Detrox

DETRO HEALTHCARE KİMYA SANAYİ A.Ş. PERSONAL DATA PROTECTION AND PROCESSING POLICY

CONTENTS
INTRODUCTION

  • Purpose and Scope of the Policy
  • Enforcement and Amendment

DATA SUBJECTS, DATA PROCESSING PURPOSES AND DATA CATEGORIES FOR THE PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY

  • Data Subjects
  • Purposes of Processing Personal Data
  • Personal Data Categories

PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA

  • Principles Regarding the Processing of Personal Data
  • Conditions Regarding the Processing of Personal Data
  • Conditions Regarding the Processing of Special Categories of Personal Data

TRANSFER OF PERSONAL DATA

DISCLOSURE OF DATA SUBJECTS AND RIGHTS OF DATA SUBJECTS

DELETION, DESTRUCTION OR ANONYMISATION OF PERSONAL DATA

SCOPE OF THE LAW AND LIMITATIONS ON ITS APPLICATION

INTRODUCTION

Purpose and Scope of the Policy 

This Detro Healthcare Kimya Sanayi A.Ş. (“DETROX”) Policy on the Protection and Processing of Personal Data (“Policy”), established in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”), covers the procedures and principles determined by our Company within the scope of ensuring compliance with the Law.

Our Company has adopted the principles determined within the scope of the Law in the protection and processing of personal data. This Policy regulates the issues regarding the processing of data of employee candidates, business partners, suppliers and third parties whose data are processed by our Company.

Definitions of terms used in the policy are given in Annex-1.

Enforcement and Amendment 

The Policy has entered into force within the scope of the Personal Data Protection Compliance Project carried out by the Company. The Company reserves the right to make changes to the Policy in parallel with legal regulations.

DATA SUBJECTS, DATA PROCESSING PURPOSES AND DATA CATEGORIES FOR THE PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY

Data Subjects 

Data subjects within the scope of the Policy are all natural persons other than Company employees whose personal data are processed by the Company. In this context, the categories of data subjects are as follows:

| # | DATA SUBJECT CATEGORIES | EXPLANATION |
|---|---|---|
| 1 | Person Receiving Service | Corporate companies benefiting from the services provided by our company, professionals participating in our trainings |
| 2 | Employee Candidate | Natural persons who apply for a job by sending a CV to the Company or by other methods |
| 3 | Working Family | Family members of employees working in the company |
| 4 | Business Partner | Our business partners who benefit from our services |
| 5 | Potential Service Recipient | Candidates who wish to benefit from the services offered by our company |
| 6 | Supplier Employee – Authorised | Employees and officials of the companies from which the company receives products or services |
| 7 | Third Person | OHS Expert, Auditor, Consultant |

Purposes of Processing Personal Data 

Your personal data and sensitive personal data may be processed by the Company for the following purposes in accordance with the personal data processing conditions in the Law and the relevant legislation:

  • Managing emergency management processes
  • Execution of information security processes
  • Conducting employee candidate selection and placement processes
  • Carrying out the application processes of employee candidates
  • Managing audit / ethics activities
  • Carrying out training activities
  • Execution of access authorisations
  • Execution of activities in accordance with the legislation
  • Carrying out financial and accounting affairs
  • Ensuring physical space security
  • Execution of assignment processes
  • Follow-up and execution of legal affairs
  • Conducting internal audit / investigation / intelligence activities
  • Carrying out communication activities
  • Planning of human resources processes
  • Execution / supervision of work activities
  • Receiving and evaluating suggestions for the improvement of business processes
  • Carrying out activities to ensure business continuity
  • Execution of goods / service procurement processes
  • Carrying out after-sales support services for goods/services
  • Execution of goods / service sales processes
  • Organisation and event management
  • Carrying out storage and archive activities
  • Execution of contract processes
  • Carrying out strategic planning activities
  • Follow-up of requests / complaints
  • Ensuring the security of movable property and resources
  • Execution of the remuneration policy
  • Execution of marketing processes of products/services
  • Ensuring the security of data controller operations
  • Informing authorised persons, institutions and organisations
  • Managing management activities
  • Creation and follow-up of visitor records

Personal Data Categories 

Your personal data categorised below are processed by the Company in accordance with the personal data processing conditions set out in the Law and the relevant legislation:

| PERSONAL DATA CATEGORISATION | EXPLANATION |
|---|---|
| Credentials | Name, surname, mother’s and father’s name, mother’s maiden name, date of birth, place of birth, marital status, birth certificate serial number, Turkish ID number, number plate |
| Contact Details | Information for contacting the data subject such as telephone number, address, e-mail |
| Location Information | Location information of the current location |
| Personal Information | Payroll information, Disciplinary investigation, Employment document records, Property declaration information, CV information, Performance evaluation reports, Insurance information, Employment-exit control information, Body measurements |
| Legal Process Knowledge | Information in correspondence with judicial authorities, Information in the case file, Employee salary garnishment information |
| Customer Transaction Information | Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework |
| Physical Space Security | Camera recordings taken at the entrance to the physical space and during the stay in the physical space |
| Process Security Information | Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities |
| Financial Information | Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our company with the personal data owner, bank account information |
| Professional Experience Information | Data on past professional experience |
| Marketing Information | Shopping history information, Survey, Cookie records, Information obtained through campaigns |
| Audio and Visual Recordings | All kinds of visual and audio records of our employees associated with the personal data owner (For example: photographs, camera recordings, voice recordings, etc.) |
| Family Members and Relatives | Personal information about the families of our clients (For example: name, surname, telephone, etc.) |
| Special Categories of Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data. |

PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA 

Principles Regarding the Processing of Personal Data 

Your personal data is processed by the Company in accordance with the personal data processing principles set out in Article 4 of the Law. These principles must be complied with for each personal data processing activity:

  • Processing of personal data in accordance with the law and good faith; The Company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data. It attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of data owners.
  • Accuracy and timeliness of personal data; The Company pays attention to whether your personal data processed by the Company is up to date and to carry out the relevant checks. In this context, data subjects are given the right to request correction or deletion of their inaccurate and outdated
  • Processing of personal data for specific, explicit and legitimate purposes; The Company determines the purposes of data processing before each personal data processing activity and ensures that these purposes are not unlawful.
  • Personal data being relevant, limited and proportionate to the purpose for which it is processed; Data processing activity by the Company is limited to the personal data required to fulfil the purpose of collection and necessary steps are taken to ensure that personal data not related to this purpose are not processed.
  • Retention of personal data for the period required by the legislation or processing purposes; Personal data are deleted, destroyed or anonymised by the Company after the purpose of processing personal data disappears or upon expiration of the period stipulated in the legislation.

Conditions Regarding the Processing of Personal Data

Your personal data is processed by the Company in the presence of at least one of the personal data processing conditions specified in Article 5 of the Law. Explanations regarding these conditions are given below:

  • In cases where the explicit consent of the personal data owner does not exist in the absence of other data processing conditions, in accordance with the general principles under the heading 3.1., the personal data of the data owner can be processed by the Company with the free will of the data owner, having sufficient information about the personal data processing activity, in a manner that leaves no room for doubt and limited to that transaction.
  • Personal data may be processed by the Company without the explicit consent of the data subject if the personal data processing activity is explicitly stipulated in the laws. In this case, the Company will process personal data within the framework of the relevant legal regulation.
  • In the event that the explicit consent of the data subject cannot be obtained due to actual impossibility and personal data processing is mandatory, personal data belonging to the data subject who is unable to disclose his consent or whose consent cannot be validated by the Company will be processed in the event that personal data processing is mandatory to protect the life or physical integrity of the data subject or a third person.
  • If the personal data processing activity is directly related to the establishment or performance of a contract, personal data processing activity will be carried out if it is necessary to process personal data belonging to the parties of the contract established or already signed between the data subject and the Company.
  • In the event that it is mandatory to carry out personal data processing activities in order to fulfil the legal obligation of the data controller, the Company processes personal data in order to fulfil its legal obligations stipulated under the applicable legislation.
  • If the data owner has made his/her personal data public, personal data that have been disclosed to the public in any way by the data owner and made available to everyone as a result of publicisation may be processed by the Company limited to the purpose of publicisation, even without the explicit consent of the data owners.
  • In the event that personal data processing is mandatory for the establishment, exercise or protection of a right, the Company may process the personal data of the data subject without the explicit consent of the data subjects within the scope of the obligation.
  • Provided that it does not harm the fundamental rights and freedoms of the data subject, if data processing is mandatory for the legitimate interests of the data controller, personal data may be processed by the Company, provided that the balance of interests of the Company and the data subject is observed. In this context, in the processing of data based on legitimate interest, the Company first determines the legitimate interest to be obtained as a result of the processing. It evaluates the possible impact of the processing of personal data on the rights and freedoms of the data subject and carries out the processing activity if it is of the opinion that the balance is not disturbed.

Conditions Regarding the Processing of Special Categories of Personal Data 

In Article 6 of the Law, special categories of personal data are specified in a limited number. These are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

The Company may process special categories of personal data in the following cases by ensuring that additional measures determined by the Personal Data Protection Board are taken:

  • Sensitive personal data other than health and sexual life may be processed if the data subject gives explicit consent or if it is explicitly stipulated in the laws.
  • Personal data relating to health and sexual life may only be processed without the explicit consent of the data subject by persons under the obligation of confidentiality or by authorised institutions and organisations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

TRANSFER OF PERSONAL DATA

In accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the Company may transfer personal data domestically or abroad if the conditions for the transfer of personal data are met.

  • Your personal data may be transferred by the Company to third parties in the country, provided that at least one of the data processing conditions specified in Articles 5 and 6 of the Law exists and provided that the basic principles regarding the data processing conditions are complied with.
  • In cases where the transfer of personal data to third parties abroad does not have the explicit consent of the person, your personal data may be transferred abroad by the Company in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law and provided that the basic principles regarding the data processing conditions are complied with.

In the event that the country to which the transfer will be made is not one of the safe countries to be announced by the Personal Data Protection Board, personal data may be transferred to third parties abroad upon the Company and the data controller in the relevant country undertaking adequate protection in writing, in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law upon the Personal Data Board’s authorisation of this processing.

Within the general principles of the Law and the data processing conditions in Articles 8 and 9, the Company may transfer data to the parties categorised in the table below:

| SHARED PARTY CATEGORISATION | SCOPE |
|---|---|
| Authorised Public Institutions and Organisations | Public institutions and organisations legally authorised to receive information and documents from the Company |
| Natural Persons or Private Law Legal Entities | Natural persons or private law legal entities; Suppliers; Business Partners; Bank; Individuals and legal entities from whom services are received; Service providers located abroad |
| Open to All | Publicly available information; Content shared on social media channels |

DISCLOSURE OF DATA SUBJECTS AND RIGHTS OF DATA SUBJECTS 

According to Article 10 of the Law, data subjects must be informed about the processing of personal data before or at the latest at the time of processing personal data. Pursuant to the relevant article, the necessary internal structure has been established to ensure that data subjects are enlightened in all cases where personal data processing activities are carried out by the Company as the data controller. In this context;

We would like to state that as a data subject, you have the following rights pursuant to Article 11 of the Law:

  • To learn whether your personal data is being processed,
  • To request information if your personal data has been processed,
  • To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
  • To know the third parties to whom your personal data is transferred domestically or abroad,
  • To request correction of your personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
  • Although it has been processed in accordance with the Law and other relevant provisions of the law, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
  • To object if a result arises to your detriment by analysing the processed data exclusively through automated systems,
  • To request compensation for damages in case you suffer damage due to unlawful processing of your personal data.

You can send your applications regarding your rights to kvkk@detrox.com.tr. Depending on the nature of your request, your applications will be finalised free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board.

ANNEX-1: DEFINITIONS 

| TERM | DESCRIPTION |
|---|---|
| Personal Data | Any information belonging to an identified or identifiable natural person. |
| Sensitive Personal Data | Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures and biometric data. |
| Data Subject / Relevant Person | Natural person whose personal data is processed |
| Processing of Personal Data | It is any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
| Open Consent | Consent on a specific subject, based on information and expressed with free will |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
| Data Processor | Natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller |
| Personal Data Processing Inventory | Inventory in which data controllers detail the Company’s personal data processing activities carried out depending on their business processes by associating them with the purposes of processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum time required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and measures taken regarding data security |
| Personal Health Data | Any health information relating to an identified or identifiable natural person. |
| KVK Law | Law on the Protection of Personal Data dated 24 March 2016 and numbered 6698 |
| Constitution | Constitution of the Republic of Turkey No. 2709 |
| KVK Board | Personal Data Protection Board |
| KVK Agency | Personal Data Protection Authority |
| Policy | Detro Healthcare Kimya Sanayi Personal Data Processing and Protection Policy |
| Company / Data Controller | Detro Healthcare Kimya Sanayi A.S. |

DATA SUBJECT APPLICATION FORM

Pursuant to Article 11 of the Law No. 6698 on the Protection of Personal Data (“KVK Law”), you have the right to make various requests regarding the processing of personal data. In this context, applications that you submit in writing to Detro Healthcare Kimya Sanayi A.Ş. (“Company”), as the data controller, through the following channels will be concluded free of charge within 30 days at the latest from the date your request is received by our Company, in accordance with Article 13 of the KVK Law. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.


DETRO HEALTHCARE CHEMICALS INDUSTRY PERSONAL DATA STORAGE AND DESTRUCTION POLICY 

Contents

  1. INTRODUCTION
    • Purpose
    • Scope
  2. DEFINITIONS AND ABBREVIATIONS
  3. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
  4. RECORDING MEDIA
  5. EXPLANATIONS ON STORAGE AND DISPOSAL
    • Explanations on Safekeeping
    • Legal Grounds Requiring Retention
    • Processing Purposes Requiring Retention
    • Reasons Requiring Destruction
  6. TECHNICAL AND ADMINISTRATIVE MEASURES
    • Technical Measures
    • Administrative Measures
  7. PERSONAL DATA DESTRUCTION TECHNIQUES
    • Methods of Deletion of Personal Data
    • Methods of Destruction of Personal Data
    • Methods of Anonymisation of Personal Data
  8. STORAGE AND DESTRUCTION PERIODS
  9. PERIODIC DESTRUCTION PERIODS
  10. PUBLICATION OF THE POLICY
  11. storage and disposal periods

PERSONAL DATA STORAGE AND DESTRUCTION POLICY 

  1. INTRODUCTION

1.1. Purpose

This Detro Healthcare Kimya Sanayi Personal Data Storage and Destruction Policy (“Policy”), established in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”), covers the procedures and principles determined by our Company within the scope of ensuring compliance with the Law.

The works and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction.

1.2. Scope 

Personal data belonging to Company employees, employee candidates and other third parties are within the scope of this Policy and this Policy is applied in all recording media and activities for personal data processing where personal data owned or managed by the Company are processed.

In addition, unless otherwise stated in this Policy, the documents referred to by the Policy include both hard and electronic copies.

2.    DEFINITIONS AND ABBREVIATIONS 

 

| TERM | DEFINITION |
|---|---|
| Open Consent | Consent on a specific subject, based on information and expressed with free will, |
| Buyer Group | The category of natural or legal person to whom personal data is transferred by the data controller |
| Constitution | Constitution of the Republic of Turkey, |
| Anonymisation | Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
| Electronic Media | Environments where personal data can be created, read, changed and written with electronic devices. |
| Non-Electronic Media | All written, printed, visual, etc. other media other than electronic media |
| Service Provider | A natural or legal person who provides services under a specific contract with the Company |
| Relevant Person / Personal Data Owner | The natural person whose personal data is processed. |
| Related User | Persons who process personal data within the organisation of the data controller or in accordance with the authority and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data, |
| Destruction | Deletion, destruction or anonymisation of personal data, |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Recording Media | All kinds of media containing personal data that are fully or partially automated or processed by non-automated means, provided that they are part of any data recording system, |
| Personal Data | Any information relating to an identified or identifiable natural person (e.g. name-surname, Turkish ID number, e-mail, address, date of birth, credit card number, bank account number – Therefore, the processing of information on legal persons is not covered by the Law), |
| Personal Data Processing Inventory | Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, the data category, the group of recipients transferred and the group of data subjects, and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security. |
| Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system, |
| Board | Personal Data Protection Board, |
| Sensitive Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data, |
| Periodic Disposal | In the event that all of the conditions for processing personal data specified in the Law disappear, the deletion, destruction or anonymisation process to be carried out ex officio at recurring intervals specified in this Policy, |
| Policy | Personal Data Storage and Destruction Policy |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller. |
| Data Recording System | Recording system in which personal data are structured and processed according to certain criteria. |
| Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system), |
| VERBIS | Data Controllers Registry, |
| Regulation | Regulation on Deletion, Destruction or Anonymisation of Personal Data published in the Official Gazette dated 28 October 2017, |

 
3. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All units and employees of the Company actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law, by duly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, training and raising awareness of the unit employees, monitoring and continuous supervision. The titles, units and job descriptions of those involved in the storage and destruction processes of personal data are as follows:

| TITLE | TASK |
|---|---|
| IT | Responsible for providing the technical solutions needed for the implementation of the Policy. |
| Other Committee Members | It is responsible for the preparation, development, execution, publication and updating of the Policy in relevant environments and for the employees to act in accordance with the Policy. |

 

4.    RECORDING MEDIA 

Electronic Media

  • Software (office software, portal)
  • Cloud systems
  • Emails
  • Firewall, intrusion detection and blocking, antivirus, etc.
  • Personal computers (Desktop, laptop)
  • Mobile devices (phone, tablet, etc.)
  • Optical discs (CD, DVD etc.)
  • Removable memories (USB, Memory Card, etc.)
  • Printer, scanner, photocopier

Physical Environments

  • Paper
  • Manual data recording systems
  • Written, printed, visual media

 

 

5. EXPLANATIONS ON STORAGE AND DISPOSAL

 

All personal data obtained by the Company are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and destruction are given below respectively.

5.1. Explanations on Safekeeping 

Article 3 of the Law defines the concept of processing personal data, Article 4 states that the personal data processed must be related, limited and proportionate to the purpose for which they are processed and must be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data.

Accordingly, within the framework of our Company’s activities, personal data are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

5.2. Legal Grounds Requiring Retention 

In our company, personal data processed within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data are processed within the scope of the relevant legislation, including but not limited to those listed below.

  • Law 6698 on the Protection of Personal Data,
  • Turkish Code of Obligations 6098,
  • Law 5510 on Social Security and General Health Insurance,
  • Law 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications,
  • Law 6331 on Occupational Health and Safety,
  • Law 4982 on Access to Information,
  • Labour Law 4857,
  • Tax Procedure Law 213
  • Turkish Commercial Code 6102

5.3. Processing Purposes Requiring Retention 

The Company stores and uses personal data for the purposes of personal data processing specified in the relevant articles of the Personal Data Protection and Processing Policy and in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the Law, and destroys personal data ex officio or upon the request of the personal data owner in the event that all of these conditions disappear.

5.4. Reasons Requiring Destruction 

Personal data;

  • Amendment or abolition of the relevant legislation provisions that constitute the basis for processing,
  • Disappearance of the purpose requiring processing or storage,
  • In cases where the processing of personal data is carried out only on the basis of explicit consent, withdrawal of explicit consent by the person concerned,
  • Pursuant to Article 11 of the Law, the application made by the data subject regarding the deletion and destruction of his/her personal data within the framework of his/her rights is accepted by the Authority,
  • In cases where the Company rejects the application made by the data subject requesting the deletion, destruction or anonymisation of his/her personal data, gives an answer the data subject finds insufficient, or does not respond within the period stipulated in the Law, a complaint is filed with the Board and this request is approved by the Board,
  • The maximum period of time required for the retention of personal data has expired and there are no circumstances that justify the retention of personal data for a longer period of time,

In such cases, personal data shall be deleted, destroyed or anonymised by the Company ex officio or upon the request of the relevant person.

6.    TECHNICAL AND ADMINISTRATIVE MEASURES 

The Company takes technical and administrative measures for the safe storage of personal data, the prevention of unlawful processing and access, and the destruction of personal data in accordance with the law. These measures are taken in accordance with Article 12 of the Law and, for special categories of personal data, within the framework of the adequate measures determined and announced by the Board under the fourth paragraph of Article 6 of the Law. You can find detailed information in our “Policy on Processing and Protection of Special Categories of Personal Data”.

6.1. Technical Measures 

  • Network security and application security are
  • “Closed system network” is used for personal data transfers through the
  • Key management is
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • The security of personal data stored in the cloud is
  • An authorisation matrix has been created for
  • Access logs are kept
  • Access, information security and utilisation policies have been
  • Data masking measures are applied when
  • The authorisation of employees who change their duties or leave their jobs in this area is
  • Up-to-date anti-virus systems are
  • Firewalls are
  • Personal data security issues are reported
  • Personal data security is
  • Personal data is backed up and the security of backed up personal data is also
  • User account management and authorisation control system are implemented and these are also
  • In-house periodic and/or random audits are conducted and
  • Log records are kept without user
  • Existing risks and threats have been
  • If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using KEP or corporate mail account.
  • Intrusion detection and prevention systems are
  • Penetration test is
  • Cyber security measures have been taken and their implementation is constantly
  • Encryption is
  • Sensitive personal data transferred in portable memory, CD, DVD media are transferred by encrypting the data.
  • Data loss prevention software is

6.2. Administrative Measures 

  • Disciplinary regulations with data security provisions for employees are in
  • Training and awareness raising activities on data security are carried out at regular intervals for
  • Institutional policies on retention and destruction have been prepared and started to be
  • Confidentiality commitments are
  • The signed contracts contain data security
  • Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
  • Personal data security policies and procedures have been
  • Necessary security measures for entering and exiting physical environments containing personal data
  • The security of environments containing personal data is
  • Personal data is minimised as far as
  • Protocols and procedures for the security of special categories of personal data have been determined and implemented.
  • Data processing service providers are periodically audited on data
  • Awareness of data processing service providers on data security is

7.    PERSONAL DATA DESTRUCTION TECHNIQUES

All transactions carried out within the scope of destruction are recorded and stored by our Company. Unless otherwise decided by the Board, our Company chooses the appropriate method of ex officio deletion, destruction or anonymisation of personal data according to technological possibilities and implementation cost, and explains the reason for the appropriate method upon request of the personal data owner.

7.1. Methods of Deletion of Personal Data 

Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users. Our Company takes all necessary technical and administrative measures according to the technological possibilities and the cost of implementation in order to make the deleted personal data inaccessible and non-reusable for the relevant users.

In this context, our Company applies the following methods for the deletion of personal data:

| Data Recording Environment | Description |
|---|---|
| Personal Data on Servers | For personal data on the servers whose retention period has expired, deletion is carried out by the system administrator by removing the access authorisation of the relevant users. |
| Personal Data in Electronic Media | Personal data stored in electronic media whose retention period has expired are rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator. |
| Personal Data in Physical Environment | Personal data kept in physical environment whose retention period has expired are rendered inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, the blackout process is also applied by scratching / painting / erasing in a way that cannot be read. |
| Personal Data on Portable Media | Personal data kept in flash-based storage media whose retention period has expired are encrypted by the system administrator, access authorisation is given only to the system administrator, and the data are stored in secure environments with encryption keys. |

 

7.2. Methods of Destruction of Personal Data 

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and non-reusable by anyone in any way. Our Company takes all necessary technical and administrative measures regarding the destruction of personal data according to technological possibilities and the cost of implementation.

In this context, our Company applies the following methods for the destruction of personal data:

| Data Recording Environment | Description |
|---|---|
| Personal Data in Physical Environment | Those of the personal data in paper media whose retention period has expired are irreversibly destroyed in paper shredding machines. |
| Personal Data in Optical / Magnetic Media | The personal data contained in optical media and magnetic media are physically destroyed, such as melting, incineration or pulverisation, when the period of time required to be retained has expired. In addition, the magnetic media is passed through a special device and the data on it is rendered unreadable by exposing it to a high magnetic field. |

 

7.3. Methods of Anonymisation of Personal Data

Anonymisation of personal data is to render personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. In order for personal data to be anonymised; personal data must be rendered unassociable with an identified or identifiable natural person, even by using appropriate techniques in terms of the recording medium and the relevant field of activity, such as reversal and matching of data with other data by our Company, recipients or recipient groups. Our Company takes all necessary technical and administrative measures regarding the anonymisation of personal data according to technological possibilities and implementation cost.

In this context, our Company applies the following methods for anonymising personal data:

| Anonymisation Methods | Description |
|---|---|
| Personal Data in Physical Environment | The data that will reveal the identity of the personal data in the paper environment are anonymised by deletion and blackout method. |
| Audio and Video Recordings / Videos Used in Trainings | Anonymisation of the identities of the persons in audio and video recordings/videos by using technology in such a way that they become unrecognisable. |

 

8.    STORAGE AND DESTRUCTION PERIODS 

Our Company stores and destroys personal data only for the period specified in the relevant legislation that it is obliged to comply with or for the period required for the purpose for which they are processed. In this context, our Company stores and destroys personal data for the maximum periods specified in the Storage and Destruction Periods table in Section 11 below:

  • In the event that the personal data owner requests the destruction of his/her personal data by applying to our Company, our Company:
    • If all the conditions for processing personal data have disappeared:
      • finalises the request of the personal data subject within thirty days at the latest and informs the personal data subject, and
      • If the personal data subject to the request has been transferred to third parties, it notifies this situation to the third party; ensures that the necessary actions are taken before the third
    • If all of the conditions for processing personal data have not disappeared, may reject the request of the personal data owner by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and notifies the personal data owner in writing or electronically within thirty days at the latest.

9.    PERIODIC DESTRUCTION PERIODS 

Pursuant to Article 11 of the Regulation, the Company has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out in May and June every year in our Company.

10.  PUBLICATION OF THE POLICY 

This Policy has entered into force on the date of its publication.

11.  STORAGE AND DISPOSAL PERIODS

 

| Process Based Data Group | Storage Period | Destruction Period |
|---|---|---|
| User Files and Personal Data (Physical media) | 10 years after the end of the labour relationship | At the first periodic destruction period following the end of the storage period |
| User File and Personal Data (Electronic Environment) | 10 years after the end of the labour relationship | At the first periodic destruction period following the end of the storage period |
| Research Input Data | 10 Years | At the first periodic destruction period following the end of the storage period |
| Video Recordings Obtained with Client’s Permission | During consent | At the first periodic destruction period following the end of the storage period |
| Proposals Submitted to Companies in Physical Environment | 2 Years | At the first periodic destruction period following the end of the storage period |
| Bids Submitted to Companies in Electronic Environment | 10 Years | At the first periodic destruction period following the end of the storage period |
| Training Audio Recordings and Videos | During consent | At the first periodic destruction period following the end of the storage period |
| Documents Used in Education | 10 Years | Immediately at the end of the deadline |
| Training Evaluation Forms | 1 year (physical) – 10 years (electronic) | At the first periodic destruction period following the end of the storage period |
| Contracts with Companies | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
| Personnel Files | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
| Occupational Health and Safety Records | Legal Relationship + 15 Years | At the first periodic destruction period following the end of the storage period |
| Accounting and Finance Processes | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
| E-mail contents working within the scope of information processing activities | 5 years | At the first periodic destruction period following the end of the storage period |
| Employee e-mails within the scope of IT activities | Legal Relationship + 1 Year | At the first periodic destruction period following the end of the storage period |
| Camera recordings | 6 months | At the first periodic destruction period following the end of the storage period |
| Legal Affairs | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
| Publicity unit activities | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |

 
 
 

Date:

Signature:

DETRO HEALTHCARE CHEMICALS INDUSTRY POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA OF SPECIAL NATURE

TABLE OF CONTENTS

  1. INTRODUCTION
    • PURPOSE AND SCOPE OF THE POLICY
    • ENFORCEMENT AND AMENDMENT
  2. PERSONAL DATA OF SPECIAL NATURE
    • PROCESSING AND TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA
    • TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA ABROAD
    • PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA
      • MEASURES FOR EMPLOYEES INVOLVED IN THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
      • FOR ELECTRONIC MEDIA WHERE SPECIAL CATEGORIES OF PERSONAL DATA ARE PROCESSED AND STORED
      • FOR PHYSICAL ENVIRONMENTS WHERE PERSONAL DATA OF SPECIAL NATURE ARE PROCESSED AND STORED
      • MEASURES REGARDING THE TRANSFER OF PERSONAL DATA OF SPECIAL NATURE

1.    INTRODUCTION

1.1. PURPOSE AND SCOPE OF THE POLICY

This Policy on the Protection of Special Categories of Personal Data (“Policy”), which is established within the scope of the Law No. 6698 on the Protection of Personal Data (“Law”), aims to ensure compliance with the Law and to determine the rules regarding the protection and processing of special categories of personal data by our Company.

1.2. ENFORCEMENT AND AMENDMENT

This Policy has entered into force within the scope of the Personal Data Protection Compliance Project carried out by the Company. The Company reserves the right to make changes in the Policy in parallel with legal regulations.

2.    SPECIAL CATEGORIES OF PERSONAL DATA 

Special categories of personal data are data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures and biometric data.

2.1. PROCESSING AND TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA 

Our Company carefully complies with the regulations stipulated in the Law in the processing of personal data determined as “special categories” by the Law. In Article 6 of the Law, a number of personal data that carry the risk of causing victimisation or discrimination when processed unlawfully are determined as “special categories”. These data are: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

In accordance with the law, special categories of personal data may be processed and transferred by our Company with the explicit consent of the data subject, provided that adequate measures to be determined by the PDP Board are taken. Sensitive personal data other than data relating to the health and sexual life of the data subject are processed in cases stipulated by law, and sensitive personal data relating to the health and sexual life of the personal data subject are processed only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorised institutions and organisations under the obligation of confidentiality.

2.2. TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA ABROAD

Our Company may transfer the special categories of personal data of the personal data owner, in line with legitimate and lawful personal data processing purposes, by taking the necessary care, the necessary security measures and the adequate measures stipulated by the PDP Board, and upon the explicit consent of the data owner, to foreign countries where the data controller has adequate protection or has committed to adequate protection. In cases where there is no adequate protection, the undertaking regarding the transfer of data abroad published by the Authority will be signed by the relevant parties and submitted to the Board for approval.

2.3. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA 

Our Company acts with care in the protection of personal data that are determined as “special categories” by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special categories of personal data and the necessary audits are carried out within our Company.

In addition, technical and administrative measures are also taken to ensure the appropriate level of security with the measures determined by the Personal Data Protection Board in terms of special categories of personal data.

As a general principle, our Company does not process special categories of personal data unless there are reasons arising from the law. Unnecessary special categories of personal data are deleted or obscured.

Accordingly, the rules for the security of special categories of personal data are set out in this policy:

2.3.1. MEASURES FOR EMPLOYEES INVOLVED IN THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

  • Regular trainings are provided on the Law and related regulations and special categories of personal data security.
  • Confidentiality agreements are
  • The authorisation scopes and authorisation processes of users who are authorised to access data are defined by the AUTHORITY MATRIX.
  • Periodic authorisation checks are carried
  • Employees who are reassigned or leave their jobs are immediately de-authorised in these
  • If inventory is allocated to the employee, it is taken back

2.3.2. FOR ELECTRONIC MEDIA WHERE SPECIAL CATEGORIES OF PERSONAL DATA ARE PROCESSED AND STORED

  • As a rule, special categories of data are not kept
  • In mandatory cases, if personal data of special nature are transferred to electronic media, the data are destroyed, and if it is desired to continue to be stored, they are stored using cryptographic
  • Security updates of the environments where the data are located are constantly
  • If the data is accessed through software, user authorisation of this software is

2.3.3. FOR PHYSICAL ENVIRONMENTS WHERE PERSONAL DATA OF SPECIAL NATURE ARE PROCESSED AND STORED

  • Necessary security measures are taken for entry and exit to and from physical environments containing special categories of personal data.
  • Data is kept in locked cabinets and/or locked

2.3.4. MEASURES REGARDING THE TRANSFER OF PERSONAL DATA OF SPECIAL NATURE 

  • In case of transfer via e-mail, the corporate e-mail address or Registered Electronic Mail (KEP) account is used.
  • If transferred via media such as portable memory, CDs or DVDs, they are encrypted with cryptographic methods and the cryptographic key is kept in different media.
  • Necessary precautions are taken against risks such as theft, loss or unauthorised access to the documents and the documents are sent in a sealed envelope in the format of “confidential documents”.