About

Personal Data Processing And Protection Policy

1. INTRODUCTION

Within the framework of this Personal Data Protection and Processing Policy (“Policy”), the principles adopted in the personal data processing activities carried out by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. and the basic principles adopted by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş.’s compliance with the regulations set forth in the Personal Data Protection Law No. 6698 (“Law”) regarding its data processing activities, thereby informing data subjects about the legal provisions and general principles adopted by our Company.

Your personal data are processed and protected under this Policy with the full awareness of our responsibilities in this regard.


2. PURPOSE OF POLICY

The main purpose of this Policy is to set out the principles of personal data processing activities carried out by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. in accordance with the law and the protection of personal data, and to ensure transparency by informing and educating individuals whose personal data is processed by our company.


3. SCOPE OF THE POLICY

This Policy concerns your personal data processed by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. The principles governing the processing of personal data and personal health data, the purposes and conditions of processing such data, its transfer within and outside the country, its destruction, and the application and principles regarding your rights over the processed data are set out below.


4. ACCESS AND UPDATE

The policy is published on our Company’s website and made available to the relevant persons upon request of the personal data subjects. (The personal data we collect and process must be accurate and, where necessary, up to date in accordance with Article 4 of the Personal Data Protection Law No. 6698. Therefore, if there is any change in your personal data, you can notify us of your current and accurate personal information using the methods described in the Clarification Text on our website.)

Our company reserves the right to make changes in the Policy in line with the legal regulations.

If there is a conflict between the current legislation, especially the Law, and the regulations in this Policy, the provisions of the legislation shall apply.


5. DEFINITIONS 

The definitions used in this Policy are as follows:

Explicit consent

It means a consent about a specific subject based on information and expressed in free will.

Anonymization

Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Personal Data

Any information related to real person who is identified or identifiable

Processing of personal data

Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

PDP Law

Law on Protection of Personal Data No. 6698

PDP Board

Personal Data Protection Board

PDP Institution

Personal Data Protection Institution

Sensitive personal data

It means personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and the biometric and genetic data.

Data subject

The real person whose personal data is processed and who is referred to as “the relevant person” in

Data Controller

Real or legal person responsible for identifying the purposes and means of personal data processing, and installing and managing data recording system.

Data Processor

A natural or legal person who processes personal data on his behalf on the basis of the authority conferred by the data officer

Data Controllers Registry

Register of data controllers (VERBİS) kept by the Presidency under the supervision of the Personal Data Protection Board.

Data Inventory

The inventory created and detailed by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. by linking its personal data processing activities carried out in accordance with its business processes to the purposes of personal data processing, the group of recipients to whom personal data is transferred, and the relevant group of personal data subjects.


6. PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

At Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş., in accordance with the legitimate and lawful personal data processing purposes of Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş., based on one or more of the personal data processing conditions specified in Article 5 of the PDP Law and limited to these, in compliance with the general principles set forth in the PDP Law, including the principles regarding the processing of personal data specified in Article 4, and all obligations regulated by the PDP Law, and without limitation to the personal data subjects covered by this Policy (Product and Service Recipients, Potential Product and Service Recipients, Employees, Employee Candidates, Visitors, Supplier Employees, Supplier Authorized Representatives, References, Shareholders/Partners, Employee Relatives, Persons to be Contacted in Case of Emergency, Reference Persons);

  • To ensure that the relevant persons benefit from the products and services offered by our company with the fulfillment of the commercial activity requirements carried out by our company and the performance of the service,
  • To carry out the necessary works by the relevant business units of our company and to carry out the related business processes and to make reports,
  • To determine the commercial, operational and business strategies of our company; determining the appropriate products, projects and services,
  • Planning and realizing sales and marketing activities specific to you,
  • Reporting/Evaluation of Requests and Complaints
  • Ensuring the legal and commercial security of third parties who have a business relationship with our company with the products and services offered by our company and/or our dealers, following the legal processes and establishing, using and protecting the rights arising from the legislation,
  • Ensuring that our company activities are carried out in accordance with company procedures or relevant legislation,
  • Execution of the works carried out with our business partners in the sectors that differ according to the needs and management of reference relations,
  • Fulfilling the information sharing, reporting and information obligations stipulated by the Public Institution and all authorities,
  • Fulfillment of information and document retention obligations arising from legal legislation,
  • Conducting our finance, communication, market research and purchasing operations,
  • The management of our legal processes will be processed within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698 in order to provide you with better and reliable service without interruption.

Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data sources, data processing purposes, data processing processes, recipient groups to whom data is transferred, and storage periods.

In this context, Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. contains the following types of data categories, without being limited to these types.

Identity Information

Information written in your identity card; name, surname, mother’s name, father’s name, place of birth, date of birth, marital status, religion, blood type, registered province, district and neighborhood, including but not limited to the information written in your identity card.

Contact Information

Your contact data such as home phone number, mobile phone number, residence address or other address information, e-mail address requested or provided by you in order to communicate with you. Voice call recordings kept by customer representatives or call center standards.

Personal Information

·       Photocopy of ID

·       Identity register copy,

·       Certificate of Residence

·       Health report

·       Photocopy of diploma

·       Criminal record certificate

·       Passport photo,

·       Document informing the family status

·       Certificate of Military Service Status

·       Employment Contract / Service Contract,

·       SSI employment declaration

·       Your criminal record,

·       Information and documents regarding your health status.

Professional Experience

·       Information such as diploma information, courses attended, in-service training information, certificates, etc.

Bank Account Information (Finance)

·       Bank account number, IBAN number, other information related to the bank card.

Resume

·       Your education information requested by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. or provided by you, school information about your education, certificate information, education status and information about your trainings,

·       Place, date and duration information about your work experiences requested by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. or given by you, information about the job and duty you have worked before, all kinds of information about your work experiences,

·       Your photograph as stated in your resume or requested by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. or provided by you

·       Your driver’s license as stated in your resume or as requested by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. or provided by you, and the information stated on your driver’s license.

·       References listed in your resume or requested by Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. or provided by you, and information about your references.

·       Information about hobbies and interests listed in your resume.

Physical Space Security (Visitor Information)

·       Name, surname, license plate number, visiting hours, camera recording, internet access information, covid control information, person visited and other information of the visitors to the company.

Health Data

·       All kinds of health information and data received while creating the personal file (disability information, blood group information, personal health information,)

Criminal Conviction Data

·       With the criminal record document obtained while creating the personal file

Process Security

·       Transaction Security (Information such as IP addresses, website login and logout information and password),

Customer Transaction

·       Information such as call center records, invoice, promissory note, check information, information on the counter receipts, order information, request information.

Legal Action

·       Information in correspondence with judicial authorities, information in the case file, etc.

Marketing

·       Historical service information, survey, cookie records, information obtained through campaign work.

Other

·       The educational status of the relative working in the AGİ process, the certificate number of the instructor and the signature in the signature circular.


7. PRINCIPLES RELATING TO PROCESSING PERSONAL DATA

Compliance with Law

Our company carries out its personal data processing activities in accordance with the Constitution, the PDP Law and the relevant legislation, in accordance with the law and the rules of honesty. In this context, our Company carries out transactions by determining the legal bases that require the processing of personal data, takes into account the requirements of proportionality, does not use personal data other than as required by the purpose, and does not process without the knowledge of the persons.

Being accurate and up-to-date when necessary,

Our company ensures that personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data subjects and their legitimate interests. In this context, data on all categories of persons are tried to be kept up-to-date, and all kinds of administrative and technical measures are taken to ensure their accuracy and up-to-dateness.

Specific, Legitimate and Clear Purpose

Our company processes personal data only for clearly and precisely determined legitimate purposes and does not carry out data processing activities other than these purposes. The purpose for which personal data will be processed by our company is determined before the processing activity and is also processed in the “Personal Data Inventory”.

Being connected, limited and proportionate with the purpose of processing

Personal data is processed by our association to the extent necessary to achieve the specified goals. No data processing activity is performed with the assumption that it can be used later. In this context, the processes are constantly reviewed and the principle of reducing personal data is tried to be implemented.

Storage of Personal Data for as Long as Necessary and Subsequent Deletion

Our company stores personal data only for the time required by the relevant legislation or for the purpose for which it was processed. In this context, our company determines whether a period has been stipulated for the storage of personal data in the relevant legislation; if this is the case, it takes into account this period; otherwise it retains personal data for the time period required for the purpose for which they were processed. Personal data are deleted, destroyed or anonymized in the event of expiration of the period or the disappearance of the reasons requiring the processing of the data.


8. CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data may only be collected, processed or used within the scope of the legal bases specified below.

8.1. Explicit Consent

In Article 3 of the Law, explicit consent is defined as “consent regarding a specific subject, based on information and expressed with free will”. Furthermore, Article 20 of the Constitution clearly stipulates that personal data can only be processed in cases specified in the law or by express consent of the relevant person. Explicit consent is stipulated in Law No. 6698 as the reason for compliance with the basic law in terms of both sensitive personal data and non-sensitive personal data.

Articles 5, 6, 8, and 9 of the Law stipulate the conditions for data processing and the cases requiring consent. In line with these provisions, our company processes personal data by obtaining explicit consent that is freely given and verifiable (in writing, electronically, or verbally and recorded). In cases where special categories of personal data are processed, explicit consent will be obtained in writing when necessary.

Process managers who process personal data are obliged to ensure the control of the existence and validity of the explicit consent of the relevant data subject when collecting the personal data they process. In the event that it is determined that there is no explicit consent (with the following exceptions), no data processing activity will be carried out.

8.2. Processing of Personal Data Without Obtaining Explicit Consent

In the presence of one of the following conditions, it is possible to process personal data without the explicit consent of the person concerned:

  • The processing is explicitly set forth in the law,
  • In the event that it is mandatory for the protection of life or physical integrity of a person himself/herself, or any other person, who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid,
  • When it is required to process personal data of the parties of the contract provided that it is directly related to establishing or executing a contract.
  • Data processing is essential for the data controller to fulfill their legal obligations
  • It has been made public by the personal data subject themselves
  • In the event that data processing is obligatory for the establishment, use or protection of a right,
  • In the event that processing is required for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not damaged.

can be processed without explicit consent in such cases.

8.3. Processing of Sensitive Personal Data

Our company shows special sensitivity in the processing of sensitive personal data, which is more critical for the protection of data subjects in various aspects. In this context, such data are not processed without the explicit consent of the data subjects, provided that adequate measures are taken as determined by the Board. However, it can be processed without explicit consent provided that adequate measures are taken and in the presence of the following reasons:

  • The processing is explicitly set forth in the law,
  • In the event that it is mandatory for the protection of life or physical integrity of a person himself/herself, or any other person, who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid,
  • Relating to personal data made public by the data subject and in accordance with the data subject’s intention to make it public,
  • In the event that data processing for the establishment, exercise or protection of any right,
  • Necessary for the purpose of the protection of public health, the execution of preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation of confidentiality or authorized institutions and organizations,
  • It is mandatory to fulfill legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance,
  • It is possible for foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes to be directed to their current or former members and members or to persons who are in regular contact with these organizations and formations, provided that they comply with the legislation and purposes they are subject to, are limited to their fields of activity and are not disclosed to third parties.

In all cases where sensitive personal data needs to be processed, the PDPL Committee will be informed.


9. TRANSFER OF PERSONAL DATA

Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. may transfer the personal data of the data subjects to third parties and institutions within the scope of the personal data processing conditions specified in Articles 5 and 6 of the PDP Law No. 6698 and limited to the purposes specified in this Policy, in accordance with Articles 8 and 9 of the PDP Law.

The scope of the persons to whom the transfer is made and the purposes of data transfer are specified above and in the clarification text. Persons and institutions to which the transfer is made;

Your personal data can be transferred to our business partners at home and/or abroad, our affiliates, consultants, shareholders or solution partners, other group companies, suppliers, insurance companies, notaries, banks and financial institutions, consultancy companies that we receive support in areas such as law, tax, etc., legally authorized public institutions and private persons, our service providers that we receive support in the fields of storage, archiving, information technology support (server, hosting, software, cloud computing, etc.) that process personal data at home and/or abroad on behalf of our company, –


10. RIGHTS OF DATA SUBJECTS

Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. shall respond to the requests of the relevant persons whose personal data it processes within the scope of the following rights within 30 days:

  • The right to learn whether personal data is being processed,
  • Request information if their personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used in line with their purpose,
  • To know the third parties to whom personal data are transferred domestically or abroad,
  • To request correction of the personal data processed incompletely or inaccurately and to request the provision of the information on the transaction performed under this scope to the third parties to whom the personal data are transferred,
  • Where reasons for processing personal data are disappeared, although these were processed in accordance with the provisions of PDP Law and other related laws, to request the deletion or destruction of her/his personal data and to request the provision of the information on the transaction performed under this context to third parties to whom such personal data are transferred,
  • To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively in care of automated systems,
  • In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

Data subjects can apply within the scope of the above-mentioned rights with the information and documents that will determine their identity and with the methods specified below or with other methods determined by the Personal Data Protection Board with the PDPL application form on the website.

11. CONFIDENTIALITY and DATA SECURITY MEASURES

Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. and all of the personal data processed within the scope of Article 12 of the Law are confidential and all necessary technical and administrative measures in order to ensure the appropriate level of security for the purpose

  • a) To prevent illegal processing of personal data,
  • b) To prevent illegal access of personal data,
  • c) To enable personal data protection,

stipulated in Article 12 of the Law are taken.

11.1. Technical Measures for Ensuring Lawful Processing of Personal Data and for Preventing Unlawful Access to Personal Data

Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. has taken all kinds of technical and technological security measures to protect your personal data and protects your personal data against possible risks. For example;

  • Network security and application security are ensured.
  • Security measures are taken within the scope of supply, development and maintenance of information technology systems.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Access logs are kept regularly.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
  • Personal data is backed up and the security of the backed-up personal data is also ensured.
  • Personal data is reduced as much as possible.
  • User account management and authority control system are implemented and also followed-up.
  • Encryption is performed. Systems containing personal data are accessed by using a user name and password.


11.2. Administrative Measures Taken to Ensure the Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data

  • A management framework has been established to initiate and control the information security operation and implementation within the organization.
    • The PDPL Committee and the Contact Person have been appointed and their job descriptions have been determined.
    • PDPL Application channels have been determined.
    • Infringement, claim/complaint management workflows have been determined.
  • Principles, policies and procedures regarding the processing and protection of personal data have been determined.
    • Data Processing and Retention Policy has been created.
    • Policy on Processing and Protection of Personal Data has been established.
    • Policy on Sensitive Personal Data Security has been established.
  • Current risks and threats have been identified within the scope of the processed personal data.
  • Training and awareness raising activities on data security are carried out for employees at regular intervals.
  • Roles and responsibilities and job descriptions related to data security have been determined to ensure that employees and contractors are aware of and fulfill their information security responsibilities.
  • For employees, there is a disciplinary process that will be activated if they do not comply with the security policy, main principles and procedures.
  • Confidentiality commitments are made.
  • Clarification text has been published for employees, customers, suppliers, etc.
  • The processes that require explicit consent are determined and implemented.
  • Internal periodic and/or random audits are carried out and commissioned. It addresses privacy and security weaknesses revealed as a result of audits.
  • It is evaluated whether there is a need for the aforementioned personal data in terms of the purpose of processing, and personal data is reduced as much as possible.
  • In the event that the data is obtained unlawfully by others, the necessary measures are taken by the employees to notify the relevant person and the Board as soon as possible.

11.3. Measures to be Taken in Case of Unlawful Disclosure of Personal Data

In the event that personal data is obtained by others through unlawful means, our Company will notify the relevant data subject and the Board as soon as possible (within maximum of 72 hours).

12. DATA PROCESSING ACTIVITIES CARRIED OUT FOR OUR GUESTS;

Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. collects and processes personal data for the purpose of ensuring security and for other purposes specified in this Policy. Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. provides internet access to visitors who request it while they are in our offices, buildings, and facilities, and log records are stored.

Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. processes personal data for the purpose of ensuring security by monitoring guest entries and exits with security cameras in Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. buildings. No monitoring is carried out in areas where privacy is highly important.

When collecting the identity data of persons visiting the buildings of Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. as guests, or through texts posted at Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. or made available to guests in other ways, the owners of the personal data in question are informed within this scope.

Data obtained for the purpose of tracking guest arrivals and departures is processed solely for this purpose, and relevant personal data is recorded in a data recording system in physical and electronic environments within the framework of legitimate interests.

13. DISPOSAL OF PERSONAL DATA (DELETION, DESTRUCTION AND ANONYMIZATION)

 In accordance with Article 138 of the Turkish Penal Code, Article 7 of the PDP Law, and the “Regulation on the Erasure, Destruction, and Anonymization of Personal Data” issued by the Authority; even if the personal data has been processed in accordance with the relevant legal provisions, if the reasons necessitating its processing no longer exist, Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. may delete, destroy, or anonymize the personal data at its own discretion or upon the request of the data subject. Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. has established a Policy in accordance with the provisions of the Regulation, and data is destroyed in accordance with this Policy depending on the nature of the data. In accordance with this regulation, Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. has determined periodic destruction dates, and a calendar has been created according to which periodic destruction will be carried out at various intervals upon the commencement of the obligation.

14. EXECUTION

Foe the execution of this Policy, Desi Kimya Madencilik İnşaat Turizm San. ve Tic. A.Ş. has established a management structure to ensure that it acts in accordance with the regulations of the PDP Law.

15. EFFECTIVE DATE OF THE POLICY

This Policy entered into force on 01.07.2022 and was updated on 16.07.2024.

Annex:

Choose your language

Message Sent Successfully.

Your request has been successfully received.
Our team will contact you as soon as possible. Thank you.

Return to Homepage