MUYA POLYURETHANE KAUÇUK SANAYİ TİCARET ANONİM ŞİRKETİ

POLICY ON THE PROCESSING OF SPECIAL PERSONAL DATA

VERSION 1.0 –02.11/2020

CONTENTS

POLICY ON THE PROCESSING OF SPECIAL PERSONAL DATA

 

  1. PURPOSE AND SCOPE OF THE POLICY
  2. DEFINITIONS
  • PRINCIPLES OF PROCESSING OF PERSONAL DATA
  1. PROCESSING OF SPECIAL PERSONAL DATA
  2. TRANSFER OF SPECIAL PERSONAL DATA DOMESTIC AND ABROAD
  3. STORAGE PERIOD AND DESTRUCTION OF SPECIAL PERSONAL DATA
  • PERIODIC DESTRUCTION PERIOD
  • PERIOD APPLICABLE TO THE DATA SUBJECT'S (RELATED PERSON'S) REQUEST FOR DELETION, DESTRUCTION OR ANONYMIZATION OF SPECIAL PERSONAL DATA
  1. SAFETY PRECAUTIONS TAKEN BY THE COMPANY
  2. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE STORAGE OF PERSONAL DATA AND PREVENTING THEIR ILLEGAL PROCESSING AND ACCESS
  3. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE LEGAL DESTRUCTION OF PERSONAL DATA
  • RIGHTS OF SPECIAL PERSONAL DATA SUBJECTS
  • EDUCATION
  • AUDIT
  1. CHANGES TO BE MADE IN THE POLICY
  • EFFECTIVE DATE OF THE POLICY

 

 

 

 

 

 

 

 

 

This Policy determines the procedures and principles that must be followed within and/or by the Company when Muya Anonim Şirketi (“ Company ”) fulfills its obligations to protect personal data and processes personal data in accordance with the provisions of the relevant legislation, especially the Personal Data Protection Law No. 6698. .

 

  1. PURPOSE AND SCOPE OF THE POLICY

 

The purpose of the Personal Data Processing Policy is the Personal Data Protection Law No. 6698 (" Law ") and the " Adequate Precautions to be Taken by Data Controllers in the Processing of Special Personal Data " dated 31/01/2018 by the Personal Data Protection Board. To specify how sensitive personal data belonging to existing and potential customers, business partners, suppliers, visitors, employees, employee candidates and third parties will be processed and protected in order to comply with Decision No. 2018/10.

This Policy covers all special personal data processed, transferred and stored within the Company.

The provisions and principles contained in this Policy apply to any sensitive information and documents that can be accessed physically or digitally, relating to identified or identifiable natural persons.

In case of any inconsistency between the relevant legislation and this Policy, the relevant legislation will prevail.

  1. DEFINITIONS

The equivalents of the technical terms included in the policy are shown below.

 

Explicit Consent:

It refers to consent based on being informed about a certain issue and expressed with free will.

 

Buyer Group:

It is the category of natural or legal person to whom personal data is transferred by the data controller.

 

Related User:

Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

 

Related person:

It refers to real persons whose Personal Data is processed by the Company or by persons/institutions authorized on behalf of the Company.

 

Law:

It is the Personal Data Protection Law No. 6698 dated 24/3/2016.

 

Regulation:

It refers to the Regulation on Deletion, Destruction or Anonymization of Personal Data.

 

Recording Media:

It is any medium containing personal data that is processed by fully or partially automated or non-automatic means, provided that it is part of any data recording system.

 

Personal Data:

It refers to any information regarding an identified or identifiable natural person (within the scope of this Policy, the expression "Personal Data" will also include Special Personal Data defined below, to the extent appropriate).

 

Special Qualified Personal

Data:

It refers to data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. .

 

Personal Data Processing:

Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available Personal Data by fully or partially automatic or non-automatic means provided that it is part of any Data Recording System, It refers to any operation performed on data, such as classifying or preventing its use.

 

Data Inventory:

Personal data processing activities carried out by data controllers depending on their business processes; It is an inventory that they create by associating personal data with the purposes of processing personal data, data category, transferred recipient group and data subject person group, and detailing the maximum period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries, and measures taken regarding data security.

 

Board:

It refers to the Personal Data Protection Board.

 

Organisation:

It refers to the Personal Data Protection Authority.

 

KVKK:

It refers to the Personal Data Protection Law No. 6698.

 

Periodic Destruction:

It is the process of deleting, destroying or anonymizing personal data, which is specified in the personal data storage and destruction policy and will be carried out ex officio at recurring intervals, in case all the conditions for processing personal data specified in the law are eliminated.

 

Record:

It is the data controllers' registry maintained by the Personal Data Protection Authority.

 

Data Recording System:

It is a recording system in which personal data is structured and processed according to certain criteria.

 

Data Controller:

(Muya Joint Stock Company) is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

 

Anonymization:

It means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.

 

Anonymised

Data:

It refers to data that cannot be associated with an identified or identifiable natural person in any way, even by matching it with other data.

 

Deletion:

 

It is the process of making personal data inaccessible and unusable for the relevant users in any way.

 

Annihilation:

It is the process of making personal data inaccessible, irretrievable and reusable by anyone.

 

Direct Identifiers:

On their own, they are descriptors that directly reveal, disclose and make distinguishable the person with whom they relate.

 

Indirect Identifiers:

They are identifiers that, combined with other identifiers, reveal, disclose and make distinguishable the person they are in relationship with.

 

Destruction:

It is the deletion, destruction or anonymization of personal data.

 

Blackout:

These are processes such as scratching, painting and icing all personal data in a way that cannot be associated with an identified or identifiable natural person.

 

Masking:

These are processes such as deleting, crossing out, painting and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person.

  • PRINCIPLES OF PROCESSING OF PERSONAL DATA

 

Our company carries out personal data processing activities within the framework of the following principles and principles in accordance with Article 4 of the KVKK, which regulates the procedures and principles regarding the processing of personal data.

  1. Compliance with Law and Honesty Rules

Our company processes your personal data in accordance with KVKK and other laws and regulations that must be complied with due to the work performed.

  1. Being Accurate and Up to Date

Our company carries out the necessary procedures and takes the necessary technical and administrative measures to ensure that the personal data provided by the data owner is not changed without permission and is untrue, and to update the personal data if requested by the data owner in case of a change in the processed data.

  1. Processing for Specific, Clear and Legitimate Purposes

Your personal data processed by our company is processed in accordance with the processing purpose and within the framework notified to you.

  1. Being Relevant, Limited and Proportionate to the Purpose of Processing

Our Company does not process personal data that does not coincide with its activities, is not required within the framework of the Company's activities, and exceeds the purpose of processing.

  1. Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed

Your data processed within the framework of KVKK and other relevant laws and regulations are kept for the period stipulated in the relevant legislation or required to be kept due to the nature of the personal data processed.

Personal data is deleted or anonymized after the period required for the purpose of personal data processing has expired. In this case, third parties to whom the Company transfers personal data are also enabled to delete, destroy or anonymize personal data.

 

  1. PROCESSING OF SPECIAL PERSONAL DATA

 

Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data of special quality is personal data. It is prohibited to process special personal data without the explicit consent of the person concerned.

Personal data regarding health and sexual life can only be disclosed to persons under the obligation of confidentiality (e.g. company physician) or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing. It may be processed by organizations without explicit consent.

While processing special personal data, precautions determined by the Board and necessary administrative and technical measures are taken.

Personal data processing activities carried out within the scope of measures taken against the COVID-19 virus and similar epidemic diseases are carried out in a necessary, purpose-related, limited and measured manner. In the context of preventing the spread of the COVID-19 virus, special personal data such as vaccination information may be processed.

Data processing activities carried out for the purpose of preventing the spread of the COVID-19 virus are carried out only in connection with the purpose and to a limited extent, and unnecessary processing of personal data is avoided in accordance with the data minimization principle.

The provisions of the Personal Data Processing Policy apply to matters not included in this policy.

  1. TRANSFER OF SPECIAL PERSONAL DATA DOMESTIC AND ABROAD

 

The Company may transfer the special personal data of the data subject (the relevant person) to third parties, by taking the necessary security measures, in line with the data processing purposes, and the special personal data it has obtained in accordance with the law.

In this regard, the Company may transfer special personal data to third parties if one of the processing conditions specified in the above section and one of the following conditions is met:

- If the data subject has explicit consent,

- If there is a clear regulation in the law regarding the transfer of special personal data,

- If it is necessary to protect the life or physical integrity of the data subject or someone else, and the data subject is unable to express his consent due to actual impossibility or his consent is not given legal validity;

- If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

- If personal data transfer is mandatory for the company to fulfill its legal obligations,

- If special categories of personal data are made public by the data subject himself,

- If the transfer of special personal data is mandatory for the establishment, exercise or protection of a right,

- If personal data transfer is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

By showing due care, taking the necessary security measures and adequate measures prescribed by the Board, in line with legitimate and lawful personal data processing purposes, the Company may transfer the sensitive personal data of the data subject to foreign countries where the data controller has adequate protection or undertakes adequate protection in the following cases. In case there is not sufficient protection, it may be transferred to Foreign Countries Where the Data Controller Committed to Adequate Protection is located, in line with the data transfer conditions stipulated in the legislation.

- If the data subject has explicit consent, or

- If the data subject does not have explicit consent;

  • Special personal data other than the data subject's health and sexual life (data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures) biometric and genetic data ), in cases stipulated by law,
  • Special personal data regarding the health and sexual life of the data subject can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. within the scope of processing.

  1. STORAGE PERIOD AND DESTRUCTION OF SPECIAL PERSONAL DATA

 

Your personal data processed for the purposes specified in this Policy; It will be deleted, destroyed and anonymized by us when the purpose requiring processing in accordance with Article 7/1 of KVKK no longer exists and the periods determined by law have passed.

The company does not store personal data in any way, considering the possibility of future use.

All deletion, destruction and anonymization activities that the company will perform on personal data will be carried out in accordance with the principles specified in the Personal Data Storage, Destruction and Anonymization Policy.

In the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises, your personal data will be deleted, destroyed or anonymized. This period will probably not exceed six (6) months .

If irreparable or impossible damages occur and there is a clear violation of the law, the Board may shorten the period specified in this article.

  • Deletion of Special Personal Data

 

Deletion of personal data processed wholly or partially by automatic means; It is the process of making the personal data in question inaccessible and unusable by the relevant users in any way. The data controller explains in its relevant policies and procedures how the conditions specified in the third paragraph are met for personal data to be deemed deleted.

This will be done by anonymizing non-essential personal data in paper form, which is transferred to electronic media through scanning or without being digitized. In cases where the Company deletes personal data, it will make the data inaccessible or unusable in any way. While doing this, the company guarantees that the data is not accessible or reusable by any user. This warranty is the responsibility of the data controller.

  • Destruction of Special Personal Data

 

Destruction will be carried out in cases where the Company processes data in physical recording environments, and the Company is obliged to make this data impossible to recover.

During these procedures, Company employees and relevant departments are obliged to notify the responsible person of the relevant data to be destroyed, and then the Company will take all necessary technical and administrative measures.

  • Anonymization of Special Personal Data

 

Anonymization means that, in cases where the Company processes personal data by physical or automatic means, this data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.

  • PERIODIC DESTRUCTION PERIOD

 

Special personal data held by the company will be checked at certain periodic intervals, and those whose processing conditions are completely eliminated will be deleted, destroyed or anonymized.

Periodic destruction is carried out at 6 (six) month intervals for all personal data. The said period does not exceed the maximum periodic destruction period specified in Article 11 of the Regulation under any circumstances. The Company undertakes to comply with the new periods in case the Board shortens the periods within the scope of KVKK and relevant legislation.

These periodic review and destruction processes to be applied to special personal data are included in the Personal Data Processing Inventory created and implemented by the Company.

All transactions carried out within the scope of destruction are recorded by the Company and these records are kept for at least 3 (three) years, excluding other legal obligations. The company's obligation to preserve personal data arising from other legal obligations is reserved.

  • PERIOD APPLICABLE TO THE DATA SUBJECT'S (RELATED PERSON'S) REQUEST FOR DELETION, DESTRUCTION OR ANONYMIZATION OF SPECIAL PERSONAL DATA

 

The data subject submits his/her requests regarding the implementation of the Law to the Company in writing or by other methods determined by the Board. The Company accepts the request or rejects it by explaining the reason and notifies the relevant person of its response in writing or electronically within thirty (30) days at the latest. If the request in the application is accepted, it will be fulfilled accordingly.

If all the processing conditions for special personal data subject to the request have been eliminated, the special personal data subject to the request will be deleted, destroyed or anonymized. The requests in the application are concluded free of charge as soon as possible and within thirty (30) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be taken as basis. If it is due to the company's error, the fee collected will be refunded to the data subject.

Unless a contrary decision is taken by the Board, the Company will choose the appropriate method to delete, destroy or anonymize personal data ex officio. Upon the request of the relevant person, the Company selects the appropriate method by explaining the reason.

If the personal data subject to the request has been transferred to third parties, this will be notified to the third party; It will be ensured that the necessary procedures are carried out within the scope of the Regulation on Deletion, Destruction or Anonymization of Personal Data before the third party.

You can apply for issues regarding the processing of your personal data by filling out the form on the Company's website or in writing* to the address below.

Muya Joint Stock Company Contact Information

Contact Email Address: kvkk@muya.com

Head Office Address: ADNAN KAHVECİ Mahallesi, İNÖNÜ Caddesi, No: 95 BeylikdüZÜ / ISTANBUL

Head Office Phone Number: 212 855 73 73

Website address: www.muya.com

*In case of written application, please state the subject as "Information Request within the Scope of the Personal Data Protection Law" on the envelope.

  1. SAFETY PRECAUTIONS TAKEN BY THE COMPANY

 

10.1 The security measures taken by the Company for the Processing of Special Personal Data are as follows:

10.1.1 This Policy and related KVK Procedures, which are systematic, clearly defined, manageable and sustainable, have been created by the Company for the security of Special Personal Data.

10.1.2 For employees involved in the Processing of Special Personal Data by the Company or by expert trainers from whom the Company receives service support on the subject:

  1. Regular training is provided on KVKK Regulations and Special Personal Data security,
  2. Confidentiality agreements are made,
  3. The authorization scope and duration of users who are authorized to access Special Personal Data are clearly defined,
  4. The authorizations of employees who change their duties or leave their jobs in this area are immediately removed. In this context, the inventory allocated to it by the Company is returned.

10.1.3 The environments in which Special Personal Data are processed, stored and/or accessed are electronic media :

  1. Data is preserved using cryptographic methods,
  2. Cryptographic keys are kept in secure and different environments,
  3. Transaction records of all movements performed on the data are logged securely,
  4. Security updates for the environments where the data is stored are constantly monitored, the necessary security tests are regularly performed by the Company, and the test results are recorded,
  5. If the data is accessed through a software, user authorizations for this software are made, security tests of this software are regularly performed by the Company, and the test results are recorded,
  6. If remote access to data is required, at least a two-stage authentication system is provided.

10.1.4 The environments in which Special Personal Data are processed, stored and/or accessed are the physical environment :

  1. Adequate security measures are taken (against situations such as electricity leakage, fire, flood, theft, etc.) depending on the nature of the environment where the Special Personal Data is located,
  2. Physical security of these environments is ensured, preventing unauthorized entry and exit.

10.1.5 If Special Personal Data will be transferred to third parties:

  1. If the data must be transferred via e-mail, it is transferred encrypted using the corporate e-mail address or Registered Electronic Mail (KEP) account,
  2. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment,
  3. If transfer is made between servers in different physical environments, data transfer is made between the servers by establishing a VPN or using the SFTP method,
  4. If data must be transferred via paper, necessary precautions are taken against risks such as theft, loss, or viewing of the document by unauthorized persons, and the document is sent in the "confidential documents" format.

 

10.2 In addition to this Policy and the above-mentioned measures, the Company agrees to take all kinds of technical and administrative measures to ensure the appropriate level of security specified in the Muya Joint Stock Company Personal Data Protection and Processing Policy published on the www.muya.com website.

  1. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE STORAGE OF SPECIAL PERSONAL DATA AND PREVENTING THEIR ILLEGAL PROCESSING AND ACCESS

 

Technical Precautions Taken to Ensure the Lawful Storage of Your Special Personal Data and Preventing It from Being Unlawfully Processed and Accessed

 

  • Personal data storage, processing and access activities are supervised by established technical systems.
  • Software and hardware including virus protection systems and firewalls are used.
  • The technical measures taken are reported to the relevant person.
  • Technically knowledgeable personnel are employed.
  • Access authorizations are limited and authorizations are reviewed regularly.
  • Backup programs are used in accordance with the law to ensure that personal data is stored safely.
  • Access to data storage areas containing personal data is logged and inappropriate access or access attempts are instantly communicated to the relevant parties.

 

Administrative Measures Taken to Ensure Lawful Storage of Personal Data and Prevention of Unlawful Processing and Access

  • Employees are informed and trained about personal data protection law and the legal storage and processing of personal data.
  • Personnel who will process, store and access personal data have been determined in the Personal Data Processing inventory.
  • All activities carried out are analyzed in detail for all departments, and as a result of this analysis, personal data processing activities are revealed specific to the commercial and administrative activities carried out by the relevant business units.
  • In order to meet the legal compliance requirements determined on a departmental basis, awareness is created and implementation rules are determined for the relevant departments; The necessary administrative measures to ensure the control of these issues and the continuity of the application are implemented through in-company policies and training.
  • Employees are informed that they cannot disclose the personal data they have learned to anyone else, contrary to the provisions of the Personal Data Protection Law No. 6698, or use it for purposes other than processing, and that this obligation will continue after they leave office, and the necessary commitments are taken from them in this regard.
  • Records that impose an obligation not to process, disclose or use personal data, except for the instructions of Muya Joint Stock Company and exceptions brought by law, are included in the contracts and documents governing the legal relationship between employees, and employees' awareness on this issue is created.

 

  1. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE LEGAL DESTRUCTION OF PERSONAL DATA

 

  • Secure Deletion from Software: When deleting data processed entirely or partially automatically and stored in digital media; Methods are used to delete the data from the relevant software in a way that makes it inaccessible and unusable for the relevant users.
  • Deleting Relevant Data in the Cloud System by Giving a Delete Command : Removing the access rights of the relevant user on the file on the central server or the directory where the file is located; Deleting relevant lines in databases with database commands or deleting data on portable media, i.e. flash media, using appropriate software can be considered in this scope.

However, if the deletion of personal data will result in the inability to access and use other data within the system, personal data will be deemed deleted if the personal data is archived in a way that it cannot be associated with the relevant person, provided that the following conditions are met.

  • It is not accessible to any other institution, organization or person,
  • Taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons.

  • Secure Deletion by an Expert: In some cases, the Company may contract with an expert to delete personal data on its behalf. In this case, personal data will be securely deleted by a person specialized in this field, making them inaccessible and unusable in any way for Relevant Users.
  • Blackening of Personal Data on Paper: It is the method of physically cutting and removing the relevant personal data from the document in order to prevent the non-purposeful use of personal data or to delete the data requested to be deleted, or to make it invisible and cover it by using fixed ink in a way that cannot be returned and read with technological solutions.
  • De-magnetization: It is the method of corrupting the data on the magnetic media in an unreadable way by passing it through special devices where it is exposed to high magnetic fields.
  • Physical Destruction: Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When destroying such data, a system of physically destroying personal data in such a way that it cannot be used later is applied. Destruction of data on paper and microfiche is carried out in this way, as it is not possible to destroy them in any other way.
  • Overwriting: The overwriting method is writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media through special software.
  • Anonymization Methods That Do Not Cause Value Irregularity: Without making any changes or additions/removals to the personal data stored with anonymization methods that do not cause value irregularities; It is the generalization of any personal data group, replacement with each other, or the removal of a specific data or sub-data group from the group.
  • Variable Extraction: Anonymization of the existing data set by removing the "highly descriptive" variables from the variables in the data set created after bringing together the data collected by the method of removing descriptive data.
  • Removing Records: The stored data is anonymized by removing the data line containing a singularity from the records.
  • Regional Hiding: If a single data has a deterministic nature because it creates a rarely visible combination, anonymization is achieved by hiding the relevant data.
  • Lower and Upper Bound Coding: Using the lower and upper limit coding method, the values ​​in a data group containing predefined categories are anonymized by combining them by determining a certain criterion.
  • Generalization: With the data aggregation method, many data are aggregated and personal data is made unable to be associated with any individual.
  • Global Coding: With the data derivation method, a more general content is created from the content of personal data and it is ensured that personal data cannot be associated with any person.
  • Anonymization Methods That Provide Value Irregularity: In anonymization methods that provide value irregularity, unlike those that do not provide value irregularity, distortion is created by changing some data in personal data groups.
  • Adding Noise: The method of adding noise to the data makes the data anonymous by adding some positive or negative deviations to the existing data at a determined rate, especially in a data set where numerical data is predominant.
  • Micro Joining: In the micro-joining method, all data is first arranged in a meaningful order and divided into groups, the average of the groups is taken, and the value obtained is written instead of the relevant data in the current group, providing anonymization.
  • Data Exchange: In the data exchange method, the values ​​of a variable are exchanged with each other between pairs selected from the stored data.

During the above-mentioned situations, full compliance with the provisions of the KVKK, the Regulation and other relevant legislation is ensured and all necessary administrative and technical measures are taken to ensure data security.

 

  • RIGHTS OF THE SPECIAL PERSONAL DATA SUBJECT (RELATED PERSON)

 

Regarding the personal data processed within the scope of our Company's activities, the data subject may, within the framework of your rights listed in Article 11 of the KVVK, by applying to our Company;

  1. a) Learning whether personal data is being processed or not,
  2. b) Requesting information if personal data has been processed,
  3. c) Learning the purpose of processing personal data and whether they are used for their intended purpose,
  4. d) Knowing the third parties to whom personal data is transferred domestically or abroad,
  5. e) Requesting correction of personal data if they are incomplete or incorrectly processed,
  6. f) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,
  7. g) To request that the transactions carried out in accordance with paragraphs (d) and (e) be notified to third parties to whom personal data is transferred,
  8. h) Object to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems,
  9. i) In case of damage due to unlawful processing of personal data, they have the right to demand compensation for the damage.

In cases where data subjects wish to exercise their rights and/or think that the Company does not act within the scope of this Policy when processing personal data, they can submit their requests by filling out the form on the Company website or by creating their own requests in a way that meets the conditions determined by the Authority, to the e-mail address given above, which may change from time to time. They can be sent by e-mail from the e-mail address previously notified to the Company and registered in the Company system (the e-mail address registered in the system should be checked), or with a secure electronic signature or mobile signature, to the Company kep address, or by e-mail, which is also listed above and may change from time to time. They can deliver their identity documents along with a petition with a wet signature to the address by hand or through a notary, and send it by other methods determined by the Institution that may be added to them in the future. Current application methods and application content must be confirmed by the legislation before application.

If data subjects submit their requests regarding the rights listed above to the Company in writing, the Company will finalize the request free of charge within thirty (30) days at the latest, depending on the nature of the request. If an additional cost arises for the conclusion of the requests by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller.

  • EDUCATION

 

The Company provides its employees with the necessary training on the protection of sensitive personal data within the scope of Company Policies and Procedures and KVKK Regulations.

In the training, the definitions of special personal data and practices for their protection are specifically addressed.

If a Company employee accesses personal data physically or on a computer, the Company provides training to the relevant employee regarding these accesses (for example, the computer program accessed).

  • AUDIT

 

The Company has the right to regularly and ex officio audit, without any prior notice, whether all employees, departments and contractors of the Company comply with this Policy and KVKK regulations, and carries out the necessary routine audits within this scope.

  1. CHANGES TO BE MADE IN THE POLICY

 

This Policy may be amended by the Company from time to time with the approval of the Board of Directors.

The Company shares the updated Policy text with its employees via e-mail so that the changes made to the Policy can be reviewed, or makes it accessible to employees and other relevant persons via the web address below.

In cases where there is a conflict between the Turkish language text in which this Policy was prepared and the translation text in any language published by the Company, the Turkish text will prevail.

  • EFFECTIVE DATE OF THE POLICY

 

The first version of this Policy has been approved by the Company's Board of Directors and entered into force as of 02/11/2020, to be applied to all personal data processing activities of the Company.