|Explicit Consent||Consent that is specific to subject, informed and freely given.|
|Anonymization||Rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data.|
|Employee||Natural person employed by the Company.|
|Job Candidate||Natural person who is not an İda Costa employee but holds candidate status.|
|Data Subject||Natural person whose data is being processed.|
|Business Partners||Persons which the Company has become partners with through a contractual relationship as part of its business activities.|
|Law||Law No. 6698 on the Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.|
|Personal Health Data||Any type of medical information concerning an identified or identifiable natural person.|
|Personal Data||All kinds of data concerning an identified or identifiable natural person.|
|Processing of Personal Data||All kinds of operations that are carried out on personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing their use, fully or partially through automatic means or through non-automatic instruments provided that they are part of a data registry system.|
|Board||The Personal Data Protection Board.|
|Sensitive Personal Data||Data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, health, sexual life, criminal conviction and security measures and the biometric and genetic data.|
|Policy||Borpa Metal Ticaret ve Turizm Ltd. Şti. Personal Data Protection and Processing Policy.|
|Company / İda Costa||Borpa Metal Ticaret ve Turizm Ltd. Şti.|
|Data Processor||Natural or legal person processing personal data on behalf of and authorized by the data controller.|
|Data Controller||Natural or legal person who determines the processing purposes and instruments of personal data and is responsible for establishing and managing the data registry system.|
Borpa Metal Ticaret ve Turizm Ltd. Şti. (will be referred to as “İda Costa” hereafter) attaches high importance to protection and lawful processing of personal data as per the Law No. 6698 on the Protection of Personal Data (“Law”). Therefore, in order to provide high quality services in terms of data security, we act in accordance with the Personal Data Protection and Processing Policy (“Policy”) on protection, retention, processing, use, destruction of personal data, commercial electronic communications and all other matters. In this regard, we submit to your attention the Policy to both fulfill the clarification obligations under Article 10 of the Law and state all administrative and technical measures we have taken within the scope of personal data processing and protection.
1.2. Purpose and Scope of the Policy
Main purpose of the Policy is to explain systems related to processing and protection of personal data in accordance with current laws and the Law’s purpose and within this scope, and give information on Data Subjects’ personal data which is processed by İda Costa automatically or manually provided that it is processed as part of a data registry system.
2.1. Data Subject
Data Subject, under the Policy, is a natural person whose personal data is being processed by İda Costa. Within this framework, Data Subject categories are as follows:
|PERSONAL DATA CATEGORIES||DEFINITION|
|Identity Information||All information on the identity of the person such as driver license, national identity card, residence, passport, lawyer identity, marriage certificate|
|Contact Information||Contact information with regards to the Data Subject such as phone number, address, and e-mail address|
|Employee’s Personal Information||Information with regards to the Data Subject such as payroll, disciplinary proceeding, certificate showing the beginning of the employment/end of the employment, declaration of property, resume, performance assessment notes|
|Car Information||Information such as vehicle registration plate, vehicle license, traffic ticket|
|Information on Customer Transactions||Information on records of use of our service and products by customers and instructions and requests of the customers on the use of our service and product|
|Security Information on Physical Area||Personal data such as camera records of the entrance and inside area of İda Costa that are recorded during visits|
|Financial Information||Any processed personal data showing financial issue between the Data Subject and İda Costa|
|Interview and Recruitment Notes||Personal data that is processed with regards to any job application to İda Costa or recruitment process of İda Costa or İda Costa employees|
|Legal Transaction||Personal data processed (i) while determining and monitoring İda Costa’s legal rights and benefits, (ii) in order to perform İda Costa’s obligations, and (iii) within the scope of İda Costa’s compliance policy.|
|Information on Audit and Inspection||Personal data processed in order to fulfill İda Costa’s legal obligations and comply with İda Costa’s policies|
|Criminal Conviction and Safety Measures||Information on criminal conviction or safety measures such as criminal record|
|Health Information||Personal health information such as disability, blood type, HES code, prosthesis or device integrated to body|
|Visual and Audio Records||Voice and video records|
|Request/Complaint Management Information||Personal data related to receipt and evaluation of all kinds of requests or demands pointed to İda Costa|
|Work Experience||Information on the Data Subject such as degree, attended courses, trainings, certificates, and transcripts|
|Location||Information on whereabouts|
2.3. Purposes of Personal Data Processing
Your personal data and sensitive personal data is processed by İda Costa in accordance with the personal data protection conditions provided by the Law and the relevant legislation within the scope of (i) doing the necessary work and conducting related business processes by our relevant work units to realise the activities we conduct, (ii) doing the necessary work and conducting related business processes to provide services and products for the Data Subject’s benefit, (iii) ensuring legal and commercial safety of Data Subjects in a business relationship with İda Costa, (iv) planning and execution of İda Costa’s business strategies and (v) planning and execution of human resources policies and processes with the following purposes (including without limitation):
- Planning and conducting activities and operational processes;
- Conducting activities in accordance with the legislation, compliance with retention, reporting and notification obligations provisioned by the legislation and the relevant authorities;
- Ensuring the performance of legal obligations as required by laws;
- Planning and execution of processes related to customer satisfaction, corporate communication activities, customer relations, and customer requests and complaints;
- Ensuring sustainability of the business, planning of activities, determination or execution of strategies;
- Institutional sustainability, corporate governance, strategic planning and, planning, audit and execution of information security processes;
- Planning and execution of sales, marketing and advertising processes of products and services; and determination and customization of use and service concept;
- Execution of works conducted with business partners or suppliers and management of those relations;
- Conducting financial and accounting works;
- Conducting insurance processes;
- Monitoring and performing contractual processes or legal requests or legal works;
- Ensuring physical security of İda Costa’s premises;
- Ensuring legal and commercial safety of İda Costa and persons that have business relationship with İda Costa;
- Execution of İda Costa’s human resources policies including but not limited to; evaluation of job applications, planning and execution of subcontractor’s employees’, additional employees’ and foreign employees’ processes, planning and execution of İda Costa employees’ recruitment and termination processes and management of employees’ personal processes;
- Planning and conducting work health and safety processes;
- Meeting the demands such as transfer, reception and returning forgotten belongings;
- Creating and monitoring visitor records; and
- Conducting retention and archiving activities.
3.1. Data Controller
Data controller is the natural or legal person who determines the processing purposes and instruments of personal data and is responsible for establishing and managing the data registry system. Legal persons are themselves “data controllers” while processing personal data and liabilities stated in the relevant regulations shall belong to the legal persons. There is no difference between public legal persons and private legal persons on this matter.
According to the Law, data controller is the person who determines the processing purposes and instruments of personal data. In other words, it is the person who shall answer the questions of “why” and “how” of the processing activities. Within this context, İda Costa acts as the data controller.
3.2. Obligation to Inform
The law gives Data Subject a right to be informed about by whom, for what purposes and for which legal reasons/basis their data are to be processed, for what purposes and to whom the data may be transferred and these issues are addressed under the data controller’s obligation to inform. Accordingly, under Article 10 of the Law, when collecting personal data, İda Costa or the person authorised by İda Costa is obliged to inform the Data Subjects about the following:
- The identity of the controller and of his representative, if any;
- The purpose of data processing;
- The purpose and the recipients to whom the data can be transferred;
- The methods and legal reasons of collection of personal data; and
- Other rights of the Data Subject referred to in Article 11 of the Law:
  - Learn whether or not personal data is being processed;
  - Request further information about processing if personal data relating to him is being processed;
  - Learn the purpose of processing of personal data and whether personal data is being used consistently with the purpose;
  - Know the third parties in the country or abroad to whom personal data is transferred;
  - Request rectification of personal data if processed incompletely or inaccurately;
  - Request erasure or destruction of personal data within the framework of the principles set out within the Law;
  - Request notification of the rectification, erasure or destruction to the third parties to whom personal data has been transferred;
  - Object to the processing, exclusively by automatic means of his personal data, which leads to an unfavourable consequence for the Data Subject; and
  - Request compensation for the damage arising from the unlawful processing of his personal data.
The controller is obliged to inform the Data Subject both when the data processing relies on the explicit consent of the Data Subject and when processing is carried out under the conditions specified by the Law. In other words, the Data Subject should be informed in every situation where his personal data is processed.
Per Article 12 of the Law, İda Costa, as a data controller, should:
- prevent unlawful processing of personal data;
- prevent unlawful access to personal data; and
- ensure safe retention of personal data.
İda Costa, as a data controller, should take all necessary technical and organizational measures to provide an appropriate level of security to fulfil the above-mentioned obligations. It is Personal Data Protection Board’s (“Board”) duty and power to carry out a regulatory act to specify obligations related to data security. In addition, in line with the minimum criteria that will be identified by the Board, additional measures may be taken by considering the characteristic of the data that is processed in the specific sector.
In case the processing of personal data is carried out by another natural or legal person on behalf of İda Costa, İda Costa shall jointly be responsible with these persons for taking the necessary measures. Thus, data processors are also responsible to take necessary steps to maintain data security. For instance, if a separate accounting firm retains data of and for İda Costa, İda Costa, as a data controller, and accounting firm shall jointly be responsible for taking the necessary measures on the processing of personal data.
The Law also requires the data controller to carry out necessary audits. Data controller is obliged to carry out the necessary audits, or have them made, in its own institution or organization, to ensure the implementation of the provisions of the Law. Thus, the data controller could make this audit by itself or manage them through a third party.
Besides, the data controllers and data processors shall not disclose the personal data that they have learned to anyone contrary to the provisions of the Law, and shall not use such data for purposes other than those for which the personal data have been processed. This obligation shall continue even after they resign.
Lastly, in such a case that the data is obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through any other way it deems appropriate.
3.4. Obligation to Respond to Data Subject’s Requests
İda Costa, as a data controller, responds to requests on the implementation of the Law in writing or by other means to be determined by the Board. İda Costa responds to the requests free of charge within the shortest time by considering the nature of the request and at the latest within thirty days. However, if the requested action requires an extra cost, İda Costa may request from the Data Subject the fees specified in the tariff determined by the Board.
İda Costa provides its response to the Data Subject in writing or by electronic means in such cases where İda Costa accepts the request or refuses it by justifying the related grounds. If the requested demand is accepted, then it shall be fulfilled by İda Costa. If the request is made due to the fault of İda Costa then İda Costa shall refund the data subject.
If the request is refused, the response is found insufficient or the request is not responded to within the specified time period, the Data Subject may initiate a complaint to the Board within thirty days as of the date he or she learns about the response of İda Costa, or within sixty days as of the request date.
3.5. Obligation to Implement the Board’s Decision
If the Board finds out a violation as a result of its examination upon a complaint or ex officio, the Board shall decide that the identified violations shall be remedied by İda Costa and notifies this decision to the relevant parties. İda Costa should implement this decision without delay and within thirty days at the latest after the notification.
4.1. Processing the Personal Data
Processing of personal data refers to any operation concerning the personal data, wholly or partially by automated means or non-automated means as a part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.
İda Costa sets forth the purpose of the processing of personal data before processing it. Besides, the personal data is processed (i) related to the services provided by İda Costa and (ii) essential to the needs of the services.
4.2. General Principles of Processing of Personal Data
İda Costa, by taking all necessary steps and complying with all legal principles, processes the personal data in line with the purposes stated below and in compliance with procedures and principles stated in Article 4 of the Law:
- Lawfulness and Fairness. İda Costa acts in accordance with laws, general principles of law, and regulations while processing personal data. İda Costa considers the reasonable expectations of the Data Subjects and processes the personal data limited to the purpose of processing the personal data.
- Accuracy and Up-to-Dateness. İda Costa checks whether the personal data is up to date and makes necessary controls to keep the data up to date. Data Subjects have the right to request correction or erasure of the non-accurate and outdated data.
- Specific, Explicit and Legitimate Purposes. İda Costa sets forth the purpose of processing personal data before each process of personal data and makes sure that those purposes are in line with the laws and regulations.
- Relevant, Limited, and Proportionate to the Purposes. İda Costa limits its process of personal data with the necessary personal data that is essential to manage the purpose and takes necessary steps not to process any personal data that is not related to that purpose.
- Storing for the Period Specified by Relevant Legislation or the Period Required for the Purpose. İda Costa erases, destructs, or anonymises the personal data in cases where there is no longer reason to process the personal data, or the specified period is expired.
İda Costa processes the personal data only in cases where one of the conditions included in Article 5 of Law is met. Those conditions are explained below:
- Explicit Consent of the Data Subject. İda Costa processes personal data in line with the principles set forth in Article 4.2. of the Law if there is an explicit consent of the data subject. In addition, İda Costa processes personal data if the data subject consents (i) by having adequate information on the process of the personal data by his own will, (ii) without any doubt to his will, and (iii) within the scope of the related purpose.
- Expressly Provided for by the Laws. İda Costa may process personal data without the explicit consent of the data subject where it is expressly provided for by the laws. In such a scenario, İda Costa processes personal data in accordance with the laws and regulations.
- Unable to Receive Explicit Consent Due to the Impossibility and the Process of Personal Data Is Required. İda Costa processes personal data of the data subject in such cases where it is obligatory for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent or whose consent is not deemed legally valid.
- Necessary provided that it is directly related to the conclusion or fulfilment of a contract. Personal data of the parties to a concluding or already concluded contract between the Data Subject and İda Costa, may be processed if it is necessary.
- Mandatory for the data controller to fulfil its legal obligations. İda Costa processes personal data in order to fulfil its legal obligations provisioned by the legislation in force.
- Made public by the Data Subject. Personal data declared to public in any way and made accessible to everyone’s information as a result of being made public may be processed by İda Costa without the explicit consent of the Data Subject to the extent of the purpose that it has been made public.
- Mandatory for the establishment, exercise or protection of any right. İda Costa may process Data Subject’s personal data without its explicit consent within the scope of the necessity.
- Mandatory for the legitimate interests of the controller, provided that such processing shall not violate the fundamental rights and freedoms of the data subjects. İda Costa may process personal data paying regard to the balance between İda Costa’s and the Data Subject’s interests. Within this scope, İda Costa initially determines the legitimate interest to be achieved with the data processing based on legitimate interest. It then evaluates the possible effect of the personal data processing on the Data Subject’s rights and freedoms and processes the data in case it deems that there is no imbalance.
Sensitive personal data is explicitly defined in Article 6 of the Law. These are; personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures and the biometric and genetic data.
İda Costa may process sensitive personal data, ensuring that additional measures specified by the Board are taken, under the following conditions:
- Sensitive data excluding those relating to health and sexual life can be processed with the explicit consent of the Data Subject or under the conditions set out by the Law.
- Personal data relating to health and sexual life may only be processed, without explicit consent of the data subject, by persons under an obligation of confidentiality or by authorised institutions and establishments for the purposes of protection of public health, protective medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
5.1. For How Long Your Personal Data will be Retained?
Personal data processed under the provisions of the Law and with the purposes specified within the Policy shall be erased, destructed or continued to be used in an anonymized way by İda Costa in accordance with Article 7(1) of the Law, upon disappearance of reasons which require the process and/or expiration of processing time periods provisioned/required by the legislation.
5.2. Security of Personal Data
İda Costa takes all necessary measures pursuant to Article 12 of the Law in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the retention of personal data; and prevents illegal processing of personal data by third parties.
6.1. Periodic Extermination and Legal Retention Periods
Physical and digital data for which legal retention and extermination periods expire are exterminated periodically. İda Costa erases, destructs or anonymizes the personal data following the date that the obligation to erase, destruct or anonymize personal data arises.
6.2. Erasure and Destruction Process upon Request of the Data Subjects
İda Costa examines the present situation of personal data processing conditions and takes action accordingly in cases where Data Subjects apply to İda Costa and request that its personal data be erased or destructed.
Personal data subject to request are erased, destructed or anonymized if all the personal data protection conditions have disappeared. İda Costa finalizes the Data Subject’s request and informs the Data Subject in a maximum of 30 days.
If all the personal data protection conditions disappeared and the personal data subject to request have been transferred to third parties, İda Costa notifies the third party of the situation and ensures the necessary actions are taken by the third party within the scope of the Regulation on Erasure, Destruction or Anonymisation of Personal Data.
If all of the personal data protection conditions did not disappear, İda Costa may reject the request explaining the reasons thereof to the Data Subject and notifies its rejection to the Data Subject in writing or electronically in a maximum of 30 days.
7.1. Amendments to the Policy
İda Costa may make amendments to the Policy in accordance with and following any kind of amendments in the relevant legislation.
Amendments made by İda Costa to the Policy may be examined and all kinds of complaint and request for additional information may be made on the following website [www.idacosta.com].
7.2. Enforcement of the Policy
The Policy which is prepared by İda Costa and entered into force on the date of its publication is declared to the public by being published on İda Costa’s website, [www.idacosta.com]. In case of conflict between the legislation in force, notably the Law, and provisions of this Policy, provisions of the legislation shall apply.
İda Costa preserves the right to make amendments to the Policy in accordance with the legal provisions. The up-to-date version of the Policy may be reached through İda Costa’s website, [www.idacosta.com].
The following are excluded from the scope of the Law:
- Processing by natural persons, of personal data within the scope of activities related to themselves and their family members residing in the same residence provided that the personal data is not transferred to third parties and obligations regarding data security are complied with.
- Processing of personal data by anonymizing it with official statistics with purposes such as research, planning and statistics.
- Processing of personal data for art, history, literature or scientific purposes or within the scope of the freedom of expression provided that national defence, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated and the processing does not constitute a crime.
- Processing of personal data within the scope of preventive, protective or intelligence activities conducted by public authorities appointed and authorized by law in order to ensure national defence, national security, public safety, public order or economic safety.
- Processing of personal data by judicial or execution authorities related to enquiry, prosecution, trial or execution processes.
İda Costa is not obliged to make clarifications to Data Subjects and the Data Subjects shall not exercise their rights specified in the Law, excluding their right to demand damages, in the following situations:
- Necessity of personal data processing in order to prevent commission of a crime or necessity of it for a criminal investigation.
- Processing of personal data which is made public by the Data Subject himself or herself.