PDPA

1- Purpose
This Personal Data Processing and Protection Policy (“Policy”) regulates the principles determined by our company to ensure compliance with the applicable legislation regarding the processing of personal data and the protection and destruction of this data.

2- Definitions
Terms used in this Policy that start with a capital letter and are not defined within the Policy will have the meanings assigned to them below.
Explicit Consent refers to consent regarding a specific subject, based on being informed and expressed with free will.
Anonymization refers to making Personal Data unable to be associated with an identified or identifiable natural person in any way, even by matching it with other data.
Secondary Legislation means any regulation, circular, notification, principle decision or similar administrative decision or general opinion issued or taken by the Personal Data Protection Authority in accordance with the Law.
Relevant Users refers to the persons who process personal data within the data controller organization or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Law refers to the Personal Data Protection Law No. 6698.
Personal Data refers to any information regarding an identified or identifiable natural person.
Processing of Personal Data refers to any operation performed on Personal Data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system.
Board refers to the Personal Data Protection Board.
Institution refers to the Personal Data Protection Authority.
Personal Data of a Special Nature refers to data regarding people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Registry refers to the Data Controllers Registry, which is a registration system in which data controllers must register and declare information regarding their data processing activities.
Deletion means making personal data inaccessible and unusable in any way for Relevant Users.
Deletion and Destruction Policy refers to the policy prepared by the Company within the framework of the Regulation on Deletion, Destruction or Anonymization of Personal Data, regulating the procedures and principles regarding deletion and destruction.
Company refers to PİDOSAN ALÜMİNYUM CEPHE VE DOĞRAMA ANONİM ŞİRKETİ.
Data Processor refers to the real or legal person who processes Personal Data on behalf of the Data Controller, based on the authority given by the Data Controller.
Data Protection Commission refers to the Company's Personal Data Protection Commission.
Data Owner, defined as "Relevant Person" in the Law, refers to the natural person whose Personal Data is processed. Data Owners also include customers, internet users, individuals in contact, e-mail and marketing database lists, employees, contract parties and suppliers.
Data Controller refers to the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for establishing and managing the data recording system.
Draft Regulation on Data Controllers Registry refers to the Draft Regulation on Data Controllers Registry, which has been prepared in accordance with Article 16 of the Law. It has not yet entered into force.
Destruction refers to making personal data inaccessible, irretrievable and unusable by anyone.

3- Scope
The Company undertakes to comply with the confidentiality and security requirements of existing Personal Data within the scope of the Law. Therefore, the Company has adopted this Policy to establish the principles of understanding, policies and procedures regarding the protection and processing of Personal Data.
This Policy applies to all full and part-time employees, subcontracted employees, and employees of the Company's Affiliates who have access to Personal Data collected and processed by the Company, who provide information to the Company, or who receive Personal Data from the Company. It also applies to joint venture employees and all suppliers and vendors.
In addition, all provisions contained in this Policy are subject to the Law and Secondary Legislation. In cases where the provisions contained in this Policy conflict with the relevant provisions of the Law, the provisions of the Law will prevail and be applied.

4- Principles

4.1 Principles to be followed in the processing of personal data

4.1.1 Personal data is processed only in accordance with the law and rules of integrity.
The Company acts in accordance with the rules of law and honesty in the processing of Personal Data. In this context, the Company processes Personal Data in accordance with the rules imposed by the Law. In addition, the Company follows the Secondary Legislation to be published by the Board from time to time and the regulations regarding data processing activities and, if necessary, makes/will endeavor to make improvements in its practices within the framework of these legal regulations.

4.2.2 Personal Data Must Be Accurate and Up to Date Where Necessary.
The Company takes the necessary measures to ensure that the Personal Data it processes is accurate and, when necessary, up-to-date.

4.2.3 Personal Data Must Be Processed for Specific, Clear and Legitimate Purposes.
The Company clearly and precisely determines the purpose of data processing and processes Personal Data only for legitimate purposes. This means that the data processed by the Company is related to and necessary for the work it does or the service it offers. The Company clearly announces these purposes to Data Owners before obtaining their Personal Data. If the Company's Personal Data processing purposes change, this Policy will be updated to the extent necessary. In addition, efforts will be made to notify Data Owners of changes in data processing purposes through different channels as much as possible.

4.2.5 Personal Data Should Be Retained for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed.
The Company retains Personal Data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, if a period is stipulated in the relevant legislation for the retention of Personal Data, the Company primarily retains Personal Data limited to that period. However, considering that Personal Data may need to be protected subject to different legislation, especially the statute of limitations for lawsuits, the Company takes maximum retention periods as the basis for preserving data, so as not to cause loss of rights for its employees and customers. If a period is not specified in the legislation or there is no legal reason requiring the data to be kept for a longer period of time, the Company keeps Personal Data for the period necessary for the purpose for which they are processed. In addition, the Company complies with the rules and procedures regarding the retention of data in the Company Destruction Policy.

4.3 Processing Conditions

4.3.1 Processing of Personal Data
Personal Data is processed by the Company based on one or more of the lawful processing conditions of Personal Data specified in the Law.
Our company processes Personal Data in accordance with the regulations introduced in the Law. In this context:

4.3.1.1 Personal Data can be processed with the Explicit Consent of the Data Owner.

4.3.1.2 It is possible to process Personal Data without seeking the Data Owner's Explicit Consent if one of the following conditions exists:
1. It is clearly provided for by law;
2. It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity;
3. It is necessary to process the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract;
4. It is mandatory for the Data Controller to fulfill its legal obligation;
5. It has been made public by the Data Owner;
6. Data processing is mandatory for the establishment, exercise or protection of a right;
7. It is mandatory to process data for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the Data Owner.

4.3.2. Data Protection Commission
It has been decided that personal data processing activities will be carried out and supervised by the Data Protection Commission within the framework of the Company's compliance program.
The duties of the Data Protection Commission are as follows:
a) To ensure that vendors, suppliers and third parties to whom Personal Data is transferred from the Company, those who have access to Personal Data obtained and processed by the Company, and those who provide data to the Company comply with this Policy,
b) To determine the necessary procedures and standard contractual provisions for compliance with this Policy, to determine regular audit mechanisms, applied procedures and valid rules,
c) To respond quickly and appropriately to the requests of the Data Owner to the Company while exercising their rights arising from the Law,
d) To ensure that the Company's compliance program is up to date, to inform senior executives and managers and to carry out the necessary transactions,
f) To manage and carry out the Company's relations with the Institution, the Board and the Registry,
g) To submit to the Registry the relevant legislation and the Board