Personal Data Processing and Protection Policy

SIRMERSAN MARBLE INDUSTRY INC. PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

Contents

CHAPTER ONE
1.1. INTRODUCTION
1.2. Purpose of the Policy
1.3. Scope of the Policy and Personal Data Owners
1.4. Definitions
1.5. Enforcement of the Policy
CHAPTER TWO
2.1. General Principles for the Processing of Personal Data
2.2. Terms of Processing Personal Data
2.3. Conditions of Processing of Special Quality Personal Data
2.4. Terms of Transfer of Personal Data
2.4.1. Terms of Transfer of Personal Data Abroad
2.5. Conditions for Transfer of Special Quality Personal Data
2.5.1. Transfer of Private Personal Data Abroad
CHAPTER THREE
3.1. Classification of Personal Data
3.2. Purposes of Processing and Transferring Personal Data
3.3. Persons to whom Personal Data will be Transferred
CHAPTER FOUR
4.1. Method and Legal Reason for Personal Data Collection
4.2. Deletion, Destruction or Anonymization of Personal Data
4.3. Retention Period of Personal Data
CHAPTER FIVE
5.1. Ensuring the Security of Personal Data
5.1.1. Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data
5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
5.1.3. Storing Personal Data in Secure Environments
5.1.4. Supervision of Measures Taken for the Protection of Personal Data
5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
5.2. Observing the Legal Rights of Personal Data Owners
5.3. Protection of Private Personal Data
CHAPTER SIX
6.1. Disclosure of Personal Data Owner
6.2. Rights of Personal Data Owner pursuant to KVK Law
6.3. Circumstances in which the Personal Data Owner cannot assert his rights
6.4. Use of Personal Data Owner’s Rights
6.5. The Company’s Response Procedure and Time to Applications
6.6. Personal Data Owner’s Right to Complain to the KVK Board
CHAPTER SEVEN
CHAPTER EIGHT
8.1. Update and Adaptation
8.2. Changes

CHAPTER ONE

1. INTRODUCTION

1.1. Introduction

As SIRMERSAN MARBLE INDUSTRY INC. (“Company”), we attach utmost importance to the legal processing and protection of personal data in accordance with the Law on the Protection of Personal Data No. 6698 (“Law”), and we act with this care in all our planning and activities. With this awareness, we hereby submit this Personal Data Processing and Protection Policy (“Policy”) to your information, both in order to fulfill the obligation of disclosure within the scope of Article 10 of the Law and to inform you of all the administrative and technical measures we have taken within the scope of processing and protection of personal data.

1.2. Purpose of the Policy

The main purpose of this Policy is to explain the systems for processing and protecting personal data in accordance with the law and the purpose of the Law and, in this context, to inform the persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all the rights of personal data owners arising from the legislation regarding personal data.

1.3. Scope of the Policy and Personal Data Owners

This Policy has been prepared for the persons whose personal data are processed by our Company, by automatic means or by non-automatic means provided that they are part of any data recording system, particularly Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties, and it will be applied within the scope of the specified persons. This Policy will in no way apply to legal entities and legal entity data.

Our Company informs the Personal Data Owners about the Law by publishing this Policy on its website. The Personal Data Processing Policy for Employees will be applied for the employees of our Company. This Policy will not be applied if the data is not included in the scope of “Personal Data” as specified below or if the Personal Data processing activity carried out by our Company is not carried out in the above-mentioned ways.

In this context, the personal data owners within the scope of this Policy are as follows:

Company Natural Person Partner: Real persons with whom the Company has any business relationship.

Stakeholder, Official, Employee of Company Business Partners: All real persons, including the employees, stakeholders and officials of the real and legal persons with whom the Company has any kind of business relationship (such as business partners and suppliers).

Company Official: The members of the Company’s board of directors and other authorized real persons.

Employee Candidate: Real persons who have applied for a job to the Company by any means or have opened their CV and related information to the Company’s review.

Company Customer: Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

Group Company Customer: Real persons who use or have used the products and services offered by the Group Companies, regardless of whether the Company has any contractual relationship with the Group Companies.

Potential Customer: Real persons who have requested or been interested in using the Company’s products and services, or who have been assessed, in accordance with the rules of commercial practice and honesty, as possibly having such an interest.

Visitor: All natural persons who enter the physical premises of the Company for various purposes or visit the websites for any purpose.

Third Party: Other real persons who are not included in the scope of the Personal Data Protection and Processing Policy prepared for Company Employees and who are not included in any personal data owner category in this Policy.

1.4. Definitions

The terms used in this Policy have the following meanings:

Company / Our Company: SIRMERSAN MARBLE INDUSTRY INC.

Personal Data / Data: Any information relating to an identified or identifiable natural person.

Special Qualified Personal Data / Data: Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Processing of Personal Data: All kinds of operations performed on Personal Data, in whole or in part, by automatic means or by non-automatic means provided that it is a part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data.

Personal Data Owner / Relevant Person: Company Stakeholders, Company Business Partners, Company Officials, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers, Third Parties and persons whose personal data are processed by the Company.

Group Company: The company or companies affiliated to the group to which the Company is affiliated.

Data Recording System: The recording system in which personal data is structured and processed according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.

Open Consent: Consent regarding a particular subject, based on information and expressed with free will.

Anonymization: Rendering data previously associated with a person incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.

Law: The Law on Protection of Personal Data No. 6698.

KVK Board: The Personal Data Protection Board.

1.5. Enforcement of the Policy

This Policy, prepared by the Company on …/…/20…., entered into force on …/…20…. and, as updated, is published on the Company’s website (www.sirmersan.com.tr) and made available to the relevant persons upon the request of the Personal Data Owners.

CHAPTER TWO

2. PROCESSING AND TRANSFER OF PERSONAL DATA

2.1. General Principles in the Processing of Personal Data

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts with the following principles when processing Personal Data:

  • Personal Data is processed in accordance with the relevant legal rules and the requirements of the honesty rule.
  • It is ensured that Personal Data is accurate and up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered.
  • Personal Data are processed for specific, clear and legitimate purposes. Being legitimate means that the Personal Data processed by the Company is related to and necessary for the work it does or the service it provides.
  • Personal Data is processed to the extent that it is related to the purposes determined by the Company, and the processing of Personal Data that is not related to the realization of the purpose or is not needed is avoided. The Company limits the processed data to what is necessary for the realization of the purpose. Personal Data processed in this context are relevant, limited and proportionate to the purpose for which they are processed.
  • If there is a period stipulated for the storage of data in the relevant legislation, the Company complies with these periods; otherwise, Personal Data is kept only for the period necessary for the purpose for which it is processed and is then deleted, destroyed or anonymized.

2.2. Terms of Processing Personal Data

The Company does not process Personal Data without the explicit consent of the data owner. In the presence of one of the following conditions, Personal Data may be processed without seeking the explicit consent of the data owner.

  • The Company may process Personal Data of Personal Data Owners in cases expressly stipulated by law, even without express consent. For example, in accordance with Article 230 of the Tax Procedure Law, the explicit consent of the person concerned will not be sought for the name of the person concerned to be included on the invoice.
  • Personal Data may be processed without explicit consent in order to protect the life or bodily integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid, or of another person. For example, in a situation where the person’s consent is not valid due to unconsciousness or mental illness, the Personal Data of the Personal Data Owner may be processed during medical intervention in order to protect life or bodily integrity. In this context, data such as blood type, diseases and surgeries, and medications used can be processed through the relevant health system.
  • Personal Data of the parties to the contract may be processed, provided that it is directly related to the establishment or performance of a contract by the Company. For example, according to a contract made, the account number of the creditor can be obtained for the payment of money.
  • The Company may process the Personal Data of the Personal Data Owners if it is necessary to fulfill its legal obligations as a data controller.
  • Personal Data made public by the Personal Data Owners themselves, in other words disclosed to the public in any way, may be processed by the Company because the legal interest that needs to be protected no longer exists.
  • The Company may process the Personal Data of the Personal Data Owners without seeking explicit consent in cases where data processing is necessary for the exercise or protection of a legally legitimate right.
  • The Company may process the Personal Data of the Personal Data Owners in cases where it is necessary to process the Personal Data for its legitimate interests, provided that the fundamental rights and freedoms of the Personal Data Owners are protected under the Law and Policy. The Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of the Personal Data Owners.

2.3. Conditions of Processing of Special Quality Personal Data

The Company does not process Sensitive Personal Data without the explicit consent of the person concerned. However, Personal Data other than health and sexual life may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal Data regarding health and sexual life are processed by the Company, without seeking the explicit consent of the person concerned, only for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing, and subject to our obligation to keep secrets. The Company carries out the necessary actions to take the adequate measures determined by the Board in the processing of Private Personal Data.

2.4. Terms of Transfer of Personal Data

Our company may transfer the Personal Data of Personal Data Owners and Private Personal Data to third parties in accordance with the Law by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Our company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, in line with the legitimate and lawful Personal Data processing purposes of our Company, based on and limited to one or more of the Personal Data processing conditions specified in Article

Personal Data to third parties:

  • If the Personal Data owner has given express consent,
  • If there is a clear regulation in the law regarding the transfer of Personal Data,
  • If it is necessary for the protection of the life or physical integrity of the Personal Data owner or someone else, and the Personal Data owner is unable to express his consent due to actual impossibility or his consent is not legally valid,
  • If it is necessary to transfer the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If Personal Data transfer is mandatory for our company to fulfill its legal obligation,
  • If the Personal Data has been made public by the Personal Data owner,
  • If Personal Data transfer is necessary for the establishment, exercise or protection of a right,
  • Provided that it does not harm the fundamental rights and freedoms of the Personal Data owner, Personal Data may be transferred if it is necessary for the legitimate interests of our Company.

2.4.1. Conditions for Transferring Personal Data Abroad

Our company may transfer the Personal Data and Special Qualified Personal Data of the Personal Data Owners to third parties abroad by taking the necessary security measures in line with the Personal Data processing purposes. Personal Data can be transferred by our Company to foreign countries that are declared to have sufficient protection by the KVK Board or, in the absence of sufficient protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the permission of the KVK Board is available.

2.5. Terms of Transfer of Special Quality Personal Data

The Company, by showing due diligence, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board, can transfer the Personal Data of the Personal Data Owner to third parties, in accordance with the legitimate and lawful Personal Data processing purposes, in the following cases:

  • In case of explicit consent of the Personal Data Owner, or
  • In the presence of the following conditions, without seeking the explicit consent of the Personal Data Owner:
      • Sensitive Personal Data (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, criminal conviction and data related to security measures, and biometric and genetic data), in cases stipulated by law,
      • For the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing, by persons who are under the obligation of confidentiality or by authorized institutions and organizations.

2.5.1. Transfer of Private Personal Data Abroad

The Company, by showing due diligence, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board, can transfer the Personal Data of the Personal Data Owner, in accordance with the legitimate and lawful Personal Data processing purposes, to foreign countries where the data controller has adequate protection or undertakes to provide adequate protection, in the following cases:

  • In case of explicit consent of the Personal Data Owner, or
  • In the presence of the following conditions, without seeking the explicit consent of the Personal Data Owner:
      • Sensitive Personal Data (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, criminal conviction and data related to security measures, and biometric and genetic data), in cases stipulated by law,
      • For the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing, by persons who are under the obligation of confidentiality or by authorized institutions and organizations.

CHAPTER THREE

3. CLASSIFICATION OF PERSONAL DATA, PURPOSE OF PROCESSING AND TRANSFER, PERSONS TO BE TRANSFERRED

3.1. Classification of Personal Data

Within the Company, in line with the Company’s legitimate and lawful personal data processing purposes, and based on and limited to one or more of the personal data processing conditions set forth in Article 5 of the Law, personal data in the categories specified below are processed, limited to the subjects within the scope of this Policy, in compliance with the general principles set forth in the Law, in particular the principles regarding the processing of personal data set forth in Article 4, and with all obligations set forth in the Law, by informing the relevant persons in accordance with Article 10 of the Law. This section also states which of the data owners regulated within the scope of this Policy the personal data processed in these categories relate to.

PERSONAL DATA CATEGORY: PERSONAL DATA CATEGORY EXPLANATION

Credentials: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; data that contains information about the identity of the person; documents such as driver’s license, identity card and passport containing information such as name-surname, T.C. identity number, nationality information, mother’s name and father’s name, place of birth, date of birth and gender, and information such as tax number, SGK number, signature information, vehicle license plate, etc.

Communication Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information such as phone number, address, e-mail address, KEP address, fax number, IP address.

Location Data: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information that determines the location of the Personal Data Owner, within the framework of the operations carried out by the business units of the Company, during the use of the products and services of the group companies, or of the employees of cooperating institutions while using the Company vehicles; GPS location, travel data, etc.

Transaction Security Information: Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company while carrying out the Company’s activities.

Family Members and Close Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information about the family members of the Personal Data Owner (e.g. spouse, mother, father, child), relatives and other people who can be reached in case of emergency, processed in order to protect the legal and other interests of the Company and the Personal Data Owner regarding the products and services offered by the group companies within the framework of the operations carried out by the Company business units.

Physical Space Security Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; personal data regarding the records and documents taken at the entrance to the physical space and during the stay in the physical space; camera records, fingerprint records and records taken at the security point, etc.

Financial Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship the Company has established with the Personal Data Owner, and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information.

Audio/Visual Information: Clearly belonging to an identified or identifiable natural person; photographs and camera recordings (excluding the recordings included in the Physical Space Security Information), audio recordings and data contained in documents that are copies of documents containing personal data.

Personal Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; all kinds of personal data processed for obtaining information that will form the basis for the personal rights of real persons who are in a working relationship with the Company.

Legal Transaction Information: Data processed within the scope of the determination and follow-up of the legal receivables and rights of the Company and the performance of its debts and legal obligations.

Special Qualified Personal Data: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; data specified in Article 6 of the Law (e.g. health data including blood group, biometric data, religion and association information).

Request/Complaint Management Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; personal data regarding the receipt and evaluation of any request or complaint directed to the Company.

The table below states which types of Personal Data are processed for the Personal Data Owners specified in article (1.3.) of Chapter 1 of the Policy:

PERSONAL DATA CATEGORY: DATA OWNERS TO WHICH THE RELEVANT PERSONAL DATA IS RELATED

Credentials: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Communication Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Location Data: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Transaction Security Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Family Members and Close Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Physical Space Security Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Financial Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Audio/Visual Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Personal Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Legal Transaction Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Special Qualified Personal Data: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

Request/Complaint Management Information: Customer, Potential Customer, Employee Candidate, Company Shareholder, Company Official, Visitor, Employees, Shareholders and Officials of the Institutions We Collaborate with, Third Party

3.2. Purposes of Processing and Transferring Personal Data

Personal Data is processed by the Company, in accordance with the law and the purpose of the Law, limited to the following purposes:

  • Planning and implementing human resources policies in the best way,
  • Accurate planning, execution and management of commercial partnerships and strategies,
  • Ensuring the legal, commercial and physical security of itself and its business partners,
  • Ensuring corporate functioning, planning and execution of management and communication activities,
  • Enabling Personal Data Owners to make the best use of the products and services, and recommending these by customizing them according to their demands, needs and wishes,
  • Ensuring the highest level of data security,
  • Creation of databases,
  • Improving the services offered on the website and eliminating the errors that occur on the site,
  • Communicating with Personal Data Owners who forwarded their requests and complaints to it and ensuring the management of requests and complaints,
  • Event management,
  • Management of relations with business partners or suppliers,
  • Execution of personnel procurement processes,
  • Supporting Group Companies’ personnel procurement processes and compliance with the relevant legislation,
  • Planning and execution of audit activities in order to ensure that the activities of the Group Companies are carried out in accordance with the relevant legislation,
  • Supporting the planning and execution of fringe benefits and benefits to be provided to the senior executives of the Company and the Group Companies,
  • Supporting Group Companies in the realization of company and partnership law transactions,
  • Execution/follow-up of financial reporting and risk management transactions,
  • Execution/follow-up of company legal affairs,
  • Carrying out studies to protect its reputation,
  • Managing investor relations,
  • Giving information to authorized institutions based on legislation,
  • Creating and tracking visitor records.

Personal Data is processed, limited to these purposes, within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated in the Law, your explicit consent is obtained by the Company regarding the relevant processing process.

3.3. Persons to whom Personal Data will be Transferred

In accordance with the law and the purpose of the Law, your Personal Data can be transferred to the following categories of persons governed by the Policy for the following purposes:

Persons to whom Data Transfer can be made: Data Transfer Purpose

Company Partners: Personal data can be transferred, limited to ensuring the fulfillment of the purposes for which the business partnership was established, where the Company establishes business partnerships, by itself or together with the Group Companies, for purposes such as carrying out various projects and receiving services while carrying out its commercial activities.

Group Companies: It can be transferred limited to ensuring the execution of the commercial activities of the Company that require the participation of the companies affiliated to the group to which it is affiliated.

Company Stakeholders: Pursuant to the provisions of the relevant legislation, it can be transferred limited to the objectives of the activities carried out by the Company within the scope of company law, event management and corporate communication processes.

Company Officials: In accordance with the provisions of the relevant legislation, it can be transferred limited to designing the strategies regarding the commercial activities of the Company, ensuring the management at the highest level and auditing purposes.

Legally Authorized Public Institutions and Organizations: It can be transferred, on a limited basis, for the purpose requested by the relevant public institutions and organizations within the scope of their legal authority.

Legally Authorized Private Law Persons: It can be transferred for the purpose requested by the relevant private legal persons within the scope of their legal authority in accordance with the provisions of the legislation.

Private Law Legal Entities: In accordance with the provisions of the legislation, it can be transferred limited to the purpose requested by the relevant private legal persons within the scope of their legal authority (banks, etc.).

CHAPTER FOUR

4. METHOD AND LEGAL REASON FOR COLLECTION OF PERSONAL DATA, DELETION, DESTRUCTION AND ANONYMIZATION, AND RETENTION PERIOD

4.1. Method and Legal Reason for Personal Data Collection

For the purpose of checking compliance with Article 1 of the Law, which regulates its purpose, and Article 2, which regulates its scope, Personal Data is collected in all kinds of verbal, written and electronic media, through technical and other methods and in various ways such as the call center, the Company website and the mobile application. It is collected in order to fulfill the responsibilities arising from the law completely and accurately, within the framework of legal reasons based on legislation, contract, demand and request, and in order to achieve the purposes stated in the Policy. It is processed by the Company or by data processors appointed by the Company.

4.2. Deletion, Destruction or Anonymization of Personal Data

Although the Company has acted in accordance with the provisions of this Law and other laws, and without prejudice to the provisions of other laws regarding deletion, destruction or anonymization, in the event that the reasons for processing disappear, the Company deletes, destroys or anonymizes the Personal Data ex officio or upon the request of the data owner. With the deletion of Personal Data, these data are destroyed in such a way that they cannot be used again in any way and cannot be recovered. Accordingly, Personal Data is deleted from the media in which it is recorded, such as documents, files, CDs, floppy disks and hard disks, in a way that cannot be recovered. Destruction of Personal Data refers to the destruction of materials suitable for data storage in which the data is recorded, such as documents, files, CDs, floppy disks and hard disks, so that the information cannot be retrieved or used again. Anonymizing data means that Personal Data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.

4.3. Retention Period of Personal Data

The Company stores Personal Data for the period specified in the legislation, if the legislation stipulates one. If the legislation does not regulate how long personal data should be kept, Personal Data is processed for the period required by the Company’s practices and commercial custom, depending on the activity carried out while processing that data, and is then deleted, destroyed or anonymized.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and by the Company have also come to an end, personal data can only be stored to provide evidence in possible legal disputes, to assert the right related to personal data or to establish a defense. In establishing the periods here, retention periods are determined based on the statute of limitations for asserting the aforementioned right and on examples of requests previously submitted to the Company on the same issues despite the expiry of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose, and access is provided only when the data must be used in the relevant legal dispute. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.

Detailed regulations regarding the Company’s techniques regarding the storage, deletion, destruction and anonymization of Personal Data are included in the Personal Data Retention and Disposal Policy published on the Company’s website.

CHAPTER FIVE

5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the Personal Data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and in this context it carries out the necessary audits or has them carried out.

5.1. Ensuring the Security of Personal Data

5.1.1. Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data

The Company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that Personal Data is processed in accordance with the law.

  • Technical Measures Taken to Ensure Legal Processing of Personal Data

The main technical measures taken by the Company to ensure the legal processing of Personal Data are listed below:

  • Personal Data processing activities carried out within the company are audited by established technical systems.
  • The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
  • Technical matters are handled together with the IT company engaged under contract.

  • Administrative Measures Taken to Ensure Legal Processing of Personal Data

The main administrative measures taken by the Company to ensure the legal processing of Personal Data are listed below:

  • Employees are informed and trained about the law on the protection of Personal Data and the processing of Personal Data in accordance with the law.
  • All activities carried out by the Company are analyzed in detail specific to all business units, and as a result of this analysis, Personal Data processing activities are revealed, specific to the activities carried out by the relevant business units.
  • For the Personal Data processing activities carried out by the Company’s business units, the requirements to be fulfilled in order to ensure that these activities comply with the Personal Data processing conditions sought by the Law are determined for each business unit and the detailed activity it carries out.
  • In order to meet the legal compliance requirements determined on the basis of the business unit, awareness is created specific to the relevant business units and the rules of practice are determined; the necessary administrative measures are implemented through in-house policies and trainings to ensure the supervision of these issues and the continuity of implementation.
  • Except for the Company’s instructions and the exceptions provided by law, provisions imposing the obligation not to process, disclose or use Personal Data are included in the contracts and documents governing the legal relationship between the Company and its employees; employee awareness is created in this regard, and audits are carried out to fulfill the obligations arising from the Law.

5.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the reckless or unauthorized disclosure, access, transfer or any other unlawful access to Personal Data.

  • Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Technical measures are taken in accordance with developments in technology, and the measures taken are periodically updated and renewed.
  • Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on the basis of the business unit.
  • Access authorizations are limited and authorizations are reviewed regularly.
  • The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism; the issues that pose a risk are reevaluated and the necessary technological solution is produced.
  • Software and hardware including virus protection systems and firewalls are installed.
  • Personnel knowledgeable in technical matters are employed.
  • Security scans are run regularly to detect security vulnerabilities in applications where Personal Data is collected. The vulnerabilities found are closed.

  • Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by the Company to prevent unlawful access to Personal Data are listed below:

  • Employees are trained on technical measures to be taken to prevent unlawful access to Personal Data.
  • In accordance with the legal compliance requirements for the processing of Personal Data on a business unit basis, the processes of accessing and authorizing Personal Data are designed and implemented within the Company.
  • Employees are informed that the Personal Data they have learned cannot be disclosed to others in violation of the provisions of the Law and cannot be used for purposes other than processing, and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.
  • Provisions are added to the contracts concluded by the Company with the persons to whom Personal Data is transferred in accordance with the law, stating that these persons will take the necessary security measures for the protection of Personal Data and ensure that these measures are complied with in their own organizations.

5.1.3. Storing Personal Data in Secure Environments

The Company takes the necessary technical and administrative measures according to the technological possibilities and implementation cost in order to keep the Personal Data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.

  • Technical Measures Taken for Storing Personal Data in Secure Environments

The main technical measures taken by the Company to store Personal Data in secure environments are listed below:

  • Systems suitable for technological developments are used to store Personal Data in secure environments.
  • A contract has been made with a company specialized in technical issues.
  • Technical security systems for storage areas are established, security tests and research are carried out to detect security vulnerabilities in information systems, and existing or potential risks identified as a result of the tests and research are eliminated. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
  • In order to ensure that Personal Data is stored securely, backup programs are used in accordance with the law.
  • Access to the environments where Personal Data is kept is restricted, and only authorized persons are allowed to access this data, limited to the purpose of storing personal data. Accesses to data storage areas where Personal Data is stored are logged, and inappropriate accesses or access attempts are instantly communicated to the relevant persons.

  • Administrative Measures to Keep Personal Data in Secure Environments

The main administrative measures taken by the Company to store Personal Data in secure environments are listed below:

  • Employees are trained to ensure that Personal Data is kept securely.
  • Legal and technical consultancy services are obtained in order to follow the developments in the field of information security, privacy and protection of personal data and to take the necessary actions.
  • In the event that the Company receives an external service due to technical requirements regarding the storage of Personal Data, provisions are included in the contracts concluded with the relevant companies to which the Personal Data is transferred in accordance with the law, stating that the persons to whom Personal Data is transferred will take the necessary security measures for the protection of Personal Data and that these measures will be complied with in their own organizations.

5.1.4. Supervision of the Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the Law, the Company carries out the necessary audits within its own organization or has them carried out. The results of these audits are reported to the relevant department within the scope of the internal operation of the Company, and necessary activities are carried out to improve the measures taken.

5.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In the event that the Personal Data processed in accordance with Article 12 of the Law is obtained by others unlawfully, the Company operates the system that ensures that the relevant Personal Data Owner and the KVK Board are notified as soon as possible. If deemed necessary by the KVK Board, this situation may be announced on the website of the KVK Board or by any other method.

5.2. Observing the Legal Rights of Personal Data Owners

The Company observes all legal rights of Personal Data Owners with the implementation of the Policy and Law and takes all necessary measures to protect these rights. Detailed information about the rights of Personal Data Owners is given in the sixth section of this Policy.

5.3. Protection of Private Personal Data

The Law attaches special importance to certain Personal Data due to the risk of causing victimization and/or discrimination when processed unlawfully. These are data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. The Company pays maximum attention to the protection of Personal Data that the Law designates as “special quality” and that is processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are also implemented with the utmost care in terms of Special Quality Personal Data, and the necessary audits are provided within the Company in this regard.

CHAPTER SIX

6. RIGHTS OF PERSONAL DATA OWNER, USE AND ASSESSMENT OF RIGHTS

6.1. Disclosure of Personal Data Owner

In accordance with Article 10 of the Law, the Company informs Personal Data Owners during the acquisition of Personal Data. In this context, it clarifies the identity of the Company representative, if any, for what purpose the Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method of collecting Personal Data and the legal reason, and the rights of the Personal Data Owner.

6.2. Rights of the Personal Data Owner in accordance with the KVK Law

The Company informs you of your rights in accordance with Article 10 of the Law; it provides guidance on how to exercise these rights and carries out the necessary internal operations and administrative and technical arrangements for all of this. In accordance with Article 11 of the Law, the Company explains to the persons whose Personal Data is received that they have the following rights:

  • Learning whether Personal Data is processed or not,
  • If Personal Data has been processed, requesting information about it,
  • Learning the purpose of processing Personal Data and whether it is used in accordance with its purpose,
  • Knowing the third parties to whom Personal Data is transferred in the country or abroad,
  • Requesting correction of Personal Data if it is incomplete or incorrectly processed,
  • Requesting the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
  • Requesting that the transactions made in accordance with subparagraphs (d) and (e) of Article 11 of the Law be notified to the third parties to whom the personal data has been transferred,
  • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • Requesting the compensation of the damage in case of damage due to unlawful processing of Personal Data.

6.3. Cases where the provisions of the law will not be applied

Pursuant to Article 28 of the Law, the following cases are excluded from the scope of the Law:

  • Processing of Personal Data by real persons within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
  • Processing Personal Data for purposes such as research, planning and statistics by making it anonymous with official statistics.
  • Processing of Personal Data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
  • Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Processing of Personal Data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the Law, in the cases listed below, Personal Data Owners cannot claim their rights listed in article (6.2.) of this Policy, except for the right to demand the compensation of the damage:

  • The processing of Personal Data is necessary for the prevention of crime or for criminal investigation.
  • Processing of personal data made public by the Personal Data Owner.
  • Personal Data processing is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution based on the authority given by the law.
  • The processing of Personal Data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

6.4. Use of Personal Data Owner’s Rights

Personal Data Owners can submit their requests regarding their rights listed in article (6.2.) of this Policy, together with information and documents that identify them, by the methods specified below or by other methods determined by the KVK Board. They can fill in and sign the Application Form, which can be accessed from www.sirmersan.com.tr, and send it to the Company free of charge by:

  • Hand-delivering a wet-signed copy of the completed application form in person to the address [Denizli OSB Nei. Ibrahim Calli St. No:6 Honaz/DENİZLİ],
  • Signing the completed application form with a “secure electronic signature” within the scope of Electronic Signature Law No. 5070 and sending the signed form by registered e-mail to sirmersan@sirmersan.hs03.kep.tr,
  • Using a mobile signature,
  • Submitting the application form by using the e-mail address previously notified to the Company and registered in the Company system.

In order for third parties to apply on behalf of personal data owners, a special power of attorney issued by the data owner through a notary public on behalf of the person to apply must be present.

6.5. The Company’s Response Procedure and Time to Applications

The Company concludes the requests included in the application free of charge as soon as possible, and within thirty days at the latest, depending on the nature of the request. However, if the said transaction requires an additional cost, the fee in the tariff determined by the KVK Board may be charged. The Company may accept the request or reject it by explaining the reason, and gives its answer in writing or electronically. If the request in the application is accepted, the Company fulfills the requirements of the request.

6.6. Right of Personal Data Owner to Complain to the KVK Board

In cases where the application is rejected, the answer given is insufficient or the application is not answered in due time, the data owner has the right to file a complaint with the KVK Board within thirty days from the date of learning the answer and in any case within sixty days from the date of application.

CHAPTER SEVEN

7. MANAGEMENT STRUCTURE OF THE COMPANY ACCORDING TO THE PROCESSING AND PROTECTION POLICY OF PERSONAL DATA

A Personal Data Committee has been established within the Company, in accordance with the decision of the Company’s senior management, to manage this Policy and other policies connected and related to it. The Personal Data Committee is authorized and responsible for taking the necessary actions for the storage and processing of Personal Data Owners’ data in accordance with this Policy and other policies connected and related to it. Detailed regulations regarding those assigned to the Personal Data Committee and their duties are included in the Personal Data Retention and Disposal Policy published on the Company’s website.

CHAPTER EIGHT

8. UPDATES, ADAPTATION AND CHANGES

8.1. Update and Compliance

The Company reserves the right to make changes to this Policy and other connected and related policies due to changes made in the Law, in accordance with the decisions of the KVK Board or in line with developments in the sector or in the field of informatics.

Changes made to this Policy are immediately incorporated into the text, and explanations regarding the changes are given at the end of the Policy.

8.2. Changes

…../…/…….: The Personal Data Processing and Protection Policy has been published.

*There is no earlier change.*