ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ
1. PURPOSE OF THE POLICY
The purpose of this Policy is to establish the rules, roles, and responsibilities to be applied throughout ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ regarding the storage and disposal of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (the “Law”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (the “Regulation”) published in the Official Gazette No. 30224 dated 28.10.2017, specifically Articles 5 and 6 of the Regulation, and to fulfill the obligations therein.
2. SCOPE OF THE POLICY
This Policy covers the personal data and special categories of personal data defined under the Law No. 6698, all employees, managers, consultants of ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ, and in cases where personal data sharing is in question, its subsidiaries, external service providers, and any natural or legal persons with whom the company has legal relations.
The Policy applies to personal data processed wholly or partly by automated means or non-automated means provided that they are part of any data recording system as defined under the Law.
Unless otherwise specified in this Policy, personal data and special categories of personal data shall be collectively referred to as “Personal Data.”
3. DEFINITIONS
Anonymization:
The process of making personal data impossible to associate with an identified or identifiable natural person, even if matched with other data.
Disposal:
The deletion, destruction, or anonymization of personal data.
Personal Data:
Any information relating to an identified or identifiable natural person.
Personal Data Retention Table (Durations):
A table showing the periods for which personal data is stored by ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ.
Personal Data Processing Inventory:
An inventory created by data controllers by associating their personal data processing activities with their business processes, including purposes of processing personal data, data category, recipient groups, and the data subject group, indicating the maximum storage period necessary for the purposes of processing, personal data envisaged to be transferred abroad, and the technical and administrative measures taken regarding data security.
Deletion of Personal Data:
The process of rendering personal data inaccessible and unusable for relevant users in any way.
Destruction of Personal Data:
The process of rendering personal data inaccessible, unrecoverable, and unusable by anyone in any way.
Special Categories of Personal Data:
Data regarding a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Disposal:
The process of deleting, destroying, or anonymizing personal data at repeated intervals as specified in the Personal Data Retention and Disposal Policy, in the event that the conditions for processing personal data set out in the Law no longer exist.
Data Recording System:
The system in which personal data are processed and structured according to specific criteria.
Direct Identifiers:
Identifiers that, on their own, reveal, disclose, and make the individual identifiable.
Indirect Identifiers:
Identifiers that reveal, disclose, and make the individual identifiable when combined with other identifiers.
Law:
Law No. 6698 on the Protection of Personal Data, published in the Official Gazette No. 29677 dated 07.04.2016.
Regulation:
The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette No. 30224 dated 28.10.2017.
Board:
The Personal Data Protection Board.
Recording Medium:
Any environment where personal data are processed wholly or partly by automated means or non-automated means provided that they are part of any data recording system.
Personal Data Protection and Processing Policy:
The policy published at “https://ontad.com.tr/” that sets forth the procedures and principles for the management of personal data held by ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ.
4. RECORDING MEDIA COVERED UNDER THIS POLICY
All media where personal data are processed wholly or partly by automated means or non-automated means provided that they are part of any data recording system are considered recording media.
4.1 ENVIRONMENTS WHERE PERSONAL DATA IS STORED
Personal data stored by ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ are kept in environments suitable to the nature of the data and legal obligations within the scope of the ISMS (ISO 27001:2013).
The recording environments generally used for storing personal data include the following. However, some data, due to their special nature or legal obligations, may be stored in environments different from those listed herein. Acting as the data controller, ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ processes and protects the data within the scope of the ISMS (ISO 27001:2013), in accordance with the Law and the Personal Data Protection and Processing Policy, and this Personal Data Retention and Disposal Policy.
a) Physical Environments
Environments where data is stored on paper or microfilm.
b) Local Digital Environments
Digital environments such as servers, fixed or portable disks, optical disks within the company.
c) Cloud Environments
Internet-based systems located outside the company's premises, used by ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ, in which data is stored encrypted by cryptographic methods.
4.2 SECURITY OF ENVIRONMENTS
ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ takes all necessary technical and administrative measures within the scope of ISMS (ISO 27001:2013) to ensure the secure storage of personal data and to prevent unlawful processing and access, according to the nature of the environment where the data is stored.
These measures, including but not limited to the ones listed below, are implemented in proportion to the nature of the data and the environment in which it is stored.
4.2.1 Technical Measures
ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ takes the following technical measures for all environments where personal data is stored, suitable to the nature of the data and the environment:
- Only up-to-date and secure systems compatible with technological developments are used in environments where personal data is stored.
- Security systems are used for environments where personal data is stored.
- Security tests and research are conducted to detect vulnerabilities in information systems, and any identified existing or potential risks are mitigated.
- Access to environments where personal data is stored is restricted so that only authorized persons can access the data solely for the purpose of storing it.
- The company employs sufficient technical personnel to ensure the security of the environments where personal data is stored.
4.2.2 Administrative Measures
ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ takes the following administrative measures under the Law for all environments where personal data is stored, suitable to the nature of the data and the environment:
- Training and awareness activities are conducted to increase the awareness of all employees regarding information security, personal data, and privacy.
- Legal and technical consultancy services are obtained to monitor developments in information security, privacy, and personal data protection and to take necessary actions.
- In cases where personal data needs to be transferred to third parties due to technical or legal requirements, protocols are signed with such third parties for the protection of personal data, and care is taken to ensure compliance with the obligations under these protocols.
4.2.3 Internal Audits
ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ conducts internal audits in accordance with Article 12 of the Law to ensure compliance with the provisions of the Law and the policies of Personal Data Retention and Disposal and Personal Data Protection and Processing.
If deficiencies or faults are detected during these audits, necessary corrections are promptly made.
If, during audits or otherwise, it is determined that personal data under the responsibility of the company has been unlawfully obtained by others, the company will notify the data subject and the Board as soon as possible.
5. DUTIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION COMMITTEE
5.1 The Personal Data Protection Committee is responsible for notifying the relevant business units of this Policy and for monitoring the fulfillment of the requirements by the units of ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ.
5.2 The Personal Data Protection Committee ensures that the relevant business units are informed about any changes in legislation regarding personal data protection, regulatory actions and decisions of the Board, court decisions, or any other developments related to processes, practices, or systems, and ensures updates are made to business processes if necessary.
5.3 The Personal Data Protection Committee defines and notifies the relevant units about processes for the review, evaluation, follow-up, and resolution of decisions and requests from the Board, courts, and other competent authorities concerning the Law, secondary regulations, and decisions of the Board.
6. ACTIONS TO BE TAKEN WHEN CONDITIONS FOR PROCESSING PERSONAL DATA CEASE TO EXIST
6.1 If the purpose for processing personal data ceases to exist, consent is withdrawn, or all legal grounds specified in Articles 5 and 6 of the Law no longer apply, or none of the exceptions mentioned therein apply, the relevant business unit shall delete, destroy, or anonymize the personal data, taking into account business needs and in accordance with Articles 7, 8, 9, or 10 of the Regulation, stating the reason for the method chosen. If there is a final court decision, the disposal method ruled by the court shall be applied.
6.2 All users processing or storing personal data and data owners within ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ shall review the data recording environments at least every four months to determine whether the conditions for processing personal data continue to exist. If a request is made by the data subject, the Board, or a court, the review shall be made immediately, regardless of the periodic review period.
6.3 If, following periodic reviews or otherwise, it is determined that the conditions for processing data no longer exist, the relevant user or data owner shall decide on deletion, destruction, or anonymization of the relevant personal data in accordance with this policy. In case of doubt, the data owner shall consult the relevant business unit. If a decision is required for the disposal of personal data involving multiple stakeholders in the central information systems, the opinion of the Personal Data Protection Committee shall be sought, and the data owner business unit shall make the decision accordingly.
6.4 All actions related to the deletion, destruction, or anonymization of personal data shall be recorded and such records shall be kept for at least three years, except where otherwise required by legal obligations.
6.5 According to Article 7.4 of the Regulation, methods for the deletion, destruction, or anonymization of personal data shall be published and explained following the entry into force of this Policy.
6.6 Deletion, destruction, or anonymization of personal data must comply with the general principles outlined in Article 4 of the Law, the technical and administrative measures required under Article 12, the relevant provisions of legislation, decisions of the Board, and court decisions.
6.7 If a data subject requests the deletion, destruction, or anonymization of their personal data pursuant to Article 13 of the Law, the relevant data owner business unit shall examine whether the processing conditions have ceased to exist. If the conditions have ceased to exist, the data shall be deleted, destroyed, or anonymized in accordance with this policy within thirty days from the application date and the data subject shall be informed via the KVKK contact person appointed by the KVKK Officer. If the personal data subject to the request has been transferred to third parties, the data owner business unit shall immediately inform the third party and ensure that necessary actions are taken under the Regulation.
6.8 If the conditions for processing personal data have not ceased to exist, requests for deletion or destruction may be rejected by ONTAD GIDA İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ, providing justification under Article 13/3 of the Law. The rejection shall be notified to the data subject in writing or electronically within thirty days.
6.9 Requests for deletion or destruction of personal data will only be evaluated if the identity of the requester can be verified. Requests made through other channels shall be directed to proper channels where identity verification can be performed.