1. Introduction
1.1. Introduction
Personal data protection has a great importance in terms of Gotrend (“GOTREND” or the “COMPANY”)
and finds place in company priorities. Within this scope, GOTREND pays utmost attention to protect
personal data of it’s insured employees, job applicants, authorities, visitors, commercial relation
parties (institutions, employees, authorities) and third parties, whose data is somehow processed by the COMPANY.
GOTREND takes the organizational and technical precautions, which are needed to protect personal data,
processed in accordance with legislation. In this Policy, GOTREND following principles about personal
data processing will be explained in detail.
- Processing personal data in compliance with law and good faith,
- Providing the accuracy and actuality of personal data,
- Processing personal data for specific, legitimate and explicit purposes,
- Processing personal data related, limited and proportional to the processing purpose,
- Preserving personal data in accordance with the processing purpose and the duration stated in legislation,
- Clarifying and informing personal data subjects,
- Providing the system, required for data subjects to exercise their rights,
- Taking the measures, necessary for the security of personal data,
- Complying with the regulations and legislations, in the matter of transferring personal data to third parties in accordance with the processing purpose,
- Showing sensitivity, required for processing and protecting sensitive personal data,
- Taking necessary technical, technological, organizational, administrative and legal for your data.
1.2. Policy Purpose
The main purpose of this Policy is to elucidate the lawful processing of
ersonal data and the systems, internalized by the COMPANY to protect processed data.
Within this scope, we aim to provide a transparent processing procedure, by informing the
subjects of data processing, particularly our employees, job applicants, authorities,
visitors, commercial relation parties (institutions, employees, authorities) and third parties,
whose data is somehow processed by the COMPANY.
1.3. Scope
This Policy pertains to all personal data of GOTREND’s insured employees, job applicants,
authorities, visitors, commercial relation parties (institutions, employees, authorities)
and third parties, whose data is somehow processed within GOTREND, by an automatic data
recording system or a non-automatic one, under the condition that must be a part of an
automatic data recording system.
1.4. Enforcement of the Policy
This Policy is drawn up by GOTREND and has entered into force in published on GOTREND’s
Website. The Policy is published on GOTREND’s Website and allows access to
concerned persons on data subjects’ demand.
1.5. Definitions
Personal Data: any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name,
an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural
or social identity of that natural person.
Data Controller: the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of personal
data; where the purposes and means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination may be provided for
by Union or Member State law.
Data Processor: a natural or legal person, public authority, agency or other
body which processes personal data on behalf of the controller.
Recipient: a natural or legal person, public authority, agency or another body, to which the
personal data are disclosed, whether a third party or not. However, public authorities
which may receive personal data in the framework of a particular inquiry in accordance with
Union or Member State law shall not be regarded as recipients; the processing of those data
by those public authorities shall be in compliance with the applicable data protection rules
according to the purposes of the processing.
Processing: any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: any form of automated processing of personal data consisting of the use of personal data to
evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects
concerning that natural person's performance at work, economic situation, health, personal preferences,
interests, reliability, behavior, location or movements.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Subject Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes
by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of
personal data relating to him or her.
Genetic Data: personal data relating to the inherited or acquired genetic characteristics of a natural person which
give unique information about the physiology or the health of that natural person and which result, in particular,
from an analysis of a biological sample from the natural person in question
Biometric Data: personal data resulting from specific technical processing relating to the physical, physiological or
behavioral characteristics of a natural person, which allow or confirm the unique identification of that
natural person, such as facial images or dactyloscopic data.
International Organization: an organization and its subordinate bodies governed by public international law, or any
other body which is set up by, or on the basis of, an agreement between two or more countries.
2.1. Ensuring the Security of Personal Data
GOTREND, in compliance with Art 5 and 32 of General Data Protection Regulation (“GDPR”), takes
the necessary organizational and technical measures and also ensures that the inspections are
made in order to safely store the data, prevent unlawful data processes and/or avoid
illegal access to these data.
2.1. Technical and Organizational Measures Taken to Ensure Lawful Processing of Personal Data, Prevent Unlawful Access to Personal Data and Provide Personal Data Retention
GOTREND, within the bounds of technological possibilities, Council’s guide and current developments,
takes all measures, which are necessary to ensure the lawful processing of personal data, prevent unauthorized,
improvident or in any other way unlawful declaration and access, store safely and avoid illegal destruction
or transformation.
Technical measures taken within this scope are as follows:
- To ensure the network and application security,
- Closed system network is used to transfer data through a network path,
- Key method is used,
- Authorization matrix for employees is formed,
- Security measures are taken, in the scope of supply, development and maintenance of information technologies system,
- Access logs are kept regularly,
- Mission based authorization of employees, who change position or quit the job, are taken back,
- Updated anti-virus system are used,
- Security walls are used,
- Security of personal data is followed up,
- Necessary security measures for entries and exits to personal data involving physical medium are taken,
- Personal data involving media are secured,
- Backups for personal data are made and secured,
- User account management and authorization controlling system are used and followed up,
- Log records are kept free from user intervention,
- Current risks and threats are determined,
- Attack detection and prevention systems are used,
- Penetration tests are run,
- Cyber security measures are taken and followed up continuously,
- Encryption is set,
- Software, preventing data loss, are installed,
Organizational measures taken within this scope are as follows;
- Key management is set,
- Security measures are taken, in the scope of supply, development and maintenance of information technologies system,
- There are disciplinary regulations, involving data security provisions for employees,
- Data security and awareness themed periodical trainings for employees are arranged,
- Authorization matrix for employees is formed,
- Corporate policies are created and started to be executed in fields of access, information security, retention and destruction,
- Confidentiality agreements are made,
- Mission based authorization of employees, who change position or quit the job, are taken back,
- Concluded agreements involve data security provisions,
- Additional security measures are taken for personal data, that are transferred through paper and the concerned paper is sent in classified document format,
- Personal data security policies and procedures are determined,
- Personal data security issues are reported swiftly,
- Personal data security is followed up continuously,
- Necessary security measures for entries and exits to personal data involving physical medium are taken,
- Personal data involving physical media are secured against external risks (fire, flood, etc.),
- Personal data involving media are secured,
- Personal data are minimized as far as possible,
- Periodical/random in-house inspections are conducted,
- Current risks and threats are determined,
- Policies and procedures for the security of sensitive personal data are specified and executed,
- Data processing service providers are periodically inspected in the matter of data security,
- Awareness of data processing service providers in the matter of data security must be raised.
2.1.2. Assessing The Measures Relating To Personal Data Protection
The COMPANY conducts all necessary Assessments, tests and evaluations,
in accordance with Art. 32 of the General Data Protection Regulation (“GDPR”).
Results of these inspections are reported to concerned managers and departments,
and necessary improving activities for taken measures are carried out.
2.2. Ensuring Data subjects’ Rights, Providing Request Methods for Data subjects and Assessing These Requests
GOTREND manages the internal functioning, channels and Organizational and technical
regulations, which are necessary to assess data subjects’ rights and notify data
subjects in compliance with Art. 13 of GDPR. If the data subjects send requests
concerning their below mentioned rights, depending on their qualification, they will
be responded to without undue delay and at the latest within one month from the
arrival to GOTREND.
Personal data subjects have right to;
- Where the legal basis of our processing is Consent, to withdraw that Consent at any time (Right to withdraw consent),
- To learn whether the personal data related to you are/have being processed,
- If it is processed, to request access to personal data being processed (Right of access),
- To learn purposes of the processing and whether your personal data has been used for the intended purpose (Right of information),
- To know the third parties within or outside the country to whom the personal data are transferred,
- To request correction of the personal data if the data is processed incompletely or inaccurately (Right of correction),
- o request deletion or destruction of the personal data without undue delay under the conditions set forth in Article 17 of General Data Protection Regulation (“GDPR”) (Right to be forgotten),
- To object to processing of your personal data if it impacts your fundamental Rights and freedoms (Right to object),
- To request your personal data in structured, commonly used and machine-readable format free of charge (Right to Data portability),
- To claim indemnification if you suffered damage due to illegal processing of your personal data (Right to file complaint),
- To be notified of a personal data breach which is likely to result in high risk to their rights and freedoms.
2.3. Protecting Sensitive Personal Data
General Data Protection Regulation gives a particular importance to certain type of
personal data by the reason that their violation may cause to aggrievement and discrimination.
Mentioned data types, as specified in Art 9 of the General Data Protection Regulation
(“GDPR”) are data, concerning; ethnicity, race, political opinion, philosophical belief,
religion, trade union membership, genetic data, biometric data, data concerning health,
natural person’s sex life or sexual orientation. Personal data relating to criminal
convictions and offences including the alleged commission of offences or proceedings
for offences or alleged offences should be treated in the same way to special category data.
GOTREND pays attention to lawful processing and protection of above mentioned
“special categories of personal data”. Within this scope, GOTREND in-house
inspections and all technical and organizational measures, taken for personal data
protection, are executed meticulously also for sensitive personal data.
2.4. Increasing and Controlling Company Departments’ Awareness of Personal Data Protection and Processing
GOTREND provides department training that is necessary to prevent unlawful
processing of personal data, avoid illegal access to personal data and raise the
awareness about data retention. Within this scope, systems, required to create
the personal data protection awareness for company employees or incoming employees are formed.
The results of GOTREND training to raise the awareness for personal data protection
and processing are reported to GOTREND authorities. Accordingly, the COMPANY assesses
the participation in these training, seminars and informing sittings, and conducts necessary
inspections. In addition to this, GOTREND updates and renews the training, in accordance with
the update of personal data protection legislation and other legal regulations.
3. Personal Data Processing Matters
3.1. Processing Personal Data in Accordance with the Principles Stated by Legislation
3.1.1. Processing in Compliance With Law and Good Faith
GOTREND acts in compliance with the principles of legal regulations,
general trust and good faith during the process of personal data. Within this
scope, the COMPANY pays attention to proportionality and limitedness of data
processing and does not use personal data out of their purpose.
3.1.2 Providing the Accuracy and Actuality of Personal Data
GOTREND ensures the actuality and accuracy of personal data, that are processed
considering fundamental rights of data subjects and its own legitimate interests.
It takes required precautions accordingly. Within this scope, personal data subjects
may apply to the COMPANY any time they desire, in order to correct or confirm the
accuracy of data. These applications are assessed by authorized departments of GOTREND
and if the application is approved, requested deletion or confirmation is carried out.
3.1.3 Processing Personal Data for Specific, Legitimate and Explicit Purposes
GOTREND explicitly and precisely specifies the legitimate and lawful purpose of
personal data processing. Within this scope, the COMPANY processes the amount of data
that are necessary only for operating and commercial activities. The processing purpose
is specified by the COMPANY before the process takes place.
3.1.4. Correlativity, limitedness and Proportionality with the Processing Purpose
GOTREND processes the data in a manner that is eligible for realizing the purpose and
avoids to process data, which are irrelevant to purpose. Within this scope, personal
data are not processed to meet probable future needs.
3.1.5. Preserving data, in accordance with the processing purpose and the duration stated in legislation
GOTREND preserves personal data only for the time specified in related legislation
or the time required to serve the purpose. In this context, the COMPANY first determines
if any retention period for personal data is specified via legislation and follows this time
limitation, if there is no time specified here, preserves the data in compliance with the purpose.
In the event that the specified period ends or the processing purpose disappears, personal
data is deleted, destroyed or anonymized by the COMPANY
3.2. Clarification Of Data Subject
In accordance with Art. 13 General Data Protection Regulation (“GDPR”), GOTREND
clarifies personal data subjects during personal data acquiring. Within this scope,
GOTREND clarifies the following issues; purpose of personal data processing,
to whom or for what purpose may the data be transferred, personal data acquiring
method, legal reason and the rights of the data subject.
According to General Data Protection Regulation (“GDPR”), “requesting information”
is one of the personal data subject’s rights in Art. 15 of General Data Protection
Regulation (“GDPR”). In this context, the COMPANY provides the requested information
to data subject in compliance with Art. 15 of General Data Protection Regulation (“GDPR”)
3.3. Processing General and Special Categories of Personal Data
The COMPANY is aware that the protection of personal data is a legal right and obligation.
Special categories of personal data may only be processed in situations prescribed
by law or with explicit consent of the individual. Accordingly, the COMPANY only
processes data by constitutional means, in cases prescribed in Art. 9 of General
Data Protection Regulation (“GDPR”).and other legislations or with explicit
consent of the individual.
GOTREND complies with General Data Protection Regulation (“GDPR”), secondary
legislations and binding legal resolutions related to the matter of processing
personal data, which are mentioned as “special categories of personal data” by General
Data Protection Regulation (“GDPR”). Special categories of personal data are processed by
GOTREND in situations specified in Art. 9 of General Data Protection Regulation (“GDPR”),
under the condition that all necessary measures for personal data security are taken.
3.4. Transfer of Personal Data to Third Countries or International Organizations
GOTREND may transfer the personal data and sensitive personal data of the data subject to
third countries or international organizations in compliance with Art. 44 of General Data
Protection Regulation (“GDPR”) and by taking precautions, which are necessary in line with
lawful personal data processing purposes. The COMPANY may transfer personal
data to foreign countries;
-
If the transfer of personal data to third countries or international organizations takes place
on the basis of an adequacy decision of the Commission (In compliance with Article 45 of GDPR),
-
In the absence of an adequacy decision, if the controller or processor has provided appropriate
safeguard and on condition that enforceable data subject rights and effective legal remedies for
data subjects are available (In compliance with Article 46 and 47 of GDPR),
-
Based on an international agreement between the requesting third party and the Union or a member
state, if the transfer of personal data to third countries or international organization
is not authorized by Union Law (In compliance with Article 48 of GDPR),
-
If one of the exceptional situations as specified in Article 49 of GDPR takes place,
In this context, GOTREND complies with the regulations in Art. 44-49 of General Data Protection Regulation (“GDPR”).
4. Categorization Of Personal Data And Their Purposes
4.1. Categorization of Personal Data
Below categorized personal data are processed, by informing concerned persons in accordance
with Art. 13 of General Data Protection Regulation (“GDPR”) within GOTREND. To perform this
personal data processing, the COMPANY must have legitimate and lawful personal data processing
purposes, one or more of the personal data processing conditions in Art. 6 of
General Data Protection Regulation (“GDPR”) must exist, the processing must be limited and
lastly, compliance with principles and obligations in General Data Protection Regulation
(“GDPR”), particularly principles regulated in Art. 5, must be provided.
-
Identity Information: Driver license, passport, identity card and suchlike documents,
involving information such as; name-surname, identity number, nationality, mother’s name,
father’s name, birthplace, birthdate, sexuality and other data like; tax number, social
security number, signature, number plate, etc.
-
Contact Information: Telephone number, address, e-mail address, fax number, IP address.
-
Customer Operation: Call center records, invoice details, bill information, check information,
information on pay-desk receipt, order information, request information etc.
-
Process Security: IP address information, information about website entries and exits,
password and code information etc.
-
Financial Information: Bank account number, IBAN number, financial profile, asset data,
income details, signatory circular and data, that are processed in regard to information,
documents and records, which indicate all financial results created in accordance with
the relation established with the personal data subject.
-
Marketing: Previous shopping information, poll, cookie records, information provided through campaign etc.
- Audio/Visual Information: photo and camera records.
-
Special Categories of Personal Data: medical reports, biometric data, blood type, compulsory reports in
scope of occupational health and safety, documents for hard and dangerous works,
that are asked to be collected by law etc
-
Location Data: Travel data, airplane ticket, hotel reservations, vehicle tracking system, etc.
-
Personnel Information: All kinds of personal data processed to obtain information, that will
prevent the establishment of personal rights belonging to a natural person,
who has a relation with the COMPANY.
-
Legal Transaction: Information about correspondences with judicial authorities, information in case file etc.
- Risk Management: Information processed to manage commercial, technical and administrative risks etc.
-
Security Information: Data acquired through records of entries and exits to physical location
and the presence time there, camera records, fingerprint records, security records etc.
-
Professional Experience: Diploma information, attended courses, vocational
training details, certificates, transcript details etc.
-
Medical Knowledge: Information about disability status, blood type,
personal health data, used medical devices and prosthesis etc.
4.2. Purposes of Personal Data Processing
GOTREND processes the data limited to personal data processing purposes and
conditions specified in Art. 6 and 9 of the General Data Protection Regulation (“GDPR”).
These purposes and conditions are as follows;
-
If the data subject has given consent to the processing of
his or her personal data for one or more specific purposes;
-
If processing is necessary for the performance of a contract to which the data subject is party or in order
to take steps at the request of the data subject prior to entering into a contract;
-
If processing is necessary for compliance with a legal obligation to which the controller is subject;
-
If processing is necessary in order to protect the vital interests of the
data subject or of another natural person;
-
If processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
-
If processing is necessary for the purposes of the legitimate interests pursued by the controller
or by a third party, except where such interests are overridden by the interests or fundamental
rights and freedoms of the data subject which require protection of personal data, in particular
where the data subject is a child.
-
If any of the purposes specified for processing a special category of personal data in Art.9 of GDPR takes place.
Within this scope GOTREND processes your personal data for following purposes;
- Developing performance and execution of the purchase or services contract,
- Analyzing the usability and quality to improve GOTREND’s services,
- Improving the customer services,
- Planning and performing institutional sustainability actions,
- Management of requests and complaints,
- Planning and performing corporate communication operations,
- Management of relations with business associates and suppliers,
- Performing financial reporting and risk management operations of the COMPANY,
- Creating and monitoring visitor records,
- Activity and orientation management,
- Management of GOTREND’s employment procedures,
- Management of the COMPANY’s legal affairs,
- Performing corporate governance,
-
Planning and performing inspections with the objective to assure the
legislation-compliant management of GOTREND’s local and global procedures,
- Act for protection of GOTREND ‘s reputation,
- Management of investors relations,
- nforming public authorities in compliance with legislation,
In the event that processing with mentioned purposes does not meet any of the conditions
stated by the of General Data Protection Regulation (“GDPR”), your explicit consent
regarding the processing procedure is received by the COMPANY
5. Purposes Of Personal Data Transfer And Transeferd Third Parties
GOTREND, in accordance with the Art. 13 of General Data Protection Regulation (“GDPR”),
informs the data subject on who personal data receivers are. GOTREND, in accordance
with the Art. 6 and 44-49 GOTREND may transfer personal data of individuals who are directed
by this Policy, to below mentioned categories.
- Company partners,
- Company suppliers/ service providers,
- Company shareholders,
- Company authorities,
- Legally authorized public institutions and organizations,
- Legally authorized private persons
Personal data are transferred to above mentioned receiver groups with the following objectives;
- Company partners; To ensure that the founding purpose of business partnership is accomplished
- Suppliers/Service Providers; To provide services, that are supplied by GOTREND to fulfil the COMPANY’s commercial operations
- Shareholders; To actualize GOTREND’s legislation-compliant operations in the fields of corporate law, activity management, corporate communication processes
- Company authorities; To strategize GOTREND’s commercial operations in compliance with legislation, to provide top management and to make inspections
- Legally authorized public institutions and organizations; For the purposes, requested by the related public institutions and organizations within their legal province
- Legally authorized private persons; For the purposes, requested by the related private persons within their legal province
6. Deletion, Destruction And Anonymization Personal Data
6.1. GOTREND’s Obligation to Delete, Destruct and Anonymize Personal Data
Despite the matter that personal data are processed in compliance with Art. 6 of
General Data Protection Regulation (“GDPR”), they will be deleted or destructed or
anonymized directly or on demand of the data subject if the processing purpose disappears.
In this context, GOTREND fulfills its obligations through below specified methods.
6.2. Techniques of Personal Data Deletion, Destruction and Anonymization
6.2.1. Techniques of Personal Data Deletion and Destruction
Although GOTREND processes personal data in compliance with legislation,
mentioned personal data will be deleted, destroyed or anonymized by GOTREND’s
decision or on demand of the data subject if the processing purpose disappears.
GOTREND’s commonly used deletion or destruction methods are as follows;
-
Physical Destruction: Personal data may also be processed by non-automatic
ways on condition of being part of
any data recording system. While such data is deleted/destroyed,
a physical destruction system, that prevents their reuse, is used.
-
Secure Erasure From Software: While deleting/destructing personal data that are processed and
preserved by completely or partially automatic ways, deletion methods preventing the
reuse of personal data will be used.
-
Secure Outsource Erasure When Required: GOTREND may come to terms with an expert for deletion of personal
data on its behalf. In such cases, personal data are securely
deleted/destroyed by the expert in an irrecoverable way.
6.2.2. Techniques of Personal Data Anonymization
Anonymizing personal data means, preventing the data from being associable with a
particular or identifiable natural person even by matching the data with others. GOTREND
may anonymize lawfully processed personal data, if the processing purpose disappears.
According to the General Data Protection Regulation (“GDPR”), anonymized personal data may
be processed for purposes like research, planning or statistics. Such operations are out of
the Law’s scope and do not require data subject’s explicit consent.
Anonymizing methods preferred by GOTREND are listed below;
- Masking
- Consolidation
- Data Derivation
7. Rights Of The Data Subject, Exercise And Assesment Of These Rights
In compliance with Art. 13 of General Data Protection Regulation (“GDPR”) informs the
data subject about his/her legal rights and how to exercise them
7.1. Data subject’s Rights and Exercise of these Rights
7.1.1. Rights of The Data subject
Personal data subject has following rights:
- Where the legal basis of our processing is Consent, to withdraw that Consent at any time (Right to withdraw consent),
- To learn whether the personal data related to you are/have being processed,
- If it is processed, to request access to personal data being processed (Right of access),
- To learn purposes of the processing and whether your personal data has been used for the intended purpose (Right of information),
- To know the third parties within or outside the country to whom the personal data are transferred,
- To request correction of the personal data if the data is processed incompletely or inaccurately (Right of correction),
-
To request deletion or destruction of the personal data without undue delay under the conditions set
forth in Article 17 of General Data Protection Regulation (“GDPR”) (Right to be forgotten),
-
To object to processing of your personal data if it impacts your fundamental Rights and freedoms (Right to object),
-
To request your personal data in structured, commonly used and machine-readable format free of charge (Right to Data portability),
-
To claim indemnification if you suffered damage due to illegal processing of your personal data (Right to file complaint),
-
To be notified of a personal data breach which is likely to result in high risk to their rights and freedoms.
7.1.2. Situations, in which the Data subject May Not Assert His/ Her Rights
Personal data subjects may not request above mentioned rights in situations which are
kept out of General Data Protection Regulation (“GDPR”).
- Processing anonymous information for statistical or research purposes
-
Processing of personal data by the Member States when carrying out activities in
relation to the common foreign and security policy of the Union.
-
Processing of personal data by a natural person in the course of a purely personal or
household activity and thus with no connection to a professional or commercial activity.
-
Processing of the personal data is necessary for compliance with a legal obligation to which
the controller is subject or for the performance of a task carried out in the public
interest or in the exercise of an official authority vested in the controller.
-
Process of personal data by judicial and executive authorities in relation to
investigation, prosecution, judgment and execution operations.
7.1.3. Exercise of Data subject’s Rights
You may exercise your rights listed above through filling out and signing a form that you
can obtain from us or [www.gotrend.com] and apply to the following address personally or
with a notary approved power of attorney:
- Fill in the application form, which you can obtain from our website, for your rights listed above; signing with your wet-ink signature and pass it to [Block 18 ElNarges 5 - Fifth Settlement - New Cairo] by personal application, by certified mail or through a notary public.
- Sign with your electronic signature or mobile signature and send it to [Support@gotrend.com] or
[info@gotrend.com] by using your Registered Electronic Mail (REM) address or the e-mail
address registered to the data recording system of CMA.
-
If the application is made by a third person on behalf of a personal data subject,
notarial special power of attorney must be submitted.
7.2. Responses to Applications
t is only necessary to apply GOTREND in cases, where the COMPANY is indicated as data
controller by General Data Protection Regulation (“GDPR”). This is possible when
the COMPANY collects data directly from the related individual. Apart from these,
applications for data processes in which other companies are deemed as data controllers,
must be submitted to the related company.
7.2.1. Procedures and durations of Responses
GOTREND will provide information on action taken on a request under
Articles 15 to 22 to the data subject without undue delay and in any event
within one month of receipt of the request. That period may be extended by two
further months where necessary, taking into account the complexity and number of
the requests. GOTREND will inform the data subject of any such extension within
one month of receipt of the request, together with the reasons for the delay.
Where the data subject makes the request by electronic form means, the information
shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular
because of their repetitive character, the COMPANY may either:
-
Charge a reasonable fee taking into account the administrative costs of
providing the information or communication or taking the action requested; or
- Refuse to act on the request.
7.2.2. Information, Which May Be Requested From The Applicant Data Subject
If GOTREND has reasonable doubts concerning the identity of the natural person
making the request referred to in Articles 15 to 21, the controller may request
the provision of additional information necessary to confirm the identity
of the data subject.
7.2.3. Right To Reject the Application of Data Subject
GOTREND may reject the application in following situations, by indicating its reason:
- Process of personal data for purposes like research, planning and statistic by anonymizing through official statistics,
- Process of personal data within preventive, protective and informative operations, that are conducted by legally authorized public organizations and institutions in order to ensure national defense, national security, public order, public safety and economic security.
- Process of personal data by judicial and executive authorities in relation to investigation, prosecution, judgment and execution operations.
- If processing personal data is necessary for crime investigation or avoiding crime commitment.
- rocessing personal data, which are anonymized by data subject.
- If the process of personal data by legally authorized public organizations, institutions and public professional organizations is necessary to conduct discipline investigations or prosecutions and inspection or regulation obligations.
- If a personal data subject’s request has the possibility to violate others’ rights and freedoms.
- If nonproportional effort requires requests are made.
- If requested information is public