As Data Controller ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC.LTD.ŞTİ , we would like you to know that we take the necessary measures for data security within the scope of our Personal Data Policy with utmost effort to protect your personal data, taking into account the Personal Data Protection Law No. 6698 and other legislation and international agreements.
A. DEFINITIONS
Explicit consent, within the scope of Directive 95/46 EC, should be understood as a statement of approval given by the relevant person freely, with sufficient information on the subject, in a clear manner that leaves no room for hesitation, and limited only to that transaction, to the processing of data about him/her.
Anonymization of personal data means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Data recording system refers to the recording system in which personal data is structured and processed according to certain criteria. The systems in question can be physical or digital. Data can be processed according to more than one criterion within the system in question. For example, data can be recorded and processed based on a registration system based on name and surname, Turkish Republic of Northern Cyprus or place of birth.
Data controller is the person responsible for the processing, transfer, deletion of direct data and other obligations under the law within the scope of Law No. 6698. They are those who determine the purposes and means of processing personal data and are responsible for establishing and managing the data recording system. These persons may be natural persons or legal entities such as public institutions, companies, associations or foundations. Within the scope of this information text, it refers to ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC.LTD.ŞTİ .
Data processors are real and legal persons who process data on behalf of the data controller. These persons may be employees who process personal data within the framework of the instructions given to them, or they may be a separate natural or legal person determined by the data controller by purchasing services. Any natural or legal person can be both a data controller and a data processor at the same time. For example, while an accounting company is considered a data controller for the data it holds about its own personnel, it will be considered a data processor for the data it holds for its customer companies.
Relevant Person refers to the real person whose personal data is processed, that is, the customer within the scope of this agreement.
Destruction refers to the deletion, destruction or anonymization of personal data.
B. METHODS OF COLLECTION OF PERSONAL DATA
Your personal data consists of information and documents received within the scope of dialogues and communication you have established with our company. Information, documents and applications obtained from online communication channels, especially the reference letters sent to us and the preliminary agreement and contract concluded, website cookie applications, data received from social media platforms, online forms filled out on the website, suggestion/complaint form, e-mail environments. Data received and reported within the scope of forms, security cameras, letters and warnings are the main data collection sources. These data are obtained and processed in accordance with our data policy and Board decisions, taking into account the conditions within the scope of Articles 5 and 6 of the Personal Data Protection Law (KVKK) and the principles included in Article 4. In all these processes, it is aimed to prevent unnecessary data acquisition by taking into account the principles of proportionality and proportionality.
C. PROCESSING OF PERSONAL DATA
Processing of personal data is defined in paragraph 3/e of Law No. 6698 as follows:
"Processing of personal data: Obtaining and recording personal data by fully or partially automatic or non-automatic means, provided that it is part of any data recording system, "Any operations carried out on data such as storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use". How the
information in the nature of personal data in question will be processed is stated in Article 5 of the same law. It is stated as follows:
'' (1) Personal data cannot be processed without the explicit consent of the relevant person.
(2) It is possible to process personal data without the express consent of the relevant person if one of the following conditions exists:
a) It is clearly provided for by law.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned. The items above also mean the conditions for processing personal data and are binding on us as the data controller. When we look at the scope of these articles, explicit consent will not be required for the processing of data in the fulfillment of legal obligations, publicized data, and in cases where our legitimate interest requires it, as long as it does not harm the fundamental rights and freedoms of individuals.
D. BASIC PRINCIPLES GOVERNING DATA PROCESSING
All kinds of processes such as the use of fully or partially automatic recording methods or obtaining by non-automatic methods, partial or complete modification, categorization, transfer, recording, storage, destruction of personal data belonging to natural persons are personal data. It is called processing of data. As can be understood from this explanation, all processes of obtaining, storing, transferring and destroying the data are data processing.
There are basic principles regarding the processing of personal data that are accepted in international documents, especially the GDPR, that is, the European Data Regulation, and included in the authorized board decisions of the countries. In Article 4 of the Personal Data Protection Law, the procedures and principles regarding the processing of personal data are regulated in parallel with the Convention No. 108 and the European Union Directive No. 95/46/EC. According to this; The general (fundamental) principles listed in the law in the processing of personal data are as follows:
• Being in compliance with the law and the rules of honesty,
• Being accurate and up-to-date when necessary,
• Being processed for specific, clear and legitimate purposes,
• Being limited and proportionate to the purpose for which they are processed,
• Being in accordance with the relevant legislation . retained for the period envisaged or necessary for the purpose for which they are processed.
These principles are applied to disputes on the basis of the boards and judicial authorities authorized to take regulatory action. In order for us to be able to say that personal data is obtained and processed in accordance with the law, the data in question must be processed by taking into account the principles and fundamental motives inherent in the principles above.
E. LEGAL REASONS AND PURPOSES BASED ON STORAGE AND PROCESSING OF
PERSONAL DATA The concept of processing personal data is defined in the 3rd article of Law No. 6698, in the 4th article, the personal data processed must be related to the purpose for which they are processed, limited and proportionate, and must be kept for the period foreseen in the relevant legislation or required for the purpose for which they are processed. It is stated that it should be processed, and the processing conditions of personal data are listed in Articles 5 and 6.
Accordingly, within the framework of our Institution's activities, personal data is stored for a period of time stipulated in the relevant legislation or appropriate for our processing purposes.
Personal data obtained within the scope of the company's activities are stored and processed for the following purposes;
• Ensuring cooperation and communication between companies,
• Maintaining corporate activities,
• Creating customer cards,
• Carrying out internal and external operations of the company in the fields of accounting, finance and marketing,
• Fulfilling obligations arising from legal regulations,
• To enable relevant people to benefit from the products and services offered by the company. Carrying out the necessary work by business units and carrying out the relevant business processes,
• Carrying out the necessary work by the relevant business units to realize the commercial activities carried out by the company and carrying out the related business processes,
• Customizing the products and services offered by the company according to the tastes, usage habits and needs of the customers. To be able to offer more personalized products and services to customers,
• To carry out activities or commercial relations with solution partners and contractual parties,
• To be able to inform customers about products and services, to measure their satisfaction through surveys, to evaluate quality unit production within the company,
• To be able to create products and services in line with customers' requests. and development,
• Ensuring the safety of our company and employees,
• Being able to be used as evidence in legal disputes that may arise, •
Ensuring the legal, technical and commercial/occupational security of customers who have business relations with the company,
• Ensuring compliance with service and quality standards,
• Carrying out after-sales services ,
• Fulfillment of contractual and legal obligations in accordance with the relevant articles of the distance sales contract and the Law on Consumer Protection and ensuring compliance processes in accordance with new legal regulations,
• Fulfillment of legal obligations and requests of authorized institutions and organizations in line with the protected interests of third parties,
• Related to the website • Using cookies for analysis, performance, improvement of terms of use, evaluation of customer preferences and trends, determination of effective marketing methods,
• Tracking product and service orders and ensuring their delivery,
• Requested by public institutions and organizations, especially regulatory and supervisory institutions and organizations. It can be processed for the purposes of ensuring the provision of information and documents to the relevant institutions,
• Ensuring that the requested information and documents are shared with the judicial authorities in line with the requests of the judicial authorities.
Personal data processed by the institution within the scope of its activities are retained for the period stipulated in the relevant legislation. In this context, the legislations underlying the processing and storage of data are as follows;
• Personal Data Protection Law No. 6698,
• Turkish Code of Obligations No. 6098,
• Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed through These Publications,
• Law No. 4982 on Access to Information,
• Law No. 3071 on the Exercise of the Right to Petition,
• Turkish Commercial Code No. 6102
• Law No. 6502 on Consumer Protection
• Law No. 6563 on the Regulation of Electronic Commerce •
Tax Procedure Law No. 213
• Income Tax Law No. 193
• Regulation on Distance Contracts Published in the Official Gazette No. 27866
• Regulation No. 29417 Dated 15.07.2015 Regulation on Commercial Communication and Commercial Electronic Messages Published in the Official Gazette
• After-Sales Services Regulation Published in the Official Gazette No. 29029 and Dated 13.06.2014
• Regulation on Measures Concerning the Prevention of Laundering Proceeds of Crime and Financing of Terrorism No. 26751
Data up to the periods included in the above-mentioned legislative provisions It is processed and destroyed in the first destruction period at the end of the period.
F. DATA TITLES AND CONTENTS RELATING TO THE PROCESSED DATA
We can categorize the personal data collected from the collection methods explained above, in accordance with the purposes and legal regulations explained above, as follows.
Identity data; Name, surname, TR ID
number Contact data; Phone, e-mail, workplace address, residence address
Customer Transaction Data: Call center records, Invoice, promissory note, check information, order information, demand information, satisfaction, quality and recommendation surveys, Data regarding complaint contents,
Financial data; Bank account information, credit card information, balance sheet information if necessary for risk management in case of commercial shopping, financial performance information, credit and risk information, asset information,
marketing data; Shopping history information
Legal Transaction Data; In case of a legal issue or lawsuit, information in correspondence with judicial authorities, information and documents in the case file
Study data; Company he/she works for, department, way of working, profession, title, signature circular.
Visual and audio data; Camera recordings
Website/Application usage data;The user's on-site activities, the user's mouse movements.
The above data is not collected within the scope of every branch, and the scope of the data to be collected may narrow depending on whether you are a corporate customer, real customer or potential customer. However, no other data is received apart from the above data.
G. TRANSFER OF PERSONAL DATA
As the Data Controller ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC.LTD.ŞTİ, taking into account the principles stated in Article 4
of Law No. 6698 ,
It is necessary to protect the life or physical integrity of oneself or another person,
• It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract,
• It is mandatory for the data controller to fulfill its legal obligation, It is done by the data subject himself. being made public,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person,
• Protection of public health, preventive medicine, medical diagnosis, treatment. Transfers can be made to third parties and institutions for the execution of care services, planning and management of health services and their financing, provided that the conditions stated in Articles 8 and 9 of the KVKK and the measures determined by the Board are taken.
The data in question is the relevant personnel of our company, company managers, the domestic servers we use, the domestic institutions and organizations from which we receive cloud services, persons and organizations that process data on behalf of the data controller and provide measurement, targeting and profiling support, lawyers, audit companies, business and It can be shared with solution partners, suppliers, judicial authorities, regulatory and supervisory institutions and official authorities.
Among the processed data, data in the form of name and surname, TR Identity Number, location, address, telephone, tax number can be shared with our foreign affiliated companies and foreign servers and data centers used by communication, storage and communication programs that transfer online data abroad.
Although the country where data is transferred varies in terms of foreign servers and data centers used by communication, storage and communication programs that transfer data online, the headquarters of Google and Microsoft Based Online applications is the United States, and Yandex's headquarters is Russia. Again, in terms of WhatsApp application, the center in question is the United States, while in terms of Telegram, it is Russia.
H. PERSONAL DATA STORAGE AND DESTRUCTION POLICY
January and July of the year have been determined as the destruction periods for the destruction of data within our company. Personal data obtained from relevant persons will be deleted, destroyed or anonymized by the personnel/personnel responsible for the protection of data within the company within the following destruction period after the expiry of the retention period. Minutes regarding the destruction process will be kept in an independent location by the personnel responsible for the protection of data within the company for 3 (three) years. These minutes will be destroyed after three years. Regarding the destruction process, the Regulation on Deletion, Destruction or Anonymization of Personal Data No. 30224 dated October 28, 2017 and the provisions of the Personal Data Protection Law No. 6698 will be taken as basis. You can access the data security policies and destruction policies we follow in this process under the KVKK Destruction Policy heading on our website with the extension https:// www.alminprofil.com.tr/ KVKK-1.html .
The reasons that require destruction are as follows:
• Change or abolition of the relevant legislation provisions underlying the processing of the data in question
, • Elimination of the purpose underlying the processing and storage of the data,
• In cases where personal data is processed only based on the condition of explicit consent, the relevant person withdraws his/her explicit consent,
• Relevant person If the person's application to the company for deletion, destruction or anonymization of data within the scope of Article 11 No. 6698 is accepted,
• If the request for anonymization, destruction or anonymization made to the company is not found appropriate, if the request of the relevant person in the complaint made to the Board is accepted,
• The expiration of the storage period and the absence of any condition specific to the concrete case that would justify storing it for a longer period of time.
Article 12 of the Law and the fourth paragraph of Article 6 of the Law are required for the safe storage of personal data, prevention of unlawful processing and access, and lawful destruction of personal data. Technical and administrative measures are taken by the Company within the framework of adequate measures determined and announced by the Board for special personal data.
Your personal data will be stored as long as our customer and company relationship continues, and will be kept for 10 (ten) years following the termination of the contractual or other legal relationship in question. In accordance with the list attached to the After-Sales Services Regulation published in the Official Gazette No. 29029 and dated 13.06.2014, data regarding repair, after-sales installation, maintenance and repair services for some goods in the list can be stored for 15 years. Data regarding cookies and LOG records will be kept for a maximum of 2 years in accordance with the Internet Law No. 5651. During the first destruction period after the end of the storage period, the data stored electronically will be deleted or anonymized, and other data will be destroyed by burning, by the data controller's personnel exclusively dedicated to this task, using methods within the scope of the Personal Data Protection Law and relevant regulations. These destruction procedures will be recorded. Detailed explanations regarding the destruction and storage policies in question, especially regarding storage periods, can be found under the heading titled KVKK Disposal Policy on our website.
When the relevant person requests the deletion or destruction of his personal data by applying to ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC.LTD.ŞTİ pursuant to Article 13 of the Law;
1. If all the conditions for processing personal data have been eliminated; The Company deletes, destroys or anonymizes the personal data subject to the request using an appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request. In order for the Company to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the company informs the relevant person about the transaction.
2. If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest. The person concerned reserves the right to complain to the institution. In this context, relevant persons may apply to the Board within 60 (sixty days) after they learn that their requests have been rejected.
3. In this context, applications to be made to our Company in "written" form,
• By the Applicant's personal application,
• Through a notary,
• By signing by the Applicant with the "secure electronic signature" defined in the Electronic Signature Law No. 5070,
• By sending to the Company's registered e-mail address. , may be forwarded to us.
In order to convey your requests and complaints in order to exercise your rights mentioned in this context, our contact information is given in detail in this clarification text under the heading RIGHTS OF THE WORKER AS A RELATED PERSON.
I. RIGHTS OF THE WORKER AS A RELATED PERSON
Your rights as a relevant person whose data is processed are written as follows in Article 11 of Law No. 6698;
• You can find out whether we process personal data about you, and if we do or have processed personal data, you can request information about it.
• You can learn the purpose of processing your personal data and whether they are used for their intended purpose.
• You can find out whether your personal data is transferred domestically or abroad and to whom it is transferred.
• You may request that your inaccurate or incomplete personal data be corrected and that the recipients to whom this data has been or may have been transferred be informed.
• You can request that your personal data be destroyed (deleted, destroyed or anonymized) within the framework of the conditions stipulated in Article 7 of the KVKK. However, by evaluating your destruction request, we will evaluate which method is appropriate according to the circumstances of the concrete case. In this context, you can always request information from us about why we chose the destruction method we chose.
• You may request that third parties to whom your personal data has been or may be transferred be informed about your destruction request.
• You can object to the results of your personal data analysis, which were created exclusively using an automated system, if these results are contrary to your interests.
• If you suffer damage due to unlawful processing of your personal data, you can request compensation for the damage.
As the data controller, we are obliged to process and evaluate the applications made by the relevant person in accordance with Law No. 6698. Your requests in your Personal Data Breach Application will be finalized free of charge within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost for the Company, the fee specified in the Communiqué on the Procedures and Principles of Application to the Data Controller may be charged by the Personal Data Protection Board.
If an application is made and the application is rejected by the company, you have the right to apply to the Personal Data Protection Board within thirty days from the date you receive the rejection decision. If no notification is made to you, as the Data Controller, within 30 days, an application can be made to the Board within 30 days from the date of thirty days. In order to avoid confusion regarding application periods, it is useful to look at the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9 on the Calculation of the Application to the Data Controller and Complaint Periods to the Board, the decision in question is as follows;
• If the data controller responds to the application made by the relevant person within 30 days, the relevant person can file a complaint within 30 days following the response of the data controller, and in this respect, in such cases, the relevant person does not have 60 days from the date of application to the data controller,
• The application made by the relevant person In case the data controller does not provide a response, the relevant person may file a complaint with the Board within 60 days from the date of application to the data controller,
• If the data controller responds to the application made by the relevant person after the 30-day period granted in the Law, the relevant person may file a complaint within the 30-day period granted to the data controller in the Law. Considering that the relevant person is not obliged to wait for the response to be given and that he can complain to the Board upon the expiry of the period given to the data controller, the relevant person can make a complaint to the Board within 60 days from the date of application to the data controller, not 30 days from the date the data controller responds to him,
regarding the processing of your personal data. You can make your application on the matters by filling out the application form on the Company's website or by following methods, provided that you comply with the procedures and principles specified in Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller:
• In writing and signed by a notary or registered mail
• Registered e-mail (KEP) ) by e-mail sent from your address
• By secure electronic signature or mobile signature
• By notification to your e-mail address
• By notification to 0312 267 58 80
It is beneficial not to lose the registration numbers given to you for the above notifications in terms of file and transaction tracking, and they are the same as the notifications made to us. Feedback can be provided by method or registered mail.
In order to make an application, the information of the Data Responsible is as follows:
Title: ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC. LTD. ŞTİ.
Mersisno: 0-0550-4031-2600017
E-mail address: bilgiislem@alminprofil.com.tr
Postal Address: ASO 1. Org. Singing. Region. Dagestan Cad. No:9 Sincan/ANKARA
Tel: 0312 267 58 80
If it is understood by us that the data of the relevant persons were obtained in violation of the procedures and laws, or if there is a reasonable suspicion in this regard, it will be reported to the board as soon as possible in accordance with Article 12 of the KVKK. The shortest time to understand is 2 72 hours.
I. UPDATE AND COMPLIANCE
The Company reserves the right to make changes to this Policy and other policies affiliated and related to this Policy due to changes made in the Law, in accordance with the decisions of the KVK Board or in line with developments in the sector or the field of informatics. When there is a change within the scope of the policies in question, you will be notified by announcement and certified copies of the old policies will be kept for 3 (three) years
. Changes made to this Policy are immediately recorded in the text and explanations regarding the changes are explained at the end of the Policy.
The complaint form you can make to our company, the complaint form you can make to the KVK Institution, this clarification text and the KVKK Policies can be found at the following link(s); You can reach https:// www.alminprofil.com.tr/ KVKK-1.html .
In addition, the technical and administrative measures taken by us are arranged in detail under the title of KVKK Policy on our website, where you can access the necessary information.
------------------------Footnotes------------------
1-a) Compliance with law and honesty comply with the rules.
b) Being accurate and up to date when necessary.
c) Processing for specific, clear and legitimate purposes.
ç) Being related to the purpose for which they are processed, limited and proportionate.
d) To be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
2- With the decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10;
Paragraph (5) of Article 12 of the Law states: "In case the processed personal data is obtained by others through illegal means, the data controller shall notify this situation to the person concerned and the Board as soon as possible..." The expression "as soon as possible" in the provision should be interpreted as 72 hours, and in this context, the data controller should notify the Board without delay and within 72 hours at the latest from the date of learning of this situation, and following the determination of the persons affected by the data breach by the data controller, the relevant persons should be notified as soon as possible. Within the period, if the contact address of the relevant person can be reached, notification will be made directly, or if not, notification will be made by appropriate methods such as publishing it on the data controller's own website,
Address
ASO 1.Organized Industrial Zone Dagestan Cd. No:9 Sincan / ANKARA / TURKEY
