I. DATA PRIVACY COMMITMENT
1.1. This Personal Data Protection Policy (“Policy”) sets forth the principles to be followed by VİŞNE MADENCİLİK and/or VİŞNE MADENCİLİK when performing its obligations by VİŞNE MADENCİLİK ÜRETİM SANAYİ And TİCARET A.Ş. to protect the Personal Data and processing the Personal Data in accordance with the provisions of the relevant legislation, in particular the Personal Data Protection Law 6698.
1.2. VİŞNE MADENCİLİK undertakes to comply with the procedures to be applied in accordance with this Policy and Policy in terms of Personal Data within its own body.
II. PURPOSE OF POLICY
The main purpose of this Policy is to set forth the principles regarding the methods and processes for the protection of Personal Data by VİŞNE MADENCİLİK.
III. SCOPE OF POLICY
3.1. This Policy covers all activities related to the Personal Data processed by VİŞNE MADENCİLİK and applies to such activities.
3.2. This Policy will not apply to data that do not have the nature of Personal Data.
3.3. This Policy may be amended from time to time with the approval of the Board of Directors if the provisions of the Foreign Trade and Customs legislation or the legislation to be supervised by the Banking Law are required by the Data Controller Representative of VİŞNE MADENCİLİK.
IV. DEFINITIONS
Definitions contained in this Policy have the following meanings;
“Explicit Consent” refers to the consent of the Data Subject to the processing of Personal Data based on information and disclosed with free will.
“Anonymization” refers to rendering personal data unlikely to be associated with any identified or identifiable real person in any way even when personal data is mapped with other data.
“Anonymous Data” refers to data that may not be associated with the natural person in any way.
“Personal Data” refers to any information related to an identified or identifiable natural person (for the purposes of this Policy, “Personal Data” will include, to the extent applicable, “Sensitive Personal Data” as defined below).
“Personal Data Processing” refers to all kinds of processes performed on Personal Data, including obtaining, recording, storing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use in whole or in part, automatically or in non-automatic ways, being part of any data recording system.
“Board” refers to Personal Data Protection Board.
“Authority” refers to Personal Data Protection Authority.
“Personal Data Protection Law” refers to Personal Data Protection Law no. 6698.
“Personal Data Protection Law” refers to Personal Data Protection Law no. 6698 and other relevant legislation for the protection of Personal Data, binding decisions, policy decisions, provisions, instructions and applicable international agreements and any other legislation issued by regulatory and supervisory authorities, courts and other official authorities for the protection of data.
“Personal Data Protection Procedures” refers to the procedures that are approved and entered into force by the Board of Directors and specify the obligations of VİŞNE MADENCİLİK, employees, Data Controller Representative under this Policy.
“Sensitive Personal Data” refers to the biometric and genetic and security data and security measures of individuals with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, health, sexual life, criminal conviction and security measures.
“Erasure or Deletion” refers to making personal data inaccessible and unavailable to the users involved in any way.
“Data Inventory” refers to the inventory of Personal Data Processing activities of VİŞNE MADENCİLİK which includes information such as the processes and methods of Personal Data Processing, the purposes of the Personal Data Processing, the category of data, the third parties to whom the Personal Data is transferred, etc.
“Data Processor” refers to real or legal person who processes Personal Data on behalf of Data Controller by obtaining authorization from Data Controller.
“Data Subject” refers to all natural persons whose Personal Data are processed by or on behalf of VİŞNE MADENCİLİK.
“Data Controller” refers to real or legal person responsible for personal data processing purposes and means of processing and installing and managing data registry system.
“Data Controller Representative” refers to the employee selected from among employees of VİŞNE MADENCİLİK and conducting his/her relations with the Personal Data Protection Authority and appointed by the decision of the Board of Directors.
“Destruction” The process of destruction of personal data is the process of making personal data inaccessible, recoverable and unavailable to anyone.
V. PRINCIPLES OF PERSONAL DATA PROCESSING
5.1. Processing Personal Data in Compliance with Law and Integrity Guidelines
Personal Data are processed by VİŞNE MADENCİLİK in accordance with the law and the guidelines of integrity and on the basis of moderation.
5.2. Taking Required Measures for Accurate and Up-to-date Personal Data When Required
VİŞNE MADENCİLİK will take all necessary measures to ensure that the Personal Data is complete, accurate and up-to-date and will update the relevant Personal Data if the Data Subject requests changes to the Personal Data.
5.3. Processing of Personal Data for Specific, Legitimate and Clear Purposes
Before the Processing of the Personal Data, the purpose for which the personal data is to be processed is determined by VİŞNE MADENCİLİK. In this context, the Data Subject is clarified within the scope of the Personal Data Protection Regulations and their explicit consent is obtained when necessary.
5.4. Personal Data being Related, Limited and Measured for the Purpose they are Processed
VİŞNE MADENCİLİK processes the Personal Data only in exceptional cases within the scope of the Personal Data Protection Law Regulations (Articles 5.2 and 6.3 of Personal Data Protection Law) or for the purpose of the explicit consent received from the Data Subject (Articles 5.1 and 6.2 of Personal Data Protection Law) and in accordance with the principle of moderation.
5.5. Maintaining Personal Data as Needed and Deleting Them Thereafter
5.5.1. VİŞNE MADENCİLİK will keep Personal Data for as long as is necessary for the purpose herein. If VİŞNE MADENCİLİK wishes to retain the Personal Data for a period longer than the period stipulated in the Personal Data Protection Law Regulations or required for the purpose of the Personal Data Processing, VİŞNE MADENCİLİK will comply with the obligations set out in the Personal Data Protection Law Regulations.
5.5.2. After the expiry of the period required for the purpose of Personal Data Processing, Personal Data is Erased, Destroyed or Anonymized. In this case, third parties to whom VİŞNE MADENCİLİK transfers the Personal Data are also ensured to Erase, Destroy or Anonymize the Personal Data.
5.5.3. The Data Controller is responsible for the operation of Erasing, Destroying and Anonymizing Procedures. In this context, the necessary procedures are established by the Data Controller.
VI. PROCESSING PERSONAL DATA
Personal Data may only be processed by VİŞNE MADENCİLİK within the scope of the following procedures and principles.
6.1. Explicit Consent
6.1.1. Personal Data are processed after the notification to be made within the framework of fulfilling the obligation to disclose to Data Subjects and if the Data Subjects give explicit consent.
6.1.2. Data Subjects are informed of their rights before obtaining explicit consent within the framework of the Disclosure Obligation.
6.1.3. The explicit consent of the Data Subject is obtained by appropriate methods in accordance with the Personal Data Protection Law Regulations. Explicit Consents will be maintained by VİŞNE MADENCİLİK for the time required under the Personal Data Protection Law Regulations in a provable manner.
6.1.4. The Data Controller is responsible for ensuring the fulfilment of the Disclosure Obligation in respect of all Personal Data Processing processes and, if necessary, obtaining and maintaining the explicit consent. All department employees who process Personal Data are liable for complying with the Data Controller instructions, this Policy and the Personal Data Protection Procedures attached to this Policy.
6.2. Processing Personal Data Without Explicit Consent
6.2.1. Where the Processing of Personal Data is foreseen under the Personal Data Protection Law Regulations without explicit consent (Articles 5.2 and 6.3 of the Personal Data Protection Law), VİŞNE MADENCİLİK may process the Personal Data without obtaining the explicit consent of the Data Subject. In the event that Personal Data is processed in this way, VİŞNE MADENCİLİK Processes Personal Data within the limits set by the Personal Data Protection Regulations. Within this scope:
6.2.1.1. Personal Data may be processed by VİŞNE MADENCİLİK without explicit consent for the protection of the life or body integrity of a person other than the Data Subject and/or the Data Subject for which legal validity has not been recognized for its consent and which is in a position to explain its consent due to the actual impossibility.
6.2.1.2. Personal Data pertaining to the parties of the contract may be processed by VİŞNE MADENCİLİK without the explicit consent of the Data Subjects, if the conditions are met that it is directly related to establishment, implementation, performance or termination of a contract.
6.2.1.3. If the Processing of Personal Data is compulsory for VİŞNE MADENCİLİK to fulfil its legal obligation, Personal Data may be processed by VİŞNE MADENCİLİK without the explicit consent of the Data Subjects.
6.2.1.4. Personal Data publicized by the Data Subject may be processed by VİŞNE MADENCİLİK without explicit consent.
6.2.1.5. Personal Data processing without explicit consent is the only possible way for the establishment, use or protection of a right, and Personal Data may be processed by VİŞNE MADENCİLİK without explicit consent of the Data Controller Representative.
6.2.1.6. It is mandatory to process data for the legitimate interests of VİŞNE MADENCİLİK, provided that it does not prejudice the fundamental rights and freedoms of the Data Subject,
personal data may be processed by VİŞNE MADENCİLİK without explicit consent.
VII. PROCESSING SENSITIVE PERSONAL DATA
7.1. Sensitive Personal Data may only be processed if explicit consent of the Data Subject is obtained or if explicit processing is required by law in respect of Sensitive Personal Data other than sexual life and personal health data.
7.2. Personal Data relating to health and sexual life can only be processed without explicit consent for planning and managing the financing and health services and executing protective medicine, medical diagnosis, treatment and care services and protecting public health. Therefore, personal health data and sexual life data can only be processed by the physician of VİŞNE MADENCİLİK who is under the obligation of keeping secrets or within the scope of explicit consent until otherwise stipulated in the Personal Data Protection Law Regulations.
7.3. When Processing Sensitive Personal Data, measures determined by the Board are taken.
7.4. In any case requiring Processing Sensitive Personal Data, the Data Controller Representative is informed by the relevant employee.
7.5. If it is not understandable whether a data is Sensitive Personal Data, an opinion is obtained from the Data Controller Representative by the relevant department.
VIII. ERASURE, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
8.1. When the legitimate purpose for the Processing of Personal Data vanishes, the relevant Personal Data is Erased, Destroyed or Anonymized. Any cases where Personal Data must be Erased, Destroyed of or Anonymized are monitored by the Data Controller.
8.2. The Data Controller is responsible for the operation of Erasing, Disposing and Anonymizing Procedures. In this context, the necessary procedure is created by the Data Controller.
8.3. VİŞNE MADENCİLİK will not store the Personal Data after the expiry date of the legal periods considering the possibility of future use and will destroy it as specified in the Destruction Procedure.
IX. TRANSFERRING PERSONAL DATA AND PROCESSING PERSONAL DATA BY THIRD PARTIES
VİŞNE MADENCİLİK may transfer Personal Data to a third natural or legal person (the “Contractor”) in accordance with the Personal Data Protection Law Regulations. In this case, VİŞNE MADENCİLİK will ensure that third parties to whom the Personal Data is transferred comply with this Policy. In this context, necessary protective arrangements are added to the contracts concluded with third parties. The article to be added to the contracts concluded with third parties to which all kinds of Personal Data are transferred will be obtained from the Data Controller Representative. Each employee is obligated to progress the process set forth in this Policy in the event of Personal Data transfer. If the third party to whom personal data is transferred requests a change in the article communicated by the Data Controller Representative, the employee will immediately notify the Data Controller Representative.
9.1. Personal Data Transfer to Third Parties in Turkey
9.1.1. Personal Data may be transferred by VİŞNE MADENCİLİK to third parties in Turkey without explicit consent in exceptional cases specified in Article 5.2 and Article 6.3 of Personal Data Protection Law or provided that explicit consent of the Data Subject is obtained in other cases (Article 5.1 and Article 6.2 of Personal Data Protection Law).
9.1.2. Employees of VİŞNE MADENCİLİK and Data Controller’s Representative will be severally responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the Personal Data Protection Regulations.
9.2. Transfer to Third Parties within Foreign Borders
9.2.1. Personal Data may be transferred by VİŞNE MADENCİLİK to third parties abroad without explicit consent in the exceptional cases set out in Articles 5.2 and 6.3 of the Personal Data Protection Law or provided that explicit consent of the Data Subject is obtained in other cases (Articles 5.1 and 6.2 of the Personal Data Protection Law).
9.2.2. In the event that the Personal Data is transferred without explicit consent in accordance with the Personal Data Protection Law Regulations, the presence of one of the following conditions is required in terms of the foreign country to be transferred separately:
9.2.3. The foreign country in which the personal data is transferred has the status of countries with adequate protection by the Board (please follow the current list of the Board for the list),
9.2.4. If the foreign country to which the transfer will take place is not included in the Council’s list of safe countries, VİŞNE MADENCİLİK and the Data Controllers in the relevant country will obtain permission from the Board by making a written commitment to ensure adequate protection.
9.2.5. Employees of VİŞNE MADENCİLİK and Data Controller’s Representative will be severally responsible for ensuring that the transfer of Personal Data abroad to third parties complies with the Personal Data Protection Regulations.
X DISCLOSURE OBLIGATION OF THE COMPANY
10.1. VİŞNE MADENCİLİK will make a disclosure to Data Subjects before processing Personal Data in compliance with Article 10 Personal Data Protection Law. In this context, VİŞNE MADENCİLİK fulfils the Disclosure Obligation during acquiring the personal data. The notification to be made to Data Subjects under the Disclosure Obligation will include the following elements, respectively:
10.1.1. Identification of Data Controller or its representative, if any,
10.1.2. For what purpose the personal data is to be processed,
10.1.3. To whom and what purpose the processed personal data will be transferred,
10.1.4. Method and legal reason for personal data collection,
10.1.5. Rights of Data Subjects.
10.2. VİŞNE MADENCİLİK will make the required disclosure in cases where Data Subject requests information in compliance with Article 11 of Personal Data Protection Law.
10.3. If requested by Data Subjects, VİŞNE MADENCİLİK will notify the Data Subject of the Personal Data processed by the Data Subject.
10.4. The employee and the Data Controller Representative following the relevant process are severally responsible for ensuring that the necessary Disclosure Obligation is fulfilled before the Processing of Personal Data. In this context, the Personal Data Protection Procedure is established by the Data Controller Representative and the Committee to report each new processing process to the Data Controller Representative.
10.5. In case the Data Processor is a third party other than VİŞNE MADENCİLİK, it must be committed by the third party before the start of the Personal Data Processing by a written contract in which the third party will comply with the obligations set out above. In cases where third parties transfer Personal Data to VİŞNE MADENCİLİK, the article to be added to the contracts is supplied from the Data Controller Representative. Each employee is obliged to proceed with the process contained in this Policy in case of transfer of Personal Data to VİŞNE MADENCİLİK by a third party. If the third party transferring the Personal Data requests changes in the article communicated by the Data Controller Representative, the employee will immediately notify the Data Controller Representative.
XI. RIGHTS OF DATA SUBJECTS
11.1. VİŞNE MADENCİLİK will respond to the following requests of the Data Subjects to whom it holds Personal Data in accordance with the Personal Data Protection Law Regulations:
11.1.1. Acquiring the information whether or not personal data are processed by VİŞNE MADENCİLİK,
11.1.2. Requesting information if their personal data is processed,
11.1.3. Being aware of the purpose of the processing of personal data and whether they are used in accordance with their purpose,
11.1.4. Being aware of the third parties to whom personal data are transferred at home or abroad,
11.1.5. Requesting correction of Personal Data in case of incomplete or incorrect processing by VİŞNE MADENCİLİK,
11.1.6. Requesting the deletion, destruction or anonymization of the personal data by VİŞNE MADENCİLİK in the event that the reasons requiring processing of the personal data are eliminated for evaluation within the purpose, duration and legitimacy principles,
11.1.7. Requesting notification of the transactions made within the scope of Articles 11.1.5 and 11.1.6 to the third parties to whom the personal data are transferred,
11.1.8. Objecting to this result in the event of a result to the detriment of the Data Subject if the Processed Personal Data is analyzed exclusively through automated systems,
11.1.9. Requesting compensation in case of unlawful processing of Personal Data and consequent loss of Data Subject.
In cases where the Data Subjects wish to exercise their rights and/or VİŞNE MADENCİLİK considers that they are not acting within the scope of this Policy when processing the Personal Data, they may deliver their requests by hand to the e-mail address of the Data Controller given below and which may change from time to time, either by secure electronic signature or by a wet signed petition identifying them to the postal address below and which may change from time to time, or by notary public.
Data Controller: Vişne Madencilik Üretim San. Ve Tic. A.Ş.
E-mail: kvk@visnemadencilik.com
Address: Mınak Boğazı Mevkii Çelemli Belgesi Yüreğir Adana Türkiye
11.2. VİŞNE MADENCİLİK will conclude the request free of charge within at the latest thirty days according to the nature of the request if the Data Subjects submit their requests regarding the rights listed above to VİŞNE MADENCİLİK in writing. In case of a separate cost related to the finalization of the claims by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller. The Data Controller accepts or rejects the request by explaining the reason and notifies in writing or electronically to the relevant person. If the request included in the application is accepted, it will be duly fulfilled by the Data Controller. In case the application is caused by the error of the Data Controller, the fee collected will be returned to the data subject.
XII. DATA MANAGEMENT AND SECURITY
12.1. VİŞNE MADENCİLİK appoints a Data Controller Representative to fulfil its obligations under the Personal Data Protection Law Regulations, to ensure and supervise the implementation of the Personal Data Protection Law Procedures required for the implementation of this Policy, and to make suggestions for their functioning and to form a Committee.
12.2. All employees involved in the process of protecting Personal Data in accordance with this Policy and Personal Data Protection Procedures are severally responsible.
12.3. Personal Data Processing activities are audited by VİŞNE MADENCİLİK with technical systems according to technological facilities and application cost.
12.4. Knowledgeable personnel are employed in technical matters related to Personal Data Processing activities.
12.5. VİŞNE MADENCİLİK is informed and trained for the protection and lawful processing of Personal Data.
12.6. In order to ensure that the employees who need to access the Personal Data in VİŞNE MADENCİLİK have access to the said Personal Data, the necessary Personal Data Protection Procedure is established and the Data Controller Representative and the Committee are jointly and severally responsible for its creation and implementation.
12.7. Employees of VİŞNE MADENCİLİK may access Personal Data only within the scope of the authority defined for them and in accordance with the relevant Personal Data Protection Law Procedure. Any access and processing performed by the employee in excess of his/her authority is against the law and is a valid reason for termination of the employment contract.
12.8. If VİŞNE MADENCİLİK suspects that the security of the Personal Data is not adequately ensured or detects such a vulnerability, he/she will immediately notify the Data Controller Representative.
12.9. Detailed Personal Data Protection Procedure for the security of Personal Data is established by the Data Controller Representative and the Committee.
12.10. Each person assigned VİŞNE MADENCİLİK device is responsible for the safety of the devices allocated for his/her own use.
12.11. Each employee or person working within VİŞNE MADENCİLİK is responsible for the security of the physical files in his/her area of responsibility.
12.12. In case of security measures requested or to be requested additionally for the security of Personal Data within the scope of the Personal Data Protection Regulations, all employees are obliged to comply with additional security measures and to ensure the continuity of these security measures.
12.13. Software and hardware containing virus protection systems and firewalls are installed in compliance with technological improvements for storing Personal Data in secure environments in VİŞNE MADENCİLİK.
12.14. Backup programs are used in order to prevent the loss or damage of Personal Data in VİŞNE MADENCİLİK and adequate safety measures are taken.
12.15. Documents containing Personal Data in VİŞNE MADENCİLİK are protected by encrypted (encrypted) systems in the server environment on the site where Vişne Madencilik A.Ş. factory is located. Within this scope, Personal Data is not stored in common areas and on desktop. Documents such as files and folders containing Personal Data etc. will not be moved to desktop or common folder, information on computers of VİŞNE MADENCİLİK may not be transferred to another device such as USB etc. without the prior written consent of the Data Controller Representative, and may not be taken out of VİŞNE MADENCİLİK.
12.16. The Committee, together with the Board of Directors, is obliged to take technical and administrative measures for the protection of all Personal Data in VİŞNE MADENCİLİK, to continuously follow the developments and administrative activities and to prepare the necessary Personal Data Protection Procedures and submit them to the approval of the Board of Directors, to announce them within VİŞNE MADENCİLİK after approval and to ensure that they are complied with and to supervise them. Within this scope, the Committee and Data Controller Representative organize the necessary trainings to increase the awareness of the employees.
12.17. If a department within VİŞNE MADENCİLİK Processes Sensitive Personal Data, that department will be informed by the Committee of the importance, security and confidentiality of the Personal Data they process and the relevant department will act in accordance with the instructions of the Committee. Access to Sensitive Personal Data is granted only to limited employees and is listed and monitored by the Committee.
12.18. All Personal Data processed within VİŞNE MADENCİLİK will be accepted as “Confidential Information” by VİŞNE MADENCİLİK.
12.19. Employees of VİŞNE MADENCİLİK have been informed that their obligations regarding the security and confidentiality of Personal Data would continue even after the termination of the business relationship and VİŞNE MADENCİLİK employees have been obliged to comply with these guidelines.
XIII. TRAINING
13.1. VİŞNE MADENCİLİK will provide its employees with the necessary training sessions within the scope of the Policy on the Protection of Personal Data and the Personal Data Protection Procedures and the Personal Data Protection Law Regulations contained in its annex.
13.2. Applications for the definition and protection of Sensitive Personal Data in Training Sessions are specifically mentioned.
13.3. If employee of VİŞNE MADENCİLİK accesses Personal Data physically or in a computer environment, VİŞNE MADENCİLİK provides training to the relevant employee on these accesses (e.g. the accessed computer program).
XIV. AUDIT
VİŞNE MADENCİLİK will have the right to inspect the compliance of all employees, departments and contractors of VİŞNE MADENCİLİK with this Policy and Personal Data Protection Regulations at all times and without any prior notice on a regular basis and will carry out the necessary routine inspections within this context. The Committee and the Data Controller’s Representative will establish the Personal Data Protection Procedure for these audits, submit it to the approval of the Board of Directors and ensure the implementation of the said procedure.
XV. BREACHES
15.1. Each employee of VİŞNE MADENCİLİK reports to the Committee any work, transaction or action that he/she considers contrary to the principles and procedures specified in the Personal Data Protection Regulations and this Policy. In this context, the Committee will establish an action plan in accordance with this Policy and Personal Data Protection Procedures for the relevant violation.
15.2. As a result of the notifications made, the Committee prepares the notification to be made to the Data Subject or Institution regarding the violation taking into account the provisions of the legislation in force on the subject, especially the Personal Data Protection Regulations. The Data Controller Representative conducts correspondence and communication with the Institution.
XVI. RESPONSIBILITIES
Responsibilities within VİŞNE MADENCİLİK are respectively employee, department, Data Controller Representative. In this context,
16.1. The Representative of the Committee and Data Controller responsible for the implementation of the policy will be appointed by the Board of Directors of VİŞNE MADENCİLİK with the decision of the Board of Directors and the amendments in this context will be made in the same way.
XVII. AMENDMENTS IN THE POLICY
17.1. This Policy may be amended by VİŞNE MADENCİLİK with the approval of the Board of Directors from time to time.
17.2. VİŞNE MADENCİLİK shares the updated Policy text with its employees via e-mail so that the changes made to the Policy can be exchanged or makes it available to the employees and Data Subjects via the following web address.
Related website: www.visnemadencilik.com
XVIII. EFFECTIVE DATE OF THE POLICY
This version of this Policy has been approved and entered into force by the General Directorate of VİŞNE MADENCİLİK on 30.09.2019