
PERSONAL DATA PROTECTION LAW

 

Başhan Tarımsal Ürünleri Pazarlama Sanayi ve Dış Ticaret Anonim Şirketi

Personal Data Protection and Processing Policy

Information Form

 

Document Name: Başhan Tarımsal Ürünleri Pazarlama Sanayi ve Dış Ticaret Anonim Şirketi

Personal Data Protection and Processing Policy

Target Audience: All real persons whose personal data are processed by Başhan Tarımsal Ürünleri Pazarlama Sanayi ve Dış Ticaret Anonim Şirketi

Prepared by: Başhan Tarımsal Ürünleri Pazarlama Sanayi ve Dış Ticaret Anonim Şirketi Personal Data Protection Committee

Approved by: Başhan Tarımsal Ürünleri Pazarlama Sanayi ve Dış Ticaret Anonim Şirketi Board of Directors.

Effective Date: 24.03.2022

This document may not be reproduced or distributed without the written permission of Başhan Tarımsal Ürünleri Pazarlama Sanayi ve Dış Ticaret Anonim Şirketi.

CONTENTS

CONCEPTS
 

SECTION I.

  • INTRODUCTION
  • OBJECTIVE
  • SCOPE
  • ENFORCEMENT OF THE POLICY
     

SECTION II.

 

  1. General Principles for the Processing of Personal Data
  2. Terms of Processing Personal Data
  3. Clarifying and Informing the Personal Data Owner
  4. Processing of Private Data
     

SECTION III.

  1. Personal Data Processed by Our Company
  2. Groups of Persons Whose Data Are Processed by Our Company
  3. Purposes of Processing Personal Data
  4. Retention Periods of Personal Data
     

SECTION IV.

Camera Monitoring Activity Carried Out at the Building, Facility Entrances and Interior of Başhan Tarımsal Ürünleri Pazarlama Sanayi ve Dış Ticaret Anonim Şirketi

SECTION V.

Transfer of Personal Data
 

SECTION VI.

Matters Regarding the Protection of Personal Data
 

SECTION VII.

Terms of Deletion, Destruction and Anonymization of Personal Data
 

SECTION VIII.

Rights of Personal Data Owners, Use and Evaluation Method of These Rights
 

SECTION IX.

Protection and Processing of Personal Data Policy Management Structure
 

SECTION X.

Technical and Administrative Measures Taken for the Security of Personal Data 

BAŞHAN TARIMSAL ÜRÜNLERİ PAZARLAMA SAN. VE DIŞ TİC. AŞ.

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

CONCEPTS

Processing of Personal Data

Any operation performed on data, such as blocking, obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data, completely or partially, by automatic means or by non-automatic means provided that it is part of a data recording system.

Relevant Person / Personal Data Owner

The real person whose personal data is processed.

Personal Data

Any information relating to an identified or identifiable real person.

Special Qualified Personal Data

Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Data Controller

The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).

Deletion

It is the process of making personal data inaccessible and unusable for the relevant users in any way.

Disposal

It is the process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.

Anonymization

It is the rendering of personal data incapable of being associated with an identified or identifiable real person under any circumstances, even if it is matched with other data. For personal data to count as anonymized, it must be impossible to link it to an identified or identifiable real person even when the recipient or groups of recipients use techniques appropriate to the recording medium and the relevant field of activity, such as reversing the process or matching the data with other data.

Data Processor

A real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Explicit Consent

Consent on a particular subject, based on information and expressed with free will.

 

SECTION I.

INTRODUCTION

The purpose of this regulation is to protect the personal data of employees, employee candidates, interns, customers, suppliers, shareholders and visitors and all other personal data within the scope of the Law on Protection of Personal Data No.6698.

This Policy sets forth the principles that our Company adopts and applies in the processing, protection, deletion, destruction and anonymization of personal data.

PURPOSE

The purpose of this Policy is to inform the real persons whose data are processed and to set out the approach our Company has adopted for carrying out personal data processing activities in accordance with the law and for protecting personal data.

SCOPE

This Policy relates to all personal data of real persons whose data are processed by our Company.
 

ENFORCEMENT OF THE POLICY

This policy, which has been issued and put into effect by us, is published on our Company's website and is made available to personal data owners in this way.

SECTION II.

1-GENERAL PRINCIPLES FOR PROCESSING PERSONAL DATA

Kıvam A.Ş pays attention to the following principles regarding the processing of personal data in accordance with Article 4 of the PDPL.

 

1.1-Performing Personal Data Processing Activities in Compliance with Law and Integrity

Başhan A.Ş acts in accordance with the principles introduced by laws and other legal regulations during the processing of personal data. In accordance with the principle of compliance with the rule of honesty, our Company considers the interests and reasonable expectations of the data subjects while trying to achieve its goals in data processing.

1.2-Ensuring Personal Data Are Accurate and Up-to-Date When Necessary

Başhan A.Ş takes the necessary measures to ensure that personal data is up-to-date and accurate, taking into account the fundamental rights of personal data owners and its own legitimate interests, and shows maximum care in this regard. 

1.3-Processing for Specific, Clear and Legitimate Purposes

Başhan A.Ş clearly and precisely determines the purpose of processing personal data. Our Company does not process data for purposes other than the purpose stated to the relevant person. The data processed by our Company relate to the work it does or the service it provides, and are limited to what is necessary for them.

 

1.4-Related to the Purpose for which they are Processed, Limited and Proportionate

Başhan A.Ş processes data to the extent sufficient for the purpose and does not process unnecessary data. It does not collect personal data for purposes that do not exist or that may arise in the future.

1.5-Preservation for as long as required by the relevant legislation or for the purpose for which they are processed.

Başhan A.Ş retains personal data only for the periods stipulated in the relevant legislation or for the purpose for which they are processed. In this context, if a period is determined for the storage of personal data in the relevant legislation, this period is complied with. If a period has not been determined, personal data are retained for the period necessary for the purpose for which they are processed. Personal data is deleted, destroyed or anonymized by Başhan A.Ş. Detailed information on this subject is given in section 7 of this policy.

2- TERMS OF PROCESSING PERSONAL DATA

Personal data may be processed in the presence of one of the following conditions:

 

2.1- Explicit Consent of the Personal Data Owner

One of the conditions for the processing of personal data is the explicit consent of the data owner. The explicit consent of the personal data owner should be based on information on a specific subject and should be disclosed voluntarily.

2.2- Explicitly Provided in Laws

The personal data of the data owner can be processed in accordance with the law, if it is expressly stipulated in the law.

 

2.3- Failure to Obtain the Explicit Consent of the Related Person Due to Actual Impossibility

The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility, or whose consent cannot be validated, in order to protect the life or physical integrity of himself or another person.

 

2.4- Directly Related to the Establishment or Performance of the Contract

Provided that it is directly related to the establishment or performance of a contract, personal data may be processed if it is necessary to process the personal data of the parties to the contract.

2.5- Fulfillment of Legal Obligation

Personal data of the data owner may be processed if data processing is necessary in order to fulfill legal obligations.

 

2.6- Making Personal Data of the Data Owner Public

If personal data has been made public by the data owner, it may be processed for a limited purpose.

 

2.7- Mandatory Data Processing for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

 

2.8- Obligatory Data Processing for the Legitimate Interest of the Data Controller

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.

3- DISCLOSURE AND INFORMATION OF THE PERSONAL DATA OWNER

Our Company informs the personal data owner of the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method of and legal reason for collecting personal data, and the rights of the personal data owner.

4- PROCESSING OF SPECIAL QUALITY PERSONAL DATA

Our company acts in accordance with the regulations stipulated in the PDPL in the processing of personal data determined as "special quality" by PDPL.

These data are data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Our Company processes special categories of personal data in the following cases, taking the necessary precautions:

• If the personal data owner has given explicit consent, or

• If the personal data owner has not given explicit consent, in the cases stipulated by the laws.

Health and sexual life data are only processed under the control of our workplace physician, otherwise the explicit consent of the data owner is obtained. 

SECTION III.

1. PERSONAL DATA PROCESSED BY OUR COMPANY

Personal data processed by our Company are listed below. However, which data will be processed for each personal data owner may vary depending on various factors such as the nature of the relationship between the personal data owner and our Company and the communication channels used.

PERSONAL DATA

 EXPLANATION

Identity

Name, surname, identity number, nationality, date/place of birth, father/mother name, gender, marital status and other information on the identity card, signature, identity information for foreign nationals

Contact

Address, phone number, email address, business address

Physical Space Security

Visit date, reason for visit, video recording

Finance

Bank account information, salary amount

Visual Recording

Photograph

Legal action

Personal data in enforcement files; name and surname, address, identity number, order of execution, file number, subject of lawsuit, creditor person/institution, enforcement deduction amount, court decisions regarding commercial cases

Transaction Security

Software and storage program used to perform business activities, data infrastructure, user name

Professional Knowledge

Schools graduated from, education/course certificates, diploma information, information on graduation certificate, profession/task/title information, work experience

Customer/Supplier Transaction Data

Brand of the product, company title, invoice information, bank information, check information, collection amount, signature circular, interview notes, photocopy of tax plate, tax number, bank where it works, payment amount, payment method, vehicle license plate

Personnel

Personal data received for the personnel transactions of real persons who are in a working relationship with our Company; employment date, registration number, personal data in the employment contract, profession/occupational code, disability status, work experience, educational evaluation result, sample information taken from the hand, military service status, personal data in the driver's license, resume information, wage information, date of/reason for dismissal, insurance status, insurance branch, reason for missing days, leave information, family and relatives information, personal data of the intern, embezzlement and assignment information, notice/severance pay information, body measurements, shoe size

Risk management

Identity information of the shareholders, residence addresses, signature circular, share ratios, board resolution book, general assembly book, share book, personal data in the trade registry newspaper

Location

Information received from the visitor whether they have been to the risky area/abroad in the last 6 months, the location information of the dealer from the satellite, the location information of the place where the employee will go as an officer.

Special Qualified Personal Data

Health Information: Personal data in the health report and incapacity report, laboratory findings, test/analysis/x-ray/examination results, heavy and dangerous work report, birth report, information about whether contact lenses or glasses are used, whether vomiting or diarrhea has occurred in the last seven days, whether there is nose, eye or ear discharge, whether there is any contagious skin disease on the hands, arms or neck, and information about typhoid, paratyphoid, salmonella, dysentery or staphylococcus in the last seven days

 

Criminal Conviction and Security Measures: Criminal record information

Other

Message content received via web page with HES code

 

2. GROUPS OF PERSONS WHOSE PERSONAL DATA ARE PROCESSED BY OUR COMPANY

The persons whose personal data are processed by our Company are employees, prospective employees, interns, subcontractors, customers (dealers), suppliers, shareholders and visitors.

 

3. PURPOSES OF PROCESSING PERSONAL DATA

Our Company processes your personal data for the following purposes:

• Getting to know the supplier and the customer, researching and carrying out the approval procedures,

• Carrying out studies related to quality management systems,

• Making audit applications and carrying out audit procedures,

• Fulfilling obligations regarding food and occupational health and safety,

• Carrying out educational activities,

• Creating the visitor record and executing the transactions according to the visit rules,

• Carrying out sales/logistics/shipment activities,

• Ensuring information security and access authorizations,

• Ensuring the safety of physical space and life and property,

• Execution of storage and archive activities,

• Fulfilling the obligations arising from the employment contract and legislation for the employees,

• Carrying out fringe benefits processes for employees,

• Carrying out the application processes of employee candidates,

• Execution of product/service purchasing and sales activities,

• Execution of financial accounting transactions,

• Sending e-bulletins,

• Execution of communication activities,

• Carrying out advertising and promotional activities,

• Meeting requests/complaints,

• Fulfilling the obligations arising from the legislation,

• Follow-up of legal affairs,

• Execution of proxy and assignment processes,

• Execution of tendered transactions,

• Execution of management activities, ensuring business continuity,

• Providing information to authorized persons, institutions and organizations,

• Carrying out SSI incentive transactions,

• Execution of human resources processes,

• Conducting vocational training processes for interns,

• Execution of travel, accommodation, visa procedures,

• Carrying out insurance transactions,

• Protection of public health, fulfillment of COVID-19 measures,

• Conducting social responsibility projects.

Our Company processes your personal data on the basis of the following legal grounds, or by obtaining the “Explicit Consent” of the data owner:

• Fulfilling our legal obligations,

• The necessity of processing the personal data of the parties based on the business relationship established by the contract,

• Data processing being mandatory for the establishment, exercise or protection of a right,

• Being prescribed in laws,

• Having been made public by the person concerned,

• The protection of our Company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

 

4. PERSONAL DATA STORAGE PERIOD

Our company keeps personal data for as long as required by the relevant legislation or for the purpose for which they are processed.

If the legislation does not regulate how long personal data should be kept, the data are processed by our Company for the period required by the Company's practices and commercial customs, depending on the activity carried out while processing that data.

If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation or our Company have also come to an end, personal data may be stored only to provide evidence in possible legal disputes, to assert a right related to the personal data or to establish a defense. In establishing the periods here, retention periods are determined on the basis of the statute of limitations for asserting the aforementioned right and of examples of requests previously submitted to our Company on the same issues despite the expiry of the statute of limitations. In this case, the stored personal data cannot be accessed for any other purpose, and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.

SECTION IV.

BAŞHAN A.Ş. BUILDING, BUILDING ENTRANCES AND INSIDE CAMERA MONITORING ACTIVITY:

Our Company monitors certain areas with cameras in order to ensure physical space security and life safety, in a way that does not interfere with personal privacy. Our Company acts in accordance with the PDPL in the camera surveillance activities carried out for security purposes. Information about the camera monitoring activity is provided by publishing this policy on the website and by posting signs and information notices in the monitored areas indicating that monitoring is carried out.

The areas monitored by the cameras, the number of cameras and the monitoring times are determined so as to ensure security. Necessary technical and administrative measures are taken to ensure the security of personal data obtained with the camera. Personal data obtained by our Company through camera monitoring is kept for 20 days.

Only a limited number of Company employees have access to the footage. The limited number of people who have access to the records undertake, through a confidentiality agreement, to protect the confidentiality of the data they access.

SECTION V.

TRANSFERRING PERSONAL DATA

Although the third parties, institutions and organizations to which personal data can be transferred may vary depending on the type and nature of the relationship between the data owner and Başhan AŞ, they are generally as shown below.

Your personal data may be transferred:

• To the Social Security Institution, the Revenue Administration, the Turkish Employment Agency and other authorized persons, institutions and organizations in order to fulfill the obligations arising from the legislation,

• To the authorized enforcement office due to enforcement proceedings,

• To the customs company in order to fulfill the obligations arising from the logistics activities and legislation,

• To the driver and logistics company in order to carry out logistics/transport/shipment transactions,

• To the courier company due to document approval and sending of documents,

• To the bank for payment and collection transactions,

• To the certified public accountant in order to control financial documents,

• To the software company and technical support company due to the program used for financial/accounting transactions and fulfillment of business processes,

• To the notary public, legal counsel and the institution or organization where the attorney will act, due to proxy transactions,

• To the inspection company for procedures such as taking samples from the product,

• To the hotel and travel agency for accommodation, transfer and travel transactions of the guests,

• To the OHS Specialist OSGB Company in order to fulfill the occupational health and safety obligations,

• To audit firms within the scope of brand and ethical audits,

• To the institution providing training for obtaining the vocational qualification certificate,

• To the Population Administration, the Consulate of the country to be entered or the Intermediary Institutions for visa and passport procedures,

• To our customers and suppliers in order to carry out purchasing and sales transactions,

• To Mersin Chamber of Commerce and Industry for the purpose of maintaining the business activities and performing the management activities of the Company,

• To the Police Department due to identity reporting,

• To the Incentive Firm in order to carry out SSI Incentive transactions,

• To the accredited external laboratory for swab analysis processes,

• To the training institution to which the intern is affiliated, in order to carry out vocational training activities for the interns,

• To institutions, organizations and foundations that purchase by tender, due to tendered sales transactions,

• To our lawyer and judicial authorities in case of disagreement.

In addition:

• Due to the use of "WhatsApp" during the execution of communication activities, your personal data will be transferred abroad in accordance with Article 9 of the Law.

SECTION VI.

ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

Our Company takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data within its organization, to prevent illegal access to this data and to ensure the preservation of the data, and in this context it carries out the necessary inspections or has them carried out.

The actions and measures taken by our company to ensure "data security" in accordance with Article 12 of the PDPL are listed below.

Our Company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law. Employees are informed that the personal data they have learned cannot be disclosed to others in violation of the provisions of the PDPL, cannot be used for purposes other than processing, and that this obligation will continue after they leave their job, and the necessary commitments are obtained from them accordingly.

Our company provides its employees with the necessary trainings to prevent the illegal processing of personal data, to prevent illegal access to data, and to increase awareness of data protection.

Our company takes the necessary technical and administrative measures in order to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes. 

SECTION VII.

TERMS OF DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA:

As regulated in Article 7 of the PDPL, personal data that have been processed in accordance with the provisions of the relevant law are deleted, destroyed or anonymized within 6 months at the latest if the reasons for processing cease to exist. In the event that the conditions for processing personal data cease to exist, our Company deletes, destroys or anonymizes the personal data subject to the request, upon the request of the person concerned. Our Company finalizes the request of the person concerned within thirty days at the latest and informs the person concerned.

In accordance with Article 28 of the PDPL, anonymized personal data may be processed for purposes such as research, planning and statistics. Since such transactions are outside the scope of PDPL, the explicit consent of the personal data owner is not sought.

SECTION VIII.

RIGHTS OF PERSONAL DATA OWNERS, THE METHOD OF USE AND ASSESSMENT OF THESE RIGHTS:

Our Company maintains the necessary channels, internal operations and administrative and technical arrangements in accordance with Article 13 of the PDPL in order to evaluate the rights of personal data owners and to provide necessary information to personal data owners.

Personal data owners have the right to:

• Learn whether personal data is processed or not,

• Request information about the processing if personal data has been processed,

• Learn the purpose of processing personal data and whether they are used in accordance with the purpose,

• Know the third parties to whom personal data is transferred in the country or abroad,

• Request correction of personal data in case of incomplete or incorrect processing and request that the third parties to whom the personal data has been transferred be notified of the transaction made within this scope,

• Request the deletion or destruction of personal data if the reasons requiring its processing cease to exist, even though it has been processed in accordance with the provisions of the PDPL and other relevant laws, and request that the third parties to whom the personal data has been transferred be notified of the transaction made within this scope.

In this context, the Data Subject is required to submit applications to our Company in writing or by other methods to be determined by the Personal Data Protection Board, in order to exercise his rights in accordance with Article 13 of the PDPL.

Applications to be made to our Company in writing, using the "Data Owner Application Form" available on the website of our Company at www.kivambakliyat.com.tr,

must be sent with a wet signature to Başhan Tarımsal Ürünleri Pazarlama Sanayi ve Dış Ticaret Anonim Şirketi, Sancaktepe, 957. Sokak No:1/A, 34200 Bağcılar/İstanbul, by hand, by registered letter with return receipt or via notary public,

or

after being signed with your secure electronic signature, should be sent to the e-mail address info@kivambakliyat.com or web@kivambakliyat.com.tr.

Our Company will conclude the requests regarding the exercise of the rights within the scope of Article 13 of the Law submitted to it as soon as possible according to their nature and at the latest within thirty days from the date of receipt of the request by our Company, free of charge. However, if the transaction requires a separate cost, our Company may request the fees in the tariff determined by the Board from the applicant data owner. Our Company will accept the request or reject it with an explanation of its reason, and will notify the relevant person of its response in writing or electronically.

If the information and documents submitted by the data owner to our Company are incomplete or incomprehensible, our Company may request information/documents in order to clarify the application, to determine whether the person is the real owner of the personal data subject to the application or to ensure the security of the data, and may ask the personal data owner additional questions regarding his/her application.

SECTION IX.

PERSONAL DATA PROTECTION AND PROCESSING POLICY MANAGEMENT STRUCTURE

 

Our company establishes the appropriate management structure in order to fulfill the obligations in the PDP Law and to fulfill the duties stated below for the implementation of this Policy.

 

• To prepare the basic policies regarding the protection and processing of personal data and the changes in these policies and submit them to the approval of the senior management,

• To decide how the policies regarding the protection and processing of personal data will be implemented and how the control will be carried out, and to present it to the approval of the senior management by assigning it among the employees within this framework,

• To determine the issues that need to be done in order to ensure compliance with the Law on the Protection of Personal Data and the relevant legislation and submit them to the approval of the senior management; to monitor and coordinate its implementation,

• To raise awareness among Company employees on the Protection and Processing of Personal Data,

• To identify the risks that may occur in personal data processing activities, to ensure that the necessary precautions are taken, and to submit improvement suggestions to the senior management for approval,

• To design and implement trainings on the protection of personal data and the implementation of policies,

• To respond to the applications of personal data owners in due time,

• To manage relations with the Personal Data Protection Authority.

In addition to the above-mentioned duties, the responsible person(s) to be appointed in this regard may be assigned other duties and responsibilities depending on the Company's needs and the nature of the activities it carries out. 

SECTION X.

TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE SECURITY OF PERSONAL DATA

 

Our Company takes the necessary administrative and technical measures to keep personal data legally and securely. To this end:

 

• Training and awareness activities are carried out periodically for employees on data security.

• Institutional policies on personal data processing, storage and destruction have been prepared and started to be implemented.

• Confidentiality commitments are made.

• Personal data security policies and procedures have been determined.

• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.

• The security of environments containing personal data is ensured.

• Personal data is reduced as much as possible.

• In-house periodic and/or random audits are conducted and commissioned.

• Network security and application security are provided.

• Closed system network is used for personal data transfers via network.

• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.

• The security of personal data stored in the cloud is ensured.

• An authorization matrix has been created for the employees.

• Access logs are kept regularly.

• Current anti-virus systems are used.

• Firewalls are used.

• Personal data is backed up and the security of the backed up personal data is also ensured.

• A user account management and authorization control system is implemented, and these are also monitored.

• Log records are kept without user intervention.

• Intrusion detection and prevention systems are used.

• Cyber security measures have been taken and their implementation is constantly monitored.

• Encryption is used.