Lighting Text

ABKA STATIONERY AND PACKAGING INDUSTRY TRADE LIMITED COMPANY

PRIVACY AND PROTECTION POLICY OF PERSONAL DATA

* INTRODUCTION AND PURPOSE

* Scope

* Definitions

* PERSONAL DATA PROTECTION

* REGARDING THE PROCESSING OF PERSONAL DATA

* Data subject Kvkk M.11 APPLICATION TO RIGHTS & DATA MANAGER WITHIN THE SCOPE AND CONCLUSION OF THE APPLICATION

* PURPOSES FOR PROCESSING PERSONAL DATA BY COMPANIES

* Terms of deletion, destruction and anonymization of personal data

Abka Kirtasiye ve Ambalaj Sanayi Ticaret Limited Şirketi (hereinafter referred to as “Abka stationery”).) they attach great importance to the protection of the personal data they hold and take all necessary administrative and technical measures to ensure the security of personal data. This personal data privacy and protection policy (“privacy policy”) with the payroll of companies registered employees, officials, contacts with business partners, and third parties in the legal relationship of abka stationary in cooperation with other institutions and organizations with employees ' personal data the personal data protection Act No. 6698 (“KVKK”) and in accordance with the provisions on the preservation and handling of secondary legislation is intended. Companies take necessary care for the protection of personal data protected by various legislation within Turkish law and fulfill the requirements of the legislation.

This policy is in accordance with the law for the protection and handling of personal data with companies created systems/procedures to inform about personal data, in terms of principles and aims at ensuring the necessary transparency policy.

This privacy policy on the payrolls of companies, employees, business partners, customers and third parties that have a legal relationship with the other institutions and organizations that are in a contractual relationship within the employees, visitors and third parties partially or completely automated, to be part of the record or any of the data recording system with non-personal data processed in automated ways to covers. Information about such personal data holders is provided for consideration in detail in Annex 1 of this policy (Annex-1: Personal Data holders), as an example.

Registration system provided by the company to be part of any fully or partially automated or non-personal data processed in ways and terms of processing and preservation with the provisions of the kvkk other relevant legislation in force in protection of personal data issued by the board and published policy decisions will be taken into consideration. The provisions of the legislation intended by this policy are to be embodied and understood by companies from the point of view of data stakeholders whose personal data is processed, and to fulfill the disclosure/disclosure obligation arising from the law in accordance with the communique on the procedures and principles to be followed in the fulfillment of the disclosure obligation.

Descriptions of the definitions contained in this policy are as follows;

* Buyer group: the category of natural or legal person to whom personal data is transferred by the data officer,

* Contact: a natural person whose personal data is processed,

* Relevant user: persons who process personal data within the organization of the data officer or in accordance with the authority and instructions received from the data officer, except for the person or unit responsible for technical storage, protection and backup of the data,

* Destruction: deletion, destruction or anonymization of personal data,

* KVKK: law on Personal Data Protection dated 24/3/2016 and numbered 6698,

* Recording media: any environment in which personal data is processed by non-automatic means, whether fully or partially automated or as part of any data recording system,

• The processing of personal data inventory: Data processing activities, depending on the principals of the business processes they are accomplishing personal data; the purpose and legal reason of personal data processing the data category, data is transferred to the recipient group and associating with a group of people created by the subject of personal data required for the purposes they are processed and the maximum conservation of the duration of the measures prescribed by explaining the transfer of personal data to foreign countries detaylandirdik inventory and data protection,

* Personal Data Retention and destruction policy: the policy that data managers base on deleting, destroying and anonymizing the process of determining the maximum time required for the purpose for which personal data is processed,

* Board: Personal Data Protection Board,

* Special Qualified Personal Data: Act 6. As described in the article data related to race or ethnic origin, political opinion, philosophical belief, religion and sect and other beliefs, dress, Association, Foundation or trade union membership, health, sexual life, criminal convictions and security measures are genetic and biometric information.

* Data recording system: a recording system in which personal data is structured and processed according to certain criteria,

* Data officer: a natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,

* Regulation: regulation on the deletion, destruction or anonymization of personal data

1. Ensuring The Security Of Personal Data

Companies take maximum care in maintaining the protection of the personal data they hold with them, and Kvvv 12 entitled “obligations related to data security”. in accordance with the article, it takes administrative and technical measures specified separately in terms of each personal data that is specified in the personal data processing inventory. However, employees registered on the payroll of companies; adopting the principle of “everything is prohibited unless it is prohibited” instead of the principle of “everything is prohibited” in relation to the processing of personal data; as required by this principle; a user account management and authority control system is created and information security trainings are given regarding the need to act within the specified authority matrices, and after the relevant trainings, random audits are carried out to determine whether the trainings are acting in accordance with them. Personnel disciplinary procedures have been established to be applied in case of violations of the policies and procedures applied by the employer and/or violations of the personal data protection legislation. Employees are informed that they will not share the personal data they learn with third parties and will not use it for processing purposes, that they will be subject to sanctions in accordance with the disciplinary regulation of the KVKK, which is an octet of the employment contract, if any violations are detected in information security training and data processing activities. However, the necessary measures are taken regularly, taking into account the precedent decisions made by the board.

Although companies are aware of their obligations arising from Kvkk as a data officer, if kvkk transfers personal data under appropriate conditions, the necessary commitments are taken from the relevant data processors and personal data security awareness is created by the data processors. In order to be applied if the legal processing purposes of personal data are removed from the middle, a policy on the storage and destruction of personal data specific to companies has been prepared and put into effect. In order to prevent illegal access and processing of personal data held by companies as a result of imprudence, it takes the necessary technical and administrative measures in physical and electronic environments. If any unlawful data breach is detected, the procedure to be applied in case of a data breach is implemented immediately.

2. Protection Of Personal Data Of Special Nature

A separate importance has been attributed to the protection of some personal data within the scope of KVKK. Kvkk's 6. item of the person's race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, Association or trade union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data with data on processing of private data qualified as a special/separate privacy is subject to certain conditions, has bouts of. In this context,; In terms of special quality personal data held by companies, great sensitivity is shown, relevant special quality personal data is processed in cases provided for by law or in cases where there is clear consent of the data person concerned, and checks are carried out on whether the measures set out in relation to its security are applied as required.

* Terms Of Processing Of Personal Data

* REGARDING THE PRINCIPLES OF PROCESSING OF PERSONAL DATA

* CLARIFICATION OF DATA INTEREST

* TRANSFER OF PERSONAL DATA

* Presence of explicit consent of the data subject (KVKK m.5/1)

* Clearly stipulated in the laws (KVKK m.5/2 - (a) )

* Lack of explicit consent of the data subject due to actual impossibility (KVKK m.5/2-(b) )

* Directly related to the establishment or execution of a contract (KVKK m.5/2-(c) )

* Mandatory for the data controller to fulfill its legal obligation (KVKK m.5/2-(C.) )

* Data to be publicized by the person concerned (KVKK m.5/2-(d) )

* Necessary for the establishment or protection of a right (KVKK m.5/2-(e) )

* Mandatory in accordance with the legitimate interest of the data controller (KVKK m.5/2-(e) )

* The country in which personal data is transferred is in the “Safe Country” list published by the board,

* Data in the country and Turkey not included in the “Safe Country” list