KVKK

POLIFONI INDUSTRY AND TRADE LIMITED COMPANY PERSONAL DATA PROTECTION AND PROCESSING POLICY

Document Name: Polifoni Industry and Trade Limited Company Personal Data Protection and Processing Policy
Prepared by: Polifoni Industry and Trade Limited Company
Approved by: Senior management of Polifoni Industry and Trade Limited Company

This text may not be reproduced or distributed without the written permission of Polifoni Industry and Trade Limited Company.

INTRODUCTION

This Policy has been prepared to establish protocols related to data storage and destruction activities. It outlines the principles to be adopted and considered in practice by Polifoni Industry and Trade Limited Company. The Policy aims to define and coordinate the framework of compliance activities to be conducted company-wide to ensure compliance with Law No. 6698 on the Protection of Personal Data.

The objective within this scope is to continue executing activities in accordance with the principles of legality, integrity, and transparency adopted since the establishment of Polifoni Industry and Trade Limited Company. Furthermore, the company will create the necessary structure, procedures, and processes for compliance with the Law on Protection of Personal Data (KVKK) and will implement mechanisms to raise awareness among employees and business partners.

SCOPE

This Policy covers all personal data of individuals other than the company's employees, whether processed automatically or through any non-automatic data recording system. Detailed information about the data subjects can be found under the "Personal Data Subjects" section of this Policy.

APPLICATION OF THE POLICY AND RELEVANT LEGISLATION

Relevant legal regulations in force regarding the processing and protection of personal data will primarily be applicable. In the case of any inconsistency between the current legislation and the Policy, the company accepts that the current legislation will prevail. The Policy regulates the rules set forth by the relevant legislation within the framework of company practices.

SECTION 1 – PURPOSE OF THE "PERSONAL DATA PROTECTION AND PROCESSING POLICY"

The purpose of this Policy is to ensure that regulations essential for KVKK compliance are implemented legally by Polifoni Industry and Trade Limited Company. In this context, the Policy serves as a guiding document on how the company will concretely apply the rules set by KVKK and related legislation. The company will make the necessary arrangements for compliance with the Policy and ensure its ongoing adherence. All necessary administrative and technical measures will be taken for the processing and protection of personal data in accordance with the principles outlined in the Policy, awareness among employees will be ensured, necessary compliance processes for new employees will be implemented, and required notifications and warnings will be made.

SECTION 1 – PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

Adhering to the general principles regarding the processing of personal data under KVKK is crucial. Accordingly, our company acts in accordance with the fundamental principles listed below as per the Constitution and KVKK.

There are fundamental principles regarding the processing of personal data accepted in international documents and reflected in the practices of many countries. Article 4 of the Law regulates the procedures and principles for the processing of personal data in parallel with Convention 108 on the Protection of Individuals against Automatic Processing of Personal Data and the EU Data Protection Directive 95/46/EC. According to the Law, the general principles for processing personal data are:

  • Compliance with the law and fairness rules,
  • Accuracy and, when necessary, keeping it up-to-date,
  • Processing for specific, explicit, and legitimate purposes,
  • Being relevant, limited, and proportionate to the purpose for which it is processed,
  • Being retained for as long as required by the relevant legislation or the purpose for which it is processed.

The fundamental principles listed above are inherent in all personal data processing activities within the company and all such activities are carried out in compliance with these principles.

CONDITIONS FOR PROCESSING PERSONAL DATA

Apart from the explicit consent of the data subject, the basis for processing personal data can be one or more of the conditions stated below. If the processed data is sensitive personal data, the conditions specified under the heading “Processing of Sensitive Personal Data” in this Policy will apply.

(i) Explicit Consent of the Data Subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be given on an informed basis and freely.

Personal data can be processed without the explicit consent of the data subject if one or more of the following conditions apply:

(ii) Explicitly Foreseen by Law
If the processing of personal data is explicitly provided for by law, i.e., if there is a clear provision in the relevant law regarding the processing of personal data, this condition will be applicable.

(iii) Inability to Obtain Consent Due to Physical Impossibility
If the data subject is in a situation where they cannot give consent due to physical impossibility, or where consent cannot be validated, and it is necessary to process personal data to protect the life or bodily integrity of the person or another person, the data subject’s personal data can be processed.

(iv) Directly Related to the Establishment or Performance of a Contract
If the processing of personal data is necessary for the establishment or performance of a contract to which the data subject is a party, this condition will be deemed to be fulfilled.

(v) Fulfillment of Legal Obligations of the Company
If the processing is required for the company to fulfill its legal obligations, the data subject’s personal data can be processed.

(vi) Data Subject's Disclosure of Personal Data
If the data subject has made their personal data public, the data can be processed only for the purposes for which it was made public.

(vii) Mandatory for the Establishment or Protection of a Right
If the processing of personal data is mandatory for the establishment, use, or protection of a right, the data subject’s personal data can be processed.

(viii) Mandatory for the Legitimate Interests of the Company
Provided that it does not harm the fundamental rights and freedoms of the data subject, if the processing is necessary for the legitimate interests of the company, the data subject’s personal data can be processed.

PROCESSING OF SENSITIVE PERSONAL DATA

Sensitive personal data is processed by our company in accordance with the principles outlined in this Policy and with all necessary administrative and technical measures, including methods determined by the Board, under the following conditions:

(i) Sensitive Personal Data Other Than Health and Sexual Life
Sensitive personal data other than health and sexual life can be processed without the explicit consent of the data subject if explicitly provided for by law. Otherwise, the explicit consent of the data subject will be required.

(ii) Sensitive Personal Data Related to Health and Sexual Life
Sensitive personal data related to health and sexual life can be processed without explicit consent by persons or authorized institutions under confidentiality obligations for the purposes of protecting public health, conducting medical diagnosis, treatment and care services, and planning and managing healthcare services and financing. Otherwise, the explicit consent of the data subject will be required.

SECTION – OBLIGATIONS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

  • Registration Obligation with the Data Controllers Registry
    Before starting data processing, the company must register with the Data Controllers Registry within the period specified by the KVK Board. The registration application must include the following information:

    1. Identity and address information of the company as the data controller and its representative, if any.
    2. The purpose of processing personal data.
    3. Explanation of the data subjects and data categories related to them.
    4. Recipients or recipient groups to whom personal data may be transferred.
    5. Personal data to be transferred to foreign countries.
    6. Measures taken for personal data security.
    7. The maximum period for which personal data will be retained for the purpose for which it is processed.
  • Obligation to Ensure Compliance with Data Processing Conditions
    Our company must comply with the data processing conditions specified in Articles 5 and 6 of the KVK Law and the Regulation on the Processing of Personal Health Data while performing personal data processing activities, adhering to the fundamental principles. The company must verify whether these data processing conditions exist and must not carry out data processing activities if these conditions are not met.

Our company should establish the necessary mechanisms in its internal systems for the legal processing of personal data, create internal awareness regarding the protection of personal data, and implement necessary audit mechanisms.

In the scope of personal data processing, the company must comply with the rules set forth in the Constitution of the Republic of Turkey, the Turkish Penal Code, the KVK Law, and other relevant legislation, as well as the KVK Policy of Öztaş Besicilik Gıda Ürünleri İnşaat Nakliyat Sanayi Ve Ticaret Limited Şirketi.

  • Obligation to Inform the Data Subject
    During the collection of personal data, the data subject must be informed about the following:
    1. Identity of the data controller and its representative, if any,
    2. Purpose of processing personal data,
    3. To whom and for what purpose personal data may be transferred,
    4. The method and legal reasons for collecting personal data,
    5. The rights of the data subject, including:
      • Learning whether personal data is being processed,
      • Learning the purpose of processing and whether it is used for the intended purpose,
      • Knowing the recipients of the personal data,
      • Requesting correction in case of incomplete or incorrect processing and, if applicable, requesting the deletion of personal data and transmission of these requests to third parties,
      • Objecting to a result arising against them solely through automated systems,
      • Requesting compensation for damages caused by unlawful processing.

In this context, the company should identify personal data collection channels to fulfill the obligation to inform, ensure that the data collection activities meet the scope and conditions required by KVKK, and design appropriate processes.

Obligation to Ensure the Security of Personal Data

In accordance with Article 12 of the KVK Law, and aware of the importance of ensuring the security of personal data and protecting the fundamental rights and freedoms of data subjects, companies must:

  1. Take all necessary technical and administrative measures to prevent the unlawful processing of personal data,
  2. Prevent unauthorized access to personal data, and
  3. Ensure the preservation of personal data.

Companies are also obliged to carry out or have carried out necessary audits within the scope of operating mechanisms for ensuring data security.

Obligation to Comply with Decisions Issued by the KVK Board

The company must act in accordance with the decisions made by the KVK Board, which is the executive body of the KVK Institution, to ensure that personal data is processed in a manner consistent with fundamental rights and freedoms.

Obligation to Respond to Data Subject Requests

As the data controller, Öztaş must conclude the data subjects' requests regarding their personal data in the shortest time possible and within a maximum of thirty (30) days, depending on the nature of the request, in accordance with Article 13 of the KVK Law. Data subjects must make their requests in accordance with the Notification on Application Procedures and Principles to the Data Controller. According to Article 11 of the KVK Law, personal data subjects can request the following from data controllers:

  1. Learn whether their personal data is processed,
  2. Request information about their processed personal data,
  3. Learn the purpose of processing their personal data and whether it is used in accordance with that purpose,
  4. Know the third parties to whom their personal data is transferred, both domestically and internationally,
  5. Request correction of personal data if it is incomplete or incorrect and request that the correction be notified to third parties to whom the personal data has been transferred,
  6. Request the deletion or destruction of personal data when the reasons for processing it have ceased to exist, even if it has been processed in accordance with the KVK Law and other relevant laws, and request that this be notified to third parties to whom the personal data has been transferred,
  7. Object to the result of processing of personal data exclusively through automated systems if it has an adverse effect on them,
  8. Request compensation for damages suffered due to unlawful processing of personal data.

Obligation to Process and Obtain Personal Data Lawfully

Our company must process personal data in accordance with the law and principles of honesty as stipulated in Article 4 of the KVK Law. In this context, the activities of obtaining and transferring personal data must also be conducted in compliance with the law.

Obligation to Comply with Regulations on the Storage of Personal Data

In accordance with Article 7 of the KVK Law, our company must establish internal systems necessary for deleting, anonymizing, or destroying personal data whose processing purposes have ceased, even if it has been processed lawfully. These systems consist of methods that the company can choose as specified in the destruction policy. Besides securely storing personal data, it is also important to anonymize, destroy, or delete the data in accordance with the law. Therefore, there is an obligation to act in accordance with the law.

SECTION – KEY ISSUES TO BE ADDRESSED BY THE COMPANY TO COMPLY WITH THE KVK POLICY AND KVK LAW

Öztaş Besicilik Gıda Ürünleri İnşaat Nakliyat Sanayi Ve Ticaret Limited Şirketi has established criteria for compliance with the KVK Law and the guiding Öztaş Besicilik Gıda Ürünleri İnşaat Nakliyat Sanayi Ve Ticaret Limited Şirketi KVK Policy. The compliance steps are as follows:

  1. FULFILLING THE OBLIGATIONS STATED IN THE KVK POLICY OF POLIFONI SANAYİ VE TİCARET LİMİTED ŞİRKETİ

Polifoni Sanayi Ve Ticaret Limited Şirketi must act in accordance with the basic obligations described under the section "Obligations Regarding the Protection and Processing of Personal Data" in the Polifoni Sanayi Ve Ticaret Limited Şirketi Personal Data Protection Policy.

  2. ESTABLISHING PERSONAL DATA PROTECTION AND PROCESSING POLICIES

The company must create a Personal Data Protection and Processing Policy considering its operations and the regulations set out by the KVK Law. This policy must be clear and understandable to data subjects.

  3. PREPARATION OF POLICIES, PROCEDURES, AND GUIDELINES REGARDING PERSONAL DATA PROTECTION AND PROCESSING

To ensure compliance with personal data protection law, necessary documents for internal use or submission to the institution must be prepared. Changes in publicly available policies should be presented in a way that allows easy access for data subjects.

  4. CREATING A PERSONAL DATA STORAGE AND DESTRUCTION POLICY

Our company retains personal data for the period necessary for the purpose for which it was processed and for the minimum duration specified by relevant legal regulations. The company first determines whether a retention period is specified in the relevant legislation, complies with it if specified, and prepares a policy accordingly. If no legal period is set, personal data is retained for the period necessary for the purpose for which it was processed. At the end of the defined retention periods, personal data is destroyed in accordance with periodic destruction schedules or data subject requests, using specified destruction methods (deletion and/or destruction and/or anonymization).

Personal Data Categories and Descriptions

  1. Identity Information: Data related to an individual's identity: documents like driver's license, ID card, and passport containing information such as name, TC identity number, nationality, mother’s name, father’s name, place and date of birth, gender, tax number, SGK number, vehicle plate number, etc.
  2. Contact Information: Phone number, address, email, fax number.
  3. Location Data: Information determining the location of the data subject while using our products and services or while using our company's vehicles by employees of partner institutions.
  4. Customer Information: Information obtained and produced about individuals as a result of our commercial activities and the operations of our business units.
  5. Family and Close Contacts Information: Information about the data subject’s family members and close contacts, collected in the context of our operations or to protect the legal and other interests of the company and the data subject.
  6. Customer Transaction Information: Information about the use of our products and services, including records and instructions necessary for the use of these products and services, which is clear within the data record system.
  7. Physical Space Security Information: Personal data related to records and documents taken during entry and stay in physical spaces, such as camera recordings, fingerprint records, and security checkpoint recordings.
  8. Processing Security Information: Personal data processed to ensure technical, administrative, legal, and commercial security in conducting our business activities (e.g., log records).
  9. Risk Management Information: Personal data processed through methods used in accordance with generally accepted legal, commercial practices, and honesty rules to manage commercial, technical, and administrative risks.
  10. Financial Information: Information related to financial results of the legal relationship between the company and the data subject, including data such as bank account numbers, IBAN numbers, credit card information, financial profiles, assets data, and income information.
  11. Personnel Information: Personal data processed to establish the rights of individuals working with the company.
  12. Job Applicant Information: Personal data of individuals who have applied for a job with the company or who have been assessed as job candidates according to commercial practices and honesty rules.
  13. Special Categories of Personal Data: Data about individuals’ race, ethnic origin, political views, philosophical beliefs, religion, sect, or other beliefs, appearance and dress, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
  14. Request/Complaint Management Information: Personal data related to the receipt and evaluation of all types of requests or complaints directed to the company.
  15. Audit Information: Personal data processed during internal or external audits for compliance with legal obligations and company policies.
  16. Legal Actions and Compliance: Personal data processed for determining, monitoring, and fulfilling legal rights and obligations, and for compliance with company policies.

EXERCISING THE RIGHTS OF THE DATA SUBJECT

Data subjects can submit their requests regarding their rights ("Rights of Data Subjects") to our company using the methods determined by the Board. In this context, a Data Subject Application Form may be requested from our company.

The company will process requests in accordance with Article 13 of the Law, free of charge, within a maximum of 30 (thirty) days, depending on the nature of the request. In case of rejection of the request, the reasons will be justified in writing or electronically. If the request incurs a cost, the tariff set by the KVK Board will apply.

You may contact us for the application or submit your request in person to the company address.