Document Information
Document Name Personal Data Protection Policy
Document Relevance The purpose of the Personal Data Protection Policy is MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. Planning the processes for the protection of personal data and determining the principles to be applied on this subject
Release date 01.12.2020
Version No one
Reference / Justification Personal Data Protection Law No. 6698 and other legislation
Approval Authority MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. Board of Directors

CORPORATE PERSONAL DATA PROTECTION POLICY

GOAL

The right of every individual to demand the protection of personal data about himself is a sacred right arising from the Constitution. MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. Ş., we consider fulfilling the requirements of this right as one of our most valuable duties. For this reason, we attach importance to the processing and protection of your personal data in accordance with the law.

As a result of the importance we attach to the protection of personal data, Corporate Personal Data Protection Policy has been prepared in order to determine the principles and procedures we apply while processing and protecting personal data.

SCOPE

Politika MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. ' Obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, all personal data managed by Ş. It covers all kinds of operations performed on data such as classification or prevention of use.

Politika MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. ' It relates to all personal data of partners, officials, customers, employees, supplier officials and employees, and third parties.

MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. It may change the Policy to comply with the legislation and the decisions of the Personal Data Protection Authority and to better protect personal data.

DEFINITIONS

Abbreviation Definition
Buyer Group The category of natural or legal persons to whom personal data is transferred by the data controller.
Open Consent Consent on a specific subject, based on information and expressed with free will.
Anonymization Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching other data.
Related person The natural person whose personal data is processed.
Related User Except for the person or unit responsible for the technical storage, protection and backup of the data, they are the persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller.
Destruction Deletion, destruction or anonymization of personal data.
Law / KVKK Personal Data Protection Law No. 6698.
Recording Media Any medium containing personal data that is fully or partially automated or processed in non-automatic ways, provided that it is part of any data recording system.
Personal Data Any information pertaining to an identified or identifiable natural person.
Data Inventory Personal data processing activities carried out by data controllers depending on the business processes; The inventory that they have created by associating with the data category, the recipient group and the data subject group of personal data processing purposes and the legal reason, explaining the maximum retention period required for the purposes for which personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.
Processing of Personal Data Obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or using personal data through fully or artially automatic means or non-automatic means provided that they are part of any data recording system. Any action taken on the data, such as blocking.
Board Personal Data Protection Board.
Institution Personal Data Protection Authority
Special Quality Personal Data Individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Periodic Destruction The deletion, destruction or anonymization process to be carried out ex officio at repetitive intervals specified in the personal data storage and disposal policy in case all of the conditions for processing personal data in the Law are eliminated.
Policy Personal Data Protection Policy
Data Processor The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
Data Supervisor Natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

GENERAL PRINCIPLES

MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. Checks the compliance of the data to be processed in the preparation phase of each new personal data processing workflow with the following principles. Workflows that are not found suitable are not implemented.

MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. when processing personal data;

  • It abides by the law and the rules of honesty.
  • Ensures that personal data are accurate and, when necessary, up-to-date.
  • It takes care that the purpose of the processing is specific, clear and legitimate.
  • It checks that the processed data is linked for the purpose of processing, that it is processed to the extent that it needs to be processed, and that it is measured.
  • It preserves the data only as required by the relevant legislation or for the purpose of processing, and destroys it when the purpose of processing disappears.

DUTIES AND RESPONSIBILITIES

MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. Personal Data Protection Commission has been established to manage this Policy and other related procedures regarding the processing of personal data and to ensure the enforcement of the Policy. The Commission is composed of the General Manager, Human Resources Officer and Accounting Manager. MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. In addition, it also receives KVKK consultancy support in order to comply with the Personal Data Protection Law No.6698 when necessary. If the commission deems necessary, it may call the KVKK consultant to its meetings.

The duties and responsibilities of the Commission are as follows.

  • It normally meets every 6 months. It may be collected extraordinarily if circumstances require it (for example in the event of a possible data breach).
  • Discusses the issues that need to be changed / improved in the policy.
  • Identifies the issues that can be fulfilled in the name of legal processing and protection of personal data.
  • The Commission determines the steps that can be taken to increase the awareness of KVKK within the company and before its business partners.
  • It determines the risks that may be encountered in the processing and protection of personal data and takes the necessary administrative and technical measures.
  • It provides contact with the institution and manages the relations.
  • It evaluates the requests from the Related Person.
  • Follows periodic destruction processes.
  • Updates the Data Inventory.
  • Makes the assignments regarding the above-mentioned issues.

MEASURES TAKEN FOR DATA SECURITY

MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. It takes all necessary technical and administrative measures to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, (iii) ensure the protection of personal data, and to ensure the appropriate level of security.

Technical Measures

  • Network security and application security are provided.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • Access logs are kept regularly.
  • Current anti-virus systems are used.
  • Firewalls are used.
  • Necessary security measures are taken for entering and exiting physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • The security of environments containing personal data is ensured.
  • Personal data are backed up and the security of backed up personal data is also ensured.
  • User account management and authorization control system is applied and their follow-up is also performed.
  • Log records are kept without user intervention.
  • Intrusion detection and prevention systems are used.
  • Encryption is done.

Administrative Measures

  • There are disciplinary regulations that include data security provisions for employees.
  • Training and awareness activities on data security are carried out periodically for employees.
  • Corporate policies on access, information security, use, storage and disposal issues have been prepared and implemented.
  • When necessary, data masking measures are applied.
  • Confidentiality commitments are made.
  • An authority matrix has been created for the employees.
  • Employees who have a change of position or leave their jobs are removed from their authority in this area.
  • The signed contracts contain data security provisions.
  • Personal data security policies and procedures have been determined.
  • Personal data security problems are reported quickly.
  • Personal data security is monitored.
  • Personal data is reduced as much as possible.
  • Periodic and / or random inspections are carried out and made in-house.
  • Current risks and threats have been identified.
  • Protocols and procedures for special quality personal data security have been determined and implemented.
  • If personal data of special nature will be sent via e-mail, they are necessarily sent in encrypted form using KEP or corporate mail account.
  • The awareness of data processing service providers on data security is ensured.

RIGHTS OF THE RELATED PERSON REGARDING PERSONAL DATA

The contact person is MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. ' You can make a request by applying to:

  • Learning whether your personal data is processed or not
  • Requesting information if personal data has been processed
  • Learning the purpose of processing personal data and whether they are used appropriately for their purpose
  • Learning the third parties to whom personal data is transferred domestically or abroad
  • To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data are transferred
  • Although it has been processed in accordance with the provisions of KVKK and other relevant laws, in case the reasons requiring its processing disappear, to request the deletion, destruction or anonymization of your personal data and to notify the third parties to whom the personal data is transferred
  • Objection to the emergence of an unfavorable result by analyzing the processed data exclusively through automated systems
  • To request the compensation of the damage in case of damage due to unlawful processing of personal data

VIOLATION NOTICES

MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. employees report the work, action or fact that they think violates the provisions of KVKK and / or the Policy to the Commission. The committee will convene after this notification of violation if it deems necessary and prepare an action plan regarding the violation.

If the violation occurred through the unlawful acquisition of personal data to others, the Commission shall notify the relevant person and the Board within 72 hours within the scope of the Board's decision dated 24.01.2019 and numbered 2019/10.

CHANGES

The changes on the policy are prepared by the Commission and MEGAPLAST KALIP SAN. VE TİC. LTD. ŞTİ. It is submitted for the approval of the Board of Directors. The Updated Policy can be sent to employees via e-mail or posted on the website.

EFFECTIVE DATE

This version of the Policy has been approved by the Board of Directors on 01.12.2020 and entered into force.