Personal Data Protection Policy

Personal Data Protection Policy

  1. Policy, Scope and Purpose
    1. ICA Events pledges itself to abide by the principles and rules stipulated by the Constitution of the Republic of Turkey, Personal Data Protection Act (KVKK) no: 6698 and other legislations and to protect the rights and freedoms of the individuals whose data has been processed by ICA Events. To that end, the Board of Directors has adopted a written personal data protection policy and system to be applied and developed.
  1. Scope
Terms of the policy cover all information systems and sub information, contracts, environments and physical areas included in the subject and area of activities of ICA Events and all systems and settings produced therefor.
This policy applies to all units, staff of the company providing support service, visitors, third parties, interns and contract employees of ICA Events.
  1. Purpose of Personal Data Protection Policy and System
The purpose of Personal Data Protection Policy and System is to ensure that ICA Events develops and realizes its standards regarding personal data management, to determine and support the organizational objectives and responsibilities, to establish control mechanisms in compliance with the acceptable risk level of ICA Events, to fulfill responsibilities that ‘ICA Events’ is subject to as per international conventions, the Constitution, the Law, contracts, and codes of practice with respect to personal data protection and to secure the benefits of the individuals in the best way possible.
  1. ICA Events will abide by personal data protection legislation and data protection principles. Data protection principles adopted by ICA Events are provided hereinbelow:
  1. To process personal data only on the condition that it is explicitly required considering legitimate corporate purposes,
  2. To process only the minimum amount of personal data required in line with said purposes,
  3. To provide individuals with explicit information regarding who uses these data and how it is used,
  4. To process only relevant and appropriate personal data,
  5. To process personal data legally and equitably,
  6. To maintain an inventory of personal data categories processed by ICA Events,
  7. To ensure that the personal data is correct and, if needed, updated,
  8. To store the personal data only for a period required by legal regulations, legal responsibilities of ICA Events or legitimate corporate benefits,
  9. To respect the rights of the individuals regarding their personal data, including the right to access,
  10. To keep all personal data safe and secure,
  11. To transfer personal data abroad only on the condition that enough protection is available,
  12. To apply the exceptions permitted by the legislation,
  13. To establish and implement the personal protection system for performing the policy,
  14. To determine the internal and external stakeholders of the company who are a party to the personal data protection system and to which extent they are involved in the personal protection system of ICA Events,
  15. To determine the employee(s) who have/has special powers and responsibilities regarding the personal data protection system.

Notifications
  1. ICA Events informs the Board of Personal Data Protection (“the Board of KVK”) that it is the data controller and having this capacity, which data categories it processes. ICA Events determines all personal data categories it processes in the inventory of personal data.
  2. The notification is issued in the way and method determined by the Board of KVK and a copy of the notification is stored by ICA Events.
  3. If needed, the notifications are repeated periodically.
  4. In order to establish the potential changes that may occur on the notification by the Board of KVK, data processing activities of ICA Events and the changes thereon are reviewed annually and the Board of KVKK is informed, if needed.

In case they violate this policy in any way whatsoever, all units, company staff providing support service, interns and contract employees will be subjected to disciplinary regulations of ICA Events and if the violation in question constitutes any crime or misdemeanor, relevant authorities are notified accordingly as soon as possible.

The solution partners of ICA Events, who have access to or have a possibility to access personal data, and all third parties working with ICA Events are encouraged to read and to abide by this policy. No third party can provide access to personal data processed by ICA Events without signing a written confidentiality agreement which stipulates responsibilities whose standards are at least as strict as the ones of ICA Events and the supervising right of ICA Events thereon.
  1. Definitions
Explicit consent: means freely given, specific and informed consent,
Anonymization: means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
President: means President of the Personal Data Protection Authority
Data subject: (natural person concerned) means the natural person, whose personal data are processed
Personal data: means any information relating to an identified or identifiable natural person,
Sensitive personal data: The data regarding the race, ethnicity, political view, philosophical belief, religion, sect and other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal records and security precautions as well as biometric and genetic data of the individuals,
Processing of personal data: means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
KVKK: Personal Data Protection Act no: 6698,
The Board: means the Personal Data Protection Board,
Authority: means the Personal Data Protection Authority,
Data Processor: means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
Data filling system: means the system where personal data are processed by being structured according to specific criteria,
Data controller: means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
  1. Duties and Responsibilities
    1. ICA Events is the data controller as per KVKK.
    2. All employees, particularly the Top Management, who works in the manager and auditor positions, are responsible for the development and promotion of proper practices regarding personal data processing at ICA Events as well as for other liabilities with respect to this matter that are included in their job definitions.
    3. The Committee of KVK has been established as the unit of authority in the management of the personal data protection system and compliance to KVKK and other legislations and the documentation thereof and regarding these aspects it is responsible to the Board of Directors.
  1. The Committee of KVK
The members of the Committee of KVK with expertise and experience in personal data protection legislation and practices are assigned by the Board of Directors and they directly report to the Board of Directors.
  1. Duties and Responsibilities of the Committee of KVK
  1. The Committee should be informed in respect of Personal Data Protection legislation and developments.
  2. The Committee is responsible for ensuring that the policies and procedures of ICA Events are up to date and the data processing audits take place according to the schedule and for the compliance thereof with the relevant legislation.
  3. Regarding data protection, the Committee functions in harmony with the relevant staff.
  4. The main duties and responsibilities of the Committee are listed hereinbelow:
  • To provide information and guidance to ICA Events, its relevant partners and support service Suppliers regarding personal data protection legislation and compliance.
  • To provide information and guidance to the staff of ICA Events about their liabilities as per personal data protection legislation.
  • To observe the compliance of data processing activities of ICA Events with personal data protection legislation.
  • To contribute to the development and maintaining of personal data protection policy and relevant procedures and processes of ICA Events.
  • To distribute the responsibilities within ICA Events in the scope of compliance with personal data protection legislation.
  • To ensure that all employees involved in personal data processing processes are well-trained and well aware.
  • To observe compliance with the data protection legislation by performing audits regularly and reporting to the Board of Directors.
  • To function in cooperation and in contact with the Board of KVK.
  • To determine the responsible employees that will function as the point of contact and representative of ICA Events before the Board of KVK.
  • To develop an official procedure to communicate personal data protection violation incidents and investigations to the Board.
  • To contribute to the process of the business continuity plan.
  • To provide knowledge and guidance on storing corporate records.
  • To observe the scope of the collected personal data, which were kept and used at ICA Events and to provide the data storage conditions in compliance with the relevant legislation.
  • To supervise and evaluate compliance, sanity, security practices and other checks that may be required.
  • To determine and perform the controls to ensure the confidentiality, integrity and accessibility of the personal data and recommend the additional checks that may be needed.
  • To submit the issues that pose a risk regarding personal data within ICA Events and relevant recommendations to the agenda of the Board of Directors
    1. The Committee of KVK has the power to audit the activities of ICA Events in the systems regarding the collection, process and storage of personal data. The Committee of KVK may request the cooperation of all employees to fulfill its duties, including access to the systems and records. If this cooperation is not established, the Committee reports the situation to the Board of Directors.
  1. All employees of ICA Events processing data are responsible to abide by the Personal Data Protection legislation.
  2. Human Resources unit is responsible to arrange all communication and training required for all employees to know their responsibilities and become well aware of personal data protection.
  3. ICA Events staff is liable to ensure that all the personal data provided to ICA Events or personal data of the employees is correct and up to date.
  1. Data Protection Principles
All data processing activities must be conducted in compliance with data protection principles provided hereinbelow. The policy and procedures of ICA Events aspire to ensure compliance with these principles:
  • To be in compliance with legal rules and good faith.
  • To be correct and when required, up to date.
  • To be processed for specified, explicit and legitimate purposes.
  • To be relevant to the purpose of processing, to be limited and in moderation.
  • To be kept for a period of time required by the relevant legislation or the purpose of processing.
  1. Personal data is processed in transparency and in compliance with legal rules and good faith.
In line with this, ICA Events publishes clarification texts/privacy notices on their personal data processing activities on data collection channels. ICA Events determines the areas where these notices, which include explicit and clear information with respect to which data is processed for which purposes, are to be available and declared. These notices cover the items listed hereinbelow:
  • The identity of ICA Events as data controller and contact details thereof,
  • Types of personal data processed,
  • Purposes of personal data processing,
  • Anticipated storage period for personal data,
  • Rights of the data subject,
  • Third parties that data may be shared with.
  1. Personal data may only be processed for specific, clear and legitimate purposes.
    1. The justifications/purposes of data processing are determined in the personal data inventory and the personal data may not be used for other than the specified purpose without any other legal justification or without the explicit consent of the data subject.
    2. In case the conditions that require the personal data to be used for other than the purpose specified in the personal data inventory occur, the Committee of KVK is notified by the relevant employee/unit. The Committee of KVK investigates the appropriateness of the new purpose and if required, ensures that the data subject is informed about the new data processing for the new purpose.
  1. The personal data should be appropriate and relevant and must be processed within the limits of the purpose.
    1. It is responsible for providing that ICA Events neither collect nor process any personal data which is not explicitly needed for the processing purpose.
    2. ICA Events periodically investigates whether the data processed via the personal data inventory is appropriate and relevant.
    3. ICA Events investigates annually whether all of its data processing methods are appropriate and relevant through internal and/or external audits.
    4. With respect to personal data that ICA Events does not find appropriate or relevant or finds excessive regarding the processing purpose, it is responsible for ceasing the data processing activities and for secure destruction of the processed data as per storage and destruction procedure.
  1. Personal data must be correct and up to date.
    1. Data kept for a long period must be reviewed whether it is correct and up to date.
    2. The manager of the Human Resources unit is responsible to train all staff to collect and keep personal data correct and up to date.
    3. The employees are responsible for providing correct and up to date data about themselves.
    4. The employees/customers and other relevant persons should inform ICA Events to update the processed personal data. In case notified, the relevant unit is responsible for correcting and updating the record in question.
    5. Through evaluating the type of processed data, storage period and the amount by utilizing the data inventory, the Committee of KVK may instruct the relevant unit to review whether the specific data is correct or up to date.
  1. Personal data must only be processed only on the condition that is required for data processing purposes.
    1. In case the personal data is stored due to necessities such as back-up, longer than the required period of time, the personal data must be enciphered and/or anonymized/masked for the sake of individual rights and freedoms when data security vulnerability occurs.
    2. According to the Personal Data Storage and Destruction Policy, the processing of data after the specified periods of time is subject to the written approval of the Committee of KVK.
  1. Rights of The Data Subjects
Data Subjects have the rights listed hereinbelow regarding the data processing activities about them at ICA Events:
  1. To be informed whether their personal data is processed or not,
  2. To demand information if their personal data is processed,
  3. To be informed about the processing purpose of the data and whether they are used according to the purpose or not,
  4. To be informed about the third persons to whom personal data is transferred within the country or abroad,
  5. To demand personal data to be corrected in case they are processed inadequately or incorrectly,
  6. To demand personal data for which there is no legal justification or foundation to be processed as per this policy and KVKK to be deleted or destroyed,
  7. To demand that the third parties to whom their data is transferred are informed of the correction and deletion operations that are performed upon their request,
  8. To object to any result against them, which is obtained through the exclusive analysis of data processed by automatic systems,
  9. To demand compensation for damage in case they suffer a loss due to the illegal processing of personal data.


The data subjects demand access to their personal data and demand to exercise their right listed hereinabove. Regarding these demands, the responses are given within 30 days. The processes for receiving, communicating and responding to demands are conducted according to the Demand Management Procedure.

Data subjects may deliver their requests by filling out KVKK Application form and hand it in at our headquarters, send it to the address “Maslak Mahallesi Aksoy Plaza Ahi Evren Caddesi No:06 Kat: 4 34398 Sarıyer/İstanbul” via notary or as a registered letter with return receipt by submitting their identity verification or to the address “euluslararasifuar@hs01.kep.tr’’ as e-mail.

Click here for KVKK Application Form

Regardless of their job definition, all employees of ICA Events are liable to direct data subjects about the right application method regarding their access demands submitted to them. The staff of ICA Events must be informed and trained about how to handle the demands of data subjects.
  1. Receiving Explicit Consent
ICA Events considers the consent that is given by the data subject regarding specified data processing activities and based on notification and that manifests the decision to have their data processed by their freewill by written/oral declaration and/or explicit confirmatory act as explicit consent. When it comes to sensitive data, explicit consent must absolutely be received in written form. Explicit consent may always be retrieved by the data subject.

Explicit consent may be received by having explicit consent form template signed by data subject or by making a contract with the data subject or including the items covered by this template in the electronic form. Explicit consent regarding the routinely processed personal data of employees, prospective employees and customers are received by means of relevant contracts and forms.

In case the data processing activities based on explicit consent is continuous or to be repeated, a single list of people whose explicit consents are received is kept by the relevant unit. The relevant unit is responsible for keeping this list correct and up to date. Explicit consent forms regarding data processing activities based on explicit consent and relevant proofs are kept by relevant unit.
  1. Data Security
All employees are responsible for keeping the personal data processed by ICA Events and under their responsibility secure.

Personal data must be accessible to solely the ones required to access such data. Security of the personal data is maintained as per KVK Policy of ICA Events and related documents.

Data security incidents regarding personal data is communicated as soon as possible to the Board of KVK and the relevant person by ICA Events.
  1. Data Sharing
    1. Personal data may only be shared with third parties legally and equitably. In line with this, for sharing personal data one of the conditions listed hereinbelow must be met:
  • Explicit consent of the data subject is received.
  • It is stipulated explicitly by law.
  • It is required to protect the life or bodily integrity of the person who cannot declare his consent due to actual impossibility or whose consent is not legally valid or of someone else.
  • In case it is required to process personal data of the parties for the establishment and execution of a contract that is signed or to be signed by ICA Events.
  • It is compulsory for ICA Events to perform its legal liability.
  • It is made public by the relevant person.
  • Data processing is compulsory for establishment, exercise and protection of the rights of ICA Events
  • Data processing is compulsory for the legitimate benefits of ICA Events on condition that it does not violate the rights and freedoms of the relevant person.
    1. Personal data may only be transferred abroad solely in case these conditions hereinabove are met and adequate protection is available in the target country and the explicit consent of the data subject is received regarding this transfer.
With respect to the transfer of personal data abroad, list of countries where adequate protection is available prepared by the Board of KVK is taken into consideration.
When it comes to transferring personal data abroad, it is ensured that required permit and notification procedures before the Board of KVK are conducted as per relevant legislation.
  1. In case a continuous data sharing relationship is established without any legal foundation or legal liability, a KVKK Contract that stipulates data sharing terms is signed with the party in question. KVKK Contract must include at least these items listed hereinbelow:
  • The purpose(s) of the share,
  • Potential third party receivers or receiver type and terms of access rights,
  • The data categories to be shared (it must be at the minimum required for your purposes)
  • General principles about data processing,
  • Data security measures,
  • Storage period of shared data,
  • Rights and access demands of the data subject, procedures of responding to applications and complaints,
  • Review of ceasing the validity of the sharing contract,
  • Responsibilities and sanctions regarding the violation of the contract and individual violation by the employees.
  1. Personal Data Processing Purposes, Personal Data Subjects, Personal Data Categories and Shared Parties Categories Processes in the Scope of Personal Data Processing Activities Conducted by ICA Events
  1. Purposes of Personal Data Processing

In the scope of Data Controller Registry Information System, data processing purposes for personal data processing activities conducted by ICA Events are as such:
  • Conducting Emergency Management Processes
  • Conducting Data Security Processes
  • Conducting Application Processes of Prospective Employees
  • Fulfilling Employee Liabilities Arising from Contract of Employment and the Legislation
  • Conducting Employee Satisfaction and Loyalty Processes
  • Fulfilling Employees’ Liabilities Arising from Contract of Employment and the Legislation
  • Conducting Employees’ Fringe Benefits and Benefits Processes
  • Conducting Audit / Ethical Activities
  • Conducting Training Activities
  • Exercising Access Powers
  • Conducting Activities in Compliance with the Legislation
  • Conducting Financial and Accounting Works
  • Providing the Security of Physical Environment
  • Conducting Loyalty to Firm / Product / Services Processes
  • Conducting Assignment Processes
  • Following-Up and Conducting Legal Works
  • Conducting Communication Activities
  • Planning Human Resources Processes
  • Conducting / Auditing Business Activities
  • Conducting Occupational Health and Safety Activities
  • Conducting Business Continuity Maintaining Activities
  • Conducting Goods / Service Purchase Processes
  • Conducting Goods / Service After-Sales Support Services
  • Conducting Goods / Service Sale Processes
  • Conducting Customer Services Management Processes
  • Conducting Activities for Customer Satisfaction
  • Organization and Event Management
  • Conducting Marketing Analysis Works
  • Conducting Performance Evaluation Processes
  • Conducting Advertorial / Sale / Promotion Processes
  • Conducting Risk Management Processes
  • Conducting Contract Processes
  • Providing Security of Movable Property and Sources
  • Following-Up Demands / Complaints
  • Conducting Supply Chain Management Processes
  • Conducting Wages Policy
  • Informing Authorized Persons, Institutions and Organizations
  • Conducting Management Activities
  • Creating and Following-Up Visitor Records
  1. Personal Data Subjects
PERSONAL DATA SUBJECT CATEGORY DEFINITIONS
Prospective Employee Real persons who have applied for a job at ICA Events in any way or who have submitted their CV’s and related information for ICA Events to view.
Employee The employees whose personal data is processed within the framework of activities related to events, employee satisfaction, human resources, audit, maintaining the security of information technologies and infrastructure and legal compliance that are conducted by ICA Events .
Supplier’s Employee Employee of the party that provides services to ICA Events based on contract and in compliance to the orders and instructions given by ICA Events while ICA Events conducts its business activities.
Authorized Personnel of the Supplier Authorized Personnel of the party that provides services to ICA Events based on contract and in compliance to the orders and instructions given by ICA Events while ICA Events conducts its business activities.
Customer (Person Purchasing Product or Service) Regardless of whether there is a contractual relationship with ICA Events, the real persons whose personal data is obtained through the business relationships within the scope of operations conducted by the business units of ICA Events.
Legal Guardian, Guardian, Representative The persons whose personal data is obtained at ICA Events and who hold a title of legal guardian, guardian or representative.
Visitor Real persons who enter the physical campuses of ICA Events for various purposes or who visit our websites.
Other (Speaker) Real persons who give a speech at the exhibitions held by ICA Events.
  1. Personal Data Categories
PERSONAL DATA CATEGORIES DEFINITIONS
Identity Information The data includes information regarding the identity of the person: full name, TR identity number, nationality, place of birth, date of birth, sex, workplace, registry number, tax identification number, title, biography etc. as well as documents such as occupational ID, ID and passport
Contact Information The information such as telephone number, address, e-mail address, fax number etc.
Process Security Information Your personal data processed for us to provide our technical, administrative, legal and business security while conducting our activities (e.g. log records, IP information, identity authentication information)
Customer Process Information Information such as call center records, invoice, bill, check information, information on teller receipts, order information, demand information
Personnel Information Personnel data such as payroll information, disciplinary proceeding, employment/leaving job certificate records, declaration of property information, CV information, and performance evaluation reports
Prospective Employee Information The information that may be involved in the CV of the prospective employee
Location Location information of where the person is etc.
Legal Transaction Information Personal data processed within the scope of establishment and follow-up of legal debt and rights, discharge of our debts, our legal liabilities and compliance with the policies of our Company
Financial Information Personal data processed regarding any information, document and records that manifests any sort of financial result created based on the type of relationship between ICA Events and personal data subject as well as data such as bank account number, IBAN, income information, debt/credit information
Risk Management Such as data processed for the management of business, technical and administrative risks
Physical Environment Security Data The data regarding the records and documents taken at the entry of the physical environment and during the visit such as camera records, vehicle information records and the records taken at the security point
Occupational Experience Information such as diploma, the courses attended, on-the-job training, certificates and transcript
Visual and Auditory Data Photograph and camera recordings (except for the records in the scope of Physical Environment Security Data) and voice records
Health Data Information about disabilities, blood type, personal health, medical device and prosthesis etc.
Criminal Records and Security Precautions Information regarding criminal records and security precautions
Association Membership Association membership information etc.
Philosophical Belief, Religion, Sect and Other Beliefs Information regarding other beliefs, religious attachment, philosophical belief, sect attachment etc.
  1. Shared Party Categories
SHARED PARTY CATEGORY DEFINITION SHARING PURPOSE
Real persons or private law legal persons Private law legal persons who have the power to obtain information and document from the Company as per relevant legislation provisions It is limited to the demanded purpose within the limits of the legal power of relevant private law persons.
Public All real and legal persons It is limited to the purpose of being publicly shared by ICA Events.
Business Partners The parties with whom ICA Events has established a business partnership with various purposes such as conducting their business activities It is limited to the purpose ensuring that the goals of the partnership are achieved.
Suppliers Parties that provide services to ICA Events based on contract and in compliance to the orders and instructions given by ICA Events while ICA Events conducts its business activities It is limited to the purpose ensuring that the services that are outsourced from the supplier and that are required to conduct Company’s business activities
Affiliates and Subsidiaries The companies of which the Company is a shareholder It is limited to ensuring that the business activities that require the contribution of the affiliates of the Company are conducted.
Suppliers The parties that provide services to ICA Events based on contract and in compliance to the orders and instructions given by ICA Events within the scope of conducting business activities of ICA Events It is limited to the purpose ensuring that the services that are outsourced from the supplier and that are required to conduct Company’s business activities
Group Companies All companies that constitute ICA Events It is limited to purposes such as planning strategies regarding the business activities of the Company and conducting of the activities as well as audit.
Authorized State Institutions and Organizations State institutions and organizations that have power to obtain information and documents from the Company as per relevant legislation provisions It is limited to the demanded purpose within the limits of the legal power of authorized state institutions and organizations.
  1. Management of the Records

Personal data, may not be kept any longer than the period of time required for its processing purposes. The classification of the records that include personal data and the storage period therefor are stipulated by Storage and Destruction Policy.

When the storage period is over or upon the rightful demand of the data subject, personal data is anonymized, deleted or destroyed as per Storage and Destruction Policy so that the real person who is the data subject cannot be identified.

Document Ownership and Approval

The owner of this document is the Committee of KVK and it is responsible for reviewing this document regularly as per review requirements specified hereinabove.

The updated version of this document has been made available to all ICA Events staff on common areas and has been published at the website of the company.