STD Transformer

Personal Data Protection and Processing Policy

SAMI TRAFO MAKINA INSAAT IMALAT TAAH. GENEL TIC. LTD. STI

Information Form

Document Name: Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti Personal Data Protection and Processing Policy

Target Audience: All natural persons whose personal data is processed by Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti

Prepared by: Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti Personal Data Protection Committee

Approved by: Sami DAĞSUYU

Effective Date: 23.12.2020

This document may not be reproduced or distributed without the written permission of Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti.

TABLE OF CONTENTS
CONCEPTS
SECTION I
  • INTRODUCTION
  • PURPOSE
  • SCOPE
  • ENFORCEMENT OF THE POLICY
SECTION II
  • General Principles for Processing Personal Data
  • Conditions for Processing Personal Data
  • Informing and Notifying the Data Subject
  • Processing of Special Categories of Personal Data
SECTION III
  • Personal Data Processed by Our Company
  • Groups of Individuals Whose Data is Processed by Our Company
  • Purposes of Processing Personal Data
  • Retention Periods of Personal Data
SECTION IV
  • Camera Surveillance Activities Conducted at the Entrance and Inside the Premises of Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti
SECTION V
  • Transfer of Personal Data
SECTION VI
  • Issues Related to the Protection of Personal Data
SECTION VII
  • Conditions for Deletion, Destruction, and Anonymization of Personal Data
SECTION VIII
  • Rights of Data Subjects, Methods for Exercising These Rights, and Evaluation Procedures
SECTION IX
  • Management Structure of the Personal Data Protection and Processing Policy
SECTION X
  • Technical and Administrative Measures Taken for the Security of Personal Data

CONCEPTS

Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated or carried out by non-automated means provided that it is part of a data recording system, including but not limited to the collection, recording, storage, retention, modification, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use of such data.

Data Subject: The natural person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable natural person.

Sensitive Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, attire, association, foundation, or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Data Controller: The person or entity that determines the purposes and means of processing personal data and manages the data recording system where data is systematically stored.

Erasure (Deletion): The process of making personal data completely inaccessible and unusable for relevant users.

Destruction: The process of making personal data completely inaccessible, irretrievable, and unusable by anyone.

Anonymization: The process of making personal data impossible to link to an identified or identifiable natural person, even when matched with other data. This method ensures that personal data cannot be reversed or re-associated with an identified or identifiable person through technical methods appropriate to the storage medium and the related field of activity.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by the data controller.

SECTION I

INTRODUCTION

The purpose of this regulation is to ensure the protection of personal data belonging to our customers, job applicants, employees, interns, suppliers, and visitors, as well as all other data classified as personal data, within the scope of Law No. 6698 on the Protection of Personal Data.

This Policy sets forth the principles adopted and implemented by our Company regarding the processing, protection, deletion, destruction, and anonymization of personal data.

PURPOSE

The purpose of this Policy is to inform individuals whose personal data may be processed by our Company about the lawfully conducted personal data processing activities and the processes adopted for data protection, as well as to establish the principles for the protection and processing of personal data.

SCOPE

This Policy applies to all personal data processed by our Company concerning natural persons.

ENFORCEMENT OF THE POLICY

This Policy, prepared and enacted by our Company, is published on our Company’s website and made accessible to data subjects through this means.

SECTION II

1- GENERAL PRINCIPLES FOR PROCESSING PERSONAL DATA

Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti complies with Article 4 of the Law on the Protection of Personal Data (KVKK) and adheres to the following principles when processing personal data.

1.1- Lawful and Fair Processing of Personal Data

The processing of personal data within Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti is conducted in compliance with legal regulations and the principles of good faith. In this regard, our Company processes only the necessary personal data to the extent required by the purposes of data processing.

1.2- Ensuring Accuracy and Updating Personal Data When Necessary

Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti takes the necessary measures to ensure that personal data is accurate and up to date, considering the fundamental rights of data subjects and the Company’s legitimate interests.

1.3- Processing for Specific, Explicit, and Legitimate Purposes

Before initiating any personal data processing activities, Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti clearly defines the purposes for which personal data will be processed.

1.4- Processing Data in a Relevant, Limited, and Proportionate Manner

Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti processes personal data only to the extent necessary for its business activities and in accordance with relevant legal regulations. The Company refrains from processing irrelevant or unnecessary personal data.

1.5- Retention for the Period Required by Legislation or Processing Purposes

Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti retains personal data only for the duration stipulated by relevant legislation or as required by the purpose of processing. In cases where the legislation prescribes a specific retention period, the Company complies with such requirements. If no specific period is stipulated, personal data is retained only for as long as necessary to achieve the processing purpose. Once the retention period expires or the reasons for processing no longer exist, personal data is deleted, destroyed, or anonymized by Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti. The Company does not retain personal data for potential future use without a justified purpose. Further details on this matter are provided in Section 7 of this Policy.

 

2- CONDITIONS FOR PROCESSING PERSONAL DATA

Our Company processes personal data only in cases stipulated by law or with the explicit consent of the data subject.

Personal data may be processed if one of the following conditions is met:

2.1- Presence of the Data Subject’s Explicit Consent

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be provided for a specific subject, based on informed decision-making, and given voluntarily.

2.2- Explicitly Stipulated by Law

If the processing of personal data is explicitly stipulated by law, such processing may be carried out lawfully.

2.3- Inability to Obtain Consent Due to Actual Impossibility

If the data subject is unable to provide consent due to an actual impossibility, or if their consent cannot be deemed legally valid, and if the processing of personal data is necessary to protect the life or physical integrity of the data subject or another person, the data may be processed.

2.4- Necessity for the Establishment or Performance of a Contract

If the processing of personal data belonging to the parties of a contract is necessary for the establishment or performance of the contract, personal data may be processed.

2.5- Compliance with Legal Obligations

If the processing of personal data is necessary for our Company, as the data controller, to fulfill its legal obligations, the personal data of the data subject may be processed.

2.6- Public Availability of the Data Subject’s Personal Data

If the data subject has made their personal data publicly available, the data may be processed to the extent required by the intended purpose.

2.7- Necessity for the Establishment, Exercise, or Protection of a Right

If the processing of personal data is necessary for the establishment, exercise, or protection of a right, the personal data of the data subject may be processed.

2.8- Necessity for the Legitimate Interests of the Data Controller

If personal data processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject, the personal data may be processed.

3- INFORMING AND NOTIFYING THE DATA SUBJECT

Our Company provides information regarding the purposes for which personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal basis for collecting personal data, as well as the rights of the data subject. (See: Privacy Notice)

4- PROCESSING OF SPECIAL CATEGORY PERSONAL DATA

Our Company complies with the regulations stipulated in the Personal Data Protection Law (KVKK) when processing personal data classified as special category under the law.

These special category personal data include:

  • Race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs
  • Appearance and attire
  • Membership in associations, foundations, or trade unions
  • Health and sexual life
  • Criminal convictions and security measures
  • Biometric and genetic data

Our Company processes special category personal data only under the following conditions, with necessary precautions taken:

  • If the data subject has provided explicit consent
  • If the data subject has not provided explicit consent, only in cases stipulated by law

However, personal data related to health and sexual life can only be processed with the explicit consent of the data subject.

SECTION III
PERSONAL DATA PROCESSED BY OUR COMPANY

The personal data processed by our Company are listed below. However, the specific personal data processed for each data subject may vary depending on factors such as the nature of the relationship between the data subject and our Company, as well as the communication channels used.

 

PERSONAL DATA: DESCRIPTION

  • Identity: Name-surname, Turkish ID number, date/place of birth, gender, nationality, age, marital status, as well as documents such as ID photocopy and signature.
  • Contact Information: Home address, home and mobile phone numbers, email address, residence certificate, and similar data.
  • Physical Space Security: Security camera recordings taken at Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti.
  • Financial: Bank account details.
  • Visual Records: Photograph.
  • Personnel: Employment start date, number of working days, Social Security (SGK) number, contract date, payroll data, job title, military service document, family status declaration form, family and next of kin information, driver’s license photocopy, resume data, leave information, assignment documents, mandatory internship certificate, student number, internship start and end dates, school information, department, HES code.
  • Legal Transactions: Personal data contained in case files and correspondence with judicial authorities.
  • Location: Vehicle tracking system records of company vehicles.
  • Professional Information: Graduated school, work experience, job role, education level, profession, graduation and diploma information, foreign language proficiency, certification/course details, department of employment.
  • Customer Transactions: Invoice details, discount amounts, product price and quantity.
  • Special Category Personal Data: Data specified under Article 6 of the Personal Data Protection Law (KVKK) (e.g., blood type, other health data, and criminal record).
  • Other: HES Code

GROUPS OF INDIVIDUALS WHOSE DATA IS PROCESSED BY OUR COMPANY

Our Company processes the personal data of employees, employee candidates, interns, suppliers, customers, visitors, workplace physicians, occupational safety experts, and other service providers.

PURPOSES OF PROCESSING PERSONAL DATA

Your personal data is processed by our Company for the following purposes:

  • Execution of goods/services procurement and sales transactions,
  • Carrying out after-sales support, maintenance, and repair activities,
  • Performing finance and accounting operations,
  • Managing employee recruitment and application processes,
  • Executing personnel affairs of employees,
  • Conducting intern selection and placement processes,
  • Fulfilling contractual and legal obligations,
  • Ensuring business continuity,
  • Managing corporate governance activities,
  • Providing information to authorized persons, institutions, and organizations,
  • Ensuring the continuation of communication activities,
  • Protecting public health and implementing COVID-19 precautions,
  • Fulfilling occupational health and safety obligations,
  • Ensuring workplace audits and maintaining physical space, life, and property security.

Personal data will be processed on the basis of:

  • Compliance with legal obligations,
  • The necessity of processing personal data within the scope of an established contractual relationship,
  • The necessity of data processing for the establishment, exercise, or protection of a legal right,
  • The explicit provisions of the law,
  • The personal data having been made public by the data subject,
  • The necessity of processing personal data for the legitimate interests of our Company, provided that fundamental rights and freedoms of the data subject are not violated,
  • Or the explicit consent of the data subject.

RETENTION PERIODS FOR PERSONAL DATA

Our Company retains personal data for the period stipulated in the relevant legislation or for as long as necessary for the purpose for which they are processed.

If no specific retention period is defined in the legislation, personal data is retained for as long as required by the nature of the processing activity, taking into account the Company’s internal policies and commercial practices.

Once the purpose of processing personal data has been fulfilled and the statutory or Company-defined retention periods have expired, the data may only be retained for the purposes of serving as evidence in potential legal disputes or for the establishment, exercise, or defense of a legal claim. The retention periods in such cases are determined based on statutory limitation periods and past claims directed at the Company on similar matters.

During this retention period, access to the stored personal data is strictly limited, and the data can only be accessed if necessary in the event of a legal dispute. After the expiration of this period, the personal data is deleted, destroyed, or anonymized.

SECTION IV
CAMERA SURVEILLANCE ACTIVITIES AT SAMİ TRAFO MAKİNA İNŞAAT İMALAT TAAH. GENEL TİC. LTD. ŞTİ PREMISES AND FACILITY ENTRANCES

Our Company conducts camera surveillance in designated areas to ensure the security of the facility and individuals, while avoiding unnecessary intrusion into personal privacy. The camera surveillance activities carried out by our Company comply with the Personal Data Protection Law (KVKK).

Information regarding camera surveillance is provided through the publication of this policy on our website, as well as through signage and notices placed in surveillance areas.

The locations, number of security cameras, and recording times are determined in accordance with security needs and are limited to the intended purpose. To ensure the security of the personal data obtained through camera surveillance, necessary technical and administrative measures are implemented.

Personal data obtained through camera surveillance is retained for 15 days.

Live camera footage and recorded digital data can only be accessed by a limited number of Company employees. Employees with access to such data are bound by a confidentiality agreement, ensuring that they uphold the confidentiality of the data they access.

SECTION V
TRANSFER OF PERSONAL DATA

The third parties to whom personal data may be transferred vary depending on the nature and type of the relationship between the data subject and Sami Trafo Makina İnşaat İmalat Taah. Genel Tic. Ltd. Şti. However, in general, personal data may be transferred to the following entities:

  • In compliance with the Social Security Law, Labor Law, Turkish Commercial Code, Income Tax Law, and Identity Notification Law, personal data may be shared with institutions such as the Social Security Institution (SGK), the Turkish Employment Agency (İŞKUR), the Revenue Administration, law enforcement agencies, and judicial authorities if necessary, as well as other individuals, institutions, and organizations permitted by legal regulations.
  • To the extent legally authorized and limited to the requested purpose, personal data may be transferred to our attorney, mediator, customs consultant, incentive consulting firms, KOSGEB (Small and Medium Enterprises Development Organization of Turkey), and, in connection with and limited to the intended purpose, to companies receiving sales, maintenance, and repair services, banks providing services, occupational physician, occupational safety specialist, educational institutions for internship purposes, and other service providers.

SECTION VI
MEASURES FOR THE PROTECTION OF PERSONAL DATA

Our Company takes the necessary technical and administrative measures to prevent the unlawful processing of personal data, unauthorized access to such data, and to ensure their secure storage. In this context, necessary audits are conducted or commissioned.

Pursuant to Article 12 of the Personal Data Protection Law (KVKK), our Company has taken the following security measures to ensure the protection of personal data:

  • Our Company implements technical and administrative measures appropriate to technological capabilities and operational costs to ensure the lawful processing of personal data.
  • Employees are informed that they cannot disclose any personal data they acquire in violation of KVKK provisions, nor can they use such data for purposes other than processing. They are also required to sign confidentiality agreements, which remain binding even after their employment ends.
  • Our Company provides necessary training to raise awareness regarding the prevention of unlawful processing and access to personal data, as well as ensuring its secure storage.
  • Our Company takes the necessary technical and administrative measures to store personal data in secure environments and to prevent unauthorized destruction, loss, or alteration of such data for unlawful purposes.

SECTION VII
CONDITIONS FOR DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

As stipulated in Article 7 of the Personal Data Protection Law (KVKK), even if personal data has been processed lawfully in accordance with the relevant legal provisions, it shall be deleted, destroyed, or anonymized by our Company within a maximum period of six months if the reasons requiring its processing cease to exist.

If all conditions for processing personal data no longer apply, our Company shall delete, destroy, or anonymize the personal data upon the request of the data subject. Our Company shall finalize the request within thirty days at the latest and inform the data subject accordingly.

In accordance with Article 28 of KVKK, anonymized personal data may be processed for purposes such as research, planning, and statistics. Since such processing falls outside the scope of KVKK, explicit consent of the data subject is not required.

SECTION VIII
RIGHTS OF DATA SUBJECTS, METHODS OF EXERCISING THESE RIGHTS, AND EVALUATION PROCESS

Our Company ensures the necessary channels, internal procedures, and administrative and technical regulations are in place to evaluate the rights of data subjects and provide the necessary information to them in compliance with Article 13 of KVKK.

Data subjects have the following rights:

  • To learn whether their personal data is being processed,
  • If personal data has been processed, to request information regarding such processing,
  • To learn the purpose of processing personal data and whether the data is used in accordance with that purpose,
  • To know the third parties to whom personal data is transferred, whether domestically or abroad,
  • If personal data is incomplete or inaccurate, to request its correction and to request that third parties to whom the data has been transferred be notified of such correction,
  • Even if personal data has been processed in accordance with KVKK and other relevant laws, to request the deletion or destruction of personal data if the reasons requiring its processing cease to exist, and to request that third parties to whom the data has been transferred be notified of such actions.

SECTION IX
MANAGEMENT STRUCTURE OF THE PERSONAL DATA PROTECTION AND PROCESSING POLICY

Our Company establishes the necessary management structure to fulfill its obligations under the Personal Data Protection Law (KVKK) and to implement this Policy, with the aim of carrying out the following functions:

  • Preparing and submitting fundamental policies and amendments related to the protection and processing of personal data for approval by senior management,
  • Determining how policies will be implemented and monitored, making assignments among employees accordingly, and submitting these assignments for approval by senior management,
  • Identifying necessary actions to ensure compliance with KVKK and relevant regulations, submitting them for approval by senior management, overseeing implementation, and ensuring coordination,
  • Raising awareness among Company employees regarding the protection and processing of personal data,
  • Identifying potential risks in personal data processing activities, ensuring necessary measures are taken, and submitting improvement proposals for approval by senior management,
  • Designing and implementing training programs on personal data protection and policy enforcement,
  • Responding to data subjects’ requests within the prescribed timeframes,
  • Managing relations with the Personal Data Protection Authority (KVKK Authority).

A committee is established as part of this management structure. The composition and distribution of responsibilities within this committee are determined by the Company’s senior management. In addition to the tasks outlined above, additional duties and responsibilities may be assigned to the committee or designated personnel based on the Company’s needs and the nature of its operations.

SECTION X
TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE SECURITY OF PERSONAL DATA

Our Company takes the necessary administrative and technical measures to ensure the lawful and secure storage of personal data. Accordingly:

  • Access rights of employees who change positions or leave the company are revoked.
  • Personal data is minimized as much as possible.
  • Disciplinary regulations containing data security provisions are in place for employees.
  • Employees receive regular training and awareness programs on data security.
  • Corporate policies on data usage, storage, and disposal have been established and implemented.
  • Confidentiality agreements are signed.
  • Contracts include data security provisions.
  • Necessary security measures are taken for entry and exit control in physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • Data processors and service providers are made aware of data security.
  • Network security and application security are ensured.
  • Security measures are implemented for the procurement, development, and maintenance of IT systems.
  • An authorization matrix has been created for employees.
  • Up-to-date antivirus systems are used.
  • Firewalls are utilized.
  • Personal data is backed up, and the security of backups is also ensured.
  • User account management and access control systems are implemented and monitored.
  • Existing risks and threats have been identified.
  • Intrusion detection and prevention systems are in use.
  • Penetration testing is conducted.
  • Cybersecurity measures have been implemented and are continuously monitored.
  • Encryption is used.
  • Sensitive personal data transferred via portable storage devices (USB), CDs, or DVDs is encrypted.
  • Data loss prevention (DLP) software is in use.