5. Kadir Has University’s Purposes and Legal Basis for Processing Personal Data
Kadir Has University will only process your personal data for lawful purposes under the GDPR related to the University’s charitable, educational and scientific purposes and arising from your relationship with the University as a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member or an employee, contractor, donor, supporter, research subject, visitor to the University or its website, or attendee at a University event.
When Kadir Has University cannot rely on either of such legal grounds, it will seek your prior consent. For example, GDPR Article 9 generally requires Kadir Has University to obtain your prior consent if it collects special categories of personal data protected under the GDPR (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, the processing of genetic or biometric data to uniquely identify a natural person, health data, or data related to one’s sexual activities or orientation).
The purposes for which Kadir Has University collects personal data, and the legal bases for processing such personal data, are summarized in the chart that appears below.
PURPOSE FOR PROCESSING
LEGAL BASIS FOR PROCESSING
Student Admissions Applications and Other Student Data: Obtaining admissions applications, transcripts, test scores, and related documents from applicants to determine their qualification for admission, and preparing related correspondence, including acceptance and rejection letters; obtaining job applications, resumes, background checks, motor vehicle records, and other background materials from students applying for jobs.
Such processing is necessary for the performance of a contract.
Kadir Has University has a legitimate interest in collecting information needed to evaluate an applicant’s personal, educational, and work background in order to make admissions and employment decisions and otherwise process such applications, and in compiling statistical information to evaluate the University’s diversity, affirmative action, and equal opportunity performance.
Staff and Faculty Job Applications: Preparing acceptance and rejection letters; obtaining job applications, resumes, background checks, motor vehicle records, and other background materials from job applicants.
Such processing is necessary for the performance of a contract.
Kadir Has University has a legitimate interest in collecting information needed to evaluate an applicant’s personal, educational, and work background in order to make an employment decision and otherwise process such applications, and in compiling statistical information to evaluate the University’s diversity, affirmative action, and equal opportunity performance
Managing Student Accounts: Establishing and administering student accounts, issuing invoices, processing payments and refunds, preparing related correspondence, and, if necessary, pursuing collection efforts.
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in charging tuition, fees, and other charges and collecting amounts due related to a student’s education in order to maintain the University’s fiscal stability
Managing Payroll Accounts: Collecting forms needed to satisfy regulatory requirements, and other documents necessary to prepare payroll checks, bank account information, make withholdings, process pension and retirement contributions and payments, and related employee payroll matters.
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in collecting necessary information so that the University can, in a timely and accurate manner, and in compliance with applicable laws, pay its employees their salaries, make appropriate withholdings, and make required reports to and file required documents with the tax authorities.
Managing Expenses, Purchasing, and Reimbursements: Collecting, issuing, and processing expense requests, purchasing invoices, receipts, approvals, payment records, bank accounts, checks, and electronic payments
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in collecting necessary information so that the University can account for expenses, pay bills on time, recover amounts owed to the University, and otherwise administer the University’s day-to-day financial affairs
Administering Grant, Scholarship, and Financial Aid Programs: Accepting, reviewing, and making decisions related to financial assistance programs, including preparing, executing, monitoring, and enforcing grant, scholarship, and loan agreements and notes documenting such financial assistance
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in helping students find financial resources to pay for their education, in complying with third-party lender and federal and state requirements, and documenting and administering such financial assistance programs
Class Registration, Enrollment, and Education Records: Registering students for courses, confirming completion of required course work, accepting, reviewing, and evaluating student course work, operating education software to support teaching, conducting institutional statistical research to measure effectiveness, and for accreditation and collaborative purposes
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in establishing that students are enrolled and completing classes necessary to satisfy enrollment requirements (which may also be a condition to eligibility for certain benefits) and degree requirements, and scheduling and staffing courses, in assigning and evaluating homework, administering tests, and facilitating group instruction and learning.
Evaluating Academic Performance and Granting Degrees: Assigning grades and other performance measures (such as with respect to clinical programs); confirming satisfaction of required classwork and out-of-class requirements applicable to the awarding of degrees; preparing transcripts and diplomas; maintaining long-term graduation and performance records and providing these to employers.
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in evaluating student performance, awarding degrees, recognizing outstanding achievements, holding graduation ceremonies, and providing its graduates and prospective employers with information confirming such performance, degrees, and achievements
Evaluating Faculty and Staff Performance: Preparing and processing evaluations (including self-evaluations), maintaining personnel and disciplinary files, compiling other performance measure data.
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in evaluating the performance of faculty and staff members for purposes of promotions, tenure decisions, disciplinary action, setting salaries, and improving productivity
Issuing and Use of University Identification, Payment: Issuing (a) identification cards bearing faculty, staff or student photos and embedded with personal information for use in accessing University facilities, events, and resources; (b) making payments; and (c) other University purposes, and monitoring all such usages
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in identifying whether an individual is a student, faculty, or staff member, or who is otherwise authorized to be on University property and to access University programs and services, in classifying persons as either University community members or trespassers, in establishing the authority of individuals to take certain actions, and in facilitating the flow of persons, information, and payments throughout the University
Campus Security Measures: Taking measures to protect persons and property (both physical, personal, and digital) through encryption, firewalls, password, reset questions, surveillance cameras, login systems, card-swiping and similar entrance/exit tracking devices, and other security efforts.
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in ensuring the physical and digital security of its campus and the members of the Kadir Has University community, and in preventing, detecting, and taking enforcement action with respect to criminal and other unlawful and/or unauthorized activity; such legitimate interest includes sharing security information with federal, state, and local law enforcement authorities, as required or permitted by law
Complaint and Grievance Procedures: Enabling students, staff and faculty to file and process complaints and grievances by such means as Campus Safety, sexual harassment complaints, Human Resources complaints, and Honor Code grievance appeals process
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in providing procedures for University members to report dishonest behavior, wrongful actions, injurious conduct, and conflicts of interest, and to contest University decisions that are perceived to be unfair or otherwise inappropriate
Offering Access to University Information Services: Providing a user identity account including Kadir Has University email account, storing information on University servers (and servers of third-party processors), allowing students, faculty, staff, and alumni, and other authorized persons the right to use University-licensed software, providing access to educational platforms, assessment tools, social media, library applications, archives, and digital collections
Such processing is necessary for the performance of a contract
Kadir Has University has a legitimate interest in providing access to University information services for learning and communication purposes, in assuring the University’s compliance with applicable licenses and contracts relating to the use of such services, in securing data on such systems, in monitoring the system, and in performing system maintenance, analytics, and upgrades
Recruitment and University Marketing: Tracking inquiries and website activity (including through the use of “cookies” and similar tracking files) to identify and recruit prospective students, faculty, and staff
Kadir Has University has a legitimate interest in identifying both qualified students to attend the University and qualified faculty and staff to work at the University
Research: Conducting educational, scientific, and other research and related statistical analysis
Kadir Has University has a legitimate interest in carrying out experiments, interviews, clinical evaluations, longitudinal studies and other research activities to advance knowledge and translate such research into activities and applications that benefit society
Alumni and Advancement Communications: Maintaining contact information for alumni and donors in order to send correspondence, magazines, newsletters, online communications, invitations, and to seek and accept gifts and donations
Kadir Has University has a legitimate interest in maintaining an ongoing relationship with alumni for informational, networking, job placement, continuing education, and fund-raising purposes, and in communicating the University’s programs and successes to the general public
Categories of Personal Data Collected
In certain instances, Kadir Has University, in its capacity as a controller, may acquire your personal data from a third party, and not directly from you. If this occurs, then within a reasonable period of time, but not later than the earlier to occur of (a) the first time Kadir Has University communicates with you, and (b) one month after Kadir Has University acquires such personal data, Kadir Has University will advise you of the categories of personal data collected, the source from which Kadir Has University acquired such personal data, and certain additional information required under GDPR Article 14.
Recipients/Categories of Recipients Who May Receive Your Personal Data
The specific categories of recipients who will receive your information depend on whether you are a prospective, current, or former student (or such a student’s parent or guardian), faculty or staff member, or a contractor, donor, supporter, or research subject, or have some other status, and the types of personal data that you provide. The categories of recipients are likely to include one or more of the following:
As to the Kadir Has University data collection activities described in the preceding chart, responsible faculty and staff involved in such activities may receive your personal data (for example, personnel in the Registrar’s office will have access to personal data related to student admissions, class registration, enrollment, grades, and transcripts); such persons will generally be located in İstanbul, Turkey.
As to personal data required Turkish Education Ministry departments and agencies, Ministry of Taxation and Finance.
Third parties who underwrite, administer, or provide services related to the personnel’s health insurance, benefits, and pension and retirement programs may receive your personal data;
Lenders and other third parties who assist in originating, monitoring, and collecting student loans, scholarships, and other financial aid programs, may receive your personal data; and
Third-party processors who host and process information in the “cloud” on servers located in Turkey may receive your personal data.
If you would like more detailed information as to the specific identity of recipients receiving particular personal data, please contact the Controller at gdpr@khas.edu.tr.
Transfer of Personal Data
Personal data that you provide while in EU countries may be transferred outside of the EU. The GDPR permits such transfer when necessary for the performance of a contract between you and Kadir Has University, or if Kadir Has University obtains your explicit consent to such transfer. In transferring your personal data to a processor, Kadir Has University will employ suitable safeguards, including those described in the Information Security section below, to protect the privacy and security of your personal data so that it is only used in a manner consistent with your relationship with the University and this privacy notice.
How Long Will Your Personal Data Be Stored?
The GDPR requires that your personal data be kept no longer than necessary. The applicable time period will depend on the nature of such personal data and will also be determined by legal requirements imposed under applicable laws and regulations. If you have specific questions concerning how long a certain type of personal data will be retained, please contact the Controller at gdpr@khas.edu.tr.
You Have Certain Rights to Control Your Personal Data
Articles 15-21 of the GDPR give you the right to control your personal data by directing Kadir Has University, as controller, to do one or more of the following, subject to certain conditions and limitations:
allow you to access your personal data to see what information the University has collected concerning you;
correct (rectify) any inaccuracy in your personal data;
delete (erase) your personal data, unless Kadir Has University can demonstrate that retention is necessary or that Kadir Has University has other overriding legitimate grounds for retention;
restrict the processing of your personal data;
transfer your personal data to a third party (portability); and
upon your objection, stop processing personal data when Kadir Has University is relying on a legitimate interest basis for processing such data unless Kadir Has University can demonstrate compelling legitimate grounds for processing that override your interests in prohibiting such processing.
If You Consent to the Processing of Your Data, You Can Withdraw Such Consent
GDPR Remedies Include the Right to File A Complaint with The Supervisory Authority
If you believe your privacy rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82. These include the right to file a complaint with the EU data protection supervisory authority.
Are You Obligated to Provide Personal Data?
As discussed above, Kadir Has University will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to satisfy certain legal requirements binding upon the University. If you do not provide such information, Kadir Has University will not be able to process such contracts or comply with such legal requirements, and you will not be eligible to receive the benefits that may result from the processing of such contracts, or compliance with such requirements. For example, if you do not provide personal data needed to process an admission, financial aid, student housing application or agreement, you will not be admitted to the University, awarded financial aid, or allowed to live in student housing. Similarly, if you do not provide legally required information needed to process a visa, or as part of a legally required background check process related to a job or internship position, your visa will not be approved and you will not be eligible for such job or internship.
You Have the Right to Know If Kadir Has University Uses Your Personal Data In Automated Decision-Making, Including Profiling
The GDPR limits Kadir Has University’s right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling. Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision. The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party. Kadir Has University does not intend to use personal data in an automated decision-making process, except in the context of such a contract. However, if it does, it will seek your consent for such use.
Information Security
All personal data and special categories of sensitive personal data collected or processed by Kadir Has University under the scope of this Policy must comply with the security controls and systems and process requirements and standards as set forth in the Kadir Has University Data Classification and Handling Policy.