Privia Security was chosen as one of Türkiye's fastest growing companies!

Read the News Read the News

Information Security Policy

Our Quality and Information Security Policy
• To provide awareness, training and motivation to ensure that our employees participate in and comply with the information security system, as required by the holistic approach to information security,
• To control, monitor, review and continuously improve the efficiency of our quality and information security systems through internal and external audits;
• To provide and sustain the necessary resources for the required hardware, software, training and other controls to reduce information security risks,
• To protect personal data used in our business processes in accordance with personal data protection legislation,
• To protect the confidentiality of information for our customers and to ensure compliance with standards and legal regulations,
• To follow technological developments and offer next-generation solutions to our customers,
• To adopt ensuring customer satisfaction in all our business processes as a principle.
Data Security Policy
The Personal Data Protection Policy (“Policy”) of Privia Security Ltd. contains the declarations and statements of Privia Security Ltd. (“Privia Security”) regarding the processing, within the scope of the Law, of personal data belonging to natural persons in the categories listed below. In this context, the scope of application of the Policy covers the processes of processing personal data belonging to the following data subjects:
• Potential Customers
• Corporate Customer Shareholders, Authorised Representatives, Employees
• Business Partner Shareholders, Authorised Representatives, Employees
• Supplier Shareholders, Authorised Representatives, Employees
This Policy may be updated from time to time in order to adapt to changing conditions and legislation.

  1. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
    Privia Security, acting as data controller, in accordance with Article 4 of the Law…
    • Being in compliance with the law and the rules of good faith,
    • Being accurate and up-to-date when necessary,
    • Being processed for specific, explicit and legitimate purposes,
    • Being relevant, limited and proportionate to the purposes for which they are processed,
    • Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
    ii. Being accurate and up-to-date
    Data controllers must establish the necessary processes to ensure that the personal data they process is accurate and up-to-date. In this regard, Privia Security provides data subjects with the opportunity to update their data and takes the necessary measures to ensure the accurate transfer of data to the databases.
    iii. Processing for specific, explicit and legitimate purposes
    Data controllers are obliged to inform data subjects about the purposes for which their personal data is processed, in line with their disclosure obligations under the Law. In this regard, Privia Security, as data controller, limits its data processing activities to specific and legitimate purposes and clearly informs data subjects through disclosure texts regarding these purposes.
    iv. Being relevant, limited and proportionate to the purposes for which they are processed
    Personal data processed by Privia Security is kept limited to what is necessary for the purpose notified to the data subject at the time of collection, and data is retained only for the required period. Following the expiry of the aforementioned periods, data is deleted, destroyed or anonymised in accordance with Company procedures.
  2. PURPOSES OF PROCESSING PERSONAL DATA BY Privia Security Ltd.
    Articles 5 and 6 of the Law set out the conditions for processing personal data and special categories of personal data. Special categories of personal data are listed on a limited basis in the Law and include data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. While Article 5 of the Law determines the conditions for processing non-special category personal data, the conditions for processing special category data are regulated in Article 6.
    According to these articles, non-special category personal data may be processed:
    • Where the data subject has given explicit consent.
    • Where processing is explicitly stipulated by laws.
    • Where processing is mandatory for the protection of the life or physical integrity of a person who is unable to disclose their consent due to actual impossibility or whose consent is not legally valid, or of another person.
    • Where processing of personal data belonging to the parties of a contract is necessary, provided it is directly related to the establishment or performance of a contract.
    • Where processing is mandatory for the data controller to fulfil its legal obligations.
    • Where the personal data has been made public by the data subject themselves.
    • Where processing is mandatory for the establishment, exercise or protection of a right.
    • Where processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
    Special category personal data may be processed subject to the following conditions:
    • Where the data subject has given explicit consent.
    • Special category personal data other than health and sexual life data (data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, as well as biometric and genetic data) may be processed where explicitly stipulated by laws.
    • Health and sexual life data may be processed — in all cases after adequate measures have been taken — by persons or authorised institutions and organisations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, and the provision and planning of treatment and care services.
    Personal data of natural persons in the categories specified in Annex-1 are processed by Privia Security Ltd. for the following purposes:
    • Designing and/or implementing personalised marketing and/or promotional activities,
    • Planning and/or implementing market research activities for the sale and/or marketing of products and services,
    • Planning and implementing event management processes,
    • Planning and managing application processes for products and/or services,
    • Planning and/or implementing processes for providing customers with appropriate tools and/or information for accessing and/or using products and/or services through the relevant channels,
    • Monitoring contract processes and/or legal requests,
    • Monitoring customer requests and/or complaints,
    • Planning and/or implementing necessary operational activities to ensure that Company activities are carried out in accordance with Company procedures and/or relevant legislation,
    • Implementing strategic planning activities,
    • Planning and implementing supply chain management processes,
    • Ensuring the security of Company operations,
    • Monitoring finance and/or accounting matters,
    • Ensuring the security of Company premises and/or facilities,
    • Establishing and/or managing information technology infrastructure,
    • Planning and/or implementing customer relationship management processes,
    • Designing and/or implementing advertising and/or promotional and/or marketing activities through digital and/or other channels,
    • Planning and/or implementing activities related to customer satisfaction and/or experience,
    • Planning and/or implementing campaign and/or promotion and/or promotional processes,
    • Planning and/or implementing corporate communication activities,
    • Planning and/or implementing sales processes for products and/or services,
    • Planning and implementing renewal processes relating to products and/or services,
    • Providing information required by legislation to authorised persons and/or organisations,
    • Planning and/or implementing the Company’s audit and/or ethics activities,
    • Evaluating references for personnel recruitment and/or Company security processes,
    • Planning and/or implementing after-sales support service activities,
    • Planning and/or implementing authorisation of business partners and/or suppliers’ access to information,
    • Planning, auditing and/or implementing information security processes,
    • Planning and/or implementing cross-selling activities related to other products offered by our Company,
    • Planning and/or implementing business activities.
  3. TRANSFER OF PERSONAL DATA BY Privia Security Ltd.
    i. General Conditions Regarding Transfer
    Article 8 of the Law makes a distinction regarding the transfer of personal data depending on whether the data constitutes special category personal data. According to the said article, non-special category personal data may be transferred to third parties where one of the processing conditions specified in Section 2 above is present. In this regard, personal data may be shared by Privia Security with persons other than legal entities where:
    • The data subject has given explicit consent,
    • Data processing is explicitly stipulated by laws,
    • Processing is mandatory for the protection of the life or physical integrity of a person who is unable to disclose their consent due to actual impossibility or whose consent is not legally valid, or of another person,
    • Personal data has been made public by the data subject themselves,
    • Processing is mandatory for the establishment, exercise or protection of a right,
    • Processing is mandatory for the data controller’s legitimate interests, provided that the fundamental rights and freedoms of the data subject are not harmed.
    Article 8 also refers to the processing conditions specified in Section 2 for special category personal data, but additionally requires that adequate measures be taken for the transfer. Accordingly, special category personal data is shared with third parties by Privia Security in all cases after adequate measures have been taken.
    ii. Transfer Abroad
    Personal data may be transferred abroad by Privia Security:
    • Where the data subject has given explicit consent, or
    • Where the explicit consent of the data subject is absent but one or more of the other conditions specified above are met;
    • Where adequate protection exists in the country to which the data is transferred, or
    • Where adequate protection does not exist in the country to which the data is transferred, provided that the relevant Privia Security and the data controller in the relevant foreign country jointly commit to providing adequate protection in writing and the permission of the Personal Data Protection Board is obtained.
    Data is also shared with legally authorised public institutions and organisations and legally authorised private persons or organisations, limited to the information requested within the framework of their legal authorities.
  4. PERSONAL DATA PROCESSED BY Privia Security Ltd.
    The categorisation of personal data processed by Privia Security is covered in Annex-1.
  5. PROCEDURE FOR PROCESSING PERSONAL DATA BY Privia Security Ltd.
    Privia Security, as required by the Law, informs personal data subjects at the time of obtaining personal data, as data controller, about the purposes for which personal data is processed, to whom and for what purposes the processed personal data may be transferred, the method and legal basis for personal data collection, and the rights of the data subject.
    Where any process requires obtaining explicit consent under the Law, explicit consent is obtained from data subjects by Privia Security following the aforementioned disclosure.
  6. RETENTION AND DESTRUCTION OF PERSONAL DATA BY Privia Security Ltd.
    Where the conditions requiring data retention no longer apply, and where there is no other legal reason or basis that allows for the retention of the data, data is deleted, destroyed or anonymised.
  7. RIGHTS OF DATA SUBJECTS AND THE EXERCISE OF THESE RIGHTS
    i. Rights of Data Subjects
    In accordance with Article 11 of the Law, personal data subjects have the following rights against the data controller:
    • To learn whether personal data relating to them is being processed.
    • To request information if personal data relating to them has been processed.
    • To learn the purpose of processing personal data and whether they are being used in accordance with their purpose.
    • To know the third parties to whom personal data has been transferred, whether domestically or abroad.
    • To request the rectification of personal data in the event it is incomplete or incorrectly processed.
    • To request the deletion or destruction of personal data within the framework of the conditions stipulated in the relevant legislation.
    • To request that the transactions carried out as a result of correction, deletion and destruction requests be notified to the third parties to whom personal data has been transferred.
    • To object to the emergence of a result against the person themselves through the analysis of processed data exclusively by automated systems.
    • To request the remedy of damages in the event of suffering a loss due to personal data being processed unlawfully.
    The rights specified above cannot be exercised in the following cases:
    • Where personal data processing is necessary for the prevention of a criminal offence or for criminal investigation,
    • Processing of personal data made public by the data subject themselves,
    • Where personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by public institutions and organisations and professional bodies with the status of public institutions, acting under the authority granted by law,
    • Where personal data processing is necessary for the protection of the State’s economic and financial interests with respect to budget, tax and financial matters.
    Pursuant to Article 28(1) of the Law, in the following cases the data falls outside the scope of the Law, and therefore requests from data subjects in relation to such data will also not be processed:
    • Where personal data is processed entirely in connection with the person themselves or their family members by natural persons, provided it is not shared with third parties and data security obligations are complied with.
    • Processing for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not breach privacy.
    • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations authorised by law to ensure national defence, national security, public security, public order or economic security.
    • Processing of personal data by judicial authorities or enforcement bodies in relation to investigation, prosecution, trial or enforcement proceedings.
    ii. Exercise of Rights by Data Subjects
    Data subjects may use the “Application Form to be Submitted by the Personal Data Subject to the Data Controller” available at (www.priviasecurity.co.uk or priviahub.com) in order to exercise the aforementioned rights.
    Applications shall be made, together with documents that will identify the relevant data subject, through one of the following methods:
    • By sending the completed form with a wet-ink signed copy via e-mail or post to the relevant address.
    For third parties to make an application on behalf of personal data subjects, there must be a special power of attorney drawn up through a notary by the data subject, in favour of the person who will make the application.
    Data subject applications are as a rule processed free of charge; however, in the event that a fee schedule is stipulated by the Personal Data Protection Board, fees may be charged according to this schedule.
    Privia Security may request information from the relevant person in order to determine whether the applicant is the personal data subject, and may direct questions to the personal data subject regarding their application in order to clarify the matters stated therein.
  8. PROTECTION OF PERSONAL DATA BY Privia Security Ltd.
    Privia Security takes reasonable technical and administrative measures to prevent unauthorised access risks, accidental data loss, and intentional deletion or damage to data, in order to ensure the security of personal data.
    In this context, Privia Security:
    • Ensures the compliance of personal data processing activities with the Law,
    • Makes appropriate authorisations within the Company according to the nature of the data accessed,
    • Subjects access to special category personal data to more stringent measures,
    • Subjects persons who have access to special category personal data to additional security checks,
    • Where data is accessed externally due to outsourcing or similar reasons, obtains commitments from external service providers to ensure compliance with the Law,
    • Takes the necessary actions to inform all employees — especially those with access to personal data — about their duties and responsibilities under the Law.
    Privia Security Data Security Policy — Annex 1 and Annex 2: Data Categorisation