1.INTRODUCTION

1.1 Introduction

Cemdağ Aydınlatma San. Tic. A.Ş (“Company”) attaches the utmost importance to protecting the fundamental rights and freedoms of persons in the protection and processing of personal data, especially the right of privacy as set out in Article 20 of the Constitution. In this context, it pays attention to protect and process personal data under the Law No. 6698 on Protection of Personal Data (“Law” or “Law of KVK”) and the General Data Protection Regulation of the European Union (GDPR) and acts with this understanding in all its planning and activities.

Our company does not only evaluate the protection and processing of personal data, which is the basis of the right of privacy, within the scope of compliance with the legislation, but puts the value it gives to persons based on its approach. Acting with this awareness, our company takes all necessary administrative and technical measures for the protection and processing of personal data under the law.

1.2 Aim of the Policy

The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to protect the fundamental rights and freedoms of persons to the maximum extent, especially the right of privacy as set out in Article 20 of the Constitution, in the protection and processing of personal data, which is processed wholly or partly automatic ways under the purpose of the law, or by non-automatic means being part of any data filing system and is to inform the data subjects about the obligations, procedures and principles of our company and under the law. The main goal is to ensure full compliance with the legislation in the protection and processing of personal data performed by our company and to protect the right of data subjects to privacy and data security.

1.3 Scope of the Policy

This Policy is prepared for and shall be applied under the specified persons being a natural person: Potential Employee, Supervisor, Family Members of Shareholders, Employee/Authorized Person of Service Provider, Financial Consultant, Customer, Employee/Authorized Person of Customer, Potential Customer, Employee/Authorized Person of Potential Customer, Trainee, Shareholders/Partners, Authorized Person of the Company, Employee/Authorized Person of Subcontractor, Supplier, Employee/Authorized Person of Supplier, Third Parties, Board Members, Visitors. By publishing this Policy on its website, the company informs these data subjects about the law. This Policy shall not be applied to legal entities in any capacity whatsoever. For employees of our company, the “Personal Data Processing Policy for Employees” shall apply.

This policy shall apply to the above-mentioned persons if their data is processed by our company in a wholly or partly automated way, or in a non-automated way being a part of any data filing system. This policy shall not be applied if the data is not included in the scope of “Personal Data” or if the personal data processing performed by our company are not covered by the above-mentioned means.

1.4 Definitions

The concepts used in the implementation of this policy mean the following meanings:

Explicit Consent Freely given specific and informed consent.
Publicizing The concept of publicizing in the sense of “making it known to all“ is counted as one of the exceptions in Article 5 of the law No. 6698,” the requirement to obtain the explicit consent of the natural person whose personal data is processed”, which is necessary for the processing of personal data.
Disclosure It is the responsibility of the data controller to inform the persons to whom his/her data may be processed, for which purposes and for which legal reasons, and for which purposes it may be transferred.
Relevant User The person who processes the personal data within the data controller organization or under the authority and instruction received from the data controller, except for the person or unit who is technically responsible for storing, protecting and backing up the data.
Destruction It refers to the deletion, destruction, or anonymization of personal data.
Processing of Personal Data Any operation which is performed upon personal data such as collection, filing, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system;
Board The Board of Protection of Personal Data.
Relevant Person / Data Subject It refers to Potential Employee, Supervisor, Family Members of Shareholders, Employee/Authorized Person of Service Provider, Financial Consultant, Customer, Employee/Authorized Person of Customer, Potential Customer, Employee/Authorized Person of Potential Customer, Trainee, Shareholders/Partners, Authorized Person of the Company, Employee/Authorized Person of Subcontractor, Supplier, Employee/Authorized Person of Supplier, Third Parties, Board Members, Visitors whose personal data are processed (including sensitive personal data).
Personal Data Any information relating to an identified or identifiable natural person.
Authority The Authority of Protection of Personal Data.
Automatically Processing Data It is a self-performing processing activity performed by processor-owning devices such as computers, phones, watches, without human intervention within the scope of algorithms prepared in advance through software or hardware features.
Sensitive Personal Data Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of an association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are sensitive personal data.
Registry Data Controllers’ Registry
Company Cemdağ Aydınlatma San. Tic. A.Ş.
Data Processor Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller;
Filing System Any recording system through which personal data are processed by structuring according to specific criteria;
Data Categories It is a class of personal data belonging to a group or groups of people, in which personal data is categorized according to their common characteristics.
Data Subject A natural person whose personal data are processed.
Data Controller Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the filing system.

 

1.5 Enforcement of the Policy

The policy, which came into force on 01.01.2020 and regulated by Cemdağ Aydınlatma San. Tic. A.Ş., is published on the company’s website (www.cemdag.com) and made available to data subjects.

 

2.PROTECTION OF PERSONAL DATA

2.1 Security of Personal Data

Under the law, our company takes all necessary administrative and technical measures to ensure the appropriate level of security to store personal data securely and to prevent the illegal processing and access of personal data. The administrative and technical measures taken regarding the security of personal data are detailed in the Personal Data Storage and Destruction Policy of our company.

Our company has established the “Personal Data Protection Management System” to ensure compliance with the regulations contained in the law and other legislation and it has established Personal Data Protection Committee within its body to ensure the implementation of the policy and other related policies.

2.2 Supervision

Our company conducts and (having them conducted) the necessary supervision to establish the data security described above and to ensure the regularity and continuity of the measures taken. The Personal Data Protection Committee supervises the measures taken for the security of personal data.

2.3 Privacy

Our company takes all necessary administrative and technical measures according to technological facilities and application costs to ensure that the relevant data controllers and processors do not disclose their data to anyone in violation of the provisions of Law and Policy and do not use it for processing. In this context, information and training activities about the law and policy are carried out for the employees of the company, and privacy agreements are signed as part of the recruitment processes of the relevant employees.

2.4 Unauthorized Disclosure of Personal Data

If the personal data processed by our company is obtained by others in ways that are not under the law, our company shall take the necessary actions to inform the data subject and the Board within the periods determined by the Board of this situation. If necessary, this shall be announced on the website of the Board or by any other method deemed appropriate by the Board.

2.5 Protection of the Legal Rights of Data Subjects

Our company respects and takes all necessary measures to protect the legal rights of data subjects concerning the implementation of the policy and the law.

2.6 Protection of Sensitive Personal Data

Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of an association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are sensitive personal data. Our company is aware of the fact that sensitive personal data is data that, if learned by others, could cause the data subject to be suffered or discriminated, and therefore takes the appropriate measures determined by the Board to protect such personal data, which is processed under the law, with precision. Within this framework, it has a separate policy (the Security Policy of Sensitive Personal Data) and a systematic procedure, clearly defined, manageable, and sustainable.

 

3.PROCESSING AND TRANSFER OF PERSONAL DATA

3.1 General Principles of Processing and Transfer of Personal Data

Personal data is processed by our company under the procedures and principles set out in the law, GDPR, and this policy. Our company complies with the following principles when processing personal data.

3.1.1 Conforming with the law and good faith

Our company processes and uses personal data under the relevant legislation and the requirements of good faith. Following the principle of compliance with the good faith, our Company considers the interests and reasonable expectations of data subjects when trying to achieve its objectives in data processing. It acts in a way that prevents the appearance of results that the data subject does not expect and does not need to expect. Under the policy, it also ensures that the data processing in question is transparent for the data subject and acts under the notifying and warning obligations.

3.1.2 Being accurate and if necessary, up to date

Our company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of those concerned. In this context, it considers carefully the issues such as certainty of sources from which data is obtained, confirmation of its accuracy, evaluation of whether it needs to be updated. Our company keeps channels open to ensure that information of the data subject is accurate and up-to-date at all times under the due diligence. Keeping personal data accurate and up-to-date is essential in protecting the interests of our company as well as in protecting the fundamental rights and freedoms of data subjects.

3.1.3 Being processed for specified, explicit, and legitimate purposes

Our company determines the purpose of data processing clearly and precisely and ensures that this purpose is legitimate. If the purpose is legitimate, it means that the personal data that our company processes is related to and necessary for the work it has performed or the service it has provided. Our company does not process data for other purposes other than those stated. In this respect, it is sensitive to compliance with the principle of certainty and clarity in legal transactions and texts in which personal data processing purposes are explained.

3.1.4 Being relevant, limited and proportionate to the purposes for which data are processed

Our company considers the personal data processed to be convenient for the achievement of the stated objectives and avoids the processing of data that is not relevant to the achievement of the purpose or that is not needed. Our company does not collect or process personal data for purposes that do not exist and are considered to occur later. It performs the processing conditions set out in the act as if it is the first time it has started processing data to fulfill the needs that are likely to arise later. It also limits the processed data to only what is needed to achieve the objective. Within the scope of the principle of proportionality, it establishes a reasonable balance between data processing and its intended purpose.

3.1.5 Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected

Our company complies with these conditions if there is a period stipulated in the relevant legislation to store the data; otherwise, it shall only store the personal data for the period required for the purpose for which it is processed. In the absence of a valid reason for further storage of personal data by our company, such data is deleted, destroyed or anonymized. The procedures for storing and destroying personal data are detailed in the Personal Data Storage and Destruction Policy of our company.

 

3.2 Conditions of Processing Personal Data

Our company does not process personal data without the explicit consent of the data subject. Personal data may only be processed in the event of one of the following conditions without the explicit consent of the data subject:

3.2.1 It is expressly permitted by any law

Our company may process personal data without seeking the explicit consent of the data subject, as expressly permitted by any law.

3.2.2 It is necessary to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent

Our company may process personal data without seeking explicit consent to protect the life or physical integrity of persons where they are physically or legally incapable of giving consent.

3.2.3 It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract

Our company is directly related to the execution or performance of a contract as parties of the contract to the processing of personal data is obligatory if due to the nature of life, seeking personal data without the explicit consent of the persons concerned for this purpose be limited to can handle. If the processing of personal data of the parties of a contract is necessary directly concerning the execution or performance of a contract, as a natural flow of life, our company may process the personal data of data subjects without explicit consent, limited to this purpose.

3.2.4 It is necessary for compliance with a legal obligation which the controller is subject to

Our company may process the personal data of the data subject without seeking explicit consent when it is necessary to fulfill its legal obligations as a data controller.

3.2.5 The relevant information is revealed to the public by the data subject herself/himself

Our company may process the personal data of data subjects, which is publicized by them, in other words, revealed to the public in any way, only for disclosure in case it is accepted that the legal interest that should be protected in the processing of such data, which is revealed to the public by data subjects and thus becomes known to all, has been eliminated.

3.2.6 It is necessary for the institution, usage, or protection of a right

Our company may process the personal data of data subjects without explicit consent where it is legally necessary to process data for the usage or protection of a legitimate right.

3.2.7 It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed

Our company may process the personal data of data subjects in cases where the processing of personal data is necessary to ensure the legitimate interests of d, without harming the fundamental rights and freedoms protected under the Law and Policy. Our company is sensitive to comply with the basic principles regarding the protection of personal data and to observe the balance of interests between our company and data subjects. Legitimate interest is an effective, specific, and already existing one that can compete with the fundamental rights and freedom of the data subject. Our company takes additional protective measures to prevent damage to the rights of the data subject. A reasonable balance is achieved between the interests of our company and the fundamental rights and freedoms of the data subject.

3.3 Conditions of Processing of Sensitive Personal Data

Our company does not process sensitive personal data without the explicit consent of the data subject. Sensitive personal data may only be processed in the event of one of the following conditions without the explicit consent of the data subject:

3.3.1 It is expressly permitted by any law

Sensitive personal data other than the health and sexual life of the data subject may be processed without the explicit consent of the data subject, where it is expressly permitted by law.

3.3.2 Planning and Management of Health Services and Financing for Public Health Protection, Preventive Medicine, Medical Diagnosis, Treatment and Care Services

Sensitive personal data relating to the health and sexual life of the data subject may be processed by persons under the obligation to keep secrets or by authorized institutions and organizations, for public health protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.4 Conditions of Transfer of Personal Data

Our company may transfer personal data to third parties based on one or more of the following personal data processing conditions under Article 8 of the law by taking the necessary security measures:

  • Having the explicit consent of the data subject,
  • Existence of a clear regulation regarding the transfer of personal data in the law,
  • Obligation of transfer of personal data for the protection of the life or physical integrity of the data subject or anyone else, and when the data subject is physically or legally incapable of giving consent, or his/her consent is not granted legal validity,
  • Requirement of processing the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract,
  • Obligation of the transfer of personal data for our company to fulfill its legal obligation,
  • Revelation of the relevant information to the public by the data subject herself/himself,
  • Obligation for the institution, usage, or protection of a right,
  • Obligation of the transfer of personal data for the legitimate interests of our company, provided that the fundamental rights and freedoms of the data subject are not harmed.

Sensitive personal data may be transferred based on one of the following conditions and provided that adequate measures are taken on a limited basis:

  • Having the explicit consent of the data subject,
  • In the case of sensitive personal data other than the health and sexual life of the data subject, the existence of a clear regulation in the law regarding the transfer of such data,
  • Sensitive personal data relating to the health and sexual life of the data subject may be processed by persons under the obligation to keep secrets or by authorized institutions and organizations, for public health protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.4.1  Conditions of Transfer of Personal Data Abroad

Our company may transfer personal data abroad with the explicit consent of the data subject under Article 9 of the law and Part V of the GDPR by taking the necessary security measures.

Besides, in case of the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the law, our company may transfer personal data without the explicit consent of the data subject only to foreign countries declared to have adequate protection by the Board or in the absence of adequate protection, to foreign countries where data controllers in Turkey and the relevant foreign country undertake adequate protection in written and have the permission of the Board without prejudice to the provisions of the International Convention to which Turkey is a party.

In cases where there is a transfer within the scope of GDPR, an adequacy decision to be issued by the Commission is required. If a transfer is to be made to a country for which no adequacy decision has been made, appropriate technical measures in GDPR Article 46 are taken.

 

4.PERSONAL DATA CATEGORIES AND DATA SUBJECTS

4.1 Personal Data Categories

Personal data is processed by our company by categorizing as follows:

Identity Data containing information about the identity of the data subject: first name, last name, ID number, marital status, parents names, place and date of birth, and other identifying information including driving license, ID card and passport copies, tax number, social security number, signature, etc.
Communication Contact details of data subjects: phone number, address, e-mail address, registered e-mail address, fax number, etc.
Personnel Information Information processed to obtain information that will be fundamental to the protection of personal rights of data subjects: CV, title information, certificate of employment/termination, social security/retirement information, payroll information, declaration of property, disciplinary proceeding, and performance evaluation reports, etc.
Legal Process Data processed within the scope of determination of the company’s legal claims and rights, prosecution, and performance of its debts and legal obligations: power of attorney, court and administrative authority decisions, correspondences with judicial authorities, information in case files, etc.
Safety of Physical Space Personal data relating to records and documents obtained when entering and inside physical spaces of the company: Entrance-Exit records, magnetic card records, security camera records, license plates, etc.
Finance Personal data processed concerning information, documents, and records showing the results of any financial relationship the company has established with data subjects and bank account information, credit information, balance sheet information, financial profile, assets and insurance information, etc.
Professional Experience Degree, transcript, education/course/certificate information, driving license information, foreign language information, reference information, etc. recorded during and afterward of recruitment of data subjects.
Visual and Auditory Information Photographs, camera, and voice records that can be received except the safety of physical space of data subjects, as well as other documents in which this data is transferred: photographs added to documents, video interview and meeting records, etc.
Family Members and Relatives Information It refers to the identity and contact details of the family members of the employees, authorized person of the company and shareholders.
SENSITIVE PERSONAL DATA
Health Health information of data subjects: examination information, bill of health, disability status, health permits, blood group etc.
Criminal Conviction and Security Measures Documents containing information on criminal conviction and security measures decisions about data subjects: criminal records.

 

4.2 Data Subjects

Only natural persons can benefit from the protection of this policy and the law. Data subjects in this scope are grouped as follows:

Potential Employee Natural persons who have applied to our company in any way or who have opened their CV and related information to our company’s review.
Shareholder Natural persons who are shareholders/partners of Cemdağ Aydınlatma San. Tic. A.Ş.
Authorized Person of the Company Natural persons who are authorized in Cemdağ Aydınlatma San. Tic. A.Ş.
Authorized Person of Customer Authorities of natural persons or legal persons such as dealers, distributors, sales points who deliver our company’s products to the end consumer within the scope of the contractual relationship.
Employee of Customer An identified or identifiable employee of natural persons or legal persons such as dealers, distributors, sales points who deliver our company’s products to the end consumer within the scope of the contractual relationship.
Potential Customer Natural persons who have requested or are interested in using our products and services, or who have been assessed by the custom of trade and good faith for which they may have such interest.
Service Provider Natural persons or legal persons who are not included in Customer, Subcontractor and Supplier groups but are independent of our company in which our company has a business relationship.
Authorized Person of Service Provider Authorities of natural persons or legal persons who are not included in Customer, Subcontractor and Supplier groups but are independent of our company in which our company has a business relationship.
Employee of Service Provider Employees of natural persons or legal persons who are not included in Customer, Subcontractor and Supplier groups but are independent of our company in which our company has a business relationship.
Authorized Person of Subcontractor Authorities of natural persons or legal persons with whom our company has established a relationship between the primary employer and the sub-contractor through a contract.
Employee of Subcontractor An identified/identifiable employee of natural persons or legal persons with whom our company has established a relationship between the primary employer and the sub-contractor through a contract.
Authorized Person of Supplier Authorities of natural persons or legal persons who provide input, raw materials or products to our company to provide a product or service.
Employee of Supplier An identified/identifiable employees of natural persons or legal persons who provide input, raw materials or products to our company to provide a product or service.
Family Members of Shareholder Family members of shareholder of Cemdağ Aydınlatma San. Tic A.Ş.
Third Parties  Other persons who are not covered by Cemdağ Aydınlatma San. Tic. A.Ş. Personal Data Protection and Processing Policy for Employees, which is prepared for company employees and by any other data subject groups in this Policy.
Visitor All-natural persons who have entered the physical spaces owned by our company for various purposes or who have visited our websites for any purpose.
Financial Consultant Natural person who keeps the books of our company following the generally accepted accounting principles and the provisions of the relevant legislation, prepares the balance sheet profit-loss statements and declarations and other documents and does similar work.
Supplier Natural persons with whom our company has established a relationship between the primary employer and the sub-contractor through a contract.
Board Members Members who are appointed with managing our company.
Supervisor A natural person who has the authority to supervise our company and does this duty.

 

5.METHOD OF COLLECTING PERSONAL DATA AND CAUSE OF ACTION

5.1 Method of Collecting Personal Data

Our company collects personal data for the purposes specified in Article 6.1 wholly or partly by automatic or non-automatic means; in all kinds of oral, written, electronic media; through, but not limited to, the following channels:

  • Job application forms,
  • Personnel information forms,
  • Various documents submitted to the company,
  • Mail and e-mails sent to the company,
  • Switchboards,
  • Corporate phones,
  • ERP programs,
  • Servers,
  • Relevant software,
  • Purchase-sale invoices,
  • Payroll calculation programs,
  • Health insurance policies,
  • Bill of health,
  • Security cameras,
  • Persons who work at the other departments, third parties (subcontractor companies), and data subjects.

5.2 Cause of Action

Our company collects personal data under Articles 5 and 6 of the law for one of the following cause of actions:

  • Explicit consent of the data subject,
  • Expressly permitted by any law,
  • Revelation of the information to the public by the data subject herself/himself,
  • Requirement of processing the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract,
  • Obligation of processing personal data for our company to fulfill its legal obligation,
  • Obligation of processing personal data for the institution, usage, or protection of a right,
  • Obligation of processing personal data for the legitimate interests of our company, provided that the fundamental rights and freedoms of the data subject are not harmed.

 

6.PROCESSING PURPOSES OF PERSONAL DATA

6.1 Matching Data Subject Groups with the Processing Purposes Related to Personal Data Categories

Matching data subject groups described above with their processing purposes for personal data categories is provided below: (Natural persons can only be included within one group.)

  • Potential Employee

Data Categories: Identity, Communication, Professional Experience, Family Members and Relatives Information, Safety of Physical Space

Processing Purposes: Managing the Selection and Recruitment of Potential Employee/Trainee/Student, Ensuring Security of Physical Space

 

  • Trainee

Data Categories: Identity, Communication, Personnel Information, Finance, Professional Experience, Visual and Auditory Information, Safety of Physical Space, Health

Processing Purposes: Conducting Emergency Activities, Managing the Selection and Recruitment of Potential Employee/Trainee/Student, Conducting Activities under the Legislation, Managing Finance and Accounting Process, Ensuring Security of Physical Space, Conducting Communication Activities, Planning Human Resources Process, Conducting/Supervising Business Activities, Conducting Occupational Health/Safety Activities, Managing Wages Policy, Giving Information to Authorized Persons, Institutions and Organizations

 

  • Shareholder

Data Categories: Identity

Processing Purposes: Conducting Management Activities

 

  • Authorized Person of the Company

Data Categories: Identity, Communication, Finance, Legal Process

Processing Purposes: Managing Finance and Accounting Process

 

  • Board Members

Data Categories: Identity, Communication, Legal Process, Finance, Visual and Auditory Information, Safety of Physical Space

Processing Purposes: Managing the Content and Loyalty Process of Employees, Conducting Activities under the Legislation, Managing Finance and Accounting Process, Ensuring Security of Physical Space, Managing and Pursuing Legal Affairs, Conducting Communication Activities, Receiving and Evaluating Suggestions for Improvement of Business Process, Managing Purchasing Process of Goods / Services, Managing Sale Process of Goods / Services, Managing Production and Operation Process of Goods / Services, Managing Organizations and Events, Managing Advertisement/Campaign/Promotion Process, Managing Contract Process, Managing Foreign Personnel’s Work and Residence Permit Process, Giving Information to Authorized Persons, Institutions and Organizations, Conducting Management Activities

 

  • Customer

Data Categories: Identity, Communication, Finance

Processing Purposes: Managing and Pursuing Legal Affairs

 

 Authorized Person of Customer

Data Categories: Identity, Communication, Finance, Visual and Auditory Information, Legal Process

Processing Purposes: Conducting Activities under the Legislation, Managing Finance and Accounting Process, Managing Purchasing Process of Goods / Services, Managing After Sales Support Process of Goods / Services, Managing Sale Process of Goods / Services, Managing Production and Operation Process of Goods / Services, Managing Advertisement/Campaign/Promotion Process, Managing Contract Process, Creating and Pursuing Visitor Records

 

  • Employee of Customer

Data Categories: Identity, Communication

Processing Purposes: Conducting Activities under the Legislation, Managing Finance and Accounting Process, Conducting Logistic Activities, Managing Sale Process of Goods / Services, Managing Production and Operation Process of Goods / Services, Creating and Pursuing Visitor Records

 

  • Potential Customer

Data Categories: Identity, Communication

Processing Purposes: Managing Sale Process of Goods / Services

 

 Authorized Person/Employee of Potential Customer

 Data Categories: Identity, Communication

Processing Purposes: Managing Finance and Accounting Process, Managing Purchase Process of Goods/Services, Managing Sale Process of Goods/Services, Managing Production and Operation Process of Goods/Services

 

  • Authorized Person of Service Provider

Data Categories: Identity, Communication

Processing Purposes: Conducting Logistic Activities, Managing Sale Process of Goods/Services, Ensuring the Security of Movable Property and Sources

 

  • Employee of Service Provider

Data Categories: Identity, Communication, Security of Physical Space

Processing Purposes: Ensuring Security of Physical Space, Conducting Logistic Activities, Managing Sale Process of Goods/Services, Ensuring the Security of Movable Property and Sources

 

  • Authorized Person of Subcontractor

Data Categories: Identity, Communication, Finance

Processing Purposes: Managing Finance and Accounting Process, Managing Purchase Process of Goods/Services

 

  • Employee of Subcontractor

Data Categories: Identity, Communication

Processing Purposes: Fulfilling Obligations Arising from Employment Contract and Legislation for Employees, Conducting Occupational Health/Safety Activities, Managing Purchase Process of Goods/Services, Managing Production and Operation Process of Goods/Services

 

 Supplier

Data Categories: Identity, Communication, Finance

Processing Purposes: Managing Finance and Accounting Process, Managing and Pursuing Legal Affairs

 

  • Authorized Person of Supplier

Data Categories: Identity, Communication, Finance, Visual and Auditory Information, Legal Process

Processing Purposes: Conducting Activities under the Legislation, Managing Finance and Accounting Process, Conducting/Supervising Business Activities, Managing Purchase Process of Goods/Services, Managing Production and Operation Process of Goods/Services, Managing Advertisement/Campaign/Promotion Process, Managing Contract Process, Managing Supply Chain Management Process

 

  • Employee of Supplier

Data Categories: Identity, Communication, Safety of Physical Space

Processing Purposes: Conducting Emergency Activities, Managing Information Security Process, Fulfilling Obligations Arising from Employment Contract and Legislation for Employees, Conducting Activities under the Legislation, Managing Finance and Accounting Process, Ensuring Security of Physical Space, Conducting/Supervising Business Activities, Conducting Occupational Health/Safety Activities, Managing Purchase Process of Goods/Services, Managing Sale Process of Goods/Services, Managing Supply Chain Management Process, Managing Wages Policy, Giving Information to Authorized Persons, Institutions and Organizations, Creating and Pursuing Visitor Records

 

  • Financial Consultant

 Data Categories: Identity, Communication

 Processing Purposes: Conducting Activities under the Legislation, Managing Finance and Accounting Process

 

  • Supervisor

 Data Categories: Identity, Communication

Processing Purposes: Conducting Audit/Ethical Activities, Managing Purchase Sale Process of Goods/Services

 

  • Family Members of Shareholder

 Data Categories: Identity

Processing Purposes: Conducting Management Activities

 

  • Visitor

 Data Categories: Identity, Communication, Safety of Physical Space

Processing Purposes: Managing Sale Process of Goods/Services, Creating and Pursuing Visitor Records, Ensuring Safety of Physical Space

 

  • Third Parties

Data Categories: Identity, Communication, Finance, Visual and Auditory Information

Processing Purposes: Managing the Selection and Recruitment Process of Potential Employee/Trainee/Student, Conducting Activities under the Legislation, Managing Finance and Accounting Process, Managing Advertisement/Campaign/Promotion Process, Managing Contract Process, Managing Foreign Personnel’s Work and Residence Permit Process, Giving Information to Authorized Persons, Institutions and Organizations, Conducting Management Activities

 

 Personal Data Processing Performed in Physical Spaces

To ensure security in our company’s buildings and facilities, entrances and exit are recorded and public areas are monitored with cameras. There is information about this in the areas where the camera is monitored.

 Under the law on the Regulation of Internet Publications and the Fight against Crimes Committed through These Publications and other legislation, records regarding internet access given in our company’s buildings and facilities are kept. These records may be shared with authorized public institutions and organizations upon request and may be used for the fulfillment of relevant legal obligations in supervision where necessary.

 

  • Personal Data Processing Performed on the Website

Traffic information of online visitors who visit our website is processed automatically to manage information security processes. On the other hand, under law No. 5651 and other legislation, hosting service providers are obliged to record and store website traffic information.

Detailed descriptions of personal data processed through the website are available on the relevant website.

 

  • Personal Data Processing Performed Through Communication Channels

Communication performed through the channels such as call center, mail, e-mail, etc. are supervised and recorded to conduct/supervise business activities and pursue demands/complaints.

Relevant persons are required to use these channels only in the context of their business activities.

 

7.PURPOSES OF TRANSFERRING PERSONAL DATA AND THE PERSONS/ENTITIES TO WHICH IT IS TRANSFERRED

7.1 Purposes of Transferring Personal Data

Our company transfers personal data under the conditions set out in Articles 8 and 9 of the law for the following purposes:

  • Conducting Emergency Activities,
  • Managing the Selection and Recruitment Process of Potential Employee/Trainee/Student,
  • Fulfilling Obligations Arising from Employment Contract and Legislation for Employees,
  • Conducting Activities under the Legislation,
  • Managing Finance and Accounting Process,
  • Managing and Pursuing Legal Affairs,
  • Conducting Communication Activities,
  • Conducting Occupational Health/Safety Activities,
  • Receiving and Evaluating Suggestions for Improvement of Business Process,
  • Conducting Business Continuity Activities,
  • Conducting Logistic Activities,
  • Managing Purchase Process of Goods/Services,
  • Managing After Sales Support Process of Goods/Services,
  • Managing Sale Process of Goods/Services,
  • Managing Production and Operation Process of Goods/Services,
  • Managing Organizations and Events,
  • Managing Advertisement/Campaign/Promotion Process,
  • Managing Contract Process,
  • Managing Wages Policy
  • Managing Foreign Personnel’s Work and Residence Permit Process,
  • Giving Information to Authorized Persons, Institutions and Organizations,
  • Conducting Management Activities

 

7.2 The Persons/Entities to which Personal Data is Transferred

Our company may transfer personal data to the following persons and organizations, limited to data categories and data required for transfer:

  • Natural Persons or Private Legal Entities,
  • Business Partners,
  • Suppliers,
  • Authorized Public Institutions and Organizations

(TAX OFFICE, TRADE REGISTRY, NOTARY, BANKS, CUSTOMERS, SUPPLIERS, SOCIAL SECURITY INSTITUTION(SSI), CONSULATES, AD AGENCIES, REVENUE ADMINISTRATION, MUNICIPALITY, SODEXO, CHAMBERS, CARRIERS, ON-SITE DOCTOR)

8.DESTRUCTION AND STORAGE PERIODS OF PERSONAL DATA

8.1 Destruction of Personal Data

Without prejudice to the provisions of other laws relating to the destruction of personal data, our company deletes, destroys or anonymizes personal data processed under this law and other provisions of the law at the request of the relevant person, according to Personal Data Storage and Destruction Policy, if the reasons for processing are eliminated.

The deletion of personal data refers to the process of making personal data inaccessible and unusable for the users concerned in any way.

Destruction of personal data refers to the process of making personal data inaccessible, non-refundable, and non-reusable by anyone.

Anonymization of personal data refers to the process of making personal data impossible to relate to a natural person whose identity is certain or identifiable under any circumstances, even if it is matched with other data by techniques such as masking, variable extraction, generalization, etc.

8.2 Storage Periods of Personal Data

Our company stores personal data following the periods prescribed by law and other legislation. If there is no storage period prescribed in the laws and other legislation, personal data is stored under our company’s Personal Data Storage and Destruction Policy for the required time to achieve the purpose of processing that personal data, then it is deleted, destroyed or anonymized within the framework of periodic destruction periods.

9.DISCLOSURE OF DATA SUBJECT AND HIS/HER RIGHTS UNDER THE LAW OF KVK

9.1 Disclosure of Data Subject

Under Article 10 of the KVK law, our company provides information about the persons involved in obtaining personal data. In this context, it clarifies the identity of the company representative, the purpose for which the personal data will be processed, to whom and for what purpose the processed data may be transferred, the method of collection and cause of action of personal data, and the rights of the data subject.

9.2 The Cases in which the Policy and the Law shall not be Applied Wholly or Partly

The provisions of this Policy and Law shall not apply in the following cases:

  • Processing of personal data by natural persons entirely within the scope of activities related to him/her or his/her family members living in the same residence, provided that it is not given to third parties and that data security obligations are complied with,
  • Processing of personal data for purposes such as research, planning and statistics by anonymized with official statistics,
  • Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, right to privacy or personal rights or not constitute a crime,
  • Processing of personal data within the scope of preventive, protective and intelligence activities conducted by public institutions and organizations mandated and authorized by law to ensure national defense, national security, public security, public order or economic security,
  • Processing of personal data by judicial or executive authorities concerning investigations, prosecutions, trials, or executions.

Under and proportionate to the purpose and basic principles of this Policy and Law, Article 10 regulating the disclosure obligation of the data controller, Article 11 regulating the rights of the relevant person, except the right to claim damages, and Article 16 regulating the obligation to Registry of Data Controllers shall not apply in the following cases:

  • Requirement of personal data processing to prevent or investigate a crime,
  • Processing of personal data revealed to the public by the data subject,
  • Requirement of personal data processing for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized institutions and organizations and professional organizations of the nature of public institutions, based on the authority given by the law,
  • Requirement of personal data processing to protect the economic and financial interests of the Government concerning budget, tax, and fiscal matters.

9.3 Rights of the Data Subject under the Law of KVK

Under Article 10 of the law, our company informs data subjects about their rights, provides guidance on how to exercise these rights, and performs the necessary internal procedures, administrative and technical arrangements for all these. According to the Article 11 of the Law, data subjects have the right to;

  • Learn whether their data is processed,
  • Request related information if their data is processed,
  • Learn the purposes for processing personal data and whether it is used accordingly,
  • Know the third parties to whom their data is transferred domestically or abroad,
  • Request the rectification of their data if it is processed incompletely or improperly,
  • Request the deletion or destruction of personal data under the Article 7 of the law,
  • Request the third parties who received personal data of the data subject to be notified about the transactions made (rectification and destruction) under Article 11 (d) and (e) of the law,
  • Object to the outcome against the persons themselves by analyzing the processed data exclusively through automated systems,
  • Claim for damages if personal data is damaged due to illegal processing.

Requests and applications regarding the enforcement of the law can be submitted in person or can be sent via notary to the address “Atatürk OSB Mahallesi 10007 Sokak No:4 Çiğli/İZMİR” by filling out the application form on our website (www.cemdag.com.tr). They can also be sent via registered electronic mail address (cemdag@hs02.kep.tr), or using a secure electronic signature or mobile signature.

Requests and applications can also be sent to the address cemdagkvk@cemdag.com if there is an e-mail previously notified to our company by the data subject and registered in the company’s system.

The following information is obligatory in requests and applications:

  • First name, last name, and signature if the application is in writing,
  • Turkish National Identity Number for citizens of the Republic of Turkey, nationality, and passport number (national identification number if applicable) for other nationalities.
  • Permanent address or business address based for notifications,
  • E-mail address, phone and fax number if applicable to the notification,
  • Subject

Information and related documents should be attached to the application.

Our company shall respond to the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However; if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

Our company may accept the request or reject it by explaining the reason and informs the data subject in written or electronically. If the request in the application is accepted, our company shall fulfill the requirements as soon as possible and inform the data subject. If the application is caused by the error of our company, the fee shall be refunded to the data subject.

If the application is rejected, the response is insufficient or the application is not responded in due time, the data subject has the right to make a complaint to the Board within thirty days from the date of receipt and, in any case, within sixty days from the date of application.

Print Friendly, PDF & Email