
GDPR Policy

PROTECTION AND PROCESSING OF PERSONAL DATA POLICY

1. PURPOSE

As Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti. (“Company”), registered in Turkey, it is our priority to process personal data of real persons—including our employee candidates, users, members, customers, visitors, and employees—in accordance with the Constitution of the Republic of Turkey, relevant legislation, international human rights conventions to which Turkey is a party, and Law No. 6698 on the Protection of Personal Data (“GDPR or KVKK”). We also prioritize ensuring the effective exercise of the rights of individuals whose data is processed.

Accordingly, we carry out, without limitation, the processing, storage, and transfer of all personal data obtained from our users, members, customers, visitors, employees, and employee candidates in accordance with this Protection and Processing of Personal Data Policy (“Policy”).

The protection of personal data and the respect for fundamental rights and freedoms of real persons whose personal data is processed is the main principle of our policy. Therefore, all activities involving the processing of personal data are carried out with regard for the privacy of private life, confidentiality of communication, freedom of thought and belief, and the right to effective remedies.

To protect personal data, we take all administrative and technical protection measures required by the nature of the data in line with legislation and current technology.

This Policy describes the methods we use to process, store, transfer, and delete or anonymize personal data shared during our commercial, social responsibility, and similar activities in accordance with the principles set forth in the GDPR.


2. SCOPE

This Policy covers all personal data processed by our company, including our users, members, customers, business contacts, business partners, employees, employee candidates, consumers, potential customers, and third parties.

Our policy is applied to all activities involving the processing of personal data managed by our company and has been prepared in accordance with the GDPR, other relevant data protection legislation, and international standards in this field.


3. DEFINITIONS AND ABBREVIATIONS

This section explains specific terms, concepts, and abbreviations used in this Policy.

  • Company: Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti. (www.rhinocenter.net)
  • Explicit Consent: Freely given, specific, informed consent regarding a particular issue and transaction.
  • Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person, even by matching it with other data.
  • Employee: Company personnel.
  • Personal Data Owner (Data Subject): The real person whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Sensitive Personal Data: Data relating to race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, dress and attire, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
  • Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, retrieval, classification, or prevention of use, whether fully or partially by automatic means or, if part of any data registry system, through non-automatic means.
  • Data Processor: Any real or legal person who processes personal data on behalf of the Data Controller upon their authorization.
  • Data Controller: Any real or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.
  • GDPR Board: Personal Data Protection Board.
  • GDPR Authority: Personal Data Protection Authority.
  • GDPR: Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated April 7, 2016, and numbered 29677.
  • Policy: The General Personal Data Protection and Processing Policy of Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti.

4. LEGAL LIABILITIES

The following legal obligations for the protection and processing of personal data as a Data Controller arise under the GDPR:

  • When collecting personal data as a Data Controller, we are obligated to inform the Data Subject about:
    • The purpose of data processing,
    • Our identity, and the identity of our representative if any,
    • To whom and for what purposes the data may be transferred,
    • The method and legal reason for data collection,
    • The rights and issues arising from the law.
  • As the “Company,” we ensure this Policy is clear, understandable, and easily accessible to the public.
  • Our obligation to ensure data security:
    As the Data Controller, we take administrative and technical measures prescribed by legislation to ensure the security of the personal data in our possession. Data security obligations and measures are detailed in sections 9 and 10 of this Policy.

5. CLASSIFICATION OF PERSONAL DATA

Personal Data:
Personal data is any information related to an identified or identifiable real person. The protection of personal data relates only to real persons; data pertaining solely to legal entities is not subject to personal data protection and is excluded from this Policy.

Sensitive Personal Data:
Sensitive data includes data relating to race, ethnicity, political thought, philosophical belief, religion, sect, or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction, security measures, and biometric and genetic data.

Categories of Personal Data
We collect the following categories of personal data for the purposes of membership, licensing, and other services:

Data Category: Identity Information

  • Description: Data relating to identifying a person.
  • Collected From: Employees, employee candidates, customers, users of our website/online store/mobile applications, licensors, visitors, and business contacts.
  • Content: Name, surname, T.C. identification number, photograph, copy of identification.
  • Purpose of Collection: To issue invoices, deliver products or services, conduct advertising and marketing; to comply with legal obligations (labor and social security laws), assess job applications, fulfill commercial needs and obligations, and meet contractual requirements.

Data Category: Contact Information

  • Description: Data used to communicate with the person.
  • Collected From: Employees, employee candidates, customers, licensors, users, visitors, business contacts.
  • Content: Home and work address, mobile phone number, home phone number, postal address, e-mail address, IP address.
  • Purpose of Collection: To provide services, fulfill commercial activities, ensure communication, comply with legal obligations, and manage employment and business relationships.

Data Category: Other Data

  • Description: Other data collected in the course of our commercial activities.
  • Collected From: Employees, employee candidates, customers, visitors, business contacts, individuals registering on our website.
  • Content: Identity and contact information, financial information, web browsing activity, searches and site usage, business contact personnel data, event/organization/training application data, vendor applications, complaint and communication data, e-mail subscription registration.
  • Purpose of Collection: To evaluate applications for training and events, organize events, assess vendor applications, confirm academic identity, perform marketing and promotional activities, fulfill commercial and contractual obligations.

Legal Basis for Personal Data Collection
Personal data is processed for the provision of services, software licensing, file downloads, and employment; on the basis of our obligations under relevant legislation, contractual relationships, and legitimate interests.


6. PROCESSING PERSONAL DATA

Our Personal Data Processing Principles:

  • Lawfulness and Fairness
    We process personal data in accordance with the principles of honesty, transparency, and our obligation to inform.
  • Accuracy and Up-to-Date Data
    We take necessary steps to ensure data is accurate and up to date. The Data Subject can contact us to update or correct their data.
  • Specific, Explicit, and Legitimate Purposes
    Data is processed for specific, explicit, and legitimate purposes consistent with business needs and legislation.
  • Data Minimization and Relevance
    We process personal data only as necessary and relevant for the intended purposes. We do not process unnecessary data. Sensitive personal data is processed only with legal basis or explicit consent.
  • Storage for Statutory and Legitimate Commercial Periods
    Personal data is stored for periods required by legislation or necessary for business purposes. Data is deleted, destroyed, or anonymized once the retention period or processing purpose expires.

Personal Data Processing Purposes (including but not limited to):

  • Conducting licensing activities,
  • Providing customer support within contracts and service standards,
  • Determining and responding to customer preferences and needs,
  • Fulfilling legal obligations,
  • Implementing company procedures,
  • Improvement management and planning,
  • Managing vendor applications,
  • Organizing events and organizations,
  • Ensuring security,
  • Creating and managing visitor records,
  • Managing website and mobile applications,
  • Measuring customer satisfaction,
  • Market research and statistics,
  • Surveys, contests, promotions, sponsorships,
  • Evaluating job applications,
  • Contacting business partners,
  • Marketing,
  • Compliance management,
  • Vendor/supplier management,
  • Advertising,
  • Legal reporting,
  • Risk management and quality improvement,
  • Invoicing.

Processing of Sensitive Personal Data
Sensitive personal data is processed with administrative and technical measures, explicit consent, or where legally required. Health and sexual life data may be processed without consent only by persons or institutions under confidentiality obligation, for public health and healthcare purposes, as specified by law.

Processing Data via Cookies on Our Website
Cookies are used to enhance website operation, improve user experience, and remember preferences. Personal data may be collected, processed, transferred, and stored via cookies. For details, see our "Cookie Policy."

Processing Personal Data Collected Through the Website
Collected through forms for communication, licensing, and purchases:

  • Name, surname,
  • E-mail and phone,
  • Full address,
  • Purchaser/institution billing information (ID number, tax number, tax office).

Collected through application forms:

  • Name, surname,
  • Place and date of birth,
  • Contact information.

Processing Data for Security Purposes
We collect and process personal data to ensure the security of our electronic media (website, server, domain):

  • Website visitor activities and transactions,
  • Registration form information,
  • Visitor details (name, surname, ID number, tax number, tax office).

Processing Data for Suggestions, Requests, and Complaints
For service improvement, personal data is collected and processed through forms for suggestions, requests, and complaints:

  • Name, surname,
  • E-mail,
  • Message content.

Processing Data with Explicit Consent
By law, personal data cannot be processed without explicit consent, defined as informed and voluntary agreement on a specific subject. For sensitive data, section 6 applies.

Exceptions Where Explicit Consent Is Not Required
Personal data may be processed without explicit consent in the following legal circumstances:

  • Where required by law,
  • Where consent cannot be obtained due to actual impossibility,
  • Where necessary for the conclusion or execution of a contract,
  • Where required to fulfill the Data Controller’s legal obligation,
  • Where the data subject has made their data public,
  • Where required for the establishment, use, or protection of a right,
  • Where processing is necessary for the legitimate interests of the Company, provided fundamental rights and freedoms are not violated.

7. TRANSFER OF PERSONAL DATA

Transfer of Personal Data Domestically
Our company acts in accordance with the decisions and regulations of the GDPR and the resolutions of the Personal Data Protection Board (GDPR Board) regarding the transfer of personal data. Unless otherwise stipulated by law, personal data and sensitive personal data are not transferred to other real or legal persons without the explicit consent of the Data Subject. In exceptional cases set forth in the GDPR or other relevant legislation, data may be transferred to authorized administrative or judicial bodies without explicit consent, provided that it is within the legal limits and scope.

Additionally, in situations defined in Article 6 of this Policy:

  • In cases described in Article 6 concerning sensitive personal data,
  • Personal data relating to health and sexual life may only be transferred, without explicit consent, to persons or institutions under a confidentiality obligation or to authorized institutions and organizations for purposes such as protecting public health, providing preventive medicine, medical diagnosis, treatment and care, and managing and financing healthcare services, in line with the measures established by the GDPR Board and relevant legislation.

Transfer of Personal Data Abroad
As a rule, personal data is not transferred abroad without the explicit consent of the Data Subject. However, if one of the exceptions specified in Article 6 of this Policy applies, personal data may be transferred abroad without explicit consent:

  • To third parties located in countries deemed to provide adequate protection by the GDPR Board,
  • If adequate protection is not present, to third parties in countries where both the data controllers in Turkey and in the relevant country commit to sufficient protection in writing and obtain permission from the GDPR Board.

Institutions and Organizations to Which Personal Data May Be Transferred

  • Business Partners: Parties with whom our company has established business partnerships for obtaining licenses, goods, or services.
    • Purpose: To carry out activities planned under the business partnership.
  • Suppliers: Parties providing services under contract as per the needs and instructions of our company.
    • Purpose: To ensure the continuity of services provided by the supplier.
  • Authorized Personnel: Individuals authorized within our company.
    • Purpose: To plan and execute company activities.
  • Legally Authorized Public Institutions and Organizations: Governmental authorities entitled to receive information and documents from our company under applicable regulations.
    • Purpose: As prescribed by relevant regulations.
  • Legally Authorized Private Law Persons: Private legal entities authorized to receive information and documents from our company under relevant laws.
    • Purpose: As prescribed by relevant regulations.

Measures for Lawful Data Transfer

  • Technical Measures:
    • Establishing in-house technical organization for lawful processing and storage,
    • Creating a secure technical infrastructure for databases,
    • Monitoring and auditing the technical infrastructure,
    • Reporting and updating technical measures regularly,
    • Implementing virus protection, firewalls, and similar security software/hardware,
    • Keeping up with technological developments and risk mitigation.
  • Administrative Measures:
    • Establishing access policies and procedures,
    • Training and informing employees and consultants about data protection,
    • Embedding data protection clauses in employment and consultancy contracts,
    • Auditing third-party data processors and their partners for compliance.

8. STORAGE OF PERSONAL DATA

Retention for Required Periods
Personal data is stored for as long as necessary for the processing purpose and as stipulated by relevant legislation. Where personal data is processed for more than one purpose, it is deleted, destroyed, or anonymized upon request by the Data Subject (such request must be clearly communicated by mail with a wet signature) unless otherwise prohibited by law. Destruction, deletion, or anonymization procedures follow the legislation and GDPR Board decisions.

Measures for Secure Storage

  • Technical Measures:
    • Developing infrastructure and audit mechanisms for deletion, destruction, and anonymization,
    • Securing storage of personal data,
    • Employing technical experts,
    • Creating business continuity and emergency plans,
    • Installing state-of-the-art security systems for storage areas.
  • Administrative Measures:
    • Raising awareness among employees and consultants about storage risks,
    • Including necessary security provisions in agreements with third parties for storage.

9. SECURITY OF PERSONAL DATA

Our Obligations Regarding Data Security

We implement administrative and technical measures, considering technological capabilities and costs, to:

  • Prevent unlawful processing,
  • Prevent unauthorized access,
  • Ensure lawful retention.

Measures to Prevent Unlawful Processing

  • Conducting necessary inspections and audits,
  • Training and informing employees and business consultants,
  • Ensuring all business units process personal data lawfully,
  • Including security measures in contracts with external processors,
  • Investigating and reporting unlawful disclosures or data leaks to the GDPR Board as required.

Measures Against Unauthorized Access

  • Employing technical specialists,
  • Regularly updating technical protections,
  • Setting up access authorization procedures,
  • Auditing and monitoring data recording systems,
  • Planning for emergencies and developing contingency systems,
  • Educating staff and consultants on access rights and procedures.

Actions in Case of Unlawful Disclosure

  • Taking immediate administrative and technical action,
  • Notifying the Data Subject and GDPR Board in case of unauthorized disclosure,
  • Announcing the breach on the GDPR Board’s website or by other means if deemed necessary.

10. RIGHTS OF THE PERSONAL DATA OWNER (DATA SUBJECT)

We inform Data Subjects of their rights and ensure technical and administrative structures to exercise these rights. Data Subjects have the following rights:

  • To learn whether personal data is processed,
  • To request information if personal data has been processed,
  • To learn the purpose of processing and whether data is used for the intended purpose,
  • To know third parties to whom personal data is transferred domestically or abroad,
  • To request correction of incomplete or inaccurate personal data,
  • To request deletion or destruction of personal data if processing grounds disappear,
  • To request notification to third parties of corrections, deletions, or destruction,
  • To object to outcomes resulting from automated analysis of personal data,
  • To seek compensation for damages arising from unlawful processing.

Exercise of Rights

Requests must be sent as a clear, original, and wet-signed petition to İçerenköy Mh. Değirmenyolu Cad. Kutay İş Merkezi B Blok No: 18 K: 4 D: 9 34752, Ataşehir/Istanbul or emailed with a secure electronic signature to info@rhinocenter.net. Requests must be specific, relevant to the applicant, and accompanied by identification and supporting documents.

Application Evaluation

  • Response Time: Applications are concluded as soon as possible, and within 30 days at the latest, free of charge (unless the GDPR Board publishes a fee tariff). Additional information may be requested if necessary.
  • Right to Reject: Applications may be rejected, with justification, in the following cases:
    • Where data is processed for statistical, research, or other lawful purposes,
    • Where processing does not infringe privacy or constitute a crime,
    • Where data has been made public by the data subject,
    • Where requests are baseless, contrary to law, or not made in compliance with procedures.

Complaint Procedure

If an application is rejected, the response is insufficient, or no reply is given within the period, the applicant may file a complaint with the GDPR Board within 30 days of receiving the response, or within 60 days of the application date.


11. PUBLISHING AND STORING THE POLICY

This Policy is retained both in printed and electronic formats.


12. ENFORCEMENT

This Policy enters into force upon publication on the Company’s website.