Processing And Protection Of Personal Data Policy

Document Name:

Processing and Protection of Personal Data Policy of Zahit Aluminium

Target Audience:

Natural persons whose personal data are processed by Zahit Aluminium

Prepared by:

Personal Data Protection Committee of Zahit Aluminium

Approved by:

Zahit Aluminium Board of Directors

Effective Date:

20.11.2022

TABLE OF CONTENTS

CONCEPTS

CHAPTER I

INTRODUCTION

PURPOSE

SCOPE

POLICY IMPLEMENTATION

CHAPTER II

1- General Principles for Processing of Personal Data

2- Terms of Processing of Personal Data

3- Notifying and Informing the Personal Data Subject

4- Processing of Sensitive Data

CHAPTER III

1- Personal Data Processed by Our Company

2- Groups of Persons Whose Data are Processed by our Company

3- Purposes of Processing of Personal Data

4- Retention Periods of Personal Data

CHAPTER IV

Camera Surveillance Activities Carried Out in and Around the Building of Zahit Aluminium

CHAPTER V

Transfer of Personal Data

CHAPTER VI

Considerations for the Protection of Personal Data

CHAPTER VII

Terms of Deletion, Destruction, and Anonymization of Personal Data

CHAPTER VIII

Rights of Personal Data Subjects, and Method for Exercise & Evaluation of These Rights

CHAPTER IX

Processing and Protection of Personal Data Policy Management Structure

CHAPTER X

Technical and Administrative Measures Taken for the Security of Personal Data

PROCESSING AND PROTECTION OF PERSONAL DATA POLICY CONCEPTS OF ZAHİT ALUMINIUM

Processing of Personal Data

Any process performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is a part of any data recording system.

Personal Data Subject

The natural person whose personal data are processed.

Personal Data

Any information related to an identified or identifiable natural person.

Sensitive Personal Data

Biometric & genetic data and data on race, ethnicity, political opinion, philosophical belief, religion, sect or other faiths, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures.

Data Controller

The person who determines the purposes and means of processing of personal data and who manages the location (data recording system) where the data are systematically kept.

Deletion

The process of making personal data inaccessible and non-reusable in any way for the relevant users.

Destruction

The process of making personal data inaccessible, irretrievable, and non-reusable by anyone in any way.

Anonymization

The process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In this method, personal data must be made impossible to be associated with an identified or identifiable natural person by the recipient or groups of recipients, even through the use of techniques suitable for the recording medium and the relevant field of activity such as backtracking and matching the data with other data.

Data Processor

The natural or legal person who processes the personal data on behalf of the data controller based on the authorization granted by the data controller.

Explicit Consent

Informed consent on a specific matter disclosed with free will.

CHAPTER I

INTRODUCTION

The purpose of this regulation is to protect the personal data as well as all other data containing personal data of employees, prospective employees, customers, suppliers, shareholders, and visitors within the scope of the Personal Data Protection Law No. 6698.

With this policy, the principles to be adopted and taken into consideration at the point of application by our Company regarding the processing, protection, deletion, destruction, and anonymization of personal data have been set forth.

PURPOSE

The purpose of this policy is to determine the policy of protection and processing of personal data and to inform the natural persons, whose personal data may be processed, about the personal data processing activities carried out by our Company in accordance with the law and the processes adopted for the protection of personal data.

SCOPE

This policy is related to all personal data of natural persons whose data are processed by our Company.

POLICY IMPLEMENTATION

The Protection and Processing of Personal Data Policy issued by us takes effect upon the decision of the Company Management and is e-mailed upon the request of the personal data subjects.

CHAPTER II

1- GENERAL PRINCIPLES FOR PROCESSING OF PERSONAL DATA

Zahit Aluminium complies with the following principles regarding the processing of personal data in accordance with Article 4 of PDPL.

1.1- Engaging in Personal Data Processing Activities in Compliance with Law and Good Faith

Zahit Aluminium acts in accordance with the principles introduced by the laws and other legislative regulations for the processing of personal data. In accordance with the principle of compliance with good faith, our Company considers the interests and reasonable expectations of the data subjects while endeavoring to achieve its objectives in data processing.

1.2- Ensuring that Personal Data are Accurate and Up-to-Date When Required

Zahit Aluminium takes the necessary measures and takes the utmost care to ensure that personal data are up-to-date and accurate by considering the fundamental rights and legitimate interests of personal data subjects.

1.3- Processing for Specific, Explicit, and Legitimate Purposes

Zahit Aluminium specifies its purpose of processing of personal data in an explicit and definite way. Our Company does not process the data for purposes other than the purpose specified to the data subject. The data processed by our Company are connected with the work that has been done or the services that have been provided, and are no more than necessary.

1.4- Being Relevant, Limited and Proportionate to the Purpose for Which They are Processed

Zahit Aluminium processes data that are sufficient and fit for its purpose and does not process any unnecessary data. It does not collect personal data for purposes that do not yet exist and are only expected to arise later.

1.5- Retaining for the Period Stipulated in Applicable Legislation or Required for the Purpose for which they are Processed

2- CONDITIONS OF PROCESSING OF PERSONAL DATA

Personal data may be processed in the presence of one of the following conditions:

2.1- Explicit Consent of Personal Data Subject

One of the conditions for processing of personal data is the explicit consent of the data subject. Explicit consent of the personal data subject must be related to a specific matter, must be informed, and must be with their free will.

2.2- Explicitly Stipulated in Law

Personal data of the data subject may be lawfully processed if it is clearly stipulated in the law.

2.3- Failure to Obtain Explicit Consent of Data Subject Due to Actual Impossibility

Personal data of the data subject may be processed if it is mandatory to process the personal data of the person, who is unable to give their consent or whose consent cannot be acknowledged due to actual impossibility, in order to protect the life or physical integrity of themselves or another person.

2.4- Direct Relevance to Establishment or Performance of Contract

Provided that it is directly related to the establishment or performance of a contract, personal data may be processed if it is required to process the personal data of the contracting parties.

2.5- Fulfillment of Legal Obligations

Personal data of the data subject may be processed if data processing is mandatory for the fulfillment of legal obligations.

2.6- Personal Data Made Public by Data Subject

If the personal data are made public by the data subject, they may be processed, limited to the purpose.

2.7- Mandatory Data Processing for Establishment or Protection of a Right

Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise, or protection of a right.

2.8- Mandatory Data Processing for Legitimate Interest of Data Controller

Provided that it does not harm the fundamental rights and freedoms of the personal data subject, personal data of the data subject may be processed if data processing is mandatory for the legitimate interests of our Company.

3- NOTIFYING AND INFORMING THE PERSONAL DATA SUBJECT

Our Company discloses the purpose for which personal data shall be processed, to whom and for what purpose the processed personal data may be transferred, the methods and legal grounds for collecting personal data, and the rights of the personal data subject.

4- PROCESSING OF SENSITIVE DATA

Our Company acts in accordance with the regulations stipulated in PDPL for the processing of personal data specified as “sensitive” by PDPL.

Such data are biometric & genetic data and data on race, ethnicity, political opinion, philosophical belief, religion, sect or other faiths, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures.

Sensitive personal data are processed by our Company in the following conditions by taking the necessary measures:

If the explicit consent of the personal data subject is available, or

If the explicit consent of the personal data subject is not available, it may be processed in situations stipulated by the law.

Data on health and sexual life are processed only under the control of our occupational physician; otherwise, the explicit consent of the data subject is obtained.

CHAPTER III

1- PERSONAL DATA PROCESSED BY OUR COMPANY

Personal data processed by our Company are as follows. However, which data shall be processed for each personal data subject may vary depending on various considerations such as the nature of the relationship between the personal data subject and our Company, as well as the communication channels used.

PERSONAL DATA / DESCRIPTION

ID

Name and surname, TR ID number, tax number, signature, gender, place/date of birth, mother’s and father’s name, marital status, driver’s license class, name and surname of dependents, photocopy of ID card and driver’s license, driver’s license details (vehicle, SRC, forklift, etc.), photocopy of marriage certificate, name and title of sole proprietorship, insurance number, passport details and signature circular, e-signature details

Contact

Business address, residential address, residence certificate, phone number, extension, mobile phone and work phone details, email address, REM address, company details, position/department details

Physical Location Security

Video and audio recordings taken with security camera, institution/organization and title details, date and time of entry-exit, license plate details

Finance

Salary details, bank account details and IBAN number, debit/credit details, payment details, number/amount of invoices, salary payment receipt, letter of guarantee

Visual Recording / Imagery Recording

Picture and camera recording details in the work environment

Audio Recording

Sound/voice recording details

Process Security

User name and password, website login/logout log records, user IP address details, server, 112, ETA, Intranet, Meditek data

Legal Actions

Enforcement procedures, court file details, personal data in correspondences with judicial authorities

Professional Knowledge / Experience

Educational background/certificate, profession, graduation details, foreign language and computer knowledge, course, seminar and certificate details, company details, work experience/previous jobs/salary and reason for leaving, diploma details, professional qualification certificate details if any, private security ID card, position/title details

Customer Operations

Sole proprietorship name/title, tax ID number, trade registry gazette, tax plate

Supplier Operations

Sole proprietorship name/title, tax ID number, invoice amount, address

Personnel Affairs

Personal data obtained for the personnel affairs of natural persons in a work relationship with our Company are personnel title/position, directorate, department, branch, unit details, assigned mobile phone, computer, company car details, extension details, tool/device details, number of children, leave details, discharge certificate, identity register copy, assignment form, resume details, employment certificate of the previous workplace, minutes, defense, warning letters issued within the scope of disciplinary processes, employment dates, payroll details, overtime details, employee registration number, height/weight/shoe size details, personnel vehicle details, personnel card number, entry-exit time/gate details, SSI declarations, company registration number, diploma photocopy, tally records, training records, parent/guardian/representative details, monthly attendance chart, OHS training documents, OHS instructions, PPE debit minutes, SSI service list, salary receipts, email address, phone number.

Location

Location details obtained due to the vehicle tracking system available in company cars, name of the hotel stayed/planned to stay, number of days of stay, check-in/check-out dates

Other

Military service and discharge date details of prospective employees, SSI number, requested salary/job details, date to start working, availability to work out of town, overtime/shiftwork, smoking details if any, compulsory service debt if any, reference details, people known in our company, interview results, license plate details to use in dispatch processes

Sensitive Personal Data

Health Information: Medical report, incapacity report, blood type details, disability report, accident-operation details, disease details, medical history details, examination results, laboratory-test findings, device and prosthesis details, vaccination card and Covid-19 details

Criminal conviction and security measures: Criminal record details

2- GROUPS OF PERSONS WHOSE DATA ARE PROCESSED BY OUR COMPANY

Those whose personal data are processed by our Company are employees/relatives of employees, prospective employees/relatives of prospective employees, customers, suppliers, shareholders, visitors.

3- PURPOSES OF PROCESSING OF PERSONAL DATA

Your personal data shall be processed by our Company for the following purposes:
  • Fulfillment of the application processes of prospective employees,
  • Fulfillment of intern training processes,
  • Establishment of employment contracts,
  • Fulfillment of regulatory obligations,
  • Informing of authorized persons, institutions, and organizations,
  • Execution of contract processes,
  • Fulfillment of payment and collection processes,
  • Execution of communication activities,
  • Fulfillment of occupational health and safety obligations,
  • Execution of debit and authorization processes,
  • Execution of training activities,
  • Creation and monitoring of visitor records,
  • Ensuring security of movable assets and resources,
  • Creation of email signature,
  • Monitoring and execution of legal affairs,
  • Execution of goods/service procurement processes,
  • Execution of goods/service sales activities,
  • Monitoring and inspection of work,
  • Execution of clearance,
  • Ensuring information security,
  • Execution of ethics activities,
  • Fulfillment of payments and collections,
  • Execution of logistics and delivery processes,
  • Ensuring security of physical location, life, and property,
  • Fulfillment of financial accounting transactions,
  • Execution of retaining and archiving activities,
  • Execution of business activities and ensuring business continuity,
  • Execution of after-sales support services,
  • Execution of customer relationship management processes,
  • Execution of production and operation processes,
  • Protection of public health,
  • Execution of fringe benefits and interests of employees,
  • Execution of management activities,
  • Utilization of projects and incentives,
  • Fulfillment of professional qualification processes,
  • Execution of processes related to intellectual and industrial property rights,
  • Execution of academic studies/collaborations with academicians within company,
  • Execution of travel, transfer, reservation, and accommodation processes,
  • Execution of promotions, advertisements, and special occasion celebrations,
  • Arrangement of organizations and events.

Our Company processes personal data:
  • if it is necessary to process the personal data of the parties pursuant to the business relationship established by the contract;
  • if explicitly stipulated in the law;
  • if data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject; and
  • in the absence of such legal grounds, with the “Explicit Consent” of the data subject.

4- RETENTION PERIODS OF PERSONAL DATA

Our Company retains personal data for the period stipulated in the applicable legislation or required for the purpose for which they are processed.

If no period is specified in the legislation on how long the personal data should be retained, the data are processed by our Company for the period required under the Company’s practices and the customs of business life, in line with the operations carried out while processing those data.

If the purpose of processing of personal data no longer exists and the retention periods determined by the applicable legislation or our Company have expired, personal data can only be retained for the purpose of constituting evidence in possible legal disputes, asserting a right related to personal data, or establishing a defense. In determining the periods herein, retention periods are based on the statute of limitations for the assertion of the right in question and on examples of requests previously addressed to our Company on the same issues despite the expiration of the statute of limitations. In this case, the retained personal data cannot be accessed for any other purpose and the relevant personal data can be accessed only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed, or anonymized.

CHAPTER IV

CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT IN AND AROUND THE BUILDING OF ZAHİT ALUMINIUM

Our Company surveils certain areas with cameras in order to ensure the security of physical location and life, and to conduct labor inspection in a way that will not result in the disturbance of the privacy of the person. Our Company acts in accordance with the PDPL in camera surveillance activities carried out for security purposes. Camera surveillance activities are declared by publishing this policy and by posting signs, signage, and fair processing notices regarding the surveillance in surveillance areas.

Surveillance areas, the number of cameras, and the time of surveillance are determined in a way that is convenient to ensure security. Necessary technical and administrative measures are taken to ensure the security of personal data obtained through video and audio recordings by camera. Camera recordings (video only) taken by our Company through camera surveillance activities are retained for 45 days, video and audio recordings are retained for 2 months, and camera recordings taken for work entry/exit detection are retained for 1 year.

Only a limited number of Company employees have access to the camera recordings, and these recordings are only shared with the SSI, law enforcement officers, and judicial authorities in the event of an incident or upon request.

CHAPTER V

TRANSFER OF PERSONAL DATA

Although the third parties, institutions, and organizations to which the personal data may be transferred may vary depending on the type and nature of the relationship between the data subject and Zahit Aluminium, these are generally as follows.

Your personal data shall be transferred to:
  • Revenue Administration, Social Security Institution, Chamber of Commerce, Chamber of Industry, and other authorized persons, institutions, and organizations for the fulfillment of obligations arising from the legislation;
  • Ministry of Labor and Social Security for the fulfillment of obligations in the processes of foreign employees;
  • Our financial consultant for the execution of official accounting transactions;
  • OSGB (Joint Health and Safety Unit) for the fulfillment of obligations regarding occupational health and safety;
  • Bank for the execution of payment, collection, collateral, and check clearing transactions;
  • General Directorate of Security for the execution of ID processes;
  • Our lawyer for the execution of legal affairs;
  • Enforcement Office and bank for the execution of enforcement procedures;
  • PPS company for the execution of private pension transactions;
  • Shuttle company for the execution of personnel transportation and shuttle services;
  • Sistem Global Danışmanlık A.Ş. for the purpose of benefitting from R&D incentives;
  • Mefa İş ve Sosyal Güvenlik Müşavirliği Limited Şirketi for the execution of SSI incentive and payroll transactions;
  • Mobiliz company for the purpose of using the vehicle tracking system and tracking the location;
  • Authorized certification body for the execution of vocational training procedures and certification;
  • Turkish Employment Agency (İŞKUR) for the fulfillment of obligations regarding on-the-job training program and disabled staff employment;
  • Security company for the purpose of creating and monitoring the visitor records at the entrances and exits of the building;
  • Ministry of Industry, Ministry of Commerce, Ministry of Transport, Chamber of Commerce, Trade Registry Office, Chamber of Industry, Exporters’ Association, SSI, Ministry of Finance, and Notary Public for the execution of management operations and business continuity;
  • Ministry of Finance, our lawyer, notary public, and CPA for the execution of leasing transactions;
  • Consulting company for the execution of declaration and inward processing regime procedures;
  • Independent audit company for the execution of reconciliation procedures;
  • Ministry of Industry and Technology for the execution of tax exemption procedures for the products purchased during the Investment Incentive Certificate processes;
  • Our customers for the execution of waybill procedures during the logistics phase;
  • Logistics companies for the execution of sales and delivery processes;
  • Law enforcement officers and judicial authorities for the execution of labor inspections in the event of incidents;
  • Persons and organizations that provide trainings for the execution of training activities, and occupational physicians who provide services;
  • Travel agency for the execution of accommodation, transfer, and travel procedures; and
  • Social media platform Instagram for the execution of advertising and promotion activities.
  • Within the scope of the operations of the R&D Center:
    • Survey institutions such as Turkish Statistical Institute (TÜİK), Turkish Standards Institute, Ministry of Industry and Technology, Mediterranean Exporters’ Association (AKİB), etc. for the survey responses sent by our employees in line with the requests of government agencies;
    • TPI and Tercih Patent A.Ş. (consulting company) for the execution of intellectual property rights procedures in line with the project deliverables;
    • Ministry of Industry and Technology for the execution of management processes and to report the activities, details, and camera recordings of the employees working in the headquarters within the scope of the fulfillment of obligations under Law No. 5746 and the applicable legislation;
    • Ministry of Industry and Technology, Ministry of Commerce, Ministry of Energy and Natural Resources, Scientific and Technological Research Council of Türkiye (TÜBİTAK), and customers for the execution of inspections and/or during inspections;
    • Scientific and Technological Research Council of Türkiye (TÜBİTAK), Ministry of Commerce, and Ministry of Energy and Natural Resources for the purpose of applying for projects and incentives/benefits;
    • 112 Yazılım and Söz Dijital for the purpose of keeping track of the entry and exit of the employees working in the headquarters;
    • National and international journals for the purpose of publishing the papers, articles, and bulletins written by the employees working in the headquarters;
    • Universities, public institutions, overseas and domestic companies, and individuals for the purpose of being a party to and signing the cooperation protocols;
    • Academics for the execution of university-industry collaboration works;
    • Governorship of Adana and Provincial Directorate of Science and Technology of Adana for the purpose of sharing information with the authorized institutions and organizations;
    • Overseas customers for the purpose of holding meetings and sharing the project lifecycles;
    • Our customers and potential customers for the designs, projects, and drawings prepared by the headquarters employees in line with the customer demands; and
    • TSE, BQS Certification, B&A Certification, DSR Certification, Aluminium Surface Treatment Association (AYİD), BSI Certification, National/International Organizations, Warringtonfire, military factories, and our customers for the data processed for the execution of Quality Assurance and Quality Control processes of our products and services and for the purpose of notifying the customers.

The foregoing data transfers shall be done in accordance with Article 8 of Law No. 6698.

Your personal data shall be transferred abroad in accordance with Article 9 of the Law due to the overseas origin of the electronic mail system (Office-365) used to execute the communication activities of the Company, due to the existence of foreign trade transactions of our Company, due to the execution of European Union projects within the Company, and due to the R&D center operations and inspection processes.

CHAPTER VI

CONSIDERATIONS FOR PROTECTION OF PERSONAL DATA

We take the necessary technical and administrative measures in order to maintain the appropriate level of security for the prevention of unlawful processing of and unlawful access to personal data and for ensuring the protection of such data, and conduct or have the necessary inspections conducted within this scope.

The actions and measures taken by our Company to ensure the “data security” in accordance with Article 12 of PDPL are stated below.

We take technical and administrative measures within technological possibilities and implementation costs to ensure that the personal data are processed in accordance with the law. Employees are informed and duly commit that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of PDPL, that they cannot use it for purposes other than processing of data, and that this obligation will continue even after they leave the job.

We provide our employees with the necessary trainings in order to raise awareness for the purpose of preventing the unlawful processing of and unlawful access to personal data, and ensuring the protection of such data.

We also take the necessary technical and administrative measures in order to retain the personal data in secure environments and to prevent the destruction, loss, or alteration of personal data for unlawful purposes.

CHAPTER VII

CONDITIONS OF DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Although they are processed in accordance with the provisions of the applicable legislation, as provided in Article 7 of PDPL, personal data are deleted, destroyed, or anonymized within 6 months at the latest if the reasons requiring their processing no longer exist. In the event that all the conditions for the processing of personal data no longer exist, our Company deletes, destroys, or anonymizes the personal data upon the request of the data subject. We finalize the request of the data subject within thirty days at the latest and inform the data subject.

In accordance with Article 28 of PDPL, the anonymized personal data may be processed for purposes such as research, planning, and statistics. Since such procedures are outside the scope of PDPL, the explicit consent of the personal data subject is not sought.

CHAPTER VIII

RIGHTS OF PERSONAL DATA SUBJECTS, AND METHOD FOR EXERCISE & EVALUATION OF THESE RIGHTS

We maintain the necessary channels, internal functioning, and administrative & technical arrangements in accordance with Article 13 of PDPL in order to evaluate the rights of personal data subjects and to provide them with the necessary information.

Personal data subjects have the following rights:
  • To learn whether their personal data are processed,
  • To request information if their personal data have been processed,
  • To learn the purpose of processing of personal data and whether they are used for their intended purpose,
  • To know the third parties to whom the personal data are transferred domestically or abroad,
  • To request correction of personal data in the event of their incomplete or incorrect processing, and to request notification of such process to third parties to whom the personal data are transferred,
  • To request the deletion or destruction of personal data if the reasons requiring their processing no longer exist, although they are processed in accordance with the provisions of PDPL and other applicable legislation, and to request notification of such process to third parties to whom the personal data are transferred.

Within this scope, the Data Subject is required to submit their applications to our Company, as the Data Controller, in writing or by other methods to be determined by the Personal Data Protection Board in order to exercise their rights in accordance with Article 13 of PDPL.

Applications to be made to our Company in writing shall be submitted to the following address by using the “Data Subject Application Form” to be obtained from our Company:

Adana Hacı Sabancı Organize Sanayi Bölgesi Oğuz Kağan Köksal Cd. No:5 Sarıçam / Adana, in person, by registered letter with return receipt, or through a notary public, as an original signed document.

Or via email to zahit@zahit.com.tr.

Our Company shall finalize the requests regarding the exercise of the rights under Article 13 of the Law as soon as possible, according to the nature of the request, and free of charge, within thirty days at the latest from the date of receipt of the request by our Company. However, if the process requires an additional cost, our Company may request the fees in the tariff determined by the Board from the applicant data subject. If our Company accepts the request or rejects it by explaining the reason, the data subject shall be notified of this response in writing or electronically.

In the event that the information and documents submitted by the data subject to our Company are incomplete or unintelligible, our Company may request information/documents for the purpose of clarifying the application or determining whether the person is the real owner of the personal data in question or ensuring the security of the data, and may ask additional question(s) to the personal data subject regarding the application.

CHAPTER IX

MANAGEMENT STRUCTURE FOR PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

Our Company establishes the appropriate management structure for the fulfillment of the obligations under PDPL and for the execution of this Policy and for the fulfillment of the duties specified below.

  • To issue basic policies on the protection and processing of personal data, as well as amendments on these policies, and to submit them to the approval of the executive management,
  • To decide how the policies on the protection and processing of personal data will be implemented and how they will be supervised, and to submit this to the approval of the executive management by appointing the employees within this framework,
  • To identify the actions required to ensure compliance with the Personal Data Protection Law and the applicable legislation, to submit them to the approval of the executive management, to supervise their implementation, and to ensure coordination,
  • To raise awareness among the Company employees on the Protection and Processing of Personal Data,
  • To identify the risks that may arise in personal data processing operations, to ensure that necessary measures are taken, and to submit the improvement proposals to the approval of the executive management,
  • To design and provide trainings on the protection of personal data and the implementation of policies,
  • To respond to the applications of personal data subjects in due time,
  • To manage the relations with the Personal Data Protection Board.

In addition to the above-mentioned duties, the responsible person(s) to be appointed in this regard may be assigned other duties and responsibilities in line with the needs of the Company and the nature of the operations conducted.

CHAPTER X

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR SECURITY OF PERSONAL DATA

Our Company takes the necessary administrative and technical measures to ensure that personal data are retained lawfully and securely. For this purpose:

  • There are disciplinary regulations for employees that include data security provisions.
  • Training and awareness raising activities on data security are carried out for employees at regular intervals.
  • Corporate policies on the processing, use, retention, and destruction of personal data have been prepared and are implemented.
  • Confidentiality commitments are issued.
  • Employees who are reassigned or leave their jobs are deauthorized in this regard.
  • Signed contracts contain data security provisions.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding the entry and exit to the physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • Environments containing personal data are secured.
  • Personal data are minimized as much as possible.
  • Data processing service providers’ awareness on data security is raised.
  • Network security and application security are ensured.
  • A closed system network is used for personal data transfers through the network.
  • Key management is conducted.
  • Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.
  • Personal data stored in the cloud are secured.
  • An authorization matrix has been built for employees.
  • Access logs are kept regularly.
  • Data masking measures are taken when necessary.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Personal data are backed up and the backed up personal data are also secured.
  • A user account management and authorization control system is implemented and monitored.
  • Log records are kept in a way that prevents user intervention.
  • Immediate risks and threats have been identified.
  • If sensitive personal data are to be sent via electronic mail, they are always sent encrypted and by using a REM address or a corporate email account.
  • Intrusion detection and prevention systems are used.
  • Cyber security measures have been taken and their implementation is constantly monitored.
  • Encryption is applied.
  • Sensitive personal data transferred on memory sticks, CDs, and DVDs are encrypted.