CASTİMO KİMYA İNŞAAT YAPI MALZEMELERİ SANAYİ VE TİCARET LİMİTED ŞİRKETİ
PERSONAL DATA PROTECTION AND PROCESSING POLICY
For:
All natural persons except employees of Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi whose personal data is processed by Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi
Prepared by:
Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi ……………………
Approved by:
Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi administrative board.
VERSİYON: 1.0
Date of Effect: 04/01.2021
© Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi, 2020
This document cannot be reproduced or distributed without the written permission of Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi
INTRODUCTION
1.1 Introduction
Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi (“Company”) attaches the utmost importance to protecting the fundamental rights and freedoms of persons in the protection and processing of personal data, especially the right of privacy as set out in Article 20 of the Constitution. In this context, it pays attention to protect and process personal data under the Law No. 6698 on Protection of Personal Data (“Law” or “Law of KVK”) and acts with this understanding in all its planning and activities.
Our company does not only evaluate the protection and processing of personal data, which is the basis of the right of privacy, within the scope of compliance with the legislation, but puts the value it gives to persons based on its approach. Acting with this awareness, our company takes all necessary administrative and technical measures for the protection and processing of personal data under the law.
1.2 Aim of the Policy
The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to protect the fundamental rights and freedoms of persons to the maximum extent, especially the right of privacy as set out in Article 20 of the Constitution, in the protection and processing of personal data, which is processed wholly or partly automatic ways under the purpose of the law, or by non-automatic means being part of any data filing system and is to inform the data subjects about the obligations, procedures and principles of our company and under the law. The main goal is to ensure full compliance with the legislation in the protection and processing of personal data performed by our company and to protect the right of data subjects to privacy and data security.
1.3 Scope of the Policy
This Policy is prepared for and shall be applied under the specified persons being a natural person: Potential Employee, Family Members of Employee, Shareholder, Authorized Person of the Company, Shareholder, Authorized Person of Supplier, Employee of Supplier, Supplier, Customer, Authorized Person of Customer, Employee of Customer, Potential Customer, Service Provider, Employee of Service Provider, Authorized Person of Service Provider, Financial Consultant, Auditor, Third Parties, Visitor. By publishing this Policy on its website, the company informs these data subjects about the law. This Policy shall not be applied to legal entities in any capacity whatsoever. For employees of our company, the “Personal Data Processing Policy for Employees” shall apply.
This policy shall apply to the above-mentioned persons if their data is processed by our company in a wholly or partly automated way, or in a non-automated way being a part of any data filing system. This policy shall not be applied if the data is not included in the scope of “Personal Data” or if the personal data processing performed by our company are not covered by the above-mentioned means.
1.4 Definitions
The concepts used in the implementation of this policy mean the following meanings:
Explicit Consent
Freely given specific and informed consent.
Publicizing
The concept of publicizing in the sense of “making it known to all“ is counted as one of the exceptions in Article 5 of the law No. 6698,” the requirement to obtain the explicit consent of the natural person whose personal data is processed”, which is necessary for the processing of personal data.
Disclosure
It is the responsibility of the data controller to inform the persons to whom his/her data may be processed, for which purposes and for which legal reasons, and for which purposes it may be transferred.
Relevant User
The person who processes the personal data within the data controller organization or under the authority and instruction received from the data controller, except for the person or unit who is technically responsible for storing, protecting and backing up the data.
Destruction
It refers to the deletion, destruction, or anonymization of personal data.
Processing of Personal Data
Any operation which is performed upon personal data such as collection, filing, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system;
Board
The Board of Protection of Personal Data.
Relevant Person / Data Subject
Potential Employee, Family Members of Employee, Shareholder, Authorized Person of the Company, Shareholder, Authorized Person of Supplier, Employee of Supplier, Supplier, Customer, Authorized Person of Customer, Employee of Customer, Potential Customer, Service Provider, Employee of Service Provider, Authorized Person of Service Provider, Financial Consultant, Auditor, Third Parties, Visitor.
Personal Data
Any information relating to an identified or identifiable natural person.
Authority
The Authority of Protection of Personal Data..
Automatically Processing Data
It is a self-performing processing activity performed by processor-owning devices such as computers, phones, watches, without human intervention within the scope of algorithms prepared in advance through software or hardware features.
Sensitive Personal Data
Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of an association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are sensitive personal data.
Registry
Data Controllers’ Registry
Company
Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi’dir.
Data Processor
Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller;
Filing System
Any recording system through which personal data are processed by structuring according to specific criteria;
Data Categories
It is a class of personal data belonging to a group or groups of people, in which personal data is categorized according to their common characteristics.
Data Subject
A natural person whose personal data are processed.
Data Controller
Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the filing system.
1.5 Enforcement of the Policy
The policy, which came into force on 07/01/2021 and regulated by Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi, is published on the company’s website (https://www.castimo.de) and made available to data subjects.
2. PROTECTION OF PERSONAL DATA
2.1 Security of Personal Data
Under the law, our company takes all necessary administrative and technical measures to ensure the appropriate level of security to store personal data securely and to prevent the illegal processing and access of personal data. The administrative and technical measures taken regarding the security of personal data are detailed in the Personal Data Storage and Destruction Policy of our company.
Our company has established the “Personal Data Protection Management System” to ensure compliance with the regulations contained in the law and other legislation and it has established Personal Data Protection Committee within its body to ensure the implementation of the policy and other related policies.
2.2 Supervision
Our company conducts and (having them conducted) the necessary supervision to establish the data security described above and to ensure the regularity and continuity of the measures taken. The Personal Data Protection Committee supervises the measures taken for the security of personal data.
2.3 Privacy
Our company takes all necessary administrative and technical measures according to technological facilities and application costs to ensure that the relevant data controllers and processors do not disclose their data to anyone in violation of the provisions of Law and Policy and do not use it for processing. In this context, information and training activities about the law and policy are carried out for the employees of the company, and privacy agreements are signed as part of the recruitment processes of the relevant employees.
2.4 Unauthorized Disclosure of Personal Data
If the personal data processed by our company is obtained by others in ways that are not under the law, our company shall take the necessary actions to inform the data subject and the Board within the periods determined by the Board of this situation. If necessary, this shall be announced on the website of the Board or by any other method deemed appropriate by the Board.
2.5 Protection of the Legal Rights of Data Subjects
Our company respects and takes all necessary measures to protect the legal rights of data subjects concerning the implementation of the policy and the law.
2.6 Protection of Sensitive Personal Data
Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of an association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are sensitive personal data. Our company is aware of the fact that sensitive personal data is data that, if learned by others, could cause the data subject to be suffered or discriminated, and therefore takes the appropriate measures determined by the Board to protect such personal data, which is processed under the law, with precision. Within this framework, it has a separate policy (the Security Policy of Sensitive Personal Data) and a systematic procedure, clearly defined, manageable, and sustainable.
3. PROCESSING AND TRANSFER OF PERSONAL DATA
3.1 General Principles of Processing and Transfer of Personal Data
Personal data is processed by our company under the procedures and principles set out in the law and this policy. Our company complies with the following principles when processing personal data.
3.1.1 Conforming with the law and good faith
Our company processes and uses personal data under the relevant legislation and the requirements of good faith. Following the principle of compliance with the good faith, our Company considers the interests and reasonable expectations of data subjects when trying to achieve its objectives in data processing. It acts in a way that prevents the appearance of results that the data subject does not expect and does not need to expect. Under the policy, it also ensures that the data processing in question is transparent for the data subject and acts under the notifying and warning obligations.
3.1.2 Being accurate and if necessary, up to date
Our company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of those concerned. In this context, it considers carefully the issues such as certainty of sources from which data is obtained, confirmation of its accuracy, evaluation of whether it needs to be updated. Our company keeps channels open to ensure that information of the data subject is accurate and up-to-date at all times under the due diligence. Keeping personal data accurate and up-to-date is essential in protecting the interests of our company as well as in protecting the fundamental rights and freedoms of data subjects.
3.1.3 Being processed for specified, explicit, and legitimate purposes
Our company determines the purpose of data processing clearly and precisely and ensures that this purpose is legitimate. If the purpose is legitimate, it means that the personal data that our company processes is related to and necessary for the work it has performed or the service it has provided. Our company does not process data for other purposes other than those stated. In this respect, it is sensitive to compliance with the principle of certainty and clarity in legal transactions and texts in which personal data processing purposes are explained.
3.1.4 Being relevant, limited and proportionate to the purposes for which data are processed
Our company considers the personal data processed to be convenient for the achievement of the stated objectives and avoids the processing of data that is not relevant to the achievement of the purpose or that is not needed. Our company does not collect or process personal data for purposes that do not exist and are considered to occur later. It performs the processing conditions set out in the act as if it is the first time it has started processing data to fulfill the needs that are likely to arise later. It also limits the processed data to only what is needed to achieve the objective. Within the scope of the principle of proportionality, it establishes a reasonable balance between data processing and its intended purpose.
3.1.1 Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected
Our company complies with these conditions if there is a period stipulated in the relevant legislation to store the data; otherwise, it shall only store the personal data for the period required for the purpose for which it is processed. In the absence of a valid reason for further storage of personal data by our company, such data is deleted, destroyed or anonymized. The procedures for storing and destroying personal data are detailed in the Personal Data Storage and Destruction Policy of our company.
3.2 Conditions of Processing Personal Data
Our company does not process personal data without the explicit consent of the data subject. Personal data may only be processed in the event of one of the following conditions without the explicit consent of the data subject:
3.2.1 It is expressly permitted by any law
Our company may process personal data without seeking the explicit consent of the data subject, as expressly permitted by any law.
3.2.2 It is necessary to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent
Our company may process personal data without seeking explicit consent to protect the life or physical integrity of persons where they are physically or legally incapable of giving consent.
3.2.3 It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract
Our company is directly related to the execution or performance of a contract as parties of the contract to the processing of personal data is obligatory if due to the nature of life, seeking personal data without the explicit consent of the persons concerned for this purpose be limited to can handle. If the processing of personal data of the parties of a contract is necessary directly concerning the execution or performance of a contract, as a natural flow of life, our company may process the personal data of data subjects without explicit consent, limited to this purpose.
3.2.4 It is necessary for compliance with a legal obligation which the controller is subject to
Our company may process the personal data of the data subject without seeking explicit consent when it is necessary to fulfill its legal obligations as a data controller.
3.2.5 The relevant information is revealed to the public by the data subject herself/himself
Our company may process the personal data of data subjects, which is publicized by them, in other words, revealed to the public in any way, only for disclosure in case it is accepted that the legal interest that should be protected in the processing of such data, which is revealed to the public by data subjects and thus becomes known to all, has been eliminated.
3.2.6 It is necessary for the institution, usage, or protection of a right
Our company may process the personal data of data subjects without explicit consent where it is legally necessary to process data for the usage or protection of a legitimate right.
3.2.7 It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed
Our company may process the personal data of data subjects in cases where the processing of personal data is necessary to ensure the legitimate interests of d, without harming the fundamental rights and freedoms protected under the Law and Policy. Our company is sensitive to comply with the basic principles regarding the protection of personal data and to observe the balance of interests between our company and data subjects. Legitimate interest is an effective, specific, and already existing one that can compete with the fundamental rights and freedom of the data subject. Our company takes additional protective measures to prevent damage to the rights of the data subject. A reasonable balance is achieved between the interests of our company and the fundamental rights and freedoms of the data subject.
3.3 Conditions of Processing of Sensitive Personal Data
Our company does not process sensitive personal data without the explicit consent of the data subject. Sensitive personal data may only be processed in the event of one of the following conditions without the explicit consent of the data subject:
3.3.1 It is expressly permitted by any law
Sensitive personal data other than the health and sexual life of the data subject may be processed without the explicit consent of the data subject, where it is expressly permitted by law.
3.3.2 Planning and Management of Health Services and Financing for Public Health Protection, Preventive Medicine, Medical Diagnosis, Treatment and Care Services
Sensitive personal data relating to the health and sexual life of the data subject may be processed by persons under the obligation to keep secrets or by authorized institutions and organizations, for public health protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
3.4 Conditions of Transfer of Personal Data
Our company may transfer personal data to third parties based on one or more of the following personal data processing conditions under Article 8 of the law by taking the necessary security measures:
- Having the explicit consent of the data subject,
- Existence of a clear regulation regarding the transfer of personal data in the law,
- Obligation of transfer of personal data for the protection of the life or physical integrity of the data subject or anyone else, and when the data subject is physically or legally incapable of giving consent, or his/her consent is not granted legal validity,
- Requirement of processing the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract,
- Obligation of the transfer of personal data for our company to fulfill its legal obligation,
- Revelation of the relevant information to the public by the data subject herself/himself,
- Obligation for the institution, usage, or protection of a right,
- Obligation of the transfer of personal data for the legitimate interests of our company, provided that the fundamental rights and freedoms of the data subject are not harmed.
Sensitive personal data may be transferred based on one of the following conditions and provided that adequate measures are taken on a limited basis:
- Having the explicit consent of the data subject,
- In the case of sensitive personal data other than the health and sexual life of the data subject, the existence of a clear regulation in the law regarding the transfer of such data,
- Sensitive personal data relating to the health and sexual life of the data subject may be processed by persons under the obligation to keep secrets or by authorized institutions and organizations, for public health protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
3.4.1 Conditions of Transfer of Personal Data Abroad
Our company may transfer personal data abroad with the explicit consent of the data subject under Article 9 of the law by taking the necessary security measures.
Besides, in case of the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the law, our company may transfer personal data without the explicit consent of the data subject only to foreign countries declared to have adequate protection by the Board or in the absence of adequate protection, to foreign countries where data controllers in Turkey and the relevant foreign country undertake adequate protection in written and have the permission of the Board without prejudice to the provisions of the International Convention to which Turkey is a party.
4. PERSONAL DATA CATEGORIES AND DATA SUBJECTS
4.1 Personal Data Categories
Personal data is processed by our company by categorizing as follows:
Identity
Data containing information about the identity of the data subject: first name, last name, ID number, marital status, parents names, place and date of birth, and other identifying information including driving license, ID card and passport copies, tax number, social security number, signature, etc.
Communication
Contact details of data subjects: phone number, address, e-mail address, registered e-mail address, fax number, etc.
Personnel Information
Information processed to obtain information that will be fundamental to the protection of personal rights of data subjects: CV, title information, certificate of employment/termination, social security/retirement information, payroll information, declaration of property, disciplinary proceeding, and performance evaluation reports, etc.
Legal Process
Data processed within the scope of determination of the company’s legal claims and rights, prosecution, and performance of its debts and legal obligations: power of attorney, court and administrative authority decisions, correspondences with judicial authorities, information in case files, etc.
Safety of Physical Space
Personal data relating to records and documents obtained when entering and inside physical spaces of the company: Entrance-Exit records, magnetic card records, security camera records, license plates, etc.
Process Security
Personal data processed in order to ensure the security of transactions during electronic transactions: IP / Mac Information, IMEI Number, User Name / Password Information, etc.
Finance
Personal data processed concerning information, documents, and records showing the results of any financial relationship the company has established with data subjects and bank account information, credit information, balance sheet information, financial profile, assets and insurance information, etc.
Professional Experience
Degree, transcript, education/course/certificate information, driving license information, foreign language information, reference information, etc. recorded during and afterward of recruitment of data subjects.
Visual and Auditory Information
Photographs, camera, and voice records that can be received except the safety of physical space of data subjects, as well as other documents in which this data is transferred: photographs added to documents, video interview and meeting records, etc.
Family Members and Relatives Information
It refers to the identity and contact details of the family members of the employees, authorized person of the company and shareholders.
SENSITIVE PERSONAL DATA
Health
Health information of data subjects: examination information, bill of health, disability status, health permits, blood group etc.
Criminal Conviction and Security Measures
Documents containing information on criminal conviction and security measures decisions about data subjects: criminal records.
4.2 Data Subjects
Only natural persons can benefit from the protection of this policy and the law. Data subjects in this scope are grouped as follows:
Potential Employee
Natural persons who have applied to our company in any way or who have opened their CV and related information to our company’s review.
Family Members of Employee, Shareholder and Authorized Person of the Company
Family Members of Employee, Shareholder and Authorized Person of Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi
Authorized Person of the Company
Natural persons who are authorized in Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi
Shareholder
Natural persons who are shareholders/partners of Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi
Authorized Person of Supplier
Authorities of natural persons or legal persons who provide input, raw materials or products to our company to provide a product or service.
Employee of Supplier
Identified/identifiable employees of natural persons or legal persons who provide input, raw materials or products to our company to provide a product or service.
Supplier
Natural persons who provide input, raw materials or products to our Company in order to provide a product or a service.
Customer
Natural persons such as dealers, distributors, sales points who deliver our company’s services to the end consumer within the scope of a contractual relationship, and natural persons who purchase these services.
Authorized Person of Customer
Authorities of natural persons or legal persons such as dealers, distributors, sales points who deliver our company’s products to the end consumer within the scope of the contractual relationship.
Employee of Customer
An identified or identifiable employee of natural persons or legal persons such as dealers, distributors, sales points who deliver our company’s products to the end consumer within the scope of the contractual relationship.
Potential Customer
Natural persons who have requested or are interested in using our products and services, or who have been assessed by the custom of trade and good faith for which they may have such interest.
Service Provider
Natural persons or legal persons who are not included in Customer, Subcontractor and Supplier groups but are independent of our company in which our company has a business relationship.
Employee of Service Provider
Employees of natural persons or legal persons who are not included in Customer, Subcontractor and Supplier groups but are independent of our company in which our company has a business relationship.
Authorized Person of Service Provider
Authorities of natural persons or legal persons who are not included in Customer, Subcontractor and Supplier groups but are independent of our company in which our company has a business relationship.
Financial Consultant
Natural persons who provide consultancy services to our company in financial matters within the framework of self-employment rules.
Auditor
Natural persons or authorized persons of the legal persons who serve in the audit processes of our company.
Third Parties
Other persons who are not covered by Castimo Kimya İnşaat Yapı Malzemeleri Sanayi Ve Ticaret Limited Şirketi Personal Data Protection and Processing Policy for Employees, which is prepared for company employees and by any other data subject groups in this Policy.
Visitor
All-natural persons who have entered the physical spaces owned by our company for various purposes or who have visited our websites for any purpose.
5. METHOD OF COLLECTING PERSONAL DATA AND LAWFUL BASIS
5.1 Method of Collecting Personal Data
Our company collects personal data for the purposes specified in Article 6.1 wholly or partly by automatic or non-automatic means; in all kinds of oral, written, electronic media; through, but not limited to, the following channels:
- Computer,
- Documents,
- Fax,
- Security camera records,
- Internet,
- Mail,
- Systematic,
- Oral communication,
- Telephone,
- Website,
- Website contact form,
- Website membership form,
- Face to face interview
5.2 Lawful Basis for the Collection of Personal Data
Our company collects personal data under Articles 5 and 6 of the law for one of the following lawful bases:
- Explicit consent of the data subject,
- Expressly permitted by any law,
- Revelation of the information to the public by the data subject herself/himself,
- Requirement of processing the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract,
- Obligation of processing personal data for our company to fulfill its legal obligation,
- Obligation of processing personal data for the institution, usage, or protection of a right,
- Obligation of processing personal data for the legitimate interests of our company, provided that the fundamental rights and freedoms of the data subject are not harmed.
6. PROCESSING PURPOSES OF PERSONAL DATA
6.1 Matching Data Subject Groups with the Processing Purposes Related to Personal Data Categories
Matching data subject groups described above with their processing purposes for personal data categories is provided below: (Natural persons can only be included within one group.)
POTENTIAL EMPLOYEE
Data Categories: Identity, Communication, Personnel Information, Professional Experience, Safety of Physical Space, Family Members and Relatives Information, Criminal Conviction and Security Measures, Health
Processing Purposes: Execution of the Selection and Recruitment of Potential Employee/Trainee/Student, Execution of the Application Processes of Potential Employees, Execution of Audit / Ethical Activities, Ensuring Security of Physical Space, Execution/Supervision of Work Activities.
FAMILY MEMBERS OF EMPLOYEE, SHAREHOLDER AND AUTHORIZED PERSON OF THE COMPANY
Data Categories: Identity, Communication, Personnel Information, Professional Experience, Safety of Physical Space, Visual and Auditory Information
Processing Purposes: Execution of Emergency Activities, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Ancillary Rights and Benefits Processes for Employees, Execution of Audit / Ethical Activities, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution and Prosecution of Legal Affairs, Planning Human Resource Process, Execution/Supervision of Work Activities, Execution of Business Continuity Activities, Organization And Event Management (Making Reservations for Travel and Accommodation), Execution of Contract Process, Giving Information to Authorized Persons, Institutions and Organizations
SHAREHOLDER
Data Categories: Identity, Communication, Finance, Legal Process, Visual and Auditory Information, Safety of Physical Space
Processing Purposes: Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Ancillary Rights and Benefits Processes for Employees, Making Salary Payments of Employees, Execution of Audit / Ethical Activities, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution and Prosecution of Legal Affairs, Execution of Communication Activities, Execution/Supervision of Work Activities, Execution of Business Continuity Activities, Organization And Event Management (Making Reservations for Travel and Accommodation), Execution of Contract Process, Execution of Investment Process, Giving Information to Authorized Persons, Institutions and Organizations, Execution of Management Activities.
AUTHORIZED PERSON OF THE COMPANY
Data Categories: Identity, Communication, Personnel Information, Professional Experience, Finance, Safety of Physical Space, Visual and Auditory Information
Processing Purposes: Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Ancillary Rights and Benefits Processes for Employees, Making Salary Payments of Employees, Employee Productivity Tracking and Management, Execution of Educational Activities, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution of Assignment Process, Execution and Prosecution of Legal Affairs, Execution of Communication Activities, Planning Human Resource Process, Execution/Supervision of Work Activities, Execution of Occupational Health / Safety Activities, Receiving and Evaluating Suggestions for Improvement of Business Process, Execution of Business Continuity Activities, Execution of Goods / Services’ Sale Process, Execution of Goods / Services’ Production and Operation Process, Organization and Event Management, Execution of Performance Assessment Process, Execution of Contract Process, Execution of Ability/Career Improvement Activities, Giving Information to Authorized Persons, Institutions and Organizations, Execution of Management Activities.
SUPPLIER:
Data Categories: Identity, Communication, Finance, Legal Process
Processing Purposes: Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Execution and Prosecution of Legal Affairs, Execution of Communication Activities, Execution/Supervision of Work Activities, Execution of Business Continuity Activities, Execution of Goods / Services’ Sale Process, Execution of Goods / Services’ Production and Operation Process, Execution of Goods / Services’ Purchasing Process, Execution of Customer Relationship Management Process, Organization and Event Management, Execution of Contract Process, Execution of Supply Chain Management Process, Execution of Wages Policy,
AUTHORIZED PERSON OF SUPPLIER:
Data Categories: Identity, Communication, Finance, Safety of Physical Space
Processing Purposes: Execution of Audit / Ethical Activities, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution of Communication Activities, Execution/Supervision of Work Activities, Execution of Business Continuity Activities, Execution of Goods / Services’ Purchasing Process, Execution of Goods / Services’ After Sales Support Services, Execution of Goods / Services’ Sale Process, Execution of Goods / Services’ Production and Operation Process, Execution of Customer Relationship Management Process, Organization and Event Management (Making Reservations for Travel and Accommodation), Execution of Contract Process, Execution of Supply Chain Management Process, Execution of Wages Policy, Giving Information to Authorized Persons, Institutions and Organizations
EMPLOYEE OF THE SUPPLIER:
Data Categories: Identity, Communication, Safety of Physical Space
Processing Purposes: Execution of Business Continuity Activities, Organization and Event Management (Making Reservations for Travel and Accommodation), Execution/Supervision of Work Activities, Execution of Contract Process, Ensuring Security of Physical Space, Execution of Audit / Ethical Activities.
AUTHORIZED PERSON OF THE CUSTOMER:
Data Categories: Identity, Communication, Finance, Legal Process, Safety of Physical Space
Processing Purposes: Execution of Audit / Ethical Activities, Execution of Educational Activities, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution and Prosecution of Legal Affairs, Execution of Communication Activities, Execution/Supervision of Work Activities, Execution of Business Continuity Activities, Execution of Logistic Activities, Execution of Goods / Services’ After Sales Support Services, Execution of Goods / Services’ Sale Process, Execution of Goods / Services’ Purchasing Process, Execution of Goods / Services’ Sale Process, Execution of Goods / Services’ Production and Operation Process, Execution of Customer Relationship Management Process, Execution of Activities Related to Customer Content, Organization and Event Management (Making Reservations for Travel and Accommodation), Execution of Storage and Archiving Activities, Execution of Contract Process, Prosecution of Demand/Complaint, Ensuring the Security of Movable Property and Sources, Giving Information to Authorized Persons, Institutions and Organizations.
EMPLOYEE OF THE CUSTOMER:
Data Categories:: Identity, Communication, Finance, Legal Process, Safety of Physical Space
Processing Purposes: Execution of Audit / Ethical Activities, Execution of Educational Activities, Execution of Activities in Accordance with the Legislation, Ensuring Security of Physical Space, Execution and Prosecution of Legal Affairs, Execution of Communication Activities, Execution/Supervision of Work Activities, Execution of Business Continuity Activities, Execution of Logistic Activities, Execution of Goods / Services’ Purchasing Process, Execution of Goods / Services’ After Sales Support Services, Execution of Goods / Services’ Sale Process, Execution of Goods / Services’ Production and Operation Process, Execution of Customer Relationship Management Process, Execution of Activities Related to Customer Content, Organization and Event Management (Making Reservations for Travel and Accommodation), Execution of Storage and Archiving Activities, Execution of Contract Process, Prosecution of Demand/Complaint, Ensuring the Security of Movable Property and Sources.
CUSTOMER:
Data Categories: Identity, Communication, Finance
Processing Purposes: Execution of Information Security Process, Execution of Access Authorization, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Execution of Communication Activities, Execution/Supervision of Work Activities, Execution of Business Continuity Activities, Execution of Logistic Activities, Execution of Goods / Services’ After Sales Support Services, Execution of Goods / Services’ Sale Process, Execution of Goods / Services’ Production and Operation Process, Execution of Goods / Services’ Purchasing Process, Execution of Activities Related to Customer Content, Execution of Customer Relationship Management Process, Execution of Advertisement/Campaign/Promotion Process, Execution of Contract Process, Ensuring the Security of Movable Property and Sources, Execution of Supply Chain Management Process, Execution of Wages Policy, Execution of Marketing Product/Services Process, Creating and Prosecuting Visitor Records,
POTENTIAL CUSTOMER:
Data Categories: Identity, Communication, Safety of Physical Space
Processing Purposes: Execution of Audit / Ethical Activities, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution/Supervision of Work Activities, Execution of Business Continuity Activities, Execution of Goods / Services’ Purchasing Process, Execution of Goods / Services’ After Sales Support Services, Execution of Goods / Services’ Sale Process, Execution of Goods / Services’ Production and Operation Process, Organization and Event Management (Making Reservations for Travel and Accommodation), Execution of Contract Process.
SERVICE PROVIDER:
Data Categories: Identity, Communication, Finance, Legal Process, Safety of Physical Space
Processing Purposes: Execution of Audit / Ethical Activities, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution and Prosecution of Legal Affairs, Execution/Supervision of Work Activities, Execution of Occupational Health / Safety Activities, Execution of Business Continuity Activities, Execution of Goods / Services’ Production and Operation Process, Execution of Goods / Services’ Purchasing Process, Organization and Event Management, Execution of Contract Process, Execution of Supply Chain Management Process, Execution of Wages Policy, Giving Information to Authorized Persons, Institutions and Organizations.
AUTHORIZED PERSON OF THE SERVICE PROVIDER:
Data Categories: Identity, Communication, Finance, Safety of Physical Space
Processing Purposes: Execution of Audit / Ethical Activities, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution/Supervision of Work Activities, Execution of Goods / Services’ Production and Operation Process, Execution of Goods / Services’ Purchasing Process, Execution of Contract Process, Execution of Wages Policy.
EMPLOYEE OF THE SERCIVE PROVIDER:
Data Categories: Identity, Communication, Finance, Safety of Physical Space
Processing Purposes: Execution of Audit / Ethical Activities, Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Ensuring Security of Physical Space, Execution/Supervision of Work Activities, Execution of Logistic Activities, Execution of Goods / Services’ Production and Operation Process, Execution of Goods / Services’ Purchasing Process, Execution of Contract Process, Ensuring the Security of Movable Property and Sources.
AUDITOR:
Data Categories: Identity
Processing Purposes: Execution of Activities in Accordance with the Legislation, Giving Information to Authorized Persons, Institutions and Organizations, Execution of Audit / Ethical Activities, Execution of Occupational Health / Safety Activities.
FINANCIAL CONSULTANT:
Data Categories: Identity, Communication
Processing Purposes: Execution of Activities in Accordance with the Legislation, Execution of Finance and Accounting Process, Execution of Contract Process.
THIRD PARTIES:
Data Categories: Identity, Safety of Physical Space
Processing Purposes: Execution of Audit / Ethical Activities, Execution of Activities in Accordance with the Legislation, Ensuring Security of Physical Space, Execution and Prosecution of Legal Affairs, Execution/Supervision of Work Activities, Ensuring the Security of Movable Property and Sources, Giving Information to Authorized Persons, Institutions and Organizations.
VISITOR:
Data Categories: Identity, Communication, Personnel Information, Process Security
Processing Purposes: Execution of Information Security Process, Execution of Audit / Ethical Activities, Execution of Access Authorization, Execution of Activities in Accordance with the Legislation, Ensuring Security of Physical Space, Execution of Communication Activities, Execution/Supervision of Work Activities, Creating and Prosecuting Visitor Records.
Personal Data Processing Performed in Physical Spaces
To ensure security in our company’s buildings and facilities, entrances and exit are recorded and public areas are monitored with cameras. There is information about this in the areas where the camera is monitored.
Under the law on the Regulation of Internet Publications and the Fight against Crimes Committed through These Publications and other legislation, records regarding internet access given in our company’s buildings and facilities are kept. These records may be shared with authorized public institutions and organizations upon request and may be used for the fulfillment of relevant legal obligations in supervision where necessary.
6.2 Personal Data Processing Performed on the Website
Traffic information of online visitors who visit our website is processed automatically to manage information security processes. On the other hand, under law No. 5651 and other legislation, hosting service providers are obliged to record and store website traffic information.
Detailed descriptions of personal data processed through the website are available on the relevant website.
6.3 Personal Data Processing Performed Through Communication Channels
Communication performed through the channels such as call center, mail, e-mail, etc. are supervised and recorded to conduct/supervise business activities and pursue demands/complaints.
Relevant persons are required to use these channels only in the context of their business activities.
7. PURPOSES OF TRANSFERRING PERSONAL DATA AND THE PERSONS/ENTITIES TO WHICH IT IS TRANSFERRED
7.1 Purposes of Transferring Personal Data
Our company transfers personal data under the conditions set out in Articles 8 and 9 of the law for the following purposes:
- Execution of Emergency Activities,
- Execution of the Application Processes of Potential Employees,
- Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees,
- Execution of Ancillary Rights and Benefits Processes for Employees,
- Making Salary Payments of the Employees,
- Employee Productivity Tracking and Management
- Execution of Audit / Ethical Activities,
- Execution of Educational Activities,
- Execution of Activities in Accordance with the Legislation,
- Execution of Finance and Accounting Process,
- Ensuring Security of Physical Space,
- Execution of Assignment Process,
- Execution and Prosecution of Legal Affairs,
- Planning Human Resource Process,
- Execution/Supervision of Work Activities,
- Execution of Occupational Health / Safety Activities,
- Execution of Business Continuity Activities,
- Execution of Logistic Activities,
- Execution of Goods / Services’ Purchasing Process,
- Execution of Goods / Services’ After Sales Support Services,
- Execution of Goods / Services’ Sale Process,
- Execution of Goods / Services’ Production and Operation Process,
- Execution of Customer Relationship Management Process,
- Execution of Activities Related to Customer Content,
- Organization and Event Management,
- Execution of Marketing Activities,
- Execution of Performance Assessment Process,
- Execution of Advertisement/Campaign/Promotion Process,
- Execution of Risk Management Process,
- Execution of Contract Process,
- Execution of Strategic Planning Activities,
- Prosecution of Demand/Complaint,
- Participation of Group Companies in Personnel Recruitment Activities,
- Execution of Marketing Product/Services Process,
- Execution of Investment Process,
- Giving Information to Authorized Persons, Institutions and Organizations,
- Execution of Management Activities,
- Creating and Prosecuting Visitor Records,
7.2 The Persons/Entities to which Personal Data is Transferred
Our company may transfer personal data to the following persons and organizations, limited to data categories and data required for transfer:
- Authorized Persons, Institutions and Organizations,
- Group Companies,
- Natural Persons or Private Law Legal Entities,
- Business Partners,
- Affiliates And Subsidiaries,
- Official Government Institutions,
- Government Agencies,
- Agency Firm,
- Judicial Authorities,
- Ministry of Family, Labor and Social Security,
- Banks,
- Consultant Joint Health and Safety Unit,
- Airlines Website,
- Service Provider Company,
- Law Firm,
- IT Firm,
- Gendarmerie,
- Courier Company,
- Consulate,
- Financial Consultant,
- Customer Firm,
- Customer,
- Netsis,
- Notary Public,
- Hotel,
- Planet,
- Police,
- SGK,
- Insurance Companies,
- Supplier Company,
- Aircraft Company,
- Tax Administration,
- Website
8. DESTRUCTION AND STORAGE PERIODS OF PERSONAL DATA
8.1 Destruction of Personal Data
Without prejudice to the provisions of other laws relating to the destruction of personal data, our company deletes, destroys or anonymizes personal data processed under this law and other provisions of the law at the request of the relevant person, according to Personal Data Storage and Destruction Policy, if the reasons for processing are eliminated.
The deletion of personal data refers to the process of making personal data inaccessible and unusable for the users concerned in any way.
Destruction of personal data refers to the process of making personal data inaccessible, non-refundable, and non-reusable by anyone.
Anonymization of personal data refers to the process of making personal data impossible to relate to a natural person whose identity is certain or identifiable under any circumstances, even if it is matched with other data by techniques such as masking, variable extraction, generalization, etc.
8.2 Storage Periods of Personal Data
Our company stores personal data following the periods prescribed by law and other legislation. If there is no storage period prescribed in the laws and other legislation, personal data is stored under our company’s Personal Data Storage and Destruction Policy for the required time to achieve the purpose of processing that personal data, then it is deleted, destroyed or anonymized within the framework of periodic destruction periods.
9. DISCLOSURE OF DATA SUBJECT AND HIS/HER RIGHTS UNDER THE LAW OF KVK
9.1 Disclosure of Data Subject
Under Article 10 of the KVK law, our company provides information about the persons involved in obtaining personal data. In this context, it clarifies the identity of the company representative, the purpose for which the personal data will be processed, to whom and for what purpose the processed data may be transferred, the method of collection and cause of action of personal data, and the rights of the data subject.
9.2 The Cases in which the Policy and the Law shall not be Applied Wholly or Partly
The provisions of this Policy and Law shall not apply in the following cases:
- Processing of personal data by natural persons entirely within the scope of activities related to him/her or his/her family members living in the same residence, provided that it is not given to third parties and that data security obligations are complied with,
- Processing of personal data for purposes such as research, planning and statistics by anonymized with official statistics,
- Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, right to privacy or personal rights or not constitute a crime,
- Processing of personal data within the scope of preventive, protective and intelligence activities conducted by public institutions and organizations mandated and authorized by law to ensure national defense, national security, public security, public order or economic security,
- Processing of personal data by judicial or executive authorities concerning investigations, prosecutions, trials, or executions.
Under and proportionate to the purpose and basic principles of this Policy and Law, Article 10 regulating the disclosure obligation of the data controller, Article 11 regulating the rights of the relevant person, except the right to claim damages, and Article 16 regulating the obligation to Registry of Data Controllers shall not apply in the following cases:
- Requirement of personal data processing to prevent or investigate a crime,
- Processing of personal data revealed to the public by the data subject,
- Requirement of personal data processing for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized institutions and organizations and professional organizations of the nature of public institutions, based on the authority given by the law,
- Requirement of personal data processing to protect the economic and financial interests of the Government concerning budget, tax, and fiscal matters.
9.3 Rights of the Data Subject under the Law of KVK
Under Article 10 of the law, our company informs data subjects about their rights, provides guidance on how to exercise these rights, and performs the necessary internal procedures, administrative and technical arrangements for all these. According to the Article 11 of the Law, data subjects have the right to;
- Learn whether their data is processed,
- Request related information if their data is processed,
- Learn the purposes for processing personal data and whether it is used accordingly,
- Know the third parties to whom their data is transferred domestically or abroad,
- Request the rectification of their data if it is processed incompletely or improperly,
- Request the deletion or destruction of personal data under the Article 7 of the law,
- Request the third parties who received personal data of the data subject to be notified about the transactions made (rectification and destruction) under Article 11 (d) and (e) of the law,
- Object to the outcome against the persons themselves by analyzing the processed data exclusively through automated systems,
- Claim for damages if personal data is damaged due to illegal processing.
Requests and applications regarding the enforcement of the law can be submitted in person or can be sent via notary to the address “Fatih Mahallesi 1185/1 Sokak No:2, 35410 Gaziemir/İzmir” by filling out the application form on our website (https://www.castimo.de). They can also be sent via registered electronic mail address (castimokimya@hs03.kep.tr), or using a secure electronic signature or mobile signature.
Requests and applications can also be sent to the address info@castimo.com if there is an e-mail previously notified to our company by the data subject and registered in the company’s system.
The following information is obligatory in requests and applications:
- First name, last name, and signature if the application is in writing,
- Turkish National Identity Number for citizens of the Republic of Turkey, nationality, and passport number (national identification number if applicable) for other nationalities.
- Permanent address or business address based for notifications,
- E-mail address, phone and fax number if applicable to the notification,
- Subject
Our company shall respond to the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However; if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.
Our company may accept the request or reject it by explaining the reason and informs the data subject in written or electronically. If the request in the application is accepted, our company shall fulfill the requirements as soon as possible and inform the data subject. If the application is caused by the error of our company, the fee shall be refunded to the data subject.
If the application is rejected, the response is insufficient or the application is not responded in due time, the data subject has the right to make a complaint to the Board within thirty days from the date of receipt and, in any case, within sixty days from the date of application.