General Overview on the Protection and Processing of Personal Data
PART 1 – INTRODUCTION, POLICY, PURPOSE, SCOPE, IMPLEMENTATION AND ENFORCEMENT
1.1. INTRODUCTION
Protection of personal data is among the most important priorities of our Company. The most important component of this issue is protecting and processing the personal data of our customers, potential customers, employee candidates, Company shareholders, Company authorities, visitors, and the employers, shareholders and authorities of the institutions we collaborate with, and third parties; and this issue is administered in line with this Policy. Operations conducted by our Company for protecting the personal data of our employees are administered in line with Çimsa Çimento Sanayi ve Ticaret A.Ş. (Çimsa or Company) Employees, Protecting and Processing Personal Data Policy, issued in parallel to the essentials given in this Policy.
According to the Constitution of the Republic of Turkey, each individual has the right to request protection of his/her own personal data. As personal data protection is a constitutional right, Çimsa exercises due care in protecting the personal data of its employees and employee candidates, shareholders and authorities, and third parties, as administered in line with this Policy, and views this issue as a Company policy.
In this respect, Çimsa takes the necessary administrative and technical measures to protect the personal data that we have processed as required by the relevant regulation.
In this policy, the following essential principles adopted by Çimsa for personal data processing will be explained in detail:
1. Processing personal data in line with the law and good faith,
2. Keeping personal data accurate and, when necessary, up to date,
3. Processing personal data for specified, clarified and legitimate purposes,
4. Processing personal data in a manner related to, limited to and restrained by the purpose of processing,
5. Maintaining personal data for a period required by the relevant regulation or as necessary for the purpose of processing,
6. Providing clarification and informing the owners of the personal data,
7. Establishing the system necessary for the owners of the personal data to use their rights,
8. Taking the measures necessary for maintaining the personal data,
9. Acting in line with the relevant regulation and the Personal Data Protection Agency’s (PDP Agency) regulations when transferring personal data to third persons as required by the purpose of processing,
10. Showing the necessary sensitivity for processing and protecting sensitive personal data.
1.2. PURPOSE OF THE POLICY
The main purpose of this Policy is to provide clarifications on personal data processing operations conducted by Çimsa in line with the relevant law and the systems adopted for personal data protection and to offer transparency by informing people whose personal data is processed by our Company, especially our customers, potential customers, employee candidates, Company shareholders, Company authorities, visitors, and the employees, shareholders and authorities of the institutions we collaborate with, and third parties.
1.3. SCOPE
This Policy covers all personal data of our customers, potential customers, employee candidates, Company shareholders, Company authorities, visitors, and the employers, shareholders and authorities of the institutions we collaborate with, and third parties, processed automatically or manually as part of any data record system.
The implementation of this Policy regarding the personal data owners classified in the categories stated above may cover either the whole Policy (e.g. our active customers who are also our visitors) or only some of the provisions (e.g. only our visitors).
1.4. IMPLEMENTATION OF THE POLICY AND THE RELEVANT LEGISLATION
The relevant legal regulations for processing and protecting personal data which are currently in effect will be implemented with priority. If there is a conflict between the regulation in effect and this Policy, our Company agrees that the regulation in effect will govern.
The Policy has been issued by regulating the rules required by the relevant regulation in line with the operations conducted in Çimsa. Our Company sustains the system and adjustments necessary for compliance with the enforcement periods specified in the Personal Data Protection Law (PDP Law).
1.5. ENFORCEMENT OF THE POLICY
This Policy, issued by our Company, was published on 07.04.2016 and put into effect on 07.10.2016 in line with the Law on Protection of Personal Data No. 6698. The Policy will be updated if the whole Policy or certain items of the Policy are renewed.
The Policy is published on our Company’s website (http://www.cimsa.com.tr) and access is offered to relevant persons upon demand of the personal data owners.
PART 2 – PROVISIONS ON PROTECTION OF PERSONAL DATA
In line with the regulation in effect, our Company takes the technical and administrative measures required to provide a level of security appropriate for preventing illegal processing of personal data it processes, preventing illegal access to data and enabling protection of data, and conducts the necessary audits in this regard internally or externally.
2.1. ENABLING SAFETY OF PERSONAL DATA
Our Company takes the necessary legal, technical and administrative measures in terms of data security within the bounds of technological possibility, and shows the necessary care and attention in this regard.
It is communicated to employees that they cannot disclose the personal data they learn about to any other person in violation of the PDP Law and use such data for any purpose other than the processing purpose and that this liability would continue after they leave their positions, and their reassurance is obtained accordingly.
Our Company internally relays information required to prevent reckless or unauthorized disclosure, access, transfer or any other illegal access in any other way in relation with personal data, and takes technical and administrative measures based on the attribute of personal data to be protected, technological possibilities and cost of implementation.
The liabilities which our Company has to follow when processing personal data as the data controller, and the liability to follow the legal, administrative and technical measures it has developed in this regard, are contractually imposed on the data processing institutions with which our Company collaborates under the name of supplier, business partner, etc., in line with the nature of the operation they conduct for data processing.
In line with the regulation in effect, our Company conducts the necessary audits internally or externally. The results of this audit are reported to the relevant department of the Company as part of the internal functioning, and necessary operations are carried out in order to improve the measures taken.
Our Company maintains a system which enables immediate notification to the relevant data owner and the PDP Agency in cases when personal data processed in line with the regulation in effect is illegally accessed by others.
2.2. PROTECTION OF DATA OWNER’S RIGHTS; CREATING CHANNELS FOR THEM TO COMMUNICATE WITH OUR COMPANY FOR THESE RIGHTS AND ASSESSING DATA OWNERS’ REQUESTS
Our Company maintains the channels, internal functioning, administrative and technical regulations required to assess the rights of personal data owners and to inform personal data owners as necessary in line with the regulation in effect.
When personal data owners submit their requests regarding their rights listed below to our Company in writing, our Company concludes the request in line with the nature of the request within periods required by the regulation in effect.
Personal data owners have the right to:
1. Learn whether their personal data has been processed or not,
2. Request information on processing if their personal data has been processed,
3. Learn about the purpose of personal data processing and whether the data has been used in line with this purpose or not,
4. Know the third persons to which their personal data has been transferred both domestically and abroad,
5. Request correction if the processed personal data belonging to them is wrong or missing,
6. Request deletion or destruction of their personal data within the scope of the conditions specified in the relevant regulation,
7. Request us to notify the third parties to which their personal data has been transferred of the correction, deletion and destruction actions in line with the relevant regulation,
8. Object to any result to the detriment of them obtained by exclusively analyzing their data via automatic systems,
9. Request compensation for their loss if they suffer a loss due to illegal processing of their personal data.
Personal data owners shall submit their requests for using their rights stated above in line with the regulation in effect to our Company “in writing” or via other methods allowed by the regulation.
As no additional method has been specified as of the effective date of this Policy, the relevant application shall be submitted to our Company in writing as requested by the governing provision of the regulation.
In order to use the rights stated above, the request shall be submitted along with the information required to identify the personal data owner and explanations regarding the right desired to be used, also stating the right to which the application relates; in this way, the application can be answered faster and more effectively.
For this matter, you may submit your petition involving your detailed explanation on the topic of your request and the right you desire to use by registered and reply paid letter to the following address: Allianz Tower Küçükbakkalköy Mah. Kayışdağı Cad. No: 1 Kat: 23-24 34750 Ataşehir/İstanbul.
2.3. PROTECTION OF SENSITIVE PERSONAL DATA
Some personal data is considered sensitive by the PDP Law, as it carries the risk of leading to victimization or discrimination if illegally processed.
Such data is related to race, ethnic origin, political view, philosophical belief, religion, doctrine or other beliefs, appearance, association, foundation or union membership, health, sexual life, conviction and security measures, including biometric and genetic data.
Our Company acts sensitively in protecting sensitive personal data defined to be “sensitive” by the PDP Law and processed on legal grounds. In this scope, the technical and administrative measures taken to protect personal data by our Company are implemented carefully in terms of sensitive personal data, and necessary audits are carried out.
PART 3 – PROVISIONS ON PERSONAL DATA PROCESSING
In line with the regulation, our Company processes personal data lawfully and in good faith, keeps it accurate and, when necessary, up to date, and processes it for specified, clarified and legitimate purposes, in a manner that is limited, restrained and connected with said purposes. Our Company maintains the personal data for the period required by the laws or by the purpose of personal data processing.
3.1. PROCESSING PERSONAL DATA IN LINE WITH THE PRINCIPLES SPECIFIED IN THE REGULATION
3.1.1. Processing in line with Law and Good Faith
Our Company acts in line with the principles set forward by legal regulations and general trust and good faith principles in personal data processing. In this scope, our Company considers the proportionality requirements in personal data processing and does not use personal data for any other purpose.
3.1.2. Keeping Personal Data Accurate and, When Necessary, Up to Date
Our Company considers the fundamental rights of personal data owners and its own legitimate interests, and keeps the personal data it processes accurate and up to date. In this scope, our Company takes the necessary precautions.
3.1.3. Processing for Certain, Clarified and Legitimate Purposes
Our Company defines its legitimate and legal purpose of personal data processing explicitly and precisely. Our Company processes personal data in relation with the service it offers, and to the extent required for this action. The purpose for which our Company will process personal data is defined before the personal data processing operation is initiated.
3.1.4. Processing in a Manner Related to, Limited to and Restrained by the Purpose of Processing
Our Company processes personal data in a way that will enable the specified purposes to be realized and avoids processing personal data which is not related to the realization of the purpose or which is not necessary. For instance, personal data is not processed in order to meet requirements that may emerge in the future.
3.1.5. Maintaining for a Period Required by the Relevant Regulation or As Necessary for the Purpose of Processing
Our Company maintains personal data only for a period specified in the relevant regulation or as necessary for the purpose of processing. In this scope, our Company firstly determines whether there is a period specified in the relevant regulation for maintaining personal data or not, abides by the period if it is specified, and, if no period is specified, maintains personal data for a period required by the purpose of processing. When the period ends or the reasons requiring the processing action do not exist anymore, the personal data is deleted, destroyed or anonymized by our Company.
3.2. PROCESSING PERSONAL DATA IN LINE WITH ONE OR MORE CONDITIONS ON PERSONAL DATA PROCESSING SPECIFIED IN THE REGULATION AND AS LIMITED WITH THESE CONDITIONS
While the legal basis for personal data processing by our Company differs, the general principles specified in the regulation are followed in each personal data processing operation.
(i) Express Consent of the Personal Data Owner
One of the conditions required to process personal data is the express consent of the owner. The express consent of the personal data owner must be received upon providing information on a specific issue and by the free will of the owner.
To process personal data upon the express consent of the personal data owner, express consent is received from customers, potential customers and visitors via relevant methods.
(ii) Expressly Specified in Law
Personal data of the data owner may be processed on a legal basis if it is expressly specified in law.
(iii) Inability to Receive Express Consent of the Relevant Person Due To Actual Impossibility
In cases when it is compulsory to process personal data of an individual who is not able to give his/her express consent due to actual impossibility or whose consent cannot be regarded as valid in order to be able to save the owner himself/herself or any other person’s life or bodily integrity, personal data of the data owner may be processed.
Example: The blood group of someone who has fainted may be learned from his/her friends by doctors.
(iv) Direct Relation with Preparation or Execution of the Contract
In cases when it is directly related to the preparation or execution of a contract, it is possible to process personal data if it is necessary to process personal data of the parties to the contract.
(v) Fulfillment of the Company’s Legal Liability
In cases when it is necessary to process personal data in order for our Company to fulfill its legal liabilities as the data controller, personal data of the data owner may be processed.
(vi) Personal Data Made Public by the Personal Data Owner
In cases when the data owner makes his/her personal data public, the relevant personal data may be processed.
(vii) Obligation to Process Data to Establish or Protect a Right
In cases when it is necessary to process data to establish, use or protect a right, personal data of the data owner may be processed.
(viii) Obligation to Process Data for Legitimate Interest of our Company
In cases when it is necessary to process data for the legitimate interests of our Company, on condition that fundamental rights and freedoms of the personal data owner are preserved, personal data of the data owner may be processed.
3.3. SENSITIVE PERSONAL DATA PROCESSING
Our Company acts sensitively in processing personal data defined to be “sensitive” by the PDP Law and follows the regulations specified in the PDP Law.
In the 6th Article of the PDP Law, some personal data is considered “sensitive” as it carries the risk of leading to victimization or discrimination if illegally processed. Such data is related to race, ethnic origin, political view, philosophical belief, religion, doctrine or other beliefs, appearance, association, foundation or union membership, health, sexual life, conviction and security measures, including biometric and genetic data.
In line with the PDP Law, special personal data may be processed by our Company in the following conditions on condition that adequate measures to be specified by the PDP Agency have been taken:
1. If express consent has been received from the personal data owner or
2. If express consent has not been received from the personal data owner: special personal data except the health and sexual life information of the personal data owner, on conditions specified by law.
Sensitive personal data regarding the health and sexual life of the personal data owner may only be processed in order to protect public health, to carry out medical diagnostics, treatment and care services, and to plan and administer healthcare services and financing, by people who are liable to keep the data confidential or by authorized organizations and institutions.
3.4. TRANSFER OF PERSONAL DATA
Our Company may transfer personal data and sensitive personal data of personal data owners to third persons (third person companies, group companies, real third persons) by taking the required security measures for the purposes of personal data processing on legal grounds. Our Company acts in line with the directions specified in the regulation in this regard.
Our Company may transfer personal data and sensitive personal data of personal data owners to third persons by taking the required security measures and to the extent that is allowed by the regulation for the purposes of personal data processing on legal grounds.
3.5. CONDITIONS ON DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
In cases when the reasons causing the processing action to be necessary do not exist anymore, even though the processing action has been realized in line with the provisions of the regulation, personal data is deleted, destroyed or anonymized directly by our Company or upon request of the personal data owner.
In this scope, in order to fulfill its relevant liability, our Company has taken the necessary technical and administrative measures within the Company and has developed the required functioning mechanisms in this regard; it trains and assigns the relevant business units in order for them to act in line with these liabilities, and creates awareness.