INFERNO CLUB PRIVACY AND INFORMATION SECURITY POLICY
1. INTRODUCTION
1.1 Purpose and Scope of the Policy
The Law on the Protection of Personal Data No. 6698 (“Law”) entered into force on April 7, 2016; as Inferno Club (“Inferno Club” or “ While the Company”) conducts our business activities, we process a lot of personal data, including our customers, employees and visitors. Since such personal data are valuable data in the property of Inferno Club, this is hereby in order to protect this data, manage it securely, ensure and protect the confidentiality and security of data, ensure compliance with the law, and determine the obligations and principles to be fulfilled. Club Privacy and Information Security Policy (“Privacy and Information Security Policy”) has been created.
As İnferno Club, we carefully determine all necessary policies in order to protect all your information and take the measures we take in this direction to the highest level possible.
Definitions regarding the terms used in this Privacy and Information Security Policy are in APPENDIX-1.
1.2. Enforcement and Change
The Privacy and Information Security Policy has been published on the intranet used as the Company's internal communication system and on the www.infernoclub.net web page. Inferno Club reserves the right to make changes in the Privacy and Information Security Policy in accordance with legal regulations. Inferno Club will also abide by the “Inferno Club Privacy Policy” published within its own body in accordance with the global rules of the company named Inferno Club, to which it is affiliated, and will be able to seek guidance when necessary. In case of conflict with the provisions of the Law and the Confidentiality and Information Security Policy, the provisions of the current legislation shall apply.
1.3. Application
This Policy applies to all members of İnferno Club, regardless of their role or position. Regardless of the type of employee, Labor Law's All employees, middle managers, executives, senior managers, board members and chairmen, consultants, agency, intermediary, representative, all third parties working on behalf of İnferno Club and regardless of anyone who work on a fixed or indefinite term contract according to this policy. and İnferno Club Privacy Policy’
1.4. Objectives in Information Security and Privacy Policy
İnferno Club Information Security and Privacy Policy, İnferno Club’ In order to protect the reputation, reliability and information assets of the company, and to ensure the sustainability of its basic and supporting business activities,
● To ensure the continuity and security of information systems,
● To raise the consciousness and awareness of the employees to the highest level,
● Ensuring full compliance with contracts made with third parties,
● To eliminate or minimize the possibility of breaching the security of personal data,
● Operation of processes related to obtaining, storing, transferring, subjecting to all kinds of processing activities and deletion, destruction, destruction of personal data in accordance with the applicable legislation,
● Aims to ensure information security by taking the most up-to-date and effective technical and administrative measures.
2. MEASURES TAKEN TO ENSURE INFORMATION SECURITY
Inferno Club identifies information assets and analyzes potential threats and vulnerabilities that may occur on assets. It carries out necessary studies to reduce the effects of these potential threats and vulnerabilities. Even if the risks related to information security are not completely eliminated, an existing risk is managed and minimized. İnferno Club takes all necessary technical, administrative and organizational measures to ensure the confidentiality and security of sensitive personal data, our websites and other applications, and/or your personal data physically obtained.
✓ Inferno Club determines the existing risks and threats to personal data within the framework of the Confidentiality and Information Security Policy within the scope of the measures it has taken. In order to ensure the security of personal data, it is ensured that all personal data processed by İnferno Club, the probability of the risks that may arise regarding the protection of this data, and the losses to be caused in case of realization are accurately determined and appropriate measures are taken. While determining these risks;
● Whether the personal data is sensitive personal data,
● What degree of confidentiality is required by its nature,
● In the event of a security breach, the nature and quantity of the damage that may arise in terms of the person concerned are taken into account.
After defining and prioritizing these risks, control and solution alternatives for reducing or eliminating the said risks; are evaluated in line with the principles of cost, applicability and usefulness, and necessary technical and administrative measures are planned and put into practice.
✓ Inferno Club periodically organizes training and awareness activities on data security for its employees. In case of users' carelessness, inattention or inexperience, data security violations that may occur in the form of opening an e-mail attachment containing malicious software or opening personal data to third parties by sending the e-mail to the wrong recipient should be prevented. For this reason, İnferno Club provides its employees with training and carries out awareness-raising activities. Inferno Club employees, “Everything Is Forbidden Unless Permitted” acts in accordance with the principle of confidentiality and Inferno Club concludes confidentiality agreements as part of its recruitment processes.
✓ Inferno Club conducts various studies to raise the awareness of data processing service providers on data security, and makes and signs confidentiality commitments within the scope of data security with all real and legal persons with whom it cooperates in this regard. In addition, all contracts signed include provisions that can ensure data security and confidentiality.
✓ Inferno Club prepares healthy and safe policies to ensure the security of personal data, ensuring that risks in this context can be determined beforehand and measures are taken consistently. Regular controls are carried out within the scope of the prepared policies and procedures, the issues that need improvement are determined and the necessary updates are carried out. Disciplinary arrangements including data security provisions are made for employees. Protocols and procedures for special quality personal data security are also determined and implemented. Special quality personal data is protected by private security methods.
These policies are;
Personal Data Processing Policy, Internet Usage and Cookie Policy, Privacy and Data Security Policy, Employee Personal Data Processing and Protection Policy, Storage and Disposal Policy. İnferno Club reduces the personal data in its possession as much as possible. Personal data should be accurate and up-to-date when necessary within the scope of the law, and should be kept for as long as required by the relevant legislation or for the purpose for which they are processed. Therefore, in order to prevent the cases where this data loses its accuracy, outdated and does not serve any purpose, it is ensured that the personal data are kept in the right place by evaluating whether there is still a need for the said personal data for processing purposes. All unnecessary, unused, accurate and outdated data are deleted, destroyed or anonymized in accordance with our data retention and destruction policy and the law.
✓ Inferno Club conducts and makes internal periodic and/or random inspections. In addition, data processing service providers are periodically audited on data security. It makes every effort to ensure that data processors also provide the level of security provided by Inferno Club. Care is taken to ensure that the contracts signed with the data processor are in writing and that the data processor is only Inferno Club’ In line with the instructions of the Company, care is taken to ensure that it complies with the purpose and scope of data processing specified in the contract, is in compliance with the law and in accordance with the Personal Data Retention and Destruction Policy. In addition, pursuant to the agreements signed with data processors, it is ensured that data processors are subject to an indefinite confidentiality obligation regarding the personal data they process.
✓ Inferno Club also provides network security and application security, and uses a closed system network for personal data transfers via the network. Inferno Club takes firewall and gateway measures to protect information technology systems containing personal data against unauthorized access threats over the internet. By using these systems, it creates a defense mechanism to prevent potential threats and attacks from the internet environment. Inferno Club is included in a gateway system that will prevent access to websites or online services that may pose a threat to the data in order to protect the security of personal data of employees. Every software and hardware used by İnferno Club is subject to installation and configuration.
✓ Inferno Club implements valid key management and uses up-to-date anti-virus systems. In order to be protected from malicious software, the information system network is regularly scanned and products such as antivirus and antispam that detect dangers are used. These applications are updated, tracked and the necessary files are scanned.
✓ Inferno Club user account management and authorization control system is implemented and these are regularly followed up . Access to systems that contain personal data is limited, and employees are granted access to the extent necessary for their jobs, duties, and authorities and responsibilities, and access to the system is provided by using username-password.
✓ İnferno Club takes security measures within the scope of procurement, development and maintenance of information technology systems and regularly keeps access logs and all log records. In addition, security requirements are taken into account when determining the needs for the procurement, development or improvement of existing systems, checks are made that the inputs of the application systems are correct and appropriate, control mechanisms are applied to the applications to check whether the correctly entered information is corrupted as a result of an error during the process or intentionally. is placed. Applications are designed in a way that minimizes the possibility that errors that occur during the process will compromise data integrity. If the devices that are sent to third parties such as manufacturers, dealers, and service providers because they are malfunctioning or maintenance period has come, contain personal data, before these devices are sent for maintenance and repair, procedures such as removing and storing the data storage medium in the devices to ensure the security of personal data, sending only defective parts. is done. If external personnel come for purposes such as maintenance and repair, necessary measures are taken to prevent them from copying and removing personal data from the institution.
✓ Inferno Club controls information networks software and services in order to ensure personal data security, detects abnormal movements in information networks, reports security problems in the fastest way, and makes official reports for security vulnerabilities in running services and systems.
p>✓ Inferno Club has taken cyber security measures and cyber security products are used when necessary to prevent cyber attacks. It regularly performs penetration tests to detect security vulnerabilities against cyber attacks that may threaten the security of personal data. With this method, it is aimed to detect the damage that the malicious attacker may cause in advance and to take precautionary measures against the weaknesses. Within the scope of cyber security, access is limited for employees who have been dismissed from our company or who have a change of job, without wasting time, by deleting the account or closing the logins.
✓ Inferno Club uses an active and up-to-date encryption method. In this context, attention is paid to password formation, and unpredictable shapes are preferred in directories and combinations. The number of password entry attempts is limited in order to be protected from attacks such as the use of brute force algorithms. In addition, passwords are changed at regular intervals.
✓ Inferno Club uses data loss prevention software and data masking method. In addition, extra security measures are taken for personal data transferred via paper by Inferno Club and the relevant document is sent in confidential document format. In order to ensure the security of personal data, İnferno Club’ It is ensured that all personal data processed by the Company, the degree of confidentiality required by this data, the probability of the risks that may arise regarding the protection of this data and the losses to be incurred in the event of realization are accurately determined and appropriate measures are taken in this direction.
<✓ Inferno Club meticulously ensures the security of environments containing personal data. It takes all physical security measures against threats such as theft or loss of personal data stored both in the head office and on the devices in the locations or physically. In addition, all necessary precautions are taken for external risks (fire, flood, etc.) in physical environments containing personal data.
✓ On the other hand, personal data in the electronic environment is restricted to access between network components or the components are separated. Theft and loss of devices containing personal data may lead to data breach, and measures are taken against data breaches that may occur by transmitting them via e-mail or regular mail.
✓ Devices containing personal data are meticulously kept, and measures are also taken to increase physical security, such as keeping them locked up and keeping entry and exit records. Unauthorized access is prevented by ensuring that the access is accessible to authorized persons. Access control authorization and/or encryption methods are used against the loss or theft of devices containing personal data.
✓ Inferno Club backs up personal data and ensures the security of the backed up personal data. It tries its best to prevent the activity from being interrupted by using the backed up data in case of personal data being damaged, destroyed, stolen or lost for any reason. Physical security of all backups is ensured in order to eliminate potential risks posed by malicious software.
2.1. Note on Children's Use of Our Website
This Site is not intended for children, and as İnferno Club, we request that children do not provide their personal identification information through the website.
2.2. Principles Regarding the Processing of Personal Data
Your personal data is processed by İnferno Club in accordance with the personal data processing principles set forth in Article 4 of the Law. It is mandatory to comply with these principles for each personal data processing activity:
● Processing personal data in accordance with the law and honesty rules,
● Accurate and up-to-date personal data,
● Processing personal data for specific, explicit and legitimate purposes,
● The personal data must be connected, limited and measured for the purpose for which it is processed,
● Storing personal data for as long as required by the legislation or processing purposes
Personal data is deleted, destroyed or anonymized by İnferno Club after the purpose of processing personal data is eliminated or when the period stipulated in the legislation expires. Your personal data is processed by İnferno Club in the presence of at least one of the personal data processing conditions in Article 5 of the Law.
Explicit consent of the personal data owner, The personal data processing activity is clearly stipulated in the laws, The explicit consent of the data owner cannot be obtained due to actual impossibility and personal data processing is mandatory, The personal data processing activity is directly related to the conclusion or performance of a contract, The data controller fulfills its legal obligations It is mandatory to carry out personal data processing to retrieve it, The data owner has made his personal data public, Personal data processing is mandatory for the establishment, use or protection of a right, Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner. carries out the processing activity.
2.3. Conditions Regarding the Processing of Special Categories of Personal Data
In Article 6 of the Law, special categories of personal data are specified in a limited number. These; data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.< br>
İnferno Club can process sensitive personal data in the following cases by taking additional measures determined by the Personal Data Protection Board:
● Processing of sensitive personal data other than health and sexual life can only be processed if the data owner gives express consent or if it is expressly stipulated in the law.
● Personal data related to health and sexual life, but only those who are under the obligation of keeping confidential for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing or by authorized institutions and organizations without seeking the explicit consent of the data owner.
2.4. Transfer of Information
Inferno Club, in accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board; In case of conditions for the transfer of personal data, it can transfer personal data at home or abroad.
2.5. Privacy and Security Policy Validity
Privacy and Information Security Policy is valid and binding for all kinds of services offered by İnferno Club.
However, since internet technologies do not have a fixed structure, this policy is open to change depending on current developments, legislation and technical updates. Any changes that can be made in the Privacy and Information Security Policy will be announced to our visitors through our websites and/or applications. You can always visit our website to monitor possible changes to our Privacy and Information Security Policy.
İnferno Club’ If you have questions or concerns about the Privacy and Information Security Policy, you can contact us at any time.
APPENDIX:1 DEFINITIONS
APPENDIX:2 CJ GLOBAL PRIVACY POLT.
ANNEX-1: DEFINITIONS
Definition |
|
Explicit Consent |
|
Anonymization |
|
Employee |
|
Information Security |
|
Personal Health Data |
Any health information relating to an identified or identifiable natural person. |
Personal Data |
Any information relating to an identified or identifiable natural person. |
Data Owner |
Natural person whose personal data is processed. |
Processing of Personal Data |
Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring personal data in whole or in part automatically or non-automatically provided that it is a part of any data recording system, All kinds of operations performed on data such as taking over, making it available, classifying or preventing its use. |
Law |
Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated April 7, 2016 and numbered 29677. |
Private Personal Data |
Related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures data and biometric and genetic data. |
Policy |
Inferno Club’ Privacy and Data Security Policy |
Company / İnferno Club |
Inferno Club |
Partners |
Persons with whom the Company has established a partnership within the scope of contractual relations within the framework of its commercial activities. |
Data Owner |
Natural person whose personal data is processed |
Data Processor |
|
Data Controller |
It is the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically. |