OUR PERSONAL DATA PROTECTION POLICY
- Policy, Scope and Purpose
1.1. The Board of Directors and management team of Sarkap İç ve Dış Ticaret Anonim Şirketi undertake to comply with the Constitution of the Republic of Turkey, the Law on Protection of Personal Data No 6698 (“LPPD”) and principles and rules set out in the other legislation on protection of personal data and protect the rights and freedom of the individuals whose personal data are processed by Sarkap İç ve Dış Ticaret Anonim Şirketi. The Board of Directors has adopted a written personal data protection policy and system to be implemented and developed for this purpose.
The policy provisions cover all information systems and sub-information, agreements, environmental and physical areas and the systems and regulations created for the processing of personal data in the fields of activity and operational areas of Sarkap İç ve Dış Ticaret Anonim Şirketi. This policy encompasses all units, employees of the companies that provide support, apprentices and contracted personnel of Sarkap İç ve Dış Ticaret Anonim Şirketi.
1.3. Purpose of Protection of Personal Data and System
The purpose of the Personal Data Protection Policy and System is to ensure that Sarkap İç ve Dış Ticaret Anonim Şirketi establishes and implements its own standards in the management of personal data; identify and support organizational objectives and obligations; establish the control mechanisms in line with the acceptable risk level of Sarkap İç ve Dış Ticaret Anonim Şirketi; perform all obligations of Sarkap İç ve Dış Ticaret Anonim Şirketi pursuant to the international agreements on protection of personal data, the Constitution, laws, agreements and professional rules; and protect the interests of the individuals in the best manner possible.
1.4. Sarkap İç ve Dış Ticaret Anonim Şirketi will comply with the personal data protection legislation and the data protection principles. The data protection principles adopted by Sarkap İç ve Dış Ticaret Anonim Şirketi are as follows:
- Process personal data only if explicitly required for legitimate corporate purposes;
- Process personal data on the minimum scale required for these purposes and do not process more data than necessary;
- Provide individuals with clear information about by whom and how their personal data are used;
- Process only relevant and appropriate personal data;
- Process personal data in a fair and lawful manner;
- Maintain an inventory of categories of personal data processed by Ambalaj Sanayi ve Ticaret Anonim Şirketi;
- Keep personal data accurate and up to date when necessary;
- Retain the personal data only for as long as required by legal regulations, legal obligations or legitimate corporate interests of Sarkap İç ve Dış Ticaret Anonim Şirketi;
- Respect the rights of individuals with respect to their personal data, including the right of access;
- Keep all personal data secure;
- Transfer personal data abroad only if adequate protection is available;
- Apply the exceptions allowed under the legislation;
- Establish and implement a personal data protection system for implementation of the policy;
- Determine, if necessary, the internal and external stakeholders who are parties to the personal data protection system and the extent to which they are involved in the personal data protection system of Sarkap İç ve Dış Ticaret Anonim Şirketi;
- Identify the employee(s) having special authorities and responsibilities related to the personal data protection system.
1.5. Sarkap İç ve Dış Ticaret Anonim Şirketi informs the Personal Data Protection Board (“PDP Board”) about its capacity as the controller and the categories of personal data it processes. Sarkap İç ve Dış Ticaret Anonim Şirketi determines all categories of personal data that it processes in its personal data inventory.
1.6. The notification will be made in accordance with the procedure and method to be determined by the PDP Board and a copy of the notification will be kept by the Personal Data Protection Committee (“PDP Committee”) of Sarkap İç ve Dış Ticaret Anonim Şirketi.
1.7. The notifications will be periodically repeated if deemed necessary by the relevant legislation or the PDP Board.
1.8. The PDP Committee reviews the data processing activities of Sarkap İç ve Dış Ticaret Anonim Şirketi and any changes thereof annually in order to identify potential changes to the notification made to the PDP Board and informs the PDP Board if necessary.
This policy encompasses all units, employees of the companies that provide support, the apprentices and contracted personnel of Sarkap İç ve Dış Ticaret Anonim Şirketi. Disciplinary legislation of Sarkap İç ve Dış Ticaret Anonim Şirketi will be applied to all acts breaching the LPPD or this policy, and if the violation constitutes a crime or misdemeanor, the relevant authorities will be notified as soon as possible.
The solution partners of Sarkap İç ve Dış Ticaret Anonim Şirketi that have actual or potential access to personal data and all third parties working with Sarkap İç ve Dış Ticaret Anonim Şirketi are invited to read and comply with this policy. No third party may have access to personal data processed by Sarkap İç ve Dış Ticaret Anonim Şirketi without a written confidentiality agreement that includes obligations and auditing rights that are as strict as the standards of Sarkap İç ve Dış Ticaret Anonim Şirketi.
“Explicit consent” means freely given, specific and informed consent on a specific matter,
“Anonymizing” means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
“Data subject” means the natural person whose personal data are processed,
“Personal data” means all the information relating to an identified or identifiable natural person,
“Sensitive personal data” means individuals’ data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and the biometric and genetic data.
“Processing of personal data” means any operation performed on personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means,
“LPPD” means the Law on Protection of Personal Data No 6698,
“PDP Board” means the Personal Data Protection Board,
“PDP Authority” means the Personal Data Protection Authority,
“Data Processor” means a natural person or legal entity which processes personal data on behalf and upon authorization of the controller;
“Data registry system” means the registry system where the personal data are registered after being structured according to certain criteria,
“Data Controller” means the natural person or legal entity that determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.
- Roles and Responsibilities
3.1. Sarkap İç ve Dış Ticaret Anonim Şirketi is the controller pursuant to LPPD.
3.2. Everyone holding a senior management, executive or auditor position is responsible for development and promotion of correct practices in processing of personal data within Sarkap İç ve Dış Ticaret Anonim Şirketi, as well as other obligations related to this matter, which are included in the individual job descriptions.
3.3. The PDP Committee is established as the unit responsible for the management of the personal data protection system and for ensuring compliance and documentation of the LPPD and other relevant legislation and is responsible to the Board of Directors in these matters.
3.3.1. PDP Committee
The members of the PDP Committee are appointed by the board of directors, taking into account their expertise and experience in the field of personal data protection legislation and practices and report directly to the Board of Directors.
The PDP Committee consists of 1 chairman and 5 members. The Committee convenes once every six months on ordinary or extraordinary basis.
3.3.2. Roles and Responsibilities of the PDP Committee
3.3.2.1. The Committee will inform the Board of Directors on the legislation on Personal Data Protection and the relevant developments.
3.3.2.2. The Committee is responsible for ensuring that the policies and procedures of Sarkap İç ve Dış Ticaret Anonim Şirketi are up-to-date and that data processing audits are conducted in accordance with the planned schedule and comply with the applicable legislation.
3.3.2.3. The Committee acts with all relevant personnel on personal data protection issues.
3.3.2.4. The main roles and responsibilities of the Committee are as follows:
- Provide information and advice on personal data protection legislation and compliance matters to Sarkap İç ve Dış Ticaret Anonim Şirketi, its related partners and suppliers providing support services.
- Provide information and advice to Sarkap İç ve Dış Ticaret Anonim Şirketi personnel about their obligations under the personal data protection legislation.
- Observe the compliance of the data processing activities of Sarkap İç ve Dış Ticaret Anonim Şirketi with personal data protection legislation.
- Contribute to development and maintenance of the personal data protection policy and related procedures and processes of Sarkap İç ve Dış Ticaret Anonim Şirketi.
- Assign the responsibilities within Sarkap İç ve Dış Ticaret Anonim Şirketi in the context of compliance with personal data protection legislation.
- Ensure provision of necessary training and awareness for all personnel involved in personal data processing.
- Monitor compliance with personal data protection legislation by conducting regular audits and report the results to the Board of Directors.
- Give information and advice for personal data protection impact analysis reports.
- Act in cooperation and contact with the PDP Board.
- Function as the contact point and representative of Sarkap İç ve Dış Ticaret Anonim Şirketi before PDP Board and give information and advice to the Board when necessary.
- Observe compliance with the Information Security Policy within Sarkap İç ve Dış Ticaret Anonim Şirketi and provide information and advice to those concerned when necessary.
- Develop a formal procedure for notifying the Board of information security incidents and investigations.
- Contribute to the business continuity plan process.
- Give information and advice on keeping corporate records.
- Determine the scale at which personal data are collected, held and used in Sarkap İç ve Dış Ticaret Anonim Şirketi and the conditions of their storage in accordance with information security standards.
- Conduct oversight and evaluation of compliance, rationality, security practices and other controls that may be necessary for the protection of personal data.
- Identify and implement controls to ensure the confidentiality, integrity and accessibility of personal data, and propose additional controls that may be required.
- Submit the issues that pose a potential risk in terms of personal data in Sarkap İç ve Dış Ticaret Anonim Şirketi and the relevant proposals to agenda of the Board of Directors.
3.3.2.5. The PDP Committee has the authority to access all systems of Sarkap İç ve Dış Ticaret Anonim Şirketi concerning collection, processing and storage of personal data. In performing its duties, the PDP Committee may ask all staff to cooperate, including access to systems and records. If this cooperation is not provided, the Committee reports the situation to the Board of Directors.
3.4. All personnel of Sarkap İç ve Dış Ticaret Anonim Şirketi who process personal data are responsible for complying with the provisions of Personal Data Protection legislation.
3.5. A personal data protection representative from the Operations, Corporate Marketing and Human Resources departments will be assigned to the PDP Committee to manage and fulfill the daily responsibilities of the unit in compliance with this policy.
3.6. The Human Resources Department is responsible for making the necessary notifications and providing the training to ensure that all personnel are aware of their responsibilities in the field of personal data protection and have the necessary awareness.
3.7. Personnel of Sarkap İç ve Dış Ticaret Anonim Şirketi are responsible for ensuring the accuracy and timeliness of all personal data provided to Sarkap İç ve Dış Ticaret Anonim Şirketi or related to them.
- Risk Assessment
Objective: Sarkap İç ve Dış Ticaret Anonim Şirketi is aware of the risks associated with the processing of certain types of personal data.
Sarkap İç ve Dış Ticaret Anonim Şirketi has a procedure in place to assess the risks that the processing of personal information may pose to individuals. This assessment is carried out taking into consideration the third parties that process the data on behalf of Sarkap İç ve Dış Ticaret Anonim Şirketi. Sarkap İç ve Dış Ticaret Anonim Şirketi manages the risks determined as a result of the assessment in a way that does not constitute a violation of this policy.
If a particular type of data processing activity is likely to pose a high risk to personal rights and freedoms in line with its structure, context, and objectives, Sarkap İç ve Dış Ticaret Anonim Şirketi should manage the potential risks by conducting an impact analysis prior to the data processing activity. A single assessment can be based on multiple data processing activities with similar risks.
If the impact analysis shows that Sarkap İç ve Dış Ticaret Anonim Şirketi is about to start a data processing activity that may pose a high risk to personal rights and freedoms, the approval of the PDP Committee is sought for that activity. The PDP Committee, if deemed necessary, will obtain an opinion from the PDP Board on the matter.
In risk management, the systems and controls which are currently adopted by Sarkap İç ve Dış Ticaret Anonim Şirketi in accordance with the information security policy are implemented.
- Data Protection Principles
All personal data processing activities must be performed in accordance with the following data protection principles. The policies and procedures of Sarkap İç ve Dış Ticaret Anonim Şirketi aim to ensure compliance with these principles:
- Processing will be performed lawfully and fairly,
- Data will be accurate and, where necessary, kept up to date;
- Data will be processed for specific, explicit and legitimate purposes
- Data will be adequate, relevant and not excessive in relation to the purposes for which they are processed
- Data will be kept only for the period which is stipulated by law and necessary for the purpose of processing
5.1. Personal data are processed lawfully, fairly and transparently.
Accordingly, Sarkap İç ve Dış Ticaret Anonim Şirketi will include confidentiality notices in the data collection channels and related forms regarding its personal data processing activities. The PDP Committee will determine the areas in which clear and understandable information will be announced regarding the purpose for which Sarkap İç ve Dış Ticaret Anonim Şirketi processes the data, including the persons to whom such data belong and which data of such persons are processed. These notifications include:
- Identity and contact details of Sarkap İç ve Dış Ticaret Anonim Şirketi as the data controller,
- Types of personal data processed,
- Purpose of processing the personal data
- Personal data collection methods,
- Legal reasons which constitute the basis of processing the personal data
- The envisaged period for which the personal data will be stored,
- Rights of data subject,
- Third parties the data may be shared with
5.2. Personal data can be processed only for specific, explicit and legitimate purposes
5.2.1. The justifications/purposes of personal data processing are specified in the personal data inventory, and the personal data will not be used for any other purpose without another legal justification or explicit consent of the data subject.
5.2.2. In the event that conditions arise which require the use of personal data for purposes other than those specified in the personal data inventory, the relevant personnel / unit will notify the PDP Committee about this requirement. The PDP Committee checks appropriateness of the new purpose and, if necessary, ensures that the data subject is informed of the new purpose and the new data processing activity.
5.3. Personal data must be appropriate, relevant and processed in proportion to the purpose for which they are processed.
5.3.1. The PDP Committee is responsible for ensuring that personal data that are not explicitly required for processing purposes are not collected and processed.
5.3.2. All electronic and physical data collection forms and data collection mechanisms in the information systems will be implemented provided that they are approved by the PDP Committee.
5.3.3. The PDP Committee checks that the processed data are appropriate and relevant through the personal data inventory which is updated annually.
5.3.4. The PDP Committee will ensure that all data processing methods are appropriate and relevant by the internal audit / external audit to be carried out on an annual basis.
5.3.5. The PDP Committee will be responsible for discontinuation of data processing activity and for safe destruction of the processed data in accordance with the Storage and Disposal Procedure in respect of personal data which it finds to be inappropriate or not relevant or excessive for the purpose of processing.
5.4. Personal data must be accurate and up to date
5.4.1. The accuracy and currency of the data held for a long time will be reviewed.
5.4.2. The Human Resources Department manager is responsible for training of all personnel on collection and retention of accurate and up to date data.
5.4.3. The employees are responsible for ensuring that their data retained for processing purposes are accurate and up to date.
5.4.4. The employees / customers and other data subjects will notify Sarkap İç ve Dış Ticaret Anonim Şirketi so that the personal data processed can be updated. Upon such notification, it is the responsibility of the relevant unit to correct and update such record.
5.4.5. Based on its assessment on the data inventory regarding the type, storage time and amount of the data processed, the PDP Committee may instruct the relevant unit to review the accuracy or currency of certain data.
5.5. Personal data must be processed in such a way that identifies the data subject only on condition that such identification is necessary for the purpose of processing.
5.5.1. In case personal data need to be stored for longer than necessary due to reasons such as back-up etc., the relevant personal data must be encrypted or anonymized / masked to protect individuals' rights and freedom in cases of data security vulnerability.
5.5.2. Processing of the personal data beyond the periods determined pursuant to the personal data storage and destruction procedure will be subject to written approval of the PDP Committee.
- Rights of the Data Subjects
The data subjects will have the following rights with respect to data processing activities and records at Sarkap İç ve Dış Ticaret Anonim Şirketi:
6.1. Find out whether or not data relating to them are being processed,
6.2. Request relevant information if their personal data have been processed,
6.3. Find out the purpose of processing of their personal data and whether or not their data are used for their intended purposes,
6.4. Find out the third parties in Turkey or abroad to whom their personal data are transferred,
6.5. Request rectification of their personal data if they are processed incompletely or inaccurately,
6.6. Request erasure or destruction of their personal data in case there is no legal justification for processing under the LPPD or this policy;
6.7. Request that the correction or erasure processes carried out upon their request are communicated to third parties that have received personal data;
6.8. Object to occurrence of any result that is detrimental to them in person as a result of analysis of their personal data exclusively through automated systems;
6.9. Claim compensation of their damages if they incur damages as a result of unlawful processing of their personal data.
Data subjects are entitled to submit their claims regarding their abovementioned rights to Sarkap İç ve Dış Ticaret Anonim Şirketi. In this respect, you are entitled to send your application requests regarding your personal data to Sarkap İç ve Dış Ticaret Anonim Şirketi with the “Data Subject Application Form” posted at the web address “sarkap.com”:
- By sending an e-mail to firstname.lastname@example.org from the e-mail address that you have previously reported to Sarkap İç ve Dış Ticaret Anonim Şirketi,
- By personally applying with a valid identity document,
- By posting to “Piri Mehmet Paşa Mah. Pier Gateway Sk. Tasev Apt. No: 7 Interior Door No: 5 Silivri/Istanbul” address, with your hand-written signature and a photocopy of your ID card,
- By signing with an electronic signature or secure electronic signature and sending an e-mail to “_________” address,
- By sending it to the registered electronic mail (KEP) address of “email@example.com” using a registered electronic mail (KEP) address and secure electronic signature or mobile signature.
In such a case, Sarkap İç ve Dış Ticaret Anonim Şirketi will finalize your request free of charge as soon as possible and in any case within 30 (thirty) days depending on the nature of your request. However, in case your application incurs additional cost, Sarkap İç ve Dış Ticaret Anonim Şirketi will be entitled to charge the fee listed in the tariff in the Law on Protection of Personal Data. The processes for receiving, forwarding and finalizing the requests are carried out in accordance with the Request Management Procedure.
Data access rights and contact information of the data subjects will be provided in the privacy statements and the web site of Sarkap İç ve Dış Ticaret Anonim Şirketi for data subjects to send their requests.
Regardless of the job descriptions, all personnel of Sarkap İç ve Dış Ticaret Anonim Şirketi will be obliged to guide the data subjects about the correct application method for data subject access requests made to them. The PDP Committee will inform and train all Sarkap İç ve Dış Ticaret Anonim Şirketi personnel on what to do about the requests received from data subjects.
- Obtain Explicit Consent
Sarkap İç ve Dış Ticaret Anonim Şirketi considers the consent given in the form of written statement or explicit verification action of the data subject as explicit consent provided that it is given on a specific data processing activity based on information and free will and provided that it shows the free will for processing of his personal data. The explicit consent is obtained in writing or systematically in such a way that can be proved. The data subject is entitled to revoke the explicit consent at any time.
Explicit consent can be obtained by having the data subject sign the explicit consent form template or by including the elements contained in this template to be executed with the data subject or the electronic form used for this purpose.
In case the data processing activity based on an explicit consent is to be continuous or to be repeated, the relevant unit keeps a single list of the individuals whose explicit consents have been obtained. The relevant unit is responsible for currency and accuracy of this list. The explicit consent forms or other relevant means of evidence for data processing based on explicit consent will be stored by the relevant unit.
- Data Security
All personnel are responsible for ensuring that the data processed by Sarkap İç ve Dış Ticaret Anonim Şirketi which are under their responsibility are kept safe and not disclosed to any third party unless a confidentiality agreement is signed.
Personal data will be accessible only by those who need to access such data. The access is provided in accordance with the Access Management Procedure.
Data security will be provided in accordance with the Information Security Policy of Sarkap İç ve Dış Ticaret Anonim Şirketi and the related documents.
The information security incidents related to personal data will be notified to the PDP Board and the data subject as soon as possible and no later than within 72 hours after the incident is identified by the PDP Committee.
- Data Sharing
- Personal data can only be disclosed to third parties in accordance with law and rules of fairness. Accordingly, one of the following conditions is required in order to disclose personal data:
- Explicit consent of the data subject must be obtained.
- It is clearly provided for by the laws.
- It is imperative for the protection of life or bodily integrity of the data subject or of any other person where it is physically impossible for data subject to give explicit consent or where explicit consent of the data subject is not legally valid.
- The processing of personal data of the parties to an agreement is necessary, provided that it is directly related to the conclusion or performance of the agreement to which Sarkap İç ve Dış Ticaret Anonim Şirketi is or will become a party.
- It is mandatory for Sarkap İç ve Dış Ticaret Anonim Şirketi to be able to perform its legal obligations.
- The data concerned are made available to the public by the data subject.
- Data processing is necessary for the establishment, exercise or protection of the rights of Sarkap İç ve Dış Ticaret Anonim Şirketi.
- Data processing is mandatory for the legitimate interests of Sarkap İç ve Dış Ticaret Anonim Şirketi, provided that this processing will not violate the fundamental rights and freedoms of the data subject.
9.2. Personal data may only be transferred abroad provided that the above conditions are satisfied, that adequate protection is available in the destination country and that the data subject explicitly consents to this transfer.
When transferring the personal data abroad, the list of countries with sufficient protection as determined by the PDP Board is taken into account. If the countries with sufficient protection have not been announced, personal data can be transferred abroad without the explicit consent of the data subject, provided that the data controllers in Turkey and in the destination country undertake in writing to ensure adequate protection and that the permission of the PDP Board is available.
Except for the cases listed, personal data can only be transferred abroad with the explicit consent of the data subject.
Where personal data are transferred abroad, the PDP Committee will obtain the necessary permits from and give the necessary notifications to the PDP Board in accordance with LPPD and the relevant legislation.
9.3. All operations concerning disclosure of personal data must be documented in writing, specifying the reasons. These records are audited by the PDP Committee on periodic basis.
9.4. In case data have to be disclosed on a regular basis without a legal basis or legal obligation, a data-disclosure agreement / protocol that specifies the terms of the data disclosure will be concluded with the party. The data disclosure agreement / protocol includes at a minimum the following:
- Purpose or purposes of disclosure;
- Potential third-party recipients or the recipient type and access conditions;
- The data to be disclosed;
- General principles of data processing;
- Data security measures;
- Storage period of disclosed data;
- Data subject’s rights, access requests, and procedures for responding to applications and complaints;
- Reviewing the termination of the data disclosure agreement and
- Liability and sanctions for failing to honor the agreement or individual violation of personnel.
- The data disclosure agreements / protocols are submitted to the PDP Committee for approval.
- Management of Records
Personal data may not be retained for longer than necessary for processing purposes. The classification of records containing personal data and their storage periods are determined in accordance with the Labeling and Processing Procedure, Storage and Destruction Procedure.
Upon expiry of the period necessary for processing purposes or upon the rightful request of the data subject, relevant personal data are anonymized, erased or destroyed as per the Storage and Destruction Procedure in such a way that the data subject cannot be identified.
The Personal Data Protection Committee will ensure that regular audits are performed on personal data processing in the company. Accordingly, an in-house audit team or an external audit firm assigned for this purpose will perform auditing services.
The audit activities will be carried out annually and the audit results will be submitted to the Personal Data Protection Committee, and the Committee will make necessary improvements on the outcome of the audit report.
- Keeping the Policy Up to Date
This Policy is reviewed at least once a year without notice and updated as deemed necessary.
Document Ownership and Approval
The PDP Committee is the owner of this document and responsible for regular review of this policy in accordance with the review requirements set out above.
The current version of this document is made available to all Sarkap İç ve Dış Ticaret Anonim Şirketi personnel via QDMS or Intranet system and published via //www.sarkap.com address.
SARKAP – Data Subject Application Form
To apply to our company regarding the Protection of Personal Data Law, please download the form above and fill it in accordance with the explanations on the form and submit your application.