A. COMPANY STATEMENT
As the data controller, ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC. LTD. ŞTİ. protects all kinds of personal data processed within our company within the scope of the relevant national and international legislation provisions, especially the Personal Data Protection Law No. 6698. Our company takes technical and administrative measures in a timely manner to ensure the necessary protection, and in case of any suspicion of violation, it makes the necessary notifications to the relevant individuals, institutions and organizations within the framework of legal provisions as soon as possible.
The information of the Data Controller is as follows:
Title: ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC. LTD. ŞTİ.
MERSIS No: 0-0550-4031-2600017
E-mail address: bilgiislem@alminprofil.com.tr
Postal Address: ASO 1. Org. San. Böl. Dagestan Cad. No:9 Sincan/ANKARA
Tel: 0312 267 58 80
B. THE NECESSITY AND PURPOSE OF CREATING A POLICY
Within the scope of human rights that have developed over a long period, the values that make us who we are, that is, personal data, have gained additional importance in the world we have arrived at, and legal regulations have been prepared for their protection in the context of both criminal and compensation law. The rapid progress in the field of Information Technologies has facilitated the sharing of personal data and led to the development of arbitrary practices. In this context, in order to prevent arbitrariness, necessary legal and administrative regulations have been made and it has become a legal obligation for institutions to determine data protection policies. Thus, arbitrary use of people's personal data is prevented and data processing is subject to certain conditions.
C. IDENTIFICATION OF THE ADDRESSEE
This clarification and information text is addressed to all addressees who have any kind of relationship with our company, and to the relevant persons in the legal sense. Relevant persons in this scope are:
• All users who connect to our company through digital or physical channels and use these communication channels (our company's websites and social networking site extensions are:
https://www.alminprofil.com.tr/KVKK-1.html,
https://www.facebook.com/almin.profil/?modal=admin_todo_tour,
https://www.instagram.com/almin_profil/)
• Those who connect to the guest network (wifi) in the company's office, warehouses, stores and production facility
• Those who use Company Mobile applications and company-specific special programs
• All customers in the company database (CRM System)
• Customers who shop from company stores or websites.
• Those who visit our company stores for any purpose
• All customers who contact the COMPANY through the company's social media accounts (including but not limited to sharing comments and making requests)
• Third parties who enter into commercial relations with our company directly or through intermediary consultancy firms
• Company partners
• Those who are in the process of candidacy with the Company
• Those who are interning within the company
• All customers who fill out surveys and forms in order to benefit from the opportunities provided by the Company to its customers
• Our employee candidates who, in order to apply for a job at the Company, apply physically, through career portals, İŞKUR, via e-mail or through reference, or who send their CVs by filling out the form,
• Employees who currently continue to work within the Company,
• Individuals who are interning at our Company or working during a trial period,
• Former employees whose employment contracts have ended for any reason,
• All our business partners within the scope of our commercial activities and their employees,
• All natural persons who have shared or will share personal data with the company face to face, remotely, verbally, in writing or electronically, who have given or will give it directly, or who have enabled or will enable it to be acquired by the company,
• Supplier and transport companies within the scope of company activities,
• Solution partners who receive external services on matters that are not carried out within the company or that require additional expenses to be carried out,
• Company lawyers, financial advisors,
Apart from the relevant persons listed above, anyone who has any legal, humanitarian, commercial or other relationship with our company is the addressee of this text.
Personal data obtained within the scope of the services offered by our company (data processed through online form environments or the application dedicated to our company at the checkout) are never shared with third parties, and are kept only by the relevant data processors within the framework of our privacy and security policies, within the scope of legal obligations and the informed consent texts signed by the relevant persons. In case of business necessity or explicit consent, your information may be shared with support companies or service providers such as transportation companies within the scope of their privacy policies.
D. PROCESSING OF PERSONAL DATA AND BASIC PRINCIPLES GOVERNING DATA PROCESSING
Any process such as the use of fully or partially automatic recording methods or obtaining by non-automatic methods, partial or complete modification, categorization, transfer, recording, storage, destruction of personal data belonging to real persons is called processing of personal data. As can be understood from this explanation, all processes of obtaining, storing, transferring and destroying the data are data processing.
Your personal data may be processed in connection with the requirements of the commercial activities, workplace order and general operation within our company, within the scope of the provisions of Labor Law No. 4857, Personal Data Protection Law No. 6698, Turkish Code of Obligations No. 6098, Social Insurance and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331 and other laws. The data in question is obtained from the information within the scope of employment contracts, commercial contracts and other contractual relations, the relevant party's personnel file, the information and documents submitted by you, and the information and documents legally obtained from the relevant institutions or notified to us by the institutions. The data in question is processed within legal frameworks, limited to their exclusive purposes, by the data processors Human Resources, Data Protection Unit (DPO), Call Center, Accounting, Information Technology, Support Services and other service unit(s), under the supervision and responsibility of our data controller company. Data may also be processed by the institution's doctor and lawyer/lawyers for a limited purpose in accordance with the work and legal requirements.
There are basic principles regarding the processing of personal data that are accepted in international documents, especially the GDPR, that is, the European Data Regulation, and included in the authorized board decisions of the countries. In Article 4 of the Personal Data Protection Law, the procedures and principles regarding the processing of personal data are regulated in parallel with the Convention No. 108 and the European Union Directive No. 95/46/EC. According to this, the general (fundamental) principles listed in the law in the processing of personal data are as follows:
• Being in compliance with the law and the rules of honesty,
• Being accurate and up-to-date when necessary,
• Being processed for specific, clear and legitimate purposes,
• Being limited and proportionate to the purpose for which they are processed,
• Being retained for the period envisaged in the relevant legislation or necessary for the purpose for which they are processed.
These principles are applied to disputes by the boards authorized to take regulatory action and by judicial authorities. For personal data to be considered obtained and processed in accordance with the law, the data in question must be processed by taking into account the principles above and the fundamental motives inherent in them.
E. CONDITIONS FOR PROCESSING OF PERSONAL DATA
Processing of personal data is defined in paragraph 3/e of Law No. 6698 as follows:
"Processing of personal data: Any operation carried out on data, such as obtaining and recording personal data by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system, or storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data."
The conditions for processing are expressed as follows:
"Conditions of processing of personal data ARTICLE 5-
(1) Personal data cannot be processed without the explicit consent of the relevant person.
(2) It is possible to process personal data without the express consent of the relevant person if one of the following conditions exists:
a) It is clearly provided for by law.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned."
There are. For this reason, the protection and processing of these rights are regulated separately and with strict formal conditions within the scope of the law in question. Personal rights of a special nature are defined and listed as follows in paragraph 6/1 of the law:
"Data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data, are personal data of a special nature."
How the rights in question can be processed is stated as follows in other paragraphs of the same article:
"(2) It is prohibited to process special personal data without the express consent of the person concerned.
(3) Personal data other than health and sexual life listed in the first paragraph may be processed without the explicit consent of the person concerned in cases stipulated by law. Personal data regarding health and sexual life may be processed without the explicit consent of the person concerned only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons or authorized institutions and organizations that are under the obligation of confidentiality.
(4) In the processing of special personal data, it is also essential to take adequate measures determined by the Board."
It may be possible for private personal data to be processed by non-profit organizations or entities such as political parties, foundations, associations or unions, as a requirement of their activities. The organizations and formations in question will be able to process the special personal data of their members in accordance with their establishment purposes, that is, in accordance with the law and limited to the purpose. Storing membership information of a political party means processing of special personal data. As stated above, these organizations and entities can only process these data in accordance with their fields of activity and purposes. For example, a union will only keep its workers' union membership records and will not be able to process their private data regarding their political views or health conditions.
If personal data of a private nature has been made public by the relevant person, that is, has become available to the public, it is possible to process the data in question. In such a case, the data controller will not be held responsible. According to the prevailing view, the legally protected interest of the person concerned has been eliminated in such cases. The point that needs to be considered here is the scope of publicization.
As with personal data, if processing of special data is mandatory for the establishment, exercise or protection of a right, processing is considered lawful without requiring consent. If a workplace that is obliged to employ disabled workers receives and processes the data of the employee in question, that is, shares it with relevant institutions and organizations, explicit consent is not required. Similarly, if the disabled person or his/her guardian who wants to buy a vehicle by taking advantage of the SCT exemption shares the data in question with the Tax Office and the office processes the data, explicit consent will not be required.
G. REQUESTED PERSONAL DATA AND THE PURPOSES OF PROCESSING THEM
Contracts concluded with relevant persons, information and documents submitted by the parties to each other as a legal requirement of the established legal relationship, forms filled out on the internet or physically, information you have left to our call center or relevant unit representative, data obtained within the scope of the cookie policy, and information and documents obtained from other contacts are the main data sources.
Cookie policies are also applied in digital environments to provide better service to customers and other third parties and to inform them of discounts and other opportunities in their favor. Cookies are small files that are stored in users' browsers when a web page is visited. They keep a record of what people search for on websites in their browser history, and allow a website to keep browser records of movements on the site. Cookies were introduced by Netscape in 1994. Their initial purpose was to check whether a user had returned to a site they had previously visited. Nowadays, cookies are used to obtain much more information without deviating too much from their main purpose. Cookies are text files that allow us to be remembered. When our information is written to these files, the site recognizes us when we visit it again and there is no need to enter our information again. We browse various websites on the Internet and become members of some of them. We click on the remember me icon to avoid entering our username and password every time we enter the sites of which we are members. Cookies come into play as soon as we click on this icon. Our information is recorded in our special text file. Thanks to the information read from cookies, our information reaches the site and the site recognizes us from the moment we open it. There is also a cookie policy within our company, and you can access it from the following link: https://www.alminprofil.com.tr/KVKK-1.html
The cookie policy in question and your data obtained from virtual environments will be protected within the framework of limited legal provisions for the purpose of establishing marketing and advertising policies. Likewise, job applications, forms filled out in virtual environments for educational purposes, surveys and other information forms will be protected within legal frameworks, limited to their exclusive purposes. Within the framework of the execution of the Human Resources policy, the data in question can only be processed for this purpose within this department. If there is a notification in the forms, the data may be evaluated by another data processing unit within our organization. Such data may also be used as required by the legal relationship with customers, for example residence address and identity information if delivery is to be made, or customer account information and credit card information if payment will be received through the bank.
Although the requested data varies depending on the relationships the relevant persons have established with our company, they can be categorized as follows:
Identity Data | It is information about one or more natural persons that makes the person or persons identified or identifiable, processed by automatic, partially automatic or non-automatic methods. The information in question includes not only the TR ID information of the individuals but also the information contained in the documents that replace their identity. Examples include documents such as driver's license, identity card and passport containing information such as name-surname, TR ID number, nationality information, mother's name-father's name, place of birth, date of birth and gender, as well as data such as tax number, SSI number, signature information and vehicle license plate. |
Contact Data | These are data belonging to one or more natural persons, processed by automatic, partially automatic or non-automatic methods, enabling the person or persons to contact and communicate with each other. Information such as telephone number, address, e-mail address, fax number, IP address and ID numbers defined according to the communication applications used (such as ZOOM and Teamviewer). |
Family Members and Relatives Data | Family and relative information received from an identified or identifiable natural person or persons within the scope of an automatic or partially automatic system or a non-automatic method. What should be understood by relatives here are the people whom the relevant person whose data is processed has consented to be contacted in processes related to him/her. Consanguinity is not a requirement. These data are processed to ensure company process management, to manage the crisis process in emergency situations, and as required by law. |
Safety Data | Data regarding entry and exit records received from identified or identifiable natural person or persons within the company's physical campus, within the scope of an automatic or partially automatic system or a non-automatic method; camera records, card entry and exit records and information recorded in the relevant personnel book taken at the security point. |
Financial Data | All kinds of information and documents regarding the financial situation received from real persons by automatic or non-automatic methods are called financial data. The data received in question is diversified within the scope of the dialogues established with the company. For example, asking about risk status within the scope of Findex data when entering the company, using the account, that is, IBAN information, for salary after signing the employment contract. |
Audio/Visual Data | Data obtained from visual and audio recording media belonging to a real person or persons and the environments in which these data are stored. Only visual recording is made with the cameras within our company. There is no audio recording. |
Personnel Data | The data received within the scope of the personnel file, based on the contractual relationship you have established with our company and within the scope of Article 75 of the Labor Law, falls into this group. The data in question constitutes a wide range from identity information to health data. |
Special Personal Data | Data specified in Article 6 of the Personal Data Protection Law, belonging to real persons, processed by automatic, semi-automatic or non-automatic methods (e.g. health data including blood type, biometric data, religion and membership information, etc.). None of the special personal data related to associations, foundations, unions, religious or philosophical beliefs are processed within our company. Only special personal data such as clothing data, health data and criminal records are processed. |
Data Regarding Request/Complaint Management | Data obtained by automatic, semi-automatic or non-automatic methods during the company request and complaint process. |
Signature and Other Handwriting Information and Records | Data types, form letters, complaint petitions, etc. (Personal Data), the information of which will be determined by the User. (In case of digital signature, Special Personal Data) There is no digital signature application within the Company. |
Location Data | Location information of a real person or persons is considered as location data. The data in question is processed through software applications. Within the scope of the company's field of activity, the tracking and exit of products can be monitored through these applications. In this way, the safety of the products is ensured. |
Legal Transaction Data | Data obtained as evidence for legal disputes to which company employees and we are parties, and used before judicial authorities, are included in this group of data. For example, in a lawsuit alleging that the employee will be overpaid, the "no receivables" document signed by the employee and signed pay slips fall within this group. |
Professional experience | In order to carry out the company's recruitment processes, past experiences are collected from candidate employees in the form of narratives. |
Data on Risk Management | In order to carry out technical and administrative measures, the working procedures of the relevant employees and the environments in which they work are inspected in both routine and non-routine inspections. Personal data may be processed during this process, in the form of signing the minutes and taking the defenses. Personal data on dedicated computers is also monitored by audit personnel for security purposes. |
Clothing Data | Since the workplace is in the category of dangerous workplaces, information regarding clothing data is processed to ensure the safety of employees. |
The conditions for processing personal data are listed in Article 5 of the Law, and accordingly, it is possible to process personal data if at least one of the following situations exists:
• Existence of explicit consent of the relevant person,
• Explicitly foreseen in the law,
• It is necessary to protect the life or physical integrity of the person who is unable to express his/her consent due to actual impossibility or whose consent does not have legal validity, or of someone else,
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• It has been made public by the relevant person himself/herself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
The conditions for processing personal data, that is, their compliance with the law, are determined by enumeration in the Law, and these conditions cannot be expanded.
Personal data of a special nature can only be processed with the consent of the relevant person. In addition, special personal data, other than data regarding health and sexual life, can be processed within the scope of legal conditions without requiring consent (KVKK 6/2). Personal data regarding health and sexual life can only be processed by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing, without the express consent of the relevant person.
The information and documents obtained as mentioned above will be protected by our company and the methods of protection and retention are as follows:
DIGITAL ENVIRONMENTS | PHYSICAL ENVIRONMENTS |
Servers; Cloud Environments; Digital Storage Areas; Software Digital Environments (Office software, VERBIS); Devices used for Cyber and Network Security (Firewall, etc.); Mobile Devices such as phones and tablets; Portable Disks; Printers, Scanners and Photocopiers; Optical Disks | Paper and its derivatives; Forms and ledgers filled out in the operating processes of a company; All kinds of media where written data are kept; Other documents related to physical data (photographs, photocopies, etc.) |
In Article 3 of the Law, the concept of processing personal data is defined; in Article 4, it is stated that the personal data processed should be related to the purpose for which they are processed, limited and proportionate, and should be kept for the period foreseen in the relevant legislation or required for the purpose for which they are processed; and in Articles 5 and 6, the processing conditions of personal data are enumerated.
Accordingly, within the framework of our Institution's activities, personal data is stored for a period of time stipulated in the relevant legislation or appropriate for our processing purposes.
Legal Reasons Requiring Storage and Processing:
Personal data processed by the institution within the scope of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data;
• Personal Data Protection Law No. 6698,
• Turkish Code of Obligations No. 6098,
• Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed through These Publications,
• Law No. 4982 on Access to Information,
• Labor Law No. 4857
• Social Insurance and General Health Insurance Law No. 5510,
• Occupational Health and Safety Law no. 6331,
• Public Financial Management Law no. 5018
• Law on Exercise of the Right to Petition no. 3071,
• Turkish Commercial Code no. 6102
• Law on Consumer Protection no. 6502
• Law No. 6563 on the Regulation of Electronic Commerce
• Tax Procedure Law No. 213
• Income Tax Law No. 193
• Pensioner Health Law No. 5434,
• Regulation on Distance Contracts Published in the Official Gazette No. 27866
• Regulation on Commercial Communication and Commercial Electronic Messages Published in the Official Gazette No. 29417 dated 15.07.2015
• After-Sales Services Regulation Published in the Official Gazette No. 29029 and Dated 13.06.2014
• Regulation on Measures Concerning the Prevention of Laundering Proceeds of Crime and Financing of Terrorism No. 26751.
They are stored for their retention period and processed based on the provisions of this legislation.
Processing Purposes Requiring Storage and Processing
The Company stores and processes the personal data it processes within the scope of its activities for the following purposes;
• Carrying out internal human resources processes.
• Ensuring internal communication within the company.
• Ensuring the safety of the company, its employees and third parties,
• Conducting statistical studies and making risk assessments.
• To ensure in-house event management.
• Ensuring the management of relationships with business partners or suppliers.
• Conducting demand and complaint management.
• To be able to carry out work and transactions as a result of signed contracts and protocols.
• To transmit to the Authority the necessary information and documents to fulfill the obligations imposed on us in accordance with Law No. 6698.
• To ensure the fulfillment of legal obligations as required or required by legal regulations.
• To contact real and legal persons who have business relations with the company.
• Carrying out operations within the scope of the company's production and marketing policies.
• Making legal reports.
• To provide proof of material and legal facts as evidence in disputes that may arise in the future.
• To keep track of the Payroll transactions of the account and identity data in question (kept in the accounting program and kept in the data storage area of the said program).
• Making process management mandatory for institution notifications within the scope of the Social Insurance and General Health Insurance Law No. 5510, in order to protect incentives and other legal financial rights in favor of employees/workers.
• To ensure the continuation of internal communication and activities within the Institution, limited to the purpose, with solution partners or third parties and companies regarding reasons such as transportation of your personal data, vehicle supply, business card printing.
• To protect the legal rights of the company or third parties in case legal conditions are met.
• To ensure that audit activities by the relevant institution auditors regarding payroll or health information are carried out in accordance with the legislation.
• To coordinate the contact information of the relevant person's relatives or family in emergency situations.
• Keeping track of entry and exit from work.
• Driving license and other driver qualification documents (in order to determine the appropriate personnel for the repair of company vehicles)
• Following up the training processes.
• To make notifications to SGK, İŞKUR and similar official institutions and organizations and to fulfill the requirements of legal requirements.
• To make the necessary notifications to the judicial authorities and to deliver the requested information and documents.
• Creating personnel files.
The data obtained within the scope of the above legislative provisions and contractual requirements will be protected by data processors within the legal periods by maintaining their confidentiality under the supervision of the data controller. Our company's data processors are:
• Our company's accounting department/unit
• Our company's human resources department/unit
• Our company's disciplinary board
• Our company's persons responsible for the protection of personal data
• Our company's contact person (this person is also the person responsible for the protection of personal data)
• Administrative personnel during recruitment and internal authorization and employee interviews
• Company doctor
• Unit heads in terms of performance evaluations
• Company lawyers
• Financial advisors
• Private service providers
• IT department
• Technical personnel
• Marketing Department
Depending on the nature of the job in question, other people may also have this status as data processors, as required by the situation and the work. Whoever has the title of data processor will try to ensure data security in accordance with the relevant legislation and will use the data in question for a limited purpose. For example, health records will not be reviewed by the accounting department.
Personal data will be kept locked by data processors in a place where they cannot be accessed by anyone, with a key allocated only to the processor. The security of the data in question will be ensured by cameras operating 24 hours a day.
If the data in question is processed in digital environments, it will be kept in special locked files, and the security of the digital environment in question will be ensured, and the file passwords will be reserved only for those who process it.
H. STORAGE PERIOD AND DESTRUCTION OF PERSONAL DATA
January and July are determined as the destruction periods of the year for the destruction of data within our company. Personal data obtained from relevant persons will be deleted, destroyed or anonymized by the personnel responsible for the protection of data within the company within the following destruction period after the expiry of the retention period. Minutes regarding the destruction process will be kept in an independent location by the personnel responsible for the protection of data within the company for 3 (three) years. These minutes will be destroyed after three years. Regarding the destruction process, the Regulation on Deletion, Destruction or Anonymization of Personal Data No. 30224 dated October 28, 2017 and the provisions of the Personal Data Protection Law No. 6698 will be taken as basis.
Personal data collected from those concerned are stored and destroyed in different time periods depending on their characteristics. These data, whose retention period has expired, are destroyed within the nearest destruction period and the records regarding the destruction are kept for 3 years. The general application table regarding personal data retention period and basis is as follows.
PERSONAL DATA | STORAGE PERIOD |
Call Center Voice Recordings | It will be stored for 3 years in accordance with Law No. 6563 and Related Legislation. |
Log Records of Employees | In accordance with Law No. 5651, they will be kept for 2 years and 10 years if they are the subject of a legal dispute. |
Information Received from Customers as a Basis for Invoices | It will be stored for 10 years in accordance with the Turkish Commercial Code No. 6102. |
Customer Transaction Information | It will be kept for 10 years in accordance with the Turkish Code of Obligations No. 6098. 3 years in cases falling within the scope of Law No. 6563. |
Data Collected from Cookie Applications | Transaction Cookies will be kept for 12 months, and visit measurement cookies that store user ID will be kept for 13 months. Session cookies, among the Transaction Cookies, keep data during the session. The periods in question are determined according to the nature of the application, European GDPR and established practices. |
Transaction Records Regarding After-Sales Services (Ex: Product Installation Date, Information and Documents Given to the Customer After Renovation, Customer Contact Information) | In accordance with the After-Sales Services Regulation published in the Official Gazette dated 13/6/2014 and numbered 29029, some of the products in the attached list will be stored for 10 years. The Regulation in question was revised in some aspects on 12 February 2020. |
Personal Data Regarding Customers | If a buying and selling relationship has been entered into, it is kept for 10 years in accordance with the Turkish Commercial Code No. 6102, the Code of Obligations No. 6098, Law No. 6502 and Law No. 213. |
Personal Data Processed for Security Purposes Pursuant to CCTV Cameras (Camera Recordings) | The data obtained through these cameras is stored for 90 days. |
Data Obtained Pursuant to Contracts Participated in Within the Scope of Company Activity | The data obtained in accordance with the Turkish Commercial Code No. 6102 will be stored for 10 years after the contractual relationship ends. |
Approval Records for Commercial Electronic Messages Sent to Recipients' Electronic Communication Addresses for Marketing, Promotion and Information Purposes | It is stored for 1 year in accordance with paragraph 13/2 of the regulation on Commercial Communication and Commercial Electronic Messages published in the Official Gazette No. 29417 dated 15.07.2015. |
Personal Data Regarding Tax Records | It is kept for 5 years in accordance with the Tax Procedure Law No. 213 |
Personal Data Processed with Documents That Must Be Kept According to Tax Procedure Law, Such as Invoice/Expense Note/Receipt | It is kept for 5 years in accordance with the Tax Procedure Law No. 213. |
Visitor Personal Data | Book records of visitors and records related to Wi-Fi usage (in accordance with Law No. 5651) are kept for 2 years. Visual records are kept for 6 months. |
Data Processed within the Scope of Network Services Offered by the Company (Ip Addresses, Data Regarding Transferred Data Type and Capacity, Data Regarding User Information Defined for Open IP and Time Intervals Regarding Service Procurement) | It is stored for 2 years in accordance with law no. 5651. Visual records are kept for 6 months. |
Personnel File Information | It is kept for 10 years after the end of the contractual relationship in accordance with the Labor Law No. 4857 and Related Legislation and the Turkish Code of Obligations No. 6098. |
Data within the Scope of Occupational Health and Safety (Routine Health Test Results, OHS Training Records and Other Records Received on Occupational Health and Safety) | It is kept for 15 years from the termination of the contractual relationship in accordance with Article 86 of the Occupational Health and Safety Law No. 6331 and the Occupational Health and Safety Services Regulation. |
Data on Company Partners and Board Members | It is kept for 10 years in accordance with the Turkish Commercial Code No. 6102. |
Data Related to Job Application/Internship Application/Application and Candidate Applications (Ex: CV, Resume, Cover Letter, Application Form, etc.) | If the acceptance of the persons in question is not made by the company, the documents are kept as per custom for 6 months from the date of receipt. |
Data on Suppliers and Transporters | In accordance with Law No. 6102, Law No. 6098 and Law No. 213, it is kept for 10 years following the end of the contractual relationship. |
Data on Online Visitors | It is stored for 2 years in accordance with Law No. 5651 |
Membership and Reservation Records | It is kept for 10 years in accordance with Law No. 6098. |
Satisfaction Surveys Received from Employees and Customers | It is stored for 1 year in order to ensure proportionality between the sectoral practice and the company's legitimate interest and the nature of the personal data. |
Data Subject to Internal Complaint and Request Information | The data in question is stored for 10 years in accordance with the Turkish Commercial Code No. 6102, the Code of Obligations No. 6098 and the Labor Law No. 4857, in case they may be the subject of a legal dispute. |
Personal Data of the Relevant Person in Case of Fatal Excavation | It will be kept for 20 years in accordance with the Regulation on Personal Health Data published in the Official Gazette No. 30808 dated 21.06.2018. |
I. SECURITY MEASURES TAKEN
In order to store personal data securely, to prevent unlawful processing and access of them, and to destroy personal data in accordance with the law, in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, sufficient measures are determined and declared by the Board for special personal data. Technical and administrative measures are taken by the Company within the framework of the measures.
The technical measures taken by the company regarding the personal data it processes are listed below:
• Reporting on risks and threats is made through real-time Information Security Analyzes provided by the company or its solution partners.
• Data and information security is ensured by defining the authorization matrix and not allowing exceptional applications.
• Physical space security of the IT and systems, servers and other security-related devices and applications within the company is ensured. Security measures have been taken against possible physical attacks by third parties.
• Necessary hardware precautions (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, ensuring the physical security of the edge switches that form the local area network, fire extinguishing system, air conditioning system, etc.) and software precautions (firewalls, attack prevention systems, network access control, malware blocking systems, etc.) have been taken to protect information systems against immediate environmental threats.
• Risk analyzes are carried out by the company and corrective technical measures are taken.
• Access restrictions are imposed for employees within the company and necessary risk analyzes and reporting are carried out.
• Access to storage areas, especially the servers where log records are kept, is recorded and possible unauthorized access is controlled.
• Necessary software and physical precautions are taken to prevent the data in question from being reinstated after deletion.
• Authorization procedures for informing the board in case of possible violations have been effectively defined.
• Applications and methods to ensure information security are kept up to date and appropriate security patches are installed when necessary.
• Password policy has been determined. Strong passwords that are changed at regular intervals are used.
• Logging is done. Log backup is also made.
• Authorizations regarding data held in digital and non-digital media are limited.
• The website served by the company is encrypted with the SHA 256 Bit RSA algorithm using the HTTPS method.
• Separate policies have been determined regarding the protection of sensitive personal data.
• Necessary efforts have been made to inform employees and other third parties who are responsible for storing and processing private personal data, commitments have been taken and confidentiality agreements have been signed.
• Routine information trainings are provided to increase the awareness of employees.
• Servers and environments where private data are kept are monitored 24 hours a day with cameras so that the contents of the data cannot be seen, but who enters and exits the environments can be determined.
In addition to all these, in accordance with the Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 regarding "Adequate Precautions to be Taken by Data Controllers in the Processing of Special Personal Data", at least the following measures are taken regarding special personal data:
1- Determination of a systematic, clearly defined, manageable and sustainable separate policy and procedure for the security of personal data,
2- For employees involved in the processing of special personal data,
a) Regular procedures regarding the law and related regulations and special personal data security issues.
b) Making confidentiality agreements,
c) Clearly defining the users who have access to data, their authorization scope and duration,
ç) Periodically performing authorization checks,
d) Immediately removing the authorizations of employees who change their duties or leave their jobs. In this context, receiving the return of the inventory allocated to them by the data controller,
3- If the environments where special personal data are processed, stored and/or accessed are electronic media:
a) Preserving the data using cryptographic methods,
b) Keeping the cryptographic keys in secure and different environments,
c) Securely logging the transaction records of all movements performed on the data,
ç) Continuously monitoring the security updates of the environments where the data is located, performing the necessary security tests regularly, recording the test results,
d) If the data is accessed through a software, user authorizations for this software are made, regular security tests of these software are carried out, the test results are recorded,
e) If remote access to data is required, at least a two-stage authentication system is provided,
4- If the environments in which special personal data are processed, stored and/or accessed are physical environments:
a) Ensuring that adequate security measures are taken (against situations such as electricity leakage, fire, flood, theft, etc.) depending on the nature of the environment where sensitive personal data is located,
b) Preventing unauthorized entries and exits by ensuring the physical security of these environments,
5- If special personal data is to be transferred,
a) If the data must be transferred via e-mail, it must be transferred encrypted using the corporate e-mail address or Registered Electronic Mail (KEP) account,
b) If it is necessary to transfer it through media such as portable memory, CD or DVD, it must be encrypted with cryptographic methods and the cryptographic key must be kept in a different environment,
c) If the transfer is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or by sFTP method,
d) If the data must be transferred through paper media, necessary precautions must be taken against risks such as the document being stolen, lost or seen by unauthorized persons, and the documents must be sent in the format of "confidential documents".
6- In addition to the measures mentioned above, technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority should also be taken into account.
J. TRANSFER OF PERSONAL DATA
How and under what conditions personal data will be transferred to third parties within the borders of the country is regulated within the scope of Article 8 of the Personal Data Protection Law. According to this article, it is possible to transfer personal data only if the individuals have given their explicit consent. However, the same article also states that personal data can be transferred without explicit consent if the conditions under Articles 5 and 6 are met. The result of interpreting the articles of law in question together is;
• Obtaining the explicit consent of the person concerned,
• Explicitly foreseen in the law,
• It is mandatory for the protection of the life or physical integrity of the person or someone else who is unable to express his consent due to actual impossibility or whose consent is not given legal validity,
• It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• It has been made public by the data subject himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned,
then it is possible to transfer personal data.
In order to transfer special personal data;
• If the explicit consent of the relevant person is obtained,
• If it is clearly provided for by law in terms of special personal data other than health and sexual life,
• In the case of personal data related to health and sexual life, for the purposes of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing, by persons under the obligation of confidentiality or by authorized institutions and organizations,
personal data of a special nature may be transferred to third parties.
Unlike personal data that can only belong to real persons, "data controller" and "data processor" can be both natural and legal persons. Any natural or legal person who performs operations on personal data is either a data controller or a data processor, depending on the purposes and methods of data processing. In this context, the regulations in Article 8 of the Law must be complied with for any data transfer between the two categories of persons in question.
It is possible to transfer personal data to public and private legal entities abroad within our company's scope of activity and commercial interests, in accordance with legal conditions. According to Article 9 of the Law, data transfer abroad;
• There is explicit consent of the relevant person,
• In the presence of the conditions specified in the Law (conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 of the Law), there is adequate protection in the country to which data will be transferred (countries deemed safe by the Board),
• In the presence of the situations specified in the Law (conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 of the Law) and if there is no adequate protection in the country to which data will be transferred (countries that are not considered safe by the Board), adequate protection must be committed to in writing, and the transfer can be carried out with the permission of the Board.
K. UPDATE AND COMPATIBILITY
The Company reserves the right to make changes to this Policy and other policies related to this Policy due to changes made in the Law, in accordance with the decisions of the KVK Board or in line with developments in the sector or the field of informatics.
Changes made to this Policy are immediately incorporated into the text and explanations regarding the changes are provided at the end of the Policy.
This Policy was approved by the Executive Committee of ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC.LTD.ŞTİ. on 01/01/2021. It will be valid and binding as of this date.