1. PURPOSE
The right of every individual to request the protection of their personal data is a fundamental right arising from the Constitution. As Çağ Çelik Demir Ve Çelik Endüstri Anonim Şirketi (“Çağ Çelik”), we consider fulfilling the requirements of this right as one of our most valuable duties. For this reason, we attach importance to the lawful processing and protection of your personal data. The Corporate Personal Data Protection Policy has been prepared in order to determine the principles we adopt and the procedures we implement while processing and protecting personal data, as a result of the importance we attach to the protection of personal data.
2. SCOPE
The Policy covers all personal data managed by Çağ Çelik and all kinds of processing activities carried out on such data, whether obtained, recorded, stored, preserved, altered, reorganized, disclosed, transferred, acquired, made available, classified or prevented from use, either fully or partially by automated means or by non-automated means provided that they form part of any data recording system. The Policy relates to all personal data processed concerning Çağ Çelik’s shareholders, officials, customers, employees, supplier representatives and employees, and third parties. Çağ Çelik may amend the Policy in order to comply with the legislation and the decisions of the Personal Data Protection Authority and to ensure better protection of personal data.
3. DEFINITIONS
Abbreviation: Definition
Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Explicit Consent: Consent given freely, based on information and relating to a specific subject.
Anonymization: Rendering personal data in such a way that it can no longer be associated with an identified or identifiable natural person, even by matching it with other data.
Data Subject: The natural person whose personal data is processed.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: The deletion, destruction or anonymization of personal data.
Law/KVKK: Law No. 6698 on the Protection of Personal Data.
Recording Environment: Any environment where personal data processed fully or partially by automated means or by non-automated means provided that they form part of any data recording system are stored.
Personal Data: Any information relating to an identified or identifiable natural person.
Data Inventory: The inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds of processing, data categories, recipient groups and data subject groups, specifying the maximum retention periods required for the purposes for which the personal data are processed, the personal data foreseen to be transferred abroad, and the measures taken regarding data security.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing the use of personal data, whether fully or partially by automated means or by non-automated means provided that they form part of any data recording system.
Commission: The Personal Data Protection Commission established by Çağ Çelik in order to manage the Policy and related procedures and to ensure the enforcement of the Policy.
Board: The Personal Data Protection Board.
Authority: The Personal Data Protection Authority.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all conditions for processing personal data set forth in the Law cease to exist.
Policy: Personal Data Protection Policy www.akkasgroup.com
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
4. GENERAL PRINCIPLES
Çağ Çelik audits the compliance of the data to be processed with the principles below during the preparation phase of each new workflow requiring personal data processing. Workflows that are not found compliant are not implemented. While processing personal data, Çağ Çelik:
(I) Acts in accordance with the law and principles of good faith.
(II) Ensures that personal data are accurate and kept up to date where necessary.
(III) Ensures that the purpose of processing is specific, explicit and legitimate.
(IV) Checks that the processed data are relevant to the purpose for which they are processed, limited to what is necessary and proportionate.
(V) Retains data only for the period stipulated in the relevant legislation or required for the purpose of processing and destroys them when the purpose ceases to exist.
5. DUTIES AND RESPONSIBILITIES
Within Çağ Çelik, the Personal Data Protection Commission has been established in order to manage this Policy and related procedures regarding the processing of personal data and to ensure the enforcement of the Policy. The Commission consists of the General Manager, Human Resources Manager, Purchasing Manager and Quality Control Manager. In addition, Çağ Çelik receives KVKK consultancy support when necessary to ensure compliance with Law No. 6698 on the Protection of Personal Data. The Commission may invite the KVKK consultant to its meetings if deemed necessary. The duties and responsibilities of the Commission are stated below.
(I) Meets ordinarily once every 6 months. Extraordinary meetings may be held if conditions require (for example, in the event of a possible data breach).
(II) Discusses matters that need to be amended/improved in the Policy.
(III) Identifies matters to be fulfilled for the lawful processing and protection of personal data.
(IV) Determines the steps to be taken to increase KVKK awareness within the company and among business partners.
(V) Identifies risks that may be encountered in the processing and protection of personal data and takes the necessary administrative and technical measures.
(VI) Ensures communication with the Authority and manages relations.
(VII) Evaluates requests received from the Data Subject.
(VIII) Monitors periodic destruction processes.
(IX) Updates the Data Inventory.
(X) Makes assignments regarding the matters listed above.
6. MEASURES TAKEN FOR DATA SECURITY
Çağ Çelik takes all necessary technical and administrative measures to ensure an appropriate level of security in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, and (iii) ensure the preservation of personal data.
6.1. Technical Measures
(I) Network security and application security are ensured.
(II) Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
(III) Access logs are kept regularly.
(IV) Up-to-date anti-virus systems are used.
(V) Firewalls are used.
(VI) Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
(VII) The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
(VIII) The security of environments containing personal data is ensured.
(IX) Personal data are backed up and the security of backed-up personal data is also ensured.
(X) A user account management and authorization control system is implemented and monitored.
(XI) Log records are kept in a way that prevents user intervention.
(XII) Intrusion detection and prevention systems are used.
(XIII) Encryption is applied.
6.2. Administrative Measures
(I) There are disciplinary regulations for employees that include provisions on data security.
(II) Training and awareness activities on data security are carried out for employees at regular intervals.
(III) Corporate policies regarding access, information security, use, retention and destruction have been prepared and implemented.
(IV) Data masking measures are applied when necessary.
(V) Confidentiality undertakings are executed.
(VI) An authorization matrix has been created for employees.
(VII) The authorizations held in this field by employees who change positions or leave the company are revoked.
(VIII) Executed contracts include data security provisions.
(IX) Personal data security policies and procedures have been determined.
(X) Personal data security issues are reported promptly.
(XI) Personal data security is monitored.
(XII) Personal data are minimized as much as possible.
(XIII) Periodic and/or random internal audits are conducted and commissioned.
(XIV) Existing risks and threats have been identified.
(XV) Protocols and procedures for the security of special categories of personal data have been determined and implemented.
(XVI) If special categories of personal data are to be sent via electronic mail, they are sent encrypted and via KEP or a corporate email account.
(XVII) Awareness of data processors and service providers regarding data security is ensured.
7. RIGHTS OF THE DATA SUBJECT REGARDING PERSONAL DATA
The Data Subject may apply to Çağ Çelik and make requests on the following matters:
(I) To learn whether their personal data are processed,
(II) To request information if their personal data have been processed,
(III) To learn the purpose of processing their personal data and whether they are used in accordance with that purpose,
(IV) To learn the third parties to whom their personal data are transferred domestically or abroad,
(V) To request the correction of their personal data if processed incompletely or inaccurately and to request notification of the transaction made within this scope to third parties to whom the personal data have been transferred,
(VI) Although processed in accordance with the KVKK and other relevant laws, to request the deletion, destruction or anonymization of their personal data in the event that the reasons requiring processing cease to exist and to request notification of the transaction made within this scope to third parties to whom the personal data have been transferred,
(VII) To object to any result to their detriment that arises from the analysis of the processed data exclusively through automated systems,
(VIII) To request compensation for damages in the event that they suffer damage due to unlawful processing of their personal data.
8. BREACH NOTIFICATIONS
Çağ Çelik employees report to the Commission any work, action or fact that they believe violates the provisions of the KVKK and/or the Policy. Following such breach notification, the Commission convenes if deemed necessary and establishes an action plan regarding the breach. If the breach has occurred through the unlawful acquisition of personal data by others, the Commission notifies the relevant person and the Board within 72 hours within the scope of the Board’s decision dated 24.01.2019 and numbered 2019/10.
9. AMENDMENTS
Amendments to the Policy are prepared by the Commission and submitted for approval to the Board of Directors of Çağ Çelik. The updated Policy may be sent to employees via e-mail or published on the website.
10. EFFECTIVE DATE
This version of the Policy entered into force upon approval by the Board of Directors on 18.03.2020.