BOMAKSAN KVKK PERSONAL DATA SECURITY MANAGEMENT SYSTEM
PERSONAL DATA
POLICY OF HANDLING, STORAGE AND DESTRUCTION
1. Introduction
In accordance with the law numbered 6698, the safe protection, processing, transfer, deletion and destruction of personal data in both physical and digital environments Bomaksan Endüstriyel Hava Filtration Sistemleri San. Tic. A.S. and the necessary administrative and technical measures are taken in all our processes in this direction. All activities of our company regarding the protection of personal data are carried out in accordance with this Policy of Storing, Processing, Transferring and Disposal of Personal Data (” Policy “).
Our company will analyze the personal data processing activities carried out by taking this Policy as a guide and will take all technical and administrative measures to comply with the Policy. After the determined actions and measures are implemented, compliance with this policy will be ensured by operating internal audit mechanisms.
2. Purpose of the Policy
The main purpose of this Policy is to determine the individuals whose personal data we are processing; Our company ‘ of personal data processing, preservation, protection, deleting activities, the measures taken in this context, the rights of owners of data and to be informed on issues such as the use of methods such rights
3. Scope of the Policy
The scope of this Policy; are all personal data of identified or identifiable persons whose data we are processing . The stated articles in the policy also include all kinds of information and documents that can be associated with an identified or identifiable natural person, and the measures taken and regulations made in relation to them.
4. Enforcement of the Policy
This Policy, prepared by our company , entered into force on 20/09/2020 . In case of revision of all or certain articles of the Policy, the revision date of the Policy will be specified.
In case of inconsistency between the current legislation and the Policy, the provisions of the legislation will be applied with priority. If there is another policy or regulation on the same subject for more specific purposes other than this basic Policy, the articles containing special provisions are applied first. Provisions of other policies and documents that conflict with this Policy and the relevant legislation are not applied.
5. Definitions
DEFINITION | EXPLANATION |
---|---|
Open Consent | Consent on a specific subject, based on information and expressed with free will |
Anonymous Render | Making personal data unrelated to an identified or identifiable natural person by matching other data |
Working | Employees of our company and its affiliated companies |
Employee Candidate | Candidate interviewed for recruitment |
Related person | The real person whose personal data is processed |
Related User | Except for the person or unit responsible for the technical storage, protection and backup of the data, the persons who process personal data within the organization of the Data Controller or in accordance with the authorization and instruction received from the Data Controller. |
Destruction | The process of deletion, destruction or anonymization of personal data |
Law | Personal Data Protection Law No. 6698 |
Recording Medium | Any environment containing personal data that is fully or partially automated or processed in non-automatic ways, provided that it is a part of any data recording system. |
Personal Data | All kinds of information regarding an identified or identifiable natural person |
Personal Data Processing Inventory Form | Personal data processing activities carried out by data controllers depending on the business processes; personal data processing purposes, categories of data, the export recipient group and gives the person purposes actions they create their personal data associating with a group for necessary the maximum time, foreign countries transfer specified personal data and the document detailed by explaining the measures taken regarding data security. |
Making Personal Data Anonymous | Anonymizing personal data, making personal data unrelated to an identified or identifiable natural person under any circumstances, even if they are matched with other data. |
Destruction of Personal Data | The process of deletion, anonymization or destruction of personal data |
Deletion of Personal Data | The process of making personal data inaccessible and unavailable in any way for relevant users |
Destruction of Personal Data | The process of destroying personal data, making personal data inaccessible, unrecoverable and reusable in any way. |
KVKK | Personal Data Protection Law published in the Official Gazette dated April 7, 2016 and numbered 29677 |
KVK Board | Personal Data Protection Board |
Special Quality Personal Data | People’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and biometric and genetic data |
Periodic Destruction | The deletion, destruction or anonymization process specified in the personal data storage and disposal policy and to be carried out ex officio at repeated intervals in the event that all the conditions for processing personal data in the KVKK are eliminated. |
Data Record System | A registry system where Personal Data is structured and processed according to certain criteria. |
VERBIS (Data Registry Information System) | The information system that data controllers will use in the application to the Registry and in other related transactions related to the Registry, accessible on the internet, created and managed by the Presidency. |
Data Processor | The real who processes personal data on his behalf based on the authority given by the Data Controller or legal person |
Data Controller Representative | The data recording system that determines the purposes and means of processing personal data. Natural or legal person responsible for establishment and management |
6. Rules Regarding the Processing of Personal Data
6.1 Processing of Personal Data in Compliance with the Principles Stipulated in Legislation
Our company processes personal data in accordance with the provisions and rules stipulated in the Personal Data Protection Law No.6698 (” Law “) and other relevant legislation. Personal data processing principles are determined in the Law. Our company acts in accordance with these principles in every data processing activity.
6.1.1 Processing in Compliance with Law and Good Faith
Our company acts in accordance with legal regulations and the rule of honesty in the processing of personal data. In this context, our Company processes personal data in accordance with the protection legislation and the rules set forth in the relevant legislation, does not process personal data for purposes other than those announced to data owners, and processes only as much personal data as necessary by applying the principles of proportionality and necessity in the processing of personal data.
6.1.2 Correct and if necessary Current Being of Personal Data Provisioning
Our company takes necessary measures in data processing processes to ensure that the processed data is accurate and up to date. In this context, it provides the personal data owner with the opportunity to apply to our Company to update or correct their own data.
6.1.3 Processing for Specific, Clear and Legitimate Purposes
Our company only processes personal data for legitimate purposes. Before our company starts data processing, except for the exceptional cases stipulated in the KVKK, it determines the personal data processing purposes and clearly announces these purposes to the data owners during the acquisition of their personal data.
6.1.4 Being Connected, Limited and Measured for the Purpose of Processing Personal Data
Personal data are processed clearly and precisely for the purpose determined, in a limited and measured manner, and we avoid the processing of unnecessary personal data.
6.2 Conditions for Processing Personal Data
Personal data are processed by our company based on one or more of the personal data processing conditions specified in Articles 5 and 6 of the KVKK, if the person concerned has explicit consent or within the scope of the exceptions specified in the KVKK. Our company processes personal data in accordance with the regulations set forth in the Law. Data processing activities that do not fall within this scope are stopped.
6.2.1 Exceptional Cases Where Explicit Consent is Not Required in the Processing of Personal Data
6.2.2 Exceptional Cases where Explicit Consent is Not Required in the Processing of Special Quality Personal Data
In exceptional cases stated below and arising from the law, special quality personal data are processed without explicit consent:
6.3 Transfer of Personal Data
6.3.1 Domestic Transfer of Personal Data
Our company is able to transfer the personal data it processes for personal data processing purposes to third parties by obtaining the express consent of the relevant person, except for the exceptions mentioned above. In case of need, our company transfers personal data in line with the decisions and regulations stipulated in the KVKK and taken by the KVK Board.
6.3.2 Transfer of Personal Data Abroad
Personal data are not transferred abroad by our company without the express consent of the data owner. If one of the exceptions mentioned above is provided, the person can transfer it to foreign countries where there is sufficient protection or a Data Controller Representative, regardless of whether the data subject has explicit consent.
6.3.3 Institutions / Organizations to Which Personal Data Are Transferred
There are mainly institutions and organizations to which personal data can be transferred, without being limited to those mentioned. This information is detailed in the data inventory form.
6.4 Informing Personal Data Owner
In line with the disclosure obligation in the Law, our company informs the personal data owners about how their personal data will be processed during the acquisition of personal data. In this context, our Company informs data owners on the following issues as a minimum .
7. Storage of Personal Data
7.1 Storage of personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed
Our company stores the personal data that it processes in accordance with the principles in the Law, for the period stipulated in the legislation. After the relevant regulations are put into effect by the KVK Board, a contact person will be assigned within the scope of personal data processing activities and registration to VERBIS will be made.
If a certain period is not stipulated in the legislation for the storage of the relevant personal data types, the personal data are kept until the end of the purpose for which they are processed.
In the event that a certain period is not stipulated in the legislation for the storage of the relevant personal data types, the retention periods are determined specific to each data processing purpose. In this context, retention periods are determined by taking into account the practices of our Company and the customs of commercial life.
Personal data; It can be stored for the purpose of providing evidence in possible legal disputes other than the purpose of processing, to assert a right that can be proved by personal data, to establish a defense and to respond to information requests from authorized public institutions. In the establishment of the periods here, the company practice and general practices are taken into consideration in the same issues as the statute of limitations for the right to be asserted.
In cases where our company has a legitimate interest, personal data are subject to the Turkish Code of Obligations numbered 6098, provided that the fundamental rights and freedoms of data owners are not harmed despite the expiration of the purpose of processing and the periods specified in the relevant laws.
It can be stored until the expiry of the general prescription period (ten years). After the expiry of the aforementioned limitation period, personal data will be deleted, destroyed or anonymized according to the specified procedure.
7.1.1 Measures we take regarding the storage of personal data
The KVK Board will be able to introduce detailed regulations on obligations regarding data security. In case of a detailed regulation, in order to comply with the obligations in the regulations, a maximum level of security should be ensured by making a reasonable effort.
Technical Measures:
Administrative Measures:
8. Destruction of Personal Data
8.1 Obligation to Destroy Personal Data
Our company , when the specified periods expire, the relevant personal data is destroyed by issuing a report and choosing one of the 3 (three) methods stated below. These:
Details on these three methods can be found in the following sections. In addition, personal data are deleted, destroyed or anonymized at the request of the personal data owner .
Our company is controlled by the Representative of the Data Responsible at 6 (six) months periodic intervals in the “Personal Data Processing Inventory Form” and the destruction operations are carried out as required, and records (information on destroyed documents) are kept for 3 years as stipulated in the Law .
8.2 Conditions for Disposal of Personal Data
In the event that the reasons requiring the processing of personal data specified in Articles 5 and 6 of the KVKK are eliminated, the personal data are destroyed by our Company, either ex officio or upon the request of the relevant person (data owner), if the request is found positive as a result of the evaluation. In addition, if all the conditions for processing personal data have disappeared and the personal data subject to the request is transferred to third parties, this situation is notified to the third party by our Company; Necessary procedures are requested to be taken by the third party.
8.3 Precautions We Take Regarding the Destruction of Personal Data Technical Measures:
Administrative Measures:
8.4 Deletion and Destruction of Personal Data
The deletion and destruction of personal data within our company is carried out in accordance with the principles specified in this Policy, using the methods explained below.
8.4.1 Deletion of Personal Data
The Data Responsible Representative assigned within our company is obliged to take all necessary technical and administrative measures to ensure that the deleted personal data cannot be accessed and reused for the relevant users.
8.4.1.1 Deletion Process of Personal Data
The basic process that the Data Controller Representative must follow in the deletion of personal data is as follows.
8.4.1.2 Methods of Deleting Personal Data
Since personal data within our company can be stored in different recording media, they must be deleted by methods appropriate to the recording media. Sample methods used by our company to delete personal data are as follows:
1. Application Type Cloud Solutions as a Service ( such as Google Suite, Google Drive )
Personal data are not kept in cloud system applications used in our company . If it is kept, it can be permanently deleted by the Related User. The relevant User is not authorized to retrieve relevant data on the cloud system.
2. The paper found in the Media Personal Data
Personal data in the paper environment of our company are destroyed by being passed through a shredder. However, in exceptional cases, it can be erased using the blackout method. This process is done by cutting the personal data on the relevant documents whenever possible, and making them invisible to the relevant users by using fixed ink in a way that cannot be reversed and readable with technological solutions in cases where it is not possible.
3. Office Files on the Central Server
If the relevant User has permanent deletion authorization in the file containing personal data, the file can be deleted in such a way that the file cannot be accessed again with the delete command in the operating system. If there is no permanent deletion authorization, the relevant user’s access rights are removed on the directory where the file is located. While performing these procedures, necessary precautions are taken to ensure that the Related User is not the system administrator at the same time .
4. Personal Data on Portable Media
Personal data in Flash-based storage environments within our company are stored encrypted and deleted using software suitable for these environments .
5. Data Bases
Personal data stored in our company’s databases are deleted with database commands (DELETE etc.). While performing this process, it is noted that the Related User is not a database manager at the same time.
8.4.2 Destruction of Personal Data
Personal data destroyed by our company are rendered inaccessible, retrieved and reusable by anyone. The Data Controller Representative is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.
8.4.3 Methods of Destroying Personal Data
In order to destroy personal data, all copies of the data must be detected and destroyed one by one using one or more of the following methods, depending on the type of systems in which the data is located .
Our company can agree with an expert to destroy personal data on behalf of itself, when necessary. In this case, no personal data are secure in a manner which can not be recovered again by the person skilled in the art is .
1. Local Systems
Our company can use one or more of the following methods to destroy personal data on these local systems.
a – De-magnetize
It is the process of unreadable degradation of the data on the magnetic media by passing it through a special device and exposing it to a very high magnetic field. Our company can agree with an expert for this procedure, if necessary.
b – Physical destruction
It is the process of physical destruction of optical media and magnetic media, such as melting, burning or pulverizing. It is ensured that the data is inaccessible by processes such as melting, burning, pulverizing or passing the optical or magnetic media through a metal grinder. For solid state disks, if overwriting or de-magnetizing is not successful, this media must also be physically destroyed. Our company can agree with an expert for this procedure, if necessary .
c – Overwrite
It is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media / USB memory or portable HDD. This process is done using special software. Our company can agree with an expert for this procedure, if necessary.
2. Environmental Systems
Depending on the type of environment, our company can use the appropriate method to destroy personal data on these environmental systems.
a-Network devices (nas etc.)
The storage media inside the devices in question are fixed. Products often have a delete command but no destruction feature. It is destroyed by using one or more of the appropriate methods specified in the Local Systems section.
b-Flash based environments
Flash-based hard disks have ATA (SATA, PATA, etc.), SCSI (SCSI Express, etc.) interfaces, using the command if supported, using the manufacturer’s recommended destruction method if not supported, or using one or more of the appropriate methods specified in the Local Systems section. is being destroyed.
c-Magnetic Tape
They are the media that store the data with the help of micro magnet pieces on the flexible tape. It must be destroyed by exposing and de-magnetizing to very strong magnetic media or by physical destruction methods such as burning and melting. Our company can agree with an expert for this procedure, if necessary.
d-Units such as magnetic disc
They are media that store data with the help of micro magnet pieces on flexible (plate) or fixed media. It must be destroyed by exposing and de-magnetizing to very strong magnetic media or by physical destruction methods such as burning and melting. Our company can agree with an expert for this procedure, if necessary.
e-Mobile phones (simcard and fixed memory areas)
There are erase commands in fixed memory areas on portable smartphones, but most do not have a destroying command. It should be destroyed by using one or more of the appropriate methods specified in the Local Systems section.
f-Optical discs
They are data storage media such as CDs and DVDs. It must be destroyed by physical destruction methods such as incineration, fragmentation, and melting. Our company can agree with an expert for this procedure, if necessary.
g- Peripherals such as printers, fingerprint access systems with removable data recording media
It is necessary to verify that all data recording media have been removed and be destroyed by using one or more of the appropriate methods specified in the Local Systems section, depending on their characteristics. Our company can agree with an expert for this procedure, if necessary. h- Peripherals such as printer, fingerprint door access system with fixed data recording medium
Most of the systems in question have a delete command, but no command to destroy. It must be destroyed by using one or more of the appropriate methods specified by the IT officer / consultant.
3. Paper and microfiche and Related Media
Paper shredder or clipping machines are used when performing the process of destroying personal data in paper and microfiche and similar media. Personal data transferred from the original paper format to the electronic environment by scanning should be destroyed by using one or more of the appropriate methods specified in the Local Systems section according to the electronic environment in which they are located. Our company can agree with an expert for this procedure, if necessary.
4. Cloud Environment
During the storage and use of personal data in cloud systems, it is required to be encrypted with cryptographic methods and, where possible, for personal data, especially for each cloud solution that is served, separate encryption keys should be used. When the cloud computing service relationship ends; All copies of encryption keys required to make personal data usable must be destroyed. In addition to the above environments, the processes for the destruction of personal data in devices that are malfunctioning or sent for maintenance are carried out as follows .
1. maintenance of the relevant device manufacturer for repair, dealer, before being transferred to third parties within the personal services such as data Local System are specified in the section appropriate methods one or the few to be used by do not be,
2. In cases where destruction is not possible or appropriate, the data storage medium is disassembled and stored, other defective parts are sent to third institutions such as manufacturer, dealer, service ,
3. Necessary precautions must be taken to prevent personnel coming from outside for maintenance and repair purposes from copying personal data and removing them outside the organization .
8.5 Techniques for Anonymizing Personal Data
Our company , when eliminating the cause of the processing of personal data processed in accordance with the law and personal data, if needed, can anonymization. Anonymization techniques to be used by our company if needed are listed below .
1. Masking
Data masking is a method of anonymizing personal data by extracting the basic identifying information of personal data from the data set.
“The name that enables the identification of the personal data owner, TR Identity Number, etc. By extracting the information, it is transformed into a data set in which identification of the personal data owner becomes impossible. “
“If a part of the person’s credit card number is starred, there is masking. (09988 **** **** 87806) ”
2. Aggregation
With the data aggregation method, many data are aggregated and personal data cannot be associated with any person.
“Proving that there are up to Z employees at the age of X without showing the age of the employees individually.”
“The data regarding the fact that the number of female employees in the company is Z and that 40% of the number is university graduate and 60% of the number is graduate have been anonymous.”
3. Data Derivation
With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person.
“In case the person’s age is written directly instead of the Day / Month / Year details of the date of birth information, anonymization has been made by deriving data.”
4. Data Hash
With the data mixing method, it is ensured that the values in the personal data set are mixed and the connection between values and individuals is broken.
“Changing the quality of sound recordings, making the voices and data owner unrelated.”
“In a class whose average age is desired to be taken, data is mixed when values showing the ages of the individuals are interchanged.”
9. Personal Data Storage And Disposal Process in the Location field of Titles, Units and Task Descriptions
All processes related to data processing activities within our company are analyzed on the basis of relevant departments , within this scope, PERSONAL DATA TYPE RECORDING PERIOD AND PLACES LIST is prepared by each department. The persons involved and responsible in the processes of storing and destroying personal data are the most competent employees of each relevant department on a department basis.
10. Protection of Personal Data
In accordance with Article 12 of the KVKK , our company takes the necessary technical and administrative measures to ensure the security of personal data, to prevent unlawful access to personal data and to illegally process these data. Our company takes utmost care to protect sensitive personal data. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special quality personal data and the necessary inspections are provided within our Company.
In the event that the personal data processed by our company is obtained by others through illegal means, our company takes utmost care to ensure that this situation is reported to the relevant personal data owner and the Board as soon as possible.
10.1 Security of Personal Data
10.1.1 Supervision of the Measures Taken for the Protection of Personal Data
Our company conducts internal audits in accordance with Article 12 of the KVKK. The final report of the audit is reported to the relevant managers and in case of a problem, the necessary regulatory and preventive actions are taken.
10.1.2 Personal Data Unauthorized a figure Disclosure Case to be taken Measures
Our company carries out a system that ensures that personal data processed in accordance with Article 12 of the KVK Law are obtained by others illegally, and this situation is reported to the relevant personal data owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this may be announced on the website of the KVK Board or by any other method.
10.2 Protection of Special Quality Personal Data
Special quality personal data are defined in the definitions section.
Our company acts sensitively in the protection of personal data of special nature determined by the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special quality personal data and the necessary inspections are provided within our Company.
11. Rights of the Data Owner and Rules Regarding the Exercise of These Rights
11.1 Rights of Personal Data Owner
Personal Data Owner has the following rights on his personal data.
11.2 of the rights of the owner of Personal Data Handling
The Personal Data Owner may send his request regarding his personal data in written and wet signed form to the address of our Company or by this method if a separate method is determined by the KVK Board.
In the application containing the explanations about the right that the Personal Data Owner will make to use the above-mentioned rights and demand to use; The requested matter should be clear and understandable, the requested subject should be related to the person of the applicant, or if someone is acting on behalf of someone else, it should be specially authorized in this matter and this authorization should be documented, it should also include the identity and address information of the application and documents proving its identity should be attached to the application.
These requests will be made individually and requests made by unauthorized third parties regarding personal data will not be taken into consideration.
11.3 Evaluation of the application
Requests for personal data respond to the request as soon as possible and within thirty days at the latest, depending on the nature of the request. While the application is being evaluated, it may be possible to request additional information and documents.
11.4 Our right to reject the application
If all the conditions for processing personal data are not eliminated, this request may be rejected by our Company with the justification and the rejection response is notified to the relevant person in writing or electronically within thirty days at the latest.
11.5 Application evaluation procedure
If the request is accepted, the relevant process is applied and a written or electronic notification is made. If the decision to destroy personal data is taken by our Company as a result of the examination of the accepted applications, the destruction process will be carried out by the Data Controller Representative within 30 (thirty) days at the latest or in the Law, by using the appropriate method specified in this Policy for destruction.
It is carried out within the prescribed period and the relevant person is informed. If the request is rejected, the reason is explained to the applicant in writing or electronically.
12. Information on Our Company’s Data Processing Processes
12.1 Types of Personal Data Processed by the Company
Within our company, the relevant persons are informed in accordance with Article 10 of the Law, and personal data are processed based on one or more of the personal data processing conditions specified in Article 5 of the Law and in accordance with the law and honesty rules in line with the legitimate purposes of our Company. Storage and disposal periods are specified in the Personal Data Processing Inventory Form.
13. Our company Plants Made In Personal Data Processing Operations with VIA Internet Site Data Processing Operations
13.1 Camera Monitoring in Our Company’s Facilities
In order to ensure security by our company, our Company conducts personal data processing activities in its buildings and facilities with security cameras to monitor guest entrances and exits.
Personal data processing activities are carried out by our Company by using security cameras and recording guest entrance and exit. In this context, our company acts in accordance with the Constitution, KVKK and other relevant legislation.
The monitoring areas, number of security cameras and when to be monitored are put into practice in a sufficient and limited way to achieve the security purpose. Areas that may cause an intervention to the privacy of the person beyond the security objectives are not subject to monitoring. The rules regarding security, retention and deletion foreseen in the processing of personal data are also applied in terms of camera recordings .
Camera recordings can only be accessed by authorized units. Apart from this, camera recordings are shared with third parties in cases such as a complaint, an internal disciplinary process, a request for information regarding an ongoing legal dispute and similar situations.
13.2 Our Company’s Building, Facility Entrances and Tracking of Guest Entrances and Exits
By our company; The entrance and exit of guests can be followed in our Company’s buildings and facilities for the purpose of ensuring security and for the purposes specified in this Policy.
While obtaining the names and surnames of persons who come to our Company’s buildings as guests, the personal data owners in question are illuminated within the scope of information boards within the Company, texts made available to guests or in other ways. The data obtained for the purpose of tracking guest entry and exit are processed for this purpose only and the relevant personal data are recorded. Data regarding guest entry and exit are deleted after the retention periods expire.
13.3 Website Visitors
On the websites owned by our company; to ensure that those who visit these sites perform their visits on the sites in a suitable manner for visiting purposes; Internet movements within the site are recorded by technical means (eg cookies-cookies) in order to show them customized content and to perform online advertising activities.
13.4 Storage of Records Regarding Internet Access Provided to Our Visitors in Our Company’s Buildings and Facilities
For the purpose of ensuring security by our company and for the purposes specified in this Policy; Internet access can be provided to our visitors who request during their stay in our buildings and facilities by our company. In this case, the log records regarding your internet access are recorded in accordance with the Law No. 5651 and the governing provisions of the legislation regulated according to this Law; These records are only processed when requested by the authorized public institutions and organizations or in order to fulfill our legal obligation in the audit processes to be carried out within the Company. Only a limited number of employees of our Company have access to the log records obtained within this framework . Company employees, who have access to the aforementioned records, access these records only for use in the request or audit processes from the authorized public institutions and organizations and share them with legally authorized persons. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
ANNEX 1
Types of Personal Data | Explanation | Personal Data Category |
---|---|---|
TR ID number, nationality information, passport number, name-surname, place of birth, date of birth, age, place of birth, certificate of identity card copy, tax number, SGK number, gender and similar information | Identification of an identified or identifiable natural person belonging is clear who and data recording system located in, driving license, identity card, residence, passport, attorney’s identity, marriage certificate as information contained in documents | Identity Information |
E-mail address, phone number, address, IP address and similar information | Identification of an identified or identifiable natural person belonging is clear who and data recording system located within, which is used to communicate with the contact information | Communication information |
Location data obtained during the use of company vehicles | Identification of an identified or identifiable natural person belonging is clear who and data recording system located within, for detecting the position of the data subject data | Location Data |
Identity information, contact information and professional, educational information about the children and spouses of the personal data owner informations | Identification of an identified or identifiable natural person belonging is clear who and data recording system located within the respective companies and data have legal processed in order to protect their interests information about family members and relatives of the data subject | Family Members and Relatives Information |
Entry-exit logs, visit information, camera records and similar information | Personal data regarding the records and documents that are clearly belonging to an identified or identifiable natural person and that are included in the data recording system , at the entrance to the physical space, during the stay in the physical space. | Physical Space Security Information |
The processed personal data regarding all kinds of financial results, documents and records created according to the type of legal relationship our COMPANY has established with the personal data owner, and data such as bank account number, IBAN number, credit card information, financial profile, assets data, income information | Identity identified or identifiable natural person belonging is clear who and data recording system contained in personal data with the owner of the existing legal relationship to the type of all kinds of financial results showing information created, according to documents and records individual within the scope of data | Financial Information |
All kinds of information and documents required by law to be included in the personal file; Salary amount, SSI premiums, payrolls and similar information | Identification of an identified or identifiable natural person belonging is clear who and data recording system located within the employees’ personal rights fundamental to the formation of the personal data. | Personal Information |
CV, interview notes, personality test results and similar information | Identification of an identified or identifiable natural person belonging is clear who and data recording system located within, our company started to share data with the information to do the job application, application evaluation process used in personal data. | Employee Candidate Information |
Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, costume and dress, association, foundation or union membership information, data on health and sexual life, data on criminal convictions and security measures, biometric data, genetic data | Identity identified or identifiable natural person belonging is clear who and data recording system located within the race of persons, ethnic origin, political opinion, philosophical belief, religion, creed or other beliefs, costumes and dress, association, foundation or union membership, data on his health, sexual life, criminal conviction and security measures with biometric and genetic data. | Special Quality Personal Data |
All kinds of requests and complaints against our COMPANY , and related records and reports | Identification of an identified or identifiable natural person belonging is clear who and data recording system located within, COMPANY ‘ to any kind of request or receipt of the complaint, which is directed on the assessment and personal data | Request / Complaint Management Information |
Photographs, camera recordings and sound recordings | Identification of an identified or identifiable natural person belonging is clear who and data recording system within field of personal data by having associated visual and audio recordings. | Audio / Visual Data |
ANNEX-2
Personal Data Owner Category | Explanation |
---|---|
Employees | Persons working in our company in accordance with the business contract made between our company |
Employee Candidate | Real persons who have applied for a job to our company in any way or who have opened their curriculum vitae and related information to our Company for inspection. |
Collaborating Employees, Shareholders and Officials of Institutions | Real persons working in institutions with which our company has all kinds of business relations (such as business partners, suppliers, but not limited to them), including the shareholders and officials of these institutions |
Customer | Real persons whose personal data are obtained through business relations within the scope of the operations carried out by the business units of our Company , regardless of whether they have any contractual relationship with our company. |
Potential Customer | Real persons who have been interested in our products or who have been evaluated in accordance with the rules of commercial practice and honesty to whom they may have this interest. |
Company Shareholder | Real persons who are the shareholders of our company |
Company Official | Board member of our company and other authorized real persons |
Third Person | Third-party natural persons (e.g. family members and relatives) or other real persons not covered by this policy in order to ensure the security of commercial transactions between our company and the parties mentioned above or to protect the rights of the aforementioned persons and to obtain benefits. |
Visitor | Entering the physical sites owned by our company for various purposes or Real persons visiting our websites |
ANNEX-3
Persons for Data Transfer | Definition of | Data Transfer Purpose |
---|---|---|
Shareholders | Shareholders of our company | Designing strategies for the commercial activities of our company and auditing according to the provisions of the relevant legislation |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from our company in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant public institutions and organizations within the legal authority |
Legally Authorized Private Law Persons | Private law persons authorized to receive information and documents from our company in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant private law persons within the legal authority |
Business Units | Our business units within our company that need to be transferred | Limited to the purpose and scope of the execution of business processes within our organizational structure |
Business Partner | Business related to the commercial activities of our company It defines the parties with which it establishes a partnership. | Establishing the objectives of the business partnership ensure fulfillment |
Affiliates | Companies in which our company is a shareholder | Ensuring that the commercial activities of our company that require the participation of its affiliates are carried out |
Company official | Board member of our company and other authorized real persons | Designing strategies for the commercial activities of our company and auditing according to the provisions of the relevant legislation |
Suppliers | It defines the parties that provide services to our Company on a contract basis in accordance with our Company’s orders and instructions while conducting the commercial activities of our company. | The services provided by our company outsourced from the supplier and necessary to carry out the commercial activities of our company are provided to our Company. provide to be presented |
FOR CONTACT :
Bomaksan Industrial Air Filtration Systems San. Tic. A.S
Head Office Address: Küçükbakkalköy Mah. Serdar Sk. Gresan Plaza No: 1/14 Ataşehir İstanbul Merkez Tel : (+90) 216 541 93 34
Mail: kvk.bilgi@bomaksan.com
PEP Address: bomaksan@hs01.kep.tr
© 2017 - 2022 Bomaksan Industrial Air Filtration Systems. All Rights Reserved.