Personal Data Protection Law

Information on the Protection of Personal Data

Türk Telekom’s (“Türk Telekom, TTNET and TT Mobil”) Clarification Text for its subscribers/customers within the scope of the Law No. 6698 on the Protection of Personal Data (“KVKK”) was updated in July 2019. This text contains all details regarding;

a) The identity of data controller,

b) The purpose of processing personal data,

c) To whom and for which purpose personal data may be transferred,

d) The method and legal grounds of collection of personal data and other rights of the data subject under Article 11 of the Law.

In addition, clarification texts are designed and published for employees, visitors, etc. related person categories and different Türk Telekom sites.

Rights of the data subject in the KVKK

ARTICLE 11 – (1) Each person has the right to request to the data controller about himself/herself;

a) to learn whether his/her personal data are processed or not,

b) to request for information as to if his/her personal data have been processed,

c) to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,

d) to know the third parties to whom his personal data are transferred in country or abroad,

e) to demand the rectification of the incomplete or inaccurate data, if any,

f) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7 (personal data shall be erased, destructed or anonymised by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.),

g) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,

h) to object to the occurrence of a result against the person himself/herself by analysing the data processed solely through automated systems,

i) to claim compensation for the damage arising from the unlawful processing of his/her personal data.

Data processing parties on behalf of Türk Telekom

Türk Telekom has authorised dealers, which process the data of customers as a third party on behalf of itself. All dealer employees are informed on the legislation governing the protection of personal data through circulars and information guide. In addition, all dealers have updated subscriber/customer information notices located on visible areas. Detailed information texts are provided to subscribers and dealer employees about the business flows requiring express consent, customer explicit consent templates have been drawn, and all dealers are required to obtain these consents when needed.

All agreements to which Türk Telekom is a party are reviewed and revised in line with the KVKK and the secondary legislation. In addition, trainings, announcements and audits were carried particularly for business partners and dealers as a part of the administrative measure obligation to ensure the security of personal data, and will continue to be carried in line with the possible amendments in the legislation.

Liability of the Company management regarding the protection of personal data

In accordance with the KVKK, the legal entities are responsible for all liabilities arising from this law and the relevant legislation. In terms of Türk Telekom, the Türk Telekom Board of Directors /Executive Committee is responsible for the Confidentiality and Safety of Personal Data as the managing body of the data controllers.

Within this framework, the Board of Directors has decided for the establishment of upper and sub-committees consisting of Assistant General Managers and directors for the monitoring and management of Türk Telekom’s compliance process.

With the aforementioned decision, the Committees were assigned on behalf of the Company within the scope of fulfilling their obligations arising from the KVKK and in accordance with Article 11 of the Regulation on the Registry of Data Controllers (“Regulation”).

Türk Telekom General Manager/CEO has been authorised to determine and change the working principles and duties of the committees and persons to take part in the committees.

The purpose of the mentioned committees is the coordination and organisation of the activities carried out in the field of governance regarding the protection of personal data throughout the Company, monitoring and reporting the actions to ensure full compliance with their requirements, supporting the governance structure, taking and following up strategic decisions, determining resource needs, creating an agenda at the level of the Board of Directors/Executive Committee.

Upper and Sub Committee Members

ı. Upper Committee Members

1- Permanent Members

  • Legal and Regulation Assistant General Manager
  • Technology Assistant General Manager
  • Marketing and Customer Care Assistant General Manager (Marketing and Customer Care Director as representative)
  • Strategy, Planning and Digital Assistant General Manager

2- Advisory Members

  • Regulation Compliance Director (permanent)
  • Regulation Compliance Director (permanent)

II. Sub Committee Members

  • Regulation Compliance Director
  • Cyber Security Director
  • Legal Affairs (Corporate Law and Commercial) Director
  • Employee Experience and Wage Management Director
  • Facility Management Director
  • Technology Audit Vice President
  • Marketing Intelligence and Customer Experience Director
  • Product and Service Management Director
  • Purchasing Director
  • Retail Sales Operations and Control Group Manager
  • Digital Product and Service Development Director
  • IT Architecture and Quality Assurance Director
  • Technology Governance Group Manager
  • Wholesale Customer Service Director

Employee trainings related to personal data security and confidentiality

Personal data security and confidentiality trainings have been assigned online to all permanent employees of Türk Telekom, TT Mobil and TTNET, while regional class trainings were provided to the sales teams, regional employees and dealers’ employees.

The regular trainings provided address the following topics:

  • History and the legal basis of the EU Data Protection Regulation and Turkish legislation governing personal data protection
  • The Company’s main responsibilities on the issue
  • Personal Data Processing Inventory and VERBIS (Data Controller Registry Information System)
  • Rights of the data subject
  • Data storage periods and deletion/destruction
  • Penalties set forth in the applicable law and regulations
  • Special measures that need to be taken in the Company business processes
  • Actions to be taken specifically for sensitive personal data
  • Information security awareness

Türk Telekom has also started compliance studies within the scope of the “Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector”, which was published by BTK on December 4, 2020 and will enter into force on June 4, 2021.