GDPR Policy
INTRODUCTION
This Personal Data Protection and Processing Policy (“Policy”) explains the principles adopted by Nalbantoğlu Metal San.ve Tic. Ltd. Şti. in carrying out its personal data processing activities, and the basic principles adopted to ensure that these activities comply with the Personal Data Protection Law No. 6698 (“Law”). It thereby informs personal data owners about the legal provisions and general principles adopted by our Company.
With full awareness of our responsibility in this context, your personal data is processed within the scope of this Policy and protected at a reasonable level.
PURPOSE OF THE POLICY
The main purpose of this Policy is to set out the principles governing the personal data processing activities carried out by Nalbantoğlu Metal San.ve Tic. Ltd. Şti. in accordance with the law and the protection of personal data, and to ensure transparency by informing the persons whose personal data are processed by our company.
SCOPE OF THE POLICY
This Policy informs you, with regard to your personal data processed by Nalbantoğlu Metal San.ve Tic. Ltd. Şti., about the procedures and principles for processing personal data and personal health data, the purposes and conditions of processing these data, their transfer at home and abroad, their destruction, and the practices and principles regarding your rights over the processed data.
ACCESS AND UPDATE
The Policy is published on our Company’s website, made available to relevant persons upon the request of personal data owners, and updated when necessary. (Your personal data that we collect and process must be accurate and updated when necessary, in accordance with Article 4 of the Personal Data Protection Law No. 6698. Therefore, if any changes occur in your personal data, you can report your current and accurate personal information through the methods described in the Information Text on our website.)
Our company reserves the right to make changes to the Policy in parallel with legal regulations.
In case of conflict between the current legislation, especially the Law, and the regulations contained in this Policy, the provisions of the legislation shall apply.
DEFINITIONS
The definitions used in this Policy are listed below:
Explicit consent: Consent regarding a specific issue, based on being informed and expressed with free will.
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Personal data: Any information regarding an identified or identifiable natural person.
Processing of personal data: Any action taken on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system.
KVK Law: Personal Data Protection Law No. 6698
KVK Board: Personal Data Protection Board
KVK Authority: Personal Data Protection Authority
Personal data of special nature: Data regarding people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric data and genetic data
Data owner: The natural person whose personal data is processed, who is considered as the “relevant person” in the KVK Law.
Data controller: Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data processor: Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controllers Registry: Data controllers registry (VERBİS) kept by the Presidency under the supervision of the Personal Data Protection Board.
Data Inventory: The inventory that Nalbantoğlu Metal San.ve Tic. Ltd. Şti. creates and details by associating its personal data processing activities, which depend on its business processes, with the personal data processing purposes, the recipient group to which the personal data is transferred, and the relevant personal data owner group.
PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA
In line with its legitimate and lawful personal data processing purposes, and based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law, Nalbantoğlu Metal San.ve Tic. Ltd. Şti. complies with the general principles specified in the KVK Law, especially the principles specified in Article 4 regarding the processing of personal data, and with all obligations regulated in the KVK Law. The data of the personal data owners within the scope of this Policy (Product and Service Recipient, Potential Product and Service Buyer, Employees, Employee Candidates, Visitors, Supplier Employees, Supplier Officials, Reference, Shareholder/Partner, Employee Relative, Reference Person, Trainer, Workplace Physician, Consultant) is processed for the purposes listed below:
Fulfilling the requirements of the commercial activities carried out by our company and ensuring that the relevant persons benefit from the products and services offered by our company through the performance of the service,
Carrying out the necessary work by the relevant business units of our company and carrying out related business processes and making reports,
Determination of our company’s commercial, operational and business strategies; determining suitable products, projects and services,
Planning and carrying out company-specific sales and marketing activities,
Evaluation of requests and complaints,
Ensuring the legal and commercial security of third parties who have a business relationship with our company and the products and services offered by our company and/or dealers, monitoring legal processes and establishing, exercising and protecting the rights arising from the legislation,
Ensuring that our company activities are carried out in accordance with company procedures or relevant legislation,
Execution of work carried out with our business partners in sectors that vary depending on needs and management of reference relationships,
Fulfilling information sharing, reporting and information obligations stipulated by public institutions and all authorities,
Fulfilling information and document retention obligations arising from legal legislation,
Conducting our finance, communication, market research and purchasing operations,
For the purposes of managing our legal processes and providing you with a better and more reliable service without interruption, personal data will be processed within the scope of the processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698.
Nalbantoğlu Metal San.ve Tic. Ltd. Şti. has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which the data is transferred and storage periods.
In this context, the data inventory of Nalbantoğlu Metal San.ve Tic. Ltd. Şti. includes, but is not limited to, the following types of data categories:
Identity Information: The information written on your identity card, including but not limited to name, surname, mother’s name, father’s name, place of birth, date of birth, marital status, religion, blood group, and registered province, district and neighborhood.
Contact Information: Requested from you or provided by you in order to communicate with you; Your contact data such as home phone number, mobile phone number, residence address or other address information, e-mail address. Your voice call records kept in accordance with customer representatives or call center standards.
Personal Information:
· Photocopy of identity card,
· Identity register copy,
· Certificate of residence,
· Health report,
· Photocopy of diploma,
· Criminal record,
· Passport photo,
· Document stating family status,
· Military service certificate,
· Employment Agreement / Service Agreement,
· SSI employment declaration,
· Your criminal record (criminal record),
· Information and documents regarding your health status.
Professional Experience: Diploma information, courses attended, in-service training information, certificates, etc.
Bank Account Information (Finance): Bank account number, IBAN number, other information regarding the bank card.
Information Included in the Resume
· Your education information requested by Nalbantoğlu Metal San.ve Tic. Ltd. Şti. or provided by you, school information related to your education, certificate information, education status and information about your training,
· Location, date and duration information regarding your work experiences requested by Nalbantoğlu Metal San.ve Tic. Ltd. Şti. or provided by you, information regarding your previous job and position, and any information regarding your work experiences,
· Your photograph requested by Nalbantoğlu Metal San.ve Tic. Ltd. Şti. or provided by you,
· Your driver’s license requested by Nalbantoğlu Metal San.ve Tic. Ltd. Şti. or provided by you and the information on your driver’s license,
· Information about your references requested by Nalbantoğlu Metal San.ve Tic. Ltd. Şti. or provided by you,
· Association Membership Information on your CV
· Foundation Membership Information on your CV
Physical Space Security (Visitor Information): Name, surname, vehicle license plate, visiting hours, camera recording, internet access information, person visited and other information of visitors to the company.
Health Data: All kinds of health information and data obtained while creating your personnel file (information regarding disability status, blood group information, height-weight personal health information).
Criminal Conviction Data: Data in the criminal record document obtained when creating the personnel file.
Transaction Security: Data such as IP address information, website login and exit information, and password information.
Risk Management Information: Information processed to manage commercial, technical and administrative risks.
Customer Transaction: Invoice, promissory note, check information, information on teller receipts, order information, request information, etc.
Legal Procedure: Information in correspondence with judicial authorities, information in the case file,
Marketing: Past service information, survey, cookie records, information obtained through campaign work.
Race and Ethnicity Information: Nationality information regarding work permits for foreign personnel
Other: Data such as the educational status of the relative working in the AGI process, his/her profession and signature in the signature circular.
GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
Compliance with the Law
Our Company carries out its personal data processing activities in accordance with the law and the rules of honesty in accordance with the KVK Law and relevant legislation, especially the Constitution. Within this scope, our Company makes transactions by determining the legal grounds that require the processing of personal data, takes into account the requirements of proportionality, does not use personal data except for the purpose required, does not perform processing activities without the knowledge of persons.
The Data Should be Accurate and Up-to-Date When Necessary
Our Company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of the personal data owners and its own legitimate interests, and takes the necessary measures in this direction. In this context, we try to keep the data related to all categories of persons up to date, and all kinds of administrative and technical measures are taken to ensure their accuracy and timeliness.
Specific, Legitimate and Clear Purpose
Our Company processes personal data only for clearly and precisely determined legitimate purposes and does not engage in data processing activities other than for these purposes. The purpose for which personal data will be processed by our company is determined before the processing activity and is also processed in the “Personal Data Inventory”.
The Data Must be Related, Limited and Measured for the Purposes for which They are Processed
Personal data are processed by our company to the extent necessary for the realization of the determined purposes. Data processing activities are not carried out on the assumption that the data can be used later. In this context, the processes are continuously reviewed and efforts are made to apply the principle of reducing personal data.
Retention of Personal Data for as Long as Necessary and Subsequent Deletion
Our Company retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, our Company firstly determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, acts in accordance with this period if a period has been determined, takes into account the legal and criminal statute of limitations in this context and stores personal data for as long as necessary for the purpose for which they are processed. In case of expiration of the period or disappearance of the reasons requiring processing, the personal data are deleted, destroyed or anonymized according to the “Data Destruction Policy” of our Company.
CONDITIONS OF PROCESSING OF PERSONAL DATA
Personal data may be collected, processed or used only within the scope of the following legal bases.
Explicit Consent
Article 3 of the Law defines explicit consent as “consent related to a certain subject, based on being informed and explained by free will”. In addition, paragraph 3 of Article 20 of the Constitution stipulates that personal data can be processed only in the cases stipulated by the law or with the explicit consent of the person. Law No. 6698 stipulates explicit consent as a basic ground of lawfulness both for personal data of a special nature and for personal data that are not of a special nature. Accordingly, the Law contains the following provisions:
Article 5, paragraph 1: “Personal data cannot be processed without the explicit consent of the relevant person”,
Article 6, paragraph 2: “It is prohibited to process personal data of a special nature without the explicit consent of the person concerned”,
Article 8, paragraph 1: “Personal data cannot be transferred without the explicit consent of the relevant person”,
Article 9, paragraph 1: “Personal data cannot be transferred abroad without the explicit consent of the relevant person”.
In accordance with these provisions, our company processes personal data by obtaining explicit consents that are declared with free will and obtained in a provable manner (written, electronic or verbally recorded). In case of processing of personal data of a special nature, explicit consents will be obtained in writing if necessary.
Process managers who process personal data are obliged to ensure the control of the existence and validity of the explicit consent of the relevant data owner when collecting the personal data they process. If it is determined that there is no explicit consent, no data processing activity will be performed (except for the following exceptions).
Processing of Personal Data Without Explicit Consent
In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the person concerned:
8.2.1 It is clearly stipulated in the laws,
8.2.2 It is mandatory to protect the life or bodily integrity of a person who is unable to disclose his consent due to actual impossibility, or whose consent is not legally valid, or of someone else,
8.2.3 It is necessary to process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of that contract,
8.2.4 It is mandatory for the data controller to be able to fulfill his/her legal obligation,
8.2.5 It has been made public by the data owner himself,
8.2.6 Data processing is mandatory for the establishment, exercise or protection of a right,
8.2.7 Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
In such cases, personal data may be processed without explicit consent.
Processing of Personal Data of a Special Nature
Our company shows special sensitivity in the processing of personal data of a special nature, the protection of which is believed to be of more critical importance for data owners in various respects. In this context, and provided that the adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data owners. However, personal data of a special nature, other than data related to health and sexual life, can also be processed without the explicit consent of the data owner in the cases stipulated by the laws. Data related to health and sexual life, on the other hand, can be processed without explicit consent provided that adequate measures are taken and in the presence of the following reasons:
Protection of public health,
Preventive medicine,
Medical diagnosis,
Execution of treatment and care services,
Planning and management of health services and their financing.
The KVKK Committee will be informed in all cases where special categories of personal data need to be processed.
TRANSFER OF PERSONAL DATA
Nalbantoğlu Metal San.ve Tic. Ltd. Şti. may transfer the personal data of data owners to third persons and institutions, within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVK Law No. 6698 and limited to the purposes specified in this Policy, in accordance with Articles 8 and 9 of the KVK Law.
The scope of the persons to whom data are transferred and the data transfer purposes are stated above and in the clarification text. The persons and institutions to which data are transferred are as follows:
Within the framework of the processing conditions specified in Articles 8 and 9 of the Law No. 6698 and the purposes specified above, your personal data may be transferred to our business partners located at home and/or abroad with whom we cooperate in order to continue the activities and business processes of our company; to our affiliated companies, consultants, shareholders or solution partners of our company; to our suppliers, insurance companies, notaries, banks and financial institutions; to our consulting firms in law, tax and similar areas; to legally authorized public institutions and private individuals; and to our service providers who process personal data on behalf of our company at home and/or abroad in areas such as storage, archiving and information technology support (server, hosting, software, cloud computing, etc.).
Transfer of Personal Data Domestically
In accordance with Article 8 of the KVK Law, the domestic transfer of personal data is possible provided that one of the conditions specified in section 8 of this Policy, entitled “Conditions of Processing of Personal Data” (processing conditions), is met.
Transfer of Personal Data Abroad
In accordance with Article 9 of the KVK Law, where personal data is transferred abroad without explicit consent, one of the following is required in addition to the conditions for domestic transfer being met:
The country to which the data will be transferred is counted among the declared countries with adequate protection,
or
If there is not sufficient protection in the country where the transfer will be made, the data controllers in Turkey and the relevant foreign country must commit to adequate protection in writing and have the permission of the Board.
Transfer of Special Categories of Personal Data Abroad
By taking the necessary security measures and the adequate measures prescribed by the KVK Board, our Company may transfer the personal data owner’s personal data of a special nature, for legitimate and lawful personal data processing purposes, to foreign countries that have adequate protection or where the data controller undertakes adequate protection, in the following cases:
If the personal data owner has given explicit consent, or,
If the personal data owner has not given explicit consent:
Personal data of a special nature other than the health and sexual life of the personal data owner (race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, data related to criminal conviction and security measures, as well as biometric and genetic data), in the cases stipulated by the laws,
Personal data of a special nature related to the health and sexual life of the personal data owner, processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing, by persons under an obligation to keep secrets or by authorized institutions and organizations.
The relevant employee who makes the transfer is responsible for ensuring compliance with the obligations to be complied with during the transfer of special data.
RIGHTS OF THE PERSONS CONCERNED
Nalbantoğlu Metal San.ve Tic. Ltd. Şti. will respond to the requests of the relevant persons whose personal data it processes within 30 days within the scope of the following rights:
To learn whether personal data is processed or not,
To request information about it if personal data has been processed,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
To know the third parties to whom personal data are transferred at home or abroad,
To request correction of personal data in case of incomplete or incorrect processing of personal data and to request notification of the transaction made in this context to the third parties to whom the personal data are transferred,
To request the deletion or destruction of personal data if the reasons requiring its processing disappear, even though it has been processed in accordance with the KVK Law and other relevant provisions of the law, and to request that the transaction made in this context be notified to the third parties to whom the personal data has been transferred,
To object to a result that arises against the person through the analysis of the processed data exclusively by automated systems,
To request compensation for the damage in case of damage due to the unlawful processing of personal data.
Data owners can apply within the scope of the rights mentioned above with the information and documents that will determine their identity and with the methods specified below or other methods determined by the Personal Data Protection Board via the KVKK application form on the website.
PRIVACY AND DATA SECURITY MEASURES
All personal data processed within Nalbantoğlu Metal San.ve Tic. Ltd. Şti. are confidential. For the purposes stated in Article 12 of the Law, namely:
a) To prevent the unlawful processing of personal data,
b) To prevent unlawful access to personal data,
c) To ensure the preservation of personal data,
Nalbantoğlu Metal San.ve Tic. Ltd. Şti. takes all necessary technical and administrative measures to ensure the appropriate level of security.
Technical Measures Taken to Ensure the Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
In order to protect your personal data, Nalbantoğlu Metal San.ve Tic. Ltd. Şti. has taken all kinds of technical and technological security measures and protects your personal data against possible risks. For example:
Network security and application security are provided.
Security measures are taken within the scope of information technology systems procurement, development and maintenance.
The authorizations of employees who have changed their duties or have left their jobs are revoked.
The security of the environments containing personal data is ensured.
Current anti-virus systems are used.
Firewalls are used.
Intrusion detection and prevention systems are used.
Administrative Measures Taken to Ensure the Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
A management framework has been established within the organization in order to initiate and control the information security operation and implementation.
The KVKK Committee and the Contact person have been appointed and the task definitions have been determined.
KVKK Application channels have been determined.
Violation, claim/complaint management workflows have been determined.
The main principles, policies and procedures related to the processing and protection of personal data have been determined.
The Data Processing and Storage Policy has been established.
The Policy of Processing and Protection of Personal Data has been established.
A Policy has been established for the Security of Personal Data of a Special Nature.
Existing risks and threats have been identified within the scope of the processed personal data.
Confidentiality commitments are made.
Clarification texts for employees, customers, suppliers, etc. have been published.
The processes required to obtain explicit consent have been determined and are being implemented.
Periodic and/or random internal audits are carried out. The privacy and security vulnerabilities that arise as a result of audits are fixed.
In case the data is obtained by others by unlawful means, the necessary measures are taken by the employees to inform the relevant person and the Board as soon as possible.
Measures to be Taken in Case of Disclosure of Personal Data by Unlawful Means
If the processed personal data is obtained by others by illegal means, our Company will inform the relevant data owner and the Board about this situation as soon as possible (Maximum 72 hours).
DATA PROCESSING ACTIVITIES CARRIED OUT FOR OUR GUESTS
In order to ensure security, Nalbantoğlu Metal San.ve Tic. Ltd. Şti. carries out personal data processing activities for the monitoring of guest entrances and exits, together with security camera monitoring activities, in its buildings. No monitoring is carried out in places where privacy is high.
When the identity data of people who come to the buildings of Nalbantoğlu Metal San.ve Tic. Ltd. Şti. as guests are obtained, the owners of the personal data in question are informed in this context through the texts posted at Nalbantoğlu Metal San.ve Tic. Ltd. Şti. or made available to the guests in other ways.
The data obtained for the purpose of guest entry and exit tracking are processed only for this purpose and the relevant personal data are recorded in the data recording system in physical and electronic environment within the framework of legitimate interests.
These monitoring activities are carried out in accordance with the provisions of the relevant legislation.
DESTRUCTION (DELETION, DESTRUCTION AND ANONYMIZATION) CONDITIONS OF PERSONAL DATA
In accordance with Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the “Regulation on Deletion, Destruction and Anonymization of Personal Data” issued by the Institution, personal data is deleted, destroyed or made anonymous, based on Nalbantoğlu Metal San.ve Tic. Ltd. Şti.’s own decision or upon the request of the personal data owner, if the reasons requiring processing disappear, even though the data has been processed in accordance with the provisions of the relevant law. Nalbantoğlu Metal San.ve Tic. Ltd. Şti. has created a Policy in accordance with the provisions of the regulation on this subject, and in accordance with this Policy, the data is destroyed according to its nature. In accordance with this regulation, Nalbantoğlu Metal San.ve Tic. Ltd. Şti. has determined periodic destruction dates and created a calendar according to which periodic destruction will be carried out at various intervals, starting from the beginning of the obligation.
ENFORCEMENT
Nalbantoğlu Metal San.ve Tic. Ltd. Şti. is responsible for the implementation of this Policy. A management structure has been established to ensure compliance with the KVK Law regulations.
EFFECTIVE DATE OF THE POLICY
This Policy entered into force on 04.08.2020.