization takes necessary in-house technical and administrative measures for fulfilling our related liabilities and we train, assign related departments and raise awareness for complying with these liabilities.
Anonymizing the personal data means the process of anonymizing data in a manner so that such data cannot be associated with a natural person who is identified or might be identified under any circumstances even if matched with other data. According to Article 28 of the PPD Law, the anonymized personal data might be processed for purposes such as research, planning and statistics.

HANDLING REQUESTS OF DATA SUBJECTS
If the personal data owners submit requests related to their rights using the application filing methods listed on our official website www.izmir.bel.tr under “Protection of Personal Data” section, these requests shall be finalized by our Organization for free within a period of maximum thirty days.
To use your rights as the Data Subject,  your request including the disclosure of your identifying information should be submitted by completing the form available on www.izmir.bel.tr; delivering the signed copy of the form by hand to İzmir Büyükşehir Belediyesi Yazı İşleri Şube Müdürlüğü Cumhuriyet Bulvarı No:1 Kat:3 Konak IZMİR with your ID documents or you might serve it by virtue of a notary or submit the related form to izmirbuyuksehirbelediye@hs01.kep.tr with secure electronic signature.
 
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR PROTECTION OF THE PERSONAL DATA
Our Organization takes necessary technical and administrative measures for preventing unauthorized processing of and unauthorized access to the Personal Data that has been processed by our Organization pursuant to the Law and for assuring protection of the data. These measures are as follows:

Technical Measures
  1. We take proper technical measures based on the technological developments; these measures are updated and renewed periodically.
  2. We limit the access authorizations and review these authorizations regularly.
  3. The technical measures taken are periodically reported to the relevant parties, as required under the internal audit mechanism, and the risky particulars are reevaluated to come up with the necessary technological solutions.
  4. Software programs and hardware including anti-virus systems and firewalls are installed.
  5. Personnel qualified in the technical matters are hired.
  6. The applications used to collect personal data are regularly subjected to security scans for identifying any security vulnerabilities. The vulnerabilities discovered are eliminated.
  7. Systems fit to the technological developments are used for storing Personal Data on secure media.
  8. Back-up programs are used for secure storage of the Personal Data but as allowed under the law.
  9. Access to the platforms used for storing the Personal Data and access to the data are restricted and only the authorized personnel are allowed to have access to such data only for the purpose of storing the personal data; track records are kept for accesses to the data storage platforms where the Personal Data are kept and unauthorized accesses or attempted accesses are reported to the related parties.
Administrative Measures;
  1. The personnel are informed and trained about the Law on the Protection of the Personal Data and processing the Personal Data pursuant to the law.
  2. All operations carried out by the Organization are analyzed in detail on department basis and, as a result of this analysis, the Personal Data processing operations of the related departments are determined on department basis.
  3. For complying with the legal compliance requirements determined on department basis, we raise awareness and establish rules of practice specifically for the related department; we implement necessary administrative measures for auditing these particulars and assuring sustainability of the practices.
  4. The personnel are trained about the technical measures to be taken for preventing unauthorized access to the Personal Data.
  5. In-house Personal Data access and authorization processes are designed and implemented by the Organization according to the legal compliance requirements for processing personal data.
  6. In addition to the contracts executed by and between the Organization and the persons that legally received the Personal Data from the Organization; we sign confidentiality agreements with the persons receiving the Personal Data to confirm that they will take necessary security measures for protecting the Personal Data and they will assure compliance to these measures by their establishments.