PERSONAL DATA PROTECTION AND PROCESSING POLICY
DETAM COMPANIES GROUP POLICY ON PROTECTION AND PROCESSING OF PERSONAL DATA
1 GOAL
This Personal Data Storage and Disposal Policy (“Policy”) has been prepared in order to determine the procedures and principles regarding the operations and transactions related to the storage and disposal activities established and carried out by the companies operating within the DETAM GROUP.
In line with its mission, vision and basic principles, DETAM Group has made it a priority that personal data belonging to Company employees, employee candidates, service providers, visitors and other third parties within the Group are processed in accordance with the Constitution of the Republic of Turkey, international conventions, Personal Data Protection Law No. 6698 (the "Law" or "KVKK") and other relevant legislation, and that the relevant persons can exercise their rights effectively.
Accordingly, work and transactions regarding the storage and destruction of personal data are carried out by the Company in accordance with this Policy over the DEBIS (DETAM Information System) software system, which is operated by KYC (Corporate Management Solutions Inc.), a unit that operates autonomously within the Group under an independence commitment.
2 SCOPE
Personal data of DETAM Group Companies employees, employee candidates, service providers, visitors and other third parties are within the scope of this policy, and this policy is applied to all recording media and activities related to personal data processing, which are owned or managed by the company.
3 RESPONSIBILITY
All units and employees of the company actively support the departments responsible for the Policy in implementing the technical and administrative measures taken within its scope, in training and raising the awareness of unit employees, in monitoring and continuously auditing them, in preventing the unlawful processing of and unlawful access to personal data, and in ensuring data security in all environments where personal data are processed, so that personal data are stored lawfully.
4 LEGAL OBLIGATION
4.1. Disclosure Obligation
During the acquisition of personal data within the framework of Article 10 of the Law, the data controller is obliged to provide the following information to the relevant person in person or through the person authorized by her/him:
- Identity of the data controller and, if any, its representative,
- For what purpose personal data will be processed,
- To whom and for what purpose personal data can be transferred,
- Method and legal reason for collecting personal data,
- Other rights enumerated in Article 11 of the Law.
4.2. Obligation to Ensure Data Security
According to Article 12 of the Law, the data controller is obliged, with regard to data security, to take all necessary measures for:
- Preventing unlawful processing of personal data,
- Preventing unlawful access to personal data,
- Ensuring the protection of personal data.
5 DEFINITIONS AND ABBREVIATIONS
Term | Definition
--- | ---
Recipient Group | The category of natural or legal persons to whom personal data are transferred by the data controller.
Explicit Consent | Consent on a specific subject, based on information and expressed with free will.
Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching them with other data.
Employee | Personnel employed by DETAM GROUP companies.
EBYS | Electronic Document Management System (example: M-Files).
Electronic Media | Media in which personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media | All media other than electronic media, such as written, printed and visual media.
Service Provider | A natural or legal person who provides services to a DETAM GROUP company within the framework of a specific contract.
Data Subject | The natural person whose personal data are processed.
Relevant User | Persons who process personal data within the data controller's organization, excluding the person or unit responsible for the technical storage, protection and backup of data.
Destruction | Deletion, destruction or anonymization of personal data.
Law | Personal Data Protection Law No. 6698.
Recording Media | Any media containing personal data processed by fully or partially automated means, or by non-automated means provided that they are part of a data recording system.
Personal Data | Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory | The inventory prepared by data controllers, based on their business processes, which details the personal data processing activities they carry out and explains the purposes and legal grounds for processing, the data categories, the recipient groups to which data are transferred, the data subject groups, the maximum retention period required for the purposes of processing, the personal data foreseen to be transferred abroad, if any, and the data security measures taken.
Personal Data Processing | Any operation performed on personal data by fully or partially automated means, or by non-automated means provided that they are part of a data recording system, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of the data.
Data Processor | The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System | The recording system in which personal data are structured and processed according to certain criteria.
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
Special Quality Personal Data | Pursuant to Article 6 of the Law, data that, if learned, may cause discrimination against or victimization of the persons concerned. According to the Law, these data are: race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress of persons,
6 RECORDING MEDIA
Personal data are securely stored by the Company in the media listed in Table 1, in accordance with the Law.
Table 1: Recording media
Electronic Media | Non-Electronic Media
--- | ---
Servers (domain, backup, e-mail, database, web, file sharing, etc.) | Paper
Software (office software, portal, EBYS, VERBİS) | Manual data recording systems (questionnaire forms, guest entry book)
Information security devices (firewall, intrusion detection and prevention, log files, antivirus, etc.) | Written, printed and visual media
Personal computers (desktop, laptop) |
Mobile devices (phone, tablet, etc.) |
Optical disks (CD, DVD, etc.) |
Removable storage (USB stick, memory card, etc.) |
Printer, scanner, copier |
7 PROCESSING OF PERSONAL DATA
We process personal data in accordance with the principles below:
- Compliance with the law and the rules of honesty
- Being accurate and, where necessary, up to date
- Processing for specific, explicit and legitimate purposes
- Being relevant, limited and proportionate to the purposes for which they are processed
- Being kept only for the period stipulated in the relevant legislation or required for the purposes for which they are processed.
Processing of personal data and special quality data
- Processing of personal data with explicit consent: In accordance with the relevant legislation, the explicit consent of the persons concerned is required in order for personal data to be processed. According to the Law, explicit consent is "consent on a specific subject, based on information and declared with free will".
- Processing of special quality data: As stated in the "Definitions and Abbreviations" section of this Policy, personal data whose unlawful processing carries the risk of causing victimization or discrimination are identified as "special quality". Such data are processed by the company where the explicit consent of the person concerned is obtained, within the framework of the rules stipulated by the Law.
- Processing of personal data collected for human resources and employment purposes: Personal data contained in employee candidate applications collected for employment purposes are processed for the purpose of examining the job application and, if the person concerned consents, are stored for 10 years so that they can be evaluated for future positions within the company. The processing of personal data shared as an employee candidate is carried out in accordance with the principles and rules specified in this Policy. Personal data of employee candidates are gathered for the purposes of evaluating the suitability of the candidate for the vacant position, confirming the accuracy of the information and documents provided by the candidate or conducting research about the candidate, communicating with the candidate, and improving our Human Resources Policy. In this context, application forms submitted in writing or electronically are collected, processed and stored within the framework of Human Resources needs.
- Personal data of employees: Personal data of persons working within the company are collected, processed and stored within the scope of this Policy.
8 EXPLANATIONS ON STORAGE AND DISPOSAL
Personal data belonging to employees, employee candidates, visitors and the employees of third parties, institutions or organizations with which the company deals as service providers are stored and destroyed by the company in accordance with the Law.
In this context, detailed explanations on storage and disposal are given below, respectively.
8.1 Explanations Regarding Storage
The concept of processing personal data is defined in Article 3 of the Law; Article 4 states that processed personal data must be relevant, limited and proportionate to the purposes for which they are processed and must be kept for the period stipulated in the relevant legislation or required for those purposes; and Articles 5 and 6 enumerate the conditions for processing personal data.
Accordingly, within the framework of our company’s activities, personal data are stored for a period stipulated in the relevant legislation or in accordance with our processing purposes.
8.1.1 Legal Reasons Requiring Storage
Personal data processed within the framework of the company's activities are preserved for the period specified in the relevant legislation. In this context, personal data are stored for the storage periods stipulated within the framework of:
- Law No. 6698 on Protection of Personal Data,
- Law No. 6098 Turkish Code of Obligations,
- Law No. 4734 Public Procurement Law,
- Law No. 5510 Social Insurance and General Health Insurance Law,
- Law No. 6331 Occupational Health and Safety Law,
- Law No. 4982 on Access to Information,
- Law No. 3071 on Exercising the Right to Petition,
- Law No. 4857 Labor Law,
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Extensions, Regulation on Archive Services,
- Other secondary regulations in force in accordance with these laws.
8.1.2 Processing Purposes Requiring Preservation
The company stores the personal data processed within the framework of its activities for the following purposes:
- Carrying out human resources processes,
- Providing corporate communication,
- Ensuring company security,
- Carrying out statistical studies,
- Performing the work and transactions arising from signed contracts and protocols,
- Within the scope of VERBİS, determining the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, organizing the services provided accordingly and updating them where necessary,
- Ensuring that legal obligations are fulfilled as required by legal regulations,
- Establishing contact with natural or legal persons who have business relations with the company,
- Making legal reports,
- Serving as evidence in legal disputes that may arise in the future.
8.1.3 Causes Requiring Destruction
Personal data are deleted, destroyed or anonymized by the company, ex officio or at the request of the person concerned, in the following cases:
- The amendment or repeal of the provisions of the relevant legislation that form the basis of their processing,
- The disappearance of the purpose requiring their processing or storage,
- Where the processing of personal data takes place only on the condition of explicit consent, the withdrawal of that explicit consent by the person concerned,
- In accordance with Article 11 of the Law, an application made to the company for the deletion and destruction of personal data within the framework of the rights of the person concerned,
- Where the company rejects an application made by the person concerned requesting the deletion, destruction or anonymization of his or her personal data, the person concerned finds the answer inadequate, or the company does not respond within the period stipulated in the Law, the person concerned files a complaint with the Authority and the request is approved,
- Where the maximum period requiring the storage of personal data has passed and there are no conditions justifying storage for a longer period.
9 TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with Article 12 and the fourth paragraph of Article 6 of the Law, and within the framework of the adequate measures determined and announced for special quality personal data, the company takes the technical and administrative measures below for the safe storage of personal data, to prevent their unlawful processing and unlawful access to them, and to destroy them in accordance with the law.
9.1 Technical Measures
The technical measures taken by the company in relation to the personal data it processes are listed below:
- As a result of real-time analysis with information security event management, risks and threats that will affect the continuity of information systems are constantly monitored.
- Access to information systems and authorization of users are managed through an access and authorization matrix and security policies over the corporate Active Directory.
- Necessary measures are taken for the physical security of the information systems equipment, software and data of the institution.
- In order to ensure the security of information systems against environmental threats, hardware measures (an access control system that allows only authorized personnel to enter the system room, a 24/7 monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, intrusion prevention systems, network access control, systems that block malicious software, etc.) are taken.
- Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks, and technical controls are carried out for the measures taken.
- By establishing access procedures within the company, reporting and analysis studies regarding access to personal data are carried out.
- Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.
- The company takes the necessary measures to ensure that deleted personal data are inaccessible and unusable for the relevant users.
- In case personal data is illegally obtained by others, a suitable system and infrastructure has been established by the company in order to notify the relevant person and the Board.
- Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.
- Strong passwords are used in electronic environments where personal data are processed.
- Secure record keeping (logging) systems are in use in electronic environments where personal data are processed.
- Data backup programs that ensure the safe storage of personal data are in use.
- Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
- Access to the company website is protected by the secure protocol (HTTPS), using a certificate with SHA-256 and RSA.
- Special quality personal data security trainings were provided for employees involved in processing processes of special quality personal data, confidentiality agreements were made, and the authorizations of users authorized to access data were defined.
- Adequate security measures are taken in physical environments where personal data of special nature are processed, stored and / or accessed, and unauthorized entries and exits are prevented by ensuring physical security.
9.2 Administrative Measures
The administrative measures taken by the company in relation to the personal data it processes are listed below:
- In order to improve the quality of employees, trainings are provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, protection of personal data, communication techniques, technical knowledge skills, and relevant legislation.
- Confidentiality agreements are signed with employees regarding the activities carried out by the company.
- A disciplinary procedure has been prepared to be applied to employees who do not comply with security policies and procedures.
- Before starting to process personal data, the company fulfills the obligation to inform the relevant persons.
- Personal data processing inventory has been prepared.
- Periodic and random inspections are carried out within the company.
- Information security trainings are provided for employees.
10. PERSONAL DATA DISPOSAL METHODS
At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed by the company or on the application of the relevant person, again in accordance with the provisions of the relevant legislation, using the following techniques.
10.1. Deletion of Personal Data
Personal data are deleted using the methods given in Table 2.
Table 2: Deletion methods by recording medium
Data Recording Media | Explanation
--- | ---
Personal Data on Servers | For personal data on servers whose storage period has expired, the system administrator removes the access authorization of the relevant users and deletes the data.
Personal Data in Electronic Media | Personal data in electronic media whose storage period has expired are made inaccessible and unusable in any way for employees (relevant users) other than the database administrator.
Personal Data in Physical Media | Personal data kept in physical media whose storage period has expired are made inaccessible and unusable in any way for all employees other than the unit manager responsible for the document archive. In addition, they are blacked out so as to be unreadable by drawing over, painting or wiping.
Personal Data on Portable Media | Personal data kept in flash-based storage media whose storage period has expired are encrypted by the system administrator, access authorization is granted only to the system administrator, and the data are stored in secure environments together with the encryption keys.
10.2. Destruction of Personal Data
Personal data are destroyed by the company using the methods specified in Table 3.
Table 3: Destruction methods by recording medium
Data Recording Media | Explanation
--- | ---
Personal Data in Physical Media | Personal data on paper whose storage period has expired are irreversibly destroyed in paper shredders.
10.3. Making Personal Data Anonymous
Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data.
For personal data to be anonymized, they must be rendered unrelated to an identified or identifiable natural person even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the anonymization by the data controller or third parties and/or matching the data with other data.
11 STORAGE AND DESTRUCTION PERIODS
Regarding personal data processed by the company within the scope of its activities:
- Storage periods for all personal data processed within the activities carried out, depending on the processes, are set out in the Personal Data Processing Inventory;
- Storage periods based on data categories are registered in VERBİS;
- Process-based retention periods are set out in this Policy; records are destroyed using the Material Destruction Form within the scope of the archive regulation.
The company updates the storage periods in question where necessary.
Table 4: Storage and destruction periods by process
PROCESS | STORAGE PERIOD | DESTRUCTION TIME
--- | --- | ---
Company Transactions | 10 years | At the end of the retention period
Preparation of Contracts | 10 years following contract expiry | During the first periodic destruction period following the expiry of the storage period
Execution of Company Communication Activities | 10 years following contract expiry | During the first periodic destruction period following the expiry of the storage period
Execution of Human Resources Processes | 10 years following activity expiry | During the first periodic destruction period following the expiry of the storage period
Log Record Tracking Systems | 2 years | During the first periodic destruction period following the expiry of the storage period
Execution of Hardware and Software Access Processes | 2 years | During the first periodic destruction period following the expiry of the storage period
Registration of Visitors and Meeting Participants | 2 years following event ending | During the first periodic destruction period following the expiry of the storage period
(process name not legible in source) | 30 days | During the first periodic destruction period following the expiry of the storage period
12 PERIODIC DESTRUCTION PERIOD
In accordance with article 11 of the regulation, the company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in the company in June and December every year.
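The retention periods of Table 4 and the June/December cycle above can be applied mechanically. The following Python is an added example, not the policy's text or the DEBIS software: it computes the storage expiry and the destruction date for a record and lists records that are overdue. The rule keys, treating a periodic destruction period as beginning on the first day of June or December, and the omission of the unnamed 30-day row are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# Assumed encoding of Table 4 and section 12; not the DEBIS implementation.
PERIODIC_MONTHS = (6, 12)  # periodic destruction is carried out in June and December


class Disposal(Enum):
    AT_EXPIRY = "at the end of the retention period"
    NEXT_PERIODIC = "first periodic destruction period after expiry"


@dataclass(frozen=True)
class RetentionRule:
    process: str
    years: int = 0
    days: int = 0
    disposal: Disposal = Disposal.NEXT_PERIODIC


# Rule keys are assumed names; the unnamed 30-day row of Table 4 is omitted
# because the source does not say which process it belongs to.
RULES = {
    "company_transactions": RetentionRule("Company Transactions", years=10,
                                          disposal=Disposal.AT_EXPIRY),
    "contracts": RetentionRule("Preparation of Contracts", years=10),
    "communication": RetentionRule("Company Communication Activities", years=10),
    "hr": RetentionRule("Human Resources Processes", years=10),
    "logs": RetentionRule("Log Record Tracking Systems", years=2),
    "access": RetentionRule("Hardware and Software Access Processes", years=2),
    "visitors": RetentionRule("Visitors and Meeting Participants", years=2),
}


def _add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def storage_expiry(rule_key: str, start_iso: str) -> date:
    """End of the storage period, counted from the contract/activity end date."""
    rule = RULES[rule_key]
    start = date.fromisoformat(start_iso)
    return _add_years(start, rule.years) + timedelta(days=rule.days)


def next_periodic_destruction(after: date) -> date:
    """First day of the first June/December period strictly after `after`."""
    for month in PERIODIC_MONTHS:
        candidate = date(after.year, month, 1)
        if candidate > after:
            return candidate
    return date(after.year + 1, PERIODIC_MONTHS[0], 1)


def destruction_date(rule_key: str, start_iso: str) -> date:
    """Date on which the record must be deleted, destroyed or anonymized."""
    expiry = storage_expiry(rule_key, start_iso)
    if RULES[rule_key].disposal is Disposal.AT_EXPIRY:
        return expiry
    return next_periodic_destruction(expiry)


def overdue_records(records: list[tuple[str, str, str]], today_iso: str) -> list[str]:
    """Ids of (id, rule_key, start_iso) records whose destruction date has passed."""
    today = date.fromisoformat(today_iso)
    return [rid for rid, key, start in records
            if today > destruction_date(key, start)]
```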
13 PUBLISHING AND STORAGE OF THE POLICY
The policy is published in two different media as wet signed (printed paper) and electronically, and it is also published on the website.
14 UPDATING THE POLICY
The policy is updated as needed and republished.
15 ENTRY INTO FORCE AND TERMINATION OF THE POLICY
The policy is deemed to have entered into force after its publication on the company’s DEBIS and Web Site.
In case of a decision to annul it, old wet-signed copies of the policy are annulled by the company board of directors (by stamping or marking as cancelled) and kept within the scope of the Quality Management System for at least 5 years. In case certain articles of the policy are renewed, the effective date and version are updated on the website.