Disclosure Statement
​​​​​İSTANBUL ŞEHİR UNIVERSITY
DISCLOSURE STATEMENT ON THE PROTECTION AND
PROCESSING OF PERSONAL DATA

Istanbul Şehir University (the University) takes all legal, technical and administrative measures to protect your privacy while processing, transferring, deleting, destroying or anonymizing your personal data or special categories of personal data in accordance with the Law on the Protection of Personal Data No. 6698.

The university has taken the decision to publish this Disclosure Statement to inform you about the purposes for which your personal data will be processed, about the parties to whom such data will be transferred and for what purposes, the data processing methods used, the legal reasons, and your rights under the Law on the Protection of Personal Data No. 6698 and other legislation.

1) Data Supervisor

In its capacity as “Data Supervisor”, Istanbul Şehir University can collect, process and transfer your personal data or special categories of personal data in accordance with the Law on the Protection of Personal Data No. 6698.

2) Why We Collect and Process Your Personal Data

Although it may vary depending on your relationship with Istanbul Şehir University, your personal data or special categories of personal data will be collected, processed and transmitted verbally, in written, or electronically through media such as the university departments, the website, social media platforms, mobile apps, etc. using automated or non-automated methods. On the basis of your relationship with Istanbul Şehir University, your personal data or special categories of personal data will be processed and transmitted in accordance with the information whose authenticity you have confirmed. Your personal data or special categories of personal data may be processed in order to:
  • Enable the relevant units to perform the necessary work to allow you to benefit from the services provided by the university, promote our university and its activities, maintain educational activities, or conduct scientific research, publishing and consultancy services.
  • Fulfill the obligations set forth by the Higher Education Council (YÖK) and the relevant legislation, in particular the Higher Education Law, and ensure the provision of rights and obligations arising from educational activities within the scope of university regulations, directives and internal regulations.
  • Increase service quality, ensure service continuity, perform listing, reporting, verification, analysis and evaluations to reduce the costs and the workload, produce statistical and scientific data, perform evaluation of educational outcomes and follow-up on student performance, and organize activities, courses, development programs, exhibitions, conferences, workshops, and meetings on or off campus.
  • Protect and fulfill the rights and obligations of students studying at the relevant departments or doing internships within the units at the university or other places outside the university.
  • Inform students about the work areas required concerning university education and training activities, promote them and make offers in terms of continuing the educational and work relations between graduate students and the university.
  • If the student is a member of any of the university clubs, process data to keep records of the associations, foundations, and NGOs with which said club has a connection in accordance with the legislation and share these with authorized public offices and private persons where necessary.
  • Meet the needs of students, employees and short-term visitors staying in the dormitories, lodgings, social facilities, etc. on campus.
  • Fulfill the legal obligations and the requirements or requests of the judicial organs or the competent administrative bodies, including ensuring the safety of life and property of all university stakeholders (students/employees/visitors), or ensuring compliance with the regulations in this context, transfer them to the information processing infrastructures by taking the necessary safety and legal precautions and, for the realization of these purposes, archive data in order to fulfill legal obligations on electronic or physical environments.

Your personal data will be processed in accordance with the personal data processing requirements and purposes set forth in Articles 5 and 6 of Law No. 6698 to improve our services in line with your personal preferences, to enable us to contact you via the communication channels you have shared with us for market research purposes, to notify you about educational activities, to promote the university, make offers, to carry out Social Responsibility Projects in which the university is an executive or stakeholder, to carry out your registration process in line with the principles of efficiency and service quality, to execute and develop the university’s business and academic processes and to enable students to benefit from these services within the scope of educational activities. It will also be processed to:
  • Determine and implement the university’s commercial and business strategies within the scope of the university’s business processes in line with its business strategies, manage system and application management operations, financial operations, procurement operations, and legal operations within the university, and execute commercial and legal evaluation processes, legal and commercial risk analyses, legal compliance processes, financial affairs, communication, market research and social responsibility activities.
  • Execute operations within the scope of the university’s Human Resources policies and in accordance with the university’s Human Resources policies, to recruit qualified staff for open positions, fulfill obligations under the Labor Law, the Social Security Law and related legal regulations governing work life and occupational health and safety, and take the necessary measures.​
  • Fulfill the rights and obligations of all natural and legal persons and their affiliates with whom the university has a contractual relationship.

Article 5 of the Law on the Protection of Personal Data No. 6698 reads as follows:

ARTICLE 5 - (1) Personal data cannot be processed without the express consent of the related party.
(2) In the event that one of the following conditions is present, it is possible to process personal data without the express consent of the related party:
a) It is clearly stipulated in the law.
b) It is necessary to protect the life or bodily integrity of someone else or the person themselves, who is not in a state to express their consent due to physical impossibility or whose consent has no legal validity.
c) The processing of personal data belonging to the parties involved is required, provided that it is directly related to the establishment or execution of an agreement.
ç) It is compulsory for the Data Supervisor to fulfill their legal obligation.
d) It is publicized by the related party themselves.
e) Data processing is necessary in order to institute, use or protect a right.
f) Data processing is necessary for the Data Supervisor’s legitimate interests, provided that it is not to the detriment of the related party’s fundamental rights and freedoms.”

Article 6 of the Law on the Protection of Personal Data No. 6698 reads as follows:

ARTICLE 6 - (1) Data related to a person’s race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, their appearance, affiliation with an association, foundation or union, their health, sexual orientation, criminal convictions or safeguards, and biometric and genetic data are special categories of personal data​.
(2) Processing special categories of personal data is prohibited without the express consent of the related party.
(3) Personal data other than that concerning a person’s health and sexual orientation, as stated in the first paragraph, may be processed without the express consent of the related party in cases stipulated in the law. Personal data on health and sexual orientation can be processed by individuals under a confidentiality obligation or by authorized institutions and organizations without the related party’s express consent only to protect public health, provide preventive medicine, medical diagnoses, treatment and care services, to plan health services or to manage financing.
(4) In the processing of special categories of personal data, it is also obligatory to take the adequate measures determined by the Board.”

3)  To Whom and for What Purposes the Processed Data Can Be Transferred 

Your processed personal data or special categories of personal data may be shared with authorized bodies such as the foundation trust, business partners, higher education institutions, SGK (Social Security Institution), and lawfully authorized public institutions such as ministries, judicial authorities, as well as consultancy agencies, parties, partner organizations or payment system organizations to the extent that it is allowable to do so within the framework of the requirements and purposes for processing personal data stated in Article 8 and 9 of Law No. 6698 for the following purposes: to carry out the educational activities provided by Istanbul Şehir University, carry out the administrative and academic processes to ensure the continuity of our university services, ensure the legal and commercial security of the university and real or legal persons who have contractual relations with the university, provide physical security and control in and around campus facilities and buildings, carry out legal compliance processes, execute financial affairs, and identify and fulfill commercial and business strategies.

Article 8 of the Law on the Protection of Personal Data No. 6698 reads as follows:

ARTICLE 8 - (1) Personal data cannot be transferred without the express consent of the related person.
(2) Personal data may be transferred without the express consent of the related party in the event one of the conditions stated in either:
a) Article 5, Paragraph 2, or 
b) Provided adequate measures are taken, Article 6, Paragraph 3, apply.
(3) The provisions in other laws related to the transfer of personal data are reserved.”

Article 9 of the Law on the Protection of Personal Data No. 6698 reads as follows:

ARTICLE 9 - (1) Personal data cannot be transferred overseas without the express consent of the related party.
(2) Personal data can be transferred overseas without the express consent of the related party in the event one of the conditions stated in Article 5, Paragraph 2 and Article 6, Paragraph 3 are met, and the foreign country to which the personal data shall be transferred:
a) Has adequate protection.
b) In case there is not an adequate level of protection, if the data controllers in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the Board exists.
(3) Countries with adequate protection are determined and announced by the Board.
(4) The Board shall decide whether there is adequate security in the foreign country and if permission can be given in accordance with Sub-Paragraph (b), Paragraph 2 by evaluating;
a) International agreements of which Turkey is a party.
b) The state of reciprocity related to data transfer between the country requesting personal data transfer and Turkey.
c) The nature, purpose and duration of processing personal data in relation to every tangible personal data transfer.
ç) The related legislation of the country to which personal data will be transferred, and its application.
d) Measures committed by the data controller in the country to whom personal data will be transferred and where necessary, by obtaining the opinion of the related institutions and organizations.​
(5) In the event that Turkey or the related party’s interests will be seriously harmed, personal data may be transferred overseas solely with the Board’s permission after obtaining the opinion of the related public institute or organization, with the provisions of international agreement reserved.
(6) The provisions in other laws related to the transfer of personal data overseas are reserved.”

4) Methods Used and Legal Reasons for Collecting Your Personal Data 

Your personal data or special categories of personal data may be collected, processed and transferred in any verbal, written or electronic environment in line with the purposes set out above in order to provide university services and fulfill the obligations arising from contracts, the law and the internal university regulations (regulations, guidelines, policies and procedures) in a thorough and accurate manner.

5) Responsibilities of the Data Supervisor

5.1. Obligation of Disclosure
Data supervisors or persons authorized by them will have to provide the following information to persons whose data is processed concerning collected personal data and/or special categories of personal data​. That is to say:
  • ​​The identity of the Data Supervisor, and, if any, their representative.
  • Why the personal data will be processed.
  • To whom and for what purpose the processed data can be transferred.
  • The method of and legal reason for collecting the personal data.
  • Other rights listed in Article 11.
The Data Supervisor and/or a person authorized by him/her may fulfill the obligation of disclosure by using physical or electronic media such as an oral or written notification, voice recording, or a call center.
5.2. Liabilities Related to Data Security
The responsibilities of Istanbul Şehir University in its capacity as Data Supervisor in accordance with Article 12 of the Law on the Protection of Personal Data No. 6698 are as follows:
​a) To prevent the illegal processing of personal data.
b) To prevent illegal access to personal data.
c) To take all sorts of technical and administrative measures to ensure protection of personal data.
d) To carry out the required controls or have them conducted at the institute or organization and to ensure that the provisions of this Law are fulfilled.
e) In the event that the personal data processed is obtained illegally by others, the Data Supervisor shall notify the related party and the Board of the situation as soon as possible.
Data supervisors and persons authorized by them cannot disclose the personal data they have ascertained to others or use it for purposes contrary to this Law, other than processing. This liability continues even after they have left their positions.
​5.3. Removal, Destruction or Anonymization of Personal Data
Despite having been processed in accordance with Law No. 6698 and the provisions of other relevant laws, in the event that the reasons behind the processing of personal data no longer apply, the personal data shall be deleted, destroyed or anonymized by the Data Supervisor ex officio or upon the request of the related party.

6)  Rights of the Personal Data Owner under the Law on the Protection of Personal Data​ 

As a personal data owner, if you make a request to the university concerning your rights specified in the Law on the Protection of Personal Data No. 6698 via the methods set out below, the request will be processed free of charge within 30 days at the latest according to the nature of the request.  However, in the case the procedure requires an additional cost, a fee rate determined by the Board may be payable. In this respect, owners of personal data have the following rights according to Article 11 of the Law on the Protection of Personal Data No. 6698: 
  • ​​To find out whether their personal data has been processed.
  • If their personal data has been processed, to request information in relation to this.
  • To find out why their personal data has been processed and whether it has been used for the intended purpose.
  • To find out who the third parties to whom personal data is transferred within the country or overseas are.
  • To request correction of personal data if it is incomplete or improperly processed and that third parties be informed of the actions taken.
  • To request the deletion or destruction of personal data in the event that the reasons for the processing of the such data no longer exist, despite the fact that it has been processed in accordance with the provisions of this Law and other relevant laws and to request that third parties be informed of the actions taken.
  • To object to the outcome of a result against them made through the analyzing of processed data exclusively via automatic systems.
  • To request the remedy of losses in the event that said person incurs losses due to the illegal processing of their personal data. 

Pursuant to Article 13, Sub-Paragraph 1 of the Law on the Protection of Personal Data and the Edict Regulating Applications to the Data Supervisor, data owners must forward their requests to data supervisors for exercising their above-mentioned rights in writing or using a registered e-mail address, a secure electronic signature, mobile signature or an e-mail address previously notified to the Data Supervisor by the related data owner and recorded in the system of the Data Supervisor or via software or an application specifically developed for such applications.

The following information must be included in applications made by personal data owners. That is to say:
a) Name, surname and a signature if a written application.
b) Turkish ID no. for Turkish citizens; proof of nationality, passport number or ID no., if any, for foreigners.
c) Place of residence or work address for receival of notifications.
ç) Electronic mail address, phone or fax number, if any, for receival of notifications.
d) The subject matter of the request.

All information and documents relating to the application will be added to the application file. For written applications, the date on which the document has been delivered to the Data Supervisor or his/her representative is accepted as the date of the application. For applications using other methods, the application date is the date when the Data Supervisor receives the application.

The channels and procedures through which you can submit written applications to the university within the framework of Article 11 of the Law on the Protection of Personal Data No. 6698 are explained below. You can submit a written request to exercise your rights as per Article 11 of the Law on the Protection of Personal Data to İstanbul Şehir Üniversitesi Dragos Kampüsü Orhantepe Mahallesi, Turgut Özal Bulvarı, No: 21, 34865 Dragos, Kartal/İstanbul in person by including your ID details in your application, through a notary, through other methods mentioned in the Law on the Protection of Personal Data No. 6698, or by sending an e-mail to istanbulsehiruniversitesi@hs03.kep.tr​ with a secure electronic signature.