PERSONAL DATA PROTECTION LAW
Corporate Personal Data Protection Policy

FIN PLASTIC PRODUCTS MANUFACTURING INDUSTRY AND TRADE LIMITED COMPANY

CORPORATE PERSONAL DATA PROTECTION POLICY

Document Information

Document Name:

Personal Data Protection Policy

Document Relevance:

The purpose of the Personal Data Protection Policy, Fin Plastik Ürünleri İmalatı Sanayi Ve Ticaret

Personal data by the Limited Liability Company

planning the processes for protection and determining the principles to be applied in this regard.

Publication Date:

01.03.2023

Version No:

1

Reference / Justification:

Law No. 6698 on the Protection of Personal Data and other legislation

Approval Authority:

Fin Plastik Ürünleri İmalatı Sanayi Ve Ticaret Limited Şirketi Board of Directors

FIN PLASTIC PRODUCTS MANUFACTURING INDUSTRY AND TRADE LIMITED COMPANY

CORPORATE PERSONAL DATA PROTECTION POLICY

1. PURPOSE

The right of every individual to request the protection of personal data about him/her is a sacred right arising from the Constitution. As Fin Plastic Products Manufacturing Industry And Trade Limited Company, we accept fulfilling the requirements of this right as one of our most valuable duties. For this reason, we attach importance to the processing and protection of your personal data in accordance with the law.

As a result of the importance we attach to the protection of personal data, the Corporate Personal Data Protection Policy has been prepared in order to determine the principles and procedures we apply while processing and protecting personal data.

2. COVERAGE

The Policy covers all personal data managed by Fin Plastic Products Manufacturing Industry And Trade Limited Company and all kinds of operations performed on the data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data in whole or in part by automatic or non-automatic means provided that it is part of any data recording system.

The policy is related to all personal data of Fin Plastic Products Manufacturing Industry And Trade Limited Company partners, officials, customers, employees, supplier officials and employees, and third parties.

Fin Plastic Products Manufacturing Industry And Trade Limited Company may change the Policy for the purposes of compliance with the legislation and the decisions of the Personal Data Protection Authority and better protection of personal data.

3. DEFINITIONS

Abbreviation

Definition

Recipient Group

The category of natural or legal person to whom personal data is transferred by the data controller.

Open Consent

Consent on a specific issue, based on information and freely given.

Anonymization

Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Contact Person

The natural person whose personal data is processed.

Related User

Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction

Deletion, destruction or anonymization of personal data.

Law/P.D.P.L

Law No. 6698 on the Protection of Personal Data.

Recording Media

Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system.

Personal Data

Any information relating to an identified or identifiable natural person.

Data Inventory

Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, the data category, the group of recipients transferred and the group of data subjects, and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

Processing of Personal Data

Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Commission

The Personal Data Protection Commission established by Fin Plastic Products Manufacturing Industry And Trade Limited Company to manage the Policy and other related procedures and to ensure the enforcement of the Policy.

Board

Personal Data Protection Board.

Institution

Personal Data Protection Authority

Sensitive Personal Data

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Disposal

Deletion, destruction or anonymization to be carried out at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the Law disappear.

Politics

Personal Data Protection Policy

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
  1. GENERAL PRINCIPLES

Fin Plastic Products Manufacturing Industry And Trade Limited Company checks the compliance of the data to be processed with the following principles during the preparation phase of the workflow that requires each new personal data processing. Inappropriate workflows are not implemented.

Fin Plastic Products Manufacturing Industry And Trade Limited Company processes personal data;

  • Law and good faith
  • Ensure that personal data is accurate and, where necessary, up to date
  • Ensure that the purpose of processing is specific, explicit and legitimate
  • It checks that the processed data is related to the purpose of processing, that it is processed limited to the extent required to be processed and that it is proportionate.
  • It retains the data only for as long as stipulated in the relevant legislation or as necessary for the purpose of processing, and destroys it when the purpose of processing is no longer necessary.

5. DUTIES AND RESPONSIBILITIES

Personal Data Protection Commission has been established within Fin Plastic Products Manufacturing Industry And Trade Limited Company in order to manage this Policy and other relevant procedures regarding the processing of personal data and to ensure the enforcement of the Policy. The Commission consists of the General Manager, Accounting and Human Resources Officer, Administrative and Financial Affairs Chief and Quality-Security Chief. Fin Plastic Products Manufacturing Industry And Trade Limited Company also receives KVKK consultancy support in order to comply with the Personal Data Protection Law No. 6698 when necessary. The Commission may invite the KVKK consultant to its meetings if deemed necessary.

The duties and responsibilities of the Commission are set out below.

  • Ordinarily, it meets every 6 months. Extraordinary meetings may be convened if circumstances require (for example, in the event of a possible data breach).
  • Discusses the issues that need to be changed/improved in the Policy.
  • It determines the issues that can be fulfilled for the lawful processing and protection of personal data.
  • The Commission determines the steps that can be taken to raise awareness of KVKK within the company and among business partners.
  • Identifies the risks that may be encountered in the processing and protection of personal data and takes the necessary administrative and technical measures.
  • Provides liaison with the Institution and manages the relations.
  • Evaluates the requests received from the Relevant Person.
  • Follows periodic destruction processes
  • Updates the Data Inventory.
  • Assignments related to the above-mentioned issues

6. MEASURES TAKEN FOR DATA SECURITY

Fin Plastic Products Manufacturing Industry And Trade Limited Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, (iii) ensure the preservation of personal data.

6.1. Technical Measures

  • Network security and application security are ensured.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • Access logs are kept regularly.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Necessary security measures are taken for entry and exit to physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (fire, flood).
  • Security of environments containing personal data is ensured.
  • Personal data is backed up and the security of backed up personal data is also ensured.
  • User account management and authorization control system is implemented and monitored.
  • Log records are kept without user intervention.
  • Intrusion detection and prevention systems are used.
  • Encryption is performed.

6.2. Administrative Measures

  • Disciplinary regulations with data security provisions for employees
  • Training and awareness raising activities on data security are carried out at regular intervals for employees.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • Data masking measures are applied when necessary.
  • Confidentiality undertakings are made.
  • An authorization matrix has been created for employees.
  • The authorizations of employees who change their duties or leave their jobs are removed.
  • Signed contracts contain data security provisions.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Personal data is minimized as much as possible.
  • Internal periodic and/or random audits are conducted and commissioned.
  • Existing risks and threats have been identified.
  • Protocols and procedures for the security of sensitive personal data have been determined and implemented.
  • If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using KEP or corporate mail account.
  • Awareness of data processing service providers on data security is ensured.

7. RIGHTS OF THE DATA SUBJECT IN RELATION TO PERSONAL DATA

The relevant person may apply to Fin Plastic Products Manufacturing Industry And Trade Limited Company and make a request on the following issues:

  • Learn whether their personal data is being processed,

  • Request information if their personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • To learn the third parties to whom personal data are transferred domestically or abroad, To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data are transferred,
  • Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion, destruction or anonymization of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • To object to the occurrence of a result to your detriment by analyzing the processed data exclusively through automated systems,
  • In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

8. BREACH NOTIFICATIONS

Fin Plastic Products Manufacturing Industry And Trade Limited Company employees report to the Commission the work, action or fact that they think violates the provisions of the KVKK and / or the Policy. The Committee meets if deemed necessary following this violation notification and creates an action plan regarding the violation.

If the violation has occurred through the unlawful acquisition of personal data by others, the Commission notifies the relevant person and the Board within 72 hours within the scope of the Board’s decision dated 24.01.2019 and numbered 2019/10.

9. CHANGES

Amendments to the Policy are prepared by the Commission and submitted to Fin Plastic Products Manufacturing Industry And Trade Limited Company Board of Directors for approval. The updated Policy can be sent to employees via e-mail or published on the website.

10. EFFECTIVE DATE

This version of the Policy was approved by the Board of Directors on 01.03.2023 and entered into force.