Policy on the Protection and Processing of Personal Data

PART 1. INTRODUCTION

I. IMPORTANCE OF PROTECTION OF PERSONAL DATA

The protection of personal data is a constitutional right and is among our Company's priorities. Having adopted this objective, our Company has aimed to establish a continuously updated system, and this policy has been issued accordingly. TAM PLASTİK VE KALIP SAN. TİC. LTD. ŞTİ. (Central Registration System No: 0817000642600015) (the Company), in its capacity as the Data Officer within the scope of the Law on the Protection of Personal Data no. 6698, has issued this policy in order to fulfill the general disclosure and informational obligation, to determine the basic principles of our Company's personal data processing rules, and to regulate the principles on the protection of the personal data of our customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, the employees, shareholders and officials of the companies we cooperate with, and third parties.

For the implementation of the issues stated in this Policy, necessary procedures are organized within the Company, disclosure texts are formed and complied with the personal data processing inventory specific to the categories of persons, confidentiality agreements and third party agreements are executed, job descriptions are revised and necessary administrative and technical measures are taken as well as necessary controls are made or caused to be made in this context by TAM PLASTİK VE KALIP SAN VE TİC LTD ŞTİ. for the protection of personal data. The protection of personal data is an issue also adopted by and under the responsibility of the top management and the process of protecting personal data is managed through the formation of a special Committee regarding this matter (Company PPD Committee).

II. PURPOSE OF THE POLICY

The main objective of this Policy is to set forth the principles for the processing and protection of personal data activities carried out by TAM PLASTİK VE KALIP SAN. TİC. LTD. ŞTİ. in accordance with the law by our Company and the systems adopted for the protection of personal data and in this context to ensure transparency by means of disclosing to and informing the persons whose personal data is processed by our Company mainly our customers, our potential customers, our employee candidates, employees, company shareholders, company officials, employees, our visitors, employees, shareholders and officials of the companies we cooperate with, shareholders and third parties.

III. SCOPE

This policy relates to all personal data of our customers, potential customers, candidate employees, Company shareholders, Company officials, visitors, as well as employees, shareholders and authorities of the institutions we cooperate, and third parties, processed through automated means or provided that they are part of any data registry system through non-automated means.

IV. IMPLEMENTATION OF THE POLICY AND THE RELEVANT LEGISLATION

The relevant legal regulations in force for the processing and protection of personal data shall primarily apply. In case of any inconsistency between the legislation in force and this Policy, our Company acknowledges that the current legislation shall prevail.

V. ACCESS AND UPDATE

The policy shall be published on our Company's website (https://tamplastik.com), made available to the relevant persons upon request of the personal data owners, and updated when required.

PART 2: PROCESSING OF PERSONAL DATA

In accordance with Article 20 of the Constitution and Article 4 of the LPPD, our company engages in personal data processing in a limited and modular manner in accordance with the rules of law and honesty, in an accurate and updated manner if required and with specific, clear and legitimate purposes, in connection with the objective. Our Company retains personal data for as long as required by law or as required for the personal data processing purposes.

Pursuant to Article 20 of the Constitution and Article 5 of the LPPD, our company processes personal data on the basis of certain requirements under Article 5 of the LPPD regarding the processing of personal data.

As per Article 419 of the Code of Obligations and without prejudice to the LPPD numbered 6698, our Company processes the personal data of the employees and the employee candidates based on their inclination to work and the purposes of the performance of the employment contract.

In accordance with Article 20 of the Constitution and Article 10 of the LPPD, our company discloses to personal data owners and provides the necessary information if the personal data owners request information and apply for their rights arising from the law and responds to the applications within the legal period.

Our Company complies with the regulations envisaged for the processing of data of special nature, pursuant to the provisions of Article 6 of the LPPD.

Our Company complies with the rules stipulated in the Law on the transfer of personal data in accordance with Articles 8 and 9 of the LPPD and fulfills the practices by taking into consideration the decisions and the notifications issued by the PPD Board and the lists of safe countries.

I. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SET FORTH IN THE LEGISLATION
  1. Principles on the Processing of Personal Data
    1. Processing in compliance with the Rule of Law and Good Faith

      Our Company acts in accordance with the principles set out by legal regulations and general trust and good faith in the processing of personal data. In this context, our company takes into consideration the proportionality requirements in processing of personal data and does not use personal data other than for its intended purpose.

    2. Ensuring that Personal Data is Correct and Up to date when Required

      Our Company ensures that personal data processed by it is accurate and up to date, taking into account the fundamental rights of personal data owners and its own legitimate interests. In this respect, our company takes the necessary measures.

    3. Processing with Certain, Explicit and Legitimate Objectives

      Our company clearly and precisely defines the purpose of processing personal data in a legitimate and lawful manner. Our company processes personal data as much as is necessary for and related to the service offered by it. The purpose for which personal data will be processed by our Company will be set forth before starting the personal data processing activity.

    4. Personal Data is linked to, limited and measured with the purpose of being processed

      Our company processes personal data in a manner that is conducive to achieving the stated objectives and avoids the processing of personal data that is not relevant or not required to be performed.

    5. Personal data is maintained for the time stipulated in the relevant legislation or for the time required regarding the purpose for which they are being processed.

      Our Company retains personal data only for the period specified in the relevant legislation or for the purpose for which such data has been processed. In this context, our Company in the first place determines whether a period has been stipulated for the storage of personal data in the relevant legislation and if a period has been stipulated, then it acts in compliance with this period, takes into account the legal and penal prescription periods and retains personal data for the time period required for the purpose for which they were processed. In the case the period expires or the reasons for such processing are not present anymore, the personal data will be deleted, destroyed or anonymized by our Company.

  2. Rules for the Processing of Personal Data of Special Nature

    Protection of Personal Data is a constitutional right and may be restricted by law only, subject to the circumstances set forth in the relevant articles of the Constitution, without prejudice to their essence. Pursuant to the paragraph three of Article 20 of the Constitution, personal data may only be processed in the cases provided for in the law or upon the person's explicit consent. However, in the presence of one of the conditions listed below, personal data of the person concerned may be processed without such explicit consent by our Company:

    1. In the case it's clearly prescribed by the law,
    2. The existence of an obligation to protect the life or bodily integrity of the person who cannot explain his/her consent due to actual impossibility or whose consent is not deemed valid in legal terms.
    3. The necessity of processing the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract.
    4. The existence of an obligation for the data supervisor to perform its legal liability.
    5. The data has been declared and publicized by the person concerned.
    6. Data processing to be mandatory for the establishment, exercise or protection of a right,
    7. Data processing is obligatory for the legitimate interests of the data supervisor, provided that the basic rights and freedom of the person concerned are not damaged.
    8. In the absence of the above conditions, the concerned person's express consent based on information shall be sought by our Company.
  3. Rules for the Processing of Personal Data of Special Nature

    In processing personal data designated as "data of special nature" by the LPPD, our Company adheres to the regulations stipulated in the Law. The personal data of special nature listed under article 6 of the LPPD is related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress codes, association, foundation or trade union memberships, health, sexual life, criminal conviction and security measures as well as biometric and genetic data. In accordance with the LPPD, our Company processes special quality personal data in the following cases, provided that the required measures to be determined by the LPPD are taken:

    1. Personal data of special nature other than the health and sexual life of the personal data owner may be processed in the cases prescribed by the law or if the personal data owner has given explicit consent accordingly, and personal data of special nature of the data owner relating to health and sexual life may only be processed by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
    2. Regardless of the underlying reason, the general data processing principles shall always be taken into account in the processing activities and such principles are complied with (LPPD art. 4; see Part 2 above, I, 1).

  4. Disclosure and Providing Information to the Personal Data Owner

    Our Company, in accordance with Article 10 of the LPPD, discloses to the Personal Data Owners during the acquisition of personal data. In this context, our Company provides information regarding the purpose for which the personal data is to be processed, to whom and for which purpose the personal data will be transferred, the method of collecting personal data and the legal reasons and the rights of the personal data owner. "Requesting information" has also been listed among the rights of the personal data owner in article 11 of the LPPD and in this context, as per Article 20 of the Constitution and Article 11 of LPPD, our company provides necessary information if this is requested by the Personal Data Owner.

II. TRANSFER OF PERSONAL DATA

Our company may transfer personal data and personal data of special nature of the personal data owner to third parties (third party companies, group companies, third party real persons) by taking the required security measures pursuant to the personal data processing purposes in accordance with the law. In this respect, our Company acts in accordance with the regulations stipulated in Article 8 of the LPPD.

  1. Principles on the Transfer of Personal Data

    Our company may transfer personal data to third parties in line with legitimate and legal personal data processing purposes on the basis of one or more of the personal data processing conditions specified in Article 5 of the Law listed below:

    If explicit consent of the data owner is available, or

    1. If there is an explicit regulation in the law related to the issue of the transfer of personal data,
    2. If the transfer is mandatory for the protection of life or physical integrity of the person or of any other person who is physically incapable of giving his/her consent or whose consent is not deemed legally valid;
    3. If the transfer of personal data belonging to the parties to a contract is necessary provided that it is directly related to the conclusion or fulfilment of such contract,
    4. If the personal data transfer is mandatory for our Company to fulfill its legal obligations,
    5. If the personal data has been made available to the public by the data owner himself/herself,
    6. If the personal data transfer is mandatory for the establishment, exercise or protection of any right,
    7. If it is mandatory for the legitimate interests of our Company, provided that such transfer does not violate the fundamental rights and freedoms of the data owner.

    Regardless of the underlying reason, the general data transfer principles shall always be taken into account in the processing activities and such principles are complied with (LPPD art. 4; see Part 2 above, I, 1).

  2. Transfer of Personal Data of Special Nature

    Our company may transfer personal data of special nature of the personal data owner to third parties in the following cases in line with legitimate and legal personal data processing purposes, by showing due diligence, taking the required security measures and adequate measures stipulated by the PPD Board.

    If explicit consent of the data owner is available, or

    If no explicit consent of the data owner is available;

    1. In the cases prescribed by the law, the personal data of special nature of the data owner (related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data), other than his/her health and sexual life,
    2. Personal data of special nature of data subject relating to health and sexual life may only be processed by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

    Regardless of the underlying reason, the general data transfer principles shall always be taken into account in the processing activities and such principles are complied with (LPPD art. 4; see Part 2 above, I, 1).

  3. Transfer of Personal Data Abroad

    Our company may transfer personal data and personal data of special nature of the personal data owner to third parties by taking the required security measures pursuant to the personal data processing objectives in accordance with the law. Personal data shall be transferred by our Company to foreign countries that have been announced by the PPD Board to have adequate protection ("Foreign Country with Adequate Protection") or in the absence of an adequate protection, to the foreign countries allowed by the PPD Board and where an adequate protection has been undertaken in written form by the data officers both in Turkey and in the relevant foreign country ("Foreign Country where the Data Officer Undertaking the Adequate Protection is Located"). In this respect, our Company acts in accordance with the regulations stipulated in Article 9 of the LPPD.

    Our company, pursuant to the legitimate personal data processing objectives in accordance with the law, may transfer personal data if there is explicit consent of the data owner or to Foreign Countries with Adequate Protection or to the Foreign Countries where the Data Officer Undertaking the Adequate Protection is Located in the presence of any one of the below listed cases if there is no explicit consent of the data owner:

    1. If there is an explicit regulation in the law related to the issue of the transfer of personal data,
    2. If the transfer is mandatory for the protection of life or physical integrity of the person or of any other person who is physically incapable of giving his/her consent or whose consent is not deemed legally valid;
    3. If the transfer of personal data belonging to the parties to a contract is necessary provided that it is directly related to the conclusion or fulfilment of such contract,
    4. If the personal data transfer is mandatory for our Company to fulfill its legal obligations,
    5. If the personal data has been made available to the public by the data owner himself/herself,
    6. If the personal data transfer is mandatory for the establishment, exercise or protection of any right,
    7. If it is mandatory for the legitimate interests of our Company, provided that such transfer does not violate the fundamental rights and freedoms of the data owner.
  4. Third Parties to which Personal Data is Transferred by our Company and the Purpose of such Transfer
    1. Persons to whom Data is Transferred

      In accordance with Article 10 of the LPPD, our Company informs the personal data owner of the groups to whom personal data has been transferred. In accordance with Articles 8 and 9 of the LPPD, our Company may transfer personal data to the following categories of persons:

      1. Business Partners,
      2. Suppliers,
      3. Main Shareholders,
      4. Legally authorized public institutions and organizations,
      5. Legally Authorized Private Entities.
    2. Purpose of Data Transfer

      Only limited to the fulfillment of the purpose of establishing a business partnership,

      In a limited manner in order to ensure that the services, which are outsourced by our Company from the supplier and which are required to fulfill the commercial activities of our company, are provided to our Company,

      Pursuant to the aim to ensure that human resources policies of our company are carried out, in order to carry out the human resources operations in accordance with the human resources policies of our Company, to fulfill the obligations within the framework of occupational health and safety and to take the necessary measures,

      To our Affiliates, Shareholders, Legally Authorized Public Institutions and Organizations, Legally Authorized Private Entities, to companies to which our Company is a shareholder according to the provisions of the relevant legislation,

      In accordance with the provisions of the relevant legislation, to our shareholders authorized to design the strategies and audit activities related to the commercial activities of our Company,

      In accordance with the provisions of the relevant legislation, to the public institutions and organizations authorized to receive information and documents from our Company, in a manner limited to provide the conduct of commercial activities requiring the participation of the private legal entities authorized to receive information and documents from our Company as well as the affiliates of our Company,

      In accordance with the provisions of the relevant legislation, limited to the designing and auditing strategies regarding the commercial activities of the Company and to the objective required by the relevant public institutions and organizations within the scope of their legal authorities,

      In the transfers made by our Company for the purpose requested by the relevant private legal entities within the scope of their legal authority, the principles and rules set forth in this Policy are complied with.

PART 3: LEGAL BASIS OF PROCESSING PERSONAL DATA AND THE OBJECTIVES

I. LEGAL BASIS OF PROCESSING PERSONAL DATA
  1. General Principles

    Although the legal basis for the processing of personal data by our Company varies, we act in accordance with the general principles set forth in Article 4 of the LPPD in all kinds of personal data processing activities. According to this, the below issues are considered in all kinds of data processing activities:

    1. Acting in accordance with the law and integrity rules,
    2. Being correct and up to date when required,
    3. Processing with certain, explicit and legitimate objectives,
    4. Personal Data being linked to, limited and measured with the purpose of being processed
    5. Personal data being maintained for the time stipulated in the relevant legislation or for the time required regarding the purpose for which they are being processed.
  2. Reasons for Compliance with the Law
    1. Explicit Consent of the Data Owner to be Available
      One of the conditions for the processing of personal data is the owner's explicit consent. The explicit consent of the personal data owner must be declared in relation to a specific subject, on an informed basis and with free will.
    2. The Processing of Personal Data to be clearly prescribed by the law
      The personal data of the data owner may be processed in accordance with the law if it is explicitly provided for in the law. For example, reporting the identity of our employees to the competent authorities in accordance with the Law on the Reporting of Identity.
    3. No Explicit Consent being Available due to Actual Impossibilities
      The personal data of the data holder may be processed if it is compulsory to process the personal data in order to protect the life or bodily integrity of the person himself/herself or of someone else who is not able to explain his/her reason due to the actual impossibility or whose consent cannot be considered as valid.
    4. Direct Relation with the Establishment or Execution of the Contract
      Personal data may be processed if it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract.
    5. Performance of the Legal Obligations by the Company
      The data owner's personal data may be processed if it is compulsory for our company to fulfil its legal obligations as the data official.
    6. Personal Data Owner Declaring the Personal Data as Public
      If the data owner's personal data has been declared as public by himself/herself, the relevant personal data may be processed.
    7. Data Processing is Compulsory for the Establishment or Protection of a Right
      If data processing is compulsory for the establishment or protection of a right, the data owner's personal data may be processed.
    8. Data Processing is Compulsory for the Legitimate Interest of our Company
      The personal data of the data owner may be processed if the data processing is compulsory for our Company's legitimate interests provided that the fundamental rights and freedoms of the personal data owner are not prejudiced.
  3. Processing Personal Data of Special Nature and Reasons for Compliance with the Law
    If the personal data owner does not have explicit consent, our Company may only process personal data of special nature in the cases specified under the Law provided that adequate measures to be determined by the PPD Board are taken. Personal data of special nature of data subject relating to health and sexual life may only be processed by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. Regardless of the underlying reason, the general data processing principles shall always be taken into account in the processing activities and such principles are complied with (LPPD art. 4; see Part 2 above, I, 1).
II. PURPOSE OF PROCESSING PERSONAL DATA

Our Company processes personal data limited to the purposes and conditions within the scope of the personal data processing requirements specified in paragraph 2 of article 5 and paragraph 3 of article 6 of the Law on the Protection of Personal Data No. 6698. In the data processing process, the legal basis mentioned above is taken into consideration and the consent of the person concerned is requested if the other legal basis is not available. Here, audits on general principles are carried out within the scope of Article 4 and above all, the condition where data processing is generally compliant with the principles of the law is sought. The explicit consent of the person concerned is obtained based on information and free will.

The personal data in our company units may be processed for the below stated purposes:

  1. In order to improve, develop, diversify our products and services and to offer alternatives to legal entities/real persons with whom commercial relations are available,
  2. In order to develop products and services, to evaluate new technologies and applications and determine and implement commercial and business strategies of our Company,
  3. For the purposes such as to carry out our required quality and standard audits or to fulfill our reporting and other obligations determined by laws and regulations,
  4. Pursuant to the aim to ensure that human resources policies of our company are carried out, for the recruitment of personnel eligible for open positions in accordance with the human resources policies of our company, in order to carry out the human resources operations in accordance with the human resources policies of our Company, the selection of employee candidates, management of personal affairs, to specify training and career plans, to fulfill the obligations within the framework of occupational health and safety and to take the necessary measures,
  5. Pursuant to the aim to ensure the legal and commercial security of our Company and the persons with business relations with our company, in order to ensure the administrative security carried out by our Company for communication, management of legal operations, legal compliance process, physical security and supervision of the Company's locations,
  6. Furthermore, in a manner as required or obliged by the legal regulations and the regulatory and supervisory authorities, within the scope of the requirements and obligations specified to ensure the fulfillment of the legal obligations stated under the Law on the Protection of Personal Data,
  7. Pursuant to the aim of determining and implementing commercial and business strategies of our company, in order to manage the communication, market research and social responsibility activities, procurement operations (requisition, proposal, evaluation, order, budgeting, contract), product / project / manufacturing / investment quality processes and operations, internal system and application management operations, finance operations and financial affairs conducted by our Company.

PART 4: STORING, DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

As set out in Article 138 of the Turkish Penal Code and Article 7 of the LPPD, personal data shall be deleted, destroyed or made anonymous upon the Company's own decision or at the request of the personal data owner, in the case the reasons that require processing are eliminated in spite of the fact that it has been processed in accordance with the relevant legal provisions.

I. RETENTION AND RETENTION PERIOD OF PERSONAL DATA

Our Company stores personal data, where stipulated in the relevant laws and regulations, for the period stated in such legislations. In cases where the legislation does not regulate the period of retention for how long personal data should be stored, personal data shall be processed for a period, which requires the processing of our data in accordance with the requirements of our Company's practices and precedents of commercial activities, depending on the services offered by our Company and they shall be then deleted, destroyed or anonymized.

II. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

As set out in Article 138 of the Turkish Penal Code and Article 7 of the LPPD, personal data shall be deleted, destroyed or made anonymous upon the Company's own decision or at the request of the personal data owner, in the case the reasons that require processing are eliminated in spite of the fact that it has been processed in accordance with the relevant legal provisions. In this context, our Company fulfills its relevant obligation with the methods explained in this section.

  1. Deletion of Personal Data
    Although our Company has processed personal data in accordance with the provisions of the relevant law, if the reasons for the processing of personal data disappear, it may delete the data on the basis of its own decision or at the request of the personal data owner. Deletion of personal data is the process of making personal data inaccessible to and not reusable by the users concerned. Our Company takes all kinds of technical and administrative measures to ensure that deleted personal data cannot be accessed and reused by the relevant users.
  2. Destruction of Personal Data
    Although our Company has processed personal data in accordance with the provisions of the relevant law, if the reasons for the processing of personal data disappear, it may delete or destroy the data on the basis of its own decision or at the request of the personal data owner. Destruction of personal data is the irreversible process of making personal data inaccessible to and not reusable by the users concerned. Our Company takes all kinds of technical and administrative measures for the destruction of personal data.
  3. Anonymization of Personal Data
    Anonymization of personal data refers to making personal data unlikely to be associated with any identifiable real person in any way even when personal data is paired with other data. Our company may anonymize personal data when the reasons requiring the processing the personal data processed in accordance with the law have disappeared. For the anonymization of personal data, personal data must not be associated with any identifiable real person in any way in terms of any recording environment even when personal data is paired with other data and/or recovered by the data officer or receiver groups as well as by means of using the appropriate techniques in terms of the relevant field of activity. Our Company takes all kinds of technical and administrative measures for the anonymization of personal data. In accordance with Article 28 of the LPPD, anonymized personal data can be processed for research, planning and statistics purposes. Such processing will be considered to be outside the scope of the LPPD and will not require the express consent of the personal data owner.

PART 5: RIGHTS HELD BY THE DATA OWNER

I. SCOPE OF DATA OWNER'S RIGHTS AND EXERCISE OF THESE RIGHTS
  1. Rights Held by the Data Owner
    Personal data owners are entitled to the following:
    1. To learn whether personal data has been processed,
    2. If personal data has been processed, to request information regarding this,
    3. To learn the purpose of processing personal data and whether they are used appropriately in accordance with this purpose,
    4. To have information about third parties to which personal data is transferred either in Turkey or abroad,
    5. To request correction of personal data if it is incomplete or improperly processed and to request that the process carried out in this context be notified to third parties to whom personal data is transmitted,
    6. To request that personal data be deleted or destroyed even if it has been processed in accordance with the provisions of the LPPD and other relevant laws and in the case that the reasons for such processing are not present any more to request that the process carried out in this context be notified to third parties,
    7. To object to the occurrence of a result against the person himself by means of analyzing the processed data exclusively through automated systems,
    8. To demand that damages be eliminated in the event of a corruption due to the processing of personal data contrary to the law,
  2. Exercise of the Rights by Personal Data Owner

    As per paragraph 1 of Article 13 of the LPPD, personal data owners are required to submit to our Company their request for the exercise of their above-mentioned rights with the methods stated below, which would be sufficient:

    Application Method | Application Address | Information to be Submitted during the Application
    Personal Application (Application by the applicant personally by validating his/her identity) | Kavakli Mh. Deniz Aktas Cd. No: 32 34520 Beylikduzu/Istanbul | "Information Request within the scope of Law on the Protection of Personal Data" shall be written on the envelope.
    Notification through Notary Public | Kavakli Mh. Deniz Aktas Cd. No: 32 34520 Beylikduzu/Istanbul | "Information Request within the scope of Law on the Protection of Personal Data" shall be written on the notification envelope.
    By being signed with "Secured Electronic Signature" and sending it to the registered Company electronic mail address (KEP) | tamplastik@hs01.kep.tr | "Information Request on the Law on the Protection of Personal Data" should be written in the subject line of the e-mail.

    In the application;

    It is obligatory that the name, surname, signature - if the application is made in a hardcopy format - Turkish Republic Identity Number for the Turkish Republic citizens, nationality if the applicant is of foreign origin, passport number or identity number, if available, place of residence or business address constituting the basis for notices, e-mail address constituting the basis for notices, if any, telephone and fax number and the subject matter of the request are present. Information and documents related to the subject matter will be attached to the application.

    It is not possible to place a request by third parties on behalf of personal data owners. In order for a person other than the personal data owner to make such a request, there must be a special power of attorney issued by the personal data owner in the name of the applicant. In the application, personal data owner should clearly state the requested subject matter, the subject matter should be related to the person himself/herself or if he/she is acting on behalf of another person, he/she must be specially authorized and such authority must be certified and documented, the application should contain the identity and address information and the documents confirming the identity must be attached to the application.

  3. Responding to Applications

    In the event that the personal data owner duly communicates his/her request to our Company, we shall conclude the demands involved in the applications within the shortest time possible depending on the nature of the demand and within thirty days at the latest and free of charge. However, if the process requires a separate cost, our Company shall charge the applicant the fee listed in the tariff set by the PPD Board. Our company may request information from the person concerned to determine whether the applicant is the personal data owner or not. In order to clarify the issues in the application of the personal data owner, our Company may direct questions to the personal data owner about the application.

PART 6: ENSURING THE SECURITY OF PERSONAL DATA

I. TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE LAW

Our company takes all required technical and administrative measures to ensure that personal data is processed in accordance with the law. In this context:

  1. Within our company, a data inventory compatible with the VERBIS system is issued (Data Mapping) and audits for compliance with the law and purpose audits are carried out.
  2. The employees are provided with training on the law on the protection of personal data and on the processing of personal data in accordance with the law.
  3. All activities carried out by our company are analyzed in detail within all business units and as the result of this analysis, personal data processing activities are revealed unique to the commercial activities carried out by the relevant business units.
  4. The personal data processing activities carried out by the business units of our Company and the requirements to be fulfilled in order to ensure compliance of these activities with the personal data processing requirements of Law No. 6698 are determined in each business unit and unique to the activity conducted by it.
  5. In the contracts and documents governing the legal relationship between the Company and the employees, provisions are included bringing the obligation not to process, disclose and use personal data except for the Company's instructions and the exceptions provided by law and therefore awareness of the employees is created and audits are carried out.
II. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN IN PROCESSING DATA OF SPECIAL NATURE

With the LPPD, some personal data has been attributed special importance due to the risk of causing victimization of persons or discrimination when processed contrary to the law. This data relates to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress codes, association, foundation or trade union memberships, health, sexual life, criminal conviction and security measures as well as biometric and genetic data. Our company sensitively handles the protection of personal data determined by the LPPD as "of special nature" and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully applied with regard to personal data of special nature and necessary controls are provided.

III. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN TO PREVENT ILLEGAL ACCESS TO PERSONAL DATA

Our company takes technical and administrative measures to protect the personal data from unauthorized or negligent disclosure, access, transfer or other forms of illegal and unauthorized access.

  1. Technical Measures Taken to Prevent Illegal Access to Personal Data

    The main technical measures taken by our Company in order to prevent illegal access to personal data are listed as follows:

    1. Ensuring Cyber Security
      Cyber security products are primarily used to provide the security of personal data, but measures are not limited to this. A line of defense against attacks from environments such as the Internet is established through measures such as firewall and network gateway. Unused software and services are removed from the devices.
    2. Software updates
      It is ensured that software and hardware run properly with patch management processes and software updates, and whether the security measures taken for the systems are sufficient is checked on a regular basis.
    3. Access Restrictions
      Access to systems containing personal data is also restricted. Within this scope, the employees are granted access authorizations to the extent required to perform their duties and tasks as well as their powers and responsibilities and the relevant systems are accessed by means of using a username and a password. While creating these passwords, it is ensured that combinations of uppercase and lowercase letters, numbers and symbols are preferred instead of numbers or letter sequences related to personal information which can be easily guessed. Accordingly, an access authorization and control matrix are established.
    4. Encryption
      Besides the use of strong passwords, access is restricted by means of methods such as limiting the number of attempts to enter the password, ensuring that the password is changed at regular intervals, activating the administrator account and admin authority only to be used when required and deleting the account or blocking the access of the employees who have been dismissed and who have no relation with the data officer any more in the shortest time possible.
    5. Anti-Virus Software
      In order to be protected against malware, products such as antivirus and antispam, which regularly scan the information system network and detect the dangers, are used and these are kept up-to-date and the required files are scanned on a regular basis. If personal data is to be obtained through different internet sites and/or mobile applications, it is ensured that the connection is provided through SSL or a more secure method.
    6. Monitoring of Personal Data Security
      1. Checking which software and services are running in information networks,
      2. Determining whether there is a leakage or movement that should not exist in the information networks,
      3. Keeping record of all user transactions on a regular basis (such as log records),
      4. Reporting security problems as quickly as possible,

      are all carried out. An official reporting procedure is being established for the employees to report security vulnerabilities on the system and the services or to report the threats using the same.

      Evidence is collected and securely safeguarded in undesirable cases such as crashing of the information system, malicious software, attack to leave the service unavailable, incomplete or incorrect data entry, violations of privacy and integrity and misappropriation of the information system.

    7. Ensuring the Security of the Environments Containing Personal Data

      If the personal data is stored on the devices located in the premises of the data officers or in hardcopy format, physical security measures are taken against threats such as theft or loss of these devices and hardcopies.

      The physical environments which contain personal data are protected against external risks (such as fire, flood, etc.) using appropriate methods and the entrances/exits to such environments are controlled.

      If the personal data is kept in electronic environment, access may be restricted between the network components or the components are ensured to be disconnected to prevent personal data security breaches.

      The measures at the same level are also taken for the hardcopy media, electronic environment and devices (laptops, mobile phones, flash drives) which are located outside the Company premises and which contain personal data belonging to the Company. Personal data to be transmitted by electronic mail or mail is also sent carefully with the adequate measures taken.

      Sufficient security measures are also taken in the case employees provide access to the information system network with their personal electronic devices.

      Access control authorization and/or encryption methods are applied against cases such as loss or theft of devices containing personal data. In this context, the password key is stored only in the environment accessible to authorized persons and unauthorized access will be prevented.

      Documents in hardcopy format containing personal data are also stored in a locked environment accessible only by authorized persons, so that unauthorized access to such documents is prevented.

    8. Storing Personal Data in the Cloud
      In the case the personal data is stored in the cloud, it should be observed and assessed by the Company whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, the measures specified in the guidelines and recommendations of the PPD Board are taken into consideration.
    9. Information Technology Systems Procurement, Development and Maintenance
      While determining the requirements for the supply, development or improvement of the existing systems by the Company, security requirements are taken into consideration.
    10. Back Up of Personal Data
      In cases where personal data has been damaged, destroyed, stolen or lost for any reason, the Company will use the back-up data as soon as possible to resume the activity in the shortest time possible. The personal data subject to back-up will be accessible only by the system administrator, and data set backups are excluded from the network.
  2. Administrative Measures Taken to Prevent Illegal Access to Personal Data

    The main administrative measures taken by our Company in order to prevent illegal access to personal data are listed as follows:

    1. Employees are informed and trained on the technical measures to be taken to prevent illegal access to personal data.
    2. Employees are informed that they will not be able to disclose the personal data they have learned in violation of the provisions of the LPPD except for the purpose of data processing and that this obligation will continue after leaving the company and the necessary commitments are received from their side pursuant to this.
    3. Personal Data Security Policies and Procedures are determined, regular controls are carried out within the scope of the policies and procedures, the controls are documented and the issues which are required to be improved are determined. Yet, the risks that may arise for each category of personal data and how to manage the security breaches are clearly defined.
    4. Reducing Personal Data to the extent possible: As per subparagraphs (b) and (d) of paragraph two of article 4 of the Law, personal data should be accurate and up-to-date if necessary, and be retained for the period as required by the relevant legislation or for the purpose for which they are processed. However, it is evaluated whether data which is inaccurate, outdated and which does not serve any purpose is still required and the personal data which is not needed anymore is either deleted, destroyed or anonymized pursuant to the personal data storage and destruction policy.
    5. Management of Relationships with Data Processors: When the Company receives services from the data processors in order to meet its IT requirements, the transaction is performed by assuring that such data processors provide at least the level of security provided by their own with regard to the personal data. In this context, protective arrangements related to the protection of personal data are introduced in the contracts signed with the data processor.
IV. STORAGE OF PERSONAL DATA IN SAFE ENVIRONMENTS

Our company takes the necessary technical and administrative measures according to technological facilities and cost of implementation in order to prevent personal data from being stored in non-safe environments and being destroyed, lost or changed with illicit purposes.

V. TRAINING
  1. Our Company provides the necessary trainings to its employees regarding the Protection of Personal Data within the scope of the Policy, the LPPD Procedures and the LPPD Regulations.
  2. In the trainings, the definitions and applications for the protection of Personal Data of Special Nature are especially mentioned.
  3. If our Company employee accesses the Personal Data physically or in a computer environment, our Company provides training to its relevant employee particularly for such accesses (such as the computer software accessed).
VI. AUDIT
  1. Increasing the Awareness and Auditing of the Business Units about the Protection and Processing of Personal Data
    Our company ensures that required notifications are given to the business units in order to increase the awareness for preventing unauthorized and illicit processing of the personal data and unauthorized access to data contrary to the law and providing the safekeeping of data.
  2. Increasing the Awareness and Auditing of the Business Partners and Suppliers about the Protection and Processing of Personal Data
    Our company ensures that required notifications are given to the business partners in order to increase the awareness for preventing unauthorized and illicit processing of the personal data and unauthorized access to data contrary to the law and providing the safekeeping of data.
  3. Inspection of the Measures Taken on the Protection of Personal Data
    Our Company is entitled to perform regular and ex officio inspections, without any prior notification, as to whether all the employees, departments and contractors of the Company act in compliance with this Policy and the PPD Regulations, and conducts the necessary routine audits. The results of these audits shall be evaluated in line with the Company's internal operation procedures and the required activities shall be carried out to improve the measures taken.

Measures to be Taken in the case of Unauthorized Disclosure of Personal Data

In the case that personal data processed in accordance with Article 12 of the LPPD are obtained by others through illegal means, our company operates a system that allows this situation to be notified to the concerned personal data owner and the PPD Board as soon as possible.