THE POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

 

CONTENTS  

DEFINITIONS 2

ABBREVIATIONS/ACRONYMS 3

PERSONAL DATA PROTECTION AND PRIVACY POLICY    4

  1. INTRODUCTION   4
  2. PURPOSE AND SCOPE   4
  3. PERSONAL DATA 5
  1. Definition of Personal Data   5
  2. General Principles for Processing of Personal Data   5
  3. Personal Data Processed by Mars Sportif    6
  4. The Purposes of Processing Personal Data   6
  5. Transfer of Personal Data Inside and Outside Turkey 7
  6. Methods of Collecting Personal Data 8
  7. Retention Period for Personal Data   8
  8. Security of Personal Data and Security   9
  9. Measures taken by Mars Sportif for The Protection and Security of Personal Data 9
  10. Data Subject’s Rights withing The Framework of The PDPL 11

 

  1. COOKIES AND SIMILAR TECHNOLOGIES 12
  2. THIRD PARTY SITES, PRODUCTS AND SERVICES   12
  3. AMENDMENTS 13
  4. EFFECTIVE DATE 13
  5. ANNEX: PERSONAL DATA RETENTİONAND DESTRUCTION  POLICY 14

 

 

 

 

 

 

 

 

 

DEFINITIONS

Explicit Consent

Shall mean a consent that is related to a specific issue, based on information and expressed with freewill.

Anonymization of Personal Data

Refers to a process by which personal data is irreversibly altered in such a way that a data subject can no longer be associated with an identified or identifiable real person in any way, even if the personal data is matched with other data.

Application Form

Shall mean the application form annexed to this Policy which is used by data subjects to submit their requests regarding exercising any of their rights as data subjects under the relevant legislation.

Website/Websites

Shall mean any or all of the following websites owned by Mars Sportif:  www.macfit.com.tr, www.nuspa.com.tr, www.marsathletic.com

Business Partner

Shall mean persons, whether natural or juridical, with whom Mars Sportif during the course of its business operations, either individually or together with its parent company(ies) or group companies, has formed a business partnership for purposes such as carrying out various project, receiving services, and etc.      

Personal Data

Refers to any information relating to an identified or identifiable natural person.

Processing of Personal Data

Refers to any type or kind of operation or set of operations which is performed upon personal data such as collection, recording, organization, storage, adaptation or alteration, disclosure, transmission, dissemination, retrieval, making available for use or collection, categorization or blocking its use, wholly or partly, whether through automatic means, or through non-automatic means or other means provided that they form part of a filing system.

Data of A Sensitive Nature

Shall mean data relating to race, ethnicity, political views, philosophical belief, religious denomination or other beliefs, clothing and attire, membership in associations, charities or trade unions, health, sex life, convictions, security measures, biometric and genetic data.

Data Subject

Shall mean a natural person whose personal data is processed. 

Data Controller

Shall mean a natural or legal person who is responsible for the determination of the purpose and means of the processing of personal information as well as for establishment and management of the place where the personal data is registered and maintained (data registry system)

 

ABBREVIATIONS/ACRONYMS 

PDPL

Refers to the Law No 6698 on the Protection of Personal Data  published in the Official Gazette No 29677, dated April 7, 2016

KVK Board

Refers to the Personal Data Protection Board

Mars Sportif/Company

Mars Sportif Tesisler İşletmeciliği A.Ş.

Policy

Shall mean the Personal Data Protection and Privacy Policy prepared  and issued by Mars Sportif Tesisler İşletmeciliği A.Ş.

 

 

 

 

PERSONAL DATA PROTECTION AND PRIVACY POLICY

 

  1. INTRODUCTION  

 

As Mars Sportif Tesisler İşletmeciliği A.Ş. (“Mars Sportif”) we give utmost importance to the protection of personal data of individuals who come into contact and/or conclude an agreement with us, either personally or as a representative of a company or other organization or institution and/or our customers/members who benefit from the services we offer, and our business partners, shareholders, employees and other natural persons who contact us  for a job application or by visiting our Websites or through our mobile applications or social media platforms or by any other means.  

 

We, acting in our capacity as a “Data Controller” have prepared this Personal Data Protection and Privacy Policy (the “Policy”) to describe our policy approach on the processing of personal data withing the framework of the Law No 6698 on the Protection of Personal Data (“PDPL”). 

 

  1. PURPOSE AND SCOPE

 

The Law No 6698 on the Protection of Personal Data (“PDPL”) was published in the Official Gazette No 29677 of April 07, 2016. PDPL has been enacted for the purpose of protecting fundamental rights and freedoms of individuals whose personal data is processed including the right to privacy of private life and defining and regulating the respective obligations of the persons, whether natural or juridical, processing personal data.   

 

The purpose of this Policy is to develop and implement management instructions, procedural requirements and technical policy to ensure that personal data relating to relevant persons described above is processed and protected in accordance and in compliance with the provisions of the PDPL by Mars Sportif.      

 

This Policy applies to all activities conducted regarding the processing and protection of all personal data owned or managed by Mars Sportif.  This Policy has been designed and prepared based on the PDPL and other applicable legislation regarding the processing and protection of personal data.   

 

  1. PERSONAL DATA

 

  1. Definition of Personal Data

Pursuant to article 3/I (d) of the PDPL “personal data” refers to all information relating to an identified or identifiable natural person. In this regard; anonymous data, data rendered anonymous or other data that cannot be associated with an identifiable person does not qualify as personal data under this Policy.

 

  1. General Principles for Processing of Personal Data

Pursuant to article 3/I (d) of the PDPL, the term “processing of personal data” shall mean and include any operation or set of operations performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof by automatic means, in full or in part, or non-automatic means provided that the process is a part of any data registry system.

Mars Sportif processes personal data in compliance with the principles set out below:

  1. Lawfulness and conformity with the rules of honesty (bona fides);   
  2. Accuracy and being up-to-date; 
  3. Being processed for specific, explicit and legitimate purposes;
  4. Being relevant, limited and proportionate  to the purposes for which data is processed; 
  5. Retained for the period of time determined by the relevant legislation or the period deemed necessary for the purpose of the processing designated by the relevant. 

 

In this respect, your personal data and/or your data of a sensitive nature captured, acquired or obtained by Mars Sportif, acting in its capacity as a Data Controller and by branches/clubs, subsidiaries of Mars Sportif or through websites including but not limited to all kinds of channels, in oral, written or electronic media within the scope of the PDPL or other legislation may be acquired, collected, recorded, stored, retained, modified to the extent and manner provided for in the PDPL and shared with and processed by any person deemed appropriate by Mars Sportif including other persons and/or relevant third persons whether natural or juridical and whether based in Turkey or in a foreign country for legal, legitimate or lawful reasons or in line with the actual requirements for the services offered by Mars Sportif, also including cross-border data transfer.   

 

  1.  Personal Data Processed by Mars Sportif

Mars Sportif may process general personal data and personal data of a sensitive nature with the explicit consent of the relevant data subject or without the explicit consent of the relevant data subject in cases provided for in articles 5 and 6 of the PDPL.

 

Personal data may be processed by Mars Sportif in accordance with and within the limits specified in the relevant provisions of the applicable laws and regulations, communiqués, circulars and other legal arrangements enacted under these relevant applicable laws including but not limited to the Law No 6502 on Consumer Protection, and Regulation on Subscription Agreements and   Regulation on Distance Contracts introduced under this Law, Law No 6563 on the Regulation of Electronic Commerce, Regulation on Private Physical Training and Sports  Facilities, Labor Law No 4857, Social Insurance and General Health Insurance Law No 5510, Turkish Commercial Code No 6102, Tax Procedure Law No 213. 

 

Personal data that may be processed by Mars Sportif, in the light of other relevant legislation and in line with the rules set forth in this Policy and legitimate interests of are set out below:  

  1. Additional personal data peculiar to and distinguishing a data subject from others such as name, surname, educational background, professional background, professional experience, gender, marital status, citizenship status;     
  2. In cases where presentation of an identity document is mandatory, information and data contained in documents which may be used to prove a person’s identity such as identity card, passport and driver’s license;    
  3. Contact details such as address, phone number, electronic mail or facsimile number of home, business place, office or temporary residence;
  4. Records of communications with Mars Sportif such phone calls and conversations and electronic mail correspondences and other audio and visual data, records of complaints and claims, and data from CCTV footage;   
  5. Data intended to identify the habits of the members and club usage data with the aim of developing and improving service standards;   
  6. Data such as Internet protocol (IP) address, device identity, unique identifier, device type, advertisement identity, unique device symbol, statistical data relating to website view and display, incoming and outgoing traffic data, routing URL, Internet log data, location data, visited websites and data concerning acts executed via our web sites, platforms, Internet network and our advertisement and electronic mail contents.
  1. The Purposes of Processing Personal Data

Mars Sportif may process personal data for the following purposes and may retain your personal data as long as it is needed to conduct its legitimate business purposes and/or to comply with its legal obligations:   

  1. To fulfill its legal and administrative obligations;  
  2. To negotiate, construct, execute and perform present/future agreements;
  3. Development and efficient provision of services demanded  by members, creation and registration of a personal account for the member on the website, handling and management of subscription procedures through the internet using the personal account, informing members and customers about campaigns and opportunities or explore new methods of marketing and efficiently communicating to customers about prices of services provided and promotion, bringing, introducing, delivering other offerings, proposals and information to members and customers;   
  4. To ensure the security of  the website(s) and other electronic systems, social media accounts and physical environments owned and/or  operated by Mars Sportif;  
  5. Promotion, publicity and advertising of Mars Sportif’s services  as well as design and development of these services, seeking the opinion of the data subject through polls,  surveys and voting;      
  6. To ensure access control and entry- exit security  and to prevent uncontrolled and unauthorized access;
  7. To celebrate our members’ and/or customers’ and/or data subjects’  birthdays, to inform our members and/or customers and/or data subjects about lotteries and contests and to provide their participation in lotteries or contests, to present gifts  and to organize and hold other events, promotions and campaigns  of a similar nature;   
  8. To investigate, identify, detect and prevent any breach of contract and any unauthorized, fraudulent or illegal activity and to report  any such case to the relevant competent administrative or judicial authorities or bodies;   
  9. Settlement of legal disputes that have already arisen or that may arise in the future; 
  10. To respond to demands, claims and inquires; 
  11. To deal with companies law and partnership law matters;  
  12. Conduct of the recruitment process withing the framework of human resources policy;  
  13. Evaluation of the job applications and fitness of the applicant for the job and finalization of the application process, getting into contact with candidates who apply for a job;  
  14. In cases where data processing is mandatory for the establishment, exercise or protection of any right;  
  15. Mars Sportif’s Protection of the legitimate interests, provided that it does not  harm the fundamental rights and freedoms of the relevant data subject;       

 

  1. Transfer of personal data Inside and Outside Turkey  

Mars Sportif may transfer personal data obtained for the purposes set forth in this Policy to third parties inside or outside Turkey and process and store on servers or other electronic media located either in Turkey or abroad provided that Mars Sportif complies with general principles enumerated in the PDPL and adheres to the requirements stipulated in articles 8 and 9 of the PDPL and further provided that all necessary safety measures are taken by Mars Sportif.

 

While third parties to whom personal data may be transferred may vary depending on various factors such as the type (membership relationship, business relationship) and nature of the relationship between the relevant data subject and Mars Sportif, in general they comprise the following: (i) Mars Sportif Group Companies, (ii) Settlement and custody institutions, platform owners, data broadcasting organizations, infrastructure providers and other business partners, suppliers and subcontractors with whom Mars Sportif works, either  in or outside Turkey; (iii) Any competent authority or governmental or public agency; (iv) Banks for collection  purposes and/or organizations authorized to collect on behalf of Mars Sportif and companies and other organizations either based in Turkey or abroad and other relevant third parties with whom Mars Sportif works to carry out its collection activities.  

 

  1. Methods of Collecting Personal Data  

Mars Sportif may collect personal data in written or oral form, or audio or visual recording or audio-visual mode or in other physical or electronic media or paper-based systems through various channels for the purposes set forth in this Policy in accordance with the provisions and within the framework of the conditions set forth in articles 5 and 6 of the PDPL.  Furthermore, personal data may also be collected by and/or through head office, branches, other venues and physical spaces owned by Mars Sportif, call centers, websites, mobile applications, electronic transaction platforms, social media and other publicly available channels or events organized, sales and marketing units, customer forms, proposals, cookies used during Website(s) visits or by any other means through which data subjects may contact.        

 

  1. Retention Period for Personal Data

Except in cases where it is permitted or required, by law, to retain personal data for a longer period of time, Mars Sportif stores and retains personal data, that it has obtained and processed in line with the purposes set forth in this Policy and Annex- Personal Data Retention and Destruction Policy and in accordance and in compliance with the relevant provisions of the PDPL, for a specific period of time for retention specified by the PDPL and other special laws.

 

Mars Sportif stores personal data until it is no longer necessary for the purpose(s) for which such data is collected and/or processed and the expiration of the period required or permitted by the PDPL and other relevant laws and relevant legislation,  however Mars Sportif  may still continue to store personal data only in cases where such personal data serves as evidence in legal proceedings, or for the purpose of claiming of a right depending on such personal data and/or establishing defense or submission to competent authorities upon their request. In determination of the said periods of time, statutory limitation and retention periods with respect to claiming such right and/or establishing are taken as a basis. In such cases, personal data may not be accessed for any purpose other than settlement of the relevant legal proceedings.

The statutory limitation and retention periods referred to above are closely and diligently monitored by Mars Sportif and personal data whose retention period has expired is erased, destroyed or anonymized by Mars Sportif in accordance with the relevant provisions of the PDPL in the manner as specified in detail in the Annex- Personal Data Retention and Destruction Policy.         

 

  1. Security of Personal Data and Supervision 

Within the framework of article 12 of the PDPL, Mars Sportif, acting in its capacity as a “data controller”, takes all necessary technical and administrative measures to provide a sufficient level of security to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the safe retention of personal data. To that end, Mars Sportif (i) ensures that its internal organization operates and business operations are conducted in compliance with the internal polices and rules designed, developed and implemented for the protection of personal data; (ii) ensures that all necessary trainings are provided to its employees regarding the legislation on personal data protection and internal policies and rules designed and developed in line therewith as well as employees’ duties and responsibilities relating to personal data protection and privacy policy are clearly defined and effectively communicated (iii) takes all reasonable statements to ensure that its employees and other persons, institutions and organizations processing personal data on behalf of Mars Sportif are bound by confidentiality and privacy obligations in relation to the protection of personal data by requiring each of them to sign a commitment letter or declaration, to that effect, (iv) adopts and implements all necessary information security measures to ensure the security of personal data in and outside the company and to prevent unauthorized access to personal data (v) ensures that internal policies and rules designed and developed and implemented for the protection of personal data are complied with and adhered to at all times, (vi) periodically at regular intervals checks the adequacy of the measures taken and supplies and installs new data security systems and/or enhances and upgrades the existing systems depending on the needs and possibilities and performs all necessary audits as part of the security management system.   

 

  1.  Measures Taken by Mars Sportif for Ensuring the Protection and Security of Personal Data 

Mars Sportif;

  1. Ensures that personal data collected is processed in accordance with the principles set forth in article 4 of the PDPL and in a manner in compliance with the conditions specified in articles 5 and 6 of  the same law;
  2. Fulfills its  “Duty to Inform and Disclose” imposed on it as a “Data Controller” withing the framework of the PDPL through Disclosure Statements posted on the websites owned by Mars Sportif and its clubs’ platforms;
  3. In cases where legally required, acting in its capacity as a Data Controller, establishes the necessary infrastructure to obtain an “explicit consent” from the relevant data subject to ensure that personal data is obtained and processed in accordance and in compliance with the PDPL;     
  4. Establishes the necessary infrastructure to ensure that personal data is collected in accordance and in compliance with the PDPL  for the purposes of communication, marketing, promotion, advertising and  providing information and opportunity notices  and makes necessary revisions and changes to the in-house based applications;  
  5. Creates necessary conditions and takes all necessary measures for the collection and storage of personal data in compliance with the relevant provisions of the PDPL during the job application and hiring process; 
  6. Mars Sportif, either ex officio or on request of the relevant data subject, erases or destructs personal data processed in compliance with the relevant provisions of the PDPL and  other relevant laws, rendering it permanently unusable and unrecoverable or anonymizes such data in the event the reasons for the processing of personal data  no longer exist and  expiration of the retention periods set out in the article of this Policy under  the heading “Retention Period  for Personal Data”  and Annex- Personal Data Retention and Destruction Policy.   Mars Sportif introduces limitations or in-house data access authorizations in accordance with the PDPL to ensure data security, and carries out the procedures of destruction of personal data that needs to be destroyed rendering it irretrievable, inaccessible and unusable by anyone;
  7. Takes all necessary technical and administrative measures to provide a sufficient level of security to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the safe retention of it in accordance and in compliance with the PDPL. Mars Sportif, for the purposes of ensuring data security and safe storage develops and enhances in-house encryption policies and configures existing encryption settings;    
  8. Mars Sportif, for the purpose of defending against data loss and preventing data leakage, takes all necessary in-house data security measures through various in-house applications and outsourced security tools;
  9. Determines statutory retention periods depending upon the type and nature of the personal data collected in a manner in compliance with the provisions of the relevant legislation.   The Company designs and develops retention policies in compliance with the determined retention periods and puts it into implementation;    
  10. Takes all reasonable measures to prevent unauthorized access to and use of personal data processed and transferred or data transferred from other parties by different departments and persons, whether natural or juridical, who process personal data based upon the authority granted to them by Mars Sportif.      
  11. Periodically audits data storage operations performed by persons, whether natural or juridical, who process personal data based upon the authority granted to them by Mars Sportif.
  12. In the event of unauthorized or unlawful access to personal data by third parties despite all reasonable technical and administrative measures have been taken with respect to the process, transfer and storage of personal data Mars Sportif shall take all reasonable technical and administrative measures for protection of personal data in accordance with the relevant legislation and decisions of Personal Data Protection Board to prevent any harm to those concerned.    
  13. Monitors and audits data register systems used withing the company in a periodic manner to verify whether they are designed, developed and used in compliance with the  with the PDPL and relevant legislation 

 

  1. Data Subject’s Rights Withing The Framework of The PDPL

Pursuant to article 11 of the PDPL data subjects are entitled to:

  1. Learn whether his/her personal data has been processed;
  2. Request information as to the processing of his/her personal data;
  3. Learn the purpose of processing of his/her personal data and whether it is used in conformity with the purposes for what they are collected;
  4. Request information about third parties located within the country or abroad to whom his/her personal data has been transferred; 
  5. Request rectification and correction in the event his/her personal data has been processed incompletely or inaccurately;
  6. Request deletion or destruction of his/her personal data within the framework of the conditions provided for in article 7 of the PDPL;
  7. Request transactions made pursuant to subparagraphs (d) and (e) above be communicated to third parties to whom his/her personal data has been transferred;  
  8. Raise an objection to any adverse outcome to the detriment of or against him/her resulting from analyzing his/her processed data exclusively by automated systems;  
  9. Request compensation for his/her losses in the event he/she suffers or sustains any loss or damage due to the processing of his/her personal data in violation of the law; 

 

If a data subject wishes to exercise any of his/her rights set forth above, he/she is required to complete the application form annexed to this Policy and submit a copy of application form with wet-ink signature form by personally delivering it to the closest branch or sending it through a notary public together with the identity documents proving the identity of the applicant. In the event, the Personal Data Protection Board decides that data subjects may submit their requests by other methods other than those described above Mars Sportif will announce the channels, methods and procedures to be used for submission of applications.       

 

Pursuant to article 13 of the PDPL, Mars Sportif is required to respond to applications duly submitted by data subjects “as soon as possible and in any event not later than thirty days of receipt of your application” depending on the nature of the application.    

In principle; we proceed, evaluate and conclude data subjects’ requests free of charge withing the shortest time possible, however in cases where the requested transaction requires an additional cost we may charge the relevant data subject a fee specified withing the framework of the relevant legislation.  

 

  1.  COOKIES AND SIMILAR TECHNOLOGIES  

Mars Sportif may place small data files on users’ computers, mobile phones, tablets or other devices which allow recording and collection of specific data, during access to websites, electronic platforms and applications of Mars Sportif or emails and commercial messages sent by Mars Sportif  as a cookie or similar type of file to register and collect data related through technical means for the purpose of facilitating and enhancing your communication and interaction with Mars Sportif and delivering customized content and conducting online advertising activities. These data files stored on computers or other devises may be in the form of cookies, pixel tags, flash cookies or web beacons, tags, and similar technologies that work on mobile devices (“Cookies”). Although it is possible to collect personal data through cookies, any data collected through cookies may not be personal data, accordingly, it has to be noted that the data obtained through cookies will only be considered within the scope of this Policy and the Law on Protection of Personal Data (PDPL) to the extent they constitute personal data under Turkish law. You may delete or disable cookies by following the instructions in the “help” file or visiting"www.allaboutcookies.org". By deleting our cookies or disabling future cookies you may continue to use our website or mobile or digital applications but you may not be able to access certain areas or features or some of their functionalities may be affected.

 

  1. THIRD PARTY SITES, PRODUCTS AND SITES

The websites, platforms and applications owned or operated by Mars Sportif may contain links to third party websites, products and services. These links are subject to the privacy policies of third parties and data subjects should be aware of the fact that the third party and third party websites are independent of Mars Sportif and that Mars Sportif is not responsible for the privacy practices of third parties. In case of visiting the linked websites, please keep in mind to read the privacy policies of these sites. 

 

  1. AMENDMENTS

Mars Sportif has the right to make amendments from time to this Personal Data Protection and Privacy Policy for various reasons including but not limited to the new provisions and articles of relevant Regulations to be enacted under the PDPL and in the light of the relevant legislation. The current version of the Policy will be posted on websites owned or operated by Mars Sportif and will be open to access from computers and websites of users and members.

 

  1. EFFECTIVE DATE

This Policy will take effect on the date posted on the site and will remain in full force and effect until it is removed from the site.

 

ANNEX: MARS SPORTİF PERSONAL DATA RETENTİON AND DESTRUCTION POLICY

 

  1.   DEFINITIONS

 

Relevant User

Shall mean any person except those who are responsible for the technical storage, preservation and backup of the data, who processes personal data within the organization of the data controller or with the authority given by the data controller

Destruction

Shall mean deletion, erasure destruction or anonymization of personal data

Periodic Destruction

Shall mean the periodic destruction, deletion or anonymization of personal data that is no longer processed validly, as described in the Personal Data Retention and Destruction Policy

Erasure of Personal data

Shall mean the process of rendering personal data inaccessible and unusable for all relevant users 

Destruction of personal data

Shall mean the process of rendering personal data inaccessible, irretrievable and unusable by anyone, under any circumstances. 

Anonymization of personal data

Refers to a process by which personal data is irreversibly altered in such a way that a data subject can no longer be associated with an identified or identifiable real person in any way, even if the personal data is matched with other data.

 

  1. THE PURPOSE AND SCOPE OF THE PERSONAL DATA RETENTION AND DESTRUCTION POLICY

 

The purpose of this Retention and Destruction Policy is to design, develop and implement management instructions, procedural requirements and technical policy for Mars Sportif for the purpose of the deletion, erasure destruction or anonymization of personal data of data subjects in compliance and in accordance with the PDPL and the Regulation on the Deletion, Erasure, Destruction or Anonymization of Personal Data  which has taken effect as the secondary legislation of the PDPL after being published in the Official Gazette no 30224 of October 28, 2017, (“Regulation”) despite being processed and stored in compliance and in accordance with the Law on the Protection of Personal Data (the “Law” or “PDPL”) in the event the reasons for the processing of such personal data  no longer exist and  upon expiration of the retention periods set out in the Law and the relevant legislation and for ensuring that Mars Sportif fulfills its obligations arising under the Regulation.

                                              

This Retention and Destruction Policy is implemented by Mars Sportif in its activities regarding the storage, retention and destruction of personal data processed by it. 

 

This Retention and Destruction Policy has been designed, developed and prepared based on the PDPL and the “Regulation on the Deletion, Erasure, Destruction or Anonymization of Personal Data” and other legislation regarding the storage, retention and destruction of personal data.   

 

  1. ACTIVITIES CARRIED OUT BY MARS SPORTIF FOR THE ERASURE, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA 

 

Personal Data is retained by Mars Sportif only for the period of time stipulated by relevant legislation withing the period of limitations and/or as long as it is necessary to fulfill the purpose for which the relevant data has been collected. Accordingly, Mars Sportif determines whether there is any legal retention period and/or statute of limitations in the relevant legislation with regard to the storage and retention of personal data and stores personal data in compliance with the retention periods and/or statute of limitations. If no legal retention period is provided for in the relevant legislation then personal data is stored and retained in accordance with the relevant provisions of the PDPL and as long as such personal data is necessary in relation to the purposes for which it was collected or otherwise processed.    

 

As provided for in article 7 of the PDPL, Mars Sportif, ex officio or upon request of the relevant data subject, destroys personal data deleting, erasing, destroying or anonymizing it in accordance with articles 8, 9 and 10 of the “Regulation on the Deletion, Erasure, Destruction or Anonymization of Personal Data” despite such personal data has been processed in accordance with the relevant provisions of the law, upon disappearance of the reasons which require the process.  

 

Mars Sportif has taken all reasonable technical and administrative measures and developed all necessary operating mechanisms to fulfill its obligations arising under the Law and Regulation and has been continuously training its units and departments on this subject and makes all necessary appointments for this prose    

 

  1.  CIRCUMSTANCES THAT REQUIRE THE DESTRUCTION OF PERSONAL DATA AND METHODS OF ERASURE, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA 

 

  1. Circumstances that require the destruction of personal data 

Pursuant to the Law on the Protection of Personal Data and Regulation, Mars Sportif, ex officio or on request of the relevant data subject, deletes, erases , destructs or anonymizes personal data relating data subjects under any of the following circumstances:

  1. Amendment and/or repeal of the provisions of other legislation which constitute as a basis for processing, storage and retention of personal data in a manner removing the obligation of data controllers with regard to the storage and retention of personal data;  
  2. The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;  
  3. If the “Conditions for Processing Personal Data” as set forth in Articles  5 and 6 of the Law are no longer present;  
  4. The relevant data subject withdraws his/her  consent in cases where personal data may only be processed based upon the “explicit consent” of the data subject;  
  5. Acceptance of the request made by the relevant data subject within the scope of his/her rights set forth in subparagraphs 2/e-f of Article 11 of the PDPL  for the erasure, destruction or anonymization of his/her data by the data controller;     
  6. Issuance of a decision by the Personal Data Protection regarding the erasure, destruction or anonymization of the relevant personal data; 
  7. Upon expiration of the maximum retention period required by law there is no valid ground justifying a longer retention period and there are no overriding legitimate grounds for the retention of personal data for a longer period;    

 

  1. Erasure, Destruction and Anonymization of Personal Data
    1.  Generally

For destroying personal data, Mars Sportif uses erasure, destruction and anonymization methods according to the PDP Law

  1. For the erasure method; deletion of database objects is achieved by using delete command
  2. For the destruction method; data found in paper forms are physically destroyed through the archiving provider organization.
  3. For the anonymization method; these methods apply data distortion using masking operations and data are anonymized by replacing character type data with the sign “*” and numeric values with the “1”.

 

  1.  Specifically

Mars Sportif carries out erasure, destruction and anonymization of personal data kept withing its organization under the following 3 (three) main categories as follows:   

 -          Member Data

-           Data Cards

-           Employee /Applicant Candidate Data

 

  1. Member Data:

All members of Mars Sportif are divided into 3 (three) groups namely, candidates, active members and resigned members. Candidate members are also grouped into 2 (two) categories as active members and passive members and all data related to passive candidate members together with the data of candidate members older than 2 years are automatically erased and deleted from the system. Destruction method is applied by permanently deleting personal data from the database by a delete command and these operations are repeated at regular intervals of at most 4 (four) to 6 (six) months.   

 

For the purpose of fulfilling legal requirements and obligations under the agreement between the parties and on account of the principles regarding processing of personal data as referred to in Articles 5 and 6 of the PDP Law, Mars Sportif shall keep all active member data until the relationship between the consumer and the service provider is terminated by taking all necessary measures pursuant to the provisions of the PDP Law.  

 

 

Following the termination of the contractual relationship between the parties, personal data that are required to be kept as per the relative legislation are retained by Mars Sportif during the period of limitation according to the relative legislation and by taking all necessary measures pursuant to the provisions of the PDP Law. All other personal data that are not expressly covered by the provisions of Article 5 or 6 of the PDP Law are destroyed by applying one of the methods of erasure, destruction and/or anonymization of personal data.

 

After the membership term has ended, upon the request of the data subject to erase the personal data, all personal data other than those that must be kept during the period of limitation pursuant to the applicable legislation shall be anonymized and all sensitive personal data shall be permanently deleted. Anonymization method applies data distortion using masking operations and data are anonymized by replacing character type data with the sign “*” and numeric values with the “1”. As a result of the anonymization process all personally identifiable information is removed so that the anonymized data cannot be associated with any identified or identifiable data subject.

 

Save for cases where a longer retention period is required by the applicable laws or regulations, starting from the expiration of the membership agreement, relevant legal retention periods apply to the retention of personal data according to the category of personal data provided that retention period of three years stipulated  in the Regulation on Distance Contracts which has entered into force after being published in the Official Gazette No 29188 of November 27, 2014,  retention period of two years provided for in Law No 6502 on Consumer Protection and retention period of five years provided for in Tax Procedure Law are taken into consideration and said personal data is periodically deleted, erased, destroyed or anonymized according to the retention periods specified in this This Retention and Destruction Policy.       

 

  1.  Data Cards:

 The forms completed by candidate members who have not yet signed membership agreement with Mars Sportif clubs and including personal data of such candidates are called Data Cards. Data Cards are organized and archived in alphabetical and monthly order for a period of 1 (one) year and at the end of the relevant year all data cards are sent to a third-party archiving provider. All personal data collected in this context will be used for the purpose of contacting individuals under the Law on the Regulation of Electronic Commerce and upon the request of the data

 

subject and/or if two years or more have lapsed between the time created and the date of signing of the membership agreement such personal data will be physically destroyed.     

 

  1.  Employee / Applicant Candidate Data:

 The continuous labor requirement depending on the clubs’ growth results in a significant increase in the volume of applications filed and Mars Sportif Human Resources department keeps all application forms for a period of two years to avoid inviting candidates that have been deemed ineligible for the position in the previous job interview or to reassess the application forms in case of intensive labor requirement. All application forms and curricula vitae where two years have lapsed from the date of filing will be deleted by the Human Resources Department of Mars Sportif from the computers and public folders and all application forms on paper that are older than 6 (six) months will be physically destroyed.   

 

  1. DEPARTMENTS, TITLES AND JOB DESCRIPTIONS OF MARS SPORTIF STAFF ENGAGED IN STORING AND DESTRUCTION OF PERSONAL DATA

Business Systems Manager and Hardware and System Manager will be responsible for storing, erasing, destroying personal data from the database and anonymization operations. The job descriptions of these employees are defined by Mars Sportif as follows: 

 

Business Systems Manager

Department     : Information Technology

Brief job description: To project and manage the software requirements in line with the company’s strategies.

 

System Manager

Department     : Information Technology

Brief job description: To manage and ensure the security of the infrastructure required for the effective and smooth operation business systems and applications within the company.

 

 

 

 

  1. RETENTION AND DESTRUCTION PERIODS 

 

Data Categories

Retention Periods

Destruction Periods

Member Personal Data

Save for cases where a longer retention period is required by the applicable laws or regulations, from the expiration of the membership agreement relevant legal retention periods apply to the retention of personal data according to the category of personal data provided that retention period of three years stipulated  in the Regulation on Distance Contracts which has entered into force after being published in the Official Gazette no 29188 of November 27, 2014,  retention period of two years provided for in Law No 6502 on Consumer Protection and retention period of five years provided for in Tax Procedure Law are taken into consideration. 

Upon expiration of the retention period, such personal data is destroyed in the first periodic destruction withing a period of between four to six months.   

Member’s Special Category of Personal Data (Health data)

Save for cases where a longer retention period is required by the applicable laws or regulations from the expiration of the membership agreement relevant legal retention periods apply to the retention of personal data according to the category of personal data provided that retention period of three years stipulated  in the Regulation on Distance Contracts which has entered into force after being published in the Official Gazette no 29188 of November 27, 2014,  retention period of two years provided for in Law No 6502 on Consumer Protection and retention period of five years provided for in Tax Procedure Law are taken into consideration.  

 

Upon expiration of the retention period, such personal data is destroyed in the first periodic destruction withing a period of between four to six months.   

Data Cards

One year following the expiration of the validity of the approval.

Is physically destroyed if two years or more have lapsed between the time created and date of signing of the membership agreement.

Curricula Vitae

Two years 

Curricula vitae where two years have lapsed from the date of filing are deleted from computers. On the other hand,    all application forms and curricula vitae on paper that are older than 6 (six) months are physically destroyed. 

 

 

  1. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN BY MARS SPORTIF TO STORE PERSONAL DATA IN A SECURE MANNER AND TO PREVENT UNAUTHORIZED PROCESSING AND ACCESS OF PERSONAL DATA
  1. Membership service representatives working at the clubs have limited access to members’ data based on software defined authorities and to ensure data security they are not authorized to retrieve the complete list of members from the system.  

 

  1. To ensure data security and to limit authority granted, each employee may only have access to data of the members of the club where the employee works.     

 

  1. Access authority of users is restricted on the main server of the company.

 

  1. “Deep freeze” software is installed on all public access computers of Mars Sportif to protect the core operating system and computer by automatically deleting downloaded files each time the computer is restarted. Moreover, these public access computers are configured to use only Chrome and Explorer browsers for internet access.  

 

  1. New encryption techniques are developed for personnel computers and users are required to regularly change their passwords.

 

  1. USB (universal serial bus) inputs of computers allocated to employees and users’ authorities to print are restricted. USB drives are used on only one computer in the club, namely the club manager’s computer