Corporate Personal Data Protection Policy

Home / Corporate Personal Data Protection Policy

KARMOD PREFABRİK YAPI TEKNO. İNŞ. SAN. TİC. LTD. ŞTİ.
CORPORATE PERSONAL DATA PROTECTION POLICY

Document Information:
Document Name:	Personal Data Protection Policy
Document Relevancy:	The purpose of the Personal Data Protection Policy is to plan the processes for the protection of personal data by KARMOD and to determine the principles to be applied to this issue.
Issuance date:	March 1, 2020
Version No:	1
Reference / Justification:	Personal Data Protectıon Law (the “PDPL”) No. 6698 and other legislation
Approval Authority:	KARMOD Management

1. PURPOSE

To request the protection of personal data of his/her own by each individual is a sacred right arising from the Constitution. As KARMOD, we consider that fulfilling the requirements of this right is one of our most valuable tasks. We therefore care that your personal data is lawfully processed and protected.

The Corporate Personal Data Protection Policy is designed to determine the principles and procedures that we follow while processing and protecting personal data as a result of the emphasis we place on the protection of personal data.

2. SCOPE

The policy covers all kinds of processes carried out on data, such as obtaining, recording, storing, maintaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, etc. of all personal data managed by KARMOD, wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.

The policy relates to all personal data of KARMOD's partners, officials, customers, employees, supplier officials and employees, and third parties that are processed.

KARMOD may modify the policy for the purposes of compliance with legislation and the resolutions of the Personal Data Protection Authority and for better protection of personal data.

3. DEFINITIONS

Abbreviation	Definition
Group of Recipients	The category of real or legal persons to whom the personal data is transferred by data controller.
Explicit Consent	The consent which is context-specific, informed, and freely given.
Anonymization	Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
Data Subject	The natural person, whose personal data are processed.
Relevant User	Verilerin teknik olarak depolanması, korunması ve yedeklenmesinden sorumlu olan kişi Except for the person or unit, technically responsible for storing, protecting and backing up the data, the person who processes the personal data within the organization of the data controller or in accordance with the authority and instruction received from the data controller.
İmha	Erasure, destruction or anonymization of personal data
Law/PDPL	Personal Data Protectıon Law (the “PDPL”) No. 6698
Filing Medium	Any medium containing personal data processed, wholly or partially, by automated means or by non-automated means which provided that form part of a data filing system.
Personal Data	Erasure, destruction or anonymization of personal data .
Data Inventory	The inventory in which the data controllers explain and detail the personal data processing activities that they carry out in accordance with their business processes; the personal data processing purposes and legal reasons, the data category, and maximum storage period created by linking with the group of recipients to whom data transferred and the data subject group that is needed for the purposes for which the personal data is processed; the personal data intended to be transfer to foreign countries and the measures taken for the data security.
Personal Data Processing	Kişisel verilerin tamamenAll kinds of processes carried out on data, such as obtaining, recording, storing, maintaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, etc., wholly or partially, by automated means or by non-automated means which provided that form part of a data filing system.
Commission	The Personal Data Protection Commission established by KARMOD to manage the Policy and other related procedures and to ensure the enforcement of the Policy.
Board	Personal Data Protection Board.
Authority	Personal Data Protection Authority
Special Categories of Personal Data	The data of persons related to their race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress and clothing, association, foundation or union membership, health, sex life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction	rasure, destruction or anonymization process to be performed ex officio with periodic intervals specified in the policy of storage and destruction of personal data in case of elimination of all the conditions for the processing of personal data contained in the Law.
Policy	Personal Data Protection Policy
Data Processor	The natural or legal person who processes personal data on behalf of the data controller upon the authorization given by the data controller.
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

4. GENERAL PRINCIPLES

KARMOD checks the compliance of the data to be processed in the preparation phase of each work flow requiring a new personal data processing to the following principles. Inappropriate work flows are not realized.

While processing data, KARMOD shall;

(I) Observe the lawfulness and fairness rules.

(II) Ensure that the personal data are accurate and, where necessary, up to date.

(III) Pay attention they are processed for specified, explicit and legitimate purposes.

(IV) Control that processed data are relevant, limited and proportionate to the purposes for which they are processed.

(V) Store the data for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed and destruct when the purpose of processing is no longer exist.

5. DUTIES AND RESPONSIBILITIES

The Personal Data Protection Commission has been established within KARMOD in order to manage the Policy and other related procedures and to ensure the enforcement of the Policy. The Commission consists of the General Manager, Human Resources Officer, Chief Financial Officer and Information Technology Department Manager. KARMOD, when necessary, also receives the PDPL consultancy in order to comply with the Personal Data Protection Law No. 6698. The commission, if deems necessary, may call the PDPL consultant to its meetings.

It convenes, ordinarily, once every 6 months. It may convene, if the conditions require, extra orninarily (for example, in case of an alleged data breach).

It discusses the issues that need to be changed/improved in the Policy.

It identifies the issues that may be carried out for lawful processing and protection of personal data.

The commission determines the steps that can be taken to increase the awareness within the Company and of its business partners.

It identifies the risks that may be encountered in the processing and protection of personal data and takes the necessary administrative and technical measures.

It provides contact with the Authority and manages the relations.

It evaluates the requests from Data Subject.

It follows periodic destruction processes.

It updates the Data Inventory.

It makes the assignments related to the issues mentioned above.

6. Measures Taken For Data Security

KARMOD takes all kinds of technical and administrative measures necessary to ensure the appropriate level of security in order to (I) prevent unlawful processing of personal data, (II) prevent unlawful access to personal data, (III) ensure the protection of personal data.

6.1. Technical Measures

Network security and application security are ensured.

Security measures within the scope of information technology systems procurement, development, and maintenance are taken.

Access logs are kept regularly.

Current anti-virus systems are used.

Firewalls are used.

Necessary security precautions are taken on the way in and out of the physical environments containing personal data.

Physical environments containing personal data are protected against external risks (fire, flood, etc.).

The security of environments containing personal data is ensured.

Personal data is backed up and the security of the backed-up personal data is also ensured.

User account management and authorization control system are implemented and monitored.

Log records are kept without user intervention.

Intrusion detection and prevention systems are used.

Encryption is used.

6.2. Administrative Measures

There are disciplinary arrangements for employees including data security provisions.

Training and awareness activities on data security are conducted periodically for employees.

Corporate policies regarding the access to, security, use, storage and destruction of information have been prepared and started to be implemented.

Data masking measures are applied when necessary.

Confidentiality commitments are made.

An authorization matrix has been created for employees.

The authorities of the employees, who are assigned to another position or who left the job, in this area are removed.

The contracts signed include data security provisions.

Personal data security policies and procedures are determined.

Personal data security problems are reported quickly.

Personal data security is monitored.

The amount of personal data is reduced as much as possible.

Periodic and/or random audits are conducted within the company.

Current risks and threats have been identified.

Protocols and procedures on the security of special categories of personal data are determined and being applied.

If special categories of personal data are to be sent via e-mail, it is always sent in encrypted form and using registered e-mail or corporate e-mail account.

The awareness of the data processing service providers is raised about data security.

7. Rights of Data Subject Regarding Personal Data

Data Subject can apply to KARMOD and make a claim in the following matters:

Learning if his/her personal data is processed,
Request information if his/her personal data has been processed,
Learning the purpose of processing personal data and whether they are used for this purpose,
Learning third parties to whom his/her personal data is transferred, in-country or abroad,
In the event that his/her personal data is incomplete or improperly processed, requesting that they are corrected and that the operation performed in this regard is reported to the third parties to whom his/her personal data is transferred,
Requesting that his/her personal data are erased, destroyed or anonimized if the reasons for their processing cease to exist, even if they are processed in accordance with the provisions of the PDPL and any other relevant laws, and that the operation performed in this regard is reported to third parties to whom his/her personal data has been transferred,
Objecting to occurrence of any result that is a detriment of him/her by means of analysis of his/her processed data exclusively through automated systems,
Requesting to be indemnified if his/her incur a damage due to unlawful processing of his/her personal data.

8. REPORTING BREACHES

KARMOD employees report to the commission any work, action or fact they consider to be in breach of the provisions of the PDPL and/or the Policy. If the commission deems it necessary following this reporting of breach, it convenes and creates an action plan against the breach.

If the breach occurred through the obtainment of personal data by third persons by unlawful means, the Commission shall communicate this situation to the data subject and the Board within 72 hours within the scope of the decision of the Board dated 24.01.2019 and numbered 2019/10.

9. AMENDMENTS

The amendments in the Policy are prepared by the Commission and submitted for the approval of the Board of Directors of KARMOD. The updated policy man be sent to the employees by e-mail or posted on the website.

10. EFFECTIVE DATE

This version of the policy was approved by the Board of Directors and entered into force on 01.03.22020.