The Policy of Personal Data Protection and Processing
CHAPTER 1 – INTRODUCTION
The Policy of Personal Data Protection and Processing was established in order to ensure that the personal data processing operations performed by our Company comply with the regulations included in the Personal Data Protection Law no 6698.
This Policy is about all the personal data of our Company’s employees and other persons, processed in a completely or partially automatic way or not automatic way being a part of any data entry system.
Practice of the Policy and the Relevant Legislation
The legal regulations effective in personal data processing and protection shall apply in the first place. In the event that there is a dispute between the effective legislation and the Policy, our Company agrees that the effective legislation shall apply. The Policy regulates the rules stipulated by the relevant legislation by embodying them within the scope of the Company practices.
Effect of the Policy
The effective date of the Policy of Personal Data Protection and Processing is 25.11.2019.
CHAPTER 2 – ISSUES RELATED TO PERSONAL DATA PROTECTION
Ensuring Security of Personal Data
Our Company, in accordance with Clause 12 of the Law, takes the necessary technical and administrative actions according to the nature of the data to be protected, and makes and procures the necessary audits within this scope in order to prevent illegal disclosure, access to or transfer of personal data or potential security flaws occurring otherwise.
Sensitive Personal Data Protection
Some personal data is attributed special importance by law because of the risk of causing personal victimization or discrimination in case of illegal processing. This is the data about race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance, membership to associations, foundations or unions, health, sexual life, punishment and security measures, and the biometric and genetic data.
Our Company acts sensitively in protection of sensitive personal data determined as “sensitive” by law and processed as per the law. Units are provided with the necessary trainings in order to prevent illegal processing of personal data and illegal access to personal data, and to raise awareness about ensuring protection of personal data. Within the scope of the Personal Data Security;
- All processes related to the data processing operations are analysed based on the work units, and subject to the analysis, things to do to ensure compliance with law are determined based on units,
- Personal data processing processes are audited through to-be-developed technical systems and reported to whom it may concern,
- Employees are informed about lawful personal data processing and the sanctions against unlawful personal data processing,
- Records are included in agreements and documents made with employees, business partners, suppliers and customer, related to confidentiality of shared personal data and the way required in processing and storing it,
- Access to personal data is limited to employees working for the purpose of processing,
- Relevant technical personnel are employed,
- Technologically appropriate technical measures are taken to prevent access to the systems and locations where personal data is stored, and the measures taken are periodically updated,
- Relevant software and systems are installed including the software and hardware involving the virus protection systems and the firewalls,
- Commitment is taken from employees, which shall be maintained after leaving a job, that they shall not disclose the learnt personal data to others contrary to the provisions of PDPL or use it for purposes other than processing,
- Backup programs are used in accordance with the law to ensure that personal data is stored in a secure way, and
- In case of any external service is procured due to technical requirements related to storing of personal data, agreements made with relevant companies to which personal data is lawfully transferred include provisions that persons transferred personal data to shall take the necessary security measures to protect personal data and ensure that these measures are obeyed in their own organizations.
CHAPTER 3 – ISSUES RELATED TO PERSONAL DATA PROCESSING
Our Company, in personal data processing, acts in accordance with the principles stipulated by legal regulations and the general trust and honesty rule, and takes the necessary measures to keep the personal data correct and updated as long as it is processed, and establishes the necessary mechanisms to ensure the correctness and up-to-dateness of the personal data for certain periods. Within this framework, personal data is processed to the extent our Company’s business operations require and as limited to the same.
Our Company, in the event that it is stipulated in relevant laws and legislations, stores personal data during the term stated in these legislations.
Unless a term is regulated in the legislation related to how long to store personal data, it is processed for a period of time required for processing as per our Company’s practices and the commercial life’s practices depending on the services provided by our Company when processing that data, and then deleted, eliminated or anonymized.
In the event that the purpose of personal data processing has ended and the periods of storage determined by the relevant legislation and the Company have expired, personal data may only be stored for constituting evidence in potential legal disputes, or claiming a relevant right related to personal data, or establishing defence. Periods of storage are determined by grounding on the periods of limitation for claiming a mentioned right in establishing these periods and on the examples in the previous claims against our Company in the same respect despite the expiry of the periods of limitation. Then, the stored personal data is not accessed for any other purpose, and however, the relevant personal data is accessed when required to be used in the relevant legal dispute. After the mentioned period expires, the personal data is deleted, eliminated or anonymized.
Ground for personal data processing may be one or more of the requirements of ‘Open Consent of Personal Data Owner, Express Stipulation in Laws, No Open Consent of the Relevant Person due to De Facto Impossibility, Direct Relation with Establishment or Performance of the Contract, Company’s Performance of its Legal Responsibility, Publicizing of the Personal Data by the Personal Data Owner, Compulsory Data Processing for Establishment or Protection of a Right, Compulsory Data Processing for Our Company’s Legitimate Interest’ for the same personal data processing work.
Our Company, in accordance with Clause 10 of the Law and the secondary legislation, enlightens personal data owners. Within this scope, it informs the relevant persons about who, as a data supervisor, the personal data is processed by for what purposes, who it is shared with for what purposes, what ways it is collected in, and the legal reason for it, and the data owners’ gained rights within the scope of personal data processing.
Our Company may transfer to third persons (third person companies, public and private authorities, third real persons) a personal data owner’s personal data and sensitive personal data by taking the necessary security measures for the purpose of lawful personal data processing. Our Company acts in accordance with the regulations stipulated in Clause 8 of the Law for this purpose.
Even if in absence of open consent of a personal data owner, the personal data may be transferred to third persons by taking the necessary care and taking all the necessary security measures by our Company in the event of presence of one or more of the below-provided requirements.
- Open stipulation, in laws, of relevant activities related to transfer of personal data,
- Direct relation of and necessity with transfer of personal data by the Company with establishment or performance of a contract,
- Obligation to transfer personal data for performance of legal liability of our Company,
- Limited transfer of personal data by our Company for the purpose of publicizing provided that it has been publicized by the data owner,
- Obligation to transfer personal data by the Company for establishment, use or protection of rights of the Company or the data owner or third persons,
- Without prejudice to the fundamental rights and freedoms of the data owner, obligation of the Company to engage in transfer personal data for the legitimate interests of the Company, and
- Compulsion for protection of one’s own or others’ life or physical integrity, who is not able to declare his consent due to de facto impossibility or whose consent is not granted legal validity.
In addition to the above points, personal data may be transferred to Countries with Adequate Protection in the event of presence of one of the above-listed requirements. In the event of absence of adequate protection, it may be transferred to Countries with a Data Supervisor Guaranteeing Adequate Protection in accordance with the data transfer requirements stipulated in the legislation.
At our Company, personal data is processed by informing the relevant persons as per Clause 10 of the Law and the secondary legislation, for the purposes of our Company’s personal data processing, based on and limited to at least one of the personal data processing requirements states in Clauses 5 and 6 of the Law, and in accordance with the general principles stipulated in the Law, the principles mentioned in Clause 4 of the Law related to personal data processing being in the first place.
Our Company stores personal data in accordance with the minimum terms required for the purpose of processing and stipulated in the legal legislation any relevant activity is subject to. Within this scope, our Company firstly determines whether any term is stipulated for personal data storage in the relevant legislation, and then it acts in accordance with that term, if stipulated any. In the event of absence of any legal term, personal data is stored for the term required for the purpose of processing.
As regulated in Clause 7 of the PDP Law, personal data is annihilated through methods of annihilation (deleting and/or eliminating and/or anonymizing) determined according to the periodical terms of annihilation, our Company’s option or the request by a personal data owner at the end of the determined terms of storage in the event that reasons requiring processing have disappeared even though it has been processed in accordance with the provisions of the relevant law.
Anonymizing of personal data means making it impossible to associate it with an identified or identifiable real person in any way even by matching with other data. Our Company may anonymize personal data, which has been processed according to law, when reasons requiring processing have disappeared.
CHAPTER 4 – RIGHTS OF PERSONAL DATA OWNERS AND USE OF THESE RIGHTS
Rights of Personal Data Owners
Personal data owners have the rights listed as follows:
- To learn whether their personal data has been processed,
- In the event that their personal data has been processed, to request information about it,
- To learn the purpose of personal data processing and whether it is used for the intended purpose,
- To know the domestic or foreign third persons personal data is transferred to,
- In the event that personal data is processed incompletely or wrongly, to request it to be corrected and to request the proceeding performed within this scope to be notified to the third persons the personal data has been transferred to,
- To request the personal data to be deleted or eliminated in case of disappearing of the reasons requiring processing even though it has been processed in accordance with the relevant law and the other provisions of law, and to request the proceeding performed within this scope to be notified to the third persons the personal data has been transferred to,
- To object to any result against them by the way of analysing the processed data by means of automatic systems exclusively, and
- To request indemnification in the event of damage because of unlawful personal data processing.
Personal data owners need, subject to paragraph one of clause 13 of the PDP Law, to submit to us their requests related to their above-listed rights in written for applications to be made to our Company, which is the Data Supervisor, or by using the other methods determined by the Committee for Personal Data Protection (“Committee”). Within this framework, applications to be made to our Company “in written” shall be submitted to us by sending them;
- Together with the personal application of the Applier,
- By means of a notary public,
- To the Company’s registered electronic mail address by signing with a “secure electronic signature”, by the Applier, described in the Electronic Signature Act no 5070.
Our contact details are as follows to help you use this right.
Title: TEMSAN YAPI VE MAKİNA ENDÜSTRİ A. Ş.
Central Registration System Number: 0838004703200016
Our Company may request information from the relevant person in order to determine whether the applier is the personal data owner.
Our Company may pose questions about the personal data owner about their application in order to clarify the issues found in the personal data owner’s application.
In the event that a personal data owner duly submits to our Company their request for the afore-mentioned rights, our Company shall conclude for free the relevant request as soon as possible and within not later than 30 (thirty) days depending on the type of the application. However, in the event that the proceeding requires an additional cost, the fee in the price list set out by the Committee for Personal Data Protection shall be received.
Our Company may reject an applier’s application by justification in the event of;
- Personal data processing intended for research, planning, and statistics by the way of anonymizing by means of official statistics,
- Personal data processing intended for art, history, literature or science, or within the scope of freedom of speech without violating the national defence, the national security, the public security, the public order, the economic security, the right of privacy or the personality rights, or without constituting any crime,
- Personal data processing within the scope of preventive, protective and intelligence operations carried out by public institutions and organizations assigned and authorized by law in order to ensure the national defence, the national security, the public security, the public order or the economic security,
- Personal data processing by judicial authorities or enforcement offices in connection with the proceedings of investigations, prosecutions, trials or enforcements,
- Personal data processing required for prevention of committals or for criminal investigations,
- Request by the personal data owner for the personal data anonymized by the self of the personal data owner,
- Personal data processing required for carrying out the duties of auditing or regulating as well as disciplinary investigations or prosecutions by assigned and authorized public institutions and organizations as well as professional organizations having the characteristics of a public institution based on the authority granted by the law,
- Personal data processing required for protection of the Government’s economic and financial interests in connection with budgets, taxes and financial issues, or
- Probability that a personal data owner’s request will prevent others’ rights and freedoms.
CHAPTER 5 – PURPOSE AND EXCEPTIONS OF PERSONAL DATA PROCESSING
Personal Data is processed in order to:
- Ensure the execution of the human resources policies,
- Ensure the legal and commercial security of our Company and the persons in a business relationship with our Company, and
- Observe the legal requirements for and the legitimate interests of our employees.
- Personal data shall be processed to carry out our business operations in order to determine and apply trade and business strategies in accordance with the requirements and purposes of personal data processing specified in clauses 5 and 6 of the Law no 6698.
Our Company engages, in accordance with clause 10 of the Law, in operations of personal data processing in order to track guest entries and exits by monitoring with security cameras at its buildings and facilities for the purpose of ensuring security by enlightening the personal data owner with more than one method of monitoring with cameras and by processing personal data in connection with, limited to and with the extent to the intended purpose in accordance with clause 4 of the Law.
Monitoring is not performed in areas (for example, toilets) where it might result in interventional consequences in a way that exceeds the person’s privacy and security purposes.
A limited number of employees have access to live camera images and records taken and stored in the digital environment. The limited number of persons with access to the records declare that they shall protect the confidentiality of the data they have access to under a declaration of confidentiality.
Our Company engages in operations of personal data processing for purposes of ensuring security and for purposes specified in this Policy at its buildings and facilities in order to track the guests’ entries and exits. The data obtained in order to track the guests’ entries and exits is only processed for this purpose, and the relevant personal data is recorded in the data entry system in the physical environment.
CHAPTER 6 – MANAGEMENT PRINCIPLES OF PERSONAL DATA PROTECTION AND PROCESSING
A “Committee for Personal Data Protection” was established within the Company in order to manage this Policy and the other related policies. The Committee President was determined as the Deputy Director General of Administration, and the Members as the Accounting Director, the Human Resources Director, the Purchasing and Quality Assurance Director, the Offer Preparation Director and the personnel employed in the staff of Computer Technicians. Duties of this committee are to:
- Prepare the fundamental policies related to Personal Data Protection and Processing, and submit them to the approval of the top management to put into effect,
- Decide how to perform the application and audit of the policies related to Personal Data Protection and Processing, and submit to the approval of the top management the issues of assigning persons within the company within this framework and ensuring coordination,
- Determine the activities requiring to be conducted in order to ensure compliance with the relevant legislation related to the Personal Data Protection Law and submit to the approval of the top management the things to do, and observe how these are applied and ensure their coordination,
- Raise awareness within the Company and at the institutions the Company is in cooperation with in connection with Personal Data Protection and Processing,
- Ensure that necessary measures are taken by determining the potential risks in the personal data processing operations of the Company, and submit to the approval of the top management the suggestions of improvement,
- Design and implement trainings for personal data protection and application of policies,
- Resolve applications of personal data owners at the highest level,
- Coordinate the implementation of informative and training activities in order to ensure that personal data owners are informed about the personal data processing operations and their legal rights,
- Prepare the amendments in the fundamental policies related to Personal Data Protection and Processing, and submit them to the approval of the top management to put into effect,
- Follow the developments and regulations in the subject of Personal Data Protection, and provide the top management with suggestions on the things to do within the Company in accordance with these development and regulations,
- Coordinate the relationships with the Committee and the Institution of Personal Data Protection, and
- Perform the other duties to be assigned by the Company’s top management for personal data protection.