Customer Personal Info Protection Policy
PERSONAL DATA PROCESSING AND PROTECTION POLICY
We have prepared this Personal Data Processing and Protection Policy (“Policy”) to explain how we process and protect your personal data as Getir Araç Dijital Ulaşım Çözümleri Ticaret A.Ş. (“GetirDrive” or “Company”).
As GetirDrive, we process personal data in accordance with the Personal Data Protection Law no. 6698 (“PDPL”) and secondary legislation on the protection of personal data and the decisions of the Personal Data Protection Board (“Board”) (collectively referred to as “PDP Legislation”). We act in accordance with the principles in the PDP Legislation in the processing of personal data and take all necessary measures to ensure the security of personal data.
You can contact us at [email protected] for further information about the processing of your personal data by GetirDrive and to direct your questions.
- PURPOSE AND SCOPE OF THE POLICY
This Policy covers all personal data that GetirDrive processes as data controller, including personal data belonging to its users, employees, employee candidates, officials/representatives, natural person business partners/suppliers, employees of business partners/suppliers, website visitors and workplace visitors.
As GetirDrive, we act in accordance with the PDP Legislation and the principles and rules set out in this Policy in all personal data processing activities.
- OUR RESPONSIBILITIES UNDER THE POLICY
As GetirDrive, we aim to comply with applicable laws, rules, regulations, and best practices in all personal data processing activities we carry out. For this reason, all employees of GetirDrive and other persons involved in the processing of personal data are obliged to comply with this Policy and the principles and rules determined by this Policy. Within this framework, we take the necessary measures to ensure that our employees and third parties who are data processors act in accordance with this Policy.
We have set out below the terms and their definitions in the Policy:
Recipient: The category of natural or legal person to whom personal data is transferred by GetirDrive
Explicit Consent: Freely given and informed consent on a specific subject
Employee: GetirDrive employee
Electronic Recording Medium: Recording medium or mediums where personal data can be created, read, changed, and written with electronic devices
Non-electronic Recording Medium: All written, printed, visual and other recording medium or mediums that are not electronic mediums.
Service Provider: Natural or legal persons who provide services under a contract with GetirDrive
Data subject: Natural persons whose personal data are processed
Destruction: Erasure, destruction or anonymization of personal data
Recording Medium: Any medium in which personal data processed by wholly or partially automatic means or by non-automatic means provided that it is a part of any data recording system
Personal Data: Any information relating to an identified or an identifiable natural person
Personal Data Processing Inventory; Inventory: The inventory that GetirDrive creates by associating the personal data processing activities that it carries out depending on its processes with the purposes of processing personal data, data category, transferred recipient group and data subject group and details the maximum period required for the purposes for which personal data are processed, personal data foreseen to be transferred abroad and the measures taken regarding data security
Personal Data Retention Policy: The policy on which GetirDrive relies for determining the maximum period of time required for the purpose for which personal data are processed, and for erasure, destruction or anonymization
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by wholly or partially automatic means or by non-automatic means provided that it is part of any data recording system
Authority: Personal Data Protection Authority
Special Categories of Personal Data: Data relating to race, ethnicity, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system; within the framework of this Policy, GetirDrive
For the definitions not included in this Policy, the definitions in the PDP Legislation apply.
- OUR LEGAL OBLIGATIONS REGARDING THE PROCESSING OF PERSONAL DATA
As a data controller, we explain our legal obligations arising from PDP Legislation in this section of the Policy.
4.1. Obligation to Inform
As GetirDrive, in processes in which we obtain and process personal data, we fulfil our obligation to inform in accordance with Communique on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform, specific to the process and at the latest at the time of obtaining personal data. In this regard, we take utmost care to inform all data subjects on the following:
- For what purpose the personal data of the data subject will be processed
- Company information (trade name, address, contact methods), information on the identity of the Company representative(s), if any
- To whom and for what purpose the personal data can be transferred
- The method and legal reason for obtaining personal data
- Rights of data subjects arising from the PDPL
4.2. Obligation to Ensure the Security of Personal Data
As GetirDrive, we take all necessary technical and organizational measures in our personal data processing activities in order to ensure the confidentiality and security of personal data and to prevent personal data from breached or accessed by unauthorized third parties. We have detailed the technical and administrative measures we have taken regarding these obligations in section 9 of this Policy. We act in accordance with the PDP Legislation regarding the deletion, destruction or anonymization of personal data; we have included our process regarding the destruction of personal data in section 8 of this Policy.
4.3. Obligation to Respond to Data Subject Requests
As GetirDrive, we carry out our process resolving all requests and applications of data subjects as soon as possible and respond to data subjects within the framework of the GetirDrive Data Subject Request Handling Procedure. In the event that the data subjects send their requests by one of the methods described in the Article 10 of this Policy, we finalize the requests of the data subjects free of charge within thirty (30) days at the latest, explaining the reasons for acceptance or rejection of the request, in accordance with the PDPL.
4.4. Obligation to Register to the Data Controllers Registry
We fulfill our obligation to register with the Data Controllers Registry in accordance with the Article 16 of the PDPL and the Regulation on the Data Controllers Registry. Within the scope of our data processing activities, we keep the registration up to date and provide details of our data processing activities to the public.
4.5. Obligation to Fulfill the Decisions of the Personal Data Protection Board
As GetirDrive, we give utmost importance to compliance with the decisions of the Board, which is an important and integral part of the PDP Legislation. We closely follow all decisions of the Board, especially the principle decisions, which are binding for all data controllers, published on the website of the Authority, and use all means to implement all technical and organizational measures stipulated by the Board for the protection of personal data.
- PROCESSING OF PERSONAL DATA
5.1. Personal Data Processing Activities
We process the personal data of data subjects we collect within the scope of our operations based on the legal reasons explained in the continuation of this Policy. Examples of our data processing activities are given in the tables below.
Table-1: Sample Processes for Processing User Personal Data
Full name, phone number, e-mail address, visual and audio records, driver license and the information contained in it
Registration to the GetirDrive application to benefit from our services, verification of the user’s identity.
Full name, identity information rental and payment information
Making Rental or Reservation and Receiving Payment, Collection
Provision of hourly, daily or monthly vehicle rental services, receiving payments and realizing collection transactions.
Information about your preferences, likes, interests and usage habits
Sending Push Notifications
Sending notifications to your phone about the products and services.
Full name, phone number, e-mail address, information on rented vehicle and usage of rented vehicle, requests & complaints
Request & Complaint Management
Receiving, evaluating and finalizing your requests and complaints when you send us your requests, complaints or comments about our products or services.
Information about your preferences, likes, interests and usage habits, driving data collected through vehicle
Ensuring User Satisfaction
Analyzing preferences, likes, interests and usage habits, and informing users about products and opportunities in line with their communication permission preferences.
Table-2: Sample Processes for Processing Employee Personal Data
Full name, phone number, e-mail address, wages and benefits, insurance information
Establishment of employment contract, creating and storing the personnel files
Signing employment contracts, payment of employee wages and benefits, carrying out storage and archiving of personnel files in accordance with GetirDrive’s obligations arising from laws and secondary legislation, namely Labor Law, Social Security Law, Occupational Health and Safety Law.
Full name, phone number, e-mail address, signature
Carrying out the contract negotiations and signature processes
Finalization and execution of contracts with GetirDrive’s business partners and suppliers.
Table-3: Sample Processes for Processing Business Partner/Supplier Personal Data
Full name, phone number, e-mail address
Procurement of services
Procurement of products and services from third parties within the scope of GetirDrive's operational processes.
5.2. Principles of Processing Personal Data
As GetirDrive, we comply with the following data processing principles when processing the personal data we obtain as data controller:
- Compliance with law and good faith: All data processing activities are carried out transparently in accordance with the legislation and the principles of good faith.
- Being accurate and up to date when necessary: Channels which ensure that personal data are accurate and up to date are always kept open, and effective request channels are provided to data subjects for the rectification of inaccuracies in their personal data.
- Processing for specific, explicit, and legitimate purposes: The purposes for which personal data will be processed are determined in accordance with the legislation and the ordinary course of life, and these purposes are notified to data subjects in a transparent and clear manner.
- Being relevant, limited and proportionate to the purposes of processing: Personal data that are not related to or not needed for the purpose of processing personal data are not processed, and personal data processing activities are not carried out to meet indefinite needs. If the necessity arises to use obtained personal data for other purposes, a new data processing activity comes to the agenda; the activity in question is carried out within the scope of the legal grounds stipulated in the PDPL as a completely new processing activity.
- Retention of personal data for the period stipulated in the relevant legislation or required for the purpose for which personal data are processed: If there is a period stipulated in the legislation for the storage of personal data, this period is complied with. If no such period is stipulated in the legislation, personal data are only stored for the period required for the purposes for the processing.
5.3. Processing of Personal Data
As GetirDrive, we process the personal data we obtain as data controller only when there is one of the legal grounds stipulated in the Article 5/2 of the PDPL. In case of the absence of these legal grounds, we apply for the consent of data subjects in accordance with the Article 5/1 of the PDPL. The legal grounds we rely on when processing personal data are explained below:
- Processing of personal data is governed under the law
- Processing of personal data is necessary for the protection of life or physical integrity of a person who is unable to explain their consent due to a physical disability, or whose consent is deemed legally invalid
- Processing of personal data is necessary for the performance of a contract between GetirDrive and data subjects
- Processing personal data is necessary for fulfilling GetirDrive’s legal obligations
- Personal data has been made public by the data subject himself/herself
- Processing of personal data for the establishment, exercise or protection of a right
- Processing of personal data is necessary for our legitimate interests
While determining whether a data processing activity is necessary for the legitimate interests of GetirDrive, we make an assessment based on the criteria specified in the Board's Decision dated 25.03.2019 and numbered 2019/78; while making this assessment, we carry out a balance test by comparing the fundamental rights and freedoms of the data subject with the legitimate interest that will arise.
In cases where at least one of the above-mentioned legal grounds for the processing of personal data does not exist, we act in accordance with the explicit consent of the data subject for the processing of personal data.
Explicit consent is defined in the PDPL as "consent regarding a specific subject, based on information and expressed with free will". As GetirDrive, we take into consideration the following three elements when asking for the explicit consent of data subjects:
- Being related to a specific subject: The explicit consent of the data subjects is asked for the specific data processing activity/activities and it is ensured that the consent texts are clear and understandable.
- Being based on information: Consent texts and notices are presented together/on the same channel, and it is ensured that the data subject understands the consequences of the data processing activity. In this context, firstly, the data subjects are provided with notice, then they are asked whether they have explicit consent or not.
- Being expressed with free will: When asking for the explicit consent of data subjects, misleading statements that may impair their will are avoided, and alternatives/right of refusal are given to data subjects who do not wish to give their explicit consent.
5.4. Processing of Special Categories of Personal Data
As GetirDrive, we process special categories of personal data by taking the necessary organizational and technical measures stipulated in the PDP Legislation, specifically the Board Decision dated 31.01.2018 numbered 2018/10. In GetirDrive’s Policy on the Processing of Special Categories of Personal Data, we have included the rules and principles we comply with when we process special categories of personal data.
In Getir and BiTaksi mobile applications where GetirDrive services are offered, we use various identification technologies to increase the user experience and to ensure that the application works in the best way. Detailed information on the use of identification technologies can be found in the Information on Identification Technologies on the "Help" page on the "Profile" tab in the applications where GetirDrive services are offered.
5.6. Notifications from GetirDrive App
As GetirDrive, in accordance with the purpose and legal grounds described in the User Personal Data Privacy Notice, we send notifications and communicate via phone or email with to our customers who have given explicit consent through the application. You can manage your communication preferences for notifications sent by GetirDrive on the “Communication Preferences” page in the “Account” tab of the GetirDrive mobile app “Communication Preferences” page in the “Profile” tab of the Getir app.
5.7. Keeping Personal Data Up-to-date
Within the scope of our obligation to keep personal data complete, accurate and up to date arising from PDP Legislation, we provide mechanisms that will allow data subjects to change and rectify their personal data. For example, our users always have the opportunity to update their personal data other than their phone number, on the “Profile” tab on the GetirDrive, Getir or BiTaksi app.
As GetirDrive, in order to ensure the security of personal data during account creation and log-in steps, we confirm the phone number by sending SMS OTP (one-time password) to phone numbers of data subjects. In accordance with the measures for privacy and security of personal data, it is not possible to change phone numbers registered to GetirDrive accounts.
- TRANSFER of PERSONAL DATA
As GetirDrive, in order to provide our services, we work together with infrastructure and IT service providers in Turkey and abroad. We transfer personal data of data subjects to third parties both domestically and abroad in compliance with the legal grounds stipulated under Article 8 titled transfer of personal data and Article 9 titled transfer of personal data abroad, and otherwise in line with the explicit consent of data subjects for the transfer.
- RETENTION of PERSONAL DATA
As GetirDrive, we retain the personal data we process for the period required by the purpose of the processing and within the scope of GetirDrive Personal Data Retention and Destruction Policy, without prejudice to the retention periods stipulated in the relevant legislation.
Within the scope of the process that require personal data processing, we determine a retention period for the personal data processed with business teams. In case personal data is processed for more than one purpose, we destroy (delete, destroy or anonymize) personal data if all the purposes of processing are completed or a data subject requests deletion and there are no legal obligations to retain personal data. We act in accordance with the PDP Legislation in matters of deletion, destruction or anonymization.
- DESTRUCTION of PERSONAL DATA
We destroy personal data upon the request of data subjects or ex officio, provided that the period stipulated in the relevant legislation or required for the purpose for which it was processed expired. We carry out such destruction (deletion, destruction and anonymization) operations within the scope of GetirDrive Personal Data Retention and Destruction Policy, without prejudice to the relevant legislation.
Unless otherwise specified by the Board, we choose the appropriate method of destroying the personal data. In case the data subject has a request for the destruction of personal data, after determining the appropriate method for the destruction of personal data, we explain this method to the data subject along with our reasons.
- SECURITY OF PERSONAL DATA
As GetirDrive, we take necessary organizational and technical measures to ensure the protection of personal data. For example, we use intrusion detection and prevention software to detect and prevent possible cyber-attacks, determine and limit the access authorizations of our employees to personal data, and use data loss prevention software. We have detailed the measures we take to ensure the privacy and security of personal data in this section.
- Organizational Measures
Organizational measures we take for the protection of personal data are as below:
- Regarding the processing and protection of personal data, corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- Personal data security policies and procedures have been determined.
- Existing risks and threats to personal data have been identified.
- Employees who change their position or leave their job are no longer authorized to access personal data.
- Contracts contain data security and privacy clauses.
- There are disciplinary actions in place for employees regarding data security and privacy.
- Personal data processing inventory has been prepared.
- It is ensured that employees are periodically trained on issues related to data security, such as not disclosing and sharing personal data unlawfully, and awareness activities are carried out for employees.
- Extra security measures are taken for personal data transferred via physical methods and the relevant documents are sent in confidential document format.
- Necessary security measures are taken regarding entry and exit to non-electronic media containing personal data.
- Non-electronic media containing personal data are secured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Confidentiality undertakings are prepared to ensure the confidentiality of personal data.
- Data transfer agreements are signed with the data controllers and data processors to whom personal data are transferred and these third parties’ awareness is ensured.
- In the event that personal data is unlawfully obtained by third parties, the procedures to be applied to notify the data subjects and the Board have been determined.
- Policies and procedures for the security of special categories of personal data have been determined and implemented.
- Service providers that process personal data are made aware of data security.
- In-house periodic and/or random audits are carried out.
- Technical Measures
Technical measures we take for the protection of personal data are as below:
- Network security and application security are provided.
- Closed system network is used for personal data transfers through the network.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- The security of personal data stored in the cloud is ensured.
- An authorization matrix has been created for employees.
- Personal data is backed up and the security of backed up personal data is also ensured.
- Personal data security issues are reported immediately.
- Personal data security is monitored.
- User account management and authorization control system are implemented and these are also monitored.
- Access logs are kept regularly.
- Log records are kept without user intervention.
- Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units.
- Encryption method is used.
- Data masking measures are applied when necessary.
- Penetration tests are applied.
- Cyber security measures have been taken and their implementation is continuously monitored.
- Intrusion detection and prevention systems are used.
- Up-to-date anti-virus systems are used.
- Data loss prevention software is used.
- Responsibilities of Employees
Employees who process personal data within the scope of GetirDrive's activities are obliged to pay attention to the following issues according to the procedures and principles mentioned in this Policy:
- All employees who have access to personal data must act in accordance with the procedures and principles specified in this Policy and other relevant policies and procedures regarding the protection of personal data.
- Employees must carry out data processing activities in accordance with the principles of protection of personal data specified in the PDPL.
- When the employees obtain the personal data of data subjects, they must ensure that the data subject is given notice regarding:
- The purpose for which personal data will be processed
- Information on the identity of the data controller and its representative, if any
- To whom and for what purpose the processed personal data can be transferred
- The method and legal grounds for obtaining personal data
- Rights of data subjects arising from the PDPL
- Employees must ensure that the explicit consent of the data subject is obtained before processing personal data, unless it is one of the cases of processing personal data without explicit consent.
- Employees must ensure that all technical and organizational security measures are taken to prevent unlawful processing of personal data.
- Employees must not access or copy personal data except as required by their authorizations, role descriptions and the performance of their duties.
- Employees must not transfer personal data to unauthorized third parties inside or outside GetirDrive and must ensure that personal data is not accessed by unauthorized thirds parties. Employees must not transfer personal data to unauthorized third parties inside or outside GetirDrive and must ensure that personal data is not accessed by unauthorized third parties.
- Employees must ensure that personal data is not accessed by unauthorized persons during data transfer.
- Employees must carry out data processing within the scope of the purposes for which the data processing is necessary and without exceeding their limits.
- Employees must immediately notify authorized persons within the Company if they become aware of a personal data breach.
- DATA SUBJECT RIGHTS
Article 11 of the PDPL regulates the rights of the data subjects. You may exercise the rights pursuant to Article 11 of the PDPL which are as follows:
- To be informed whether your personal data is processed or not
- If your personal data has been processed, to request information regarding the same
- To be informed on the purpose of processing your personal data and whether it is used in accordance with its purpose
- To be informed on the third parties to whom your personal data is transferred in the country or abroad
- To request the correction of your personal data if it is incomplete or incorrectly processed
- To request the deletion or destruction of your personal data within the scope of the conditions stipulated in Article 7 of the PDPL
- If your personal data is deleted or destroyed within the scope of Article 7 of the Law and your personal data is incomplete or incorrectly processed, to request the notification of the third parties to whom the personal data has been transferred to
- To object to the emergence of a result against you due to the analysis of your personal data exclusively by automated systems
- To request compensation of the damage in case you suffer damage due to unlawful processing of your personal data
You may use the following methods to exercise your rights specified in the Article 11 of the PDPL and submit your requests to GetirDrive:
- By using your email address registered in our system to [email protected]
- By using your registered e-mail (KEP) address to [email protected]
- In writing, including the documents proving your identity, to Etiler Mah. Tanburi Ali Efendi Sok. Maya Residences Sit. T Blok No:13/334 Beşiktaş/İstanbul.
You can submit your applications regarding your rights listed above to our Company by filling out the Getir Araç Dijital Ulaşım Çözümleri Ticaret Anonim Şirketi Data Subject Application Form, which you can access from https://getirarac.com/Upload/Docs/Ilgili_Kisi_Basvuru_Formu.pdf.
- ABOUT THIS POLICY
This Policy is reviewed by GetirDrive as needed and updated when necessary.
Apart from this, in case of changes in the PDP Legislation, the changes in the relevant legislation are applied immediately, even if the Policy has not been updated.
Last Updated: December 2022