{"id":7954,"date":"2025-10-13T01:05:46","date_gmt":"2025-10-12T22:05:46","guid":{"rendered":"https:\/\/antlojistik.com.tr\/en\/?page_id=7954"},"modified":"2025-10-13T01:05:47","modified_gmt":"2025-10-12T22:05:47","slug":"information-security-management","status":"publish","type":"page","link":"https:\/\/antlojistik.com.tr\/en\/information-security-management\/","title":{"rendered":"Information Security &amp; Management"},"content":{"rendered":"\n<p><strong>DATA BREACH RESPONSE PLAN<\/strong><\/p>\n\n\n\n<p><strong>Purpose, Scope, and Definitions<\/strong><\/p>\n\n\n\n<p><strong>Purpose<\/strong><\/p>\n\n\n\n<p>This Plan aims to define roles and responsibilities within ANT Lojistik Limited \u015eirketi (&#8216;Company&#8217;) as the data controller in order to fulfill obligations to ensure an appropriate level of security to protect fundamental rights and freedoms\u2014particularly the privacy of private life\u2014prevent unlawful processing, prevent unlawful access, and ensure the preservation of personal data; and to set out procedures and principles regarding who will report to whom within the Company in the event that personal data processed is obtained by others through unlawful means, notifications to be made under the Law, assessment of possible consequences of the data breach, and who holds responsibility within the Company.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Scope<\/h5>\n\n\n\n<p>The scope of this Plan includes employees tasked with processing personal data by the Company in physical or electronic environments.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Definitions<\/h5>\n\n\n\n<p>For the purposes of this Plan:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Explicit consent:<\/strong> Consent that is related to a specific subject, based on information, and declared with free will.<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data subject:<\/strong> The natural person whose personal data is processed.<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Law: <\/strong>Personal Data Protection Law No. 6698 (&#8216;Law&#8217;).<\/li>\n\n\n\n<li><strong>Personal data:<\/strong> Any information relating to an identified or identifiable natural person.<\/li>\n\n\n\n<li><strong>Processing of personal data:<\/strong> Any operation performed upon personal data wholly or partially by automatic means or by non-automatic means provided that it is a part of any data registry system, such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing use.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Board:<\/strong> Personal Data Protection Board.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Plan: <\/strong>Company\u2019s Data Breach Response Plan.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data Breach: <\/strong>Personal data processed by the data controller being obtained by others through unlawful means.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data registry system:<\/strong> The registry system in which personal data is processed by being structured according to specific criteria.<\/li>\n<\/ul>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Data controller:<\/strong> The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data registry system.<\/li>\n<\/ol>\n\n\n\n<h5 class=\"wp-block-heading\">Data Breach<\/h5>\n\n\n\n<p>Pursuant to Article 12\/5 of the Law, it is defined as personal data processed by the Company being obtained by others through unlawful means. 
In addition, a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed, shall also be considered a Data Breach within the scope of this Plan.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Objectives, Roles, and Responsibilities<\/h5>\n\n\n\n<p><strong>Objectives<\/strong><\/p>\n\n\n\n<p>In the event of a Data Breach, the Company\u2019s objectives under this Plan are to:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Investigate the incident that caused the Data Breach internally across all relevant departments (in cooperation with law enforcement and other public institutions where necessary).<\/li>\n\n\n\n<li>Identify the source of the Data Breach.<\/li>\n\n\n\n<li>Identify the categories of personal data affected by the Data Breach.<\/li>\n\n\n\n<li>Identify the groups\/parties of data subjects affected by the Data Breach.<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Determine the impact of the Data Breach on the Company\u2019s organization, including the extent of commercial loss, operational reduction, reputational harm, and\/or financial damage, and minimize them lawfully.<\/li>\n\n\n\n<li>Determine the time to recovery after the Data Breach.<\/li>\n\n\n\n<li>If there is a cyberattack, determine whether information systems were affected, the breached element, the impact on the Company\u2019s organization, and the time to recovery after the attack.<\/li>\n<\/ul>\n\n\n\n<p>\u2022 Determine steps taken to prevent recurrence of the breach and estimate the timelines to complete them.<\/p>\n\n\n\n<p>\u2022 Notify the Board within 72 hours in accordance with the Law.<\/p>\n\n\n\n<p>\u2022 Notify affected data subjects as soon as possible using appropriate methods.<\/p>\n\n\n\n<p>\u2022 Notify employees as soon as 
possible.<\/p>\n\n\n\n<p>\u2022 Where necessary, notify other domestic organizations or institutions within legal deadlines.<\/p>\n\n\n\n<p>\u2022 Notify foreign data protection authorities or relevant institutions within legal deadlines where applicable.<\/p>\n\n\n\n<p>\u2022 Conduct internal audits, organize training activities, and ensure internal communication after the incident to minimize future Data Breaches.<\/p>\n\n\n\n<p>\u2022 Record information about data breaches, their impacts, and measures taken and keep them ready for the Board\u2019s inspection.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Departments and Responsibilities<\/h5>\n\n\n\n<p>In the event of a Data Breach, departments responsible under this Plan shall be determined according to the nature of the incident; at least one representative from each department will be assigned. Responsibilities include:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong><u>Management\/Consultant<\/u><\/strong><\/td><td><strong><u>Responsibilities in the Event of a Data Breach<\/u><\/strong><\/td><\/tr><tr><td><strong>Management\/Consultant<\/strong><\/td><td>Investigate the incident internally (and with relevant authorities where necessary).<br>\u2022 Identify the source, affected data categories, affected groups, potential impacts, organizational impacts, time to recovery, and non-recurrence steps and timelines.<br>\u2022 Notify the Board within 72 hours; notify foreign authorities where applicable; record all details; conduct internal audit, training, and communication; ensure notification by the data processor where relevant; review the Plan every six (6) months from its effective date.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>&nbsp;<\/td><td><\/td><\/tr><tr><td><strong>IT Department<\/strong><\/td><td>Determine whether information systems were affected; identify the 
breached element; determine organizational effects and recovery time.<\/td><\/tr><tr><td><strong>Human Resources Department<\/strong><\/td><td>Determine whether the breach was carried out by a Company employee; determine whether employees were affected; identify the breached element, organizational effects, and recovery time; prepare training and carry out internal communication; notify employees promptly; conduct internal audit after the incident.<br>Notify affected data subjects as soon as possible using appropriate methods; notify domestic organizations or institutions within legal deadlines where necessary.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>&nbsp;<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h5 class=\"wp-block-heading\">Notification by the Data Controller<\/h5>\n\n\n\n<p>To prevent or minimize adverse consequences that may arise for affected individuals, notifications must be made to the Board and to affected data subjects. 
In line with the Board\u2019s Decision dated 24.01.2019 and numbered 2019\/10, the Company shall:<\/p>\n\n\n\n<p>\u2022 Notify the Board without delay and within 72 hours at the latest from the date the Data Breach is learned.<\/p>\n\n\n\n<p>\u2022 Upon identification of affected individuals, notify data subjects as soon as reasonably possible, directly if contact information is available, or via appropriate methods such as publication on the Company\u2019s website if not.<\/p>\n\n\n\n<p>\u2022 If it is not possible to notify the Board within 72 hours for a justified reason, explain the reasons for the delay together with the notification.<\/p>\n\n\n\n<p>\u2022 Use the &#8216;Personal Data Breach Notification Form&#8217; available at https:\/\/ihlalbildirim.kvkk.gov.tr\/ or the form in Annex-1 of this Plan for notifications to the Board and read the guide in Annex-2 when using the internet form.<\/p>\n\n\n\n<p>\u2022 Where it is not possible to provide all information at once, provide such information in stages without delay.<\/p>\n\n\n\n<p>\u2022 Record information about data breaches, their impacts, and measures taken and keep them ready for the Board\u2019s inspection.<\/p>\n\n\n\n<p>All notification-related activities shall be carried out by the units specified above.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Principles for Notifying the Data Subject<\/h5>\n\n\n\n<p>Pursuant to the Board\u2019s Decision dated 18.09.2019 and numbered 2019\/271, notifications to affected or potentially affected data subjects shall be made in clear and plain language and shall include at least:<\/p>\n\n\n\n<p>\u2022 When the breach occurred;<\/p>\n\n\n\n<p>\u2022 Which personal data categories were affected (distinguishing between personal data and special categories of personal data);<\/p>\n\n\n\n<p>\u2022 Possible consequences of the personal data breach;<\/p>\n\n\n\n<p>\u2022 Measures taken or proposed to reduce adverse effects;<\/p>\n\n\n\n<p>\u2022 Names and contact details 
of contact persons from whom data subjects can obtain information about the breach, or the full address of the data controller\u2019s website, call center, etc.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Notification by the Data Processor<\/h5>\n\n\n\n<p>Where personal data held by the data processor is obtained by others through unlawful means, the data processor shall, without delay, notify the data controller (the Company). The Company shall then notify the Board.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Cross-Border Data Breach<\/h5>\n\n\n\n<p>If a data breach occurs at a data controller located abroad and affects data subjects resident in T\u00fcrkiye who benefit from the products and services in T\u00fcrkiye, that data controller shall also notify the Board.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Entry into Force<\/h5>\n\n\n\n<p>This Plan enters into force as of [\u2022] and after its publication on the Company\u2019s website.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Review of the Plan<\/h5>\n\n\n\n<p>This Plan shall be reviewed periodically every six (6) months.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DATA BREACH RESPONSE PLAN Purpose, Scope, and Definitions Purpose This Plan aims to define roles and responsibilities within ANT Lojistik Limited \u015eirketi (&#8216;Company&#8217;) as the data controller in order to fulfill obligations to ensure an appropriate level of security 
to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-7954","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/antlojistik.com.tr\/en\/wp-json\/wp\/v2\/pages\/7954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antlojistik.com.tr\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/antlojistik.com.tr\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/antlojistik.com.tr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/antlojistik.com.tr\/en\/wp-json\/wp\/v2\/comments?post=7954"}],"version-history":[{"count":1,"href":"https:\/\/antlojistik.com.tr\/en\/wp-json\/wp\/v2\/pages\/7954\/revisions"}],"predecessor-version":[{"id":7955,"href":"https:\/\/antlojistik.com.tr\/en\/wp-json\/wp\/v2\/pages\/7954\/revisions\/7955"}],"wp:attachment":[{"href":"https:\/\/antlojistik.com.tr\/en\/wp-json\/wp\/v2\/media?parent=7954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}