This Personal Data Protection and Processing Policy (" Policy") is issued by Papara Elektronik Para A.Ş (" Papara"), acting as a data controller, in order to make explanations regarding the processing and protection of personal data which has been obtained in accordance with the Law on Protection of Personal Data numbered 6698 ("Law" or "LPPD") of individual data owners listed below and listed in detail under Article 1 of this Policy in accordance with the Law. Papara carries out data processing activities in accordance with its obligations under the Law and the rules of honesty and informs the data owners and related parties through the Clarification Text which is open to public and on www.papara.com website. Users (referred to as Individual Customers), potential users (referred to as potential customers), Papara shareholders, officials, employees and employee candidates, business partner shareholders, officials and employees, representative shareholders, officials and employees, visitors and all other related third parties, as data owners, are in the application area of this Policy. Papara shall amend and update this Policy to adapt to legislative changes.
| Data Category | Explanations |
| Identity Information | Name-surname, Turkish Identity No., identity card information, criminal record information, identity registry information, residence information, driver's license information etc. |
| Communication information | Phone number, e-mail information, address information etc. |
| Corporate information | Title, tax number, tax plate, signature circular, company manager and employee information etc. |
| Representative Information | Representative officer name and surname, address, etc. |
| Provider Information | Provider name, provider code, beneficiary code, VAT declaration registry document, financial scheme information, service information (service name, service type, service code, service tariff plan) etc. |
| User Information | Username and surname, user group information, user password, etc. |
| Financial Information | Bank name, account number, IBAN number, balance information, etc. |
| Document Information | Contracts, court and administrative authority documents, etc. |
| User Transaction Information | Transaction owner information, transaction number, transaction creation date, processing date, payment date, transaction amount, etc. |
| Physical Location Security Information | Entry to and exit from work log records, visitor records, camera records, fingerprint control records, etc. |
| Personnel Information | Payroll information, SSI information, annual leave-excuse minutes, job change forms, employment contracts, information security commitments and any and all kinds of information and documents that are required to be in an employee’s personal file by law without being limited to those listed. |
| Employee Information | Private health insurance, side benefits, performance evaluation reports, mail tracking information, etc. |
| Employee Candidate Information | CV, interview notes, personality inventory records, etc. |
| Request / Complaint Management Information | Any requests and complaints submitted by users, any comments added during the transaction process, and all kinds of records and reports related to them. |
| Data Stored on Device | Contact list, photo gallery (image information), and other data stored on the phone, tablet, or other device where the application is used. |
Personal data collected by Papara in accordance with Article 1 and 2 of the Law, shall be processed in line with the purposes explained in detail below and within the scope of data processing conditions and purposes stipulated under Article 5 and 6 of the Law. During processing of these data, it is declared and undertaken by Papara that it shall act in accordance with the below principles.
- Papara shall
comply with the law and the rules of honesty
during any personal data processing process.
- Papara shall ensure that any personal data it processes as a
data controller is accurate and up to date.
- Papara, as a data controller, shall
limit its data processing activities to specified, explicit and
legitimate purposes
.
- Papara, as a data controller, shall
process the personal data it obtains in line with the purpose of
processing, in a limited and proportionate manner
as notified to the data owner.
- Papara, as a data controller, shall
store any personal data it processes for the period laid down by
relevant legislation or for a period necessary for the purpose of
processing
.
Personal data, which are specified in detail in Article 2 of this Policy; not limited to those listed herein, information obtained directly through human resources processes, directly through our representatives, providers and / or business partners, the connection information recorded in accordance with the legislation when using our website and social media accounts, information and documents that you have shared through written or verbal communications with our Company through the contact forms you have filled in electronically, other forms that you have filled in our workplaces, offices and representatives, and online channels, e-mails that you sent to our Company through the e-mail system, information and documents you sent to our Company via fax or letter, information and documents you shared with the call center through the telephone channel or directly with our Company and / or our business partners, representatives and any contract you have signed with our Company and personal data you shared verbally, in writing or electronically or by any other means are collected in accordance with Articles 1 and 2 of the Law, either partially or fully, automatic or non-automatic methods.
Personal data collected by Papara in accordance with Articles 1 and 2 of the Law and listed in detail under Article 2 of this Policy, shall be processed, transferred and stored for the purposes set out below and in accordance with the personal data processing conditions and purposes set out in Articles 5 and 6 of the Law by Papara and / or individuals and legal entities, including representatives that are in cooperation with Papara or authorized by Papara.
- Performance and execution of services and business activities
provided by Papara and carrying out the necessary tasks and
conducting business processes in order to have the relevant persons
benefit from these services.
- Planning and execution of operational activities required to
ensure that Papara services and activities are carried out in
accordance with Company procedures and / or applicable legislation.
- Sharing information about the services offered by Papara,
which can be used in current campaigns and payment tools, especially
useful for the use of the electronic money service of the Customers
in a wider area and more effective way.
- The data stored on the device can be used for easy processing of
payment transactions (such as money transfer) through the
application and for personalizing the application, and when
necessary, it may be transferred to third parties within the
framework of this Policy.
- Ensuring the legal, technical and commercial business safety of
Papara and the related persons who have a business relationship with
Papara.
- Communication with the relevant persons within the scope of other
contracts or commercial relations.
- Planning and / or execution of audit activities.
- Giving legislation-based information to the authorized
institutions.
- Ensuring the security of Papara operations.
- Planning, auditing and execution of information security
processes.
- Creation and management of information technologies
infrastructure.
- Follow-up of processes related to finance, accounting and / or
billing.
- Follow-up of legal processes, fulfillment of legal obligations.
- Communication and correspondence with official institutions.
- Follow-up of customer requests and / or complaints.
- Follow-up of contract processes and / or legal requests.
- Execution of customer relationship management processes.
- Execution of management processes of relations with
representatives, providers and / or other business partners.
- Planning and / or execution of the access rights of the
representatives, providers and / or other business partners.
- Planning and ensuring customer satisfaction activities.
- Ensuring that the data are accurate and up to date.
- Keeping system records and reporting on the services provided.
- Planning and / or execution of analysis of business activities.
- Planning and / or execution of occupational health and safety
processes.
- Planning and / or executing business continuity activities.
- Planning and / or execution of human resources processes and
needs.
- Managing processes related to personnel employment.
- Planning and / or execution of side benefits and rights for
employees.
- Planning and / or follow-up of employee performance evaluation
processes.
- Planning and / or execution of employee access rights.
- Ensuring the security of the company premises, fixtures and
resources.
- Execution of all other operational activities that may
occur.
Personal data collected in accordance with Articles 1 and 2 of the Law and listed in detail under Article 2 of this Policy may be included in any processing by Papara in accordance with the explicit consent of the data owner. These data may be processed by Papara without seeking the explicit consent of the data owner in following cases in accordance with Article 5 of the Law where:
- It is clearly provided for by the laws.
- It is mandatory for the protection of life or physical integrity
of a person himself or of any other person who is bodily incapable
of giving his consent or whose consent is not deemed legally valid.
- Processing of personal data belonging to the parties of a contract
is necessary, provided that it is directly related to the conclusion
or fulfilment of that contract.
- It is mandatory for the controller to be able to perform its legal
obligations.
- The data concerned is made available to the public by the data
owner herself / himself.
- Data processing is mandatory for the establishment, exercise or
protection of any right.
- It is mandatory for the legitimate interests of the
controller, provided that this processing shall not violate the
fundamental rights and freedoms of the data owner.
Personal data which are collected according to the Articles 1 and 2 of the Law and related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature and these data may be included in any processing by Papara in accordance with the explicit consent of the data owner. These data can be processed by Papara in accordance with Article 6 of the Law, even without seeking explicit consent, in following cases:
- In terms of personal data except for data concerning health and
sexual life; where it is provided for by laws,
- In terms of data concerning health and sexual life; for the
purposes of protection of public health, operation of preventive
medicine, medical diagnosis, treatment and nursing services,
planning and management of health-care services as well as their
financing, by the persons subject to confidentiality obligation or
by competent institutions and organizations.
Personal data which are collected in accordance with Articles 1 and 2 of the Law and listed in detail under Article 2 of this Policy, may be subject to transfer processes by Papara at home and abroad in accordance with the explicit consent of the data owner. These data may be shared and transferred by Papara to our subsidiaries, shareholders, business partners, representatives, service providers, auditors, legally authorized public institutions and organizations and private institutions and organizations, professional organizations and similar organizations, supervisory and regulatory authorities, all kinds of private / public institutions and organizations, such as but not limited to, municipalities, foundations, private persons and other persons and organizations permitted by the legislation that will provide social assistance regarding all kinds of services mediated by Papara provided that it is acceptable as “social aid”, for the purposes of processing, which are described in detail under Article 4 of this Policy and in the presence of any one of the processing conditions listed separately under Article 5 of this Policy for personal data and personal data of special nature in accordance with the Law and within the framework of the terms and purposes of transferring personal data specified in Articles 8 and 9 of the Law. In the transfer of these data abroad without seeking explicit consent; in addition to the conditions explained above, in accordance with Article 9 of the Law; -adequate protection will be sought in the foreign country where the data will be transferred, -in the absence of adequate protection, existence of commitment for adequate protection in writing by Papara and the relevant foreign country and authorization of the Board will be sought.
Papara and / or individuals and legal entities, including representatives whom Papara cooperate with or authorized by Papara shall store personal data only for a certain period of time in accordance with the processing purposes and business practices prescribed in the relevant legislation and stated in this Policy, provided that other regulations for the cases where personal data are allowed to be kept for a longer period or where personal data are required to be kept for a longer period of time in accordance with the relevant legislation are reserved, and erase, destroy or anonymize these data ex-officio or upon the request of the data owner in the event that the purposes for the processing no longer exist.
Personal data collected by Papara and / or individuals and legal entities, including representatives whom Papara cooperate with or authorized by Papara, in accordance with Articles 1 and 2 of the Law, shall be stored confidentially in the Papara database within the scope of Article 12 of the Law, illegal access and processing shall be prevented and these data shall protected. Papara declares and undertakes that it has taken all kinds of technical and administrative measures, including the necessary security measures, to protect the systems that contain personal data from unauthorized access and illegal transactions, that it shows the highest level of attention and care in this regard and it performs the necessary audits or provides the necessary audits to be performed. In case the data processed are damaged or obtained by others by unlawful means although Papara took the necessary measures, Papara shall communicate the breach to the data owner and notify it to the Board within the shortest time.
You, as data owners, have the rights listed below against Papara, acting as the data controller, within the scope of Article 11 of the Law:
- To learn whether your personal data are processed or not,
- To request for information regarding if your personal data have
been processed,
- To learn the purpose of the processing of your personal data and
whether these personal data are used in compliance with the purpose,
- To know the third parties to whom your personal data are
transferred at home or abroad,
- To request rectification of the incomplete or inaccurate data, if
any, and to request reporting of the operations carried out within
this scope to third parties to whom your personal data is
transferred,
- To request deletion, destruction or anonymization of your personal
data although it has been processed in accordance with the
provisions of LPPD and other relevant laws, if the purposes for the
processing no longer exist, and to request reporting of the
operations carried out within this scope to third parties to whom
your personal data is transferred,
- To object to the occurance of a result against you by analyzing
your processed data solely through automated systems,
- To claim compensation for the damage arising from the
unlawful processing of your personal data.
As a data owner, you can fill " Personal Data Owner Application Form " at [ www.papara.com ] for your requests regarding your aforementioned rights and send it to our e-mail address kisiselveri@papara.com by signing it with a secure electronic signature along with the necessary information to identify your identity or you can send a wet-signed copy of this form to our address "Burhaniye Mahallesi, Atilla Sokak, No:7-1, Üsküdar / İstanbul" in person or through a notary or registered letter with return receipt. In the case of a request made by a third party on behalf of the personal data owner, a power of attorney issued by the notary public on behalf of the applicant must also be submitted.
Papara declares and undertakes to conclude your application by giving you a free written reply within thirty days at the latest, as stipulated in the Law, according to the nature of your request. However, if the transaction also requires a cost, Papara reserves the right to claim the fee at the tariff determined by the Board.
In cases where the application of the personal data owner is rejected in accordance with Article 14 of the Law, the answer is insufficient or the application is not answered in due time; the applicant has the right to make a complaint to the Board within thirty and in any case sixty days from the date of application.
Deletion, Anonymization, or Destruction of Your Personal Data
If the reasons requiring the processing of your personal data, which must be kept in accordance with the provisions of the relevant legislation, have ceased to exist, you may request the deletion, anonymization, or destruction of your personal data. You can submit your deletion, anonymization, or destruction requests by filling out the " Personal Data Owner Application Form " at [www.papara.com] for your requests regarding your aforementioned rights and send it to our e-mail address kisiselveri@papara.com by signing it with a secure electronic signature along with the necessary information to identify your identity or you can send a wet-signed copy of this form to our address "Burhaniye Mahallesi, Atilla Sokak, No:7-1, Üsküdar / İstanbul" in person or through a notary or registered letter with return receipt. In the case of a request made by a third party on behalf of the personal data owner, a power of attorney issued by the notary public on behalf of the applicant must also be submitted.
Data owners covered by the application area of this Policy cannot claim their rights explained under Article 9 against Papara, since the cases listed below are excluded in accordance with Article 28/1 of the Law:
- Processing personal data for purposes such as research, planning
and statistics by making it anonymous with official statistics,
- Processing personal data for art, history, literature or
scientific purposes or within the scope of freedom of expression,
provided that national defense, national security, public security,
public order, economic security, privacy or personal rights are not
violated or a crime is not constituted,
- Processing of personal data within the scope of preventive,
protective and intelligence activities carried out by public
institutions and organizations authorized by law to provide national
defense, national security, public security, public order or
economic security,
- Processing of personal data by judicial authorities or
execution authorities regarding investigation, prosecution, trial or
execution proceedings.
However, data owners covered by the application area of this Policy cannot claim their other rights except for the right to claim compensation for damages among their rights explained in Article 9 against Papara in accordance with Article 28/2 of the Law, in the following cases where:
- Personal data processing is necessary for the prevention of crime
or for criminal investigation,
- Processing personal data publicized by the personal data owner,
- Personal data processing is required for the execution of auditing
or regulatory duties and for disciplinary investigation or
prosecution by the public institutions and organizations and
professional organizations that are public institutions, which are
authorized and in charge based on the authority given by law,
- Personal data processing is necessary to protect the
economic and financial interests of the State in relation to budget,
tax and financial matters.