Privacy Notice
Happy Place to Work processes personal data in compliance with KVKK and GDPR, ensuring lawful, transparent, and secure handling. Data is collected for contractual, research, and service purposes, shared only when necessary, and retained for legal periods. Individuals may request access, correction, or deletion of their data anytime under applicable regulations.
Privacy Notice
Identity of the Data Controller
The data controller responsible for determining the purposes and means of processing personal data related to all data processing activities, establishing and managing the data recording system, is Happy Place to Work Research Training Consultancy Limited Company, with the address and contact details provided below (referred to as the "Data Controller" or the "Company"):
Company Address: Yıldız Posta Cad. Akın Sitesi No 8/13 Gayrettepe Beşiktaş/İstanbul
MERSIS Number: 0948044045800017
Trade Registry Number: 814861
Corporate Phone Number: (0212) 318 01 42
Email Address: info@happyplacetowork.com.tr
Registered Email Address (KEP): happyplace@hs01.kep.tr
Purpose and General Provisions of the Information Notice
The purpose of this Information Notice on the Protection and Processing of Personal Data (the "Information Notice") is to transparently inform you, as the data subject, about the collection methods, purposes of processing, legal grounds, data sharing practices, and your rights regarding the personal data obtained from individuals (referred to as "Customers") who have contractual service agreements with the Company. It also applies to data collected from individuals and entities (referred to as "Suppliers") supporting the Company's services, as well as employees of Customers ("Employees") who are involved in research activities.
The Information Notice has been prepared in accordance with Article 10 of the Turkish Law No. 6698 on the Protection of Personal Data (the "KVKK"), which sets out the data controller's obligation to inform data subjects.
The Company reserves the right to update or amend this Information Notice at its sole discretion and without prior notice. Updates will be published on the Company’s website and will take effect on the date of publication. Any updates will not retroactively apply to personal data processed before the date of the change.
By visiting the website or accessing the Company's services, all Customers and data subjects are deemed to have read and been informed of this Information Notice.
The Company explicitly declares that it does not process special categories of personal data.
Principles of Processing Personal Data
Personal data is processed in accordance with the principles outlined in Article 4 of the KVKK:
In compliance with the law and good faith.
Ensuring data is accurate and up-to-date.
For specific, legitimate, and explicit purposes.
Limited and relevant to the purposes of processing.
Retained for the duration specified by applicable legislation or as required by the purpose of processing.
These principles constitute the foundation of our approach to ensuring the security and confidentiality of personal data.
Categories and Processing of Personal Data
Below is a summary of the personal data processed by the Company:
Data Category | Data Subject Group | Processed Data | Purpose of Processing | Legal Basis |
Identity Data | Customer Representative | Name, Surname, and information from Signature Circulars | Execution of contractual processes and communication | KVKK Art. 5/2-c; GDPR Art. 6/1-b |
Communication Data | Customer Representative, Supplier Representative | Phone, Email, Address | Communication and management of contract processes | KVKK Art. 5/2-c; GDPR Art. 6/1-b |
Employee Data | Customer Employees | Seniority, Professional Experience, Company | Execution of survey studies and reporting processes | KVKK Art. 5/2-c; GDPR Art. 6/1-b |
Survey Responses | Customer Employees | Survey Answers | Execution of survey studies and reporting processes | KVKK Art. 5/2-c; GDPR Art. 6/1-f |
Visual and Audio Data | Customer Employees, Representatives | Photos and video recordings from events and physical premises | Security measures, promotional activities | KVKK Art. 5/1 (explicit consent); GDPR Art. 6/1-a |
Personal Data Processing Procedures
Contractual Processes and Related Transactions
The Company processes personal data under Article 5/2 (c) of the KVKK and Article 6/1 (b) of the GDPR for the establishment or execution of contracts. This includes:
Workplace culture and employee satisfaction analysis,
Certification processes,
Workshops and similar customer-focused services,
Management of supplier agreements,
Provision of offers and services,
Communication and management of processes.
Service Improvement, Request Management, and Customer Satisfaction
Personal data is processed in accordance with Article 5/2 (c) of the KVKK and Article 6/1 (b) of the GDPR for the fulfillment of contracts, and under Article 5/2 (f) of the KVKK and Article 6/1 (f) of the GDPR based on legitimate interests. This includes:
Evaluating customer complaints and suggestions,
Improving service quality,
Managing requests under applicable regulations.
Additionally, data is processed under Article 5/2 (ç) of the KVKK and Article 6/1 (c) of the GDPR to fulfill legal obligations related to data protection requests.
Processing Visual and Audio Recordings
The Company processes visual and audio recordings of individuals participating in events or activities based on explicit consent under Article 5/1 of the KVKK and Article 6/1 (a) of the GDPR. These recordings may be shared on social media accounts or the Company's website for promotional purposes.
Marketing and Commercial Communication Activities
Personal data may be processed with explicit consent under Article 5/1 of the KVKK and Article 6/1 (a) of the GDPR for:
Advertising and promotional activities,
Campaigns,
Sending commercial electronic communications for events or special occasions.
Data Processing for Security Purposes
To prevent unauthorized access, cyberattacks, and other malicious activities, the Company processes traffic data and cookies to monitor and secure online platforms. Physical security measures, such as security cameras and visitor logs, are also employed to ensure safety at events and physical locations.
Data Transfer and Retention
Sharing Personal Data
Personal data is shared with third parties only when necessary and within the scope of legal obligations or the explicit consent of the data subject. Data processors acting on behalf of the Company are contractually bound to maintain the confidentiality and security of the data.
International Data Transfers and Safeguards
The Company transfers personal data to Happy Workplaces LLC ("HWP") in the United States under the Standard Contractual Clauses issued by the KVKK and GDPR for international data transfers.
Data Retention and Destruction
Personal data is retained only for the duration required to fulfill the purposes of processing or as mandated by applicable legislation. After these periods expire, data is securely deleted, destroyed, or anonymized. Specific retention and destruction processes are detailed in the HPTW Data Retention, Transfer, and Destruction Policy.
Data Sharing with Third Parties
Transferred Third Party | Purpose of Transfer | Third Party’s Jurisdiction | Legal Basis |
Happy Workplaces LLC (HWP) | Data processing, analysis, and reporting | USA | KVKK Art. 9, Regulation Art. 14 |
Arai Teknoloji Ltd. Şti. (Anketix) | Survey software provider using local servers | Turkey | KVKK Art. 5/2-c; GDPR Art. 6/1-b |
Pusula İletişim Bilişim Ltd. (UzmanPosta) | Local email distribution service provider | Turkey | KVKK Art. 5/2-c; GDPR Art. 6/1-b |
İleti Yönetim Sistemi A.Ş. (İYS) | Management and control of electronic communication permissions | Turkey | KVKK Art. 5/2 (a); Electronic Commerce Law Art. 11 |
Legal Service Provider | Protecting company interests and resolving legal disputes | Turkey | KVKK Art. 5/2-f; GDPR Art. 6/1-f |
Retention and Destruction of Personal Data
Retention Periods
Personal data is retained even if the service acquisition does not occur, for the duration necessary to comply with relevant legislation following the initial data collection. Personal data collected from Customer Employees as part of the provided services is destroyed during the next periodic destruction period after the initial data processing activity.
Conditions for Deletion, Destruction, or Anonymization of Personal Data
Personal data is deleted, destroyed, or anonymized under the following circumstances:
When the legal provisions that form the basis for processing are amended or repealed.
When the purpose of processing is no longer valid.
When processing occurs solely based on explicit consent, and the data subject withdraws their consent.
Upon the data subject’s request under Article 11 of the KVKK, if approved by the Company.
If a complaint about the Company's refusal to delete data is upheld by the Personal Data Protection Authority (DPA).
When the maximum retention period expires, and no legal reason exists for extended storage.
At the end of the legally required retention or the necessity of processing, personal data is securely deleted, destroyed, or anonymized in compliance with the relevant legislation.
Access to the Detailed Retention Policy
The detailed procedures for retaining, transferring, and destroying personal data are outlined in the HPTW Data Retention, Transfer, and Destruction Policy. You can request access to this document by contacting the Company.
Rights of the Data Subject
Under applicable regulations, data subjects have the following rights regarding their personal data:
To learn whether their personal data is processed,
To request information on the processed data,
To learn the purpose of processing and whether the data is used appropriately,
To know the domestic or international third parties to whom their data is transferred,
To request correction of incomplete or inaccurate data,
To request deletion or destruction of data when the purpose of processing no longer applies,
To request notification of corrections or deletions to third parties,
To object to adverse outcomes from exclusively automated processing,
To claim compensation for damages caused by unlawful processing,
To object to processing based on legitimate interests under GDPR Article 6 (e) or (f).
The Company will assess and address any objections unless legitimate overriding interests or legal obligations justify continued processing.
Procedures for Exercising Data Subject Rights
Data subjects can exercise their rights by contacting the Data Controller through the following methods:
Written Applications: Delivered to the Company's address at Yıldız Posta Cad. Akın Sitesi No 8/13 Gayrettepe Beşiktaş/İstanbul.
Online Forms: Completed and submitted via email or physical delivery using the Data Controller Application Form.
Secure Electronic Means: Sent via secure electronic or mobile signature to happyplace@hs01.kep.tr.
Applications must include the following details:
Full name and, if submitted in writing, a signature,
Turkish nationals must provide their national ID number; foreign nationals must include their passport number,
Residential or business address for notifications,
Contact details such as phone, email, or fax,
The subject of the request and supporting documents, if applicable.
The Company will respond within 30 days. Requests may be accepted, partially accepted, or rejected with justification.
If the request is denied or the response is unsatisfactory, data subjects may file a complaint with the Personal Data Protection Authority (DPA) within 30 days of receiving the response or the expiration of the response period.
Updates to the Information Notice
This Information Notice is current as of the last update date indicated. It will be presented to Customer Employees before any survey studies. Other stakeholders can access the most recent version via the Company’s website. Significant changes will be communicated to the affected data subjects.