ATILIM SHELF AND STORE EQUIPMENT MARKETING COMPANY PERSONAL DATA PROTECTION AND PROCESSING POLICY

Entrance

Pursuant to Article 20 of the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. This right includes being informed about the personal data about the person, accessing these data, requesting their correction or deletion and learning whether they are used for their purposes.

Law No. 6698 on the Protection of Personal Data (“KVKK”), the protection of fundamental rights and freedoms of individuals in the processing of personal data, the obligations of natural and legal persons who process personal data, and the procedures and principles to be followed. The purpose of this Policy, prepared in this direction, is to ensure compliance with the obligations of the KVK Law regulations.

governed by policy; Visitor, Product or Service Purchaser, Supplier Official, Supplier Employee, Intern, Potential Product or Service Purchaser, Shareholder/Partner, Employee, Employee Candidate, Customer Employee, Customer Representative, Consultant, Subcontractor Employee, Trainee Candidate, Drawer-Ciranta, Consultant personal data of individual groups.

In case of conflict between the KVKK and other relevant legislation and the Company's Personal Data Protection and Processing Policy, the applicable legislation will apply.

1. Purpose

In order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed, Atilim Raf and Store Equipment Marketing (Company) Personal Data Protection and Processing Policy (Policy) has been prepared .

With the policy, it is aimed to continue and develop the activities carried out by the Company in accordance with the principles in the KVKK and to inform the personal data owners.

2. Scope

Data owners whose personal data are processed within the scope of this Policy are categorized as follows:

Employee CandidateReal persons who make their resume and related information accessible to the Company by applying for a job or by any means.
WorkerPersons who have an ongoing business relationship with the company
Former EmployeeFormer employees whose employment relationship with the company has ended
VisitorsReal persons who enter the physical facilities of the Company for various purposes or visit the websites
Trainee CandidateReal persons who make their resume and related information accessible to the Company by applying for internships with the Company or by any other means.
InternPersons who have an internship relationship with the company
Product or Service BuyerThe person who purchases products / services from the Company and whose personal data are provided for this purpose
Supplier RepresentativeŞirket’in ürün/hizmet tedarik ettiği gerçek kişi şahıs işletmeleri ya da tüzel kişilerin imza yetkilisi olan kişiler
Supplier EmployeePersons working in the suppliers that the Company supplies products/services to
Potansiyel Ürün veya Hizmet AlıcısıPersons who are potential customers of the Company, prospective customers
Customer RepresentativeNatural person companies or persons who are authorized signatories of legal entities to which the Company sells products/services
Customer EmployeePersons working in the customers that the Company sells products/services to
AdvisorPersons served by the company's R&D department (academics, etc.)
Subcontractor EmployeePersons working in companies that are subcontractors of the Company
Kesideci-CirantaReal persons whose check information is processed in the Company's finance-accounting processes
Third PartiesAlthough not defined in the Policy, the guarantor, family members, etc., whose personal data are processed within the framework of this Policy. other natural persons, including but not limited to

3.    Definitions

The definitions used in this Policy are as follows:

Express consentConsent on a particular subject, based on information and expressed with free will
AnonymizationMaking personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data
Personal health dataAny health information relating to an identified or identifiable natural person
Personal dataAny information relating to an identified or identifiable natural person
Processing of personal dataObtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data completely or partially by automatic or non-automatic means provided that it is a part of any data recording system. All kinds of operations performed on data, such as blocking
KVKKLaw No. 6698 on the Protection of Personal Data
Assembly12.4.Personal Data Protection Unit
OrganisationPersonal Data Protection Authority
Special categories of personal dataData on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data
TCK5237 sayılı Türk Ceza Kanunu
Data processorThe natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
Personal data ownerThe natural person whose personal data is processed and who is deemed to be the "relevant person" in the KVK Law
Data Owner Application FormApplication form for personal data owners whose personal data are processed within the company when using their applications regarding their rights described in Article 11 of the KVK Law
Data controllerThe natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
Data Controllers Registry (VERBIS)Registry of data controllers kept by the Personal Data Protection Board
Data InventoryThe personal data processing activities carried out by the Company depending on the business processes, personal data, personal data processing purposes, the recipient group to which the personal data is transferred, the retention periods, the transfers to foreign countries and the security measures taken for the security of personal data are created by associating with the relevant personal data owner group. and detailed personal data processing inventory

4.     General Principles Regarding the Processing of Personal Data

Pursuant to Article 3 of the KVKK, obtaining, recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, obtaining personal data completely or partially automatically or by non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as making it accessible, classifying or preventing its use, is within the scope of processing personal data.

It is obligatory to comply with the following principles in the processing of personal data:

a. Compliance with the law and honesty rules

Our company carries out its personal data processing activities in accordance with the law and honesty rules, in accordance with the Constitution, the KVK Law and the relevant legislation.

b. Being accurate and up-to-date when needed

All kinds of administrative and technical measures are taken to ensure the accuracy and up-to-dateness of personal data while processing personal data by our company.

c. Processing for specific, explicit and legitimate purposes

Before starting the processing of personal data, our company clearly and precisely determines the legitimate purpose of processing personal data within the framework of the clarification texts.

d. Being connected, limited and restrained with the purpose for which they are processed

Personal data is processed by our company as necessary to achieve the determined purposes. Data processing is not carried out with the assumption that it can be used later.

e. To be stored for the period required by the relevant legislation or for the purpose for which they are processed.

Our company stores personal data for a limited period of time stipulated in the KVK Law and relevant legislation or for the purposes required for data processing.

5.     Personal Data Processing Conditions

Our company can process personal data and sensitive personal data with the explicit consent of the personal data owner or without explicit consent in cases stipulated in Articles 5 and 6 of the KVK Law.

5.1. Processing of Personal Data

As a rule, our company processes your personal data based on your explicit consent. On the other hand, it carries out personal data processing activities without your explicit consent in accordance with the data processing conditions set forth in Article 5 of the KVKK:

a.     Expressly stipulated in the law.

b.    It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express her consent due to actual impossibility or whose consent is not legally valid.

c.     It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

d.    It is mandatory for our company to fulfill its legal obligations.

e.     The personal data has been made public by the owner herself.

f.      Data processing is mandatory for the establishment, exercise or protection of a right.

g.    Data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.     

5.2. Processing of Private Personal Data:

Our company carries out the processing of personal data of special quality, which carries the risk of discrimination when processed unlawfully, in accordance with the data processing conditions set forth in Article 6 of the KVKK. In addition, it is also obligatory to take adequate measures determined by the Board in the processing of special categories of personal data. It is prohibited to process sensitive personal data without the explicit consent of the personal data owner. However, in the following cases, special categories of personal data may be processed without the explicit consent of the personal data owner:

a. Processing of Personal Health Data:

Personal health data; Provided that (i) take adequate measures to be prescribed by the Ministry of Health, (ii) act in accordance with general principles, (iii) be under the obligation of confidentiality, it can be processed in the presence of one of the conditions listed below:

–          Explicit written consent of the personal data owner

–          Taking adequate precautions as an employer for occupational health and safety and complying with the obligations arising from the legislation,

–          Protection of public health

–          Preventive medicine

–         Operation of medical diagnosis, treatment and care services,

–          Planning and management of healthcare services and financing

b. Processing of Private Personal Data Other than Health and Sexual Life

The data within this scope will be possible with the explicit consent of the personal data owner or in cases stipulated by the laws.

6.     Ensuring the Security and Confidentiality of Personal Data

In accordance with Article 12 of the KVKK, our company takes all necessary technical and administrative measures to prevent the unlawful processing and access of the personal data it processes and to ensure the appropriate level of security in order to ensure the protection of personal data.

6.1. Technical Measures Taken to Ensure Legal Processing of Personal Data and to Prevent Unlawful Access

The company has taken all kinds of technical and technological security measures to protect your personal data and has protected your personal data against possible risks.

Technical measures are taken in accordance with the developments in technology, the measures taken are periodically updated and renewed. There is software and hardware that includes virus protection systems and firewalls. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the Law and that they cannot use it for purposes other than processing, and that this obligation will continue after they leave their job. Necessary commitments are taken from the employees in this direction, and security policies are published for the employees, which include the rules to be followed in the workplace. Systems suitable for technological developments are used to store personal data in secure environments.

Administrative and Technical Measures Taken to Ensure Legal Processing of Personal Data and to Prevent Unlawful Access:

·         Network security and application security are provided.

·         Security measures are taken within the scope of procurement, development and maintenance of information technology systems.

·        There are disciplinary regulations that include data security provisions for employees.

·         Authorization matrix has been created for employees.

·        Access logs are kept regularly.

·         Corporate policies on access, information security, use, storage and destruction have been prepared and started to be implemented.

·        Confidentiality commitments are made.

·         The authorizations of employees who have a change of job or quit their job in this field are removed.

·         Current anti-virus systems are used.

·         Firewalls are used.

·        Contracts signed include data security provisions.

·        Personal data security policies and procedures have been determined.

·        Personal data security is monitored.

·         Necessary security measures are taken regarding entrances and exits to physical environments containing personal data.

·         The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.

·        The security of environments containing personal data is ensured.

·        Personal data is reduced as much as possible.

·        Personal data is backed up and the security of the backed up personal data is also ensured.

·         User account management and authorization control system are implemented and these are also followed.

·        Log records are kept without user intervention.

·        Attack detection and prevention systems are used.

·         Cyber ​​security measures have been taken and their implementation is constantly monitored.

·         Awareness of data processing service providers on data security is ensured.

·        Data loss prevention software is used.

6.2. Measures to be Taken in Case of Unlawful Disclosure of Personal Data

In case the processed personal data is obtained by others illegally despite the necessary security measures taken, our Company will notify the relevant data owner and the KVK Board within 72 hours from the date of learning. In this direction, Personal Data Gap and Notification Procedure, job descriptions have been created and shared by our Company.

7.     Purposes of Processing Personal Data and Retention Periods

7.1. Purposes of Processing Personal Data

Personal data is processed by our company for the following purposes:

  • Execution of Emergency Management Processes
  • Execution of Information Security Processes
  • Execution of Employee Candidate / Intern / Student Selection and Placement Processes
  • Execution of Application Processes of Employee Candidates
  • Execution of Employee Satisfaction and Loyalty Processes
  • Fulfillment of Employment Contract and Legislative Obligations for Employees
  • Execution of Benefits and Benefits Processes for Employees
  • Conducting Educational Activities
  • Execution of Access Authorizations
  • Execution of Activities in Compliance with the Legislation
  • Execution of Finance and Accounting Affairs
  • Follow-up and Execution of Legal Affairs
  • Execution of Communication Activities
  • Execution / Supervision of Business Activities
  • Execution of Occupational Health / Safety Activities
  • Execution of Logistics Activities
  • Execution of Goods/Services Procurement Processes
  • Execution of Goods / Services After-Sales Support Services
  • Execution of Good / Service Sales Processes
  • Execution of Goods / Services Production and Operation Processes
  • Execution of Performance Evaluation Processes
  • Execution of Storage and Archive Activities
  • Fulfillment of Legislative Obligations for Interns
  • Execution of Contract Processes
  • Ensuring the Security of Movable Property and Resources
  • Execution of Marketing Processes of Products / Services
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Execution of Management Activities
  • Creating and Tracking Visitor Records

7.2. Retention Periods of Personal Data

Our company determines whether a period is foreseen in the relevant legislation for the storage of personal data. If a period is stipulated in the relevant legislation, it complies with this period; if a period is not foreseen, it will keep the personal data for the period necessary for the purpose for which they are processed. If the purpose of processing personal data has expired and the storage periods determined by the relevant legislation and/or our Company have come to an end, it can only be stored for the purpose of providing evidence in possible legal disputes, asserting the relevant right related to the personal data or establishing a defense. Personal data is not stored by our Company, based on the possibility of its use in the future.

8.     Deletion, Destruction and Anonymization of Personal Data

Pursuant to Article 7 of the KVKK, personal data is deleted, destroyed or anonymized by our Company, ex officio or upon the request of the personal data owner, in case the reasons for processing the personal data are no longer valid, although the personal data has been processed in accordance with the relevant legislation.

The procedures and principles regarding this matter will be fulfilled in accordance with the KVK Law and the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224.

In the first periodical destruction process following the date of our obligation to delete, destroy or anonymize personal data, it deletes, destroys or anonymizes personal data.

Personal data will be deleted, destroyed or anonymized within a maximum of 6 (six) months following the date of our obligation to delete, destroy or anonymize personal data.

The time interval during which periodic destruction will be carried out is six months.

When you request the deletion or destruction of your personal data by applying to our company;

a) If all the conditions for processing personal data have disappeared; Your personal data subject to the request is deleted, destroyed or anonymized. Your request will be finalized within thirty days at the latest and you will be informed.

b) If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, it notifies the third parties; It is ensured that the necessary actions are taken within the scope of the regulation.

c) If all of the personal data processing conditions have not been eliminated, your request may be rejected by explaining the reason in accordance with the third paragraph of Article 13 of the KVKK and the rejection response will be notified to you in writing or electronically within thirty days at the latest.

8.1. Deletion and Destruction Techniques of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for relevant users.

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Example: physical destruction, secure masking from software, secure deletion by expert.

8.2. Techniques for Anonymization of Personal Data

It means making personal data in a way that cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Example: masking, data derivation, aliasing, aggregation, data hashing.

9.     Third Parties To Which Personal Data Is Transferred And Purposes Of Transfer

The procedures and principles to be applied in personal data transfers are regulated in Articles 8 and 9 of the KVKK, and the personal data and sensitive personal data of the personal data owner can be transferred to third parties in the country and abroad. Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, group companies, third real persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Accordingly, our company acts in accordance with the regulations stipulated in Article 8 of the Law.

Even without the explicit consent of the personal data owner, in case one or more of the following conditions are present, personal data may be transferred to third parties by taking all necessary security measures, including the methods prescribed by the Board, by taking due care by our Company.

• The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,

• The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,

• The transfer of personal data is mandatory for our Company to fulfill its legal obligations,

• Transferring personal data by our Company in a limited manner for the purpose of making it public, provided that the personal data has been made public by the data owner,

• The transfer of personal data by the Company is mandatory for the establishment, exercise or protection of the rights of the Company or the data owner or third parties,

• It is obligatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,

• Being obligatory for the protection of the life or bodily integrity of the person or another person, who cannot explain his or her consent due to actual impossibility or whose consent is not given legal validity.

Your personal data, by our company, are provided to Authorized Public Institutions and Organizations in order to clearly stipulate in the laws and fulfill legal obligations, the Company's infrastructure providers, trainers, third parties, travel agencies, e-archive and e-invoice for the Company to carry out its commercial activities. It can be shared with legal entities providing services, legal entities providing e-archive services, server service received for our websites, insurance companies, banks/financing companies, collection receivable companies for the collection of receivables, workplace doctor, real and legal persons with whom we have a proxy relationship.

However, in any case, except for the exceptional cases listed in the KVKK, personal data cannot be transferred without the explicit consent of the personal data owner. For this reason, in cases where there is a data transfer subject to the explicit consent of the personal data owner, personal data is not transferred to third parties or shared in any way without the explicit consent of the personal data owner.

9.1. Domestic Transfer of Personal Data

In accordance with Article 8 of the KVKK, the domestic transfer of personal data will be possible provided that one of the conditions specified in the 5th section of this Policy, titled "Personal Data Processing Conditions", is met.

9.2. Transfer of Personal Data Abroad

In accordance with Article 9 of the KVKK, in case personal data is transferred abroad, one of the following conditions is sought in addition to fulfilling the conditions for domestic transfers:

–           Counting the country to be transferred among the countries with adequate protection declared by the KVK Board

–           If there is no adequate protection in the country to be transferred, the data controllers in Turkey and the relevant foreign country must undertake in writing an adequate protection and have the permission of the KVK Board

Data transferred abroad by our company: Identity, Communication, Visual and audio records.

9.3. Person Groups to which Personal Data are Transferred by Our Company       

Our company may transfer the personal data of personal data owners within the scope of this Policy to the following groups of persons, in accordance with Articles 8 and 9 of the KVK Law, for the purposes stated below:

PERSON GROUPSDEFINITIONPURPOSE OF TRANSFER
Authorized Public Institutions and OrganizationsPublic institutions and organizations authorized to receive our Company's information and documents in accordance with the provisions of the relevant legislation (SGK, Tax Offices, Ministries, Security etc.)Explicitly stipulated in the laws and fulfillment of legal obligations limited to the purpose requested by the relevant public institutions and organizations within the framework of their legal authority
Legally Authorized Private Law PersonsPrivate law persons authorized to obtain information and documents from our Company in accordance with the provisions of the relevant legislation (Audit Firms, Law Firms, Service providers)The transfer is necessary for the fulfillment of legal obligations and the establishment, use and protection of a right, limited to the purpose requested by the relevant private legal persons within its legal authority.
Open to everyoneSharing personal data accessible to everyoneCarrying out activities for employee satisfaction on the Company website www.atilimraf.com and other social media sites, Executing the Marketing Process of Products / Services, carrying out activities for customer satisfaction, based on the express consent of the person concerned.

10. Our Company's Liability to Light

In accordance with Article 10 of the KVKK, personal data owners should be informed during the collection of personal data. In this context, our Company fulfills its obligation to inform on the following issues:

a. Title of our Company as data controller

b. For what purpose personal data will be processed

c. To whom and for what purpose the processed personal data can be transferred

d. Method and legal reason for collecting personal data,

e. 11.1 titled "Right of Application" of this Policy. The rights of the personal data owner specified in the section

11.  The Rights of Personal Data Owners and the Use of These Rights

In accordance with Article 13 of the KVKK, the evaluation of the rights of personal data owners and the necessary information to the personal data owners are carried out through the Company Data Owner Application Form as well as this Policy. Personal data owners can send us their complaints or requests regarding the processing of their personal data within the framework of the principles specified in the relevant form.

11.1. Right of Application

In accordance with Article 11 of the KVKK, anyone whose personal data is processed can apply to our Company and make requests regarding the following issues:

a. Learning whether personal data is processed or not,

b. If personal data has been processed, requesting information about it,

c. To learn the purpose of processing personal data and whether they are used in accordance with the purpose,

d. Learning the third parties whose personal data are transferred in the country or abroad,

e. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,

f. Requesting their deletion, destruction or anonymization in the event that the reasons requiring the processing of personal data disappear, and requesting the notification of the transaction made in this context to the third parties to whom the personal data has been transferred,

g. Objecting to the emergence of a result against the data owner by analyzing the processed data exclusively through automated systems,

h. To request the compensation of the damage in case of loss due to unlawful processing of personal data.

11.2. Situations Outside the Scope of the Right of Application

Pursuant to Article 28 of the KVKK, personal data owners will not be able to assert their rights in the following cases:

a. Processing of personal data by real persons within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.

b. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.

c. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.

d. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

e. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to paragraph 2 of Article 28 of the KVKK, data owners will not be able to assert their rights, except for the right to demand the compensation of the damage:

a. The processing of personal data is necessary for the prevention of crime or for criminal investigation.

b. Processing of personal data made public by the person concerned.

c. Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.

d. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

11.3. Answering Procedure

In accordance with Article 13 of the KVKK and the Communiqué on Application Procedures and Principles to the Data Controller, our Company will conclude the application requests made by the personal data owner as soon as possible and within 30 (thirty) days at the latest, free of charge, depending on the nature of the request. Pursuant to Article 13 of the KVKK, your application must be submitted to our Company in writing or by other methods to be determined by the Board.

The application of the personal data owner may be rejected in the following cases:

a. Preventing other people's rights and freedoms

b. Requires disproportionate effort

c. Information being publicly available

d. Compromising the privacy of others

e. Existence of one of the situations out of scope pursuant to KVKK

12.  Personal Data Processing Activities within the Company and Data Processing Activities on the Website

12.1. Monitoring with Camera in the Company

In order to protect the interests of our company and other people in ensuring the safety of our company and our factory, camera monitoring is carried out.

In line with the regulations in the KVKK, this Policy is published by our Company on our website regarding the camera monitoring activity and a notification letter is posted at the entrances of the areas where monitoring is performed.

There is no monitoring in areas that may result in interference with the privacy of the person. Only a limited number of Company employees can access the security camera recordings. The said persons who have access to the records declare that they will protect the confidentiality of the data they access with the confidentiality agreement they signed.

12.2. Entries and Exits of Persons Visiting the Company

Personal data processing activities are carried out to monitor the entrance and exit of our guests who visit our company. While obtaining the name-surname, motor vehicle license plate, entry-exit time-date information of the people who come to our company, the said data is processed only for this purpose and the relevant personal data is recorded in the physical environment in the registration system.

12.3.İnternet Sitesi Ziyaretçileri / Üyeleri

Identity, communication, customer transaction data of persons who submit their requests, complaints, opinions and suggestions to our company by filling out the contact form on the website www.atilimraf.com are processed for the purpose of carrying out the Follow-up of Requests / Complaints processes.

12.4.Personal Data Protection Unit

In order to fulfill the obligations in the KVKK, the company makes the necessary assignments within the company for the implementation of the issues specified in this Policy and establishes the procedures accordingly. The Personal Data Protection Unit has been established by the Company to manage this Policy and the procedures related to this Policy within the scope of PDPL. It is necessary for the Unit to distribute the necessary duties to raise awareness within the Company, to follow up the audits to be made, to take the necessary actions to resolve the applications of the relevant persons, to carry out the relations with the Institution, etc. has duties.

This Policy may be revised by the Company when deemed necessary. In case of revision, the most up-to-date version of the Policy will be posted on the Company's website.