Protection and Processing of Personal Data Statement
PART 1 – INTRODUCTION, POLICY PURPOSE, SCOPE, IMPLEMENTATION AND ENFORCEMENT
1.1. INTRODUCTION
The protection of personal data is one of our Company’s top priorities, most importantly the protection and processing of the personal data of our customers, prospective customers, employee candidates, company shareholders, company officials, and visitors, as well as the employees, shareholders, and officials of the organisations we cooperate with, and third parties that are covered by this Policy. Our Company’s activities regarding the protection of our employees’ personal data are managed under the Çimsa Çimento Sanayi ve Ticaret A.Ş. (Çimsa or Company) Employees’ Personal Data Protection and Processing Policy, which is prepared in line with the principles in this Policy.
According to the Constitution of the Republic of Türkiye, everyone is entitled to request protection of their personal data. Regarding this Constitutional right, Çimsa pays due attention to protecting the personal data of its employees and prospective employees, shareholders, officials, and third parties governed by this Policy, and makes it a Company policy.
To this end, Çimsa takes the necessary administrative and technical measures to protect the personal data processed in accordance with applicable legislation.
This Policy includes detailed explanations about the basic principles adopted by Çimsa in the processing of personal data as listed below:
1. Processing personal data in accordance with the rules of law and honesty,
2. Keeping personal data accurate and up-to-date when necessary,
3. Processing personal data for specified, explicit, and legitimate purposes,
4. Being relevant, limited, and proportionate to the purposes for which the personal data are processed,
5. Storing personal data for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed,
6. Informing the data subjects,
7. Establishing the necessary system for allowing the data subjects to exercise their rights,
8. Taking the necessary measures to protect personal data,
9. Acting in accordance with the relevant legislation and Personal Data Protection (PDP) Board regulations in transferring personal data to third parties in line with the requirements of the purpose of processing,
10. Demonstrating particular care over the processing and protection of sensitive personal data.
1.2. PURPOSE OF THE POLICY
The main purpose of this Policy is to clarify the personal data processing activities carried out by Çimsa in accordance with the law and the systems adopted for the protection of personal data and thereby ensure transparency by informing the persons including customers, prospective customers, employee candidates, Company shareholders, Company officials, and visitors, as well as the employees, shareholders, and officials of the organisations we cooperate with, and third parties whose personal data are processed by our Company.
1.3. SCOPE
This policy relates to all the personal data of our customers, prospective customers, employee candidates, Company shareholders, Company officials, and visitors, as well as the employees, shareholders, and officials of the organisations we cooperate with, and third parties, processed through automated means or non-automated means provided that they are part of any data filing system.
Regarding how this Policy pertains to the groups of data subjects listed above, this entire Policy may apply (e.g., visitors who are also active customers) or just some of its provisions (e.g. visitors only).
1.4. IMPLEMENTATION OF THE POLICY AND APPLICABLE LEGISLATION
Current statutory regulations regarding the processing and protection of personal data shall take precedence. If there is a discrepancy between the current legislation and the Policy, our Company accepts that the current legislation shall prevail.
The Policy is prepared by incorporating the rules laid down by the relevant legislation into Çimsa practices. Our Company operates the necessary systems and carries out preparations required to act in accordance with the enforcement periods stipulated in the PDP Law.
1.5. ENFORCEMENT OF THE POLICY
This Policy issued by our Company entered into force on 7 October 2016 in accordance with Personal Data Protection Law No. 6698 published on 7 April 2016. In the event that all or specific articles of the Policy are amended, the Policy shall be updated.
The Policy shall be published on our Company’s website (https://www.cimsakariyerim.com) and made available to the data subjects upon their request.
PART 2 – MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA
Our Company, in accordance with the legislation in force, takes all necessary technical and organisational measures to ensure an appropriate level of security to prevent the unlawful processing of or access to personal data, and protect such personal data, and conducts or commissions the necessary audits in this regard.
2.1. ENSURING THE SECURITY OF PERSONAL DATA
Our Company takes the necessary legal, technical, and organisational measures for data security as far as is technologically possible and exercises due care and diligence in this regard.
Employees are informed that they may not disclose the personal data they have learned to anyone else in violation of the provisions of the Personal Data Protection Law, and may not use it for purposes other than processing and that this obligation will continue after they leave their jobs, and they make the necessary commitments to this effect.
Our Company provides the necessary information throughout the company to prevent the imprudent or unauthorised disclosure, access, transfer, or other unlawful access to personal data, and it takes technical and organisational measures according to the nature of the data to be protected, technological means, and the cost of implementation.
Our Company’s obligations as a data controller when processing personal data, and its obligation to comply with the legal, organisational, and technical measures it has developed in this regard, are contractually imposed on data processing organisations that our Company deals with in various capacities such as suppliers and business partners, in accordance with the nature of their data processing activities.
Our Company conducts or commissions the necessary audits within its organisation in accordance with applicable legislation. The results of these audits are reported to the relevant department as part of the internal functioning of the Company and necessary activities are carried out to improve the measures taken.
If personal data processed in accordance with applicable legislation are obtained by others unlawfully, our Company operates a system that notifies the data subject affected and the Personal Data Protection Board as soon as possible.
2.2. OBSERVING THE RIGHTS OF THE DATA SUBJECT: CREATING CHANNELS SO THEY CAN COMMUNICATE THEIR RIGHTS TO THE COMPANY, AND EVALUATING THEIR REQUESTS
Our Company has the necessary channels, internal functioning procedures, and organisational and technical arrangements in accordance with applicable legislation to evaluate the rights of personal data subjects and to give the data subjects the necessary information.
If data subjects submit their requests regarding their rights listed below to our Company in writing, our Company shall conclude the request within the periods set forth in the applicable legislation, depending on the nature of the request.
Data subjects have the following rights:
1. To learn whether their personal data are processed or not,
2. To request information if their personal data have been processed,
3. To learn the purpose of the processing of their personal data and whether these personal data are used in compliance with the purpose,
4. To know the third parties to whom their personal data are transferred at home or abroad,
5. To request the rectification of incomplete or inaccurate data, if any,
6. To request the erasure or destruction of their personal data under the conditions stipulated in the applicable legislation,
7. To request that the third parties to whom their personal data has been transferred be notified of the rectification, erasure, and destruction procedures performed in accordance with the applicable legislation,
8. To object to an outcome detrimental to them as a result of processed data being analysed solely by automated systems,
9. To claim compensation for the damage arising from the unlawful processing of their personal data.
Pursuant to the legislation in force, data subjects are required to submit their requests to exercise the above-mentioned rights to our Company in writing or by other methods permitted by the legislation.
Since no additional method has been determined as of the effective date of this Policy, the relevant application must be submitted to our Company in writing in accordance with the mandatory provision of the legislation.
In order to exercise the above-mentioned rights, submitting the request by specifying the necessary information identifying the personal data subject and explanations regarding the right to be exercised, as well as which right the request is related to, will ensure that the application is handled more quickly and effectively.
You can send a petition containing your detailed explanation of the right to be exercised and the subject of your request to the address “Allianz Tower Küçükbakkalköy Mah. Kayışdağı Cad. No: 1 Kat: 23-24 34750 Ataşehir/İstanbul” by registered letter with return receipt requested.
2.3. PROTECTION OF SENSITIVE PERSONAL DATA
With the Personal Data Protection Law, special importance has been attributed to the risk of causing personal injury or discrimination when certain data is processed unlawfully.
These data are related to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations, or trade unions, data concerning health, sex life, criminal convictions and security measures, and biometric and genetic data.
Our Company exercises great care in the protection of sensitive personal data, called ‘special category’ by the Personal Data Protection Law and processed in accordance with the law. As such, our Company carefully applies the technical and organisational measures for the protection of personal data to the special categories of personal data, and performs the necessary controls.
PART 3 – MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA
Regarding the processing of personal data in accordance with legislation, our Company conducts personal data processing activities in accordance with the law and the rules of honesty, by processing accurate, and up-to-date data when necessary for specified, explicit, and legitimate purposes, relevant, limited, and proportionate to the purposes for which they are processed. Our Company stores personal data for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.
3.1. PROCESSING OF PERSONAL DATA ACCORDING TO THE PRINCIPLES STIPULATED IN THE LEGISLATION
3.1.1. Processing in accordance with the law and the rules of honesty
Our Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. As such, our Company takes into consideration the proportionality requirements in the processing of personal data and does not use personal data other than for its intended purpose.
3.1.2. Ensuring accuracy and keeping up-to-date where necessary
Our Company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of data subjects and their legitimate interests. It takes necessary measures in this regard.
3.1.3. Processing for Specified, Explicit and Legitimate Purposes
Our Company clearly and precisely determines the legitimate and lawful purpose of processing personal data. Our Company processes personal data in connection with the services it provides and to the extent required for these services. The purpose for which personal data will be processed by our Company is determined before the personal data processing activity begins.
3.1.4. Being Relevant, Limited, and Proportionate to the Purposes for which They are Processed
Our Company processes personal data conducive to achieving the specified purposes, and it avoids processing personal data that is not required or not related to said purpose. For instance, personal data are not processed to meet needs that may arise later.
3.1.5. Storing for the period laid down by relevant legislation or the period required for the purpose for which they are processed
Our Company stores personal data only for the period required by the applicable legislation or for the purpose for which they were processed. To this end, our Company first determines whether the applicable legislation stipulates a period for the storage of personal data; if a period has been specified, it complies with that period; if a period is not specified, it stores personal data for the period required for the purpose of processing them. If the period expires or the purposes of processing are no longer applicable, our Company erases, destroys, or anonymises the personal data.
3.2. PROCESSING PERSONAL DATA BASED ON ONE OR MORE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN THE LEGISLATION AND PROCESSING LIMITED TO THESE CONDITIONS
Although the legal basis for processing personal data by our Company varies, all personal data processing activities are performed in accordance with the general principles set out in the legislation.
(i) Seeking the explicit consent of the data subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject should be given on a specific subject, based on information and freely.
For processing personal data based on the explicit consent of the data subject, explicit consent of the customers, prospective customers, and visitors is obtained through the relevant methods.
(ii) Expressly stipulated by the laws
The personal data of the data subject may be processed in accordance with the law if clearly prescribed by law.
(iii) Failure to obtain explicit consent of the data subject due to actual impossibility
Personal data of the data subject may be processed if it is necessary to protect the life or physical integrity of the person himself/herself or of any other person who is unable to explain his/her consent due to physical disability or whose consent is not deemed legally valid.
For example, giving the blood type details of a fainting customer to the doctors by his/her friends.
(iv) Being directly related to the establishment or performance of the contract
Personal data may be processed if the processing of personal data of the parties of a contract is necessary, provided that they are directly related to the establishment or performance of the contract.
(v) Company’s compliance with legal obligations
As the data controller, our Company may process the personal data of the data subject if it is necessary for compliance with legal obligations.
(vi) Publication of Personal Data by the Data Subject
The personal data of the data subject may be processed if they have been made public by the data subject himself/herself.
(vii) Data processing is necessary for the establishment, exercise, or protection of any right
The personal data of the data subject may be processed if data processing is necessary for the establishment, exercise, or protection of any right.
(viii) Processing of data is necessary for the legitimate interests of our Company
The personal data of the data subject may be processed if the processing of data is necessary for the legitimate interests pursued by our Company, provided that this processing does not violate the fundamental rights and freedoms of the data subject.
3.3. PROCESSING SENSITIVE PERSONAL DATA
Our Company shall diligently comply with the regulations stipulated by the PDP Law when processing ‘sensitive’ personal data as specified by the Personal Data Protection (PDP) Law.
Article 6 of the PDP Law categorises certain personal data as ‘sensitive’ personal data which may cause victimisation or discrimination when processed unlawfully. These data are related to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations, or trade unions, data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data.
In accordance with the PDP Law, our Company shall process sensitive personal data in the following cases, provided that adequate measures to be determined by the PDP Board are taken:
1. If the data subject expresses his/her explicit consent, or
2. If the data subject does not express his/her explicit consent: the data subject’s sensitive personal data, other than his/her health and sex life, in cases stipulated by law.
The data subject’s sensitive personal data concerning health and sex life may only be processed by the persons subject to the obligation of secrecy or competent public institutions and organisations for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and nursing services, planning and managing health-care services as well as financing them.
3.4. TRANSFER OF PERSONAL DATA
In line with the lawful purposes of personal data processing, our Company may transfer the subject’s personal data and sensitive personal data to third parties (third-party companies, group companies, natural third parties) by taking the necessary security measures. Our Company shall act in accordance with the regulations stipulated in the legislation.
In line with the lawful purposes of personal data processing, our Company may transfer the subject’s personal data and sensitive personal data to third parties by taking necessary security measures and within the extent and framework permitted by the legislation.
3.5. CONDITIONS FOR ERASING, DESTROYING, AND ANONYMISING PERSONAL DATA
Despite being processed in compliance with the provisions of the legislation, personal data shall be erased, destroyed, or anonymised by our Company ex officio or on the request of the data subject, when the reasons for processing them no longer exist.
Our Company has taken the necessary technical and organisational measures within the Company to fulfill its related obligations in this regard, and has developed the necessary mechanisms to do this; it trains the relevant business units, gives them assignments, and raises their awareness so they can comply with these obligations.