AKC MOBİLYA ORMAN ÜRÜNLERİ TURİZM İNŞAAT İTHALAT İHRACAT SANAYİ TİCARET LİMİTED ŞİRKETİ
PROCESSING AND PROTECTION OF PERSONAL DATA POLICY
1. PURPOSE AND SCOPE
Akc Mobilya Orman Ürünleri Turizm İnşaat İthalat İhracat Sanayi Ticaret Limited Şirketi (“Company”), which has adopted the utmost care in compliance with the legal order from its past to the present, establishes systems for the execution of all kinds of activities necessary for compliance with the legislation on the processing and protection of personal data and attaches great importance to privacy.
The Personal Data Processing and Protection Policy (“KVK Policy”) regulates the principles adopted by our Company in the processing and protection of personal data. In this context, it is aimed to establish the necessary system and order to ensure compliance with the personal data protection legislation in the Company's activities, to increase awareness about the protection of personal data within the Company, to prevent unlawful personal data processing and unlawful access to personal data.
In line with the importance our company attaches to the protection of personal data, the basic principles regarding the compliance of the KVK Policy and the activities carried out by our Company with the regulations in the Personal Data Protection Law No. With the implementation of the KVK Policy regulations, the data security principles adopted by our Company will be made sustainable.
This Policy; Our employee candidates, employees, shareholders/partners, interns, customers, potential customers, suppliers, company officials and employees we cooperate with, our visitors (as well as our website online visitors) fully or partially automated or provided that they are part of any data recording system It relates to all personal data processed by non-automatic means and to groups of persons whose personal data are processed.
2. ROLES AND RESPONSIBILITIES
In the implementation of the regulations, procedures, guides, standards and training activities prepared in accordance with the KVK Policy within our Company, the Accounting Unit advice resource and guide; The General Manager of the Company will also be the KVK Responsible. All of our employees and stakeholders throughout the company are obliged to cooperate with the Accounting Unit teams in order to prevent legal risks and imminent danger, together with compliance with the KVK Policy.
The duties of the KVK Officer are as follows:
- To prepare the basic policies regarding the processing and protection of personal data and, if necessary, to prepare and submit them to the approval of the Board of Directors,
- To decide how to implement and control the policies regarding the processing and protection of personal data, and within this framework, to assign and coordinate within the company, (or to submit these issues to the approval of the Board of Directors)
- To determine the issues to be done in order to ensure compliance with the KVK Law and the relevant legislation and to submit the necessary actions to the approval of the Board of Directors,
- To carry out the necessary studies to raise awareness within the Company and among the business partners of the Company on the processing and protection of personal data,
- To determine the risks that may arise in the personal data processing activities of the company, to ensure that the necessary measures are taken, to submit the improvement proposals to the approval of the Board of Directors,
- To design and implement trainings on the protection of personal data and the implementation of policies,
- To decide and finalize the applications of personal data owners,
- To follow the developments and regulations on the protection of personal data, to advise the Board of Directors on what should be done within the Company in accordance with these developments and regulations,
- Coordinating relations with KVK Institution and KVK Board,
- To perform other duties assigned by the Board of Directors regarding the protection of personal data.
3. POLICY PRINCIPLES
3.1. BASIC PRINCIPLES
In order to ensure and maintain compliance with the personal data protection legislation, our company adopts the basic principles listed below and also specified in the KVK Law:
3.1.1. Processing personal data in accordance with the law and honesty rules
Our company carries out its personal data processing activities in accordance with the legislation on the protection of personal data, the law and honesty rules, especially the Constitution of the Republic of Turkey.
3.1.2. Ensuring the accuracy and up-to-dateness of the personal data processed
Our company ensures the accuracy and up-to-dateness of the personal data it processes, takes the necessary administrative and technical measures within this framework, and carries out the necessary processes. In this context, it operates mechanisms to correct and confirm the accuracy of personal data of personal data owners in case of inaccuracy.
3.1.3. Processing personal data for specific, explicit and legitimate purposes
Our company clearly and precisely determines the purpose of processing personal data, which is legitimate and lawful. Our company processes personal data in connection with the service it provides and as much as is necessary for them. The purpose for which personal data will be processed by our company is determined before starting the data processing activity.
3.1.4. Processing personal data in a limited and measured way in connection with the purpose for which they are processed
Our company processes personal data in connection with data processing purposes and as necessary for the performance of these services. Our company processes personal data in a way that is suitable for the realization of the legitimate purposes it has determined, and does not process personal data that is not suitable for the realization of its purposes or is not needed. Again, it does not process personal data for needs that are not needed at the moment but that are likely to arise in the future.
3.1.5. Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed.
Our company retains personal data for a limited period of time stipulated in the relevant legislation or required by the purpose of data processing. In this respect, the time limit arising from legislation such as Contract Legislation, Labor Legislation, Trade Legislation, Tax Legislation, Occupational Health and Safety Legislation is complied with. Our company deletes, destroys or anonymizes personal data in the event that the period stipulated in the legislation expires or the reasons requiring the processing of personal data disappear.
3.2. PERFORMING PERSONAL DATA PROCESSING ACTIVITIES IN ACCORDANCE WITH DATA PROCESSING CONDITIONS
While processing personal data within our company, we comply with the data processing conditions determined in the 5th and 6th articles of the KVK Law and the Regulation on the Processing of Personal Health Data, provided that the above-mentioned basic principles are complied with.
In this direction, it is determined whether the said data processing conditions exist in terms of personal data processing activities; In the absence of the conditions, personal data is not processed. Accordingly, in Article 20 of the Constitution and Articles 5 and 6 of the KVK Law, personal data can be processed with the explicit consent of the person concerned. However, the explicit consent of the personal data owner is only one of the legal bases that makes it possible to process personal data in accordance with the law. Apart from express consent, personal data may also be processed in the presence of one of the other conditions listed below. There may be only one of these conditions, or more than one of them may be the basis for the processing of the same personal data.
Although the legal reasons for the processing of personal data by our company differ, the above-mentioned basic principles are followed in all personal data processing activities.
By our company; Personal data is processed based on the conditions listed below for legal reasons in Article 5 of the KVK Law.
- Explicit consent of the person whose personal data is processed,
- Clearly stipulated in the law,
- Being directly related to the establishment or performance of a contract,
- It is compulsory for the company to fulfill its legal obligations,
- It has been made public by the person concerned,
- It is compulsory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Among the legal reasons listed in Article 6 of the KVK Law;
- Explicit consent of the person whose personal data is processed,
- Clearly stipulated in the law,
- Personal data is processed based on the conditions of processing by the workplace physician for the purpose of medical diagnosis and treatment.
Within the scope of the processing of personal data, our company complies with the Constitution of the Republic of Turkey, the Turkish Penal Code, the KVK Law and other relevant legislation and the rules set forth in the KVK Policy.
3.3. PERSONAL DATA TRANSFER ACCORDING TO THE TRANSFER CONDITIONS
The condition of transferring personal data, like the processing of personal data, is subject to the explicit consent of the data subject. However, the KVK Law also allows for the transfer of personal data without seeking the explicit consent of the person concerned, in cases where personal data can be processed without seeking explicit consent. In this context, some personal data processed by our Company are sent to SGK and Other Authorized Institutions and Organizations, to the Bank with which the Private Pension Agreement is made, to the Bank from which Salary is received, to the Company's Contracted Lawyer, to the Contracted Financial Advisor, to the Contracted Consulting Firm, to the Group Company, to the Contracted Travel Agency, to the Contracted Car Rental Firm, It can be transferred to the Contracted Supplier Company. Personal data transfers made by our company (actively sharing personal data with third parties or making personal data accessible to third parties) comply with the personal data transfer conditions regulated in Article 8 of the KVK Law.
3.4. ENSURING THE SECURITY OF PERSONAL DATA
Our company takes all necessary measures, within the possibilities, according to the nature of the data to be protected, in order to prevent the unlawful processing, disclosure, transfer of personal data, illegal access to personal data or any other security deficiencies that may occur.
In this context, the following administrative and technical measures are implemented.
3.4.1. Administrative Measures
- There are Disciplinary Regulations Containing Data Security Provisions for Employees,
- Training and Awareness Studies on Data Security for Employees are carried out at certain intervals,
- Authorization Matrix Has Been Created for Employees,
- Institutional Policies on Access, Information Security, Use, Storage and Disposal have been Prepared and Implemented,
- Confidentiality Commitments Are Made,
- Signed Contracts Contain Data Security Provisions,
- Personal Data Security Policies and Procedures Have Been Determined,
- Personal Data Security Issues Are Reported Quickly,
- Personal Data Security is Followed,
- Necessary Security Measures are Taken Regarding Entry and Exit to Physical Environments Containing Personal Data,
- The Physical Environment Containing Personal Data is Secured Against External Risks (Fire, Flood, etc.),
- The Security of Environments Containing Personal Data is Provided,
- Personal Data Is Reduced As Much As Possible,
- In-house Periodic and/or Random Inspections are and are made.
- Current Risks and Threats Identified,
- Protocols and Procedures Regarding the Security of Special Quality Personal Data have been Determined and Implemented.
3.4.2. Technical Measures
- A closed system network is used for personal data transfers via the network.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- Current anti-virus systems are used.
- Firewalls are used.
- Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- Existing risks and threats have been identified.
- If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.
- Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
- Personal data transferred in portable memory, CD and DVD media are encrypted and transferred.
- Data processing service providers are periodically audited on data security.
- Awareness of data processing service providers on data security is provided.
- Data loss prevention software is used.
3.4.3. Audit Activities on Protection of Personal Data
The compliance, functioning and effectiveness of the technical measures, administrative measures and practices taken by our company within the scope of protection and security of personal data with the relevant legislation, policies, procedures and instructions are audited by the Accounting unit. The accounting unit can perform the said audit activity through its own organization or outsource audit firms.
The results of the audit activities performed should be reported to the managers of the Accounting, Marketing, Customer Relations, Information Processing Units and the Board of Directors. It is the primary responsibility of the process owners to regularly monitor the planned actions regarding the audit results. The accounting unit also monitors the actions within the scope of this report, performs verification tests and audits.
Activities that will enable the development and improvement of the measures taken regarding the protection of data, without being limited to the audit results, are carried out by the relevant executive units of our Company.
3.4.4. Measures to be Taken in Case of Unlawful Disclosure of Personal Data
In the event that the personal data processed by our company is obtained by unauthorized persons unlawfully, the situation is reported to the KVK Board and the relevant data owners without delay (within 72 hours at the latest). In case the Data Owners cannot be reached directly, the data breach notification is published on our Company's website.
Necessary actions and notifications are made by the KVK Officer of our company within the framework of the procedures and principles determined in the announcement of the KVK Board dated 24.01.2019 and numbered 2019/10 regarding the data breach.
3.5. OBLIGATIONS REGARDING PERSONAL DATA PROCESSING ACTIVITY
Our company undertakes to comply with the obligations stipulated by the KVK Law for data controllers in personal data processing activities. The main points to be followed in this context are listed below:
3.5.1. Obligation to Register and Notify the Data Controller Registry
Our company has been registered with the Data Controllers Registry (“VERBIS”) in accordance with Article 16 of the KVK Law and the procedures and principles of the Regulation on the Data Controllers Registry. The following information in VERBIS is kept open to the public.
- Information and address of our Company as data controller,
- Purpose of processing personal data,
- Data subject groups and categories of personal data processed by these persons,
- Persons or groups of persons to whom personal data can be transferred,
- Personal data that can be transferred abroad,
- Measures taken to ensure the security of processed personal data,
- Maximum retention periods required for the purpose of processing personal data.
In case of a change in the information recorded in the registry, the changes are notified to the KVK Institution via VERBIS within seven days from the date of the change.
3.5.2. Obligation to Inform the Data Owner
In accordance with Article 10 of the KVK Law and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation of Clarification, there are necessary illumination texts to ensure that the data owners are informed during the acquisition of personal data. The information to be submitted to the data owners within the scope of the disclosure obligation is as follows:
- Identity of the data controller and its representative, if any,
- For what purpose personal data will be processed,
- To whom and for what purpose the processed personal data can be transferred,
- Method and legal reason for collecting personal data,
- Other rights of the person concerned as listed in Article 11 of the KVK Law.
3.5.3. Obligation to Ensure the Security of Personal Data
With the awareness that, in accordance with Article 12 of the KVK Law, our company must ensure the security of personal data and not harm the fundamental rights and freedoms of data owners;
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data,
All necessary technical and administrative measures are taken to ensure the appropriate level of security for its purposes.
In addition, necessary audits within the scope of the operation of mechanisms to ensure data security are or are made by our Company's Accounting Unit.
3.5.4. Obligation to Fulfill the Decisions Made by the KVK Board
Our company undertakes to act in accordance with the decisions taken by the KVK Board, which is the executive organ of the KVK Institution, which operates in order to ensure that personal data is processed in accordance with fundamental rights and freedoms, and to fulfill these decisions without delay and within thirty days at the latest as of the notification date. Information and documents requested by the KVK Board will be sent within fifteen days at the latest and an on-site inspection will be provided when necessary.
3.5.5. Obligation to Respond to Data Owner Applications
Our company, as a data controller, undertakes to finalize the requests of data subjects regarding their personal data as soon as possible and within thirty (30) days at the latest, according to the nature of the request, in accordance with Article 13 of the KVK Law. Data owners are required to fulfill their requests regarding their personal data with the application form they will obtain from the website of our Company or from the Front Office, in line with the Communiqué on Application Procedures and Principles to the Data Controller. We send the wet signed application forms of the data owners to our Company. “Süleymaniye OSB District 1st Street No: 27 İnegöl/Bursa” to their address by hand or by notary public or by post, or Sending with Registered Electronic Mail (KEP) or Secure Electronic Signature or Mobile Signature or e-mail addresses previously reported to our Company by the data owners and registered in our Company's systems. [email protected] must be sent to our e-mail address.
Pursuant to Article 11 of the KVK Law, personal data owners can apply to the data controllers and make requests regarding the following issues:
- To learn whether your personal data is processed,
- If personal data has been processed, to request information about it,
- To learn the purpose of processing personal data and whether they are used in accordance with its purpose,
- To know the third parties to whom personal data is transferred in the country or abroad,
- Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
- Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
- Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
- To request the compensation of the damage in case of loss due to unlawful processing of personal data.
3.5.6. Obligation to Transfer and Obtain Personal Data in Compliance with the Law
Our company processes personal data in accordance with the law and honesty in accordance with Article 4 of the KVK Law. In this context, the activities of obtaining and transferring personal data are carried out in accordance with the law.
3.5.7. Obligation to Act in Compliance with the Regulations Regarding the Retention of Personal Data
Our company, pursuant to Article 7 of the KVK Law; It has published the necessary policies and established its internal mechanisms for the deletion, anonymization or destruction of personal data for which the reason for processing has disappeared, although it has been processed in accordance with the law.
4. PREPARING POLICY, PROCEDURE AND RELATED GUIDELINES ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
In order to ensure compliance with the personal data protection law, necessary documents have been prepared to be presented to the public or used within the company. The documents prepared within this scope have been prepared in accordance with the documentation model applied by our Company. Changes to be made in the policies to be made available to the public will be presented in a way that data owners can easily access.
5. REVIEW
This Policy takes effect from the moment it is approved by the Board of Directors. Except for the repeal of this Policy, the Board of Directors has authorized the Accounting Unit for the changes to be made in the Policy and how it will be put into effect. With the recommendation and suggestion of the accounting unit and the approval of the Board of Directors, this Policy may be amended and put into effect.
In any case, this Policy is reviewed once a year, and if necessary changes are made, it is updated by submitting it to the approval of the Board of Directors. The Company's KVK Policy has been published on our website and presented to the public. In case of conflict between the applicable legislation, especially the KVK Law, and the regulations included in this Policy, the provisions of the legislation shall apply.
6. DEFINITIONS
The definitions used and important in the KVK Policy are listed below.
7. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY
Details by our company “PERSONAL DATA PROCESSING INVENTORY” Personal data in the following data category specified in
1-Identity (Name and surname, Mother - father's name, Mother's maiden name, Date of birth, Place of birth, Marital status, Identity card serial number, TR ID number etc.)
2-Contact (Address no, E-mail address, Contact address, Registered e-mail address (KEP), Telephone no. etc.)
3-Personnel (Payroll information, Disciplinary investigation, Recruitment document records, Property declaration information, CV information, Performance evaluation reports, etc.)
4-Legal Action (Information in correspondence with judicial authorities, information in the case file, etc.)
5-Customer Transaction (Call center records, Invoice, promissory note, check information, Information on box office receipts, Order information, Request information, etc.)
6-Physical Space Security (Entry and exit registration information of employees and visitors, Camera recordings, etc.)
7-Finance (Balance sheet information, Financial performance information, Credit and risk information, Asset information, etc.)
8-Professional Experience (Diploma information, Courses attended, In-service training information, Certificates, Transcript information, etc.)
9-Marketing (Shopping history information, Survey, Cookie records, Information obtained through campaign work, etc.)
10-Audio and Audio Recordings (Visual and Audio recordings etc.)
11-Philosophical Belief, Religion, Sect and Other Beliefs (Information on other beliefs, Information on religious affiliation, Information on philosophical belief, Information on sectarian affiliation, etc.)
12-Health Information (Information on disability status, Blood group information, Personal health information, Device and prosthesis information etc.)
13-Criminal Conviction and Security Measures (Information on criminal conviction, Information on security measures, etc.)
14- Dress and Dress (Information on attire, etc.)
15-Biometric Data (Fingerprint information etc.)
16-Other Information (Commercial Activity Certificate / Copy of the Registry of the Chamber of Commerce (For Foreign Fair Participation))
17-Other Information (Commercial Invitation (For Foreign Fair Participation))
18-Other Information (Bank Statement (For Foreign Fair Participation))
19-Other informations (Exhibition Participation Certificate (For Foreign Fair Participation))
8. PURPOSE OF PROCESSING PERSONAL DATA BY OUR COMPANY
Our company processes personal data for the purposes specified separately for each data category in the VERBIS system and our KVKK data inventory.