PDPL Personal data retention and disposal policy

Telephone +90 (224) 482 36 35 - +90 (224) 493 20 66
Fax +90 (224) 215 03 96
E-mail info@meha-automotive.com
Address Hasanağa Organize Sanayi Bölgesi, Hosab Sanayi Cad. No:34 Nilüfer/Bursa/TÜRKİYE
Central registration system number 0613072638400011
Tax Office Çekirge Tax Office
Tax Number 6130726384
Trade registration number 76534
Contents

  • 1. Introduction
  • 2. Aim
  • 3. Scope
  • 4. Abbreviations and definitions
  • 5. Responsibilities and duties
  • 6. Settings for recording of personal data
  • 7. General principles for processing of personal data 
  • 7.1. Privacy Policy
  • 7.2. General principles
  • 8. Conditions for processing of personal data 
  • 9. Conditions for processing of special categories of personal data
  • 10. Legal reason for collecting and processing of personal data
  • 10.1. Processing of personal data
  • 10.2. Personal data processing inventory
  • 11. Principles regarding personal data retention and disposal
  • 11.1. Personal data retention
  • 11.2. Legal reasons for personal data retention
  • 11.3. Processing purposes for personal data retention
  • 11.4. Reasons for personal data disposal
  • 12. Technical and administrative measures regarding the personal data retention and disposal
  • 12.1. Technical measures
  • 12.2. Administrative measures
  • 13. Definitions of techniques for personal data disposal
  • 13.1. Personal data deletion
  • 13.2. Personal data destruction
  • 13.3. Personal data anonymization
  • 14. Personal data retention and disposal periods
  • 15. Responsibility of the data controller to disclosure
  • 16. Ownership rights over personal data (The Right to petition)
  • 16.1. The right to petition of personal data owner
  • 16.2. Procedure, time and principles for the data controller to respond to applications
  • 16.3. The right of the personal data owner to a complaint with the Board
  • 17. Cases in which the personal data owner cannot declare his/her rights (exceptions)
  • 18. Inspection period and periodic personal data disposal
  • 19. Periods for deletion and destruction upon the petition of the related person
  • 20. Publication, retention, and updating of the policy
  • 21. Enforcement and repeal of the policy

The contents of this policy cannot be partially or completely copied, reproduced, used elsewhere, or published without permission. Otherwise, legal remedies will be sought against the relevant natural or legal persons under the Law on Intellectual and Artistic Works No.5846. All rights to the document are reserved. Characteristic expressions are used in the text.


1. Introduction


As Meha Metal Döküm Sanayi Ticaret Limited Şirketi (“Company”), and limited to our field of activity, we attach the utmost importance to processing and preserving, in accordance with the Personal Data Protection Law No.6698 (PDPL), the personal data of all individuals with whom we are in a legal relationship: customers, suppliers, service providers, managers and employees, business partners, affiliates, company partners, personnel, employee candidates, interns, visitors, employees of public institutions and organizations and of private law legal entities, and relevant third parties. For this purpose, our company takes the necessary administrative and technical measures in accordance with the legal regulations and the decisions taken.

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No.108) was opened for signature in Strasbourg on January 28, 1981, entered into force on October 1, 1985, and was signed by our country on January 28, 1981. The Convention was incorporated into our domestic law by publication in the Official Gazette dated March 17, 2016 and numbered 29656. Accordingly, the Personal Data Protection Law ("PDPL") entered into force upon publication in the Official Gazette on April 7, 2016. Within the legislation of the European Union (EU), the protection of personal data is regulated by the General Data Protection Regulation (GDPR).

This policy and its annexes on the processing, retention, and disposal of personal data have been prepared by MEHA METAL DÖKÜM SANAYİ TİCARET LİMİTED ŞİRKETİ, in its capacity as data controller, in accordance with the Personal Data Protection Law No.6698 ("Law"), the relevant legislation, and the Regulation on the deletion, destruction, or anonymization of personal data.

2. Aim


This policy, prepared by our company MEHA METAL DÖKÜM SANAYİ TİCARET LİMİTED ŞİRKETİ to fulfill the compliance process with the PDP Law, is intended to ensure that the personal data of customers, suppliers, service providers, managers and employees, business partners, company partners, personnel, employee candidates, interns, visitors, employees of public institutions and organizations and of private law legal entities, and relevant third parties are processed in line with the basic principles written below, the decisions published by the PDP Authority, and the principles determined by the T.C. Constitution, International Conventions, the Personal Data Protection Law No.6698, and the relevant legislation, and that the related persons can exercise their rights effectively. Work and operations regarding the retention and disposal of personal data are carried out in accordance with this policy.

3. Scope


This policy covers all personal data of customers, suppliers, service providers, managers and employees, business partners, affiliates, company partners, personnel, employee candidates, interns, visitors, employees of public institutions and organizations and of private law legal entities, and relevant third parties that are processed by our company, by automated or non-automated means, in all recording environments within the scope of company activities.


4. Abbreviations and definitions

Consent: Freely given affirmative action on a specific subject, based on information.

Recipient group: The category of natural or legal persons to which personal data are transferred by the data controller.

Anonymization: The process by which personal data are rendered anonymous in such a way that the individual is not, or is no longer, identifiable, even by matching with other data.

Employee: An employee of Meha Metal Döküm Sanayi Ticaret Limited Şirketi.

Employee candidate: A person who applies for a job by filling out the job application form on the internet page or by coming to the workplace in person.

Electronic environment: Environments where personal data can be created, read, changed, and disseminated by electronic devices.

Non-electronic environment: All environments other than electronic environments; written, printed, visual media, etc.

Service provider: The natural or legal person providing services to the company within the framework of a certain contract.

Related user: Persons who process personal data within the organization of the data controller, or upon authorization and instructions received from the data controller, other than the person or department responsible for the technical storage, protection, and backup of personal data.

Related person: The natural person whose personal data are processed.

Recording medium: Any environment in which personal data are kept that are processed wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system.

Personal data: Any information relating to an identified or identifiable natural person.

Personal data processing inventory: The inventory in which data controllers detail their personal data processing activities according to their business processes, together with the purposes and legal grounds of processing, the data categories, the recipient groups to whom the data are transferred, the data subject groups, the maximum retention period required for the processing purposes, the personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security.

Processing of personal data: Any operation performed on personal data, wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system, such as collecting, recording, retaining, storing, altering, adapting, disclosing, transferring, retrieving, making available for collection, categorizing, or preventing the use thereof.

Law: Personal Data Protection Law No.6698.

Board: Personal Data Protection Board.

Authority: Personal Data Protection Authority.

Personal Data Protection Committee: The unit, formed by decision of the Company's Board of Directors and consisting of more than one member, responsible for the protection and processing of personal data and for supervision and surveillance.

Personal Data Contact Person: The natural person notified, during registration with the Registry, by a data controller that is a natural or legal person established in Turkey, or by the representative of a data controller that is a natural or legal person not established in Turkey, for communicating with the Authority regarding obligations within the scope of the Law and the secondary legislation prepared under it.

Anonymization of personal data: The process by which personal data are rendered anonymous in such a way that the individual is not, or is no longer, identifiable, even by matching with other data.

Personal data disposal: Deletion, destruction or anonymization of personal data.

Personal data deletion: The process of making personal data inaccessible and unavailable to the related users.

Personal data destruction: The process of making personal data inaccessible, non-retrievable and unavailable to any person in any way.

Special categories of personal data: Data revealing racial or ethnic origin, political opinions, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership of associations, foundations or unions, health-related data, sex life, criminal convictions and security measures, and biometric and genetic data.

Periodic Disposal: The deletion, destruction or anonymization process, determined in the personal data retention and disposal policy, that is carried out periodically ex officio when all of the conditions for processing laid down in the Law no longer exist.

Policy: Personal Data Processing, Retention and Disposal General Policy.

Interns: Students who receive practical vocational training and work in the company for this purpose.

Trainee Candidate: Students applying to the company for an internship.

Company: Meha Metal Döküm Sanayi Ticaret Limited Şirketi.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller upon its authorization.

Data filing system: The filing system in which personal data are processed by being structured according to specific criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

Data Controllers’ Registry Information System: The information system, accessible through the Internet and established and managed by the Presidency, that data controllers use for registration with the Registry and for other operations related to the Registry.

VERBIS: Data Controllers’ Registry Information System.

Board of Directors: The Company’s Board of Directors.

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated October 28, 2017.


5. Responsibilities and duties


To ensure the necessary coordination within the company in establishing, preserving and maintaining compliance with personal data protection legislation, in accordance with the PDP Law No.6698 and the relevant legislation, the duties and responsibilities of the company's data contact person have been defined, the necessary decisions have been taken, and the relevant parties have been notified. Additionally, a contact person has been appointed by the data controller to carry out the PDPL process in compliance with the Law No.6698, to perform the necessary controls, to ensure coordination between departments, to manage the retention and disposal processes, to make the information systems technically compliant with the PDPL, and to communicate with the PDP Authority. The personal data contact person and the responsible departments implement the technical and administrative measures taken within the scope of this policy in all environments where personal data are processed, in order to increase the training and awareness of the personnel of the relevant units, to prevent the unlawful processing of and access to personal data, and to ensure that personal data are stored in accordance with the Law.


6. Settings for recording of personal data

In its capacity as data controller, our company keeps personal data in the following environments: servers, software, personal computers, mobile devices such as phones and tablets, optical disks, removable disks and other electronic media; and, in non-electronic media, paper records, personnel files, job application forms, contracts between the company and third parties, and manual data recording systems (survey forms, visitor forms, personal data kept in written, printed and visual media, unit cabinets, archive rooms).

Personal data are retained in accordance with the PDP Law No.6698, the relevant legislation and international data security principles. Personal data that are recorded, stored, altered, adapted or made the subject of any other operation, wholly or partially by automated means, or by non-automated means provided that they form part of a data recording system, are processed and retained by our company.


7. General principles for processing of personal data

7.1. Privacy policy
As explained in this policy, the data of both employees and of all persons whose personal data are connected with our company are confidential. Within the scope of this policy and the measures taken, no one may use, reproduce, copy or transfer to others the data of individuals for any other purpose, except in the cases specified in the Law, and such data may not be used for purposes other than those determined by the policies.

7.2. General principles
Personal data processed by our company are processed in accordance with the principles in Article 4 of the PDP Law No.6698. Personal data are processed, protected, deleted, and disposed of by the company in accordance with the procedures and principles defined in the Law and with the following principles:

  • Lawfulness and fairness.
  • Being accurate and kept up to date where necessary.
  • Being processed for specified, explicit and legitimate purposes.
  • Being relevant, limited and proportionate to the purposes for which they are processed.
  • Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.


8. Conditions for processing of personal data

Personal data processed by our company are processed in accordance with the conditions in Article 5 of the PDP Law No.6698. Personal data shall not be processed without the explicit consent of the data subject. Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

  • It is expressly provided for by the laws (lawfulness).
  • It is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person who is unable to express his/her consent due to physical disability or whose consent is not deemed legally valid (factual impossibility).
  • Processing of the personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract (contract performance).
  • It is necessary for compliance with a legal obligation to which the data controller is subject (legal responsibility).
  • The personal data have been made public by the data subject himself/herself (publicity).
  • Data processing is necessary for the establishment, exercise or protection of any right (obligation).
  • Processing is necessary for the legitimate interests pursued by the data controller, provided that this processing does not violate the fundamental rights and freedoms of the data subject (legitimate interest).


9. Conditions for processing of special categories of personal data

Special categories of personal data processed by our company are processed in accordance with the principles in Article 6 of the PDP Law No.6698. Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance and clothing, membership of associations, foundations or trade unions, data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data are deemed to be special categories of personal data. Accordingly, it is prohibited to process special categories of personal data without the explicit consent of the data subject. The personal data listed in Article 6/1, except for data concerning health and sexual life, may be processed without seeking the explicit consent of the data subject in the cases provided for by laws.

Personal data concerning health and sexual life may only be processed without seeking the explicit consent of the data subject by persons subject to a secrecy obligation or by competent public institutions and organizations, for the purposes of:

  • Protection of public health,
  • Preventive medicine,
  • Medical diagnosis, treatment and nursing services,
  • Planning and management of health-care services as well as their financing.

In the processing of special categories of personal data, our company follows Law No.6698 and the relevant legislation and takes the adequate measures determined by the Board.

10. Legal reason for collecting and processing of personal data

Personal data are collected in accordance with the relevant legislation, laws, regulations and communiqués in force, including: International regulations, the Constitution, Personal Data Protection Law, Code of Obligations, Labor Law, Turkish Commercial Code, Tax procedural law and related financial legislation, Customs Law, Customs Regulation, Foreign Trade Legislation, Turkish Criminal Law, Turkish Code of criminal procedure, Law on the regulation of publications on the internet and suppression of crimes committed by means of such publications, Regulation of the procedures and principles regarding the law on the regulation of publications on the internet, Regulation on the privacy and handling of personal health data, Law on the regulation of electronic commerce, Electronic signature law, Electronic communication law, Regulation on the processing of personal data and protection of confidentiality in the electronic communication sector, Regulation on service providers and intermediary service providers in electronic commerce, Regulation on commercial communication and commercial electronic messages, Law of police powers, Turkish statistical law, Social security institution law, Law regarding the prevention of laundering of crime revenues, Regulation on trade registry, Regulation on private employment offices, Regulation on internet sites to be opened by companies with shared capital, Communiqué on processes and technical criteria related to the registered electronic mail system, and Regulation on internal systems of banks. They are collected and processed for the purposes below, and only to the extent limited to these purposes, on the basis of explicit consent, of the legal liability arising from the legislation, of the establishment and performance of contracts with our company, of the personal data having been made public, of the processing being necessary for the establishment, exercise or protection of a right, or of the legitimate interests pursued by the data controller, provided that this processing does not violate the fundamental rights and freedoms of the data subject.

10.1. Processing of personal data
  • Identity information (Turkish/Foreign Identity Number, name and surname, place and date of birth, mother's and father's name, marital status, gender, passport, family registration license, marriage license, driver's license, information provided on the vehicle license document, identity document or other identifying information from the identity sharing system)
  • Contact information (residence address, phone number, e-mail address)
  • Location information (information of your current location, address information)
  • EDP Security (IP address, ID number, website login and logout information, passcode and password information)
  • Personnel information (employment contract, education, diploma information, certificate information, SSI employment entry, notice of dismissal, GHI entry information, identity information written on the family status declaration, dependents, spouse, child proximity information, the identity registration information of family members, embezzlement certificate received according to the nature of the job, work certificate, resignation, termination, severance, and payment in lieu of notice, payroll information, disciplinary investigation information, SSI registry number, service scheme, resume information, leave information, personnel performance evaluation reports, work accident information, information in the job application form, references, information about the letter of recommendation, bank account information, IBAN number information)
  • Information about legal operations (personal information in correspondence with judicial authorities, bank account information, case and enforcement files, information notified to lawyers, arbitral tribunals, mediators and relevant public institutions and organizations within this scope)
  • Information about operating with customer, supplier, service providers (name, surname, Turkish identity number, identity information, address, e-mail, telephone, bank account information, check, warrant, payment, finance, authorized signatory list information)
  • Physical space security information (customers, suppliers, service providers, managers and employees, company partners, group company's manager and employees, personnel, employee candidates, visitors' entrance and exit camera recording information, security entry-exit information kept in forms)
  • Financial information (balance sheet information, financial performance information, credit and risk information, assets information, bank account information, information on customs procedures, personal information in foreign trade-related and notified forms)
  • Information about work experience (education information, diploma information, working life, reference information, courses attended, in-service training information, certificates, driver's license information, other information kept in forms)
  • Visual records (photo information on filled, printed forms, documents and official identity documents, photos taken when necessary within the scope of job application and company activities, in fairs, advertisements, marketing events, company campaigns, website, social media accounts or third-party social media channels, shared photos, your images in camera recordings)
  • Health information (health status information of employees and employee candidates written in the job application form, health reports of employees, periodic examination information, medication information, blood group, personal health and physical disability status information, medical board report)
  • Information about criminal conviction and security measures (criminal record, conviction, judicial status information)
  • Appearance and clothing information (height, weight, size number of clothing, footwear number)
  • Risk management data (personal data collected by the company during business operation, vehicle license, trade registry information)
  • User name, password, other personal information added to the system, electronically recorded on the company's website.
  • Information about complaints or requests submitted through the website, social media accounts, or call services and the actions taken during the evaluation and management of the process
  • Information obtained through corporate call services, personal information obtained by e-mail, letter, or other communication tools

Following Article 20 of the Constitution and Article 4 of the PDP Law, personal data are processed and protected for the purposes and legal reasons stated above.


10.2. Personal data processing inventory

Personal data are processed based on the personal data processing inventory, which is defined in Article 5/1 of the Regulation and is mandatory to prepare; the inventory must contain the issues and information listed in the relevant legislation. The personal data processing inventory created by our company is updated periodically.

11. Principles regarding personal data retention and disposal

With this policy prepared by our company, personal data of customers, suppliers, service providers, managers and employees, business partners, affiliates, company partners, personnel, employee candidates, interns, visitors, employees of public institutions and organizations and private law legal entities, and relevant third parties, are retained and disposed of, following the relevant legislation, procedure and law.

11.1. Personal data retention

The processing of personal data is defined in Article 3 of the Law No.6698; Article 4 requires that processed personal data be relevant, limited and proportionate to the purpose for which they are processed and be kept for the period required by the relevant legislation or for the purpose for which they were processed; and the conditions for processing personal data are listed in Articles 5 and 6 of the Law No.6698. As explained in detail earlier in this policy, personal data within the scope of company activities are retained, with administrative and technical measures taken, for the period required by the relevant legislation or for as long as necessary for our processing purposes.

11.2. Legal reasons for personal data retention

With this policy, personal data processed within the scope of our company's activities are kept and retained for the periods written in the relevant legislation, including: International Conventions to which we are a party, Constitution, Personal Data Protection Law, Code of Obligations, Turkish Commercial Code, Labor Law, Manufacturing Industry Legislation, Environmental Law and legislation, Turkish Criminal Law, Turkish Code of criminal procedure, Tax procedural law and related financial legislation, Law on the regulation of publications on the internet and suppression of crimes committed by means of such publications, Regulation of the procedures and principles regarding the law on the regulation of publications on the internet, Regulation on the privacy and handling of personal health data, Law on the regulation of electronic commerce, Electronic signature law, Electronic communication law, Regulation on the processing of personal data and protection of confidentiality in the electronic communication sector, Regulation on service providers and intermediary service providers in electronic commerce, Regulation on commercial communication and commercial electronic messages, Law of police powers, Turkish statistical law, Social security institution law, Law regarding the prevention of laundering of crime revenues, The Communiqué on electronic general assembly meeting system applicable to general assembly meetings of Joint Stock companies, Regulation on trade registry, Regulation on private employment offices, Regulation on internet sites to be opened by companies with shared capital, Communiqué on processes and technical criteria related to the registered electronic mail system, Regulation on patient rights, and Regulation on internal systems of banks. Personal data collected in accordance with the legislation, laws, regulations and communiqués in force are stored, within the scope of company activities, for the periods specified in the laws above to which the individuals are subject, for the retention periods written in the secondary regulations, and for the statute of limitations for the offences stipulated in the laws.

Additionally, the personal data retention and disposal periods not defined by law have been defined by this policy, by decision of the authority, taking into account the statutes of limitations defined in criminal law and in private law, disputes that have occurred or may occur with third parties with whom the company is in legal contact, the company's organizational memory and its commercial business and activities, the legitimate interest of the company, and the performance processes of contracts made or to be made with the relevant data owners.

11.3. Processing purposes for personal data retention

The company retains the personal data it processes for the purposes below, in accordance with the relevant legislation and limited to company activities. Accordingly, the processing purposes that require retaining personal data are set out below.

  • Developing the company's products and services, continue corporate development activities.
  • To continue the company's finance and accounting business.
  • To continue commercial activities and service procurement transactions of company with third parties.
  • Carrying out legal obligations within the scope of company activities.
  • Planning and executing human resources business operations, fulfilling job and internship application processes.
  • Creating personnel files, fulfilling financial obligations.
  • Making and executing the contracts and protocols that the company has made or will make with its customers, suppliers, employees, and related third parties with whom it has legal relations.
  • Continuing marketing activities.
  • Ensuring corporate communication with the company.
  • To ensure the corporate quality of the company, to ensure security of the related persons.
  • To carry out the work and transactions, processes before the PDP Authority within the scope of the PDP Law.
  • To provide communication and conversation with natural and legal persons with whom the company has legal relations within the scope of company activities.
  • Following the legislation; to make necessary legal notifications to the relevant public institutions and organizations.
  • The company's obligation to provide evidence in legal disputes between the company and third parties.
  • Ensuring corporate and personal development through participation in training, seminars, or events organized by the company.
  • Contacting our company, continuing the processes necessary for using our website in connection with company activities, using the company's contact information for communication, and filling in the forms on our website.
  • Providing security of company buildings and premises, controlling company building entrance-exits of customers, suppliers, service providers, managers and employees, business partners, company partners, personnel, employee candidates, interns, visitors, employees of public institutions and organizations and private law legal entities, and relevant third parties.

Your personal data will be processed in accordance with the conditions and purposes determined in Articles 5 and 6 of the Law. Personal data will not be used for any purpose other than the company's activities.

11.4. Reasons for personal data disposal

Personal data are deleted, destroyed, or anonymized by the company, in accordance with the procedures and principles defined in the policy, law, and regulation, upon the request of the related person made by filling out the application form, for the reasons stated below:

  • In the event that the purpose for which personal data is to be processed or stored by the company no longer exists.
  • Changing or repealing the provisions of the relevant legislation, which is the basis for the processing of personal data.
  • In cases where the processing of personal data by the company is based on the condition of explicit consent and  the related person withdraws their explicit consent.
  • Following Article 11 of the PDP Law No.6698, the application of the related person regarding the deletion and destruction of personal data within the scope of their right to petition to the company is accepted by the PDP Authority.
  • In cases where the PDP Authority rejects the application made by the related person with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time period designated by the Law No.6698; and a complaint is made to the PDP Board and this request is found correct by the PDP Board.
  • Following relevant legal regulation, the maximum period for keeping the personal data has passed and there is no reason left to keep the personal data.

12. Technical and administrative measures regarding the personal data retention and disposal

Within the scope of the regulations determined by this policy, and in order to retain personal data safely and duly, to prevent their unlawful processing, to prevent unlawful access to them, to prevent data leaks, and to dispose of personal data in accordance with the Law, the requirement that "adequate measures determined by the Board must be taken in the processing of special categories of personal data", set out in Article 6/4 of PDP Law No.6698 for the special categories of personal data regulated in Article 6, is observed. In line with the adequate measures determined and announced by the PDP Board under Article 12 to ensure the security of personal data, the following technical and administrative measures are taken by the company in its capacity as data controller.

The administrative and technical measures are described in detail on the PDP Authority's website https://www.kvkk.gov.tr. These measures are listed in Table 1.

TABLE 1 Technical and Administrative Measures

Technical Measures
  • Authority Matrix
  • Authority Control
  • Access Logs
  • User Account Management
  • Network Security
  • Application Security
  • Encryption
  • Penetration Test
  • Intrusion Detection and Prevention Systems
  • Log Records

Administrative Measures
  • Preparing personal data processing inventory
  • Corporate Policies (Access, Information Security, Use, Retention and Disposal, etc.)
  • Corporate Policies (between Data Controller and Data Controller, Data Controller and Data Processor)
  • Privacy Commitments
  • In-House Periodic and/or Random Audits
  • Risk Analysis
  • Employment Contract, Disciplinary Regulation (Addition of Legal Provisions)
  • Corporate Communication (Crisis Management, Board and Contact Information Processes, Reputation Management, etc.)
  • Education and Awareness Activities (Information Security and Law)
  • Notification to the Data Controllers Registry Information System (VERBIS)


12.1. Technical Measures
Regarding the technical measures stated in the table above and announced by the PDP Authority, the following necessary measures have been taken by the company in its capacity as data controller.

TABLE 2 Technical Measures Taken

  • The Data Processing Unit has prepared a PDPL Technical Measures Analysis Report regarding the technical measures and the precautions to be taken.
  • As a result of on-site and real-time analyses regarding information security, risks and threats that would affect the continuity of information systems have been identified and are continuously monitored.
  • Access to information systems and authorization of users is done through access and authorization matrix and security policies.
  • Necessary measures are taken for the physical security of the company's information systems equipment, software and data.
  • To ensure the security of information systems against external threats, the necessary precautions are taken: an access control system that allows only authorized personnel to enter the server room, a 24/7 camera monitoring system, physical security of the edge switches that make up the local area network, a fire extinguishing system and an air conditioning system; and hardware measures such as firewalls, intrusion prevention systems, network access control, and systems that block malicious software.
  • Risks that could lead to the unlawful processing of personal data are identified, technical measures regarding these risks are taken, and routine and non-routine technical controls are carried out on the measures taken.
  • Access procedures are established within the company, and analysis and reporting studies regarding access to personal data are carried out.
  • Access to the storage areas of personal data is recorded, and inappropriate access or access attempts are kept under control.
  • The company uses the necessary software and hardware to ensure that deleted personal data cannot be accessed or reused by the related users.
  • In the event that personal data are obtained unlawfully by others, the necessary policies for notifying the relevant person and the Board have been established by the company.
  • Strong passwords are used in electronic environments where personal data are processed. Security vulnerabilities are monitored and information systems are kept up-to-date.
  • Secure record-keeping (logging) systems are used in electronic environments where personal data are processed. Data backup programs are used to keep personal data safe.
  • Access to personal data stored in electronic or non-electronic media is limited according to access principles.
  • Special categories of personal data security training has been provided for employees involved in special categories of personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
  • Adequate security measures are taken for the physical environments where special categories of personal data are processed, retained, and/or accessed, and unauthorized entries and exits are prevented by ensuring physical security.
  • If special categories of personal data need to be transferred via e-mail, they are transferred in encrypted form from a corporate e-mail address or by using a KEP (registered electronic mail) account. If they need to be transferred via media such as portable memory, CD, or DVD, they are transferred by taking the necessary technical and security measures. If the transfer is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers. If they need to be transferred via paper media, they are sent by taking the necessary precautions against risks such as theft, loss, or viewing of the document by unauthorized persons.

12.2. Administrative Measures

Regarding the administrative measures stated in the table above and announced by the PDP Authority, the following necessary measures have been taken by the company in its capacity as data controller.

TABLE 3 Administrative Measures Taken
  • Necessary training is provided to improve the qualification of employees, to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, to ensure the protection of personal data, and to raise awareness.
  • Confidentiality agreements are signed by the employees regarding the activities carried out by the company.
  • An internal disciplinary directive has been prepared to be applied for employees who do not comply with security policies and procedures.
  • Before starting to process personal data, the company fulfills its obligation to inform the related persons. Separate policies regarding this have been created and communicated to the relevant parties.
  • Personal data processing inventory is prepared and necessary updates are made by the company in its capacity as the data controller.
  • Information security training is provided for employees. Periodic and random in-house audits are carried out.
  • Clarification and information texts have been prepared, and the application form has been prepared and published on the website.
  • Privacy Policy and Cookies Policy have been prepared. 
  • Personal data protection, processing, retention, and disposal policy is determined, published on the website, and implemented within the company by the PDP Committee.
  • The PDP Committee has been established, its powers and responsibilities have been determined and communicated to the relevant parties.
  • Explicit consent texts were created for each relevant group separately, and clarification texts were created for each group of people separately.
  • Studies to implement the requirements for the storage and destruction of personal data have been initiated.
  • Necessary actions have been taken to ensure compliance with the PDP Law; company contracts, and texts containing personal data have been scanned and brought into compliance with the PDPL.
  • General Risk Analysis Report on administrative measures was prepared.


13. Definitions of techniques for personal data disposal


As written about the processed personal data in the policy and personal data inventory created by our company, the period determined in the relevant legal legislation or at the end of the required retaining period for the purpose for which personal data were processed; are destroyed by the authorized departments of the company spontaneously or upon the application of the related personal data owner to our company, by the methods and techniques specified below following the PDP Law No.6698 and the provisions of the relevant legislation.

13.1. Personal data deletion
  • Personal Data on Servers: For personal data whose retention period has expired, the system administrator removes the access authorization of the related users and deletes the personal data on the servers.
  • Personal Data in Electronic Media: Personal data retained in electronic media whose retention period has expired are made inaccessible and non-reusable for all employees (related users) other than the database administrator.
  • Personal Data in the Physical Environment: Personal data kept in the physical environment whose retention period has expired are rendered inaccessible and non-reusable in any way to all employees, except for the department manager responsible for the document archive. Additionally, the data are blacked out by drawing over, painting, or erasing so that they cannot be read.
  • Personal Data in Portable Media: Personal data kept in flash-based storage media whose retention period has expired are encrypted by the system administrator and stored in secure environments, with the encryption keys accessible only to the system administrator.

13.2. Personal data destruction
  • Personal Data in the Physical Environment: Personal data kept in the physical environment whose retention period has expired are irreversibly destroyed in paper shredders.
  • Personal Data in Optical and Magnetic Media: Personal data kept in optical and magnetic media whose retention period has expired are destroyed physically, such as by melting, burning, or pulverizing. Additionally, magnetic media are passed through a special device and exposed to a high magnetic field, rendering the data on them unreadable.

13.3. Personal data anonymization

Anonymization is the process of rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

To anonymize personal data, they shall be rendered impossible to relate or associate with an identified or identifiable person, even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as recovery of the data by the data controller, recipient, or recipient groups, or matching the data with other data.

14. Personal data retention and disposal periods

Personal data processed by the company within the scope of this policy and the relevant legislation are processed, according to the category of the processed data, within the periods stipulated in the relevant legislation to which the data are subject or the periods required by the purpose of processing, following the procedures and principles determined by the PDP Law and this policy.

These periods are written in the company's Personal Data Retention and Disposal Policy and in the table below. The retention and disposal periods of personal data written in the table below have been determined taking into account the legitimate interests of the company and the establishment and execution of contracts with the related data owner, lawsuits and legal proceedings that may be filed.

TABLE 4 Personal data retention and disposal periods

| Operations | Retention period | Disposal period |
|---|---|---|
| Information about employees | 15 years from the expiry of the contract | Within 180 days after the end of the retention period |
| Employee candidates, CVs of intern candidates, information on job application forms | 2 years from the completion of the request | Within 30 days from the date of petition and 180 days from the end of the retention period |
| Interns (students) | 15 years from the beginning of the calendar year following the end of the internship | Within 180 days after the end of the retention period |
| Business partners/service providers | 10 years from the end of the contract and business relationship with the business partner/service provider | Within 180 days after the end of the retention period |
| Visitors | 2 years | Within 180 days after the end of the retention period |
| Camera recordings of visitors | 1 week | Within 30 days upon request |
| Potential customers (personal information received in accordance with the legal relationship with the company) | 2 years | Within 180 days after the end of the retention period |
| Personal data held for customers under the contract | 15 years from the end of the contract and business relationship with the business partner/service providers | Within 180 days after the end of the retention period |
| All records related to accounting and financial transactions | 15 years | Within 180 days after the end of the retention period |
| Personal data for suppliers under the contract | | Within 180 days after the end of the retention period |


15. Responsibility of the data controller to disclosure
Following the Protection of Personal Data Law No.6698 ("PDPL"), our company pays the utmost attention to the processing and protection of personal data. In its capacity as data controller, it has taken all necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the protection of personal data. Following Article 10 of the Law, policies and clarification texts covering personal data are shared with customers, suppliers, service providers, managers and employees, business partners, company partners, personnel, employee candidates, interns, visitors, employees of public institutions and organizations and private law legal entities, and relevant third parties.
Following the aforementioned clarification responsibility, the information that must be notified to the owners of personal data as listed in the law are:
  • Identity of the data controller and its representative, if any
  • For what purpose personal data will be processed
  • To whom and for what purpose the processed personal data can be transferred
  • Method and legal reason for collecting personal data
  • Petition and other rights listed in Article 11 of the PDP Law.
  • On our website you can review the clarification text prepared by our company in its capacity as data controller, following Article 10 of the Personal Data Protection Law No.6698 ("Law") and the provisions of the Communiqué on the Principles and Procedures for the Request to the Data Controller.


16. Ownership rights over personal data (The Right to petition)

16.1. The right to petition of personal data owner
Following Article 11 of the Law, everyone has the right, by applying to the data controller in relation to themselves, to:

  • Learning whether personal data is processed or not
  • If it has been processed, requesting information on personal data
  • Learning the purpose of processing personal data and whether they are used in accordance with its purpose
  • To know the third parties to whom personal data are transferred in the country or abroad
  • Requesting alteration of personal data in case of incomplete or incorrect processing
  • Requesting the deletion or destruction of personal data within the framework of the conditions defined in Article 7 of the PDPL
  • In case of alteration, deletion or destruction of personal data, requesting that the third parties to whom the personal data have been transferred be notified
  • Objecting to a result against the person that arises from the analysis of processed data exclusively through automated systems
  • The right to demand compensation for the damage in case of loss due to the unlawful processing of personal data.
16.2. Procedure, time and principles for the data controller to respond to applications
Following Article 13/1 of the PDP Law No.6698, you must submit your applications in writing or through the above-mentioned methods determined by the PDP Authority to exercise your above-mentioned rights. Our company will conclude your requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board will be charged. If the application is caused by the fault of the data controller, the fee collected is returned to the related person.
16.3. The right of the personal data owner to a complaint with the Board
In cases where the application is rejected, the answer given is insufficient, or the application is not answered in due time, the related person may file a complaint with the Board within thirty days from the date of learning the answer of the data controller and, in any case, within sixty days from the date of the application. Following Article 13 of the Law, a complaint cannot be filed before the application remedy is exhausted.
17. Cases in which the personal data owner cannot declare his/her rights (exceptions)
Following Article 28/1 of PDP Law No.6698, the matters written below are excluded from the scope of application of the law (exceptions), and personal data owners cannot claim the rights listed above in section 16.
  • Personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling, provided that the data are not disclosed to third parties and the obligations regarding data security are complied with.
  • Personal data are processed for official statistics, provided that they are anonymized for purposes such as research, planning and statistics.
  • Personal data are processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or the process doesn’t constitute a crime.
  • Personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security.
  • Personal data are processed by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.
Following Article 28/2 of the PDP Law No.6698, provided that it is in compliance with and proportionate to the purpose and fundamental principles of this Law, Article 10 regarding responsibility of the data controller to disclosure, Article 11 regarding the rights of the data subject, excluding the right to claim compensation, and Article 16 regarding the obligation to register with the Data Controllers’ Registry shall not be applied in the following cases where personal data processing:
  • Is necessary for the prevention of committing a crime or for crime investigation.
  • Is carried out on the data which are made public by the data subject himself/herself.
  • Is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and authorised public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law.
  • Is necessary for the protection of the economic and financial interests of the State related to budget, tax and financial matters.


18. Inspection period and periodic personal data disposal

The periods for ex officio deletion, destruction or anonymization of personal data are regulated in Article 11 of the Regulation as written below. Accordingly, a data controller who has issued a personal data retention and disposal policy shall delete, destroy or anonymize personal data in the first periodic disposal process following the date on which the obligation to delete, destroy or anonymize the personal data arises. The time interval for periodic disposal shall be defined in the personal data retention and disposal policy by the data controller. This time interval cannot exceed six months in any case. Data controllers who are not obliged to issue a personal data retention and disposal policy shall delete, destroy or anonymize personal data within three months following the date on which the obligation to delete, destroy or anonymize the personal data arises. Additionally, the necessary audits will be carried out by the members of the Personal Data Committee and the data controller once every 3 months, not exceeding 6 months. The Board may shorten the durations specified in this Article in the case of irreparable or impossible damages, and in the event of explicit infringement of the law.

19. Periods for deletion and destruction upon the petition of the related person

The periods for deletion and destruction of personal data upon the application of the related person are regulated in Article 12 of the Regulation as written below. Accordingly, in the event that all of the conditions for processing no longer exist, the data controller shall delete, destroy or anonymize the personal data which are subject to the request. The data controller shall act on the request of the data subject within thirty days at the latest and inform the data subject. In the event that all of the conditions for processing no longer exist and the personal data which are subject to the request have been transferred to a third party, the data controller shall notify the third party of the request and ensure that the necessary operations are performed by the third party within the scope of the Regulation. In the event that the conditions for processing have not all disappeared, the request may be rejected by the data controller in accordance with Article 13/3 of the Law, together with its justified grounds, and such rejection shall be communicated to the data subject in writing or by electronic means within thirty days at the latest.
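As an added example (not the company's own tooling and not part of the policy), the following Python encodes the retention and disposal periods of Table 4 together with the periodic disposal rule of section 18 and the thirty-day request deadline of section 19, so that the date on which each obligation arises and the periodic run that must dispose of the record can be checked against the table. The category keys, the reading of "N years" as the same calendar day N years later, and the reading of "six months" as six calendar months are assumptions.

```python
# Retention/disposal scheduler for the periods in Table 4 and sections 18-19.
# Added example, not the company's own code. Assumptions: the category keys are
# this example's labels, "N years" means the same calendar day N years later,
# and "six months" (section 18) means six calendar months.
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

REQUEST_DAYS = 30  # section 19: act on a data subject's request within 30 days

def add_years(d: date, years: int) -> date:
    """Same calendar day N years later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def add_months(d: date, months: int) -> date:
    """Same day N months later, clipped to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

@dataclass(frozen=True)
class Rule:
    years: int = 0              # retention in calendar years from the trigger date
    days: int = 0               # retention in days (camera recordings: 1 week)
    disposal_days: int = 180    # disposal window after retention ends (Table 4)
    from_next_jan1: bool = False  # interns: count from 1 Jan of the following year

# Constructed from Table 4; suppliers under contract are omitted because the
# table leaves their retention period blank.
RULES = {
    "employees": Rule(years=15),
    "employee_candidates": Rule(years=2),
    "interns": Rule(years=15, from_next_jan1=True),
    "business_partners": Rule(years=10),
    "visitors": Rule(years=2),
    "visitor_camera": Rule(days=7, disposal_days=30),  # "within 30 days upon request"
    "potential_customers": Rule(years=2),
    "contract_customers": Rule(years=15),
    "accounting": Rule(years=15),
}

def retention_end(category: str, trigger: date) -> date:
    """Date on which the obligation to delete, destroy or anonymize arises."""
    rule = RULES[category]
    start = date(trigger.year + 1, 1, 1) if rule.from_next_jan1 else trigger
    return add_years(start, rule.years) + timedelta(days=rule.days)

def disposal_deadline(category: str, trigger: date) -> date:
    """Last day of the Table 4 disposal window."""
    return retention_end(category, trigger) + timedelta(days=RULES[category].disposal_days)

def next_periodic_run(obligation: date, runs: list[date]) -> date:
    """First scheduled periodic disposal run on or after the obligation date.
    Section 18 caps the interval between runs at six months; a schedule that
    breaks the cap is rejected instead of silently used."""
    runs = sorted(runs)
    for earlier, later in zip(runs, runs[1:]):
        if later > add_months(earlier, 6):
            raise ValueError(f"interval {earlier} -> {later} exceeds six months")
    for run in runs:
        if run >= obligation:
            return run
    raise ValueError("no periodic disposal run scheduled after the obligation date")

def schedule(category: str, trigger: date, runs: list[date]) -> tuple[date, date, date, bool]:
    """(retention end, run that disposes the record, Table 4 deadline, run <= deadline)."""
    end = retention_end(category, trigger)
    run = next_periodic_run(end, runs)
    deadline = disposal_deadline(category, trigger)
    return end, run, deadline, run <= deadline

def request_deadline(received: date) -> date:
    """Section 19: act on and answer a data subject's request within 30 days."""
    return received + timedelta(days=REQUEST_DAYS)
```

The last element returned by `schedule` flags a periodic run that would land after the Table 4 window closes, which is the case an auditor checking section 18 against the table would look for.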

20. Publication, retention, and updating of the policy

This policy, prepared by the company, is published in two different media: electronically on the company's website www.meha-automotive.com, and with wet signature (printed paper). The policy will be considered to have been disclosed to the public when it is published on the website. The printed paper copy is kept in the PDP file by the Data Contact Person. This policy will be reviewed once a year at the end of each year, starting from the date of publication, within the scope of the authority and responsibilities of the designated data contact person, and the relevant sections will be updated as necessary.

21. Enforcement and repeal of the policy

This policy, written above, will be considered to have entered into force after it is published on the company's website www.meha-automotive.com.

If it is decided to repeal the policy with the approval of the data controller and the decision of the personal data contact person, the old copies of the policy bearing wet signatures are canceled and signed by the data contact person (with the cancellation stamp or by writing "cancelled" on them) and are stored in the unit by the personal data contact person for at least 5 years.

PDPL Application form

Personal Data Owner Application Form of Meha Metal Döküm Sanayi Ticaret Limited Şirketi can be accessed by clicking this link.