PERSONAL DATA SECURITY POLICY

EFELER POLYMER INDUSTRY AND TRADE LIMITED COMPANY

1. PURPOSE

As Efeler Polimer Industry and Trade Limited Company (“Our Company” or “Efeler Polimer”), Personal Data Protection Law No. 6698 (“KVKK” ) and we process and ensure the security of sensitive personal data in accordance with the relevant legislation. This Personal Data Security Policy (“Policy”) defines the basic principles and procedures that must be followed in order to ensure the legality of personal data processed by Efeler Polimer, prevent unlawful access to personal data and ensure the preservation of personal data, and the necessary It was prepared to determine technical and administrative measures. With this Policy, Efeler Polimer Policy on Processing and Security of Special Personal Data ( “SPD Policy”) are complementary to each other, and the SPD Policy should be reviewed for matters not mentioned in this Policy.

2. SCOPE

This Policy covers our activities to ensure the appropriate level of security for the personal data we obtain from the following persons:

  • Our company’s employees, employee candidates, former employees and family relatives of these people,
  • Company representative or proxies,
  • Employee, representative and attorney of our business partners,
  • Employees, officers and representatives of our suppliers,
  • Our customers, customer company employees and officials,
  • Our potential customers,
  • Legally authorized persons,
  • Our visitors,
  • Other third parties.

In this context, all parties who have access to Efeler Polimer information systems and personal data are subject to this Policy.

3. DEFINITIONS AND ABBREVIATIONS

Personal Data Any information regarding an identified or identifiable natural person.
Special Personal Data Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Contact Person The real person whose personal data is processed.
Processing of Personal Data Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system or any action performed on the data, such as preventing its use.
Explicit Consent Consent regarding a specific issue, based on informed consent and expressed with free will.
KVKK Personal Data Protection Law No. 6698, dated 24 March 2016, published in the Official Gazette No. 29677, dated 7 April 2016.
Board Personal Data Protection Board.
Institution Personal Data Protection Authority.
Policy Personal Data Security Policy.
Processing and Security Policy of Special Personal Data This is the Efeler Polimer policy prepared based on the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 regarding “Adequate Precautions to be Taken by Data Controllers in the Processing of Special Personal Data”.
Data Controller The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept.
Data Processor A natural or legal person who processes personal data on behalf of the data controller based on the authority given by him/her.
Personal Data Processing Inventory The personal data processing activities carried out by data controllers depending on their business processes; The inventory they create and detail by associating the purposes of processing personal data with the data category, the transferred recipient group and the data subject group of persons.
Regulation on Destruction of Personal Data Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette No. 30224 dated 28 October 2017.
Electronic Media Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media All written, printed, visual, etc. except electronic media. other media.

4. PERSONAL DATA SECURITY POLICY

Efeler Polimer considers the corporate and personal data belonging to itself or its stakeholders, which it processes through information systems or physically, as a highly valuable asset. It effectively and continuously protects information systems and physical business areas containing corporate and personal information from threats and takes all technical and administrative measures specified in Chapter 6 regarding these. It is the common responsibility of all our employees to ensure that any information, including personal data processed by Efeler Polimer or its suppliers, is used only by authorized persons for its intended purpose, is stored completely and accurately, is ready for use when necessary, and is destroyed at the right time and in the right way. By ensuring personal data and information security, it is aimed to protect Efeler Polimer from material and moral damages and possible legal penalties arising from systemic security weaknesses and to reduce their possible effects. Regardless of their authority and responsibilities, all Efeler Polimer employees and all business partners working with Efeler Polimer are bound by Efeler Polimer Personal Data Security Policy, Efeler Polimer Storage and Destruction Policy and all other corporate policies and procedures published by Efeler Polimer management. and must comply with the instructions. All business partners and personnel of these business partners who have access to Efeler Polimer’s information systems and processed personal data and corporate information are required to comply with the general principles and principles of personal data and information security defined by Efeler Polimer and adhere to their obligations. Efeler Polimer expects all its employees and stakeholders to pay attention to the following issues;

  • Ensuring that the unit for which each unit manager is responsible continues its activities in accordance with KVKK,
  • Keeping personal data processing inventories and VERBIS records up to date,
  • Acting in accordance with corporate security policies and procedures,
  • Processing personal data processed by Efeler Polimer only for the purposes prescribed by law or Efeler Polimer’s lawful processing purposes,
  • Continuing risk assessment studies for the Protection of Personal Data,
  • Reporting personal and corporate data breaches to the Efeler Polimer administrative unit without delay.

At Efeler Polimer, the business unit responsible for information technologies is the functional owner of the policies and procedures that define the security of information systems and is responsible for their correct implementation within the company. All company employees undertake to work in parallel with these instructions. Unit managers are primarily responsible for taking the necessary precautions and monitoring the activities in their units to ensure compliance with personal data and information security policies and procedures. Efeler Polimer corporately undertakes to meet and continuously improve applicable conditions regarding information security and confidentiality. Ensuring that Efeler Polimer’s personal data processing purposes and methods comply with KVKK will support the protection of our reputation and the continuity of the success of our business.

5. PRECAUTIONS REGARDING THE SECURITY OF PERSONAL DATA

In accordance with Article 12 of the KVKK, Efeler Polimer takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to carry out the necessary inspections within this scope. and is obliged to have it done. The administrative and technical measures taken by Efeler Polimer within the framework of this obligation are listed below:

5.1. Administrative Measures

  • Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
  • Necessary training and awareness activities are carried out for employees to ensure the security of personal data and not to disclose or share it unlawfully.
  • Training and awareness activities are carried out for employees on data security at regular intervals.
  • Confidentiality commitment is taken from employees regarding the activities carried out by Efeler Polimer and confidentiality agreements are signed regarding specific activities. The signed contracts contain data security and disciplinary provisions.
  • Contracts signed with third parties contain data security provisions.
  • A disciplinary procedure is applied against employees who do not comply with internal procedures, policies and instructions regarding personal data security.
  • Before starting to process personal data, Efeler Polimer fulfills its obligation to inform the relevant persons.
  • Personal dataA processing inventory is prepared and changes in data processing processes are updated.
  • Personal data security policies and procedures are determined. Compliance with personal data security policies and procedures is monitored.
  • Periodic and random audits are carried out within the institution.
  • Technical measures taken are reported periodically in accordance with the internal audit mechanism.
  • The use of personal data is reduced as much as possible for business purposes.
  • Contracts regarding the processing, protection and security of personal data are signed with the persons with whom personal data is shared, or provisions regarding this are added to the existing contract.
  • Data processing service providers are made aware of data security and protective provisions are included in the contracts signed in this context.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The risks that Efeler Polimer may face and the existing risks have been identified and precautions have been taken.
  • Personal data processing activities carried out within Efeler Polimer are analyzed specifically for business units, ensuring that business units process personal data only for the purpose of carrying out their activities.
  • A separate policy has been determined for the security of sensitive personal data.
  • Employees involved in the processing of special personal data have been provided with training on special personal data security, confidentiality agreements have been made, and the powers of users who have access to data have been defined.

5.2. Technical Measures

  • Special qualified personal data transferred on portable memory, CD, DVD media are stored encrypted and, if necessary, transferred encrypted.
  • Network security and application security are ensured, and a closed system network is used for personal data transfers via the network.
  • Security measures are taken within the scope of supply, development and maintenance of information technology systems.
  • The security of personal data stored in the cloud is ensured.
  • An authority matrix has been created for employees. The authorities of employees who change their duties or leave their jobs in this area are removed. User account management and authorization control system is implemented and these are also monitored.
  • Access logs are kept regularly.
  • Log records are kept without user intervention.
  • Up-to-date anti-virus systems are used.
  • Personal data security problems are reported quickly and solutions are taken immediately.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • If sensitive personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
  • Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
  • Penetration test is applied.
  • Intrusion detection and prevention systems are used.
  • Data loss prevention software is used and tests are performed.
  • Data processing service providers are audited at regular intervals regarding data security, and data processing service providers are made aware of data security.
  • Cyber security measures have been taken and their implementation is constantly monitored.
  • Personal data is backed up and the security of the backed up personal data is ensured.
  • Consultancy regarding technical security is received from expert external sources.

6. STORING PERSONAL DATA IN SECURE ENVIRONMENTS

6.1. Non-Electronic Media

Personal data can be stored in non-electronic media as paper, forms, documents, contracts or any printed entity. The environments in which printed assets are stored are stated below.

  • Locked cabinets in Efeler Polimer offices,
  • Boards in Efeler Polimer offices,
  • Archive room located in Efeler Polimer offices,
  • Drawers and folders in Efeler Polimer offices.

In this context, it is accepted that all personal data that we obtain electronically but then store by printing or writing on paper, form or document is also stored in physical environment.

6.2. Electronic Media

Personal data may be stored in the following electronic environment.

  • Desktop and laptop computers,
  • Mobile devices,
  • E-mail servers,
  • Cloud environment,
  • Software and the databases it is connected to
  • Portable media (USB Memory, CD and DVD etc.),
  • Disk drives used to store data on the network.

In this context, it is accepted that all personal data that we have obtained in physical form, verbally or on printed paper, form or document, but have recorded in a fully or partially automated system, is also stored electronically.

7. TECHNIQUES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

In accordance with Article 7 of the KVKK, Efeler Polimer is obliged to delete, destroy or anonymize personal data ex officio or upon the request of the relevant person, in case the reasons requiring the processing of personal data are eliminated. In this context, the Regulation on Deletion, Destruction or Anonymization of Personal Data was prepared by the Board and published in the Official Gazette No. 30224 dated 28 October 2017. Efeler Polimer will be obliged to delete, destroy or anonymize personal data in the following cases. Efeler Polimer will be able to carry out this destruction activity in the first periodic destruction process following the end of these periods.

  • Elimination of the personal data processing requirement (For example, withdrawal of explicit consent, termination of the contract, etc.),
  • Efeler Polimer does not have a legitimate purpose for processing personal data,
  • If the application regarding the deletion, destruction or anonymization of the personal data of the relevant person is accepted by Efeler Polimer or the request is approved by the complained Board.

In the above-mentioned cases, Efeler Polimer fulfills its obligation to delete, destroy or anonymise, by the methods explained below, as of the end of the retention periods stipulated by law and the periods specified in the Efeler Polimer Personal Data Storage and Destruction Policy.

8. REFERENCES AND BASIS

The guide named Personal Data Security Guide (Technical and Administrative Measures) published by KVKK and Personal Data Protection Authority