GDPR Policy

BOMAKSAN KVKK PERSONAL DATA SECURITY MANAGEMENT SYSTEM

PERSONAL DATA

POLICY OF HANDLING, STORAGE AND DESTRUCTION

1. Introduction

In accordance with the law numbered 6698, the safe protection, processing, transfer, deletion and destruction of personal data in both physical and digital environments Bomaksan Endüstriyel Hava Filtration Sistemleri San. Tic. A.S. and the necessary administrative and technical measures are taken in all our processes in this direction. All activities of our company regarding the protection of personal data are carried out in accordance with this Policy of Storing, Processing, Transferring and Disposal of Personal Data (” Policy “).

Our company will analyze the personal data processing activities carried out by taking this Policy as a guide and will take all technical and administrative measures to comply with the Policy. After the determined actions and measures are implemented, compliance with this policy will be ensured by operating internal audit mechanisms.

2. Purpose of the Policy

The main purpose of this Policy is to determine the individuals whose personal data we are processing; Our company ‘ of personal data processing, preservation, protection, deleting activities, the measures taken in this context, the rights of owners of data and to be informed on issues such as the use of methods such rights

3. Scope of the Policy

The scope of this Policy; are all personal data of identified or identifiable persons whose data we are processing . The stated articles in the policy also include all kinds of information and documents that can be associated with an identified or identifiable natural person, and the measures taken and regulations made in relation to them.

4. Enforcement of the Policy

This Policy, prepared by our company , entered into force on 20/09/2020 . In case of revision of all or certain articles of the Policy, the revision date of the Policy will be specified.

In case of inconsistency between the current legislation and the Policy, the provisions of the legislation will be applied with priority. If there is another policy or regulation on the same subject for more specific purposes other than this basic Policy, the articles containing special provisions are applied first. Provisions of other policies and documents that conflict with this Policy and the relevant legislation are not applied.

5. Definitions

DEFINITIONEXPLANATION
Open ConsentConsent on a specific subject, based on information and expressed with free will
Anonymous RenderMaking personal data unrelated to an identified or identifiable natural person by matching other data
WorkingEmployees of our company and its affiliated companies
Employee CandidateCandidate interviewed for recruitment
Related personThe real person whose personal data is processed
Related UserExcept for the person or unit responsible for the technical storage, protection and backup of the data, the persons who process personal data within the organization of the Data Controller or in accordance with the authorization and instruction received from the Data Controller.
DestructionThe process of deletion, destruction or anonymization of personal data
LawPersonal Data Protection Law No. 6698
Recording MediumAny environment containing personal data that is fully or partially automated or processed in non-automatic ways, provided that it is a part of any data recording system.
Personal DataAll kinds of information regarding an identified or identifiable natural person
Personal Data Processing Inventory FormPersonal data processing activities carried out by data controllers depending on the business processes; personal data processing purposes, categories of data, the export recipient group and gives the person purposes actions they create their personal data associating with a group for necessary the maximum time, foreign countries transfer specified personal data and the document detailed by explaining the measures taken regarding data security.
Making Personal Data AnonymousAnonymizing personal data, making personal data unrelated to an identified or identifiable natural person under any circumstances, even if they are matched with other data.
Destruction of Personal DataThe process of deletion, anonymization or destruction of personal data
Deletion of Personal DataThe process of making personal data inaccessible and unavailable in any way for relevant users
Destruction of Personal DataThe process of destroying personal data, making personal data inaccessible, unrecoverable and reusable in any way.
KVKKPersonal Data Protection Law published in the Official Gazette dated April 7, 2016 and numbered 29677
KVK BoardPersonal Data Protection Board
Special Quality Personal DataPeople’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and biometric and genetic data
Periodic DestructionThe deletion, destruction or anonymization process specified in the personal data storage and disposal policy and to be carried out ex officio at repeated intervals in the event that all the conditions for processing personal data in the KVKK are eliminated.
Data Record SystemA registry system where Personal Data is structured and processed according to certain criteria.
VERBIS (Data Registry Information System)The information system that data controllers will use in the application to the Registry and in other related transactions related to the Registry, accessible on the internet, created and managed by the Presidency.
Data ProcessorThe real who processes personal data on his behalf based on the authority given by the Data Controller or legal person
Data Controller Representative

The data recording system that determines the purposes and means of processing personal data. Natural or legal person responsible for establishment and management

6. Rules Regarding the Processing of Personal Data       

6.1 Processing of Personal Data in Compliance with the Principles Stipulated in Legislation

Our company processes personal data in accordance with the provisions and rules stipulated in the Personal Data Protection Law No.6698 (” Law “) and other relevant legislation. Personal data processing principles are determined in the Law. Our company acts in accordance with these principles in every data processing activity.

6.1.1 Processing in Compliance with Law and Good Faith

Our company acts in accordance with legal regulations and the rule of honesty in the processing of personal data. In this context, our Company processes personal data in accordance with the protection legislation and the rules set forth in the relevant legislation, does not process personal data for purposes other than those announced to data owners, and processes only as much personal data as necessary by applying the principles of proportionality and necessity in the processing of personal data.

6.1.2 Correct and if necessary Current Being of Personal Data Provisioning

Our company takes necessary measures in data processing processes to ensure that the processed data is accurate and up to date. In this context, it provides the personal data owner with the opportunity to apply to our Company to update or correct their own data.

6.1.3 Processing for Specific, Clear and Legitimate Purposes

Our company only processes personal data for legitimate purposes. Before our company starts data processing, except for the exceptional cases stipulated in the KVKK, it determines the personal data processing purposes and clearly announces these purposes to the data owners during the acquisition of their personal data.

6.1.4 Being Connected, Limited and Measured for the Purpose of Processing Personal Data

Personal data are processed clearly and precisely for the purpose determined, in a limited and measured manner, and we avoid the processing of unnecessary personal data.

6.2 Conditions for Processing Personal Data

Personal data are processed by our company based on one or more of the personal data processing conditions specified in Articles 5 and 6 of the KVKK, if the person concerned has explicit consent or within the scope of the exceptions specified in the KVKK. Our company processes personal data in accordance with the regulations set forth in the Law. Data processing activities that do not fall within this scope are stopped.

6.2.1 Exceptional Cases Where Explicit Consent is Not Required in the Processing of Personal Data

  • If there is an explicit regulation in the laws that personal data will be processed
  • If the personal data owner is unable to disclose his consent due to actual impossibility, or if it is mandatory for the protection of the life or body integrity of the person whose consent is given legal validity or another person .
  • If it is necessary to process personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract.
  • Our company’s personal data must be processed in order to fulfill the legal obligations while
  • Personal data personal data by the owner-public have the
  • Personal data processing facility is a right, use or necessary for the protection of the
  • Personal data provided to the owner of damaging the fundamental rights and freedoms, the Company ‘s mandatory personal data processed for the legitimate interests of the

6.2.2 Exceptional Cases where Explicit Consent is Not Required in the Processing of Special Quality Personal Data

In exceptional cases stated below and arising from the law, special quality personal data are processed without explicit consent:

  • Special quality personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and clothing, association, foundation or union membership, criminal conviction and security measures) other than the health and sexual life of the special quality personal data owner. relevant data and biometric and genetic data) in cases stipulated by law
  • Personal data of special quality regarding the health and sexual life of the personal data owner, only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, persons or authorized institutions and organizations under the obligation to keep confidentiality. by
  • Adequate measures must be taken with

6.3 Transfer of Personal Data

6.3.1 Domestic Transfer of Personal Data

Our company is able to transfer the personal data it processes for personal data processing purposes to third parties by obtaining the express consent of the relevant person, except for the exceptions mentioned above. In case of need, our company transfers personal data in line with the decisions and regulations stipulated in the KVKK and taken by the KVK Board.

6.3.2 Transfer of Personal Data Abroad

Personal data are not transferred abroad by our company without the express consent of the data owner. If one of the exceptions mentioned above is provided, the person can transfer it to foreign countries where there is sufficient protection or a Data Controller Representative, regardless of whether the data subject has explicit consent.

6.3.3 Institutions / Organizations to Which Personal Data Are Transferred

There are mainly institutions and organizations to which personal data can be transferred, without being limited to those mentioned. This information is detailed in the data inventory form.

6.4 Informing Personal Data Owner

In line with the disclosure obligation in the Law, our company informs the personal data owners about how their personal data will be processed during the acquisition of personal data. In this context, our Company informs data owners on the following issues as a minimum .

  • The identity of the Data Controller and its representative , if any ,
  • For what purpose personal data will be processed,
  • To whom and for what purpose personal data can be transferred,
  • Methods and legal reasons for collecting personal data ,
  • The rights of the personal data owner in accordance with Article 11 of the KVKK.

7. Storage of Personal Data

7.1 Storage of personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed

Our company stores the personal data that it processes in accordance with the principles in the Law, for the period stipulated in the legislation. After the relevant regulations are put into effect by the KVK Board, a contact person will be assigned within the scope of personal data processing activities and registration to VERBIS will be made.

If a certain period is not stipulated in the legislation for the storage of the relevant personal data types, the personal data are kept until the end of the purpose for which they are processed.

In the event that a certain period is not stipulated in the legislation for the storage of the relevant personal data types, the retention periods are determined specific to each data processing purpose. In this context, retention periods are determined by taking into account the practices of our Company and the customs of commercial life.

Personal data; It can be stored for the purpose of providing evidence in possible legal disputes other than the purpose of processing, to assert a right that can be proved by personal data, to establish a defense and to respond to information requests from authorized public institutions. In the establishment of the periods here, the company practice and general practices are taken into consideration in the same issues as the statute of limitations for the right to be asserted.

In cases where our company has a legitimate interest, personal data are subject to the Turkish Code of Obligations numbered 6098, provided that the fundamental rights and freedoms of data owners are not harmed despite the expiration of the purpose of processing and the periods specified in the relevant laws.

It can be stored until the expiry of the general prescription period (ten years). After the expiry of the aforementioned limitation period, personal data will be deleted, destroyed or anonymized according to the specified procedure.

7.1.1 Measures we take regarding the storage of personal data

The KVK Board will be able to introduce detailed regulations on obligations regarding data security. In case of a detailed regulation, in order to comply with the obligations in the regulations, a maximum level of security should be ensured by making a reasonable effort.

Technical Measures:

  • Technical issues authorized staff or external resource usage by ensuring companies within the permanent staff are employed.
  • All processes related to data processing activities within our company are analyzed on the basis of relevant departments, within this scope , Personal Data Processing Inventory Form is prepared by each department and stored as a single data inventory .
  • Databases to store your personal data and software / hardware storage units and similar technical infrastructure are created and used.
  • Risky situations are re-examined and necessary technological solutions are produced.
  • Virus protection systems and the security of the wall containing the software and hardware are also included related software and systems are established.
  • The KVK Law is implemented by the units of our Company under the name of “Personal Data Security Management System” by creating policies and related processes in accordance with all technical requirements .

Administrative Measures:

  • Awareness activities and trainings are carried out on the legal storage of personal data .
  • In case of cooperation with third parties for the storage of personal data, contracts with companies to which personal data are transferred; We include provisions for the persons to whom personal data are transferred to take necessary security measures in order to protect the transferred personal data and to store it securely .
  • We sign confidentiality agreements with subcontractors that transfer personal data to us, and we receive confirmation through these agreements that these data are transferred in accordance with the law .
  • Access to personal data is restricted to employees assigned for the purpose of processing. Employees’ access to personal data that they do not use for their duties should be restricted.
  • Employees work this Policy ‘comply or can be in terms of our company policy ‘ e of the internal network and are published on the website and provisions on labor contracts in place will conform to company procedures and rules are.
  • Provisions regarding taking necessary security measures in order to protect personal data are added to the contracts concluded with the persons to whom personal data are transferred .
  • The KVK Law is implemented by the units of our Company under the name of “Personal Data Security Management System” by creating policies and related processes in accordance with all administrative requirements.

8. Destruction of Personal Data

8.1 Obligation to Destroy Personal Data

Our company , when the specified periods expire, the relevant personal data is destroyed by issuing a report and choosing one of the 3 (three) methods stated below. These:

  • Deletion of personal data
  • Destruction of personal data
  • It is the anonymization of personal data.

Details on these three methods can be found in the following sections. In addition, personal data are deleted, destroyed or anonymized at the request of the personal data owner .

Our company is controlled by the Representative of the Data Responsible at 6 (six) months periodic intervals in the “Personal Data Processing Inventory Form” and the destruction operations are carried out as required, and records (information on destroyed documents) are kept for 3 years as stipulated in the Law .

8.2 Conditions for Disposal of Personal Data

In the event that the reasons requiring the processing of personal data specified in Articles 5 and 6 of the KVKK are eliminated, the personal data are destroyed by our Company, either ex officio or upon the request of the relevant person (data owner), if the request is found positive as a result of the evaluation. In addition, if all the conditions for processing personal data have disappeared and the personal data subject to the request is transferred to third parties, this situation is notified to the third party by our Company; Necessary procedures are requested to be taken by the third party.

8.3 Precautions We Take Regarding the Destruction of Personal Data Technical Measures:

  • For the safe destruction of personal data, technical infrastructures and related control mechanisms and technical measures are established and the appropriate disposal method is determined.
  • Employees with technical expertise in the destruction of personal data are employed or external technical support is received in cases where this process takes place .
  • The destruction of the data in the paper environment is done by the grinding machines. These machines are located in locations that data processors can easily use. 

Administrative Measures:

  • Awareness is raised by informing our employees about the obligations set out in KVKK .
  • With the control mechanisms, it is checked whether the destruction of personal data is done on time and whether the relevant records are taken. In this context, a personal data protection committee will be established or a Data Responsible Representative will be elected, a meeting will be held every 6 (six) months by this committee or the representative to inspect the destruction processes of the relevant departments. Our company in these committees / representatives, every meeting after that create the report Data Specialist knowledge and the approval will be presented.

8.4 Deletion and Destruction of Personal Data

The deletion and destruction of personal data within our company is carried out in accordance with the principles specified in this Policy, using the methods explained below.

8.4.1 Deletion of Personal Data

The Data Responsible Representative assigned within our company is obliged to take all necessary technical and administrative measures to ensure that the deleted personal data cannot be accessed and reused for the relevant users.

8.4.1.1 Deletion Process of Personal Data

The basic process that the Data Controller Representative must follow in the deletion of personal data is as follows.

  • Determining the personal data that will constitute the subject of the destruction process in the “Personal Data Processing Inventory Form”
  • Detailing the groups of Relevant Users on the “Personal Data Processing Inventory Form” on the basis of person / role
  • Access to the relevant user, retrieval, detection methods, such as the qualifications and re-use to be
  • Closing, destroying and keeping the logs of the data to be destroyed and the authorization and methods of access, retrieval and re-use of the relevant Users within the scope of personal data

8.4.1.2 Methods of Deleting Personal Data

Since personal data within our company can be stored in different recording media, they must be deleted by methods appropriate to the recording media. Sample methods used by our company to delete personal data are as follows:

1. Application Type Cloud Solutions as a Service ( such as Google Suite, Google Drive )                   

Personal data are not kept in cloud system applications used in our company . If it is kept, it can be permanently deleted by the Related User. The relevant User is not authorized to retrieve relevant data on the cloud system.

2. The paper found in the Media Personal Data                   

Personal data in the paper environment of our company are destroyed by being passed through a shredder. However, in exceptional cases, it can be erased using the blackout method. This process is done by cutting the personal data on the relevant documents whenever possible, and making them invisible to the relevant users by using fixed ink in a way that cannot be reversed and readable with technological solutions in cases where it is not possible. 

3. Office Files on the Central Server                   

If the relevant User has permanent deletion authorization in the file containing personal data, the file can be deleted in such a way that the file cannot be accessed again with the delete command in the operating system. If there is no permanent deletion authorization, the relevant user’s access rights are removed on the directory where the file is located. While performing these procedures, necessary precautions are taken to ensure that the Related User is not the system administrator at the same time .

4. Personal Data on Portable Media                   

Personal data in Flash-based storage environments within our company are stored encrypted and deleted using software suitable for these environments . 

5. Data Bases                   

Personal data stored in our company’s databases are deleted with database commands (DELETE etc.). While performing this process, it is noted that the Related User is not a database manager at the same time.

8.4.2 Destruction of Personal Data

Personal data destroyed by our company are rendered inaccessible, retrieved and reusable by anyone. The Data Controller Representative is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

8.4.3 Methods of Destroying Personal Data

In order to destroy personal data, all copies of the data must be detected and destroyed one by one using one or more of the following methods, depending on the type of systems in which the data is located .

Our company can agree with an expert to destroy personal data on behalf of itself, when necessary. In this case, no personal data are secure in a manner which can not be recovered again by the person skilled in the art is .

1. Local Systems                   

Our company can use one or more of the following methods to destroy personal data on these local systems.

a – De-magnetize

It is the process of unreadable degradation of the data on the magnetic media by passing it through a special device and exposing it to a very high magnetic field. Our company can agree with an expert for this procedure, if necessary.

b – Physical destruction

It is the process of physical destruction of optical media and magnetic media, such as melting, burning or pulverizing. It is ensured that the data is inaccessible by processes such as melting, burning, pulverizing or passing the optical or magnetic media through a metal grinder. For solid state disks, if overwriting or de-magnetizing is not successful, this media must also be physically destroyed. Our company can agree with an expert for this procedure, if necessary .

c – Overwrite

It is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media / USB memory or portable HDD. This process is done using special software. Our company can agree with an expert for this procedure, if necessary.

2. Environmental Systems                   

Depending on the type of environment, our company can use the appropriate method to destroy personal data on these environmental systems.

a-Network devices (nas etc.)

The storage media inside the devices in question are fixed. Products often have a delete command but no destruction feature. It is destroyed by using one or more of the appropriate methods specified in the Local Systems section.

b-Flash based environments

Flash-based hard disks have ATA (SATA, PATA, etc.), SCSI (SCSI Express, etc.) interfaces, using the command if supported, using the manufacturer’s recommended destruction method if not supported, or using one or more of the appropriate methods specified in the Local Systems section. is being destroyed.

c-Magnetic Tape

They are the media that store the data with the help of micro magnet pieces on the flexible tape. It must be destroyed by exposing and de-magnetizing to very strong magnetic media or by physical destruction methods such as burning and melting. Our company can agree with an expert for this procedure, if necessary.

d-Units such as magnetic disc

They are media that store data with the help of micro magnet pieces on flexible (plate) or fixed media. It must be destroyed by exposing and de-magnetizing to very strong magnetic media or by physical destruction methods such as burning and melting. Our company can agree with an expert for this procedure, if necessary.

e-Mobile phones (simcard and fixed memory areas)

There are erase commands in fixed memory areas on portable smartphones, but most do not have a destroying command. It should be destroyed by using one or more of the appropriate methods specified in the Local Systems section.

f-Optical discs

They are data storage media such as CDs and DVDs. It must be destroyed by physical destruction methods such as incineration, fragmentation, and melting. Our company can agree with an expert for this procedure, if necessary.

g- Peripherals such as printers, fingerprint access systems with removable data recording media

It is necessary to verify that all data recording media have been removed and be destroyed by using one or more of the appropriate methods specified in the Local Systems section, depending on their characteristics. Our company can agree with an expert for this procedure, if necessary. h- Peripherals such as printer, fingerprint door access system with fixed data recording medium

Most of the systems in question have a delete command, but no command to destroy. It must be destroyed by using one or more of the appropriate methods specified by the IT officer / consultant.

3. Paper and microfiche and Related Media                   

Paper shredder or clipping machines are used when performing the process of destroying personal data in paper and microfiche and similar media. Personal data transferred from the original paper format to the electronic environment by scanning should be destroyed by using one or more of the appropriate methods specified in the Local Systems section according to the electronic environment in which they are located. Our company can agree with an expert for this procedure, if necessary.

4. Cloud Environment                   

During the storage and use of personal data in cloud systems, it is required to be encrypted with cryptographic methods and, where possible, for personal data, especially for each cloud solution that is served, separate encryption keys should be used. When the cloud computing service relationship ends; All copies of encryption keys required to make personal data usable must be destroyed. In addition to the above environments, the processes for the destruction of personal data in devices that are malfunctioning or sent for maintenance are carried out as follows .

1. maintenance of the relevant device manufacturer for repair, dealer, before being transferred to third parties within the personal services such as data Local System are specified in the section appropriate methods one or the few to be used by do not be,                   

2. In cases where destruction is not possible or appropriate, the data storage medium is disassembled and stored, other defective parts are sent to third institutions such as manufacturer, dealer, service ,                   

3. Necessary precautions must be taken to prevent personnel coming from outside for maintenance and repair purposes from copying personal data and removing them outside the organization .

8.5 Techniques for Anonymizing Personal Data

Our company , when eliminating the cause of the processing of personal data processed in accordance with the law and personal data, if needed, can anonymization. Anonymization techniques to be used by our company if needed are listed below . 

1. Masking                   

Data masking is a method of anonymizing personal data by extracting the basic identifying information of personal data from the data set.

“The name that enables the identification of the personal data owner, TR Identity Number, etc. By extracting the information, it is transformed into a data set in which identification of the personal data owner becomes impossible. “

“If a part of the person’s credit card number is starred, there is masking. (09988 **** **** 87806) ”

2. Aggregation                   

With the data aggregation method, many data are aggregated and personal data cannot be associated with any person.

“Proving that there are up to Z employees at the age of X without showing the age of the employees individually.”

“The data regarding the fact that the number of female employees in the company is Z and that 40% of the number is university graduate and 60% of the number is graduate have been anonymous.”

3. Data Derivation                   

With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person.

“In case the person’s age is written directly instead of the Day / Month / Year details of the date of birth information, anonymization has been made by deriving data.”

4. Data Hash                   

With the data mixing method, it is ensured that the values ​​in the personal data set are mixed and the connection between values ​​and individuals is broken.

“Changing the quality of sound recordings, making the voices and data owner unrelated.”

“In a class whose average age is desired to be taken, data is mixed when values ​​showing the ages of the individuals are interchanged.”

9. Personal Data Storage And Disposal Process in the Location field of Titles, Units and Task Descriptions

All processes related to data processing activities within our company are analyzed on the basis of relevant departments , within this scope, PERSONAL DATA TYPE RECORDING PERIOD AND PLACES LIST is prepared by each department. The persons involved and responsible in the processes of storing and destroying personal data are the most competent employees of each relevant department on a department basis.

10. Protection of Personal Data

In accordance with Article 12 of the KVKK , our company takes the necessary technical and administrative measures to ensure the security of personal data, to prevent unlawful access to personal data and to illegally process these data. Our company takes utmost care to protect sensitive personal data. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special quality personal data and the necessary inspections are provided within our Company.

In the event that the personal data processed by our company is obtained by others through illegal means, our company takes utmost care to ensure that this situation is reported to the relevant personal data owner and the Board as soon as possible.

10.1 Security of Personal Data

10.1.1 Supervision of the Measures Taken for the Protection of Personal Data

Our company conducts internal audits in accordance with Article 12 of the KVKK. The final report of the audit is reported to the relevant managers and in case of a problem, the necessary regulatory and preventive actions are taken.

10.1.2 Personal Data Unauthorized a figure Disclosure Case to be taken Measures

Our company carries out a system that ensures that personal data processed in accordance with Article 12 of the KVK Law are obtained by others illegally, and this situation is reported to the relevant personal data owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this may be announced on the website of the KVK Board or by any other method.

10.2 Protection of Special Quality Personal Data

Special quality personal data are defined in the definitions section.

Our company acts sensitively in the protection of personal data of special nature determined by the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special quality personal data and the necessary inspections are provided within our Company. 

11. Rights of the Data Owner and Rules Regarding the Exercise of These Rights

11.1 Rights of Personal Data Owner

Personal Data Owner has the following rights on his personal data.

  • Learning whether personal data is processed ,
  • If their personal data has been processed, to request information regarding this, 
  • Learning the purpose of processing personal data and whether they are used appropriately for their purpose ,
  • To know the third parties to whom personal data are transferred domestically or abroad ,
  • To request correction of personal data in case of incomplete or incorrect processing ,
  • Personal data processing requires the causes disappearance as personal data wipe, or none of the request,
  • The above -mentioned correction, deletion or not to process the, personal data transferred to third persons to be notified request,
  • Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems ,
  • To request the compensation of the damage in case of damage due to the processing of personal data illegally.

11.2 of the rights of the owner of Personal Data Handling

The Personal Data Owner may send his request regarding his personal data in written and wet signed form to the address of our Company or by this method if a separate method is determined by the KVK Board.

In the application containing the explanations about the right that the Personal Data Owner will make to use the above-mentioned rights and demand to use; The requested matter should be clear and understandable, the requested subject should be related to the person of the applicant, or if someone is acting on behalf of someone else, it should be specially authorized in this matter and this authorization should be documented, it should also include the identity and address information of the application and documents proving its identity should be attached to the application.

These requests will be made individually and requests made by unauthorized third parties regarding personal data will not be taken into consideration.

11.3 Evaluation of the application

Requests for personal data respond to the request as soon as possible and within thirty days at the latest, depending on the nature of the request. While the application is being evaluated, it may be possible to request additional information and documents.

11.4 Our right to reject the application

If all the conditions for processing personal data are not eliminated, this request may be rejected by our Company with the justification and the rejection response is notified to the relevant person in writing or electronically within thirty days at the latest.

11.5 Application evaluation procedure

If the request is accepted, the relevant process is applied and a written or electronic notification is made. If the decision to destroy personal data is taken by our Company as a result of the examination of the accepted applications, the destruction process will be carried out by the Data Controller Representative within 30 (thirty) days at the latest or in the Law, by using the appropriate method specified in this Policy for destruction. 

It is carried out within the prescribed period and the relevant person is informed. If the request is rejected, the reason is explained to the applicant in writing or electronically.

12. Information on Our Company’s Data Processing Processes

12.1 Types of Personal Data Processed by the Company

Within our company, the relevant persons are informed in accordance with Article 10 of the Law, and personal data are processed based on one or more of the personal data processing conditions specified in Article 5 of the Law and in accordance with the law and honesty rules in line with the legitimate purposes of our Company. Storage and disposal periods are specified in the Personal Data Processing Inventory Form.

13. Our company Plants Made In Personal Data Processing Operations with VIA Internet Site Data Processing Operations

13.1 Camera Monitoring in Our Company’s Facilities

In order to ensure security by our company, our Company conducts personal data processing activities in its buildings and facilities with security cameras to monitor guest entrances and exits.

Personal data processing activities are carried out by our Company by using security cameras and recording guest entrance and exit. In this context, our company acts in accordance with the Constitution, KVKK and other relevant legislation.

The monitoring areas, number of security cameras and when to be monitored are put into practice in a sufficient and limited way to achieve the security purpose. Areas that may cause an intervention to the privacy of the person beyond the security objectives are not subject to monitoring. The rules regarding security, retention and deletion foreseen in the processing of personal data are also applied in terms of camera recordings .

Camera recordings can only be accessed by authorized units. Apart from this, camera recordings are shared with third parties in cases such as a complaint, an internal disciplinary process, a request for information regarding an ongoing legal dispute and similar situations.

13.2 Our Company’s Building, Facility Entrances and Tracking of Guest Entrances and Exits

By our company; The entrance and exit of guests can be followed in our Company’s buildings and facilities for the purpose of ensuring security and for the purposes specified in this Policy.

While obtaining the names and surnames of persons who come to our Company’s buildings as guests, the personal data owners in question are illuminated within the scope of information boards within the Company, texts made available to guests or in other ways. The data obtained for the purpose of tracking guest entry and exit are processed for this purpose only and the relevant personal data are recorded. Data regarding guest entry and exit are deleted after the retention periods expire.

13.3 Website Visitors

On the websites owned by our company; to ensure that those who visit these sites perform their visits on the sites in a suitable manner for visiting purposes; Internet movements within the site are recorded by technical means (eg cookies-cookies) in order to show them customized content and to perform online advertising activities.

13.4 Storage of Records Regarding Internet Access Provided to Our Visitors in Our Company’s Buildings and Facilities

For the purpose of ensuring security by our company and for the purposes specified in this Policy; Internet access can be provided to our visitors who request during their stay in our buildings and facilities by our company. In this case, the log records regarding your internet access are recorded in accordance with the Law No. 5651 and the governing provisions of the legislation regulated according to this Law; These records are only processed when requested by the authorized public institutions and organizations or in order to fulfill our legal obligation in the audit processes to be carried out within the Company. Only a limited number of employees of our Company have access to the log records obtained within this framework . Company employees, who have access to the aforementioned records, access these records only for use in the request or audit processes from the authorized public institutions and organizations and share them with legally authorized persons. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.

ANNEX 1

Types of Personal DataExplanationPersonal Data Category

TR ID number, nationality information, passport number, name-surname, place of birth, date of birth, age, place of birth, certificate of identity card copy, tax number, SGK number, gender and similar information

Identification of an identified or identifiable natural person belonging is clear who and data recording system located in, driving license, identity card, residence, passport, attorney’s identity, marriage certificate as information contained in documents

Identity Information
E-mail address, phone number, address, IP address and similar informationIdentification of an identified or identifiable natural person belonging is clear who and data recording system located within, which is used to communicate with the contact informationCommunication information
Location data obtained during the use of company vehiclesIdentification of an identified or identifiable natural person belonging is clear who and data recording system located within, for detecting the position of the data subject dataLocation Data

Identity information, contact information and professional, educational information about the children and spouses of the personal data owner informations

Identification of an identified or identifiable natural person belonging is clear who and data recording system located within the respective companies and data have legal processed in order to protect their interests information about family members and relatives of the data subject

Family Members and Relatives Information
Entry-exit logs, visit information, camera records and similar informationPersonal data regarding the records and documents that are clearly belonging to an identified or identifiable natural person and that are included in the data recording system , at the entrance to the physical space, during the stay in the physical space.Physical Space Security Information
The processed personal data regarding all kinds of financial results, documents and records created according to the type of legal relationship our COMPANY has established with the personal data owner, and data such as bank account number, IBAN number, credit card information, financial profile, assets data, income informationIdentity identified or identifiable natural person belonging is clear who and data recording system contained in personal data with the owner of the existing legal relationship to the type of all kinds of financial results showing information created, according to documents and records individual within the scope of dataFinancial Information
All kinds of information and documents required by law to be included in the personal file; Salary amount, SSI premiums, payrolls and similar informationIdentification of an identified or identifiable natural person belonging is clear who and data recording system located within the employees’ personal rights fundamental to the formation of the personal data.Personal Information
CV, interview notes, personality test results and similar informationIdentification of an identified or identifiable natural person belonging is clear who and data recording system located within, our company started to share data with the information to do the job application, application evaluation process used in personal data.Employee Candidate Information
Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, costume and dress, association, foundation or union membership information, data on health and sexual life, data on criminal convictions and security measures, biometric data, genetic data

Identity identified or identifiable natural person belonging is clear who and data recording system located within the race of persons, ethnic origin, political opinion, philosophical belief, religion, creed or other beliefs, costumes and dress, association, foundation or union membership, data on his health, sexual life, criminal conviction and security measures with biometric and genetic data.

Special Quality Personal Data
All kinds of requests and complaints against our COMPANY , and related records and reportsIdentification of an identified or identifiable natural person belonging is clear who and data recording system located within, COMPANY ‘ to any kind of request or receipt of the complaint, which is directed on the assessment and personal dataRequest / Complaint Management Information
Photographs, camera recordings and sound recordings

Identification of an identified or identifiable natural person belonging is clear who and data recording system within field of personal data by having associated visual and audio recordings.

Audio / Visual Data

ANNEX-2

Personal Data Owner CategoryExplanation
EmployeesPersons working in our company in accordance with the business contract made between our company
Employee CandidateReal persons who have applied for a job to our company in any way or who have opened their curriculum vitae and related information to our Company for inspection.

Collaborating Employees, Shareholders and Officials of Institutions

Real persons working in institutions with which our company has all kinds of business relations (such as business partners, suppliers, but not limited to them), including the shareholders and officials of these institutions
CustomerReal persons whose personal data are obtained through business relations within the scope of the operations carried out by the business units of our Company , regardless of whether they have any contractual relationship with our company.
Potential CustomerReal persons who have been interested in our products or who have been evaluated in accordance with the rules of commercial practice and honesty to whom they may have this interest.
Company ShareholderReal persons who are the shareholders of our company
Company OfficialBoard member of our company and other authorized real persons
Third PersonThird-party natural persons (e.g. family members and relatives) or other real persons not covered by this policy in order to ensure the security of commercial transactions between our company and the parties mentioned above or to protect the rights of the aforementioned persons and to obtain benefits.
Visitor

Entering the physical sites owned by our company for various purposes or Real persons visiting our websites

ANNEX-3

Persons for Data TransferDefinition ofData Transfer Purpose
ShareholdersShareholders of our companyDesigning strategies for the commercial activities of our company and auditing according to the provisions of the relevant legislation
Legally Authorized Public Institutions and OrganizationsPublic institutions and organizations authorized to receive information and documents from our company in accordance with the provisions of the relevant legislationLimited to the purpose requested by the relevant public institutions and organizations within the legal authority
Legally Authorized Private Law PersonsPrivate law persons authorized to receive information and documents from our company in accordance with the provisions of the relevant legislationLimited to the purpose requested by the relevant private law persons within the legal authority
Business UnitsOur business units within our company that need to be transferredLimited to the purpose and scope of the execution of business processes within our organizational structure
Business Partner

Business related to the commercial activities of our company

It defines the parties with which it establishes a partnership.

Establishing the objectives of the business partnership ensure fulfillment

AffiliatesCompanies in which our company is a shareholderEnsuring that the commercial activities of our company that require the participation of its affiliates are carried out
Company officialBoard member of our company and other authorized real personsDesigning strategies for the commercial activities of our company and auditing according to the provisions of the relevant legislation
SuppliersIt defines the parties that provide services to our Company on a contract basis in accordance with our Company’s orders and instructions while conducting the commercial activities of our company.

The services provided by our company outsourced from the supplier and necessary to carry out the commercial activities of our company are provided to our Company. provide to be presented

FOR CONTACT :              

Bomaksan Industrial Air Filtration Systems San. Tic. A.S 

Head Office Address: Küçükbakkalköy Mah. Serdar Sk. Gresan Plaza No: 1/14 Ataşehir İstanbul Merkez Tel : (+90) 216 541 93 34                            

Mail: kvk.bilgi@bomaksan.com

PEP Address: bomaksan@hs01.kep.tr