ANTALYA MAYSEN TURİZM SEYAHAT ACENTASI TURSAB LICENSE NO: 17737

ŞAH GRUP MEDİKAL İTHALAT İNŞAAT TURİZM SANAYİ VE TİC. LTD. ŞTİ.
INFORMATION SECURITY POLICY

a) Purpose and Scope

This Information Security Policy ("Policy") has been prepared by ŞAH GRUP MEDİKAL İTHALAT İNŞAAT TURİZM SANAYİ VE TİC. LTD. ŞTİ. ("Şah Grup") to meet information security requirements arising from national, international, or sectoral regulations, relevant legislation and standard requirements, to fulfill obligations arising from agreements, to address corporate responsibilities, and to protect Şah Grup and its users against security threats that could compromise integrity, confidentiality, reputation, or business processes.

The scope of this Policy covers the processing of personal data and information belonging to the following data subjects:

  • Actual Customers
  • Potential Customers
  • Corporate Customer Shareholders, Officials, Employees
  • Company Officials and Shareholders
  • Business Partner Shareholders, Officials, Employees
  • Supplier Shareholders, Officials, Employees
  • Employee Candidates
  • Visitors
  • Third Parties

"Information" refers to any document, data (including personal data), content, information, or object, regardless of its medium or format (including physical and electronic records).

b) Responsibilities Regarding Information Security

Within the framework of this Policy, Şah Grup will protect the confidentiality, integrity, and availability of the company's information assets and keep process-related risks at an acceptable level. Fulfilling the requirements of the Personal Data Protection Law (KVKK) is among these responsibilities. As the data controller, Şah Grup acts in accordance with the data processing principles set out in Article 4 of the KVKK, which are:

  • Compliance with the law and rules of honesty,
  • Being accurate and, where necessary, up-to-date,
  • Being processed for specific, explicit, and legitimate purposes,
  • Being relevant, limited, and proportionate to the purposes for which they are processed,
  • Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

All employees are obliged to comply with all information security procedures, including ensuring confidentiality and data integrity. Failure to comply with these procedures may result in disciplinary action against the relevant employees. Each employee is responsible for the operational security of the information systems they use. Every system user is obliged to comply with the current privacy requirements and must ensure that the confidentiality, integrity, and availability of the information they use are protected to the highest standard.

c) Method

The following methods and principles will be applied to ensure information security:

  • The confidentiality and security of customer information must be ensured, maximum care must be taken to protect customer information, and actions must be in compliance with relevant legislation.
  • Action must be taken as soon as possible and without interruption to comply with all legal regulations and contracts related to information security.
  • Information security awareness training must be included in the recruitment and onboarding processes.
  • Employee security requirements must also be addressed during recruitment processes, and all employment contracts must include a confidentiality clause.
  • Information security expectations for employees should be included in appropriate job descriptions.
  • Access to information systems or restricted areas containing stored data must be provided only to relevant and authorized employees.
  • Access to computer facilities must be limited to authorized users who have a business need to use these facilities.
  • Equipment must be physically protected from all kinds of threats and environmental hazards to minimize loss of or damage to business assets, personal data, and information.
  • After identifying information security risks, necessary action plans will be implemented to manage and eliminate these risks.
  • All information security breaches will be investigated to determine their causes and effects in order to prevent similar incidents from occurring.
  • Şah Grup will use countermeasure software and management procedures to protect against malicious software. All employees are expected to act in cooperation within the scope of this policy.