Personal Data Protection Law
ROTA KİMYA INDUSTRY AND TRADE JOINT STOCK COMPANY
PERSONAL DATA PROCESSING, PROTECTION AND DESTRUCTION POLICY
DATA PRIVACY COMMITMENT
This Data Privacy and Security Policy (Policy), ROTA KİMYA Sanayi ve Ticaret Anonim Şirketi (Data Controller), in accordance with the Personal Data Protection Law No. 6698 (K.V.K.K.) and other relevant legislation, data protection The data controller determines the principles to be followed by the Data Controller when fulfilling his obligations and processing personal data. The Data Controller undertakes to apply a sufficient and reasonable level of security for the personal data within itself, to respect the confidentiality of personal data and to ensure compliance with the tools, programs and processes to be implemented in accordance with this Policy.
POLITICIAN OBJECTIVE
The main purpose of this Policy is to set forth the personal data processing activities carried out in accordance with the law by the Data Controller and the principles for the protection of personal data, and in this context to ensure transparency by enlightening and informing the persons whose personal data are processed by our company.
KAPSAMI POLITICIAN
This Policy covers all departments and employees of the Data Controller.
This Policy will cover all activities in which the Data Controller processes personal data and will be applied in all kinds of events and actions.
This Policy will not apply to data that has been anonymized or is not personal data.
If determined by new legislation, the Data Controller will provide a higher level of security on personal data in accordance with the new legislation and comply with the legislative requirements.
In cases where it is determined that there is a legal obstacle in the implementation of this Policy by the Data Controller, the Data Controller will re-determine the steps to be taken by consulting the Board if necessary.
DEFINITIONS
The definitions used in this Policy are listed below:
PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA
Before the Data Controller, in line with the Data Controller's legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the K.V.K.L., especially in Article 4 regarding the processing of personal data. by complying with the general principles and all obligations regulated in the K.V.K.K. and personal data owners within the scope of this Policy (customers, potential customers, employees, employee candidates, visitors, supplier employees and officials with whom we cooperate, natural persons from whom we receive services and Limited to legal entity officials and employees:
The Data Controller has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which the data is transferred and storage periods. In this context, the following types of data categories are included in the Data Controller, but are not limited to these types: Identity information, contact information, education information, work experience information, family members and relatives information, visual and audio information, personnel information, legal transaction information, customer transaction information, physical location security information, transaction security information, financial information, association, foundation. , professional association-chambers or union information, professional experience information, criminal conviction and ongoing investigation or case information, security measure information, health data, employee performance and career development data, personnel tracking information and other information data category.
GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
TERMS OF PROCESSING OF PERSONAL DATA
Personal data can only be collected, processed or used within the scope of the legal bases specified below.
Processing of Personal Data Without Explicit Consent
Processing of Special Personal Data
Processing of Employees' Data
RESPONSIBILITY
All units and employees of the Data Controller shall ensure the proper implementation of the technical and administrative measures taken within the scope of this Policy, the training and awareness raising of unit employees, their monitoring and continuous supervision, and the prevention of unlawful processing of personal data and unlawful access to personal data. and actively supports the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to ensure that personal data is stored in accordance with the law.
RECORDING MEDIA
Personal data is stored securely by the Data Controller in accordance with the law in the environments listed in the table below.
TRANSFER OF PERSONAL DATA
Transfer to Third Parties in Turkey
Transfer to Third Parties Abroad
Transfer of Personal Health Data
RIGHTS OF RELATED PERSONS
SECURITY
All personal data processed by the Data Controller within the scope of the law are confidential. Employees may carry out collection, processing, transfer, use, deletion, destruction and anonymization activities on personal data only within the authority defined for them. Otherwise, employees are prohibited from carrying out these activities. Additionally, employees cannot use personal data for individual or commercial purposes.
SECURITY
The security of personal data is the responsibility of the employee, department and Data Controller respectively. Personal data must be protected against loss, unlawful processing, misuse, and all kinds of processing by unauthorized persons. These security measures cover all personal data stored electronically and physically. The Data Controller takes technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law.
The Data Controller has taken all kinds of technical and technological security measures to protect your personal data and protects your personal data against possible risks. For example:
Administrative Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data
Precautions to be Taken in Case of Illegal Disclosure of Personal Data If the processed personal data is obtained by others through illegal means, the Data Controller will notify the relevant data owner and the Board as soon as possible (within a maximum of 72 hours).
PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITH THE DATA CONTROLLER'S WORKPLACE LOGINS
MONITORING THE ENTRANCES AND EXITS CONDUCTED AT AND INSIDE THE DATA RESPONSIBLE ADMINISTRATION BUILDING, CONSTRUCTION SITE AND FACILITY ENTRANCES
STORAGE OF RECORDS OF THE INTERNET ACCESS PROVIDED TO OUR VISITORS AT THE DATA CONTROLLER'S FACILITIES
For the purpose of ensuring security and other purposes specified in this Policy, the Data Controller may provide internet access to our visitors upon request during their stay in our buildings and facilities. In this case, log records regarding your internet access are kept in accordance with the mandatory provisions of Law No. 5651 and the legislation issued in accordance with this Law; These records are processed only upon request by authorized public institutions and organizations or in order to fulfill our legal obligations during the audit processes to be carried out within the Data Controller.
DESTRUCTION (DELETION, DESTRUCTION AND ANONYMIZATION) CONDITIONS OF PERSONAL DATA
In accordance with Article 138 of the Turkish Penal Code, Article 7 of the K.V.K.K. and the "Regulation on Deletion, Destruction and Anonymization of Personal Data" issued by the Institution, although it has been processed in accordance with the provisions of the relevant law, the reasons requiring processing have been eliminated. In case of termination, personal data will be deleted, destroyed or made anonymous based on the Data Controller's own decision or upon the request of the personal data owner. The Data Controller has created a Policy on this subject in accordance with the provisions of the regulation, and in accordance with this Policy, the data is destroyed according to its nature. In accordance with this Regulation, periodic destruction dates have been determined by the Data Controller, and a calendar has been created according to which periodic destruction will be carried out at various intervals with the beginning of the obligation.
PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data is destroyed by the Data Controller or upon the application of the relevant person, using the techniques specified below, in accordance with the provisions of the relevant legislation.
Deletion or destruction of Personal Data Personal data is deleted or destroyed by the Data Controller using the methods shown in the table below.
Anonymization of Personal Data
Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.
In order to anonymize personal data, it is carried out by making it impossible to associate it with an identified or identifiable natural person, even by using appropriate techniques in terms of the recording environment and the relevant field of activity, such as returning the personal data by the data controller or third parties and/or matching the data with other data. .
STORAGE AND DISPOSAL PERIOD
Regarding the personal data being processed by the Data Controller within the scope of its activities;
Over the said retention periods, if necessary, Data Controller K.V.K. Updates are made by the commission. On personal data whose storage period has expired, Data Controller K.V.K. Deletion, destruction or anonymization is carried out ex officio by the Commission.
Table of storage and destruction times based on process
PERIODIC DESTRUCTION PERIOD
In accordance with Article 11 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, the Data Controller has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out by the Data Controller every year in June and December.
VIOLATION INCIDENTS
Each employee working at the Data Controller is subject to K.V.K.K. and is obliged to report to department managers any action or event that he/she thinks is contrary to the restrictions specified within this Policy. As a result of the information provided, the Data Controller's K.V.K. The Commission is obliged to notify the relevant person or authorized institution regarding violation actions or events, taking into account the legislation.
RESPONSIBILITIES
Responsibilities within the Data Controller are as follows: employee and department. In this context:
EXECUTIVE
K.V.K.K. is responsible for the execution of this Policy by the Data Controller. The management structure has been established to ensure compliance with the regulations and the enforcement of the standard of protection and processing of personal data. Personal Data Protection Commission has been established within the Data Controller, in accordance with the decision of the Data Controller's senior management, to manage this Policy and other Policies affiliated and related to this Policy.
EFFECTIVE DATE OF THE POLICY
This Policy entered into force on …/…/2022.
DATA PRIVACY COMMITMENT
This Data Privacy and Security Policy (Policy), ROTA KİMYA Sanayi ve Ticaret Anonim Şirketi (Data Controller), in accordance with the Personal Data Protection Law No. 6698 (K.V.K.K.) and other relevant legislation, data protection The data controller determines the principles to be followed by the Data Controller when fulfilling his obligations and processing personal data. The Data Controller undertakes to apply a sufficient and reasonable level of security for the personal data within itself, to respect the confidentiality of personal data and to ensure compliance with the tools, programs and processes to be implemented in accordance with this Policy.
POLITICIAN OBJECTIVE
The main purpose of this Policy is to set forth the personal data processing activities carried out in accordance with the law by the Data Controller and the principles for the protection of personal data, and in this context to ensure transparency by enlightening and informing the persons whose personal data are processed by our company.
KAPSAMI POLITICIAN
This Policy covers all departments and employees of the Data Controller.
This Policy will cover all activities in which the Data Controller processes personal data and will be applied in all kinds of events and actions.
This Policy will not apply to data that has been anonymized or is not personal data.
If determined by new legislation, the Data Controller will provide a higher level of security on personal data in accordance with the new legislation and comply with the legislative requirements.
In cases where it is determined that there is a legal obstacle in the implementation of this Policy by the Data Controller, the Data Controller will re-determine the steps to be taken by consulting the Board if necessary.
DEFINITIONS
The definitions used in this Policy are listed below:
| Explicit consent | Consent regarding a specific issue, based on information and expressed with free will |
| anonymise | Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data |
| personal data | Any information regarding an identified or identifiable natural person |
| Processing of personal data | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action performed on data, such as blocking |
| K.V.K.K. | Personal Data Protection Law No. 6698 |
| K.V.K. board | Personal Data Protection Board |
| K.V.K. institution | Personal Data Protection Authority |
| Special personal data | Data regarding people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data |
| data processor | Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller |
| Personal data owner | Natural person who is considered as a relevant person in K.V.K.K. and whose personal data is processed |
| Data controller | Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system |
| Buyer Group | It is the category of natural or legal person to whom personal data is transferred by the data controller. |
| Destruction | It is the process of deleting, destroying or anonymizing personal data. |
| Personal data processing inventory | Personal data processing activities carried out by data controllers depending on their business processes; It is an inventory that they create by associating personal data with the purposes of processing personal data, data category, transferred recipient group and data subject person group, and detailing the maximum period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries, and measures taken regarding data security. |
PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA
Before the Data Controller, in line with the Data Controller's legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the K.V.K.L., especially in Article 4 regarding the processing of personal data. by complying with the general principles and all obligations regulated in the K.V.K.K. and personal data owners within the scope of this Policy (customers, potential customers, employees, employee candidates, visitors, supplier employees and officials with whom we cooperate, natural persons from whom we receive services and Limited to legal entity officials and employees:
- To ensure that the relevant persons benefit from the services promised by the Data Controller by fulfilling the requirements of the commercial activities carried out by the Data Controller and the performance of the service,
- Carrying out the necessary work by the relevant business units of the Data Controller and carrying out related business processes and making reports,
- Determining and implementing the Data Controller's commercial, operational and business strategies,
- Ensuring the legal and commercial security of third parties who have a business relationship with the Data Controller, monitoring legal processes and establishing, exercising and protecting rights arising from the legislation, through the products and services offered by the Data Controller's suppliers or service providers,
- Ensuring that the Data Controller's activities are carried out in accordance with company procedures or relevant legislation,
- Ensuring business continuity through planning, auditing and execution of corporate sustainability, corporate management, strategic planning and information security processes,
- Execution of work and management of relationships with our business partners in sectors that vary depending on needs,
- Fulfilling information sharing, reporting and information obligations stipulated by public institutions and all authorities,
- Fulfilling information and document retention obligations arising from legal legislation,
- Carrying out the planning and statistical activities required by the Data Controller,
- Conducting our finance, communication, business development and purchasing operations,
- Maintaining in-company system and application management operations,
- For the purposes of managing our legal processes and providing you with better and more reliable service without interruption, personal data will be processed within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the K.V.K.K.
The Data Controller has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which the data is transferred and storage periods. In this context, the following types of data categories are included in the Data Controller, but are not limited to these types: Identity information, contact information, education information, work experience information, family members and relatives information, visual and audio information, personnel information, legal transaction information, customer transaction information, physical location security information, transaction security information, financial information, association, foundation. , professional association-chambers or union information, professional experience information, criminal conviction and ongoing investigation or case information, security measure information, health data, employee performance and career development data, personnel tracking information and other information data category.
GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
- Compliance with Law
- Keeping the Data Accurate and Up-to-Date When Necessary
- Specific, Legitimate and Clear Purpose
- Data must be related to the purpose for which they are processed, limited and proportionate.
- Keeping Personal Data as Long as Necessary and Deleting It Afterwards
TERMS OF PROCESSING OF PERSONAL DATA
Personal data can only be collected, processed or used within the scope of the legal bases specified below.
- Explicit Consent
- Explicit consent must be given with free will, otherwise it is void.
- Explicit consent will be obtained from the relevant person in writing or electronically. In addition to these situations, verbal consent may also be accepted in cases where recording is required. In this way, explicit consent will be recorded in a verifiable manner. Individuals will be informed of their relevant rights before obtaining explicit consent.
- In cases where it is necessary to process special personal data, explicit consent will be obtained in writing.
- Departments that process personal data are obliged to check the existence and validity of the relevant data owner's explicit consent when collecting the personal data they process. If it is determined that there is no explicit consent, data processing activity will be stopped.
Processing of Personal Data Without Explicit Consent
- It is clearly stipulated in the law,
- It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity,
- It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- It is mandatory for the data controller to fulfill its legal obligation,
- The data has been made public by the owner himself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
Processing of Special Personal Data
- Special categories of personal data can only be processed with the explicit consent of the data owner or when expressly provided for by law.
- Personal data regarding health and sexual life can only be processed without explicit consent for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing. In the case of such processing, the data processor is under a duty of confidentiality.
- While processing special personal data, adequate measures determined by the Board will be taken.
- In all cases where special personal data must be processed, K.V.K. The Commission will be informed.
Processing of Employees' Data
- All personal data processing principles determined above will also be applied to employees' personal data.
- Personal data of job applicants without using CV collection channels may be processed without their explicit consent in order to initiate a business relationship. If an application received in this way is evaluated negatively for a suitable position, the personal data of the relevant person will be deleted. It will only be stored with the express consent of the employee candidate.
- Employee personal data in connection with the employment relationship and the performance of the contract may be processed without the express consent of the employees. Otherwise, there must be a justification such as employee consent, legal conviction, legitimate interest or similar.
RESPONSIBILITY
All units and employees of the Data Controller shall ensure the proper implementation of the technical and administrative measures taken within the scope of this Policy, the training and awareness raising of unit employees, their monitoring and continuous supervision, and the prevention of unlawful processing of personal data and unlawful access to personal data. and actively supports the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to ensure that personal data is stored in accordance with the law.
RECORDING MEDIA
Personal data is stored securely by the Data Controller in accordance with the law in the environments listed in the table below.
| Electronic Media | Non-Electronic Media |
| – Servers (Internal memory, backup memory, email, database, web, file sharing, etc.) – Software (office software, portal, Electronic Document Management Systems.) – Information security devices (firewall, intrusion detection and prevention, log file, anti-virus, etc.) – Personal computers (Desktop, laptop) – Mobile devices (phone, tablet, etc.) – Optical discs (CD, DVD, etc.) – Removable memories (USB, Memory Card, etc.) | - Paper – Manual data recording systems (survey forms, visitor login book) – Written, printed, visual media |
- Personal data can only be transferred to third parties in Turkey in cases where the relevant person has explicit consent.
- If at least one of the conditions specified in the 2nd paragraph of Article 5 of the TPL is valid, it can be transferred to third parties in Turkey without the express consent of the person.
- The relevant department making the transfer is responsible for ensuring compliance with the obligations to be followed during the transfer of personal data within Turkey.
Transfer to Third Parties Abroad
- Regarding the transfer of personal data abroad, the explicit consent of the data owner is required in accordance with Article 9 of the K.V.K.K.
- However, if there are conditions that allow the processing of personal data, including sensitive personal data, without the explicit consent of the data owner, personal data may be transferred abroad by the Data Controller without seeking the explicit consent of the data owner, provided that there is adequate protection in the foreign country to which the personal data will be transferred.
- If the country to be transferred is not determined by the Board among the countries with adequate protection, the Data Controller and the data controller/data processor in the relevant country will undertake to provide adequate protection in writing and permission will be obtained from the Board.
Transfer of Personal Health Data
- Personal health data cannot be transferred to third parties without being anonymized, in compliance with the legislation, and without obtaining the necessary permissions and approvals.
- Personal health data can be transferred to public institutions and organizations within the framework of the purposes of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing, and if it is clearly foreseen by law.
- The relevant department making the transfer is responsible for ensuring compliance with the obligations to be followed during the transfer of health data.
RIGHTS OF RELATED PERSONS
- The Data Controller will respond to the following requests of the relevant persons whose personal data it holds, within the periods specified in the law:
- Information about whether personal data is processed or not,
- Information about which personal data it processes,
- Information about whether personal data has been transferred or not,
- Information about third parties to whom personal data is transferred and the contact persons of third parties,
- Purpose of processing personal data,
- Responding when the person requests that the relevant personal data be updated,
- Request for anonymization, deletion or destruction of personal data,
- Receive a copy of your personal data held by the Data Controller
- In cases where data owners exercise their rights and/or believe that the Data Controller does not act within the scope of this Policy while processing their data, the following Data Controller K.V.K.K. They can contact the responsible person using their contact information. (They can also apply within the scope of the above-mentioned rights with the K.V.K.K. Application Form available on the website.)
SECURITY
All personal data processed by the Data Controller within the scope of the law are confidential. Employees may carry out collection, processing, transfer, use, deletion, destruction and anonymization activities on personal data only within the authority defined for them. Otherwise, employees are prohibited from carrying out these activities. Additionally, employees cannot use personal data for individual or commercial purposes.
SECURITY
The security of personal data is the responsibility of the employee, department and Data Controller respectively. Personal data must be protected against loss, unlawful processing, misuse, and all kinds of processing by unauthorized persons. These security measures cover all personal data stored electronically and physically. The Data Controller takes technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law.
- Technical Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data
The Data Controller has taken all kinds of technical and technological security measures to protect your personal data and protects your personal data against possible risks. For example:
- Network security and application security are ensured.
- Security measures are taken within the scope of supply, development and maintenance of information technology systems.
- An authority matrix has been created for employees.
- Access logs are kept regularly.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Personal data is backed up and the security of the backed up personal data is ensured.
- User account management and authorization control system is implemented and these are also monitored.
- Log records are kept without user intervention.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is done.
Administrative Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data
- A management framework has been established within the Data Controller to initiate and control information security operation and implementation.
- K.V.K. The Commission and the Contact Person have been appointed and job descriptions have been determined.
- K.V.K.K. Application channels have been determined.
- Violation and request/complaint management workflows have been determined.
- The main principles, policies and procedures regarding the processing, protection and destruction of personal data have been determined.
- Existing risks and threats have been determined within the scope of processed personal data.
- Training and awareness activities are carried out for employees regarding personal data security.
- Roles, responsibilities and job descriptions regarding data security have been determined to ensure that employees and contractors are aware of and fulfill their information security responsibilities.
- There is a disciplinary process for employees that will be activated in case of non-compliance with security, Policy, guidelines and procedures.
- Confidentiality commitments are made.
- Employees, prospective employees, customers, subcontractors, service providers and suppliers, visitors, etc. Clarification text has been published for.
- Processes requiring explicit consent have been determined and implemented.
- Periodic and/or random audits are carried out within the Data Controller. It eliminates privacy and security vulnerabilities that arise as a result of audits.
- It is evaluated whether the personal data mentioned is needed for the purpose of processing, and personal data is reduced as much as possible.
- If data is obtained by others through illegal means, necessary precautions are taken by employees to report the situation to the relevant person and the Board as soon as possible.
Precautions to be Taken in Case of Illegal Disclosure of Personal Data If the processed personal data is obtained by others through illegal means, the Data Controller will notify the relevant data owner and the Board as soon as possible (within a maximum of 72 hours).
PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITH THE DATA CONTROLLER'S WORKPLACE LOGINS
- In order to ensure security by the Data Controller, personal data processing activities are carried out for the monitoring of guest entries and exits through security camera monitoring in the Data Controller's workplace buildings.
- Personal data processing is carried out by the Data Controller by using security cameras and recording guest entries and exits.
- Within the scope of surveillance activities with security cameras, the Data Controller; It aims to protect the interests of the Data Controller and other persons in terms of ensuring their security.
- This monitoring activity, K.V.K.K. and is carried out in accordance with the Law on Private Security Services and relevant legislation.
- In this context, the information that camera monitoring is taking place is announced to all employees and visitors and people are informed. Notification letters are hung at the entrances of the monitored areas.
- Necessary technical and administrative measures are taken by the Data Controller in accordance with Article 12 of the K.V.K.K. to ensure the security of personal data obtained as a result of camera monitoring activities.
MONITORING THE ENTRANCES AND EXITS CONDUCTED AT AND INSIDE THE DATA RESPONSIBLE ADMINISTRATION BUILDING, CONSTRUCTION SITE AND FACILITY ENTRANCES
- Personal data processing activities are carried out by the Data Controller for the purpose of ensuring security and other purposes specified in this Policy, for tracking entries and exits in and within the Data Controller's management buildings, construction site and facility entrances.
- While the identity data of people coming to the Data Controller's management buildings, construction sites and facilities are obtained, or through texts posted at the Data Controller or made accessible to visitors in other ways, the personal data owners in question are clarified in this context.
- Data obtained for the purpose of tracking entry and exit at the Data Controller's management buildings, construction sites and facilities are processed solely for this purpose and the relevant personal data are recorded in the data recording system in physical and digital environment.
- In places where privacy is high, imaging is not performed.
STORAGE OF RECORDS OF THE INTERNET ACCESS PROVIDED TO OUR VISITORS AT THE DATA CONTROLLER'S FACILITIES
For the purpose of ensuring security and other purposes specified in this Policy, the Data Controller may provide internet access to our visitors upon request during their stay in our buildings and facilities. In this case, log records regarding your internet access are kept in accordance with the mandatory provisions of Law No. 5651 and the legislation issued in accordance with this Law; These records are processed only upon request by authorized public institutions and organizations or in order to fulfill our legal obligations during the audit processes to be carried out within the Data Controller.
DESTRUCTION (DELETION, DESTRUCTION AND ANONYMIZATION) CONDITIONS OF PERSONAL DATA
In accordance with Article 138 of the Turkish Penal Code, Article 7 of the K.V.K.K. and the "Regulation on Deletion, Destruction and Anonymization of Personal Data" issued by the Institution, although it has been processed in accordance with the provisions of the relevant law, the reasons requiring processing have been eliminated. In case of termination, personal data will be deleted, destroyed or made anonymous based on the Data Controller's own decision or upon the request of the personal data owner. The Data Controller has created a Policy on this subject in accordance with the provisions of the regulation, and in accordance with this Policy, the data is destroyed according to its nature. In accordance with this Regulation, periodic destruction dates have been determined by the Data Controller, and a calendar has been created according to which periodic destruction will be carried out at various intervals with the beginning of the obligation.
PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data is destroyed by the Data Controller or upon the application of the relevant person, using the techniques specified below, in accordance with the provisions of the relevant legislation.
Deletion or destruction of Personal Data Personal data is deleted or destroyed by the Data Controller using the methods shown in the table below.
| MEDIUM WHERE THE DATA IS RECORDED | METHOD OF DELETION OR DESTRUCTION OF DATA |
| Personal Data on Servers | For personal data on the servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes them. |
| Personal Data in Electronic Media | Among the personal data in the electronic environment, those whose period of storage has expired are made inaccessible and unusable in any way for other employees (relevant users) except the database administrator. |
| Personal Data in Physical Environment | For personal data kept in physical media, for which the period requiring its storage has expired, it is made inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, blackening is also applied by drawing/painting/erasing the surface so that it cannot be read. |
| Personal Data Contained in Portable Media | Among the personal data kept on portable media storage media that have expired, they are stored in secure environments with encryption keys, by being encrypted by the system administrator and access authorization is given only to the system administrator. |
| Personal Data in Physical Environment | Personal data stored on paper that have expired are irreversibly destroyed in paper shredding machines. |
| Personal Data Contained in Optical / Magnetic Media | Personal data contained in optical media and magnetic media whose storage period has expired are physically destroyed, such as melting, burning or pulverizing. In addition, the data on the magnetic media is rendered unreadable by passing it through a special device and exposing it to a high magnetic field. |
STORAGE AND DISPOSAL PERIOD
Regarding the personal data being processed by the Data Controller within the scope of its activities;
- Personal data-based retention periods for all personal data within the scope of activities carried out depending on the processes are stated in the Personal Data Processing Inventory,
- Process-based retention periods are included in this Personal Data Processing, Protection and Destruction Policy.
Over the said retention periods, if necessary, Data Controller K.V.K. Updates are made by the commission. On personal data whose storage period has expired, Data Controller K.V.K. Deletion, destruction or anonymization is carried out ex officio by the Commission.
Table of storage and destruction times based on process
| PERIOD | STORAGE PERIOD | DESTRUCTION PERIOD |
| Transactions arising from the activity | 10 years from the end of the relevant activity | During the first periodic destruction following the end of the storage period |
| Preparation of contracts | 10 years following the termination of the contract | During the first periodic destruction following the end of the storage period |
| Execution of Communication Activities | 10 years following the termination of the activity | During the first periodic destruction following the end of the storage period |
| Execution of Human Resources Processes | 10 years following the termination of the activity | During the first periodic destruction following the end of the storage period |
| Log Record Tracking Systems | 2 years | During the first periodic destruction following the end of the storage period |
| Execution of Hardware and Software Access Processes | 2 years | During the first periodic destruction following the end of the storage period |
| Camera Recordings | 3 is | During the first periodic destruction following the end of the storage period |
PERIODIC DESTRUCTION PERIOD
In accordance with Article 11 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, the Data Controller has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out by the Data Controller every year in June and December.
VIOLATION INCIDENTS
Each employee working at the Data Controller is subject to K.V.K.K. and is obliged to report to department managers any action or event that he/she thinks is contrary to the restrictions specified within this Policy. As a result of the information provided, the Data Controller's K.V.K. The Commission is obliged to notify the relevant person or authorized institution regarding violation actions or events, taking into account the legislation.
RESPONSIBILITIES
Responsibilities within the Data Controller are as follows: employee and department. In this context:
- Employees are responsible for all personal data in printed or computerized formats within their work areas and will comply with the conditions specified in the Law and this Policy in all processing of this data.
- Department managers are responsible for all printed or computerized personal data processed by employees within their departments and guarantee that their department complies with the conditions specified in the Law and this Policy for all processing on this data.
- Department managers will contribute to the implementation of this Policy in their own departments by carrying out checks and audits.
- Employees in managerial positions are responsible for personal data processing activities within their field and will ensure that personal data is processed in accordance with the Law and this Policy.
- Departments shall comply with the Data Controller's K.V.K. in any case of new data processing, data deletion, uncertainty and similar situations regarding personal data. He is obliged to inform the Commission.
EXECUTIVE
K.V.K.K. is responsible for the execution of this Policy by the Data Controller. The management structure has been established to ensure compliance with the regulations and the enforcement of the standard of protection and processing of personal data. Personal Data Protection Commission has been established within the Data Controller, in accordance with the decision of the Data Controller's senior management, to manage this Policy and other Policies affiliated and related to this Policy.
EFFECTIVE DATE OF THE POLICY
This Policy entered into force on …/…/2022.
