
Supplier & Business Partner Privacy Notice
This Privacy Notice for suppliers and business partners has been prepared to ensure compliance with the Personal Data Protection Law No. 6698 (the “Law”) in relation to the personal data that we have obtained or will obtain from you (“Data Subject”) within the scope of the products and services we provide.
Data Controller under the Law
In accordance with Article 3 of the Law, the Data Controller is:
SANUS SIGORTA BROKERLIĞI ANONIM ŞIRKETI (“Sanus”)
Harbiye Mah. Asker Ocağı Cad. Süzer Plaza No: 6 İç Kapı No: 120 Şişli / İstanbul
Tax ID: 7441222438
Trade registry number: 1094833 / Istanbul Trade Registry
Sanus processes personal data of users in compliance with the Law and related secondary regulations.
Principles Governing the Processing of Personal Data
Personal data are processed in accordance with the following principles, pursuant to Article 4 of the Law:
Lawfulness and fairness
Being accurate and kept up to date where necessary.
Being processed for specified, explicit and legitimate purposes.
Being relevant, limited and proportionate to the purposes for which they are processed.
Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.
Legal Grounds for Processing Personal Data (Article 5 and 6)
Personal data are processed in accordance with Articles 5 and 6 of the Law. Personal data shall not be processed without explicit consent of the data subject.
Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met (Article 5 of the Law):
It is expressly provided for by the laws.
It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to physical disability or whose consent is not deemed legally valid.
Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
It is necessary for compliance with a legal obligation to which the data controller is subject.
Personal data have been made public by the data subject himself/herself.
Data processing is necessary for the establishment, exercise or protection of any right.
Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Personal data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance, membership in associations, foundations or trade unions, data concerning health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data. Special categories of personal data may be processed in accordance with the rules of the Law, and only in cases stipulated by law, provided that sufficient administrative and technical security measures are taken.
It is prohibited to process special categories of personal data. However, such processing is permitted under the following conditions under Article 6 of the Law:
Data subject has given his/her explicit consent,
It is explicitly provided by laws,
It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person who is unable to explain his/her consent due to physical disability or whose consent is not deemed legally valid,
It relates to personal data that have been made public by the data subject, and processing is in consistent with data subject’s intention to make such data public,
It is necessary for the establishment, exercise or protection of any right,
It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health-care services by persons subject to legal obligation of confidentiality or by competent public institutions and organizations,
It is necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
It relates to the current or former members and affiliates of foundations, associations, and other non-profit organizations established for political, philosophical, religious, or trade union purposes, or to individuals who are in regular contact with these organizations, provided that such processing complies with the applicable legislation governing these organizations and their objectives, is limited to the organizations’ fields of activity, and does not involve disclosure of data to third parties.
Purposes of Processing Your Personal Data
Your personal data are collected by Sanus for the purpose of providing services to you, through automatic or non-automatic means via registration, through channels such as e-mail, relevant websites and mobile applications, and through the accounts to which you have granted access, in electronic environments, as well as through the call center channel or physically via mail/cargo, based on the following legal grounds set forth in Article 5 of the Law.
Personal data will be processed for the following purposes
Carrying out and managing the company’s purchasing, procurement, operating, finance, accounting, information technology (IT), advisory, planning, sales, and marketing activities;
Defining the terms of commercial relationships, conducting negotiation processes, preparing contracts, and performing related communication activities;
Executing, monitoring, auditing, and controlling business processes;
Receiving, evaluating, and forwarding quotation requests to the relevant parties;
Managing commercial relationships with suppliers and business partners, including order, logistics, and delivery processes, providing after-sales support services, forwarding requests and complaints to the relevant parties, and conducting supplier/business partner satisfaction and service quality assessments;
Ensuring that necessary operational activities are carried out by the relevant business units during the use of products and services obtained from us;
Managing communication, logistics, and occupational health and safety processes;
Fulfilling obligations arising from supplier and business partner agreements and managing processes aimed at improving such relationships;
Establishing, interpreting, and evidencing contractual relationships between the parties, including the use of records such as commitments and declarations;
Managing financial operations, including accounting, payment, collection, refund processes, and the tracking of requests and complaints, as well as invoicing processes;
Fulfilling obligations arising from applicable legislation, responding to requests from public institutions and organizations, and providing required information;
Preventing and managing legal disputes and exercising Sanus's rights of defense where necessary;
Monitoring, managing, and completing activities related to legal affairs, finance, accounting, marketing, corporate communications, and logistics.
Personal Data Being Processed
In this context, your personal data shared with us is processed based on the following legal grounds:
| Personal Data | Purpose of Process |
|---|---|
| Identity Information(Trade name, trade registry number, tax office, tax identification number, employee first name, last name, title, and other information) | Article 5 – 2 (a): It is expressly provided by the laws.Article 5 – 2 (c): Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.Article 5 – 2 (ç): It is necessary for compliance with a legal obligation to which the data controller is subject.Article 5 – 2 (e): Data processing is necessary for the establishment, exercise or protection of any right. |
| Contact Information(All types of contact information, including workplace addresses, telephone numbers (mobile and work), fax number, email addresses, and registered electronic mail (KEP) addresses.) | Article 5 – 2 (a): It is expressly provided by the laws.Article 5 – 2 (c): Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.Article 5 – 2 (ç): It is necessary for compliance with a legal obligation to which the data controller is subject.Article 5 – 2 (e): Data processing is necessary for the establishment, exercise or protection of any right. |
| Financial Information(Bank account details, IBAN number, credit and debit card information, payment and invoicing details, debt and receivable information, and other information related to financial transactions.) | Article 5 – 2 (a): It is expressly provided by the laws.Article 5 – 2 (c): Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.Article 5 – 2 (ç): It is necessary for compliance with a legal obligation to which the data controller is subject.Article 5 – 2 (e): Data processing is necessary for the establishment, exercise or protection of any right. |
When you use the website of Sanus, the following data is processed for the purposes of ensuring technical, administrative, legal, and commercial security, as well as providing services: user identification information (username and password), IP address information, system access logs, user activity records (records related to actions such as password creation and password reset), website login and logout information, and device identifiers (device ID) and token information of the device used for access.
Such personal data are processed on the following legal bases: (i) processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract; and/or (ii) data processing is necessary for the establishment, exercise or protection of any right and/or (iii) processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Transfer of Personal Data to Third Parties and/or Abroad
Your personal data may be transferred to third parties and/or abroad in accordance with the conditions specified in Articles 8 and 9 of the Law for the purposes stated above, based on your explicit consent where required.
Accordingly, your personal data may be transferred to third parties and/or abroad for the purposes stated above under the following circumstances:
It is expressly provided for by the laws.
It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to physical disability or whose consent is not deemed legally valid.
Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
It is necessary for compliance with a legal obligation to which the data controller is subject.
Personal data have been made public by the data subject himself/herself.
Data processing is necessary for the establishment, exercise or protection of any right.
Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Personal data may be transferred abroad if one of the conditions specified in Articles 5 and 6 of the Law is met and there is an adequacy decision regarding the country, sectors within the country, or international organizations to which the transfer will be made. Transfers are conducted in compliance with the principles of the Law.
Your personal data may be transferred, in line with the purposes stated above and within the framework of the conditions set forth in Articles 8 and 9 of the Law, based on your explicit consent, to (i) domestic and foreign third parties from whom Sanus receives services for storage, archiving, and hosting systems for the purpose of carrying out its information security processes; (ii) domestic and foreign vendors, our consultants, trainers, employees, business partners, suppliers, collaborating employees, and dealers; (iii) authorized public institutions and organizations, where required by applicable legislation; (iv) hosting service providers whose servers are located domestically and/or abroad; and (v) domestic and foreign third parties from whom we receive support for operational activities.
Data Subject Rights under the Law (Article 11)
Pursuant to Article 11 of the Law, data subjects have the right to:
to learn whether his/her personal data are processed or not,
to demand for information as to if his/her personal data have been processed,
to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
to know the third parties to whom his personal data are transferred in the country or abroad,
to request the rectification of the incomplete or inaccurate data, if any,
to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,
to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
to claim compensation for the damage arising from the unlawful processing of his/her personal data.
You have the right to claim compensation for damages if you suffer harm due to the unlawful processing of your personal data. However, according to Article 28, paragraph 1 of the Law, the rights listed above cannot be asserted in the following cases:
personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security are to be complied with.
personal data are processed for official statistics and provided that they are being anonymized for purposes such as research, planning and statistics.
personal data are processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or the process doesn’t constitute a crime.
personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security.
personal data are processed by judicial authorities or execution authorities regarding investigation, prosecution, judicial or execution proceedings.
Retention, Deletion, Destruction, and Anonymization of Personal Data
Your personal data are stored for the periods stipulated in the relevant legislation.
In cases where no retention period is stipulated in the law regarding the retention of personal data, it is processed at data controller’s discretion and in accordance with commercial practices for as long as necessary. Upon expiration of this period, personal data are deleted, destroyed, or anonymized.
Personal data whose processing purpose has ended, or which you have requested to be deleted or anonymized, may be retained for purposes such as serving as evidence in potential disputes, asserting a right, or establishing a defense, provided that the retention periods stipulated in the law have also expired.
Even if processed in accordance with the provisions of the legislation, if the reasons requiring its processing cease to exist, personal data will be deleted, destroyed, or anonymized upon Sanus’s decision or your request.
You may submit your requests using one of the application methods listed on the Data Subject Application Form page.
Requests will be concluded as soon as possible and/or within 30 (thirty) days. However, if fulfilling your request incurs additional costs, a fee may be charged in accordance with the tariff determined by the Personal Data Protection Board.
Sanus reserves the right to update this Privacy Notice unilaterally if required by law.
Want to exercise your rights?
You can submit your requests under data protection law via the Data Subject Application Form.
