PDPA Personal Data Protection Law

1. INTRODUCTION

1.1. Generally

Ensuring the confidentiality and security of personal data and compliance with relevant legal decisions are among the most important priorities of Ahes Inşaat Ticaret ve Sanayi Anonim Şirketi (the ‘Company’), and utmost care is taken in this regard. In this context, the purpose of the process governed by this Personal Data Protection and Processing Policy (‘Policy’) and by the other written policies within the Company regarding the processing and protection of personal data is to inform our employees, employee candidates, visitors, guests and other third parties (‘Related Persons’) about the processing, storage and protection of their personal data in accordance with the law, and to reflect our corporate culture.

In the preparation of this Policy, we consider the provisions contained in the relevant legal norms related to the protection and processing of personal data, in particular the regulations contained in the Constitution of the Republic of Turkey and the Personal Data Protection Law No. 6698 (‘KVKK’), as well as the decisions of the Personal Data Protection Board to be a guide for our Company.

In this Policy, explanations will be made regarding the basic principles adopted by our Company for the processing of personal data and the following:

  • Processing of personal data in accordance with the law and the rules of honesty,
  • Keeping personal data accurate and updated when necessary,
  • Processing of personal data for specific, clear and legitimate purposes,
  • Personal data being relevant, limited and proportionate to the purposes for which they are processed,
  • Retention of personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,
  • Informing the relevant persons,
  • Establishment of the necessary processes for the relevant persons to exercise their rights,
  • Taking the necessary measures in the processing and storage of personal data,
  • Transfer of personal data to third parties in accordance with the requirements of the purpose of processing,
  • Demonstrating the necessary sensitivity in the processing and protection of personal data of a special nature,
  • Deletion, destruction or anonymization of personal data for which the purpose of processing has disappeared.

1.2. The Purpose of the Policy

The main purpose of this Policy is to provide explanations about the personal data processing activities carried out by our Company in accordance with the law and the procedures adopted for the protection of personal data, and to ensure transparency by informing the Relevant Persons in this context. In addition, this KVK Policy and the other written policies prepared aim to make our principle of compliance with the KVKK and other relevant legal regulations related to personal data security sustainable.

1.3. Scope of the Policy

This Policy covers real persons whose personal data are processed by our Company by automatic means, or by non-automatic means provided that they are part of any data recording system. An Internal Directive on the Protection of Personal Data has been established within the scope of this Policy.

1.4. Implementation of the Policy and Related Legislation

This Policy has been prepared in line with the principles set forth by the relevant legislation. Our Company undertakes and accepts that if there is a discrepancy between the current legislation and this Policy, the applicable legislation will be applied.

1.5. Effectiveness of the Policy

This Policy enters into force upon approval by the board of directors of our Company; it is published on the website (.................) and made available to the Relevant Persons in this way.

2. DEFINITIONS AND ABBREVIATIONS

Explicit Consent: Consent related to a specific subject, based on information and expressed with free will

Anonymization: Making personal data impossible to associate with an identified or identifiable real person under any circumstances, even by matching it with other data

Employee: Company employees

Employee Candidate: Real persons who have applied for a job at our Company by any means or submitted their resume and related information for our Company's review

Related Person: The real person whose personal data is processed

Personal Data: All kinds of information about an identified or identifiable real person

Processing of Personal Data: All kinds of operations performed on the data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by means that are fully or partially automatic, or non-automatic provided that they are part of any data recording system

Committee: Personal Data Protection Committee

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

KVK Policy: Personal Data Protection and Processing Policy

KVKK: Personal Data Protection Law No. 6698

Special Categories of Personal Data: Data on race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, dress and attire, association, foundation or trade union membership, health, sex life, criminal conviction and security measures, as well as biometric and genetic data

Periodic Destruction Process: The deletion, destruction or anonymization process to be carried out ex officio at the recurring intervals specified in the personal data retention and destruction policy, in case all of the conditions for processing personal data contained in the Law disappear

Policy: KVK Policy

Potential Customer: Persons who have requested to use our Services or who have been evaluated in accordance with commercial practices and honesty rules to be found

Company: Ahes Construction Trade and Industry Joint Stock Company

Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller

Data Recording System: The registration system in which personal data is processed by structuring according to certain criteria, index

Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Data Controller Application Form: The application form that Relevant Persons will use when exercising their rights contained in Article 11 of the KVKK

Deleting Data: Making personal data inaccessible and non-reusable in any way for the relevant users

Destroying Data: Making personal data inaccessible, irretrievable and non-reusable by anyone in any way

3. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation

3.1.1. Processing in Accordance with the Rules of Law and Honesty

Our company has adopted the basic principle of being in compliance with the law and honesty rules in all kinds of transactions to be performed on personal data. In this context, by adopting the principle of transparency, it informs the relevant Persons about the purpose of using the collected personal data through this Policy and other texts.

3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

Our Company has a system and process aimed at ensuring the accuracy and timeliness of the personal data it processes while carrying out the processing of personal data. In this context, the Relevant Persons may make it possible to keep their personal data accurate and up-to-date by applying to our Company.

3.1.3. Processing for Specific, Clear and Legitimate Purposes

Our Company clearly determines the purpose of personal data processing within legitimate and legally appropriate limits and brings it to the attention of the Relevant Persons, through this Policy and other texts, before the personal data processing activity begins.

3.1.4. Being Limited and Restrained in Connection with the Purposes for which They are Processed

Our Company processes personal data in a manner that is related to and proportionate to the subject matter of the activity within the scope of the purposes necessary for the execution of the activity. In this context, while conducting data processing activities, it carefully avoids processing personal data that are not related to the realization of the purpose and are not needed at the moment / in the future.

3.1.5. To Keep them for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which They are Processed

Our Company stores personal data only for the limited period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, it is first determined whether the relevant legislation sets a period for the storage of the personal data. If a period has been set, action is taken in accordance with it; if no specific period has been set, the period necessary for the purpose for which each item of personal data is processed is determined and the data are stored for this period.

In this context, our Company prepares and implements the policy and directive for the deletion, destruction or anonymization of personal data.

3.2. Processing of Personal Data in Accordance with the Personal Data Processing Conditions Specified in Article 5 of the KVKK and Limited to These Conditions

Our Company processes personal data only on the basis of the explicit consent of the Relevant Person or, in the cases specified in the KVKK where explicit consent is not sought, without explicit consent and limited to these conditions.

3.2.1. Explicit Consent

Explicit consent is a statement that the Relevant Person makes with free will regarding a certain issue and based on information. In accordance with Article 5/1 of the KVKK, our Company respects and complies with the explicit consent of the Relevant Person if necessary in the processing of personal data.

3.2.2. Cases where Explicit Consent is Not Sought

Article 5/2 of the KVKK regulates the processing of personal data in some cases without the explicit consent of the Relevant Person. Since obtaining explicit consent from the Relevant Person in the presence of one of the specified conditions would be considered misleading to the Relevant Person, our Company does not seek explicit consent in cases where these data processing conditions exist.

3.3. Processing of Personal Data of a Special Nature

Our Company shows maximum sensitivity in the processes of processing and protection of personal data designated as “special quality” by the KVKK due to the risk of causing greater victimization or discrimination of persons when processed, and the accepted principles regarding special quality personal data are also discussed in this Policy.

In the absence of the explicit consent of the person concerned, our Company may process personal data of a special nature only in the following cases, provided that the adequate measures to be determined by the Board are taken.

a) Personal data of a special nature other than the health and sexual life of the person concerned in the cases stipulated by the laws,

b) Personal data of a special nature related to the health and sexual life of the person concerned may be processed by persons or authorized institutions and organizations under an obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and maintenance services, planning and management of health services and financing, without seeking the explicit consent of the person concerned.

Our Company has determined additional measures and processes regarding the processing of personal data of a special nature and the access to this data. Within this framework, the environments where personal data of a special nature are stored are protected with secondary locks and secondary passwords, and the data are processed only by authorized persons within the framework of the authorization matrix.

3.4. Transfer of Personal Data

In order to fulfill the purposes specified in this Policy, personal data may be transferred to supervisory organizations within the framework of audit activities, to our shareholders for reasons arising from audit and partnership rights in accordance with relevant legal regulations, to legally authorized public institutions and organizations, to our suppliers and business partners located at home and/or abroad, to natural persons who supply services or to third parties to whom services are provided, within the framework of the processing conditions and purposes specified in Articles 8 and 9 of the KVKK.

4. PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA

4.1. Technical and Administrative Measures Taken by Our Company regarding the Security of Personal Data

4.1.1. Technical Measures

The main technical measures taken by our company to ensure that personal data is processed in accordance with the law and to prevent unlawful access to personal data are as follows:

  • The personal data processing activities carried out within the body of our company are controlled by the established technical systems.
  • Knowledgeable and experienced personnel are employed on technical issues.
  • Relevant departments have been established for technical issues.
  • The technical measures taken are periodically reported to the authorized unit /person in accordance with the internal audit mechanism.
  • A backup program is used in accordance with the law to ensure the secure storage of personal data.
  • New technological developments are followed up and technical measures are taken on the systems, especially in the field of cyber security, and the measures taken are periodically updated and renewed.
  • Access and authorization technical measures are used within the framework of the legal compliance requirements determined for each department within our company.
  • Access permissions are restricted, permissions are regularly reviewed, and the accounts of former employees are closed.
  • Software and hardware including virus protection systems and firewalls are used.
  • The use of fake software and hardware is strongly avoided. All the products we use are original and licensed.

Within this framework, our Company is carrying out continuous and sustainable studies on the technical measures determined by the Board and listed below:

  • Authority Matrix
  • Authority Control
  • Access Logs
  • User Account Management
  • Network Security
  • Application Security
  • Encryption
  • Penetration Test
  • Intrusion Detection and Prevention Systems
  • Log Records
  • Data Masking
  • Data Loss Prevention Software
  • Backup
  • Firewalls
  • Up-to-Date Anti-Virus Systems
  • Deleting, Destroying or Anonymizing
  • Key Management

4.1.2. Administrative Measures

The main administrative measures taken by our company to ensure that personal data is processed in accordance with the law and to prevent unlawful access to personal data are as follows:

  • Our staff is informed and trained about the law on the protection of personal data and the processing of personal data in accordance with the law.
  • The personal data processing activities carried out by the business units of our company, and the requirements to be fulfilled in order to ensure that these activities comply with the data processing requirements specified in the KVKK, are examined for each business unit and the activity it carries out.
  • Provisions are included in the contracts and documents governing the legal relationship between our Company and employees that impose obligations not to process, disclose or use personal data, except under the Company's instructions and the exceptions provided by law, and the awareness of employees on this issue is increased.
  • In order to ensure the legal compliance requirements determined on the basis of our business units, awareness is being raised and implementation is being initiated for the relevant business units. The administrative measures necessary to ensure the supervision of these issues and the continuity of implementation are implemented with in-house policies and trainings.
  • In accordance with the activity-based legal compliance requirements, access and authorization processes for personal data are designed and implemented within our Company.
  • Business and transactions related to the KVKK and other relevant regulations are monitored by the Personal Data Protection Committee, which has been established to facilitate their follow-up and to ensure compliance.
  • Provisions are added to the agreements concluded with the third parties that process our Company's personal data in accordance with the law, stating that they will take the necessary security measures to protect the transferred personal data and will ensure compliance with these measures in their own organizations.

Within this framework, our Company is carrying out continuous and sustainable work on the administrative measures determined by the Board and listed below:

  • Preparation of Personal Data Processing Inventory
  • Corporate Policies (Access, Information Security, Use, Storage and Destruction, etc.)
  • Contracts (between Data Controller and Data Controller, and between Data Controller and Data Processor)
  • Privacy Commitments
  • Periodic and/or Random Internal Audits
  • Risk Analysis
  • Employment Contract, Disciplinary Regulation (Adding Provisions in Accordance with the Law)
  • Corporate Communication (Crisis Management, Board and Related Person Information Processes, Reputation Management, etc.)
  • Education and Awareness Activities (Information Security and Law)
  • Notification to the Registration Information System of Data Controllers (VERBIS)

4.2. Increasing the Awareness and Supervision of Our Employees in the Field of Personal Data Protection

Our company provides the necessary trainings and meetings to raise awareness about preventing the illegal processing of personal data, preventing illegal access to data and ensuring the safe storage of data.

In order to increase the awareness of existing employees within our company about the protection of personal data, we work with professional persons if necessary in this regard.

4.3. Protection of Personal Data of a Special Nature

Personal data designated as being of a special nature by the KVKK and processed by our Company in accordance with the law are protected with sensitivity. In this context, the technical and administrative measures taken by our Company for the protection of personal data have been determined on the basis of the relevant legal regulation and the decision “Adequate Measures to be Taken by the Data Controllers in the Processing of Personal Data of a Special Nature” published by the Personal Data Protection Authority, and are carefully applied in terms of the protection of personal data of a special nature.

4.4. The Process to be Followed in Case of Unauthorized Disclosure of Personal Data

Our Company will notify the relevant person and the Board within 72 hours if the personal data it processes are obtained by others by illegal means.

If deemed necessary by the Board, this situation may be announced on the Board's website or by another method.

4.5. Personal Data Inventory

Each unit of our company creates an up-to-date personal data processing inventory. The unit manager is responsible for the accuracy and timeliness of this inventory and for submitting it to the contact person if necessary. Keeping the inventories correct, implementing the current Company policy on the protection of personal data and following current developments on the protection of personal data are ongoing duties.

5. THE APPLICATION OF THE RELEVANT PERSONS TO THE DATA CONTROLLER, OUR COMMUNICATION CHANNELS AND THE EVALUATION PROCESSES OF THE APPLICATION

5.1. Subject of Application

Our company attaches great importance and value to the rights of the Relevant Persons and provides opportunities for them to exercise these rights. A “Data Controller Application Form” has been prepared and published on our website by our company, through which the Relevant Persons can easily submit their requests. However, it is not mandatory for Relevant Persons to use this form. Every application made in accordance with the Communiqué on the Application Procedures and Principles to the Data Controller will be evaluated.

By applying to our Company, everyone has the following rights regarding themselves:

a) To learn whether their personal data has been processed or not,

b) If their personal data has been processed, to request information about it,

c) To learn the purpose of the processing of their personal data and whether they are used in accordance with their purpose,

ç) To know the third parties to whom their personal data are transferred at home or abroad,

d) To request the correction of their personal data in case of incomplete or incorrect processing,

e) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,

f) To request that the transactions carried out in accordance with subparagraphs (d) and (e) be notified to the third parties to whom the personal data are transferred,

g) To object to the occurrence of a result against the person themselves through the analysis of the processed data exclusively by automated systems,

ğ) To object to the occurrence of a result against the person themselves through the analysis of the processed data exclusively by automated systems,

5.2. Application Method and Address

Application Method: Application by hand (If the applicant applies in person, a document confirming their identity must be available, and if an application is made by proxy, a notarized power of attorney must be available.)
The Address where the Application will be Made: ……………………
Application Subject Title: “Information Request Within the Scope of the Personal Data Protection Law” will be written on the envelope.

Application Method: Notification through a notary public
The Address where the Application will be Made: ……………………
Application Subject Title: “Information Request Within the Scope of the Personal Data Protection Law” will be written on the notification envelope.

Application Method: E-Mail via E-Signature/Mobile Signature
The Address where the Application will be Made: ……………………
Application Subject Title: “Information Request Within the Scope of the Personal Data Protection Law” will be written in the subject section of the e-mail.

Application Method: Application via registered Electronic Mail (KEP) address
The Address where the Application will be Made: ……………………
Application Subject Title: “Information Request Within the Scope of the Personal Data Protection Law” will be written in the subject section of the e-mail.

Application Method: E-mail address registered in our systems (Your e-mail address must have been matched with your ID in our systems before.)
The Address where the Application will be Made: ……………………
Application Subject Title: “Information Request Within the Scope of the Personal Data Protection Law” will be written in the subject section of the e-mail.

5.3. The Post-Application Process

Applications submitted to us are answered within 30 (thirty) days at the latest from the date of receipt of the request by our Company, depending on the nature of the request. Our responses are delivered by the notification method that the applicant specified in the Data Controller Application Form.

In accordance with Article 14 of the KVKK, if the application is rejected, the answer given is insufficient or the application is not answered in time, the Relevant Persons may file a complaint with the Board within thirty days from the date of receipt of the answer and in any case within sixty days from the date of application.

5.4. Application Fee

As a rule, applications are made free of charge. However, if the transaction requested by the relevant persons also requires a cost, the fee in the tariff determined by the Board will be charged by our Company.

6. INFORMING THE RELEVANT PERSONS

In accordance with Article 10 of the KVKK, our Company informs the relevant persons about the process of obtaining personal data through this Policy, the Clarification Text and other texts that are easily accessible on our website. In this context, our Company informs the relevant persons about the identity of the data controller, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data, and other rights of the relevant person.

A Data Controller Application Form has been created so that the Relevant Person can exercise the rights specified in the KVKK more easily, and it has been published on the website of our Company. The relevant details are described in section 5.

7. PURPOSES OF PROCESSING OF PERSONAL DATA AND STORAGE PERIODS

7.1. Purposes of Processing of Personal Data

Our Company processes personal data limited to the purposes and conditions within the processing conditions specified in Articles 5 and 6 of the KVKK. These purposes and conditions are:

  • The fact that the processing of personal data is clearly stipulated in the laws for our Company to engage in the relevant activities,
  • The processing of personal data by our Company is directly related to and necessary for the establishment or performance of a contract,
  • The processing of personal data is mandatory in order for our Company to fulfill its legal obligation,
  • Processing of personal data by the Company limited to the purpose for which it was made public, provided that the personal data has been made public by the relevant person,
  • The fact that the processing of personal data by the Company is mandatory for the establishment, use or protection of a right,
  • It is mandatory to engage in personal data processing activities for the legitimate interests of the Company, provided that they do not harm the fundamental rights and freedoms of the relevant persons,
  • It is mandatory for the protection of the life or body integrity of the relevant persons or someone else to engage in personal data processing activities by our company, and in this case the relevant persons are unable to disclose their consent due to actual impossibility or legal invalidity,
  • Personal data of a special nature other than the health and sexual life of the persons concerned, in the cases stipulated by the laws,
  • Private personal data related to the health and sexual life of the persons concerned are processed by persons or authorized institutions and organizations under the obligation to keep secrets for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and maintenance services, planning and management of health services and financing.

7.2. Storage Periods of Personal Data

As a company, we store personal data for the period specified in this legislation, if it is stipulated in the relevant legislation. In addition, in determining the storage periods, our obligations arising from the relevant contracts, our responsibilities / obligations in administrative and legal terms are also taken into account.

When the purpose of processing personal data has expired and the retention periods set by the relevant legislation and by the Company have also expired, these personal data are deleted and backed up only to serve as evidence in possible legal disputes or to assert the relevant right related to the personal data. In this case, access to personal data is not provided for any other purpose. Personal data is destroyed or anonymized after the expiry of the periods specified in the Personal Data Storage and Destruction Policy of our Company.

The processed personal data and personal data inventories are reviewed in 6-month periods and the personal data that need to be deleted / destroyed are deleted /destroyed within these 6-month periodic destruction periods and the transaction is recorded.

8. PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE FIELDS OF WORK

8.1. Monitoring Activities with the Camera Carried Out at the Entrances of the Work Areas and Inside

In order to ensure the safety of the Related Persons and our Company, our Company carries out security camera monitoring at the entrances and inside the work areas where we provide and carry out our services, as well as personal data processing activities for tracking entrances/exits and overtime. In this context, as a Company, we act in accordance with the KVKK and other relevant legislation.

8.1.1. Informing about the Monitoring Activity with the Camera

In accordance with Article 10 of the KVKK, our Company informs the relevant persons; in this way, it aims to prevent damage to the fundamental rights and freedoms of the relevant persons and to ensure transparency. For camera monitoring activities, information is provided both through this Policy on the Company's website (online Policy) and through a notice, posted at the entrances of the monitored areas, stating that monitoring will be performed (on-site notice / layered notice).

8.1.2. Purpose of Carrying out the Monitoring Activity with the Camera and Limitation to That Purpose

As a company, we process personal data in accordance with the KVKK in connection with the purposes for which they are processed, to a limited and proportionate extent. The purpose of continuing the monitoring activity with video camera recording by the Company is limited to the purposes listed in this Policy. Accordingly, the areas monitored by the security cameras, the number of cameras and the times at which monitoring is carried out are kept to what is sufficient to achieve the security purpose and are applied on a limited basis for this purpose.

8.1.3. Ensuring the Security of the Data Obtained by Monitoring Activities with a Camera

All kinds of necessary technical and administrative measures are taken by the Company to ensure the security of the personal data obtained by camera recording. Detailed information is included in the Measures related to data security section.

8.1.4. Who Has Access to the Information Obtained as a Result of Monitoring and to Whom This Information is Transferred

The information obtained as a result of monitoring and the storage environment can only be accessed by authorized persons in this regard. On the other hand, live camera images can be watched by security guards who are company employees or who have received external services. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality commitment.

8.2. Visitor Entry/Exit Tracking Carried Out at the Entrances and Inside the Working Areas

Personal data processing activities are carried out by the Company and the company from which external services are obtained for the purposes of ensuring security and tracking visitor entrances and exits in the Company's work areas for the purposes specified in this Policy.

While the names and surnames of the people who come to our work areas as visitors are obtained, the relevant people are informed through the texts posted in the relevant areas or made available to the guests in other ways. The data obtained for the purpose of visitor entry and exit tracking are processed only for this purpose and the relevant personal data are recorded in the data recording system in physical and/or electronic environment.

8.3. Recording of Information about Electronic Devices at the Entrances to Work Areas

As a company, in line with the care and sensitivity we show to information security and personal data protection, we record the MAC addresses of computers or similar electronic devices when our guests use their own personal computers or similar electronic devices. The reason for this is to ensure the security of our company and of the people whose personal data are held by our company.

9. REVIEW

This policy enters into force upon approval by the Company's board of directors. Regarding the changes to be made in the policy, the approval of the person / persons to be authorized by the board of directors is obtained. The issues related to the implementation of this policy within the Company have been systematized by the internal policy, procedures and internal guidelines. The policy is reviewed every 6 months and revisions are made with the approval of the authorized person, if necessary.

10. PERSONAL DATA PROTECTION COMMITTEE

The company has appointed a contact person within the framework of the personal data protection law. From among the employees of the company units, a Committee of .......... persons has been formed. The Personal Data Protection Committee (“Committee”) is chaired by the Company contact person.

The contact person acts with the opinions and recommendations of the Committee on administrative and technical measures. The principles determined by the Committee regarding administrative and technical measures are taken into account. The Committee makes the necessary efforts to ensure that the Company complies with the legislation on the protection of personal data. The contact person supervises the Company units that he/she is responsible for within the scope of the personal data protection law. As a result of these audits, he/she alerts the relevant units if necessary and informs the top management about the situation.

The contact person provides coordination on responding to the related person applications made to the Company within the legal deadlines and in accordance with the procedure. The contact person manages the Company's relations with the Personal Data Protection Authority.

11. ENACTMENT

This Policy enters into force from the date of acceptance and announcement by the company's board of directors / authorized bodies.