This Policy, titled Personal Data Protection and Privacy Policy, covers all departments and employees within Turan Makina Plastik Boru Sistemleri A.Ş. This Policy has been prepared to explain the rules for the processing of personal data and to provide the necessary information, and was approved by the management of Turan Makina Plastik Boru Sistemleri A.Ş. and entered into force on 26.03.2020.

B. DEFINITIONS

Personal data:	It is any information that is identified or identifiable, and covers all aspects of the person’s identity that enable them to be identified as a result of carrying a concrete content expressing the person’s physical, economic, cultural, social or psychological identity, or being associated with any record such as an identity, tax or insurance number.
Special categories of personal data:	Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Explicit consent:	Consent based on informed consent and expressed freely on a specific subject.
Anonymization:	Making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data.
Processing of personal data:	It is any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system. All types of operations performed on data, starting from the initial acquisition of the data, are included in this scope.
Personal data owner:	The natural person whose personal data is processed
Data recording system:	A registration system in which personal data is structured and processed according to certain criteria.
Data controller:	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data processor:	A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him.
KVKK:	Personal Data Protection Law No. 6698 dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016
Board:	Personal Data Protection Board
Organisation:	Personal Data Protection Authority
Policy:	Turan Makina Plastik Boru Sistemleri A.Ş. Personal Data Protection and Privacy Policy

C. REFERENCES

Personal Data Protection Law (‘KVKK’):

The subject of this Policy is Law No. 6698 dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016.

D. CHANGES

Changes to this Policy that will be made with the entry into force of additional legislation within the scope of KVKK or from time to time can be followed on the Company’s corporate website, and the current version of this Policy can also be accessed on this corporate website.

1. PURPOSE

The Company processes the personal data of its suppliers, employees, customers, visitors and other real persons who establish a relationship with it through job applications or any other purpose or channel in accordance with the law in order to carry out its fresh fruit and vegetable packaging, import, export, customs and foreign trade activities.

The purpose of this policy is to inform the relevant persons by providing explanations about the processing activities and personal related systems carried out by the Company, thus ensuring transparency regarding personal data.

In this context, the Company has explained in detail in this Policy the processing of personal data within the scope of KVKK, the data owners subject to this processing and the rights of these persons, together with the use of cookies and similar technologies.

2. PERSONAL DATA

2.1 General Principles Regarding Personal Data Processing

The Company processes personal data in accordance with the following principles within the scope of the purposes exemplified in the 2nd paragraph of Article 4 of the KVKK and the ‘Purposes of Processing Personal Data’ section of this Policy:

Being in compliance with the law and the rules of honesty
Being accurate and up to date when necessary
Processing for specified, explicit and legitimate purposes
Being connected, limited and proportionate to the purpose for which they are processed
Retention for the period required by the relevant legislation or for the purpose for which they are processed.

2.2 Personal Data Processed by the Company

Personal data is processed within the Company through the explicit consent obtained from data owners or without being subject to explicit consent as per Articles 5 and 6 of the KVKK, except for the exceptional cases specified in Articles 5 – 6, and these data will only be processed within the framework of the purposes exemplified in the ‘Purposes of Processing Personal Data’ section of this Policy. These types of personal data, which vary and differentiate depending on the type and nature of the relationship between the Company and the data owner, the communication channels used and the aforementioned purpose information, and are processed in accordance with the principles in this Policy, are as follows:

Information identifying the data owner, such as name, surname, profession, title, employment information, educational status, gender, marital status, spouse/child information, citizenship status, military service information, criminal record information, tax liability status,
Data such as date of birth, place of birth, ID number, blood type, religion and photograph found in identification documents such as a copy of the identity card, copy of the identity card, passport and driver’s license,
Communication records such as address, e-mail, telephone and fax number, as well as other voice data within the scope of telephone conversations and e-mail correspondence,
Real person information in documents for legal entities such as tax certificates, trade gazettes, authorization certificates, qualification certificates, signature circulars and activity certificates,
Detailed financial data on pricing, reconciliation, collection and payment activities.

2.3 Purposes of Processing Personal Data

Personal data may be processed by the Company for the following purposes and stored for as long as these purposes and relevant legal periods require:

Carrying out the necessary work by business units to ensure that customers benefit from the products and services offered by the company,
Planning and execution of sustainability activities,
Providing support to group companies in carrying out corporate and partnership law transactions,
Ensuring the legal and commercial security of the Company and those who have business relations with the Company,
Carrying out commercial activities for the purpose of determining and implementing the company’s commercial and business strategies,

2.4 Transfer of Personal Data

The Company transfers data domestically and internationally within the scope of the purposes exemplified in the ‘Purposes of Processing Personal Data’ section of this Policy and in accordance with Articles 8 and 9 of the KVKK, and personal data may be processed and stored in the servers and electronic environments used within this scope. The nature of these transfers and the parties with whom they are shared vary depending on the type and nature of the relationship between the data owner and the Company, the purpose of the transfer and the relevant legal basis, and these parties are generally as follows:

Domestic and foreign third parties from whom services are received,
Direct and indirect shareholders, affiliates, subsidiaries,
Persons and institutions from which services and/or consultancy are received,
Business partners with whom contracts have been signed

2.5 Collection of Personal Data

In order to meet the purposes exemplified in the ‘Purposes of Processing Personal Data’ section of this Policy, the Company may obtain personal data directly from employees and customers, suppliers, business partners, group companies, call centers, official institutions and other physical environments within the framework of the conditions stipulated in Articles 5 and 6 of the KVKK, as well as through websites, mobile applications, social media and other publicly available channels or organized trainings, organizations and similar events.

2.6 Storage Period of Personal Data

Personal data is kept within the Company for the duration of the relevant legal retention periods and is stored for the period necessary to carry out the activities related to this data and the purposes specified in this Policy. Personal data whose purpose of use has ended and whose legal retention period has expired are deleted, destroyed or anonymized by the Company in accordance with Article 7 of the KVKK.

2.7 Rights of the Data Owner within the Framework of KVKK

The rights of real persons whose personal data are processed are regulated under Article 11 of the KVKK, and pursuant to this article, data owners have the following rights over the Company:

Learning whether personal data is being processed,
To request information regarding the processing of personal data,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
To know the third parties to whom personal data is transferred, either domestically or abroad,
To request correction of personal data if it is processed incompletely or incorrectly,
Requesting the deletion or destruction of personal data if the reasons requiring processing of personal data are eliminated,
Request that correction and deletion processes be notified to third parties to whom personal data has been transferred,
To object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,
To request compensation in case of damages due to unlawful processing of personal data.

Requests from data owners for the purpose of exercising one of the above rights will be met by the Company within 30 days at the latest. These requests can be delivered personally with identification documents to Turan Makina Plastik Boru Sistemleri A.Ş. Sanayi Mah. Adıgüzel Sk. No:6 İç Kapı No:1 Pendik/Türkiye, sent to the same address through a notary public, or forwarded with a secure electronic signature to turanas@hs01.kep.tr. If the requests require an additional cost, the Company may charge a fee in the amounts determined within the scope of the relevant legislation.

2.8 Data Transfer Abroad

Personal data may be transferred abroad in accordance with the legislation in order to meet the purposes exemplified in the ‘Purposes of Processing Personal Data’ section of this Policy for the purposes of processing, storage, administration or other use specified in this Policy . Necessary measures are taken to ensure that personal data is properly protected in these transfers.

2.9 Security of Personal Data

The Company attaches importance to protecting the confidentiality and security of personal data. In this regard, the necessary technical and administrative security measures are taken to protect personal data against unauthorized access, damage, loss or disclosure. In this regard, the necessary system access controls, data access controls, secure transfer controls, business continuity controls and other necessary institutional controls are implemented.

3. COOKIES AND SIMILAR TECHNOLOGIES

3.1 General

Small data files sent to users’ devices by the internet network server through the internet browser being used are called cookies. Websites recognize users through these cookies, and the lifespan of cookies varies depending on browser settings.

These cookies are created through systems managed by the Company, while some service providers authorized by the Company may also place similar technologies on users’ devices to obtain IP addresses, unique identifiers, and device identifiers. In addition, links to third parties in the Company’s systems are subject to the privacy policies of these third parties, but the Company is not responsible for their privacy practices, and in this context, it is recommended that the site’s privacy policy be read when the site under the relevant link is visited.

3.2 Types of Cookies

Cookies, whose main purpose is to provide convenience to users, are basically grouped into 4 main groups:

3.2.1 Advertising and Third Party Cookies:

These cookies belong to third party suppliers and enable the use of some functions on the Company’s website and advertising tracking.

3.3 Purposes of Use of Cookies

The purposes of use of cookies used by the Company are as follows:

3.3.1 Performance-oriented uses:

The Company may use cookies to evaluate and analyze user behavior and interaction with sent messages in order to improve and measure the performance of its systems.

3.3.2 Uses for advertising purposes:

The Company may use cookies to deliver advertisements and similar content in line with users’ interests through its own or third-party systems, to measure the effectiveness of these advertisements or to analyze clicks.

3.4 Disabling Cookies

Cookie usage is pre-selected in many browsers, and users can change this selection status from the browser settings, thus deleting existing cookies and rejecting future cookie usage; in fact, if cookie usage is cancelled, some features in the Company systems may not be available.

The method for changing cookie usage preferences varies depending on the browser type and can be learned from the relevant service provider at any time.

4. ENFORCEMENT AND UPDATES

This Policy will enter into force on the date it is approved by the Company’s Board of Directors. Any changes to the Policy will enter into force after the approval of the Company’s General Manager. The Policy is normally reviewed and updated once a year. However, the Company reserves the right to review this Policy and, if necessary, update, change or eliminate the Policy and create a new Policy in line with changes in legislation, changes in a referenced technical standard, the Personal Data Protection Board’s procedures and/or decisions, and court decisions. The Company’s Board of Directors has the authority to decide on the repeal of the Policy.

Privacy Internal Policy

A. SCOPE