
PERSONAL DATA PROTECTION POLICY


1. Purpose and Scope

The main purpose of this Personal Data Protection Policy (“Policy”) is to clarify the personal data processing activity carried out by Proil Oleo (“Company”) in accordance with the law, the systems adopted for the protection of personal data, and to ensure transparency by informing the persons whose personal data are processed by our company in this context.
This Policy is implemented along with the relevant detailed data procedures in the activities carried out for the processing and protection of all personal data by the Company.

2. Definitions

KVKK: Personal Data Protection Law No. 6698
GDPR: The EU General Data Protection Regulation 
Data Processor: The natural or legal person who processes personal data on behalf of the data controller upon its authorization 
Data Controller: The person who determines the purposes and means of processing personal data and manages the storage where data is stored systematically (data filing system)
Data Subject/Natural Person Concerned: Employees, customers, business partners, shareholders, officials, potential customers, candidate employees, trainees, visitors, suppliers, employees of the institutions with which the Company collaborates, third parties, and natural persons whose data is processed, including but not limited to those listed here
Explicit Consent: Freely given, specific and informed consent 
Personal Data: Any information relating to an identified or identifiable natural person 
Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or unions, health, sexual life, data about criminal convictions and security measures, and biometric and genetic data 
Processing of Personal Data: Any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that it is part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or preventing the use thereof
Anonymization of Personal Data: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data 
Erasure of Personal Data: Rendering personal data inaccessible and unusable for the relevant users in any way
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and non-reusable by anyone in any way
KVK Board/Board: Personal Data Protection Board 
KVK Authority/Authority: Personal Data Protection Authority

3. Procedure 

The Company has different policies that focus on the protection of personal data and the provision of information security in relation to certain business activities and functions. This Policy does not override the data protection terms in these different policies of the Company unless it contains additional terms or entails a higher standard for the protection of personal data.
The provisions of the applicable legislation on the processing and protection of personal data will be primarily applied; in case of conflict between the relevant legislation and the provisions of this Policy, the provisions of the current legislation shall prevail.

4. Considerations Regarding the Protection of Personal Data

This Policy has been prepared in accordance with the rules and procedures specified in KVKK and other relevant legislation for the protection of personal data. In this sense, the Data Controller is obliged under KVKK to take all necessary technical and administrative measures to prevent unlawful processing of and access to personal data and to ensure their preservation. The Company has taken all relevant technical and administrative measures, including the measures taken for the protection of sensitive personal data. The content of the technical and administrative measures taken is detailed in the Protection of Personal Data Legal Compliance Audit Report and D.17 Storage and Disposal Policy.

5. Policy for the Processing of Personal Data 

a. Principles for the Processing of Personal Data

Personal data processed by the Company are processed in accordance with the relevant legislation (KVKK and/or GDPR). The Company’s policies and procedures are implemented in parallel with the processing principles in the KVKK and relevant legislation as follows:

  • Personal data is processed in a lawful, honest and transparent manner,
  • Personal data is collected only for specific, clear and legitimate purposes,
  • Personal data is linked to the purpose of processing, and is limited and prudent,
  • Personal data is accurate and, when necessary, up-to-date; otherwise it shall be erased or corrected without delay,
  • Personal data is kept for the period specified in the relevant legislation or required for the purpose of processing,
  • Personal data is processed in a way that ensures appropriate security,
  • The data controller shows that it complies with the other principles of KVKK and/or GDPR (accountability).

b. Proil Oleo’s Purposes for Processing Personal Data 

In accordance with the KVKK and other relevant legislation, the Company informs the relevant persons during the collection of personal data. In this context, the Company gives the relevant person detailed information about the purpose for which personal data will be processed, to whom and for what purposes the processed data can be transferred, the method of collecting personal data and the legal reasons for collecting personal data.

The purposes of processing personal data by the company are as follows:

Providing services to customers under the best conditions by the Company, providing services in a reliable and uninterrupted manner, ensuring the security of the Company, ensuring customer satisfaction and reliability, execution of the required transactions for the services offered by the Company, carrying out and improving the operations, running promotion, marketing, advertising and campaign activities for the services offered by the Company, execution of contracts signed with customers, realization of transactions requested by relevant public institutions and organizations, fulfilment of Company obligations arising from other relevant laws.
 

c. Legal Reasons of Proil Oleo for Processing Personal Data:

  • The person concerned gives explicit consent,
  • It is clearly stipulated in the laws,
  • It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid,
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the drawing up or execution of the contract,
  • It is mandatory for the data controller to fulfil his/her legal obligation,
  • The person concerned has made it public himself/herself,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.
  • The conditions of processing personal data, in other words, the conditions of compliance with the law, are listed in a limited number in the Law and these conditions cannot be extended.

6. Transfer of Personal Data

a. Transfer in Turkey

Without prejudice to the situations where the transfer of personal data to administrative and judicial institutions and organizations is obligatory as per the KVKK or the relevant legislation, the personal data of the persons concerned are not transferred by the Company to other persons without the explicit consent of the person concerned, except for the issues listed in Article 5 and/or 6 of the KVKK.

The Company may transfer personal data to third parties in Turkey by taking all security measures specified in the KVKK and relevant legislation and in accordance with the Law and/or contract.

b. Transfer Abroad 

The Company may transfer personal data abroad by taking the necessary security measures and in accordance with the conditions stipulated in the KVKK and the relevant legislation, and by obtaining the explicit consent of the person concerned. In cases where the explicit consent of the data subject is not required, the country to which the personal data will be transferred must have the “safe country” status and must provide adequate protection. In cases where the country to which data is transferred is not considered a safe country by the Board, a data transfer protocol that will guarantee adequate protection shall be signed with the permission of the Board.

Service providers and customers which can/will transfer data abroad are legal/real persons originating from ………………….

c. Institutions and Organizations to Which Data Can Be Transferred

The Company may share personal data with relevant public institutions and organizations in accordance with the following legislation:

  • Protection of Personal Data Law No. 6698,
  • Labour Law No. 4857
  • Turkish Code of Obligations No. 6098
  • Turkish Commercial Code No. 6102
  • Occupational Health and Safety Law No. 6361
  • Access to Information Law No. 4982
  • Retirement Fund Law No. 5343
  • Social Services Law No. 2828
  • Tax Procedure Law No. 213 and other applicable secondary regulations in accordance with these laws.

7. Personal Data Processing Activities for Proil Oleo’s Service Building and Website Visitors

In the Proil Oleo service building, personal data processing activities can be carried out in accordance with the KVKK and other relevant legislation. Accordingly, to ensure security, corridors, entrances and exits of the service building(s) are monitored with security cameras, and there is a card pass system for entries. The system used for guest entries has been determined in accordance with the Company’s “Physical Security Procedure”.

The records regarding the security measures recorded and stored in the digital media can be accessed by the administrative personnel and the technical department staff who are under the obligation of security protection, audit teams, the general manager and the managers directly reporting to the general manager.

8. Relevant Person’s Rights and Exercise of Rights

Real persons whose personal data is processed by the Company can get in contact with the Company to exercise the following rights about the processing of personal data and the data recorded about them via the Company’s physical address Tembelova Mevkii Genç Cad. 32. Sk No: 3014 Gebze/Kocaeli or e-mail address …………..:

  1. Learn whether personal data is processed or not,
  2. If personal data has been processed, request information about the nature of this information and learn to whom it has been disclosed,
  3. Learn the purpose of processing personal data and whether they are used in accordance with its purpose,
  4. Learn the third parties to whom personal data is transferred in Turkey or abroad and request to inform the third parties about the transaction made in this direction,
  5. Request the correction of personal data in case of incomplete or incorrect processing and request to inform third parties about this action,
  6. Request the erasure or destruction of personal data in the event that the reasons for processing personal data disappear, although it has been processed in accordance with the provisions of the relevant law,
  7. Object to the emergence of an adverse result for himself/herself,
  8. Request the compensation of the damage in case of loss due to unlawful processing of personal data.

9. Erasure, Destruction and Anonymization of Personal Data

9.1. As per Article 7 of KVKK and the provisions of other relevant legislation, personal data shall be erased, destroyed or anonymized upon the Company’s decision, periodic review and/or upon the request of the data subject, in the event that the reasons for processing the personal data no longer exist.
9.2. The Company has a Policy on Storing and Destruction of Personal Data in this regard. For detailed information, please see [D.17]: Policy on Storing and Destruction of Personal Data.
9.3. The Company will not store personal data for longer than the necessary duration in a way that would allow the identification of the data subject, in connection with the primary reason for which the data was collected.
9.4. The Company may store personal data for a longer period of time only for public interest, scientific or historical research or statistical purposes, by taking appropriate technical and organizational measures to protect the rights and freedoms of the data subject.
9.5. The criteria that determine the period of storing personal data, including the duration of storage for each personal data category and the legal obligations of the Company regarding the storage of personal data are specified in [D.17]: Storage and Destruction Policy.
9.6. The Company’s data storage and destruction procedures ([D.17]: Storage and Destruction Policy) shall apply in all cases.
9.7. Personal data will be securely destroyed in line with the provisions of the KVKK and relevant legislation by proper processing to ensure security and thus protect the “rights and freedoms” of the data owner. Destruction of data will be carried out in accordance with the Storage and Destruction Policy.

10. Data Inventory

The Company has created a data inventory as part of its approach to identify risks and opportunities throughout the KVKK and GDPR compliance process. The company's data inventory determines:

  • Business processes that use personal data,
  • Source of personal data,
  • Data subject volume,
  • Description of each element of personal data,
  • Processing activity,
  • Purpose and legal reason of the processing activity,
  • Data categories inventory management of processed personal data,
  • Filing of purpose(s) for each category of personal data used,
  • Recipients and potential recipients of personal data,
  • Company's role in data flow,
  • Key systems and protection,
  • Any kind of data transfer, and
  • All storage and destruction requirements.