PETROYAĞ AND CHEMICALS INDUSTRY AND TRADE JOINT STOCK COMPANY
1. PURPOSE AND SCOPE
The main purpose of this Personal Data Protection Policy (“Policy”) is to provide explanations on the personal data processing activities carried out by Petroyağ (“Company”) in accordance with the law and the systems adopted for the protection of personal data, and to ensure transparency by informing the persons whose personal data are processed by our company within this scope.
This Policy is applied together with the relevant detailed data procedures in all activities carried out for the processing and protection of all personal data managed by the Company.
2. Definitions
- Law on the Protection of Personal Data (KVKK): Personal Data Protection Law No. 6698
- GDPR: European Union General Data Protection Regulation
- Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him.
- Data Controller: The person who determines the purposes and means of processing personal data and manages the place where data is systematically kept (data recording system).
- Data Owner/Relevant Person: Employees, customers, business partners, shareholders, officials, potential customers, candidate employees, interns, visitors, suppliers, employees of institutions they work in cooperation with, third parties and real persons whose personal data is processed, including but not limited to those listed here, with whom the Company and its subsidiaries have commercial relations.
- Explicit Consent: Consent based on information and free will on a specific subject
- Personal Data: Any information relating to an identified or identifiable natural person
- Special Personal Data: Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
- Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
- Anonymization of Personal Data: Rendering personal data impossible to associate with an identified or identifiable natural person in any way, even when matched with other data.
- Deletion of Personal Data: Making personal data inaccessible and non-reusable for the relevant users in any way.
- Destruction of Personal Data: The process of rendering personal data inaccessible, irretrievable and non-reusable by anyone.
- Board of PPD: The Board of Protection of Personal Data
- Authority of Personal Data: Personal Data Protection Authority
3. Procedure
The Company also has different policies addressing the protection of personal data and ensuring information security in relation to specific business activities and functions. This Policy does not override the data protection terms in these different policies of the Company, unless they contain additional terms or demand higher standards for the protection of personal data.
The provisions of the relevant legislation in force regarding the processing and protection of personal data will be applied first; in case of any conflict between the relevant legislation and the provisions of this Policy, the provisions of the current legislation will prevail.
4. Issues Regarding the Protection of Personal Data
This Policy has been created in accordance with the rules and procedures stipulated in the KVKK and other relevant legislation for the protection of personal data. In this sense, the Data Controller is obliged under the KVKK to take all necessary technical and administrative measures to prevent the unlawful processing of and access to personal data and to ensure their preservation. The Company has taken all relevant technical and administrative measures, including measures taken for the protection of special personal data; the content of the technical and administrative measures taken is detailed in the Personal Data Protection Legal Compliance Audit Report and D.17 Storage and Destruction Policy.
5. Personal Data Processing Policy
a. Principles to be Followed When Processing Personal Data
Personal data processed by the Company is processed in accordance with the relevant legislation (KVKK and/or GDPR). The Company's policies and procedures are implemented in parallel with the processing principles set out in the KVKK and relevant legislation. Accordingly:
- Personal data is processed in a transparent manner and in accordance with the law and the rule of honesty,
- Personal data is collected only for specific, clear and legitimate purposes,
- Personal data are relevant, limited and proportionate to the purpose for which they are processed,
- Personal data is accurate and, where necessary, up-to-date, and will be deleted or corrected without delay.
- They are kept for the period required by the relevant legislation or for the purpose for which they are processed.
- Personal data is processed in a way that ensures appropriate security,
- The data controller demonstrates compliance with KVKK and/or other principles of the GDPR. (Being held accountable).
b. Purposes of Petroyağ's Processing of Personal Data
The Company informs the relevant persons when collecting personal data in accordance with the KVKK and other relevant legislation. In this context, the Company informs the relevant person about the purpose for which personal data will be processed, to whom and for what purposes the processed data may be transferred, the method of collecting personal data and the legal reason for collecting personal data.
The purposes for which personal data is processed by the Company are as follows:
To ensure that the Company can provide its services to its customers under the best conditions, to provide services reliably and uninterruptedly, to ensure Company security, to ensure customer satisfaction and reliability, to carry out transactions related to the services offered by the Company, to carry out and develop operations, to carry out promotion, marketing, advertising and campaign activities of the services offered by the Company, to fulfill contracts signed with customers, to carry out transactions requested by the relevant public institutions and organizations, to fulfill the Company's obligations arising from other relevant laws.
c. Petroyağ's Legal Reasons for Processing Personal Data:
- The existence of the explicit consent of the relevant person,
- Explicitly stipulated by laws,
- It is necessary to protect the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, or that of another person.
- It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,
- It is mandatory for the data controller to fulfill its legal obligations,
- It has been made public by the relevant person himself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
The conditions for processing personal data, i.e. the cases of compliance with the law, are listed in a limited number in the Law and these conditions cannot be expanded.
6. Transfer of Personal Data
a. Domestic Transfer
Except for the situations where the transfer of personal data to administrative and judicial institutions and organizations is required by the KVKK or the relevant legislation, the Company does not transfer personal data of the relevant persons to other persons without the explicit consent of the relevant person, unless the matters listed in Articles 5 and/or 6 of the KVKK are applicable.
The Company may transfer personal data to third parties in Türkiye by taking all security measures specified in the KVKK and relevant legislation and in accordance with the Law and/or contract.
b. International Transfer
The Company may transfer personal data abroad by taking the necessary security measures in accordance with the conditions stipulated in the KVKK and relevant legislation and by obtaining the explicit consent of the relevant person. For cases where the explicit consent of the relevant person is not required, the country to which the personal data will be transferred must have the status of a "safe country" and provide adequate protection. For cases where the country to which data is transferred is not deemed to have safe country status by the Board, a data transfer protocol is signed with the Board's permission to ensure adequate protection.
Service providers and customers to whom data is/may be transferred abroad are legal entities/real persons originating from ….................
c. Institutions and Organizations to Which Transfers Are Made
The Company may share personal data with relevant public institutions and organizations in accordance with the following legislation:
- Personal Data Protection Law No. 6698
- Labor Law No. 4857
- Turkish Code of Obligations No. 6098
- Turkish Commercial Code No. 6102
- Occupational Health and Safety Law No. 6361
- Law No. 4982 on Information
- Retirement Health Law No. 5343
- Social Services Law No. 2828
- Tax Procedure Law No. 213 and other secondary regulations in force pursuant to these laws.
7. Personal Data Processing Activities at Petroyağ Service Building and Website Visitors
Personal data processing activities can be carried out in the Petroyağ service building in accordance with the KVKK and other relevant legislation. Accordingly, in order to ensure security, there is security camera monitoring in the corridors and at the entrances and exits of the service building(s), and a card pass system is in place at the entrance. The system used for guest entries has been determined in accordance with the Company's "Physical Security Procedure".
Access to records related to security measures recorded and stored in digital environment is provided by administrative affairs and technical department personnel, audit teams, general manager and managers directly subordinate to the general manager, who are under the obligation to protect confidentiality.
8. Rights of the Data Subject and Exercise of Their Rights
Natural persons whose personal data are processed by the Company may exercise the following rights regarding the processing of their personal data and the data recorded about them by applying to the Company at the address Tembelova Mevkii, Gençlik Cad, 32nd Sk. No:3014, Gebze/Kocaeli, or via the e-mail address …………..:
- Learning whether personal data is being processed,
- If your personal data has been processed, to request information about the nature of this information and to learn to whom it has been disclosed,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom personal data is transferred, whether domestically or abroad, and to request that the transaction made in this direction be notified to third parties,
- To request correction of personal data if it is processed incompletely or incorrectly and to request notification of this to third parties,
- Requesting the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though the personal data has been processed in accordance with the relevant legal provisions,
- Objection to the emergence of a result against oneself,
- To request compensation in case of damages due to unlawful processing of personal data.
9. Deletion, Destruction and Anonymization of Personal Data
- 9.1. In accordance with Article 7 of the KVKK and other relevant legislation, if the reasons for processing the processed personal data are eliminated, personal data will be deleted, destroyed or made anonymous upon the Company's decision, periodic control and/or the request of the relevant person.
- 9.2. In this regard, the Company has prepared a Personal Data Storage and Destruction Policy. For detailed information, see [D.17]: Personal Data Storage and Destruction Policy.
- 9.3. The company will not store personal data for longer than is necessary to enable the identification of the data owner in relation to the main reason for which the data was collected.
- 9.4. The company may store personal data for longer periods only for public interest, scientific or historical research or statistical purposes, taking appropriate technical and organizational measures to protect the rights and freedoms of the data owner.
- 9.5. The retention period for each category of personal data and the criteria used to determine this period, including the legal obligations under which the Company is obliged to retain the data, are stated in [D.17]: Retention and Destruction Policy.
- 9.6. Company data storage and destruction procedures ([D.17]: Retention and Destruction Policy) will apply in all cases.
- 9.7. Personal data will be securely destroyed in accordance with the provisions of the KVKK and the relevant legislation, in a manner appropriate to ensure security and thereby protect the “rights and freedoms” of the data subject. Any destruction of data will be done in accordance with the Storage and Destruction Policy.
10. Data Inventory
The company has created a data inventory as part of its approach to identify risks and opportunities throughout the KVKK and GDPR compliance process. The company's data inventory determines:
- Business processes that use personal data;
- Source of personal data;
- Data subject application;
- Description of each element of personal data;
- Processing activity;
- Purpose and legal basis of processing activity;
- Management of the inventory of processed personal data and data categories;
- Filing the purpose(s) for each category of personal data used;
- Recipients and potential recipients of personal data;
- The role of the Company during the data flow;
- Key systems and storage;
- Any data transfer; and
- All storage and disposal requirements.