I. PURPOSE AND SCOPE
The Policy on Protection and Processing of Personal Data ("Policy") is the acquisition, recording, storage, preservation, modification, rearrangement, disclosure, transfer, taking over of personal data by Yemmak Makine Sanayi ve Ticret Anonim Şirketi ("Company"). It determines the procedures and principles regarding the execution of all kinds of transactions regarding personal data, such as making it usable, classifying or preventing its use, in accordance with the law, within the framework of the Personal Data Protection Law No.6698 and the related secondary legislation ("PDPL").
All units, departments, employees, officials and representatives of the Company are obliged to comply with this Policy and take the necessary steps to comply with the Policy. Shared with the Company and acquired by the Company, the Company's past, present and future employees, officials, representatives, customers, suppliers, business partners, consultants, service providers and their employees, visitors of the Company's facilities and website and all those who have a connection with the Company. Personal data pertaining to other real persons constitute the subject of the Policy. The PDPL Policy is only related to personal data belonging to real persons, and the data of legal persons are not covered by the Policy. In case of inconsistency between this Policy and the Personal Data Protection Law and other legislation, the legislation and / or the provisions of the law are applied.
II. DEFINITIONS
Within the scope of Yemmak personal data protection and processing policy, the terms defined below have the meanings attributed to them:
Explicit consent: Consent on a specific subject, based on information and expressed with free will
Anonymization: Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion: Making personal data inaccessible and unavailable in any way for relevant users
Personal data: All kinds of information regarding an identified or identifiable natural person
Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosure, transferring, taking over, making available, by means of non-automatic means, provided that personal data are fully or partially automated or are part of any data recording system, Any action taken on data, such as classification or prevention of use.
Personal data storage and destruction policy: PDPL The policy of determining the maximum time required for the purpose for which personal data is processed and the policy for deletion, destruction and anonymization of Personal Data Law No.6698 and related secondary legislation.
Board: Personal Data Protection Board
Personal data of special nature: Data on the race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, dress and dress, association, foundation or union membership, health, sexual life, criminal conviction, and security measures. with biometric and genetic data
Policy: This Policy of Protection and Processing of Personal Data
Company: Yemmak Makine Sanayi Ticaret Anonim Şirketi
Destruction: Making personal data inaccessible, unrecoverable and reusable by anyone.
III. PRINCIPLES TO BE FOLLOWED IN THE PROCESSING OF PERSONAL DATA
In terms of processing personal data within the company, it is necessary to act in accordance with the following principles listed in the PDPL at all times and in any case:
1. Law and honesty rules will be followed in the processing of personal data.
2. Personal data will be kept accurate and up-to-date when necessary.
3. Personal data will be processed for specific, explicit and legitimate purposes.
4. Personal data will be processed in a limited and measured manner in connection with the purpose for which they are processed.
5. Personal data will be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
IV. RIGHTS AND OBLIGATIONS RELATED TO PERSONAL DATA
Disclosure of Personal Data Owner: During the acquisition of personal data by the company, the relevant person;
(i) The identity of the company representative, if any, as PDPL data controller,
(ii) The purpose for which personal data will be processed,
(iii) To whom and for what purpose the processed personal data can be transferred,
(iv) Method and legal reason for collecting personal data, and
(v) The disclosure obligation is fulfilled by the company by preparing an illumination text containing the above-mentioned subjects and submitting it to the relevant personal data owner.
3. Ensuring Data Security
The Company takes all kinds of measures stipulated by the KVK and the relevant legislation, including but not limited to the following, or that it determines to be necessary to ensure data security with regard to ensuring data security:
a. Technical measures
The company establishes or sets up the necessary technical infrastructure for the recording, transfer of personal data to third parties, deletion, destruction, anonymization and in any other way.
The company establishes the necessary technical infrastructure and takes technical measures to ensure the security of personal data recorded. These measures are updated in accordance with technological developments and standards to be determined by the Board or under the new legislation.
The company restricts access to its internal systems from outside, and takes firewall and similar technical measures within this scope. Inappropriate accesses are instantly transmitted to the relevant units and the necessary interventions are made by the relevant units.
Through the programs used within the company, the authorities regarding access to and processing of personal data are limited on the basis of department and employee.
The technical infrastructure established is regularly audited and reported.
The company employs expert personnel regarding the technical measures taken or, when necessary, procures this service from third parties. It ensures compliance with the relevant legal legislation in all services, including but not limited to the technical infrastructure services provided by third party institutions and suppliers that provide services.
b. Administrative measures
Company's employees, officials and representatives are trained and informed about the legal processing of personal data. In addition, an obligation to comply with the obligations under the PDPL has been imposed on them through internal protocols concluded with the employees.
Company activities are examined on the basis of departments and the processes and principles of processing personal data specific to each department are revealed. The necessary measures to be taken for each department are determined by the Company and implemented through in-department training.
In the event of receiving services from third parties or cooperating with third parties for the storage or other processing of personal data, in contracts made with these persons; Provisions regarding the legal storage, processing and security of personal data are included.
The company takes action and implements these decisions when it deems necessary in order to ensure personal data security and to comply with the legislation.
V.PROCESSING OF PERSONAL DATA
1. Purposes of Processing Personal Data: The Company processes the personal data it obtains for the following purposes.
- Carrying out the daily activities of the company,
- Fulfilling the Company's obligations arising from legislation or other legal obligations, including providing information to authorized public institutions and organizations,
- Conducting the legal and commercial relations of the Company with past, current and future employees, officials, representatives, customers, suppliers, business partners, consultants and service providers, and processing personal data of the relevant parties in order to execute contracts within this scope,
- Carrying out the marketing activities of the company,
- Determining the preferences and needs of the company's past, current and future employees, officials, representatives, partners, customers, dealers, suppliers, business partners, consultants, service providers and their employees,
- Informing the Company's past, current and future employees, officials, representatives, partners, customers, suppliers, business partners, consultants and service providers about the business and issues related to the Company,
- Conducting corporate communication and management activities,
- Strengthening internal communication and cooperation,
- Conducting human resources processes including recruitment, performance evaluation, recruitment processes, information and applications to the relevant authorities, and transactions regarding individual retirement,
- Fulfilling the obligations in terms of occupational health and safety legislation,
-Execution of corporate governance activities,
- Execution of financial reporting activities,
- Execution of risk management activities,
- Carrying out accounting, invoicing and payment activities,
- Execution of internal reporting activities,
- Execution of corporate law processes,
- Follow-up of lawsuits, enforcement proceedings, administrative and criminal investigations, prosecutions and similar processes regarding the company,
- Management of customer feedback and complaints and execution of call center services,
- Ensuring security in company facilities and keeping visitor records for this purpose,
- Ensuring internal data security.
2. Categories of Personal Data to be Processed
The following personal data may be processed by the Company in accordance with the PDPL and the Policy, without limitation:
a. Within the scope of the purposes listed in Section [V.1] and especially the purposes of conducting the daily activities and corporate communication activities of the Company; All personal data contained in the electronic mail accounts and electronic database of the company provided for the purpose of conducting business activities to the Company employees are accessible to the Company, and these personal data are registered and processed by the Company.
b. The purposes listed in Section [V.1] and in particular, the execution of daily activities, legal and commercial relations of the Company, the execution of contracts within this scope, fulfillment of obligations arising from legislation and / or contracts to which the Company is a party, carrying out the marketing activities of the Company, Within the scope of determining their preferences and needs; Identity information, contact information and, if necessary, financial information regarding past, present and future customers, dealers, suppliers, business partners, consultants, service providers, visitors and their employees are obtained, recorded and processed.
All or part of these personal data, the execution of daily activities, legal and commercial relations of the Company, the execution of contracts in this context, fulfillment of the obligations arising from the legislation and the contracts to which it is a party, the execution of the marketing and promotional activities of the Company, the determination of the preferences and needs of the relevant persons. It can be transferred to and processed by customers, vendors, suppliers, business partners, consultants, service providers for the purpose of
These personal data can be transferred to authorized public institutions and organizations in order to fulfill the obligations arising from the law and can be processed by these public institutions and organizations.
c. Within the scope of the purposes listed in section [V.1] and especially the purpose of conducting human resources processes; Identity information, contact information, personal information about past, present and future employees, officials and representatives, especially the name, surname, date of birth, gender, T.C. Identity number and similar personal data, photographs and contact information such as address and telephone number are obtained, recorded and processed.
These personal data can be transferred to the Social Security Institution and similar authorized public institutions and organizations in order to fulfill the obligations arising from the law and can be processed by these public institutions and organizations.
These personal data can be included in the company's system specific to employees and database module specific to the Human Resources Department; These personal data can be accessed and processed by human resources in order to strengthen internal communication and cooperation.
These personal data can be transferred to contracted subcontractors, consultants and business partners operating in these sectors in order to provide services such as infirmary, ambulance, security and travel agency, information technology technical support provided by consultants and business partners provided through subcontractors, and subcontractors, consultants and can be processed by business partners.
Identity information and IBAN numbers from these personal data can be transferred to and processed by banks within the scope of payments made to employees, officials and representatives.
Identity information, contact information can also be transferred to and processed by insurance and private pension companies for the purposes of conducting insurance policies and private pension transactions.
In addition, personal data of company employees can be transferred to other Company employees through the Human Resources system in order to strengthen internal communication and cooperation.
D. Within the scope of the purposes listed in section [V.1] and especially the purpose of conducting human resources processes; Personal data obtained through career and employment support sites regarding past, current and future employees, officials and representatives are recorded and processed.
These personal data can be included in the company's system specific to employees and database module specific to the Human Resources Department; These personal data can be accessed and processed by Company employees in order to strengthen communication and cooperation within the company.
Within the scope of the purposes listed in Section [V.1] and the purposes related to human resources processes such as determining the minimum cost of living allowance, providing private health insurance and private pension policy and strengthening in-company communication and cooperation; Identity information of past, present and future employees, officials and representatives' spouses and children and their relatives is obtained, registered and processed.
These personal data can be transferred to authorized public institutions and organizations, private health insurance and private pension companies in order to fulfill the obligations arising from the legislation and human resources processes, and can be processed by these institutions, organizations, companies and persons.
These personal data can be transferred to other Company employees in order to strengthen internal communication and cooperation.
f. Within the scope of the purposes listed in Section [V.1] and especially the purpose of fulfilling the internal health services as a part of human resources processes; The data obtained through the health forms filled out during the visits of current and future employees, officials and representatives to the workplace doctor within the sub-employer are registered and processed by the relevant sub-employer and the Company.
These personal data can be transferred to the company's database in order to fulfill the workplace health service provided by the subcontractor.
g. The purposes listed in section [V.1] and especially the customer feedback and complaints
Within the scope of management and execution of call center services; Personal data of customers are obtained, recorded and processed through the call center and / or electronically filled forms and texts.
h. Within the scope of the purposes listed in Section [V.1] and especially the purpose of performing security services in the facilities of the Company; Personal data about the visitors of the company's facilities are obtained, recorded and processed. These data can only be accessed by the employees and officers of the counseling department who process the data regarding the provision of security services of the Company.
I. Within the scope of the purposes listed in Section [V.1] and especially the purpose of providing information technology services; Personal data about the visitors of the company's website are obtained, recorded and processed.
j. Within the scope of the purposes listed in Section [V.1] and especially the purpose of performing security services in the facilities of the Company; The factories and facilities of the company are monitored by cameras and these images are stored in digital environment. The Company aims to protect the interests of the Company, its personnel and other persons in ensuring their safety by monitoring with security cameras. The monitoring areas and number of security cameras are limited for security purposes. Areas (such as toilets) that exceed security objectives and may have negative consequences for personal rights are not subject to monitoring. Only the relevant authorized personnel of the Company and the employees of the information department of the Company are authorized to access these records recorded and kept in digital environment.
k. Within the scope of the purposes listed in Section [V.1] and especially for the purpose of fulfilling the consultancy and guidance services in the facilities of the Company; Personal data processing is carried out to track guest entry and exit. Visitors who come to the Company as guests are given a visitor card against an identity document, and while obtaining the names and surnames of the persons, their entry and exit times, and who they will contact with, the guests who will enter the production area are requested to have health and occupational safety documents required by other relevant legislation. The data obtained for the purpose of tracking guest entry and exit are processed for this purpose only.
l. For the purposes listed in Section [V.1] and especially for the security of the Company and other legitimate purposes, internet access can be provided to the visitors who request it within the Company's borders. In this case, log records regarding internet access are recorded in accordance with the Law No. 5651 and the governing provisions of the legislation regulated in accordance with this Law; These records are only processed when requested by the authorized public institutions and organizations or to fulfill our legal obligation in the audit processes to be carried out within the Company. Only a limited number of companies and IT employees of suppliers providing authorized information technology services have access to the log records obtained within this framework. Company employees, who have access to the aforementioned records, only access these records for use in the request or audit processes from the authorized public institutions and organizations and share them with legally authorized persons.
m. Your Personal Data can be transferred to Yemmak Makine San Tic. A.S. can be shared for business purposes.
n. Within the purposes listed in Section [V.1], your Personal Data can be shared for the purpose of carrying out business activities within the framework of the legal legislation regarding the companies that are our business partners in the field of information technologies.
3.Explicit Consent to the Processing of Personal Data
Obtaining the explicit consent of the person concerned is essential in the processing of personal data.
Within the scope of the express consent exception regulations brought by the PDPL , in the presence of one of the following conditions, it is possible to process personal data by the Company without seeking the express consent of the relevant person:
a) Clearly stipulated in the laws
b) The person who is unable to disclose his / her consent due to actual impossibility or whose consent is not legally valid is compulsory for the protection of himself or someone else's life or physical integrity.
c) It is necessary to process personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract.
d) It is mandatory for the company to fulfill its legal obligation
e) It is made public by the person concerned.
f) Data processing is mandatory for the establishment, use or protection of a right
g) Provided that the fundamental rights and freedoms of the relevant person are not harmed, it is mandatory for the legitimate interests of the Company to process data.
The existence of one of these conditions does not eliminate the obligation of the personal data owner to be disclosed by the Company.
4. Special Quality Personal Data
Obtaining the explicit consent of the person concerned is essential in the processing of special quality data. However, personal data other than health and sexual life among special quality personal data can be processed without the explicit consent of the person concerned, in cases stipulated by the law.
5. Transfer of Personal Data
Personal data obtained by the company can be transferred to third parties in accordance with the purposes of processing personal data, as specified in Section [V.2].
In transferring personal data to third parties, it is essential to obtain the explicit consent of the relevant person.
In the event of one of the following conditions, it is possible for the Company to transfer personal data to third parties without seeking the explicit consent of the person concerned:
a) Clearly stipulated in the laws
b) If the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid, is compulsory for the protection of himself or another person's life or physical integrity
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
d) It is mandatory for the company to fulfill its legal obligation
e) Being made public by the person concerned
f) Data processing is mandatory for the establishment, use or protection of a right
g) Provided that it does not harm the fundamental rights and freedoms of the relevant person, it is mandatory for the legitimate interests of the Company to process data.
h) Special quality personal data other than health and sexual life can be transferred to third parties without seeking the explicit consent of the relevant person, in cases stipulated by the law.
The existence of one of these conditions does not eliminate the obligation of the personal data owner to be disclosed by the Company.
6. Transfer of Personal Data Abroad
It is essential to obtain the express consent of the person concerned in the event that personal data are not transferred abroad or are transferred abroad.
(i) The existence of the conditions stipulated in Article 4 of Section (V), (ii) the existence of sufficient protection in the foreign country where the personal data will be transferred, or the fact that the data controller in the relevant foreign country undertakes an adequate protection in writing and (iii) The Board's permission If there is, personal data can be transferred abroad without the explicit consent of the person concerned.
Transfer of duly anonymized information abroad does not constitute the subject of this Policy.
7.Storage, Deletion, Destruction and Anonymization of Personal Data
Personal data obtained by the company, if a period is stipulated in the legislation regarding the use or storage of the personal data, during this period; If such a period is not stipulated, it is stored for the period required for the realization of the purpose pursued in the processing of the relevant personal data by the Company and, in any case, for the period of limitation determined for asserting a right related to the personal data.
In the event that the reasons requiring the processing of a personal data are eliminated, this personal data is deleted, destroyed or anonymized in the first periodic destruction process following the disappearance of the reasons in accordance with the Personal Data Storage and Destruction Policy issued by the Company.
Conditions such as the contract between the company and the related party not being established at all, not being valid, automatically terminating, terminating or reversing from the contract, processing personal data contrary to the law or good faith; It constitutes an example of situations where the reasons requiring the processing of personal data disappear.
In the event that the person whose personal information is processed applies to the data controller to use his / her right to request deletion, destruction or anonymization under the PDPL , the Company evaluates the application within 30 days and informs the relevant person. If all the conditions for processing personal data have been eliminated, the Company accepts the application and performs the destruction process in due time. If all the conditions for processing personal data are not eliminated, this request will be rejected in writing by explaining the reason.
VI. PUBLISHING AND UPDATING THE POLICY
Yemmak PDPL Policy is published on the company's website (http://www.yemmak.com) and made available to personal data owners upon request.
Yemmak PDPL Policy is updated as and when required.
VII. FORCE
Yemmak PDPL Policy was regulated and entered into force by the Company.