EN
TR

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Version 1.1

Release Date: 02.04.2021

 

CHAPTER 1

INTRODUCTION

This policy prepared within the scope of the protection of personal data has been prepared for use throughout our company named below.

Our Company ;

İnpak Makina Sanayi ve Ticaret A.Ş

Protection of personal data is among the most important priorities of our company. The most important pillar of this issue is the protection and processing of personal data of our customers, guests, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with and third parties, which are managed by this Policy. The activities carried out by our Company regarding the protection of the personal data of our employees are managed under the Policy on the Protection and Processing of Personal Data of Company Employees, which is written in parallel with the principles in this Policy.

According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data related to him/her. Regarding the protection of personal data, which is a constitutional right, the Company pays due attention to the protection of the personal data of its customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions it cooperates with and third parties and makes it a company policy.

In this context, necessary administrative and technical measures are taken by the Company’s shareholders within the borders of the Republic of Turkey for the protection of personal data processed in accordance with the relevant legislation.

In this Policy, detailed explanations will be made regarding the basic principles adopted by our company in the processing of personal data and listed below:

  • Processing personal data in accordance with the law and good faith,
    Keeping personal data accurate and updated when necessary,
    Processing personal data for specific, explicit and legitimate purposes,
    Processing personal data in connection with the purpose for which they are processed, limited and measured,
    Retaining personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed,
    Informing and enlightening personal data subjects,
    Establishing the necessary system for personal data subjects to exercise their rights,
    Taking necessary measures for the protection of personal data,
    To act in accordance with the relevant legislation and the regulations of the PDP Board in transferring personal data to third parties in line with the requirements of the purpose of processing,
    Showing the necessary sensitivity to the processing and protection of sensitive personal data.

 

1.2. PURPOSE OF THE POLICY

The main purpose of this Policy is to make explanations about the personal data processing activities carried out by our company in accordance with the law and the systems adopted for the protection of personal data, and in this context, to ensure transparency by informing the persons whose personal data are processed by our company, especially our customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties.

1.3 SCOPE

This Policy relates to all personal data of our customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.

The scope of application of this Policy regarding the groups of personal data owners in the categories mentioned above may be the entire Policy (e.g. our Active customers who are also our visitors); or only some of its provisions (e.g. only our visitors).

1.4    IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION
Personal data processing and protection will primarily be applied to our company in accordance with the relevant legal regulations in force. In the event of any inconsistency between the current legislation and the Policy, our company acknowledges that the current legislation and the law shall prevail.

The Policy has been developed by concretizing the rules set forth by the relevant legislation within the scope of our company’s practices. Our company is conducting the necessary system and preparations to comply with the timeframes envisaged in the Personal Data Protection Law.

1.5 EFFECTIVENESS OF THE POLICY

This Policy, prepared by our company, was created on June 4, 2018, and revised on June 11, 2019, in accordance with changing business processes and compliance with Law No. 6698, entering into force as version 1.1. The effective date of the Policy will be updated in case of renewal of the entire Policy or specific articles.

The Policy is published on our company’s website and is made accessible to relevant individuals upon request by data subjects.

Our company, in accordance with Article 12 of the Personal Data Protection Law, has taken necessary technical and administrative measures to prevent the unlawful processing of personal data it processes, to prevent unauthorized access to data, and to ensure the security of data. In this context, technical infrastructure security audits and cybersecurity audits are conducted by purchasing domestic audits.
  1. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

2.1. ENSURING THE SECURITY OF PERSONAL DATA

2.1.1. Our company takes technical and administrative measures in line with technological possibilities and application costs to ensure the lawful processing of personal data.

  • Technical measures are taken by our company to ensure the lawful processing of personal data.
  • The technical measures taken are periodically reported to the relevant authorities as part of the internal audit mechanism.
  • Technical measures are taken to ensure that personal data are stored in a single location within our company, and necessary security measures are taken on the computers of all employees and data entry computers.
  • Administrative measures taken by our company to ensure the lawful processing of personal data include:
  • Employees are informed and trained about the law on the protection of personal data and the lawful processing of personal data.
  • All activities carried out by our company are analyzed in detail within each business unit, and the personal data processing activities are determined within the scope of the requirements to ensure compliance with the personal data processing conditions required by Law No. 6698 and GDPR.
  • The legal compliance requirements determined by business units are created awareness within the respective business units, and application rules are established. Administrative measures are implemented through company policies and training to ensure compliance and continuity of the application.
  • Records specifying that personal data will not be processed, disclosed, or used in violation of the Law on the Protection of Personal Data and GDPR, except for the exceptions brought by the Company’s instructions and the law, are included in contracts and documents governing the legal relationship between our company and employees. Employees are informed about this, and inspections are carried out.

2.1.2. Our company takes technical and administrative measures in line with technological possibilities and application costs to prevent the unlawful access, disclosure, access, transfer, and other unlawful access to protected data.

  • Technical measures taken by our company to prevent unlawful access to personal data include:
  • Technical precautions are taken to be in line with technological developments, and the measures taken are periodically updated and renewed.
  • Access and authorization technical solutions are put into operation in accordance with unit-based legal compliance requirements.
  • Technical measures taken are periodically reported to the relevant authorities as part of the internal audit mechanism, and issues posing a risk are re-evaluated to produce the necessary technological solutions.
  • Software and hardware, including virus protection systems and security firewalls, are installed.
  • All data management is centralized.
  • Administrative measures taken by our company to prevent unlawful access to personal data include:
  • Employees are trained in technical measures to prevent unlawful access to personal data.
  • Access and authorization processes for personal data within the company are designed and implemented in accordance with unit-based legal compliance requirements.
  • Employees are informed that they cannot disclose personal data they have learned contrary to the Law on the Protection of Personal Data and GDPR, use it for purposes other than processing, and that this obligation will continue even after they leave their duties. Necessary commitments are obtained in this regard.
  • Contracts and documents governing the legal relationship between our company and employees include provisions that personal data will not be processed, disclosed, or used in violation of the Law on the Protection of Personal Data and GDPR, except for the exceptions brought by the Company’s instructions and the law. Contracts include provisions that the persons to whom personal data are transferred will take necessary security measures to protect personal data and ensure compliance with these measures in their organizations.

2.1.3. Our company takes necessary technical and administrative measures to prevent the unlawful processing of personal data and to prevent unauthorized access to data, taking into account the nature of the data to be protected, technological possibilities, and application costs, in order to prevent the unlawful disclosure, access, transfer, and other unlawful access to data or any other form of unlawful access.

  • Technical measures taken by our company to ensure the safe storage of personal data include:
  • Systems suitable for technological developments are used for the safe storage of personal data.
  • Technical security systems are established for storage areas, technical measures taken are periodically reported to the relevant authorities as part of the internal audit mechanism, and issues posing a risk are re-evaluated to produce the necessary technological solutions.
  • Backup programs that comply with the law are used to ensure the safe storage of personal data.
  • Administrative measures taken by our company to ensure the safe storage of personal data include:
  • Employees are trained to ensure the safe storage of personal data.
  • If, due to technical requirements, external services are procured for the storage of personal data, contracts concluded with companies to which personal data are lawfully transferred include provisions that the persons to whom personal data are transferred will take necessary security measures to protect personal data and ensure compliance with these measures in their organizations.

2.1.4. Our company conducts necessary audits within itself or has them conducted in accordance with Article 12 of the Personal Data Protection Law in a manner compatible with the technical requirements for the protection of personal data, in a manner compatible with the technical requirements for the protection of personal data, and in a manner compatible with the technical requirements for the protection of personal data. The results of these audits are reported to the relevant department within the company’s internal functioning and necessary activities are carried out for the improvement of the measures taken.

2.1.5. Our company operates a system that ensures that the personal data processed in accordance with Article 12 of the Personal Data Protection Law is notified to the relevant personal data owner and the Personal Data Protection Board as soon as possible in case it is unlawfully obtained by others through illegal means. If deemed necessary by the Personal Data Protection Board, this situation may be announced on the website of the Personal Data Protection Board or by any other method.

2.2. PROTECTION OF THE RIGHTS OF THE DATA SUBJECT

The establishment of channels for the data subjects to communicate these rights to our company and the evaluation of the requests of the data subjects;

Our company carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the Personal Data Protection Law to evaluate the rights of data subjects and to inform the data subjects as required by the law.

Data subjects can have their requests regarding the rights listed below resolved free of charge by our company in the shortest time and at the latest within thirty days if they submit their requests in writing to our company. However, if the transaction also requires a cost, the fee specified in the tariff determined by the Personal Data Protection Board will be charged by our company. Data subjects have the following rights:

  • To learn whether personal data is processed,
  • To request information if personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • To know the third parties to whom personal data is transferred domestically or abroad,
  • If personal data is processed incompletely or inaccurately, to request their correction and to request the notification of the transaction made within this scope to third parties to whom personal data has been transferred,
  • To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law No. 6698 and other relevant laws, in the event that the reasons requiring their processing disappear, and to request the notification of the transaction made within this scope to third parties to whom personal data has been transferred,
  • To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • If personal data is processed unlawfully and causes harm to the person, to request the removal of the damage.

2.3. PROTECTION OF SPECIAL QUALIFIED PERSONAL DATA

The protection of certain personal data has been attached special importance due to the risk of causing harm or discrimination to individuals if they are unlawfully processed.

These data include race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction, and security measures related data, as well as biometric and genetic data.

Our company acts with care in the protection of personal data of special nature as determined by the Personal Data Protection Law. In this context, technical and administrative measures taken for the protection of personal data are applied with diligence in terms of personal data of special nature, and audits are provided within our company.

2.4. INCREASING AWARENESS AND AUDITING OF BUSINESS UNITS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company ensures the awareness of business units for the prevention of the unlawful processing of personal data, prevention of unlawful access to data, and safeguarding data by organizing the necessary training.

Our company establishes the necessary systems to create awareness about the protection of personal data among the current employees of business units and newly hired employees within our company, and professional individuals are consulted when needed.

2.5. AWARENESS AND AUDITING OF PARTNERS AND SUPPLIERS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company organizes training sessions and seminars for partners to increase awareness for the prevention of unlawful processing of personal data, prevention of unlawful access to data, and data protection.

Our company establishes the necessary systems to create awareness about the protection of personal data among current employees of business units and newly hired employees within our company, and professional individuals are consulted when needed.

Our company, in accordance with Article 4 of the Personal Data Protection Law, processes personal data in compliance with legal regulations, with accuracy, and as required by the principles of honesty; for specific, clear, and legitimate purposes; in connection with the purpose; limited and proportionate to the purposes of processing personal data. Our company retains personal data for the period specified in the relevant laws or for the period required by the processing purpose.

Our company, in accordance with Articles 5 of the Personal Data Protection Law, processes personal data based on one or more of the conditions specified in Article 5 of the Personal Data Protection Law.

Our company, in accordance with Article 6 of the Personal Data Protection Law, informs personal data owners during the acquisition of personal data and provides the necessary information to data subjects if they request it.

Our company, in accordance with Article 6 of the Personal Data Protection Law, acts in compliance with the regulations regarding the processing of special qualified personal data.

Our company, in accordance with Articles 8 and 9 of the Personal Data Protection Law, complies with the regulations set forth in the law and by the Personal Data Protection Board regarding the transfer of personal data.

All activities aimed at increasing awareness regarding the protection and processing of personal data for our company’s business partners are reported to our company’s management and shareholders. Our company applies Supplier Privacy Agreements to all business partners and ensures the sensitivity of Personal Data Protection is maintained with the relevant contract clauses.

  1. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

3.1. PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SPECIFIED IN THE LEGISLATION

3.1.1. Processing in Compliance with the Law and Honesty

Our company acts in compliance with the principles established by legal regulations and the general trust and honesty principle in the processing of personal data. In this context, our company takes into account the requirements of proportionality in the processing of personal data and does not use personal data beyond the requirements of the purpose.

3.1.2. Ensuring the Correctness and Timeliness of Personal Data

Our company ensures that the personal data it processes is correct and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. In this regard, necessary precautions are taken. For example, our company has established a system for personal data owners to correct their personal data and confirm its accuracy. Detailed information on this topic is provided in Section 10 of this Policy.

3.1.3. Processing for Specified, Clear, and Legitimate Purposes

Our company clearly and precisely determines the purpose of processing personal data in a lawful and legitimate manner. Our company processes personal data only to the extent necessary and related to the services it provides. The purpose of processing personal data by our company is determined before the personal data processing activity begins.

3.1.4. Being Related, Limited, and Proportional to the Purpose for Which They Are Processed

Our company processes personal data in a way that is suitable for achieving the purposes defined and avoids processing personal data that is not relevant or necessary for achieving the purpose. For example, personal data processing activities that may be required for potential future needs are not carried out.

3.1.5. Retaining Personal Data for the Period Required by Relevant Legislation or the Purpose of Processing

Our company retains personal data only for the period required by relevant legislation or the purpose for which it was processed. In this context, our company first determines whether there is a specified period for the storage of personal data in the relevant legislation, acts in accordance with this period if determined, and if no period is specified, retains personal data for the period required for the purpose for which personal data was processed. When the period expires or the reasons requiring processing disappear, personal data is deleted, destroyed, or anonymized by our company. Our company does not retain personal data for future use. Detailed information on this topic is provided in Section 9 of this Policy.

3.2. PROCESSING PERSONAL DATA BASED ON ONE OR MORE OF THE CONDITIONS SPECIFIED IN ARTICLE 5 OF THE PERSONAL DATA PROTECTION LAW AND LIMITED TO THESE CONDITIONS

The protection of personal data is a constitutional right. Fundamental rights and freedoms may only be limited by law and for reasons stipulated in the relevant articles of the Constitution without infringing on their essence. Pursuant to Article 20, paragraph three of the Constitution, personal data can only be processed in cases stipulated by law or with the express consent of the individual. In this regard, our company processes personal data only as stipulated by law or with the explicit consent of the individual. Detailed information on this topic is provided in Section 7 of this Policy.

3.3. INFORMING AND NOTIFYING THE DATA SUBJECT

Our company informs data subjects in accordance with Article 10 of the Personal Data Protection Law during the acquisition of personal data. In this context, our company provides information about the identity of the company and, if any, its representative, the purpose for which personal data will be processed, to whom and for what purpose personal data may be transferred, the method of personal data collection, and the legal basis for processing personal data. Detailed information on this topic is provided in Section 10 of this Policy.

Article 20 of the Constitution establishes the right of everyone to be informed about their personal data. In this context, Article 11 of the Personal Data Protection Law includes “requesting information” among the rights of the data subject. In accordance with Article 20 of the Constitution and Article 11 of the Personal Data Protection Law, our company provides the necessary information when the data subject requests information. Detailed information on this topic is provided in Section 10 of this Policy.

3.4. PROCESSING OF SPECIAL QUALIFIED PERSONAL DATA

Our company complies with the regulations stipulated in the Personal Data Protection Law regarding the processing of personal data identified as “special qualified” by the law.

Article 6 of the Personal Data Protection Law identifies certain personal data as “sensitive” data, which poses a risk of causing harm or discrimination to individuals when processed unlawfully. These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, association, foundation or union membership, health, sexual life, criminal convictions, and data related to security measures, as well as biometric and genetic data.

In accordance with the Personal Data Protection Law, our company processes sensitive personal data in the following cases, provided that adequate precautions determined by the Personal Data Protection Board are taken:

  • If the data subject has given explicit consent; or
  • If the data subject has not given explicit consent:
  • Sensitive personal data other than data related to the data subject’s health and sexual life, in cases foreseen by laws,
  • Sensitive personal data related to the data subject’s health and sexual life, only by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and their financing.

Our company takes the highest level of precautions within the organization for the processing and recording of sensitive data, and as soon as the data processing is completed, regardless of the retention period, the data is destroyed.

3.5. TRANSFER OF PERSONAL DATA

Our company, in accordance with legal purposes for processing personal data and by taking necessary security measures, can transfer personal data and sensitive personal data of data subjects to third parties (third-party companies, business partners, third parties) if applicable. Our company complies with the regulations stipulated in Article 8 of the Personal Data Protection Law in this regard. Detailed information on this topic is provided in the 6th section of this Policy.

3.5.1. Transfer of Personal Data

Our company, based on one or more of the conditions specified in Article 5 of the Personal Data Protection Law, and limited to these conditions, can transfer personal data to third parties:

  • If the data subject has given explicit consent,
  • If there is a clear regulation in the laws regarding the transfer of personal data,
  • If it is necessary to protect the life or physical integrity of the data subject or someone else, and the data subject is unable to disclose their consent due to actual impossibility or if their consent is not legally valid,
  • If it is directly related to the establishment or performance of a contract, provided that it is necessary for the transfer of personal data belonging to the parties of the contract,
  • If the transfer of personal data is mandatory for our company to fulfill its legal obligations,
  • If personal data has been made public by the data subject,
  • If the transfer of personal data is necessary to establish, use, or protect a right,
  • If the transfer of personal data is necessary for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.5.2. Transfer of Sensitive Personal Data

Our company does not transfer sensitive data except in cases specified below. However, in cases where it is necessary, our company takes the necessary precautions, implements the required security measures, and complies with the adequate safeguards prescribed by the Personal Data Protection Board:

  • If the data subject has given explicit consent; or
  • If the data subject has not given explicit consent:
  • Sensitive personal data other than data related to the data subject’s health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, association, foundation or union membership, criminal convictions, and data related to security measures, as well as biometric and genetic data), in cases foreseen by laws,
  • Sensitive personal data related to the data subject’s health and sexual life, only by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and their financing.

3.6. TRANSFER OF PERSONAL DATA ABROAD

Our company does not transfer personal data abroad except in special cases mentioned in sections 3.6.1 and 3.6.2, apart from lawful purposes of personal data processing. Our company complies with the regulations stipulated in Article 9 of the Personal Data Protection Law in this regard. Detailed information on this topic is provided in the 6th section of this Policy.

3.6.1. Transfer of Personal Data Abroad

Our company can transfer personal data abroad to countries where there is adequate protection or where the data controller providing adequate protection undertakes, based on the explicit consent of the data subject or if explicit consent is not obtained, if one of the following conditions exists:

  • If there is a clear regulation in the laws regarding the transfer of personal data,
  • If it is necessary to protect the life or physical integrity of the data subject or someone else, and the data subject is unable to disclose their consent due to actual impossibility or if their consent is not legally valid,
  • If it is directly related to the establishment or performance of a contract, provided that it is necessary for the transfer of personal data belonging to the parties of the contract,
  • If the transfer of personal data is mandatory for our company to fulfill its legal obligations,
  • If personal data has been made public by the data subject,
  • If the transfer of personal data is necessary to establish, use, or protect a right,
  • If the transfer of personal data is necessary for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.6.2. Transfer of Sensitive Personal Data Abroad

Our company does not transfer sensitive personal data abroad except in the cases specified below. However, in cases where it is necessary, our company takes the necessary precautions, implements the required security measures, and complies with the adequate safeguards prescribed by the Personal Data Protection Board:

  • If the data subject has given explicit consent; or
  • If the data subject has not given explicit consent:
  • Sensitive personal data other than data related to the data subject’s health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, association, foundation or union membership, criminal convictions, and data related to security measures, as well as biometric and genetic data), in cases foreseen by laws,
  • Sensitive personal data related to the data subject’s health and sexual life, only by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and their financing.

Our company informs the data subjects about which groups of data subjects’ personal data it processes, the purposes of processing their personal data, and the retention periods of their personal data in accordance with Article 10 of the Personal Data Protection Law.

  1. CATEGORIZATION, PROCESSING PURPOSES, AND RETENTION PERIODS OF PERSONAL DATA PROCESSED BY OUR COMPANY

4.1. CATEGORIZATION OF PERSONAL DATA

Our company processes personal data in limited categories, as explained below, within the scope of the periods in this Policy and in accordance with the Personal Data Protection Law, general principles specified in Article 4 of the Personal Data Protection Law, and all obligations regulated in the Personal Data Protection Law.

PERSONAL DATA EXPLANATION OF PERSONAL DATA CATEGORIZATION
Identity Information Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; all information contained in documents such as Driver’s License, Identity Card, Residence, Passport, Lawyer’s Identity, Marriage Certificate.
Contact Information Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; information such as phone number, address, email.
Location Data Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; information determining the location of the data subject while using our products and services or while using the company’s vehicles in collaboration with the employees of institutions we cooperate with.
Customer or Guest Information Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; information obtained and generated about the relevant person in the course of our commercial activities and operations conducted by our business units.
Family Members and Relatives Information Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; information about the family members and relatives of the data subject for the purpose of protecting the legal interests of the data subject and the company in relation to our products and services.
Customer Transaction Information Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; records regarding the use of our products and services, as well as information such as instructions and requests necessary for the use of products and services by the customer.
Physical Space Security Information Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; personal data regarding the entry into physical spaces and records and documents taken during the stay in the physical space.
Transaction Security Information Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; your personal data processed in order to ensure our technical, administrative, legal, and commercial security while conducting our commercial activities.
Risk Management Information Information clearly identifying a real person, partially or entirely processed automatically or non-automatically as a part of data recording system; personal data that can be processed through methods used in accordance with legal, commercial customs and honesty in order to manage our commercial, technical, and administrative risks.

Here is the English translation of the provided text:

 

 

 

Financial Information

Information, documents, and records processed partially or entirely automatically or non-automatically as part of the data recording system, showing all kinds of financial results created depending on the type of legal relationship established by our company with the personal data owner, whose identity is clear or can be identified.

 

 

 

 

 

Employee Information

Any kind of personal data processed for the purpose of obtaining the basic information that will form the employment rights of our employees or individuals who are in an employment relationship with our company, whose identity is clear or can be identified, whether partially or entirely automatically or non-automatically as part of the data recording system.

 

 

 

 

 

Employee Transaction Information and

Employee Candidate Information

Any kind of personal data processed for the purpose of any transaction carried out by individuals who are in an employment relationship with our company or individuals who have applied to become employees of our company or have been evaluated as employee candidates in accordance with commercial customs and honesty rules by our company’s human resources needs, whether partially or entirely automatically or non-automatically as part of the data recording system.

Any kind of personal data processed for individuals who have applied to become employees of our company or have been evaluated as employee candidates in accordance with commercial customs and honesty rules by our company’s human resources needs, whose identity is clear or can be identified, whether partially or entirely automatically or non-automatically as part of the data recording system.

 

 

 

 

 

Employee Performance and Career Development Information

Any kind of personal data processed for the purpose of measuring the performance and planning the career development of our employees or individuals who are in an employment relationship with our company, whose identity is clear or can be identified, whether partially or entirely automatically or non-automatically as part of the data recording system.

 

 

 

 

 

Benefit and Welfare Information

Any kind of personal data processed for the planning of the benefits and welfare we offer and will offer to employees or other individuals in an employment relationship with our company, the determination of objective criteria related to their entitlements, and the tracking of their entitlements in accordance with legal obligations and the company’s policies.

 

 

 

 

 

Legal Transaction and Compliance Information

Any kind of personal data processed for the determination, follow-up of legal receivables and rights, the performance of our debts, our legal obligations, and compliance with the company’s policies in accordance with the identity of a definite or identifiable natural person, whether partially or entirely automatically or non-automatically as part of the data recording system.

 

 

 

 

Audit and Inspection Information

Any kind of personal data processed for the purpose of complying with our company’s legal obligations and company policies.

 

 

 

Special Categories of Personal Data

Data specified in Article 6 of Law No. 6698, which is processed partially or entirely automatically or non-automatically as part of the data recording system, the identity of a definite or identifiable natural person being clear.

 

 

 

 

 

 

Marketing Information

Personal data processed for the purpose of marketing our products and services by customizing them according to the usage habits, preferences, and needs of the data subject, and the reports and evaluations created as a result of this processing.

 

 

 

Complaints/Compliance Management Information

Personal data processed for the receipt and evaluation of any kind of complaint or request directed to our company.

 

 

 

 

4.2.       PURPOSES OF PROCESSING PERSONAL DATA

 

The top purposes of processing personal data, according to the categorization prepared by our company, are shared below:

  • Conducting necessary work by relevant business units for the realization of commercial activities conducted by our company,
  • Planning and executing the commercial and/or business strategies of our company,
  • Conducting necessary work by our business units to benefit the relevant individuals from the products and services offered by our company,
  • Planning and implementing human resources policies and processes of our company,
  • Ensuring the legal, technical, and commercial job security of the individuals who are in an employment relationship with our company,
  • Compliance with laws and legal requirements.

 

The data processing purposes within the scope of the above-mentioned top purposes are as follows:

  • Analysis and planning of processes in public tenders and private tenders,
  • Exploration and market research within the scope of project evaluation in tenders,
  • Planning and execution of Corporate Communication Activities,
  • Planning and Execution of Information Security Processes,
  • Establishment and Management of Information Technology Infrastructure,
  • Planning and Implementation of Access Rights to Information and Facilities for Business Partners and/or Suppliers,
  • Planning and Execution of Benefit and Welfare for Supplier and/or Business Partner Employees,
  • Monitoring of Finance and/or Accounting Affairs,
  • Management of Relationships with Business Partners and/or Suppliers,
  • Planning and Implementation of Sales Processes for Products and/or Services,
  • Activities for Identifying the Financial Risks of Customers,
  • Tracking of Contract Processes and/or Legal Claims,
  • Tracking of Customer Requests and/or Complaints,
  • Planning of Human Resources Processes,
  • Execution of Personnel Recruitment Processes,</li >
  • Planning and Execution of Career Development Processes,
  • Planning and Implementation of Wage Policy and Payroll Management,
  • Planning and Implementation of Performance Evaluation Processes,
  • Planning and Implementation of Training Processes,
  • Planning and Implementation of Social Opportunities and/or Activities,
  • Planning and Implementation of Health and/or Safety Activities,
  • Management of Occupational Health and Safety Processes,
  • Planning and Implementation of Legal Transactions,
  • Planning and Implementation of Auditing and/or Compliance Activities,
  • Planning and Implementation of Marketing and/or Promotion Activities,
  • Planning and Implementation of Complaints/Compliance Management Activities.

 

 

 

Categorization of Personal Data

The categories of personal data and the individuals to whom the relevant personal data is related are detailed in the table below:

 

Category of Personal DataRelated Category of Data SubjectIdentity InformationCustomer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating Institutions, Third PartiesContact InformationCustomer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating Institutions, Third PartiesLocation DataCustomer, Employee, Employees of Collaborating InstitutionsCustomer InformationCustomerFamily Members and Close Relatives InformationCustomer, Visitor, Employee Candidate, Third Parties, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating InstitutionsCustomer Transaction InformationCustomerPhysical Space Security InformationVisitor, Company Officials, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating InstitutionsTransaction Security InformationCustomer, Visitor, Third Parties, Company Officials, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating InstitutionsRisk Management InformationCustomer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating Institutions, Third PartiesFinancial InformationCustomer, Employee, Company Shareholder, Company Official, Company Shareholder, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating InstitutionsEmployee InformationEmployees of Collaborating Institutions, Shareholders, and Officials of Collaborating InstitutionsEmployee Candidate InformationEmployee Candidate, Employees of Collaborating InstitutionsEmployee Transaction InformationEmployees of Collaborating InstitutionsEmployee Performance and Career Development InformationEmployees of Collaborating InstitutionsBenefit and Welfare InformationEmployees of Collaborating InstitutionsLegal Transaction and Compliance InformationCustomer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating Institutions, Third PartiesAudit and Inspection InformationCustomer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating Institutions, Third PartiesSpecial Categories of Personal DataCustomer, Employee Candidate, Company Shareholder, Company Official, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating InstitutionsMarketing InformationCustomer, Potential CustomerComplaints/Compliance Management InformationCustomer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees of Collaborating Institutions, Shareholders, and Officials of Collaborating Institutions, Third Parties

 

 

 

 

  1. Third Parties to Whom Personal Data is Transferred by Our Company and Purposes of Transfer

 

Our company informs the data subject about the groups of individuals to whom personal data is transferred in accordance with Article 10 of the KVK Law.

 

In accordance with Articles 8 and 9 of the KVK Law (See Section 3/Title 3.5), our company may transfer personal data of customers to the following categories:

 

  • Our company’s business partners,
  • Our company’s suppliers,
  • Our company’s subsidiaries,
  • Our company’s shareholders,
  • Public institutions and organizations authorized by law,
  • Private legal entities authorized by law.

The scope and purposes of data transfer to the aforementioned individuals are stated below.

 

Entities to Which Data Will Be Transferred Definition Purpose of Data Transfer
 

 

 

 

 

Business Partner

Refers to the parties with whom our company has established a partnership for purposes such as selling, promoting, and marketing our company’s products and services, providing post-sales support, and running joint customer loyalty programs while conducting our company’s commercial activities. Only for the purpose of ensuring that the objectives of the partnership are met within the scope of transactions that require legal compliance, and limited to legal requirements, for example, to banks for collection processes.
 

 

 

Supplier

Refers to the parties providing services to our company based on contracts in accordance with our company’s orders and instructions while conducting our company’s commercial activities. Limited to ensuring the provision of services necessary for our company’s commercial activities, which are outsourced from suppliers by our company.
Our Subsidiaries Refers to companies in which our company holds shares. Limited to ensuring the conduct of commercial activities requiring the participation of subsidiaries of our company.
Our Shareholders Our shareholders authorized by relevant legislation to design strategies and audit activities regarding our company’s commercial activities. Limited to designing strategies related to our company’s commercial activities and audit purposes in accordance with relevant legislation.
Public Institutions and Organizations Authorized by Law Public institutions and organizations authorized by relevant legislation to request information and documents from our company. Limited to the purposes requested by relevant public institutions and organizations within the scope of their legal authority.
Private Legal Entities Authorized by Law Private legal entities authorized by relevant legislation to request information and documents from our company. Limited to the purposes requested by relevant private legal entities within the scope of their legal authority.

 

 

In the transfers carried out by our company, the issues regulated in Sections 2 and 3 of the Policy are complied with.

 

Our company informs the data subject about the personal data processed in accordance with Article 10 of the KVK Law.
  1. Processing of Personal Data Based on Conditions Specified in the Law and Limited to These Conditions

 

7.1.       Processing of Personal Data and Special Categories of Personal Data

 

7.1.1.    Processing of Personal Data

Obtaining explicit consent from the data subject is one of the legal bases that enable personal data to be processed legally. In addition to explicit consent, personal data can be processed if one of the other conditions listed below exists. The basis for personal data processing may be only one of the conditions listed below, or more than one of these conditions may be the basis for the same personal data processing activity. Regardless of the legal basis for processing personal data by our company, all personal data processing activities are carried out in accordance with the general principles specified in Article 4 of Law No. 6698 (See Section 3.1).

 

A – Existence of Explicit Consent of the Data Subject

One of the conditions for the processing of personal data is the explicit consent of the data subject. The explicit consent of the data subject should be based on specific information and given with free will.

 

Except for the primary processing of personal data related to the reasons for obtaining personal data, secondary personal data processing activities (second processing) require at least one of the conditions in this title (ii), (iii), (iv), (v), (vi), and (vii); if none of these conditions exist, these personal data processing activities are carried out based on the explicit consent of the data subject to these processing activities.

 

Personal data is processed based on the explicit consent of customers, potential customers, and visitors, among others, obtained through relevant methods. .

 

B – Explicit Provisions of the Law

Personal data can be processed legally if it is explicitly provided by the law.

 C – Inability to Obtain the Explicit Consent of the Data Subject Due to Physical Impossibility

Physical impossibility to explain his/her consent due to physical impossibility or invalidity of his/her consent due to physical impossibility, and if it is necessary to process his/her personal data to protect his/her own or someone else’s life or physical integrity, personal data can be processed.

D – Directly Related to the Establishment or Performance of a Contract

If personal data processing is necessary for the establishment or performance of a contract, as long as it is directly related to the parties of the contract, personal data can be processed.

 

E – Fulfillment of the Company’s Legal Obligations

Example: Submitting requested information to the court as required by a court order.

If necessary for our company, as the data controller, to fulfill its legal obligations, the personal data of the data subject may be processed.

 

F – Public Disclosure of Personal Data by the Data Subject

Example: Data of a person who indicates on a website that they want to buy a car with certain features and provides their phone number can be processed within the scope of this purpose without the need for their explicit consent. In this context, individuals who want to sell a car with the relevant features can contact the person concerned without requiring any consent.

If the data subject has publicly disclosed their personal data themselves, the relevant personal data may be processed.

 

G – Necessity of Processing Data for the Establishment or Protection of a Right

Example: Keeping and using evidence (such as sales contracts, invoices) when needed.

If processing personal data is necessary for the establishment, use, or protection of a right, the personal data of the data subject may be processed.

 

H – Necessity of Processing Data for Our Company’s Legitimate Interests

Example: Processing of personal data for internal accounting calculations by the accounting department.

If it is necessary to process personal data for the legitimate interests of our Company without harming the fundamental rights and freedoms of the data subject, the personal data of the data subject may be processed.

 

7.1.2. Processing of Special Categories of Personal Data

Our company may process special categories of personal data without the explicit consent of the data subject only if sufficient measures to be determined by the DPA Board are taken, except for health and sexual life data, which may be processed in cases explicitly set forth in the laws, or if processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, planning, and management of healthcare services and financing, by persons or authorized institutions and organizations under the obligation of secrecy.

The personal data processing activities carried out by our company at building facility entrances and within the facility are carried out in compliance with the Constitution, the KVK Law, and other relevant legislation.

  1. PROCESSING OF PERSONAL DATA WITH BUILDING FACILITY ENTRANCES AND WITHIN THE BUILDING FACILITY AND INTERNET SITE VISITORS

 

For the purpose of ensuring security, our Company conducts personal data processing activities for monitoring with security cameras in our Company’s buildings and facilities and for tracking guest entrances and exits.

The personal data processing activity has been carried out by our Company through the use of security cameras and the recording of guest entrances and exits.

In this context, our Company acts in accordance with the KVK Law and other relevant legislation.

 

8.1. MONITORING WITH CAMERAS IN BUILDING AND FACILITY ENTRANCES AND WITHIN

 

In this section, explanations regarding our Company’s camera monitoring system will be made, and information on how personal data is protected, and fundamental rights are preserved will be provided.

 

Our Company, under the scope of camera monitoring activity, aims to improve the quality and reliability of the service offered, ensure the security of the Company, visitors, employees, and other individuals, and protect their legitimate interests.

 

8.1.1. Legal Basis for Camera Monitoring Activity

 

The camera monitoring activity conducted by our Company is carried out in compliance with the Law on Private Security Services and relevant legislation.

 

 

8.1.2. Camera Monitoring Activity in Compliance with the KVK Law

 

The camera monitoring activity carried out by our Company for security purposes is conducted in compliance with the regulations in the KVK Law.

 

For the purpose of ensuring security, our Company conducts personal data processing activities for monitoring with security cameras in our Company’s buildings and facilities and for tracking guest entrances and exits.

  1. PART 9 – CONDITIONS FOR DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

 

9.1. OBLIGATION TO DELETE, DESTROY, OR ANONYMIZE PERSONAL DATA

In accordance with the relevant legislation and personal data protection principles, the personal data processed by our Company is deleted, destroyed, or anonymized ex officio or upon the request of the data subject, in case the reasons for processing disappear.

 

9.1.1. Cases Requiring Deletion, Destruction, or Anonymization of Personal Data

 

The personal data processed by our Company is deleted, destroyed, or anonymized in the following cases:

  1. The data subject withdraws their consent regarding the processing of personal data and there is no other legal ground for processing.
  2. The purpose of processing personal data disappears or ceases to exist.
  3. The obligation to delete, destroy, or anonymize personal data arises from the provisions of the legislation.
  4. The data subject applies to our Company and requests the deletion, destruction, or anonymization of their personal data.

 

9.1.2. Methods for Deletion, Destruction, or Anonymization of Personal Data

 

The personal data deleted, destroyed, or anonymized is carried out by our Company by taking the necessary administrative and technical measures to ensure that the personal data can never be accessed and reused.

 

9.1.3. Notification of Deletion, Destruction, or Anonymization

 

Our Company, as the data controller, notifies the relevant data subject, third parties, and institutions and organizations to which personal data has been transferred, if any, about the deletion, destruction, or anonymization process made in accordance with the relevant legislation.

  • Physical Destruction

Personal data can also be processed through non-automatic means, as long as they are part of any data recording system. When such data is deleted or destroyed, a system is applied to physically destroy the personal data in a way that it cannot be used again.

 

  • Secure Deletion Software

When personal data, processed entirely or partially through automatic means and stored in digital environments, is deleted or destroyed, methods are used to ensure that the data is irreversibly deleted from the relevant software.

 

 

  • Sending to a Specialist for Secure Deletion

In some cases, our company may collaborate with an expert to delete personal data on its behalf. In this case, personal data is securely deleted or destroyed in a way that it cannot be recovered by the expert.

 

9.2.2. Techniques for Making Personal Data Anonymous

 

Anonymizing personal data means rendering personal data unidentifiable or associable with any identifiable natural person in any way, even by matching it with other data. Our company can anonymize personal data when the reasons requiring the processing of lawfully processed personal data cease to exist.

 

In accordance with Article 28 of the Law on the Protection of Personal Data (KVKK), anonymized personal data may be processed for research, planning, and statistical purposes. Such processing falls outside the scope of the KVKK, and explicit consent of the data subject is not required. As personal data processed through anonymization falls outside the scope of the KVKK, the rights regulated in the 10th section of this Policy shall not be applicable to such data.

 

Our company uses the following anonymization techniques:

 

  • Masking
Example: Transforming a dataset into a form where the personal data subject cannot be identified by removing information such as name, Turkish ID number, etc., that enables the identification of the data subject.

Data masking is a method of anonymizing personal data by removing the basic identifying information of the data subject from the dataset.

 

  • Aggregation
Example: Revealing that there are X employees aged Y without disclosing individual ages.

The data aggregation method involves aggregating multiple data points, making personal data unidentifiable with any specific individual.

 

  • Data Derivation
Example: Indicating ages instead of birth dates; specifying the region of residence instead of the exact address.

Data derivation involves creating a more general content from the content of personal data, making it unidentifiable with any individual.

 

 

  • Data Shuffling (Permutation)
Example: Modifying the quality of voice recordings to render them unidentifiable with the data subject by altering the sounds.

The data shuffling method involves mixing the values within a personal data set to break the connection between values and individuals.

 

 

 

  1. RIGHTS OF DATA SUBJECTS; METHODOLOGY FOR EXERCISING THESE RIGHTS

 

Our company informs the data subject of their rights in accordance with Article 10 of the KVKK, guides the data subject on how to exercise these rights, and carries out the necessary channels, internal processes, administrative, and technical regulations to evaluate the rights of data subjects and provide the necessary information to data subjects in accordance with Article 13 of the KVKK.

 

10.1 EXERCISING THE RIGHTS OF DATA SUBJECTS

 

10.1.1. Rights of Data Subjects

Data subjects have the following rights:

 

(1)      To learn whether personal data is processed,

(2)      To request information if personal data is processed,

(3)      To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

(4)      To know the third parties to whom personal data are transferred domestically or abroad,

(5)      To request correction of personal data in case they are processed incompletely or incorrectly and to request notification of the operations made within this scope to third parties to whom personal data are transferred,

(6)      To request deletion or destruction of personal data if the reasons for processing them disappear, despite being processed in accordance with the KVKK and other relevant laws, and to request notification of the operations made within this scope to third parties to whom personal data are transferred,

(7)      To object to the occurrence of a result against the individual by exclusively analyzing the processed data through automated systems,

(8)      To claim compensation in case of damage due to the unlawful processing of personal data.

 

 

10.1.2. Cases Where Data Subjects Cannot Assert Their Rights

 

Data subjects cannot assert their rights specified in Article 10.1.1. since the following cases are excluded from the scope of the KVKK in accordance with Article 28 of the KVKK:

 

(1)   Processing of personal data for research, planning, and statistical purposes by anonymizing personal data through official statistics.

(2)    Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights or constitute a crime.

(3)    Processing of personal data within the scope of preventive, protective, and intelligence activities conducted by public institutions and organizations authorized and authorized by the law to ensure national defense, national security, public security, public order, or economic security.

(4)   Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings.

(5)   Processing of personal data for the protection of the economic and financial interests of the state in relation to budget, tax, and financial matters.

 

In accordance with Article 28/2 of the KVKK, data subjects can only assert their right to request the remedy of damage in the following cases, except for the right to request the remedy of damage:

(1) When the processing of personal data is necessary to prevent a crime or for the conduct of a criminal investigation.

(2) Processing of personal data that has been made public by the data subject themselves.

(3) Processing of personal data by public institutions and organizations, which are authorized and authorized to carry out supervisory or regulatory duties, within the scope of their tasks for the purpose of conducting disciplinary investigations or prosecutions and conducting supervisory or regulatory duties.

(4) Processing of personal data for the purpose of protecting the economic and financial interests of the state with respect to budget, tax, and financial matters.

 

10.1.3. Exercise of Rights by Data Subjects

 

Data subjects can exercise their rights listed in the 10.1.1. section by freely submitting their requests to our Company in accordance with the procedure below:

 

1 – By sending a signed copy of the KVKK Application Form available on our website or the form explicitly indicating their requests by registered mail or notary public to the following address:

Inpak Makina Sanayi ve Ticaret A.Ş.

                                                    

İkitelli O.S.B. Biksan Sanayi Sitesi B.1 Blok No: 33 Başakşehir / ISTANBUL

 

2 – By sending the KVKK Application Form to the email address inpakmakina@hs01.kep.tr after signing it with a secure electronic signature as part of the Electronic Signature Law No. 5070 after signing it.

 

3 – By personally applying to the place of service with a wet signed copy of the KVKK Application Form.

 

It is not possible for third parties to make requests on behalf of data subjects. In order for a person other than the data subject to make a request, a special power of attorney issued by the data subject for the person making the request must be available.

 

Data subjects can only use the 2 methods provided in this section when making their applications.

 

10.1.4. Right to Lodge a Complaint with the KVKK by the Data Subject

 

In cases where the application is rejected, the response is found insufficient, or a response is not given to the application within the legal period, the data subject has the right to lodge a complaint with the KVKK within thirty days from the date of learning the response of our company, and in any case within sixty days from the date of application.

 10.2. RESPONSE TO APPLICATIONS UNDER KVKK AND GDPR

 

10.2.1. Procedure and Period for Responding to Applications to Our Company

 

If a data subject submits their request to our Company in accordance with the procedure specified in the 10.1.3. section of this part, our Company will conclude the relevant request as soon as possible, and at the latest within thirty days, depending on the nature of the request.

 

However, if the process requires an additional cost, our Company will charge the fee determined by the KVKK Board from the applicant.

10.2.2. Information Our Company May Request from the Data Subject Making the Application

Our Company may request information from the relevant individual in order to determine whether the person making the application is a data subject.

In order to clarify the issues in the application of the data subject, our Company may ask questions to the data subject regarding their application.

 

10.2.3. Right of Our Company to Reject the Application of the Data Subject

 

Our Company may reject the application of the data subject with reasons in the following cases:

 

(1) Processing of personal data for research, planning, and statistics by anonymizing personal data through official statistics.

(2) Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights or constitute a crime.

(3) Processing of personal data within the scope of preventive, protective, and intelligence activities conducted by public institutions and organizations authorized and authorized by the law to ensure national defense, national security, public security, public order, or economic security.

(4) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings.

(5) Processing of personal data to prevent a crime or for the conduct of a criminal investigation.

(6) Processing of personal data that has been made public by the data subject themselves.

(7) Processing of personal data by public institutions and organizations, which are authorized and authorized to carry out supervisory or regulatory duties, within the scope of their tasks for the purpose of conducting disciplinary investigations or prosecutions and conducting supervisory or regulatory duties.

(8) Processing of personal data for the purpose of protecting the economic and financial interests of the state with respect to budget, tax, and financial matters.

(9) Possibility of interfering with the rights and freedoms of other individuals with the data subject’s request (10) Making requests that require disproportionate effort.

(11) The information requested is publicly available.

 

  1. – RELATIONSHIP OF THE COMPANY PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES

The fundamental policies related to the protection and processing of personal data, which are associated with the principles set forth by the Company in this Policy, are as follows. By establishing a governance structure to ensure compliance with the regulations of the Personal Data Protection Law (KVKK) and the implementation of the Personal Data Protection and Processing Policy, the Company has harmonized processes between different policy principles operated by the Company for similar purposes in various areas. Some of the policies used within the Company are for internal use. The principles of internal policies are reflected in public policies to the extent relevant, aiming to inform the public within this framework and to ensure transparency and accountability regarding the personal data processing activities conducted by the Company.

The Company has established a governance structure to ensure compliance with the regulations of the Personal Data Protection Law (KVKK) and the implementation of the Personal Data Protection and Processing Policy.

12. COMPANY GOVERNANCE STRUCTURE FOR PERSONAL DATA PROTECTION AND PROCESSING POLICY

The “Personal Data Protection Committee” has been established by the decision of the senior management of the Company to manage this policy and other related policies (See Section 11). The tasks of this committee are as follows:

  • To prepare and submit fundamental policies regarding the protection and processing of personal data for approval by senior management.
  • To decide on how the policies regarding the protection and processing of personal data will be implemented and audited and to present these matters to senior management for approval, including internal appointments and coordination within this framework.
  • To identify the issues that need to be addressed for compliance with the Personal Data Protection Law and relevant legislation and to present what needs to be done to senior management for approval; to oversee the implementation and coordination.
  • To increase awareness within the Company and institutions collaborated with by the Company regarding the protection and processing of personal data.
  • To ensure the identification of risks that may arise in the Company’s personal data processing activities and to ensure the taking of necessary measures; to present improvement proposals to senior management for approval.
  • To design training programs on the protection of personal data and the implementation of policies and ensure their execution.
  • To make the final decisions on personal data subjects’ applications at the highest level.
  • To coordinate the execution of information and training activities to ensure that data subjects are informed about personal data processing activities and their legal rights related to personal data processing.
  • To prepare and implement changes in fundamental policies regarding the protection and processing of personal data for approval by senior management.
  • To monitor developments and regulations related to the protection of personal data and make recommendations to senior management on what needs to be done within the Company in line with these developments and regulations.
  • To coordinate relations with the Personal Data Protection Board and Authority.
  • To perform other tasks to be assigned by the senior management of the Company regarding the protection of personal data.

Here is the translation of the provided text into English without modifying the HTML characters:

ANNEX 1 DEFINITIONS

 

Explicit Consent: Consent based on specific information for a particular subject, given freely and by one’s own will.

Anonymousization: The process of altering personal data in a way that it loses its personal nature and cannot be reversed. Examples include masking, aggregation, data scrambling, etc., to make personal data unidentifiable with an actual individual.

Job Applicant: Individuals who have applied for a job at our company through any means or have provided their resumes and relevant information for our company’s review, in collaboration with employees of the institutions we work with.

Shareholders and Officials: Individuals employed in institutions with which our company has any form of business relationship (such as business partners, suppliers, etc., but not limited to these), including employees, shareholders, and officials of these institutions, who are real persons.

Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated or as part of any data recording system, including obtaining, recording, storing, keeping, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of data.

Data Subject: A real person whose personal data is processed.

For example, customers and employees. Personal Data encompasses any kind of information related to an identified or identifiable real person. Therefore, the processing of information related to legal entities is not within the scope of the Law. For example, name-surname, TR ID number, email, address, date of birth, credit card number, etc.

Visitor: Real and legal persons who have used or are using our company’s products and services, regardless of whether they have any contractual relationship with our company.

Sensitive Personal Data: Data such as race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation, or union membership, health, sexual life, criminal record, and security measures, as well as biometric and genetic data, are considered sensitive personal data.

Potential Customer: Real persons who have shown interest in or requested to use our products and services in accordance with commercial customs and integrity, or who may have such interest.

Company Shareholder: Real persons who are shareholders of our company.

Company Official: Members of the board of directors and other authorized real persons of our company.

Third Party: Third-party real persons related to these individuals to ensure the security of commercial transactions with our company, protect the rights and interests of the individuals mentioned, and provide benefits (e.g., guarantor, companion, family members, and close relatives).

Data Processor: Real and legal persons who process personal data on behalf of the data controller based on the authority given by the data controller. For example, a cloud computing company that holds your company’s data.

Data Controller: The person who determines the purposes and means of processing personal data, manages the place where the data is systematically kept (data recording system).

Visitor: Real persons who have entered our company’s physical premises or visited our websites, regardless of whether they have any contractual relationship.

 

ANNEX 2 IMPORTANT DATES FOR THE APPLICATION OF THE KVK LAW

 

 

April 7, 2016

 

As of April 7, 2016, our company complies with the following obligations:

(i) General rules and principles regarding the processing of personal data

(ii) Obligations regarding the enlightenment of data subjects

(iii) Obligations related to ensuring data security

 

October 7, 2016

 

As of October 7, 2016, the following regulations have come into effect, and our company complies with these regulations:

– Provisions regarding the transfer of personal data to third parties and abroad

– Regulations regarding the exercise of rights by the data subject, such as learning whether personal data is processed, requesting information, learning the third parties to whom it is transferred, and requesting correction, if necessary, and making complaints to the DPA.

 

April 7, 2017

 

(i) Until April 7, 2017, consents obtained in accordance with the law before April 7, 2016, will be deemed to be in compliance with the KVK Law, unless otherwise stated by the data subject.

(ii) (vii) As of April 7, 2017, the Regulations regarding the KVK Law will come into effect, and our company will comply with these regulations.

 

April 7, 2018

 

Personal data processed before April 7, 2016, will be brought into compliance with the KVK Law by April 7, 2018, or will be deleted or anonymized by our company.

 

 

ANNEX 3 PROCESSING OF PERSONAL DATA OF JOB APPLICANTS AND EMPLOYEES OF BUSINESS PARTNERS

 

(ix) Data Subject (x) Collection and Processing of Personal Data (xii) Exercise of Rights and Application
(xiii)

(xiv) Job Applicants

(xv) The personal data of job applicants collected during the recruitment process, as well as special category personal data collected based on the nature of the job, are processed by our company for the purposes stated in Sections 4.2 and 7 of the Policy and as listed below:

(xvi) • Assessing the qualifications, experience, and suitability of the candidate for the open position,

(xvii) • If necessary, verifying the accuracy of the information provided by the candidate or contacting third parties to conduct research about the candidate,

(xviii) • Communicating with the candidate about the application and recruitment process or, if applicable, contacting the candidate for any positions that may become available domestically or internationally,

(xix) • Complying with the requirements of relevant legislation or requests from authorized institutions or organizations,

(xx) • Improving and enhancing the recruitment principles applied by our company. Personal data of job applicants can be collected through the following methods:

(xxi) • Digital application form published in written or electronic media; • Resumes sent by candidates to our company via email, mail, references, and similar methods,

(xxii) • Employment or consultancy firms;

(xxiii) • During video conferencing, telephone interviews, or face-to-face interviews,

(xxiv) • Checks made to confirm the accuracy of the information provided by the candidate and research conducted by our company,

(xxv) • Recruitment tests conducted by experienced experts to determine abilities and personality traits and the results are reviewed.

(xxvi) Job applicants can submit their requests related to their rights arising from being data subjects to our company through the method described in Section 10 of this Policy.</td >
 

Employees of Business Partners

 

Our company may process personal data related to the employees of business partners within the scope of performing commercial activities established with business partners for the purposes specified in Sections 4.2 and 7 of the Policy.

Job applicants can submit their requests related to their rights arising from being data subjects to our company through the method described in Section 10 of this Policy.