PERSONAL DATA PROTECTION POLICY PURSUANT TO THE PROCEDURE AND PRINCIPLES OF THE LAW ON THE PROTECTION OF PERSONAL DATA WITH NUMBER 6698 (“PERSONAL DATA PROTECTION LAW”)
Mateks Makina – DURSUN BAL shows utmost care to the safe protection, processing, transferring, erasure and destruction of personal data in both physical and numerical environments pursuant to the law numbered 6698 and we take the necessary administrative and technical measures in this regard in all our activities. Mateks Makina – DURSUN BAL carries out all the activities with regard to the protection of personal data according to this Personal Data Protection, Processing, Transferring, Destruction Policy (“Policy”).
Mateks Makina shall analyze the personal data processing activities it conducts based on this Policy and take any technical and administrative measures for the compliance with Policy. After the determined action and measures are carried out, the internal control mechanisms shall be processed and the continuance of the compliance with Policy shall be maintained.
The main purpose of this Policy is to inform the persons whose personal data we process and who are identified or identifiable with respect to issues such as the personal data processing, storing, protection, erasure activities of Mateks Makina; measures taken within this scope; rights of data owners and the way of using such rights.
The scope of this Policy is all the processed personal data of the persons whose data we process and who are identified or identifiable.
The specified articles in the Policy cover any kinds of information and document which may be associated with an identified or identifiable natural person and the measures taken and regulations made in relation to this.
This Policy executed by Mateks Makina entered into force on 14.10.2020.
In case of revision of some or all articles of Policy, the revision date of Policy shall be stated.
In case of a discrepancy between the applicable legislation and Policy, the provisions of legislation shall prevail. In case there is another policy or regulation executed on the same subject for more special purposes except this main Policy, the articles containing more special provisions shall prevail. The provisions of other policies and documents, which conflict with this Policy and the applicable legislation, shall not be applied.
DEFINITIONS | EXPLANATION |
Explicit Consent | Consent regarding a specific topic, which is based on being informed and explained with one’s free will. |
Anonymization | Rendering personal data unassociatable with an identified or identifiable natural person by way of matching with other data. |
Employee | Employees of Mateks Makina |
Employee Candidate | The candidate who is interviewed for the purpose of employment. |
Relevant Person | A natural person whose personal data is processed. |
Relevant User | Persons who process the personal data within the data controller organization or pursuant to the authorization and instruction given by data controller, except for the person or department responsible for the technical storage, protection and backing up of data |
Destruction | Transaction of erasure, destruction or anonymization of personal data |
Law | Personal Data Protection Law |
Recording Medium | Any medium where personal data which is processed through wholly or partly automatic or non-automatic ways provided that it is part of any data recording system is stored |
Personal Data | Any information regarding an identified or identifiable natural person |
Personal Data Processing Inventory | Personal data processing inventory where the data controllers explain in detail the personal data processing activities they conduct based on their business processes; the maximum period they create by associating with personal data processing purposes, data category, the transferred receiver group and the group of people subject to data and which is necessary for the purposes of processing personal data; personal data which is anticipated to be transferred to abroad and the measures taken with respect to data safety. |
Anonymization of Personal Data | Anonymization of personal data, rendering personal data such that it becomes impossible to relate it to an identified or identifiable natural person even if by way of matching the personal data with other data |
Destruction of Personal Data | Erasure, anonymization or disposal of personal data |
Erasure of Personal Data | The process of rendering personal data inaccessible and nonreusable in any way for the relevant users |
Disposal of Personal Data | Disposal of the personal data, rendering it inaccessible, unrestorable and nonreusable in any way for anybody |
Personal Data Protection Law | Personal Data Protection Law published in the Official Gazette dated 7 April 2016 with number 29677 |
Personal Data Protection Board | Personal Data Protection Board |
Sensitive Personal Data | Data about people’s race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data |
VERBIS (Data Registry Information System) | Information system accessible via the internet, created and administered by the Presidency, which shall be used by data controllers in the application to the Registry and other acts regarding the Registry |
Data Processor | Natural or legal person who processes the personal data on behalf of the data controller pursuant to his authorization |
Data Controller | Natural or legal person who determines the purposes and means of processing personal data, responsible for establishing and administering data recording system |
Mateks Makina processes the personal data in accordance with the provisions and rules laid down by Personal Data Protection Law numbered 6698 (“Law”) and the other applicable legislation.
Personal data processing principles are laid down by the Law. Mateks Makina acts according to such principles in each data processing activity.
Mateks Makina acts according to legal arrangements and good faith in processing personal data. Within this scope, Mateks Makina processes the personal data in accordance with personal data protection legislation and the rules laid down by the related legislation; does not process personal data for purposes other than those announced to data owners; processes personal data only in the required amount, in a level in compliance with the data processing purposes by applying the principles of proportionality and necessity in processing personal data.
Mateks Makina takes the required measures in data processing procedures to ensure that the processed data is accurate and updated. Within this scope, the personal data owner is allowed to apply to Mateks Makina to have its data updated or corrected.
Mateks Makina processes personal data only for legal purposes. Mateks Makina establishes its personal data processing purposes before starting the data processing activity, except for exceptional cases set forth by Personal Data Protection Law and announces such purposes explicitly to data owners while obtaining their personal data.
Personal data is processed in relation to the purpose clearly and precisely determined, in a limited and measured manner, and we refrain from the processing of unnecessary personal data.
Mateks Makina processes the personal data according to one or more of the personal data processing terms set forth by the articles 5 and 6 of the Personal Data Protection Law, provided the relevant person gives explicit consent or it is within the scope of exceptions set forth by the Personal Data Protection Law. Our company processes personal data in accordance with the regulations laid down by the Law. Data processing activities outside this scope are terminated.
In the following legal exceptional cases, sensitive personal data is processed without explicit consent:
Our company may transfer the personal data which we process in accordance with our personal data processing purposes to third parties, except for the above-mentioned exceptional circumstances, provided that the relevant person gives explicit consent. In case of need, Mateks Makina performs the transfer of personal data in accordance with the decisions and regulations laid down by the Personal Data Protection Law and taken by Personal Data Protection Board.
As a principle, Mateks Makina does not transfer the Personal Data abroad without the explicit consent of data owner.
Mateks Makina informs the personal data owners about how their personal data will be processed during the acquisition of personal data in compliance with the disclosure requirement provided by Law. Within this scope, Mateks Makina informs the data owners about the following matters in minimum:
Mateks Makina stores personal data, which they process in accordance with the principles set forth by Law, for the period of time as stated in legislations. After the related regulations are put into force by Personal Data Protection Board, a contact person shall be assigned within the scope of personal data processing activities and the registration to VERBIS (Data Registry Information System) shall be carried out.
If a retention period for the related types of personal data is not established by the legislation, personal data shall be retained until the purpose for which they are processed ends.
In case a retention period for the related types of personal data is not established by the legislation, retention periods specific to each data processing purpose are established. Within this scope, retention periods are determined based on the applications of Mateks Makina and the practices of business life.
Personal data may be stored for purposes of constituting evidence in possible legal disputes except for the purpose of processing, claiming something which may be proved with personal data, pleading and responding to the information requests coming from the competent public institutions. In establishing the periods herein, the period of limitation regarding the relevant claims and company practice and general practices in the same subjects is considered.
In case of circumstances where Mateks Makina has a legitimate interest, although the purpose of processing and the periods provided by relevant laws are expired, personal data may be stored until the end of the general period of limitation (ten years) which is regulated by the Turkish Code of Obligations numbered 6098, provided that it does not violate the fundamental rights and freedoms of data owners. After the mentioned period of limitation expires, personal data shall be erased, destroyed or anonymized according to the above-mentioned procedure.
Personal Data Protection Board may bring detailed arrangements with respect to obligations regarding data safety. In case detailed arrangements are brought, a proper effort shall be made and a maximum level of security be maintained to comply with the obligations in the arrangements.
Technical Measures:
Administrative Measures:
When the specified periods expire, Mateks Makina makes an official report and destroys the relevant personal data by selecting one of the 3 (three) options. They are as follows:
The details of these three methods will be explained in the following sections. Also, personal data is erased, destructed or anonymized upon the request of the personal data owner.
Mateks Makina’s “Personal Data Processing Inventory” is controlled by the Data Controller at 6 (six) month intervals and if there are destruction procedures, the necessary actions are taken and logs (details of the destroyed documents) shall be retained for 2 years as laid down by Law.
In the event that the reasons requiring the personal data processing laid down by article 5 and 6 in Personal Data Protection Law no longer exist, Mateks Makina destroys the personal data ex officio or upon the request of the relevant person (data owner), if the request is accepted upon evaluation. Also, in case the terms of personal data processing no longer exist and personal data subject to request are transferred to third parties, Mateks Makina informs the third party on this subject and requests the necessary actions to be taken on behalf of the third party.
Technical Measures:
Administrative Measures:
Erasure and disposal of personal data in Mateks Makina is carried out through the following methods in accordance with the principles specified by this Policy.
Contact person assigned by Mateks Makina is liable to take any technical and administrative measures so that the erased personal data shall be inaccessible and nonreusable for the relevant users.
The basic process the Data Controller shall follow in personal data erasure procedures is as follows:
As the personal data in Mateks Makina may be stored in different recording mediums, they shall be erased through methods in accordance with their recording mediums. Examples of the methods used by Mateks Makina to erase personal data are as follows:
In cloud system applications used by our company, personal data may be erased permanently by Relevant User. Relevant User is not authorized to restore the relevant data in the cloud system.
Personal data in paper format within our Company are destroyed by a paper shredder. However, in exceptional circumstances, they may be erased by using the darkening method. This process is carried out by cutting out the personal data on the relevant document, if possible, and if not, making it invisible to relevant users by using marking ink in a way that cannot be reversed and cannot be read through technological solutions.
In case the Relevant User is authorized to delete something permanently in the file where personal data is stored, they may delete the relevant file irreversibly by the delete command in the operating system of the file. If they are not authorized to delete permanently, the rights of access of the Relevant User regarding the file index where the file is located are removed. During the performance of such procedures, necessary measures are taken so that the Relevant User shall not be the system administrator at the same time.
Personal data in Flash-based storage mediums within Mateks Makina are stored encoded and deleted by using software appropriate for such mediums.
Personal data stored in Mateks Makina’s databases are deleted by database commands (DELETE, etc.). While performing this procedure, it should be ensured that the Relevant User is not also the database administrator.
Personal data disposed by Mateks Makina are rendered in a way that cannot be accessed, restored and reused by anybody. Data controller is liable to take any technical and administrative measures required for disposal of personal data.
In order to dispose of personal data, it is required to determine all the copies where the data exists and dispose of them one by one by using one or more of the following methods according to the type of the systems where data is located.
Mateks Makina, if necessary, may agree with a specialist to have him dispose of personal data on behalf of Mateks Makina. In this case, personal data are safely disposed by a person who is specialized in this matter in a way that cannot be recovered.
Mateks Makina may use one or more of the following methods to dispose of the personal data over the relevant local systems.
The process of destroying the data by passing the magnetic media through a special device and exposing it to a high-powered magnetic field. Mateks Makina may agree with a specialist for this process, if necessary.
Process of physical destruction such as the melting, burning or powdering of optical media and magnetic media. Data is rendered inaccessible through processes such as melting, burning and powdering the optical or magnetic media or passing it through a metal grinder. If overwriting or degaussing processes fail with respect to solid-state drives, this media shall also be destroyed physically. Mateks Makina may agree with a specialist for this process, if necessary.
Process of preventing the recovery of old data by writing random data consisting of at least seven ones and zeros over the magnetic media and rewriteable optical media. This process may be performed by using special software. Mateks Makina may agree with a specialist for this process, if necessary.
Mateks Makina may use whatever is appropriate among the following methods to destroy the personal data over the relevant environmental systems based on the media type.
Storage mediums in the relevant devices are fixed. Devices mostly have delete commands but they lack destroy commands. It is destroyed by using one or more of the appropriate methods specified in Local Systems section.
Flash-based hard drives with ATA (SATA, PATA, etc.), SCSI (SCSIExpress, etc.) interfaces are destroyed by using their command, if it is supported, and if not, by using the method of destruction recommended by the manufacturer or one or more of the appropriate methods specified in Local Systems section.
Mediums store the data with the help of micromagnet pieces on elastic tape. It shall be destroyed by degaussing (exposing it to high-powered magnetic fields) or by physical destruction methods such as burning and melting. Mateks Makina may agree with a specialist for this process, if necessary.
Mediums store the data with the help of micromagnet pieces on elastic (plate) or fixed mediums. It shall be destroyed by degaussing (exposing it to high-powered magnetic fields) or by physical destruction methods such as burning and melting. Mateks Makina may agree with a specialist for this process, if necessary.
There is a delete command in the permanent memory of portable mobile phones; however, most of them lack a destroy command. It shall be destroyed by using one or more of the appropriate methods specified in Local Systems section.
Data storage mediums such as CD and DVD. It shall be destroyed by physical destruction methods such as burning, cutting up and melting. Mateks Makina may agree with a specialist for this process, if necessary.
It shall be destroyed by using one or more of the appropriate methods specified in Local Systems section according to its feature upon verifying that all the data recording mediums are removed. Mateks Makina may agree with a specialist for this process, if necessary.
While performing the destruction of personal data in Paper, Microfiche and equivalent mediums, paper shredders are used.
Personal data transferred from the original paper format to electronic medium by scanning shall be destroyed by using one or more of the appropriate methods specified in Local Systems section according to the electronic medium they are located in. Mateks Makina may agree with a specialist for this process, if necessary.
During the storage and use of personal data in cloud systems, they shall be encoded through cryptographic methods and separate encryption keys shall be used for areas available for personal data, especially for each cloud solution from which we receive service. When the cloud information service relationship is terminated, all copies of encryption keys required for rendering the personal data available shall be destroyed.
In addition to the foregoing mediums, procedure for destroying the personal data in broken or in-repair devices is conducted as follows:
Mateks Makina may anonymize personal data when reasons requiring the lawful processing of personal data no longer exist and when necessary. Methods of anonymization to be used by Mateks Makina in case of need are as follows:
Process of removing the basic identifying information of the personal data out of the data set and anonymizing the personal data through data masking.
“Transforming into a data set where it is impossible to identify the personal data owner by removing identifying information of the personal data owner such as name, T.R. Identity No., etc.”
“In case of asterisking some of the credit card numbers of the person, it is a case of data masking. (6698**** **** 0006)”
Several data is generalized through the method of generalization and personal data are rendered unassociatable with anyone.
“Demonstrating that there is Z number of employees at the age of X without demonstrating the age of employees individually.”
“Data on the number of female employees in the company being Z and 40% of them having bachelor’s degree and 60% of them having master’s degree are anonymized.”
Through data derivation method, a more general content than the content of personal data is established and the personal data is rendered unassociatable with anyone.
“In case of writing the age of the person instead of the Day/Month/Year details of the birth date, it is an example of anonymization by data derivation.”
Through the data swapping method, the values in the personal data set are swapped and the values and persons are disconnected.
“Rendering the voices and data owners unassociatable by changing the feature of voice records”
“In case of swapping the values demonstrating the ages of pupils in a class of which age average is to be calculated, it is an example of data swapping.”
All procedures regarding data processing activities within Mateks Makina are analyzed by relevant departments, and a Personal Data Processing Inventory is prepared by every department within this scope. Persons involved in personal data storage and destruction procedures and those authorized are the top employees of each respective department.
Mateks Makina, in accordance with article 12 of Personal Data Protection Law, takes the necessary technical and administrative measures to maintain the safety of personal data within the corporation and to prevent the illegal access to personal data and the illegal process of such personal data.
Mateks Makina shows maximum effort with respect to the protection of sensitive personal data. Within this scope, technical and administrative measures taken by our Company for the protection of personal data are carried out carefully in terms of sensitive personal data and necessary inspections are made within Mateks Makina.
Mateks Makina, in the event the personal data it processes are obtained by others through illegal ways, shows maximum effort to notify this situation to relevant data owner and Board as soon as possible.
Mateks Makina makes in-house inspections in accordance with article 12 of Personal Data Protection Law. The final report of inspection is reported to the relevant Data Controller and in case of a problem, regulative and preventive activities are performed.
Mateks Makina carries out the system which enables notifying this situation to relevant data owner and Personal Data Protection Board as soon as possible in the event the personal data it processes in accordance with article 12 of Personal Data Law are obtained by others through illegal ways.
In case deemed necessary by Personal Data Protection Board, such situation may be announced on the website of Personal Data Protection Board or through another method.
Sensitive personal data are identified in definitions sections.
Mateks Makina shows sensitivity in the protection of sensitive personal data, which is identified as sensitive by Personal Data Protection Board and lawfully processed by Mateks Makina. Within this scope, technical and administrative measures taken by Mateks Makina for the protection of personal data are carried out carefully in terms of sensitive personal data and necessary inspections are made within Mateks Makina.
Personal Data Owner has the following rights over their personal data.
If a different method is determined by Personal Data Protection Board, Personal Data Owner may submit their requests regarding their Personal data through this method or submit to the address of Mateks Makina in writing with wet signature.
In the application The Personal Data Owner will make to exercise the above-mentioned rights which contains the explanations regarding the right they request to exercise; the requested issue shall be exact and clear; the requested issue shall be related to the applicant or if they act for someone else, they shall be personally authorized in this matter and such authorization shall be certified, also, the identity and address information of the applicant shall be included and documents certifying their identity shall be attached to the application.
Relevant requests shall be made personally and requests to be made by unauthorized third parties shall not be considered.
Requests regarding personal data are responded to as soon as possible and no later than 30 days according to the nature of the request. While evaluating the application, additional documents and information may be requested.
If not all the reasons for processing personal data have disappeared, this request may be rejected by Mateks Makina by explaining the reason and the answer to rejection shall be notified to the relevant person no later than 30 days in writing or electronically.
If the request is accepted, the relevant action is taken and a notification is made in writing or electronically.
If our Company, upon the evaluation of accepted applications, decides to destroy the personal data, the destruction is conducted by Data Controller by using the appropriate method among the methods specified in this Policy no later than 30 (thirty) days or within the period set forth by Law and a notification is made to the relevant person.
In case of the rejection of request, it is notified to the application holder in writing or electronically by explaining the reason.