OUR INFORMATION SECURITY POLICY

Aim
This Document contains the policy explaining what Information Security is and the approach of Arnavutköy Municipality towards information security. Arnavutköy Municipality will announce this policy to all users benefiting from its information resources, third parties it has business relations with as well as suppliers. At the same time, Arnavutköy Municipality explains in this policy its purpose in establishing an Information Security Management System (ISMS), its goals, and how to install, implement, monitor and report on the system.

Scope
This policy determines the information security requirements to be fulfilled during the activities in all systems and locations within the scope of ISMS.

Information Se
Information security is defined as preventing unpermitted or unauthorized access, use, modification, disclosure, elimination, hand-over and damage of all tools that record, access and store information, and consists of three basic elements: "privacy", "integrity" and "accessibility". Damage to any of these three basic security elements will lead to security vulnerability.

Confidentiality: It is the protection of information against unauthorized use and access.

Integrity: : It is the prevent unauthorized person changing the information.

Accessibility (usability): It is defined as making information accessible and available to authorized persons in case of need. ISMS (Information Security Management System) is a system that ensures the security and integrity of all types of information produced, collected, processed, stored or forwarded by institutions, organizations and companies as part of their activities and it allows authorized persons to access information easily, quickly and accurately when necessary. The rules have been integrated with the international ISO/IEC 27001 standard. Although there is no legal regulation directly obligating Arnavutköy Municipality to establish an ISMS, the ISMS Management Committee systematically established its ISMS to abide by certain applicable laws, regulations, strategies, action plans, etc.
The international standard followed for information security management is TS ISO/IEC 27001:2013.

Yönetimin Taahhüdü

To implement the ISMS, manage all kinds of risks related to information security and information assets, Arnavutköy Municipality commits to:

• Accept corporate information, employees' personal information, citizen/taxpayer and supplier information (financial data, personal information) as valuable and critical and fulfill the obligations imposed by the laws on information security,
• Provide the necessary infrastructure and take the necessary security measures in order for the information services used in corporate activities to continue uninterruptedly, personal and private data to be accessible only by authorized persons,
• Document and continuously improve the applications of the Information Security Management System and meet the requirements of the ISO/IEC 27001 standard,
• Support guiding people to ensure the effectiveness of information security management activities,
• Comply with all legal regulations and contracts related to information security,
• Systematically manage risks to information assets,
• Develop trainings for technical and behavioral competencies to enhance information security awareness; apply ISMS and other management systems in an integrated manner; and commit to work hard to become the leading organization with full-fledged information security practices in the field of local administration.
  
  

  Goals and Objectives of the ISMS

  With the establishment of an ISMS under the body of Arnavutköy Municipality, it is aimed to ensure the security and proper management of all information assets that corporate units have in the physical and digital environment. In addition, the availability of an approved ISMS system will help fulfill many obligations arising from the laws.

  In this regard, the objectives of the Information Security Management System are determined as follows:

  • To improve the quality of the Management System in accordance with the ISO27001 standard, and to ensure its continuity,
  • To increase the awareness of employees about the ISMS,
  • To increase the proficiency and competence related to ISMS processes,
  • To determine the costs of ISMS and create the necessary budget items and provide investments,
  • To reduce the risks of ISMS to acceptable levels.

Risk Management
Arnavutköy Municipality determines and analyzes the information security risks related to its assets in order to ensure the intended outputs of the Information Security Management System, and to prevent or reduce unwanted effects. It defines the activities necessary to correctly assess the nonconformities arising from risk management and turn them into an improvement opportunity, and plans and ensures the implementation of these activities by integrating them with ISMS processes.

The Framework of Information Security
To be implemented in Arnavutköy Municipality, the ISMS protects the confidentiality of corporate information provided in personal and electronic communications and information exchanges with third parties for everyone using the information processing infrastructure of the institution and accessing its information resources.

• Information is backed up according to its level of criticality.
• Security measures are taken according to the risk levels.
• Information security violations are reported and all necessary actions are taken.
• In-house information resources cannot be shared with third parties in any way except in cases clearly defined in the binding legislation or the contracts of the institution.
• Corporate information resources cannot be used for any purpose or activity contrary to the laws, affiliated legislations and directives.

Supply of Resources
Depending on its purpose and goals, Arnavutköy Municipality will supply the necessary human resources, financial assets, time, and infrastructure to fulfill the information security requirements and achieve its planned goals as per the binding legislations. The ISMS Management Committee will run and supervise the provision of the resources necessary for the ISMS.

Roles and Responsibilities
Roles and responsibilities are determined, and ISMS Management and Executive Committees are formed with the aim of building, implementing, sustaining, monitoring and continuously improving the system under the body of Arnavutköy Municipality.
In this context, the Management Committee will be responsible for the decision and approval stages of ISMS, and providing the necessary workforce and budget. It was decided that the Committee will consist of Committee President, Vice Presidents, Management Representative and Institution Managers in case of need. The Executive Committee is responsible for executing, maintaining and monitoring the decisions taken by the Management Committee and managing possible risks of information security. It was decided that the Executive Committee will consist of a Management Representative, ISMS Officer and teams designated in the directorates.

Execution of the Information Security Management System and User Responsibility

Arnavutköy Municipality has turned the requirements to be followed when setting up and managing the ISMS into written procedures in accordance with its business goals.

The relevant policies and procedures will rule access to information systems by mobile devices determined in the standards, as well as the use of the Internet to access the system and network safely, remote access, passwords, in addition to the use and checks of clean table and clean screen applications.

This policy will be supported by business continuity and emergency plans, data backup, and protection from viruses and malware, physical and environmental security, system supply and fulfilling maintenance requirements, communication and network security and access control procedures. The functioning of these areas is defined by specific documented policies and procedures.

The Target Tracking List is used to monitor, measure and evaluate the planned targets in the ISMS. Qualified internal auditors will conduct internal controls at least once a year. The Senior Management will review the Information Security Management System at scheduled intervals to ensure its continuous suitability, accuracy and effectiveness.

Arnavutköy Belediyesi; tedarikçiler vasıtası ile aldığı hizmetin kesintisiz ve kaliteli olarak sağlanmasını güvence altına almak ve isteklilerine iş yaptırma/ihalelere girme bariyeri koyma hususunda Bilgi Güvenliği/İdare Memnuniyetini bir tercih unsuru olarak görmektedir. Bu hususu kendi çalışanlarına, isteklilerine ve yüklenici/ tedarikçilerine açıkça deklare etmektedir. Bu bağlamda Kurum, tedarikçiler/yüklenicileri ile bu politika çerçevesinde çalışacaktır.

Arnavutköy Municipality considers Information Security/Management Satisfaction as a preferred element in order to ensure uninterrupted and high-quality service provision by its suppliers and to put a barrier for its bidders to do business/enter into tenders. It clearly declares this issue to its employees, bidders and contractors/suppliers. In this context, the institution will work with its suppliers/contractors within the framework of this policy.

The participation and awareness of all employees are important in ensuring the sustainability of the ISMS. To raise the personnel's awareness of information security, the Municipality will regularly send e-mails and SMS texts, place banners, posters and distribute brochures to ensure information security in the municipality campuses as much as possible and to encourage notification of violations.

All the personnel who have access to Arnavutköy Municipality's information and information processing systems are obliged to be aware of the Institution's Information Security Policy and the policies, procedures and instructions referred to in this policy. They are also responsible for abiding by the rules when using the municipality's assets. This obligation will be guaranteed by a commitment letter by all users (all personnel, including the management level, civil servants, employees, contractors, service procurement personnel, supplier companies' employees and third parties). The Acceptable Use of Assets Policy describes the rules to be followed in the use of assets in detail.

In cases where Information Security requirements are not met and policies and procedures are violated, a disciplinary process will be initiated. As per the binding legislation, the following sanctions will be imposed on the personnel, who are found to have committed a security violation:

• notification,,
• warning,
• penalty fine,
• temporary suspension,
• definite suspension,
• filing a compensation claim,
• recourse of the results of the compensation lawsuit.

One or more of these penalties may be imposed on the personnel committing the security violation. To ensure sustainability, information security violations will be recorded and corrective-remedial activities will be planned and followed up for the recorded Information Security violations. These activities are aimed at continuous improvement in the ISMS.

6698 SAYILI KVKK KANUNU KAPSAMINDA VERİ SAHİPLERİNİN HAKLARI

Veri sahipleri haklarındaki Belediye nezdindeki veri işleme faaliyetleri ve kayıtlara ilişkin olarak aşağıdaki haklara sahiptir:

•    Kişisel verisinin işlenip işlenmediğini öğrenme,
•    Kişisel verileri işlenmişse buna ilişkin bilgi talep etme,
•    Kişisel verilerin işlenme amacını ve bunların amacına uygun kullanılıp kullanılmadığını öğrenme,
•    Yurt içinde veya yurt dışında kişisel verilerin aktarıldığı üçüncü kişileri bilme,
•    Kişisel verilerin eksik veya yanlış işlenmiş olması hâlinde bunların düzeltilmesini isteme, 
•    KVKK veya bu politika uyarınca işlenmesi için hukuka uygun bir gerekçe veya dayanak bulunmayan kişisel verilerin silinmesini veya yok edilmesini isteme,
•    İsteği üzerine yapılan düzeltme veya silme işlemlerinin, kişisel verilerin aktarıldığı üçüncü kişilere bildirilmesini isteme,
•    İşlenen verilerin münhasıran otomatik sistemler vasıtasıyla analiz edilmesi suretiyle kişinin kendisi aleyhine bir sonucun ortaya çıkmasına itiraz etme,
•    Kişisel verilerin kanuna aykırı olarak işlenmesi sebebiyle zarara uğraması hâlinde zararın giderilmesini talep etme.

Arnavutköy belediyesi KVKK m. 11 uyarınca tarafınızca yapılacak başvuruları ivedilikle, etkin ve kapsamlı bir şekilde değerlendirebilmek ve çözümleyebilmek adına Veri Sahibi Başvuru Formunu iletişim sayfamızda bildirilen Arnavutköy Belediye Başkanlığı adresimize ıslak imzalı olarak iadeli taahhütlü posta ile iletebilir, elden teslim edebilir, noter kanalıyla veya KVKK’da belirtilen başka yöntemlerle ulaştırabilir ya da ilgili formu arnavutkoy@hs01.kep.tr adresine güvenli elektronik imzalı olarak gönderebilirsiniz. Arnavutköy Belediyesi, niteliğine göre, talebinizi mümkün olan en kısa sürede ve her halükarda en geç otuz (30) gün içinde ücretsiz olarak sonuçlandıracaktır. Ancak, başvurunuzun incelenmesi ve sonuçlandırılmasına yönelik olarak gerçekleştirilecek işlemlerin ayrıca bir maliyeti gerektirmesi halinde, Kişisel Verileri Koruma Kurulu tarafından belirlenen tarifedeki ücretler tarafınıza fatura edilecektir. Kişisel Verilerin Korunması Politikamızı indirip inceleyebilirsiniz. Kişisel Verilerin Korunması Kanunu hakkında daha detaylı bilgi almak için KVKK internet sayfasını ziyaret edebileceğinizi hatırlatmak isteriz.

OBJECTIVES AND DEFINITIONS
As Arnavutköy Municipality, we attach importance to the security of your personal data, which we process under the title of data controller defined in the Personal Data Protection Law No. 6698. For this reason, we would like to inform you about the processing of your personal data.

PURPOSE OF PROCESSING PERSONAL DATA
Your personal data are processed in accordance with the Personal Data Protection Law No. 6698 and secondary regulations within the framework of the following purposes and legal reasons: Your personal data such as "Name-surname, date of birth, telephone number, voice record, and your images taken in our service buildings during your visits to our institution and recorded by cameras in Arnavutköy parks" will be partially processed to address the caller correctly, confirm the call and determine the number of calls in statistical terms, provide information and consultancy services in our institution, use as evidence in any dispute and ensure the safety of the buildings and Arnavutköy parks by camera recordings pursuant to the legitimate interest specified in article 5/2-f of the law no. 6698.

TO WHOM AND FOR WHAT PURPOSE PERSONAL DATA CAN BE TRANSFERRED
Arnavutköy Municipality may share your personal data with partners and affiliates of the municipality (and/or third-party business partners when it is necessary to share the data for the completion of specific work) or, with Authorized Public Institutions if requested or necessary in accordance with the above-mentioned purposes and articles 8 and 9 of the Law.

THE METHOD AND LEGAL REASON FOR THE COLLECTION OF PERSONAL DATA
Arnavutköy Municipality collects your personal data by keeping audio recordings during phone calls, and taking security camera images during your visit to the institution locations and Arnavutköy parks. In addition, your personal data will also be collected in cases where you disclose by contacting Arnavutköy Municipality by other methods. Your personal data will be processed and kept for a limited period of time during the legal limited periods based on the legal reasons set out in article 5/2-f of the Law No. 6698.

OTHER INFORMATION

By applying to Arnavutköy Municipality as the data owner, you can be entitled to:

•    Find out if your personal data have been processed,
•    Request information in case your personal data have been processed,
•    Find out the purpose of processing personal data and whether they are used for the intended purpose,
•    Learn the third parties to whom your personal data are transferred at home or abroad,
•   Request correction of your personal data in case of incomplete or incorrect processing and request notification of third parties, to whom your personal data have been transferred, of such correction actions,
•  Request the deletion or elimination of your personal data if the reasons requiring its processing disappear and request notification of third parties, to whom your personal data have been transferred, of such correction actions,
•   Object to any conclusion against you resulting from processing your personal data only by automated systems,
•   Request the deletion or elimination of personal data in accordance with article 7 of the law, and request notification of third parties, to whom your personal data have been transferred, of such correction, deletion or elimination actions,
•   Request compensation for damages if you incur damages due to illegal processing of your personal data.

In case you submit your requests to use the rights listed above to Arnavutköy Municipality in accordance with the application procedures stipulated in the Communiqué on the Procedures and Principles of Application to the Data Controller, Arnavutköy Municipality will finalize your request as soon as possible and no later than 30 (thirty) days for free, depending on the nature of the application. However, if such an action requires an additional cost, Arnavutköy Municipality will be able to charge the fee in the tariff determined by the Personal Data Protection Board. For detailed information, please see our Personal Data Protection Policy at www.arnavutkoy.bel.tr.

ARNAVUTKÖY MUNICIPALITY CONTACT FORM CLARIFICATION TEXT
As Arnavutköy Municipality, we attach importance to the security of your personal data, which we process under the title of data controller defined in the Personal Data Protection Law No. 6698. For this reason, we would like to inform you about the processing of your personal data.

THE PURPOSE AND LEGAL REASON FOR PROCESSING YOUR PERSONAL DATA
Your personal data are processed in accordance with the Personal Data Protection Law No. 6698 and secondary regulations within the framework of the following purposes and legal reasons: in case you fill in the "CONTACT FORM" at www.arnavutkoy.bel.tr, your personal information such as "name-surname, e-mail, telephone number, message" will be processed by Arnavutköy Municipality to contact you, and to evaluate and finalize requests, complaints and suggestions as part of your contact request pursuant to the legitimate interest in article 5/2-f of the law no. 6698.

TRANSFERRING PERSONAL DATA
Arnavutköy Municipality will be able to share your personal data processed in accordance with the above purposes and legal reasons pursuant to article 5/2-ç of law No. 6698 with its partner Associations and Foundations (and/or with third-party business partners with whom information should be shared for the fulfillment of specific work) or public and private Institutions Authorized by Law in case of need.

METHODS OF COLLECTING PERSONAL DATA
Arnavutköy Municipality collects your personal data through the website you visit/contact form you fill in. In addition, your personal data will also be collected in cases where you disclose by contacting Arnavutköy Municipality by other methods.

STORING PERSONAL DATA
Your personal data will be processed in accordance with the aforementioned purposes and legal reasons pursuant to articles 5/2-ç and 5/2-f of the Personal Data Protection Law No. 6698 for legal periods and stored for a limited period of time.

YOUR RIGHTS REGARDING YOUR PERSONAL DATA

By applying to Arnavutköy Municipality as the data owner, you can be entitled to:
•    Find out if your personal data have been processed,
•    Request information in case your personal data have been processed,
•    Find out the purpose of processing personal data and whether they are used for the intended purpose,
•    Learn the third parties to whom your personal data are transferred at home or abroad,
•  Request correction of your personal data in case of incomplete or incorrect processing and request notification of third parties, to whom your personal data have been transferred, of such correction actions,
•  Request the deletion or elimination of your personal data if the reasons requiring its processing disappear and request notification of third parties, to whom your personal data have been transferred, of such correction actions,
•   Object to any conclusion against you resulting from processing your personal data only by automated systems
•  Request the deletion or elimination of personal data in accordance with article 7 of the law, and request notification of third parties, to whom your personal data have been transferred, of such correction, deletion or elimination actions,
•  Request compensation for damages if you incur damages due to illegal processing of your personal data.

In case you submit your requests to use the rights listed above to Arnavutköy Municipality in accordance with the application procedures stipulated in the Communiqué on the Procedures and Principles of Application to the Data Controller, Arnavutköy Municipality will finalize your request as soon as possible and no later than 30 (thirty) days for free, depending on the nature of the application. However, if such an action requires an additional cost, Arnavutköy Municipality will be able to charge the fee in the tariff determined by the Personal Data Protection Board.

For detailed information, please see our Personal Data Protection Policy at www.arnavutkoy.bel.tr. I have been informed by Arnavutköy Municipality about the methods, purposes and legal reasons for processing and transferring my personal data and the rights I have.

COOKIES POLICY
This Cookies Policy applies to the websites operated by Arnavutköy Municipality and the platforms accessed and used through mobile applications, third-party programs or websites (briefly referred to as the "Platform").

As Arnavutköy Municipality, we are working to protect the privacy of the users of our Platforms in order to ensure that they benefit from our services safely and completely. For this reason, we are using Cookies to show personal content to visitors, to perform analytical activities on the website, and to track visitor usage habits in order to make full and secure use of our services.

This Cookies Policy is an integral part of the "Personal Data Protection Policy". Arnavutköy Municipality has prepared this Cookies Policy to explain which cookies are used and how users can manage their preferences in this regard. For more detailed information about the processing of your personal data by Arnavutköy Municipality, we recommend that you review the "Personal Data Protection Policy of Arnavutköy Municipality".

What are Cookies?
Cookies are small data files that visitors of websites leave on their computers or mobile devices. The next time they connect, websites read these data files that users created when they first visited, allowing them to work more efficiently and quickly load user settings such as preferred website language.

What are the Types of Cookies?
There are two types of cookies depending on their validity periods: temporary and permanent cookies. Temporary cookies are defined as data files that are created during users' visits to the website, store the user's preferences during this visit, and are automatically deleted when the visit ends and the user leaves the website. Permanent cookies, on the other hand, are not deleted even after the end of the user's visit and continue to work on the user's device in the folder reserved for its purpose until the expiration of the validity period. The user preferences stored in this data file are quickly read and loaded from this file the next time the user visits the website, allowing the user to get a faster and more efficient website experience.

Both temporary and permanent cookies can be used on Arnavutköy Municipality websites and mobile applications for the following purposes:
•   To ensure website security management
•   To ensure that the website and the application function as intended
•   To monitor the performance of the website or the application and keeping it at a high level
•   To save user time by remembering user preferences
•   To measure the effectiveness of Arnavutköy Municipality and third-party ads used on the website.

Why are Cookies Used?
Cookies are used to:
 •   Enable the basic functions necessary for the operation of our platforms,
 •   Record the user experience and preferences on our platforms for the purpose of personalizing their subsequent visits,
 •   Carry out product and service promotion activities for your interest,
 •   Customize our platforms according to your preferences,
 •   And analyze our platforms and increase their performance.

The cookies we use do not contain any confidential information belonging to users.

Are Cookies Mandatory?
Internet browsers on computers or mobile devices allow cookies by default. These cookie settings allow websites to use this feature to enhance the user experience. Users can change their cookie settings and partially or completely block the use of cookies by methods that vary depending on the type of internet browsers on their devices. The method of changing the cookie usage terms varies depending on the browser type and users can learn about this from the relevant service provider at any time.

As with cookies of other internet sites, users can partially or completely block the cookies used by Arnavutköy Municipality whenever they want. However, this is not recommended since almost all of our cookies are designed to make the website or the application function properly and blocking them may result in disrupted functions.

Performance and Analysis Cookies
Thanks to these cookies, we are able to improve the services we provide to you by analyzing your use of our website as well as the performance of our website. For example, thanks to these cookies, we are able to determine which pages our visitors view the most, whether our website is working as it should and identify possible problems.

How Can You Control Cookies?
You can personalize your cookie preferences by changing the settings of your browser. You must choose preference settings for cookies individually for each device through which you access the Platform.

You can control or delete cookies as you wish. You can delete cookies that are already available on your device and set your internet browser to block cookies. However, we would like to warn you that if you set your browser to block cookies, some of the services on our website may not work properly. You must make your preferences regarding cookies individually for each device on which you access the Platform.

Do Arnavutköy Municipality's Cookies Store My Confidential Information?
Arnavutköy Municipality does not store the confidential information of its users through cookies. Cookies contain only information about your visit history and do not access files stored on your computer or mobile device. Arnavutköy Municipality has the right to make changes to this Cookies Policy without notifying its users or website visitors.

Objectives and Definitions
As Arnavutköy Municipality, we attach importance to the security of your personal data, which we process under the title of data controller defined in the Personal Data Protection Law No. 6698. For this reason, we would like to inform you about the processing of your personal data.

Your personal data are processed in accordance with the Personal Data Protection Law No. 6698 and secondary regulations within the framework of the following purposes and legal reasons:

Purpose of Processing Personal Data
Your personal data such as "name-surname, ID number, e-mail, telephone number, address, population and citizenship information, photograph, and details of requests, complaints or suggestion" that you share with our institution by petition or applying in person are processed by Arnavutköy Municipality for the purposes of contacting you, and evaluating and finalizing complaints and suggestions within the scope of your requests, complaints, suggestions, requests for information pursuant to the legitimate interest stipulated in article 5/2-f of the law no. 6698.

To Whom and for What Purpose Personal Data can be Transferred
Arnavutköy Municipality will be able to share your personal data processed in accordance with the above purposes and legal reasons pursuant to article 5/2-ç of law No. 6698 with its partner Associations and Foundations (and/or with third-party business partners with whom information should be shared for the fulfillment of specific work) or public and private Institutions Authorized by Law in case of need.

The Method and Legal Reason for the Collection of Personal Data
Arnavutköy Municipality collects your personal data through your petition or with your declaration during your application in person. In addition, your personal data will also be collected in cases where you disclose by contacting Arnavutköy Municipality by other methods.

Your personal data will be processed in accordance with the aforementioned purposes and legal reasons pursuant to articles 5/2-ç and 5/2-f of the Personal Data Protection Law No. 6698 for legal periods and stored for a limited period of time.

Other Information
By applying to Arnavutköy Municipality as the data owner, you can be entitled to:
•    Find out if your personal data have been processed,
•    Request information in case your personal data have been processed,
•    Find out the purpose of processing personal data and whether they are used for the intended purpose,
•    Learn the third parties to whom your personal data are transferred at home or abroad,
•    Request correction of your personal data in case of incomplete or incorrect processing and request notification of third parties, to whom your personal data have been transferred, of such correction actions,
•   Request the deletion or elimination of your personal data if the reasons requiring its processing disappear and request notification of third parties, to whom your personal data have been transferred, of such correction actions,
•   Object to any conclusion against you resulting from processing your personal data only by automated systems,
•   Request the deletion or elimination of personal data in accordance with article 7 of the law, and request notification of third parties, to whom your personal data have been transferred, of such correction, deletion or elimination actions,
•   Request compensation for damages if you incur damages due to illegal processing of your personal data.

In case you submit your requests to use the rights listed above to Arnavutköy Municipality in accordance with the application procedures stipulated in the Communiqué on the Procedures and Principles of Application to the Data Controller, Arnavutköy Municipality will finalize your request as soon as possible and no later than 30 (thirty) days for free, depending on the nature of the application. However, if such an action requires an additional cost, Arnavutköy Municipality will be able to charge the fee in the tariff determined by the Personal Data Protection Board.

For detailed information, please see our Personal Data Protection Policy at www.arnavutkoy.bel.tr.