Effective Date: 2018-01-01 Last Updated: 2025-06-17
1. Introduction
UOSSM International (“the Organization”, “we”, “us”, or “our”) is committed to safeguarding the personal data of all individuals we engage with, including beneficiaries, donors, employees, volunteers, partners, and contractors.
This Data Protection Policy outlines our principles, responsibilities, and procedures for ensuring the protection and lawful processing of personal data in accordance with:
Law No. 6698 on the Protection of Personal Data (KVKK) of Türkiye
Applicable humanitarian standards (e.g., ICRC Data Protection Standards, Sphere Standards)
International best practices on data protection
This Policy complements our Privacy Policy and forms part of our internal compliance and accountability framework.
2. Purpose of the Policy
The purpose of this Policy is to:
Protect the fundamental rights and freedoms of individuals whose data we process.
Ensure that personal data is processed lawfully, fairly, and transparently.
Prevent unauthorized or unlawful processing, loss, destruction, or damage to personal data.
Build trust with beneficiaries, employees, partners, and donors by ensuring responsible data management.
3. Scope
This Policy applies to:
All UOSSM International staff, whether permanent, temporary, or volunteer.
All data processing activities related to ERP systems, field projects, donations, HR, and administration.
All personal data processed within Türkiye or transferred internationally, where applicable.
4. Key Definitions
Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, ID number, health status, location data).
Data Processing: Any operation performed on personal data (collection, recording, storage, alteration, retrieval, transmission, deletion, etc.).
Data Subject: The individual to whom the personal data relates.
Data Controller: UOSSM International, as the entity responsible for determining the purpose and means of processing.
Data Processor: Any third party processing data on behalf of the Organization.
5. Data Protection Principles
We adhere to the following data protection principles:
Principle
Explanation
Lawfulness, Fairness, Transparency
Data must be processed fairly and transparently, with a lawful basis (as per KVKK Art. 5, 6).
Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes only.
Data Minimization
Only the minimum necessary personal data shall be collected and processed.
Accuracy
Data must be accurate and, where necessary, kept up to date.
Storage Limitation
Data shall not be kept longer than necessary for the purposes for which it is processed.
Integrity and Confidentiality
Data must be processed securely to prevent unauthorized access or damage.
Accountability
The Organization is responsible for demonstrating compliance with these principles.
6. Lawful Basis for Processing
Data is processed lawfully when at least one of the following applies (as defined by KVKK Article 5 and 6):
The data subject has given explicit consent,
Processing is necessary for the performance of a contract,
Processing is necessary for compliance with legal obligations,
Processing is necessary for the public interest or official authority,
Processing is necessary for the legitimate interests of the Organization, provided it does not override individual rights and freedoms,
The data has been publicly disclosed by the data subject,
Processing is required for the establishment, exercise, or defense of legal claims.
7. Special Categories of Personal Data
Where we process sensitive personal data (e.g., health data, biometric data, religious beliefs), we implement enhanced security measures and rely on explicit consent or another lawful basis under KVKK Article 6.
Sensitive data is only collected where strictly necessary for humanitarian or legal purposes.
8. Data Subject Rights
We fully respect the rights of data subjects under KVKK Article 11, including:
Right to access their data
Right to request correction or deletion
Right to object to certain types of processing
Right to compensation in case of unlawful processing
Right to withdraw consent (where applicable)
Requests to exercise these rights can be submitted to: hr@uossm.org with the subject KVKK Data Protection Request.
9. Data Security Measures
We adopt a risk-based approach to protecting personal data, including:
Written data processing agreements with third parties
Incident response plans for potential data breaches
10. Data Sharing and Transfers
Personal data is shared only when necessary and:
With partners or donors for the implementation of programs or reporting purposes, subject to confidentiality agreements
With service providers (e.g., cloud providers, IT support), with written data processing agreements in place
With competent legal authorities in compliance with Turkish law
International Transfers: If personal data is transferred outside Türkiye, we will ensure appropriate safeguards are in place as required by KVKK Article 9, including obtaining explicit consent where necessary.
11. Data Retention
Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Data no longer needed is securely deleted or anonymized.
12. Breach Notification
If a data breach occurs that may pose risks to data subjects, we will:
Notify the Turkish Data Protection Authority (KVKK Kurumu) as required by law.
Notify affected individuals where there is a high risk to their rights and freedoms.
Take immediate remedial action to contain and resolve the incident.
13. Responsibilities
Role
Responsibility
Data Controller
UOSSM International Board & Senior Management
Data Protection Lead (DPL)
Oversees compliance with this Policy and relevant legal obligations
Staff & Volunteers
Must comply with this Policy, attend relevant trainings, and report any incidents
14. Policy Review
This Policy shall be reviewed annually or whenever significant changes occur in operations or applicable data protection laws.
15. Contact Information
For questions or to exercise your rights, please contact: