PDPA Politics

PERSONAL DATA PROTECTION POLICIES …………………………………………………

  1. DATA PRIVACY COMMITMENT………………………………………………………………………..
  2. PURPOSE OF THE POLICY ……………………………………………………………………………………
  3. SCOPE OF THE POLICY ……………………………………………………………………………….
  4. DEFINITIONS ……………………………………………………………………………………………………..
  5. PRINCIPLES OF PERSONAL DATA PROCESSING ………………………………………………………….
  6. PROCESSING OF PERSONAL DATA ………………………………………………………………….
  7. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA …………………………………..
  8. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA……………………………………………………………….
  9. TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES ……………………………………………………………………..
  10. DISCLOSURE OBLIGATION OF THE COMPANY AND RIGHTS OF THE DATA SUBJECT……….
  11. MEASURES TAKEN FOR DATA MANAGEMENT, SECURITY AND PROTECTION OF PERSONAL DATA
  12. TRAINING ………………………………………………………………………………………………………….
  13. AUDIT ………………………………………………………………………………………………………
  14. VIOLATIONS …………………………………………………………………………………………………….
  15. RESPONSIBILITIES………………………………………………………………………………………
  16. AMENDMENTS TO THE POLICY…………………………………………….
  17. EFFECTIVE DATE OF THE POLICY ……………………………………………………….

PERSONAL DATA PROTECTION POLICY

1. COMMITMENT TO DATA CONFIDENTIALITY

TEKNOMELT SAN. VE TİC. A.Ş. (‘Company’) undertakes to act in accordance with this Policy and the procedures to be implemented in accordance with the Policy in terms of Personal Data within its body.

2. PURPOSE OF THE POLICY

The purpose of this policy is to determine the principles regarding the methods and processes for the protection of personal data within the scope of the Personal Data Protection Law No. 6698 (‘KVKK’) regarding Company activities.

3. SCOPE OF THE POLICY

The main field of activity of the Company is to manufacture and sell yarn and textiles. This Policy covers and applies to all activities for Personal Data that the Company carries out all kinds of processing activities for the continuation of its activities.

This Policy may be amended from time to time if required by the KVK Regulations or if deemed necessary by the Company’s Data Controller Representative or management, provided that legal obligations are observed.

4. DEFINITIONS

The definitions used in this Policy have the following meanings;

“Explicit Consent” refers to the consent expressed by Personal Data Owners of their free will, based on being informed, and without any conditions, regarding the processing of their data.

“Anonymization” refers to making Personal Data impossible to associate with an identified or identifiable natural person in any way, even if it is matched with other data.

“Anonymised Data” refers to data that cannot be associated with a real person in any way.

“Personal Data” refers to any information regarding an identified or identifiable natural person.

“Personal Data Processing” means obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available Personal Data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. It refers to any operation performed on data, such as classifying or preventing its use.

“Board” refers to the Personal Data Protection Board.

“Institution” refers to the Personal Data Protection Authority.

“KVKK” refers to the Personal Data Protection Law No. 6698.

“KVK Regulations/Provisions” means the Personal Data Protection Law No. 6698 and other relevant legislation for the protection of Personal Data, binding decisions, principle decisions, provisions, instructions and applicable international agreements for the protection of data made by regulatory and supervisory authorities, courts and other official authorities. and any other legislation.

“KVK Procedures” refers to the procedures that determine the obligations that the Company, employees and the Data Controller Representative must comply with within the scope of this Policy.

“Special Category Personal Data” is data regarding individuals’ race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures. It refers to biometric and genetic data.

“Deletion or Deletion” is the process of making Personal Data inaccessible and unusable in any way for the relevant users.

“Personal Data Inventory” includes Personal Data Processing processes and methods, Personal Data Processing purposes, data category, third parties to whom Personal Data is transferred, etc. for the Company’s Personal Data Processing activities. It refers to the inventory containing information.

“Data Processor” refers to the natural or legal person who processes Personal Data on behalf of the Data Controller, with authorization from the Data Controller.

“Data Owner” refers to the natural person to whom the Personal Data belongs.

“Data Controller” refers to the natural or legal person who processes Personal Data by specifying the processing purposes and processing methods and is responsible for establishing and managing the data recording system.

“Data Controller Representative” refers to the employee who manages the Company’s relations with the Institution.

“Destruction” refers to the destruction of personal data, making it inaccessible, irretrievable and unusable by anyone.

5. PERSONAL DATA PROCESSING PRINCIPLES

5.1. Processing of Personal Data in Compliance with Law and Integrity Rules

Personal Data is processed by the Company in accordance with the law and the rules of honesty and on the basis of proportionality. What is meant by the principle of proportionality is the processing of as much personal data as necessary for the company’s activities for the necessary period of time.

5.2. Taking Necessary Precautions to Keep Personal Data Accurate and Up-to-Date When Necessary

The Company takes all necessary measures to ensure that Personal Data is complete, accurate and up-to-date, and updates the relevant Personal Data if the Data Owner requests changes to the Personal Data.

5.3. Processing of Personal Data for Specific, Legitimate and Explicit Purposes

Before Processing Personal Data, the purpose for which Personal Data will be processed is determined by the Company. In this context, the Data Owner is informed within the scope of KVK Regulations and their Explicit Consent is obtained where necessary.

5.4. Personal Data Must Be Related to the Purpose for Processing, Limited and Proportionate

The Company processes Personal Data only in cases where explicit consent is not required within the scope of KVK Regulations and/or in cases where explicit consent is required, for the purpose within the scope of the Explicit Consent received from the Data Owner and in accordance with the principle of proportionality.

5.5. Keeping Personal Data as Long as Necessary and Deleting It Afterwards

5.5.1. The Company retains Personal Data as long as necessary for company activities in accordance with the purpose of processing. If the Company wishes to retain Personal Data for a period longer than the period stipulated in the KVK Regulations or required by the purpose of Personal Data Processing, the Company acts in accordance with the obligations specified in the KVK Regulations.

5.5.2. After the period required for the purpose of Personal Data Processing expires, Personal Data is Deleted, Destroyed or Anonymised. In this case, third parties to whom the Company transfers Personal Data are also enabled to Delete, Destroy or Anonymize Personal Data.

5.5.3. The Data Controller Representative is responsible for the operation of the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is created by the Data Controller Representative.

6. PROCESSING OF PERSONAL DATA

Within the scope of company activities, personal data may be processed for the purpose of performing commercial activities and providing services, including but not limited to the following purposes;

  • Carrying out activities,
  • Data obtained through website use,
  • Providing services within the scope of the contract and within the framework of service standards and fulfilling the contract requirements,
  • Fulfillment of legal obligations as required or required by legislation
  • Conducting market research and statistical studies,
  • Evaluating job applications and providing employment. CV, diploma, etc. shared by any method during the application process you will make as an
  • Employee Candidate. Personal data contained in other documents may be processed, stored and transferred for the purpose of job application evaluation within the scope of this Policy. In case of employment, the personal data of the employees are processed, stored and transferred in accordance with the
  • Labor Law No. 4857 and other legislative obligations,
  • Establishing contact with people who have business relations with the company,
  • Marketing,
  • Receiving and placing advertisements,
  • Legal and financial reporting,
  • Billing.

Personal Data can only be processed by the Company within the scope of the procedures and principles specified below.

6.1. Explicit Consent

In cases where explicit consent is required for the processing of Personal Data within the scope of KVK Regulations;

6.1.1. Personal Data is processed after informing Data Owners within the framework of fulfilling the Disclosure Obligation and if Data Owners give Explicit Consent.

6.1.2. Within the framework of the Information Obligation, Data Owners are informed of their rights before obtaining Explicit Consent.

6.1.3. Explicit Consent of Data Owners is obtained by methods in accordance with KVK Regulations. Explicit Consent is verifiable and kept by the Company for the period required within the scope of KVK Regulations.

6.1.4. The Data Controller Representative ensures that the Disclosure Obligation is fulfilled in terms of all Personal Data Processing processes and that Explicit Consent is obtained and maintained when necessary. All department employees who process Personal Data are obliged to comply with the instructions of the Data Controller Representative and this Policy.

6.2. Processing of Personal Data Without Explicit Consent

6.2.1 In cases where it is envisaged to process Personal Data without Explicit Consent within the scope of KVK Regulations (in cases listed in the law, including but not limited to Article 5.2 and Article 6.3 of KVKK), the Company may process Personal Data without obtaining the Explicit Consent of the Data Owner. If Personal Data is processed in this way, the Company Processes Personal Data within the limits set by KVK Regulations and in compliance with the Disclosure Obligation. In this context:

6.2.1.1. Personal Data may be processed by the Company without Explicit Consent in order to protect the life or physical integrity of the Data Subject and/or a person other than the Data Subject who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.

6.2.1.2. If the conditions of being directly related to the establishment, implementation, execution or termination of a contract are met, Personal Data of the parties to the contract may be processed by the Company without the Explicit Consent of the Data Owners. In this sense, service contracts, employment contracts, etc. to which the Company is a party. Personal data collected within the scope of all contracts necessary for the continuation of its activities, such as, are processed, stored, deleted and destroyed within the framework of this Policy without explicit consent.

6.2.1.3. If the Processing of Personal Data is mandatory for the Company to fulfill its legal obligation, Personal Data may be processed by the Company without the Explicit Consent of the Data Owners.

6.2.1.4. Personal Data made public by the Data Owner may be processed by the Company without explicit consent.

6.2.1.5. If processing Personal Data without Explicit Consent is the only possible way to establish, exercise or protect a right, Personal Data may be processed by the Company with the knowledge of the Data Controller Representative without Explicit Consent.

6.2.1.6. Personal Data may be processed by the Company without Explicit Consent, provided that data processing is mandatory for the legitimate interests of the Company, provided that the fundamental rights and freedoms of the Data Owners are not harmed.

7. PROCESSING OF SPECIAL PERSONAL DATA

7.1. Personal Data of Special Nature can only be processed if there is Explicit Consent of the Data Owner or if processing is expressly required by law in terms of Personal Data of Special Nature other than sexual life and personal health data.

7.2. The Company does not collect, store or process special personal data in any way, except for special personal data that is required to be collected as a legal requirement due to employment contracts to which it is a party or transferred to it.

7.3. Personal Data regarding health and sexual life can only be processed without Explicit Consent for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing. Therefore, until otherwise stipulated in the KVK Regulations, personal health data and sexual life data can only be processed within the scope of Explicit Consent or by the Company physician who is under the obligation of confidentiality.

7.4. While processing special personal data, precautions determined by the Board are taken.

7.5. In any case that requires the processing of special personal data, the Data Controller Representative is informed by the relevant employee.

7.6. If it is not clear whether a data is Special Personal Data or not, the opinion of the Data Controller Representative is sought by the relevant department.

8. STORAGE, DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

8.1. When the legitimate purpose for Processing Personal Data is eliminated, the relevant Personal Data is Deleted, Destroyed or Anonymised. Situations requiring deletion, destruction or anonymization of personal data are monitored by the Data Controller Representative.

8.2. Resumes sent to the Company by any means are deleted within 1 year at the latest if there is no response.

8.3. Personal data shared with the Company via the contact screen at www.teknomelt.com.tr is deleted within three months at the latest.

8.4. Personal data obtained by the Company due to employment contracts to which it is a party are destroyed when the retention obligation arising from the employment contract expires.

8.5. The Company does not store Personal Data solely for the possibility of future use. The above items also apply to personal data that the company does not collect but is transferred to the company for similar purposes.

9. TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES

The Company may transfer Personal Data to a third natural or legal person (“Contractor”) in accordance with the KVK Regulations. In this case, the Company ensures that third parties to whom it transfers Personal Data comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with third parties. The clause to be added to the contracts concluded with third parties to whom all kinds of Personal Data are transferred is obtained from the Data Controller Representative. Each employee is obliged to go through the process set out in this Policy in case of Personal Data transfer. If the third party to whom Personal Data is transferred requests a change in the article communicated by the Data Controller Representative, the employee immediately notifies the Data Controller Representative.

Personal data, including but not limited to the following;

  • To suppliers,
  • Business partners and business contacts,
  • To group companies,
  • To legally authorized public institutions and organizations,
  • To legally authorized private legal persons,
  • It may be transferred to shareholders in accordance with the principles and rules explained in this Policy.

9.1. Personal Data Transfer to Third Parties in Turkey

9.1.1. Personal Data may be transferred by the Company to third parties in Turkey for the purpose of continuing its activities or fulfilling its obligations, without express consent in cases specified by the Personal Data Protection Law, or with the express consent of the Data Owner in cases where express consent is required.

9.1.2. The Company is responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the KVK Regulations.

9.2. Personal Data Transfer to Third Parties Abroad

9.2.1. The Company may transfer personal data abroad due to its import and export activities within the framework of this Policy and legislation.

9.2.2. Personal Data may be transferred by the Company to third parties abroad, without express consent in cases specified by the Personal Data Protection Law, or with the express consent of the Data Owner in cases where express consent is required.

9.2.3. In cases where Personal Data is transferred without explicit consent in accordance with KVK Regulations, one of the following conditions must also exist in terms of the foreign country to which it will be transferred:

9.2.3.1 The foreign country to which the Personal Data is transferred must have the status of countries where adequate protection is provided by the Board (please follow the Board’s current list for the list),

9.2.3.2  If the foreign country where the transfer will take place is not included in the Board’s list of safe countries, the Company and the Data Controllers in the relevant country must obtain permission from the Board by making a written commitment that adequate protection will be provided.

9.2.4. The Company is responsible for ensuring that the transfer of Personal Data to third parties abroad complies with the KVK Regulations.

9.2.5. The company can receive services from service providers such as Google, Hotmail and Outlook for electronic communication purposes. In this context, personal data that may be included in the electronic communications of the company are stored on the servers of the service providers and are stored, transferred and processed within the scope of the data protection policies of the companies in question.

10. COMPANY’S OBLIGATION TO INFORM AND DATA OWNER’S RIGHTS

10.1. The Company informs Data Owners regarding the Processing of Personal Data in accordance with Article 10 of the KVKK. In this context, the Company fulfills its Disclosure Obligation with the Disclosure Text prepared during the acquisition of Personal Data. The notification to be made to Data Subjects within the scope of the Disclosure Obligation includes the following elements, respectively:

  • Identity of the Data Controller and his representative, if any,
  • For what purpose the Personal Data will be processed,
  • To whom and for what purpose the processed Personal Data can be transferred,
  • Method and legal reason for collecting Personal Data,

The relevant person can obtain information on the following subjects by filling out the Application Form and sending it to the address “kvkk@teknomelt.com.tr” specified in the Company’s Information Text;

  • Learning whether personal data is processed or not,
  • Requesting information if personal data has been processed,
  • Learning the purpose of processing personal data and whether they are used for their intended purpose,
  • Knowing the third parties to whom personal data is transferred at home or abroad,
  • Requesting correction of personal data if they are incomplete or incorrectly processed
  • Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear,
  • Requesting that the correction, deletion or destruction mentioned above be notified to third parties to whom personal data has been transferred,
  • Objecting to an adverse result arising from the analysis of processed data exclusively through automatic systems,
  • Requesting compensation for damage in case of damage due to illegal processing of personal data

10.2. If the Company requests information about the Data Owner’s personal data processed in accordance with the KVK Provisions, it provides the necessary information within 30 (thirty) days at the latest after verifying the identity of the Data Owner. The Company reserves the right to reject the application, including but not limited to the reasons listed below;

  • Failure to verify the identity of the person requesting information as the relevant data owner,
  • Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not
  • violate the right to privacy or personal rights or constitute a crime,
  • Processing of personal data made public by the Personal Data Owner,
  • The application is not based on a justified reason,
  • The application contains a request contrary to the relevant legislation,
  • In cases such as failure to comply with the application procedure, the application will be rejected by explaining the reason for rejection.

10.3. In cases where the application is rejected, the response to the application is found insufficient or the response is not given in time; The applicant has the right to complain to the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.

10.4. The employee and the Data Controller Representative who follow the relevant process carry out the fulfillment of the necessary Disclosure Obligation before the Processing of Personal Data.

10.5. If the Data Processor is a third party other than the Company, the third party must undertake to comply with the above-mentioned obligations with a written contract before starting Personal Data Processing. In cases where third parties transfer Personal Data to the Company, the clause to be added to the contracts is obtained from the Data Controller Representative. Each employee is obliged to go through the process set out in this Policy in case Personal Data is transferred to the Company by a third party. If the third party transferring Personal Data requests a change in the article communicated by the Data Controller Representative, the employee immediately notifies the Data Controller Representative.

11. MEASURES TAKEN FOR DATA MANAGEMENT, SECURITY AND PROTECTION OF PERSONAL DATA

11.1. The Company appoints a Data Controller Representative to fulfill its obligations under the KVK Regulations, to ensure and supervise the implementation of the KVK Procedures necessary for the implementation of this Policy, and to make recommendations regarding their operation.

In order to ensure personal data security, the Company takes administrative and technical measures within the scope of the KVK Authority’s relevant guide on the subject.

11.1.1. Administrative Measures

  • The company creates policies and procedures covering the entire data processing process, conducts periodic studies to identify current risks and threats, and ensures transparency in the data processing process.
  • Company employees are informed and trained regarding the protection and legal processing of Personal Data.
  • It reduces the personal data processed and stored as much as possible and anonymizes the data whenever possible.
  • It manages its relations with real and legal persons who process personal data in accordance with the job description within the Company or the business relationship with the Company. In this context, Company employees can access Personal Data only within the authority defined for them and in accordance with the relevant KVK Procedure. Any access or operation carried out by the employee in a way that exceeds his or her authority is against the law and is a reason for termination of the employment contract with just cause. Each person who is allocated a Company device is responsible for the security of the devices allocated for his/her use. Each Company employee or person working within the Company is responsible for the security of the physical and electronic files/data within their area of responsibility. If a department within the company processes personal data of special nature, this department is informed about the importance, security and confidentiality of the Personal Data they process and they act in accordance with the instructions of the relevant department Data Controller Representative. Access to Special Personal Data is granted only to limited employees, and their listing and tracking is done by the Data Controller Representative. In case of additional security measures requested or to be additionally requested for the security of Personal Data within the scope of KVK Regulations, all employees are obliged to comply with the additional security measures and ensure the continuity of these security measures. All employees involved in the relevant process are jointly responsible, to the extent of their faults, for the protection of Personal Data in accordance with this Policy and KVK Procedures. Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data will continue after the termination of the employment relationship, and a commitment has been received from the relevant employees of the Company to comply with these rules.

11.1.2. Technical Measures

  • The Company ensures the cyber security of all personal data it processes and stores within its organization. IT personnel who are knowledgeable in technical issues for Personal Data Processing activities are employed.
  • The Company monitors the cyber security of all personal data processed and stored within the Company and periodically performs maintenance and audits. Personal Data Processing activities are audited by the Company with technical systems according to technological possibilities and application cost.
  • The Company does not use a cloud storage system for all personal data processed and stored within its organization.
  • The Company procures information technology systems and receives development and maintenance from the companies providing these services. In order to store Personal Data in secure environments, software and hardware including virus protection systems and firewalls are installed in accordance with technological developments. The Company has a security policy that includes technical measures for the protection of Personal Data.
  • The Company uses backup programs to prevent loss or damage to Personal Data and adequate security measures are taken.

12. EDUCATION

The Company provides its employees with the necessary training regarding the protection of Personal Data within the scope of the Policy and KVKK Regulations and keeps records of these trainings.

13. AUDIT

The Company has the right to regularly and ex officio audit, without any prior notice, whether all employees, departments and contractors of the Company comply with this Policy and KVK Regulations, and carries out the necessary routine audits within this scope. The Data Controller Representative creates the KVK Procedure for these inspections and ensures the implementation of the said procedure.

14. VIOLATIONS

14.1 Each employee of the Company reports to the Data Controller Representative any work, transaction or action that he/she considers to be contrary to the procedures and principles specified in the KVK Regulations and this Policy. In this context, the Data Controller Representative creates an action plan for the relevant violation in accordance with this Policy and KVK Procedures.

14.2. As a result of the information provided, the Data Controller Representative prepares the notification to be made to the Data Owner or the Institution regarding the violation, taking into account the provisions of the applicable legislation on the subject, especially the KVK Regulations. The Data Controller Representative carries out the correspondence and communication with the Institution.

15. PROCESS MANAGEMENT

Process management regarding the Protection of Personal Data within the company is provided by the employee, department and Data Controller Representative. In this context, the Data Controller Representative, who will ensure the implementation of the Policy and manage the Personal Data Protection process, is appointed by the decision of the Company management, and changes in this context are made in the same way.

16. CHANGES TO BE MADE IN THE POLICY

The Company shares the updated Policy text with the Data Owners via e-mail so that the changes made to the Policy can be reviewed and/or made available in a way that can be seen in the workplace and/or on a website that may be established in the future.

This Policy came into force after being approved by the management on 03.03.2020.