ROBERT COLLEGE OF ISTANBUL PERSONAL DATA PROTECTION POLICY
1. INTRODUCTION
1.1. Purpose and Scope of the Policy
The Personal Data Protection Law 6698 (“The Law”) entered into force on April 7, 2016. The aim of Robert College’s Personal Data Protection Policy (“Policy”) is to set the principles for Robert College (“RC” or “the school”) to act according to The Law, and to fulfill its obligations concerning the protection of personal data.
The Policy defines the conditions for processing personal data and the school’s fundamental principles while doing so. The Policy encompasses the school’s all personal data processing activities, the data subjects, and all the processed personal data in scope of The Law.
Matters concerning the processing of the personal data of school staff is not within the scope of this policy, but are tackled in the RC Policy for the Processing and the Protection of the Personal Data of the Staff.
You can find the glossary in the Appendix.
1.2. Enforcement and Amendments
RC posted The Policy on its internet site and made it available to the public. In the case of any conflict between The Policy and the Law or the current regulations, the provisions in the regulations will be in effect.
RC reserves the right to make amendments to The Policy in parallel with legislative regulations . The updated version of The Policy can be accessed at RC’s website www.robcol.k12.tr
2. PURPOSE OF PROCESSING PERSONAL DATA BY THE SCHOOL AND DATA CATEGORIES
2.1. Data Subjects
The data subjects as mentioned in the Policy are all The natural persons except for the school staff. The categories of data subjects are listed below:
DATA SUBJECT CATEGORIES, DESCRIPTION
1.Student, Natural persons who are offered education by school.
2. Family Members and Relatives, The family and the relatives of the students.
3.Parents, Natural persons who represent the students upon whom they hold parental rights.
4.Business Partner, Natural persons who are legally and financially independent from the school and who are contracted to carry out a given task together with the school within the framework of an agreement between them.
5.Candidate Student, Natural persons who have applied for admission to the school and who are in the process of registering.
6.Event Attendee, Natural persons who participate in the events organized by the school.
7.Candidate Employee, Natural persons who applied for a job at the school, sending their CV or via other means.
8.Visitor, Natural persons who visit the school campus.
9.Supplier, Natural persons who offer services to the school as needed by the school.
10.Alumni, Natural persons who completed the school’s 5-year education and graduated.
11.Donor, Natural persons who make grants to the school.
12.RC Official / Representative of the Executive Board, Natural persons authorized to represent RC.
13.Third Parties, Natural persons other than those listed above or the school staff.
The data subject categories are indicated as general information. If a data subject doesn’t fall in any one of these categories, it doesn’t waive their qualification of data subject as specified in the Law.
2.2. The Objectives of Data Processing
The school may process your personal data and special categories of personal data in compliance with the conditions in The Law and in the regulations:
PRIMARY OBJECTIVES/SECONDARY OBJECTIVES
To conduct the necessary tasks and to manage the operations that will make the services offered by the school available to the related people
1. To plan and to execute the governance of the relationships between the school and the students,2. To plan and to execute the school’s scholarship operations,
3. To manage the registration at the residences and the residence-students relationships,
4. To plan and to execute the management process for the relationships with the alumni,
5. To plan and to execute the management process for the relationships with the parents.
To plan and to carry out the school’s operational, commercial and business strategies
1. To plan and to execute the educational operations off campus,
2. To manage the relationships with the business partners and the suppliers,
3. To plan and to execute the programs and the education offered by the school as regards their scope and their content.
To carry out the necessary operations by the respective departments for the execution of the school’s activities
1. Event management,
2. To plan and to carry out the planning and the execution of the activities,
3. To plan and to carry out the institutional communication activities,
4. To plan, to control and to implement information security,
5. To create and to manage the IT infrastructure,
6. To plan and to implement the business partners’ and the suppliers’ permissions to access information,
7. To follow-up the finance and accounting work,
8. To plan and to carry out the institutional sustainability activities.
To plan and to carry out the school’s human resources policies and processes
1. To plan and to carry out the professional development activities,
2. To plan and to effectuate the allowances and the benefits for faculty and staff,
3. To plan and to carry out the internal training activities,
4. To manage the procedures of the RC Summer program,
5. To manage the procedures of the RC Academy program,
6. To manage the salaries,
7. To plan the human resources procedures,
8. To carry out the recruitment processes,
9. To plan and to carry out the appointment, promotion and dismissal processes,
10. To monitor the work of the staff and of the faculty,
11. To handle the work permit and the residence permit procedures of the foreign faculty and staff,
12. To plan and to carry out the recruitment, the assignment and the operations of trainees and of students,
13. To fulfill the obligations for the faculty and staff arising from the employment contracts and relevant regulations.
To ensure the legal, technical and financial/ institutional security of the school and of those who have a business relationship with the school.
1. To follow the legal procedures,
2. To keep and to follow the visitor records,
3. To plan and to carry out the emergency management procedures,
4. To plan and to carry out the occupational health and safety procedures,
5. To make sure that the data are accurate and up-to-date,
6. To ensure the security of the campus and of the facilities,
7. To ensure the safety of the school’s properties and resources.
2.3. Personal Data Categories
Your personal data as categorized below are processed by the school according to the conditions in The Law and in the relevant regulations:
PERSONAL DATA CATEGORIES/DESCRIPTION
Identity Information, All kinds of identity information as appears on the driving license, the ID card, the domicile certificate, the passport, the lawyer ID, the marriage certificate, etc.
Contact Information, All kinds of information that provides communication with data subjects such as, phone number, address, e-mail, etc.
Parents and Relatives, Personal info about the students’ parents and relatives.
Location Security, Personal data on records and documents, like video recordings when entering the physical facility and during the time spent there, fingerprints, etc.
Operational Security, Your personal data processed with the purpose of ensuring our technical, administrative, legal and financial security during our educational activities.
Financial Information, Personal data about financial outcomes, as on documents and records created according to the legal nature of the relationships with the data subject.
Audio-Visual Data, Sound and video records.
Employment Details, The content of the employment contract, the details and the dates of the employment commencement and termination, etc.
Candidate Information, Personal data of the individuals who apply for a job at our school.
Legal Act and Compliance Information, Personal data processed within the scope of determination and pursuance of our claims and rights, payment of our debts, and compliance with our legal obligations and the school’s policies.
Special Categories of Personal Data, Data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, biometrics and genetics.
Incident Management Information, Personal data processed to take the necessary legal, technical and administrative measures in the case of incidents, with the purpose of protecting the commercial rights and benefits of our school and the rights and the benefits of data subjects.
Candidate Student Information, Personal data concerning the applicants to the school.
Alumni Information, Personal data of those who graduated after completing the 5-year program of the school.
Student Information, Personal data of those who takes the educational services offered by the school.
Student Operations Details, Information about the requests from the students and the instructions for the students.
Personnel Affairs Details, Payrolls, discipline investigation, hiring and dismissal records, declaration of property, personal background, performance evaluation, etc.
Professional Development Details, Performance evaluation interviews/results/reports/tests, etc.
Allowances and Benefits, Details about benefits.
3. PRINCIPLES AND CONDITIONS FOR PROCESSING PERSONAL DATA
3.1. Principles for Processing Personal Data
The school processes your personal data as aligned with the principles specified in article 4 of The Law. It is compulsory to follow these principles for each and every personal data processing activity:
- The personal data are processed lawfully and in conformity with rules of bone fides : The school acts according to the laws, the secondary legislation and the general legal principles; it pays attention to process the data as limited to the purpose, and to take account of the reasonable expectations of the data subjects.
- The personal data must be accurate and up-to-date: The school makes sure that your personal data are up-to-date. It recognizes the data subjects’ rights to request the rectification or the deletion of any inaccurate or outdated data.
- The personal data will be processed for specific, clear and legitimate purposes: The school determines the purposes of processing personal data before taking action, and makes sure that these purposes are not against the law.
- The personal data must be related, limited and proportional to the purpose of processing: The school limits the data processing to the personal data necessary for the purpose of collecting data, and takes steps to prevent the processing of any unrelated data.
- The school will keep the personal data as long as necessitated by the regulations or by the purposes of processing: The school will delete, destroy or anonymize the personal data when the purpose of data collection disappears , or at the end of the period specified in the regulations.
3.2. Conditions for Processing Personal Data
The school will process your personal data when at least one of the conditions stipulated in article 5 of The Law is present. Below are the details of these conditions:
- Explicit consent of the data subject: If none of the other conditions is present, and subject to the general principles listed under item 3.1, the school may process personal data in the case that the data subject freely gives informed and explicit consent specific to the operation in question.
- The purpose of personal data processing is clearly stipulated in the laws: In this case, the school may process personal data without the explicit consent of the data subject, within the principles in the related legal procedures.
- The data subject is physically incapable of giving consent and it is mandatory to process personal data: If the data subject is not in a situation to give consent or if such consent in invalid, the school may process personal data in order to protect the life or the bodily integrity of the data subject or of a third party.
- The data processing is directly related to the drafting and the execution of a contract: The school will process personal data if this is necessary for the drafted or signed contract between the data subject and the school.
- The processing of personal data is essential for the data controller to fulfill the legal obligations: The school may process the personal data in order to fulfill its legal obligations. The data subject made own data available to the public: If the data subject publicly revealed their personal data, such data may be processed by the school without the explicit consent of the data subject, but limited to the purpose of the revealed information.
- The processing of personal data is mandatory for the establishment, exercise or protection of any right : The school may process personal data without explicit consent of data subjects within the scope of imperativeness.
- It is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject : In such a case, the school first determines the legitimate interest that will ensue from the processing of personal data. It assesses the potential impact of data processing on the data subject’s rights and freedoms, and proceeds with data processing if convinced that it will have no adverse effect.
3.3. Conditions for Processing Special Categories of Personal Data
Article 6 of The Law defines the limited number of personal data of a special nature. These are: race, ethnic origin, political opinions, philosophical convictions, religion, sect or other beliefs, appearance and dress, membership of an association, foundation or trade-union, health, sexual life, criminal conviction, security measures, biometrics and genetics.
The school may process personal data of a personal nature under the following circumstances, at the condition of taking the additional measures stipulated by the Personal Data Protection Board:
- Personal data of a special nature except for those concerning health and sexual life: At the condition that the data subject gives explicit consent or it is clearly specified in the laws.
- Personal data concerning health and sexual life: They may only be processed, without taking the explicit consent of the data subject, by people bound by confidentiality, or by authorized institutions, with the purpose of public health preservation, preventive medicine, medical diagnosis, treatment and care, health services and the financial planning needed for this.
4. TRANSFER OF PERSONAL DATA
The school may transfer personal data abroad or within Turkey, if it conforms to the conditions stipulated in articles 8 and 9 of the Law.
- Transfer of personal data to third parties in Turkey: If at least one of the conditions in articles 5 and 6 of The Law, as explained under item 3 above, is present, and at the condition of complying with the fundamental principles of data processing, the school may transfer your personal data.
- Transfer of personal data to third parties abroad: The school may transfer your personal data without explicit consent if at least one of the conditions in articles 5 and 6 of The Law, as explained under item 3 above, is present, and at the condition of complying with the fundamental principles of data processing.
In the case that the country where the data will be transferred is not one of the countries listed by the Personal Data Protection Board as having an adequate data protection level, the school and the data controller in the target country must certify in writing that they will provide appropriate protection, and at least one of the conditions in articles 5 and 6 of The Law (see Policies, item 3) must be present in order to transfer personal data to third parties abroad.
The school may transfer personal data to the external stakeholders listed below, within the data processing provisions in The Law’s general principles and articles 8 and 9:
CATEGORIES OF THIRD PARTIES, DEFINITIONS, PURPOSE OF TRANSFER
Business Partner, The parties with whom the school established a business relation to conduct its educational activities,Limited transfer of personal data as needed for the accomplishment of the purposes of business partnership
Supplier, The parties that provide services for the school’s business operations, in accordance with the instructions from the school and based on the contract between them and the school, Transfer is limited to the services provided externally by the supplier
Legally Authorized Public Institution, Public agencies and institutions that have legal authority to ask for information and documents from the school, Sharing the personal data is limited to the purpose of the information requested by the public institution/agency
Legally Authorized Private Institution, Private legal entities that are authorized to ask for information and documents from the school, Sharing the personal data is limited to the purpose of the information requested by the legal entities authorized by law to ask for this information
Other, Third parties other than those above, Third parties with whom data is shared for the needs of the educational activities
5. OBLIGATION TO INFORM THE DATA SUBJECTS AND THE RIGHTS OF THE DATA SUBJECTS
According to article 10 of The Law, the data subjects must be informed that their data will be processed before beginning to process, or during the processing at the latest. As per this article, the school, in its capacity as data controller, must create the infrastructure at the school to inform the data subjects whenever personal data will be processed. Accordingly, please take note of the following:
- See the item 2.2 in this Policy about the purpose of the processing of your personal data.
- See the section 4 in this Policy about the parties to whom your personal data are transferred, and the purpose of the transfer.
- See the items 3.2 and 3.3. of this Policy about the conditions concerning the collection of your personal data via various channels in physical or electronic environments.
- As per the article 11 of The Law, you, in your capacity as data subject, have the right to:
―Learn whether or not your personal data have been/are being processed,
― Ask for details if your personal data have been processed,
― Learn the purpose of processing your personal data and whether or not these have been used in accordance with the purpose,
― Learn to whom your personal data have been transferred in Turkey or abroad,
― Request rectification if your personal data are processed incompletely or inaccurately, and ask that the third parties to whom your data were transferred be notified of the amendments,
― Request deletion or destruction of your personal data in the case that the reasons for processing the data have disappeared even though they were duly processed according to The Law, and ask that the third parties to whom your data were transferred be notified of this change,
― Object to any outcome detrimental to your person, resulting from an analysis of your personal data solely via automatic systems,
― Request compensation for any damages you incurred because of an unlawful processing of your personal data.
To submit your applications concerning your above rights, fill in the Robert College Data Subject Application Form which you can access at www.robcol.k12.tr. Depending on the nature of your request, your application will be processed free of charge within the shortest possible time and within thirty days at the latest; however, in the case that the process involves additional charges, you may be asked for payment according to the tariff set by the Personal Data Protection Board.
Upon receipt of an application, the school first checks that the applicant is the actual right holder. However the school may also ask for additional and detailed information as it deems necessary to clarify the request.
The school will respond to the applicant in writing or via electronic medium. If the request is rejected, it will be explained with the justifications to the applicant.
In the case that the personal data have not directly been obtained from the data subject, the school will inform the data subject (1) within a reasonable period of time after the data have been collected, or (2) if the purpose of processing the personal data was to contact the data subject: the first time that the data subject is contacted, or (3) if the personal data will be transferred: before or at the moment the data will be transferred.
6. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
In the case that the reasons for processing personal data disappear even though they were processed in accordance with the law, , as required by article 7, the school will delete, destroy or anonymize the data on its own motion or upon request by the data subject, as specified in the school’s handbooks.
7. SCOPE OF THE LAW AND LIMITATIONS
The law will not be enforced in the situations below:
- At the condition of not sharing the data with third parties and of complying with the data security liabilities, the personal data are processed by natural persons for the sole purpose of matters concerning themselves or their family members living at the same address.
- The personal data are anonymized and are processed for the purpose of research, planning and statistics.
- The personal data are processed for the purpose of arts, history, literature or science or within the scope of freedom of expression, but at the condition of not violating national defense, public safety, public order, economic security, privacy of personal life or personal rights, and should not constitute any offense.
- The personal data are processed in the context of preventive, protective and informative measures by legally authorized public agencies and institutions for the sake of national defense and security, public safety, public order or economic security.
- The personal data are processed by judicial authorities or by law enforcement agencies in the context of investigation, trial or conviction processes.
The school is not obliged to inform the data subject in the situations below, and the data subjects may not claim their legal rights within the scope of The Law except for compensation to cover their losses:
- Personal data processing is mandatory for preventing or investigating a crime,
- The processed personal data have been made public by the data subject themselves,
- Personal data processing is mandatory to carry out the audit or regulation responsibilities or the discipline investigation/prosecution duties by the appointed and authorized public agencies and institutions or by professional associations, as per the authority invested upon them by the law.
- Personal data processing is mandatory to safeguard the state’s economic and financial interests as regards budget, tax and financial matters.