PROCESSING AND SECURITY OF SPECIAL PERSONAL DATA POLICY
EFELER POLYMER INDUSTRY AND TRADE LIMITED COMPANY
1. PURPOSE
As Efeler Polimer Industry and Trade Limited Company (“Our Company” or “Efeler Polimer”), Personal Data Protection Law No. 6698 (“KVKK” ) and we process and ensure the security of sensitive personal data in accordance with the relevant legislation.
This Policy on Processing and Security of Special Personal Data (“Policy”), “Adequate Precautions to be Taken by Data Controllers in the Processing of Personal Data of a Special Nature” by the Personal Data Protection Board.It has been prepared in accordance with the decision dated 31/01/2018 and numbered 2018/10 (“Board Decision”) in order to determine the measures we have taken as the data controller for the processing of sensitive personal data.
This Policy and Efeler Polimer Personal Data Security Policy (“Security Policy”) are complementary to each other, and the Security Policy should be reviewed for matters not mentioned in this Policy.
Efeler Polimer, as the data controller, will act in accordance with this Policy when processing sensitive personal data, sharing it with third parties and storing it in data recording environments.
2. SCOPE
This Policy covers our activities to ensure the appropriate level of security for the sensitive personal data we have obtained and may acquire belonging to the following persons:
- Our company’s employees, employee candidates, former employees,
- Our customers, customer company employees and officials,
- Our business partners,
- Supplier employees and supplier officials,
- Other third parties.
3. AUTHORITIES AND RESPONSIBILITIES
Efeler Polimer Employees: Efeler Polimer is obliged to collect, process and securely store the personal data of its employees in accordance with KVKK and relevant legislation.
4. DEFINITIONS AND ABBREVIATIONS
Personal Data | Any information regarding an identified or identifiable natural person. |
Special Personal Data | Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. |
Contact Person | The real person whose personal data is processed. |
Processing of Personal Data | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system or any action performed on the data, such as preventing its use. |
Explicit Consent | Consent regarding a specific issue, based on informed consent and expressed with free will. |
KVKK | Personal Data Protection Law No. 6698, dated 24 March 2016, published in the Official Gazette No. 29677, dated 7 April 2016. |
Board | Personal Data Protection Board. |
Institution | Personal Data Protection Authority. |
Board Decision | Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 regarding “Adequate Precautions to be Taken by Data Controllers in the Processing of Personal Data of a Special Category”. |
Policy | Processing and Security Policy of Special Personal Data. |
Security Policies | Personal Data Security Policies and Procedures |
Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by him/her. |
Personal Data Processing Inventory | The personal data processing activities carried out by data controllers depending on their business processes; The inventory they create and detail by associating the purposes of processing personal data with the data category, the transferred recipient group and the data subject group of persons. |
5. PROCESSING OF SPECIAL PERSONAL DATA
5.1 General Principles Concerning the Processing of Special Personal Data
Efeler Polimer is obliged to comply with the general principles specified in the KVKK regarding the processing of personal data. In this context, Efeler Polimer will act in accordance with the following principles when processing sensitive personal data:
- It complies with the law and the rules of processing personal data,
- Ensuring that personal data is accurate and up-to-date when necessary,
- Processing personal data for specific, clear and legitimate purposes,
- Processing personal data in a limited and measured manner in connection with the purpose for which they are processed,
- Storage for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
5.2 Conditions for Processing Special Personal Data
Efeler Polimer is obliged to process special personal data in accordance with the general principles mentioned above and the conditions specified in Article 6 of the KVKK. In this context, Efeler Polimer will be able to process special personal data based on one of the following conditions:
- Obtaining the explicit consent of the relevant person for the processing of special personal data.
- The processing of special categories of personal data is foreseen by law, except for personal data regarding health and sexual life.
- Personal data regarding health and sexual life can be collected without explicit consent, but only for the purposes of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing, by persons or authorized persons under the obligation of confidentiality. It can be processed by institutions and organizations.
5.3 Transfer of Special Personal Data
Efeler Polimer may share special personal data with third parties in accordance with the data processing conditions specified in Articles 8 and 9 of the KVKK. While transferring sensitive personal data to third parties,Efeler Polimer will take the security measures specified in the Board Decision. In this context, Efeler Polimer takes the following precautions;
- If sensitive personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
- A closed network system is used when sensitive personal data is transferred between servers in different physical environments.
- Special qualified persons’ data transferred on portable memory, CD, DVD media are encrypted.
- In cases where sensitive personal data is transferred on paper, it takes the necessary precautions against risks such as theft, loss or access of the document by an authorized person and sends the document in the format of “confidential documents”.
5.4 Preservation of Special Personal Data
Efeler Polimer maintains special personal data in accordance with the general principles and processing conditions detailed above. Efeler Polimer will take the security measures specified in the Board Decision regarding the environments where sensitive personal data are stored and/or accessed. In this context, Efeler Polimer takes the following precautions;
- It preserves sensitive personal data using cryptographic methods and keeps cryptographic keys in secure and different environments.
- Transaction records of all transactions carried out on sensitive personal data are logged securely.
- It constantly monitors the security updates of the environments where sensitive personal data is stored, carries out the necessary security tests regularly and records the test results.
- Necessary security measures are taken regarding entry and exit to physical environments.
- Software to prevent the loss of sensitive personal data is used.
- In cases where sensitive personal data is accessed through a software, user authorizations for this software are made.
- Environments where sensitive personal data are processed, stored and/or accessed are physical environments, such as electricity leakage, fire, flood, theft, etc. takes precautions against such situations. Physical security of these environments is ensured, preventing unauthorized entry and exit.
- Special personal data is backed up and the security of the backed up personal data is ensured.
- Secure encryption and cryptographic keys are used for sensitive personal data and are managed by different units.
- Protocols and procedures for the security of special personal data have been determined and implemented.
- Secure encryption and cryptographic keys are used for sensitive personal data and are managed by different units. What is meant by the secure encryption method used is that the data is encrypted using cryptographic methods and prevented from being accessed by people who do not have a key. The data must be securely encrypted and the cryptographic key required to access this data must be evaluated in the same context.
6. PROCESSING OF SPECIAL PERSONAL DATA OF EMPLOYEES
Efeler Polimer takes the following measures specified in the Board Decision for its employees who process sensitive personal data:
- Necessary training and awareness activities are carried out for personnel to ensure the security of personal data and not to disclose or share it unlawfully.
- A confidentiality agreement is signed with the employees.
- Personnel are authorized to access servers containing personal data depending on the department they work in and their job role. The scope and duration of these powers are clearly is determined.
- Authority checks are carried out periodically.
- If employees change their duties or leave their jobs, their access to data is removed and the inventory given to them is taken back.
7. SECURITY POLICY
In order to ensure the security of all personal data it processes, including sensitive personal data, Efeler Polimer has established personal data security policies and procedures in accordance with the KVKK and the technical and administrative measures specified in the Personal Data Security Guide published on the Institution’s website. The Security Policy includes the technical and administrative measures taken by Efeler Polimer to ensure the appropriate level of security in order to ensure the legality of the processed personal data, to prevent unlawful access and to ensure their preservation. In this context, all technical and administrative measures included in the Security Policy are applied in the processing activities of special personal data, in addition to the measures specified in this Policy.