Blog
Information on Personal Data Protection;
CNG CENGİZ TEDARİK FOREIGN TRADE ANONYMOUS COMPANY
PERSONAL DATA PROTECTION POLICY
Effective Date: June 25, 2020
This Personal Data Protection Policy contains our policies regarding the personal data processed by our company, CNG CENGİZ TEDARİK FOREIGN TRADE ANONYMOUS COMPANY, as the data controller, while providing services.
TABLE OF CONTENTS
1. ABBREVIATIONS USED IN OUR POLICY 3
2. PURPOSE OF OUR POLICY 4
3. SCOPE OF OUR POLICY 4
4. IMPLEMENTATION OF OUR POLICY 4
5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA 4
6. PROTECTION OF SPECIAL NATURE OF PERSONAL DATA 5
7. PERSONAL DATA PROCESSING POLICY 5
7.1. Personal Data Processed 5
7.2. Principles to be Followed Regarding the Processing of Personal Data 6
7.2. Purposes for Our Company’s Processing of Personal Data 6
7.2.1 Conditions 6
7.2.2 Purposes 7
8. TRANSFER OF PERSONAL DATA 8
8.1 Transfer of Personal Data Domestic 8
8.2 Transfer of Personal Data Abroad 9
8.3 Institutions and Organizations to Which Transfers Are Made 9
9. PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT BUILDING ENTRANCES, WITHIN BUILDINGS, AND WEBSITE VISITORS 9
10. RIGHTS OF INDIVIDUALS WHOSE PERSONAL INFORMATION IS PROCESSED BY THE COMPANY 10
11. STORAGE OF PERSONAL DATA 10
12. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE STORAGE OF PERSONAL DATA 11
13. PERSONAL DATA DELETION, DESTRUCTION, ANONYMIZATION, AND DESTRUCTION 11
14. PERSONAL DATA SUBJECT EXERCISE OF THEIR RIGHTS 12
15. CASES WHERE THE PERSONAL DATA SUBJECT CANNOT EXERCISE THEIR RIGHTS 13
16. OTHER MATTERS 13
17. KVKK DATA SUBJECT INFORMATION APPLICATION FORM
ABBREVIATS USED IN OUR POLICY
KVKK: Personal Data Protection Law No. 6698 and related legislation, published in the Official Gazette No. 29677, dated April 7, 2016
GDPR: EU (European Union) General Data Protection Regulation
Constitution: Law No. 7, published in the Official Gazette No. 17863, dated November 9, 1982 Constitution of the Republic of Turkey, Law No. 2709, dated 1982
Data Processor: The person who processes personal data within the Data Controller’s organization or on behalf of the Data Controller, excluding the person or unit responsible for the technical storage, protection, and backup of data.
Data Subject/Relevant Person/Relevant Persons: The natural person whose personal data is processed, such as employees, customers, business partners, shareholders, officials, potential customers, prospective employees, interns, visitors, suppliers, employees of institutions with which the Company and/or its subsidiaries/affiliates have commercial relationships, third parties, and other persons, including but not limited to those listed above.
Data Controller: The natural or legal person responsible for establishing and managing the data recording system, determining the purposes and means of processing personal data.
Explicit Consent: Consent given on a specific subject, based on informed consent, and freely given.
Destruction: Deletion, destruction, or anonymization of personal data.
Recording Medium: Any medium containing personal data processed by fully or partially automated means, or non-automated means provided that it is part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Personal Data: Data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing its use, whether fully or partially automated, or non-automated means provided that it is part of any data recording system. Anonymizing Personal Data: Making personal data inaccessible or reusable, even by matching it with other data, in no way linked to an identified or identifiable natural person.
Deletion of Personal Data: Deletion of personal data; rendering personal data inaccessible and reusable for the relevant users.
Destruction of Personal Data: The process of rendering personal data inaccessible, irretrievable, and reusable by anyone.
Periodic Destruction: The process of deletion, destruction, or anonymization to be carried out ex officio at repeated intervals in the event that all of the processing conditions for personal data specified in the law cease to exist.
Regulation on the Deletion, Destruction, or Anonymization of Personal Data: Published in the Official Gazette No. 30224 dated October 28, 2017
Regulation on the Deletion, Destruction, or Anonymization of Personal Data, which entered into force on January 1, 2018.
Personal Data Protection Board / Board: Personal Data Protection Board
Personal Data Protection Authority: Personal Data Protection Authority
Company: CNG CENGİZ TEDARİK FOREIGN TRADE LIMITED COMPANY
PURPOSE OF OUR POLICY
The purpose of this document is to regulate the methods and principles to be followed by our company to ensure the processing and protection of personal data in compliance with the Personal Data Protection Law (KVKK), published in the Official Gazette dated April 7, 2016 and numbered 29677. In this context, to ensure transparency by informing those whose personal data is processed by our company, particularly our employees, prospective employees, customers, potential customers, suppliers, business partners, company shareholders and officials, visitors, employees, shareholders, and officials of institutions we collaborate with, and third parties.
SCOPE OF OUR POLICY
This Policy document applies to all activities conducted by our Company regarding the processing and protection of personal data. It applies to all personal data processed by our Company, whether automatically or non-automatically, provided that it is part of a data recording system, of our employees, prospective employees, customers, potential customers, suppliers, business partners, company shareholders, company officials, visitors, employees, shareholders, and officials of institutions we collaborate with, and third parties.
APPLICATION OF OUR POLICY
Relevant applicable legislation will be the primary application in the processing and protection of personal data. In the event of a conflict between the provisions of the legislation and the policy, our Company agrees that the current legislation will prevail.
In accordance with Article 12 of the Personal Data Protection Law, as the data controller, we take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the preservation of personal data.
ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
Our company conducts a risk analysis to determine what personal data constitutes and the risks that may arise regarding the protection of this data. In accordance with Article 12 of the Personal Data Protection Law, we take the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the preservation of personal data. The main measures taken are listed below.
All activities carried out by our company have been analyzed in detail across all business units, and a process-based personal data processing inventory has been prepared as a result of this analysis. Risky areas within this inventory are identified, and the necessary legal and technical measures are continuously monitored.
Personal data processing activities carried out by our company are monitored using information security systems, technical systems, and legal methods. Our company has established provisions regarding confidentiality and data security in the employment contracts signed during the recruitment process and requires employees to comply with these provisions.
Employees are regularly informed and trained on personal data protection law and the necessary measures taken in accordance with this law. Employee roles and responsibilities have been reviewed and job descriptions revised accordingly.
The personal data processing carried out by our company and its subcontractors is subject to compliance with the personal data processing requirements stipulated by the Personal Data Protection Law (KVKK). An information security commitment has been added to and signed in the contracts signed with these parties. The contracts signed by the Company have been reviewed in accordance with the Personal Data Protection Law (KVKK), and necessary changes have been made. An information security commitment has been added to the contracts signed with these parties and mutually signed.
Appropriate technical measures are being taken in line with technological advancements, and these measures are periodically reviewed, updated, and renewed.
Access authorizations are limited, and these authorizations are regularly reviewed. Employees who change positions or leave their jobs have their authorizations in this area limited.
The technical measures taken are regularly reported to the relevant authorities, and risk-posing issues are reviewed, and efforts are made to develop the necessary technological solutions.
Virus protection system
Software and hardware, including security systems and firewalls, are installed.
Backup programs are used to ensure the secure storage of personal data.
Security systems are used for storage areas, technical measures taken are periodically reported to the relevant parties as required by internal audits, and risky issues are re-evaluated and necessary technological solutions are developed.
Files/printouts stored physically are stored in physically locked or secured areas and destroyed in accordance with established procedures following the expiration of the retention period.
Data whose retention period has expired is destroyed.
Data masking is implemented when necessary.
The company’s systems are being brought into compliance with the EU General Data Protection Regulation (GDPR).
To protect against any personal data security breaches, crisis and reputation management have been discussed, and processes for informing the Personal Data Protection Board and the relevant person have been designed within this scope.
Information and explicit consent texts have been prepared, and the natural persons whose personal data is processed by our company have signed them. The technical and administrative measures recommended by the Authority have been reviewed, and the necessary administrative and technical measures have been taken to ensure the security of the personal data processed by our Company.
PROTECTION OF SENSITIVE PERSONAL DATA
Our Company undertakes the necessary activities to ensure the security of sensitive personal data and takes all technical and administrative measures to comply with legal requirements and the adequate measures determined by the Board to ensure the lawful processing of this data.
PERSONAL DATA PROCESSING POLICY
Processed Personal Data
Our company processes certain personal data (such as your identification data such as name, surname, Turkish ID No., date of birth, and place of birth; contact data such as address, email address, and phone number; data required for personal files such as occupation, education, and residence address; vehicle license plate, visual recordings, biometric data, visitor records, financial information, health information, location, and dress code data) in accordance with the Personal Data Protection Law and our legal obligations in order to fulfill our company’s activities and legal obligations. This personal data will be processed and stored, where permitted by law, based on the legal processing reason or your explicit consent, and with information security measures in place, provided that it is not used outside the purposes and scope set forth in this Personal Data Protection Policy.
Principles Regarding the Processing of Personal Data
All personal data processed by our Company is processed in accordance with the Personal Data Protection Law (KVKK) and relevant legislation. In accordance with Article 4 of the KVKK, the Company processes personal data in accordance with the law and principles of integrity, in an accurate and, where necessary, up-to-date manner, for specific, clear, and legitimate purposes, and in a purpose-related, limited, and proportionate manner:
Processing in Accuracy and in Accuracy: The Company acts in accordance with the principles established by legal regulations and the general principle of trust and integrity in the processing of personal data. In this context, the Company takes into account the requirements of proportionality in the processing of personal data and does not use personal data for purposes other than those required for the purpose.
Ensuring Accuracy and Up-to-Dateness of Personal Data: The Company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data subjects and its own legitimate interests.
Processing for Specific, Clear, and Legitimate Purposes: The Company clearly and precisely defines the legitimate and lawful purpose of processing personal data. The Company processes personal data in connection with the products and services it offers and to the extent necessary for these purposes. The purpose for which personal data will be processed is determined by the Company before any personal data processing activity begins.
Relationship, Limitation, and Proportionality to the Purpose of Processing: The Company processes personal data in a manner suitable for achieving the specified purposes and avoids processing personal data that is not relevant or necessary to achieve the purpose.
Retention for the Period Stipulated in Relevant Legislation or Necessary for the Purpose of Processing: The Company retains personal data only for the period stipulated in relevant legislation or necessary for the purpose of processing. In this context, the Company first determines whether a retention period for personal data is stipulated in the relevant legislation. If a retention period is specified, it complies with this period. If no retention period is specified, it retains personal data for the period necessary for the purpose of processing. Upon expiration of this period or the elimination of the reasons requiring processing, personal data is transferred to the Company.
It is deleted, destroyed, or anonymized by the Company.
Our Company’s Purposes for Processing Personal Data
In accordance with Article 10 of the Personal Data Protection Law, our Company informs data subjects when collecting personal data. In this context, we inform data subjects about the identity of the Company and its representative, if any, the purposes for which personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of data subjects under Article 11 of the Personal Data Protection Law.
Our Company processes personal data limited to the following conditions within the personal data processing conditions specified in Articles 5 and 6 of the Personal Data Protection Law and for the following purposes.
Conditions:
Except for personal data related to health and sexual life, the Company’s relevant activity in processing personal data is expressly prescribed by law.
The processing of personal data by the Company is directly related to and necessary for the establishment or performance of a contract. During the pre-contract phase, personal information may be processed for the purpose of preparing an offer, preparing a purchase form, or meeting the data subject’s requests related to the outcome of the contract. During the contract preparation process, data subjects may be contacted based on the information they provide.
Example: Obtaining the name and contact information of the authorized person of the contracting company.
Processing personal data is also permitted if the processing is necessary for the Company to fulfill its legal obligations; personal data is requested, required, or permitted by law. Data processing must be necessary for legally permitted data processing activities in terms of type and scope and must comply with relevant legal provisions.
Example: Submitting information requested by a court order to the court.
Provided that personal data has been made public, the Company may process it for limited purposes.
Example: If a person expresses interest in purchasing a product with certain features on a website and provides their phone number, their data may now be processed without their explicit consent, but only to this extent. Within this framework, individuals wishing to sell a vehicle of this type will be able to contact the relevant person without the need for consent.
The processing of personal data by the Company is necessary for the establishment, exercise, or protection of the rights of the Company, the individuals whose data is processed, or third parties.
Example: Storing and using evidentiary data (sales contract, invoice) when necessary.
The processing of personal data is necessary for the Company’s legitimate interests, provided that it does not violate the fundamental rights and freedoms of the individuals whose data is processed. Personal data may also be processed when the Company has a legitimate interest.
Legitimate interests include interests consistent with law, morality, and decency, as well as financial interests.
Examples of situations where the Company has a legitimate interest in processing personal data include using storage, hosting, maintenance, and support services for the purpose of collecting receivables, avoiding breaches of contractual and legal obligations, and providing technical and security IT services. The Company may process employees’ personal data as a basis for their promotions, salary increases, or social benefits, or for the distribution of tasks and roles during the restructuring of the company, provided that their fundamental rights and freedoms are not violated. Fundamental principles regarding the protection of personal data will be adhered to, and the balance between the interests of the data controller and the data subject will be observed.
If the Company’s personal data processing is necessary to protect the life or physical integrity of the data subject or another person, and if the data subject is unable to provide consent due to a practical impossibility or legal invalidity,
Example: A fainted customer’s blood type information is provided to doctors by their friends.
Special personal data, other than those related to the data subject’s health and sexual life, may be processed in the cases stipulated by law:
Example: Processed by persons under a confidentiality obligation or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and financing.
If the above-mentioned conditions are not met; To process personal data, the Company, either directly or through its customers, seeks the explicit consent of data subjects.
Purposes:
Our Company processes personal data for the purposes of ensuring the legal, technical, and commercial-business security of the Company and the individuals who have a business relationship with the Company;
The Company’s purpose is to carry out the necessary work and related business processes by our relevant business units to carry out the commercial activities; to plan and execute the Company’s commercial and/or business strategies; and to plan and execute the Company’s human resources policies and processes, etc., but is not limited to the following:
Determining and implementing company strategies and ensuring the implementation of our company’s human resources policies.
To ensure the implementation of our human resources policies, the Company provides the following services: recruiting suitable personnel for open positions in accordance with the Company’s human resources policies; conducting human resources operations in accordance with the Company’s human resources policies; fulfilling obligations within the framework of Occupational Health and Safety and taking the necessary measures.
To ensure the services offered by the Company are performed by the relevant business units; providing independent auditing, accounting services, and consulting services, etc., performed by the Company or outsourced. Performance of services,
Administrative operations related to communication, auditor independence, risk management, and quality control, carried out to ensure the legal and commercial security of the Company and its business partners,
Relationship management, account management, internal financial reporting, and provision of information technology (IT) services (including storage, hosting, maintenance, support, and use of a central distributed server system).
Processes and operations carried out to determine and implement the Company’s commercial and business strategies, including financial operations, communications, market research, and social responsibility activities, and execution of purchasing operations (requests, offers, evaluations, orders, budgeting, and contracts).
Determination and implementation of the Company’s commercial and business strategies, internal system and application management,
Planning, auditing, and executing information security processes, establishing and managing the information technology infrastructure,
Planning and executing employee satisfaction and/or loyalty processes, planning and executing employee benefits and benefits, planning and executing employee information access rights, monitoring and/or managing employees’ work activities. Auditing,
Following up on financial, accounting, and legal affairs,
Planning and executing market research activities for the sales, marketing, and/or promotion of business activities and services,
Planning and executing access rights for business partners and/or suppliers to information, and managing relationships with business partners and/or suppliers,
Planning and executing corporate communication activities, planning and/or executing corporate risk management activities, planning and executing corporate sustainability activities, and planning and executing corporate governance activities,
Planning and executing customer relationship management processes, planning and/or monitoring customer satisfaction processes, and monitoring customer requests and/or complaints,
Fulfilling obligations arising from employment contracts and/or legislation for company employees,
Ensuring the security of company assets and/or resources,
Planning and executing external training activities,
Planning and executing necessary operational activities to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation,
Ensuring the accuracy and accuracy of data Ensuring that the data is up-to-date,
Planning and executing talent and career development activities,
Providing information to authorized individuals and/or organizations as required by legislation,
Creating and monitoring visitor records, and ensuring the security of the company’s campus and facilities.
Preserving information regarding data required to be stored pursuant to relevant legislation and fulfilling legal obligations,
Executing and monitoring the company’s legal affairs,
TRANSFER OF PERSONAL DATA
Transfer of Personal Data Domestically
The Company is responsible for acting in accordance with the KVKK (Personal Data Protection Law), the decisions made by the KVKK Board, and relevant regulations regarding the transfer of personal data.
Personal data and sensitive data belonging to the data subjects cannot be transferred by the Company to other natural persons or legal entities without the explicit consent of the data subject. However, in cases mandated by the KVKK and other laws, data may be transferred to authorized administrative or judicial institutions or organizations without the explicit consent of the data subject, in the manner and within the limits stipulated in the legislation.
In addition, transfer is possible without the consent of the data subject in cases stipulated in Articles 5 and 6 of the Law. Our company processes personal data in accordance with the conditions stipulated in the Law and other relevant legislation, and by taking all security measures specified in the legislation, if there is an existing signed contract with the data subject, and in accordance with the contract and the Law or
Unless otherwise regulated by other relevant legislation, our Company may transfer personal data to third parties located in Turkey and to other companies within the Company’s network. Our Company obtains explicit consent from individuals whose data is transferred domestically.
Transfer of Personal Data Abroad
Our Company may transfer personal data to third parties in Turkey, as well as to third parties abroad, for processing in Turkey or for processing and storage outside Turkey, including outsourcing, in accordance with the conditions stipulated in the Law and other relevant legislation as described above, and by taking all security measures stipulated in the legislation. If there is an existing signed contract with the data subject, it may also transfer data abroad, unless otherwise stipulated in the contract, the Law, or other relevant legislation.
In exceptional cases where explicit consent is not required for the transfer of personal data as specified in the KVKK, in addition to the conditions for processing and transfer without consent, the requirement that the country to which the data is to be transferred has adequate protection is also required. The Personal Data Protection Board will determine whether adequate protection is provided. In the absence of adequate protection, data controllers in both Turkey and the relevant foreign country must undertake in writing to provide adequate protection and obtain the approval of the Personal Data Protection Board. Our Company obtains explicit consent from the individuals whose data is processed.
Transfer Institutions and Organizations
Information requested by public legal entities under their respective legislation is shared in accordance with Article 8 of the Personal Data Protection Law. Other persons or organizations to whom personal data may be transferred for the purposes specified above are: subsidiaries and/or domestic/international organizations from which we receive services, collaborate, and are program partners under relevant contracts to carry out activities as direct/indirect domestic/international companies, relevant public institutions and organizations, relevant department heads, and other third parties.
PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT BUILDING ENTRANCES, WITHIN BUILDINGS, AND WEBSITE VISITORS
Our Company conducts personal data processing activities in building corridors and offices in accordance with the Constitution, the Personal Data Protection Law, and other relevant legislation. To ensure security, our Company monitors corridors and offices in buildings where workplaces are located using security cameras. Additional recordings are also kept at entrances for guests’ security purposes.
Our Company conducts personal data processing activities through security cameras, door cards, facial recognition systems, biometric data processing, and registration at entrances to improve the quality of the service provided, ensure its reliability, ensure the safety and security of the company, data subjects, employees, and other individuals, and protect the legitimate interests of these individuals.
The Company’s primary purpose in maintaining video camera surveillance is to ensure security and is limited to the purposes listed in this policy. Accordingly, the monitoring areas, number of security cameras, and the timing of monitoring are implemented in a manner sufficient to achieve the security objective and limited to this purpose. Individuals’ privacy is not monitored in areas that could result in an intrusion beyond their security objectives. The Company takes the necessary technical and administrative measures in accordance with Article 12 of the Personal Data Protection Law.
Access to records recorded and maintained digitally is granted to a limited number of Company employees and subcontractor security personnel. Individuals with access to the records are obligated to maintain the confidentiality of the data within the framework of a confidentiality agreement or information security commitment.
RIGHTS OF PERSONS WHOSE PERSONAL INFORMATION IS PROCESSED BY THE COMPANY
Individuals whose personal data is processed by our Company may apply to our Company in accordance with the procedures specified in this policy and request the following:
To learn whether personal data has been processed,
To request information if personal data has been processed,
To learn the purpose of processing personal data and whether it is being used in accordance with its intended purpose,
To know the third parties to whom personal data has been transferred, whether domestically or internationally,
To request correction of personal data if it is incompletely or incorrectly processed,
To request the deletion or destruction of personal data if the reasons requiring processing no longer exist, even though it has been processed in accordance with the relevant law,
To request notification of the actions taken pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
To request the processing of processed data exclusively through automated systems.
Objecting to a conclusion to one’s detriment through the analysis of personal data through automated systems, for example, an employee’s right to object to an automated system’s analysis of their performance and work, and its evaluation based on the analysis results, will be considered within this scope.
In the event of damages incurred due to unlawful processing of personal data, the employee has the right to demand compensation for the damages.
STORAGE OF PERSONAL DATA
Our company stores and destroys personal data belonging to employees, job candidates, visitors, and employees of third parties, institutions, or organizations with which we engage as service providers, in accordance with the Law. Detailed explanations regarding storage and destruction are provided below.
Article 3 of the Law defines the concept of processing personal data. Article 4 stipulates that personal data processed must be relevant, limited, and proportionate to the purpose for which they are processed, and must be retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. Articles 5 and 6 list the conditions for processing personal data. Accordingly, personal data obtained within the scope of our company’s activities is stored for the period stipulated in relevant legislation or in accordance with our processing purposes. Personal data processed within our company within the scope of our activities is stored for the period stipulated in relevant legislation. In this context, personal data; Personal Data Protection Law No. 6698, Turkish Code of Obligations No. 6098, Public Procurement Law No. 4734, Civil Servants Law No. 657, Social Security and General Health Insurance Law No. 5510, Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through Such Publications, Public Financial Management Law No. 5018, Occupational Health and Safety Law No. 6331, Law No. 4982 on Access to Information, Law No. 3071 on the Exercise of the Right to Petition, Labor Law No. 4857, Higher Education Law No. 2547, Retirement Health Law No. 5434, Social Services Law No. 2828, Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes, Regulation on Archive Services
Other legal regulations and in accordance with these laws These data are stored for the retention periods stipulated under other applicable secondary regulations.
Our company retains personal data processed within the scope of its activities for the periods specified in relevant laws, including for the purposes of conducting recruitment and human resources processes, ensuring corporate communication, protecting the interests of the data controller and ensuring company security, performing tasks and transactions as a result of signed agreements and protocols, identifying the preferences and needs of employees, data controllers, contact persons, data controller representatives, and data processors within the scope of the Personal Data Protection Law (KVKK), adjusting the services provided accordingly and updating them if necessary, ensuring the fulfillment of legal obligations as required or mandated by legal regulations, maintaining contact with natural and legal persons who have a business relationship with the company, producing legal reports, fulfilling the burden of proof in future legal disputes, ensuring occupational health and safety, ensuring physical premises security, and for other reasons specified in the law and necessary for the conduct of business.
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE STORAGE OF PERSONAL DATA
Our Company takes technical and administrative measures to ensure the secure storage of personal data, to prevent unlawful processing and access, and to lawfully destroy personal data, within the framework of adequate measures determined and announced by the Board for special personal data pursuant to Article 12 of the Law and the fourth paragraph of Article 6 of the Law.
DELETION, DESTRUCTION, ANONYMIZATION, AND DESTRUCTION OF PERSONAL DATA
In accordance with Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data will be deleted, destroyed, or anonymized upon the Company’s own decision or upon the request of the data subject, even though it has been processed in accordance with the relevant legal provisions, if the reasons requiring processing no longer exist. In cases where our company has the right and/or obligation to preserve personal data in accordance with relevant legislation, we reserve the right not to fulfill the data subject’s request.
When personal data is processed by non-automated means, provided that it is part of a data recording system, the system of physically destroying the data in a manner that prevents its subsequent use is implemented when the data is deleted/destroyed. When the company contracts with a person or organization to process personal data on its behalf, the personal data is transferred to that person or organization.
It is securely deleted, irretrievably, and irretrievably.
Our Company adheres to the following principles when storing and destroying personal data:
a. We fully comply with the Law and relevant legislative provisions, Board decisions, and this Policy regarding the deletion, destruction, and anonymization of personal data.
b. All actions related to the deletion, destruction, and anonymization of personal data are recorded by the Company, and these records are retained for at least 3 (three) years, excluding any other legal obligations.
c. Unless otherwise decided by the Board, we select the appropriate method for deleting, destroying, or anonymizing personal data ex officio. However, upon the request of the Data Subject, the appropriate method will be selected, with an explanation of the reason.
d. If all of the processing conditions for personal data stipulated in Articles 5 and 6 of the Law cease to be met, the Company will delete, destroy, or anonymize personal data ex officio or upon the request of the Data Subject. If the Data Subject contacts the Company regarding this matter, requests submitted will be responded to within 30 (thirty) days at the latest. If the data subject to the request has been transferred to a third party, this will be notified to the third party to whom the data has been transferred, and the necessary procedures will be carried out with the third party.
Data subjects’ personal data is stored by our Company, within the limits specified in the Law and other relevant legislation, particularly for (i) the continuation of commercial activities, (ii) the fulfillment of legal obligations, and (iii) the planning and implementation of employee rights and fringe benefits.
Regarding personal data processed by our Company within the scope of our activities and legal obligations, the retention periods for all personal data within the scope of our processes are listed in the Personal Data Processing Inventory; and the retention periods for data categories are recorded in the VERBIS registry.
Updates to these retention periods are made by the Personal Data Protection Commission, if necessary. For personal data whose retention periods have expired, the Personal Data Protection Commission will perform the deletion, destruction, or anonymization process ex officio.
In accordance with relevant legislation, our company has set the periodic destruction period as 6 months. Accordingly, our company carries out periodic destruction processes every June and December. All transactions related to the deletion, destruction, and anonymization of personal data are recorded, and these records are retained for at least 3 (three) years, excluding any other legal obligations.
EXERCISE OF THE RIGHTS OF THE PERSONAL DATA SUBJECT
As a personal data subject, you can submit your requests regarding your rights listed above, along with information and documents that will allow us to identify you, by completing and signing the Application Form available at www.zelglobal.com, to CNG Cengiz Tedarik Dış Tic. Ltd. Şti. Bağyurdu Yeni Mah. Ova Yolu Küme Evleri No.78-A /1 Kemalpaşa – İZMİR. You can submit the application form to our company’s Human Resources department with a signature, or send it to us at info@zelglobal.com with the subject line “KVKK Application.” For third parties to submit an application on behalf of personal data subjects, the data subject must have a special power of attorney issued through a notary public in the name of the applicant.
If the personal data subject submits their request to our company, the request will be finalized within thirty days at the latest, depending on the nature of the request. If the transaction requested by the personal data subject requires an additional cost, a fee as determined by the Board may be requested separately. If the application is due to the data controller’s error, the fee will be refunded to the data subject.
Our company may request information and documents from the data subject to determine whether the applicant is the personal data subject. Our company may ask the data subject questions regarding their application to clarify the matters included in the personal data subject’s application.
Our company may reject an applicant’s application, explaining the reason, in the following cases:
Processing of personal data for purposes such as research, planning, and statistics, after anonymization by official statistics.
Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights, or constitute a crime.
Processing of personal data for purposes of ensuring national defense, national security, public safety, public order, or economic security, in accordance with the law.
v and processing within the scope of preventive, protective, and intelligence activities carried out by authorized public institutions and organizations.
Processing of personal data by judicial authorities or enforcement authorities in connection with investigation, prosecution, trial, or execution proceedings.
The processing of personal data is necessary for the prevention of crime or for criminal investigation.
Processing of personal data made public by the personal data subject.
The processing of personal data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or prosecutions, by authorized public institutions and organizations and professional organizations with public institution status, based on the authority granted by law.
The processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax, and financial matters.
The request of the personal data subject is likely to impair the rights and freedoms of other persons.
The requests require disproportionate effort.
The requested information is publicly available.
CASES IN WHICH PERSONAL DATA SUBJECTS CANNOT ASK FOR THEIR RIGHTS
Personal data subjects cannot assert their rights listed above, as the following situations are excluded from the scope of the Personal Data Protection Law, pursuant to Article 28 of the Personal Data Protection Law:
Processing of personal data for purposes such as research, planning, and statistics, after being anonymized by official statistics.
Processing of personal data for artistic, historical, literary, or scientific purposes, or for freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life, or personal rights, or constitutes a crime.
Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security.
Processing of personal data by judicial authorities or enforcement authorities in connection with investigations, prosecutions, trials, or executions.
Pursuant to Article 28/2 of the KVKK, personal data subjects cannot assert their other rights listed in Article 9, excluding the right to claim compensation for damages, in the following cases:
The processing of personal data is necessary for the prevention of a crime or for a criminal investigation.
The processing of personal data made public by the data subject.
The processing of personal data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or prosecutions, by authorized public institutions and organizations, or professional organizations with public institution status, based on the authority granted by law.
The processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax, and financial matters.
OTHER MATTERS
In the event of any inconsistency between the provisions of the KVKK and other relevant legislation and this Policy, the provisions of the KVKK and other relevant legislation will prevail.
This Policy, prepared by our company, the data controller, has entered into force in accordance with the decision of the Company’s Board of Directors.
CNG CENGİZ TERTARİK FOREIGN TRADE ANONYMOUS COMPANY
DATA SUBJECT INFORMATION APPLICATION FORM
Dear Applicants,
The protection of personal data, a constitutional right, is of the utmost importance to our company. Personal data subjects (“Applicants”), defined as the relevant person in Law No. 6698 on the Protection of Personal Data (“PDP Law”), are granted the right to make various requests regarding the processing of personal data by Article 11 of the PPD Law. Applications regarding these rights must be submitted to our Company, the data controller under the PPD Law, in writing or through other methods determined by the Personal Data Protection Board (“Board”).
Your applications submitted to us in writing through the channels below will be processed free of charge within 30 days of your request’s receipt by our Company, in accordance with Article 13 of the PPD Law. However, if the process requires additional costs, you may be charged the fee specified in the tariff determined by the Board.
IDENTITY AND CONTACT INFORMATION OF THE PERSONAL DATA SUBJECT
The personal data you submit under this form is collected solely for the purpose of evaluating and finalizing your application, and contacting you. Data processing is not permitted for any other purposes.
Data Controller: CNG CENGİZ TEDARİK FOREIGN TRADE ANONYMOUS COMPANY
Applicant’s Name and Surname:
Turkish Republic Identity Number:
Phone Number:
Address:
Email Address:
KEP ADDRESS (If Applicable):
Your Relationship with Our Company:
(Customer, visitor, business partner, prospective employee, former employee, third-party company employee, shareholder, etc.)
Company
Is Your Relationship with Us Still Continuing?
INFORMATION REGARDING THE RIGHTS TO BE EXERCISED BY THE PERSONAL DATA SUBJECT
(Please check the boxes next to the statement that applies to your request)
I would like to know whether your company processes personal data.
If you process personal data, I would like information about these data processing activities.
If you process personal data, I would like to know the purpose of processing and whether it is used in accordance with the purposes for which it was processed.
If my personal data is being transferred to third parties, domestically or internationally, I would like to know who these third parties are.
I request that my personal data be rectified because it is incomplete or inaccurate.
Even though my personal data has been processed in accordance with the legislation, I request that my personal data be erased.
I also request that my personal data, which I believe to be incomplete or inaccurate, be rectified by the third parties to whom it was transferred.
I also request that my personal data, which I request to be erased, be erased by the third parties to whom it was transferred.
I believe that my personal data processed by your company has been analyzed exclusively through automated systems, and that this analysis has resulted in a conclusion detrimental to me. I object to this conclusion.
Other: …………………………..
DESCRIPTION ABOUT THE REQUEST:
METHOD OF OUR RESPONSE TO YOUR APPLICATION
Sent to my address.
Sent to my email address.
I will receive it in person when you provide information by phone.
APPLICANT’S DECLARATION
This application form has been prepared to identify your contact with our company, CNG Cengiz Tedarik Dış Ticaret Limited Şirketi, and to identify your personal data, if any, processed by our company, so that we can provide an accurate and timely response to your application. To prevent errors and ensure the security of your personal data, our company reserves the right to request additional documents and information (copy of your ID card or driver’s license, etc.) for identification and authorization. Our company is not responsible for any legal or criminal liability arising from the information regarding your requests within this application form that is not accurate or up-to-date, or from unauthorized applications, or from unlawful, misleading, or false applications.
APPLICATIONS
(Please indicate any documents you wish to attach to your application.)
APPLICATION PROCEDURE
You can submit your written application by completing this form by mail, with a wet signature, to our company’s headquarters, CNG Cengiz Tedarik Dış Tic. Ltd. Şti., Bağyurdu Yeni Mah. Ova Yolu Küme Evleri No.78-A /1 Kemalpaşa – İZMİR. You can send it in person to our company’s Human Resources department head with a signature, or to us at info@zelglobal.com with the subject line “KVKK Application.”
Personal Data Subject
Name and Surname:
Application Date:
Signature:
Persons Applying on Behalf of Someone Else
(Persons applying on behalf of someone else must attach documents proving their authority to apply (notarized power of attorney, etc.) to their application.)
Name and Surname:
Application Date:
Signature:
Thank you.
CNG CENGİZ TEDARİK FOREIGN TRADE ANONYMOUS COMPANY
Address: Bağyurdu Yeni Mahalle, Ova Yolu, Küme Ev No: 78 A, İç Kapı No: 1, Kemal Paşa / İzmir
Phone: 0232 880 60 06
