Contracts

Darüşşafaka Society aims to provide education to underprivileged and talented fatherless and/or motherless children being citizens of the Republic of Turkey, in line with modern educational principles and by providing equal opportunities in education; and to raise leading individuals who are lifelong learners, have adopted universal values, are self-confident, aware of their duties and responsibilities towards their country and community, and have the necessary set of values as individuals. Darüşşafaka Quality Policy is established by the senior management as stated below, and is continuously applied in all activities and units of the Society, so that the operations of the Society can be adopted by all employees and a corporate culture can be ensured. 

  • Managing all of its institutions and organizations by adhering to the principles of “equality”, “transparency” and “accountability” to strengthen the leading role of Darüşşafaka Society as the first non-governmental organization in Turkey in the field of education, its motto of “Equal Opportunities in Education”, and its reliable and established image;
  • Ensuring its students receive the best education by following and applying the developing technologies, while supporting their social and emotional development with social and cultural activities;
  • Creating qualified, competent and skilled staff in every sense and ensuring the development of staff through continuous training with the awareness that the best education can be provided with exemplary behaviours and attitudes;
  • Ensuring the sustainability of donation revenues by improving its donation resources and quality;
  • Working with expert teams to ensure that our donors lead a physically and mentally healthy life, and spend their lives happily and peacefully at Darüşşafaka Residences;
  • Providing and maintaining applicable conditions by constantly checking the effectiveness of management system and making the necessary improvements therein;
  • Ensuring that an inclusive and pluralistic management approach is adopted at our institution, and promoting Leadership and employee engagement in all our processes for this purpose;
  • Raising service quality by closely following the technological developments and performing services beyond expectations;
  • Ensuring service continuity by using resources efficiently and effectively.

Board of Directors

Date: 25.02.2020 / Decision No: 7

Top management of Darüşşafaka Society and its affiliates provides quality to and satisfaction of service recipients in all of its activities, and through its Information Security Management Systems, ensures protection of all of its information assets in terms of confidentiality, integrity, accessibility, continuity and sustainability, in strict compliance with the following fundamental principles.

In connection therewith, Darüşşafaka Society hereby agrees and undertakes to ensure:

  • That all requirements of the Information Security Management System are fulfilled, and documented, and continuously improved; and
  • That all sources required for implementation, maintenance and improvement of the Information Security Management System are properly provided; and
  • That information integrity and information confidentiality are protected; and
  • That all activities are carried out in strict compliance with primary and secondary legislative instruments and contract terms and conditions, especially the applicable laws and regulations pertaining thereto; and
  • That all actual and foreseen information security breaches are duly reported, and the required actions and measures are taken; and
  • That unauthorized use, disclosure and destruction of all information assets are properly prevented; and
  • That probable risks of Information Security are determined, and all required actions and measures are taken against risks, and the actions needed for keeping the risks at minimum level are duly taken; and
  • That the actions required for increase of information security awareness of employees and suppliers are taken and performed; and
  • That all provisions of the Personal Data Protection Law (KVKK) are performed in a timely manner and in full compliance with the law; and
  • That the planning and sources required to ensure continuity in all business processes are provided; and
  • That the employees are ensured to adopt the Information Security Management System and to take all of the required measures in their business processes; and
  • That this policy is accessible by all internal and external parties.

Darüşşafaka Society Disclosure Text on Website Visitors under the Personal Data Protection Law no. 6698

As Darüşşafaka Society (“Society”), it is one of our leading principles to protect  privacy of the visitors of the websites https://www.darussafaka.org  and https://www.dek.k12.tr run by our Society.

This Disclosure Text describes the principles of processing of your personal data by Darüşşafaka Society (“Society”) as and in the capacity of a data controller at the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer, Istanbul” in accordance with the Personal Data Protection Law no. 6698 (“Law”) and other applicable laws and regulations pertaining thereto.

1.Purpose of Processing of Personal Data

Your personal data, consisting of IP and log records obtained from your visit to our website, are processed in order to keep traffic on the website protected within the scope of cyber security measures and thus to ensure legal, commercial and technical reliability, and to develop and disseminate activities carried out by the Society.

2.To Whom and For Which Purposes Personal Data Are Transferred

Your personal data may be transferred for the aforesaid purposes of processing upon legitimate demand to domestic/foreign firms providing support services in cloud computing, and to external service providers of our Society.

3.Method and Legal Basis of Collection of Your Personal Data

Your personal data are collected automatically and electronically by means of technical communication files in the data controller's systems and for the purposes specified in this Disclosure Text. Your personal data are processed in accordance with the obligation to monitor the traffic of website as stipulated in the Law on Regulation of Publications via Internet and Fight Against Crimes Committed Through These Publications no. 5651.

4.Application to the Data Controller and Your Rights

According to Article 11 of the Law, you have the right to file an application to our Society in order (a) to learn whether your personal data are processed, (b) if processed, to request information about processing, (c) to learn the purposes of processing, and whether they are processed and used in accordance with the originally intended purposes, (d) to learn the identity of domestic/foreign parties to which your personal data are transferred, (e) if they are processed incompletely or inaccurately, to request completion or correction of them, as the case may be, (f) to request deletion / destruction in accordance with the conditions stated in Article 7 of the Law, (g) to request notification of actions taken in accordance with paragraphs (e) and (f) hereinabove to the third parties to whom your personal data are transferred, (h) to object against results to detriment of you that may arise solely due to analysis of your personal data by automated systems, (i) to claim indemnification of your damages and losses, if any, you suffer due to processing of your personal data in violation of the Law.

Applications about your rights listed above may be made to the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer/İstanbul” by filling out the Darüşşafaka Society application form available at our website https://www.darussafaka.org/en/contracts/complaint-filing-procedure-for-personel-data, or via the e-mail address kvkk@darrusafaka.org, by secure e-signature, mobile signature, or e-mail address previously reported by you to the data controller and registered in the data controller's system.

Our Society shall fulfil all your requests free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, fees may be charged for costs that may be separately incurred by our Society in connection therewith. Our Society may accept and process the request or may reject it by indicating the reasons in writing.

You are entitled to file a complaint to the Personal Data Protection Board (“Board”) within thirty days following the date of delivery of request and in any case within sixty days following the date of application, if the application is rejected after carrying out the procedure mentioned above, or the reply is deemed insufficient or the requests are not responded in a timely manner. However, the complaint cannot be filed without exhausting this application process.  

The Board shall, upon receipt of a complaint or ex officio upon becoming aware of the allegation of breach, conduct the necessary investigations within its fields of duty. Upon a complaint, the request shall be examined by the Board and answered to the related persons. If no reply is given within sixty days after the date of complaint, the request shall be deemed to be rejected. If, as a result of investigations conducted upon receipt of a complaint or ex officio investigation, a breach is detected, the Board instructs and orders the data controller to remedy the breaches of law, and delivers its decision to the related persons. This decision shall be fulfilled without delay but no later than within thirty days after the notification of decision. The Board is authorized to suspend the data processing or international transfer of personal data in case of occurrence of damages and losses hard or impossible to repair, and upon explicit contravention to or infringement of the law.

We would like to emphasize that your data is meticulously protected by Darüşşafaka and to thank you for the trust that you place in us.

 Darüşşafaka Commercial Enterprise Disclosure Text For Website Visitors under the Personal Data Protection Law no. 6698

As Darüşşafaka Society (“Society”), it is one of our leading principles to protect  privacy of the visitors of the websites http://www.dsftr.com and http://www.urlayasam.com.tr run by our Society.

This Disclosure Text describes the principles of processing of your personal data by Darüşşafaka Society (“Society”) as and in the capacity of a data controller at the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer, Istanbul” in accordance with the Personal Data Protection Law no. 6698 (“Law”) and other applicable laws and regulations pertaining thereto.

  1. Purpose of Processing of Personal Data

Your personal data, consisting of IP and log records obtained from your visit to our website, are processed in order to keep traffic on the website protected within the scope of cyber security measures and thus to ensure legal, commercial and technical reliability, and to develop and disseminate activities carried out by the Society.

  1. To Whom and For Which Purposes Personal Data Are Transferred

Your personal data may be transferred for the aforesaid purposes of processing to our business partners (external service providers, hosting service providers, research firms, etc.) and to the legally authorized public entities and private persons under the personal data processing conditions set forth in Articles 8 and 9 of the Law. Personal data processing purposes are parallel to personal data transfer purposes.

  1. Method and Legal Basis of Collection of Your Personal Data

Your personal data are collected automatically and electronically by means of technical communication files in the data controller's systems and for the purposes specified in this Disclosure Text. Your personal data are processed in accordance with the obligation to monitor the traffic of website as stipulated in the Law on Regulation of Publications via Internet and Fight Against Crimes Committed Through These Publications no. 5651.

  1. Application to the Data Controller and Your Rights

According to Article 11 of the Law, you have the right to file an application to our Society in order (a) to learn whether your personal data are processed, (b) if processed, to request information about processing, (c) to learn the purposes of processing, and whether they are processed and used in accordance with the originally intended purposes, (d) to learn the identity of domestic/foreign parties to which your personal data are transferred, (e) if they are processed incompletely or inaccurately, to request completion or correction of them, as the case may be, (f) to request deletion / destruction in accordance with the conditions stated in Article 7 of the Law, (g) to request notification of actions taken in accordance with paragraphs (e) and (f) hereinabove to the third parties to whom your personal data are transferred, (h) to object against results to detriment of you that may arise solely due to analysis of your personal data by automated systems, (i) to claim indemnification of your damages and losses, if any, you suffer due to processing of your personal data in violation of the Law.

Applications about your rights listed above may be made to the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer/İstanbul” by filling out the Darüşşafaka Society application form available at our website https://www.darussafaka.org/en/contracts/complaint-filing-procedure-for-personel-data, or via the e-mail address kvkk@darrusafaka.org, by secure e-signature, mobile signature, or e-mail address previously reported by you to the data controller and registered in the data controller's system.

Our Society shall fulfil all your requests free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, fees may be charged for costs that may be separately incurred by our Society in connection therewith. Our Society may accept and process the request or may reject it by indicating the reasons in writing.

You are entitled to file a complaint to the Personal Data Protection Board (“Board”) within thirty days following the date of delivery of request and in any case within sixty days following the date of application, if the application is rejected after carrying out the procedure mentioned above, or the reply is deemed insufficient or the requests are not responded in a timely manner. However, the complaint cannot be filed without exhausting this application process.  

The Board shall, upon receipt of a complaint or ex officio upon becoming aware of the allegation of breach, conduct the necessary investigations within its fields of duty. Upon a complaint, the request shall be examined by the Board and answered to the related persons. If no reply is given within sixty days after the date of complaint, the request shall be deemed to be rejected. If, as a result of investigations conducted upon receipt of a complaint or ex officio investigation, a breach is detected, the Board instructs and orders the data controller to remedy the breaches of law, and delivers its decision to the related persons. This decision shall be fulfilled without delay but no later than within thirty days after the notification of decision. The Board is authorized to suspend the data processing or international transfer of personal data in case of occurrence of damages and losses hard or impossible to repair, and upon explicit contravention to or infringement of the law.

We would like to emphasize that your data is meticulously protected by Darüşşafaka and to thank you for the trust that you place in us.

Darüşşafaka Society Disclosure Text on Donators under the Personal Data Protection Law no. 6698

This Disclosure Text describes the principles of processing of your personal data by Darüşşafaka Society (“Society”) as and in the capacity of a data controller at the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer, Istanbul” in accordance with the Personal Data Protection Law no. 6698 (“Law”) and other applicable laws and regulations pertaining thereto.

1.Purpose of Processing Personal Data

Your personal data may be processed by the Society for the purposes of carrying out donation events and organizations, and in order to contact you when necessary for thanking, congratulating, promotion and information purposes, and to draft necessary documents about donations, to share aforesaid documents, to carry out, develop and disseminate community activities, to organize events, to improve donation works, to inform you of the activities of our Society and to fulfil the obligations arising from the relevant applicable laws and regulations.

  1. To Whom and For Which Purposes Personal Data Are Transferred

In reliance upon your explicit consent and/or in the cases legally required or permitted, your personal data may be transferred for the aforesaid purposes upon demand to domestic/foreign firms providing support services in information technologies (cloud computing, e-mail and others), financial institutions cooperating with and/or rendering services to us, consultancy firms in collaboration with our Society, third parties providing supports in sales, marketing and other areas related to the activities of our Society, our domestic/foreign business partners, and other authorized institutions and organizations.

3.Method and Legal Basis For Collecting Your Personal Data

Your personal data, described in this Disclosure Text, are collected electronically by our Society via non-automatic ways through the form on the website of our Society filled in by you in accordance with the applicable laws and regulations in order to maintain and develop in-Society activities. Your personal data are collected for such legal reasons or motives as its being clearly specified in the laws as per article 5/2(a) of the Law, and protection of legitimate interests of our Society without causing any harm to your fundamental rights and freedoms as per article 5/2(f) of the Law, and receipt of your prior explicit consent if and when required as per as per article 5/1 of the Law.

4.Application to the Data Controller and Your Rights

According to Article 11 of the Law, you have the right to file an application to our Society in order (a) to learn whether your personal data are processed, (b) if processed, to request information about processing, (c) to learn the purposes of processing, and whether they are processed and used in accordance with the originally intended purposes, (d) to learn the identity of domestic/foreign parties to which your personal data are transferred, (e) if they are processed incompletely or inaccurately, to request completion or correction of them, as the case may be, (f) to request deletion / destruction in accordance with the conditions stated in Article 7 of the Law, (g) to request notification of actions taken in accordance with paragraphs (e) and (f) hereinabove to the third parties to whom your personal data are transferred, (h) to object against results to detriment of you that may arise solely due to analysis of your personal data by automated systems, (i) to claim indemnification of your damages and losses, if any, you suffer due to processing of your personal data in violation of the Law.

Applications about your rights listed above may be made to the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer/İstanbul” by filling out the Darüşşafaka Society application form available at our website https://www.darussafaka.org/en/contracts/complaint-filing-procedure-for-personel-data, or via the e-mail address kvkk@darrusafaka.org, by secure e-signature, mobile signature, or e-mail address previously reported by you to the data controller and registered in the data controller's system.

Our Society shall fulfil all your requests free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, fees may be charged for costs that may be separately incurred by our Society in connection therewith. Our Society may accept and process the request or may reject it by indicating the reasons in writing.

You are entitled to file a complaint to the Personal Data Protection Board (“Board”) within thirty days following the date of delivery of request and in any case within sixty days following the date of application, if the application is rejected after carrying out the procedure mentioned above, or the reply is deemed insufficient or the requests are not responded in a timely manner. However, the complaint cannot be filed without exhausting this application process.  

The Board shall, upon receipt of a complaint or ex officio upon becoming aware of the allegation of breach, conduct the necessary investigations within its fields of duty. Upon a complaint, the request shall be examined by the Board and answered to the related persons. If no reply is given within sixty days after the date of complaint, the request shall be deemed to be rejected. If, as a result of investigations conducted upon receipt of a complaint or ex officio investigation, a breach is detected, the Board instructs and orders the data controller to remedy the breaches of law, and delivers its decision to the related persons. This decision shall be fulfilled without delay but no later than within thirty days after the notification of decision. The Board is authorized to suspend the data processing or international transfer of personal data in case of occurrence of damages and losses hard or impossible to repair, and upon explicit contravention to or infringement of the law.

We would like to emphasize that your data is meticulously protected by our Society and to thank you for the trust that you place in us.

 Darüşşafaka Society Disclosure Text on E-Newsletter under the Personal Data Protection Law no. 6698

This Disclosure Text describes the principles of processing of your personal data by Darüşşafaka Society (“Society”) as and in the capacity of a data controller at the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer, Istanbul” in accordance with the Personal Data Protection Law no. 6698 (“Law”) and other applicable laws and regulations pertaining thereto.

1.Purpose of Processing of Personal Data

Your personal data obtained due to your membership in the Society’s e-newsletter may be processed by our Society, in accordance with Articles 5 and 6 of the Law, for the purposes of e-newsletter membership, providing you with e-newsletter services, informing you about the activities carried out by the Society and increasing the visibility of our Society, advertising and promotion purposes, announcing the projects and activities carried out/to be carried out by the Society, informing you about our actions, planning and carrying out activities for the development, follow-up, control of the Society-specific works, studies, operations, and using in  media, social media and other marketing activities for marketing purposes.

2.To Whom and For Which Purposes Personal Data Are Transferred

Your personal data may be transferred for the aforesaid purposes of processing to our business partners, domestic/foreign firms providing the services of storage of data in the cloud, outsourcing service providers, hosting service providers, research companies, call centres and the legally authorized public entities and private persons under the personal data processing conditions set forth in Articles 8 and 9 of the Law.

3.Method and Legal Basis of Collection of Your Personal Data

Your personal data are collected electronically via e-newsletter registration form you complete for the purposes specified in this Disclosure Text. Your personal data are processed under the Law for the legal reasons of “obtaining your explicit consent” and “as required for the legitimate interest of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person”.

4.Application to the Data Controller and Your Rights

According to Article 11 of the Law, you have the right to file an application to our Society in order (a) to learn whether your personal data are processed, (b) if processed, to request information about processing, (c) to learn the purposes of processing, and whether they are processed and used in accordance with the originally intended purposes, (d) to learn the identity of domestic/foreign parties to which your personal data are transferred, (e) if they are processed incompletely or inaccurately, to request completion or correction of them, as the case may be, (f) to request deletion / destruction in accordance with the conditions stated in Article 7 of the Law, (g) to request notification of actions taken in accordance with paragraphs (e) and (f) hereinabove to the third parties to whom your personal data are transferred, (h) to object against results to detriment of you that may arise solely due to analysis of your personal data by automated systems, (i) to claim indemnification of your damages and losses, if any, you suffer due to processing of your personal data in violation of the Law.

Applications about your rights listed above may be made to the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer/İstanbul” by filling out the Darüşşafaka Society application form available at our website https://www.darussafaka.org/en/contracts/complaint-filing-procedure-for-personel-data, or via the e-mail address kvkk@darrusafaka.org, by secure e-signature, mobile signature, or e-mail address previously reported by you to the data controller and registered in the data controller's system.

Darüşşafaka shall fulfil all your requests free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, fees may be charged for costs that may be separately incurred by our Society in connection therewith. Our Society may accept and process the request or may reject it by indicating the reasons in writing.

You are entitled to file a complaint to the Personal Data Protection Board (“Board”) within thirty days following the date of delivery of request and in any case within sixty days following the date of application, if the application is rejected after carrying out the procedure mentioned above, or the reply is deemed insufficient or the requests are not responded in a timely manner. However, the complaint cannot be filed without exhausting this application process.  

The Board shall, upon receipt of a complaint or ex officio upon becoming aware of the allegation of breach, conduct the necessary investigations within its fields of duty. Upon a complaint, the request shall be examined by the Board and answered to the related persons. If no reply is given within sixty days after the date of complaint, the request shall be deemed to be rejected. If, as a result of investigations conducted upon receipt of a complaint or ex officio investigation, a breach is detected, the Board instructs and orders the data controller to remedy the breaches of law, and delivers its decision to the related persons. This decision shall be fulfilled without delay but no later than within thirty days after the notification of decision. The Board is authorized to suspend the data processing or international transfer of personal data in case of occurrence of damages and losses hard or impossible to repair, and upon explicit contravention to or infringement of the law.

We would like to emphasize that your data is meticulously protected by Darüşşafaka and to thank you for the trust that you place in us.

Darüşşafaka Society Disclosure Text on Contact Forms under the Personal Data Protection Law no. 6698

This Disclosure Text describes the principles of processing of your personal data by Darüşşafaka Society (“Society”) as and in the capacity of a data controller at the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer, Istanbul” in accordance with the Personal Data Protection Law no. 6698 (“Law”) and other applicable laws and regulations pertaining thereto.

1.Purpose of Processing of Personal Data

Your personal data obtained through the “Contact Form” filled in by you on the Darüşşafaka website are processed by our Society, in accordance with Article 5 and Article 6 of the Law,  in order to be able to contact you, to be able to learn your wishes, suggestions and complaints, to initiate and carry out the necessary operations in accordance with your wishes, suggestions and complaints, to carry out the necessary work through our organization units in the interests of the relevant persons in respect of the services offered by the Society, and to carry out the other relevant business processes.

2.To Whom and for Which Purposes Your Personal Data are Transferred

Your personal data may be transferred in tandem with the above-explained purposes of processing, to our business partners, domestic/foreign firms providing the services of storage of data in the cloud, outsourcing service providers, hosting service providers, research companies, call centres and legally authorized public entities and private persons within the terms and for the purposes of personal data processing specified in Article 8 and Article 9 of the Law.

3.Method and Legal Basis of Collection of Your Personal Data

Your personal data are collected electronically via e-newsletter registration form  you complete for the purposes specified in this Disclosure Text. Your personal data are processed under the Law for the legal reason of obtaining your explicit consent.

4.Application to the Data Controller and Your Rights

According to Article 11 of the Law, you have the right to file an application to our Society in order (a) to learn whether your personal data are processed, (b) if processed, to request information about processing, (c) to learn the purposes of processing, and whether they are processed and used in accordance with the originally intended purposes, (d) to learn the identity of domestic/foreign parties to which your personal data are transferred, (e) if they are processed incompletely or inaccurately, to request completion or correction of them, as the case may be, (f) to request deletion / destruction in accordance with the conditions stated in Article 7 of the Law, (g) to request notification of actions taken in accordance with paragraphs (e) and (f) hereinabove to the third parties to whom your personal data are transferred, (h) to object against results to detriment of you that may arise solely due to analysis of your personal data by automated systems, (i) to claim indemnification of your damages and losses, if any, you suffer due to processing of your personal data in violation of the Law.

Applications about your rights listed above may be made to the address of “Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer/İstanbul” by filling out the Darüşşafaka Society application form available at our website https://www.darussafaka.org/en/contracts/complaint-filing-procedure-for-personel-data, or via the e-mail address kvkk@darrusafaka.org, by secure e-signature, mobile signature, or e-mail address previously reported by you to the data controller and registered in the data controller's system.

Our Society shall fulfil all your requests free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, fees may be charged for costs that may be separately incurred by our Society in connection therewith. Our Society may accept and process the request or may reject it by indicating the reasons in writing.

You are entitled to file a complaint to the Personal Data Protection Board (“Board”) within thirty days following the date of delivery of request and in any case within sixty days following the date of application, if the application is rejected after carrying out the procedure mentioned above, or the reply is deemed insufficient or the requests are not responded in a timely manner. However, the complaint cannot be filed without exhausting this application process.  

The Board shall, upon receipt of a complaint or ex officio upon becoming aware of the allegation of breach, conduct the necessary investigations within its fields of duty. Upon a complaint, the request shall be examined by the Board and answered to the related persons. If no reply is given within sixty days after the date of complaint, the request shall be deemed to be rejected. If, as a result of investigations conducted upon receipt of a complaint or ex officio investigation, a breach is detected, the Board instructs and orders the data controller to remedy the breaches of law, and delivers its decision to the related persons. This decision shall be fulfilled without delay but no later than within thirty days after the notification of decision. The Board is authorized to suspend the data processing or international transfer of personal data in case of occurrence of damages and losses hard or impossible to repair, and upon explicit contravention to or infringement of the law.

We would like to emphasize that your data is meticulously protected by our Society and to thank you for the trust that you place in us.

I have shared my personal data with Darüşşafaka Society and its affiliates (“Darüşşafaka” or the “Society”).

I accept and declare that all of my personal data kept by Darüşşafaka are subject to the regulations stipulated under the Personal Data Protection Law no. 6698 and other applicable laws and regulations pertaining thereto, and that the Society has fully and clearly informed me regarding my rights within the scope of the relevant laws and regulations. Within the scope of the relevant enlightenment, Darüşşafaka has committed to fully and completely fulfill its obligations regarding data security within the context of said laws and regulations. Accordingly, I hereby reserve my right to claim indemnification of any damages and losses I may suffer due to illegal processing and acquisition of my personal data, if any.

My personal data are collected and processed by the Society due to the legal obligations that require processing of personal data verbally, in writing and via electronic means and in order to provide the best service within the scope of enforcement of the donation agreement concluded by and between me and the Society and throughout our legal relationship, pursuant to and under the Personal Data Protection Law no. 6698, Turkish Commercial Code no. 6102, Turkish Criminal Code no. 5237 and their secondary legislation. My personal data collected and processed as above are stored in the Society's systems and archives for 10 years and transferred to domestic and foreign business partners in order to improve the quality of service.

This Letter of General Consent includes my explicit consent for the processing, storage and transfer of my personal data domestically or abroad.

1. PURPOSE

This Policy’s objectives are to raise awareness for sustaining Society’s legal and systematic data processing operations, to develop a common language on the basis of institutional principles, to ensure compliance with the legislation, and to ensure that the Data Subjects are able to access accurate and up-to-date information about the data processing processes.

2. SCOPE OF THE POLICY

The Policy covers the personal data processing activities that are performed automatically by the Society, or performed non-automatically provided that they are part of any data recording system.

In the event of any conflict between the terms of the Policiy and applicable legislation, the provisions of the legislation shall prevail. If there are other policies or regulations created on the same subject for more specific purposes, apart from this Policy, articles containing specific provisions shall be applied first. The provisions of other policies and documents, which are in conflict with this Policy and relevant legislation shall not be applied.

Society’s all structural and non-structural data were monitored and all the physical and electronic recording environments were adjusted.

3. DEFINITIONS

The following abbreviations and terms are used in this Policy.

ExpressConsent: The consent that is obtained for a certain subject, and is expressed with free will as a result of being informed

Anonymization: The process of rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,

Directorate: Directorate for Personal Data Protection Authority

Employee(s): Individuals working at the Society

Law: Turkish Law on Protection of Personal Data no. 6698

Personal Data: All information related to an identified or identifiable natural person

Personal Data Processing: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

Sensitive Personal Data: Data related to a person’s race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, their appearance, membership to associations, foundations or unions, their health, sexual orientation, criminal convictions or safeguards, and biometric and genetic data

Deletion: Making personal data inaccessible and non-reusable by any means for the relevant persons

Society: Darüşşafaka Society

Data Processor: The natural or legal person, who processes personal data on behalf of the data controller based on the authority given by the data controller

Data Controller: The natural or legal person in charge of determining the purposes of and means for processing personal data and of the installation and management of the data recording system

Data Controller Registry: Public registry created under the supervision of the Board and the Directorate

Destruction: Making personal data inaccessible, non-recoverable and non-reusable by any means and by any on

4. RESPONSIBILITY

This document is binding for each employee that works for the firm. If necessary, in the case of aviolation of the policies, the Aothority can take legal action against the violator.

5. IMPLEMENTATION

The protection of personal data is highly important for benefactors / testament benefactors / society members / students / guardians of students / alumni / employees / customers / all stakeholders and all cooperated parties and organisations. With this state of mind, processing and protection of personel data are one of the priorities of Society, and mentioned processes are handling with utmost care.

In accordance with the Turkish Law on Protection of Personal Data no. 6698 (“Regulation”) published on Official Gazette dated 07.04.2016, and other relevant legislation, all organisations titled ‘’data controller’’ shall review data processing proceedings and take all necessary organizational, legal, and technical measures. In this context, Darüşşafaka Society and associations (“Society” or “Darüşşafaka”), located in “Darüşşafaka Mah. Darüşşafaka Cad. No: 5/9 Maslak 34457 Sarıyer/İstanbul”, and it’s business proceedings within complied according to Regulation and created the personal data storage and Destruction Policy (“Policy”) that includes fundamentals regarding personel data processing within Society.

6. RULES FOR THE PROTECTION OF PERSONAL DATA

With Turkish Law on Protection of Personal Data no. 6698 published on Official Gazette dated 07.04.2016, the procedures and principles for the protection of “any information about an identified or identifiable natural person” were determined. The following processes were established in accordance with such principles.

6.1 Principles for Processing Personal Data

Personal data is processed by the Society in line with the following principles.

6.1.1 Processing in Good Faith and in accordance with the Law

The Society acts in good faith when processing personal data. In this respect, the Society does not process personal data for purposes other than those announced to Data Subjects.

6.1.2    Ensuring that Personal Data is Accurate, and Up-to-Date when it is Necessary

The necessary precautions are taken based on technical capabilities and destruction processes are organized to keep the processed personal data accurate and up to date. Control mechanisms have been created to correct personal data in case of any error, and confirm the accuracy of the personal data.

6.1.3 Processing for Specific, Explicit and Legitimate Purposes

The data processing operations that is carried out by the Society are sustained only for legitimate purposes, and in accordance with pre-determined rules and Law. The purposes for processing personal data are determined before the data processing activity begins, and such purposes are clearly announced to Data Subjects when collecting their personal data. If the personal data processing purposes of the Society change, the Policy is updated accordingly, and efforts are made to announce the change to Data Subjects through different applicable channels.

6.1.4 To Be Relevant, Limited and Rroportional to the Purposes for Processing

Personal data is processed with regards to pre-determined purposes of the Society and the processing of personal for the reasons other than these is avoided. Only the data required to meet the specified purposes is collected from the Data Subjects.

6.1.5 Maintaining Data Records for the Necessary Period Prescribed in the Applicable Legislation or for the Purposes which the Data is Processed for

The Society maintains personal data only for the period required by the applicable legislation or for a period required by the purpose for which the data is processed. In this context, personal data is stored for the period stipulated for the storage of personal data in the applicable legislation, if available, and if not, for the periods that are determined in accordance with the purpose of processing as specified in this Policy.

6.2 Terms for Processing Personal Data

The personal data processed by the Society is processed in case of the following conditions.

  1. The express consent of the relevant person is obtained
  2. The obligation to process personal data is clearly stipulated in the law
  3. it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
  4. The processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract.
  5. It is mandatory for the controller to be able to perform his legal obligations.
  6. The data concerned is made available to the public by the Data Subject himself/herself.
  7. The data processing is mandatory for the establishment, exercise or protection of any right.
  8. It is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the Data Subject.

Sensitive data is not processed without the express consent of the Data Subject unless there is any obligation to process that is explicitly stipulated by the law.

6.3 Transfer of Personal Data

6.3.1 Transfer of Personal Data to Third Parties

The Society can transfer the personal data it processes in line with the purposes for processing personal data, to third parties. Third parties to whom data is or can be transferred are categorically listed below. The Society acts in compliant with the regulations of the Law when transferring personal data.

If the conditions under which sensitive personal data can be processed are present, the Society can transfer sensitive data to third parties by taking the measures stipulated by the Board and the necessary security precautions and paying utmost attention to such process.

6.3.2 Transfer of Personal Data Abroad

The Society can transfer the personal data it processes abroad to third parties and affiliates by taking the necessary security measures.

Society transfers personal data abroad on the basis of legal and legitimate purposes, to foreign countries which are announced to have a sufficient level of protection by the Board or, where there is no adequate level of protection. On the other hand if sufficient protection is not provided in the relevant country, Society transfers personal data only if the relevant domestic/foreigner data controllers execute a written undertaking to provide sufficient level of protection and if the Board authorized such transfer.

6.4 Data Controller’s Obligation to Inform

The Society informs personal Data Subjects about how their personal data will be processed during the collection process of personal data, in accordance with the obligation to inform provided in the Law. In this respect, the Society informs the Data Subjects on at least the following issues.

  1. The identity of the Society and its representative,
  2. The purpose of data processing,
  3. To whom and for what purposes the processed data may be transferred,
  4. The method and legal reason of collection of personal data,
  5. Rights of the personal Data Subject

This obligation is fulfilled through Society’s website, the internal announcements and the commercial communication channels.

6.5 Data Security

As per Article 12 of the Law, the Society,

takes all the necessary technical and administrative measures to provide a sufficient level of security so as to,

(i) prevent unlawful processing of personal data,

(ii) prevent unlawful access to personal data and

(iii) ensure the retention of personal data.

6.5.1 Administrative Measures Taken in relation to Personal Data Security

6.5.1.1 Identifying Current Risks and Threats

In order to ensure the security of personal data, the Society first needs to determine the nature of all the personal data that is processed, and then to accurately identify the probability of occurrence of potential risks related to the protection of data, and the losses that may occur in case of such occurrence, and finally to take the necessary measures. The following points are taken into consideration when determining the risks:

(i) Whether the processed personal data it is sensitive personal data;

(ii) What level of confidentiality it requires based on its nature;

(iii) The nature and quantity of the damage that may arise for the data subject in the event of a security breach.

6.5.1.2 Training of Employees and Awareness Activities

In addition to the attacks that violate personal data security, unlawful disclosure or sharing of personal data are also among the major personal data security violations. These may occur as a result of users’ carelessness or inexperience, e.g. opening an email attachment containing malware or sending an email to the wrong recipient, providing access to personal data for third parties.

The roles and responsibilities of everyone working for the Society related to personal data security are determined in their job descriptions. At this point, it is important to provide trainings on possible situations to employees, to participate in awareness activities and to provide an environment where security risks can be determined to ensure personal data safety. In addition, employees are required to sign a non-disclosure agreement as of the date of employment. The disciplinary process to be implemented if they fail to comply with the security policies and procedures is also established.

6.5.1.3 Identifying Personal Data Security Policies and Procedures

Procedures for managing risks and security breaches that may occur for the categories of data that are identified as a result of the personal data inventory are being established. Such policies and procedures are planned to be regularly checked to ensure consistency.

6.5.1.4 Reducing Personal Data Convergence As Much As Possible

As per subparagraphs (b) and (d) of the Second Paragraph of Article 4 of the Law, personal data should be retained as long as it is accurate and up-to-date or for the time required for the purpose for which it is processed. In this context, the Society monitors the demand for personal data and whether the data is retained in the right place. In addition, personal data that is not required to be frequently accessed and archived, is stored in a safer environment to prevent unauthorized access, although it is suitable for the purpose they are processed. 

6.5.1.5 Management of Relationships with Data Processors

The Society pays attention to ensure that the contract it signed with the data processor is in written form, includes a provision indicating that the data processor will act in accordance with the relevant contractual provisions and legislation in light of the instructions of the data controller, and is in compliance with the Policy. The Society also performs or procures the performance of the required controls to ensure that the provisions of the Law are followed.The Society carries out the necessary audits in order to ensure the implementation of the provisions of the Law, 

6.5.2. Technical Measures for Personal Data Security

6.5.2.1 Ensuring Cyber Security

The following measures are taken by the Society:

(i) Ensuring that in particular firewall and gateway is provided

(ii) Providing software and hardware installation and configuration (it also suggests to remove and delete software and services with documented security vulnerabilities, particularly if they are of old versions, from devices, rather than keeping them updated)

(iii) Performing patch management and software updates

(iv) Regularly monitoring whether software and hardware are functioning properly and whether the security measures taken for the systems are sufficient

(v) Granting access authority for employees to the extent that is necessary for their jobs and duties, powers and responsibilities

(vi) Providing access to systems through the use of a username and password

(vii) Ensuring that combinations of uppercase and lowercase letters, numbers and symbols are preferred instead of sets of numbers or letters that are related to personal information and can be easily guessed, when passwords and passcodes are created (it also suggests that data controllers create an access authorization and control matrix, and that separate policies and procedures for access are established to be implemented within the data controller’s organization)

(viii) Limiting the number of password entry attempts

(ix) Ensuring that passwords and passcodes are changed at regular intervals

(x) Making the manager account and admin authority available only for use when it is necessary

(xi) Promptly deleting the account or blocking the access of employees whose business relationships with the data controller have ended

(xii) Using products such as antivirus, antispam software which regularly scan the information system network and detect risks

(xiii) Keeping the above-mentioned products up-to-date and ensuring that the required files are regularly scanned

(xiv) If personal data is to be obtained from different websites and/or mobile application channels, the connections are made via SSL or a with a more secured way.

6.5.2.2 Monitoring Personal Data Security

To prevent the failure to quickly detect attacks to the systems containing personal data and to avoid delayed responses to such attacks:

(i) software and services running on IT networks are monitored

(ii) IT networks checked to determine whether there is an infiltration or an unwanted activity

(iii) The activity logs of all users are regularly recorded

(iv) Security issues are reported as quickly as possible

(v) Efforts are made to establish a formal reporting procedure for employees to report the system and service security vulnerabilities or threats that take advantage of them

(vi) Security software messages, access control logs and other reporting tools are regularly checked

(vii) Actions are taken upon warnings from systems

(viii) Vulnerability scans and penetration tests are carried out regularly to protect information systems against known vulnerabilities

(ix) Evaluations are made based on the results of tests on emerging security vulnerabilities

(x) Evidence is collected whenever undesirable events occur such as information system crashes, malicious software, system-disabling attacks, missing or incorrect data entries, privacy and integrity violations, and misuse of information systems, and then such evidence shall be safely stored.

6.5.2.3 Ensuring the Security of Environments Containing Personal Data

Personal data is stored on devices located in the workplaces of the Society or in hard copy. Physical measures are taken against threats such as theft and loss of such devices and papers. Apart from this, the physical environment containing personal data is also protected against external risks (fire, flood, etc.) and entries to/exits from these environments are controlled.

In addition:

(i) hard copy documents, servers, backup devices, and devices such as CDs, DVDs and USBs are placed in another room with additional security measures

(ii) Hard copy documents containing personal data are kept locked up and in an environment that is accessible only by authorized persons, and unauthorized access to such documents is prevented

(iii) Access control authorization and/or encryption methods are used against situations such as loss or theft of devices containing personal data

(iv) Password keys are stored in an environment that is accessible only to authorized persons, and unauthorized access to such keys is prevented

(v) Regardless of the encryption methods that are used, internationally recognized encryption programs are used to ensure that personal data is fully protected

(vi) Emphasis is placed on key management processes in accordance with the asymmetric encryption method

(vii) Adequate security measures are taken for cases where employees access to the information system network via their personal electronic devices.

6.5.2.4 Storing Personal Data in Cloud

The Society assesses effectiveness of the security measures provided by the cloud storage service provider. In this context:

(i) The contents of the personal data stored in the cloud are known in detail;

(ii) It is ensured that the relevant personal data is backed up and synchronized;

(iii) A two-factor authentication check is applied where the relevant personal data needs to be accessed remotely;

(iv) Personal data is encrypted with cryptographic methods during storage and use, and placed in the cloud medium by being encrypted;

(v) Where possible, separate encryption keys are used, particularly for each cloud solution for which service is received for personal data.

It is essential for all copies of encryption keys, which can be used to make personal data available, to be destroyed when the cloud storage service relationship ends.

6.5.2.5 Information Technology Systems Procurement, Development and Maintenance

While the actions related to the procurement, development or maintenance of new systems are being carried out, a number of security measures are taken by the data controller.

The accuracy and appropriateness of the inputs of application systems which are designed to minimize the possibility of any errors that may occur during a transaction to disrupt the data integrity should be checked, and a control mechanism is planned to be embedded to check whether the information that is entered correctly in such applications is corrupted as a result of an error that occurs during the transaction or in case of a deliberate control request.

If the devices sent to third parties for maintenance or technical support contain personal data, the data storage medium is removed and stored before the device is sent, or only the defective part is sent. If an external employee comes for maintenance and repair, personal data is copied.

6.5.2.6 Personal Data Backup

Personal data may be damaged, destroyed, stolen or lost for any reason whatsoever, or the data may not be accessible due to malicious software. Data is regularly backed up to avoid exposure to such situations.       

Accessibility of backed up personal data is limited to the system administrator, and the data set backups are strictly stored out of the network.

6.6 Data Subject’s Rights and the Complaint Management

The rights of the Data Subjects are identified as finding out whether their personal data has been processed or not, requesting information if processed, inquiring why their personal data has been processed and learning whether the processed data is used for the intended purpose, learning about the domestic/international third parties to whom their personal data has been transferred, asking for corrections of wrongly or incompletely processed data and requesting for third parties receiving the personal data to be notified of such performed transactions, requesting the deletion or destruction of personal data, if the reasons that are required for its processing are no longer , although it was processed in accordance with the provisions of the Law and other relevant laws, and requesting the relevant transaction to be notified to the third parties to whom the personal data is transferred, objecting to occurrence of any detrimental result by means of analysis of personal data exclusively through automated systems and requesting compensation for the damages due to unlawful data processing. In this context, systems are established by the Society to manage the requests of the Data Subject.

If the Data Subject applies to the Society, the relevant request is responded to as soon as possible and within 30 days at the latest. The request of the relevant applicant is fulfilled as far as possible after an evaluation of the request in terms of compliance with the Law and the obligations that the Society must comply with as required by the legislation. If it is decided as a result of the evaluation that it is not possible to fulfill the request, the application of the Data Subject shall be responded with rejection reasons. If the application of the Data Subject is rejected as per Article 14 of the Law, the Data Subject considers the provided response to be insufficient or the Data Subject’s application is not responded on time, the Data Subhject may file a complaint to the Board within 30 days of the date that they receive the response of the Society, and in any case, within 60 days of the date of application.

7. CATEGORIES OF DATA PROCESSED BY THE SOCIETY and DESTRUCTION

The data processing activities by the Society are carried out on the basis of the below categories. The table below specifies the maximum retention periods for the aforementioned categories of personal data, which are stipulated in the legislation or required for the purpose of processing. Personal data other than those with the exceptions listed below, is stored for 10 years and destroyed on the annual periodic destruction date.

 PERSONAL DATA CATEGORY

DESCRIPTION

DESTRUCTION PERIOD

 ID Information

All information regarding the identity of the person included in documents such as a driver’s license, identity card, residence certificate, passport, attorney ID, marriage certificate

10 years from the completion of the purpose for processing

 Contact Details

Information that is used to contact the Data Subject, such as a phone number, address and email

10 years from the completion of the purpose for processing

 Customer / Donor / Prospective Donor Information

Information that is obtained and generated about the Data Subject as a result of our commercial activities and the operations carried out by our business units in this respect

10 years from the completion of the purpose for processing

 Information on Family Members and Relatives

Details about the family members and relatives of the Data Subject, which are processed in relation to the products and services we offer or to protect the legal interests of the Society and the Data Subject

10 years from the completion of the purpose for processing

Information on Customer / Donor Activities

Records on the use of our services, as well as information such as the instructions and requests of customers, which are required for their use of the services

10 years from the completion of the purpose for processing

Information on the Security of Physical Locations

Personal data related to records and documents such as video footage and fingerprint records that are obtained at the entrance of the physical location and during the time spent in the physical location

 

30 days from the completion of the video footage

1 year for certain locations within the school pursuant to the communiqué issued by the Ministry of National Education

Transaction Security Information

Personal data which is processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities

10 years from the completion of the purpose for processing

Financial Information

Personal data that is processed in relation to any information, document and record indicating any type of financial results created based on the type of legal relationship that is established by our Society with the Data Subject

10 years from the completion of the purpose for processing

Prospective Employee Information

Personal data that is processed in relation to individuals who applied to become an employee of our Society or were assessed as prospective employees in line with the human resources requirements of our Society in accordance with commercial practices and rules of integrity or who are in a working relationship with our Society

2 years from the decision for not recruiting the individual

Information on Legal Actions and Compliance

Personal data that is processed as part of the identification and monitoring of our legal receivables and rights, payment of our debts, and compliance with our legal obligations and the policies of our Society

10 years from the completion of the purpose for processing and of all of the legal processes that are required for the entire descent pursuant to the law of inheritance

Audit and Inspection Information

Personal data that is processed as part of the legal obligations of our Society, and compliance with the Society’s policies

10 years from the completion of the purpose for processing

Sensitive Data

Data related to a person’s race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, their appearance, affiliation with an association, foundation or union, their health, sexual orientation, criminal convictions or safeguards, and biometric and genetic data are sensitive personal data.

10 years from the completion of the purpose for processing

Health Data of Employees

Stored for occupational health and safety purposes.

15 years from termination

Marketing Information

Personal data that is processed for the customization and marketing of our products and services in line with the usage habits, likes and needs of the Data Subject, and the reports and evaluations created as a consequence of such processing results

10 years from the completion of the purpose for processing

Request/Complaint Management Information

Personal data in relation to the receipt and evaluation of any requests or complaints addressed to our Society

10 years from the completion of the purpose for processing

Information on Reputation Management

Information that is collected for the purpose of protecting the commercial reputation of our Society, as well as evaluation reports that are created accordingly and information on the actions taken

10 years from the completion of the purpose for processing

Information on Incident Management

Personal data that is processed to take the necessary legal, technical and administrative measures to protect the commercial rights and interests of our Society, as well as the rights and interests of our donors / testament donors / society members / students / student parents / alumni / employees / customers / all partners

10 years from the completion of the purpose for processing

Personal data is destroyed as a result of the elimination of the legal or technical reasons for the storage of such personal data with the expiration of the maximum retention periods, by selecting one of the following methods, namely, Deletion, Destruction and Anonymization. In order to prevent data loss during destruction processes, all technical and administrative measures are taken and it is ensured that unauthorized persons are not involved in the process. The periodic destruction date is identified as the month of July every year.

8. PURPOSES FOR PROCESSING PERSONAL DATA

The data processing activities by the Society are carried out in accordance with the following purposes. These purposes may change from time to time.

  • Planning and execution of the operational activities that are required to ensure that the activities of the Society are carried out in accordance with procedures of the Society and/or the applicable legislation
  • Planning and execution of the business activities
  • Planning and execution of the corporate management activities
  • Planning and execution of the activities for ensuring business continuity
  • Planning and execution of the human resources processes and requirements
  • Planning and execution of the processes for the management of member, donor relationships
  • Monitoring of contractual processes and/or legal requests
  • Planning and/or execution of the financial risk processes of the Society
  • Monitoring of financial and/or accounting affairs
  • Performance of risk management
  • Wage management
  • Planning and execution of the audit activities of the Society
  • Providing information to authorized persons and/or organizations as required by the legislation
  • Monitoring of legal affairs
  • Planning and execution of corporate communication activities
  • Planning and execution of the processes for the management of suppliers or business partners
  • Planning, audit and execution of the information security processes
  • Establishment and management of the information technology infrastructure
  • Execution of the recruitment processes
  • Fulfillment of the obligations arising from the legislation
  • Planning and monitoring the performance evaluation processes of employees
  • Planning and execution of talent and career development activities
  • Planning and/or execution of corporate communication/responsibility/event projects for employees
  • Monitoring and/or inspection of the business activities of employees
  • Planning and execution of external or internal training activities
  • Planning and execution of the employee satisfaction and/or loyalty processes
  • Establishment and monitoring of visitor records
  • Planning and execution of the emergency management processes
  • Execution of the Society legislation procedures
  • Ensuring the security of the workplaces, fixtures and resources of the Society
  • Planning of the operational risk processes of the Society
  • Performance of the elderly care processes

These purposes may involve processes that require an explicit consent depending on the characteristics of the relevant case. In such cases, certain processes are implemented for obtaining explicit consent from the Data Subject in accordance with the Law. If the Data Subject does not give explicit consent, the data of the Data Subject can only be processed under the conditions in which personal data can be processed without the explicit consent as specified in the Law and for purposes that are in line with such conditions.

9. COLLECTION AND TRANSFER OF PERSONAL DATA

Personal data that is collected under the associations legislation and other legislative provisions can be transferred to the relevant persons and/or institutions, business partners and the association community for the services to be provided, and such data can also be transferred to the centers and affiliates within the Society after they are anonymized for statistical analyses to be made in relation to the provided services.

Explicit consents regarding personal data and/or sensitive personal data processed as part of the Society’s activities are obtained verbally, in writing or electronically, depending on the preferences of the Data Subject, by the residences, physical therapy, special care and lifestyle facilities, website, mobile application and call centers.

Explicit consents regarding personal data and/or sensitive personal data collected and/or processed automatically when subscribing to the website and shopping/donating online through the website are received electronically. Accordingly, upon collecting explicit consent statements, the personal data and/or sensitive personal data obtained through the website are processed, stored for legal periods for the purposes of the services and transferred to third parties if deemed necessary. Accordingly, personal data is not stored in cookies and is not shared with other applications or individuals. On the other hand, video footage information from nursing homes is transferred abroad only with the consent of the person staying there.

The residences, physical therapy, special care and lifestyle facilities are monitored with closed circuit camera systems for security reasons to fulfill the legal obligations under the Labor Law No. 4857, the Turkish Code of Obligations No. 6098, the Social Insurance and General Health Insurance Law No. 5510 and the Occupational health legislation, as well as other relevant legislations. Such records are maintained for legal periods for the purposes of the related services and shared with the judicial authorities due to the legal interest of the Society arising from its capacity as the data controller and upon request in cases stipulated in laws.

The persons/organizations to whom personal data can be transferred for the purposes stated above are the judicial authorities in addition to the institutions or organizations permitted by the Turkish Code of Commerce, Tax Procedure Law and other legislative provisions.

10. ORGANIZATIONAL MEASURES FOR THE PROTECTION OF PERSONAL DATA

The Society establishes a management structure to ensure the effectiveness of the Policy. A committee is established within the Society to manage this Policy and the other policies that are linked with and related to this Policy. The duties of the committee are listed below. Apart from these duties, the Committee also carries out the other duties to be assigned by the senior management. The Committee carries out all its activities with the approval of the senior management.

  1. Preparing the basic policies regarding the protection and processing of personal data and also preparing the adjustments to these policies, where required;
  2. Deciding on how to implement and inspect the policies regarding the protection and processing of personal data;
  3. Assigning roles within the Society and ensuring coordination;
  4. Identifying the issues to be worked on to ensure compliance with the Law and the applicable legislation and ensuring the implementation of such issues;
  5. Raising awareness on the protection and processing of personal data within the Society and at the institutions that the Society cooperates with, and organizing training programs for this purpose, and identifying the risks that may occur in the personal data processing activities of the foundation to ensure the necessary measures;
  6. Fulfilling the applications of Data Subjects at the highest level;
  7. Following the developments and regulations in relation to the protection of personal data and taking the necessary actions.

The titles, units and job descriptions of the Committee members who are actively involved in the determination of the retention and destruction processes for personal data are shown in Annex 1.

Enforcement Date: 27.08.2019
Revision No/Date: 01/05.10.2021
Document No: POL.02.002

1. PURPOSE

The purpose of this procedure is to ensure that the complaints that may be received from data subjects in relation to data processed within Darüşşafaka Society (“Society”) under the process of compliance with the Personal Data Protection Law no. 6698 (“Law”) are responded to following a systematic evaluation and conclusion within our Society.

2. SCOPE

This procedure covers the registration, management, evaluation, analysis, reporting and answering of applications filed by data subjects under the Law through a number of communication channels including registered letter, return requested, and delivery by hand, at our Society’s headquarters  at the address of Darüşşafaka Mah. Darüşşafaka Cad. No:5/9 Maslak 34457 Sarıyer/ ISTANBUL, or email with secure electronic signature our address of kvkk@darussafaka.org.

An applicant may have requests as listed below through an application to be submitted to our Society:

a) To find out whether his personal data have been processed or not, and

b) If processed, to request information about processing, and

c) To find out the purpose of processing and whether the processed data are used in accordance with the originally intended purposes or not, and

d) To learn the identity of any persons or entities to whom his personal data are transferred at home or abroad, and

e) If processed incompletely / inaccurately, to request completion of correction of his personal data, and

f) To request deletion/destruction of his personal data under the terms stipulated in Article 7 of the Law, and

g) To request our Society to report the proceedings under subparagraphs (e) and (f) above to third parties to whom his personal data are transferred, and

h) To raise objection against probable results of processing to his detriment due to analysis of his personal data solely by automatic systems, and

i) To claim indemnification of all and any damages and losses, if any, he may incur due to illegal processing of his personal data.

3. RESPONSIBILITIES

3.1. Board of Directors

In order to identify and procure resources needed for effective and efficient handling and management of complaints:

  • To determine and publish a policy that includes commitments for handling and management of complaints and
  • To ensure that objectives of the process are identified.

3.2. Complaint Review Team (Committee)

Chairperson of the Committee

Corporate Contact Person

Board of Directors

Assistant to the Board of Directors

Internal Auditing

Unit Manager

Financial Affairs and Operations

 

Financial Affairs and Finance

Unit Manager

Real Estate Unit

Information Technologies

Business Analysis Specialist

Human Resources

Unit Manager

Donation Communication, Fundraising

 

Donations

Unit Managers

Donation Relations

Contact

Museum

Legal

Attorney at Law

Facility Management

 

Administrative Affairs

Unit Managers

Security

Technic

Purchasing  

Unit Manager and Officer

Warehouse

Darüşşafaka Educational Institutions

 

High School

Principal and Assistant Principals

Secondary School

Yaşam

Infirmary

In-house Physician

Residence

 

Maltepe

Facility Managers

Şenesenevler

Yakacık

Urla

Commercial Enterprise  

 

Maltepe Special Care

Facility Managers

Maltepe FTR

Urla Yaşam

3.3. Personnel

All Society personnel are liable to ensure compliance of the Society for performance of its legal responsibilities and obligations in its capacity as data controller under the Law, and to be cognizant of the Society’s personal data policies and modus operandi of the process.  Personnel are obliged to report to the relevant unit as soon as possible any complaints and/or applications they receive through any means of communication.

3.4. Audit Team

Another task of the Complaint Review Team as cited in Article 3.2 is to ensure effective compliance with the legislation on protection of personal data within the Society, to ensure that the policies on personal data inventory are up-to-date, and to audit and check the currency of personal data protection processes, and the implementation of technical and administrative measures within the departments, by holding meetings at least once a year and setting a roadmap in the light of the recent developments.

4. PROCEDURE

Immediately upon receipt, applications of complaint are directed to the relevant units for resolution. Each complaint is carefully and diligently examined by expert teams and every action taken during resolution phase of the complaint is duly recorded.

Applications delivered to the Society are managed as follows:

In order to make sure that the above-mentioned legal periods are not exceeded, Personnel receiving an application of complaint shall direct the relevant notification to the Complaint Review Team within one business day by referring to the date of delivery of notification on it or in the message. Within one week, after collecting the underlying documents available in the Society, the Team shall share the final response in writing with the Data Subject. All departments are obliged to respond to the Complaint Review Team as quickly as possible for collection of the documents required for the response thereto.

5. EFFECTIVE DATE

This procedure shall enter into force on the date of publication and its enforcement shall be checked by the contact person and the committee.

Please click here for the Darüşşafaka Society and Commercial Enterprise Application Form

This Cookie Policy applies to this website which is operated by or on behalf of Darüşşafaka Society.

We use cookies to allow you to benefit from our website in the most efficient manner possible and to improve your user experience. If you do not prefer cookies to be used, you can delete or block cookies in your browser settings. However, we would like to remind you that this may affect your use of all the features of our website. Unless you change your cookie settings in your browser, we will assume that you accept the use of cookies on this website.

1.What is a cookie and why is it used?

Cookies are small text files that are stored on your device or network server via browsers by the websites you visit.

The main purposes for using cookies on our website are listed below:

  • To improve the services provided to you by increasing the functionality and performance of the website,
  • To improve the website and offer new features via the website and customize the offered features according to your preferences,
  • To ensure the legal and commercial security of the website, you and our Society.

2.Types of cookies used on our website

Cookies are divided into two types: “permanent cookies” and “temporary cookies”. Permanent cookies are created the first time you visit the website, and they remain on your device for the “lifetime”, i.e. validity period of the cookie or until they are deleted by you. They are reactivated each time you visit the website on your device. Temporary cookies, on the other hand, are also known as “session cookies”. Temporary cookies are valid during the “browser session”. The browser session starts when you open your internet browser window and ends when you close your browser window. All temporary cookies are deleted when you close your browser. 

3.Cookies used on our Website

Cookie Remarks Relevant Privacy Policy
Google Analytics It is used to provide a better user experience, to be able to determine the number of visitors and collect statistical anonymous data, and to ensure that advertisements that you may be interested in are presented to you. https://support.google.com/ads/answer/2662922?hl=en
Google Adwords Conversion Google AdWords Conversion tracking cookies help us understand whether you complete some actions on our website(s) after seeing or clicking on one of our ads presented on Google. https://support.google.com/ads/answer/2662922?hl=en
Google (Remarketing) Google uses this cookie to understand what content you interact with on our websites in order to provide you with targeted advertisements on Google partner websites, thereby providing a number of targeted ads based on the content you interacted with on our website(s). https://support.google.com/ads/answer/2662922?hl=en
Facebook Pixel It is used to provide a better user experience, and to ensure that advertisements that you may be interested in are presented to you and measured. https://www.facebook.com/policy.php
Hotjar It is used to provide a better user experience and to collect statistical anonymous data. https://www.hotjar.com/privacy/

4.Blocking the use of cookies

You have the opportunity to customize your preferences for cookies by changing the settings of your browser. Browser manufacturers provide relevant help pages for the management of cookies, specific to their products. Please check the links below for more information.

Chrome: https://support.google.com/chrome/answer/95647?hl=en

Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

Internet Explorer: https://support.microsoft.com/en-us/help/260971/description-of-cookies

Safari: https://support.microsoft.com/en-us/help/260971/description-of-cookies 

The profiling process can be carried out by the methods specified in this Cookie Policy, and the necessary activities are performed for the improvement of our website.

This Cookie Policy issued by our Society may be updated periodically, without prior notice, to demonstrate our personal information practices. If any significant changes are made to our Cookie Policy, there will be a noticeable announcement on our website and such changes will be informed in this way. 

Enforcement Date: 11.05.2020
Revision No/Date: 00/--
Document No: Pol.02.004

Pursuant to Article 38 pertaining to income and expense documents of the Regulation on Associations issued and published by the Interior Ministry in the Official Gazette edition 25772  on 31.03.2005, if and when an Association’s revenues are collected through banks, such documents as  bank receipt or account statement or extract issued by the related bank are considered and treated as an acknowledgement of receipt. Please tick here for the related regulation.

Within the framework of this Regulation, also with a view to complying with the environmental sustainability principles, starting from 1 April 2014, our Society will not separately send a printed receipt to the donators having an e-mail account for their donations below TL 10,000.

Our donators who do not have any e-mail address in our database will, if their address is known by our Society, continue to receive a printed receipt for their donations equal to or more than TL 1,000.

With effect from July 2022, due to the increasing cargo expenses, a separate printed receipt will not be sent to our donators for their donations below TL 1,000, and if, nevertheless , any donator demands so, a printed receipt will be sent to that donator on “cash on delivery” basis.

We hereby would like to thank you for each tree you thus save from being cut, and for each cargo expense which may now be spent by us for education of our students.

For changing your communication and confidentiality choices, and updating your communication data, and for your other probable demands:

Communication Data

Telephone:

  

+90 212 939 2800 #2496

 

E-Mail:

 

bagis@darussafaka.org

 

 

 Hello, How can I help you?