I. INTRODUCTION
This Policy sets out the procedures and principles to be followed by LMA MOTIF ALUMINYUM DOKUM SANAYI MUMESILLIK LIMITED SIRKETI (hereinafter referred to as the “Company”) regarding the protection and processing of personal data.
The Policy aims to align the Company’s operations with the Law on the Protection of Personal Data No. 6698 regarding the protection and processing of personal data, and to define the framework and ensure coordination of the compliance activities planned to be carried out by the Company. In accordance with the Law on the Protection of Personal Data No. 6698, your personal data may be processed by the Company, as the data controller, within the scope described below.
In this context, it is aimed to ensure that the Company’s activities are carried out in accordance with the law and legislation, and within the framework of the principles of honesty, transparency and fairness.
This Policy comprehensively regulates the protection and processing of personal data of company shareholders, company officials and executives, current and potential customers, employees, job candidates, visitors, and third parties, aiming to ensure transparency and accountability regarding data processing. All personal data processed by non-automated means, provided that it is part of any data recording system, and all data owners are covered by this Policy.
II. DEFINITIONS
| CONCEPT | DEFINITION |
|---|---|
| Explicit Consent | It refers to consent regarding a specific subject, based on information and expressed with free will. |
| Anonymization | It refers to rendering personal data incapable of being associated with an identified or identifiable natural person, even by matching it with other data. |
| Relevant person / Personal Data Owner | Refers to the natural person whose personal data is processed. For example, customers, employees, prospective personnel. |
| Personal Data | It refers to any information relating to an identified or identifiable natural person. Therefore, the processing of information relating to legal entities is not within the scope of Law No. 6698. |
| Processing of personal data | It refers to any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system. |
| Sensitive Personal Data | Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are sensitive personal data. |
| Data Processor | A natural or legal person who processes personal data on behalf of a data controller based on the authority granted by the data controller. For example, an IT company that stores customer data for a company is considered within this scope. |
| Data Controller | The data controller is the person who determines the purposes and means of processing personal data and manages the place where data is systematically kept (data recording system). |
III. COMPANY’S OBLIGATIONS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA
A. General Obligations of the Company
The Company’s obligations regarding the protection and processing of personal data are as follows:
- The Company’s Obligation to Register for the Data Controllers Registry
- The Company’s Obligation of Disclosure to Personal Data Owners
- The Obligation to Ensure the Security of Personal Data
- The Obligation to Comply with Legislation Regarding the Protection and Processing of Special Personal Data
- The Obligation to Comply with Legislation in Case of Transfer of Personal Data
- The Obligation to Process Personal Data Based on and Limited to the Processing Conditions in the Law
B. Obligation to Disclose
The Company aims to inform personal data owners about the following issues:
- The identity of the Company and its representative, if any, as the data controller;
- The purpose for which personal data will be processed;
- To whom and for what purpose personal data may be transferred;
- The method and legal basis for collecting personal data;
- The rights of the personal data owner.
The rights of the personal data owner within the scope of the Company’s obligation to inform are as follows:
- To learn whether their personal data is being processed,
- To learn the purpose of processing and whether it is being used in accordance with the purpose,
- To know the persons to whom personal data is transferred,
- To request correction in case of incomplete or inaccurate processing and, if the conditions are met, to request the erasure of personal data, and to have these requests communicated to third parties,
- To object to the analysis of processed data exclusively through automated systems, leading to a detrimental result,
- To claim compensation in the event of damages suffered due to unlawful processing.
C. Obligation to Take Precautions
The Company considers it its duty to take the necessary technical and administrative measures to prevent the unlawful processing and/or unlawful access of personal data it has processed within the scope of the Law on the Protection of Personal Data No. 6698 and to ensure the appropriate and sufficient level of security in order to ensure the protection of the relevant personal data.
The Company establishes systems to carry out, or have carried out, the necessary inspections of the functioning of the technical and administrative measures to be prepared in this context.
The Company is obligated to immediately notify the relevant data owner and, if required by law, the Personal Data Protection Board if personal data it has processed in accordance with the Law No. 6698, applicable legislation, and this Policy is obtained by others through unlawful means. Furthermore, if the Company identifies a security risk, the necessary measures must be taken immediately to eliminate the risk.
IV. PURPOSES OF PROCESSING PERSONAL DATA AND RETENTION PERIOD
A) Purposes of Data Processing
The Company’s data processing purposes are briefly stated as follows:
- The Company’s personal data processing activity being necessary to protect the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to express his/her consent due to actual or legal invalidity,
- The processing of personal data being necessary for the Company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the persons concerned,
- The processing of sensitive personal data of the personal data owner, other than data on health and sexual life, being prescribed by law,
- The processing of personal data by the Company being directly related to and necessary for the establishment or performance of a contract,
- The processing of personal data by the Company being necessary for the establishment, exercise or protection of the rights of the Company or the relevant parties or third parties,
- Personal data being able to be processed by the Company in a limited manner for the purpose of publicizing it to the relevant parties, provided that it is made public by the relevant parties,
- The Company’s activity regarding the processing of personal data being clearly prescribed by law,
- Processing of personal data being mandatory for the Company to fulfill its legal obligations,
- With regard to a personal data owner’s sensitive personal data concerning his/her health and sexual life, the data can be processed by persons under a confidentiality obligation or authorized institutions and organizations for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
In this context, the Company processes the personal data of the relevant parties for the following purposes: to ensure that our legal obligations are fulfilled as required or mandated by legal regulations; to carry out the Company’s employee personnel processes and to have the necessary work conducted by the relevant units to ensure that the commercial activities specified in the Company’s articles of association are carried out in accordance with the legislation and relevant company policies, as well as to have activities carried out in this direction; to determine, plan and implement the Company’s short, medium and long-term commercial policies, to provide effective customer service, and to carry out Company activities and procedures, to provide services and offers, to plan and execute the access authorization of employees to Data Owner information, to have the necessary work and the related business processes conducted by our relevant business units in order to carry out the commercial activities carried out by the Company, to carry out fiscal, accounting and financial transactions including service-related billing activities, to follow up on legal affairs, to plan and execute corporate communication activities, to ensure that data is accurate and up-to-date, to maintain business and operations, to ensure the legal and commercial security of our company and the people who have business relations with our company through the services offered by our company, to fulfill the obligations arising from the legislation, to follow and execute the legal processes and communication processes with official institutions and to provide services within this scope, to carry out the company’s employee personnel processes.
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Law on the Protection of Personal Data, the Company shall obtain the explicit consent of the relevant persons for the relevant processing activity within the framework of this policy.
B) Personal Data Categorization
It is possible to categorize personal data processed within the company as follows:
| Category | Explanation |
|---|---|
| Identity Information | The relevant person’s identity information falls under this category. This includes name and surname, parents’ names, mother’s maiden name, date of birth, place of birth, marital status, identity card serial and sequence number, Turkish ID number, driver’s license information, and similar data. |
| Contact Information | The telephone number, address, e-mail address, registered e-mail address (KEP), contact address and similar data of the relevant person are included in this scope. |
| Location Information | The location information of the relevant person and the location information processed by tracking vehicles within the scope of commercial activities are included in this scope. |
| Employee/Personal Information | This includes information that forms the basis for establishing the personal rights of our company personnel and/or individuals who have a working relationship with the company. This includes payroll, disciplinary investigations, employment/termination records, asset declaration information, resume information, performance evaluation reports, and similar data. |
| Legal Information | This includes data processed for the legal determination of our receivables and rights, the discharge of our debts, and the fulfillment of our legal obligations. This also includes information held by judicial authorities and case files. |
| Customer Information | This includes the personal data of our customers, namely the relevant persons, processed as a result of our commercial activities. This includes data such as call center records, order information, invoice and promissory note information. |
| Space Security Information | This includes personal data related to records and documents taken within the physical space. This includes employee and visitor entry/exit records, camera recordings, and similar data. |
| Transaction Security Information | IP address information, website login/logout information, password information and similar data are included in this scope. |
| Risk Management Information | Data processed regarding the management of commercial, technical and administrative risks are within this scope. |
| Financial Information | Personal data processed regarding the relevant person’s financial information, documents, and records are within this scope. This includes balance sheets, financial asset information, credit and risk information, and financial performance information. |
| Professional Experience Information | This includes professional experience information that forms the basis for individuals’ work areas. This includes diploma information, in-service training information, certificates, transcripts, and similar data. |
| Audio and Visual Recordings | Visual and audio recordings such as camera recordings, voice recordings, etc. are within this scope. |
| Health Data (Sensitive) | Health data held for the purpose of enabling the data controller to fulfill its legal obligations are within this scope. This includes disability status, blood type information, personal health information, and device and prosthesis information. |
C) Retention Periods of Personal Data
The Company retains personal data for the period specified in relevant legislation, if required by applicable law. Unless otherwise stipulated by law, personal data is retained for the period required by the Company’s practices and business practices, in accordance with the services provided by the Company while processing that data, and is then deleted, destroyed, or anonymized.
V. TRANSFER OF PERSONAL DATA TO THIRD PARTIES
In accordance with applicable legislation, the Company may transfer customer personal data to the following categories of recipients. Transfers to the Company, authorized public institutions and organizations, Company officials, and authorized private legal entities may occur within the framework of relevant legislation. In this context:
| PERSONS / INSTITUTIONS TO WHICH TRANSFER CAN BE MADE | EXPLANATION |
|---|---|
| Administration/Authorized Public Institutions and Organizations | This includes public institutions and organizations authorized to receive information and documents from the Company pursuant to relevant legislation. Data may be transferred to these institutions and organizations on a limited basis for the purposes requested, within their legal authority. |
| Authorized Private Law Persons / Suppliers | This includes private legal entities authorized to receive information and documents from the Company in accordance with relevant legislation. Data may be transferred to authorized private legal entities for limited purposes, within the framework of their legal authority. |
| Company Official | In accordance with the relevant legislation, data may be transferred on a limited basis for the purposes of designing strategies regarding the Company’s commercial activities, ensuring their management at the highest level, and auditing. |
VI. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Although processed in accordance with the relevant legal provisions, personal data will be deleted, destroyed or anonymized based on the Company’s own decision or upon the request of the personal data owner, if the reasons requiring processing are eliminated.
The Company reserves the right not to fulfill the data subject’s request in cases where it has the right and/or obligation to preserve personal data pursuant to the Law on the Protection of Personal Data. This is because, pursuant to the Law on the Protection of Personal Data, personal data may be processed without the explicit consent of the data subject if one of the following conditions exists:
- It is clearly foreseen in the laws.
- It is necessary for the protection of the life or physical integrity of a person who is unable to give his/her consent due to a physical impossibility or whose consent is not legally valid, or of another person.
- The processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract.
- It is mandatory for the data controller to fulfill its legal obligations.
- It has been made public by the relevant person himself/herself.
- Data processing is necessary for the establishment, exercise or protection of a right.
- Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
VII. RIGHTS OF PERSONAL DATA OWNERS
A) In General
Data owners have the following rights in accordance with the relevant legislation:
- Learning whether his/her personal data is being processed,
- Requesting information if his/her personal data is processed,
- Learning the purpose of processing his/her personal data and whether they are used in accordance with their purpose,
- Knowing the third parties to whom his/her personal data is transferred, either domestically or abroad,
- Requesting correction of personal data if it is processed incompletely or incorrectly and requesting notification of the action taken in this context to third parties to whom his/her personal data has been transferred,
- Requesting the deletion or destruction of his/her personal data in case the reasons requiring processing are eliminated, even though they have been processed in accordance with the relevant legislation, and requesting that the transaction made within this scope be notified to third parties to whom his/her personal data has been transferred,
- Objecting to the emergence of a result to the detriment of the person himself/herself, by means of analysis of the processed data exclusively through automated systems,
- Requesting compensation in case of damages due to unlawful processing of his/her personal data.
B) Data Owner’s Right to Apply to the Company
If data owners wish to exercise any of their rights specified above, they may do so by using the contact form on the Company’s corporate website. If the Personal Data Protection Board decides that requests should be submitted by methods other than those specified above, the methods by which applications can be submitted will be announced separately.
The Company will evaluate and finalize requests from data subjects within thirty days, depending on the nature of the request. Data subjects may be notified of positive or negative responses to requests in writing or electronically.
While requests from data owners will, as a rule, be resolved free of charge, if responding to the request requires an additional cost, a fee may be charged in amounts determined within the framework of the relevant legislation. The procedures and principles for paying this fee will be specified in the Application Form. It should be noted that applications will not be considered if this fee is not paid in accordance with the procedures and principles outlined. If it is found that the application arose from a mistake on the part of the Company, the fee will be refunded to the applicant.
C) Special Cases Where Data Owners Cannot Claim Their Rights
Since the following situations are excluded from the scope of the Law on the Protection of Personal Data, personal data owners cannot assert their rights described above in these matters:
- Processing of personal data for purposes such as research, planning and statistics by making them anonymous through official statistics,
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime,
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
D) The Company’s Right to Reject the Application of the Personal Data Owner
The Company may reject the applicant’s application by explaining the reason in the following cases:
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
- Processing of personal data for purposes such as research, planning and statistics by making them anonymous through official statistics,
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime,
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings,
- The requested information being publicly available information,
- Personal data processing being necessary for the prevention of crime or criminal investigation,
- Personal data processing being necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law,
- Personal data processing being necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters,
- Processing of personal data being made public by the personal data owner,
- The request of the personal data owner having the possibility to hinder the rights and freedoms of other persons,
- Requests requiring disproportionate effort being made.
