PERALUNA ÖRME SAN. VE TİC. A.Ş.
CORPORATE PERSONAL DATA PROTECTION POLICY
Document Information
|
Document Title:
|
Personal Data Protection Policy
|
Document Relevance:
|
The purpose of the Personal Data Protection Policy is to plan the processes for the protection of personal data and to determine the principles to be applied in this regard by Peraluna Örme San. Ve Tic. A.Ş.
|
Date of Issue:
|
31.07.2023
|
Version No:
|
1
|
Reference / Legal Basis:
|
Personal Data Protection Law no. 6698 and relevant regulations
|
Approving Authority:
|
Peraluna Örme San. Ve Tic. A.Ş. Board of Management
|
PERALUNA ÖRME SAN. VE TİC. A.Ş.
CORPORATE PERSONAL DATA PROTECTION POLICY
1. PURPOSE
The right of every individual to demand the protection of personal data about himself/herself is a sacred right arising from the Constitution. As Peraluna Örme San. Ve Tic. A.Ş. (“Peraluna”), we consider fulfilling the requirements of this right as one of our most valuable duties. For this reason, we attach importance to the processing and protection of your personal data in accordance with the law.
As a result of the importance, we attach to the protection of personal data, Corporate Personal Data Protection Policy has been prepared in order to determine the principles and procedures we apply while processing and protecting personal data.
2. SCOPE
The Policy covers all kinds of processes to be performed on the personal data managed by Peraluna such as obtaining, saving, storing, retaining, modifying, revising, describing, transferring, taking over, making available, classifying or blocking the use of personal data by fully or partially automated means or by nonautomated means provided that they are a part of any data recording system.
The policy relates to all processed personal data of Peraluna's partners, officials, customers, employees, supplier officials and employees, and third parties.
Peraluna may amend the Policy for the purposes of compliance with the applicable regulations and decrees of the Personal Data Protection Authority and improvement in protection of personal data.
3. DEFINITIONS
Abbreviation
|
Definition
|
Recipient Group
|
The category of natural or legal persons to whom personal data is transferred by the data controller.
|
Explicit Consent
|
Consent that is related to a specific issue, based on information and expressed with free will.
|
Anonymization
|
Making personal data not to be associated with any identified or identifiable real person in any way, even when matched with other data.
|
Data Subject
|
Real person whose personal data are processed.
|
Related User
|
The persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except the person or unit responsible for the storage, protection and backup of the data technically.
|
Destruction
|
Deletion, destruction or anonymization of personal data.
|
Law / KVKK
|
Personal Data Protection Law no. 6698.
|
Recording Medium
|
Any media in which personal data are processed, which are fully or partially in automated ways or non-automated ways provided that being part of any data recording system.
|
Personal Data
|
All kinds of information related to an identified or identifiable person.
|
Data Inventory
|
The inventory created and elaborated by data controllers by associating personal data processing activities carried out by data controllers depending on the business processes and personal data processing purposes and the legal reason with the data category, the transferred recipient group and the data subject group, and where they explain the maximum retention period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.
|
Processing of Personal Data
|
The Policy covers all kinds of processes performed on personal data such as obtaining, saving, storing, retaining, modifying, revising, describing, transferring, taking over, making available, classifying or blocking the use of personal data by fully or partially automated means or by nonautomated means provided that they are a part of any data recording system.
|
Board
|
Personal Data Protection Board.
|
Institution
|
Personal Data Protection Institution.
|
Sensitive Personal Data
|
Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.
|
Periodic Destruction
|
The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data retention and destruction policy, in the event that all of the personal data processing conditions specified in the Law are eliminated.
|
Policy
|
Personal Data Protection Policy
|
Data Processor
|
Real or legal person who processes personal data on behalf of the data controller with the authorization invested by the data controller.
|
Data Controller
|
Real or legal person who determines the purposes and means of personal data processing and assumes responsibility for establishing and managing the data recording system.
|
4. GENERAL PRINCIPLES
Peraluna checks the compliance of the data to be processed with the following principles at the preparation phase of each workflow which requires processing of new personal data. Workflows which are not compatible with the relevant principles are not implemented.
When processing personal data, Peraluna shall;
(I) Comply with the law and principles of integrity.
(II) Ensure that personal data are accurate and up-to-date if and when necessary.
(III) Make sure that the purpose of processing is specific, explicit and legitimate.
(IV) Confirm that the data processed are relevant to the purpose of processing and the processing is restrained and limited to the extent required for the purpose.
(V) Ensure retention of personal data to the extent provided in the relevant regulation or required for the purpose of processing and destroy the personal data once the processing purpose is no longer applicable.
5. MEASURES TAKEN FOR DATA SECURITY
Peraluna takes all kinds of technical and administrative measures necessary to ensure the appropriate level of security in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, (iii) ensure safekeeping of personal data.
5.1. Technical Measures
- Network security and application security are ensured.
- Security measures within the scope of procurement, development, and maintenance of information technology systems are taken.
- Access logs are kept regularly.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Necessary security precautions are taken on the way in and out of the physical media containing personal data.
- Physical media containing personal data are protected against external risks (fire, flood, etc.).
- The security of media containing personal data is ensured.
- Personal data is backed up and the security of the backed-up personal data is also ensured.
- User account management and authorization control system are implemented and monitored.
- Encryption is done.
5.2. Administrative Measures
- There are disciplinary arrangements that include data security provisions for employees.
- Training and awareness activities on data security are conducted periodically for employees.
- Corporate policies regarding the access to, security, use, storage and destruction of information have been prepared and started to be implemented.
- Confidentiality commitments are made.
- The authorizations of the employees who are assigned to another position or who left the job in this area are removed.
- The contracts signed contain data security provisions.
- Personal data security policies and procedures have been established.
- Personal data security problems are reported promptly.
- Personal data security is monitored.
- Personal data is reduced to the extent possible.
- Existing risks and threats have been identified.
- Protocols and procedures for the security of sensitive personal data have been adopted and are being implemented.
- Awareness of data processing service providers on data security is ensured.
6. RIGHTS OF DATA SUBJECT REGARDING PERSONAL DATA
Data Subject can apply to Peraluna and make a request in order to:
- Learn if his/her personal data is processed,
- Request information if his/her personal data has been processed,
- Learn the purpose of processing of the personal data and whether they are used for this purpose,
- Learn the third parties to whom his/her personal data is transferred in the country or abroad,
- In the event that his/her personal data is incomplete or improperly processed, request correction and demand notification of the relevant process to the third parties to whom his/her personal data has been transferred,
- Even though the processing has been performed accordance with the KVKK and other relevant legal provisions, if the reasons that require processing have been eliminated, request deletion, destruction or anonymization of his/her personal data and demand notification of the relevant process to the third parties to whom his/her personal data has been transferred,
- Object to the emergence of any result to the detriment of him/her arising from analysis of his/her processed data exclusively by automated systems,
- Demand the compensation of the damage in case of loss due to processing of his/her personal data in violation of the law.
7. NOTIFICATION OF VIOLATIONS
Peraluna employees report to the Commission any work, action or event they consider to be in violation of the provisions of the KVKK and/or the Policy. If the commission deems it necessary following this reporting of violation, it convenes and creates an action plan against the violation.
If the violation has occurred through acquisition of personal data by third persons by unlawful means, the Commission shall communicate this situation to the data subject and the Board within 72 hours within the scope of the decision of the Board dated 24.01.2019 and numbered 2019/10.
8. AMENDMENTS
The amendments to the Policy are prepared by the Commission and submitted to Peraluna Holding Board of Management for approval. The updated version of the Policy can be sent to employees via e-mail or posted on the website.
9. EFFECTIVE DATE
This version of the Policy has been approved by the Board of Management and entered into force on 31.07.2023.