LAW ON PROTECTION AND PROCESSING PERSONAL DATA

LAW ON PROTECTION AND PROCESSING PERSONAL DATA

• INTRODUCTION

Çiftay İnş. Taah. ve Tic. A.Ş – Central Registration System no: 0-2540-0093-0200016 (“ÇİFTAY A.Ş) in accordance with Law No. 6698 on Protection of Personal Data (“Law No. 6698”), can process the personal data of its employees, job candidates prospective customers, its visitors, third parties and other real persons with whom it has business relations within the scope of the below-mentioned fundamental principles as the data controller

With this Policy we are aiming to process and protect our customers, prospective customers, employees, job candidates, visitors and third parties concerned in full compliance with the legislation as required by law and and preseving its earliest form in which it was submitted to us.

DEFINITIONS

Explicit consent: Defines freely given, specific and informed consent.

Anonymizing: Defines rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

Application Form: Defines the application form which will allow personal data owner to exercise his rights pursuant to Turkish Law No 6698 on the Protection of Personal Data. This application form is submitted to data controller.

Job Candidate: Defines real persons who have applied for a job in any possible way or who have submitted their CV and related information to ÇİFTAY A.Ş.

Employees, Shareholders and Authorities of Cooperated Institutions: Defines real persons, including the shareholders and officials of institutions with which ÇİFTAY A.Ş. has business relations.

Business Associate: Defines the parties that ÇİFTAY A.Ş. has established a business partnership with to conduct various projects and getting services from other parties to carry out its commercial activities.

Law: Turkish Law No. 6698 on the Protection of Personal Data (“KVKK”).

Processing of Personal Data: Defines any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means,.

Personal Data Owner: Defines the real person whose data is being processed.

Personal Data: Defines all the information relating to an identified or identifiable natural person

Board: Defines the Personal Data Protection Board

Customer: Defines real people who benefit from the mining, energy, construction, tourism and oil activities of the company.

Personal Data of Special Nature: Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature.

Policy: Defines the rules for the processing of personal data, as defined by the Policy on Processing and Protection of Personal Data of ÇİFTAY A.Ş.

Prospective Customer: Defines real people who have the potential to become customers within the scope of the Company’s fields of activity.

Vendor: Defines the parties that provide services to ÇİFTAY A.Ş., according to the contract, while conducting the commercial activities of ÇİFTAY A.Ş.

Third Party: Defines the real persons whose personal data are processed under the policy but who are not defined differently under the policy.

Processor: Defines the real or legal person who processes personal data on behalf of the controller upon his authorization.

Controller: Defines the real or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system. Çiftay A.Ş. is the data controller within the scope of this policy.

Erasing Data: Process of making personal data inaccessible and unusable for the users concerned.

Data Destruction: The process of making personal data inaccessible, irreversible and reusable by anyone.

Visitor: Defines the real persons who have visited the office, construction site, workshop, gas station and website of ÇİFTAY A.Ş. for various purposes.

OBJECTIVE OF POLICY

Main objectives of this policy are:

The aim of this policy is to make statements about the personal data processing activity carried out by Çiftay A.Ş.in accordance with the law and the principles adopted for the protection of personal data.
After obtaining personal data by aforementioned environments, to Inform our employees, job candidates prospective customers, our visitors, third parties and other real persons with whom we have business relations and their shareholders on their rights and how they can make use of their rights

SCOPE OF POLICY

The scope of this policy pertains to processed personal data of our employees, job candidates prospective customers, our visitors, third parties and other real persons with whom we have business relations and their shareholders by means of recording systems, your sharings via e-mail correspondences, training attendance sheets, eyewitnesses information, petition, on-site data in forms of automatic or manual recordings, digital format, in oral, written or electronic form. This Policy is published on our website (www.ciftay.com.tr) and made available to the relevant persons upon the request of personal data owners. If there are any differences between the current legislation and the Policy, provisions of legislation will prevail.

GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING

ÇİFTAY A.Ş. informs the data owners in accordance with the 10th article of the LAW ON THE PROTECTION OF PERSONAL DATA and requests their consent in cases where consent of data owner is required. These data are processed in accordance with legal and good faith, Keeping Personal Data Up-to-date when necessary, Justifiable Reasons principles and following criteria and pursuant to related Legislations. Personal data is being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.

RULES ON PERSONAL DATA PROTECTION

In accordance with the 10th Article of Constitution and the 4th Article of the LAW ON THE PROTECTION OF PERSONAL DATA, Çiftay A.Ş. processes the personal data for specific, explicit and legitimate purposes in compliance with legal, good faith and justifiable reasons.

ÇİFTAY A.Ş. retains personal data in compliance with the procedures and principles set forth in Laws for the period of time stipulated by relevant legislation or the purpose for which they are processed.

ÇİFTAY A.Ş. processes personal data such as credentials (name, surname, TR identity number, gender, age, date of birth), contact information (e-mail address, phone number, address information)location, occupational information, visual and audio data, educational background, information about family members, health data of its employees, job candidates, visitors, suppliers and third parties.

In addition to following procedures and obligations that are followed while processing data, the personal data processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698 and the Identity Reporting Law No. 1774, Insurance Law No. 5684 and the obligations arising from Tax legislation, regulations of supervisory and regulatory institutions and organizations and other obligations of public authorities are satisfied. In addition to our obligations mentioned above and in order to fulfill the requirements of the contracts that we are a party to and to carry out the works and operations related to mining, energy, construction, tourism, and oil activities, your personal data is retained and processed for following purposes:

Ensuring the contact with potential customers before starting our mining, energy, construction, tourism and petroleum activities, conducting the process of proposal preparation, sharing the contract details with you in order to draw up the contract.
For the creation of records of business and transactions related to our fields of activity in the system and for the completion of contract processes.
In order to conduct financial affairs and transactions, risk management and operations that are related to your safety and emergencies, your personal data and other data such as after-sale communication to evaluate customer satisfaction, information about products and services offered by our company and updating this information, bills related to services and products, etc. are retained in the physical or electronic environment. .

PROTECTION OF PERSONAL DATA

ÇİFTAY A.Ş., takes the necessary technical and administrative steps to prevent the illegal processing of personal data that it processes in accordance with article 12 of the Personal Data Protection Law and takes the necessary measures to prevent illegal access to the data, ensures the appropriate level of protection in order to retain the data.

7.1. These measures, including but not limited to, are as follows:

Personal data processing activities, which are conducted within the Çiftay A.Ş., are audited by the established technical systems.
Technical departments have been established for related technical matters and experts are employed in this field.
New technological developments are followed and technical precautions, especially in the field of cybersecurity, are taken. All necessary measures which are taken measures to provide protection are updated and renewed periodically.
Technical solutions such as access and authorization permits are executed within the framework of legal compliance requirements determined for each department within the Çiftay A.Ş..
Access permits are restricted and they are regularly checked.
Access restrictions are applied to former employees and their accounts are deleted.
Softwares and hardwares including antivirus, data protection, and firewalls are installed.
All information systems, including applications where personal data are collected, are regularly tested for external impacts to detect security vulnerabilities and the glitch found according to the results of this test are debugged.

7.2. The administrative measures taken, but not limited to, are listed below:

ÇİFTAY A.Ş. informs and trains its employees on the protection of personal data and the processing of personal data in accordance with the law.
ÇİFTAY A.Ş. employees were informed verbally and in writing about not exploiting the personal data they have acquired during the trainings and not violate the provisions of the Personal Data Protection Law. In this context, service contracts and related documents between ÇİFTAY A.Ş. and its employees contain information about personal data records and personal data protection information, and additional protocols are signed with the employees that their obligations will continue after their resignation.
All personal data processing operations conducted by ÇİFTAY A.Ş.’ are in accordance with the personal data inventory and its annexes, which were created by scrutinizing all departments in detail.
The obligations required to conduct the personal data processing operations by the relevant department within the company in accordance with the Personal Data Protection law have been determined by ÇİFTAY A.Ş. in written policies and procedures. Each department has been informed about these procedures and policies.
Additional contracts between ÇİFTAY A.Ş. and a person to whom personal data is transferred accordance with the law are made which comprise that these perons or their organizations will take necessary security measures to protect the personal data.
In the event that the processed personal data is obtained by others through illegal ways, ÇİFTAY A.Ş. will notify this situation to the concerned persons and the Board as soon as possible.

PROTECTION OF PERSONAL DATA OF SPECIAL NATURE

Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature.

ÇİFTAY A.Ş. acts responsible towards processing the personal data of special nature. In this context, technical and administrative measures are applied by ÇİFTAY A.Ş. meticulously in terms of personal data of special nature in accordance with resolutions published by the Board for the protection of personal data and necessary audits conducted within ÇİFTAY A.Ş.

OBLIGATION OF CONTROLLER TO INFORM

ÇİFTAY A.Ş. informs personal data owners while obtaining personal data in accordance with Article 10 of the Personal Data Protection Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Informing Obligation. Hereunder, we have placed information note and application form to easily visible places for our employees, job candidates prospective customers, our visitors, third parties and other real persons with whom we have business relations whose personal data were obtained during their visit of our office, construction site, workshop, gas station and website. Information note and application form are also published on www.ciftay.com.tr

TRANSFER OF PERSONAL DATA

ÇİFTAY A.Ş. may transfer personal data of the personal data owner and personal data of special nature that has been processed in line with Law, to third parties in accordance with the law, by taking the necessary security measures. Çiftay A.Ş. may transfer personal data to foreign countries which are declared by the Board to be credible in terms of personal data protection. Before exercising such action, credible organization in those foreign countries have to guarantee a sufficient protection in writing.

Possible transfer reasons are as follows:

Regulations on the personal data transfer in related Laws.
If it is necessary to transfer the personal data of the parties related to the contract, provided that it is directly related to the establishment or execution of such a contract.
If personal data transfer is mandatory for Çiftay A.Ş. to fulfill its legal obligation.
If personal data transfer is mandatory for use or protection of a right
If personal data transfer is mandatory for the Çiftay’s legitimate interests and in cases that transfer would not harm the fundamental rights and freedoms of the personal data owner.

RETENTION PERIOD FOR THE PERSONAL DATA

ÇİFTAY A.Ş. retains personal data for the period specified in the legislation.

ÇİFTAY A.Ş. firstly determines whether a period is foreseen for the retention of personal data in the relevant legislation in this context, if there is a specific period for retention, personal data is retained according to that period. If there is not any specific retention period, Çiftay retains the personal data for the time required and during data procession for particular purposes. At the end of retention period for the personal data, personal data are erased, destructed or anonymized in accordance with the Law.

If personal data retention period or retention period determined by Çiftay A.Ş. is over, personal data can only be retained in order to adduce evidence in possible legal disputes, against any claims or to protect company interest in case of any court hearings. Period of limitation in this case is determined according to previous claims and requests that were directed to Çiftay A.Ş.. In that case, the retained personal data cannot be accessed for any other purposes, and access is provided only when it is required to be processed in any legal dispute. At the end of aforementioned retention period, personal data is erased, destructed or anonymized.

Rights of Personal Data Owners

You have the following rights regarding your personal data, in accordance with Article 11 of Law No. 6698. For detailed information about procedures how to submit your application to data controller, please see article 6 of this Information Note.

Learn whether the personal data has been processed.
Request information if personal data has been processed.
Learn about the purpose of processing personal data and whether they are used in accordance with the intended purpose.
Enlighten about the third parties to whom personal data has been transferred in Turkey or abroad.
Request for the correction of personal data in case of incomplete or incorrect processing.
Request for the deletion or destruction of the personal data if data processing is no longer needed.
Request to inform third parties in case of data deletion or destruction if data processing is no longer needed.
Object to any consequences that may arise against the person as a result of the analysis of the processed data exclusively through automated systems,
Request for damages in cases where the data owner incur damage due to unlawful processing of the personal data.

Personal data owners can submit their request with regard to their rights which are stated in the 11th article of the Law No. 6698, in accordance with the “Notification on the Application Procedures and Principles of the Data Responsible to the Data Controller” via e-mails, e-signature or other means of application that are particularly developed for this purpose by adding necessary documents to their application.

The requests that contain name, surname and application request on it, must also contain details as signatures, T.R. identity number (for Turkish Citizens), permanent address, work address and if available e-mail address, mailing address, telephone number, fax number, request subject and passport number (for non-citizens).

The concerned personal data owners can submit requests via registered mail with acknowledgement of receipt or by the agency of notary public at “Kızılırmak MAH. Dumlupınar Bulvarı NEXT Level İş Kulesi No:3 Kat:26 06520 ÇANKAYA / ANKARA”

Upon receiving the request and according to the nature of the request, Çiftay will finalize them in accordance with the legislations in 30 (thirty days) days at the latest.

Upon approval of a relevant person’s request by Çiftay A.Ş., relevant person will be informed at the earliest.

EVENTS IN WHICH DATA OWNERS CANNOT CLAIM ANY RIGHTS

The provisions of this Law shall not be applied in the following cases where:

Personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
Personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized.
Personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime.
Personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order or economic security.
Personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings.

Erasure, Destruction or Anonymisation of Personal Data

In accordance with the “Regulation on Erasure, Destruction or Anonymisation of Personal Data” issued by the the Board, personal data which is no longer needed to be processed can be erased, destructed or anonymized at Çiftay’s sole discretion or by request of data owner.

This Policy has been prepared in accordance with the Law on Protection of Personal Data and the legislation in force and published on our website (www.ciftay.com.tr) and made available to the relevant people. If there is any differences between the legislation and policy in force, the provisions of the legislation will prevail.

With Kind Regards

contact

social media accounts

KVKK