ALUMINANCE ALÜMİNYUM SANAYİ VE TİCARET A.Ş.’S POLICY OF PERSONAL DATA PROTECTION AND PROCESSING
Information Form of ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş.’s Policy of Personal Data Protection and Processing
ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş’s Policy of Personal Data Protection and Processing
Title of Document: ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş’s Policy of Personal Data Protection and Processing
Target Group: Real persons, whose personal data is processed by ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş.
Prepared By: ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş.’s Committee of Personal Data Protection
Approved By: It was Approved by the Board of Directors of ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş.
Date of Enforcement: 10/01/2024
This document may not be reproduced and distributed without the written consent of ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş.
ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş.’s Policy of Personal Data Protection and Processing
CONCEPTS
PART I
INTRODUCTION- PURPOSE
- SCOPE
- ENFORCEMENT OF THE POLICY
PART II
General Principles for Processing the Personal Data Terms for Processing the Personal Data Clarifying and Informing the Personal Data Owner Processing the Sensitive DataPART III
Personal Data Processed by our Company Person Groups Whose Personal Data is Processed by our Company Purposes of Processing the Personal Data Periods of Storing the Personal DataPART IV
Activity of Monitoring Carried out within the Building of and Around ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş.PART V
Transferring the Personal DataPART VI
Matters Regarding the Personal Data ProtectionPART VII
Terms of Deleting, Destroying and Anonymizing the Personal DataPART VIII
Rights of Personal Data Owners, Method of Exercising and Evaluating These RightsPART IX
Management Structure of Personal Data Protection and Processing PolicyPART X
Technical and Administrative Measures Taken for the Security of Personal DataConcepts
Concept | Definition |
---|---|
Processing Personal Data | All kinds of procedures performed on the data such as obtaining through wholly or partially automatic ways or non-automatic ways, provided to be part of any data recording system, recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing use of personal data. |
Concerned Person / Personal Data Owner | Real person, whose personal data is processed. |
Personal Data | All kinds of information regarding the real person, whose identity is identified or identifiable. |
Sensitive Personal Data | Data related with race, ethnic origin, political opinion, philosophic belief, religion, communion or other beliefs, appearance, membership of association, foundation or union, health, sexual life, criminal conviction and safety measures, and biometric and genetic data. |
Data Supervisor | Person, who determines the purposes and means of personal data processing, manages the place, where the data is kept systematically (data recording system). |
Deleting | It is the procedure of making the personal data inaccessible and non-reusable in any manner for the concerned users. |
Destroying | It is the procedure of making the personal inaccessible, non-recoverable and non-reusable by anybody in any manner. |
Anonymizing | It is making impossible that the personal data is linked with a real person, whose identity is identified or identifiable, in any manner, even by matching it with other data. By this method, it is required to make the personal data impossible to be linked with a real person, whose identity is identified or identifiable, even if by the receiver or receiver groups through utilizing the techniques suitable for the recording media and the relevant field of activity such as recovering and matching the data with other data. |
Data Processor | The real and legal person, who processes personal data on behalf of the data supervisor, based on the authorization granted by it. |
Explicit Consent | It is the consent expressed regarding a certain subject, based on being informed, and with free will. |
PART I
INTRODUCTION
Purpose of this regulation is consisted of protecting the personal data of the employees, employee candidates, interns, customers, employees of the customers, suppliers, employees of the suppliers, shareholders, and all data having the nature of personal data, within the scope of the Law on the Protection of Personal Data with number 6698.
The principles that shall be adopted and considered by our Company at the point of implementation on processing, protecting, deleting, destroying and anonymizing the personal data are set forth by this Policy.
PURPOSE
The purpose of this Policy is to inform the real persons, whose personal data may be processed, on the personal data processing activity carried out lawfully by our Company and the processes adopted for the protection of personal data; and to determine the policy of protecting and processing the personal data.
SCOPE
This Policy is on all personal data of the real persons, whose personal data is processed by our Company.
ENFORCEMENT OF THE POLICY
This Policy, which was issued by the Committee of Personal Data protection, is put into force by the resolution of Company’s Management and presented to the attention of the concerned persons by being published on the website of our Company.
PART II
1-GENERAL PRINCIPLES FOR PROCESSING THE PERSONAL DATA
1.1-Carrying out Activities of Personal Data processing in Compliance with the Law and Good Faith
We act in compliance with the principles imposed by the laws and other legal regulations in processing the personal data at ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş. Our Company considers the interests and reasonable expectations of the concerned persons, when trying to achieve its purposes in data processing, pursuant to the principle of complying with the good faith.
1.2-Ensuring that the Personal Data is Correct and Updated, When Necessary
ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş. takes the necessary measures in order to ensure that the personal data is updated and correct, considering the fundamental rights of the personal data owners and its own legitimate interests, and displays maximum attention on this matter.
1.3-Processing for Particular, Clear and Legitimate Purposes
Alumınance Alüminyum Sanayi ve Ticaret A.Ş. determines its purpose for processing the personal data explicitly and accurately. Our Company does not process data for purposes other than those stated to the concerned person. The data is processed by our Company to the extent it is in connection with the business it carries out or the service it provides and required for these.
1.4-Being in Connection, Limited with the Purpose of Processing and Prudent
ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş. obtains the sufficient data in connection with the purpose, and does not process unnecessary data. It does not collect personal data for the purposes that are not present and thought to be realized later.
1.5- Keeping for a Period Stipulated in the Relevant Legislation or Required by the Purpose of Processing
ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş. keeps the personal data only for the periods stipulated in the relevant legislation and as limited with the purpose of processing. Within this scope, if a certain period has been specified in the relevant legislation for keeping the personal data, then action is taken in accordance with this period. If a certain period has not been specified, then the personal data is kept for the period required for the purpose, for which they are processed. In case the period expires or the causes, which require processing, are disappeared, then the personal data is deleted, destroyed or anonymized by ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş. The detailed information on this matter is provided in Part 7 of this policy.
2- TERMS OF PROCESSING PERSONAL DATA
Personal data may be processed in case any of the requirements written below is present;
2.1- Having the Explicit Consent of the Personal Data Owner
One of the terms of personal data processing is the explicit consent of the data owner. Explicit consent of the personal data owner must be regarding a certain subject, based on being informed, and expressed by free will.
2.2- Being Explicitly Stipulated in Laws
Personal data of the data owner may be processed lawfully, in case it is stipulated in the law explicitly.
2.3- Failing to Obtain the Explicit Consent of the Concerned Person due to Actual Impracticability
If it is mandatory to process the personal data of the person, who is not able to express his/her explicit consent or validity of his/her consent cannot be recognized due to actual impracticability in order to protect the life or physical integrity of the person or the others, then the personal data of the data owner may be processed.
2.4- Being Directly Related with the Drawing up or Performance of the Contract
Personal data may be processed, in case processing the personal data of the parties of the contract is necessary, provided to be directly related with drawing up or performance of the contract.
2.5- Fulfilling the Legal Obligation
Personal data of the data owner may be processed, in case processing the data is required in order to fulfil the legal obligations.
2.6- Making the Personal Data of Data Owner Public
In case the personal data has been made public by the data owner, then it may be processed as limited with the purpose.
2.7- If Processing Data is Required to Establish or Protect a Right
Personal data of the data owner may be processed, in case data processing is required to establish, exercise or protect a right.
2.8- If Data Processing is Required for the Legitimate Interest of Data Supervisor
Personal data of the data owner may be processed, in case data processing is required for the legitimate interests of our Company, provided not to harm the fundamental rights and freedoms of the personal data owner.
3- CLARIFYING AND INFORMING THE PERSONAL DATA OWNER
Our Company makes clarification about for what purposes personal data shall be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal cause of personal data collection, and the rights of the personal data owner.
4- PROCESSING THE SENSITIVE PERSONAL DATA
Our Company acts in compliance with the regulations stipulated in LPPD in processing the personal data that is determined by LPPD as “sensitive”.
This data is the data related with race, ethnic origin, political opinion, philosophic belief, religion, communion or other beliefs, appearance, membership of association, foundation or union, health, sexual life, punishment sentence and safety measures, and biometric and genetic data.
Sensitive personal data is processed by our Company in the cases below by taking the necessary measures:
- It may be processed if the personal data owner gives explicit consent, or
- If the personal data owner does not give explicit consent, it may be processed in cases stipulated in laws.
Data regarding health and sexual life are only processed under the control of our workplace physician, otherwise explicit consent of the data owner is obtained.
PART III
1- PERSONAL DATA PROCESSED BY OUR COMPANY
Personal data that is processed by our Company is specified below. However, the fact that which data shall be processed specific to each personal data owner may vary depending on various factors such as the qualification of the relationship between the personal data owner and our Company, and the communication channels used.
PERSONAL DATA | EXPLANATION |
---|---|
Identity | Name, surname, TR identity number, date/place of birth, gender, marital status, age, nationality, and other personal data on the identity card, driving licence, signature |
Contact | Business address, residential address, e-mail address, name firm he/she is employed, company telephone number / personal telephone number |
Safety of Physical Space | Imagery record taken by the security camera and visitor records taken during the entry to the factory |
Finance | Bank account information, IBAN nr, price information, insurance policy |
Legal Proceeding | Personal data in suit and execution files |
Visual Record | Photograph |
Professional Information | Educational background, schools of graduation, date/degree of graduation, foreign language knowledge, job experience, computer knowledge, profession, position, title, certificate/course/diploma information, professional competence knowledge/certificate |
Customer Transaction | Current account information, cheque information, invoice information |
Supplier Transaction | Invoice information, product information, name of firm it works with |
Risk Management | Specimen f signature of the shareholders, powers of attorney |
Personnel | Personal data obtained in order to carry out personnel procedures of the real persons, who are in working relationship with our Company; date of contract, starting date of employment, payroll information, attendance/absence information, settlement/domicile information, copy of civil registry, military service status, leave information, debit information, letters of commitment, defences and minutes, OHS training documents, and cause of resigning / termination, date/code of termination, amounts regarding seniority/notice/other receivables of the employees who quit the job |
Other | Ticket and reservation information of business travels, amount of the gifts granted to those, who get married and have child, in order to ensure employee satisfaction, and reference information, wage expectation, job requested by him/her, date on which he/she may start working, military service status of the employee candidates |
Sensitive Personal Data | Health Information: Health data in employment and periodic examination form, health data on incapacity report, blood group Punishment Sentence and Security Measures: Criminal record information |
2- PERSON GROUPS, WHOSE PERSONAL DATA IS PROCESSED BY OUR COMPANY
Those, whose personal data is processed by our Company, are the shareholders, employees, employee candidates, interns, customer’s representatives/employees, supplier’s representatives/employees.
3 - PURPOSES OF PROCESSING PERSONAL DATA
- Carrying out the application processes of the employee candidates
- Ensuring employee satisfaction
- Carrying out the benefit and interest processes for the employees
- Being able to draw up employment agreement
- Fulfilling the obligations arising from the legislation
- Carrying out the training processes of the interns
- Informing the competent persons, institutions and organizations
- Carrying out the communication activities
- Carrying out the contractual processes
- Fulfilling the obligations of occupational health and safety
- Carrying out the entry-exit (shift) checks
- Carrying out the financial and accounting transactions
- Carrying out the foreign sales processes
- Performing the customs procedures
- Carrying out the transportation / shipment activities
- Supplying goods / services
- Following up and carrying out the legal procedures
- Carrying out storing and archiving activities
- Being able to make the IPI (Individual Pension Insurance) payments
- Benefiting from the SSI (Social Security Institution) incentives
- Following up and auditing the works
- Making the payments and collections
- Ensuring the safety of physical space, life and property
- Carrying out the business activities and ensuring the business continuity
- Performing the travel and accommodation procedures
- Carrying out the management activities
Our Company processes the personal data;
- To fulfil our legal obligations
- If it is required to process the personal data of the parties referring to the business relationship established with a contract
- If it is mandatory to process the data in order to establish, exercise or protect a right
- If it is stipulated by the Laws
- Relying on the legal cause of “the necessity of data processing for the legitimate interests of our Company, provided not to harm the fundamental rights and freedoms of the concerned person”, and in case these causes are not present, then by obtaining the “Explicit Consent” of the data owner.
4 - PERIODS OF STORING THE PERSONAL DATA
Our Company stores the personal data for the period stipulated in the relevant legislation or for the period required for the purpose of processing.
If any period is not regulated in the legislation regarding how long the personal data must be stored, then they are processed by our Company for the period, which requires processing, pursuant to the applications of the Company and the practices of commercial life depending on the activity being carried out while processing that data.
If the processing purpose is expired, and the keeping periods determined by the relevant legislation and company are also expired; then the personal data may be kept only for constituting an evidence in case of possible legal disputes or to be able to claim for the right connected with the personal data or to establish defence. In establishing the periods herein, keeping periods are determined based on the periods of limitation for being able to claim the mentioned right, and the examples in the requests directed to our Company previously with the same subject although the period of limitations are expired. In such case, the personal data, which are kept, is not accessed with another purpose, however access to the relevant personal data is provided, when the use of them is needed for legal disputes. Also after the period, which is also mentioned here, the personal data is deleted, destroyed or anonymized.
PART IV
ACTIVITY OF SURVEILLANCE VIA CAMERA THAT IS CARRIED OUT AT THE BUILDING ENTRANCES OF AND WITHIN THE BUILDING OF ALUMINANCE ALÜMİNYUM SANAYİ VE TİCARET A.Ş.:
Images are recorded by our Company via cameras at certain places, in a manner that shall not lead the result of interfere with the privacy of people, in order to ensure the security of the physical space, to ensure the safety of life and to carry out the labour inspection. Our Company acts in accordance with LPPD in the activity of surveillance via cameras, which is carried out for security purposes. Information related with the activity of surveillance via cameras is given by publishing this policy and by hanging signs and guide boards and clarification text.
The facts such as the surveillance areas and number of the cameras, and when the surveillance shall be carried out are determined so as to be sufficient to ensure the security. The technical and administrative measures required to ensure the security of the personal data obtained via cameras are taken. The personal data obtained by the activity of surveillance via cameras, is kept by our Company for 1 month.
Only the Company representatives may access the camera records, and these records are shared with law enforcement officers and judicial authorities only in when an incident occurs or it is requested.
PART V – TRANSFERRING THE PERSONAL DATA
The third parties, institutions and organizations, to which the personal data may be transferred, may vary depending on the type and nature of the relationship between the data owner and ALUMINANCE Alüminyum Sanayi ve Ticaret A.Ş., and the purpose of fulfilling the obligations arising from the legislation. However, they are as the following in general. Personal data is transferred:
- To the Social Security Institution, Revenue Administration and to the other competent persons, institutions and organizations, in order to fulfil the obligations arising from the legislation,
- to Zahit Alüminyum A.Ş., which is our group company, in order to perform the financial and accounting transactions, to carry out the management and business activities,
- To the notary Office, in order to perform the procedures such as power of attorney, notification, etc.,
- To our attorney, in order to follow up and carry out the legal procedures,
- To the institution, where the intern receives training during the internship training,
- To the mediator in order to carry out the dismissal procedures,
- To ETA Entegre Ticari Uygulama Programları Yazılım Şirketi through the programme used in order to perform the financial, accounting and personnel transactions,
- To 112 Yazılım ve Bilişim Sistemleri Limited Şirketi, in order to control the shifts of the employees,
- To the JHSU (Joint Health and Safety Unit) company, in order to fulfil the obligations of occupational health and safety,
- To the bank, in order to carry out the payment and collection transactions,
- To the customers and suppliers, in order to carry out sales / purchasing processes and business activities,
- To the shipping agents, in order to carry out the transportation / shipment activities,
- To the customs broker, in order to be able to carry out the clearance,
- To Bnp Paribas (Teb), in order to perform the IPI (Individual Pension Insurance) transactions,
- To the incentive company, in order to make the SSI incentive calculations,
- To the public agencies and banks, in order to carry out the management activities and to ensure the business continuity,
within the framework of the requirements in Article 8 of Law Nr. 6698.
PART VI – MATTERS ON THE PROTECTION OF PERSONAL DATA
Our Company takes the necessary technical and administrative measures required to ensure the appropriate security level in order to prevent that the personal data is processed unlawfully and accessed unlawfully, and to ensure the protection of data, and it carries out the necessary audits or have them carried out within this scope.
The actions and measures, which are taken by our Company for ensuring the “data security”, pursuant to Article 12 of LPPD, are presented below.
- Our Company takes technical and administrative measures, in order to ensure that the personal data is processed lawfully, depending on the technical opportunities and application cost.
- Employees are informed on the facts that they shall not disclose the personal data they learn to the others, by violating the provisions of LPPD, shall not use them for purposes other than the purpose of processing, and this obligation shall survive also after they quit working; and the necessary letters of commitment are taken from them in this respect.
- Our Company takes the necessary technical and administrative measures, in order to store the personal data in safe environment, and to prevent that they are destroyed, lost or modified for unlawful purposes.
PART VII – REQUIREMENTS FOR DELETING, DESTROYING AND ANONYMIZING THE PERSONAL DATA:
As regulated in Article 7 of LPPD, personal data is deleted, destroyed or anonymized at the latest within 6 months, in case the causes, which require processing, are disappeared, although they are processed in accordance with the provisions of the relevant law. In case the requirements for processing the personal data are disappeared in whole, then our Company deletes, destroys or anonymizes the personal data in question, also upon the request of the concerned person. Our Company concludes the request of the concerned person at the latest within thirty days, and informs the concerned person.
Personal data, which was anonymized in accordance with the Article 28 of LPPD, may be processed for purposes such as research, planning and statistics. Since such procedures are out of the scope of LPPD, explicit consent of the personal data owner is not sought.
PART VIII – RIGHTS OF PERSONAL DATA OWNERS, METHOD OF EXERCISING AND EVALUATING THESE RIGHTS:
Our Company carries out the necessary channels, internal operation, administrative and technical regulations in accordance with Article 13 of LPPD, in order to evaluate the rights of the personal data owners and to give the necessary information to the personal data owners. They have the right:
- To learn whether the personal data has been processed or not
- If yes, to request information regarding this
- To learn the purpose of processing and whether they are used in accordance with the purpose or not
- To know the third parties, to whom the personal data is transferred inland or abroad
- In case the personal data is incomplete or falsely processed, to request the correction of them and to request the transaction, which was carried out within this scope, be notified to the third parties, to whom the personal data has been transferred
- To request the deletion or destruction of the personal data, if the causes, which require processing, disappear, even if they have been processed in accordance with the provisions of LPPD and other relevant laws and to request the transaction, which was carried out within this scope, be notified to the third parties, to whom the personal data has been transferred.
Within this scope, the Concerned Person is required to deliver the applications, which shall be made to our Company as the Data Supervisor in order to exercise his/her rights pursuant to Article 13 of LPPD, to our Company in writing or through other methods to be determined by the Committee of Personal Data Protection.
For the applications to be made to our Company in writing, it is required to deliver them by using the “Data Owner Application Form” to be obtained from our Company;
By hand to the address of …………………………………………… as bearing the wet signature, via registered letter with return receipt or via notary office, or
It is required to be forwarded to the kep address of …………………………….. or to the e-mail address of …………………………….after signing it with your safe electronic signature.
Our Company shall conclude the requests, which are delivered to it, regarding to exercise the rights under Article 13 of the Law, as soon as possible depending on their nature, and at the latest within thirty days following the date, on which the request is received by our Company, free of charge. However, in case the transaction requires a separate cost, then the Company may request the fees in the tariff, which is determined by the Board, from the data owner making the application. If our Company accepts the request or rejects by explaining the justification, then it shall notify its response to the concerned person in writing or in electronic environment.
In case the information and documents presented by the data owner to our Company are incomplete or complicated, then our Company may request information / document in order to make the application clear, or to identify whether the person is the real owner of the personal data, which is the subject of the application, or not, or to ensure the security of the data; and may direct additional question/s to the personal data owner in relation with his/her application.
PART IX - MANAGEMENT STRUCTURE OF THE POLICY OF PERSONAL DATA PROTECTION AND PROCESSING
Our Company establishes the appropriate management structure in order to fulfil its obligations in LPPD and for the implementation of this Policy and to carry out the tasks specified below.
- To prepare the basic policies related with the protection and processing of personal data and the amendments in these policies, and to submit for the approval of the senior management,
- To decide on how the policies regarding the protection and processing of the personal data shall be implemented and how the auditing shall take place; and to make assignments among the employees within this framework, and to submit for the approval of the senior management,
- To determine the matters that have to be performed in order to ensure the compliance with the Law on the Protection of Personal Data and the relevant legislation, and to submit for the approval of the senior management; to observe its implementation and to ensure its coordination,
- To raise awareness among the employees of the Company on the Protection and Processing of the Personal Data,
- To determine the risks that may occur in the personal data processing activities, to ensure that the necessary measures are taken, to submit the improvement suggestions to the approval of senior management,
- To design trainings on the protection of personal data and implementation of the policies, and to ensure that they are implemented,
- To respond the applications of the personal data owners in due time,
- To manage the relations with the Agency for Personal Data Protection.
In addition to the tasks specified above, other tasks and responsibilities may be given to the responsible person / persons to be appointed in this matter, depending on the needs of the Company and the characteristics of the activities carried out.
PART X -TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURITY OF PERSONAL DATA
Our Company takes the necessary administrative and technical measures on storing the personal data lawfully and safely. For this:
- Trainings and awareness studies on the subject of data security are conducted for the employees in certain intervals.
- Corporate policies on the subjects of using, storing and destroying the personal data have been prepared and started to be implemented.
- Letters of confidentiality commitment are made.
- Authorizations of the employees, whose position is changed or who quit the job, are revoked.
- The agreements, which are signed, include data security provisions.
- Policies and procedures of personal data security are determined.
- Personal data security problems are reported quickly.
- Personal data security is monitored.
- Necessary safety measures are taken in relation with entry-exit to/from the physical environments containing personal data.
- Security of the physical environment containing personal data is ensured against external risks (fire, flood, etc.).
- Safety of the media containing personal data is ensured.
- Personal data is being reduced as far as possible.
- Awareness of the service providers, which process data, on data security is ensured.
- Network security and application security is ensured.
- Security measures under supplying, developing and maintenance of information technologies are being taken.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- Personal data is backed up and security of the backed-up personal data is also ensured.
- User account management and authorization control system is being applied and they are also followed up.
- Current risks and threats are determined.
- Encoding is being made.