loader image

TEKA PURO ÜRETİM VE TİCARET A.Ş.
PERSONAL DATA PROCESSING, PROTECTION, DESTRUCTION AND CONFIDENTIALITY POLICY

INTRODUCTION

1.1. GENERAL POLICY INFORMATION

At Teka ("Company"), we attach the utmost importance to the lawful processing, storage, destruction, and confidentiality of personal data, pursuant to the provisions of the Personal Data Protection Act 6698, and related secondary legislation. In our capacity as "DataController", we prioritize the processing of personal data of natural persons associated with the Company, including its employees, customers, suppliers and users of its website, in conformity with the provisions of the relevant laws and regulations and ensuring theeffective exercise of the rights of the data subjects whose data are processed. In this context, we hereby present this Personal Data Processing, Protection, Destruction, and Privacy Policy ("Policy") to your kind attention to fulfill our obligation of disclosure underArticle 10, Personal Data Protection Act 6698, and to inform you of all administrative and technical measures we take regarding the processing, protection, destruction, and confidentiality of personal data.

1.2. DEFINED TERMS

  • Teka: Teka Puro Üretim ve Ticaret A.Ş.
  • Explicit Consent: Consent limited to a specific subject matter, based on the free will of the individual, after being informed, and within a specific subject matter.
  • Anonymization: The rendering of personal information in such a way that it cannot be associated in any way with an identified or identifiable natural person.
  • Employee: Refers to the employees of Teka Puro Üretim ve Ticaret A.Ş.
  • Data Subject: The natural person whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing of Personal Data: It is defined as any operation performed on personal data such as obtaining, recording, storing, altering, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully orpartially automatic or non-automatic means, provided that it is part of a data recording system.
  • Data Processor: A natural or legal person who processes personal data on behalf of the controller on the basis of an authorization granted by the controller.
  • Data Controller: The natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the data recording system.
  • KVKK: Personal Data Protection Act 6698
  • KVK Board: Personal Data Protection Board.
  • KVK Organization: Personal Data Protection Association.
  • KVKK: Personal Data Protection Act promulgated in the Official Gazette number 29677 on April 7, 2016.
  • Policy: Teka Puro Üretim ve Ticaret A.Ş. Personal Data Protection, Processing, Destruction and Privacy Policy

1.3. TARGET AUDIENCE

The target audience whose personal data is processed by Teka Puro Üretim ve Ticaret A.Ş.; suppliers, business and solution partners, company stakeholders, company officials, visitors, existing and potential customers of the company, employees of the company, prospectiveemployees, and all real persons who are interlocutors in a similar way.

1.4. PURPOSE AND SCOPE

KVKK came into force on April 7, 2016 when it was officially gazetted. KVKK and article 20 of the Constitution define the obligations of natural and legal persons who process personal data to protect the fundamental rights, and freedom of natural persons whose personaldata are processed, including the right to privacy.

The protection of personal data and the respect for the fundamental rights and freedoms of individuals whose personal data we collect is the fundamental principle of our policy on the processing of personal data. In this regard, we conduct all activities involving theprocessing of personal data in compliance with the protection of privacy, confidentiality of communications, freedom of thought and belief, and the right to effective legal remedies.

The primary purpose of this policy is to inform the persons whose personal data are processed by our company, in particular the company's stakeholders, suppliers, employees, applicants, visitors, the company's customers, potential customers and third parties, byexplaining the systems for processing and protecting personal data in accordance with the law and the purpose of the law. In this regard, our aim is to ensure full compliance with the law in the processing, protection, destruction, and confidentiality of personal datacarried out by the Company and to protect all the rights of the data subjects deriving from the legislation on personal data.

Scope of Our Policy and Personal Data Subjects including

  • Our employees
  • Prospective employees
  • Our Suppliers
  • Our Visitors
  • Our customers and potential customers, and
  • Third parties whose personal data that we process is covered by this policy.

Only "natural persons" are included in the scope of personal data protection, and data belonging to legal entities that do not contain information about natural persons are outside the scope of our policy and personal data protection.

This policy applies to the processing of all personal data collected within the Company.

1.5. EFFECTIVE DATE

This Policy has been in effect since [*] / [*] / 2020. This Policy is made available to Personal Data Subjects and Interested Parties. The Company reserves the right to make changes to the Policy as required by law. If changes to the Policy are required, the relevantarticles will be updated accordingly and you will be able to access the amendments on our website.

CATEGORIES OF PERSONAL DATA

The Company has created a personal data inventory in accordance with the Regulation on the Register of Data Controllers introduced by the Authority for the Protection of Personal Data. This inventory includes the categories of data, the source of the data, the purposes ofthe data processing, the data processing process, the recipients to whom the data is transferred and the storage periods. In this context, the Company's personal data inventory includes the following types of data categories --including but not limited to

The categories set forth below are for informational purposes only, and we may add other categories in the future for the Company to pursue its commercial and business activities. In such cases, the Company will continue to update the specified categories for you in therelevant texts to keep you informed as accurately as possible.

CATEGORIZATION OF PERSONAL DATA

CATEGORIZATION OF PERSONAL DATA DESCRIPTION

Data that unambiguously belongs to an identified or identifiable natural person; processed partially or fully automated or non-automated as part of a data collection system;

IDENTIFICATION

Documents such as driver's license, ID card, and passport containing information about the person's identity such as name and surname, Turkish ID number, nationality, mother's name-father's name, place of birth, date of birth, gender, and information suchas tax number, SSI number, signature information, and vehicle license plate, etc.

CONTACT DETAILS

Phone number, address, email address, fax number, and IP address.

SIGNATURE

Personal signature information --wet ink signature, electronic signature, photocopied or scanned signature).

HEALTH DATA

Person's health data --blood group, medical history, examination result, consultation report, and diet form).

 

VEHICLE/LOCATION DATA

Personal vehicle information - license plate number, chassis number, engine number, registration information -, information that determines the location of the data subject in the context of the operations carried out by the Company's business units, inthe context of the use of the products and services of the Group's companies or in the context of the use of the Company's vehicles by the employees of the entities with which the Company collaborates; GPS location, and travel data, etc.

TRANSACTION SECURITY INFO

Personal data processed for the technical, administrative, legal and commercial security of both the data subject and the Company in the course of the Company's activities.

DETAILS ABOUT FAMILY MEMBERS AND RELATIVES

Information about the family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in case of emergency within the framework of the operations carried out by the Company's business units, regarding the productsand services offered by the group companies or in order to protect the legal and other interests of the Company and the Personal Data Subject.

CUSTOMER DETAILS

Information obtained and created about the individual as a result of the business activities and operations conducted by the business units within this framework.

SPACE SAFETY INFORMATION

Personal data related to records and documents taken at the entrance to the physical space, during the stay in the physical space; camera recordings, and records taken at the security checkpoints, etc.

FINANCIALS/ASSETS

Personal data processed in relation to information, documents and records showing all types of financial results, created according to the type of relationship established by the Company with the the personal data subject, and data such as bank accountnumber, IBAN, credit card information, financial profile, data on the assets owned by the person --copy/scan of title deed, copy/scan of vehicle license--, and income details.

AUDIOVISUAL DATA

Data contained in documents that clearly belong to an identified or identifiable natural person, such as photographs and camera recordings (except for recordings within the scope of physical space security information), voice recordings, photocopy/scanof driver's license, photocopy/scan of ID card, and photocopy/scan of passport, etc., which are copies of documents containing personal data.

MARKETING DATA

Personal data processed for the marketing of our products and services by customizing them to the usage habits, preferences and needs of the personal data subject, as well as the reports and evaluations generated as a result of these processingresults.

PERSONAL RIGHTS EDUCATION/PERFORMANCE DETAILS/BENEFITS

All types of personal data processed for the purpose of obtaining information that will be the basis for the formation of personal rights of natural persons who have a working relationship with the Company, as well as educational background of theperson --diploma grade, diploma photocopy/scan.

Performance information; personal data processed for the purpose of measuring the performance of employees or natural persons who have an employment relationship with the Company and for planning and implementing their career development within thescope of our Company's human resources policy.

Fringe benefits; personal data processed for the purpose of planning fringe benefits and benefits offered and to be offered to employees or other real persons in a working relationship with the Company, determining objective criteria forentitlement to them and monitoring entitlement to them.

LEGAL ACTIONS

Data processed for the purpose of establishing and following up the legal claims and rights of the Company and for the performance of its debts and legal obligations.

SANCTIONS

Data related to sanctions the person has received in the past - convictions, sentencing, and disciplinary record.

SENSITIVE PERSONAL DATA

Data specified in Article 6 of the Law, e.g. health data, including blood group, biometric data, religion and membership of associations.

CLAIM/COMPLAINT MANAGEMENT DATA

Personal data related to the receipt and evaluation of requests or complaints addressed to the Company.

TRAVEL DATA

Data related to the person's travel --flight information, flight card, itinerary, mileage card number, and accommodation data.

AUDIT DATA

Personal data processed within the scope of the company's legal obligations and compliance with company policies.

PROCESSING OF PERSONAL DATA

3.1. OUR PRINCIPLES FOR PROCESSING PERSONAL DATA

The Company processes personal data in line with the following principles;

  • Processing for specific, explicit and lawful purposes: The Company processes personal data for specific, explicit and legitimate purposes. In this context, the Company determines the purpose for which personal data will be processed and informs the data subjects ofthe personal data obtained prior to processing. Personal data should not be processed for purposes other than those stated. The data processing purposes identified by the Company are legitimate and lawful.
  • Relevant, limited and proportionate to the purposes for which they are processed: The Company processes personal data in a manner that is conducive to the achievement of the specified purposes and avoids processing personal data that is not related to or necessary forthe achievement of those purposes.
  • Accurate and current when required: The Company ensures that the personal information it processes is accurate and up to date and takes the necessary steps to do so. For instance, the Company develops systems that allow data subjects to correct, amend and update theirpersonal data.
  • Compliance with Laws and Honesty Rules: The Company shall act in accordance with the law and in good faith when processing personal data. In this context, the Company implements the principles of proportionality and necessity in the processing of personal data andprocesses only as much personal data as necessary, in a measured manner and at a level appropriate to the purposes of the data processing.
  • Retention for the period prescribed by law or for the purpose for which they are processed: The Company will only keep personal data for the period prescribed by law or for the purpose for which it is processed. In this context, if the relevant legislation specifies aperiod for the storage of personal data, it will act in accordance with that period. If no period is specified, personal data will be kept for the period necessary for the purpose for which they are processed.

The personal data processing principles will apply to all personal data processing activities and all personal data processing activities will be carried out in accordance with these principles.

3.2. PURPOSES OF PERSONAL DATA PROCESSING

Personal data collected by the Company may be processed for the purposes described below:

Primary Purpose

Secondary Purpose:

HR Operations

  • Planning and execution of the company's human resources policies and processes (execution of recruitment processes)
  • Implementation of performance evaluation processes
  • Execution of employee entry and exit processes
  • Implementation of employee satisfaction and loyalty processes
  • Fulfillment of obligations arising from employment contracts and employee legislation
  • Performing employee benefits and perquisites processes
  • Event Management
  • Fulfilling regulatory obligations for employees
  • Planning and execution of occupational health and safety processes

In-house operations

  • Execution / monitoring of business activities
  • Receiving and evaluating business process improvement proposals
  • Performing business continuity activities
  • Performing audit activities
  • Performing training activities
  • Performing access authorizations
  • Perform finance and accounting activities
  • Performing emergency management processes
  • Performing information security processes
  • Establishing and managing information technology infrastructure
  • Executing allocation processes
  • Carrying out internal audit / investigation / intelligence activities
  • Performing communication activities
  • Fulfill our legal obligations as required or mandated by legal regulations
  • Performing risk management processes
  • Performing storage and archiving activities
  • Performing social responsibility activities
  • Execution of investment processes
  • Organization and event management
  • Planning and execution of corporate communication activities
  • Planning and execution of corporate sustainability activities
  • Planning and/or execution of efficiency/effectiveness and/or relevance analyses of business activities
  • Conduct advertising, promotion and marketing activities
  • Performing strategic planning activities
  • Performing logistics activities

The Company's commercial and/or business strategies and execution

  • Conducting product/service procurement processes
  • Providing product/service after-sales support services
  • Conducting product/service sales processes
  • Conducting product/service production and operation processes
  • Conducting customer relationship management processes
  • Conducting advertising/campaign/promotion processes
  • Conducting contract processes
  • Conducting sponsorship activities
  • Follow-up on legal requirements
  • Planning and executing customer relationship management processes
  • Conducting company/product/service loyalty processes
  • Inquiry / Complaint tracking
  • Fulfillment of legal obligations
  • Implementing wage policy

Ensuring the legal, technical, commercial, and business security of the Company and its affiliates that have a business relationship with the Company

  • Creating and tracking visitor records
  • Planning and executing operational activities necessary to ensure that company activities are conducted in accordance with company procedures and/or relevant laws.
  • Ensuring the security of company facilities and/or resources
  • Ensuring the safety of company operations
  • Providing legal information to authorized institutions
  • Ensuring that data is accurate and up to date
  • Ensuring the security of physical space
  • Planning and conducting corporate audit activities
  • Pursuing legal matters
  • Providing regulatory information to authorized institutions and preparing for audits by authorized institutions

The purposes of processing personal data may be updated in the context of the Company's policies and our obligations under the law. In the event that the data processing activity carried out for the aforementioned purposes does not meet any of the conditions establishedby law, the Company will obtain your explicit consent to the relevant data processing activity.

3.3. PERSONAL DATA PROCESSING TERMS AND CONDITIONS

Pursuant to Article 4 of the KVKK, the Company processes personal data in accordance with the law and in good faith, accurately and, where necessary, up to date, for specific, clear and legitimate purposes, in a limited and proportionate manner, for the period providedfor by the relevant legislation or for the purpose for which they are processed. In addition, the Company acts in accordance with its obligation of transparency, information and clarification in the processing of personal data.

The Company processes personal information in accordance with the following terms and conditions.

Except for the exceptions listed in the Act, the Company processes personal data only with the explicit consent of the data subjects, and in the following cases listed in the Act, personal data may be processed without the explicit consent of the data subject.

  • Explicitly stipulated in the law,
  • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
  • Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract,
  • It is mandatory for the data controller to fulfill its legal obligation,
  • It has been made public by the data subject himself/herself (personal data that has been made public can be processed without obtaining explicit consent, since the legal interest to be protected has disappeared),
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.4. PROCESSING SENSITIVE PERSONAL DATA

The law attaches particular importance to certain personal data because of the risk that their unlawful processing may lead to harassment or discrimination. These data include data concerning race, ethnic origin, political opinions, philosophical beliefs, religion,sect or other beliefs, physical appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

The Company is sensitive to the protection of special categories of personal data, which are defined as "special categories" by the law and are processed in accordance with the law. In this regard, the technical and administrative measures taken by the Company for theprotection of personal data are carefully implemented with respect to special categories of personal data, and necessary audits are provided within the Company.

It is prohibited to process sensitive personal data without the explicit consent of the data subject. Personal data relating to health and sexual life may be processed without the explicit consent of the data subject only for the purposes of public health protection,preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under an obligation of confidentiality.

In this regard, the health data of employees are processed through the Company's occupational health service, and the necessary training is provided to personnel who have access to this special quality of personal data, the scope and duration of the accessauthorization of such personnel is determined, periodic audits are performed, and confidentiality agreements are signed. In the event that such personnel leave the Company, their access authorization shall be immediately revoked.

Physical files containing personal health information that are physically stored in employee health records are kept in locked areas that are accessible only by appropriate infirmary personnel. No entity other than the infirmary staff has access to employee healthinformation.

3.5. PERSONAL DATA PROCESSING CONDUCTED AT THE ENTRANCE TO AND WITHIN THE COMPANY PREMISES AND BY VISITORS TO THE WEBSITE

For security purposes, the Company conducts personal data processing activities to monitor the entry and exit of visitors by means of security camera surveillance in the Company's buildings and facilities. The names and surnames of the persons who enter the premises ofthe Company as visitors are obtained or through the texts posted in the Company or otherwise made available to the visitors, and the personal data subjects concerned are informed in this regard. The processing of personal data is done by the Company by means of securitycameras recording the entry and exit of visitors. This monitoring activity is performed in accordance with the KVKK and the Law on Private Security Services, and the relevant legislation. In this context, all employees, visitors and persons are informed that camerasurveillance is performed. This Policy is published on the Company's website and notices are posted at the entrances of the monitored areas. In pursuance of the Law, necessary technical and administrative measures are taken by the Company to ensure the security ofpersonal data obtained as a result of camera surveillance activities.

Only a limited number of Company employees have access to the records saved and kept in digital media. Live camera footage can be viewed by employees of the departments responsible for security and administrative matters within the company. Access by other parties is notallowed.

For the purpose of ensuring the Company's security, and for other purposes specified in this Policy, Internet access may be provided to visitors who request it during their stay in the buildings and facilities. In this case, pursuant to Law no. 5651, and the mandatoryprovisions of the legislation regulated under to this Law, log records of Internet access are kept, and shall be processed only if requested by authorized public institutions and organizations or to fulfill the relevant legal obligation in the audit processes to beconducted at the Company’s premises.

3.6. MONITORING OF VISITOR ENTRANCES AND EXITS CONDUCTED AT THE ENTRANCES OF COMPANY PREMISES AND FACILITIES

The Company conducts personal data processing activities in order to ensure security and, for the purposes specified in this Policy, to track the entry and exit of visitors to the Company's premises and facilities. The names and surnames of persons who enter the Company'spremises as visitors are collected or the data subjects concerned are informed thereof by means of texts posted in the Company or otherwise made available to visitors. The data obtained for the purpose of monitoring the entry and exit of visitors are processed only forthis purpose, and the relevant personal data are physically recorded in the data recording system.

LEGAL OBLIGATIONS

Pursuant to KVKK and the relevant legislation, the Company is subject to legal obligations within the scope of personal data processing and protection. These obligations are listed below:

4.1. DISCLOSURE OBLIGATION

Teka Puro Üretim ve Ticaret A.Ş. is responsible for informing the data subject during the collection of personal data, and in this regard, obliged to provide the data subject with the following information:

  • Identification of the data controller and its representative, if any,
  • The purposes for which the personal data will be processed
  • To whom and for what purpose the processed personal data may be communicated,
  • The method and legal grounds for the collection of personal data, and
  • The rights of the data subject.

Within the framework of the obligation to provide information, the Company informs data subjects about the processing of their personal data through various means, primarily through its website, and attaches importance to the fact that the public policy is understandableto the personal data subjects. Information on the above mentioned issues is available on the website of Teka Puro Üretim ve Ticaret A.Ş. The means used to inform the data subjects are specified in the internal policies.

LEGAL OBLIGATIONS

Pursuant to KVKK and the relevant legislation, the Company is subject to legal obligations within the scope of personal data processing and protection. These obligations are listed below:

4.2. OBLIGATION TO INFORM

Pursuant to Article 11, KVKK, the rights of the person to whom the personal data is provided regarding the protection of the personal data are defined in this Policy.

Pursuant to Article 13, KVKK, the Company is responsible for processing the claims submitted regarding the rights in question and for informing the relevant persons, and this notification will be made within the period specified by the legal regulations.

4.3. OBLIGATION TO ENSURE DATA SECURITY

The responsibilities of the Company, the data controller under Article 12, KVKK with respect to data security are set forth in this policy.

4.4. DATA CONTROLLERS' REGISTRATION OBLIGATIONS

Pursuant to Article 16, KVKK, the Company is required to register with the Register of Data Controllers within the period to be specified by the Board. Pursuant to Article 16/3, KVKK, exceptions to the registration requirement may be made for some data, taking intoaccount objective criteria to be determined by the Board, such as the nature and number of personal data processed, the lawfulness of the data processing or the status of transfer to third parties.

TRANSFER OF PERSONAL DATA

Without prejudice to the exceptional circumstances set forth in the legislation, we do not transfer personal data and sensitive personal data to other natural persons or legal entities without the explicit consent of the data subject.

 

5.1. EXCEPTIONS:

In the presence of one of the following conditions, personal data may be transferred without seeking the explicit consent of the data subject:

  • Explicitly required by law,
  • It is mandatory for the protection of life or physical integrity of the person who is unable to give his/her consent due to actual impossibility or whose consent is not legally valid,
  • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the conclusion or performance of the contract,
  • It is mandatory for the data controller to comply with its legal obligation,
  • It has been made public by the data subject himself/herself (personal data that have been made public can be processed without obtaining explicit consent because the legal interest to be protected has disappeared),
  • The processing is necessary for the establishment, exercise or protection of a right,
  • processing is necessary to protect the legitimate interests of the controller, provided that the fundamental rights and freedoms of the data subject are not violated.

5.2. TRANSFER OF SENSITIVE PERSONAL DATA:

In order for special personal data to be transferred; at least one of the following conditions must be present. These conditions are;

  • If the data subject's express consent has been obtained,
  • In case it is expressly provided by the laws regarding personal data of a special nature other than health and sexual life,
  • As regards personal data relating to health and sexual life, they may be communicated by persons subject to confidentiality obligations or by authorized institutions and organizations for the protection of public health, preventive medicine, medical diagnosis,treatment and care services, planning and management of health services, and financing.

5.3. TRANSFER OF PERSONAL DATA TO ANOTHER COUNTRY

Due to the fact that the Company has a multinational structure, personal data may be transferred to our subsidiaries located in other countries as part of our operations, provided that the data subjects are informed and limited to cases where this is necessary for theoperation.

Personal data cannot be transferred to other countries without the explicit consent of the data subject. In the presence of one of the following conditions, personal data may be transferred to other countries without seeking the explicit consent of the data subject:

  • The data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
  • Is explicitly provided for by law,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • It is mandatory for the protection of the life or physical integrity of the person who is unable to give his/her consent due to practical impossibility or whose consent is not legally valid,
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract,
  • It is mandatory for the data controller to comply with its legal obligation,
  • It has been made public by the data subject himself/herself (personal data that has been made public can be processed without obtaining explicit consent because the legal interest to be protected has disappeared),

and in the foreign country to which the personal data is transferred;

  1. The availability of an adequate level of protection,
  2. In the absence of an adequate level of protection, the data controllers in Turkey and in the relevant foreign country undertake in writing to provide an adequate level of protection and the approval of the Board is obtained,

5.4. THE PURPOSES FOR WHICH WE MAY TRANSFER PERSONAL DATA AND THE THIRD PARTIES TO WHOM WE MAY TRANSFER PERSONAL DATA

The Company may, in the course of its business activities, transfer personal data:

  1. to its business partners, limited to the parties with whom it has established business partnerships for purposes such as the execution of various projects and the receipt of services, in order to ensure that the purposes for which the business partnership hasbeen established are fulfilled;
  2. to its suppliers, limited to the purpose of ensuring that the services required to carry out the Company's business activities are provided to the Company;
  3. to public institutions and organizations that are entitled to receive information and documents from the Company in accordance with the provisions of the applicable legislation, limited to the purpose requested by the relevant public institutions andorganizations within the scope of their legal powers;
  4. to persons under private law who are authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation, limited to the purpose requested by the relevant persons under private law within the scope ofthe legal authority;

provided that the necessary technical and administrative measures are taken under the principles and conditions set forth in this Policy.

CONDITIONS FOR DISPOSING OF – ERASURE, DESTRUCTION, AND ANONYMIZATION OF– PERSONAL DATA

In the event that the conditions for the processing of personal data established by law are no longer applicable, the Company will delete personal data by making it inaccessible and not usable in any way by the users concerned.

6.1. THE MEANS OF ERASURE, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

The Company's procedures and policies regarding the erasure and destruction techniques of personal data are set forth in the following articles:

6.1.1. ERASURE OF PERSONAL DATA

  • Secure Erasure by an Expert: In some cases, the Company may contract with an expert to erase Personal Information on its behalf. In this case, the expert securely deletes/destroys personal information in a manner that cannot be recovered.
  • Secure Erase from Software: When erasure/destruction of data processed by fully or partially automated means and stored on digital media; methods are used to erase the data from the relevant software so that it cannot be recovered.

This may include erasing the relevant data in the cloud system by executing the erase command; removing the relevant user's access rights to the file or the directory where the file is located on the central server; erasing the relevant rows in databases usingdatabase commands; or erasing the data on portable media, i.e. flash/hard disk media, using appropriate software. However, if the deletion of personal data results in the inability to access and use other data within the system, personal data shall also beconsidered deleted if the personal data is archived by making it unassociated with the data subject, provided that the following conditions are met:

  • Being inaccessible to any other institution, organization or person,
  • All necessary technical and administrative measures are taken to ensure that only authorized persons have access to the personal data.

Redaction of personal information in hard copy:

The process of physically cutting and removing the relevant personal data from the document or rendering it invisible by the use of fixed ink so that it cannot be reversed and cannot be read by technological solutions to prevent the improper use of the personaldata or to delete the data.

6.1.2. DESTRUCTION OF PERSONAL DATA:

  • Physical destruction of personal information: Personal data may also be processed by non-automated means if it is part of a data recording system. When such data is erased/destroyed, the system is used to physically destroy the personal data in such a way thatit cannot be used later.
  • Overwriting: Overwriting is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media using special software.
  • Demagnetization: It is the method of passing the magnetic media through special devices where it is exposed to high magnetic fields and the data on it is distorted in an unreadable way. It should be noted that if destruction by this method is not effective,the destruction process can be completed only by physical destruction of the media.

Teka Puro Üretim ve Ticaret A.Ş. ensures full compliance and takes all necessary administrative and technical measures to ensure data security in accordance with the provisions of KVKK, Regulation and other relevant laws during the realization of the abovementioned situations.

6.1.3. ANONYMIZATION OF PERSONAL DATA:

Anonymization of personal data is the process of making it impossible to associate personal data with an identified or identifiable natural person under any circumstances, even by matching it with other data. Our Company may anonymize personal data when thereasons for processing personal data in accordance with the law cease to exist.

In accordance with the law; anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Act and the explicit consent of the data subject may not be sought. Since personal dataprocessed by anonymization will be outside the context of the Law, the rights set out in the Policy cannot apply to such data.

The company's most common anonymization techniques are;

  • Data Shuffling, Permutation: The data shuffling method randomly distributes the data and breaks the links between the personal data sets.
  • Data Derivation: The data derivation method creates a more general content from the content of the personal data and ensures that the personal data cannot be associated with any particular person.
  • Masking: Data masking is a method of anonymizing personal data by removing the basic identifying information of the personal data from the data set.
  • Aggregation: Data aggregation is a method of aggregating multiple pieces of data and making personal data unassociated with any person.

PERSONAL DATA RETENTION AND DESTRUCTION PERIODS:

Pursuant to Article 7 of the Law and Article 138 of the Turkish Penal Code No. 5237, the Company shall keep the personal data it processes only for the period specified in the relevant legislation or, if no period is specified in the legislation, for the periodrequired for the purpose of processing the personal data. The retention periods, destruction periods and periodic destruction periods established by our Company can be found in the table below. Personal data that has expired will be destroyed in 6-month periods inaccordance with the procedures set forth in this Policy, within the destruction periods set forth in the Appendix to this Policy.

All operations related to the deletion, destruction and anonymization of personal data will be recorded and such records will be kept for at least three years, without prejudice to other legal obligations.

PROCESS

RETENTION PERIOD

TERM OF DESTRUCTION

Planning and performing corporate communications activities

10 years from the date of termination of the business relationship

Within 30 days of the data subject's request for destruction

Responding to court/enforcement information requests related to personnel

10 years from the date of termination of the business relationship

Within 180 days of the end of the retention period

Preparation of contracts

10 years

Within 180 days of the end of the retention period

Recruitment activities

10 years from the date of termination of the business relationship

Within 180 days of the end of the retention period

Payroll administration

10 years from the date of termination of the business relationship

Within 180 days of the end of the retention period

Organizing the preparation of private health and accident insurance policies for employees

1 year

Within 180 days of the end of the retention period

Allocation of vehicles to employees

1 year

Within 180 days of the end of the retention period

Health and safety practices

10 years from the date of termination of the business relationship

Within 180 days of the end of the retention period

Log/recording/tracking systems

1 year

Within 180 days of the end of the retention period

Information on shareholders and directors

10 years

Within 180 days of the end of the retention period

Personnel Financing Processes

10 years from the date of termination of the business relationship

Within 180 days of the end of the retention period

Part of the contracting process and contract maintenance

10 years from the date of termination of the business relationship

Within 180 days of the end of the retention period

Share meeting notes with attendees

10 years

Within 180 days of the end of the retention period

Job Applicants

1 YEAR from the end of the application period

Within 180 days of the end of the retention period

PERSONAL DATA SECURITY - MEASURES

At Teka Puro Üretim ve Ticaret A.Ş., we implement technical, physical, and administrative safeguards to ensure the confidentiality, security, and integrity of your personal data.

8.1. ADMINISTRATIVE MEASURES

The administrative measures taken by the Company:

  • The Company shall follow developments in the field of information security, privacy and protection of personal data and shall seek legal and technical advice in order to take the necessary measures.
  • In the event that processed personal data is obtained by others through unlawful means, the Company will notify the individual and the Board of Directors as soon as possible.
  • Service contracts and related documents between the Company and employees include information about personal data and data security, and additional protocols are established. Efforts are made to create the necessary awareness among employees on this issue.
  • Internal access to stored personal data is limited to those employees who have a need to know. In limiting access, consideration is also given to the special nature of the data and its level of importance.
  • The Company shall employ personnel who are knowledgeable and experienced in the processing of personal data and shall provide its personnel with the necessary training within the scope of the legislation on the protection of personal data and data security.
  • Perform and have performed the necessary audits to ensure the implementation of the provisions of the Law within its legal entity. Eliminate confidentiality and security vulnerabilities that arise as a result of audits.
  • With respect to the transfer of personal data, the Company signs a framework agreement on the protection of personal data and data security with the persons to whom personal data is transferred, or ensures data security with the provisions added to theexisting agreement.
  • Defines the scope of access to personal data of our internal employees according to their duties and positions, limits their access authorizations, and regularly reviews the authorizations.

8.2. TECHNICAL MEASURES:

The Company takes the following technical measures:

  • Periodically conducts security scans to identify vulnerabilities in applications that collect personal information and ensures that any vulnerabilities found are addressed.
  • Ensures that the access rights to personal data of employees working in Information Technology units are under control.
  • Supervises the personal data processing activities carried out within the Company with the technical systems in place and carries out the necessary internal controls.
  • It uses anti-virus systems, firewalls and similar software or hardware security products and establishes security systems in accordance with technological developments.
  • Establishes departments for technical issues and employs personnel with expertise in this area.
  • Technical measures taken are periodically reported to the appropriate person as required by the internal audit mechanism.
  • Technical measures are periodically updated and renewed.
  • Performs information technology risk assessment and business impact analysis processes within the established systems.
  • It uses backup programs in accordance with the law to ensure that personal data is stored securely.
  • Ensures that personal data is destroyed without a trace so that it cannot be recovered.
  • Ensures that the technical infrastructure is in place and matrices are in place to prevent or monitor data leakage outside the organization.
  • Ensure the control of system vulnerabilities by obtaining penetration testing services on a regular basis and as needed.
  • Pursuant to Article 12 of the Law, all types of digital media on which personal data are stored are protected by encrypted or cryptographic methods to ensure information security requirements.

In addition, the Company takes the following physical measures to ensure the security of personal information:

  • Documents and storage devices containing personal information are securely destroyed, and such documents and storage devices are backed up to prevent loss, as required by law and this policy.
  • Physical access measures are taken for locations where personal data is stored, documents and storage tools containing personal data are stored in locked cabinets, card access systems are used for work areas, and work areas are monitored by closed circuittelevision recording system.

DATA SUBJECTS' RIGHTS AND HOW TO EXERCISE THEM

Pursuant to Article 13, KVK, the exercise of the rights of personal data subjects and the necessary information to the personal data subjects are carried out through the Data Subject Application Form as well as this Policy. Personal data subjects may submit theircomplaints or requests regarding the processing of their personal data to us within the framework of the principles specified in the relevant form.

Within the scope of the Law, a personal data subject may apply to the Company, and request the following rights related to him/her;

  • To request the cancellation or destruction of personal data within the limits of the law,
  • To oppose the use of his/her personal data for purposes that are unfavorable to him/her, with the exception of the use of automated systems for the analysis of the data,
  • To know if personal data are being processed,
  • To be informed of the operations carried out on third parties to whom personal data have been communicated, in accordance with the above-mentioned rights of rectification, erasure or destruction,
  • To obtain information on whether or not your personal data is being processed,
  • In case of damage caused by unlawful processing of personal data, to obtain compensation for the damage,
  • To know the purposes for which the personal data are being processed and whether they are being used for their intended purpose,
  • To know the third parties to whom the personal data are communicated in the country or abroad,
  • To request the rectification of personal data in case of incomplete or incorrect processing,

Relevant persons may submit their claims after filling out the Application Form available at the link https://www.tekapuro.com.tr/politika/veri-sahibi-basvuru-formu;

  • In person or through a notary at the address of Tepeören ITOSB mah, 14. Cd. no: 8, 34959 Tepeören Osb/Tuzla/Istanbul with wet signature -- "Information request within the scope of the Personal Data Protection Law" should be written on the envelope /notification, or
  • As an e-mail attachment to info@tekapuro.com.tr from the e-mail addresses registered in the Company's system -- "Information Request under the Law on the Protection of Personal Data" should be written in the subject line of the e-mail; or
  • As an e-mail attachment to the registered e-mail address tekapuro@hs01.kep.tr - "Personal Data Protection Law Information Request" should be written in the subject line of the e-mail.

Relevant information and documents should be attached to the application form.

The requests in the application will be completed free of charge within 30 days at the latest, depending on the nature of the request. However, if the transaction requires additional costs, the applicant may be charged a fee in accordance with the tariffestablished by the Board. The application must be accompanied by relevant information and documents. Third parties who have been granted a special power of attorney by the data subjects through a notary public may apply on behalf of the data subjects.

DISTRIBUTION

This Policy, as prepared by the Company, is published electronically on the Company's website at www.tekapuro.com.tr.

The Policy shall be deemed to have been disclosed to the public upon its publication on the website. This Policy shall be reviewed by the designated Data Liaison/Controller within the scope of his or her authority and responsibility from the date of itspublication, annually at the end of each year, as necessary, and the relevant sections shall be updated as necessary. Changes to be made to the Company's policy shall be made available to data subjects in a manner that is readily accessible to data subjects.

 

 

Are you over 18 years old? Due to legal requirements, you need to verify your age to view our website.