POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
TABLE OF CONTENTS
1. Purpose
2. Scope and Implementation
3. Definitions
4. Processing of Personal Data
a. Principles for Processing of Personal Data
b. Purposes for Processing of Personal Data
c. Legal Bases for the Processing of Personal Data
d. Legal Reasons for Processing Sensitive Personal Data
5. Disclosure Obligation
6. Data Security
a. Technical Measures
b. Administrative Measures
7. Transfer of Personal Data
a. Domestic Transfer
b. Transfer Abroad
8. Personal Data Inventory
9. Roles and Responsibilities
10. Deletion, Destruction and Anonymization of Personal Data
11. Rights of the Data Subject and Exercise of the Rights
a. Rights of the Data Subject
b. Exercise of Rights
c. Consideration of the Application
d. Rejection of the Application
e. Right to Petition
12. Publication and Enforcement of the Policy
13. Updating the Policy
1. Purpose
The main purpose of this Policy on the Protection and Processing of Personal Data (“Policy”) is to explain the personal data processing activities carried out by Kimteks Poliüretan Sanayi ve Ticaret A.Ş. (“Company”) in accordance with the law and the systems adopted for the protection of personal data, to set out the procedures and principles to be followed with respect to the persons whose data is processed by reason of their relationship with the Company, and to ensure transparency towards those persons.
The Company carries out its activities in accordance with the provisions on the protection and privacy of personal data laid down in particular in the Constitution of the Republic of Turkey, the international conventions to which Turkey is a party, the Law on the Protection of Personal Data (“PDPL”) and the relevant legislation. The Company treats the protection of personal data and of fundamental rights and freedoms with the utmost care, and gives priority in all of its activities to fundamental human rights such as the right to privacy and freedom of expression.
2. Scope and Implementation
This Policy has been prepared in compliance with the applicable regulations and international standards. The Company applies this Policy to all personal data processing activities, including the collection, processing, transfer and alteration of data.
The Company also maintains other policies that address the protection of personal data and information security in relation to particular business activities and processes. This Policy does not override the data protection terms of those other policies where they set standards for the protection of personal data; it is implemented in conjunction with such other policies and procedures as appropriate.
In case of a conflict between the provisions of the relevant applicable legislation on the protection and processing of personal data and the provisions of this Policy, the up-to-date legislation provisions will prevail.
3. Definitions
PDPL: Law No. 6698 on the Protection of Personal Data
GDPR: European Union General Data Protection Regulation
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and manages the data filing system (the place where the data is kept systematically).
Data Owner/Data Subject: The natural person whose personal data are processed, including, but not limited to, employees, customers, business partners, shareholders, officials, potential customers, employee candidates, interns, visitors, suppliers of the Company and its affiliates, employees of the institutions with which the Company cooperates and third parties.
Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Personal Data: Any information relating to an identified or identifiable natural person.
Sensitive Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Processing of Personal Data: Any operation performed on personal data, wholly or partly by automated means, or by non-automated means provided that the data form part of a data filing system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, takeover, making available, classification or prevention of use.
Anonymization of Personal Data: Rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data.
Deletion of Personal Data: Making personal data inaccessible and unfit for re-use by the relevant users.
Destruction of Personal Data: Making personal data inaccessible, unretrievable and unfit for re-use by anyone.
Board of PDP /Board: Personal Data Protection Board.
PDP Authority/Authority: Personal Data Protection Authority.
4. Processing of Personal Data
a) Principles for Processing of Personal Data
The Company’s policies and procedures are implemented in line with the processing principles stipulated in the PDPL and the relevant legislation. These principles are essential to the exercise of data subjects’ rights and to their control over their data, and the Company gives them particular weight in all of its processing activities. The Company’s principles for the protection of personal data are as follows:
- Personal data are processed lawfully, fairly and in a transparent manner.
In its data processing activities, the Company relies on the legal bases for processing laid down in the PDPL. It also takes into account the reasonable expectations of data subjects in accordance with the principle of good faith. The Company uses clear and understandable language in its communication with data subjects and remains easily reachable by them.
- Personal data are processed only for specified, explicit and legitimate purposes.
The Company determines the purpose of processing before the processing activity begins. Data are processed for additional purposes only where those purposes are compatible with the initial purpose; the compatibility of each additional purpose with the initial purpose is assessed according to internationally recognized criteria. The Company informs data subjects of the purposes of processing in line with the principle of transparency.
- Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The Company processes data only to the extent necessary for the purpose of processing. Data are obtained by the method best suited to ensuring their privacy and security, and disproportionate interference with the rights, interests and freedoms of data subjects is avoided.
- Personal data are accurate and, where necessary, kept up to date.
The Company ensures that data are kept up to date in all processing activities. Incomplete, incorrect or inaccurate data are corrected or destroyed as soon as possible, and the Company verifies at regular intervals that the data remain current.
- Personal data are stored for the period set forth in the relevant legislation and no longer than necessary for the purposes for which they are processed.
When the purposes of processing cease to exist, the data are deleted, destroyed or anonymized as soon as possible.
- Personal data are processed in a manner that ensures their appropriate security.
The Company treats data security as a core principle and takes the necessary administrative and technical measures in line with best practice.
- The Company is able to demonstrate its compliance with the other principles of the PDPL and/or the GDPR.
The Company adheres to the principle of accountability in all processing activities.
b) Purposes for Processing of Personal Data
Purposes for processing of personal data processed by our Company are as follows:
- Execution of Emergency Management Processes
- Execution of Employee Candidate / Intern / Student Selection and Placement Processes
- Execution of Application Processes of Employee Candidates
- Fulfillment of Employment and Legislation Obligations for Employees
- Providing Information to Authorized Persons, Institutions and Organizations
- Execution of Audit / Ethical Activities
- Execution of Educational Activities
- Execution of Access Authorizations
- Execution of Activities in Compliance with the Legislation
- Execution of Finance and Accounting Affairs
- Providing Physical Space Security
- Execution of Assignment Processes
- Execution of Internal Audit / Investigation / Intelligence Activities
- Execution of Communication Activities
- Planning of Human Resources Processes
- Execution / Supervision of Business Activities
- Execution of Occupational Health / Safety Activities
- Receiving and Evaluating Suggestions for Improvement of Business Processes
- Execution of Logistics Activities
- Execution of Goods / Services Procurement Processes
- Execution of Goods / Services After-Sales Support Services
- Execution of Goods / Services Sales Processes
- Execution of Goods / Services Production and Operation Processes
- Execution of Activities for Customer Satisfaction
- Organization and Event Management
- Execution of Storage and Archive Activities
- Execution of Contract Processes
- Follow-up of Requests / Complaints
- Ensuring the Security of Movable Property and Resources
- Execution of Supply Chain Management Processes
- Execution of Wage Policy
- Execution of Marketing Processes of Products / Services
- Ensuring the Security of Data Controller Operations
- Execution of Talent / Career Development Activities
- Creating and Tracking Visitor Records
c) Legal Bases for the Processing of Personal Data
The Company relies on one of the legal conditions for processing laid down in Article 5 of the PDPL whenever it processes personal data. These conditions, in other words the grounds on which processing is lawful, are exhaustively listed in the Law and cannot be extended. The Company relies on the following legal bases when processing personal data:
- The data subject has given explicit consent,
- The processing is necessary for, and directly related to, the conclusion or performance of a contract to which the data subject is a party,
- The processing is necessary for compliance with a legal obligation to which the data controller is subject,
- The processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
The Company does not rely on explicit consent as a legal basis where another legal basis is available.
d) Legal Reasons for Processing Sensitive Personal Data
Sensitive personal data are data, such as a person’s religion, race, belief, health or sexual life, whose disclosure could expose the person to discrimination. Sensitive personal data cannot be processed without one of the limited legal reasons listed in Article 6 of the PDPL.
In this context, the Company processes sensitive personal data other than data concerning health on the following legal basis:
- Explicit consent of the data subject.
Data concerning health are processed by persons under an obligation of secrecy on one of the following legal bases:
- Explicit consent of the data subject,
- Protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.
5. Disclosure Obligation
The Company is obliged to inform data subjects in accordance with the PDPL and the Communiqué on the Procedures and Principles to be Observed in Fulfilling the Disclosure Obligation. If the personal data are obtained from the data subject, the Company, or a person authorized by it, informs the data subject at the time the data are obtained. If the personal data are not obtained from the data subject, the disclosure obligation is fulfilled within a reasonable time after the data are obtained; if the data are to be used for communication with the data subject, at the latest at the time of the first communication; and if the data are to be transferred, at the latest when the first transfer is made.
The Company informs data subjects, as a minimum, of the identity and address of the Company as data controller, the purposes for which the personal data will be processed, to whom and for what purposes the processed data may be transferred, the method and legal basis for collecting the personal data, and the rights of the data subject under Article 11 of the PDPL.
If the purpose of processing changes, the disclosure obligation for the new purpose is fulfilled before the processing activity begins.
The Company processes the data of the following groups of persons and provides the clarification texts as indicated:
- Employees
Refers to persons employed by the Company. The Employee Clarification Text is delivered to them by hand or by e-mail.
- Employee Candidates
It refers to the employee candidates who apply to the Company physically or through various portals. The Employee Candidate Clarification Text is hand-delivered to the relevant persons/sent via e-mail.
- Supplier Employee
Refers to the employees of the parties from which the Company purchases goods, products or services for the production and operation of its own goods, products and services. Under the contract between the Company and the supplier, the disclosure to supplier employees is made by the supplier that employs them.
- Supplier Official
Refers to the officials of the parties from which the Company purchases goods, products or services for the production and operation of its own goods, products and services. Under the contract between the Company and the supplier, the disclosure to supplier officials is made by the supplier with which they are affiliated.
- Potential product or service buyer
Refers to those to whom the company wants to sell products or services. Potential Customer Clarification Text is delivered to them via e-mail.
- The person who buys product or service
Refers to the persons to whom the Company sells products or services. Under the contract between the Company and the customer, the disclosure to the customer’s employees is made by the customer company that employs them. Where processing is necessary for purposes other than performance of the contract, the disclosure is made by the Company as data controller.
- Intern
Refers to the interns engaged by the Company. The Intern Clarification Text is delivered to them by hand or by e-mail.
- Intern Candidate
Refers to the intern candidates who apply to the Company physically, on the website or through various portals. The Intern Candidate Clarification Text is delivered to them by hand/e-mail.
- Online Visitors
Refers to online visitors accessing the Company’s websites. The Online Visitor Clarification Text is published at www.kimpur.com.
- Visitor
Refers to visitors to the Company’s offices and facilities. The Visitor Clarification Text is presented to them at the workplace entrances and delivered by hand.
- Reference Person
Refers to the reference persons whose information is shared by employee candidates and intern candidates who apply to the Company physically, through the website or through various portals. The Reference Clarification Text is sent to them via e-mail.
6. Data Security
As data controller, the Company is obliged to prevent the unlawful processing of and unlawful access to personal data and to ensure their protection. To this end, the Company has implemented the technical and administrative measures regarding data security listed below, including the additional measures necessary to protect sensitive personal data.
a) The Company’s Technical Measures
– Network security and application security are ensured.
– Security measures are taken in the procurement, development and maintenance of information technology systems.
– Key management is implemented.
– The security of personal data stored in the cloud is ensured.
– Data masking is applied when necessary.
– The access rights of employees whose duties change or who leave the Company are revoked.
– Up to date anti-virus systems are used.
– Firewalls are used.
– The security of environments containing personal data is ensured.
– Personal data is backed up and the security of the backed up personal data is also ensured.
– User account management and authorization control system are implemented and these are also followed.
– Existing risks and threats have been identified.
– If sensitive personal data are to be sent by e-mail, they are sent in encrypted form and via a KEP (registered electronic mail) or corporate e-mail account.
– Intrusion detection and prevention systems are used.
– Cyber security measures have been taken and their implementation is constantly monitored.
– Encryption is performed.
– Data loss prevention software is used.
b) Administrative Measures
– There are disciplinary regulations that include data security provisions for employees.
– Training and awareness activities are carried out periodically for employees on data security.
– Confidentiality undertakings are signed.
– Signed agreements contain data security provisions.
– Additional security measures are taken for personal data transferred on paper, and such documents are sent marked as confidential.
– Necessary security measures are taken for entry to and exit from physical environments containing personal data.
– Physical environments containing personal data are protected against external risks (fire, flood, etc.).
– Personal data are minimized as far as possible.
– In-house periodic and/or random audits are conducted.
– Data processing service providers are periodically audited on data security.
– Awareness activities are carried out for senior management and department managers.
7. Transfer of Personal Data
a) Domestic Transfer
The Company transfers personal data to third parties relying on the conditions for data processing stipulated in Articles 5 and 6 of the PDPL, and takes all necessary security measures for transfer activities. The groups of recipients to which the Company transfers data in this context are as follows:
- Suppliers, for the purposes of Execution of Training Activities, Execution of Talent / Career Development Activities, Execution of Goods / Services Procurement Processes, Execution of Communication Activities, Execution of Employee Benefits Processes, Planning of Human Resources Processes, Execution of Finance and Accounting Affairs, Execution / Supervision of Business Activities, and Organization and Event Management,
- Authorized Institutions and Organizations for the purposes of Fulfillment of Obligations Originated from Employment Contract and Legislation for Employees, Planning of Human Resources Processes, Execution / Supervision of Business Activities, Providing Information to Authorized Persons, Institutions and Organizations,
- Associations for the purposes of Execution/Inspection of Business Activities, Execution of Goods/Services After-Sales Support Services, Execution of Logistics Activities, Ensuring the Security of Movable Goods and Resources,
b) Transfer Abroad
The Company transfers data abroad only where one of the following conditions under Article 9 of the PDPL is met:
- The data subject has given explicit consent,
- The country to which the personal data will be transferred has the status of a “safe country” in which adequate protection is provided,
- The Company and the recipient have undertaken adequate protection in writing, regulating their rights and obligations regarding the transfer, and the Board has authorized the transfer.
The groups of recipients to which the Company transfers data abroad in this context are as follows:
- Suppliers for Execution of Activities for Customer Satisfaction, Receiving and Evaluation of Suggestions for Improvement of Business Processes, Follow-up of Requests / Complaints, Execution of Customer Relationship Management Processes, Execution of Company / Product / Services Loyalty Processes
8. Personal Data Inventory
The Company has created a data inventory with the details stipulated by the Law regarding the personal data processed within the scope of PDPL. The company’s data inventory includes the following details:
- Processes using personal data,
- Category of personal data,
- Personal data processed,
- Processed sensitive personal data,
- Purpose and legal reason of the processing activity,
- Domestic recipients of personal data,
- Whether personal data is transferred abroad,
- Personal data retention periods
If the Company’s processing activities change, the Personal Data Inventory is updated. The Company notifies the Data Controllers Registry of the information contained in the Personal Data Inventory and of any updates to it. The information the Company provides to data subjects under the disclosure obligation in Article 5 of this Policy is consistent with the information declared in the Registry.
9. Roles and Responsibilities
The roles and responsibilities of our company regarding the processing of personal data are as follows:
- The relevant department is responsible for notifying the relevant persons, such as customers, subcontractors, suppliers, whose data is processed, of this Policy.
- The relevant department is responsible for informing those who process data on behalf of the Company, such as employees and suppliers, about this Policy, and for verifying through regular controls that they implement it.
- The relevant department is responsible for updating this Policy. The unit makes the necessary improvements by considering the needs of the company’s information processing systems and carries out the process of updating the Policy when necessary.
- The relevant department is the authorized approval authority for the approval of updates to this Policy.
- The relevant department is responsible for determining and applying sanctions for violations of the Policy.
10. Deletion, Destruction and Anonymization of Personal Data
- In accordance with Article 7 of the PDPL and the other relevant legislation, when the reasons for processing cease to exist, personal data are deleted, destroyed or anonymized by the Company ex officio, in the course of its periodic review, and/or upon the request of the data subject.
- The Company does not keep personal data longer than necessary for the reason for which they were obtained. The Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to do so arises, that is, the date on which the reasons for processing cease to exist.
- The Company has prepared a Retention and Destruction Policy setting out the procedures and principles in this area. The retention period for each category of personal data, the criteria used to determine retention and destruction periods and the legal obligations requiring the Company to keep the data are specified in that Policy, which has been prepared in line with the Personal Data Inventory described in Article 8 of this Policy.
- In deleting, destroying or anonymizing personal data, the Company complies with the principles set out in Article 4(a) of this Policy, the technical and administrative measures specified in Article 6, the Retention and Destruction Policy, the relevant legislation and the decisions of the Board.
- Personal data are destroyed securely and by the most appropriate method in accordance with the PDPL, the relevant legislation and the Company’s Retention and Destruction Policy. Where the data subject requests deletion or destruction, the Company chooses the appropriate method and explains the justification for its choice. Destruction of personal data is recorded on a destruction form, which is kept for at least 3 (three) years.
11. Rights of the Data Subject and Exercise of the Rights
a) Rights of the Data Subject
The data subjects have the following rights regarding their personal data processed in accordance with Article 11 of the PDPL:
- Learning whether personal data is processed or not,
- If personal data have been processed, requesting information about the processing,
- Learning the purpose of processing and whether the data are used in accordance with that purpose,
- Knowing the third parties, in Turkey or abroad, to whom personal data are transferred,
- Requesting correction of personal data that are incomplete or inaccurate, and requesting that the correction be notified to the third parties to whom the data have been transferred,
- Requesting deletion or destruction of personal data where the reasons for processing have ceased to exist, even though the data were processed in accordance with the law, and requesting that this be notified to the third parties to whom the data have been transferred,
- Objecting to a result adverse to the data subject that arises from the analysis of processed data exclusively by automated systems,
- Claiming compensation for damage suffered as a result of the unlawful processing of personal data.
b) Exercise of Rights
Applications and requests regarding personal data shall be delivered to the Company using the Contact Application Form by one of the following methods:
- By sending it, with your wet-ink signature and a copy of your identity card, to the address DOSB Mah. DES. SAN. SİT. Tic. Merkezi No:3/30-32, Ümraniye/İstanbul, or
- By signing it with a secure electronic signature or mobile signature and sending it to the PDPL e-mail address ik@kimpur.com, or
- By signing it with a secure electronic signature or mobile signature and sending it via registered electronic mail (KEP) to the Company’s KEP address kimtekspu@hs01.kep.tr, or
- By submitting it to Kimteks Poliüretan San. ve Tic. A.Ş. together with a valid identity document.
Under the applicable rules on the procedures and principles for applications to the data controller, the application must contain: the applicant’s name and surname; a signature, if the application is in writing; the Republic of Turkey Identity Number for Turkish citizens, or nationality and passport number (or identity card number, if any) for foreign nationals; the residential or business address to be used for notifications; the e-mail address and fax number, if any; and the subject of the request. Documents confirming the applicant’s identity, together with any information and documents relating to the subject of the request, must be attached to the application.
So that the request can be handled efficiently, the right being exercised and the details of the requested operation should be stated clearly and understandably in the subject of the request.
The subject of the request must concern the data subject personally. If the application is made on behalf of another person, the applicant must hold a specific documented authorization for the requested operation (a power of attorney). Applications submitted without such authorization will not be considered.
c) Consideration of the Application
Applications are examined and answered as soon as possible and in any case within 30 days of the date the Company receives the application.
During the consideration process, additional information and documents may be requested if required and a fee may be charged for fulfilling the request in cases where this is consistent with the relevant legislation.
The Company takes all necessary administrative and technical measures in order to conclude the applications made by the data subject effectively and in accordance with the law and the rules of good faith.
d) Rejection of the Application
The Company may reject an application in the following cases:
- If the application is not made in accordance with the procedure described above,
- If the application contains a request contrary to the applicable legislation,
- If the application is not based on a just cause or constitutes an abuse of right,
- If the personal data subject to the application are processed, after being anonymized, for purposes such as research, planning and statistics through official statistics,
- If the personal data were made public by the data subject,
- If one of the other exemptions under Article 28 of the PDPL applies.
If the application is rejected, the Company shall notify the relevant person of the rejection by explaining the reason.
e) Right to Petition
In the applications made to the Company, the Data Subject has the right to complain to the Board when the application is rejected or the response given by the Company is insufficient or the Company does not respond within 30 days.
The Data Subject may exercise his/her right to complain within 30 days from the date of learning of the Company’s response and in any case within 60 days from the date of application.
12. Publication and Enforcement of the Policy
This Policy enters into force on 30.07.2021.
The current version of this Policy shall be published in the company documentation system.
13. Updating the Policy
This Policy is updated under the quality document procedure within the period required by the legislation.
Superseded versions of this Policy are cancelled with the approval of the data controller and retained by the archive officer for the period required by the legislation. Versions whose retention period has expired are destroyed by the responsible unit, which issues a record of the destruction.