DETRO HEALTHCARE KİMYA SANAYİ A.Ş. PERSONAL DATA PROTECTION AND PROCESSING POLICY
CONTENTS
INTRODUCTION
DATA SUBJECTS, DATA PROCESSING PURPOSES AND DATA CATEGORIES FOR THE PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY
PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA
DISCLOSURE OF DATA SUBJECTS AND RIGHTS OF DATA SUBJECTS
DELETION, DESTRUCTION OR ANONYMISATION OF PERSONAL DATA
SCOPE OF THE LAW AND LIMITATIONS ON ITS APPLICATION
INTRODUCTION
Purpose and Scope of the Policy
This Detro Healthcare Kimya Sanayi A.Ş. (“DETROX”) Policy on the Protection and Processing of Personal Data (“Policy”), established in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”), covers the procedures and principles determined by our Company within the scope of ensuring compliance with the Law.
Our Company has adopted the principles determined within the scope of the Law in the protection and processing of personal data. This Policy regulates the issues regarding the processing of data of employee candidates, business partners, suppliers and third parties whose data are processed by our Company.
Definitions of terms used in the policy are given in Annex-1.
The Policy has entered into force within the scope of the Personal Data Protection Compliance Project carried out by the Company. The Company reserves the right to make changes to the Policy in parallel with legal regulations.
Data Subjects
Data subjects within the scope of the Policy are all natural persons other than Company employees whose personal data are processed by the Company. In this context, the categories of data subjects are as follows:
NO | DATA SUBJECT CATEGORY | EXPLANATION |
1 | Person Receiving Service | Corporate companies benefiting from the services provided by our company, professionals participating in our trainings |
2 | Employee Candidate | Natural persons who apply for a job by sending a CV to the Company or by other methods |
3 | Working Family | Family members of employees working in the company |
4 | Business Partner | Our business partners who benefit from our services |
5 | Potential Service Recipient | Candidates who wish to benefit from the services offered by our company |
6 | Supplier Employee – Authorised | Employees and officials of the companies from which the company receives products or services |
7 | Third Person | OHS Expert, Auditor, Consultant |
Your personal data and sensitive personal data may be processed by the Company for the following purposes in accordance with the personal data processing conditions in the Law and the relevant legislation:
Personal Data Categories
Your personal data categorised below are processed by the Company in accordance with the personal data processing conditions set out in the Law and the relevant legislation:
PERSONAL DATA CATEGORISATION | EXPLANATION |
Credentials | Name, surname, mother’s and father’s name, mother’s maiden name, date of birth, place of birth, marital status, birth certificate serial number, Turkish ID number, number plate |
Contact Details | Information for contacting the data subject such as telephone number, address, e-mail |
Location Information | Location information of the current location |
Personal Information | Payroll information, Disciplinary investigation, Employment document records, Property declaration information, CV information, Performance evaluation reports, Insurance information, Employment-exit control information, Body measurements |
Legal Process Knowledge | Information in correspondence with judicial authorities, Information in the case file, Employee salary garnishment information |
Customer Transaction Information | Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework |
Physical Space Security | Camera recordings taken at the entrance to the physical space and during the stay in the physical space |
Process Security Information | Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities |
Financial Information | Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our company with the personal data owner, bank account information |
Professional Experience Information | Data on past professional experience |
Marketing Information | Shopping history information, Survey, Cookie records, Information obtained through campaigns |
Audio and Visual Recordings | All kinds of visual and audio records of our employees associated with the personal data owner (For example: photographs, camera recordings, voice recordings, etc.) |
Family Members and Relatives | Personal information about the families of our clients (For example: name, surname, telephone, etc.) |
Special Categories of Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data. |
Principles Regarding the Processing of Personal Data
Your personal data is processed by the Company in accordance with the personal data processing principles set out in Article 4 of the Law. These principles must be complied with for each personal data processing activity:
Your personal data is processed by the Company in the presence of at least one of the personal data processing conditions specified in Article 5 of the Law. Explanations regarding these conditions are given below:
In Article 6 of the Law, special categories of personal data are specified in a limited number. These are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
The Company may process special categories of personal data in the following cases by ensuring that additional measures determined by the Personal Data Protection Board are taken:
In accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the Company may transfer personal data domestically or abroad if the conditions for the transfer of personal data are met.
In the event that the country to which the transfer will be made is not one of the safe countries to be announced by the Personal Data Protection Board, personal data may be transferred to third parties abroad upon the Company and the data controller in the relevant country undertaking adequate protection in writing, in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law upon the Personal Data Board’s authorisation of this processing.
Within the general principles of the Law and the data processing conditions in Articles 8 and 9, the Company may transfer data to the parties categorised in the table below:
SHARED PARTY CATEGORISATION | SCOPE |
Authorised Public Institutions and Organisations | Public institutions and organisations legally authorised to receive information and documents from the Company |
Natural Persons or Private Law Legal Entities | Natural persons or private law legal entities; Suppliers; Business Partners; Bank; Individuals and legal entities from whom services are received; Service providers located abroad |
Open to All | Publicly available information; Content shared on social media channels |
According to Article 10 of the Law, data subjects must be informed about the processing of personal data before or at the latest at the time of processing personal data. Pursuant to the relevant article, the necessary internal structure has been established to ensure that data subjects are informed in all cases where personal data processing activities are carried out by the Company as the data controller. In this context;
We would like to state that as a data subject, you have the following rights pursuant to Article 11 of the Law:
You can send your applications regarding your rights to kvkk@detrox.com.tr. Depending on the nature of your request, your applications will be finalised free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board.
TERM | DESCRIPTION |
Personal Data | Any information belonging to an identified or identifiable natural person. |
Sensitive Personal Data | Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures and biometric data. |
Data Subject / Relevant Person | Natural person whose personal data is processed |
Processing of Personal Data | It is any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
Open Consent | Consent on a specific subject, based on information and expressed with free will |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
Data Processor | Natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller |
Personal Data Processing Inventory | Inventory in which data controllers detail the Company’s personal data processing activities carried out depending on their business processes by associating them with the purposes of processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum time required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and measures taken regarding data security |
Personal Health Data | Any health information relating to an identified or identifiable natural person. |
KVK Law | Law on the Protection of Personal Data dated 24 March 2016 and numbered 6698 |
Constitution | Constitution of the Republic of Turkey No. 2709 |
KVK Board | Personal Data Protection Board |
KVK Agency | Personal Data Protection Authority |
Policy | Detro Healthcare Kimya Sanayi Personal Data Processing and Protection Policy |
Company / Data Controller | Detro Healthcare Kimya Sanayi A.Ş. |
DATA SUBJECT APPLICATION FORM
Pursuant to Article 11 of the Law No. 6698 on the Protection of Personal Data (“KVK Law”), you have the right to make various requests regarding the processing of personal data. In this context, applications that you submit in writing through the following channels to Detro Healthcare Kimya Sanayi A.Ş. (“Company”), as the data controller, will be concluded free of charge within 30 days at the latest from the date your request is received by our Company, in accordance with Article 13 of the KVK Law. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.
Contents
1.1. Purpose
This Detro Healthcare Kimya Sanayi Personal Data Storage and Destruction Policy (“Policy”), established in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”), covers the procedures and principles determined by our Company within the scope of ensuring compliance with the Law.
The works and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction.
1.2. Scope
Personal data belonging to Company employees, employee candidates and other third parties are within the scope of this Policy and this Policy is applied in all recording media and activities for personal data processing where personal data owned or managed by the Company are processed.
In addition, unless otherwise stated in this Policy, the documents referred to by the Policy include both hard and electronic copies.
2. DEFINITIONS AND ABBREVIATIONS
Open Consent | Consent on a specific subject, based on information and expressed with free will, | |
Recipient Group | The category of natural or legal person to whom personal data is transferred by the data controller | |
Constitution | Constitution of the Republic of Turkey, | |
Anonymisation | Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. | |
Electronic Media | Environments where personal data can be created, read, changed and written with electronic devices. | |
Non-Electronic Media | All written, printed, visual, etc. other media other than electronic media |
Service Provider | A natural or legal person who provides services under a specific contract with the Company | |
Relevant Person / Personal Data Owner | The natural person whose personal data is processed. | |
Related User | Persons who process personal data within the organisation of the data controller or in accordance with the authority and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data, | |
Destruction | Deletion, destruction or anonymisation of personal data, | |
Law | Law No. 6698 on the Protection of Personal Data. | |
Recording Media | All kinds of media containing personal data that are fully or partially automated or processed by non-automated means, provided that they are part of any data recording system, | |
Personal Data | Any information relating to an identified or identifiable natural person (e.g. name-surname, Turkish ID number, e-mail, address, date of birth, credit card number, bank account number – Therefore, the processing of information on legal persons is not covered by the Law), | |
Personal Data Processing Inventory | Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, the data category, the group of recipients transferred and the group of data subjects, and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security. |
Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system, | |
Board | Personal Data Protection Board, | |
Sensitive Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data, | |
Periodic Disposal | In the event that all of the conditions for processing personal data specified in the Law disappear, the deletion, destruction or anonymisation process to be carried out ex officio at recurring intervals specified in this Policy, | |
Policy | Personal Data Storage and Destruction Policy | |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller. | |
Data Recording System | Recording system in which personal data are structured and processed according to certain criteria. | |
Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system), | |
VERBIS | Data Controllers Registry, | |
Regulation | Regulation on Deletion, Destruction or Anonymisation of Personal Data published in the Official Gazette dated 28 October 2017, |
All units and employees of the Company actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law, by duly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, training and raising awareness of the unit employees, monitoring and continuous supervision. The titles, units and job descriptions of those involved in the storage and destruction processes of personal data are as follows:
TITLE | TASK | |
IT | Responsible for providing the technical solutions needed for the implementation of the Policy. | |
Other Committee Members | It is responsible for the preparation, development, execution, publication and updating of the Policy in relevant environments and for the employees to act in accordance with the Policy. |
4. RECORDING MEDIA
Electronic Media | Physical Environments |
Software (office software, portal) | Paper |
Cloud systems | Manual data recording systems |
Emails | Written, printed, visual media |
Firewall, intrusion detection and blocking, antivirus, etc. | |
Personal computers (Desktop, laptop) | |
Mobile devices (phone, tablet, etc.) | |
Optical discs (CD, DVD etc.) | |
Removable memories (USB, Memory Card, etc.) | |
Printer, scanner, photocopier | |
All personal data obtained by the Company are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and destruction are given below respectively.
5.1. Explanations on Safekeeping
Article 3 of the Law defines the concept of processing personal data, Article 4 states that the personal data processed must be related, limited and proportionate to the purpose for which they are processed and must be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data.
Accordingly, within the framework of our Company’s activities, personal data are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.
5.2. Legal Grounds Requiring Retention
In our company, personal data processed within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data are processed within the scope of the relevant legislation, including but not limited to those listed below.
5.3. Processing Purposes Requiring Retention
The Company stores and uses personal data for the purposes of personal data processing specified in the relevant articles of the Personal Data Protection and Processing Policy and in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the Law, and destroys personal data ex officio or upon the request of the personal data owner in the event that all of these conditions disappear.
5.4. Reasons Requiring Destruction
Personal data;
In such cases, personal data shall be deleted, destroyed or anonymised by the Company, either upon the request of the relevant person or ex officio.
6. TECHNICAL AND ADMINISTRATIVE MEASURES
Technical and administrative measures are taken by the Company within the framework of adequate measures determined and announced by the Board for special categories of personal data in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law for the safe storage of personal data, prevention of unlawful processing and access and destruction of personal data in accordance with the law. You can find detailed information in our “Policy on Processing and Protection of Special Categories of Personal Data”.
6.1. Technical Measures
6.2. Administrative Measures
7. PERSONAL DATA DESTRUCTION TECHNIQUES
All transactions carried out within the scope of destruction are recorded and stored by our Company. Unless otherwise decided by the Board, our Company chooses the appropriate method of ex officio deletion, destruction or anonymisation of personal data according to technological possibilities and implementation cost, and explains the reason for the appropriate method upon request of the personal data owner.
7.1. Methods of Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users. Our Company takes all necessary technical and administrative measures according to the technological possibilities and the cost of implementation in order to make the deleted personal data inaccessible and non-reusable for the relevant users.
In this context, our Company applies the following methods for the deletion of personal data:
Data Recording Environment | Description | |
Personal Data on Servers | For the personal data on the servers, deletion is made by the system administrator by removing the access authorisation of the relevant users for those whose retention period has expired. | |
Personal Data in Electronic Media | The personal data stored in electronic media that expire after the period of time required for their retention shall be rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator. | |
Personal Data in Physical Environment | For the personal data kept in physical environment, those whose period of retention has expired are rendered inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, the blackout process is also applied by scratching / painting / erasing in a way that cannot be read. | |
Personal Data on Portable Media | Personal data kept in flash-based storage media whose retention period has expired are encrypted by the system administrator; access authorisation is given only to the system administrator, and the data are stored in secure environments together with their encryption keys. |
7.2. Methods of Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and non-reusable by anyone in any way. Our Company takes all necessary technical and administrative measures regarding the destruction of personal data according to technological possibilities and the cost of implementation.
In this context, our Company applies the following methods for the destruction of personal data:
Data Recording Environment | Description | |
Personal Data in Physical Environment | Those of the personal data in paper media whose retention period has expired are irreversibly destroyed in paper shredding machines | |
Personal Data in Optical / Magnetic Media | The personal data contained in optical media and magnetic media are physically destroyed, such as melting, incineration or pulverisation, when the period of time required to be retained has expired. In addition, the magnetic media is passed through a special device and the data on it is rendered unreadable by exposing it to a high magnetic field. |
7.3. Methods of Anonymisation of Personal Data
Anonymisation of personal data is to render personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. For personal data to be considered anonymised, it must be impossible to associate them with an identified or identifiable natural person even when our Company, recipients or recipient groups use techniques appropriate to the recording medium and the relevant field of activity, such as reversing the process or matching the data with other data. Our Company takes all necessary technical and administrative measures regarding the anonymisation of personal data according to technological possibilities and implementation cost.
In this context, our Company applies the following methods for anonymising personal data:
Anonymisation Methods | Description | |
Personal Data in Physical Environment | The data that will reveal the identity of the personal data in the paper environment are anonymised by deletion and blackout method. | |
Audio and Video Recordings / Videos Used in Trainings | Anonymisation of the identities of the persons in audio and video recordings/videos by using technology in such a way that they become unrecognisable. |
8. STORAGE AND DESTRUCTION PERIODS
Our Company stores personal data only for the period specified in the relevant legislation that it is obliged to comply with or for the period required for the purpose for which they are processed, and destroys them afterwards. In this context, our Company stores and destroys personal data in accordance with the maximum periods specified in the Storage and Destruction Periods table in Section 11 below:
9. PERIODIC DESTRUCTION PERIODS
Pursuant to Article 11 of the Regulation, the Company has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out in May and June every year in our Company.
10. PUBLICATION OF THE POLICY
This Policy has entered into force on the date of its publication.
11. STORAGE AND DISPOSAL PERIODS
Process Based Data Group | Storage Period | Destruction Period |
User Files and Personal Data (Physical media) | 10 years after the end of the labour relationship | At the first periodic destruction period following the end of the storage period |
User File and Personal Data (Electronic Environment) | 10 years after the end of the labour relationship | At the first periodic destruction period following the end of the storage period |
Research Input Data | 10 Years | At the first periodic destruction period following the end of the storage period |
Video Recordings Obtained with Client’s Permission | During consent | At the first periodic destruction period following the end of the storage period |
Proposals Submitted to Companies in Physical Environment | 2 Years | At the first periodic destruction period following the end of the storage period |
Bids Submitted to Companies in Electronic Environment | 10 Years | At the first periodic destruction period following the end of the storage period |
Training Audio Recordings and Videos | During consent | At the first periodic destruction period following the end of the storage period |
Documents Used in Education | 10 Years | Immediately at the end of the deadline |
Training Evaluation Forms | 1 year (physical) – 10 years (electronic) | At the first periodic destruction period following the end of the storage period |
Contracts with Companies | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
Personnel Files | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
Occupational Health and Safety Records | Legal Relationship + 15 Years | At the first periodic destruction period following the end of the storage period |
Accounting and Finance Processes | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
E-mail contents working within the scope of information processing activities | 5 years | At the first periodic destruction period following the end of the storage period |
Employee e-mails within the scope of IT activities | Legal Relationship + 1 Year | At the first periodic destruction period following the end of the storage period |
Camera recordings | 6 months | At the first periodic destruction period following the end of the storage period |
Legal Affairs | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
Publicity unit activities | Legal Relationship + 10 Years | At the first periodic destruction period following the end of the storage period |
TABLE OF CONTENTS
This Policy on the Protection of Special Categories of Personal Data (“Policy”), which is established within the scope of the Law No. 6698 on the Protection of Personal Data (“Law”), aims to ensure compliance with the Law and to determine the rules regarding the protection and processing of special categories of personal data by our Company.
This Policy has entered into force within the scope of the Personal Data Protection Compliance Project carried out by the Company. The Company reserves the right to make changes in the Policy in parallel with legal regulations.
Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures and biometric data.
Our Company sensitively complies with the regulations stipulated in the Law in the processing of personal data determined as “special categories” by the Law. In Article 6 of the Law, a number of personal data that have the risk of causing victimisation or discrimination when processed unlawfully are determined as “special categories”. These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
In accordance with the law, special categories of personal data may be processed and transferred by our Company with the explicit consent of the data subject, provided that adequate measures to be determined by the PDP Board are taken. Sensitive personal data other than the health and sexual life of the data subject are processed in cases stipulated by law, and sensitive personal data relating to the health and sexual life of the personal data subject are processed only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorised institutions and organisations under the obligation of confidentiality.
Our Company may transfer the special categories of personal data of the personal data owner in line with the legitimate and lawful personal data processing purposes by taking the necessary care, taking the necessary security measures and taking the adequate measures stipulated by the PDP Board; upon the explicit consent of the data owner, to Foreign Countries where there is a Data Controller with Adequate Protection or Committed to Adequate Protection. In cases where there is no Adequate Protection, the undertaking regarding the transfer of data abroad published by the Authority will be signed by the relevant parties and submitted to the Board for approval.
Our Company acts sensitively in the protection of special categories of personal data, which are determined as “special categories” by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special categories of personal data and necessary audits are provided within our Company.
In addition, technical and administrative measures are also taken to ensure the appropriate level of security with the measures determined by the Personal Data Protection Board in terms of special categories of personal data.
As a general principle, our Company does not process special categories of personal data unless there are reasons arising from the law. Unnecessary special categories of personal data are deleted or obscured.
Accordingly, the rules for the security of special categories of personal data are set out in this policy;