Personal Data Protection And Processing Policy
|Processing of Personal Data||Any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.|
|Personal Data Owner/Relevant Person||Real person whose data is processed.|
|Personal Data||Any information relating to an identified or identifiable natural person.|
|Special Qualified Personal Data||The data related to race, ethnic origin, political thought, philosophical belief, religion, communion or other believes, appearance, association, foundation or union membership, health, sexual life, conviction or security measures and the biometric and genetic data.|
|Data Operator||The person who determines the purposes and means of processing personal data and manages the place (data recording system) where the data is kept systematically.|
|Deletion||The deletion is the procedure of making the personal data inaccessible and unreusable for the relevant users.|
|Destruction||The destruction is the procedure of making the personal data inaccessible, unrecoverable and unreusable by any person.|
|Anonymization||The anonymization is to make the personal data not to be able to be correlated with a real person whose identity is definite or determinable by any means even by matching with other data. With this method, it is necessary to render personal data unrelated to an identified or identifiable real person, even by using techniques suitable for the recording medium and the relevant field of activity, such as having personal data returned by the recipient or recipient groups and matching the data with other data.|
|Data Processor||The real or legal entity who processes personal data on behalf of the data controller upon its authorization.|
The purpose of this regulation is to protect our customers, prospective employees, employees, people with whom we have a business relationship, our visitors and all other personal data within the scope of the Personal Data Protection Law No.6698.
This Policy sets forth the principles to be adopted by our Company regarding the processing, protection, deletion, destruction and anonymization of personal data and to be taken into account at the point of application.
The aim of this Policy is to inform our target audience, whose personal data is processed, about the personal data processing activities carried out by our Company in accordance with the law and the processes adopted for the protection of personal data, and to determine the policy of protection and processing of personal data.
This Policy is related to all personal data of natural persons processed by our Company.
ENFORCEMENT OF THE POLICY
This policy, which was issued and entered into force by us, is published on the website of our Company and made available to personal data owners in this way.
1-PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH RELEVANT LEGISLATION
Our company, in accordance with Article 4 of the KVKK, regarding the processing of personal data;
1.1-Performing Personal Data Processing Activities in Compliance with Law and Good Faith Rules
In our company, the processing of personal data is carried out in accordance with legal regulations and rules of good faith. In this context, our Company processes only the necessary personal data at a level that is in accordance with the data processing purposes.
1.2-Ensuring that Personal Data is Accurate and Up-To-Date
Our company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests, and takes necessary measures in this direction.r
1.3-Processing with Certain, Clear and Legitimate Purposes
The purpose for which personal data will be processed by our company is revealed before the personal data processing activity begins.
1.4-Being Connected, Limited, and Proportional to the Purpose of Processing
Our company processes personal data in the context of the requirements of the activities it carries out, as required by the work and within the scope and in accordance with the relevant legal regulations, and the processing of unrelated or unnecessary personal data is avoided.
1.5-Retention As Long As Stipulated in the Applicable Legislation or Required for the Purpose of Processing
Our company retains personal data only for the periods stipulated in the relevant legislation or for the purpose for which it is processed. In this context, if a period is specified for the retention of personal data in the relevant legislation, this period shall be followed. If a period of time is not specified, personal data is stored for the period required for the purpose for which it is processed. In the case of the expiration of the period or in the case that the reasons requiring the processing of the personal data disappear, the personal data is deleted, destroyed or made anonymous by our Company. Personal data is not retained by our Company for any possible future-use. Detailed information on this issue is given in Chapter 7 of this policy.
2- PROCESSING OF PERSONAL DATA
Our company processes personal data only in cases stipulated by law or with the explicit consent of the person.
Personal data may be processed in the presence of one of the conditions listed below;
2.1-Explicit Consent of the Personal Data Owner
One of the processing requirements of the personal data is the explicit consent of the data owner. The explicit consent of the personal data owner should be clarified with respect to a specific subject, based on notification and with free will.
2.2-Expressly Stipulated in the Laws
The personal data of the personal data owner can be processed in compliance with the law if expressly stipulated in the laws.
2.3- Inability to obtain the Explicit Consent of the Relevant Person due to Physical Impossibility
The personal data of the personal data owner can be processed if the processing of the personal data is compulsory for protecting the life or physical body integrity of the person who cannot disclose his consent due to the physical impossibility or whose consent is not accepted as valid and applicable or any other person.
2.4- Direct Relation with the Establishment or Performance of the Contract
It is possible to process the personal data if the processing of the personal data of the parties to the contract is necessary, provided that it is directly related to the establishment or performance of a contract.
2.5- Fulfillment of Legal Liability
The personal data of the data owner can be processed if the processing is compulsory for the fulfillment of its legal obligations by our Company as the data controller.
2.6- Personal Data Owner Anonymizing His/Her Personal Data
If the personal data of the data owner is made public by him/her, it can be processed, provided that it is limited to the purpose.
2.7- Compulsory Data Processing for the Establishment or Protection of any right
If the data processing is compulsory for the establishment, use or protection of any right, the personal data of the data owner can be processed.
2.8- Compulsory Data Processing for the Legitimate Interest of our Data Controller
If the data processing is compulsory for the legitimate interests of our Company, provided that it will not cause damage to the fundamental rights and freedoms of the personal data owner, the personal data of the data owner can be processed.
3- ENLIGHTENMENT AND INFORMING OF THE PERSONAL DATA OWNER
Our company informs about the purposes for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the rights of the personal data owner for legal reasons. (See Clarification Text)
4- PROCESSING OF PERSONAL DATA OF SPECIAL QUALITY
In the processing of the personal data designated as “special quality” by the KVKK, our Company acts in compliance with the regulations stipulated in the KVKK.
These data are the ones related to race, ethnic origin, political thought, philosophical belief, religion, communion or other believes, appearance, association, foundation or union membership, health, sexual life, conviction or security measures and the biometric and genetic data.
Personal data of special quality is processed by our company in the following situations by taking the necessary precautions:
If the personal data owner has explicit consent, or
If the personal data owner does not have an explicit consent, it can be processed in the cases stipulated by the laws.
Data on health and sexual life is processed only with the explicit consent of the data owner.
PERSONAL DATA PROCESSED BY OUR COMPANY, PROCESSING PURPOSES AND RETENTION PERIOD
1. 1- The personal data processed by our company are stated below. However, which data will be processed for each personal data owner may vary depending on various factors such as the type and nature of the relationship between the personal data owner and our Company and the communication channels used.
|Identity Details||These are data containing information about the identity of the person; Documents such as name, surname, identity number, nationality information, mother's name-father's name, place of birth, date of birth, gender such as driver's license, identity card, and information such as tax number, SSI number, signature information, vehicle plate etc.|
|Contact Details||Information such as phone number, address, e-mail address, etc.|
|Family Members and Affinity Details||Information about family members (eg spouse, children), relatives and other persons who may be contacted in case of emergency notified to our Company by the personal data owner within the framework of operations carried out by the departments of our company|
|Security Details||Personal data regarding the records and documents taken at the entrance to the company headquarters, branches, sales offices and all kinds of facilities and during the stay in these locations; camera recordings, recordings taken at the security point, etc.|
|Customer Transaction and Financial Details||Personal data related to all kinds of financial information, documents and records created according to the business relationship established by our company with the personal data owner, and data such as bank account number, IBAN number, credit card information, income information|
|Marketing activities||Data pertaining to the technical analysis reports of the produced goods prepared specially for our company’s customers|
|Visual/Audio Information||Photography, video recordings.|
|Occupational Information||Educational status and certificate information of our company's employees and people with whom we do business|
|Personnel Data||All kinds of personal data processed to obtain information that will constitute a basis for the personal rights of real persons who are in a business relationship with our company.|
|Transaction Security||Data such as access records of data stored in computer environment, log records, user name and IP address kept regarding the security of our company's business and transactions.|
|Special Qualified Personal Data||Data specified in Article 6 of the Law on KVK (e.g. health data including blood type, religion and criminal record)|
|Other Information||Data such as reference information received during the job application processes in order to carry out the human resources policies of our company, military service information and logistics activities, job follow-up and vehicle license plate information for keeping entry-exit records.|
2. GROUPS OF PEOPLE SUBJECT TO DATA PROCESSED BY OUR COMPANY
These are our company's customers, visitors, prospective employee, employees, company shareholders, employees of the companies we have a business relationship with, and the employees of the institutions we cooperate with.
3. PURPOSES FOR THE PROCESSING OF THE PERSONAL DATA
- Our company processes the personal data specified in section III 1 of this policy for the following reasons:
- Fulfilling the legal obligations of our company,
- Following-up of finance and accounting affairs,
- Carrying out goods sales and purchases,
- Carrying out the communication activities
- Carrying out the logistics activities
- Carrying out the auditing/ethical activities
- Carrying out Wage Policy
- Carrying out Occupational Health / Safety Activities
- Conducting activities for customer satisfaction
- Following corrective actions for quality and R&D studies Creating visitor records,
- Providing the security of the physical spaces
- Informing Authorized Persons, Institutions and Organizations
- Carrying out the management activities
- Fulfilling the Obligations Arising From Employment Contract And Legislation For Employees
- Planning human resources processes
- Carrying out job application processes
- Carrying out the Fringe Benefits and Benefits Processes for Employees
- Carrying out the access authorizations
- Carrying out Transaction security, Information Security
- Processes, Internal Audit Activities,
Carrying out risk management processes
- Fulfilling the legal obligations of our company,
- It is necessary to process personal data of the parties based on the business relationship established
- Stipulated in the laws and
- For legal reasons such as the protection of the legitimate interests of our Company, provided that the fundamental rights and freedoms of the relevant person are not damaged.
4. RETENTION PERIODS OF THE PERSONAL DATA
Our Company retains the personal data only for the period specified in the relevant legislation or necessary for the purpose of processing.
If a period of time is not regulated in the legislation regarding how long personal data should be retained, Personal Data is processed for a period that requires processing in accordance with the practices of our Company and the practices of our business life, depending on the activity carried out while processing that data.
If the purpose of processing personal data is no more applicable, and if the retention periods determined by the relevant legislation or our Company have come to an end, personal data can only be stored for the purpose of providing evidence in possible legal disputes or for the purpose of asserting the relevant right related to personal data or making defense. In the establishment of the periods here, the retention periods are determined based on the examples in the requests made to our Company on the same issues before, although the periods of limitation and the periods of limitation for the claiming of the mentioned right have passed. In this case, the personal data retained cannot be accessed for any other purpose, and the relevant personal data can only be accessed when it is required to be used in the relevant legal dispute. In such case as well, personal data is deleted, destroyed or anonymized after the aforementioned period expires.
1. CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT AT THE ENTRANCES OF THE BUILDINGS AND FACILITIES OF OUR COMPANY
Within the scope of security camera surveillance activities, certain areas are subject to camera surveillance in order to ensure the interests of the Company and other persons in ensuring their security, and limited to this policy, in a way that does not interfere with the privacy of the person beyond the security objectives. Our company acts in accordance with the KVKK in the camera surveillance activities that are carried out for security purposes. The information regarding the camera surveillance activities is made by publishing this policy on the website, by hanging clarification text, signs and plates stating will the areas will be monitored.
The monitoring areas of security cameras, their number and the monitoring times are implemented in a sufficient way to achieve the security purposes as limited to such purposes. Necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera surveillance. Detailed information regarding the retention period of personal data obtained by our company's camera surveillance activity is included in Article 3.4 of this Policy titled Personal Data Retention Times.
Only a limited number of Company employees have access to live camera images and digitally recorded and retained records. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality commitment.
2. FOLLOW-UP OF THE VISITOR ENTRANCES AND EXITS CARRIED OUT AT THE ENTRANCES AND INSIDE OF THE BUILDINGS AND FACILITIES OF OUR COMPANY
Personal data processing activities are carried out by our company for the purposes of ensuring security and for the purposes specified in this Policy, in order to monitor visitors’ entry and exit in our Company's buildings and facilities.
While the names and surnames of the persons who come to our Company's buildings as guests, the name of the institution and organization they are affiliated with and the vehicle plate information are obtained, personal data owners are enlightened within this scope. The data obtained for the purpose of tracking visitor entry and exit are processed for this purpose only and the relevant personal data are recorded in the data recording system in a physical environment.
TRANSFER OF PERSONAL DATA
Although third parties to whom personal data can be transferred may vary depending on various factors such as the type and nature of the relationship between the data owner and our Company and the markets where the transaction is made, the third parties to whom the data can be transferred are generally as follows:
Authorized public institutions and persons or organizations permitted by the provisions of the Turkish Commercial Code and other relevant legislation,
Private law legal entities limited to the purpose they claim within their legal authority,
Our company's domestic and/or foreign business partners,
Auditors and/or service providers
ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
Our company takes the necessary technical and administrative measures to prevent the unlawful processing of the personal data it processes, prevent unlawful access to the data, and ensure the appropriate security level, and performs the necessary inspections within this scope.
The actions and measures taken by our company to ensure "data security" in accordance with Article 12 of the KVKK are listed below.
Our Company takes technical and administrative measures in order to ensure the processing of the personal data in compliance with the law according to technological possibilities and application cost. The employees are informed about that they may not disclose the personal data that they learned to others in contrary to the provisions of the KVKK, they may not use the personal data for any purpose other than their intended use and this obligation will continue also after their discharge and accordingly, the necessary commitments are obtained from them.
Our Company provides necessary trainings for the increase of the awareness for preventing the processing of the personal data in contrary to the law, preventing the data is accessed in contrary to the law and ensuring the maintenance of the data.
Our Company takes the necessary technical and administrative measures according to the technological opportunities and the application cost in order to ensure that the personal data is retained in secure environments and to prevent the personal data from being destroyed, lost or modified for the purposes in contrary to the law.
CONDITIONS ON DELETION, DESTRUCTION AND ANONYMIZATION OF THE PERSONAL DATA
Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 7 of the KVKK, if the reasons requiring processing are no more, personal data will be deleted, destroyed or anonymized within 3 months pursuant to the decision of our Company. In the event that the personal data processing conditions are no more at all, our company deletes, destroys or anonymizes the requested personal data upon the request of the relevant person. Our company finalizes the request of the relevant person within thirty days at the latest and informs the relevant person.
The personal data which is anonymized may be processed for the purposes such as research, planning and statistics in compliance with the article 28 of the KVKK. Since such transactions are outside the scope of KVKK, explicit consent of the personal data owner is not sought.
RIGHTS OF PERSONAL DATA OWNERS; METHOD FOR EXERCISING AND EVALUATING THESE RIGHTS
Our company carries out the necessary channels, internal operation, administrative and technical regulations in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
Personal data owners have the following rights:
Learning whether the personal data has been processed or not,
Requesting the relevant information if the personal data has been processed,
Learning for what purposes personal data relating to them are processed and whether these data are used in line with these purposes,
Having information of the third persons to whom personal data relating to them are transferred in the country and overseas,
Requesting rectification of personal data relating to them in cases where they are processed incompletely or inaccurately, and to request informing third parties to whom your personal data were transferred about this rectification within this scope,
Requesting deletion or destruction of personal data in case the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the KVKK and the provisions of other relevant law, and requesting the notification of this transaction to third parties to whom your personal data were transferred,
PERSONAL DATA PROTECTION AND PROCESSING POLICY MANAGEMENT STRUCTURE
Our company establishes the necessary management structure in order to fulfill the obligations in the KVK Law and to fulfill the following functions for the implementation of this Policy.
- To prepare the basic policies and changes related to the Protection and Processing of Personal Data and to submit them for the approval of the senior management to put them into effect
- To decide on the implementation and supervision of the policies regarding the Protection and Processing of Personal Data, and to make in-company assignments and coordination within this framework, to submit these issues to the approval of the senior management,
- To determine the issues to be done in order to comply with the Personal Data Protection Law and the relevant legislation, and to submit what needs to be done to the approval of the senior management, to monitor its implementation and to ensure its coordination,
- To raise awareness within the Company and among the Company's business partners regarding the Protection and Processing of Personal Data,
- To identify the risks that may occur in the personal data processing activities of the company, to ensure that the necessary measures are taken, to submit improvement suggestions to the approval of the senior management
- To design trainings on the protection of personal data and implementation of policies, and to ensure implementation thereof,
- To respond to the applications of personal data owners within due time,
- To manage the relations with the Personal Data Protection Board and Institution.
While establishing the management structure, a committee is established and the members of this committee and the distribution of tasks are determined by the senior management of our company. In addition to the above-mentioned duties, the Committee and the responsible person(s) to be appointed in this regard may be assigned other duties and responsibilities according to the needs of our Company and the nature of the activities carried out.
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURITY OF PERSONAL DATA
Our company takes the necessary administrative and technical measures to retain personal data legally and securely. For this purpose;
- Trainings and awareness activities on data security are carried out periodically for employees.
- Personal data security policies and procedures have been determined.
- Personal data security problems are reported quickly.
- Personal data is reduced as much as possible.
- User account management and authorization control system is implemented and their follow-up is also performed.
- Periodic and/or random in-house audits are carried out and had carried out.
- Network security and application security are provided.
- Closed system network is used for personal data transfers through network.
- Key management is implemented.
- Security measures within the scope of procurement, development and maintenance of information technology systems are taken.
- The security of personal data stored in the cloud is ensured.
- An authority matrix has been created for the employees.
- Access logs are kept regularly.
- Institutional policies on access, information security, use, storage and disposal issues have been prepared and started being implemented.
- When necessary, data masking measures are applied.
- The authorities, in this field, of the employees whose job is changed or who left the job are removed.
- Up-to-date antivirus systems are used.
- Firewalls are used. The signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred by paper, and the relevant documents are sent in a confidential document format.
- Personal data in electronic environment is backed up and the security of backed up personal data is also ensured.
- Log records are kept in a way that user intervention is not possible.
- Current risks and threats have been identified.
- Protocols and procedures for security of personal data of special quality have been determined and being implemented.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is used.
- Periodical auditing and awareness-raising of data processing service providers on data security is provided.
- In the event that it is determined that the personal data processed or transferred by our company are illegally acquired by unauthorized persons, this situation will be reported to the KVK Board within 72 hours and to the relevant data owner as soon as possible.