The data controller is ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC.LTD.ŞTİ. All kinds of personal data processed within our company are protected within the scope of relevant national and international legislation, especially the Personal Data Protection Law No. 6698. Our company takes technical and administrative measures in a timely manner to ensure the necessary protection, and in case of any suspicion of violation, it makes the necessary notifications to the relevant individuals, institutions and organizations within the framework of legal provisions as soon as possible.
A. DEFINITIONS
Explicit consent, within the scope of Directive 95/46 EC, should be understood as a statement of approval given by the relevant person freely, with sufficient information on the subject, in a clear manner that leaves no room for hesitation, and limited only to that transaction, to the processing of data about him/her.
Anonymization of personal data means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Data recording system refers to the recording system in which personal data is structured and processed according to certain criteria. The systems in question can be physical or digital. Data can be processed according to more than one criterion within the system in question. For example, data can be recorded and processed based on a registration system based on name and surname, Turkish Republic of Northern Cyprus or place of birth.
Data controller is the person responsible for the processing, transfer, deletion of direct data and other obligations under the law within the scope of Law No. 6698. They are those who determine the purposes and means of processing personal data and are responsible for establishing and managing the data recording system. These persons may be natural persons or legal entities such as public institutions, companies, associations or foundations. Within the scope of this clarification text, ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC.LTD.ŞTİ. represents the company.
Data processors are real and legal persons who process data on behalf of the data controller. These persons may be employees who process personal data within the framework of the instructions given to them, or they may be a separate natural or legal person determined by the data controller by purchasing services. Any natural or legal person can be both a data controller and a data processor at the same time. For example, while an accounting company is considered a data controller for the data it holds about its own personnel, it will be considered a data processor for the data it holds for its customer companies.
Relevant Person refers to the real person whose personal data is processed, that is, the worker within the scope of this agreement.
Destruction,It refers to the deletion, destruction or anonymization of personal data.
B. METHODS OF COLLECTION OF PERSONAL DATA
Your personal data consists of information and documents received within the scope of your dialogues and communication with our company. Reference letters sent to us and preliminary agreements and contracts concluded, job application forms and trial period employment contracts, website cookie applications, online forms filled out on the website, mobile applications, suggestion/complaint form, various contracts, online, especially in e-mail environments. Information, documents and application forms obtained from communication channels, security cameras, letters, warnings, incident reports and minutes kept within the scope of the workplace are the main data collection sources. These data are obtained and processed in accordance with our data policy and Board decisions, taking into account the conditions within the scope of Articles 5 and 6 of the Personal Data Protection Law (KVKK) and the principles included in Article 4. In all these processes, it is aimed to prevent unnecessary data acquisition by taking into account the principles of proportionality and proportionality.
C. PROCESSING OF PERSONAL DATA
Processing of personal data is defined in paragraph 3/e of Law No. 6698 as follows:
"Processing of personal data: Obtaining and recording personal data by fully or partially automatic or non-automatic means, provided that it is part of any data recording system, "Any operations carried out on data such as storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use". How the
information in the nature of personal data in question will be processed is stated in Article 5 of the same law. It is stated as follows:
'' (1) Personal data cannot be processed without the explicit consent of the relevant person.
(2) It is possible to process personal data without the express consent of the relevant person if one of the following conditions exists:
a) It is clearly provided for by law.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned. The
above mentioned articles also mean the conditions for processing personal data and are binding on us as the data controller. When we look at the scope of these articles, explicit consent will not be required for the processing of data in the fulfillment of legal obligations, publicized data, and in cases where our legitimate interest requires it, as long as it does not harm the fundamental rights and freedoms of individuals.
D. SPECIAL PERSONAL DATA AND PROCESSING CONDITIONS
Some data are in a more indispensable position compared to other personal rights in terms of their qualities, nature and the area they intervene in. For this reason, the protection and processing of these rights are regulated separately and with strict formal conditions within the scope of the law in question. Personal rights of a special nature are defined and listed as follows in paragraph 6/1 of the law:
"A person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, Data regarding sexual life, criminal convictions and security measures, and biometric and genetic data are special personal data.''
How the said rights can be processed is stated as follows in other paragraphs of the same article:
''(2) Special quality personal data, Processing without consent is prohibited.
3) Personal data other than health and sexual life listed in the first paragraph may be processed without the explicit consent of the relevant person in cases stipulated by law. Personal data regarding health and sexual life can only be used by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing, without the express consent of the relevant person. can be processed.
(4) In the processing of special categories of personal data, it is also essential to take adequate measures determined by the Board.
It may be possible for private personal data to be processed by organizations or entities such as non-profit political parties, foundations, associations or unions, as a requirement of their activities. The organizations and formations in question will be able to process the special personal data of their members and members in accordance with the establishment purposes, that is, in accordance with the law and limited to the purpose. Storing membership information of a political party means processing of special personal data. As stated above, these organizations and entities can only process these data in accordance with their fields of activity and purposes. For example, a union will only keep its workers' union membership records and will not be able to process their private data regarding their political views or health conditions.
If personal data of a private nature has been made public by the relevant person, that is, has become available to the public, it is possible to process the data in question. In such a case, the data controller will not be held responsible. According to the prevailing view, the legally protected interest of the person concerned has been eliminated in such cases. The point that needs to be considered here is the scope of publicization.
As with personal data, if processing of special data is mandatory for the establishment, exercise or protection of a right, processing is considered lawful without requiring consent. If a workplace that is obliged to employ disabled workers receives and processes the data of the employee in question, that is, shares it with relevant institutions and organizations, explicit consent is not required. Similarly, if the disabled person or his/her guardian who wants to buy a vehicle by taking advantage of the SCT exemption shares the data in question with the Tax Office and the office processes the data, explicit consent will not be required.
When an evaluation is made regarding the processing conditions of special personal data received within the company, the quality of the data in question is important when we look at Article 6 of the law. In the second paragraph of the said law article, it is stated that special personal data can only be processed with explicit consent. In other words, the rule in processing special personal data is explicit consent. However, in paragraph 6/3 of the law in question, it is stated that they can be processed in cases clearly stipulated in the law, except for data regarding health and sexual life. Since the situations written in the law are not regulated as exceptions in terms of data related to health and sexual life, our company requires explicit consent during the processing of these data.
Periodic examination forms and reports are the main data taken as health data. Data regarding sexual life is not collected. Our company also obtains express consent from special personal data in criminal record records.
E. BASIC PRINCIPLES GOVERNING DATA PROCESSING
All kinds of processes such as the use of fully or partially automatic recording methods or obtaining by non-automatic methods, partial or complete modification, categorization, transfer, recording, storage, destruction of personal data belonging to real persons are personal data. It is called processing of data. As can be understood from this explanation, all processes of obtaining, storing, transferring and destroying the data are data processing.
There are basic principles regarding the processing of personal data that are accepted in international documents, especially the GDPR, that is, the European Data Regulation, and included in the authorized board decisions of the countries. In Article 4 of the Personal Data Protection Law, the procedures and principles regarding the processing of personal data are regulated in parallel with the Convention No. 108 and the European Union Directive No. 95/46/EC. According to this; The general (fundamental) principles listed in the law in the processing of personal data are as follows:
• Being in compliance with the law and the rules of honesty,
• Being accurate and up-to-date when necessary,
• Being processed for specific, clear and legitimate purposes,
• Being limited and proportionate to the purpose for which they are processed,
• Being in accordance with the relevant legislation . retained for the period envisaged or necessary for the purpose for which they are processed.
These principles are applied to disputes on the basis of the boards and judicial authorities authorized to take regulatory action. In order for us to be able to say that personal data is obtained and processed in accordance with the law, the data in question must be processed by taking into account the principles and fundamental motives inherent in the principles above.
F. REQUESTED PERSONAL DATA AND THE METHODS OF STORING THEM
As the data controller, the following information must be collected from the workers due to the Labor Law, the employment contract between us, the creation of your personnel file as required by the job and other reasons. The information and documents to be requested are as follows:
• Employment contract/business regulations
• Employment declaration
• Photocopy of ID
• Residence certificate
• Driving license and driver certificate information and documents
• Criminal record
• Health report
• Picture
• Diploma and education documents
• Spouse and children identity photocopies/information
• Periodic examination form
• Permission forms
• Documents regarding the worker or minutes and events involving the worker
• Signed pay slips/account slips
• Contact information (mail, telephone, etc.) and contact information of a relative for emergencies
• Account information for payments
• Union information
• Previous workplace personal health file
• Risk reports received from credit rating agencies (such as Findeks reports)
• Accurate Family Population Registry Sample ( Without divorce and ex-spouse information)
G. LEGAL REASONS AND PURPOSES BASED ON STORAGE AND PROCESSING OF PERSONAL DATA
The concept of processing personal data is defined in the 3rd article of Law No. 6698, in the 4th article, the personal data processed must be related to the purpose for which they are processed, limited and proportionate, and the or stipulated in the relevant legislation It is stated that they should be kept for the period necessary for the purpose for which they are processed, and the processing conditions of personal data are listed in Articles 5 and 6.
Accordingly, within the framework of our Institution's activities, personal data is stored for a period of time stipulated in the relevant legislation or appropriate for our processing purposes.
Legal Reasons for Data Processing and Storage of Data from Sub-Heads of Data Processing:
Personal data processed in the Institution within the scope of its activities are retained for the period stipulated in the relevant legislation. The laws underlying the processing of data and the storage of data, which is a data processing, are as follows;
• Personal Data Protection Law no. 6698,
• Turkish Code of Obligations no. 6098,
• Public Procurement Law no. 4734,
• Social Security and General Health Insurance Law no. 5510,
• No. 5651 on Regulating Publications Made on the Internet and Combating Crimes Committed Through These Publications The Law,
• Public Financial Management Law No. 5018,
• Occupational Health and Safety Law No. 6331,
• Law No. 4982 on Access to Information,
• Law No. 3071 on the Exercise of the Right to Petition,
• Labor Law No. 4857,
• Pensioner Health Law No. 5434,
• Law No. 6102 Turkish Commercial Code
No. 6502 on Consumer Protection Law
No. 6563 on the Regulation of Electronic Commerce Processing
Purposes Requiring Storage
Personal data obtained within the scope of the Company's activities are stored and processed for the following purposes;
• Carrying out internal human resources processes.
• Ensuring internal communication within the company.
• To ensure the security of the company, its employees and third party real and legal persons.
• Required by the protected legal interests of the company and its employees and third party real and legal persons.
• Conducting statistical studies and making risk assessments.
• To ensure in-house event management.
• To manage relationships with business partners, transporters or suppliers.
• Carrying out demand and complaint management.
• To be able to carry out work and transactions as a result of signed contracts and protocols.
• To transmit to the Authority the necessary information and documents to fulfill the obligations imposed on us in accordance with Law No. 6698.
• To ensure the fulfillment of legal obligations as required or required by legal regulations.
• To contact real and legal persons who have business relations with the company.
• Carrying out operations within the scope of the company's production and marketing policies.
• Making legal reports.
• To provide proof of material and legal facts as evidence in possible disputes that may arise in the future.
• To keep track of the Payroll transactions of the account and identity data in question (kept in the accounting program and kept in the data storage area of the said program).
• Making process management mandatory for institution notifications within the scope of the Social Insurance and General Health Insurance Law No. 5510, in order to protect incentives and other legal financial rights in favor of employees/workers.
• To ensure the continuation of internal communication and activities within the Institution, limited to the purpose, with solution partners or third parties and companies regarding reasons such as transportation of your personal data, vehicle supply, business card printing.
• To protect the legal rights of the company or third parties in case legal conditions are met
. • To ensure that audit activities are carried out in accordance with the legislation for the relevant institution auditors in terms of payroll or health information.
• To ensure urgent process management of the contact information of the relevant person's relatives and family.
• Keeping track of entry and exit from work.
• Ensuring physical space security and network security.
• To determine the appropriate personnel for the repair of company vehicles.
• To follow up the training processes.
• To fulfill obligations towards public institutions and organizations, especially İŞKUR and SGK, to which it is mandatory to share data in favor of workers.
• To ensure the provision of information and documents requested by public institutions and organizations, especially regulatory and supervisory institutions and organizations, to the relevant institutions.
• To ensure that the requested information and documents are shared with the judicial authorities in line with the requests of the judicial authorities.
• Creating personnel files.
• Managing assignment processes.
• Creating an authority matrix.
The data obtained for the above purposes will be protected by data processors within the legal periods, keeping their confidentiality under the supervision of the data controller. Our company's data processors are as follows:
• Our company's accounting department/unit
• Our company's human resources department/unit
• Our company's disciplinary board
• Our company's persons responsible for the protection of personal data
• Our company's contact person (this person is also the person responsible for the protection of personal data)
• During recruitment and within the company Administrative personnel in worker interviews with authorization
• Company doctor
• Unit chiefs in terms of performance evaluations
• Company lawyers
• Financial advisors
• Special service providers
• IT department
• Technical personnel
• Marketing Department
Depending on the nature of the job in question, other persons may also process data as required by the situation and the work. can enter the status. Whoever has the title of data processor will try to ensure data security in accordance with the relevant legislation and will use the data in question for a limited purpose. For example, health records will not be reviewed by the accounting department.
Personal data will be kept locked by data processors in a place where they cannot be accessed by anyone, with a key allocated only to the processor. The security of the data in question will be ensured by cameras operating 24 hours a day.
You can access the technical and administrative measures taken during the processing and exclusive storage of personal data from the explanations under the KVKK Destruction Policy and KVKK policy headings under the KVKK heading on the extension website.
H. STORAGE PERIOD AND DESTRUCTION OF PERSONAL DATA
January and July are determined as the destruction periods of the year for the destruction of data within our company. Personal data obtained from relevant persons will be deleted, destroyed or anonymized by the personnel/personnel responsible for the protection of data within the company within the following destruction period after the expiry of the retention period. Minutes regarding the destruction process will be kept in an independent location by the personnel responsible for the protection of data within the company for 3 (three) years. These minutes will be destroyed after three years. Regarding the destruction process, the Regulation on Deletion, Destruction or Anonymization of Personal Data No. 30224 dated October 28, 2017 and the provisions of the Personal Data Protection Law No. 6698 will be taken as basis. For detailed information about disposal : https:// www.alminprofil.com.tr/ KVKK-1.htmlYou can access it under the KVKK Disposal Policy heading on our website with the extension.
The reasons that require destruction are as follows:
• Change or abolition of the relevant legislation provisions underlying the processing of the data in question
, • Elimination of the purpose underlying the processing and storage of the data,
• In cases where personal data is processed only based on the condition of explicit consent, the relevant person withdraws his/her explicit consent,
• Relevant person If the person's application to the company for deletion, destruction or anonymization of data within the scope of Article 11 No. 6698 is accepted,
• If the request for anonymization, destruction or anonymization made to the company is not found appropriate, if the request of the relevant person in the complaint made to the Board is accepted,
• The expiration of the storage period and the absence of any condition specific to the concrete case that would justify storing it for a longer period of time.
Article 12 of the Law and the fourth paragraph of Article 6 of the Law are required for the safe storage of personal data, prevention of unlawful processing and access, and lawful destruction of personal data. Technical and administrative measures are taken by the Company within the framework of adequate measures determined and announced by the Board for special personal data.
Personal data collected from workers are stored and destroyed in different time periods depending on their characteristics. Submitted to the Social Security Institution with recruitment documents; Personnel data, which are the basis for notifications regarding length of service and wages, are retained for a period of 15 (fifteen) years during and after the termination of the service contract. The data in question will be destroyed during the destruction period after the end of this period. Submitted to the Social Security Institution with recruitment documents; Personnel data, other than personnel data based on notifications regarding service period and salary, are kept for a period of 10 (ten) years from the beginning of the calendar year following the continuation of the service contract and its termination. The data in question will be destroyed during the destruction period after the end of this period. The Data in the Workplace Personal Health File is kept for a period of 15 (fifteen) years, during and after the termination of the service contract, for 20 (twenty) years if there is a fatal work accident, and for 30 (thirty) years if the work accident involves a criminal case. The data in question will be destroyed during the destruction period after the end of this period. Detailed explanations regarding the destruction and storage policies in question, especially regarding storage periods, can be found under the heading titled KVKK Disposal Policy on our website.
The relevant person is ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC.LTD.ŞTİ. pursuant to Article 13 of the Law. requests the deletion or destruction of his/her personal data;
1. If all the conditions for processing personal data have been eliminated; The Company deletes, destroys or anonymizes the personal data subject to the request using an appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request . In order for the Company to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the company informs the relevant person about the transaction.
2. If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest. The person concerned reserves the right to complain to the institution. In this context, relevant persons may apply to the Board within 60 (sixty days) after they learn that their requests have been rejected.
3. In this context, applications to be made to our Company in "written" form,
• By the Applicant's personal application,
• Through a notary,
• By signing by the Applicant with the "secure electronic signature" defined in the Electronic Signature Law No. 5070,
• By sending to the Company's registered e-mail address. , may be forwarded to us.
Our contact information for submitting your requests and complaints in order to exercise your rights mentioned within the scope of this information text is given in detail under the title of RIGHTS OF THE WORKER AS A RELATED PERSON in this information text.
I. TRANSFER OF PERSONAL DATA
How and under what conditions personal data will be transferred to third parties within the borders of the country is regulated within the scope of Article 8 of the Personal Data Protection Law. According to this article, it is possible to transfer personal data only if the individuals have their explicit consent. However, in the same law article, it is written that personal data can be transferred without explicit consent if the conditions under Articles 5 and 6 are met. The result of interpreting the articles of law in question together is;
• Obtaining the explicit consent of the person concerned,
• Explicitly foreseen in the law,
• It being mandatory for the protection of the life or physical integrity of the person who is unable to express his consent due to actual impossibility or whose consent is not given legal validity,
• Directly related to the establishment or execution of a contract. Provided that the processing of personal data belonging to the parties to the contract is necessary,
• It is mandatory for the data controller to fulfill its legal obligation,
• It has been made public by the relevant person himself,
• It is possible to transfer personal data if data processing is mandatory for the establishment, exercise or protection of a right,
• If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
In order to transfer special personal data;
• If the explicit consent of the relevant person is obtained,
• If it is clearly provided for by law in terms of special personal data other than health and sexual life,
• In case of personal data related to health and sexual life, the protection of public health, preventive medicine, medical diagnosis, treatment and care services are carried out. For the purpose of planning and management of health services and financing, personal data of a special nature may be transferred to third parties by persons under the obligation of confidentiality or by authorized institutions and organizations.
Unlike personal data that can only belong to real persons, "data controller" and "data processor" can be both natural and legal persons. Any natural or legal person who performs operations on personal data is either a data controller or a data processor, depending on the purposes and methods of data processing. In this context, the regulations in Article 8 of the Law must be complied with for any data transfer between the two categories of persons in question.
It is possible to transfer personal data to public and private legal entities abroad within the scope of our company's scope of activity and commercial interests, in accordance with legal conditions. According to Article 9 of the Law, data transfer abroad;
• There is explicit consent of the relevant person,
• In the presence of the conditions specified in the Law (conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 of the Law), there is adequate protection in the country to which data will be transferred (countries deemed safe by the Board),
• In the presence of the situations specified in the Law (conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 of the Law) and if there is no adequate protection in the country to which data will be transferred (countries that are not considered safe by the Board), adequate protection must be committed in writing and the Board It can be carried out with the permission of .
In the light of the above explanations, the data in question is the relevant personnel of our company, company managers, the domestic servers we use, persons and organizations that process data on behalf of the data controller and provide measurement, targeting and profiling support, lawyers, audit companies, business and solution partners, suppliers, forensic It can be shared with authorities, regulatory and supervisory institutions and official authorities.
Among the processed data, data in the form of name, surname, telephone, address, location, health reports can be shared with overseas servers and data centers used by communication, storage and communication programs that transfer data online.
Although the country where data is transferred varies in terms of foreign servers and data centers used by communication, storage and communication programs that transfer data online, the headquarters of Google and Microsoft Based Online applications is the United States, and Yandex's headquarters is Russia. Again, in terms of WhatsApp application, the center in question is the United States, while in terms of Telegram, it is Russia.
J. RIGHTS OF THE WORKER AS A RELATED PERSON
Your rights as a relevant person whose data is processed are written as follows in Article 11 of Law No. 6698;
• You can find out whether we process personal data about you, and if we do or have processed personal data, you can request information about it.
• You can learn the purpose of processing your personal data and whether they are used for their intended purpose.
• You can find out whether your personal data is transferred domestically or abroad and to whom it is transferred.
• You may request that your inaccurate or incomplete personal data be corrected and that the recipients to whom this data has been or may have been transferred be informed.
• You can request that your personal data be destroyed (deleted, destroyed or anonymized) within the framework of the conditions stipulated in Article 7 of the KVKK. However, by evaluating your destruction request, we will evaluate which method is appropriate according to the circumstances of the concrete case. In this context, you can always request information from us about why we chose the destruction method we chose.
• You may request that third parties to whom your personal data has been or may be transferred be informed about your destruction request.
• You can object to the results of your personal data analysis, which were created exclusively using an automated system, if these results are contrary to your interests.
• If you suffer damage due to unlawful processing of your personal data, you can request compensation for the damage.
As the data controller, we are obliged to process and evaluate the applications made by the relevant person in accordance with Law No. 6698. Your requests in your Personal Data Breach Application will be finalized free of charge within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost for the Company, the fee specified in the Communiqué on the Procedures and Principles of Application to the Data Controller may be charged by the Personal Data Protection Board.
If an application is made and the application is rejected by the company, you have the right to apply to the Personal Data Protection Board within thirty days from the date you receive the rejection decision. If no notification is made to you, as the Data Controller, within 30 days, an application can be made to the Board within 30 days from the date of thirty days. In order to avoid confusion regarding application periods, it is useful to look at the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9 on the Calculation of the Application to the Data Controller and Complaint Periods to the Board, the decision in question is as follows;
If the data controller responds to the application made by the relevant person within 30 days, the relevant person can file a complaint within 30 days following the response of the data controller, and in such cases, the relevant person does not have 60 days from the date of application to the data controller,
The application made by the relevant person If a response is not given by the data controller, the relevant person may file
a complaint with the Board within 60 days from the date of application to the data controller. Considering that the relevant person is not obliged to wait for the response to be given and that he can complain to the Board upon the expiry of the period given to the data controller, the relevant person can make a complaint to the Board within 60 days from the date of application to the data controller, not 30 days from the date the data controller responds to him,
regarding the processing of your personal data. You can make your application on the matters by filling out the application form on the Company's website or by following methods, provided that you comply with the procedures and principles specified in Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller:
• In writing and signed by a notary or registered mail
• Registered e-mail (KEP) ) by e-mail sent from your address
• By secure electronic signature or mobile signature
• By notification to your e-mail address
• By notification to 0312 267 58 80
It is beneficial not to lose the registration numbers given to you for the above notifications in terms of file and transaction tracking, and they are the same as the notifications made to us. Feedback can be provided by method or registered mail.
In order to make an application, the information of the Data Responsible is as follows:
Title: ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC. LTD. ŞTİ.
Mersisno: 0-0550-4031-2600017
E-mail address:bilgiislem@alminprofil.com.tr
Mailing Address: ASO 1st Org. Singing. Region. Dagestan Cad. No:9 Sincan/ANKARA
Tel: 0312 267 58 80
If it is understood by us that the data of the relevant persons were obtained in violation of the procedures and laws, or if there is a reasonable suspicion in this regard, it will be reported to the board as soon as possible in accordance with Article 12 of the KVKK. The shortest time to understand is 2 72 hours.
K. UPDATE AND COMPLIANCE
The Company reserves the right to make changes to this Policy and other policies related to this Policy due to changes made in the Law, in accordance with the decisions of the KVK Board or in line with developments in the sector or the field of informatics. When there are changes within the scope of the policies in question, these will be notified to the workers by announcement and certified copies of the old policies will be kept for 3 (three) years.
Changes made to this Policy are immediately incorporated into the text and explanations regarding the changes are explained at the end of the Policy.
The complaint form you can make to our company, the complaint form you can make to the KVK Institution, this clarification text and the KVKK Policies can be found at the following link(s); You can reach https:// www.alminprofil.com.tr/ KVKK-1.html .
------------------------Footnotes------------------
1- Application to the Data Controller and the Board The following principles are included in the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9 on the Calculation of Complaint Periods:
If the data controller responds to the application made by the relevant person within 30 days, the relevant person can file a complaint within 30 days following the response of the data controller, In this respect, in such cases, the relevant person does not have a period of 60 days from the date of application to the data controller,
If the data controller does not respond to the application made by the relevant person, the relevant person can file a complaint with the Board within 60 days from the date of application to the data controller,
In response to the application made by the relevant person. Considering that if the data controller gives an answer after the 30-day period granted in the Law, the relevant person is not obliged to wait for the response to be given after the 30-day period granted to the data controller in the Law and that he/she may file a complaint with the Board upon the expiry of the period granted to the data controller, the relevant person shall be informed that the data controller has responded to him/her. It has been deemed appropriate to make a complaint to the Board within 60 days from the date of application to the data controller, not 30 days from the date of application, and that the issues should be announced to the public with the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9.
2- With the decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10;
Paragraph (5) of Article 12 of the Law states: "In case the processed personal data is obtained by others through illegal means, the data controller shall notify this situation to the person concerned and the Board as soon as possible..." The expression "as soon as possible" in the provision should be interpreted as 72 hours, and in this context, the data controller should notify the Board without delay and within 72 hours at the latest from the date of learning of this situation, and following the determination of the persons affected by the data breach by the data controller, the relevant persons should be notified as soon as possible. Within the period, if the contact address of the relevant person can be reached, notification will be made directly, or if not, notification will be made by appropriate methods such as publishing it on the data controller's own website,