Personal Data Processing Notice (Web)
Doc. No.: SO.SI.1 | Published: 01.08.2022 | Revised: 13.09.2024 | Rev. No.: 3
Data Controller Companies within the Group
| Redibex Bilgi Teknolojileri A.Ş. | NGI Bilgi Teknolojileri A.Ş. | Runibex Yazılım Teknoloji A.Ş. | Runibex Technology Ltd Data Controller Representative (Redibex Bilgi Teknolojileri A.Ş.) |
|---|
| Mersis | 734184136400001 | 631067897800016 | 735092557600021 | 734184136400001 |
| KEP Address | redibex.bilgi@hs01.kep.tr | ngi.bilgi@hs01.kep.tr | — | — |
| Email | info@runibex.com |
| Website | www.runibex.com |
| Address | Altayçeşme Mah. Zühal Sk. Niyazi Bey İş Merkezi No: 22 İç Kapı No: 5 Maltepe, İstanbul, Türkiye | Bulgurlu Mah. Kızıltepe Sk. Malatya Teknokent Sitesi Teknokent-A No: 3/2 İç Kapı No: Z2, Battalgazi, Malatya, Türkiye | 389C High Road, London N22 8JA, United Kingdom |
This Personal Data Processing Notice (“Notice”) has been prepared to inform Data Subjects about the processing, storage and transfer of personal data within the framework of the activities arising from the Turkish Personal Data Protection Law No. 6698 (“KVKK”) and related legislation by the companies within Runibex Technology Group (“RTG”): Redibex Bilgi Teknolojileri A.Ş., Runibex Yazılım Teknoloji A.Ş., NGI Bilgi Teknolojileri A.Ş. and Runibex Technology Ltd. Detailed information about cookies and software development kits (SDKs) used on
www.runibex.com can be found in the Cookie Policy. Personal data processed through the website is covered in this Notice. The personal data set out in this Notice may be processed by RTG in its capacity as Data Controller, within the scope described below. A Data Controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. This Notice shall be effective from its date of publication and may be amended by RTG when deemed necessary. Any amendments will be published on
www.runibex.com and will take effect from the date of publication.
1. Personal Data Processed, Processing Purposes & Legal Bases
1.1. Customers
RTG provides services to corporate customers. In the Customer category, RTG may process data belonging to the authorised representatives and employees of corporate customers. For cases not covered by the purposes below, personal data may be processed on the basis of explicit consent as detailed in the Explicit Consent Text. Such personal data is collected through the Data Subject’s requests and applications, business card exchanges, emails, software, contracts, official correspondence from judicial and administrative authorities, and other printed/electronic documents, information security systems and electronic devices.
| Data Category | Sub-Items | Processing Purpose | Legal Basis |
|---|
| Identity | Name, surname | Finance and accounting; Communication activities; Legal affairs; Business continuity; Business operations; Goods/services sales processes and after-sales support; Customer relationship management; Advertising, campaigns and promotions; Storage and archiving; Contract and membership processes; Complaint tracking; Informing authorised persons, institutions and organisations | Explicitly stipulated in law; Necessary for establishment or performance of a contract; Necessary for the data controller to fulfil a legal obligation; Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject |
| Contact | Telephone number, mobile phone number, email address, fax number |
| Customer Transaction | Invoices, bills of exchange, cheque details, request information, order forms | Finance and accounting; Business operations and auditing; Goods/services sales processes; Storage; Informing authorised persons, institutions and organisations | Explicitly stipulated in law; Necessary for establishment or performance of a contract; Necessary for the data controller to fulfil a legal obligation |
| Financial Information | Bank account/IBAN, invoices | Finance and accounting; Business operations; Regulatory compliance; Informing authorised persons, institutions and organisations | |
| Transaction Security | Website login/logout data, IP address, username, password and credential information | Communication activities; Business continuity; Goods/services sales and after-sales support; Customer relationship management; Contract and membership processes; Complaint tracking | Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject; Necessary for establishment or performance of a contract |
| Visual and Audio Records | Microsoft Teams, Zoom, Google Meet, etc. | Communication activities; Business operations; Goods/services sales and after-sales support; Customer relationship management; Contract processes; Complaint tracking | Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject |
| Legal Proceedings | Notices, case file contents, correspondence with judicial authorities | Legal affairs; Informing authorised persons, institutions and organisations; Storage; Complaint tracking | Necessary for the data controller to fulfil a legal obligation; Necessary for the establishment, exercise or protection of a right |
1.2. Suppliers / Business Partners / Service Providers
RTG may process the following personal data relating to its individual or corporate suppliers, business partners and service providers (including data of authorised representatives and employees of corporate entities). For cases not covered by the purposes below, personal data may be processed on the basis of explicit consent. Such data is collected through requests and applications, business card exchanges, face-to-face meetings, emails, software, contracts, official correspondence from judicial and administrative authorities, and other printed/electronic documents, information security systems and electronic devices.
| Data Category | Sub-Items | Processing Purpose | Legal Basis |
|---|
| Identity | Name, surname, Turkish ID number, signature specimen, signature | Finance and accounting; Communication activities; Business continuity; Business operations; Goods/services procurement and sales processes; After-sales support; Operational security; Customer relationship management; Storage and archiving; Contract processes; Complaint tracking; Informing authorised persons, institutions and organisations; Risk management | Explicitly stipulated in law; Necessary for establishment or performance of a contract; Necessary for the data controller to fulfil a legal obligation; Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject |
| Contact | Telephone number, mobile phone number, email address, fax number |
| Transaction Information | Invoices, bills of exchange, cheque details, request information, order forms | Finance and accounting; Business operations; Goods/services sales processes; Storage; Contract processes; Informing authorised persons, institutions and organisations | Explicitly stipulated in law; Necessary for establishment or performance of a contract; Necessary for the data controller to fulfil a legal obligation |
| Financial Information | Bank account/IBAN, invoices | Finance and accounting; Business operations; Regulatory compliance; Informing authorised persons, institutions and organisations |
| Transaction Security | Website login/logout data, IP address, username, password and credential information | Communication activities; Business continuity; Goods/services sales and after-sales support; Customer relationship management; Contract processes; Complaint tracking | Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject |
| Visual and Audio Records | Zoom, Google Meet, etc. | Communication activities; Business operations; Goods/services sales and after-sales support; Customer relationship management; Contract processes; Complaint tracking |
| Risk Management | Information processed for managing commercial risks | Business operations; Storage; Risk management processes; Contract processes; Complaint tracking; Internal audit; Intelligence activities |
| Legal Proceedings | Notices, case file contents, correspondence with judicial authorities | Legal affairs; Informing authorised persons, institutions and organisations; Storage; Complaint tracking | Necessary for the data controller to fulfil a legal obligation; Necessary for the establishment, exercise or protection of a right |
1.3. Prospective Customers / Product and Service Purchasers
RTG provides services to corporate customers. In the prospective Customer category, RTG may process data belonging to the authorised representatives and employees of prospective corporate customers. For cases not covered by the purposes below, personal data may be processed on the basis of your explicit consent. Such data is collected through requests and applications, business card exchanges, emails, software, contracts, electronic forms, official correspondence from judicial and administrative authorities, and other printed/electronic documents, information security systems and electronic devices.
| Data Category | Sub-Items | Processing Purpose | Legal Basis |
|---|
| Identity | Name, surname | Communication activities; Goods/services sales processes; Advertising, campaigns and promotions; Complaint tracking; Informing authorised persons, institutions and organisations | Explicitly stipulated in law; Necessary for the data controller to fulfil a legal obligation; Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject; Explicit consent |
| Contact | Telephone number, mobile phone number, email address, fax number |
| Transaction Security | Website login/logout data, IP address, username, password and credential information | Communication activities; Goods/services sales processes; Complaint tracking | Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject |
1.4. Job Applicants
Personal data of job applicants is collected through CVs sent to RTG by email, through Private Employment Agencies (İŞKUR, Kariyer.net, etc.), other platforms (LinkedIn, etc.) and declarations made by the applicants themselves.
| Data Category | Sub-Items | Processing Purpose | Legal Basis |
|---|
| Identity | Name, surname, Turkish ID number, date and place of birth, marital status | Candidate/intern selection, placement and application processes; Interview processes; Communication activities | Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject; Necessary for establishment or performance of a contract |
| Contact | Mobile phone number, email address, postal address | |
| Personal Details | Military service status, references, CV information | Candidate selection, placement and application processes; HR policy and process planning; Interview processes; Contract processes; Remuneration policy |
| Professional Experience | Education/work history, diploma/foreign language/IT skills, position/title information | Necessary for establishment or performance of a contract; Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject; Explicit consent (for references) |
| Health Information | Disability status, blood type | Candidate selection, placement and application processes; HR policy and process planning | Processed within the limitations set out in Article 6 of the KVKK |
1.5. Visitors
Personal data of visitors is collected through declarations and records entered in the visitor logbook.
| Data Category | Sub-Items | Processing Purpose | Legal Basis |
|---|
| Identity | Name, surname, signature | Candidate selection, placement and application processes; HR policy and process planning; Interview processes; Business operations; Contract processes; Communication activities | Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject; Necessary for establishment or performance of a contract |
| Physical Premises Security | Entry/exit records | Physical premises security; Occupational health and safety activities; Creation and tracking of visitor records | Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject |
| Visual & Audio Records | CCTV footage |
1.6. Online Users
Personal data of online users is collected through internet applications, information systems, electronic devices, and other documents declared by Data Subjects.
| Data Category | Sub-Items | Processing Purpose | Legal Basis |
|---|
| Transaction Security | Website login/logout data, IP address | Communication activities; Goods/services sales processes; Complaint tracking; Information security processes; Informing authorised persons, institutions and organisations | Necessary for the data controller’s legitimate interests, provided it does not harm the fundamental rights and freedoms of the data subject |
2. Parties to Whom Personal Data May Be Transferred & Transfer Purposes
2.1. Domestic transfers
Personal data processed by RTG may be transferred, in compliance with the rules set out in Article 8 of Law No. 6698, with the necessary technical and administrative measures in place, and only to the extent necessary for the relevant purpose, to the following parties for the following purposes:
- Subsidiaries, affiliates, shareholders and group companies, limited to the purposes stated in Section 1;
- Audit firms for financial, legal and technical auditing;
- Legal, financial and tax advisors to fulfil obligations arising from law;
- Public institutions and organisations within the scope of legal obligations;
- Notaries and judicial authorities for the establishment and protection of rights;
- Banks for the conduct of commercial and financial activities;
- Principal employers for the conduct of commercial activities;
- Data processors by way of contractual agreement within the scope of the law;
- Business partners for the conduct of commercial activities;
- Travel agencies, hotels and airlines for planning employee business travel;
- Suppliers and supplier employees for the procurement of products and services;
- Authorised persons and official institutions as required by legislation;
- Insurance companies for the conduct of commercial and financial activities;
- Customers for the execution of product and service delivery;
- Domestic and/or overseas service providers supporting storage, archiving, IT (servers, hosting, software, cloud computing, etc.);
- IYS (Commercial Electronic Message Management System) and integrator companies for marketing, promotion and business development purposes, for Data Subjects who have given explicit consent.
2.2. International transfers
RTG may transfer personal data abroad in accordance with Article 9 of the Law, where explicit consent exists as per the principles in Article 4(2), or without explicit consent where the conditions in Articles 5(2) and 6(3) are met. Personal data may be transferred to overseas business partners, suppliers, group companies and shareholders that provide services to RTG, as well as to overseas service providers supporting storage, archiving, IT (servers, hosting, software, cloud computing, etc.) on behalf of RTG, within the framework of the personal data processing conditions set out in Article 9 of the Law and the purposes stated above.
3. Personal Data Collection Methods and Legal Bases
Personal data is collected through various channels including requests and applications, business card exchanges, emails, software, contracts, electronic forms, attendance at meetings or events, printed forms, employment agencies, CVs, official correspondence from judicial and administrative authorities, and other printed/electronic documents. Data is collected in physical or electronic environments, stored and processed wholly or partially by automated means, or by non-automated means provided they form part of a data recording system, by RTG or by data processors appointed by RTG.
4. Rights of the Data Subject
4.1. Your rights
A Data Subject whose personal data is processed may exercise the following rights by applying to RTG under Article 11 of Law No. 6698:
- The right to learn whether your personal data has been processed;
- The right to request information if your personal data has been processed;
- The right to learn the purpose of processing and whether data is used in accordance with that purpose;
- The right to know the third parties to whom your personal data has been transferred;
- The right to request rectification of incomplete or inaccurately processed personal data;
- The right to request deletion or destruction of personal data within the conditions stipulated in the KVKK;
- The right to request notification of rectification, deletion or destruction to third parties to whom data has been transferred;
- The right to object to any result arising from the analysis of processed data exclusively by automated systems that is to your detriment; and
- The right to claim compensation for damages arising from unlawful processing of personal data.
RTG is required to retain records and documents relating to its operations for certain periods under legal regulations. Where a Data Subject requests deletion, destruction or anonymisation of personal data, this request may be fulfilled by RTG at the end of the legally prescribed retention period. However, during this period the personal data will not be processed by RTG and will not be shared with third parties except where required by national and international legal, regulatory and contractual obligations.
4.2. How to exercise your rights
Data Subjects may apply using one of the following methods:
- In person, by completing the Application Form available at www.runibex.com/kvkk, signing it with a wet signature, and presenting it in person with identity documents at: Altayçeşme Mah. Zühal Sk. Niyazi Bey İş Merkezi No: 22 İç Kapı No: 5 Maltepe, İstanbul, Türkiye;
- Via notary, by completing and signing the Application Form and sending it by notarial notification to the above address; or
- By email, by completing the Application Form and sending it to the registered electronic mail address specified in Section 1, or via an email address registered in RTG’s systems.
The application must include the following information/documents:
- Name, surname, and signature (if the application is in writing);
- Turkish ID number for Turkish citizens; nationality, passport number or ID number for foreign nationals;
- Residential or workplace address for notification purposes;
- Email address, telephone and fax number (if available);
- A notarised power of attorney with specific authority (if applying through a representative);
- Subject of the request; and
- Supporting information and documents relating to the subject.
RTG will respond to the Data Subject’s request as soon as possible and within a maximum of thirty (30) days, in accordance with the nature of the request and within the limits prescribed by the Law. For third parties to apply on behalf of a Data Subject, a notarised special power of attorney issued in the name of the person making the application must be provided. Data Subject applications are generally processed free of charge; however, a fee may be charged in accordance with the tariff set by the Personal Data Protection Board (pursuant to the Communiqué on the Procedure and Principles of Application to the Data Controller, published in the Official Gazette dated 10.03.2018, No. 30356: no charge is made for written responses up to ten pages; a processing fee of 1 Turkish Lira per page may apply beyond ten pages; where the response is provided on a recording medium such as CD or flash drive, the fee shall not exceed the cost of the medium). RTG may request information from the applicant to verify whether they are the personal data owner, and may direct questions to the Data Subject to clarify matters raised in the application. RTG will accept the request or reject it with reasons stated, and will notify the Data Subject in writing or electronically. Where the request is accepted, RTG will take the necessary action. Where the application arises from an error by RTG, any fee charged will be refunded.
