DATA PRIVACY COMMITMENT
This Personal Data Protection Policy (“Policy”) sets out the principles to be followed within and/or by DEHA METALURJİ METAL SANAYİ VE DIŞ TİCARET Ltd. Şti. (“Company”) while fulfilling its obligations to protect Personal Data and processing Personal Data in accordance with the provisions of the Personal Data Protection Law No. 6698 and related legislation.
The Company commits to act in accordance with this Policy and the procedures to be applied under this Policy in terms of Personal Data within its structure.
PURPOSE OF THE POLICY
The main purpose of this Policy is to establish principles regarding the methods and processes for the protection of Personal Data by the Company.
SCOPE OF THE POLICY
This Policy applies to all activities related to Personal Data processed by the Company.
This Policy does not apply to data that do not qualify as Personal Data.
This Policy may be amended with the approval of the board of directors, as required by the PDPL Regulations or as deemed necessary by the Company’s Data Controller Representative or the Committee.
DEFINITIONS
The terms defined in this Policy have the following meanings:
“Explicit Consent” is the consent declared by the Data Subject of their own free will, based on being informed about the processing of their Personal Data.
“Anonymization” means making Personal Data unidentifiable and unrelatable to a natural person, even if matched with other data.
“Anonymized Data” refers to data that cannot possibly be related to a natural person.
“Personal Data” refers to any information related to an identified or identifiable natural person. (“Personal Data” within the scope of this Policy shall include “Special Category Personal Data” as defined below, as applicable).
“Personal Data Processing” spans obtaining, recording, storing, maintaining, altering, reorganizing, disclosing, transferring, taking over, making recoverable, classifying, or obstructing the use of data by automated or non-automated means as part of any data recording system.
“Committee” is the committee responsible for executing this Policy and the procedures to be applied under this Policy.
“Board” refers to the Personal Data Protection Board.
“Authority” indicates the Personal Data Protection Authority.
“PDPL” stands for Law No. 6698 on the Protection of Personal Data.
“PDPL Regulations” denote the Law No. 6698 on the Protection of Personal Data, related legislation for the protection of Personal Data, binding decisions, principle decisions, provisions, instructions, applicable international agreements, and other legislation enacted by regulatory and supervisory authorities, courts, and other official bodies.
“PDPL Procedures” are the procedures approved by the Board of Directors governing the obligations to be performed by the Company, employees, the Committee, and the Data Controller Representative under this Policy.
“Special Category Personal Data” refers to data regarding individuals' race, ethnicity, political opinion, philosophical beliefs, religion, sect, or other beliefs, attire, memberships to associations, foundations, or unions, health, sexual life, criminal record, and security measures, as well as biometric and genetic data.
“Deletion or Erasure” is the process rendering Personal Data inaccessible and unusable by relevant users in any way.
“Data Inventory” is an inventory containing information about Personal Data Processing activities by the Company, such as purposes of Personal Data Processing, data category, and third parties to whom Personal Data is transferred.
“Data Processor” is a real or legal person processing Personal Data on behalf of the Data Controller, authorized by the Data Controller.
“Data Subject” includes all real persons whose Personal Data are being processed by or on behalf of the Company.
“Data Controller” is the real or legal person determining the purposes and means of Processing Personal Data, establishing and managing the data recording system.
“Data Controller Representative” is an employee chosen from within the Committee, managing relationships with the Authority, appointed by the decision of the board of directors.
“Destruction” refers to making Personal Data inaccessible, non-recoverable, and unusable by anyone.
PRINCIPLES OF PERSONAL DATA PROCESSING
Processing of Personal Data in Compliance with the Law and Principles of Integrity
Personal Data is processed by the Company lawfully and in accordance with principles of integrity.
Ensuring Accuracy and Timeliness of Personal Data
The Company takes all necessary measures to ensure Personal Data is complete, accurate, and up-to-date, and updates the relevant Personal Data when the Data Subject requests a change.
Processing Personal Data for Specific, Legitimate, and Clear Purposes
The Company determines the purpose for processing Personal Data beforehand. Within this scope, the Data Subject is informed in accordance with PDPL Regulations, and explicit consent is obtained where necessary.
Processing Personal Data in a Manner Relevant, Limited, and Proportionate to the Purpose
The Company processes Personal Data only under exceptional circumstances within the scope of PDPL Regulations (Article 5.2 and Article 6.3) or for purposes within the scope of explicit consents obtained from the Data Subject (Article 5.1 and Article 6.2), in accordance with the principle of proportionality.
Maintaining Personal Data as Necessary and Deleting Subsequently
The Company retains Personal Data for the duration necessary for the respective purpose. If the Company desires to retain Personal Data longer than the period prescribed or required by the purpose of Personal Data Processing, it acts in compliance with the obligations stated in the PDPL Regulations.
After the period required by the purpose of Personal Data Processing ends, Personal Data is deleted, destroyed, or anonymized. In this case, the Company also ensures that third parties to which it has transferred the Personal Data delete, destroy, or anonymize it.
The process of deletion, destruction, and anonymization is managed by the Data Controller Representative and the Committee. Relevant procedures are established by the Data Controller Representative and the Committee.
PROCESSING OF PERSONAL DATA
Personal Data can only be processed by the Company under the procedures described below.
Explicit Consent
Personal Data is processed upon providing information within the scope of the Obligation to Inform and obtaining Explicit Consent from the Data Subjects.
Before obtaining Explicit Consent under the Obligation to Inform, Data Subjects are informed of their rights.
Explicit Consent of the Data Subject is obtained through methods compliant with PDPL Regulations. Explicit Consents are preserved for the required period under PDPL Regulations by the Company in a manner that can be proved.
The Data Controller Representative or the Committee is responsible for ensuring the fulfillment of the Obligation to Inform and, if necessary, taking and retaining Explicit Consent for all Personal Data Processing processes. All department employees involved in Personal Data Processing are obliged to comply with the instructions of the Data Controller Representative and/or the Committee, this Policy, and the PDPL Procedures attached to this Policy.
Processing of Personal Data Without Obtaining Explicit Consent
In cases where Processing of Personal Data without Explicit Consent is stipulated under the PDPL Regulations (Article 5.2 and Article 6.3), the Company may process Personal Data without obtaining the Data Subject’s Explicit Consent. In processing Personal Data in this way, the Company operates within the boundaries outlined by the PDPL Regulations.
In this context:
If the Data Subject, due to an actual impossibility, cannot declare consent or is not legally recognized to do so, or for the protection of the life or physical integrity of the Data Subject and/or another person, Personal Data may be processed by the Company without Explicit Consent.
If processing is directly related to the formation, performance, implementation, or termination of a contract, Personal Data belonging to the parties to the contract may be processed by the Company without the Data Subjects’ Explicit Consent.
If Processing of Personal Data is mandatory for the Company to fulfill its legal obligations, Personal Data may be processed by the Company without the Data Subjects’ Explicit Consent.
Personal Data made public by the Data Subject can be processed by the Company without obtaining explicit consent.
If the only possible way for establishing, exercising, or protecting a right necessitates processing Personal Data without obtaining explicit consent, Personal Data may be processed by the Company with the knowledge of the Data Controller Representative.
Personal Data may be processed by the Company without Explicit Consent in cases where processing is necessary for the legitimate interests of the Company, provided that it does not damage the fundamental rights and freedoms of the Data Subject.
PROCESSING OF SPECIAL CATEGORY PERSONAL DATA
Special Category Personal Data may only be processed if the Data Subject has given Explicit Consent or, for Special Category Personal Data other than personal health data, if processing is made obligatory by law.
Personal health data may be processed without explicit consent for protecting public health, preventive medicine, medical diagnosis, treatment, maintaining care services, and managing finance and planning of health services until otherwise stated by PDPL Regulations.
When Processing Special Category Personal Data, measures determined by the Board are taken.
The Company will act in compliance with the PDPL Regulations, particularly the Personal Data Security Guide published by the Board concerning ensuring the security of Personal Data, including Special Category Data.
In each case requiring the Processing of Special Category Personal Data, the relevant employee informs the Data Controller Representative.
If it is not clear whether data is Special Category Personal Data, the relevant department consults the Data Controller Representative for opinions.
RETENTION PERIOD OF PERSONAL DATA
Personal Data is held within the Company for the duration of the relevant legal retention periods, maintained as long as necessary to conduct activities related to these data and the purposes specified in this Policy. Personal Data with its usage purpose terminated and legal retention period ended is deleted, destroyed, or anonymized by the Company pursuant to Article 7 of PDPL.
DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
When the legitimate purpose of Personal Data Processing no longer exists, the relevant Personal Data is deleted, destroyed, or anonymized. Situations requiring the deletion, destruction, or anonymization of Personal Data are monitored by the Data Controller Representative or the Committee.
The process of deletion, destruction, and anonymization is managed by the Data Controller Representative and the Committee. Relevant procedures are established by the Data Controller Representative and the Committee.
The Company does not retain Personal Data in consideration of prospective future use.
TRANSFER OF PERSONAL DATA AND PROCESSING BY THIRD PARTIES
The Company may transfer Personal Data to a third party located domestically or abroad (company officials, representatives, authorized dealers, suppliers, distributors, business partners, Group Companies, Authorized Public Institutions and Bodies) in accordance with PDPL Regulations. In such cases, the Company ensures that third parties to whom Personal Data are transferred comply with this Policy. Necessary protective arrangements are included in contracts concluded with third parties in this context. The clause to be added to contracts with any third parties to whom Personal Data is transferred is obtained from the Data Controller Representative. Each employee must follow the process outlined in this Policy in cases of Personal Data transfer. If the third party requests a change in the clause conveyed by the Data Controller Representative, the employee immediately reports this to the Data Controller Representative.
Transfer of Personal Data to Third Parties in Turkey
Personal Data may be transferred without Explicit Consent in exceptional cases specified in Article 5.2 and Article 6.3 of PDPL, or in other cases with the Data Subject’s Explicit Consent (Article 5.1 and Article 6.2) to third parties in Turkey by the Company.
The employees of the Company and the Data Controller Representative are jointly responsible for ensuring that the transfer of Personal Data to third parties in Turkey is in compliance with PDPL Regulations.
Transfer to Third Parties Abroad
Personal Data may be transferred without Explicit Consent in exceptional cases specified in Article 5.2 and Article 6.3 of PDPL, or in other cases with the Data Subject’s Explicit Consent (Article 5.1 and Article 6.2) to third parties abroad by the Company.
If Personal Data is transferred abroad without obtaining explicit consent under PDPL Regulations, one of the following conditions for the foreign country to which it will be transferred must be present:
The foreign country to which Personal Data is transferred is among the countries designated by the Board as providing adequate protection (refer to the Board's current list),
If the country to which the transfer will be made is not on the Board's list of safe countries, the Company and the Data Controllers in the relevant country undertake in writing to provide adequate protection, and permission is obtained from the Board.
The employees of the Company and the Data Controller Representative are jointly responsible for ensuring that the transfer of Personal Data abroad to third parties is in compliance with PDPL Regulations.
COMPANY'S OBLIGATION TO INFORM
The Company informs Data Subjects before Processing Personal Data in compliance with Article 10 of PDPL. In this context, the Company fulfills the Obligation to Inform during the acquisition of Personal Data. The notification to be made to Data Subjects within the Obligation to Inform includes the following elements respectively:
The identity of the Data Controller and its representative, if any,
The purpose for which Personal Data is processed,
Recipients to whom processed Personal Data may be transferred and for what purpose,
The method and legal reason for collecting Personal Data,
The rights of Data Subjects as listed in Article 11 of PDPL.
The Company provides necessary information upon a request for information by the Data Subject, pursuant to Article 20 of the Turkish Constitution and Article 11 of PDPL.
If requested by Data Subjects, the Company notifies the Data Subject of the Personal Data it processes.
The relevant process-tracking employee and the Data Controller Representative are jointly responsible for ensuring that the Obligation to Inform is fulfilled before Processing Personal Data. Within this scope, necessary PDPL Procedures are established by the Data Controller Representative or the Committee to be reported for each new processing process.
If the Data Processor is a third party other than the Company, it must undertake in writing, prior to starting Personal Data Processing, to act in accordance with the obligations mentioned above. In cases where third parties transfer Personal Data to the Company, the clause to be added to the contracts is obtained from the Data Controller Representative. Each Company employee is obliged to follow the process included in this Policy when Personal Data transfer is made to the Company by a third party. If the third party requests a change in the clause conveyed by the Data Controller Representative, the employee immediately reports the situation to the Data Controller Representative.
RIGHTS OF THE DATA SUBJECTS
The Company responds, in compliance with PDPL Regulations, to the following requests from Data Subjects whose Personal Data it holds:
To learn whether Personal Data is processed by the Company,
To request information if Personal Data is processed,
To learn the purpose of processing and whether Personal Data is used appropriately for its purpose,
To know third parties, both domestic and abroad, to whom Personal Data is transferred,
To request rectification of Personal Data processed incorrectly or incompletely by the Company,
To request the deletion, destruction, or anonymization of Personal Data by the Company if the reasons for processing Personal Data disappear, including principles of purpose, duration, and legitimacy,
To request that transactions regarding rectification, deletion, or destruction of Personal Data by the Company be notified to third parties to whom Personal Data is transferred,
To object to an outcome against the Data Subject produced as a result of processing carried out exclusively through automated systems,
To claim compensation for the damages suffered as a result of unlawful processing of Personal Data.
Data Subjects who intend to exercise their rights and/or who consider that the Company is not acting within the scope of this Policy while Processing Personal Data may prepare their requests so that they meet the conditions specified by the Personal Data Protection Authority and submit them electronically signed to the e-mail address given below (which may change from time to time), hand-deliver a wet-signed petition with identity-confirming documents to the postal address below, or send them via a notary. Current application methods and content must be confirmed against the legislation before applying.
Data Controller: DEHA METALURJİ METAL SANAYİ VE DIŞ TİCARET Ltd. Şti.
E-mail: info@dehametal.com.tr
Postal: 34956
Upon receiving requests regarding the rights of the Data Subjects listed above in writing, the Company concludes the request free of charge, depending on the nature of the request, within thirty days at the latest. If fulfilling the requests by the Data Controller results in a cost, fees may be charged based on the tariff determined by the Personal Data Protection Board.
DATA MANAGEMENT AND SECURITY
The Company appoints a Data Controller Representative and/or forms a Committee to fulfill its obligations under the PDPL Regulations, ensure the implementation of necessary PDPL Procedures to apply this Policy, monitor their operation, and provide recommendations on them.
All employees involved in the relevant process are jointly responsible for ensuring the protection of Personal Data in accordance with this Policy and the PDPL Procedures.
Personal Data Processing activities conducted by the Company are monitored by technical systems, taking into account technological means and application costs.
Personnel knowledgeable about technical issues related to Personal Data Processing activities are employed.
Company employees are informed and trained regarding the protection of Personal Data and its lawful processing.
The necessary PDPL Procedure is created to enable Company employees who need it to access the relevant Personal Data.
Company employees may access Personal Data solely within their defined authorization and in accordance with the relevant PDPL Procedure. Any access or processing that exceeds the employee's authority is unlawful and grounds for termination of the employment contract for just cause.
If a Company employee suspects that Personal Data’s security is not sufficiently ensured or detects such a security vulnerability, they notify the Data Controller Representative immediately.
A detailed PDPL Procedure regarding the security of Personal Data is