Privacy Policy

1. PURPOSE

As SDGTalking; our priority is to process the personal data of real persons, including our members, visitors, suppliers, and employees, in compliance with the relevant legislation, especially the Constitution of the Republic of Turkey, international agreements to which our country is a party regarding human rights, and the Law on the Protection of Personal Data No. 6698 (“KVKK”).

Therefore, we conduct the processing, storage, and transfer of all personal data obtained during our activities, including but not limited to our employees, suppliers, customers, visitors, members, and users visiting our website and mobile applications, in accordance with the SDGTalking Data Protection and Processing Policy (“Policy”).

The protection of personal data and the observance of the fundamental rights and freedoms of the individuals whose personal data is processed are the fundamental principles of our data processing policy. Therefore, we carry out all activities involving the processing of personal data, taking into account the protection of the privacy of private life, the confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies.

We take all administrative and technical protection measures required by the nature of the relevant data in accordance with legislation and up-to-date technology to ensure the protection of personal data.

This Policy explains the methods we follow in processing, storing, transferring, deleting, or anonymizing personal data shared during our commercial, social responsibility, and similar activities, in accordance with the principles mentioned in the KVKK.

2. SCOPE

All personal data processed by the Company, including visitors, business connections, partners, employees, suppliers, members, and third parties, fall within the scope of this Policy.

Our policy is applied to all activities related to the processing of personal data owned or managed by the Company, in compliance with the KVKK and other relevant legislation on personal data and international standards in this field.

3. DEFINITIONS and ABBREVIATIONS

In this section, special terms, phrases, concepts, abbreviations, etc. used in the Policy are briefly explained.

SDGTalking: SDGTalking | SDGTalking.com
SDGTalking or Company: SDGTalking and its affiliated partnerships, subsidiaries, and business partners.
Explicit Consent: Clear, informed, and freely given consent limited to a specific subject.
Anonymization: Making personal data unidentifiable or untraceable to a specific real person in any way, even when matched with other data.
Employee: Company Personnel.
Data Subject (Concerned Person): The real person whose personal data is processed.
Personal Data: Any information related to an identified or identifiable real person.
Special Categories of Personal Data: Data related to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction, and biometric and genetic data.
Processing of Personal Data: Any operation performed on personal data, including obtaining, recording, storing, altering, reorganizing, disclosing, transferring, taking over, making it obtainable, classifying, or using it in any way.
Data Processor: The real or legal person processing personal data on behalf of the data controller based on the authority given by the data controller. Data Controller: The real or legal person determining the purposes and means of processing personal data and responsible for the establishment and management of the data recording system.
Personal Data Protection Board: Personal Data Protection Board. Personal Data Protection Authority: Personal Data Protection Authority.
KVKK: Law on the Protection of Personal Data published in the Official Gazette dated April 7, 2016, and numbered 29677. Policy: SDGTalking Data Protection and Processing Policy.

4. LEGAL OBLIGATIONS

The legal obligations regarding the protection and processing of personal data as the data controller under the KVKK are listed below:

4.1. Our obligation to inform

As the data controller, when collecting personal data:

The purpose for which your personal data will be processed, Information about our identity and, if any, the identity of our representative, To whom and for what purpose your processed personal data may be transferred, Our method of collecting data and its legal basis, Rights arising from the law, We have the obligation to inform the Concerned Person about the matters mentioned.

We strive to make this Policy, which is publicly available, clear, understandable, and easily accessible.

4.2. Our obligation to ensure data security

As the data controller, we take the administrative and technical measures prescribed by the legislation to ensure the security of personal data in our possession. The obligations regarding data security and the measures taken are detailed in the 8th and 9th sections of this Policy.

5. CLASSIFICATION OF PERSONAL DATA

5.1. Personal data

Personal data is any information about an identified or identifiable real person.

The protection of personal data is only related to real persons, and information about legal persons that does not contain information about real persons is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal persons.

5.2. Special categories of personal data

Special categories of personal data include data related to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction, and biometric and genetic data.

6. PROCESSING OF PERSONAL DATA

6.1. Our principles for processing personal data

We process personal data in accordance with the principles listed below.

6.1.1. Processing in accordance with the law and honesty

We process personal data in accordance with the principles of honesty, transparency, and our obligation to inform.

6.1.2. Ensuring the accuracy and, when necessary, the updating of personal data

We take necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We provide the Data Subject with the opportunity to update their data and correct any errors in the processed data.

6.1.3. Processing for specific, clear, and legitimate purposes

As a company, we process personal data within the scope of legitimate purposes clearly defined in terms of content and scope, in line with our legitimate purposes determined within the framework of legislation and the normal flow of commercial life.

6.1.4. Being related, limited, and proportionate to the purposes for which personal data are processed

We process personal data in a related, limited, and proportionate manner to the purpose clearly determined by us.

We avoid processing personal data that is not relevant or necessary. Therefore, we do not process or, when necessary, obtain explicit consent for processing special categories of personal data unless required by law.

6.1.5. Storage of personal data for the period required by legal regulations and our legitimate interests

Many regulations in the legislation obligate the storage of personal data for a certain period. Therefore, we keep the personal data we process for the duration specified in the relevant legislation or as long as necessary for the purposes of processing personal data.

Upon the expiration of the statutory storage period or the elimination of the processing purpose, we delete, destroy, or anonymize personal data. Our principles and procedures regarding storage periods are detailed in the 8.1. article of this Policy.

6.2. Our purposes for processing personal data

As SDGTalking, we process personal data within the scope of the following purposes:

To conduct our activities, To provide support services within the scope of contracts and service standards, To identify the preferences and needs of our members/visitors and shape and update the services we provide accordingly, To ensure the fulfillment of our legal obligations as required by legal regulations or mandatory, To conduct market research and statistical studies, Surveys, competitions, promotions/channel development, and sponsorships, To evaluate job applications, To establish contact with individuals in business relations with the Company, Marketing, Compliance management, Vendor/supplier management, Legal reporting, Invoicing, To advertise and promote blogs and websites, To provide personalized job advertisements and information related to employment, To send newsletters or notifications via email.

6.3. Processing of special categories of personal data

Special categories of personal data are processed by us if it is foreseen by the laws and if the administrative and technical measures foreseen by the Personal Data Protection Board are taken, and explicit consent is obtained, or in cases required by legislation.

As special categories of personal data related to health and sexual life are processed by individuals or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, preventive medicine, conducting medical diagnosis, treatment and care services, and planning and managing the financing of health services, they are not processed by us except for the data of our employees. Such data belonging to our employees can be processed by individuals specified in the laws.

6.4. Processing of personal data collected through cookies

We use cookies to improve the operation and usage of our websites or mobile applications and to make your time spent on our digital platforms more efficient and enjoyable. In addition, we use some cookies to remember your preferences on our websites and mobile applications, aiming to provide you with an improved and personalized experience.

We may collect, process, transfer, and store your personal data through cookies on our digital platforms.

Detailed information about the cookies we use can be found in the “SDGTalking Privacy Policy.”

6.5. Processing of personal data for human resources and employment purposes

We process, store, and transfer the personal data, including resumes, diplomas, etc., shared by you as a job applicant during the job application evaluation process for the purpose of job application evaluation. The processing, transfer, and storage of the personal data shared by job applicants fall within the scope of this Policy.

6.9. Processing of personal data within the scope of SDGTalking.com

SDGTalking.com is a platform that provides digital publishing and content.

Within the scope of the services offered on SDGTalking.com, visitors, as members according to Article 6.6 of this Policy, can share comments on content by selecting their name and surname information or choosing a nickname. The information shared by members/visitors through comments is considered to be publicly disclosed by the member/visitor, including cases where the shared information falls within the scope of special categories of personal data as mentioned in Article 5.2 of this Policy. The processing of such content is possible without the explicit consent of the member/visitor within the scope of the processing purposes in Article 6.2 of this Policy.

Within SDGTalking.com, links to websites owned by SDGTalking may be provided as per the content that visitors or members want to view.

The deletion, destruction, or anonymization of personal data within this platform falls within the scope of Article 8 of this Policy.

6.19. Exceptional cases where explicit consent is not required for the processing of personal data

In the exceptional cases listed below and in cases required by law, we may process personal data without obtaining explicit consent:

If explicitly provided for in the laws; If processing personal data of the parties to a contract is necessary for the establishment or performance of a contract directly related to them; If processing data is mandatory for the establishment, exercise, or protection of a right; If it is compulsory for our legitimate interests as the data controller, provided that it does not harm fundamental rights and freedoms. The exceptional situations where special categories of personal data can be processed without the explicit consent of the Data Subject are specified in Article 6.3 of this Policy.

7. TRANSFER OF PERSONAL DATA

7.1. Transfer of personal data within the country

As a company, we act in accordance with the decisions and regulations set forth by the Personal Data Protection Authority (KVKK) regarding the transfer of personal data.

Except for exceptional cases stipulated in the legislation, personal data and special category data are not transferred by us to other individuals or legal entities without the explicit consent of the Data Subject.

In exceptional cases specified by the KVKK and other relevant legislation, personal data may be transferred to authorized administrative or judicial authorities without the explicit consent of the Data Subject, provided that the necessary measures prescribed by the legislation are taken.

Additionally, personal data may be transferred without explicit consent in line with the exceptional cases and conditions stated in Article 6.19 of this Policy and Article 6.3 of this Policy regarding special category personal data.

7.2. Transfer of personal data abroad

As a rule, personal data is not transferred abroad without the explicit consent of the Data Subject. However, in cases where one of the exceptional situations mentioned in Article 6.3 and Article 6.19 of this Policy exists, personal data can be transferred abroad without explicit consent only if:

The third parties in foreign countries are located in countries where the KVKK has declared sufficient protection, In the absence of sufficient protection in the countries where they are located, data controllers in Turkey and the foreign country in question explicitly commit in writing to ensuring adequate protection, and the permission of the KVKK is obtained, In such cases, personal data may be transferred abroad without explicit consent.

7.2.1. Transfer of personal data abroad for the purpose of providing services and marketing activities

We work with service providers located abroad for purposes such as the development of the internet site and digital platforms, conducting surveys, increasing product and service variety according to the preferences of visitors and members, and measuring user experience. It is recommended to review the policies of the service providers with whom we collaborate regarding the processing and protection of personal data.

7.3. Institutions and organizations to which personal data is transferred

Personal data may be transferred:

To our suppliers, To our business partners and business connections, To production companies, To group companies, To legally authorized public institutions and organizations, To legally authorized private legal entities, To our shareholders, in accordance with the principles and rules explained above.

7.4. Measures taken for the legal transfer of personal data

7.4.1. Technical measures

To protect personal data, we:

Establish an in-house technical organization for the lawful processing and storage of personal data, Ensure the security of the databases where your personal data will be stored, Monitor and audit the processes of the established technical infrastructure, Define procedures for reporting technical measures and audit processes, Periodically update and renew technical measures taken, Reevaluate risky situations to produce necessary technological solutions, Use software or hardware security products such as virus protection systems, firewalls, and similar, and establish security systems compatible with technological developments, Employ personnel with technical expertise.

7.4.2. Administrative measures

To protect personal data, we:

Establish policies and procedures for access to personal data, including employees of our company and subsidiaries, Inform and educate our employees about the legal protection and processing of personal data, Record the measures to be taken in case of unlawful processing of personal data by our employees in contracts and/or policies established by our company, Monitor the processing activities of data processors or partners of data processors.

8. STORAGE OF PERSONAL DATA

8.1. Storage of personal data for the period prescribed in the relevant legislation or required for the processing purpose

We store personal data for the duration required by the processing purpose, without prejudice to the storage periods prescribed in the legislation.

In cases where personal data is processed for multiple purposes, data is deleted, destroyed, or anonymized if the purposes of processing are eliminated or at the request of the Data Subject, provided that there is no legal obstacle in the legislation. Compliance with legislation provisions and decisions of the KVKK is ensured in matters of deletion, destruction, or anonymization.

8.2. Measures taken for the storage of personal data

8.2.1. Technical measures

To delete, destroy, and anonymize personal data, we:

Establish technical infrastructure and control mechanisms for the deletion, destruction, and anonymization of personal data, Take measures necessary for the secure storage of personal data, Employ personnel with technical expertise, Develop systems for business continuity and emergency plans in case of risks, Create security systems in accordance with technological developments for the areas where personal data is stored.

8.2.2. Administrative measures

To protect personal data, we:

Inform our employees about the technical and administrative risks associated with the storage of personal data to create awareness, Include provisions in contracts with companies that process personal data in case of cooperation for the storage of personal data, regarding the measures to be taken for the protection and secure storage of the transferred personal data.

9. SECURITY OF PERSONAL DATA

9.1. Our obligations regarding the security of personal data

We take administrative and technical measures within the technological capabilities and application costs to:

Prevent the unlawful processing of personal data, Prevent unauthorized access to personal data, Ensure the legal storage of personal data.

9.2. Measures taken to prevent the unlawful processing of personal data

To prevent the unlawful processing of personal data, we:

Conduct necessary audits within our company and have them conducted, Train and inform our employees about the lawful protection and processing of personal data, Evaluate the activities carried out by relevant departments in detail in terms of the commercial activities performed by those units regarding the processing of personal data, Include provisions in contracts with companies that process personal data in case of cooperation, regarding the measures to be taken by those who have access to personal data for the protection of personal data, Establish security systems in line with technological developments to prevent unauthorized access to personal data.

9.2.1. Technical and administrative measures taken to prevent unauthorized access to personal data

To prevent unauthorized access to personal data, we:

Employ personnel with technical expertise, Periodically update and renew technical measures taken, Establish access authorization procedures within our company, Define procedures for reporting technical measures and audit processes, Establish data recording systems used within our company in accordance with the legislation and conduct periodic audits, Develop emergency plans for possible risks and establish systems for their implementation, Train and inform our employees about accessing personal data and authorization, In cases where cooperation is made with third parties for the processing of personal data, include provisions in contracts with companies that allow access to personal data, regarding the measures to be taken for the security of personal data.

9.2.2. Measures taken in case of the unlawful disclosure of personal data

To prevent the unlawful disclosure of personal data, we take administrative and technical measures and update them in accordance with our procedures. In the event that we determine that personal data has been disclosed without authorization, we establish systems and infrastructure to report this situation to the Data Subject and the KVKK in accordance with our procedures.

In case of an unauthorized disclosure despite all administrative and technical measures, the situation may be announced by the KVKK on its website or by another method, if deemed necessary by the KVKK.

10. RIGHTS OF THE DATA SUBJECT

Within the scope of our obligation to inform, we inform the Data Subject and establish systems and infrastructure for this purpose. The Data Subject has the following rights over their personal data:

To learn whether personal data is processed, If personal data is processed, to request information regarding this processing, To learn the purpose of processing personal data and whether they are used in line with this purpose, To know the third parties to whom personal data is transferred, domestically or abroad, To request correction if personal data is incomplete or incorrect, To request the deletion or destruction of personal data if the reasons requiring processing cease to exist, To request notification of corrections, deletions, or destructions to third parties to whom personal data has been transferred, if any, To object to the result of the analysis of processed data exclusively through automated systems resulting in an adverse effect, To request the remedy of damages in case of harm due to the unlawful processing of personal data.

10.1. Exercise of rights related to personal data

The Data Subject can exercise their rights regarding personal data by sending their request with explanations about the requested subject, which must be clear and understandable, their identity and address information, and identity documents to 100th Year Neighborhood, 2264th Street No:1 Bağcılar/İstanbul, in writing and wet-signed, or with electronic signatures and through the registered email system (KEP) or any other method determined by the KVKK.

These requests must be made individually, and requests made by unauthorized third parties regarding personal data will not be considered.

10.2. Evaluation of the application

10.2.1. Response time for the application

Requests regarding personal data are concluded as soon as possible, and in any case, within 30 (thirty) days free of charge or under the conditions specified in the tariff that may be published by the KVKK in case the conditions in the tariff are met.

During the application or during the evaluation of the application, additional information and documents may be requested.

10.2.2. Our right to reject the application

Applications regarding personal data may be rejected with justification in case of:

Processing of personal data for research, planning, and statistics purposes by making them anonymous through official statistics, Processing of personal data for artistic, historical, literary, or scientific purposes or for the sake of freedom of expression, provided that it does not violate the privacy of private life or personal rights, or does not constitute a crime, The application not being based on a justifiable reason, The application containing a demand contrary to the relevant legislation, Non-compliance with the application procedure, Cases stated above.

10.3. Procedure for evaluating the application

In order for the response time specified in Article 11.2.1 of this Policy to start, requests made must be sent in writing and wet-signed, or electronically signed and sent through the registered email system (KEP) or other methods specified by the KVKK, along with information and documents proving the identity of the applicant.

If the request is accepted, the relevant process is applied, and the response is notified in writing or electronically. In case of rejection of the request, it is notified to the applicant in writing or electronically with an explanation.

10.4. Right to complain to the Personal Data Protection Authority

In case the application is rejected, the response is found insufficient, or no response is given within the specified period; the Data Subject has the right to file a complaint with the KVKK within 30 (thirty) days from the date they learn about the response or, in any case, within 60 (sixty) days from the date of the application.

11. PUBLICATION AND STORAGE OF THE DOCUMENT

This Policy is stored in two different environments, both in printed paper and electronic form.

12. UPDATE PERIOD

This Policy is reviewed at least once a year and updated as needed, following the principles determined in the Documentation Management Procedure.

13. EFFECTIVENESS

This Policy is deemed effective after being published on the Company’s website.

14. REPEAL

In case of a decision to repeal this Policy, the old copies with wet signatures are canceled by the approval of the Section Manager and signed by the Legal Department, and stored by the Legal Department for a period of 5 years.