PURPOSE
Within the scope of the Personal Data Protection Law No. 6698, the "Personal Data Management Policy" prepared by PSL Elektronik San. ve Tic A.Ş. aims to transparently describe the processes of collecting, processing, protecting, deleting, and destroying personal data in accordance with the law by our legal entity and its affiliated organizations and to inform individuals in communication with the company about our PDPL processes.
SCOPE
The personal data of candidates, our human resources, customers, or suppliers with whom we have communication in terms of employment opportunities or for the performance of contracts established with them, as well as the personal data of stakeholders whose information we record for the sake of our physical security during visits to our company, are managed within the scope of our policy.
DEFINITIONS
The terms/concepts in our Constitution, the Personal Data Protection Law, and our Policy text are explained under the heading "TERMS" within the scope of our disclosure obligation:
- Personal Data Protection Law: Law dated March 24, 2016, and numbered 6698, published in the Official Gazette dated April 7, 2016, and numbered 29677. The Personal Data Protection Authority is the authorized public institution for the implementation and supervision of the Law.
- PSL: Represents PSL Elektronik San. ve Tic. A.Ş. and other companies affiliated with our legal entity.
- Personal Data: Any information relating to an identified or identifiable natural person. It is a type of data that allows the identification of a person by associating it with any record. It is defined in the Policy text with the abbreviation "PD".
- Special Categories of Personal Data: Data related to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, membership of associations, foundations or trade-unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. It is limited by law and it is not possible to expand the special category PDs by analogy.
- Processing of Personal Data: It is any operation performed on the data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making it available, limiting, or preventing its use provided that the PD is fully or partially automated or part of any data recording system.
- Data Controller: The natural or legal person who determines the purposes and means of processing PDs and establishes and manages the data recording system. Legal entities are inherently "Data Controllers" and legal responsibility belongs to the legal entity.
- Data Processor: Those who process PDs on behalf of the Data Controller based on the authority given by them. The data processor is obliged to perform the data processing responsibility in accordance with the instructions given to it. The Data Controller may appoint a separate natural or legal person from PSL for the data processing process through a contract.
- Data Recording System: It is the recording system where PD is structured and processed according to certain criteria. The system may be electronic or physical.
- Automatic Data Processing: These are the operations performed by devices that process data automatically without human intervention within the scope of algorithms prepared in advance through software and hardware features such as computers, devices with processors such as computers, phones, and security camera systems.
- Anonymization: It is the process of making the PD in no way associated with an identified or identifiable natural person even if it is matched with other data.
- Anonymous Data: A type of data obtained without being associated with a specific individual and cannot be subsequently associated with a specific individual.
- Publicization: It means “making it known to everyone”. In publicized data, data can be processed without seeking explicit consent. Because this type of data is data that has been disclosed to the public in any way by the person with the will to make it public. Publicized data can be processed within the scope of the general principles regulated in Article 4 of the Law.
- Explicit Consent: Consent on a specific subject based on information expressed with free will.
- Disclosure Obligation: The process of informing the data subject about the management of PDs by the Data Controller. It is the obligation to inform individuals about who can process the data, for what purpose, and based on what legal grounds; who the data can be transferred to and for what purpose.
- Data Subject: The natural person whose PD is processed.
- Data Controllers Registry: It is the record system envisaged to be kept publicly by the Presidency of the Personal Data Protection Authority. Data Controllers are obliged to register in this system.
- Data Security: Technical and administrative measures taken for the management of the data subject to the data processing process in accordance with the data policy of the enterprise.
- Transfer of Personal Data: The process of transferring PDs under the responsibility of Data Controllers.
- Deletion/Destruction: The process of making the PD inaccessible and unusable in any way in the possession of the data controller.
Management of Personal Data
Within the scope of the Personal Data Protection Law No. 6698, published in the official gazette on 07.04.2016, as of the date of publication, the PDs processed by PSL are managed as described below:
Our principles in the process of processing data:
- In accordance with the law and good faith
- By ensuring that data is accurate and can be updated when necessary
- For specific, explicit, and legitimate purposes
- Provided that it is connected, limited, and proportionate to the purpose of processing
- By keeping the data for a limited period of time as stipulated in the relevant legislation or in accordance with the purpose for which they are processed
We manage our processes in accordance with our principles, taking into account that the cost and effort spent for preservation in data processing processes is proportionate to the purpose of data protection.
In the process of processing PDs explicit consent is sought first. Data that are not based on explicit consent are not processed in our data inventory except for the cases listed in the law. Explicit consent must have the following qualifications:
- In the explicit consent declaration, the purpose for which the data will be used is described in the clarification text.
- Explicit consent is required before data processing.
- It is related to a specific subject and limited to the subject content.
- It is a declaration of will and is disclosed with the free will of the person.
In cases specified in Article 5 of the Law, data processing can be performed without explicit consent. The limited number of conditions listed in the law are as follows and cannot be expanded except by law:
- If explicitly stipulated by law
- Data processing is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, himself/herself, or someone else
- It is directly related to the establishment or performance of a contract and it is necessary to process personal data of the contracting parties
- A state of necessity for the establishment, exercise, or protection of a right
- It is mandatory for the data controller to fulfill its legal obligation
- Explicit consent is not required in cases where data processing is mandatory for the legitimate interests of the data controller provided that it does not harm the fundamental rights and freedoms of the data subject.
- It is limited to being made public by the data subject himself/herself.
PDs are kept within the scope of PSL's policies within the specified periods not contrary to the periods determined by law. It is deleted when the specified period expires and the need for the data ends.
In our business, data that if learned may cause discrimination or victimization of the person is not processed without explicit consent.
Collection and Processing of Personal Data
The PDs processed by our business are managed within the scope of our policy in accordance with the inventory specified in Table 1:
| Data Category | Processing Purpose | Content |
|---|---|---|
| Contact | It is the type of data processed in order to ensure uninterrupted communication as required by our business. | Data such as phone number, fax number, contact address, e-mail address, IP address. |
| Identity | Data processed for the purpose of establishing contracts, organizing the customer/employee - PSL relationship, or establishing security in the workplace within the scope of the laws. | Data contained in documents such as identity card, civil registration sample, marriage certificate, driver's license, passport, SSI documents. |
| Health | It is the type of data that is required within the scope of our business processes and processed within the scope of legal regulations in accordance with the legal obligations of the customers served. | Blood type, medical history, periodic examination results are the data processed during Organized Industrial Zone services. |
| Vehicle | Data on vehicles entering and exiting the areas owned by our customers, suppliers, or legal entities according to our business processes. | License plate number, license information. |
| Location | Data processed through technological intermediaries both for the follow-up of the work and for the security of the employee or employer. | GPS location data. |
| Audio/Visual | Data that is necessary for the performance or follow-up of work or for security purposes. | Audio and visual data such as audio and video recordings or photographs. |
| Biometric / Genetic | It is the type of data processed for the management of the employee-employer relationship in accordance with the law and for the realization of the relevant legal transactions. | Fingerprint. |
| Digital Trace | Data processed for business processes that develop between the employee, employer, customer, supplier, and public authority. | LOG data records containing digital traces. |
| Financial/Property | It is the type of data processed regarding the business processes that develop between the employee, employer, customer, supplier, and public authority. | Bank name, account no, IBAN no, card information, financial profile, mail order form, credit rating, credit card slips, check, promissory note, letter of guarantee, title deed, etc. |
| Legal Transaction | It is the type of data processed regarding the business processes that develop between the employee, employer, customer, supplier, and public authority. | Data specific to legal situations such as correspondence with judicial authorities and case files. |
| Education and Occupation | It is the type of data processed in terms of the requirements and development of business processes arising from the employee and employer relationship. In addition, the data of customers and suppliers in this category are also processed when necessary within the scope of the business relationship. | Employed institution, professional chamber registration, diploma information, transcript information, seminar/training records - evaluation results, Vocational Qualification Certificates, etc. |
| Signature | Data on signatures or initials on contracts and forms formed according to the type of business relationship. | Wet signature, e-signature, signature stamp, initials, etc. |
| Other | Data that may vary according to the type of work during the workflow and are needed for the correct management of the business relationship. | These are data used for dress code, association – membership information, race/religion information, company data, request/complaint data, or marketing activities. |
Data Transfer
PDs may be transferred to internal or external stakeholders as necessary in accordance with PSL's business and processes. Data transfers may be made to the stakeholders described in Table 2, provided that reasonable and appropriate precautions are taken:
| Stakeholders to whom Data may be Transferred | Definition of Stakeholders | Data Transfer Purpose |
|---|---|---|
| Business Partner | Natural/legal persons with whom we interact as part of our business and who have a legal contractual relationship with PSL. | The data required for the performance of the contract may be transferred as necessary, business-oriented. |
| Supplier | The natural/legal person who provides the required material or service. | In the process of supplying the material or receiving the service, reasonable transfer may be made if necessary to ensure business and transaction security and to finalize the processes smoothly. |
| Client | The natural/legal person who provides the required material or service. | In the process of supplying the material or receiving the service, reasonable transfer may be made if necessary to ensure business and transaction security and to finalize the processes smoothly. |
| Inside PSL | Personnel working at PSL and its Business Partners with SSI affiliation and the departments they are assigned to. | Limited transfers are made when necessary for the management of the works that PSL and its business partners are responsible for. |
| Public Institution or Legal Authorities | Authorized persons or institutions that have public authority or legally represent a real or legal person. | Transfers made due to legal obligations and in accordance with the law. |
In the process of transferring PDs abroad, the party to be transferred must be resident abroad or an intra-PSL transfer must be in question. Transfers are made to countries with the status of foreign countries with adequate protection which will be announced by the PDP Board in cases where the Data Controller in the country undertakes adequate protection in writing. Under the heading of foreign transfer, the CRM, e-mail server, backup companies, etc. software/programs used by PSL are also included in cases where the software/programs are abroad.
In the sharing of PDs to third parties, action is taken according to the type of data and in accordance with the law:
- Explicit consent of the data subject
- Transfer being expressly provided for in the laws
- Necessity of the transfer for the data controller to fulfill its legal obligation
- Public disclosure of the PD by the data subject
- Necessity of the transfer for the establishment, exercise, or protection of a right
- Necessity of the transfer for the legitimate interests of the data subject.
Data Retention Periods
Within the scope of the legislation that PSL is obliged to comply with regarding the business processes, PDs are managed in the enterprise in accordance with the specified periods. The processed data is managed by the data controller in accordance with the periods determined in accordance with the laws and is destroyed in the event that all data processing conditions are eliminated.
| Data Type | Data Retention Period |
|---|---|
| Identity, Contact, Personnel File, Legal Action, Professional Experience, Health Information, Criminal Conviction and security measures | 15 years |
| Customer Transaction, Risk Management, Finance | 10 years |
| Marketing | 5 years |
| Process Security | 3 years |
| Biometric Data, Disguise and Dress | 1 year |
| Location | 6 months |
| Audio-visual records, vehicle license information, travel accommodation information, physical space security | Generally stored for less than 6 months; 2-3 and 5 months depending on the type. |
Data whose retention period has expired or to be destroyed are checked and destroyed every 6 months.
Data Security Processes
In the processes of management and preservation of PDs, PSL manages the measures by creating the appropriate technical infrastructure at reasonable costs and conducting awareness studies on the importance of PD management within the enterprise.
It audits the management process indefinitely, identifies security gaps, and develops new measures to resolve the gaps. The operations we perform for our Data Management process:
- Prior to VERBIS registration, a data inventory was created and our data management policy was put into effect.
- A record was created in the Data Controller registry in the VERBIS system.
- Each new colleague joining our team receives information training on our PD processes during the orientation process.
- All employees working in the enterprise have a contract in which they undertake to act in a way that they are aware of their responsibilities regarding their PD obligations and the data they process during the period they work at PSL, being aware of these responsibilities and fulfilling the necessary.
- PSL periodically conducts studies to increase awareness of the PD process through update trainings organized for its personnel in contact with PD.
- The data types categorized in the PSL Data Inventory are managed in line with the requirements of our business processes and on a limited sharing basis. Our aim is to process the data to the extent that the work can be done and to undertake the security of the processed data to ensure that it can be transferred when necessary.
- In the event that data needs to be shared outside PSL in line with business requirements, the data security process is undertaken by raising awareness on the relevant party and sharing responsibilities with our contracts with the contact points to be shared in the content related to the PD process.
- In the process of processing and storing data, various security systems are implemented and the effectiveness of the systems are periodically audited by evaluating the suitability of the systems in accordance with technological developments to the PSL infrastructure.
- Audit procedures are carried out by internal audit mechanisms in 6-month periods and by receiving support from external sources in 24-month periods (such as Penetration Tests).
- Corrective and preventive measures are taken to eliminate risks within reasonable periods of time by evaluating the risk level according to the situations that pose a risk in audits.
- All our security processes are managed by developing the necessary infrastructure and workflows in accordance with the law.
Erasure, Destruction, or Anonymization of Data
The Regulation on Erasure, Destruction, or Anonymization of PDs was published in the Official Gazette dated October 28, 2017, and numbered 30224, and was made public.
Personal data shall be erased, destructed, or anonymized by the data controller ex officio or on the request of the data subject in the event that the reasons for the processing no longer exist. It is the duty of the Data Controller to take all necessary technical and administrative measures in the process of making personal data inaccessible and non-reusable in any way for the relevant users. Data Controller:
- Relevant users have been identified for each PD.
- Authorization and methods of the relevant users such as access, retrieval, and reuse have been determined.
- The data that will be subject to deletion is managed as a result of both the request of the personal data owner and the expiration of the storage purpose.
- The relevant data may be erased, destructed, or anonymized. In this case, interventions such as access, retrieval, and reuse of the relevant data are prevented.
Depending on the type of personal data and the method of processing or storage, erasure, destruction, and anonymization are applied in the following ways:
Erasure Process
It is the process of making the PD inaccessible and unusable for the relevant users in any way. Blackout is applied to the data in the physical environment. The process is applied by cutting the data when possible and in cases where it is not possible, by making it invisible to users by using fixed ink in a way that cannot be reversed and cannot be read with technological solutions. Data stored in technological devices and systems are processed with the delete command and the process is managed by removing access rights on the directory or cloud system where the relevant file or file is located. Data stored on portable devices are stored encrypted and deleted using appropriate software.
Destruction
It is the process of making PDs inaccessible, irretrievable, and non-reusable by anyone in any way. All copies of the data must be identified and destroyed one by one according to the type of systems in which the data is located. In this process, de-magnetization and physical destruction of the data are applied.
Anonymization
It is the process of making PDs impossible to associate with an identified or identifiable natural person under any circumstances even if they are matched with other data. The aim is to break the link between the data and the person with whom the data is identified. One or more of the variables are deleted from the data set, the relevant variable can be removed from the data set. Data records containing uniqueness in the dataset can be removed. The value that creates an exceptional situation in the dataset can be replaced with expressions or symbols such as “unknown, N/A -”. The process of generating a cumulative report by converting the relevant data from a specific value to a general value and executing operations on total figures can be applied. With the lower and upper bound coding method, a category can be defined for a certain variable and the values within the grouping can be combined over the categories. With the global coding method, a new definition can be made in which the relevant data is recorded by creating a common and new group in data sets that do not contain numeric values or cannot be sorted numerically, where lower and upper bound coding cannot be applied. All transactions related to the erasure, destruction, and anonymization of data shall be recorded, and such records except for other legal obligations shall be kept in accordance with the specified periods as of the calendar year following the year in which the data was processed.
Rights of the Data Subject and Application Method
The data subject has the following rights under the law and in line with PSL's “Personal Data Management Policy”. In order to exercise his/her rights, he/she must apply in accordance with the specified method:
- To learn whether the data is being processed
- Requesting information about the data process in case his/her personal data is processed
- To learn the purpose of data processing and whether the data is used in accordance with the purpose
- Obtaining information on whether the data is transferred to third parties both domestically and abroad
- To request correction of the transaction in case of incorrect or incomplete processing of the data
- Request erasure and destruction of the data
- Object to the occurrence of a result to the detriment of the data subject by analyzing the data through automated systems
- In case of damage arising from the data processing process, they have rights such as requesting compensation for the damage and the data owner will exercise these rights as follows;
The data subject may exercise these rights by filling out the “Personal Data General Application Form” on the PSL Elektronik website and submitting it to PSL. The data subject who sends the relevant form to PSL is required to include a note marked “CONTAINS PERSONAL DATA” in the envelope/subject of the shipment. Thus, the request will be transmitted to the relevant unit by ensuring data security. The request of the data subject shall be examined by the Data Controller and answered free of charge within 30 days at the latest. In the event that the response is not given within the specified period or the request is rejected or is not sufficient for the data subject's request, the data subject may exercise the right to apply to the Personal Data Protection institution. The data subject may apply to the board within 30 days from the date of the data controller's response. Since the Law provides for a gradual application procedure, the data subject must first submit all kinds of requests to the Data Controller. Notices and complaints must be submitted in accordance with the provisions specified in Article 6 of the Law No. 3701 on the use of the Right to Petition. It is envisaged that the Board will respond to the relevant person within sixty days. If no response is given within the specified day, the request will be deemed rejected.
PSL as the Data Controller receives requests for the personal data it processes in writing by the following methods and responds in writing. Requests may be submitted to the Data Controller by any of the following methods:
- It can be filled in handwritten and sent to Antalya Organize Sanayi Bölgesi 3. Kısım 25. Cad. No:30 Döşemealtı/ANTALYA
- You can come to the PSL address in person and fill in the PD information destruction notification form and submit it
- The form can be printed and filled out from the website and sent as an e-mail to [email protected]
- You can send a FAX to 0242 228 16 18
Obligations regarding the Protection of Personal Data are announced on the website www.kvkk.gov.tr. In addition, information can be obtained by calling the Information Hotline number 198 under the name ALO VERİ KORUMA.
Updating the Policy
PSL Elektronik San. ve Tic. A.Ş.'s “Personal Data Management Policy” may be amended as a result of the audits to be carried out annually in accordance with the redefined processes and with the approval of the Data Controller. The most up-to-date document of the Personal Data Management Policy is announced on www.fiberli.com for public information.
