ROTAKİM ANALİZ HİZMETLERİ VE TEKNİK CİHAZLAR TİC. LTD. STI. INFORMATION ABOUT THE LAW ON THE PROTECTION OF PERSONAL DATA

In this contract, Rotakim Analiz Hizmetleri ve Teknik Cihazlar Tic. Ltd. Sti. will be called “ROTAKİM” for short. In accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”), your personal data may be processed by Rotakim, in its capacity as Data Controller, within the framework explained below.

Purposes and legal reasons for processing personal data: Your Personal Data is processed in a limited, measured and necessary manner for specific, clear and legitimate purposes in accordance with the law and in good faith. In order to issue invoices for the goods and services you receive within the framework of the Tax Procedure Law, to inform you about advertising, promotions and campaigns via electronic messages within the framework of the Law on the Regulation of Electronic Commerce, and to provide you with better quality products and services, your shopping details are processed within legal limits for the reasons required by the relevant legislation and company operations.

Transferring Personal Data:

Your Personal Data may be transferred to the administrative and official authorities to which it must legally be transferred. Due to legal obligations and within the framework of legal limits, your personal data may also be transferred to our group companies, to our domestic or international business partners from whom we receive services and with whom we cooperate to carry out our activities, and to domestic and foreign third parties from whom service is received.

Collection Method of Your Personal Data:

Since you are a store customer, your personal data is provided by you and stored in accordance with the relevant legislation in order to keep accounting records, create a shopping history and provide services in accordance with your requests.

Your rights pursuant to Article 11 of the KVKK: by applying to us, you have the following rights regarding your personal data:

  1. Learning whether it has been processed or not,
  2. Requesting information if it has been processed,
  3. Learning the purpose of processing and whether it is used in accordance with its purpose,
  4. Knowing the third parties to whom it was transferred in the country/abroad,
  5. Requesting correction if it is incomplete or incorrectly processed,
  6. Requesting deletion / destruction within the framework of the conditions stipulated in Article 7 of the KVKK,
  7. Requesting notification of the transactions made in accordance with subparagraphs (d) and (e) above to the third parties to whom it has been transferred,
  8. Objecting to the emergence of a result against you due to analysis exclusively by automated systems,
  9. Demanding compensation for the damage if you suffer damage due to unlawful processing.

To exercise your rights:

Complaints made by Data Owners, whose personal data are processed by Rotakim Companies, will be answered and finalized by Rotakim Companies as soon as possible and within 30 days at the latest.

The Data Owner may submit requests and complaints to the Rotakim KVK Committee of the relevant Rotakim Company in person, provided that identity checks are made; by proxy, provided that a notarized power of attorney is submitted; through a notary public; or via a registered e-mail address, provided that a secure electronic signature is used. KVKK applications can also be made at https://www.rotakim.com/.

INTRODUCTION

This Policy refers to the administrative structure, processes and procedures to be adopted and internalized by Rotakim and its subsidiaries for the protection and legal processing of personal data.

The purpose of this Policy is to internalize the processing and keeping of personal data in accordance with the Law on the Protection of Personal Data No. 6698, by taking the necessary technical and administrative measures regarding the security and protection of personal data, and to ensure compliance with the Law by creating the necessary awareness among employees and all business partners.

Rotakim Companies are under the responsibility of ensuring that reasonable steps are taken both internally and, as far as possible, by third parties who process the data provided by Rotakim Companies, in order to handle personal data in accordance with legal requirements and ensure compliance during their business and transactions. Being aware of this responsibility, Rotakim takes competent administrative and legal opinions on this issue and takes the necessary steps to protect data safely beyond the requirements of the Law. In this context, it has also carried out detailed analysis studies on its current practices and, within the framework of the analysis results, all kinds of administrative and technical processes have been initiated in order to align all its processes with the Law and all international regulations on the protection of personal data. Many steps stated in this Policy reflect the system currently being implemented within Rotakim Companies and the requirements of the Law are currently fulfilled by Rotakim Companies. Rotakim sees the harmonization work it has initiated regarding the Law and the protection of personal data as an opportunity to improve its business process in order to determine and implement the highest-level standards regarding the protection of personal data.

This Policy has been prepared to ensure that personal data held by Rotakim Companies and belonging to their employees, customers, suppliers and all other individuals are processed in accordance with the law, that all relevant legal requirements, including the requirements stipulated under the Law and its amendments, are complied with, and that all necessary steps are taken so that Rotakim Companies’ internal procedures are periodically audited to ensure integrity and compliance with the law.

Rotakim Companies will act in full compliance with this Policy, and all Rotakim Companies will be audited in accordance with this Policy and the continuity of compliance and internalization for each member of the Rotakim family will be ensured.

DEFINITIONS

Data: Refers to information that is stored electronically on a computer or some paper-based filing system.

Personal Data: It means all kinds of information related to an identified or identifiable natural person. Through their websites, Rotakim Companies may collect data generally called “web registration information” (information about users’ internet browsers, mobile devices, operating system, the pages they visit, the other internet pages from which they reach these pages, the date and time of the visit to the relevant website, specific pages visited and more) in order to understand customer preferences, provide better service and for similar purposes, and may use cookies when pages on the website are visited. In this context, cookies and web registration information will also be subject to this Policy if Personal Data is obtained through them, or if the data collected in this way points to a specific person when processed together.

Special Quality / Sensitive Personal Data: Refers to data relating to race, ethnic origin, political opinions, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and to biometric data. Sensitive data can only be processed under stringent conditions, and processing often requires the explicit consent of the data subject.

Data Subject or Owner: Refers to all natural persons, including employees, whose personal data are processed by Rotakim. The data owner does not have to be a Turkish citizen or reside in Turkey. All data owners have legal rights regarding their personal data.

Data Controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. These persons have responsibilities to set practices and principles in accordance with the Law. The data controller for all personal data used in Rotakim’s business processes is the relevant Rotakim Company and Rotakim.

Data Processor: Any person who processes data on behalf of and under the authority given by a data controller. Employees of the data controller are excluded from this definition, but if applicable, suppliers, business partners and other third parties that process personal data on behalf of Rotakim can be included in this definition.

Data Processing / Processing: It covers all kinds of activities related to data usage. It includes obtaining, recording or keeping the data, or any or a set of operations carried out on the data, including editing, changing, retrieving, using, disclosing, deleting or destroying the data. Transferring data to third parties also means processing the data.

A.    PURPOSE OF THE POLICY

The purpose of this Policy is to ensure that the regulations required for compliance with the Law by Rotakim Companies are adopted within each Rotakim Company, the policies to be implemented are regulated and a union is formed among the subsidiaries. In this context, the Policy aims to determine the basic rules and principles regarding how the rules set by the Law and related legislation are/will be implemented by Rotakim Companies and applicable to all business units.

Rotakim Companies will make all their internal processes comply with the Policy. They will make the necessary arrangements for compliance with the Policy and will ensure the continuity of compliance by operating audit mechanisms on compliance with the Policy at certain intervals. They will confirm the compliance of all their employees with the Policy and ensure that all relevant parties are informed about changes. In-company trainings will be organized in order to adapt to the changing and renewed processes as soon as possible, and Rotakim Companies will be responsible for the execution of the whole process in accordance with the Law with respect to all employees.

With this Policy, Rotakim Companies internalize the processing and keeping of Personal Data in compliance with the Law, by establishing the necessary administrative structure, processes and procedures within the scope of the Law and related legislation, and taking the necessary technical and administrative measures for the security and protection of Personal Data. It is aimed to create the necessary awareness among business partners and to comply with the Law.

A.    PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

One of the important issues for Rotakim is the processing of Personal Data in accordance with the general principles stipulated in the Law and relevant legislation. In this context, Personal Data processed by Rotakim Companies is subject to the following principles:

a)       It must be processed lawfully and in good faith:

–       The purpose of this policy is not to prevent the processing of Personal Data, but to ensure that the processing of Personal Data is done in accordance with the rules of honesty and law, and in a way that does not adversely affect the rights of the Data Owner.

–       The Data Owner should be told who the Data Controller is, for what purpose the data will be processed by Rotakim, the identity of the persons to whom the data can be disclosed or transferred, and the rights of this data owner.

–       In order for Personal Data to be processed in accordance with the law, certain conditions must be met. These may include, inter alia, requirements such as the Data Owner’s consent to the processing of his Personal Data or the processing being necessary within the legitimate interest of the Data Controller or the third party to whom the data is disclosed. In some cases, it may be necessary for the Data Owner to give explicit consent to the processing of the relevant data.

–       Personal Data will be processed without the explicit consent of the Data Owner only in the presence of one of the following cases: the processing is expressly prescribed by law; it is compulsory for the protection of the life or physical integrity of the person or of another person, where the person is unable to express consent due to actual impossibility or their consent is not legally valid; it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract; the processing is mandatory for the data controller to fulfill its legal obligation; the processed data has been made public by the person concerned; the processing is necessary for the establishment, exercise or protection of a right; or the processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. However, even within the scope of these limited exceptions, Data Subjects will be informed in a way that covers the Disclosure Obligation stipulated in Article 16 of the Law; with this information, it will be confirmed that the Personal Data will be processed by Rotakim Companies in accordance with the Law, relevant legislation and this Policy.

–       In this context, Rotakim will establish the necessary processes for compliance with the regulations in the Law.

b)       It must be processed for specific, explicit and legitimate purposes:

–       Personal Data may be processed within the framework of certain purposes notified to the Data Owner at the time the data was first collected, or for any other purpose specifically permitted by the Law. This means that Personal Data cannot be collected for a specific purpose and subsequently used for any other purpose. If it becomes necessary to change the purpose of processing the Personal Data, the data subject must be informed of the new processing purpose before the Personal Data is processed.

c)       It should be processed in a limited, measured and purposeful manner:

–       Personal data should only be collected to the extent required by the specific purpose notified to the Data Owner. Any data not required for this purpose should not be collected. All employees should refrain from receiving unnecessary personal data. Contracts with suppliers/third parties should also include mechanisms to enforce this rule.

d)       It should be accurate and up-to-date where necessary:

–       Opportunities should be provided for Data Owners to update their data and Data Owners should be informed about these opportunities. During the collection of personal data, Data Owners should be informed about the update processes. Employees should also confirm the up-to-dateness of the data at regular intervals, and all data that is out of date or that is not useful to be processed should be deleted or anonymized if it is not possible to update it.

e)       It should not be kept, stored and archived longer than the period stipulated in accordance with the relevant legislation or the period required by the purpose of data collection:

–       Personal Data should not be kept longer than is required for the purpose. In other words, when the processing of personal data is no longer necessary, personal data should be destroyed or deleted from Rotakim systems or anonymized. Personal Data should not be stored and archived on the assumption that it may need to be used in the future.

–       Each business unit should evaluate the period required for processing the different types of Personal Data and determine in writing how long the required period is. This period must not exceed the period for which the business unit needs to retain the data for the purpose of the processing.

–       See (E) regarding the policies regarding storage, deletion, destruction and anonymization of Personal Data.

f)       It must be processed in accordance with the rights of the Data Owner:

–       Please refer to the heading (C) regarding the rights of the Data Owner and the legal remedies.

g)        It should be kept safe:

–       For the details of Rotakim’s policies regarding Data Security, please see the (D) heading.

h)       It should not be transferred to individuals or organizations located in countries that do not have adequate protection:

–       Personal Data is not transferred abroad by Rotakim Companies. Even servers owned by third parties, where Personal Data are kept for archiving purposes, are located in Turkey and in the current situation, the data cannot be transferred abroad.

–       However, if it is decided to transfer the Personal Data abroad or to keep it on servers abroad as per the Company policies, it will only be transferred abroad in accordance with the provisions of the KVKK and within the framework of the rules to be determined by the Personal Data Protection Board (“Board”).

–       See the (D) heading on the transfer of Personal Data to third parties.

B.    THE RIGHTS OF PERSONAL DATA OWNER

Under Article 11 of the Law, Personal Data Owners have the following rights:

  1. Learning whether the Personal Data is processed or not,
  2. If Personal Data has been processed, requesting information about it,
  3. Learning the purpose of processing Personal Data and whether the data is used in accordance with the purpose,
  4. Learning the third parties to whom Personal Data is transferred,
  5. Requesting correction of Personal Data if it is incomplete or incorrectly processed, and requesting that this be notified to the third parties to whom the Personal Data has been transferred, and
  6. Demanding compensation in case of loss due to unlawful processing of Personal Data.

Upon the request of the Data Owner, Rotakim Companies will take action as soon as possible to fulfill these rights, and detailed information will be given to the Data Owner on the procedure regarding their requests.

C.    SECURITY OF PERSONAL DATA

Rotakim Companies are obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of Personal Data, to prevent unlawful access to Personal Data and to ensure the preservation of Personal Data.

Rotakim must ensure that appropriate security measures are taken against unlawful or unauthorized Personal Data processing or accidental loss or damage to Personal Data. In case of such damages, Data Owners will be able to claim compensation through litigation.

The law obliges Rotakim to take some administrative and technical measures in order to ensure the security of Personal Data from the moment of collection to the moment of destruction.

Ensuring data security means ensuring the confidentiality, integrity and accessibility of personal data, as defined below.

  1. Confidentiality means that only persons authorized to use the data have access to the data.
  2. Integrity means that personal data is correct and suitable for the purpose of processing.
  3. Accessibility means that authorized users can access data if they need it for the purpose for which they are authorized.

Security procedures regarding Personal Data will be implemented in consultation with the Information Technologies (“IT”) unit within Rotakim, which is technically competent regarding data security. In accordance with the current practices of Rotakim Companies, the access rights of each business unit will be limited as necessary in terms of the relevant business unit. Relevant restrictions are currently implemented by Rotakim Companies and these restrictions will be reviewed at regular intervals and access to Personal Data will only be possible to the extent necessary.

All employees of Rotakim Companies will be informed and trained within the framework of the procedures to be determined regarding data security. In this context, passwords for the systems that require a password to access Personal Data will not be disclosed to any third party or unauthorized employee. Users authorized to access Personal Data will ensure, if applicable, that confidential information is not shown to passers-by on their individual screens and that they log off from their computer when they are not at their screens.

Necessary technical measures are already taken for the security of all data, including Personal Data held by Rotakim Companies. The existing security systems, virus protection programs and protection systems for messages will be periodically audited by Rotakim Companies and the most up-to-date versions of all these systems will be put into effect. In this regard, technological developments will be followed and a technical team and system will be allocated to respond as soon as possible to the risks that may arise.

In addition to the above, in the event that processed Personal Data is obtained by others illegally and/or there is any risk regarding the security of Personal Data, all Rotakim employees will immediately inform the [Rotakim KVK Committee] unit so that the necessary measures are coordinated and, if applicable, the situation is reported to the relevant Data Owner and the Board as soon as possible.

If applicable, contracts made with existing third parties to whom Personal Data are transferred in accordance with the law are being amended so that, in addition to the current confidentiality obligations, the persons to whom Personal Data are transferred will take the necessary security measures for the protection of Personal Data and ensure that these measures are complied with in their own businesses/institutions/organizations. No Personal Data will be transferred under any circumstances to third parties who do not provide the security measures required by Rotakim and do not fulfill the requirements of the Law regarding the confidentiality, integrity and access of data.

D.    TRANSFERRING PERSONAL DATA TO THIRD PARTIES

The transfer of Personal Data to third parties in the country is carried out in accordance with the conditions stipulated by the Law, to the extent required for the purposes of processing the Personal Data and the performance of the contracts concluded with the Data Owners and to the extent required by the legitimate interests of the Company. Data is not transferred for any purpose other than the processing of Personal Data. However, although the Processing is evaluated within the scope of the exceptions that require consent, the express consent of the relevant Data Owner will be obtained in order to transfer the Personal Data of the new Data Owners to be obtained between the Rotakim Companies themselves and to the business partners who take the security measures required by Rotakim. In the selection of business partners, Rotakim Companies will make a preliminary examination on matters related to the confidentiality of personal data and will ensure that provisions that will satisfy the requirements of the Law regarding the security and confidentiality of Personal Data are included in the contracts it will make with them.

Personal Data is not transferred abroad by Rotakim Companies. Even servers owned by third parties, where Personal Data are kept for archiving purposes, are located in Turkey and in the current situation, the data cannot be transferred abroad. However, if it is decided to transfer the Personal Data abroad or to keep it on servers abroad, as per the Company policies, the explicit consent of the Data Subject will be obtained by the relevant Rotakim Company, if not, and as a rule, the data will not be transferred to a country other than the countries where there is sufficient protection to be determined by the Board. Personal Data, if applicable, may also be transferred to foreign countries where there is no adequate protection, provided that Rotakim and the natural and/or legal person who will be the data controller in the relevant country undertake in writing that there is sufficient protection and that the Board’s permission is obtained for data transfer.

In this context, the necessary processes will be designed by Rotakim to act in accordance with the regulations stipulated in Articles 8 and 9 of the Law. Data Owners who approve this Policy expressly consent, subject to the matters specified in this Policy, to their Personal Data being shared, limited to the purposes required for the processing of their Personal Data and to the archiving purpose, between Rotakim Companies and/or with third-party business partners, public/private institutions and organizations from which service/support/consultancy is received or with which Rotakim cooperates or becomes a project/program/financing partner, suppliers, shareholders, company officials, banks, funds, companies and other third parties or organizations. This is without prejudice to the exception that Personal Data can be transferred in cases where a document is requested within the framework of the rights of public institutions and organizations regulated in the relevant legislation, including laws, judicial decisions and administrative decisions.

In order to carry out the activities of Rotakim Companies in accordance with the principles, operations, processes, goals and strategies of our group of companies, and to protect Rotakim’s rights, interests and reputation, personal data can be processed, if deemed necessary, by Rotakim Companies or their business partners and by the controlling company of our group within its legitimate interests. This will not mean that Personal Data is processed in violation of the Law, and all Rotakim Companies manage their processes in a way that will comply with the Law at the highest level. Rotakim Companies will fulfill the obligation to inform all Data Subjects regarding this situation and shall obtain the written consent of the Data Subjects regarding the data transfer.

E.    PROCEDURES FOR DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA

Procedure for Deletion and Destruction of Personal Data

Rotakim Companies will delete or destroy Personal Data ex officio or upon the request of the person concerned, provided that the minimum retention periods stipulated in the relevant law and legislation are complied with, in the event that the reasons requiring its processing in accordance with the Law disappear. The techniques used during erasure or destruction are:

1-     Physical Destruction

Personal data can also be processed in non-automatic ways, provided that it is part of any data recording system. While such data is being deleted/destroyed, a system of physical destruction of personal data is applied so that it cannot be used later.

2-     Secure Deletion from Software

While deleting/destroying data that is processed by fully or partially automated means and stored in digital media, methods are used to delete the data from the relevant software in a way that it cannot be recovered.

Procedure for Anonymizing Personal Data 

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. The procedures used for anonymization are:

1.     Masking: Data masking is a method of anonymizing personal data by removing the basic identifying information of the personal data from the data set.

2.     Aggregation: With the data aggregation method, many data are aggregated and personal data is rendered unrelated to any person.

3.     Data Derivation: With the data derivation method, a more general content than the content of the personal data is created and it is ensured that the personal data cannot be associated with any person.

4.     Data Shuffling, Permutation: With the data shuffling method, the values in the personal data set are mixed and the link between the values and individuals is broken.

Minimum periods for deletion, destruction and anonymization of Personal Data will be determined by the business unit processing the relevant Personal Data, and the systems of all Rotakim Companies will be adapted to these processes. In the event that a decision is taken in accordance with the Personal Data processing purposes of Rotakim Companies regarding data retention longer than legal obligations, the Data Subjects will be informed separately about this decision and how long their Personal Data will be processed. In any case, Rotakim Companies must comply with the procedures regarding the storage of Personal Data and the disclosure obligation regarding the purposes of data processing.

Requests for deletion, destruction or anonymization from Data Subjects prior to the expiry of these periods regarding the minimum periods for storage in accordance with the relevant law and legislation will be rejected, provided that the relevant legal obligations are explained.

If a period of time is not regulated in the legislation regarding the storage of personal data, Personal Data is processed for a period of time to be determined by Rotakim in accordance with the data processing purpose, as required by the current business conduct, procedures and practices and the practices of commercial life; it is then deleted, destroyed or anonymized. Even if the processing purpose of personal data has ceased and the periods determined by the relevant legislation and Rotakim Companies have expired, personal data can be archived in order to constitute evidence in possible legal disputes, to assert the relevant right related to the personal data or to establish a defense, provided that it is not processed again as usual (without confirming and providing up-to-dateness). While the statute of limitations is taken into account in the determination of archiving periods, it may be possible to determine periods exceeding the statute of limitations in the light of the Rotakim Companies’ own experiences and previous requests regarding similar data groups. In these cases, personal data will not be accessed for any purpose other than the resolution of legal disputes (without confirming and obtaining a new express consent regarding their up-to-dateness and processing). At the end of the periods to be determined for archiving, even the data that is decided to be archived will be deleted, destroyed and anonymized.

The main Personal Data processed by Rotakim Companies and the main processing purposes of this data are as follows:

 Real Person Customer Data Although not valid for every Rotakim Company, real person customers’ name, surname, address, e-mail, mobile phone, home phone, work phone, date of birth, T.R. ID number, gender, loyalty card number, parent type, marital status, occupation, date of marriage, spouse’s name, spouse’s date of birth, education level, school name, number of children, membership associations, media followed, social media, phone brand, Personal Data such as team, car brand, most frequently visited website, domestic travel preference, foreign travel preference, body size, shoe size and similar personal data can be processed.

Although the Personal Data in question does not cover every Personal Data processed, creating a sales history, creating an invoice, issuing an invoice, defining the loyalty card to the membership account, sending the loyalty card or printed communication materials, delivering the product, sending e-invoices, sending newsletters, marketing communication Processing is limited to making customer analysis, increasing customer loyalty, making special production and similar purposes.

Data on Personnel and Signatory Authorities of Corporate Customers, Suppliers and Service Providers Although it is not valid for every Rotakim Company, the name, surname, personnel registration number, personnel t.c. identification number, personnel height, personnel weight, personnel gender, personnel size; Name, surname, e-mail, T.C. of the person authorized to sign. ID number, bank information, other information about individual companies and similar Personal Data can be processed.

Although the Personal Data in question does not cover every Personal Data processed, it is processed only for analyzing, making sales, creating a sales history, creating an invoice, issuing an invoice, delivering the product, sending an e-invoice, sending a newsletter, making marketing communication, making customer analysis, opening a current account, reconciling, receiving project-based government incentives and similar purposes. Data processed by Rotakim Companies may also be transferred to these persons, and the transfer procedures are regulated under the heading (E) of this Policy.

Potential Customer Data

Although not valid for every Rotakim Company, Personal Data regarding potential customers of Rotakim Companies, such as name, surname, e-mail, gender, mobile phone, date of birth, home address, work address, size, date of marriage and similar personal data, can be processed.

The Personal Data in question does not cover every Personal Data processed, but is limited to sending gifts, sending loyalty cards, sending event invitations, sending newsletters, making marketing communications, making analysis, informing about new products and similar purposes.

Data regarding potential customers are data obtained with the consent of the relevant potential customer for the transfer of the relevant data to third parties, provided that Rotakim Companies are informed that their data can be processed within the framework of the above-mentioned purposes in order to transfer the said data. In the first communication with potential customers, the potential customer will be informed, within the scope of the obligation to inform, about this Policy and the data processed within this scope, and the Personal Data in question will be immediately deleted, destroyed and anonymized upon objection / complaint. If a customer relationship is established with a potential customer, the data processed within this scope will also be subject to the procedures regarding customer data.

Employee Data

Although not valid for every Rotakim Company, the following Personal Data regarding the employees of Rotakim Companies can be processed: name, surname, place of birth, date of birth, mobile phone, e-mail, residence address, status of residence, age of the structure of residence, gender, salary, marital status, spouse’s name, spouse’s surname, spouse’s job status, status of children residing with the taxpayer or being cared for by the taxpayer, number of children, registration number, T.R. ID number, social security number, shoe number, photo, name and surname of the person to be contacted in an emergency, degree of proximity of the person to be contacted in an emergency, mobile phone number of the person to be contacted in an emergency, education information, curriculum vitae information, residence certificate, copy of identity card, diploma, employment document, criminal record, blood type, military service certificate, health report, insurance service record, SGK declaration record, employment contract, transcript, reference letter, job fit questionnaire, performance forms, exit interview form, excused leave form, annual leave form, job descriptions and similar Personal Data.

Sensitive Personal Data of employees, including health data, can also be processed by the Human Resources business unit to the extent required by the legislation. Please refer to the heading (G) on the processing of Sensitive Personal Data. In addition, some health data can be processed by workplace physicians and occupational safety specialists. Health data processed by Human Resources and the workplace physician are processed in accordance with the Regulation on the Processing and Privacy of Personal Data published in the Official Gazette dated October 20, 2016 and numbered 29863 and are not shared with any business unit, including the relevant units. Access to such data is limited at the highest level. For archiving purposes of this data group, shares with third parties will be protected by encryption systems, and no person will have access to health data other than the relevant units, including the archive company. Related contracts with third parties will be revised to confirm this issue. The data processed by the workplace doctor is not shared with any third party, even for archiving purposes. The relevant health data will be transferred by the workplace physician to the Central Health Data System at the Ministry of Health within the framework of the standards to be determined by the Ministry of Health in accordance with the Regulation on the Processing and Privacy of Personal Health Data.

The Personal Data in question does not cover every Personal Data processed, but is processed with the consent of the employees, limited to opening a personnel record, measuring performance in the workshops, paying the personnel salary, getting government incentives for the project, recording the entry and exit times, updating information, making the insurance notification of the employee, analyzing the employee’s performance, evaluation, exit evaluation, obtaining permission, operating an advance request and similar purposes.

Employee data and the personal files of employees are stored and processed by the common Human Resources unit within Rotakim Holding Anonim Şirketi, on behalf of all Rotakim Companies. Upon acceptance of this Policy, all employees consent, limited to the data processed by the Human Resources unit, to the processing of their Personal Data by the Human Resources unit of a Rotakim Company other than the Rotakim Company in which their Personal Data is registered in the current system and on whose payroll they are.

Candidate Employee Data

Although not valid for every Rotakim Company, the following Personal Data regarding candidates applying to work in Rotakim Companies can be processed: name, surname, mother’s name, father’s name, gender, place of birth, date of birth, military service status, marital status, spouse’s name, spouse’s surname, number of children, residence address, home phone, work phone, mobile phone, e-mail, name and surname of the person to be contacted in an emergency, degree of proximity of the person to be contacted in an emergency, mobile phone of the person to be contacted in an emergency, home phone of the person to be contacted in an emergency, work phone of the person to be contacted in an emergency, resume information, education information, foreign language level, internships, courses and seminars attended, work experience, personal information, the name of the reference person, the surname of the reference person, the place / duty of the reference person, the mobile phone of the reference person and similar Personal Data.

The Personal Data in question does not cover every Personal Data processed, but is limited to recruiting suitable employee candidates. With the establishment of the service contract relationship, the data processed within this scope will also be subject to the procedures and processes regarding employee data.

Data on Payment Instruments

Although not valid for every Rotakim Company, the name and surname of the cardholder, the T.R. ID number, bank name and card type, credit card information and similar Personal Data can be processed.

These Personal Data are processed for payment purposes only. Necessary measures are taken to ensure the security of this data, and access to this data will be limited to authorized personnel only. Existing practices that prevent the re-use of the data in any other way (deletion of the security code after use, etc.) and more advanced procedures, if available, will be implemented and updated as necessary.

Complaint Data

Although not valid for every Rotakim Company, in accordance with the Consumer Protection Law No. 6502, the name, surname, gender, e-mail, mobile phone, home phone, date of birth, address, size, T.R. ID number and similar Personal Data can be processed.

The said Personal Data is processed for the purposes of fulfilling the requirements of incoming complaints and requests, making analysis and similar purposes.

 

 

F. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

Within Rotakim Companies, Special Quality Personal Data is processed only to the extent that legal and administrative / judicial authority requirements are fulfilled and the processing is directly related to the operation of Rotakim Companies, and access to it is limited and secured at the highest level. Provided that full compliance with the Law is ensured, such data may be processed without the consent of the Data Subject (i) in the case of Special Quality Personal Data other than health and sexual life, where the processing is expressly stipulated in the law, and (ii) in the case of data related to health and sexual life, only where it is processed by persons or authorized institutions and organizations under the obligation of secrecy, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services. However, Rotakim Companies will fulfill the requirements of the obligation to inform Data Subjects regarding the processing of Special Quality Personal Data even if these exception conditions are met, and will obtain the explicit consent of the Data Subject even in cases where an exception applies. If no exception applies, or if there is doubt as to whether one applies, Special Quality Personal Data received without express consent will be promptly deleted, destroyed and anonymized. In such cases, the [Rotakim KVK COMMITTEE] unit will be informed immediately, in order to coordinate the necessary measures and, if applicable, to notify the relevant Data Owner and the Board as soon as possible.

G.    OBLIGATION TO INFORM THE PERSON RELATED TO PERSONAL DATA

Rotakim Companies are obliged to inform the natural persons whose data will be processed during the acquisition of Personal Data. The scope of this notification obligation is as follows:

– Identity of the data controller and its representative, if any,

– For what purpose the Personal Data will be processed,

– To whom and for what purpose the processed Personal Data can be transferred,

– The method and legal reason of Personal Data collection,

– Rights of the Data Subject as specified under the heading (C).

In this regard, Rotakim Companies will provide necessary information from Third Parties through data acquisition tools to process in their systems and will obtain informed consent from the Data Owners regarding data processing in order to prove that the obligation of disclosure has been fulfilled. Personal Data may be collected verbally, in writing or electronically, automatically or non-automatically, through all sales channels of Rotakim Companies, including electronic commerce, retail and wholesale stores, branches, websites, call center and all other similar channels where service can be obtained from third parties.

– Obtaining Personal Data in Written Form:

When Personal Data is obtained in writing, the obligation to inform regarding the processing of the data will be fulfilled, provided that reference is made to this Policy and the new, revised forms and information are used. In addition, all forms and contracts, including the Permission Communication Forms to be obtained from the persons with whom customer relations are established, will be revised to show the explicit consent of the Data Subject regarding the processing of Personal Data, even where the processing of the relevant data group can be considered an exception under the Law. In customer relations, new forms, documents and information proving compliance with the Law will be used; all relevant employees will be trained to provide sufficiently detailed information to the real person and to show references. It will be ensured without exception that Personal Data obtained through written forms is obtained with informed consent.

– Obtaining Personal Data Verbally:

Information will be given under the obligation to inform regarding the processing of Personal Data when new data not previously held is obtained about existing customers whose data is processed in accordance with the Permission Communication Forms already received, and when data is obtained through the Call Center. During the acquisition of oral data, it will be reminded that the interview is recorded, provided that prior notice is given, and it will be confirmed that the Personal Data will be processed within the scope of this Policy and existing Permission Communication Forms, if any. Employee and Call Center business processes will be re-evaluated and implemented within this framework.

– Obtaining Personal Data in the Electronic Environment:

All contracts and documents / link addresses / web pages that require the acquisition and processing of Personal Data, including distance sales contracts and including data obtained through electronic commerce channels and other internet channels of Rotakim, will be revised so as to fulfill the obligation to inform regarding the processing of Personal Data. This Policy can be accessed from all internet pages, and systems that require approval of data processing by Rotakim Companies will be established at every link address on the websites of all Rotakim Companies where data may need to be obtained. Unless it is clearly marked that consent is given to the processing of Personal Data, any information and document entered will not be automatically recorded in any Rotakim Company system and will not be processed in any way.

H.    PROCEDURES REGARDING COMPLAINT PROCESSES

 

Complaints made by Data Owners, whose personal data are processed by Rotakim Companies, will be answered and finalized by Rotakim Companies as soon as possible and within 30 days at the latest.

The Data Owner may submit his/her requests and complaints to the Rotakim KVK Committee of the Rotakim Company in person, provided that identity checks are made; by proxy, provided that a notarized power of attorney is submitted; through a notary public; or via registered e-mail addresses, provided that a secure electronic signature is used. Applications under the KVKK can also be made at https://www.rotakim.com/.

All employees dealing with requests received via e-mail and telephone should be careful about disclosing any personal information held by Rotakim. In particular, these employees:

  • They should check the identity of the person contacted by the call to ensure that the Personal Data is given to the person who has a right/authority to receive the personal data.
  • If employees receive a call in which they are unsure or whose identity cannot be checked, they should suggest that the caller put their request in writing.
  • They should turn to their manager for help in difficult situations. No one should be compelled to disclose Personal Data.

Subject to the above procedures, if an employee receives a notification / request from the Data Owners, this will be reported in writing to [Rotakim KVK Committee] immediately after receipt of the notification / request, and these requests will be responded to in accordance with all the instructions of the said unit. The said business unit will contact colleagues from the relevant business unit and support units to resolve complaints/requests.

Requests from the Data Owner should be carefully reported and reviewed by the Rotakim KVK Committee, taking into account the nature of the request. Such complaints will be answered as soon as possible, within a maximum of 30 days and without incurring any additional expense to the Data Owner, and will be implemented if applicable.

The process for examining any Data Subject request, including requests for the deletion, destruction and anonymization of Personal Data, will be as follows:

– [Rotakim KVK Committee] unit will make the initial evaluation of the request to decide whether the request/complaint is valid and whether confirmation of identity or additional information is required.

– [Rotakim KVK Committee] unit will contact the individual in writing to confirm receipt of the relevant person’s access request and request identity confirmation and additional information if necessary, or reject the request in case of an exception regarding the relevant person’s access.

– A search will be conducted on all relevant electronic and print filing systems.

– [Rotakim KVK Committee] may refer complicated situations, especially cases where the request contains information about third parties or where the disclosure of Personal Data may harm commercial confidentiality or legal processes, to the relevant units within the company or to third party consultants, and may obtain support in responding to the request.

– [Rotakim KVK Committee] will arrange the requested information in an easily readable format.

[Rotakim KVK Committee] may accept the request of the Data Owner on behalf of the relevant Rotakim Company or reject it in writing or electronically by explaining the reason. Without being limited to this, the request may be rejected, especially in cases where one of the exceptions regarding the implementation of the Law and the Policy is in question. If the request of the Data Owner is accepted, the request will be fulfilled immediately by the relevant units of Rotakim.

The complainant will be able to object, in whole or in part, to the answer or determination given by Rotakim Companies and inform the relevant Rotakim employee about this issue. The relevant employee will immediately inform the [Rotakim KVK Committee]. In such a case, the complaint request will be reconsidered and finally answered. The procedures and periods that applied to the first request will apply to this reconsideration, and this will not mean the interruption or suspension of the periods stipulated by the Law. This is because requests for a second evaluation will be re-evaluated only in terms of customer satisfaction, not within the scope of a legal obligation.

Pursuant to the Law, the Data Owner has the right to apply to the Board within thirty days from the date on which he/she learns the Rotakim Company’s response to the first complaint application, and in any case within sixty days from the date of the first application; these deadlines are preclusive, and the right is lost if they are not met.

İ. COMMUNICATION WITH THE PERSONAL DATA PROTECTION AGENCY

With the exception of information and documents containing state secrets, Rotakim Companies are obliged to send the information and documents requested by the Board within 15 days and to enable on-site inspection when necessary.

[Rotakim KVK Committee] has been determined as the business unit that will carry out the correspondence with the Institution and the employees should direct all kinds of communication with the Board regarding the protection of Personal Data to the [Rotakim KVK Committee].

Rotakim and all Rotakim employees will comply with the Board’s decisions taken ex officio or as a result of the investigation made upon complaint, without delay and within 30 days at the latest from the notification.

Following the active operation of the Board and the formation of the presidential organization to be established within the Personal Data Protection Agency, all Rotakim Companies will register with the Data Controllers Registry, which will be kept open to the public by the Presidency of the Personal Data Protection Agency under the supervision of the Board, unless they are subject to the exemptions from the Data Controllers Registry obligation to be introduced by the Board.

J.     POLICY MANAGEMENT STRUCTURE ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

 

In order for Rotakim to act in accordance with the regulations of the KVK Law and to enforce the Personal Data Protection and Processing Policy, the Personal Data Executive Supreme Board has been established and the Personal Data Protection Committee has been established.

Duties of this committee;

1 – Taking decisions on the Protection and Processing of Personal Data and submitting them to the Supreme Board to be presented to the senior management,

2 – To make changes in the Policy on the Protection and Processing of Personal Data, to ensure the implementation and supervision of the Policy,

3 – To determine the issues to be done within the framework of the KVK Law and the relevant legislation,

4 – Evaluate the applications of the Personal Data owners,

5 – To follow the developments related to the Protection of Personal Data, to ensure the implementation by informing the relevant parties and to take the necessary measures,

 

K.   EXCEPTIONS TO THE IMPLEMENTATION OF THE POLICY

 

As stipulated in Article 28 of the Law, this Policy will not be applied in the following cases where the Law will not be applied:

–      Processing of Personal Data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with;

–      Processing Personal Data for purposes such as research, planning and statistics by making them anonymous with official statistics;

–       Processing Personal Data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime;

–       Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security;

–       Processing of Personal Data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

Except for the obligation to inform, Data Owners will not be able to use their rights set forth in the Law and this Policy in the presence of one of the following exceptions:

–       The processing of Personal Data is necessary for the prevention of crime or for criminal investigation;

–       Processing of Personal Data made public by the Data Owner himself;

–       Personal Data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law;

–       The processing of Personal Data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

Apart from the above, Personal Data obtained completely or partially automatically or by non-automatic means provided that it is a part of any data recording system is also outside the scope of this Policy. In this framework, the Law and this Policy will not be applied in respect of all data not included in any data recording system at Rotakim Companies. Rotakim’s responsibility for the said data will be limited to the provisions of the Constitution of the Republic of Turkey and the Turkish Penal Code.

L.     IMPROVEMENTS AND CHANGES

 

If any employee has questions or problems about this Policy and the Law, he/she should contact [Rotakim KVK Committee] about these issues. In this framework, it will be confirmed that the requirements of the Law and this Policy are understood at the highest level for all employees, and it will be ensured that the requirements of the Law and the Policy are internalized by the employees.

All employees shall accept, declare and undertake that their business processes comply with this Policy, upon acceptance of this Policy. If it is thought that this Policy is not complied with in respect of personal data belonging to any employee or other Data Owners, the matter will be referred to [Rotakim KVK Committee].

This Policy may be changed and updated in accordance with the Regulation and other secondary legislation that will be prepared and put into effect in accordance with the Law. Rotakim Companies and all their employees accept, undertake and declare to carry out all their processes as soon as possible in full compliance with the changes to be made in the Law and this Policy and the secondary legislation to be enacted on the protection of Personal Data.

In case of any change in this Policy, all Data Owners will be informed about the said change and they will be informed about the link addresses required to reach the updated Policy and the channels through which they can get information about the updated Policy.

 

CONCLUSION AND RESPONSIBILITY 

In order to manage all its processes in accordance with the Law and to fulfill the requirements of the Law, Rotakim is currently improving its processes in line with the provisions of the Constitution of the Republic of Turkey and the Turkish Penal Code and international general principles regarding personal data protection. In this context, this general Policy, which has been prepared to be applied to all business units, binds all business units and employees to the principles governing the processing of Personal Data by Rotakim Companies.