Clarification Text on Personal Data Processing

TED University

Clarification Text on Personal Data Processing

TED University (“University”) may process personal or private data using technological resources and infrastructures under “need-to-know” principle in order to implement related administrative and academic procedures according to the regulations it is bound by, to provide students with the best education experience and to become one of the most prominent foundation universities of Turkey in line with the vision, mission and basic values it has adopted. In processing the data, principles in Article 4 and measures in Article 12 of the Law No. 6698 on Personal Data Protection (“Law”) are considered. Media for the records consist of information system servers, applications, institutional computers, and storage areas for electronic data; offices and archives for printed documents.

1.  Definitions and Abbreviations

Definitions of terms and abbreviations used in the text are as follows:

Law: Turkish Personal Data Protection Law No. 6698, dated March 24th, 2016 as published in the Official Gazette No. 29677, dated April 7th 2016.

Communiqué: Communiqué on procedures and principles to follow in performing the liability of clarification as published in the Official Gazette No. 30356, dated March 10th, 2018.

Regulations: The complete set of laws, bylaws and statutes in effect.

University: TED University, which was established by the Turkish Education Association, Higher Education Foundation, based on the Law on Amendments to the Law on the Establishment of Higher Education Institutions (No. 5913) as published in the Official Gazette No. 27281, on 07.07.2009

Personal Data: Any type of information about an identified (or identifiable) natural person.

Private Personal Data: Data on a person’s race, ethnic origin, political and philosophical opinions, religion, religious sect and other beliefs, apparel, membership information to associations, foundations or syndicates, sexual life, conviction, security measures, biometric and genetic information.

Data subject: Natural person whose data are to be processed.

Processing of Personal Data: Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transmission, retrieval, making available for collection, categorization or blocking its use, wholly or partly by automatic means or by other means provided that they form part of a filing system

Data supervisor (controller): The natural or legal person who determines the ends and means of the processing of personal data and who is responsible for the establishment and management of the filing system.

Data filing system: The filing system in which personal data are structured and processed according to specific criteria.

Data processor: The natural or legal person who processes personal data based on the authority granted by the Data supervisor (controller) on his behalf

Explicit consent: Any free and informed consent given with respect to a specific issue,

Data Storage Medium: Any type of data storage medium where the data are stored, wholly or partly, being processed by automatic means or manually (provided that it is a part of a data filing system.)

Board: Personal Data Protection Board

CoHE (YÖK): Council of Higher Education

SSI (SGK): Social Security Institution

2.  Identity of Data Supervisor (Controller)

According to the Law, University, being the data supervisor, may process, record, store, classify, and update your personal data following the guidelines of Law and good faith, for the purposes given below; and may reveal/transfer it to the third parties in cases where the regulation permits to do so and limited to the sole purpose for which they were processed.

3.  Collecting and Processing of Personal Data and the Purpose of Processing

University may collect personal or private data for the objectives listed below:

• In order to ensure rights arising from educational activities in the scope of internal regulations of University and regulations on other academic procedures; to fulfill obligations of education and training activities imposed by the Law on Higher Education and the Council of Higher Education (CoHE); and to maintain activities of scientific research, publication and consultancy, and to perform academic activities,
• In order to perform student registration procedures and other procedures needed during the studentship status.
• In order to fulfill the requirements of the Labour Law, Social Security Law, and other regulations, to provide occupational health and safety, in order to recruit new personnel for vacancies,
• In order to meet legal liabilities and demands by the judiciary organs or authorized administrative institutions including responsibilities for providing safety of life and property of the employees, students and third parties on the campus.
• In order to carry out activities, to establish and protect rights, for performing legal and commercial evaluations, and risk analyses, for conducting financial affairs and establishing legal conformity in the scope of cooperation with and contracts made with business partners,
• In order to conduct financial operations and procurement procedures (demand, quote, evaluation, order, budget, contract, payment), for formulating and implementing University strategies, for managing internal systems and applications.
• In order to establish contact with you directly through the channels you have provided for improving University services and for conducting market surveys.
• For preparing lists, reports, analyses and assessments, producing statistical and scientific data, and performing analyses on the usage of our website and other channels of communication.
• For holding seminars, courses, cultural and social responsibility activities, sports events, conferences and meetings at University for improving social interactions and personal development.
• In order to implement research activities of University; for conducting projects and landing contracts for the people participating in local or international research projects supported by internal or external resources.
• In order to benefit from information technology services offered by University (corporate e-mail address, portal, wireless network, TEDU Moodle, ISP, etc.)
• In order to introduce University activities; to ensure people benefit from the services offered by University; and for the legitimate interests of University provided that fundamental rights and freedoms are not violated.

However it may vary according to the type of relation with the data subject, University may collect personal or private data, directly or indirectly, through University units, through internet website, social media, mobile applications, etc. as written, oral or in electronic form. Your personal data are updated and processed as long as your engagement with University is valid. In this context, the following data are processed in line with the above mentioned objectives and according to the principles of University Personal Data Storage and Disposal Policy:

Students: Credentials, contact address, residence information, education information, health information, discipline and investigation data, scholarship information, family information, financial information, social security institution (SSI) data, military service information, background information, internet access using the university network, campus entry and exit times, video and photographic images.

Employees: Credentials, contact address, residence information, education information, health information, discipline and investigation data, family information, financial information, social security institution (SSI) data, background information, data on appointments, interview, exam and evaluation results, internet access using the university network, campus entry and exit times, video and photographic images.

Third Parties:

• Students’ Families: Credentials, contact address, residence information, education information, health information, financial information, social security institution (SSI) data, internet access using the university network, campus entry and exit times, video and photographic images.
• Event Speakers: Credentials, picture, cv/biography, contact address, signature, Internet access data using the university network, campus entry and exit times, video and photographic images.
• Event Attendees: Credentials, contact address, signature, Internet access data using the university network, campus entry and exit times, video and photographic images.
• Project Partners: Credentials, contact address, residence information, educational information, project information, financial information, social security institution (SSI) data, background information, campus entry and exit times, video and photographic images.
• Business Partners: Credentials, contact address, residence information, financial information, social security institution (SSI) data, campus entry and exit times, video and photographic images.
• Visitors: Credentials, contact address, Internet access data using the university network, campus entry and exit times, video and photographic images.

4.  Data Can Be Transferred to Whom and For Which Reason?

Personal data, including credentials, contact address, residence information, education information, scholarship information, health information, discipline and investigation data, family contact information, financial information, social security institution (SSI) data, project information, background information, internet access using the university network, campus entry and exit times, video and photographic images, can be transferred to the following parties in line with the Articles 8 and 9 of the Law, in order to meet the provisions of the contracts or regulations, to protect the legitimate interests of University, to enable University units to carry out their functions, for the planning of education policies, performing activities of education, training and internship, and for providing security on the campus: 

• Students,
• Personnel,
• Third parties,

to the legally authorized public institutions (Council of Higher Education, Social Security Institution, Ministry of National Education, law enforcement, state universities, banks, etc.), to the private enterprises in cooperation with University (Turkish Education Association, other private universities, Scientific and Technological Research Council of Turkey, private banks, etc.) and to other parties.

Additionally, data can be transferred abroad, with the consent of related parties, contents varying according to type of relation, during the time it is deemed necessary, within the framework of research projects or education activities in cooperation with foreign institutions, education programs, staff exchange programs, countries or country representations of the foreign national employees, co-hosted events, etc.

5.   Collection Method of Personal Data and Its Legal Base

However it may vary according to the type of relation with the data subject, University may collect personal or private data, directly or indirectly, through University units, TEDU commercial enterprises, TEDU Alumni Association, through internet website, social media, mobile applications, etc. as written, oral or in electronic form, in line with the above mentioned objectives according to the principles on personal data processing as stated in Articles 5 and 6 of the Law

6.  Rights of Data Subjects according to the Article 11 of the Law on PDP.

Data subjects have the following rights according to their relation with University,

• The right be informed on whether their personal data are processed or not,
• The right to obtain related information on the details of the process,
• The right to inquire the reason for processing their personal data and its conformity with legitimate purposes,
• The right to obtain information on the third persons (at home or abroad) to whom their data are transferred.
• The right to have inaccurate personal data rectified, or completed if it is incomplete,
• The right to request erasure or disposal of their personal data according to the provisions at Article 7 of the Law.
• The right to request notification of the operations carried out in compliance with sub-paragraphs (d) and (e) to third parties to whom his personal data has been transferred
• The right to object in cases of exclusive processing of their personal data by automated systems which produce unfavorable effects to the data subject,
• The right to claim compensation for damages arising from the unlawful processing of his personal data.

You can submit your request to claim any of the above mentioned rights according to the Clause 1, Article 13 of the Law, to University as written statement or via other means made available by the Personal Data Protection Law. The request is typically, however depending on the nature of the request, concluded in 30 (thirty) days at the latest by our university and the requestor is notified of the result. The requestor will be liable to reimburse the sum demanded by our University according to the tariff determined by the Board if the process incurs an additional cost.

You can submit your request to claim any of the above mentioned rights to the following address: “TED Üniversitesi, Ziya Gökalp Caddesi No:48 06420, Kolej, Çankaya/ANKARA,” with a written explanation (in Turkish) containing details on your request along with the related information (Name, surname, Turkish Republic ID number/passport information, residential information, contact information) for your identification, a complete and signed copy of the form on  our website (www.tedu.edu.tr), in person or via notary, or send it with secure e-signature through the following e-mail: tedu@tedu.hs03.kep.tr.