
KVKK

On the Protection of Personal Data Law

PERSONAL DATA PROTECTION POLICY

 

 

Legal Basis: Under Article 20 of the Constitution, everyone has the right to request the protection of personal data about him/her. This right includes being informed about personal data about oneself, accessing these data, requesting their correction or deletion, and learning whether they are used for their purposes. Personal data can only be processed in cases stipulated by law or with the express consent of the person. Starting from this basic legal basis and in accordance with the Personal Data Protection Law No. 6698, we attach utmost importance to the protection and processing of Personal Data in accordance with the law and act with this care in all our planning and activities. As a company, we take all administrative and technical measures to protect and process Personal Data, which is the basis of privacy of private life, and inform and warn our staff about the legal sanctions regulated in Article 135 and the following articles of the Turkish Penal Code (TCK) No. 5237.


Purpose: The Law No. 6698 on the Protection of Personal Data, which is in force, regulates the protection of fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and the obligations, procedures and principles to be followed by real and legal persons who process personal data. The purpose of our policy, which was prepared by taking this regulation into account, is to ensure compliance with the obligations regarding the protection of personal data, to evaluate with a risk-based approach the issues related to the processing, transfer and protection of the confidentiality of the information provided within the scope of the activities carried out by our Company, to determine the strategies, internal controls and measures, operating rules and responsibilities, and to raise the awareness of the employees of the institution on these issues. At the same time, it aims to ensure transparency by informing the persons whose personal data are processed by our Company, especially our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions/organizations with which we cooperate, and third parties.


Scope: This policy relates to all personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, processed automatically, or non-automatically as part of any data recording system.


Definitions


Anonymization: The alteration of personal data in such a way that it loses its ability to be associated with an identified or identifiable person and this situation cannot be undone. Example: Making personal data unable to be associated with a natural person using techniques such as masking, aggregation, data corruption, etc.


Employee: Persons who work in the Company in accordance with the employment contract made with the Company.


Employee Candidate: Real persons who have either applied for a job in the Company by any means or have made their CV and relevant information available for review by the Company.


Real Persons and Private Law Legal Entities: Real persons are persons who were born alive and living in accordance with the Turkish Civil Code. Private Law Legal entities refer to the Commercial Companies defined in the Turkish Commercial Code and the associations and foundations defined in the Turkish Civil Code.


Open to Everyone: It refers to a group of people that does not constitute any special feature and includes everyone, that is, all people.


Shareholders: Natural or legal persons who own shares in the data controller's Company.


Business Partner: Parties with which the data controller carries out commercial activities and has a commercial relationship.


Employees, Shareholders and Officials of the Institutions We Collaborate with: Real persons working in the institutions with which the Company has all kinds of business relations (such as, but not limited to, business partners, suppliers), including the shareholders and officials of these institutions.


4.10. Affiliates and subsidiaries: An affiliate relationship exists where the data controller has a share in the capital of another company. If the company has more than 50% of the voting rights of the partner company, the relationship between it and the partner company constitutes a subsidiary. If the majority is not in the company, there is a simple subsidiary relationship.

 


Explicit Consent: Consent based on being informed about a specific issue and expressed with free will.


Processing of Personal Data: Any action performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system.


4.12. Personal Data Owner: The real person whose personal data is processed. For example, customers and employees.


4.13. Personal Data: Any information regarding an identified or identifiable natural person. Processing of information regarding legal entities is not within the scope of the law. For example, name-surname, TR ID, e-mail, address, date of birth, credit card number, etc.


4.14.Customer: Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.


4.15. Special Personal Data: Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data, are special quality data.


4.16.Potential Customer: Real persons who have requested to use or are interested in our products and services, or who have been evaluated in accordance with the rules of commercial practice and honesty as they may have this interest.


4.17.Intern: Real persons who have applied to the company for internship by any means and aim to put their theoretical knowledge about the profession into practice in the workplace.


4.18.Company Shareholder: Real persons who are shareholders of the company


4.19.Company Official: Member of the company's board of directors and other authorized real persons


4.20.Supplier: Parties that have a business relationship with the data controller based on a service contract and/or agency agreement for the procurement of services within the scope of the data controller's commercial activities.

4.21. Group Companies: According to the definition in the Turkish Commercial Code, "Companies that are directly or indirectly affiliated with the dominant company constitute the group of companies together with it."


4.22. Third Party: Third party real persons (e.g. family members and relatives) who are associated with these persons in order to ensure the security of commercial transactions between the Company and the above-mentioned parties or to protect the rights of the mentioned persons and to obtain benefits.


4.23. Data Processor: A real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. For example, the company or companies that hold the Company's data, etc.


4.24. Data Controller: The person who determines the purposes and means of processing personal data, manages the place where the data is systematically kept (data recording system), and provides the necessary information and guidance to the data owner regarding his personal information upon the request / application of the data owner.


4.25.Authorized Public Institutions and Organizations: These are public institutions and organizations that are authorized by their relevant legislation to request information and documents from the data controller and are also required to make transfers in order for the Data Controller to fulfill its legal obligations.


4.26.Visitor: Real persons who have entered the physical premises owned by the Company for various purposes or visited our websites.

 


Abbreviations

 

KVKK: Law No. 6698. Personal Data Protection Law No. 6698, dated 24 March 2016, published in the Official Gazette No. 29677, dated 7 April 2016.


Constitution: Published in the Official Gazette dated 9 November 1982 and numbered 17863; Constitution of the Republic of Turkey dated 7 November 1982 and numbered 2709.


KVK Board: Personal Data Protection Board


KVK Authority: Personal Data Protection Authority


Policy: Company Personal Data Protection and Processing Policy


TBK: Turkish Code of Obligations No. 6098 dated January 11, 2011, published in the Official Gazette dated 4 February 2011 and numbered 27836.


TCK: Turkish Penal Code No. 5237 dated 26 September 2004, published in the Official Gazette dated 12 October 2004 and numbered 25611.


Turkish Commercial Code dated 13 January 2011 and numbered 6102, published in the Official Gazette dated 14 February 2011 and numbered 27846.

 


Data Categories: The Company may record, process or transfer data regarding the following data categories.

Identity (such as name and surname, mother and father's name, date of birth, place of birth, marital status, identity card serial number, Turkish ID number)


Contact (such as address number, e-mail address, contact address, registered e-mail address (KEP), telephone number)


Location (location information of the location)


Personnel (such as payroll information, disciplinary investigation, employment entry-exit document records, CV information, performance evaluation reports)


Legal Procedure (such as information in correspondence with judicial authorities, information in the case file)


Customer Transaction (such as invoice, bill, check information, order information, request information)


Physical Space Security (such as employee and visitor entry and exit registration information, camera recordings)


Transaction Security (such as IP address information, website login and exit information, password and password information)


Risk Management (such as information processed to manage commercial, technical, administrative risks)


6.10.Finance (such as Iban number, fee information)


Professional Experience (such as diploma information, courses attended, in-service training information, certificates, transcript information)


6.12.Marketing (cookie records)


6.13.Visual and Audio Records (such as visual and audio records)


6.14.Disguise and Clothing (Size information due to protective equipment and clothing provided for Occupational Health and Safety)


6.15.Health Information (such as information regarding disability status, blood group information, personal health information, device and prosthesis information used, test and diagnosis information during pandemic and epidemic periods)


6.16. Criminal Conviction and Security Measures (Criminal record)

 


Personal Data Processing Purposes: The Company may record, process or transfer personal data according to the following purposes.


Conducting Emergency Management Processes


Execution of Information Security Processes


Conducting Employee Candidate / Intern / Student Selection and Placement Processes


Carrying out the application processes of employee candidates


Conducting Employee Satisfaction and Loyalty Processes


Fulfillment of Employment Contract and Legislation Obligations for Employees


Execution of Fringe Benefits and Benefits Processes for Employees


Conducting Audit / Ethics Activities


Conducting Educational Activities


7.10. Execution of Access Authorizations


Conducting Activities in Compliance with Legislation


7.12.Performance of Finance and Accounting Affairs


7.13. Execution of Commitment Processes for Company / Product / Services


7.14.Ensuring Physical Space Security


7.15. Execution of Assignment Processes


7.16.Follow-up and Execution of Legal Affairs


7.17.Conducting Internal Audit / Investigation / Intelligence Activities


7.18.Performing Communication Activities


7.19.Planning Human Resources Processes


7.20. Execution/Audit of Business Activities


7.21.Performing Occupational Health / Safety Activities


7.22. Receiving and Evaluating Suggestions for Improving Business Processes


7.23.Performing Business Continuity Ensuring Activities


7.24.Performing Logistics Activities


7.25. Execution of Goods / Service Purchasing Processes


7.26.Performing Goods / Service After-Sales Support Services


7.27. Execution of Goods / Service Sales Processes


7.28. Execution of Goods / Service Production and Operation Processes


7.29. Execution of Customer Relationship Management Processes


7.30. Carrying out Activities for Customer Satisfaction

7.31.Organization and Event Management


7.32. Conducting Marketing Analysis Studies


7.33. Conducting Performance Evaluation Processes


7.34. Execution of Advertising / Campaign / Promotion Processes


7.35. Execution of Risk Management Processes


7.36.Performing Storage and Archive Activities


7.37. Carrying out Social Responsibility and Civil Society Activities


7.38. Execution of Contract Processes


7.39.Performing Sponsorship Activities


7.40. Conducting Strategic Planning Activities


7.41. Tracking of Requests / Complaints


7.42.Ensuring the Security of Movable Property and Resources


7.43. Execution of Supply Chain Management Processes


7.44. Execution of Wage Policy


7.45. Execution of Marketing Processes of Products / Services


7.46.Ensuring the Security of Data Controller Operations


7.47.Foreign Personnel Work and Residence Permit Procedures


7.48.Execution of Investment Processes


7.49. Conducting Talent / Career Development Activities


7.50. Providing Information to Authorized Persons, Institutions and Organizations


7.51.Performing Management Activities


7.52.Creation and Tracking of Visitor Records

Legal Reasons for Processing Personal Data: Legal reasons for processing personal data are regulated in Article 5 of the KVKK.

 

Personal data cannot be processed without the explicit consent of the relevant person.


In case of one of the following conditions, it is possible to process personal data without the explicit consent of the relevant person:

 

8.2.1. It is clearly prescribed by law.


8.2.2. It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.


8.2.3. It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract.


8.2.4. It is mandatory for the data controller to fulfill its legal obligation.


8.2.5.It has been made public by the person concerned.


8.2.6. Data processing is mandatory for the establishment, exercise or protection of a right.


8.2.7. It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

Legal Reasons for Processing Special Personal Data: Legal reasons for processing personal data are regulated in Article 6 of the KVKK.

 

It is prohibited to process special personal data without the explicit consent of the person concerned.


Special personal data, other than health and sexual life, may be processed without the explicit consent of the relevant person in cases stipulated by law. Personal data regarding health and sexual life can only be processed, without the express consent of the relevant person, by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing.

 


Personal Data Transfer Recipient Groups: The Company may transfer personal data to the following Personal Data Transfer Recipient groups.

 

10.1.Shareholders


10.2.Business Partner


10.3.Supplier


10.4.Authorized Public Institutions and Organizations

 


Persons Subject to Personal Data - The Company may record, process or transfer personal data according to the following types of persons.

 

Employee Candidate


Worker


Shareholder/Partner


Potential Product and Service Buyer


Supplier Representative


Person Receiving Product or Service


Visitor

Personal Data Storage Periods: Personal data retention periods are regulated in detail in the Personal Data Storage and Destruction policy.


Deletion, Destruction or Anonymization of Personal Data:

 

13.1. Even though personal data has been processed in accordance with the law, if the reasons requiring processing are eliminated, these data are deleted, destroyed or made anonymous by the data controller ex officio or upon the request of the relevant person.


13.2.The data controller deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.


13.3.The actions to be taken regarding these issues are explained in detail in the personal data retention and destruction policy.

 


Transfer of Personal Data: Personal data obtained for processing within the framework of the general principles specified in the Law can be transferred to third parties by obtaining the explicit consent of the relevant person.

 

14.1.Domestic transfer: Details regarding the domestic transfer of personal data and special personal data are regulated in the Transfer of Personal Data procedure.


14.2. Transfer abroad: Personal data may be transferred to countries where adequate protection exists, provided that the express consent of the relevant person has been obtained and in the presence of the situations specified in the Law. Data transfer to countries where there is not sufficient protection can be carried out in cases where the conditions specified in the Law exist, there is explicit consent, in addition to a written commitment to adequate protection, and the permission of the Board is available. Details on the subject are regulated in the Personal Data Transfer Procedure.

General (Basic) Principles in Processing Personal Data: Personal data will be processed in accordance with the following basic principles as detailed in the personal data processing procedure. These basic principles are regulated in Article 4 of the Personal Data Protection Law.

 

15.1. Complying with the law and the rules of honesty,

 

 

Compliance with the law and the rule of honesty means the obligation to act in accordance with the principles imposed by laws and other legal regulations in the processing of personal data. The rule of honesty means acting in accordance with the rules of trust and in a manner expected from a reasonable person while exercising the rights of individuals.

 

 

 

15.2. Being accurate and up-to-date when necessary,

 

 

Keeping your personal data accurate and up-to-date is necessary to protect the fundamental rights and freedoms of individuals. This principle protects the rights of the person concerned and also serves the interests of the data controller.

 

 

15.3. Processing for specific, clear and legitimate purposes,

 

 

This principle requires data controllers to clearly and precisely determine the purpose of data processing and that this purpose be legitimate. The legitimacy of the purpose means that the data processed is related to and necessary for the work performed or the service provided.

 

 

15.4. Being relevant, limited and proportionate to the purpose for which they are processed,

 

 

The suitability of the processed data to achieve the specified purposes requires avoiding the processing of personal data that is not relevant or needed to achieve the purpose. Again, data processing should not be done to meet needs that may arise later. The principle of proportionality means establishing a reasonable balance between data processing and the purpose to be achieved.

15.5. Preservation for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

 

 

As a requirement of the "purpose limitation principle", personal data must be stored for the period necessary for the purpose for which they are processed. In case the periods stipulated within the scope of the legislation to which the data controller is subject in accordance with its legal obligations, as well as the storage periods determined by them, are exceeded, personal data must be deleted, destroyed or anonymized.

 

 

Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will. As detailed in the procedure for obtaining explicit consent, explicit consent must be related to a specific subject, consent must be based on information, and must be expressed with free will.


Obligation to inform: The relevant persons are informed by the company during the collection of personal data. As detailed in the Disclosure Procedure, this information includes at least the following topics.

17.1. Identity of the data controller and his representative, if any,


17.2.For what purpose personal data will be processed,


17.3.To whom and for what purpose personal data can be transferred,


17.4.Method and legal reason for collecting personal data,


17.5.Other rights of the relevant person listed in Article 11 of the Law.

 


Methods of claiming rights of the relevant person: Relevant persons can apply to the Company and have the right to find out whether personal data about them has been processed, to request information about it if it has been processed, to request its correction if the content of the data is incomplete or incorrect, to request its deletion or destruction if it is against the law, to request that third parties to whom the data has been disclosed be notified of the actions taken accordingly, and to request remediation of any damages due to unlawful processing of the data. The relevant person may exercise his application and complaint rights, as detailed in the Relevant Person's Rights Request Procedure.

 

18.1.Application: In order for relevant persons to exercise their rights, they must first apply to the data controller. A complaint cannot be made to the Board without exhausting this option.


18.2.Complaint: In order for the relevant person to file a complaint, the application to the Company must be rejected, the response given must be found insufficient, or the application must not be responded to within 30 days. It is not possible for relevant persons to complain directly to the Board without applying to the Company.

Obligation to Fulfill Board Decisions: If the Board detects the existence of a violation upon complaint or as a result of its ex officio investigation on matters within its field of duty upon learning of an alleged violation, it decides that the illegalities will be remedied by the Company and notifies the decision to the relevant parties. As detailed in the Execution of Board Decisions procedure, the Company implements this decision without delay and within thirty days at the latest from the date of notification.


Data Controllers' Registry (VERBİS) registration obligation: The Company registers to the registration system where data controllers must register and declare information about data processing activities, as specified in the Data Controllers' Registry (VERBİS) registration procedure, and updates these records.


Personal Data Breach: If the processed personal data is obtained by others through illegal means, the Company notifies the relevant person and the Board as soon as possible, as specified in the Personal Data Breach Procedure. If necessary, the Board may announce this situation on its own website or through another method it deems appropriate.


Personal Data Security Measures: The Company takes the following technical and administrative measures in accordance with the Company structure to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.

22.1. Security measures are taken within the scope of supply, development and maintenance of information technology systems.


22.2. Training and awareness activities are carried out for employees at regular intervals regarding data security.


22.3.An authority matrix has been created for employees.


22.4.Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.


22.5. Confidentiality commitments are made.


22.6. The authorizations of employees in this area are removed if their duties change or they leave their jobs.


22.7.The signed contracts contain data security provisions.


22.8.Personal data security policies and procedures have been determined.


22.9.Personal data security problems are reported quickly.


22.10.The security of environments containing personal data is ensured.


22.11.Personal data is reduced as much as possible.


22.12.Personal data is backed up and the security of the backed up personal data is ensured.


22.13.Current risks and threats have been identified.


22.14. Protocols and procedures for the security of special personal data have been determined and implemented.


22.15. Data processing service providers are periodically audited regarding data security.


22.16. Data processing service providers are made aware of data security.

Data Controller Title: TOMBAKSAN ISI SANAYİ TİCARET LİMİTED ŞİRKETİ

MERSIS Number: 0850004418100012

Address: ORHANİYE MAHALLESİ ORHANİYE (KÜME EVLER) NO: 269 B KAHRAMANKAZAN/ANKARA

E-mail Address: info@tombaksan.com.tr
